Cryptanalysis of AES using FPGA Implementation

Mrs. Priyanka Holambe#1, Prof. Ms. Harshali D. Zodpe *2
#Dept. of Electronics and Telecommunication Engineering
Maharashtra Institute of Technology, Pune – 411038, India,
* Dept. of Electronics and Telecommunication Engineering
Maharashtra Institute of Technology, Pune – 411038, India

Abstract: In an age of technological advancements, security and privacy plays an important role in day to day communication. Cryptanalysis of modern cryptography algorithm involves massive and parallel computations. In absence of the mathematical breakthrough to a cryptanalytical problem, a promising way to tackle these computations is to build special purpose hardware which will provide better cost-performance ratio. In this paper, the cryptanalysis of AES algorithm using brute force attack is used as a proof of concept. The basic concept is to create multiple instances of the design which can be instantiated simultaneously so that the solution space is exposed at a faster rate. For implementation of AES, Spartan-6 (XC6LX9) device is used. FPGA implementation of the AES requiring 1918 slices on a Xilinx Spartan3 (XC3S50) device, while achieving throughhput of 1114.624 Mbps. Time required for cryptanalysis of AES is reduced from seconds to miliseconds as 3 multiple instances of design are instantiated parallel. The low-cost implementation and moderate throughhput makes it practically suitable for low resource security applications.[1]

Keywords— AES, FPGA, VHDL, Cryptanalysis, Brute-Force Attack, Cipher Key.

I. INTRODUCTION TO CRYPTANALYSIS

With the advance high speed electronic communication there is more information than ever to protect. The constant increase of information transmitted electronically has led to an increased reliance on cryptography. The security of symmetric and asymmetric ciphers is usually determined by the size of their key-length. Hence when designing a cryptosystem, the key-length must be chosen according to the assumed computational capabilities of an attacker. Cryptanalysis of modern cryptographic algorithms involves massive and parallel computations. Cryptanalysis is the study of retrieving the plain-text without knowledge of the valid key. In the absence of mathematical breakthroughs to a cryptanalytical problem, a promising way to tackle these computations is to build special-purpose hardware which will provide better cost-performance ratio.

There are different types of cryptanalysis, such as classical, algebraic attack, pre-existing attack, side channel attack, brute-force attack etc…

A. Brute-Force Attack

Brute-force attack is a strategy which can be used against any encryption data. This attack is being used when attacker can’t take advantages of other any leak information from encryption. This applies every possible key from key space until the correct key is not obtained. The resources required brute-force attack increases exponentially as length of key increases. The length of key decides practical feasibility of performing Brute-force attack. The bottleneck for brute-force attack is time, as length of the key increase. Only by using the brute-force attack AES is breakable.

This paper is organized as follows: Section I is the Introduction to Cryptanalysis, Section II is Advanced Encryption Standard, it gives the detail explanation of AES algorithm and its operations. Section III gives proposed cryptanalysis of AES system requirements, specifications, design and implementation. Section IV gives results and conclusion V scope of future work.

II. ADVANCED ENCRYPTION STANDARD

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2002. Originally called Rijndael, the cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted to the AES selection process. AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES). The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

A. AES Algorithm

The AES is a symmetric block cipher that is used to encrypt and decrypt data. It consists of 128 bits input and support 128, 192 and 256 bits key length. These 128 bits are organized into 4x4 matrix referred as “state. The key size used for an AES specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the cipher-text. The feature of AES with different key is shown in Table I.
TABLE I

AES FEATURES WITH DIFFERENT KEY LENGTH

<table>
<thead>
<tr>
<th>Block Size</th>
<th>Key Length</th>
<th>No. of Rounds</th>
</tr>
</thead>
<tbody>
<tr>
<td>AES_128</td>
<td>4</td>
<td>4</td>
</tr>
<tr>
<td>AES_192</td>
<td>4</td>
<td>6</td>
</tr>
<tr>
<td>AES_256</td>
<td>4</td>
<td>8</td>
</tr>
</tbody>
</table>

The AES algorithm consists of four major transformations. These transformations are:

- Byte Substitution
- Shift Row Transformation
- Mix Column Transformation
- Addition of Round Key
- Key Expansion

The AES Encryption and decryption process include the above mentioned transformations applied consecutively over the state, for a fixed number of rounds. The number of rounds depends on the key length used. The transformations for encryption and decryption are as follows. [5]

1. AES encryption

Encryption is simply conversion of raw data referred as plain text to encrypted or encoded data referred as cipher text.

