180 likes | 251 Views
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES Mode Discussion] Date Submitted: [15 May, 2002] Source: [Rene Struik] Company [Certicom Corp.] Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1]
E N D
Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [AES Mode Discussion] Date Submitted: [15 May, 2002] Source: [Rene Struik] Company [Certicom Corp.] Address [5520 Explorer Drive, 4th Floor, Mississauga, ON Canada L4W 5L1] Voice:[+1 (905) 501-6083], FAX: [+1 (905) 507-4230], E-Mail:[rstruik@certicom.com] Re: [] Abstract: [This document discusses trade-offs between different block-cipher modes of operation and their suitability within the IEEE 802.15.3 High-Rate WPAN context.] Purpose: [Highlight trade-offs that govern the choice of symmetric algorithms for the IEEE 802.15.3 WPAN.] Notice: This document has been prepared to assist the IEEE P802.15. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor acknowledges and accepts that this contribution becomes the property of IEEE and may be made publicly available by P802.15. Rene Struik, Certicom Corp.
AES-Mode of Operation (and MAC-function) Discussion for IEEE 802.15.3 WPANs René Struik, Certicom Research Rene Struik, Certicom Corp.
Outline: • Block Cipher Modes of Operation: • - Cipher-Block Chaining (CBC Mode); • - Counter Mode (CTR Mode) • Message Authentication Codes: • Based on Block Codes: CBC-MAC; • Based on Un-Keyed Hash Functions: HMAC • Implementation Issues • - Hardware vs. software implementation; • - Computational efficiency considerations. Rene Struik, Certicom Corp.
x1 x2 x3 xm-1 xm DK DK DK DK DK EK EK EK EK EK c0:=IV c1 c2 c3 cm-1 cm c0:=IV c3 cm-1 c1 c2 cm x3 xm-1 x1 x2 xm Block-Cipher Modes of Operation: CBC Mode (1) Encryption: Encryption algorithm: cj:=EK(xj cj-1) for all j>0; c0:=IV. Decryption: Decryption algorithm: xj:=DK(cj) cj-1for all j>0; c0:=IV. Rene Struik, Certicom Corp.
Block-Cipher Modes of Operation: CBC Mode (2) • Security requirement: • -IV should be unpredictable. • Encryption computation: • -No parallelization of computation possible; • -Access to plaintext required for computation; • -Access to IV needed for computation. • Decryption computation: • -Full parallelization of computation possible; • -Access to ciphertext required for computation; • -Access to IV needed for computation. • Message size: • -Plaintext expansion might be needed • (size is multiple of encryption block length). • Implementation: • -Both encryption function EK and decryption • function DK need to be implemented. Encryption algorithm: cj:=EK(xj cj-1) for all j>0; c0:=IV. Decryption algorithm: xj:=DK(cj) cj-1for all j>0; c0:=IV. Rene Struik, Certicom Corp.
Block-Cipher Modes of Operation: CBC Mode (3) • Example: Use of CBC-mode of operation in IEEE 802.15.3 High-Rate WPAN. • Block-cipher: AES-128 {block-cipher length: 128 bits}. • IV=EK( IdA || Nonce || j), where • IdA: identifier of sender (64-bits field, right-adjusted); • Nonce: inter-frame sequence number (48-bits field, right-adjusted); • j: intra-frame sequence number (16-bits field, right-adjusted). • Motivation: • IV is obtained via encryption, to ensure unpredictability hereof for outsiders; • IdA is included to ensure logical separation between senders who have same key • (no re-use of same IV value between different senders; no synchronization required); • Nonce and j are included to ensure no re-use of same IV between different data • frames (via increment of Nonce-value) and within data blocks in a frame (via increment of j-value). • Combinatorial freedom: • Maximum size of data frame= max. #blocks encryption block size = 216 * 27= 223 = 1Mbytes; • Maximum #data frames = max. #Nonce values = 248data frames • (At 1Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block.) • NB: current max. frame length: 214 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs. Rene Struik, Certicom Corp.
tm tm t2 t1 t1 t2 t3 t3 tm-1 tm-1 counters counters EK EK EK EK EK EK EK EK EK EK xm cm c1 x1 x2 c2 x3 c3 xm-1 cm-1 xm cm x1 x2 c2 c1 x3 c3 xm-1 cm-1 Block-Cipher Modes of Operation: CTR Mode (1) Encryption: Encryption algorithm: cj:=EK(tj) xjfor all j>0. Decryption: Decryption algorithm: xj:=DK(tj) cjfor all j>0. Rene Struik, Certicom Corp.
