applied cryptography in embedded systems

applied cryptography in embedded systems
UNIVERSITY OF VAASA
FACULTY OF TECHNOLOGY
TELECOMMUNICATION ENGINEERING
Yang Qian
APPLIED CRYPTOGRAPHY IN EMBEDDED SYSTEMS
Master´s thesis for the degree of Master of Science in Technology submitted for
inspection, Vaasa, 26 October, 2013.
Supervisor
Prof. Mohammed Elmusrati
Instructor
Tobias Glocker
1
ACKNOWLEDGEMENT
This thesis is aimed to study both the principle and practice of cryptography and security
for embedded systems.
First of all, I would like to express sincere appreciation to my thesis instructor Tobias
Glocker for his tremendous and patient instruction and guidance during my thesis
composing process. Moreover, I shall present big thanks to the staffs in Vaasa University
who have provided the essential equipment for my thesis. As well as my classmates and
friends in Finland who encourage me and help a lot in study and daily life. At last, I
sincerely express my gratitude to Tobias Glocker for his immense practical advice in
completing my thesis.
2
TABLE OF CONTENT
ACKNOWLEDGEMENT ...................................................................................................... 2
ABBREVIATIONS ................................................................................................................ 5
ABSTRACT ........................................................................................................................... 7
1. INTRODUCTION .............................................................................................................. 8
2. SYMMETRIC CRYPTOGRAPHY ................................................................................. 10
2.1. Block Cipher Principles ............................................................................................. 10
2.2. Data Encryption Standard (DES) .............................................................................. 12
2.3. Advanced Encryption Standard (AES) ...................................................................... 13
2.4. Pseudorandom Number Generation and Stream Ciphers .......................................... 21
2.5. Blowfish .................................................................................................................... 21
3. ASYMMETRIC CRYPTOGRAPHY .............................................................................. 23
3.1. The RSA algorithm.................................................................................................... 24
3.2. Diffie-Hellman Key Exchange .................................................................................. 25
3.3. El GAMAL Cryptographic System ........................................................................... 26
3.4. Elliptic Curve Cryptosystem ..................................................................................... 28
3.5. Hash Functions .......................................................................................................... 33
3.6. Key Management and Distribution............................................................................ 35
3.7. User Authentication ................................................................................................... 37
4. ATTACKS ........................................................................................................................ 39
4.1. Attacks on Hardware and Network ........................................................................... 40
4.1.1. Power Consumpution and Electromagetic Radiation Attack .............................. 41
4.1.2. Time Attacks ....................................................................................................... 41
4.1.3. Fault Induction Attacks ....................................................................................... 41
3
4.1.4. Some Possible Countermeasures ......................................................................... 42
4.2. Attacks on Algorithm ................................................................................................ 42
4.2.1. Uncivilized search ............................................................................................... 42
4.2.2. Pohlig-Hellman algorithm ................................................................................... 43
4.2.3. Baby-step Giant-step algorithm (BSGS) ............................................................. 43
4.2.4. Semaev Smart Satoh Araki Attack ...................................................................... 44
5. EXPERIMENTAL PART ................................................................................................ 45
5.1. Hardware for Simulations.......................................................................................... 45
5.2. Software used for implementation and for testing .................................................... 47
5.3. Selection and Implementation of Cryptographic Algorithms ................................... 49
5.4. Result of the implementation..................................................................................... 55
5.5 Time Consumption of Different Key Length ............................................................. 58
5.6 Power Consumption of Different Frequencies ........................................................... 63
6. CONCLUSION AND FUTURE WORK ......................................................................... 67
REFERENCE ....................................................................................................................... 69
APPENDIXES ...................................................................................................................... 73
APPENDIX 1. S-box ............................................................................................................ 73
APPENDIX 2 .CAESAR Encryption ................................................................................... 74
APPENDIX 3. AES Encryption and Decryption ................................................................ 78
4
ABBREVIATIONS
AES
Advanced Encryption Standard
BSGS
Baby Step/Giant Step Method
CM
Complex Multiplication
CRT
Chinese Remainder Theorem
DES
Data Encryption Standard
DHP
Diffie-Hellman Problem
DLP
Discrete Logarithm Problem
DSA
Digital Signature Algorithm
DSS
Digital Signature Standard
ECC
Elliptic Curve Cryptosystem
ECPP
Elliptic Curve Primality Providing Method
ECDLP
Elliptic Curve Discrete Logarithm Problem
GF
Galois Field
HTTP
Secure Hyper-Text Transfer Protocol
IEEE
Institute of Electrical and Electronics Engineers
IDEA
International Data Encryption Algorithm
KDC
Key Distribution Centre
LCM
Least Common Multiple
LED
Light-Emitting Diode
MOV
Menezes-Okamoto-Vanstone attack
5
NAF
Non-Adjacent Form
NFS
Number Field Sieve
NIST
National Institute of Standards and Technology
NSA
National Security Agency
OEF
Optimal Extensive Field
ONB
Optimal Normal Basis
PB
Polynomial Basis
PIN
Personal Identification Number
PKC
Public Key Cryptography
PRF
Pseudorandom Function
PRNG
Pseudorandom Number Generator
RAM
Random Access Memory
RC2
Rivest Cipher
RNS
Residue Number System
RSA
RSA Cryptosystem
SCA
Side Channel Attack
SD
Signed Digit
SEA
Schoof-Elkies-Atkin algorithm
SEC
Standard for Efficient Cryptography
TRNG
True Random Number Generator
6
___________________________________________________________________
UNIVERSITY OF VAASA
Faculty of Technology
Author:
Topic of the Thesis:
Name of the Supervisor:
Instructor:
Degree:
Department:
Degree Program
Major of Subject:
Year of Entering the University:
Year of Completing the Thesis:
Qian Yang
Applied cryptography in Embedded Systems
Professor Mohammed Salem Elmusrati
Tobias Glocker
Master of Science in Technology
Department of Computer Science
Degree Program in Information Technology
Telecommunication Engineering
2010
2013
Page: 98
_____________________________________________________________________________________________________
ABSTRACT
Nowadays, it is widely recognized that data security will play a central role in the design of
IT devices. There are more than billion wireless users by now; it faces a growing need for
security of embedded applications.
This thesis focuses on the basic concept; properties and performance of symmetric and
asymmetric cryptosystems. In this thesis, different encryption and decryption algorithms
have been implemented on embedded systems. Moreover, the execution time and power
consumption of each cryptography method have been evaluated as key performance
indicators. CAESAR and AES are implemented for the microcontroller (ATmega8515).
The STK 500 board is used for programming of the ATmega8515. Furthermore it is used
for the communication between the microcontroller and PC to obtain the performance
advantages of the cryptography methods. Time and power consumption are measured by
using an oscilloscope and a multimeter. Furthermore the performance of different
cryptography methods are compared.
_____________________________________________________________________
KEYWORDS: Cryptography, Embedded System, AES, ECC, security, encryption,
decryption
7
1. INTRODUCTION
The embedded systems and handheld devices have been widely developed in
comparison to a few years ago. From video equipment to mp3 players, cars to smart
phones, and washing machines to home thermostats, more and more embedded devices
interact with the real world and are connected to the internet, and then it’s very common
that those devices meet attacks, hackers and threats. Security issues might result in
physical side effect as potential damages, personal injury, and even death, so it will play
a central role in the design of future IT systems.
Due to the rapid growth of network communication, embedded devices and other
transactions face the challenge of an increasing demand of data security, which concerns
authentication for user admission, intrusion detection as well as any forms of attacks.
Therefore, the security requirements have become critical. The main security issues of
embedded systems will encounter when the data is routed over communication channels
such as Ethernet, Wi-Fi, WiMAX or Bluetooth. Unfortunately, the technology of
security applied in desk computing and enterprise cannot be executed in embedded
systems. But security issues for embedded systems are more than the problems being
addressed for desktop computing.
The possibility of adding security can be specified by hardware or by implementing the
cryptography algorithms in software. This project focuses on cryptography and the
8
implementation of a cryptographic algorithm to protect data by using encryption
technology on embedded systems.
There are several requirements and challenges of the implementation of cryptography
algorithms on embedded systems. Embedded systems are highly cost sensitive, the
length of cryptography key cannot be too big; a slow running cryptographic algorithm
will lead to a long waiting time. The cryptographic technology can be divided into the
two most common algorithmic models: symmetric cipher model and asymmetric-key.
Asymmetric-key algorithms are very computationally intensive compared to symmetrickey operations. Sufficient cryptographic algorithms need to be selected according to the
hardware and processor of the embedded systems.
The thesis consists of six chapters. In the first three chapters, the theory of cryptosystem
is explained, symmetric cryptography and asymmetric cryptography. Chapter four
introduces several attack methods. After the theoretical introduction it follows the most
significant part of the thesis, the experimental part. Chapter five describes the software
and hardware for the implementation, as well as the implementation algorithms, result
and analysis of the encryption and decryption. Conclusion and future development
regarding to this topic is given in the last chapter “CONCLUSION AND FUTURE
WORK”.
9
2. SYMMETRIC CRYPTOGRAPHY
Symmetric encryption is also known as conventional encryption or single-key
encryption. The encryption and decryption processes are performed by using the same
key. It contains five elements: Plaintext, Encryption Algorithm, Private Key, Ciphertext
and Decryption Algorithm, as the symmetric cryptosystem model is showed in Figure 1.
This system requires a strong encryption algorithm and the security of the private key.
Figure 1. Simplified model of symmetric cryptosystem (Stallings 2011: 57).
2.1. Block Cipher Principles
Block Cipher is a type of symmetric encryption/decryption scheme that transform a
fixed-length block of plaintext into a ciphertext block of the same length. The encryption
transformation process is under the use-provided private key (See Figure 2). Decryption
is the inverse process of encryption to the ciphertext using the same private key and will
result in the original plaintext which was encrypted. Typically the block size is 64 bits or
128 bits.
10
Figure 2. Block Cipher (Stallings 2011: 93).
There are many common block ciphers in use today. These are outlined in Table 1.
Table 1. Common Block Cipher Features (Ian McCombe 2007).
Name
Block Size (bits)
Key Size (bits)
Year
Developed
DES
64
56
1975
RC2
64
8-128(default 64)
1987
AES
128
128,196 or 256
1998
IDEA
64
128
1991
Lucifer
48
48
1971
BlowFish
64
32-448(default
1993
128)
Intel Cascaded Cipher
128
128
2006
11
2.2. Data Encryption Standard (DES)
The Data Encryption Standard is adopted in 1977 by the National Institute of Standards
and Technology (NIST), and the most widely used encryption scheme is based on it. The
encryption process of DES is to transform a 64-bit input in a series of steps into a 64-bit
output within a 56-bit key. The same key is used for the decryption process.
In Figure 3, the first step is permutation and the last step is inverse permutation, after
permutation, the block is broken into two 32 bits blocks, the left one is Li and the right
part is Ri . Then there are 16 rounds of identical operations, but each of them uses an
individual key K i Li : Ri 1 Ri : Li 1  f ( Ri 1, , K i )
(1)
In decoding, Ri : Li 1 , Li 1 : Ri  f ( Li , K i )
(2)
12
Figure 3. DES working process (Martti 2009:22).
Traditional DES has only 56 keys and therefore it does not meet the requirements of the
current distributed open network data encryption security. DES is considered as unsafe
after increasing of the clock rate of the computer.
2.3. Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is the most popular and secure symmetric system
used in the professional industrial application, which is intended to replace DES for
commercial applications. AES is a specification for encryption of the electronic data and
it was published in 2001 by the National Institute of Standard and Technology (NIST).
AES is the first publicly accessible and open cipher approved by the National Security
13
Agency (NSA) for the top secure information. In Comparison to AES, DES is insecure
due to the small key. (Wikipedia AES 2012a.)
Sometimes the algorithm is called Rijndael, which is combined by the names of the two
Belgian cryptographers, Joan Daemen and Vincent Rijmen. The basic structure of AES
is substitution-permutation network, which can work fast on both software and hardware.
The cipher takes the plaintext block size of 128 bits. The key sizes can be 128, 192 or
256 bits. (Wikipedia AES 2012a.)
AES operates on a 4×4 square matrix of bytes. This block is termed into the State array,
and the AES cipher consists of a number of repetitions of transformation rounds, where
the number of rounds depends on the key length (Table 2).
Table 2. Round and key length.
No. of rounds
Key Length (bytes)
10
16
12
24
14
32
The overall AES algorithm structure can be divided in the following steps as shown in
Figure 4, which models the whole process of the AES encryption and decryption and
indicates the sequence of the transformation in each round.
14
Figure 4. AES Encryption and Decryption (Stallings 2011: 178).
Refer to the Figure 4, the process of each steps can be listed as:
15
1) Key Expansion.
AES processes the data block as a single matrix during each round using substitutions
and permutations. Round keys are derived from cipher key which is expanded into an
array of forty-four 32-bit words.
2) Initial Transformation.
A simple bitwise XOR is applied to each byte of the state and the portion of the
expanded key.
3) Rounds.
Four different stages are used; one of permutation and the others are substitution:
Substitute Byte
ShiftRows
MixColumn
AddRoundKey.
Those four stages are repeating each round except the final round.
4) Final Round (no MixColumn)
The final round of both encryption and decryption consist three stages:
Substitute Byte
16
ShiftRows
AddRoundKey.
Figure 5. SubBytes step (Wikipedia AES 2012a).
Substitute Byte—each byte is replaced with another one according to an S-box (in
APPENDIX 1), it is a non-linear substitution step shown in Figure 5. The element
is replaced by the
using the S-box. The S-box contains all possible 256 2-byte
values for permutation. The substitution process is working in the following way: the
left side byte is used as row value and the right side byte is used as column number.
Then lookup the S-box within these row and column values to pick another 2-byte
output value.
bi , j  S ai ,i 
(3)
17
Galois Field is called finite field, which is a field that contains a finite number of
elements. The method of S-box substitution is based on the property of GF ( 2 8 ), the
addition in GF ( 2 8 ) is XOR.
1) Inverse in GF( 2 8 ), as the input element ωϵGF( 2 8 ), the inverse element of ω is
X:
X= 
1
 254