- Byte substitution
  It is a nonlinear substitution of bytes that operates independently applied on State matrix. It includes two steps: first, executing the inverse of multiplication on finite field GF (2^8) with irreducible polynomial \( m(x) = x^8 + x^4 + x^3 + x + 1 \), then apply the transformation defined by

  \[
  \begin{bmatrix}
  b'0 \\
  b'1 \\
  b'2 \\
  b'3 \\
  b'4 \\
  b'5 \\
  b'6 \\
  b'7 \\
  \end{bmatrix} = \begin{bmatrix}
  1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
  1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
  1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
  1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
  1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
  0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
  0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
  0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
  \end{bmatrix} \begin{bmatrix}
  b0 \\
  b1 \\
  b2 \\
  b3 \\
  b4 \\
  b5 \\
  b6 \\
  b7 \\
  \end{bmatrix} + \begin{bmatrix}
  1 \\
  1 \\
  0 \\
  0 \\
  0 \\
  0 \\
  0 \\
  0 \\
  \end{bmatrix}
  \]

  Figure 1. Matrix Notation for S-Box

- Shift Row Transformation
  It performs cyclic shift of rows in the state matrix. The shift is performed over different offsets.

- Mix Column Transformation
  In this transformation, each column of the state matrix is treated as a four-term polynomial. The columns are considered as polynomial over GF (2^8) and multiplied by \( x^8 + x^4 + x^3 + x + 1 \).

- Addition of Round Keys
  In this transformation, a Round Key is added to each byte of state matrix by simple bitwise XOR operation.

- Key Expansion
  In AES, there are a number of rounds, each needing its own key, so the actual key is “stretched out” and transformed to give portions of key for each round.

2. AES Decryption

Decryption is the reverse process to convert cipher text into the plain text. The decryption algorithm is very similar to the encryption algorithm except it uses inverses of the subroutines and they are executed in a slightly different order. 128-bit cipher text is converted into plaintext by the application of the inverse of the four transformations. Addition of round key is same for both encryption and decryption. The last round of both data and key are the first round inputs for the decryption process. [5]

The overall AES encryption and decryption process is described by Figure 2.

III. Implementation of cryptanalysis of AES on SPARTAN-6 Board

A. Overall System Design

In this paper Cryptanalysis of AES-128 for single and three parallel instances is implemented at the description level using Verilog Hardware Descriptive Language (VHDL). This program is written in Xilinx ISE 14.1 Project Navigator and...
simulated using ISE Simulator and implemented using FPGA Spartan-6 Board.

Figure 3 shows the proposed system design for AES Cryptanalysis.

![Figure 3: System Block Diagram for Cryptanalysis of AES using FPGA](image)

Computer is interfaced with the FPGA board, here Spartan-6 by using USB cable which also provides power supply to the kit. FPGA board has three key search engines. Each key search engine has VHDL programmed cryptanalysis of AES instances. Plaintext and ciphertext both are inputs required for cryptanalysis of AES’s module which is VHDL program. These instances of key search engine are instantiated parallel to find the output key. Computer shows this output key and time required finding the key, generated from the FPGA Spartan-6 board.

The modeling process utilized in this project is the bottom-up approach. This means that the leaf components in the design hierarchy were developed first and the higher-level modules were constructed by instantiating their subcomponents and connecting them with the internal signals. All the modules in the design hierarchy were modeled in behavioral style, but the root module consisted of data flow modeling as well to implement the four major cipher transformations.

