ESE 566 Report 2 Implementation of International Data Encryption Algorithm Hui Zhang Preethi Karthik 7-1 Introduction In this report, an International Data Encryption Algorithm (IDEA) cipher is specified in system-level with SystemC. The cipher is simulated and tested. IDEA (International Data Encryption Algorithm) is an encryption algorithm developed at ETH in Zurich, Switzerland. It uses a block cipher with a 128-bit key, and is generally considered to be very secure. It is considered among the best publicly known algorithms. Description of functionality of the application IDEA is a 64-bit iterative block cipher with a 128-bit key. The encryption process requires eight complex rounds. Decryption is carried out in the same manner as encryption once the decryption subkeys have been calculated from the encryption subkeys. The cipher structure was designed to be easily implemented in both software and hardware, and the security of IDEA relies on the use of three incompatible types of arithmetic operations on 16-bit words. IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and four are used before every round and after the last round. It has eight rounds. The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three operations are used in IDEA to combine two 16 bit values to produce a 16 bit result, addition, XOR, and multiplication. Addition is normal addition with carries, modulo 65,536. Multiplication, as used in IDEA, requires some explanation. Multiplication by zero always produces zero, and is not invertible. Multiplication modulo n is also not invertible whenever it is by a number which is not relatively prime to n. The way multiplication is used in IDEA, it is necessary that it be always invertible. This is true of multiplication IDEA style. The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257, is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for the numbers from 1 through 65,536, each row and column will contain every number once only, forming a Latin square, and providing an invertible operation. The numbers that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly, from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16 bit word containing all zeroes is considered to represent the number 65,536; other numbers are represented in conventional unsigned notation, and multiplication is modulo the prime number 65,537. Description of IDEA Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys called K(1) through K(52). Before round 1, or as the first part of it, the following is done: 7-2 Multiply A by K(1). Add K(2) to B. Add K(3) to C. Multiply D by K(4). Round 1 proper consists of the following: Calculate A xor C (call it E) and B xor D (call it F). Multiply E by K(5). Add the new value of E to F. Multiply the new value of F by K(6). Add the result, which is also the new value of F, to E. Change both A and C by XORing the current value of F with each of them; change both B and D by XORing the current value of E with each of them. Swap B and C. Repeat all of this eight times, or seven more times, using K(7) through K(12) the second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C is not performed after round 8. Then multiply A by K(49). Add K(50) to B. Add K(51) to C. Multiply D by K(52). The intricacies of IDEA encryption may be made somewhat clearer by examining the following diagrams: Details: Overview: Figure 1 Decryption How can the round in IDEA be reversed, since all four quarters of the block are changed at the same time, based on a function of all four of their old values? Well, the trick to that is that A xor C isn't changed when both A and C are XORed by the same value, that value cancels out, no matter what that value might be. And the same applies to B xor D. And since the values used are functions of (A xor C) and (B xor D), they are still available. 