Detectia Erorilor Prin Schimbarea b Paritate SErpent

8/2/2019 Detectia Erorilor Prin Schimbarea b Paritate SErpent

1/24

1

Error Detection by Parity Modification forthe 128-bit Serpent Encryption Algorithm

Grigori Kuznetsov, Ramesh Karri and Michael Gossel

Polytechnical University Brooklyn, USA

University of Potsdam, Germany


2/24

2

Modified input parity

Essence of the proposed method

The input-parity is determined and modified step bystep in accordance with the processing steps of the

cryptographic algorithm into the output-parity and

compared with the actual output parity

Often the same hardware can be used for the compu-

tation of the input-parity and of the output-parity


3/24

3

Serpent Encryption Algorithm

Initial permutation

32 rounds

componentwise key-addition

32 nonlinear substitution boxes

linear transformation

Final permutation


4/24

4

Serpent Encryption Algorithm

Initial Permutation

Key Mixing

Linear Transformation

Ciphertext

128

128

128

Plaintext

Y

X

Z

U

1284 44 4

SBoxes

Round Key

32 32 32

32 Rounds

32

128

Final Permutation


5/24

5

Serpent Encryption Algorithm: S-boxes

X 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Y 3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12


6/24

6

Serpent algorithm: Linear TransformationZ3


7/24

7

Ordinary Parity Prediction

y1(x) = f1(x), , ym(x) = fm(x)

P(y(x)) = y1(x) ym(x)

optimized

,

P(y(x)) is determined as a function of the inputs


8/24

8


y1(x) = f1(x), , ym(x) = fm(x)

P(y) = y1 yn,

P(y) is determined as the XOR-sum of the circuit-outputs

P(y(x)) is compared with P(y).


9/24

9


y1

nyn

P(x)

F

1x

x

p(y(x))


10/24

10

Proposed Method: Modified Input Parity

Input-parity Output-parity: P(x) P(y(x))

optimized

=

x1 xn y1(x) yn(x)

optimized


11/24

11

Proposed Method: Modified Parity

Input parity P(x) = x1 . . . xn

The input-parity P(x) is modified by adding modulo 2

P(x) P(y(x)) to the output parity P(y)


12/24

12

Proposed Method: Modified Parity

Output parity P(y) = y1 . . . yn

P(x) [P(x) P(y(x))] is compared with P(y)


13/24

13

Modified Parity

ym

y1

xn

x1

F

P(x) P(y)Parity

modification


14/24

14

Example with Serpent S-Box

S(0010) = 1111

P(1111) = P(0011)

S(0000) = 0011

Xi+3 Xi+2 Xi+1 Xi

Ki+3 Ki+2 Ki+1 Ki

Yi+3 Yi+2 Yi+1 Yi

SBox

0 0 1 > 0 0

error

1 > 0 1 > 0 1 1


15/24

15

Example with Serpent S-Box

Xi+3 Xi+2 Xi+1

Ki+3 Ki+2 Ki+1 Ki

Yi+3 Yi+2 Yi+1 Yi

P(x)

P(k)

P(0010)=1

P(y) = 0

0 > 1

Xi

SBox

1 > 0 1 > 0 1 1

1 > 0 000

error

1 0 = 1

Pinp Pout

P(0000)P(0011) = 0


16/24

16

Parity-modifications for :Key-addition

modulo 2

y1 = x1 k1, , ym = xm kmP(y(x)) = x1 k1 ym km = P(x) P(k)

with P(k) = k1 km

Modification: P(k), 1-bit operation


17/24

17

Key addition

P(x) P(y)

x

P(k)

1k y

nynk

1x

n

1

1P(x) P(y) = P(k) = k ... kn


18/24

18

Parity-modifications for :Non-linear

Transformation by an S-box

Example: S-box with four inputs x1, x2, x3, x4 = x and

four outputs y1, y2, y3, y4 withy1(x) = S1(x), , y4(x) = S4(x)

y5 = x1 x4 y1(x14) y4(x14)


19/24

19

S-boxes

x31 ... x28 y31 ... y28 ...x y0 33x ... y0

SBox 8 SBox 1. . .

0P(X ) P(Y )0

X0

xx 3 ...x31... 28 x 0

Y0

y y...y2831 3...y0


20/24

20

Parity-modifications for the Linear

Transformation

32 3232

32 32 3232

32

X X X X

P(U )UP(U )UP(U )U

P(x ) P(x ) P(x )P(x )

31 30 29

31 25 24...30

3 3 2 2 1 1 0 0

0 01 1U P(U )3 3 2 2


21/24

21

Serpent algorithm with error detection

32323232

Sboxes

Key MixingKey

Linear Transformation

Register0

1

2

3

P(Y )

P(Y )

P(Y )

P(Y )

P(Z )

P(Z )0

P(Z )1

2

P(Z )3

3

2

1

0

P(X )

P(X )

P(X )

P(X )

3 2 1 0X X X X

Y Y Y Y0123

Z3 Z2 Z1 Z0

U3 U2 U1 U0

Pk3

Pk2

Pk1

Pk0


22/24

22

Error detection capability and Area

overhead

If outputs of the s-boxes are independently implemen-ted then we can detect all single stuck-at faults

The area overhead for the S-boxes is 8% compared tothe s-boxes checked by ordinary parity.


23/24

23

Conclusions

A new method of error detection (due to technical

faults and due to attacs) for the Serpent EncryptionAlgorithm has been proposed.

The input parity is modified according to the processingsteps of the encryption algorithm into the output parity

and compared with the actual output parity.


24/24

24

Conclusions

the propagation of a single-bit error at the outputs ofa processing step ito a multi-bit error in the sucessive

processing steps , which is typical for encryption algo-

rithms, does not reduce the error detection capability

of the proposed method.

Documents

Detectia Erorilor Prin Schimbarea b Paritate SErpent