For the Cryptanalysis of AES design, a software model was initially developed in VHDL which would read a binary input and then output the encoded bit stream into another binary output. It gives the output key search for plaintext and cipher text.

**B. System Implementation**

The top module of the program (Single instance AES-128 Cryptanalysis) is simulated by using ISE simulator available with the Xilinx 14.1 ISE Design suite. Once the design is placed and routed, the Post placed and routed design is simulated and the output is cross checked with reference to the standard documentation available for AES. Then it is implemented on the FPGA board (XC6SLX9 CSG324). Same is done for the three parallel instances AES-128 cryptanalysis.

**C. Requirements**

- **Hardware selection**
  FPGA is used here because of its ability of re-programmable, and a shorter time to market and lower non-recurring engineering costs. FPGAs combine the best parts of ASICs and processor-based systems.

- **Software selection**
  1. Xilinx ISE 14.1: It is a software tool produced by Xilinx for synthesis and analysis of HDL designs, enabling the developer to synthesize their designs, perform timing analysis, examine RTL diagrams, simulate a design's reaction to different stimuli, and configure the target device with the programmer. Xilinx 14.1 supports Spartan-6 boards.
  2. Mimas V2: It is used to download VHDL Xilinx program in Spartan-6 board with port selection option.
  3. Visual Basic: Using Visual Basic we can see only required parameters in a single window and it is flexible to add or remove the parameters in window.

**D. Specifications**

1. 128 bit Plaintext and 128 bit Chipertext-Input
2. AES algorithm
3. 128-bit key Variable - Output
4. Hardware used – Spartan-6 FPGA Board

**E. Simulation Results**

The simulation results for the AES 128 bit for encryption and decryption are obtained from ISE simulator as shown in Fig. 4-5. These results are verified from AES standard documentation.

The simulation results for single and three instances cryptanalysis of AES are obtained as shown in Figure 6-7.
Details of the simulation result of three instances of cryptanalysis of AES.

Plaintext considered = 303030303030303030303030303030
Ciphertext out = 3c57908a5d398d62c5954fe48051e3cd
Output key generated = 000000000000000000000000000003
Elapsed time to generate the key with single instance is 0.608 sec.

IV. RESULTS AND CONCLUSIONS
A. Results
Table 1 gives synthesis results with fastest and memory free AES-128 encryption. Synthesis comparison of AES encryption with other results [1]

Table 1
Synthesis Result Comparison

<table>
<thead>
<tr>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td>Clock time (MHz)</td>
<td>60</td>
<td>70</td>
<td>161</td>
<td>67</td>
<td>30</td>
<td>45</td>
<td>45.624</td>
<td>115.508</td>
</tr>
<tr>
<td>Dots per clock cycle</td>
<td>44</td>
<td>40</td>
<td>92</td>
<td>96</td>
<td>1.554</td>
<td>952</td>
<td>160</td>
<td>123</td>
</tr>
<tr>
<td>No. of clock cycles</td>
<td>222</td>
<td>183</td>
<td>125</td>
<td>134</td>
<td>18</td>
<td>280</td>
<td>184</td>
<td>3918</td>
</tr>
<tr>
<td>No. of Block RAMs</td>
<td>3</td>
<td>3</td>
<td>0</td>
<td>2</td>
<td>2</td>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>Speed of Block RAMs (Kbps)</td>
<td>4</td>
<td>18</td>
<td>0</td>
<td>4</td>
<td>0</td>
<td>0</td>
<td>0</td>
<td>0</td>
</tr>
<tr>
<td>Total clock cycles</td>
<td>522</td>
<td>131</td>
<td>1125</td>
<td>264</td>
<td>152</td>
<td>280</td>
<td>184</td>
<td>5918</td>
</tr>
<tr>
<td>Throughput (Mbps)</td>
<td>106</td>
<td>206</td>
<td>215</td>
<td>2.2</td>
<td>0.7452</td>
<td>24</td>
<td>36.5</td>
<td>1114.624</td>
</tr>
<tr>
<td>Throughput (Microns)</td>
<td>3.10</td>
<td>10</td>
<td>1.05</td>
<td>0.5</td>
<td>1.5</td>
<td>0.5</td>
<td>85.1</td>
<td>147.5</td>
</tr>
<tr>
<td>Summary</td>
<td>Least speed/slower</td>
<td>Faster</td>
<td>ASIP</td>
<td>Systolic</td>
<td>_</td>
<td>Systolic</td>
<td>_</td>
<td>Systolic</td>
</tr>
</tbody>
</table>