0
0
0
(4)
2) Then the sub element of X form byte to bits are ( x7 , x6 , x5 , x4 , x3 , x2 , x1 , x0 ),
According to (Stallings 2011: 178) the transformation is:
 x0' 
 '  1
 x1  1
x'  
 2  1
 x3'  1
 '
 x 4  1
 '  0
 x5  
 x '  0
 6  0
 x7'  
1 0 0 1 1 1 1  x0  1 
 
1 0 0 0 1 1 1  x1  1 
1 1 0 0 0 1 1   x 2  0 
    
1 1 1 0 0 0 1   x 3  0 


1 1 1 1 0 0 0   x 4  0 
    
1 1 1 1 1 0 0  x5  1 
0 1 1 1 1 1 0  x6  1 
    
0 0 1 1 1 1 1  x7  0
(5)
ShiftRows—is the row forward shift process. The first row remains the same. For the
second row, shift to left 1-byte circular. For the third row, shift to left 2-byte circular.
Then the fourth row, shift to left 3-byte circular.
18
The transformation can be expressed as:
c0, j  b0, j 
  

c1, j  b1, j 1 
c   b

 2, j   2, j  2 
c3, j  b3, j 3 
(6)
The whole process is represented in Figure 6 clearly.
Figure 6. Shift Rows (Wikipedia AES 2012a).
MixColumn—is a forward mix column transformation. The mathematical model of
intermixing between the different columns is in order to reach the confusion of the
encrypted order. The whole process can be defined by the following mathematical model:
02
 01

 01

03
03
02
01
01
01
03
02
01
01  s 0,0

01  s1, 0

03  s 2, 0
 
02  s 3, 0
s 0,1
s1,1
s 2,1
s 3,1
s 0, 2
s1, 2
s 2, 2
s 3, 2
s 0,3   s 0' ,0

s1,3   s1' , 0

s 2,3   s 2' , 0
 
s 3,3   s 3' , 0
s 0' ,1
s1' ,1
s 2' ,1
s 3' ,1
s 0' , 2
s1' , 2
s 2' , 2
s 3' , 2
s 0' ,3 

s1' ,3 
s 2' ,3 

s 3' ,3 
(7)
19
AddRoundKey—is a forward and inverse transformation. This step is the process that
128 bits of the state are bitwise XORed with the 128bit of the round key. The
mathematic model can be expressed as:
e 0 , j   d 0 , j   k 0 , j 
  
  
e1, j  d1, j  k1, j 
e    d    k 
 2, j   2, j   2, j 
e3, j  d 3, j  k 3, j 
(8)
Refer to Figure 7; the detail of the transformation process is represented.
Figure 7. AddRoundKey (Wikipedia AES 2012a).
20
The algorithm for decryption makes use of the expanded key in reverse order. The step
AddRoundKey is the same as in encryption. However, the decryption algorithm is no
identical to the encryption algorithm. All the four stages are reversible, and encryption
and decryption are going in opposite vertical directions.
2.4. Pseudorandom Number Generation and Stream Ciphers
The real random number (or random events) in a generating process is according to the
experimental performance of distribution probability, the result is unpredictable, is not
visible. The pseudorandom number is generated according to a certain algorithm
simulation, the sequences of numbers that are not statistically random. And the result is
certain and visible.
Random numbers are widely used in cryptography based on a number of network
security algorithms and protocols. There are some random and pseudorandom number
generators. TRNG is the true random number generator. It is the source of true analog
randomness to a binary output. PRNG is a pseudorandom number generator. PRF is a
pseudorandom function. Those two generators are used to produce pseudorandom
numbers. Both require a fixed value as input, called the seed that should be different
every time to guarantee randomness and unpredictability.
2.5. Blowfish
Blowfish is a substitute for the DES and IDEA encryption algorithm. It is a symmetrical
block cipher (secret or private key), use that a variable key length from 32 to 448 bits.
21
(The U.S. government prohibits the encryption output software to use the key which
key-length is more than 40, unless special-purpose software). Blowfish algorithm is an
alternative encryption method, proposed in 1993 by Bruce Schneier. After the birth of
the 32-bit processor, the speed of blowfish algorithm in the encryption beyond the DES
attracted the attention of the people. Blowfish is a not registered patent, it can be used
free. The round function is shown in Figure 8.
Figure 8. The round functions of Blowfish.
There are some features of blowfish:

Blowfish is fast

Blowfish needs only 5 KB of memory is easy to implement and compact

Blowfish is considered secure

Encryption consist 16+1 phases, each phase consists of ⊕, + and S-box operation

Decryption is identical to encryption; keys are used in inverse order. (Martti
2009:35.)
22
3. ASYMMETRIC CRYPTOGRAPHY
Asymmetric cryptography is also known as public-key cryptography, which is a form of
a cryptosystem in which encryption and decryption are performed by different keys.
There is one public key and one private key. The public key is widely distributed, while
the private key is kept secure.
Figure 9. Simplified model of asymmetric cryptography (Information Security).
The process of asymmetric cryptography is to transform the plaintext into ciphertext by
using the public key of the receiver (see Figure 9). The receiver decrypts the ciphertext
with the private key. Anyone who wants to send a message to Alice can encrypt it using
Alice’s public key but only Alice can decrypt it with her private key. The private key
should be kept secret at all times.
The use of public-key cryptosystem can be divided into three categories: Encryption/
decryption; digital signature; key exchange. (Stallings 2011: 57.)
23
3.1. The RSA algorithm
RSA is one kind of public-key algorithm; it stands for Ron Rivest, Adi Shamir, and Len
Adleman who first publicly described it in 1978.
The RSA scheme is a block cipher in which the plaintext and ciphertext are integers
between 0 and n-1 for some n. The public key is created and published by the product of
two large prime numbers, along with an auxiliary value. The prime factors must be kept
secret. Anyone can use the public key to encrypt a message, only someone with
knowledge of the prime factors can feasibly decode the message. At present RSA is the
most widely used public key cryptography, which is based on the principle of trapdoor
one-way function, as it is shown in the Figure 10,
Figure 10. RSA is based on trapdoor one-way function principle.
The RSA algorithm is simple and easy to use. But as decomposition method of big
integers is progressing, and the improvement of the speed of the computers and the
24
development of computer networks, the key length has to be increased in order to
guarantee the safety of RSA. Increasing the key length will slow down the encryption
and decryption speed. Hardware based implementation would be difficult. Thus RSA
will be limited in terms of the key length.
Compared to DES, the speed of RSA is 1000 times slower than DES in hardware. In
software, RSA is 100 times slower than DES. Those numbers might be changed slightly
as technology changes, but the speeds of RSA can never approach the symmetric
algorithms. Refer to the Table 3, it shows RSA speeds for different modulus lengths
with 8-bit public key.
Table 3. RSA Speeds for Different Modulus Lengths with an 8-bit Public Key
(J.B.Lacy 1993).
512 bits
768 bits
1,024 bits
Encrypt
0.03 sec
0.05 sec
0.08 sec
Decrypt
0.16 sec
0.48 sec
0.93 sec
Sign
0.16 sec
0.52 sec
0.97 sec
Verify
0.02 sec
0.07 sec
0.08 sec
3.2. Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange is a security protocol. The math method is simple. Alice
and Bob can use this algorithm to generate a secret key. First, Alice and Bob agree on a
large prime, n and g, g < n and g is a primitive root of n. These two integers don’t need
25
to be secret; Alice and Bob can agree to them over some insecure channels, which even
are common among a group of users.
The algorithm works as follows:
(1) Alice Key Generation:
X  g x mod n , x is a large random integer
(2) Bob Key Generation:
Y  g y mod n , y is a large random integer
(3) Calculation of secret key by Alice:
k  Y x mod n
(4) Calculation of secret key by Bob:
k '  X y mod n
Diffie-Hellman key exchange protocol can easily be extended to work with more people,
just add more people and more rounds of computations.
This algorithm is not suitable for embedded systems. It can be used for the key
distribution. Both sides can use this algorithm to generate a secret key, but it cannot be
used for encryption and decryption of the message. (Stallings 2011: 327.)
3.3. El GAMAL Cryptographic System
The ElGamal algorithm is public-key cryptography which is based on Diffie-Hellman
key exchange. ElGamal contains key generation, encryption algorithm and decryption
26
algorithm which were described by Taher Elgamal in 1984. It can be used for both
digital signature and message encryption.
Key generation
Alice generates a key pair, first two random numbers are chosen, g and x; a prime p, g
and x are smaller than p.
Alice computes y  g x mod p , the public key is y, g and p, can be shared among groups
of users. And x is kept private.
ElGamal Encryption
Plaintext is M, a random number k is chosen, k is relatively prime of p-1.
a, b are ciphertexts, the length is two times of plaintext,
a  g k (mod p)
(9)
b  y k M (mod p)
(10)
Decrypting: M  b / a x (mod p)
(11)
ElGamal Signatures
The signing message is M, a random number k is chosen, k is relatively prime of p-1,
M= (ax+bk) mod (p-1)
(12)
This signature is the pair a and b. The value of k should be kept private.
Verifying: y a a b (mod p)  g M (mod p)
(13)
27
Table 4. Gives some sample software speed of ElGamal (J.B.Lacy 1993).
512 bits
768 bits
1024 bits
Encrypt
0.33 sec
0.80 sec
1.09 sec
Decrypt
0.24 sec
0.58 sec
0.77 sec
Sign
0.25 sec
0.47 sec
0.63 sec
Verify
1.37 sec
5.12 sex
9.30 sec
Table 4 shows that ElGamal when comparing the measurement with Table 3 is slower
than RSA.
3.4. Elliptic Curve Cryptosystem
In 1985, Miller and Koblitz firstly suggested to use Elliptic Curve in cryptography
independently, which is based on the algebraic structure of elliptic curves over finite
fields. Elliptic Curves are becoming more popular is because the keys size is much
shorter than the public key systems which are based on the integer factorization or finite
field discrete logarithm problem. Compared to RSA, the security level of ECC is higher.
A key of 160 bits in ECC is secure as a 1024 bits RSA key as shown in Table 5. As a
result, due to the short key length, the elliptic curve cryptosystem needs less bandwidth,
less running time as well as lower power cost and it is suitable for the development of
security products like PDA, mobile phone and embedded card .It will replace RSA in the
near future. ECC becomes one of most efficient public-key cryptosystem.
28
Table 5. Key length of ECC and RSA with same security level.
ECC key length RSA
key
length Crack Time /MIPS ECC/RSA
(bits)
(bits)
(year)
length rate
106
512
10 4
5:1
160
1024
1011
7:1
210
2048
10 20
10:1
600
21000
10 78
35:1
key
In general, cubic equations for elliptic curves take the Weierstrass equation:
y 2  axy  by  x 3  cx 2  dx  e
(14)
Where a, b, c, d, e are real numbers and x, y take the values of real numbers. The elliptic
curve can be seen as a set of all solutions to equations of the form:
y 2  x 3  ax  b
(15)
The curve discriminant equation is:  =-16( 4a 3  27b 2 )
(16)
A group can be defined on a set E (a, b) for specific values of a and b in Equation (14),
the following condition is met:
4a 3  27b 2  0
(17)
The process of ECC Diffie-Hellman Key Exchange can be done by the following step.
First pick a large integer q, which is a prime or an integer of the form of 2 m . Then the
29
elliptic curve parameters a, b must be applied for Equation (14) or (15), which defines
the elliptic group of the points Eq (a, b) . In the next step a base point G= ( x1 , y1 ) in
Eq (a, b) is selected, whose order is larger than value n.
A key exchange between user Alice and Bob can be described in Figure 11.
User Alice Key Generation
Select private n A
nA  n
Calculate public PA
PA  n A  G
User Bob Key Generation
Select private n B
nB  n
Calculate public PB
PB  nB  G
Calculation of Secret Key by User Alice
K n A P B
Calculation of Secret Key by User Bob
K n B P A
Figure 11. ECC Diffie-Hellman Key Exchange (Stallings 2011: 343).
ECC Encryption and Decryption
30
Choose Elliptic curve over GF ( 2 m ) for instant, the preparation assignments are:

Select GF(p)

Select elliptic curve E

Select base point G(x,y)

Applied algorithm for transforming plaintext into the points of elliptic curve, called
encryption process

Generating the private and public keys between sender Alice and receiver Bob.
Select one private key n, calculate the public key P  nG  n( x, y) . For Alice, the
private key is n A , and the public key is PA  n A G  n A ( x, y) . For Bob, the private
key is n B and the public key is PB  n B G  n B ( x, y) .
Encryption: Alice sends encrypted message to Bob

Choose random number k, 1  k  p  1

Get the corresponding points ( x m , y m ) by encoding the plaintext;

Calculate the cipher text C m  {k ( x, y), ( x m , y m )  kPB } , and the cipher text here
turns into two points on the elliptic curve.
Decryption, Bob decrypts the received message from Alice:

Calculation
(( x m , y m )  kPB )  n B (kG)
 (( x m , y m )  k (n B ( x, y )))  n B (k ( x, y ))
 ( x m , y m )  knB ( x, y )  n B k ( x, y )
(18)
 ( xm , y m )
31

Get the corresponding plaintext by decoding the points ( x m , y m ) .
The study and implementation of elliptic curve cryptography is now becoming a focus in
public-key cryptosystems, and its foundation relies on the difficulty to solve the discrete
logarithm of the elliptic curve Abelian group.
The set of points on the elliptic curve, together with a special point O called the point at
infinity can be equipped with an Abelian group structure by the following addition
operation.
Additional algorithm:
Input: modulus p, integer a, b  [ p  1]
Output: c=(a+b) mod p
c 0  a 0  b0
For i from 1 to t-1 do: c1  a1  b1  carry
If carry =1, then c=c-p
If c  p , then c=c-p
Return (c)
Subtraction algorithm
32
Input: modulus p, integer a, b  [ p  1]
Output: c= (a+b) mod p
c 0  a 0  b0
For i from 1 to t-1 do: c1  a1  b1  carry
If carry =1, then c=c+p
Return (c)
3.5. Hash Functions
A hash function is any algorithm that maps large data sets of variable lengths to smaller
fixed length data sets. For instance, an address name, having a variable length, could be
hashed to a single integer. The values returned by a hash function are called hash values,
hash codes, hash sums, checksums or simply hashes.
Some common uses hash functions:
f ( x) : x mod max M
(19)
When max (M) is a prime and normal not close to 2 n ;
f ( x) : trunc(( x / max X ) * max longit ) mod max M
(20)
This is used for integer;
33
f ( x) : ( x * xdiv1000) mod 1000000)
(21)
First Square meter then get the middle value.
In original sense, good hash functions are usually required to meet certain properties
listed below:
Determinism--the hash procedure must be deterministic. It means for a given input value
the output hash value must be the same.
Uniformity-- A good hash function should map the expected inputs as evenly as possible
over its output range. That is, every hash value in the output range should be generated
with roughly the same probability.
Variable range—in many applications, the hash function range may be different for each
run of the program.
Variable range with minimal movement—the hash table is refers to a dynamic hash table
when the hash function is used to store values in a hash table that outlives the run of the
program, and the hash table needs to be expanded or shrunk.
Data normalization—accomplishes normalizing the input before hashing it. That is, any
two inputs that are considered equivalent must yield the same hash value.
Continuity—Hash function is used for searching similar data, which must be as
continuous as possible.
34
3.6. Key Management and Distribution
Key management includes key generation, storage, distribution, using and destroy. The
main target is to make sure that the key delivery via the public network is safely. A good
key management system should include three aspects:

Keys are hard to be stolen

Under certain conditions, it should be useless to steal the keys because they have a
limited lifetime

Key distribution and exchange process are transparent to the users; users don’t need
to manage the keys personally.
The key distribution is the way that delivers a key to two parties who are intended to
exchange secure encrypted data. A protocol is needed that provides a secure distribution
of the keys. There are two kinds’ keys that are involved in key distribution. Master keys
are infrequently used and they last for a long time. The other is session keys, which are
generated and distributed for temporary use between two parties.
Key distribution technique is a term that refers to the means of delivering a key between
two parties that want to exchange data without allowing others to see the key. So far,
the two main techniques are described Key Distribution Centre (KDC) and DiffieHellman. The process of Diffie-Hellman is described in chapter 3.2.
Kerberos is an authentication service designed for key distribution environment, it
applies symmetric cryptography algorithms to establish a trustable third party KDC
35
verification system and verifies the authenticity of the two parties that communication
with each other. The main function of Kerberos is to solve the key management and
distribution. There are three parties in this communication: two communication parties
that need to be verified and a trustable third party (KDC). Each party should only keep
the encryption key with KDC secure, and KDC will safeguard the different encryption
keys for individual users. When two parties want to communicate, they apply to KDC
and KDC will encrypt the session keys by their individual keys .Then keys will be sent
back (Stallings 2011: 435).The process is illustrated in Figure 12.
Figure 12. Key Distribution Scenario (Stallings 2011: 439).
36
3.7. User Authentication
In most computer security contents, user authentication is a mean of identifying the user
and verifying that the user is allowed to access some strict network. For example, a user
must be identified as a particular student to access the universities weboodi system or
webmail service. A user must be identified as a member of IEEE to in order to view the
IEEE materials. Furthermore, a user must be identified as a system administrator in
order to access the document about the network administration. User authentication is
the basis for access control and for user accountability.
There are two steps for remote user authentication:

Identification step: Presenting an identifier to the security network, like user name
and password.

Verification step: Server and database. Generate authentication information to
confirm the user’s access right.
There are four possibilities that can be used individually or together to authenticate the
users.

Individual knows: A password, a PIN, or answers to a prearranged set of questions.

Individual possesses: Tokens, like cryptography keys, smart cards, physical keys
and electronic keys.

Static biometrics: Fingerprint, face and retina.

Dynamic biometrics: Voice pattern and handwriting characteristics
37
The remote User-authentication can be divided into two methods: mutual authentication
and one-way authentication. Mutual authentication should consider the key distribution
issues and should enable two communication parties to satisfy themselves mutually
about the other’s identity; one-way authentication can be applied for the e-mail system.
A Remote user authentication can use symmetric encryption and asymmetric encryption
with Kerberos service.
38
4. ATTACKS
Attacks can be active or passive. An ‘active attack’ attempts to delete, add or use other
method to affect the channel. A ‘passive attack’ only monitors the channel, does not
affect the system resources.
Types of attacks:

Passive Attack

Within ciphertext: attempts to get secret key or plaintext by observing
ciphertext

Knows some plaintext and relative ciphertext, but this attack it difficult to
realize

Knows some plaintext, attempts to know the encryption algorithms

Choosing relative plaintext to attack

Choosing ciphertext to attack

Choosing relative ciphertext to attack
39
Refer to Figure 13, which is shown the four attacks on Four Levels:
Attacks on Mechanisms
Attacks on Protocols
Attacks on algorithm
Attacks on Hardware and Network
Figure 13. Four different levels attack.
Refer to the elliptic curve cryptosystem; most attacks on ECC are focusing on
algorithms.
4.1. Attacks on Hardware and Network
It can be realized by a Side-Channel Attack (SCA), this method is powerful because
there is no unified counter plan. SCA can be classified by invasive attacks and noninvasive attacks. Invasive attacks include probing and fault induction attacks. Noninvasive attacks include timing attacks and leaked-information attacks.
40
4.1.1. Power Consumpution and Electromagetic Radiation Attack
In this kind of attack, the rival get system leaked information by means of measures or
by analyzing the switch, current and power. Those information include hamming
distance, bit string and operation order. Some attacks can even get the RAM information
via CPU RAM address.
Similar, they can get the information via the equipment’s electromagetic radiation.
Because of electromagnetic radiation, an attacker can get data without getting close to
the equipment.
4.1.2. Time Attacks
The target of time attack is a computational process nD, where n is fixed, and where D
is a rational point on the elliptic curve.This kind of attack is to analyse the selected time.
The principle is that for a software or a device, different input consumes time differently.
In theory, time randomization and process interrupt randomization are the ways to resist
timimg attack. But in practice, those method are too strict, there is no perfect resist
method.
4.1.3. Fault Induction Attacks
Fault Induction Attacks is to do wrong operation deliberately, get the secure information
from the output result.
41
The method for assist this attack is simple, examine intermediate result. If the
intermediate result not belongs to the curve point group, recalculate it.
4.1.4. Some Possible Countermeasures

Non area differentiation in basic operation, at least make operation atomic;

Group randomized, at least for base point;

Check if the intermediate result is reasonable;

Well stored precomputation result in hard disk;

Electromagnetic shielding;

Random process interrupt, random timing. (Avanzi 2005.)
4.2. Attacks on Algorithm
These kind attacks mostly rely on the mathematical algorithm, for ECC, it will aim to
attack the ECC discrete logarithm ECDLP.
Because of the features of ECC are
complicated and attractive, it can be observed from different angles and get different
properties. Meanwhile, the attacker obtains ideas from its characters.
4.2.1. Uncivilized search
Uncivilized search on elliptic curve is : a given curve E, point P and a random point Q,
calculate P, 2P, 3P…until get Q=IP. The worst situation of this algorithm needs process
n times elliptic curve addition, complexity is O(n).
42
4.2.2. Pohlig-Hellman algorithm
This algorithm makes use of factorization. By means of factoring n, the ECDLP how to
solve l change into how to solve all the prime factors of n. Then regain l by CRT.
In order to withstand this attack, when we choose elliptic curve, the curve degree should
be aliquot of a big prime n or be a big prime.
4.2.3. Baby-step Giant-step algorithm (BSGS)
We describe the BSBG method for a general finite abelian group, with n elements. By
the Pohlig-Hellman simplification it can be assumed that n is prime. This method is the
improvement of uncivilized search, but it costs more Random Access Memory (RAM).
By means of precalculated and store the number of
n elliptic curve points, the
complexity of the worse situation can be decreased to O ( n ) Pollard Rho Method. And
the main problem of the method is that the storage space of O ( n ) group elements.
This method in practice is a way of integer generation, and can be used for big integer
factorization. When solving the ECDLP problem, Pollard Rho method simplify Babystep Giant-step which saves memory space. After this improvement, the complexity of
this method is around O ( n
2
). Based on this method, it is possible to parallelize
Pollard Pho method, arithmetic complexity decreased to O ( n
2r
)
43
4.2.4. Semaev Smart Satoh Araki Attack
Prime Field Anomalous can solve ECDLP quickly. But this attack won’t diffuse to other
infinite field. It is to solve the ECDLP in subgroups of order p, where p is the
characteristic of the field of the definition of the curve. An attack can be avoided by
checking if the infinite element numbers are equal to the elliptic curve point members.
44
5. EXPERIMENTAL PART
In the experimental part, the content is about simulation regarding to security and
performance on CAESAR and AES.
5.1. Hardware for Simulations
The STK500 board is manufactured by ATMEL in Sweden and it is equipped with an
ATmega8515 microcontroller (see Figure 14), starter kit for 8-bit AVR. These
microcontrollers are available in different configurations. It consists of a RS-232
interface to PC for programming and control, an additional RS-232 port for general use.
It works with a regular power supply for 10-15V DC power.
Figure 14. ATMEL STK 500.
45
The key features of STK500 I used are listed below:


RS232 Interface to PC for programming and control
Regulated power supply for 10-15V DC power
Sockets for 8-pin, 20-pin, 28-pin, and 40-pin AVR devices
Parallel and Serial High-Voltage Programming of AVR devices
Serial In-System Programming (ISP) of AVR devices
In-System Programmer for Programming AVR devices in External Target

System
8 Push-buttons for general use








8 LEDS for general use
All I/O ports easily accessible through pin header connectors
Additional RS232 port for general use
Expansion connectors for plug-in modules and prototyping area
And the key Parameter Value of the chipcon is listed below:










Flash (Kbytes): 8 Kbytes
Pin Count: 44
Max. Operating Frequency: 16 MHz
CPU: 8-bit AVR
# of Touch Channels: 16
Hardware QTouch Acquisition: No
Max I/O Pins: 35
Ext Interrupts: 3
USB Speed: No
USB Interface: No
46
Figure 15. STK 500 Components (ATMEL User guide).
5.2. Software used for implementation and for testing
The software which is used to program the microcontroller on STK500 development
board is Atmel Studio 6.0. Realterm is used for the communication between the PC and
the microcontroller. The FrontPage of Atmel Studio 6.0 is shown in Figure 16.
47
Figure 16. AtmelStudio 6.0 FrontPage.
The experiment will be done with Realterm, which is created mostly to represent a better
alternative to the ubiquitous HyperTerminal application. In this project, the most
impressive part of this application is the fact that it can emulate almost any kind of
terminal used for serial communication. The FrontPage of Realterm is shown in Figure
17.
48
Figure 17. The Realterm FrontPage.
5.3. Selection and Implementation of Cryptographic Algorithms
The experiment is done with three programs containing the implementations of
cryptography algorithms CAESAR and AES. The procedure is shown in Figure 18.
First the program that contains the selected crypto graphical algorithms is compiled and
uploaded to the microcontroller. This is done with Atmel AVR studio. In this case serial
cable must be connected with the programming port of the STK500 board. Then the
serial cable must be connected with the communication serial port in order to
communicate with the microcontroller over the Realterm software.
49
In Figure 18, the STK 500 is connected to the PC via RS232 port. There are two RS232
ports on STK 500, one is for programming which is occupied when using Atmel studio
6.0; the other one is for communication when communicates with Realterm.
Figure 18. Schematic Diagram.
A. CAESAR
CAESAR encryption (Caesar cipher), known as shift cipher, is the simplest encryption
method. It is a type of substitution cipher in which each letter in the plaintext is replaced
by a letter some fixed number of positions down the alphabet. Each letter in the alphabet
will be replaced with a constants right shift k.
50
Figure 19. CAESAR letter left shift of 3 (Wikipedia CAESAR 2013).
See Figure 19, for example if k equals 3, each letter would move forward by three, and
A will be replaced by D. B is replaced with E, and so on. The letters which sit in end of
the alphabet will roll back to the beginning. So, W will be replaced by Z, X will be
replaced by A.
B. AES
Due to the less security of DES, AES is a specification for encryption of the electronic
data and it was published in 2001 by the National Institute of Standard and Technology
(NIST). It aims to develop a royalty-free cryptographic technique for public authorities
and private department. There are no known approaches for an attack in case of AES128. (Biryukov & Khovratovich 2009.)
51
Table 6. AES Parameters (The AES Cipher).
Key Size
(words/bytes/bits)
Plaintext
4/16/128
6/24/192
8/32/256
4/16/128
4/16/128
10
12
14
4/16/128
4/16/128
4/16/128
44/176
52/208
60/240
block
size
4/16/128
(words/bytes/bits)
Number of rounds
Round
key
size
(words/bytes/bits)
Expanded key size
(words/bytes)
AES can be used with a variable block and key length; there are 56 bits for DES which
will increase the computational power and are easy to break (NIST 2001). Refer to the
Table 6, if a 128 bits key is chosen, the message M is divided into several blocks m1 ,
m 2 … m n . A simple bitwise XOR is applied to each byte of the block and the portion of
the expanded key is processed in 10 rounds using following operations as well the
Figure 20.
Substitution: Each byte is replaced with another one according to a 256-byte look-up
table called the S-box.
Permutation: Cyclically shifting of lines in state array. The bytes in each of the 4 rows
in the state are rotated by (n-1) where n represents the row number from 1 to 4.
52
Diffusion: Performing matrix multiplication, each byte of a column with every other
byte. The state can be considered to be a 4*4 matrix and this transformation can be
achieved by multiplying this matrix by:
02
 01

 01

03
03 01 01
02 03 01
01 02 03

01 01 02
In the last round this step must be omitted.
Key Generation: Performing XOR operation. In this transformation, the round key is
simply added to the state, which is done by GF ( 2 8 ).
The decryption of AES uses the inverse function of encryption and the same keyschedule for the round keys, which need longer processing time due to high complexity.
53
Figure 20. The procedure of AES encryption and decryption.
AES works with three key lengths, thus three different versions of the encryption and
decryption scheme have been prepared. The key sizes used for an AES cipher specified
the number of repetitions of transformation rounds. The numbers of repetitions of
transformation rounds are as follows:

10 rounds for 128-bit key;

