Hardware Implementation of Triple-DES Encryption/ Decryption Algorithm Fiolitakis Antonios*, Petrakis Nikolaos, Margaronis Panagiotis, Antonidakis Emmanouel TEI of Crete, Department of Electronics * E-mail:
[email protected]
Abstract This paper presents the design and the implementation of the Triple- Data Encryption Standard (DES) algorithm. A Hardware Triple-DES cryptographic algorithm has been implemented using a Field Programmable Gate Array (FPGA) chip. In order to confirm the expected behavior of the Triple-DES circuitry, the implemented design was extensively simulated and analyzed. The Simulations were run under various clock frequencies. The main objective of this paper is to provide the reader with a deep insight of the theory and design of a digital cryptographic circuit, which was implemented in a FPGA chip with the use of Very (High-Speed Integrated Circuit) Hardware Description Language (VHDL). A concise presentation of the cryptographic DES and Triple-DES Algorithms is given.
Keywords Security, Communication, FPGA, VHDL
1
Introduction
Beyond any doubt, the need for secure storage or transfer of information is an inextricable part of human history. This need was initially created by the difference in social, political, military or even religious persuasions among people. Nowadays, the rapid evolution of communication systems offers, to a very large percentage of population, access to a huge amount of information and a variety of means to use in order to exchange personal data. Therefore, every single transmitted bit of information needs to be processed into an unrecognizable form in order to be secured. This encipherment of the data is necessary to take place in real time and for this procedure a variety of encryption algorithms have been developed. This paper examines the full procedure of implementing an encryption algorithm using a high-level description language such as VHDL combined with the usage of FPGA technology. The implementation of cryptographic algorithms on FPGAs can be reprogrammed on the same chip increasing the security through different versions of the same algorithm (DES and Triple-DES). The switching of wiring between algorithms on the FPGA chip can be easily achieved. Also, the features of the FPGA maximize the opportunity for on-chip parallelism. The DES and Triple-DES algorithms presented in this paper are used as an example for the implementation of cryptographic algorithms.
Finally, the completed designs after being tested, using the official test vectors for the implementations that the National Institute of Standards and Technology (NIST) [4] provides, were simulated in order to verify the expected defined outputs.
2 The Data Encryption Standard (DES) and Triple-DES Algorithms Since the original development by an IBM team and the later on adaptation as a national standard in 1977 by NIST, the Data Encryption Standard (DES) has always been a basis for comparison for new encryption algorithms. Due to the constantly rising processor technology, DES is not an algorithm which is considered to be completely safe anymore. Despite this fact, it is still used in several applications such as IPSec protocols, ATM cell encryption, the secure socket layer (SSL) and in its Triple-DES form which was adopted in order to improve DES security in the X9.17 and the ISO 8732 standards [6-7]. In this section, we will describe in short the complete function of the DES algorithm as well as its variation called Triple-DES. The operation of DES, as a symmetrical private key algorithm, is based on a single key of 64 bits which is used in order to perform both the encryption and decryption process. The data to be encrypted (plaintext) consists of 64 bits and after an initial permutation (IP) they are split into two equal halves R0 and L0 each of 32 bits of length. After 16 rounds of processing the final outputs R16 and L16 are inversed for the final permutation. This permutation is the inverse of the initial permutation. The complete function of the algorithm is shown in Figure 2-1. Plaintext
IP IP Lo
Ro Ko
+
f
L1
R1 K1
+
f
L15
R15 K 16
+
f
R15
L15 IP - 1 - 1 IP
C ipher- Text
Figure -1 Complete DES Function
1.1 The f Function and the Key Schedule In this chapter, the f function will be analyzed and the key schedule will be explained in order to understand the complete procedure of the DES algorithm. As shown in Figure.2.2 the right half of the plaintext after been expanded from 32bits to 48bits is exclusively-ored with a certain round key. The result of this operation is led to the eight following substitution boxes which transforms the 48-bit input to a 32-bit output. Finally a simple permutation (P) is performed before the final output. Rn-1
Kn
Kn
32
48
64
E 48
PC-1
+
56
48
28 6
6
6
6
6
6
S1 S2 S3 S4 S5 S6 S7 S8 4
4
4
4
4
4
32 P
P
32
28
6 6
C
D
Shift
Shift
4 4
PC-2 48
Figure -2 function f
Figure -3 Key Schedule
As mentioned before, on each round a certain key is applied. This key is produced by a specific procedure shown in Figure 2-3 and its characteristic is its two substitution permutations. When the initial 64-bit key is inserted, a permutation occurs (PC-1) in which every 8th bit of the key is used only for parity check and so its final size is reduced to 56-bits. Then, the key splits in two equal halves of 28-bits and each half is shifted (left, when we have an encryption progress or right, when decryption) zero, one or two bits depending on the number of round. After this operation a final permutation (PC-2) occurs. Triple-DES is a minor variation of this standard. In fact, it contains three simple DES serial connected to each other in order to increase the length of the used key since two or three keys are applied depending on which mode of operation is used. Naturally, it is three times slower than the original form of DES but it is way more secure.