7-3 This cross-footed round, rather than a Feistel round, is the most striking distinguishing factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use of S-boxes is also important. Those that are added are replaced by their two's complement. Those that are multiplied in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation when used to change blocks directly, but those used to calculate the cross-footed F-functions are not changed. Keys XORed in would not need to be changed, but there aren't any such keys in IDEA. Due to the placement of the swap, the first four keys for decryption are moved somewhat differently than the other keys used for the same operation between rounds. The decryption key schedule is: The first four subkeys for decryption are: KD(1) KD(2) KD(3) KD(4) = 1/K(49) = -K(50) = -K(51) = 1/K(52) and they do not quite follow the same pattern as the remaining subkeys which follow. The following is repeated eight times, adding 6 to every decryption key's index and subtracting 6 from every encryption key's index: KD(5) KD(6) = = K(47) K(48) KD(7) KD(8) KD(9) KD(10) = 1/K(43) = -K(45) = -K(44) = 1/K(46) Subkey generation This method of subkey generation is regular, and this may be a weakness. However, IDEA is considered to be highly secure, having stood up to all forms of attack so far tried by the academic community. Table 1 shows the encryption key sub-blocks and the corresponding decryption key sub-blocks. Table 1 IDEA Encryption and Decryption Key Sub-Blocks ROUND 1: 2: 3: 4: 5: 6: 7: 8: output transformation ENCRYPTION KEY SUB-BLOCKS Z1(1) Z1(2) Z1(3) Z1(4) Z1(5) Z1(6) Z1(7) Z1(8) Z1(9) Z2(1) Z2(2) Z2(3) Z2(4) Z2(5) Z2(6) Z2(7) Z2(8) Z2(9) Z3(1) Z3(2) Z3(3) Z3(4) Z3(5) Z3(6) Z3(7) Z3(8) Z3(9) Z3(1) Z3(2) Z3(3) Z3(4) Z3(5) Z3(6) Z3(7) Z3(8) Z3(9) Z4(1) Z4(2) Z4(3) Z4(4) Z4(5) Z4(6) Z4(7) Z4(8) Z5(1) Z5(2) Z5(3) Z5(4) Z5(5) Z5(6) Z5(7) Z5(8) Z6(1) Z6(2) Z6(3) Z6(4) Z6(5) Z6(6) Z6(7) Z6(8) DECRYPTION KEY SUB-BLOCKS [Z1(9)]-1 [Z1(8)]-1 [Z1(7)]-1 [Z1(6)]-1 [Z1(5)]-1 [Z1(4)]-1 [Z1(3)]-1 [Z1(2)]-1 [Z1(1)]-1 -Z2(9) -Z2(8) -Z2(7) -Z2(6) -Z2(5) -Z2(4) -Z2(3) -Z2(2) -Z2(1) -Z3(9) -Z3(8) -Z3(7) -Z3(6) -Z3(5) -Z3(4) -Z3(3) -Z3(2) -Z3(1) [Z4(9)]-1 [Z4(8)]-1 [Z4(7)]-1 [Z4(6)]-1 [Z4(5)]-1 [Z4(4)]-1 [Z4(3)]-1 [Z4(2)]-1 [Z4(1)]-1 Z5(8) Z5(7) Z5(6) Z5(5) Z5(4) Z5(3) Z5(2) Z5(1) Z6(8) Z6(7) Z6(6) Z6(5) Z6(4) Z6(3) Z6(2) Z6(1) 7-4 System Specification Encrypt /decrypt Output-termination Round 7 Round 1 Round 0 data-in Key-generator data-out Idea_top Module Figure 2 IDEA cipher TOP MODULE idea_top module is the cipher. The ports of it are as following: sc_in<sc_uint<64> > sc_in<bool> sc_in<bool> sc_in<bool> sc_in_clk sc_out<sc_uint<64> > sc_out<bool> DATA_IN; // 64-bit plaintext or ciphertext input INPUT_VALID; // to indicate input data is ready ENCRYPTION; // to do encryption or decryption RESET; // reset the system CLK; // clock DATA_OUT; // 64-bit ciphertext or plaintext output OUTPUT_DATA_READY; // to indicate output data is ready The idea_top module consists 10 sub-modules. key_gen is a key generator, it outputs 52 16-bit encryption or decryption subkeys to the rest parts of the idea_top module, which are 8 round sub-modules and a output termination sub-module. 