12 rounds for 192-bit key;
54

14 rounds for 256-bit key.
5.4. Result of the implementation
A. CAESAR
After programming the STK 500 with ATMEL studio, Realterm is used for the
communication between PC and microcontroller.
A string is sent from the Realterm application (running on the PC) to the microcontroller,
where the string will be encrypted. The encrypted string is sent back to the Realterm
application, after that the microcontroller decrypts the string again and sends it to the
Realterm application.
Figure 21. CAESAR algorithm encryption.
55
Plain message is ABCD and cipher message is BCDE, see Figure 21.
The decryption is quite simple here; just reverse the key shift. The encrypted key is 1, so
the decrypted key is -1. Figure 22 illustrates the decryption result.
Figure 22. CAESAR algorithm decryption.
B. AES
The result of AES encryption and decryption is shown in Figure 23.The block message
is 128 bits. AES has 10 rounds for a key length 128 bits; 12 rounds for a 192-bit key and
14 rounds for a 256-bit key. In this experiment, the time and current consumption for the
encryption and decryption is measured.
56
Figure 23. AES Encryption and Decryption result.
57
5.5 Time Consumption of Different Key Length
A. CAESAR encryption and decryption
An oscilloscope is used for measuring the times. Before and after the encryption/
decryption a selected pin is toggled. Then the encryption time with different number of
bytes and different frequencies is measured. Figure 24 is the screenshot of the CAESAR
encryption time measuring result for 50bytes and a beginning of 8 MHz on oscilloscope.
Figure 24. The screenshot of CAESAR encryption time at 8 MHz and 50bytes message
on oscilloscope.
The result of time consumption for CAESAR encryption with different bytes and
different frequencies is shown in Table 7. For CAESAR, decryption is just the reverse
procedure of encryption, so the time consumption is just the same as encryption.
58
Table 7. The result of CAESAR encryption time of different times with different
frequencies and messages bytes
Frequency
1MHz
4MHz
8MHZ
50
12.80 ms
3.12ms
1.56ms
100
25.40ms
6.20ms
3.12ms
150
38.00ms
9.30ms
4.72ms
200
50.08ms
12.30ms
6.28ms
NO. of bytes
The relationship between the encryption time and the frequency is linear; as well it is
linear with the plaintext bytes. The bigger the frequency, the shorter the time
consumption is; the more the number of bytes, the higher the time consumption. Figure
25 represents those relationships.
Generally, decryption time is just the same as encryption in CAESAR.
59
CAESAR Encryption Time with Different
Frequencies and Message Bytes
60
50
40
1MHz
Time(ms) 30
20
4MHz
10
8MHZ
0
50
100
150
200
NO. of Bytes
Figure 25. The relationship among CAESAR, frequency and message bytes.
B. AES
In this section, the encryption and decryption times of AES are measured and compared
by using different key lengths at different frequencies. An oscilloscope is used for
measuring the times. Before and after the encryption/ decryption a selected pin is
toggled. Figure 26 is the screenshot of the AES encryption time measuring result for 50
bytes and a frequency of 8 MHz on oscilloscope.
60
Figure 26. The screenshot of the AES encryption time at 8MHz 128 bit key on
oscilloscope.
The result of time consumption for AES encryption with different key lengths and
different frequencies is shown is the Table 8.
Table 8. Results of AES Encryption time consumption on Atmel STK 500 with different
key lengths and different frequencies.
Frequency
Key Length
Rounds
1MHz
4MHz
8MHz
128 bit
10
8.80ms
2.20ms
1.20ms
192 bit
12
10.60ms
2.78ms
1.40ms
256 bit
14
13.40ms
3.24ms
1.66ms
The relationship of AES encryption time consumption with different key lengths and
different frequencies is shown as a bar chart in Figure 27.
61
The Bar Chart of AES Encryption Time with
Different Key Length
16
14
12
10
Time(ms) 8
6
4
2
0
1MHz
4MHz
8MHz
128bits
192bits
256bits
Figure 27. The bar chart of the relationship among AES encryption time consumption,
frequency and key lengths.
The comparison to the encryption time obtain in Table 8, the decryption time is a little
bit longer than the encryption (see Table 9).
Table 9. Results of the AES Decryption time consumption on Atmel STK 500 with
different key lengths and different frequencies.
Frequency
Key Length
Rounds
1MHz
4MHz
8MHz
128 bit
10
9.60ms
2.50ms
1.24ms
192 bit
12
11.40ms
2.90ms
1.48ms
256 bit
14
13.60ms
3.30ms
1.72ms
62
The relationship of AES encryption time consumption with different key lengths and
different frequencies is shown as a bar chart in Figure 28.
The Bar Chart of AES Decryption Time with
Different Key Length
16
14
12
10
Time(ms) 8
6
4
2
0
1MHz
4MHz
8MHz
128bits
192bits
256bits
Figure 28. The bar chart of the relationship among AES decryption time consumption,
frequency and key lengths.
5.6 Power Consumption of Different Frequencies
A multimeter is used for measuring the current. Idle current is measured when the circuit
is idle; maximum current is measured when the circuit is being operated under
encryption and decryption process. The circuit model is illustrated in Figure 29. The
input voltage is 12 Volts. Then the power consumption can be calculated by formula
Power= current *voltage.
63
Figure 29. Circuit Model.
The current consumption of CAESAR is measured, and the result is listed in Table 10.
Table 10. Results of CAESAR idle and max current measurement
Frequency
1 MHz
4MHz
8MHz
Idle Current
102.5mA
107.2mA
111.9mA
Max Current
110mA
114.5mA
118.6mA
The relationship of CAESAR encryption current consumption with different frequencies
is shown as a bar chart in Figure 30.
Bar chart of CAESAR idle current and
max current
120
(mA) 110
100
Idle Current
Max Current
90
1 MHz
4MHz
8MHz
Figure 30. The bar chart shows the relationship between CAESAR encryption current
consumption and frequency.
64
The maximum power consumption at 1MHz is calculated as: P=V*I= 12Volts *
110mA= 1.32 Watt. Then the power/time =1.32watt / 12.8 ms= 103.125 watt/s. When
Frequency at 4MHz, P/T = 440.38 watt/s. More power consumption results in less time
consumption. This principle is the same for AES cryptography.
The current consumption of AES is measured, and the result is listed in Table 11.
Table 11. Results of AES idle and max current measurement.
Frequency
1 MHz
4MHz
8MHz
Idle Current
99.9 mA
103.8mA
106.7mA
Max Current
101.7mA
106.6mA
110.3mA
The relationship of the CAESAR encryption current consumption with different
frequencies is shown as a bar chart in Figure 31.
Bar chart of AES idle current and max
current
112
110
108
106
104
(mA)
102
100
98
96
94
Idle Current
Max Current
1MHz
4MHz
8MHz
65
Figure 31. The bar chart of the relationship between AES encryption current
consumption and frequency.
The result shows that the higher the frequency, the higher the current consumption. Here
voltage is constant; the power consumption is increasing with the rise of the frequency.
66
6. CONCLUSION AND FUTURE WORK
In this thesis, symmetric cryptography and asymmetric cryptography algorithms were
analyzed and researched in the theoretical section. Different algorithms were compared
by the key lengths, the length of encryption time and decryption time, as well the
security of itself. In the practical section, CAESAR and AES were coded by C language
and programmed on an embedded system (Atmel STK 500 board). Time consumption
and power consumption of each algorithm were measured. The higher the frequency is,
the less the time consumption is. Bigger messages or longer key lengths lead to more
time consumptions. Regarding to the power consumption, a higher frequency results in
more power consumption. After analyzing those results, it is obviously shown that
power consumption decreases when time consumption increases.
ECC is a new secure innovation in the information security field that can be adapted in
the future telecommunication and embedded system area. Absolute advantages in
computing speed and storage space, it is a research hot spot in current public
cryptography systems. As a matter of factor, there are still rooms for improvement on
the implementation of ECC with software.
There are still many problems in the research field of ECC, which become the bottleneck
of its development and application, such as embedded plaintext algorithm, curve and
basis of calculation and the selection of safety curve algorithm. The calculation of
ECDLP is the core research of the elliptic curve. Future works on ECC are based on
three aspects: how to select the high security level Elliptic Curve, which means the
67
selected algorithm is easy to be applied and hard to brake. In the Elliptic Curve
Cryptosystem, the times of points on the elliptic curve group take up a large proportion
of the whole operation. The efficiency is related to the execution of the whole procedure.
As far as the application and development of Smart Card and wireless communication
field are concerned, what is significant to be researched is how to enhance the defense
capability of the chip itself.
68
REFERENCE
Announcing the Advanced Encryption Standard (AES). Available from the Internet:
< www. Nist.gov>
Avanzi R.M (2005). Side Channel Attacks on Implementations of Curve-Based
Cryptographic Primitives (preprint),eprint.
ATMEL, AVR STK500 User Guide
Bailey D & Paar C(1998). Optimal Extension Field for Fast Arithmetic in Public-Key