Block-Cipher Modes of Operation: CTR Mode (2) • Security requirement: • -Counters t1, t2, t3, … shall all be distinct over • lifetime key K. • Encryption computation: • -Full parallelization of computation possible; • -No access to plaintext required for computation; • -Access to t1, t2, t3, … needed for computation. • Decryption computation: • -Full parallelization of computation possible; • -No access to ciphertext required for computation; • -Access to t1, t2, t3, … needed for computation. • Message size: • -No plaintext expansion needed! • (ciphertext can be truncated to plaintext length). • Implementation: • -Only encryption function EK needs to be • implemented. Encryption algorithm: cj:=EK(tj) xjfor all j>0. Decryption algorithm: xj:=DK(tj) xjfor all j>0. Rene Struik, Certicom Corp.
Block-Cipher Modes of Operation: CTR Mode (3) • Example: Use of CTR-mode of operation in IEEE 802.15.3 High-Rate WPAN. • Block-cipher: AES-128 {block-cipher length: 128 bits}. • counter value=(IdA || Nonce || j), where • IdA: identifier of sender (64-bits field, right-adjusted); • Nonce: inter-frame sequence number (48-bits field, right-adjusted); • j: intra-frame sequence number (16-bits field, right-adjusted). • Motivation: • IdA is included to ensure logical separation between senders who have same key • (no re-use of same IV value between different senders; no synchronization required); • Nonce and j are included to ensure no re-use of same IV between different data • frames (via increment of Nonce-value) and within blocks in a frame (via increment of j-value). • Combinatorial freedom: • Maximum size of data frame= max. #blocks encryption block size = 216 * 27= 223 = 1Mbytes; • Maximum #data frames = max. #Nonce values = 248data frames. • (At 1Gbps data rate, exhaustion after roughly 1 year, if all data frames consist of only 1 block.) • NB: current max. frame length: 214 bits = 2 kbytes; at 55 Mbps data rate, exhaustion after >20 yrs. Rene Struik, Certicom Corp.
x3 xm-1 xm IV:=0 CBC-MAC algorithm: cj:=EK(xj cj-1) for j=1,…,m; c0:=IV:=0; MAC:=cm. EK EK EK EK EK EK EK EK cm x1 x2 x3 xm-1 xm IV:=0 EK DK’ EK EK MAC MACs Based on Block-Ciphers : CBC-MAC (1) CBC-MAC: x1 x2 Strengthened CBC-MAC: Strengthened CBC-MAC algorithm: cj:=EK(xj cj-1) for j=1,…,m; c0:=IV:=0; MAC:=EK(DK’(cm)). (Bellare, Kilian, Rogaway) Rene Struik, Certicom Corp.
MACs Based on Block-Ciphers: CBC-MAC (2) • Security requirement: • -Keys K and K’ should be independent; • {This prevents chosen-text existential forgery attacks.} • - If K=K’, then • Strengthened CBC-MAC reduces to ‘folklore’ CBC-MAC • (which is only secure for fixed length messages) • (Strengthened) CBC-MAC computation: • -No parallelization of computation possible; • -Management of two keys, K and K’, required. • Data integrity field size: • -MAC value has size equal to encryption block length • (truncated outputs possible, in exchange for reduced security level). • Implementation: • -Both encryption function EKand decryption function DK’ • need to be implemented. • Standard: FIPS Pub 113 for DES; unknown whether continued for AES-128 Rene Struik, Certicom Corp.
MACs Based on Un-keyed Hash Functions: HMAC (1) • Security requirement: • - HMAC should use un-keyed hash function of same security level; • HMAC computation: • -No parallelization of computation possible; • -Management of 1 key, viz. K, required. • Data integrity field size: • -HMAC value has size equal to 1 encryption block length • (truncated outputs possible, in exchange for reduced security level). • Implementation: • -Un-keyed hash function needs to be implemented. • Standard: • Draft FIPS Pub #HMAC (specification of HMAC) • Draft FIPS Pub 180-2 (specification of SHA-256) Rene Struik, Certicom Corp.
MACs Based on Un-keyed Hash Functions: HMAC (2) • HMAC-256: • Building block: SHA-256. • Block size: 512 bits. • Operations on 32-bits words: • logical AND, XOR, NOT; • integer additions modulo 232; • rotations, shifts. • Storage: • temporary storage: roughly 10 words (of 32 bits); • permanent storage: roughly 8 words (of 32 bits). • -Computational overhead: • - roughly same as SHA-256. Rene Struik, Certicom Corp.