8 round sub-modules have the same structure, so they are all the instances of module round. Output_termination is the last stage of the computation. key_gen round output_termination *key_gen0; *round0, *round1, *round2, *round3,\ *round4, *round5, *round6, *round7; *output_t0; Module round is to implement the computation in one round as decrypted in Figure 1. It take 64-bit data and 6 16-bit subkeys as inputs. SC_MODULE(round){ sc_in<sc_uint<64> > sc_in<bool> sc_in<bool> sc_out<sc_uint<64> > sc_out<bool> sc_in_clk sc_in<sc_uint<16> > data_in; // 64-bit input input_valid; reset; data_out; // 64-bit encrypted block output output_data_ready; CLK; K0,K1,K2,K3,K4,K5; // 6 16-bit sub-blocks of the key SC_CTOR(round) { SC_CTHREAD(entry, CLK.pos()); 7-5 watching(reset.delayed() == true); } void entry(); }; Module key_gen converts a 128-bit IDEA key to 52 16-bit encryption subkeys. Or for decryption case, it outputs 52 16-bit decryption subkeys derived from encryption subkeys by using table 1. In our project, this module is not fully developed. It works well for the encryption subkeys generation. But for the decryption subkeys generation, because of temporary absence of an effective method to calculate multiplicative inverse modulo 216+1 of an encryption subkey and short of time, we just set a pair of constant encryption and decryption subkeys. Description of Testbench We use testbench as figure 3 shows. Module stimulus and idea_top and display are in main routine. Module stimulus generates clock, reset and plaintext or ciphertext for module idea_top. display module displays the results. The data encrypted or decrypted and 52 subkeys are also displayed for the test purpose. stimulus idea_top display Main module Figure 3 IDEA cipher simulation and test The design is write in C++ with SystemC 2.0 library. The test and simulation are done in MS Visual C++ 6.0. We use following keys for the test: ENCRYPTION SUBKEYS 729A 14C9 1A29 5834 B2B0 E1F4 F5C3 B1EB FB63 27ED 0B43 9216 5324 68A6 5D78 E8BA 87D1 D70F 8F5C DB1E 86E5 2D0D 485A 4C90 F165 75E2 A2EB 3E8B B87D 344F CA68 1B94 B437 60D1 CAC1 C595 AF16 175E FA2E 9FB6 D13F 29A2 6E53 A299 560D 2CAC BC59 3D70 6C7A 7ED8 44FD 2168 DECRYPTION SUBKEYS DE00 C501 3B12 DA6F 6013 AAD3 C231 FD1E DE59 28F1 8A1E 0E9B B370 B7A6 D2F3 791B 24E2 D813 5D15 782F 1746 A288 975A ACDC 6DEA F4BD 70A4 7D3F 21AC DA1E 10CC B1EF E061 D19B 2C7B 3EC2 A299 6E53 29A2 D13F 9FB6 FA2E 175E AF16 2168 44FD 7ED8 6C7A 3D70 BC59 2CAC 560D 7-6 Table 2 Test Results Input 64-bit data 1234 5678 9ABC DEF0 A468 A310 CD64 FB95 Encrypt/Decrypt Encrypt Decrypt Result A468 A310 CD64 FB95 1234 5678 9ABC DEF0 The table 2 shows the functions of encryption and the decryption work well. The ciphertext can be decrypted with the same method as encryption but the different subkeys. In order to check the encryption is really IDEA, we employ the IDEA-SDK-Demo Kit from MediaCrypt AG (www.mediacrypt.com) to check the correctness of the encryption and decryption. The results show our IDEA cipher workes in IDEA ECB mode. Conclusion 1. The IDEA can be designed in system level by using SystemC 2.0 2. In system description, we can ignore details in subblock. Also we possibly can design and simulate the system when the subblock is not fully understood or implemented. For example, in our design, the functionality of key_gen module is not fully implemented, however, we still can finish our system level specification and simulation. 3. In our design experience, SystemC 2.0 has some limitations on data operation. For more freedom, we will have to go deep into SystemC 2.0 core. References [1] M.P.Leong, O.Y.H.Cheung, K.H.Tsoi and P.H.W.Leong, A Bit-Serial Implementation of the International Data Encryption Algorithm IDEA, IEEE 2000 [2] SystemC Open Source, SystemC Version 2.0 User’s Guide [3] B.Schneier, Applied Cryptography, John Wiley, 1996 7-7