BIT PERMUTATION INSTRUCTIONS: ARCHITECTURE, IMPLEMENTATION, AND CRYPTOGRAPHIC PROPERTIES


Zhijie Jerry Shi

A DISSERTATION PRESENTED TO THE FACULTY OF PRINCETON UNIVERSITY IN CANDIDACY FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

RECOMMENDED FOR ACCEPTANCE BY THE DEPARTMENT OF ELECTRICAL ENGINEERING

June 2004

Copyright by Zhijie Jerry Shi, All rights reserved.

I certify that I have read this thesis and that in my opinion it is fully adequate, in scope and in quality, as a dissertation for the degree of Doctor of Philosophy.
Ruby B. Lee (Principal Adviser)

I certify that I have read this thesis and that in my opinion it is fully adequate, in scope and in quality, as a dissertation for the degree of Doctor of Philosophy.
Niraj K. Jha

I certify that I have read this thesis and that in my opinion it is fully adequate, in scope and in quality, as a dissertation for the degree of Doctor of Philosophy.
Yiqun L. Yin

Approved for the Princeton University Graduate School:
Dean of the Graduate School

Abstract

Bit permutation operations are interesting and important from both cryptographic and architectural points of view. Cryptographically, bit-level permutations naturally provide certain effects which are not easily obtained through word-level operations. Architecturally, the ability to support very fast bit permutations may be the next step in the evolution of word-oriented processors to support new multimedia and secure information processing workloads, which frequently manipulate data items smaller than a word. Any new instructions introduced into a general-purpose processor should ideally be useful in many applications; and their impact on the cycle time, and datapath and control complexity evaluated in terms of cost versus benefit.

This thesis investigates the benefits and cost of architectural support for fast bit permutations in programmable processors. The new permutation methods presented in the thesis reduce the number of instructions required to permute n bits from $O(n)$ to $O(\log_2(n))$. This both accelerates existing block ciphers and enables new ciphers that use arbitrary data-dependent permutations. The thesis also demonstrates that the bit permutation instructions can be used to achieve significant speedup in other applications, such as sorting bytes. The cost of the bit permutation instructions is studied in terms of their implementation complexity and their impact on a processor's cycle time.

The cryptographic properties of the bit permutation instructions are studied with respect to the two most effective cryptanalytic attacks, linear and differential cryptanalysis. The results show that the new bit permutation operations can enhance the cryptographic strength of the round function in block ciphers, so fewer rounds can achieve the same level of security. This leads to significant improvements in performance and energy consumption.

This thesis is a detailed example of a more general exploration of new instruction-set architecture features motivated by cryptographic algorithms, as well as of architectural features occurring for other reasons, e.g., multimedia, that may influence the design of cryptographic algorithms. We hope to have initiated a continuing dialog between cipher designers and processor architects. Future research in this direction will lead to more architectural and algorithmic innovations helpful for achieving pervasive security in information processing, networking, and storage.

Acknowledgments

First of all, I would like to thank my advisor Professor Ruby B. Lee for her guidance and support throughout my graduate studies. Her dedication to research and patience for students and colleagues will always be an example for me to follow. Without the numerous discussions and brainstorms with her, the results presented in this thesis would never have existed.

I am indebted to Dr. Yiqun Lisa Yin, for her valuable comments and suggestions on my research. I would also like to thank Professor Neil Burgess (Cardiff University, U.K.), Professor Ronald Rivest (Massachusetts Institute of Technology), and Dr. Matt Robshaw (Royal Holloway College, University of London, U.K.) for their fruitful discussions. I would also like to thank Professor Niraj K. Jha (Princeton University) for taking the time to read my thesis.

I am grateful to the members of PALMS group for their support. I would also like to thank all my friends at Princeton University, who make life at Princeton a wonderful experience.

I would like to thank my parents and my wife Kate for their constant love and support. It is impossible for me to express my gratitude towards them in mere words. I dedicate this thesis to them.

Contents

Abstract
Acknowledgments

1 Introduction
    Subword and bit permutations
    Subword operations and permutations for multimedia processing
    Bit permutation
    Thesis contributions
    Thesis organization

2 Bit Permutations in Secret-key Encryption
    Cryptographic algorithms
    Symmetric-key algorithms
    Public-key algorithms
    2.1.3 Hash algorithms
    Block ciphers
    Basic operations in block ciphers
    Processor support for basic operations in block ciphers
    Summary

3 Bit Permutation Instructions
    Past work
    Design goals
    The GRP instruction
    Definition of the GRP instruction
    Configuration of GRP instructions for arbitrary permutations
    Other bit permutation instructions
    PPERM3R and PPERM
    CROSS
    OMFLIP
    SWPERM and SIEVE
    Comparison of permutation alternatives
    Subword permutations
    Scalability to 2n bits
    Mappings (permutations with repetitions)
    3.5.4 Performance for permuting 64 bits
    Performance
    Permutation in ASIP architectures
    LdState
    Register pair
    Two-length ISA
    Bundled instruction
    Superscalar execution
    VLIW execution
    Comparison
    Summary

4 Hardware Implementation of Bit Permutation Instructions
    Logical effort
    The implementation of CROSS and BFLY
    The latency of the butterfly network
    The latency of the CROSS instruction
    The implementation of OMFLIP
    The latency of a 4-stage omega and flip network
    The latency of a 2-stage omega and flip network
    Implementations of GRP
    4.5 The latency of the GRP unit
    Summary and discussion
    Appendices
    Appendix 4A. The capacitance of wires
    Appendix 4B. Latency of the inverse butterfly network

5 Cryptographic Properties of Bit Permutation Operations
    Overview of cryptanalytic techniques
    Differential properties of permutation instructions
    Linear properties of permutation instructions
    Enhancing existing ciphers using permutation operations
    RC5 and existing attacks
    Enhancing RC5 using GRP
    Performance improvement
    RC5-grp versus RC
    Decryption and the UNGRP operation
    Summary and discussion

6 Bit Permutations in Other Applications
    Subword sorting
    Sorting subwords in a single register
    Sorting subwords in multiple registers
    6.4 Performance of sorting subwords with GRP
    Configuring GRP instructions for permutations
    Permutation of multi-bit subwords in multiple registers
    Summary

7 Conclusions and Future Research
    Efficient bit permutation instructions
    Bit permutation instructions in block ciphers
    Future research

Bibliography

List of Tables

Table 2.1: Block ciphers used in commonly-used security protocols
Table 2.2: Operations in block ciphers for encrypting a block
Table 2.3: Operations used in block ciphers
Table 3.1: Traditional methods to do a 64-bit permutation on 64-bit systems
Table 3.2: Configuring GRP instructions for an 8-bit permutation
Table 3.3: Configuring the GRP instructions for (0, 1, 2, 3, 4, 5, 6, 7)
Table 3.4: Number of the PPERM3R instructions for one permutation
Table 3.5: Maximum number of instructions for a permutation
Table 3.6: Comparison of permutation alternatives
Table 3.7: Maximum number of instructions (or cycles) for permuting 64 bits
Table 3.8: Memory requirement for 64-bit permutations
Table 3.9: Comparison of alternatives on ASIPs for 64-bit permutations
Table 4.1: The logical effort and parasitic delay of common logic gates
Table 4.2: Calculating the delay of a 64-bit butterfly network
Table 4.3: Calculating the delay of 64-bit CROSS instructions
Table 4.4: Input capacitance, logical effort, and parasitic delay of 3:1 MUX
Table 4.5: Calculating the delay for a 64-bit 4-stage omega-flip network
Table 4.6: Input capacitance, logical effort, and parasitic delay of 4:1 MUX
Table 4.7: Calculating the delay for a 64-bit 2-stage omega-flip network
Table 4.8: The input capacitance, logical effort, and parasitic delay of TG and ITG
Table 4.9: Branching effort, logical effort, and parasitic delay for stages in GRP
Table 4.10: The latency of different functional units (64 bits)
Table 4.11: Estimation of wire capacitance
Table 4.12: Branching effort, logical effort, and parasitic delay of the inverse butterfly network
Table 5.1: Differential properties of permutation operations
Table 5.2: Linear properties of DDR and GRP
Table 5.3: Single-bit characteristics for DDR in RC
Table 5.4: Characteristics for GRP following DDR in RC5-grp
Table 5.5: The number of chosen plaintexts required for differential attack against RC5 and RC5-grp (64-bit block size)
Table 5.6: Performance improvement of RC5-grp over RC5 with the same security level
Table 5.7: The number of chosen plaintexts required for differential attacks against RC5-grp-64 and RC6 (128-bit block size)
Table 5.8: Number of plaintexts required for linear attacks against RC5-grp-64 and RC6 (128-bit blocks)
Table 5.9: Performance of RC5-grp-64 and RC6 (128-bit blocks)
Table 6.1: Example of the BroadcastBit instruction
Table 6.2: Number of instructions for sorting 64 subwords using GRP and MIX on 64-bit registers
Table 6.3: Speedup of GRP and BroadcastBit
Table 6.4: Speedup of GRP and MIX for 64 values

List of Figures

Figure 1.1: Parallel add of subwords
Figure 1.2: Basic datapath in single-issue processors
Figure 2.1: Symmetric-key algorithms
Figure 2.2: Public-key algorithms
Figure 2.3: Digital signature
Figure 2.4: The authentication process in CHAP
Figure 2.5: An example of the substitution-permutation network
Figure 2.6: Round function in a Feistel network
Figure 2.7: Structure of a typical block cipher
Figure 2.8: The extract operation
Figure 2.9: The concatenation operation
Figure 2.10: The DEPOSIT instruction
Figure 2.11: The Shift Right Pair instruction
Figure 3.1: Standard processor datapath with a new permutation unit
Figure 3.2: Description of the GRP operation in pseudocode
Figure 3.3: An 8-bit GRP operation
Figure 3.4: Algorithm to configure a single GRP instruction
Figure 3.5: Configure GRP instructions
Figure 3.6: Doing the initial permutation in DES with PPERM3R
Figure 3.7: A 16-bit butterfly network
Figure 3.8: An 8-bit Benes network
Figure 3.9: Algorithm config_cross
Figure 3.10: The partitioning algorithm in config_cross
Figure 3.11: Disjoint rings in an example of BN(8)
Figure 3.12: cross_partition on eight bits
Figure 3.13: Configuring Benes network for an 8-bit permutation
Figure 3.14: A 16-bit OMFLIP functional unit
Figure 3.15: An example of SWPERM instruction
Figure 3.16: Doing bit permutation with SWPERM and SIEVE
Figure 3.17: Separation of bits when doing 2n-bit permutations
Figure 3.18: Generation of n permuted bits when permuting 2n bits
Figure 3.19: Scheduling of permutation instructions on 2-way superscalar processors
Figure 3.20: Instructions for table lookup
Figure 3.21: Speedup of DES
Figure 3.22: Six CROSS instructions permuting 64 bits
Figure 3.23: Permutation units and processor datapaths
Figure 3.24: BFLY and IBFLY instruction variants
Figure 3.25: BLFY and IBLFY with 4-way superscalar execution
Figure 4.1: An inverter driving four identical inverters
Figure 4.2: Two 2:1 MUXIs for a pair of bits in the butterfly network
Figure 4.3: Transistor diagram of a 2:1 MUXI
Figure 4.4: Transistor diagram of a minimum-sized inverter
Figure 4.5: The critical path of the 64-bit butterfly network
Figure 4.6: Generating the select signals in the CROSS unit
Figure 4.7: The critical path of a CROSS unit
Figure 4.8: Implementation of a 3:1 MUX with 2:1 MUXIs
Figure 4.9: 4:1 MUX for 2-stage OMFLIP implementation
Figure 4.10: The critical path of a 64-bit 4-stage omega-flip network
Figure 4.11: The critical path of a 2-stage omega and flip network
Figure 4.12: Three steps performing a GRP operation
Figure 4.13: The GRP implementation with shift registers
Figure 4.14: Diagram of GRP
Figure 4.15: Grabbing z bits recursively
Figure 4.16: GRP1Z: the first stage in GRP units
Figure 4.17: The basic cell used in GRP unit
Figure 4.18: Diagram of GRP8D
Figure 4.19: Diagram of GRP8S
Figure 4.20: Transistor diagram of the basic cell (TG) in the GRP unit
Figure 4.21: Transistor diagram of ITG that uses an inverted select signal
Figure 4.22: Number of cells in GRPmS and GRPmD
Figure 4.23: The critical path of GRP
Figure 5.1: The encryption procedure of RC
Figure 5.2: The round function of RC5-grp
Figure 5.3: The encryption procedure of RC
Figure 5.4: Instructions performing one round of RC
Figure 5.5: Programmatic definition of UNGRP
Figure 6.1: Sorting subwords in a register with GRP and BroadcastBit
Figure 6.2: The pre-transpose conversion
Figure 6.3: Sort subwords after the pre-transpose
Figure 6.4: The MIX instruction
Figure 6.5: 8x8 matrix transpose with MIX
Figure 6.6: Post-transpose after sorting
Figure 6.7: Sorting 16 4-bit subwords
Figure 6.8: GRP instructions for sorting eight 4-bit subwords
Figure 6.9: Speedup of GRP and MIX over quicksort for sorting different number of 8-bit and 16-bit elements
Figure 6.10: Using GRP to configure GRP instructions for a permutation
Figure 6.11: Configuring an 8-bit permutation with GRP instructions
Figure 6.12: Zigzag scanning of DCT coefficients
Figure 6.13: Performing zigzag scan with bit permutation instructions

Chapter 1 Introduction

With the rapid proliferation of the Internet and wireless networks, security becomes an increasingly important issue for networked computing devices. These include high-end servers, desktops, laptops, handheld devices such as personal digital assistants (PDAs), and sensors. Awareness of security has increased because more and more events and activities are conducted electronically over the public networks. For example, many financial transactions are made only with online banking or stock exchange systems, and elections may also be held through online electronic voting systems. However, the security of networked computer systems is far from satisfactory. According to the statistics from the CERT Coordination Center [1], the number of reported security incidents has been rising every year from six in 1988 to 137,529 in

Security features in computing devices may be implemented by either hardware or software mechanisms, or a combination of both. Hardware-implemented security features are often considered more reliable and correctly implemented [2], and customized hardware implementations often permit higher performance than software implementations. Software-implemented security features are much more flexible, and can more readily accommodate new standards, algorithms, policies and environments.

By providing new hardware-implemented security enablers in a programmable processor, the benefits of software flexibility can be combined with hardware performance. In particular, this thesis studies how new processor features can accelerate software-implemented cryptography algorithms.

Although computers have changed incredibly since the first one was built in the 1940s [3], one thing has not changed. All the tasks performed are expressed, eventually, as basic commands that a computer's underlying processor can recognize and execute. These basic commands are known as instructions. The instructions visible to a programmer or compiler are referred to as the instruction set architecture (ISA) of the programmable processor [4]. All software programs are converted to the processor's instructions before being executed. Efficient ISAs reduce the implementation cost of a processor and provide superior performance at the same time.

This thesis addresses the problem of efficient instructions for bit permutation. Bit permutation operations are interesting and important from both cryptographic and architectural points of view. Cryptographically, bit-level permutations naturally provide certain effects which are not easily obtained through word-level operations. Architecturally, the ability to support very fast bit permutations may be the next step in the evolution of word-oriented processors to support new multimedia and secure information processing workloads, which frequently manipulate data items smaller than a word. It is desirable to add to processors new instructions that operate on small data items efficiently. However, any new instructions introduced into a general-purpose processor should ideally be useful in many applications. In addition, a new instruction's implementation complexity needs to be considered, and the cost versus benefit evaluated. This thesis considers these issues in the context of adding bit permutation instructions to processors.

Today, performing cryptographic processing in software rather than in add-on, special-purpose hardware is highly desirable to facilitate more pervasive use of secure information processing. This thesis is a detailed example of a more general exploration of new instruction-set architecture features motivated by cryptographic algorithms, as well as of architectural features occurring for other reasons, e.g., multimedia, that may influence the design of cryptographic algorithms. We hope to initiate a dialog between cipher designers and processor architects. Research in this direction could lead to architectural and algorithmic innovations that are helpful for achieving more pervasive security in information processing, networking, and storage.

Section 1.1, together with Chapter 2, provides the background for the bit permutation problem that will be addressed in this thesis. Section 1.1 describes the processor architecture background for considering subword and bit permutations in word-oriented processor architectures, while Chapter 2 provides the security background by describing important classes of cryptography algorithms used in secure information processing. Also, Section 1.2 provides a brief summary of the thesis contributions, and Section 1.3 provides an outline of the work covered in the thesis.

1.1 Subword and bit permutations

As technology advances and computers evolve, new applications are emerging to satisfy users' increasing demand for computing. The workload of computers keeps changing because of new applications and new requirements. The workload changes influence many aspects of computer design, including instruction set architecture. Traditional general-purpose processors are optimized for word-oriented computation. Hence, their instruction set architecture provides limited support for the manipulation of data items smaller than a word. Only a few instructions can process small data items in limited ways; the most common are logical instructions like AND, OR, and NOT along with shift instructions like SHIFT and ROTATE.

Subword operations and permutations for multimedia processing

In addition to traditional commercial and scientific computations, computers also face the challenges of processing information presented in digital multimedia formats, which include text, audio, video, and graphics [5]. Such processing involves repeating the same operations on small data items like 8-bit pixel components and 16-bit audio samples. To accelerate such multimedia information processing, Lee introduced the concept of subword parallelism [6][7][8] to exploit the parallelism at the intra-instruction level. This is contrasted with inter-instruction parallelism, typically called instruction level parallelism (ILP), where multiple instructions are executed simultaneously in the same cycle.

Subword parallelism refers to the execution of the same operation on multiple pairs of subwords by a single instruction simultaneously. The bits in the word-sized registers are interpreted as representing multiple subwords. Figure 1.1 illustrates an example of performing eight add operations in parallel. In the figure, Rs1 and Rs2 are two source registers, each consisting of eight subwords. With one parallel add instruction, eight pairs of corresponding subwords in Rs1 and Rs2 are added in parallel, and the results are stored in the destination register Rd. This can be done with only minor modification to the normal word-sized adder needed for an ADD operation on the two words in Rs1 and Rs2.

[Figure 1.1: Parallel add of subwords (source registers Rs1 and Rs2, destination register Rd)]

Today, most microprocessors' instruction set architectures support subword parallel instructions [6][7][8][9][10][11][12][13][14][15][16]. This technique is also referred to as Single Instruction Multiple Data (SIMD) instructions, using the same term, SIMD, first introduced as one class of parallel processor organizations [17]. Lee has also called it microSIMD [18] architecture, since the parallelism is exploited within a microprocessor (in fact within an instruction), rather than across parallel processor organizations.

Past work in subword permutation instructions

A problem arising with the introduction of subword parallelism is the efficient rearrangement of subwords in registers [8]. It is often necessary to place subwords into proper positions in registers, so operations can be applied to all subwords at the same time. Without such fast arrangement of subwords, called subword permutation [8], the performance gain brought by subword parallelism may diminish.

The subword permutation maps the subwords in the source register to the subwords in the destination register. The subword permutation can be defined with a permutation $\pi$ on the integers $0, \ldots, m-1$, where $m$ is the number of subwords in a register. Suppose the permutation converts the integer sequence $(m-1, m-2, \ldots, 2, 1, 0)$ into $(\pi(m-1), \pi(m-2), \ldots, \pi(2), \pi(1), \pi(0))$, where $\pi$ can be considered as a function and $\pi(i)$ denotes the number that goes to the position where $i$ was. If the source register has $m$ subwords $(s_{m-1}, s_{m-2}, \ldots, s_1, s_0)$, the subword permutation associated with the integer permutation $\pi$ will generate the destination register $(s_{\pi(m-1)}, s_{\pi(m-2)}, \ldots, s_{\pi(1)}, s_{\pi(0)})$. Every subword in the source register appears once and only once in the destination register. When the subword size is one, the subword permutation becomes a bit permutation.

From the architectural point of view, it is desirable to have instructions that can perform arbitrary subword permutations efficiently, not just the permutations used in existing algorithms. This enables processors to perform any permutations that may be used in future algorithms efficiently. How processors can perform arbitrary subword permutation efficiently, especially as the number of subwords increases, is still a problem that has not been completely solved.

The PERMUTE and MIX instructions were proposed in the MAX-2 [8] multimedia instruction set for PA-RISC 2.0 processors [19][20] to address the subword permutation problem. The PERMUTE instruction is able to perform arbitrary permutations of 16-bit subwords in one register with a single instruction by specifying the subword's index in the source register. A 64-bit register can store four 16-bit subwords. For every subword in the destination register, two bits are used to select one of the four subwords in the source register; eight bits are used in total for four subwords. These eight bits are encoded in the instruction word. The MIX instruction combines even or odd subwords from two source registers. Although the MIX instruction can only rearrange subwords in two ways for each subword size, it is a very efficient permutation primitive for certain types of rearrangements such as matrix transpose. PERMUTE and MIX represent the first general-purpose subword permutation primitives implemented in processors. Because they were part of the multimedia instruction extensions, MAX-2 [8] for PA-RISC processors [19][20], which only implemented 16-bit and 32-bit subwords, both PERMUTE and MIX dealt only with subwords of size 16 bits or larger.

IA-64 extended the MIX instruction to support 8-bit subwords and added five variants of byte permute instructions called MUX,byte [13][21]. Each of the five variants performs a fixed permutation on bytes in a register. Examples are reversing the bytes or broadcasting the lowest byte. These instructions, however, generate only a limited number of permutation results, unlike the permutation instructions in this thesis.

The subword permutation problem becomes harder when the size of the subword decreases, since a word-sized register can now store more subwords. When the subword size is large, only a small number of subwords can be stored in a register. The permutation of a small number of subwords can be performed with instructions like PERMUTE in MAX-2 [8], which can achieve any permutation of four 16-bit subwords in a single instruction. As the subwords become smaller, the number of subwords in a register increases and more subwords need to be permuted. When many subwords need to be permuted, the techniques in PERMUTE cannot be used because of the increase in the number of bits that are required to specify a desired permutation [22]. For example, when a register may store 32 subwords, five bits are required to pick one out of the 32 subwords in the source register. Thirty-two subwords in the destination would require 160 bits to specify the desired subword permutation. These bits cannot fit in the instruction word nor in a register of size 128 bits or smaller.

The PERMSET instruction [22] circumvents this problem by dividing the subwords into several sets and repeating the same subword permutation on each set. The subword size and the number of subwords in a set can be specified. As long as there are only a small number of subwords in each set, the subwords can be permuted with the method used in the PERMUTE instruction. PERMSET breaks the relationship between the subword size and the number of subwords to be permuted, and thus allows the small subwords to be repeatedly permuted as a small set. The restriction of the PERMSET instruction is that all sets must perform the same permutation. Although PERMSET is efficient for permutations with certain patterns, the restriction makes PERMSET not so efficient for performing arbitrary permutations of small subwords across a full register.
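The subword permutation definition and the control-bit count discussed above, as an added C example that is not code from the thesis. Function names are hypothetical, and the immediate layout in permute16 (2-bit field i selects the source for destination subword i, with subword 0 least significant) is an assumption rather than the actual MAX-2 encoding.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Bits needed to name one of m subwords: ceil(log2(m)). */
static unsigned index_bits(unsigned m)
{
    unsigned b = 0;
    while ((1u << b) < m)
        b++;
    return b;
}

/* Control bits a PERMUTE-style encoding needs for m subwords:
 * one source index per destination subword. */
unsigned control_bits(unsigned m)
{
    return m * index_bits(m);
}

/* Destination subword i receives source subword pi[i].
 * width must divide 64; pi has 64/width entries, each < 64/width. */
uint64_t permute_subwords(uint64_t src, unsigned width, const uint8_t *pi)
{
    unsigned m = 64 / width;
    uint64_t mask = (width == 64) ? ~(uint64_t)0
                                  : (((uint64_t)1 << width) - 1);
    uint64_t dst = 0;
    for (unsigned i = 0; i < m; i++) {
        uint64_t sub = (src >> (pi[i] * width)) & mask;
        dst |= sub << (i * width);
    }
    return dst;
}

/* Four 16-bit subwords selected by an 8-bit immediate
 * (assumed layout: bits 2i+1..2i pick the source of subword i). */
uint64_t permute16(uint64_t src, uint8_t imm8)
{
    uint8_t pi[4];
    for (unsigned i = 0; i < 4; i++)
        pi[i] = (imm8 >> (2 * i)) & 3u;
    return permute_subwords(src, 16, pi);
}

/* 1 if every source subword appears once and only once (a true
 * permutation), 0 if the immediate repeats a source (a mapping). */
int imm8_is_permutation(uint8_t imm8)
{
    unsigned seen = 0;
    for (unsigned i = 0; i < 4; i++) {
        unsigned bit = 1u << ((imm8 >> (2 * i)) & 3u);
        if (seen & bit)
            return 0;
        seen |= bit;
    }
    return 1;
}

/* Subword size one: the same routine performs a bit permutation,
 * here the reversal of all 64 bits. */
uint64_t reverse_bits64(uint64_t src)
{
    uint8_t pi[64];
    for (unsigned i = 0; i < 64; i++)
        pi[i] = (uint8_t)(63 - i);
    return permute_subwords(src, 1, pi);
}

int main(void)
{
    uint64_t src = 0x4444333322221111ULL; /* constructed sample value */
    printf("reverse   : %016" PRIx64 "\n", permute16(src, 0x1B));
    printf("broadcast : %016" PRIx64 "\n", permute16(src, 0x00));
    printf("bit rev   : %016" PRIx64 "\n", reverse_bits64(0xF0));
    printf("control bits for 4, 32, 64 subwords: %u %u %u\n",
           control_bits(4), control_bits(32), control_bits(64));
    return 0;
}
```

The index-per-destination encoding costs 8 bits for four subwords but 160 bits for 32 subwords and 384 bits for the 64 one-bit subwords of a 64-bit register, which is why it cannot be carried in an instruction word or a single register.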

Other subword permutation instructions have appeared in second-generation multimedia instruction sets [14]. For example, AltiVec [10] defined the VPERM instruction to perform permutations of bytes selected from two registers. It takes three 128-bit registers as input and produces one 128-bit result. The bytes in the destination register can be selected from 32 bytes that are stored in two of the source registers, and the selection is determined by the third source register, which contains the index of bytes. Streaming SIMD Extension 2 (SSE2) [16], one of the multimedia extension sets for IA-32 (after MMX [9] and SSE [16]), has similar subword permutation instructions as PERMUTE. For example, the PSHUFD instruction divides a 128-bit value into four 32-bit subwords, and each 32-bit subword in the destination register can be selected from any of the four source subwords, as specified by an 8-bit immediate value.

Although these instructions are efficient for certain types of subword permutations, they do not solve the subword permutation problem completely. The instructions like PERMUTE, for example, can process only a small number of subwords, and the instructions like MIX or MUX perform a few fixed permutations only. There are still many open problems regarding subword permutations. Are there instructions that can perform arbitrary permutation of subwords in different sizes, e.g., from 16 bits, 8 bits down to 1 bit? How fast can they perform permutations using the two-operand, one-result datapath in conventional processors? On such a datapath, as shown in Figure 1.2 for single-issue processors, a functional unit receives two source operands and returns one result. These are some questions that will be addressed in this thesis.

Bit permutation

The bit permutation is the most difficult of subword permutations. The difficulty lies in the large number of distinctive results that the bit permutation operation may generate; there are $n!$ different ways to permute the bits in an n-bit register. Other common operations do not have such variation in the results. For example, the ADD operation on n-bit registers can generate only $2^n$ different results, whereas the $n!$ different results for bit permutations are on the order of $n^n$ different results. Ideally, the solution to the bit permutation problem may be applied to the permutation of larger subwords as well.

[Figure 1.2: Basic datapath in single-issue processors (register file, ALU, shifter; n-bit operands and result)]

The bit permutations are interesting not only because they are the most difficult subword permutations but also because they are important for block ciphers to achieve security. Block ciphers are a class of cryptographic algorithms that are used to protect private and sensitive data. The use of bit permutations in block ciphers will be investigated in detail in the next chapter. Since bit permutations are not supported very well on existing processors, cipher designers tend to use simple permutations. These simple permutations, however, may not be the best for achieving the security goals. Efficient bit permutation instructions will not only be able to accelerate existing ciphers that use complicated permutations, but also will enable the use of any arbitrary permutations in the design of new ciphers.

1.2 Thesis contributions

The thesis concentrates on bit permutations. The first problem that is solved is how to perform arbitrary bit permutations efficiently with the datapath in conventional processors, which takes only two source operands and generates one result. A new instruction called GRP is defined for fast bit permutations. It can perform arbitrary n-bit permutations within $\log_2(n)$ steps, the minimum number of steps required to perform such permutations on the conventional two-source one-destination datapath, while the traditional instructions take $O(n)$ steps. The GRP instruction can also be used to permute subwords of larger sizes efficiently.

The thesis also presents new studies of the implementation complexity of several bit permutation instructions. It compares the latencies of their respective functional units using logical effort, a process technology independent methodology. In addition to proposing implementations of the GRP instruction, the thesis improves the implementations of two other permutation instructions, CROSS and OMFLIP, significantly reducing their latencies.

The cryptographic properties of the permutation instructions are studied with respect to the two most effective cryptanalytic techniques for block ciphers. The permutation instructions are compared with data-dependent rotations (DDR). DDR has been used in several ciphers, but has been found vulnerable to certain types of attacks. The results in this thesis show that the GRP instruction has complementary properties with respect to DDR, and may be used to protect the vulnerabilities of DDR. A cipher using both of them can achieve the desired security level faster. This is demonstrated by an example in which the GRP instruction improves the security and performance of a well-known cipher RC5. The new bit permutations offer new primitives and opportunities for cryptographers to design fast and secure ciphers.

The thesis also investigates the versatility of the GRP instruction and demonstrates that it can be used to accelerate other applications like subword sorting. Using the GRP instruction to accelerate subword sorting also serves as an example showing how the bit permutation instructions may be used to accelerate applications that use subwords larger than single bits.

1.3 Thesis organization

The organization of this thesis is as follows. Chapter 1 provided the background on processor architecture motivations for permutations and past work on subword and bit permutations.

Chapter 2 first provides an overview of the commonly used cryptographic algorithms, and then investigates the basic operations used in block ciphers. The bit permutation operation is identified as the only operation that is not supported well on current processors.

Chapter 3 studies alternative solutions for the bit permutation problem. First, it introduces a novel instruction, called GRP, for performing arbitrary bit permutations on conventional datapaths, and provides an algorithm that configures a sequence of the GRP instructions to achieve any arbitrary permutation. Then, it studies several other bit permutation alternatives proposed recently and compares all the permutation instructions from multiple perspectives. The last section of the chapter studies how bit permutations may be performed even faster in processors that allow more flexibility on instruction set architecture and micro-architecture.

In Chapter 4, the implementation of several permutation instructions is studied. The latency of the permutation circuits is examined using logical effort, a process technology

independent method. The results imply that all the bit permutation instructions can be implemented on most processors without slowing down the processor clock.

Chapter 5 presents the work on cryptographic properties of bit permutation operations and their applications in cipher design. After introducing differential cryptanalysis and linear cryptanalysis, this chapter compares the cryptographic properties of the bit permutation operations with those of DDR. Following that, the thesis uses a well-known cipher, RC5, as an example to demonstrate how the GRP instruction can be used in block ciphers to protect against the weakness of DDR. The GRP instruction can improve the performance of RC5 while maintaining the same level of security.

Chapter 6 demonstrates the versatility of the GRP instruction, showing how it can be used to accelerate subword sorting problems. Finally, Chapter 7 summarizes the thesis and discusses some future research directions.

Chapter 2 Bit Permutations in Secret-key Encryption

This chapter provides an overview of commonly used cryptographic algorithms, and then focuses on a class of cryptographic algorithms known as block ciphers. The basic operations in this class of algorithms are then examined. Among the basic operations used in block ciphers, the bit permutation operation is identified as the only one that is not well-supported on existing processors.

The organization of this chapter is as follows. Section 2.1 briefly describes commonly-used cryptographic algorithms. Section 2.2 discusses block ciphers, a class of cryptographic algorithms that are used to encrypt bulk data. Section 2.3 investigates the basic operations that are used in block ciphers. Section 2.4 examines the existing support of these basic operations on processors, and Section 2.5 summarizes this chapter.

2.1 Cryptographic algorithms

Different types of cryptographic algorithms have been designed to achieve different security functions such as confidentiality, authentication, and data integrity.

Confidentiality. Confidentiality protects against eavesdropping on private or sensitive data. For example, customers shopping on the Internet demand protection of credit card numbers against anyone sniffing the network traffic.

Authentication. Authentication is a process of confirming an identity. A system or a person should be able to ascertain the origin of messages he receives; and an attacker or intruder should be prevented from masquerading as someone else to retrieve information or obtain services.

Data integrity. Data integrity ensures no modification occurs to data in transit; an attacker should be unable to replace a legitimate message with an altered message without being detected.

These security requirements can be achieved with symmetric-key algorithms, public-key algorithms, and hash functions, respectively. There are many other security requirements in cyber space. But these three types of algorithms provide some of the basic security needs of e-commerce, e-business, and other transactions.

Symmetric-key algorithms

Cryptographic algorithms provide confidentiality by converting data into a form that is difficult to understand. The input is called plaintext, and the output ciphertext. This process of converting the plaintext into the ciphertext is called encryption. The plaintext is protected by secret information, referred to as the secret key, introduced during encryption. Decryption, which converts the ciphertext back to the plaintext, is the reverse of encryption. The algorithms for encryption and decryption are also called ciphers. Although it is trivial to do decryption with the knowledge of the key, a good symmetric-key algorithm makes it extremely difficult to deduce the plaintext from the ciphertext without knowing the key. Trying to crack the ciphertext without the secret key takes an

extremely long time, even when using very powerful computers. For example, suppose a cipher requires trials to break it, and a supercomputer can perform $2^{49}$ trials every second (for example, the BlueGene supercomputer that is being built is expected to perform about $2^{49}$ floating-point operations per second [23]). There are about $2^{25}$ seconds in a year, so it would take $2^{53}$ years to break the cipher while the age of the universe is only $2^{34}$ years [24]. As a result, the plaintext is only accessible to the people who know the secret key.

Symmetric-key algorithms use the same key in both encryption and decryption. Figure 2.1 illustrates how symmetric-key ciphers work. Encryption converts the plaintext to the ciphertext with a key, and the same key is used to decrypt the ciphertext. Since anyone who knows the key can decrypt the ciphertext, the key should be kept confidential. For that reason, the symmetric-key algorithms are also called secret-key algorithms.

[Figure 2.1: Symmetric-key algorithms. Plaintext P, Encryption E with key k, Ciphertext C, Decryption D with key k, Plaintext P]

The process of encryption can be represented as:

$C = E_k(P)$,

where P is the plaintext, k is the key, and C is the ciphertext. Similarly, the decryption process can be represented as:

$P = D_k(C)$.

The subscript k is sometimes omitted. The algorithms in this category include DES [25], AES [26], RC5 [27], RC6 [28], MARS [29], Twofish [30], Serpent [31], IDEA [32], and Kasumi [33]. These algorithms are discussed in greater detail in Section

Public-key algorithms

Unlike symmetric-key algorithms, public-key algorithms use different keys for encryption and decryption. Hence, they are also called asymmetric algorithms. For example, an asymmetric-key algorithm may need a pair of keys (d, e). Messages encrypted with e can only be decrypted with d, and vice versa. One of the keys can be known by everybody and is called a public key. The other key should be kept secret, and is called a private key. In a public-key algorithm, it should be computationally infeasible to deduce the private key just from the public key. Figure 2.2 shows an example of public-key algorithms. The plaintext is encrypted with the public key, and the ciphertext is decrypted with the private key.

[Figure 2.2: Public-key algorithms. Plaintext, Encryption with public key e, Ciphertext, Decryption with private key d, Plaintext]

Besides providing confidentiality similar to symmetric-key algorithms, public-key algorithms can also be used to perform user authentication. For instance, Alice can send the server a message encrypted with her private key when she wants access. The

plaintext may include random bits, called a nonce, generated by the server. After the server receives the ciphertext generated by Alice, it can verify the encrypted message by trying to decrypt the message with Alice's public key. If the message can be decrypted correctly, the server believes the message is from Alice because only Alice can generate a message with her private key. Public-key algorithms can also be used to generate digital signatures. This will be described in the next subsection.

The most popular public-key algorithms are RSA [34], El Gamal [35], and Diffie-Hellman [36]. Elliptic Curve Cryptography (ECC) algorithms are newer public-key algorithms [37]. They use shorter keys while achieving the same level of security as RSA.

Hash algorithms

Hash algorithms take as input a message of arbitrary length, and produce a hash or message digest as output. This process can be denoted as:

$h = H(M)$

where M is the input message and h is the hash generated by the hash algorithm H. Normally, the size of the hash h is fixed by the algorithm. Hash algorithms have the following properties. First, a hash algorithm is a one-way function. It is easy to compute the hash from a message, but it is impossible to deduce the message from the hash. Second, it is extremely hard to find two inputs that generate the same hash. Any change in the input results in changes, often wild changes, in the hash. Although the size of the hash is fixed regardless of the size of the input message, it should be large enough to prevent an attacker from finding two or more messages that

generate the same hash. The most common hash algorithms are MD5 [38] and SHA [39]. MD5 generates a 128-bit hash, and SHA generates a 180-bit hash.

Hash algorithms can be used to verify data integrity. After receiving data, one can compute the hash of the received data, and compare it with the hash of the original data, which may be encrypted or sent through secure channels. If they are the same, there is a high confidence level that the message was not modified during the transmission.

Hash algorithms can also be used together with public-key algorithms to generate digital signatures. For example, Alice can sign a document by encrypting the hash of the message with her private key. The ciphertext can be used as Alice's signature. Anyone who wants to verify the signature can decrypt the ciphertext with Alice's public key, and compare the decrypted value with the hash that is generated from the message. This process is shown in Figure 2.3. The left part of the figure generates the signature with Alice's private key, and the right part checks the signature with her public key.

[Figure 2.3: Digital signature. Left: the hash of the message is encrypted with the private key to produce the signature. Right: the signature is decrypted with the public key and compared with the hash of the message.]

Hash algorithms can be used for authentication as well. In this case, the hash value of the user's password, instead of the password itself, is transmitted and compared by the server. When computing the hash, the password may be concatenated with a random

value generated by the server. Hence, the hashes are different every time, preventing an attacker sniffing on the network traffic from reusing an old hash. For example, the Challenge-Handshake Authentication Protocol (CHAP) [40] uses this approach to do authentication in the Point-to-Point Protocol (PPP) [41] for dial-up Internet connections.

[Figure 2.4: The authentication process in CHAP. Client: user U01; server: S01. The server sends a Challenge packet (code 01) carrying id and rv, the client returns a Response packet carrying id and h, and the server answers with a Success packet (code 03) or a Failure packet.]

Figure 2.4 illustrates the authentication process specified in CHAP with six steps. In the figure, the server S01 verifies whether the client knows user U01's password. In Step 1, the server generates a sequential number id identifying the challenge and a random value rv. In Step 2, it builds a data packet and sends it to the client. This data packet is called the Challenge packet. The Challenge packet, indicated by the code 01, includes the sequential number id, the random value rv, and the server name. After the client receives the Challenge packet, it first obtains user U01's password p on the server S01. Then, the

client calculates the hash h of id, rv, and p in Step 3, and builds a Response packet, which includes the sequential number id, the hash h, and the user name. A Response packet is identified by the code 02. In Step 4, the client sends the Response packet to the server. When the server receives the Response packet in Step 5, it retrieves the original random value in the Challenge packet identified by id. It also looks up U01's password in its user information database. Then, it repeats the calculation of the hash of the sequential number, the random value, and U01's password. If the server generates the same hash as the client does, it believes that the client knows U01's password, and sends a Success packet with code 03 to the client, as shown in Step 6 in the figure. If the two hashes are different, the server will send a Failure packet to the client.

2.2 Block ciphers

Although both the symmetric-key and public-key algorithms can provide confidentiality by encrypting data, symmetric-key algorithms remain the practical solutions for applications requiring high data rates, or for encrypting large amounts of data, often referred to as bulk data. Public-key algorithms are mainly used in applications such as authentication and digital signature. In software implementations, symmetric-key algorithms can be two to three orders of magnitude faster than public-key algorithms [24].

There are two types of symmetric-key algorithms: stream ciphers and block ciphers. Stream ciphers operate on small units of plaintext, such as bits or bytes. Stream ciphers are able to encrypt a small unit each time, and do not have to wait for a block of data to be generated. A stream cipher has a keystream generator producing a stream of bits: $k_1, k_2, \ldots, k_n, \ldots$ Each k is a small unit in the stream cipher. The ciphertext, for example, is generated by XOR-ing the keystream with the plaintext $p_1, p_2, \ldots, p_n, \ldots$:

$c_i = p_i \oplus k_i$.

Decryption is just XOR-ing the ciphertexts with the same keystream. The security of a stream cipher depends on the keystream generator. A one-time pad [24] is a stream cipher in which the keystream generator generates an endless, truly random keystream and the keystream is used only once. A one-time pad is a perfect cipher; it is secure under any type of attack. But the one-time pad also has some problems. For example, the length of the keystream must be equal to the length of the plaintext, which makes the key storage and distribution very difficult for long messages and for high-bandwidth communication channels.

Block ciphers divide the plaintext into blocks and encrypt a block at a time. The typical block size is 64 bits, 128 bits, or 256 bits. Block ciphers are especially interesting for two reasons: block ciphers are used in most systems, and stream ciphers can be constructed easily from block ciphers. Given a block cipher, for example, the keystream of a stream cipher can be constructed as the encrypted value of a sequence derived from a random value: $E(s), E(s + 1), E(s + 2), \ldots, E(s + i), \ldots$, where s is a random value [24].

Block ciphers normally use two techniques to achieve security: confusion and diffusion [42]. Confusion is the use of enciphering transformations that complicate the determination of how the statistics of the ciphertext depend on the statistics of the plaintext [42]. More simply, confusion tries to make the relationship between ciphertext and plaintext as complex as possible, thereby hiding the statistics of the plaintext. Diffusion causes the statistical structure of the plaintext to be dissipated into long range statistics, i.e., into statistical structure involving long combinations of letters in the cryptogram [42]. More simply, the redundancy of the plaintext is spread over a large section of the ciphertext.
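The keystream construction E(s), E(s + 1), ... and the rule that a keystream is used only once, shown as an added Python example (not code from the thesis). It uses RC5-32/12/16, one of the ciphers listed in Section 2.1, as the block cipher E; the function names, the sample key, the value of s and the messages are constructed for illustration.

```python
# Added example: a stream cipher built from a block cipher, c_i = p_i XOR k_i,
# with keystream blocks E(s), E(s+1), ...  E is RC5-32/12/16 (32-bit words,
# 12 rounds, 16-byte key), written after Rivest's published description.
W, R = 32, 12
MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9      # RC5 "magic constants" for w = 32


def rotl(x, s):
    """Rotate a 32-bit word left by s mod 32 (RC5's data-dependent rotation)."""
    s %= W
    return ((x << s) | (x >> (W - s))) & MASK


def expand_key(key):
    """RC5 key schedule: returns the 2(r+1) round-key words S."""
    c = max(1, (len(key) + 3) // 4)
    L = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(c)]
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_block(S, A, B):
    """E: encrypt one 64-bit block given as two 32-bit words (A, B)."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, R + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B


def keystream(S, s, nbytes):
    """Keystream bytes taken from E(s), E(s+1), E(s+2), ... (s is 64 bits)."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        block = (s + i) & 0xFFFFFFFFFFFFFFFF
        A, B = encrypt_block(S, block & MASK, block >> 32)
        out += A.to_bytes(4, "little") + B.to_bytes(4, "little")
        i += 1
    return bytes(out[:nbytes])


def xor_stream(S, s, data):
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(S, s, len(data))))


def demo():
    S = expand_key(bytes(range(16)))   # constructed sample key
    s = 0x0123456789ABCDEF             # constructed; the "random value s"
    p1 = b"Symmetric-key ciphers can protect sensitive data."
    p2 = b"Messages can also be encrypted with public keys.."
    c1 = xor_stream(S, s, p1)
    recovered = xor_stream(S, s, c1)   # decryption = same XOR
    # Failure mode: the same (key, s) pair used for a second message.
    c2 = xor_stream(S, s, p2)
    c_xor = bytes(a ^ b for a, b in zip(c1, c2))
    p_xor = bytes(a ^ b for a, b in zip(p1, p2))
    # With a fresh s for the second message the keystream no longer cancels.
    c3 = xor_stream(S, s + 1000, p2)
    fresh_xor = bytes(a ^ b for a, b in zip(c1, c3))
    return recovered == p1, c_xor == p_xor, fresh_xor == p_xor


if __name__ == "__main__":
    print(demo())
```

When s is reused under the same key, the keystream cancels and the XOR of the two ciphertexts equals the XOR of the two plaintexts, so s must be fresh for every message.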
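Returning to the CHAP exchange of Figure 2.4 in Section 2.1, the six steps as an added Python example (not code from the thesis). MD5 and the hashing order id, secret, challenge follow RFC 1994; the class and function names, the sample password and the Failure code 04 (from RFC 1994, not given in the text) are assumptions.

```python
# Added example: the CHAP challenge/response of Figure 2.4, both sides.
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # 04 is taken from RFC 1994


def chap_hash(ident, password, rv):
    """h = H(id, rv, p); RFC 1994 hashes the octets id || secret || challenge."""
    return hashlib.md5(bytes([ident]) + password + rv).digest()


class ChapServer:
    def __init__(self, name, passwords):
        self.name = name
        self.passwords = passwords   # user name -> password (constructed data)
        self.next_id = 0
        self.pending = {}            # id -> rv for challenges awaiting a response

    def challenge(self):
        """Steps 1-2: pick a sequential id and a random rv, send code 01."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        rv = os.urandom(16)
        self.pending[ident] = rv
        return (CHALLENGE, ident, rv, self.name)

    def verify(self, packet):
        """Steps 5-6: recompute the hash and answer Success or Failure."""
        code, ident, h, user = packet
        rv = self.pending.pop(ident, None)   # each challenge is answered once
        password = self.passwords.get(user)
        if code != RESPONSE or rv is None or password is None:
            return (FAILURE, ident)
        expected = chap_hash(ident, password, rv)
        ok = hmac.compare_digest(expected, h)   # constant-time comparison
        return (SUCCESS if ok else FAILURE, ident)


def chap_respond(packet, user, password):
    """Steps 3-4: the client hashes id, rv and its password, sends code 02."""
    _code, ident, rv, _server_name = packet
    return (RESPONSE, ident, chap_hash(ident, password, rv), user)


def demo():
    server = ChapServer(b"S01", {b"U01": b"correct horse"})   # constructed
    # Legitimate client.
    resp1 = chap_respond(server.challenge(), b"U01", b"correct horse")
    legit = server.verify(resp1)[0]
    # Client that does not know the password.
    wrong = server.verify(chap_respond(server.challenge(), b"U01", b"guess"))[0]
    # An old hash sent against a new challenge: id and rv differ, so it fails.
    ch3 = server.challenge()
    replay = server.verify((RESPONSE, ch3[1], resp1[2], b"U01"))[0]
    # The old Response packet resent unchanged: its challenge is no longer pending.
    stale = server.verify(resp1)[0]
    return legit, wrong, replay, stale


if __name__ == "__main__":
    print(demo())
```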


Reduced Area & Improved Delay Module Design of 16- Bit Hamming Codec using HSPICE 22nm Technology based on GDI Technique International Journal of Scientific and Research Publications, Volume 4, Issue 7, July 2014 1 Reduced Area & Improved Delay Module Design of 16- Bit Hamming Codec using HSPICE 22nm Technology based on

More information

Contents 1 Introduction 2 MOS Fabrication Technology

Contents 1 Introduction 2 MOS Fabrication Technology Contents 1 Introduction... 1 1.1 Introduction... 1 1.2 Historical Background [1]... 2 1.3 Why Low Power? [2]... 7 1.4 Sources of Power Dissipations [3]... 9 1.4.1 Dynamic Power... 10 1.4.2 Static Power...

More information

Conditional Cube Attack on Reduced-Round Keccak Sponge Function

Conditional Cube Attack on Reduced-Round Keccak Sponge Function Conditional Cube Attack on Reduced-Round Keccak Sponge Function Senyang Huang 1, Xiaoyun Wang 1,2,3, Guangwu Xu 4, Meiqin Wang 2,3, Jingyuan Zhao 5 1 Institute for Advanced Study, Tsinghua University,

More information

Design of Message Authentication Code with AES and. SHA-1 on FPGA

Design of Message Authentication Code with AES and. SHA-1 on FPGA Design of Message uthentication Code with ES and SH-1 on FPG Kuo-Hsien Yeh, Yin-Zhen Liang Institute of pplied Information, Leader University, Tainan City, 709, Taiwan E-mail: khyeh@mail.leader.edu.tw

More information

Chapter 3 LEAST SIGNIFICANT BIT STEGANOGRAPHY TECHNIQUE FOR HIDING COMPRESSED ENCRYPTED DATA USING VARIOUS FILE FORMATS

Chapter 3 LEAST SIGNIFICANT BIT STEGANOGRAPHY TECHNIQUE FOR HIDING COMPRESSED ENCRYPTED DATA USING VARIOUS FILE FORMATS 44 Chapter 3 LEAST SIGNIFICANT BIT STEGANOGRAPHY TECHNIQUE FOR HIDING COMPRESSED ENCRYPTED DATA USING VARIOUS FILE FORMATS 45 CHAPTER 3 Chapter 3: LEAST SIGNIFICANT BIT STEGANOGRAPHY TECHNIQUE FOR HIDING

More information

OFDM Based Low Power Secured Communication using AES with Vedic Mathematics Technique for Military Applications

OFDM Based Low Power Secured Communication using AES with Vedic Mathematics Technique for Military Applications OFDM Based Low Power Secured Communication using AES with Vedic Mathematics Technique for Military Applications Elakkiya.V 1, Sharmila.S 2, Swathi Priya A.S 3, Vinodha.K 4 1,2,3,4 Department of Electronics

More information

o Broken by using frequency analysis o XOR is a polyalphabetic cipher in binary

o Broken by using frequency analysis o XOR is a polyalphabetic cipher in binary We spoke about defense challenges Crypto introduction o Secret, public algorithms o Symmetric, asymmetric crypto, one-way hashes Attacks on cryptography o Cyphertext-only, known, chosen, MITM, brute-force

More information

Area Efficient and Low Power Reconfiurable Fir Filter

Area Efficient and Low Power Reconfiurable Fir Filter 50 Area Efficient and Low Power Reconfiurable Fir Filter A. UMASANKAR N.VASUDEVAN N.Kirubanandasarathy Research scholar St.peter s university, ECE, Chennai- 600054, INDIA Dean (Engineering and Technology),

More information

On Chip Active Decoupling Capacitors for Supply Noise Reduction for Power Gating and Dynamic Dual Vdd Circuits in Digital VLSI

On Chip Active Decoupling Capacitors for Supply Noise Reduction for Power Gating and Dynamic Dual Vdd Circuits in Digital VLSI ELEN 689 606 Techniques for Layout Synthesis and Simulation in EDA Project Report On Chip Active Decoupling Capacitors for Supply Noise Reduction for Power Gating and Dynamic Dual Vdd Circuits in Digital

More information

A Novel Approach of Compressing Images and Assessment on Quality with Scaling Factor

A Novel Approach of Compressing Images and Assessment on Quality with Scaling Factor A Novel Approach of Compressing Images and Assessment on Quality with Scaling Factor Umesh 1,Mr. Suraj Rana 2 1 M.Tech Student, 2 Associate Professor (ECE) Department of Electronic and Communication Engineering

More information

Lecture 13 February 23

Lecture 13 February 23 EE/Stats 376A: Information theory Winter 2017 Lecture 13 February 23 Lecturer: David Tse Scribe: David L, Tong M, Vivek B 13.1 Outline olar Codes 13.1.1 Reading CT: 8.1, 8.3 8.6, 9.1, 9.2 13.2 Recap -

More information

II. RC4 Cryptography is the art of communication protection. This art is scrambling a message so it cannot be clear; it

II. RC4 Cryptography is the art of communication protection. This art is scrambling a message so it cannot be clear; it Enhancement of RC4 Algorithm using PUF * Ziyad Tariq Mustafa Al-Ta i, * Dhahir Abdulhade Abdullah, Saja Talib Ahmed *Department of Computer Science - College of Science - University of Diyala - Iraq Abstract:

More information

The Message Passing Interface (MPI)

The Message Passing Interface (MPI) The Message Passing Interface (MPI) MPI is a message passing library standard which can be used in conjunction with conventional programming languages such as C, C++ or Fortran. MPI is based on the point-to-point

More information

EE 418: Network Security and Cryptography

EE 418: Network Security and Cryptography EE 418: Network Security and Cryptography Homework 3 Solutions Assigned: Wednesday, November 2, 2016, Due: Thursday, November 10, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University

More information

Minimum key length for cryptographic security

Minimum key length for cryptographic security Journal of Applied Mathematics & Bioinformatics, vol.3, no.1, 2013, 181-191 ISSN: 1792-6602 (print), 1792-6939 (online) Scienpress Ltd, 2013 Minimum key length for cryptographic security George Marinakis

More information

Methodologies for power analysis attacks on hardware implementations of AES

Methodologies for power analysis attacks on hardware implementations of AES Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 8-1-2009 Methodologies for power analysis attacks on hardware implementations of AES Kenneth James Smith Follow

More information

Security in Sensor Networks. Written by: Prof. Srdjan Capkun & Others Presented By : Siddharth Malhotra Mentor: Roland Flury

Security in Sensor Networks. Written by: Prof. Srdjan Capkun & Others Presented By : Siddharth Malhotra Mentor: Roland Flury Security in Sensor Networks Written by: Prof. Srdjan Capkun & Others Presented By : Siddharth Malhotra Mentor: Roland Flury Mobile Ad-hoc Networks (MANET) Mobile Random and perhaps constantly changing

More information

SECURITY OF CRYPTOGRAPHIC SYSTEMS. Requirements of Military Systems

SECURITY OF CRYPTOGRAPHIC SYSTEMS. Requirements of Military Systems SECURITY OF CRYPTOGRAPHIC SYSTEMS CHAPTER 2 Section I Requirements of Military Systems 2-1. Practical Requirements Military cryptographic systems must meet a number of practical considerations. a. b. An

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 25 Mental Poker And Semantic Security CS 355 Fall 2005 / Lecture 25 1 Lecture Outline Review of number theory The Mental Poker Protocol Semantic security Semantic

More information

Design of Parallel Algorithms. Communication Algorithms

Design of Parallel Algorithms. Communication Algorithms + Design of Parallel Algorithms Communication Algorithms + Topic Overview n One-to-All Broadcast and All-to-One Reduction n All-to-All Broadcast and Reduction n All-Reduce and Prefix-Sum Operations n Scatter

More information

A Novel Color Image Cryptosystem Using Chaotic Cat and Chebyshev Map

A Novel Color Image Cryptosystem Using Chaotic Cat and Chebyshev Map www.ijcsi.org 63 A Novel Color Image Cryptosystem Using Chaotic Cat and Chebyshev Map Jianjiang CUI 1, Siyuan LI 2 and Dingyu Xue 3 1 School of Information Science and Engineering, Northeastern University,

More information

Secure Distributed Computation on Private Inputs

Secure Distributed Computation on Private Inputs Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015 The Cloud David Pointcheval Introduction

More information

ElGamal Public-Key Encryption and Signature

ElGamal Public-Key Encryption and Signature ElGamal Public-Key Encryption and Signature Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 10 ElGamal Cryptosystem and Signature Scheme Taher ElGamal, originally from Egypt,

More information

DATA ENCODING TECHNIQUES FOR LOW POWER CONSUMPTION IN NETWORK-ON-CHIP

DATA ENCODING TECHNIQUES FOR LOW POWER CONSUMPTION IN NETWORK-ON-CHIP DATA ENCODING TECHNIQUES FOR LOW POWER CONSUMPTION IN NETWORK-ON-CHIP S. Narendra, G. Munirathnam Abstract In this project, a low-power data encoding scheme is proposed. In general, system-on-chip (soc)

More information

Pseudorandom Number Generation and Stream Ciphers

Pseudorandom Number Generation and Stream Ciphers Pseudorandom Number Generation and Stream Ciphers Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Analysis and loss estimation of different multilevel DC-DC converter modules and different proposed multilevel DC-DC converter systems

Analysis and loss estimation of different multilevel DC-DC converter modules and different proposed multilevel DC-DC converter systems The University of Toledo The University of Toledo Digital Repository Theses and Dissertations 2014 Analysis and loss estimation of different multilevel DC-DC converter modules and different proposed multilevel

More information

Amalgamation of Cyclic Bit Operation in SD-EI Image Encryption Method: An Advanced Version of SD-EI Method: SD-EI Ver-2

Amalgamation of Cyclic Bit Operation in SD-EI Image Encryption Method: An Advanced Version of SD-EI Method: SD-EI Ver-2 Amalgamation of Cyclic Bit Operation in SD-EI Image Encryption Method: An Advanced Version of SD-EI Method: SD-EI Ver-2 Somdip Dey St. Xavier s College [Autonomous] Kolkata, India E-mail: somdipdey@ieee.org

More information

Design of a High Throughput 128-bit AES (Rijndael Block Cipher)

Design of a High Throughput 128-bit AES (Rijndael Block Cipher) Design of a High Throughput 128-bit AES (Rijndael Block Cipher Tanzilur Rahman, Shengyi Pan, Qi Zhang Abstract In this paper a hardware implementation of a high throughput 128- bits Advanced Encryption

More information

UNIT-II LOW POWER VLSI DESIGN APPROACHES

UNIT-II LOW POWER VLSI DESIGN APPROACHES UNIT-II LOW POWER VLSI DESIGN APPROACHES Low power Design through Voltage Scaling: The switching power dissipation in CMOS digital integrated circuits is a strong function of the power supply voltage.

More information

A SURVEY ON DIFFERENT ARCHITECTURE FOR XOR GATE

A SURVEY ON DIFFERENT ARCHITECTURE FOR XOR GATE A SURVEY ON DIFFERENT ARCHITECTURE FOR XOR GATE S.Rajarajeshwari, V.Vaishali #1 and C.Saravanakumar *2 # UG Student, Department of ECE, Valliammai Engineering College, Chennai,India * Assistant Professor,

More information

High Speed, Low power and Area Efficient Processor Design Using Square Root Carry Select Adder

High Speed, Low power and Area Efficient Processor Design Using Square Root Carry Select Adder IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 9, Issue 2, Ver. VII (Mar - Apr. 2014), PP 14-18 High Speed, Low power and Area Efficient

More information

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME International Journal of Power Control Signal and Computation (IJPCSC) Vol. 2 No. 1 ISSN : 0976-268X A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME 1 P. Arunagiri, 2 B.Rajeswary, 3 S.Arunmozhi

More information

A Level-Encoded Transition Signaling Protocol for High-Throughput Asynchronous Global Communication

A Level-Encoded Transition Signaling Protocol for High-Throughput Asynchronous Global Communication A Level-Encoded Transition Signaling Protocol for High-Throughput Asynchronous Global Communication Peggy B. McGee, Melinda Y. Agyekum, Moustafa M. Mohamed and Steven M. Nowick {pmcgee, melinda, mmohamed,

More information

AREA AND DELAY EFFICIENT DESIGN FOR PARALLEL PREFIX FINITE FIELD MULTIPLIER

AREA AND DELAY EFFICIENT DESIGN FOR PARALLEL PREFIX FINITE FIELD MULTIPLIER AREA AND DELAY EFFICIENT DESIGN FOR PARALLEL PREFIX FINITE FIELD MULTIPLIER 1 CH.JAYA PRAKASH, 2 P.HAREESH, 3 SK. FARISHMA 1&2 Assistant Professor, Dept. of ECE, 3 M.Tech-Student, Sir CR Reddy College

More information

Wireless Digital Nodes

Wireless Digital Nodes Wireless Digital Nodes Building a Ham Internet Atlanta Radio Club Presentation 4/2/2004 Frank Rietta, KI4AWF Dave Hall, KG4ZGG Purpose Show how an old PC can be turned into an wireless server without being

More information

Dr. V.U.K.Sastry Professor (CSE Dept), Dean (R&D) SreeNidhi Institute of Science & Technology, SNIST Hyderabad, India. P = [ p

Dr. V.U.K.Sastry Professor (CSE Dept), Dean (R&D) SreeNidhi Institute of Science & Technology, SNIST Hyderabad, India. P = [ p Vol., No., A Block Cipher Involving a Key Bunch Matrix and an Additional Key Matrix, Supplemented with XOR Operation and Supported by Key-Based Permutation and Substitution Dr. V.U.K.Sastry Professor (CSE

More information

Chapter 16 - Instruction-Level Parallelism and Superscalar Processors

Chapter 16 - Instruction-Level Parallelism and Superscalar Processors Chapter 16 - Instruction-Level Parallelism and Superscalar Processors Luis Tarrataca luis.tarrataca@gmail.com CEFET-RJ L. Tarrataca Chapter 16 - Superscalar Processors 1 / 78 Table of Contents I 1 Overview

More information

Video Enhancement Algorithms on System on Chip

Video Enhancement Algorithms on System on Chip International Journal of Scientific and Research Publications, Volume 2, Issue 4, April 2012 1 Video Enhancement Algorithms on System on Chip Dr.Ch. Ravikumar, Dr. S.K. Srivatsa Abstract- This paper presents

More information

Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala

Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers Praveen Vadnala Differential Power Analysis Implementations of cryptographic systems leak Leaks from bit 1 and bit 0 are

More information

Computer Science as a Discipline

Computer Science as a Discipline Computer Science as a Discipline 1 Computer Science some people argue that computer science is not a science in the same sense that biology and chemistry are the interdisciplinary nature of computer science

More information

On a Viterbi decoder design for low power dissipation

On a Viterbi decoder design for low power dissipation On a Viterbi decoder design for low power dissipation By Samirkumar Ranpara Thesis submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements

More information

Symmetric-key encryption scheme based on the strong generating sets of permutation groups

Symmetric-key encryption scheme based on the strong generating sets of permutation groups Symmetric-key encryption scheme based on the strong generating sets of permutation groups Ara Alexanyan Faculty of Informatics and Applied Mathematics Yerevan State University Yerevan, Armenia Hakob Aslanyan

More information

A Hybrid Technique for Image Compression

A Hybrid Technique for Image Compression Australian Journal of Basic and Applied Sciences, 5(7): 32-44, 2011 ISSN 1991-8178 A Hybrid Technique for Image Compression Hazem (Moh'd Said) Abdel Majid Hatamleh Computer DepartmentUniversity of Al-Balqa

More information

Secured Bank Authentication using Image Processing and Visual Cryptography

Secured Bank Authentication using Image Processing and Visual Cryptography Secured Bank Authentication using Image Processing and Visual Cryptography B.Srikanth 1, G.Padmaja 2, Dr. Syed Khasim 3, Dr. P.V.S.Lakshmi 4, A.Haritha 5 1 Assistant Professor, Department of CSE, PSCMRCET,

More information

Implementation and Performance Testing of the SQUASH RFID Authentication Protocol

Implementation and Performance Testing of the SQUASH RFID Authentication Protocol Implementation and Performance Testing of the SQUASH RFID Authentication Protocol Philip Koshy, Justin Valentin and Xiaowen Zhang * Department of Computer Science College of n Island n Island, New York,

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 128 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 128 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 128 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 128

More information

Lightweight Mixcolumn Architecture for Advanced Encryption Standard

Lightweight Mixcolumn Architecture for Advanced Encryption Standard Volume 6 No., February 6 Lightweight Micolumn Architecture for Advanced Encryption Standard K.J. Jegadish Kumar Associate professor SSN college of engineering kalvakkam, Chennai-6 R. Balasubramanian Post

More information

High performance Radix-16 Booth Partial Product Generator for 64-bit Binary Multipliers

High performance Radix-16 Booth Partial Product Generator for 64-bit Binary Multipliers High performance Radix-16 Booth Partial Product Generator for 64-bit Binary Multipliers Dharmapuri Ranga Rajini 1 M.Ramana Reddy 2 rangarajini.d@gmail.com 1 ramanareddy055@gmail.com 2 1 PG Scholar, Dept

More information

A new serial/parallel architecture for a low power modular multiplier*

A new serial/parallel architecture for a low power modular multiplier* A new serial/parallel architecture for a low power modular multiplier* JOHANN GROBSCIIADL Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse

More information

SIDE-CHANNEL attacks exploit the leaked physical information

SIDE-CHANNEL attacks exploit the leaked physical information 546 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 57, NO. 7, JULY 2010 A Low Overhead DPA Countermeasure Circuit Based on Ring Oscillators Po-Chun Liu, Hsie-Chia Chang, Member, IEEE,

More information

DRAFT 2016 CSTA K-12 CS

DRAFT 2016 CSTA K-12 CS 2016 CSTA K-12 CS Standards: Level 1 (Grades K-5) K-2 Locate and identify (using accurate terminology) computing, input, and output devices in a variety of environments (e.g., desktop and laptop computers,

More information

A Fast Image Encryption Scheme based on Chaotic Standard Map

A Fast Image Encryption Scheme based on Chaotic Standard Map A Fast Image Encryption Scheme based on Chaotic Standard Map Kwok-Wo Wong, Bernie Sin-Hung Kwok, and Wing-Shing Law Department of Electronic Engineering, City University of Hong Kong, 83 Tat Chee Avenue,

More information

Indiana K-12 Computer Science Standards

Indiana K-12 Computer Science Standards Indiana K-12 Computer Science Standards What is Computer Science? Computer science is the study of computers and algorithmic processes, including their principles, their hardware and software designs,

More information