Cryptanalysis on FPGA Based Hardware Malcolm Alda Sumantri Bachelors of Engineering (Software) & Bachelors of Commerce (Finance) The University of Sydney Supervisors: Matt Barrie Craig Jin

Page 1

Cryptanalysis on FPGA Based Hardware

Malcolm Alda Sumantri
Bachelors of Engineering (Software) & Bachelors of Commerce (Finance)

The University of Sydney

Supervisors: Matt Barrie, Craig Jin

Page 2

Introduction
• Welcome to the Digital Age where everything can be replicated!
• Cryptography is used…
– To protect our privacy
  • For example: our real identity, our e-mails to family and friends, our digital photos, our work.
– To protect corporate secrets
  • For example: future corporate strategies, intellectual property, pricing information, human resources information.
– By governments
  • For example: sending messages to spies, task forces, between agencies to protect civilians and against terrorism.
• How secure are our currently deployed cryptosystems?

Page 3

Motivation
• Information security is a resource game.
– More funds means more access to information.
• The US National Security Agency’s annual budget is classified but is said to be over US $13 billion.
• Assessing the strength of our cryptosystems therefore involves determining the cost to break them.
• Rapid development in Field Programmable Gate Array (FPGA) technology makes it cheaper to develop high-performance custom hardware systems. FPGA technology has proven to be effective for cryptographic use.
• A recent optimization in cryptanalysis.
– Rainbow Tables

Page 4

Background
• Symmetric Cipher

[Figure: symmetric cipher. Plaintext (P) and Key (K) enter the Encryption Algorithm (E), giving ciphertext C = E_K(P); the ciphertext and Key (K) enter the Decryption Algorithm (D), giving plaintext P = D_K(C).]

• Cryptanalysis: Code breaking, reveal the plaintext without the key.
– Exhaustive Key Search: Try every possible key; requires large computational power.
– Table Lookup: Store keys and ciphertexts in massive tables and perform a lookup when attacking; requires a large amount of memory (infeasible).
– Time-memory trade-off: Give up memory to achieve a faster attack time.
• FPGAs
– Reconfigurable logic (upload the bitstream to the hardware).
– Cheaper than Application Specific Integrated Circuits (ASICs) for small volumes.

Page 5

Time-Memory Trade-Off: Rainbow Tables
• How does it work?
– Assume a chosen-plaintext attack scenario.
  • The attacker can choose which plaintext to access.
  • The attacker will use this to attack the cryptosystem.
  • This is practical in the real world (UNIX password hashing, “#include <stdio.h>”, “\n”).
– Two Phases
  1. Precomputation Phase
  2. Online Attack Phase (Cryptanalytic Attack)
• Precomputation Phase: Generate a rainbow table.
– A rainbow table is a two-column table (start-point, end-point).
– These points are possible keys.
– This table is generated by a specific algorithm.
• Online Attack Phase: Use the rainbow table.
– We are given a ciphertext to break.
– Now we perform a search on the rainbow table by using another algorithm.
• This method is probabilistic, but faster than exhaustive key search.
• Unlike exhaustive key search, which only requires computational resources (processor), this method uses memory as well as computational resources.
• As a result, the attack time is faster but we have given up memory. This is the trade-off.

[Figure: Rainbow Table, a two-column table with columns End-point and Start-point.]

Page 6

Methodology
• Design and implement an FPGA based cryptanalytic system that uses the rainbow tables method of cryptanalysis.
• Use the Data Encryption Standard (DES) as the test symmetric cipher.
– DES uses a 56-bit key.
– DES is the most widely studied cipher.
– DES is still used today (UNIX password hashing).
• Determine the cost to break DES.
• Extrapolate the cost to break other ciphers.

Page 7

Design I – Data Encryption Standard
• In designing a cryptanalytic system, the performance of the cipher module determines the performance of the whole system.
• Security of DES derives from 16 rounds of permutations, substitutions and XORing.
• Each round is implemented as a 3-stage pipeline, for a total of 48 stages for the 16 rounds of DES.
– Pipelining improves performance:
  • Attain higher clock frequencies.
  • Achieve parallelization: 48 encryptions per clock cycle.

[Figure: one DES round as a 3-stage pipeline (e-box; xor and s-box; p-box and xor). Data Round Entity labels: Left (32-bit), Right (32-bit), E(right) (48-bit), S-Boxes[E(right) xor RoundKey] (32-bit), Register for left and right, Delayed Left (32-bit), Delayed Right (32-bit), R’=L xor f(R’,K), L’=R. Key Round Entity labels: Key Input (56-bit), Key Shift and PC-2, Register for 56-bit Shifted Key, Round Key (48-bit), Next Key (56-bit), Delayed Next Key (56-bit).]

Page 8

Design II – The Rainbow Table Precomputation System

[Figure 1, High Level System Design. Labels: Precomputation Software, Precomputation Engine, Rainbow Table Manager (Database Communication Module), Hardware Controller, Precomputation Hardware, Open-Source SQL Database (Start-Point / End-Point Pair); signals: Plaintext, Start Mask, End Mask, First Start Point, Last Start Point, End-Point.]

[Figure 2, Hardware Design: Precomputer Entity (precomputer_nty). Labels: Starting Point Generator Unit, Resume Key Generator, Multiplexer (Select), Initial Permutation, Permuted Plaintext Register, 16 Rounds of DES (48-stage Pipeline), DES Inverse Initial Permutation and Reduction Function Unit; signals: Enable, Pause, Clock, Reset (Active-Low), First Start Point (56-bit), Last Start Point (56-bit), Start Point (56-bit), Key (56-bit), Plaintext (64-bit), Permuted Plaintext (64-bit), Ciphertext (64-bit), Intermediate Point (56-bit), End Point (56-bit).]

[Figure 3, Hardware output behavior (Timing Diagram).]

Page 9

Design III – The Rainbow Table Online Attack System

[Figure 1, High Level System Design. Labels: Online Attack Software Controller, Rainbow Table Manager (Database Communication Module), Open-Source SQL Database (End-Point, Start-Point), Hardware Controller for Rainbow End-Point Generator, End-Point Generator Hardware, Intermediate Key Generator Hardware; signals: Plaintext, Ciphertext, Start Mask, End Mask, Last Mask, Start Point, Prospective End-Point, Prospective Column for Key, Prospective Key.]

[Figure 2, Hardware Design: End Point Generator (oa_endpointgenerator_nty). Labels: Controller, Permuted Plaintext Register, 16 Rounds of DES (48-stage Pipeline); signals: Enable, Pause, Clock, Reset (Active-Low), Plaintext (64-bit), Ciphertext (64-bit), Key (56-bit), Start Mask (56-bit), End Mask (56-bit), Preoutput (64-bit), Prospective End-Point (56-bit), Column Number (56-bit).]

3. Mechanism

Step | Goal | Tool | Input to Tool | Output of Tool
--- | --- | --- | --- | ---
1 | Generate end-points from the chosen plaintext/ciphertext pair. | End-Point Generator (Hardware) | Chosen plaintext, chosen ciphertext, start mask, end mask | Prospective End-Point, Prospective Column Number
2 | Perform table lookup on all end-points generated from Step 1. | Online Attack Software Application | End-points generated from Step 1. | Start-points that correspond with matching end-points from Step 1.
3 | Generate key from start-points found in Step 2. | Intermediate Key Generator (Hardware) | Start-point and matching column number (from Steps 1 and 2), start mask, end mask. | Candidate key(s)
4 | Test validity of key | Online Attack Software Application | Candidate key(s) from Step 3, chosen plaintext, chosen ciphertext. | Key
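
The two phases described on page 5 and the four-step online mechanism on page 9, as an added example that is not code from the thesis. A 16-bit key space and a keyed BLAKE2b function stand in for DES; the XOR-with-column reduction function, `CHAIN_LEN` and all function names are assumptions made for illustration.

```python
import hashlib

KEY_BITS = 16                       # toy key space; the slides target 40- and 56-bit DES
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 64                      # columns per chain (assumed table parameter)

def encrypt(key: int, plaintext: bytes) -> int:
    """Stand-in for C = E_K(P): keyed BLAKE2b truncated to 64 bits, not DES."""
    mac = hashlib.blake2b(plaintext, key=key.to_bytes(2, "big"), digest_size=8)
    return int.from_bytes(mac.digest(), "big")

def reduction(ciphertext: int, column: int) -> int:
    """Map a ciphertext back into the key space, differently per column (assumed form)."""
    return (ciphertext ^ column) & KEY_MASK

def walk(key: int, plaintext: bytes, first_col: int, last_col: int) -> int:
    """Apply encrypt-then-reduce for columns first_col .. last_col - 1."""
    for col in range(first_col, last_col):
        key = reduction(encrypt(key, plaintext), col)
    return key

def precompute(start_points, plaintext: bytes) -> dict:
    """Precomputation phase: keep only end-point -> start-point pairs."""
    return {walk(sp, plaintext, 0, CHAIN_LEN): sp for sp in start_points}

def online_attack(table: dict, plaintext: bytes, ciphertext: int):
    """Online phase, following steps 1-4 of the mechanism table."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Step 1: prospective end-point if the key sat in this column.
        end = walk(reduction(ciphertext, col), plaintext, col + 1, CHAIN_LEN)
        start = table.get(end)                        # Step 2: table lookup
        if start is None:
            continue
        candidate = walk(start, plaintext, 0, col)    # Step 3: rebuild candidate key
        if encrypt(candidate, plaintext) == ciphertext:   # Step 4: reject false alarms
            return candidate
    return None                     # key not covered: the method is probabilistic

if __name__ == "__main__":
    pt = b"constructed plaintext"                     # constructed chosen plaintext
    table = precompute(range(2000), pt)               # 2000 stored pairs, 128000 encryptions
    secret = walk(1999, pt, 0, 37)                    # a key that lies inside a stored chain
    print(online_attack(table, pt, encrypt(secret, pt)) == secret)
```

Only the 2000 start-point/end-point pairs are stored, yet every key along those chains is recoverable; keys outside the chains return `None`, which is the success probability the slides refer to.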

Page 10

Experiment and Results
• Experiment:
– Cryptanalytic attack on 40-bit DES, since the resources to break DES are out of reach for the budget in this thesis.
– Use Sensory Networks™ NodalCore™ C-1000 PCI Card.
  • Xilinx® Virtex-II Pro VP-40 FPGA
  • Flexible chipset architecture to embed our hardware engines.
  • PCI interface allows for high-speed communications.
• Results
– 40-bit DES Rainbow Table can be generated in less than 4 hours. Table parameters allow for 85% cryptanalytic success probability.
  • Fastest known implementation in the literature based on results.
– Online attack of 40-bit DES in 30.8 seconds.

[Figure: Comparison of Precomputation Throughput for 40-bit DES. Bar chart; y-axis Throughput (Mbits/second), 0 to 2.5; bars: Rainbow Table Precomputer (Sumantri), Distinguished Points Precomputer (Quisquater et al).]

Page 11

Data Analysis
• Performance-Cost Analysis
– Determine the FPGA chip that provides the highest performance for the lowest cost.
– Synthesized the hardware designs for various Xilinx FPGAs.
– Spartan 3 S-1500 provides the highest performance-cost relative to other Xilinx® FPGA chips.
• Extrapolate the design of a machine to break DES (56-bit key length)
– Result: DES can be broken with 85% success probability in 72 minutes for an approximate cost of US $1,210.

[Figure: Performance-Cost of Precomputation Hardware System. x-axis Cost (dollar per FPGA chip), 0 to 9,000; y-axis Performance (end-points generated per second), 0 to 3,500; series: Spartan 3, Virtex-II, Virtex-II Pro, Virtex 4.]

Page 12

Conclusion
• FPGAs provide a low-cost and effective solution to cryptanalysis.
• Rainbow table attacks provide a faster attack time compared to brute force, but brute force uses fewer resources, namely memory.
– For large key sizes, the rainbow table attack becomes infeasible as memory costs are prohibitive.

Potential Attacker | Key Length (bits) | Cost (US $)
--- | --- | ---
Clever Outsider | 56 | 353
 | 58 | 1,413
 | 60 | 5,650
Knowledgeable Insiders | 62 | 22,600
 | 64 | 90,400
Funded Organization (Large Corporation, Mafia) | 66 | 361,601
 | 68 | 1.4 million
Funded Organization (Small Government, Terrorist Networks) | 72 | 24 million
 | 76 | 370 million
 | 78 | 1.5 billion
Funded Organization (Large Government Bodies: US National Security Agency) | 80 | 6 billion
 | 82 | 24.7 billion
 | 84 | 94.8 billion
 | 86 | 380 billion
 | 88 | 1.5 trillion
Not feasible | 92 | 242 trillion