Implementation Issues (1) Block-Cipher: AES-128 in one of the following modes: (1) CBC mode; (2) CTR mode. Un-keyed hash function: SHA-256 {block length: 512 bits}. Keyed hash function: (1) HMAC-256; (2) CBC-MAC function. AES-128 implementation: CBC Mode: implement both AES-128 encryption and AES-128 decryption; CTR Mode: implement AES-128 encryption only. Lowest gate count: AES-128 in CTR mode. SHA-256 cost during key agreement (if implemented in software): Full MQV with Key Confirmation: additional 15% workload compared to hardware only. Modified-ECIES TLS-Variant Key agreement: additional 30% workload compared to hardware only. MAC implementation (in hardware): CBC-MAC: implement both AES-128 encryption and AES-128 decryption HMAC: implement SHA-256. Lowest gate count: roughly equal!!! (if encr + auth computations not carried out in parallel) *AES-OCB with Authentic Side Information: implement both AES-128 encryption and decryption (Note: Attractive if 55 Mbps 500 Mbps, since encr + auth computations carried out in parallel.) Rene Struik, Certicom Corp.
Implementation Issues (2) Gate count figures1 • Option 1: AES-128 in CBC Mode + SHA-256: 30.7k (21.7k if slow SHA-256 used) • Option 2: AES-128 in CTR Mode + SHA-256: 27k (18k if slow SHA-256 used) • Option 3: AES-128 in CTR Mode + Strengthened CBC-MAC: 35.1k [26.7k]* • Same but with ‘basic’ CBC-MAC 26.7k [21.1k]* • Option 4: AES-128 in OCB Mode: 32.1k [29.3k]* • Figures are based on the following: • Gate count for temporary and permanent storage (e.g., keying material and status info), both • at cost of 6 gates/bit and 4 gates/bit {latter in square brackets *}. • Cost include gate count core algorithm plus mode gate count and the minimum number of • registers to support base core function. • 0.13 technology, based on 8051 processor, RAM/ROM, RF circuitry, and Register File. • Throughput rate: 50 Mbps; clock rate: 40 MHz. • The architecture of the system IC design could have impact on both the gate count and performance • of the hardware macro modules. • 1Estimates courtesy of Motorola Labs - Advanced Systems Architecture Security Technology Center. • (improved gate count figures using ‘slow’ SHA-256 courtesy of Certicom Embedded Systems Group) Rene Struik, Certicom Corp.
Implementation Issues (3) Speed comparison of Message Authentication Codes CBC-MAC Function: Cost of message authentication Cost of data encryption (per bit) [Message integrity over n blocks: n+2 block cipher applications; Encryption over n blocks: n block cipher operations (discarding initialization of IV vector)] HMAC-256 based on the un-keyed hash function SHA-256: Cost of message authentication 14% of cost of data encryption (per bit) [At 40MHz clock rate, the throughput figures are as follows (example): -AES-128 in CTR mode: ±50Mbps -SHA-256: ±350Mbps] Important Note: (Trade-offs gate count – efficiency of SHA-256 implementation) (!!!) - Full speed HMAC-256: 5k+17.5k gates; Slow HMAC-256: 5k+4.6k gates (‘Full speed’ HMAC-256 operates < 2 as fast as ‘Slow’ HMAC-256) Note: ‘slow’ HMAC-256 is relatively still much faster than AES-128 (so slow-down not noticeable) Message authentication based on AES-OCB mode of operation: Cost of message authentication 2/L Cost of data encryption (per bit) [L is message length in #encryption block sizes] Rene Struik, Certicom Corp.
Implementation Issues (4) Side Effect of Choice of Message Authentication Codes SHA-256 cost during key agreement (if implemented in software): Full MQV with Key Confirmation: additional 15% workload compared to hardware only. Modified-ECIES TLS-Variant Key agreement: additional 30% workload compared to hardware only. SHA-256 cost during Implicit Certificate Verification (if implemented in software): Full MQV with Key Confirmation: additional 37% workload compared to hardware only. Modified-ECIES TLS-Variant Key agreement: additional 37% workload compared to hardware only. SHA-256 cost during ACL Processing (if implemented in software): Additional 100% workload compared to hardware only. Rene Struik, Certicom Corp.
Conclusion • Optimum Choice of Symmetric encryption Algorithms • Block cipher: AES-128 in CTR Mode; • Hash function: SHA-256; • Message authentication code: HMAC-256 based on SHA-256, truncated to leftmost 128 output bits. • Required Changes to the Draft • Replace §2.2.4.6 of document 02/210r0 by the following text: • §2.2.4.6 CTR Mode of Operation: • The counter mode of operation (CTR Mode) for block ciphers used in this security suite shall be • preceded by a counter CTR and performed as specified in NIST Special Publication 800-38A • [{xref} MODES}]. • Recommendation to the Editor: define CTR as specified on Slide 9 of this presentation. Rene Struik, Certicom Corp.