Table 2
Comparison of elapsed time required to find key

<table>
<thead>
<tr>
<th>Sr. No.</th>
<th>Key(16 bytes)</th>
<th>Elapsed time required for single cryptanalysis (sec)</th>
<th>Elapsed time required for three cryptanalysis (sec)</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>00 0 0 0 0</td>
<td>0.39</td>
<td>0.39</td>
</tr>
<tr>
<td>2</td>
<td>00 0 0 0 0</td>
<td>0.608</td>
<td>0.39</td>
</tr>
<tr>
<td>3</td>
<td>00 0 0 0 0</td>
<td>0.842</td>
<td>0.39</td>
</tr>
<tr>
<td>4</td>
<td>00 0 0 0 0</td>
<td>1.061</td>
<td>0.608</td>
</tr>
<tr>
<td>5</td>
<td>00 0 0 0 0</td>
<td>1.279</td>
<td>0.608</td>
</tr>
<tr>
<td>6</td>
<td>00 0 0 0 0</td>
<td>1.528</td>
<td>0.608</td>
</tr>
<tr>
<td>7</td>
<td>00 0 0 0 0</td>
<td>1.747</td>
<td>0.843</td>
</tr>
<tr>
<td>8</td>
<td>00 0 0 0 0</td>
<td>1.982</td>
<td>0.843</td>
</tr>
<tr>
<td>9</td>
<td>00 0 0 0 0</td>
<td>2.199</td>
<td>0.843</td>
</tr>
<tr>
<td>10</td>
<td>00 0 0 0 0</td>
<td>6.723</td>
<td>2.418</td>
</tr>
<tr>
<td>11</td>
<td>00 0 0 0 0</td>
<td>58.095</td>
<td>19.594</td>
</tr>
<tr>
<td>12</td>
<td>00 0 0 0 0</td>
<td>68.048</td>
<td>22.792</td>
</tr>
</tbody>
</table>
From the above results we can conclude that, as number of key search engines are increases time required to find key reduces. Table 1 is formed by collecting number of results of single and three instances of cryptanalysis AES, so collectively we can easily illustrate the result that time required to search the key is reduced as numbers of search engines are increased.

B. Conclusions

The proposed hardware-based cryptanalysis of AES system is designed to find the key, which is used to encrypt and decrypt data. Using AES-128 algorithm, implementation of cryptanalysis of AES is done on FPGA board; here Spartan-6 board is used. From the results of AES cryptanalysis it is clearly seen that as numbers of instances increases processing time to find key decreases. As the length of the key increases the processing time required to find output key is increases exponentially. From the results we can say that time increase from seconds to minutes, as length of key increases. Processing time to generate the output key reduces as the multiple instances of cryptanalysis are instantiated parallel as compared to single instance.

B. Scope for future work

In this project, a single FPGA board is used for implementation of Cryptanalysis of AES. Further, a system consisting of customized board with multiple FPGA’s board and multiple such boards can be developed. All FPGA cards can be controlled by using a controller or another FPGA board.

Figure 8 shows proposed future scope block diagram for Cryptanalysis of AES.

ACKNOWLEDGMENT

We take this opportunity to express our sincere appreciation for the cooperation given by all the faculty and staff members of MIT, Pune to make this work a memorable experience.

REFERENCES