Algorithms , CRYPTO’98, lNCS 1462,pp.472-485.
Bailey D & Paar C (2001). Efficient Arithmetic in Finite Field Extensions with
Application in Elliptic Curve Cryptography, Journal of Cryptography, Vol 14,
pp.153-176
Biryukov, A & D. Khovratovich (2009). “Distinguisher and Realated-Key Attack on the
Full AES-256.”CRYPTO’09.
Connected: An Internet Encyclopedia."Block Ciphers". April 1997. Available from the
Internet: <URL: http://www.freesoft.org/CIE/Topics/143.htm>
I.A. Semaev (1998). Evaluation of discrete logarithms on some elliptic curves. Math.
Comp., 67, 353-356.
69
Ian B., Gadiel S. and Nigel S (1999). Elliptic Curves in Cryptography. ISBN 0-52165374-6
Ian McCombe April 04, 2007. Available from the Internet:
<URL:
http://imps.mcmaster.ca/courses/SE-4C0307/wiki/mccombi/blockciphers.html>.
Information Security. Available from the Internet:
<URL:http://www.javvin.com/networksecurity/dictionary.html>
J.B.Lacy, D.P.Mitchell & W.M.Schell (1984). “CryptoLib: Cryptography in Software,”
UNIX Security Symposium IV Proceeddings of Crypto 83, Plenum Press, pp.323.
Jean-Sebastien Coron. Resistance against Differential Power Analysis for Elliptic Curve
Cryptosystems.
J.H. Silverman (1986). The Arithmetic of Elliptic Curves. Springer-Verlag, GTM 106.
Martti Penttonen (2009). Date Security [online] [cited 13 March 2009]. Available from
the Internet: <URL: www.cs.uku.fi/~penttion/secu/>.
N.P.Smart (1998). The Algorithmic Resolution of Diophamtine Equations. Cambridge
University Press.
Ondrej H, Pavel K, Petr H & Petr F (2011). Performance Evaluation of Symmetric
Cryptography in Embedded Systems.
70
Ptiotr B, Wiealaw W & Tomasz A. Implementation of symmetric Cryptography in
Embedded Systems for Secure Measurement Systems.
Schneier Bruce (1996). APPLIED CRYPTOGRAPHY. Protocols, Algorithms, and
Source Code in C. ISBN:0-471-12845-7.
Shammi D., Aaron A & Saurabh B. Optimizing AES for Embedded Devices and
Wireless Sensor Network.
S. Chari, C. Jutla, J.R. Rao & P. Rohatgi (1999). A cautionary note regarding evaluation
of AES candidates on smart-cards, Proceedings of the second AES Candidate
Conference, March, pp. 133-147.
Smart N (1999). The Discrete Logarithm Problem on Elliptic Curves of Trace One.
Journal of Cryptography, Vol.12,pp.193-196.
Satoh T. & Araki K (1998). Fermat Quotient and The Polynimial Time Discrete Log
Algorithm
for
Anomalous
Elliptic
Curves,
Commentarii
Mathematici
Universitatis Sancti Pauli, Vol.47, pp.81-92.
The AES Cipher. Available from the Internet: < http://flylib.com/books/en/3.190.1.55/1/>
Thomas W, Jorge G & Christof P (2003). Cryptography in Embedded Systems: An
Overview. Pp.735-744, Design & Elektronik, Nuernberg, Germany, Feb. 18-20.
71
Wang L, Zhao H & Bai Gq. A Cost-Efficient Implementation of Public-KEY
Cryptography on Embedded Systems.
Wang Qingxian, The application of Elliptic Curves Cryptography in Embedded Systems.
Welschenbach M (2001). Cryptography in C and C++. ISBN: 1-893115-95-X.
Wikipedia
(2013a).
CAESAR
cipher.
Available
from
the
Internet:
<http://en.wikipedia.org/wiki/Caesar_cipher>.
Wikipedia (2012a) . Advanced Encryption Standard. Available from the Internet:
<http://en.wikipedia.org/wiki/AES>.
AES
算
法
自
主
学
习
报
告
.
Available
from
the
Internet:<http://wenku.baidu.com/view/e6b01b8671fe910ef12df8d8.html?from=r
elated&hasrec=1>.
杨新国, 基于 AES 的加密技术研究及应用. Available from the Internet:
<http://www.doc88.com/p-735479808402.html>.
72
APPENDIXES
APPENDIX 1. S-box(William Stallings 2011: 181)
Inverse S-box
73
APPENDIX 2. CAESAR Encryption
################################################################
###
### CAESAR encryption code
###
### Copyright (C) 2013, Qian Yang ([email protected])
###
### University of Vaasa
###
################################################################
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <avr/interrupt.h>
#define ARRAY_SIZE 220
static volatile uint8_t count;
static char buffer[ARRAY_SIZE];
void caesar(char *, const int);
// ISR for USART receive
ISR(USART_RX_vect)
{
buffer[count] = UDR;
if(buffer[count] == '\r' || count == (ARRAY_SIZE -1))
74
{
buffer[count] == '\0';
// set PB0 to 1
PORTB |= (1 << PB0);
caesar(buffer, 10);
// set PB0 to 0
PORTB &= ~(1 << PB0);
int i;
for(i = 0; i < count; i++)
{
usart_putc(buffer[i]);
buffer[i] = '\0';
}
count = 0;
}
else
count++;
}
int main(void)
75
{
// define PB0 of PORTB as output
DDRB |= (1 << PB0);
// set PB0 to 0
PORTB &= ~(1 << PB0);
// initialize USART
//UBRRL = 103; // 8MHz Baudrate 9600
//UBRRL = 51; // 4MHz Baudrate 9600
UBRRL = 12; // 1MHz Baudrate 9600
UCSRA |= (1 << U2X);
UCSRB |= (1 << RXCIE) | (1 << RXEN) | (1 << TXEN);
// initialize count variable
count = 0;
// enable interrupt
sei();
while(1);
return 0;
}
inline void caesar(char *str, const int offset)
{
76
for(;*str!='\0';str++)
{
if(*str>='A' && *str<='Z')
*str = 'A' + (*str - 'A' + offset) % 26;
else if(*str>='a' && *str<='z')
*str = 'a' + (*str - 'a' + offset) % 26;
}
}
void usart_putc(unsigned char c)
{
// wait for an empty transmit buffer
// UDRE = USART Data Register Empty
// if UDRE = 1 the buffer is empty
while(!(UCSRA & (1 << UDRE)));
// USART I/O Data Register
UDR = c;
}
77
APPENDIX 3. AES Encryption and Decryption
################################################################
### AES Encryption and Decryption code
###
### Original author: Karl Malbrain, [email protected]
### Modified and ported to Atmel AVR by: Yang Qian
### ([email protected])
### University of Vaasa
################################################################
// AES only supports Nb=4
#define Nb 4
// The number of columns comprising a state in AES. This is a constant in AES.
Value=4
#define Nk 4
// number of columns in a key
#define Nr 10
// number of rounds in encryption
#define Sbox(i) (pgm_read_byte(&P_Sbox[i]))
const unsigned char P_Sbox[256] __attribute__ ((__progmem__)) = {
// forward s-box
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7,
0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4,
0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8,
0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27,
0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3,
0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c,
0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c,
78
0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff,
0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d,
0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e,
0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95,
0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a,
0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd,
0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1,
0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55,
0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54,
0xbb, 0x16};
#define InvSbox(i) (pgm_read_byte(&P_InvSbox[i]))
const unsigned char P_InvSbox[256] __attribute__ ((__progmem__)) = { // inverse sbox
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3,
0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde,
0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa,
0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b,
0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65,
0xb6, 0x92,
79
0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d,
0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3,
0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13,
0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4,
0xe6, 0x73,
0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75,
0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18,
0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd,
0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80,
0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9,
0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53,
0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21,
0x0c, 0x7d};
// combined Xtimes2[Sbox[]]
#define Xtime2Sbox(i) (pgm_read_byte(&P_Xtime2Sbox[i]))
const unsigned char P_Xtime2Sbox[256] __attribute__ ((__progmem__)) = {
0xc6, 0xf8, 0xee, 0xf6, 0xff, 0xd6, 0xde, 0x91, 0x60, 0x02, 0xce, 0x56, 0xe7, 0xb5,
0x4d, 0xec,
0x8f, 0x1f, 0x89, 0xfa, 0xef, 0xb2, 0x8e, 0xfb, 0x41, 0xb3, 0x5f, 0x45, 0x23, 0x53,
0xe4, 0x9b,
0x75, 0xe1, 0x3d, 0x4c, 0x6c, 0x7e, 0xf5, 0x83, 0x68, 0x51, 0xd1, 0xf9, 0xe2, 0xab,
0x62, 0x2a,
0x08, 0x95, 0x46, 0x9d, 0x30, 0x37, 0x0a, 0x2f, 0x0e, 0x24, 0x1b, 0xdf, 0xcd, 0x4e,
80
0x7f, 0xea,
0x12, 0x1d, 0x58, 0x34, 0x36, 0xdc, 0xb4, 0x5b, 0xa4, 0x76, 0xb7, 0x7d, 0x52, 0xdd,
0x5e, 0x13,
0xa6, 0xb9, 0x00, 0xc1, 0x40, 0xe3, 0x79, 0xb6, 0xd4, 0x8d, 0x67, 0x72, 0x94, 0x98,
0xb0, 0x85,
0xbb, 0xc5, 0x4f, 0xed, 0x86, 0x9a, 0x66, 0x11, 0x8a, 0xe9, 0x04, 0xfe, 0xa0, 0x78,
0x25, 0x4b,
0xa2, 0x5d, 0x80, 0x05, 0x3f, 0x21, 0x70, 0xf1, 0x63, 0x77, 0xaf, 0x42, 0x20, 0xe5,
0xfd, 0xbf,
0x81, 0x18, 0x26, 0xc3, 0xbe, 0x35, 0x88, 0x2e, 0x93, 0x55, 0xfc, 0x7a, 0xc8, 0xba,
0x32, 0xe6,
0xc0, 0x19, 0x9e, 0xa3, 0x44, 0x54, 0x3b, 0x0b, 0x8c, 0xc7, 0x6b, 0x28, 0xa7, 0xbc,
0x16, 0xad,
0xdb, 0x64, 0x74, 0x14, 0x92, 0x0c, 0x48, 0xb8, 0x9f, 0xbd, 0x43, 0xc4, 0x39, 0x31,
0xd3, 0xf2,
0xd5, 0x8b, 0x6e, 0xda, 0x01, 0xb1, 0x9c, 0x49, 0xd8, 0xac, 0xf3, 0xcf, 0xca, 0xf4,
0x47, 0x10,
0x6f, 0xf0, 0x4a, 0x5c, 0x38, 0x57, 0x73, 0x97, 0xcb, 0xa1, 0xe8, 0x3e, 0x96, 0x61,
0x0d, 0x0f,
0xe0, 0x7c, 0x71, 0xcc, 0x90, 0x06, 0xf7, 0x1c, 0xc2, 0x6a, 0xae, 0x69, 0x17, 0x99,
0x3a, 0x27,
0xd9, 0xeb, 0x2b, 0x22, 0xd2, 0xa9, 0x07, 0x33, 0x2d, 0x3c, 0x15, 0xc9, 0x87, 0xaa,