3
Implementation of Triple-DES
In this section, the implementation architecture of DES and Triple-DES will be analyzed. The complete design was implemented with the use of VHDL. The files of the components were run and tested on various clock frequencies. The maximum transfer rate achieved at 290 MB/sec (pipeline architecture). Figure 3.1 represents the course that was followed for the digital implementation. DIGITAL DESIGN
SIMULATE
VHDL CODE
SYNTHESIZE
IMPLEMENTATION
TRANSLATION
DOWNLOADING & PROGRAMMING CHIP
MAPPING
PLACE&ROUTE
TEST
FINAL TEST
PROGRAMMING FILES GENERATION
Figure -4: Implementation Course
In order to implement the cryptographic algorithm, it was necessary to translate the mathematical expression of the specific algorithm to an equal expression on digital design. The following figures describe the complete process of the DES encryption algorithm which was separated to three parts. In the first part, an initial permutation of the plaintext and the permutation of the key occur (Figure 3-2). As shown in figure (Figure 3-3), the round function of DES is applied sixteen times before the final permutation IP-1(Figure 3-4).
TEXT IN 64bits ip1in
Initial Permutation ( IP ) Ipsplit.vhd
32bits left
32bits right
32bits left
ROUND1 ROUND1 KEY IN 64bits keyin
PC1
ROUND2 ROUND2
ROUND16 ROUND16
Final TEXT Permutation -1 OUT ( IP ) 64bits
32bits right
28bits keyleft
IP-1.vhd
Kpc1asplit.vhd 28bits keyright
Figure -7: Final Permutation
Figure -6 Sixteen DES Rounds
Figure -5:Initial Permutations
The complete Round function of DES is represented on Figure 3-5. This figure shows the architecture that was used in the present paper for the efficient implementation of the algorithm on a reconfigurable platform. 32bits left
32bits
Left Register 32
ENABLE 1
Reg32left.vhd
ENABLE ROUND
Right Register 32
32bits outl
Reg32right.vhd
ENABLE ROUND 28bits keyleft 28bits keyright
28 Shift Register
Exp.vhd
48bits expout
48bits
KEY 1
28bits skeyleft
PC2
28bits skeyright
Kpc2.vhd
P -Box
8 sbox
Soutpboxout .vhd
32bits pboxout
XOR 48 OUTL ENABLE 1
SKE Y LE FT
S K E YR I GH T
MODE
Expansion
48b its
32bits right
32bits outl
SKEYLEFT SKEYRIGHT
28bits skeyleft 28bits skeyright
REGISTER 88 Reg88.vhd
Figure -8: DES Round function
32bits outl 28bits skeyleft 28bits skeyright
right
XOR32
After programming, all the necessary VHDL files (Components) were connected to each other, as shown in the following Register Transfer Level (RTL) schematic diagram (Figure 3-6) in order to confirm the correct operation of the complete algorithm according to the official test vectors [4].
Figure -9: RTL schematic of the full DES
The Triple-DES algorithm was designed as three simple DES serial connected to each other. Instead of the first and third simple DES, the second performs the opposite operation using a different key. For instance, if the operation of Triple-DES is encryption, then the first and third simple DES perform encryption using key 1 while the second simple DES performs decryption using key 2. When Triple-DES operates in decryption mode, all the simple DES components work opposite respectively. The Triple-DES RTL architecture is illustrated in figure 3.7
Figure -10: RTL schematic of Triple-DES
Figure 3-8 illustrates the implemented components inside the chip. Additionally, the interconnections of the components are shown. The chip which was used for the Triple-DES implementation is mentioned below. Xilinx, Device Family: Virtex- E, Chip XCV1600ebg560-8 C
Figure -11: Triple-DES Chip Implementation
Table 3-1 presents the chip’s implementation report. Number of Slices:
12635 out of 14039 90%
Number of Slice Flip Flops:
20505 out of 31104 65%
Number of 4 input LUTs:
15518 out of 31104 49%
Number of bonded IOBs:
243 out of 408 59%
Number of GCLKs:
1 out of 4 25%
Minimum period
6.564ns (Maximum Frequency: 152.346MHz) Table -1: Implementation Summary
4
Conclusion
The present work introduces the worth point of a digital Triple-DES cryptographic algorithm implementation based on FPGA technology. This work can be used for high speed hardware circuitries where the need of privacy on communication is imperative.
5
References
[1] Bruce Schneier, “Applied Cryptography Protocols, Algorithms, and Source Code in C”, Second Edition, John Wiley & Sons, 1996 [2]
Andrew Rushton, “VHDL for Logic Synthesis”, John Wiley & Sons, Second edition 1998
[3] 2002
D. Stinson. “Cryptography: Theory and Practice”, 2nd Edition, Chapman and Hall/CRC,
[4] Federal Information Processing Standards Publications (FIPS PUBS) FIPS Home Page. http://www.itl.nist.gov/fipspubs/ [5]
Andrew S. Tanenbaum, “Computer Networks”, 2003
[6] ANSI X9.17 (Revised): “American National Standard for financial Institution key management (wholesale)”, American Bankers Association, 1986 [7] ISO DIS 8732: “Banking – key management (wholesale)” Association for Payment Clearing Services, London, December 1987
