1

Error Detection by Parity Modication for the 128-bit Serpent Encryption Algorithm

Grigori Kuznetsov, Ramesh Karri and Michael Gssel o Polytechnical University Brooklyn, USA University of Potsdam, Germany

Modied input parity

Essence of the proposed method The input-parity is determined and modied step by step in accordance with the processing steps of the cryptographic algorithm into the output-parity and compared with the actual output parity Often the same hardware can be used for the computation of the input-parity and of the output-parity

Serpent Encryption Algorithm

Initial permutation 32 rounds componentwise key-addition 32 nonlinear substitution boxes linear transformation Final permutation

Serpent Encryption Algorithm

Plaintext
128

Initial Permutation
128

X Key Mixing Y
4 4 4 4

Round Key
128

SBoxes Z U
128 32 32 32 32

Linear Transformation 32 Rounds Final Permutation

128

Ciphertext

Serpent Encryption Algorithm: S-boxes

X Y 0 3 1 8 2 15 3 1 4 10 5 6 6 5 7 11 8 14 9 13 10 4 11 2 12 7 13 0 14 9 15 12

Serpent algorithm: Linear Transformation

Z3 32 Z2 32 <<< 3 bits Z1 32 Z0 32 <<< 13 bits

<< 3 bits <<< 3 bits <<< 7 bits <<< 1 bit left rotation by 3

<< 7 bits << 7 bits left shift by 7

<<< 22 bits 32 U3 32 U2 32 U1

<<< 5 bits 32 U0

Ordinary Parity Prediction

y1(x) = f1(x), , ym(x) = fm(x)

P (y(x)) = y1(x) ym(x),

optimized

P (y(x)) is determined as a function of the inputs

Ordinary Parity Prediction

y1(x) = f1(x), , ym(x) = fm(x)

P (y) = y1 yn, P (y) is determined as the XOR-sum of the circuitoutputs P (y(x)) is compared with P (y).

Ordinary Parity Prediction

x1 F xn yn p(y(x)) P(x) y1

10

Proposed Method: Modied Input Parity

Input-parity Output-parity: P (x) P (y(x)) =
optimized

x1 xn y1(x) yn(x)
optimized

11

Proposed Method: Modied Parity

Input parity P(x) = x1 . . . xn The input-parity P (x) is modied by adding modulo 2 P (x) P (y(x)) to the output parity P (y)

12

Proposed Method: Modied Parity

Output parity P(y) = y1 . . . yn P (x) [P (x) P (y(x))] is compared with P (y)

13

Modied Parity
x1 F xn ym y1

P(x)

P(y)

Parity modification

14

Example with Serpent S-Box

Xi+3 Ki+3 Xi+2 Ki+2 Xi+1 Ki+1
error

Xi Ki

1 > 0

S(0000) = 0011 S(0010) = 1111 1 > 0 P(1111) = P(0011) Yi+3

SBox

1 > 0 Yi+2

1 Yi+1

1 Yi

15

Example with Serpent S-Box

Xi+3 Ki+3 Xi+2 Ki+2 Xi+1 Ki+1
error

Xi Ki

P(x) P(k) P(0010)=1

1 > 0 Pinp

0 Pout

SBox

P(0000) P(0011) = 0

0=1 0 > 1 P(y) = 0

1 > 0 Yi+3

1 > 0 Yi+2

1 Yi+1

1 Yi

16

Parity-modications for :Key-addition modulo 2

y1 = x 1 k 1 , , y m = x m k m P (y(x)) = x1 k1 ym km = P (x) P (k) with P (k) = k1 km Modication: P (k), 1-bit operation

17

Key addition
x1 k1 y1

xn

kn

yn

P(x) P(k)
P(x) P(y) = P(k) = k1 ...

P(y)
k n

18

Parity-modications for :Non-linear Transformation by an S-box

Example: S-box with four inputs x1, x2, x3, x4 = x and four outputs y1, y2, y3, y4 with y1(x) = S1(x), , y4(x) = S4(x) y5 = x1 x4 y1(x14) y4(x14)

19

S-boxes
X0 x 31... x 28 x 3 ... x 0

SBox 8 x31
...

. . .
x28 y31
...

SBox 1 y28 x3
...

x0

y3

...

y0

y31... y28 Y0

y3 ... y0

P(X 0)

P(Y0)

20

Parity-modications for the Linear Transformation

X3
32

P(x 3 )

X2
32

P(x 2 )

X1
32

P(x1)

X0
32

P(x 0 )

<<< 3

<<< 13

31 30 29

<< 3 <<< 7 <<< 1

31 30 ... 25 24

<< 7

<<< 22
32 32 32

<<< 5
32

U3

P(U3 )

U2

P(U2 )

U1

P(U1)

U0

P(U0)

21

Serpent algorithm with error detection

X3 X2 X1 X0
P(X3) P(X2) P(X1) P(X0) 32 32 32 Key Mixing 32 Pk 0 Pk 1

Key

Pk 2 Pk 3

Y3

Y2

Y1

Y0
P(Y0 ) P(Z0 ) P(Y1 ) P(Z1 ) P(Y2 ) P(Z2 ) P(Y3 ) P(Z3 )

Sboxes

Z3

Z2

Z1

Z0

Register

Linear Transformation

U3

U2

U1

U0

22

Error detection capability and Area overhead

If outputs of the s-boxes are independently implemented then we can detect all single stuck-at faults The area overhead for the S-boxes is 8% compared to the s-boxes checked by ordinary parity.

23

Conclusions
A new method of error detection (due to technical faults and due to attacs) for the Serpent Encryption Algorithm has been proposed. The input parity is modied according to the processing steps of the encryption algorithm into the output parity and compared with the actual output parity.

24

Conclusions

the propagation of a single-bit error at the outputs of a processing step ito a multi-bit error in the sucessive processing steps , which is typical for encryption algorithms, does not reduce the error detection capability of the proposed method.