0x50, 0xa5,
0x03, 0x59, 0x09, 0x1a, 0x65, 0xd7, 0x84, 0xd0, 0x82, 0x29, 0x5a, 0x1e, 0x7b, 0xa8,
0x6d, 0x2c
};
// combined Xtimes3[Sbox[]]
#define Xtime3Sbox(i) (pgm_read_byte(&P_Xtime3Sbox[i]))
const unsigned char P_Xtime3Sbox[256] __attribute__ ((__progmem__)) = {
0xa5, 0x84, 0x99, 0x8d, 0x0d, 0xbd, 0xb1, 0x54, 0x50, 0x03, 0xa9, 0x7d, 0x19, 0x62,
0xe6, 0x9a,
0x45, 0x9d, 0x40, 0x87, 0x15, 0xeb, 0xc9, 0x0b, 0xec, 0x67, 0xfd, 0xea, 0xbf, 0xf7,
81
0x96, 0x5b,
0xc2, 0x1c, 0xae, 0x6a, 0x5a, 0x41, 0x02, 0x4f, 0x5c, 0xf4, 0x34, 0x08, 0x93, 0x73,
0x53, 0x3f,
0x0c, 0x52, 0x65, 0x5e, 0x28, 0xa1, 0x0f, 0xb5, 0x09, 0x36, 0x9b, 0x3d, 0x26, 0x69,
0xcd, 0x9f,
0x1b, 0x9e, 0x74, 0x2e, 0x2d, 0xb2, 0xee, 0xfb, 0xf6, 0x4d, 0x61, 0xce, 0x7b, 0x3e,
0x71, 0x97,
0xf5, 0x68, 0x00, 0x2c, 0x60, 0x1f, 0xc8, 0xed, 0xbe, 0x46, 0xd9, 0x4b, 0xde, 0xd4,
0xe8, 0x4a,
0x6b, 0x2a, 0xe5, 0x16, 0xc5, 0xd7, 0x55, 0x94, 0xcf, 0x10, 0x06, 0x81, 0xf0, 0x44,
0xba, 0xe3,
0xf3, 0xfe, 0xc0, 0x8a, 0xad, 0xbc, 0x48, 0x04, 0xdf, 0xc1, 0x75, 0x63, 0x30, 0x1a,
0x0e, 0x6d,
0x4c, 0x14, 0x35, 0x2f, 0xe1, 0xa2, 0xcc, 0x39, 0x57, 0xf2, 0x82, 0x47, 0xac, 0xe7,
0x2b, 0x95,
0xa0, 0x98, 0xd1, 0x7f, 0x66, 0x7e, 0xab, 0x83, 0xca, 0x29, 0xd3, 0x3c, 0x79, 0xe2,
0x1d, 0x76,
0x3b, 0x56, 0x4e, 0x1e, 0xdb, 0x0a, 0x6c, 0xe4, 0x5d, 0x6e, 0xef, 0xa6, 0xa8, 0xa4,
0x37, 0x8b,
0x32, 0x43, 0x59, 0xb7, 0x8c, 0x64, 0xd2, 0xe0, 0xb4, 0xfa, 0x07, 0x25, 0xaf, 0x8e,
0xe9, 0x18,
0xd5, 0x88, 0x6f, 0x72, 0x24, 0xf1, 0xc7, 0x51, 0x23, 0x7c, 0x9c, 0x21, 0xdd, 0xdc,
0x86, 0x85,
0x90, 0x42, 0xc4, 0xaa, 0xd8, 0x05, 0x01, 0x12, 0xa3, 0x5f, 0xf9, 0xd0, 0x91, 0x58,
0x27, 0xb9,
0x38, 0x13, 0xb3, 0x33, 0xbb, 0x70, 0x89, 0xa7, 0xb6, 0x22, 0x92, 0x20, 0x49, 0xff,
0x78, 0x7a,
0x8f, 0xf8, 0x80, 0x17, 0xda, 0x31, 0xc6, 0xb8, 0xc3, 0xb0, 0x77, 0x11, 0xcb, 0xfc,
0xd6, 0x3a
};
// modular multiplication tables
// based on:
82
// Xtime2[x] = (x & 0x80 ? 0x1b : 0) ^ (x + x)
// Xtime3[x] = x^Xtime2[x];
#define Xtime2(i) (pgm_read_byte(&P_Xtime2[i]))
const unsigned char P_Xtime2[256] __attribute__ ((__progmem__)) = {
0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a,
0x1c, 0x1e,
0x20, 0x22, 0x24, 0x26, 0x28, 0x2a, 0x2c, 0x2e, 0x30, 0x32, 0x34, 0x36, 0x38, 0x3a,
0x3c, 0x3e,
0x40, 0x42, 0x44, 0x46, 0x48, 0x4a, 0x4c, 0x4e, 0x50, 0x52, 0x54, 0x56, 0x58, 0x5a,
0x5c, 0x5e,
0x60, 0x62, 0x64, 0x66, 0x68, 0x6a, 0x6c, 0x6e, 0x70, 0x72, 0x74, 0x76, 0x78, 0x7a,
0x7c, 0x7e,
0x80, 0x82, 0x84, 0x86, 0x88, 0x8a, 0x8c, 0x8e, 0x90, 0x92, 0x94, 0x96, 0x98, 0x9a,
0x9c, 0x9e,
0xa0, 0xa2, 0xa4, 0xa6, 0xa8, 0xaa, 0xac, 0xae, 0xb0, 0xb2, 0xb4, 0xb6, 0xb8, 0xba,
0xbc, 0xbe,
0xc0, 0xc2, 0xc4, 0xc6, 0xc8, 0xca, 0xcc, 0xce, 0xd0, 0xd2, 0xd4, 0xd6, 0xd8, 0xda,
0xdc, 0xde,
0xe0, 0xe2, 0xe4, 0xe6, 0xe8, 0xea, 0xec, 0xee, 0xf0, 0xf2, 0xf4, 0xf6, 0xf8, 0xfa, 0xfc,
0xfe,
0x1b, 0x19, 0x1f, 0x1d, 0x13, 0x11, 0x17, 0x15, 0x0b, 0x09, 0x0f, 0x0d, 0x03, 0x01,
0x07, 0x05,
0x3b, 0x39, 0x3f, 0x3d, 0x33, 0x31, 0x37, 0x35, 0x2b, 0x29, 0x2f, 0x2d, 0x23, 0x21,
0x27, 0x25,
0x5b, 0x59, 0x5f, 0x5d, 0x53, 0x51, 0x57, 0x55, 0x4b, 0x49, 0x4f, 0x4d, 0x43, 0x41,
0x47, 0x45,
0x7b, 0x79, 0x7f, 0x7d, 0x73, 0x71, 0x77, 0x75, 0x6b, 0x69, 0x6f, 0x6d, 0x63, 0x61,
0x67, 0x65,
0x9b, 0x99, 0x9f, 0x9d, 0x93, 0x91, 0x97, 0x95, 0x8b, 0x89, 0x8f, 0x8d, 0x83, 0x81,
0x87, 0x85,
0xbb, 0xb9, 0xbf, 0xbd, 0xb3, 0xb1, 0xb7, 0xb5, 0xab, 0xa9, 0xaf, 0xad, 0xa3, 0xa1,
83
0xa7, 0xa5,
0xdb, 0xd9, 0xdf, 0xdd, 0xd3, 0xd1, 0xd7, 0xd5, 0xcb, 0xc9, 0xcf, 0xcd, 0xc3, 0xc1,
0xc7, 0xc5,
0xfb, 0xf9, 0xff, 0xfd, 0xf3, 0xf1, 0xf7, 0xf5, 0xeb, 0xe9, 0xef, 0xed, 0xe3, 0xe1, 0xe7,
0xe5};
#define Xtime9(i) (pgm_read_byte(&P_Xtime9[i]))
const unsigned char P_Xtime9[256] __attribute__ ((__progmem__)) = {
0x00, 0x09, 0x12, 0x1b, 0x24, 0x2d, 0x36, 0x3f, 0x48, 0x41, 0x5a, 0x53, 0x6c, 0x65,
0x7e, 0x77,
0x90, 0x99, 0x82, 0x8b, 0xb4, 0xbd, 0xa6, 0xaf, 0xd8, 0xd1, 0xca, 0xc3, 0xfc, 0xf5,
0xee, 0xe7,
0x3b, 0x32, 0x29, 0x20, 0x1f, 0x16, 0x0d, 0x04, 0x73, 0x7a, 0x61, 0x68, 0x57, 0x5e,
0x45, 0x4c,
0xab, 0xa2, 0xb9, 0xb0, 0x8f, 0x86, 0x9d, 0x94, 0xe3, 0xea, 0xf1, 0xf8, 0xc7, 0xce,
0xd5, 0xdc,
0x76, 0x7f, 0x64, 0x6d, 0x52, 0x5b, 0x40, 0x49, 0x3e, 0x37, 0x2c, 0x25, 0x1a, 0x13,
0x08, 0x01,
0xe6, 0xef, 0xf4, 0xfd, 0xc2, 0xcb, 0xd0, 0xd9, 0xae, 0xa7, 0xbc, 0xb5, 0x8a, 0x83,
0x98, 0x91,
0x4d, 0x44, 0x5f, 0x56, 0x69, 0x60, 0x7b, 0x72, 0x05, 0x0c, 0x17, 0x1e, 0x21, 0x28,
0x33, 0x3a,
0xdd, 0xd4, 0xcf, 0xc6, 0xf9, 0xf0, 0xeb, 0xe2, 0x95, 0x9c, 0x87, 0x8e, 0xb1, 0xb8,
0xa3, 0xaa,
0xec, 0xe5, 0xfe, 0xf7, 0xc8, 0xc1, 0xda, 0xd3, 0xa4, 0xad, 0xb6, 0xbf, 0x80, 0x89,
0x92, 0x9b,
0x7c, 0x75, 0x6e, 0x67, 0x58, 0x51, 0x4a, 0x43, 0x34, 0x3d, 0x26, 0x2f, 0x10, 0x19,
0x02, 0x0b,
0xd7, 0xde, 0xc5, 0xcc, 0xf3, 0xfa, 0xe1, 0xe8, 0x9f, 0x96, 0x8d, 0x84, 0xbb, 0xb2,
0xa9, 0xa0,
0x47, 0x4e, 0x55, 0x5c, 0x63, 0x6a, 0x71, 0x78, 0x0f, 0x06, 0x1d, 0x14, 0x2b, 0x22,
0x39, 0x30,
0x9a, 0x93, 0x88, 0x81, 0xbe, 0xb7, 0xac, 0xa5, 0xd2, 0xdb, 0xc0, 0xc9, 0xf6, 0xff,
84
0xe4, 0xed,
0x0a, 0x03, 0x18, 0x11, 0x2e, 0x27, 0x3c, 0x35, 0x42, 0x4b, 0x50, 0x59, 0x66, 0x6f,
0x74, 0x7d,
0xa1, 0xa8, 0xb3, 0xba, 0x85, 0x8c, 0x97, 0x9e, 0xe9, 0xe0, 0xfb, 0xf2, 0xcd, 0xc4,
0xdf, 0xd6,
0x31, 0x38, 0x23, 0x2a, 0x15, 0x1c, 0x07, 0x0e, 0x79, 0x70, 0x6b, 0x62, 0x5d, 0x54,
0x4f, 0x46};
#define XtimeB(i) (pgm_read_byte(&P_XtimeB[i]))
const unsigned char P_XtimeB[256] __attribute__ ((__progmem__)) = {
0x00, 0x0b, 0x16, 0x1d, 0x2c, 0x27, 0x3a, 0x31, 0x58, 0x53, 0x4e, 0x45, 0x74, 0x7f,
0x62, 0x69,
0xb0, 0xbb, 0xa6, 0xad, 0x9c, 0x97, 0x8a, 0x81, 0xe8, 0xe3, 0xfe, 0xf5, 0xc4, 0xcf,
0xd2, 0xd9,
0x7b, 0x70, 0x6d, 0x66, 0x57, 0x5c, 0x41, 0x4a, 0x23, 0x28, 0x35, 0x3e, 0x0f, 0x04,
0x19, 0x12,
0xcb, 0xc0, 0xdd, 0xd6, 0xe7, 0xec, 0xf1, 0xfa, 0x93, 0x98, 0x85, 0x8e, 0xbf, 0xb4,
0xa9, 0xa2,
0xf6, 0xfd, 0xe0, 0xeb, 0xda, 0xd1, 0xcc, 0xc7, 0xae, 0xa5, 0xb8, 0xb3, 0x82, 0x89,
0x94, 0x9f,
0x46, 0x4d, 0x50, 0x5b, 0x6a, 0x61, 0x7c, 0x77, 0x1e, 0x15, 0x08, 0x03, 0x32, 0x39,
0x24, 0x2f,
0x8d, 0x86, 0x9b, 0x90, 0xa1, 0xaa, 0xb7, 0xbc, 0xd5, 0xde, 0xc3, 0xc8, 0xf9, 0xf2,
0xef, 0xe4,
0x3d, 0x36, 0x2b, 0x20, 0x11, 0x1a, 0x07, 0x0c, 0x65, 0x6e, 0x73, 0x78, 0x49, 0x42,
0x5f, 0x54,
0xf7, 0xfc, 0xe1, 0xea, 0xdb, 0xd0, 0xcd, 0xc6, 0xaf, 0xa4, 0xb9, 0xb2, 0x83, 0x88,
0x95, 0x9e,
0x47, 0x4c, 0x51, 0x5a, 0x6b, 0x60, 0x7d, 0x76, 0x1f, 0x14, 0x09, 0x02, 0x33, 0x38,
0x25, 0x2e,
0x8c, 0x87, 0x9a, 0x91, 0xa0, 0xab, 0xb6, 0xbd, 0xd4, 0xdf, 0xc2, 0xc9, 0xf8, 0xf3,
0xee, 0xe5,
0x3c, 0x37, 0x2a, 0x21, 0x10, 0x1b, 0x06, 0x0d, 0x64, 0x6f, 0x72, 0x79, 0x48, 0x43,
85
0x5e, 0x55,
0x01, 0x0a, 0x17, 0x1c, 0x2d, 0x26, 0x3b, 0x30, 0x59, 0x52, 0x4f, 0x44, 0x75, 0x7e,
0x63, 0x68,
0xb1, 0xba, 0xa7, 0xac, 0x9d, 0x96, 0x8b, 0x80, 0xe9, 0xe2, 0xff, 0xf4, 0xc5, 0xce,
0xd3, 0xd8,
0x7a, 0x71, 0x6c, 0x67, 0x56, 0x5d, 0x40, 0x4b, 0x22, 0x29, 0x34, 0x3f, 0x0e, 0x05,
0x18, 0x13,
0xca, 0xc1, 0xdc, 0xd7, 0xe6, 0xed, 0xf0, 0xfb, 0x92, 0x99, 0x84, 0x8f, 0xbe, 0xb5,
0xa8, 0xa3};
#define XtimeD(i) (pgm_read_byte(&P_XtimeD[i]))
const unsigned char P_XtimeD[256] __attribute__ ((__progmem__)) = {
0x00, 0x0d, 0x1a, 0x17, 0x34, 0x39, 0x2e, 0x23, 0x68, 0x65, 0x72, 0x7f, 0x5c, 0x51,
0x46, 0x4b,
0xd0, 0xdd, 0xca, 0xc7, 0xe4, 0xe9, 0xfe, 0xf3, 0xb8, 0xb5, 0xa2, 0xaf, 0x8c, 0x81,
0x96, 0x9b,
0xbb, 0xb6, 0xa1, 0xac, 0x8f, 0x82, 0x95, 0x98, 0xd3, 0xde, 0xc9, 0xc4, 0xe7, 0xea,
0xfd, 0xf0,
0x6b, 0x66, 0x71, 0x7c, 0x5f, 0x52, 0x45, 0x48, 0x03, 0x0e, 0x19, 0x14, 0x37, 0x3a,
0x2d, 0x20,
0x6d, 0x60, 0x77, 0x7a, 0x59, 0x54, 0x43, 0x4e, 0x05, 0x08, 0x1f, 0x12, 0x31, 0x3c,
0x2b, 0x26,
0xbd, 0xb0, 0xa7, 0xaa, 0x89, 0x84, 0x93, 0x9e, 0xd5, 0xd8, 0xcf, 0xc2, 0xe1, 0xec,
0xfb, 0xf6,
0xd6, 0xdb, 0xcc, 0xc1, 0xe2, 0xef, 0xf8, 0xf5, 0xbe, 0xb3, 0xa4, 0xa9, 0x8a, 0x87,
0x90, 0x9d,
0x06, 0x0b, 0x1c, 0x11, 0x32, 0x3f, 0x28, 0x25, 0x6e, 0x63, 0x74, 0x79, 0x5a, 0x57,
0x40, 0x4d,
0xda, 0xd7, 0xc0, 0xcd, 0xee, 0xe3, 0xf4, 0xf9, 0xb2, 0xbf, 0xa8, 0xa5, 0x86, 0x8b,
0x9c, 0x91,
0x0a, 0x07, 0x10, 0x1d, 0x3e, 0x33, 0x24, 0x29, 0x62, 0x6f, 0x78, 0x75, 0x56, 0x5b,
0x4c, 0x41,
0x61, 0x6c, 0x7b, 0x76, 0x55, 0x58, 0x4f, 0x42, 0x09, 0x04, 0x13, 0x1e, 0x3d, 0x30,
86
0x27, 0x2a,
0xb1, 0xbc, 0xab, 0xa6, 0x85, 0x88, 0x9f, 0x92, 0xd9, 0xd4, 0xc3, 0xce, 0xed, 0xe0,
0xf7, 0xfa,
0xb7, 0xba, 0xad, 0xa0, 0x83, 0x8e, 0x99, 0x94, 0xdf, 0xd2, 0xc5, 0xc8, 0xeb, 0xe6,
0xf1, 0xfc,
0x67, 0x6a, 0x7d, 0x70, 0x53, 0x5e, 0x49, 0x44, 0x0f, 0x02, 0x15, 0x18, 0x3b, 0x36,
0x21, 0x2c,
0x0c, 0x01, 0x16, 0x1b, 0x38, 0x35, 0x22, 0x2f, 0x64, 0x69, 0x7e, 0x73, 0x50, 0x5d,
0x4a, 0x47,
0xdc, 0xd1, 0xc6, 0xcb, 0xe8, 0xe5, 0xf2, 0xff, 0xb4, 0xb9, 0xae, 0xa3, 0x80, 0x8d,
0x9a, 0x97};
#define XtimeE(i) (pgm_read_byte(&P_XtimeE[i]))
const unsigned char P_XtimeE[256] __attribute__ ((__progmem__)) = {
0x00, 0x0e, 0x1c, 0x12, 0x38, 0x36, 0x24, 0x2a, 0x70, 0x7e, 0x6c, 0x62, 0x48, 0x46,
0x54, 0x5a,
0xe0, 0xee, 0xfc, 0xf2, 0xd8, 0xd6, 0xc4, 0xca, 0x90, 0x9e, 0x8c, 0x82, 0xa8, 0xa6,
0xb4, 0xba,
0xdb, 0xd5, 0xc7, 0xc9, 0xe3, 0xed, 0xff, 0xf1, 0xab, 0xa5, 0xb7, 0xb9, 0x93, 0x9d,
0x8f, 0x81,
0x3b, 0x35, 0x27, 0x29, 0x03, 0x0d, 0x1f, 0x11, 0x4b, 0x45, 0x57, 0x59, 0x73, 0x7d,
0x6f, 0x61,
0xad, 0xa3, 0xb1, 0xbf, 0x95, 0x9b, 0x89, 0x87, 0xdd, 0xd3, 0xc1, 0xcf, 0xe5, 0xeb,
0xf9, 0xf7,
0x4d, 0x43, 0x51, 0x5f, 0x75, 0x7b, 0x69, 0x67, 0x3d, 0x33, 0x21, 0x2f, 0x05, 0x0b,
0x19, 0x17,
0x76, 0x78, 0x6a, 0x64, 0x4e, 0x40, 0x52, 0x5c, 0x06, 0x08, 0x1a, 0x14, 0x3e, 0x30,
0x22, 0x2c,
0x96, 0x98, 0x8a, 0x84, 0xae, 0xa0, 0xb2, 0xbc, 0xe6, 0xe8, 0xfa, 0xf4, 0xde, 0xd0,
0xc2, 0xcc,
0x41, 0x4f, 0x5d, 0x53, 0x79, 0x77, 0x65, 0x6b, 0x31, 0x3f, 0x2d, 0x23, 0x09, 0x07,
0x15, 0x1b,
0xa1, 0xaf, 0xbd, 0xb3, 0x99, 0x97, 0x85, 0x8b, 0xd1, 0xdf, 0xcd, 0xc3, 0xe9, 0xe7,
87
0xf5, 0xfb,
0x9a, 0x94, 0x86, 0x88, 0xa2, 0xac, 0xbe, 0xb0, 0xea, 0xe4, 0xf6, 0xf8, 0xd2, 0xdc,
0xce, 0xc0,
0x7a, 0x74, 0x66, 0x68, 0x42, 0x4c, 0x5e, 0x50, 0x0a, 0x04, 0x16, 0x18, 0x32, 0x3c,
0x2e, 0x20,
0xec, 0xe2, 0xf0, 0xfe, 0xd4, 0xda, 0xc8, 0xc6, 0x9c, 0x92, 0x80, 0x8e, 0xa4, 0xaa,
0xb8, 0xb6,
0x0c, 0x02, 0x10, 0x1e, 0x34, 0x3a, 0x28, 0x26, 0x7c, 0x72, 0x60, 0x6e, 0x44, 0x4a,
0x58, 0x56,
0x37, 0x39, 0x2b, 0x25, 0x0f, 0x01, 0x13, 0x1d, 0x47, 0x49, 0x5b, 0x55, 0x7f, 0x71,
0x63, 0x6d,
0xd7, 0xd9, 0xcb, 0xc5, 0xef, 0xe1, 0xf3, 0xfd, 0xa7, 0xa9, 0xbb, 0xb5, 0x9f, 0x91,
0x83, 0x8d};
// exchanges columns in each of 4 rows
// row0 - unchanged, row1- shifted left 1,
// row2 - shifted left 2 and row3 - shifted left 3
void ShiftRows (unsigned char *state)
{
unsigned char tmp;
// just substitute row 0
state[0] = Sbox(state[0]), state[4] = Sbox(state[4]);
state[8] = Sbox(state[8]), state[12] = Sbox(state[12]);
// rotate row 1
tmp = Sbox(state[1]), state[1] = Sbox(state[5]);
state[5] = Sbox(state[9]), state[9] = Sbox(state[13]), state[13] = tmp;
// rotate row 2
tmp = Sbox(state[2]), state[2] = Sbox(state[10]), state[10] = tmp;
tmp = Sbox(state[6]), state[6] = Sbox(state[14]), state[14] = tmp;
88
// rotate row 3
tmp = Sbox(state[15]), state[15] = Sbox(state[11]);
state[11] = Sbox(state[7]), state[7] = Sbox(state[3]), state[3] = tmp;
}
// restores columns in each of 4 rows
// row0 - unchanged, row1- shifted right 1,
// row2 - shifted right 2 and row3 - shifted right 3
void InvShiftRows (unsigned char *state)
{
unsigned char tmp;
// restore row 0
state[0] = InvSbox(state[0]), state[4] = InvSbox(state[4]);
state[8] = InvSbox(state[8]), state[12] = InvSbox(state[12]);
// restore row 1
tmp = InvSbox(state[13]), state[13] = InvSbox(state[9]);
state[9] = InvSbox(state[5]), state[5] = InvSbox(state[1]), state[1] = tmp;
// restore row 2
tmp = InvSbox(state[2]), state[2] = InvSbox(state[10]), state[10] = tmp;
tmp = InvSbox(state[6]), state[6] = InvSbox(state[14]), state[14] = tmp;
// restore row 3
tmp = InvSbox(state[3]), state[3] = InvSbox(state[7]);
state[7] = InvSbox(state[11]), state[11] = InvSbox(state[15]), state[15] = tmp;
}
// recombine and mix each row in a column
void MixSubColumns (unsigned char *state)
{
unsigned char tmp[4 * Nb];
89
// mixing column 0
tmp[0] = Xtime2Sbox(state[0]) ^ Xtime3Sbox(state[5]) ^ Sbox(state[10]) ^
Sbox(state[15]);
tmp[1] = Sbox(state[0]) ^ Xtime2Sbox(state[5]) ^ Xtime3Sbox(state[10]) ^
Sbox(state[15]);
tmp[2] = Sbox(state[0]) ^ Sbox(state[5]) ^ Xtime2Sbox(state[10]) ^
Xtime3Sbox(state[15]);
tmp[3] = Xtime3Sbox(state[0]) ^ Sbox(state[5]) ^ Sbox(state[10]) ^
Xtime2Sbox(state[15]);
// mixing column 1
tmp[4] = Xtime2Sbox(state[4]) ^ Xtime3Sbox(state[9]) ^ Sbox(state[14]) ^
Sbox(state[3]);
tmp[5] = Sbox(state[4]) ^ Xtime2Sbox(state[9]) ^ Xtime3Sbox(state[14]) ^
Sbox(state[3]);
tmp[6] = Sbox(state[4]) ^ Sbox(state[9]) ^ Xtime2Sbox(state[14]) ^
Xtime3Sbox(state[3]);
tmp[7] = Xtime3Sbox(state[4]) ^ Sbox(state[9]) ^ Sbox(state[14]) ^
Xtime2Sbox(state[3]);
// mixing column 2
tmp[8] = Xtime2Sbox(state[8]) ^ Xtime3Sbox(state[13]) ^ Sbox(state[2]) ^
Sbox(state[7]);
tmp[9] = Sbox(state[8]) ^ Xtime2Sbox(state[13]) ^ Xtime3Sbox(state[2]) ^
Sbox(state[7]);
tmp[10] = Sbox(state[8]) ^ Sbox(state[13]) ^ Xtime2Sbox(state[2]) ^
Xtime3Sbox(state[7]);
tmp[11] = Xtime3Sbox(state[8]) ^ Sbox(state[13]) ^ Sbox(state[2]) ^
Xtime2Sbox(state[7]);
// mixing column 3
tmp[12] = Xtime2Sbox(state[12]) ^ Xtime3Sbox(state[1]) ^ Sbox(state[6]) ^
90
Sbox(state[11]);
tmp[13] = Sbox(state[12]) ^ Xtime2Sbox(state[1]) ^ Xtime3Sbox(state[6]) ^
Sbox(state[11]);
tmp[14] = Sbox(state[12]) ^ Sbox(state[1]) ^ Xtime2Sbox(state[6]) ^
Xtime3Sbox(state[11]);
tmp[15] = Xtime3Sbox(state[12]) ^ Sbox(state[1]) ^ Sbox(state[6]) ^
Xtime2Sbox(state[11]);
memcpy (state, tmp, sizeof(tmp));
}
// restore and un-mix each row in a column
void InvMixSubColumns (unsigned char *state)
{
unsigned char tmp[4 * Nb];
int i;
// restore column 0
tmp[0] = XtimeE(state[0]) ^ XtimeB(state[1]) ^ XtimeD(state[2]) ^
Xtime9(state[3]);
tmp[5] = Xtime9(state[0]) ^ XtimeE(state[1]) ^ XtimeB(state[2]) ^
XtimeD(state[3]);
tmp[10] = XtimeD(state[0]) ^ Xtime9(state[1]) ^ XtimeE(state[2]) ^
XtimeB(state[3]);
tmp[15] = XtimeB(state[0]) ^ XtimeD(state[1]) ^ Xtime9(state[2]) ^
XtimeE(state[3]);
// restore column 1
tmp[4] = XtimeE(state[4]) ^ XtimeB(state[5]) ^ XtimeD(state[6]) ^
Xtime9(state[7]);
tmp[9] = Xtime9(state[4]) ^ XtimeE(state[5]) ^ XtimeB(state[6]) ^
XtimeD(state[7]);
tmp[14] = XtimeD(state[4]) ^ Xtime9(state[5]) ^ XtimeE(state[6]) ^
91
XtimeB(state[7]);
tmp[3] = XtimeB(state[4]) ^ XtimeD(state[5]) ^ Xtime9(state[6]) ^
XtimeE(state[7]);
// restore column 2
tmp[8] = XtimeE(state[8]) ^ XtimeB(state[9]) ^ XtimeD(state[10]) ^
Xtime9(state[11]);
tmp[13] = Xtime9(state[8]) ^ XtimeE(state[9]) ^ XtimeB(state[10]) ^
XtimeD(state[11]);
tmp[2] = XtimeD(state[8]) ^ Xtime9(state[9]) ^ XtimeE(state[10]) ^
XtimeB(state[11]);
tmp[7] = XtimeB(state[8]) ^ XtimeD(state[9]) ^ Xtime9(state[10]) ^
XtimeE(state[11]);
// restore column 3
tmp[12] = XtimeE(state[12]) ^ XtimeB(state[13]) ^ XtimeD(state[14]) ^
Xtime9(state[15]);
tmp[1] = Xtime9(state[12]) ^ XtimeE(state[13]) ^ XtimeB(state[14]) ^
XtimeD(state[15]);
tmp[6] = XtimeD(state[12]) ^ Xtime9(state[13]) ^ XtimeE(state[14]) ^
XtimeB(state[15]);
tmp[11] = XtimeB(state[12]) ^ XtimeD(state[13]) ^ Xtime9(state[14]) ^
XtimeE(state[15]);
for( i=0; i < 4 * Nb; i++ )
state[i] = InvSbox(tmp[i]);
}
// encrypt/decrypt columns of the key
// n.b. you can replace this with
//
byte-wise xor if you wish.
void AddRoundKey (unsigned *state, unsigned *key)
92
{
int idx;
for( idx = 0; idx < 4; idx++ )
state[idx] ^= key[idx];
}
unsigned char Rcon[11] = {0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
0x1b, 0x36};
// produce Nb bytes for each round
void ExpandKey (unsigned char *key, unsigned char *expkey)
{
unsigned char tmp0, tmp1, tmp2, tmp3, tmp4;
unsigned idx;
memcpy (expkey, key, Nk * 4);
for( idx = Nk; idx < Nb * (Nr + 1); idx++ ) {
tmp0 = expkey[4*idx - 4];
tmp1 = expkey[4*idx - 3];
tmp2 = expkey[4*idx - 2];
tmp3 = expkey[4*idx - 1];
if( !(idx % Nk) ) {
tmp4 = tmp3;
tmp3 = Sbox(tmp0);
tmp0 = Sbox(tmp1) ^ Rcon[idx/Nk];
tmp1 = Sbox(tmp2);
tmp2 = Sbox(tmp4);
} else if( Nk > 6 && idx % Nk == 4 ) {
tmp0 = Sbox(tmp0);
tmp1 = Sbox(tmp1);
tmp2 = Sbox(tmp2);
93
tmp3 = Sbox(tmp3);
}
expkey[4*idx+0] = expkey[4*idx - 4*Nk + 0] ^ tmp0;
expkey[4*idx+1] = expkey[4*idx - 4*Nk + 1] ^ tmp1;
expkey[4*idx+2] = expkey[4*idx - 4*Nk + 2] ^ tmp2;
expkey[4*idx+3] = expkey[4*idx - 4*Nk + 3] ^ tmp3;
}
}
// encrypt one 128 bit block
void Encrypt (unsigned char *in, unsigned char *expkey, unsigned char *out)
{
unsigned char state[Nb * 4];
unsigned round;
memcpy (state, in, Nb * 4);
AddRoundKey ((unsigned *)state, (unsigned *)expkey);
for( round = 1; round < Nr + 1; round++ ) {
if( round < Nr )
MixSubColumns (state);
else
ShiftRows (state);
AddRoundKey ((unsigned *)state, (unsigned *)expkey + round * Nb);
}
memcpy (out, state, sizeof(state));
}
void Decrypt (unsigned char *in, unsigned char *expkey, unsigned char *out)
{
94
unsigned char state[Nb * 4];
unsigned round;
memcpy (state, in, sizeof(state));
AddRoundKey ((unsigned *)state, (unsigned *)expkey + Nr * Nb);
InvShiftRows(state);
for( round = Nr; round--; )
{
AddRoundKey ((unsigned *)state, (unsigned *)expkey + round * Nb);
if( round )
InvMixSubColumns (state);
}
memcpy (out, state, sizeof(state));
}
#define USR UCSRA
void printP (PGM_P string){
char c;
c=pgm_read_byte(string);
while (c) {
loop_until_bit_is_set(USR, UDRE);
UDR = c;
c=pgm_read_byte(++string);
}
return;
}
95
void print (const char *string){
while (*string) {
loop_until_bit_is_set(USR, UDRE);
UDR = *string++;
}
return;
}
void scan(char *string){
char c;
do
{
do {
loop_until_bit_is_set(USR, RXC);
c =UDR;
} while bit_is_set(USR, FE);
*string++ = c;
//echo the character
loop_until_bit_is_set(USR, UDRE);
UDR = c;
} while ( c != '\r' );
loop_until_bit_is_set(USR, UDRE);
UDR = '\n';
string[-1]=0;
}
void UART_init(void)
{
// initialize USART
UBRRH = 0;
UBRRL = 103; // 8MHz, Baudrate: 9600
UCSRA = (1<<U2X);
UCSRB = (1<<TXEN)|(1<<RXEN);
UCSRC = (1<<URSEL)|(1<<UCSZ0)|(1<<UCSZ1)|(1<<USBS);
}
96
#define itoa10(N,S) itoa(N,S,10)
#define itoa16(N,S) itoa(N,S,16)
//DEMO
unsigned char sampleout[16];
unsigned char samplekey[] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab,
0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};
unsigned char samplein[] = {0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31,
0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34};
int main(void)
{
UART_init();
unsigned char expkey[4 * Nb * (Nr + 1)];
unsigned char i;
char c[8];
printP(PSTR("Original: "));
for( i = 0; i < 16; i++ ) {itoa16(samplein[i],c);print(c); print(" ");}
printP(PSTR("\n"));
ExpandKey (samplekey, expkey);
Encrypt (samplein, expkey, sampleout);
printP(PSTR("Encrypted: "));
for( i = 0; i < 16; i++ ) {itoa16(sampleout[i],c);print(c); print(" ");}
printP(PSTR("\n"));
97
Decrypt (sampleout, expkey, samplein);
printP(PSTR("Decrypted: "));
for( i = 0; i < 16; i++ ) {itoa16(samplein[i],c);print(c); print(" ");}
printP(PSTR("\n"));
}
98
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement