AN1044

Data Encryption Routines for PIC24 and dsPIC® Devices
Authors:
David Flowers and
Howard Henry Schlunder
Microchip Technology Inc.
INTRODUCTION
Currently, there are three data encryption standards
approved for use in the Federal Information Processing
Standards (FIPS). This application note discusses the
implementation of two of these for PIC24 and
dsPIC30/33 devices: Triple Data Encryption Standard
(TDES) and Advanced Encryption Standard (AES).
TDES ENCRYPTION
Background
The original Data Encryption Standard (DES), a 64-bit
block cipher, was invented in the early 1970s by IBM®.
DES uses a 64-bit encryption key: 56 bits for encoding
and decoding, the remainder for parity. It was adopted
by the United States government in 1977 as a standard
for encrypting sensitive data. By the mid 1990s, several
public organizations had demonstrated that they were
able to crack a DES code within days.
Triple DES (TDES) is a variant of DES, and is
described in FIPS 46-2 and 46-3. TDES uses three
cycles of DES to extend the key from 56 bits to 112 or
168 bits, depending on the mode of operation. Because
of known weaknesses in the DES algorithm, the actual
security is believed to be on the order of 80 and
112 bits, respectively, for the two different methods.
The use of TDES was suggested by the American government in 1999 for use in all systems, except in legacy
systems, where only DES was available.
There are several different modes of TDES. The most
common involves using two different keys. The data is
encrypted with the first key. That result is then
decrypted with the second key. The data is then finally
encrypted once again with the first key. Other modes of
operation include using three different keys, one for
each of the stages, and encrypting in all rounds instead
of decrypting during the second round. For most new
applications, TDES has been replaced with Advanced
Encryption Standard (AES). AES provides a slightly
higher security level than TDES and is much faster and
smaller in implementation than TDES.
The original DES algorithm is outlined in Figure 1. The
cycle is run 32 times before the ciphertext is valid.
FIGURE 1: ORIGINAL DES ALGORITHM
[Block diagram. Blocks: Plaintext, Key, IP Permutation, Left Half, Right Half, E Permutation, Subkey Generator, S1 to S8, P Permutation, Old Left, IP-1 Permutation, Ciphertext]
© 2006 Microchip Technology Inc.
DS01044A-page 1
In the original DES, the plaintext is permuted by the
initial permutation matrix, IP (Figure 2). It is then split
into a left portion and a right portion. The right portion
is permuted by E (Figure 3), XORed with the round
subkey, substituted with an S-Box value (Figure 6),
permuted by P (Figure 4) and XORed with the left half
of the data from the last round. The left data is replaced
with the right data from the last round and the right data
is replaced with this new calculated value. The cycle is
repeated for 32 iterations, with the result permuted by
the inverse permutation matrix, IP-1 (Figure 5), to get
the final cipher text.
FIGURE 2: INITIAL PERMUTATION MATRIX (IP)
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

FIGURE 3: EXPANSION PERMUTATION MATRIX (E)
32  1  2  3  4  5  4  5
 6  7  8  9  8  9 10 11
12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21
22 23 24 25 24 25 26 27
28 29 28 29 30 31 32  1

FIGURE 4: PERMUTATION BOX MATRIX (P)
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25

FIGURE 5: INVERSE PERMUTATION (IP-1) MATRIX
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
An optional implementation, shown in Figure 7, can be
used to reduce the execution time required for each
encryption. Because the S-Box substitution and P
permutation are both linear operations, they can be
combined into one operation, instead of two separate
operations, thus resulting in a PS table. Unrolling the
DES loop once removes the need for some temporary
variables and reduces the overhead of shuffling data. It
does, however, increase the code size.
For a more detailed description of how the permutations and substitutions work, please refer to Microchip
application note AN583, “Implementation of the Data
Encryption Standard Using PIC17C42” (DS00583).
FIGURE 6: S-BOX MATRICES (Sn)
[Eight substitution matrices, S1 through S8]
FIGURE 7: SPEED-OPTIMIZED DES ALGORITHM
[Block diagram. Blocks: Plaintext, Key, IP Permutation, Left Half, Right Half, E Permutation, Subkey Generator, PS1 to PS8, E Permutation, PS1 to PS8, IP-1 Permutation, Ciphertext]
Using the TDES Algorithm
This implementation of TDES is accessed through
three function calls: initTDES, TDES_encrypt and
TDES_decrypt. Their usage is discussed below.
initTDES
This function precalculates the subkey groups needed for TDES. By precalculating the subkeys, the encryption and
decryption routines can be significantly enhanced for speed.
Syntax
void initTDES(unsigned int *KeyLocation);
Parameters
KeyLocation: word-aligned starting address in RAM where the calculated subkeys will be stored. This requires a
384-byte (192-word) block of memory.
Return Values
None
Pre-Conditions
KeyLocation is either reserved or allocated memory of 384 bytes (192 words).
unsigned int Key[12] is loaded with the Encryption/Decryption Keys, where Key[0-3] is the first DES key,
Key[4-7] is the second key and Key[8-11] is the third key.
The same keys used to encrypt a block must also be used to decrypt it.
Side Effects
Values at reserved addresses are changed.
Example
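...
unsigned int *KeyPointer;
/* 384 bytes (192 words) for the precalculated subkeys;
   Key[] must already hold the three DES keys */
KeyPointer = (unsigned int*)malloc(384);
if(KeyPointer != NULL)
{
    initTDES(KeyPointer);
}
...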
TDES_encrypt
This function uses a set of precalculated subkeys generated by the initTDES function and encrypts the data using TDES.
Syntax
void TDES_encrypt(unsigned int *KeyLocation);
Parameters
KeyLocation: pointer to the RAM where the subkeys are located.
Return Values
None
Pre-Conditions
initTDES() has been called resulting in a precalculated subkey
unsigned int M[4] is loaded with the data that will be encrypted
Side Effects
unsigned int M[4] will be translated to the ciphertext.
Example
...
TDES_encrypt(KeyPointer);
...
TDES_decrypt
This function uses a set of precalculated subkeys and decrypts the data using TDES.
Syntax
void TDES_decrypt(unsigned int *KeyLocation);
Parameters
KeyLocation: the address in RAM where the subkeys are located. The subkeys must be generated from the same
key used to encrypt the data (refer to the initTDES function for details).
Return Values
None
Pre-Conditions
initTDES() has been called resulting in a precalculated subkey
unsigned int M[4] is loaded with the data that will be decrypted
Side Effects
unsigned int M[4] will be translated to the plaintext.
Example
...
TDES_decrypt(KeyPointer);
...
AES ENCRYPTION
Background
In the late 1990s, the National Institute of Standards
and Technology (NIST) held a contest to initiate the
development of encryption algorithms that would
replace DES. The competition tested the algorithms’
security and execution speed to determine which would
be named the new Advanced Encryption Standard, or
AES. The algorithm finally chosen is called the
“Rijndael” algorithm after its two designers, Joan
Daemen and Vincent Rijmen of Belgium. It was
adopted by NIST on October 2, 2000, and is described
in FIPS 197.
Rijndael/AES is a symmetric block cipher that utilizes a
single key to encrypt data. The implementation of AES
in this application note is based on a 16-byte block of
data and a 16-byte key size.
Encryption
There are five basic subdivisions of the encryption
algorithm, shown in Figure 8. A detailed explanation of
each follows.
FIGURE 8: AES ENCRYPTION FLOWCHART
[Flowchart. Blocks in order: START; Round Counter = 10, Round_con = 1; Key Addition; S-Table Substitution; Encode Row Shift; Round Counter = 1? (True/False); Encode Mix Column; Encode Key Schedule; Key Addition; Round Counter – 1; Round Counter = 0? (False/True); END]
The number of rounds needed in the transformation is
taken from Table 1. The implementation of AES
discussed here uses 16-byte block and key sizes, and
thus, uses 10 rounds of encryption.

TABLE 1: DETERMINING AES ROUNDS
             Rounds Needed for Block Size
Key Size     16-Byte   24-Byte   32-Byte
16-byte      10*       12        14
24-byte      12        12        14
32-byte      14        14        14
* Used in this implementation.

The structures of the key and data blocks are shown in
Table 2 and Table 3. To fit into the data matrix structure,
the plain text to be encrypted needs to be broken into
the appropriate size blocks, with any leftover space
being padded with an application specified value.
Finally, a key must be selected that is 128 bits (16 bytes)
long.
With a key selected and the data sectioned off into
appropriate size blocks, the encryption cycle may
begin.

TABLE 2: KEY MATRIX
Key [0]   Key [4]   Key [8]    Key [12]
Key [1]   Key [5]   Key [9]    Key [13]
Key [2]   Key [6]   Key [10]   Key [14]
Key [3]   Key [7]   Key [11]   Key [15]

TABLE 3: DATA MATRIX
Data [0]   Data [4]   Data [8]    Data [12]
Data [1]   Data [5]   Data [9]    Data [13]
Data [2]   Data [6]   Data [10]   Data [14]
Data [3]   Data [7]   Data [11]   Data [15]

KEY ADDITION
Once the key has been selected, each byte of the key
is XORed with each of the corresponding data bytes.
On subsequent rounds, the key generated by the key
schedule for that round is XORed in a bytewise manner
with the data.
S-TABLE SUBSTITUTION
During each round, each data byte is replaced with a
corresponding byte from a fixed substitution table, or
S-Table. A fixed S-Table defined by AES is shown in
Table 4.

TABLE 4: S-TABLE ENCRYPTION SUBSTITUTION TABLE (VALUES IN HEXADECIMAL)
      y
x     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00    63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
10    CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
20    B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
30    04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
40    09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
50    53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
60    D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
70    51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
80    CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
90    60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A0    E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B0    E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C0    BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D0    70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E0    E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F0    8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
ENCODE ROW SHIFT
Row shift is a cyclical shift to the left of the rows in the
data block. The values of each row are shifted
differently, as shown in Table 5.

TABLE 5: ENCRYPTION CYCLICAL SHIFT
Before Row Shift:
 0  4  8 12
 1  5  9 13
 2  6 10 14
 3  7 11 15
After Row Shift:
 0  4  8 12
 5  9 13  1
10 14  2  6
15  3  7 11

ENCODE MIX COLUMN
Chapter 2, Section 4.2.3 of the AES specification
(FIPS 197) defines the mix column transformation. In
this operation, a fixed 4x4 matrix, c(x), is
cross-multiplied by the input vector (a(x)) using the
special rules of Polynomials with coefficients in GF(2^8)
to form the output vector, b(x), shown in Equation 1:

EQUATION 1:
$$
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{bmatrix}
=
\underbrace{\begin{bmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{bmatrix}}_{\text{fixed matrix } c(x)}
\times
\begin{bmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{bmatrix}
$$

The special rules for multiplication equate to the
following:
a • 1 = a
a • 2 = xtime(a)
a • 3 = a ⊕ xtime(a)
a • 4 = xtime(xtime(a))
a • 5 = a ⊕ xtime(xtime(a))
...
where xtime is a linear feedback shift procedure. It
can be described in C as shown in Example 1:

EXAMPLE 1: xtime ROUTINE
/* a is an 8-bit unsigned value */
if(a<0x80)
{
    a<<=1;
}
else
{
    a=(a<<1)^0x1b;
}

As an example, the first row of the resulting multiplication is shown in Equation 2, below. A more complete
demonstration is provided in Microchip application
note AN821, “Advanced Encryption Standard Using
the PIC16XXX” (DS00821).

EQUATION 2:
b[0] = xtime(a[0]) ⊕ (a[1] ⊕ xtime(a[1])) ⊕ a[2] ⊕ a[3]
where: “⊕” is the XOR operation
Note:
The members of the multiplication are XORed together rather than added together as they would in
regular matrix multiplication.

ENCODE KEY SCHEDULING
Each round of AES uses a different encryption key
based on the previous encryption key. The key schedule algorithm also uses the S-table, the xtime routine
and Round_con, an initial encryption value.
Consider the generic key:
K0   K4   K8    K12
K1   K5   K9    K13
K2   K6   K10   K14
K3   K7   K11   K15
Starting with key matrix created from the original
plaintext key, the key scheduling is as follows:
1. The values of column 3 of the key matrix (K12
   through K15) are used to obtain values from the
   S-Table.
2. Column 0 of the key matrix (K0 through K3) is
   XORed with the S-Table look-up values of
   column 3.
3. K0 is XORed with Round_con (the original
   value of Round_con is 01h for encoding).
4. Round_con is then updated with the Xtime of
   Round_con for the next round.
5. Column 1 is XORed with column 0.
6. Column 2 is XORed with column 1.
7. Column 3 is XORed with column 2.
Decryption
The functional divisions of the decryption algorithm are
similar to those for the encryption algorithm, with most
being the inverse operation. One major difference, however, is in the setup preceding the decryption. The
decryption key differs from the encryption key and
must be loaded correctly. It can be calculated by running
through the encryption key schedule the appropriate
number of rounds. After the completion of an encryption
cycle, the key is transformed into a decryption key. The
decryption key can be precalculated and stored in the
system, or recalculated each time as needed.
The value of Round_con must also be set differently
for the decryption process. The value of 36h is used for
10 rounds.
FIGURE 9: DECRYPT FLOWCHART
[Flowchart. Blocks in order: START; Round Counter = 10, Round_con = 36h; Key Addition; Round Counter = 10? (True/False); Decode Mix Column; Si-Table Substitution; Decode Row Shift; Decode Key Schedule; Key Addition; Round Counter – 1; Round Counter = 0? (False/True); END]
KEY ADDITION
In a manner like the encryption process, each byte of
the initial decryption key is XORed with each of the corresponding data bytes. On subsequent rounds, the key
generated by the key schedule for that round is XORed
in a bytewise manner with the data.
DECODE MIX COLUMN
The inverse mix column operation (Equation 3) differs
from the encode mix column operation by only the
matrix c(x). Note that the coefficients for c(x) are in
hexadecimal.

EQUATION 3:
$$
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{bmatrix}
=
\underbrace{\begin{bmatrix}
0E & 0B & 0D & 09 \\
09 & 0E & 0B & 0D \\
0D & 09 & 0E & 0B \\
0B & 0D & 09 & 0E
\end{bmatrix}}_{\text{fixed matrix } c(x)}
\times
\begin{bmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{bmatrix}
$$

DECODE ROW SHIFT
As with encryption, row shift is a cyclical left shift of the
rows in the data. For decryption, the different row shift
values are shown in Table 6.

TABLE 6: DECRYPTION CYCLICAL SHIFT
Before Row Shift:
 0  4  8 12
 1  5  9 13
 2  6 10 14
 3  7 11 15
After Row Shift:
 0  4  8 12
13  1  5  9
10 14  2  6
 7 11 15  3

Note that this transformation is different for encryption
and decryption. Also note that the results of this
transformation are equivalent to the row shift transformation used during encryption if the blocks are shifted
to the right instead of to the left.
Si-TABLE SUBSTITUTION
To undo the S-Table substitutions of the encryption process, a fixed Si-Table is used (Table 7). During each
round, each data byte is replaced with a corresponding
byte from the Si-Table.
TABLE 7: Si-TABLE DECRYPTION SUBSTITUTION TABLE (VALUES IN HEXADECIMAL)
      y
x     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00    52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB
10    7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB
20    54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E
30    08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25
40    72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92
50    6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84
60    90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06
70    D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B
80    3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73
90    96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E
A0    47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B
B0    FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4
C0    1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F
D0    60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF
E0    A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61
F0    17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D
DECODE KEY SCHEDULE
Each round of AES decryption uses the same key that
was used to encrypt the data. The key for the next
iteration can be determined from the previous decryption key by performing the inverse operation to the
encryption key schedule.
Starting from the decryption key of the previous round,
the key scheduling is as follows:
1. Column 3 is XORed with column 2.
2. Column 2 is XORed with column 1.
3. Column 1 is XORed with column 0.
4. Column 0 is XORed with the S-Table look-up of
   column 3. (Note: This step uses the S-Table
   (Table 4), not the Si-Table (Table 7).)
5. K0 is XORed with Round_con
6. Round_con is updated with the inverse xtime
   of Round_con. The inverse xtime function can
   be defined in C, as shown in Example 2.

EXAMPLE 2: INVERSE xtime ROUTINE
/* Applied to Round_con: on the way down from 36h the only
   odd value reached is 1Bh, whose inverse xtime is 80h */
if(a&0x01)
{
    a=0x80;
}
else
{
    a>>=1;
}
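
The Figure 8 round flow and the encode and decode key schedules described above, as an added C example (it is not Microchip's source, which this note does not list). The function names are hypothetical, the S-Table is the FIPS 197 S-box, the check vector is constructed from FIPS 197 Appendix C.1, and the one-byte rotation of column 3 before the S-Table look-up follows FIPS 197 rather than the step lists above.

```c
#include <stdint.h>
#include <string.h>

/* S-Table: the FIPS 197 S-box (the values of the note's Table 4). */
static const uint8_t S[256] = {
0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16};
/* xtime (Example 1): multiply by 2 in GF(2^8). */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
/* Inverse xtime (Example 2): covers Round_con, whose only odd value below 36h is 1Bh. */
static uint8_t inv_xtime(uint8_t a) { return (a & 1) ? 0x80 : (uint8_t)(a >> 1); }
static void key_addition(uint8_t d[16], const uint8_t k[16]) {
    for (int i = 0; i < 16; i++) d[i] ^= k[i];
}
/* Column 0 ^= S-Table(column 3), then K0 ^= Round_con. FIPS 197 rotates column 3
   by one byte before the look-up, hence the index order 13, 14, 15, 12. */
static void fold_col3_into_col0(uint8_t k[16], uint8_t round_con) {
    k[0] ^= S[k[13]] ^ round_con;  k[1] ^= S[k[14]];
    k[2] ^= S[k[15]];              k[3] ^= S[k[12]];
}
static void encode_key_schedule(uint8_t k[16], uint8_t *round_con) {
    fold_col3_into_col0(k, *round_con);              /* encode steps 1-3 */
    *round_con = xtime(*round_con);                  /* step 4 */
    for (int i = 4; i < 16; i++) k[i] ^= k[i - 4];   /* steps 5-7 */
}
static void decode_key_schedule(uint8_t k[16], uint8_t *round_con) {
    for (int i = 15; i >= 4; i--) k[i] ^= k[i - 4];  /* decode steps 1-3 */
    fold_col3_into_col0(k, *round_con);              /* steps 4-5 */
    *round_con = inv_xtime(*round_con);              /* step 6 */
}
static void encode_row_shift(uint8_t d[16]) {        /* Table 5 */
    uint8_t t;
    t = d[1]; d[1] = d[5]; d[5] = d[9]; d[9] = d[13]; d[13] = t;           /* row 1: left 1 */
    t = d[2]; d[2] = d[10]; d[10] = t; t = d[6]; d[6] = d[14]; d[14] = t;  /* row 2: left 2 */
    t = d[15]; d[15] = d[11]; d[11] = d[7]; d[7] = d[3]; d[3] = t;         /* row 3: left 3 */
}
static void encode_mix_column(uint8_t d[16]) {       /* Equations 1 and 2 */
    for (int c = 0; c < 16; c += 4) {
        uint8_t a0 = d[c], a1 = d[c + 1], a2 = d[c + 2], a3 = d[c + 3];
        d[c]     = xtime(a0) ^ (a1 ^ xtime(a1)) ^ a2 ^ a3;
        d[c + 1] = a0 ^ xtime(a1) ^ (a2 ^ xtime(a2)) ^ a3;
        d[c + 2] = a0 ^ a1 ^ xtime(a2) ^ (a3 ^ xtime(a3));
        d[c + 3] = (a0 ^ xtime(a0)) ^ a1 ^ a2 ^ xtime(a3);
    }
}
/* Figure 8 flow. The key is scheduled in place, so k[] ends as the decryption key. */
void aes128_encrypt(uint8_t d[16], uint8_t k[16]) {
    uint8_t round_con = 0x01;
    key_addition(d, k);
    for (int round = 10; round != 0; round--) {
        for (int i = 0; i < 16; i++) d[i] = S[d[i]];  /* S-Table substitution */
        encode_row_shift(d);
        if (round != 1) encode_mix_column(d);         /* skipped in the last round */
        encode_key_schedule(k, &round_con);
        key_addition(d, k);
    }
}
/* Encryption key -> decryption key: ten encode schedule rounds starting at 01h. */
void aes128_calc_dec_key(uint8_t k[16]) {
    uint8_t round_con = 0x01;
    for (int r = 0; r < 10; r++) encode_key_schedule(k, &round_con);
}
/* Decryption key -> encryption key: ten decode schedule rounds starting at 36h. */
void aes128_recover_enc_key(uint8_t k[16]) {
    uint8_t round_con = 0x36;
    for (int r = 0; r < 10; r++) decode_key_schedule(k, &round_con);
}

/* FIPS 197 Appendix C.1 vector; returns a bit mask of passed checks (0x0F = all). */
int fips197_self_check(void) {
    static const uint8_t ct[] = "\x69\xc4\xe0\xd8\x6a\x7b\x04\x30\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a";
    static const uint8_t last[] = "\x13\x11\x1d\x7f\xe3\x94\x4a\x17\xf3\x07\xa7\x8b\x4d\x2b\x30\xc5";
    uint8_t key[16], k2[16], d[16];
    int ok = 0, same = 1;
    for (int i = 0; i < 16; i++) { key[i] = k2[i] = (uint8_t)i; d[i] = (uint8_t)(i * 0x11); }
    aes128_encrypt(d, key);
    aes128_calc_dec_key(k2);
    if (memcmp(d, ct, 16) == 0) ok |= 1;     /* ciphertext matches the standard */
    if (memcmp(key, k2, 16) == 0) ok |= 2;   /* encryption left the decryption key in key[] */
    if (memcmp(k2, last, 16) == 0) ok |= 4;  /* and it is round key 10 */
    aes128_recover_enc_key(k2);
    for (int i = 0; i < 16; i++) same &= (k2[i] == i);
    return ok | (same ? 8 : 0);              /* decode schedule returned the original key */
}
int main(void) { return fips197_self_check() == 0x0F ? 0 : 1; }
```

Because the schedule runs backwards as easily as forwards, a stored decryption key yields the encryption key and needs the same protection.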
Using the AES Algorithm
The implementation of AES discussed here is
accessed through three function calls: AESEncrypt,
AESDecrypt and AESCalcDecKey. Their usage is
discussed below.
AESEncrypt
This function encrypts a 16-byte block of data in place with a 128-bit (16-byte) key using the AES algorithm.
Syntax
void AESEncrypt(int *DataBlock, const int *EncryptKey)
Parameters
*DataBlock: Pointer to the 16-byte block of data to encrypt. The block of data must begin on an even memory address.
*EncryptKey: Pointer to the 16-byte key to use for encryption. The key must begin on an even memory address.
Return Values
DataBlock: 16 bytes of plaintext at *DataBlock is replaced with 16 bytes of cipher text.
Pre-Condition
None
Side Effects
None
Remarks
1. Peak stack memory usage is 40 bytes, including the 4-byte return address.
2. AESEncrypt requires 2808 instruction cycles (including CALL, RETURN and two parameter load instructions)
   when EncryptKey is stored in data memory. If EncryptKey is stored in program memory, eight additional
   instruction cycles are required.
3. AESEncrypt is interrupt and re-entrant safe.
Example
int block[8];
int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E};
...
// Load block[] with application data
...
AESEncrypt(block, key);
AESDecrypt
This function decrypts a 16-byte block of data in place with a 128-bit (16-byte) key using the AES algorithm.
Syntax
void AESDecrypt(int *DataBlock, const int *DecryptKey)
Parameters
*DataBlock: Pointer to the 16-byte block of data to decrypt. The block of data must begin on an even memory address.
*DecryptKey: Pointer to the 16-byte key to use for decryption. This key is not the same key used for encryption. Use
the AESCalcDecKey function to derive a decryption key from an encryption key. The key must begin on an even
memory address.
Return Values
DataBlock: 16 bytes of cipher text at *DataBlock is replaced with 16 bytes of plaintext.
Pre-Condition
If necessary, calculate the decryption key.
Side Effects
None
Remarks
1. Peak stack memory usage is 40 bytes, including the 4-byte return address.
2. When DecryptKey is stored in data memory, AESDecrypt requires 4490 instruction cycles (including CALL,
   RETURN and two parameter load instructions). If DecryptKey is stored in program memory, nine additional
   instruction cycles are required.
3. AESDecrypt is interrupt and re-entrant safe.
Example
int block[8];
int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E};
// Assuming key is loaded with the encryption key, calculate a decryption key
// first
AESCalcDecKey(key);
...
// Load block[] with application data
...
AESDecrypt(block, key);
AESCalcDecKey
This function derives a 128-bit (16-byte) decryption key from a 128-bit (16-byte) encryption key.
Syntax
void AESCalcDecKey(int *Key)
Parameters
*Key: Pointer to the 16-byte encryption key to translate. The key must begin on an even memory address.
Return Values
Key: 16-byte encryption key at *Key is replaced with 16-byte decryption key.
Pre-Condition
None
Side Effects
None
Remarks
1. Peak stack memory usage is 6 bytes, including the 4-byte return address.
2. AESCalcDecKey requires 497 instruction cycles (including CALL, RETURN and one parameter load instruction).
3. AESCalcDecKey is interrupt and re-entrant safe.
4. If this function is not needed, it may be deleted to save program memory.
Example
int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E};
// Assuming key is loaded with an encryption key, calculate the decryption key
AESCalcDecKey(key);
PERFORMANCE
The 16-bit implementations of TDES and AES were
evaluated on the PIC24FJ128GA010, running at a
clock speed of 32 MHz (16 MIPS). The results are
shown in Table 8.

TABLE 8: EXECUTION TIME AND THROUGHPUT PERFORMANCE FOR PIC24/dsPIC® DEVICE ENCRYPTION ALGORITHMS
                        Execution Time           Throughput
                        (Instruction Cycles)     (Kbit/s) @ 16 MIPS
Algorithm               Encrypt     Decrypt      Encrypt    Decrypt
TDES (8 bytes/block)    6403(1)     6403(1)      159(1)     159(1)
                        13557(2)    13557(2)     75.5(2)    75.5(2)
AES (16 bytes/block)    2808        4490         729        456
Note 1: Key value is constant for each block and does not require recalculation.
     2: Key value is recalculated for each block.

RESOURCE USAGE
The memory requirements of the algorithms are shown
in Table 9.

TABLE 9: MEMORY USAGE FOR ENCRYPTION ALGORITHMS
Algorithm    Data RAM (Bytes)    Program Memory (Bytes)
TDES         430(1)              7500
AES          40                  3018
Note 1: An additional reduction of data RAM usage can be achieved if Key 1 and Key 3
        are always equal to the same value. If the application code is modified to do this, the
        application will use 302 bytes.

SUMMARY
TDES and AES are two of only three encryption algorithms that are used as Federal Information Processing
Standards. Both of these algorithms are available for
PIC24 and dsPIC30/33 devices as compact and
efficient implementations.
The purpose of this document has been to introduce
the reader to the algorithms and their practical use in
application code. A full discussion of the algorithms,
usage modes and test vectors for the algorithms are
provided in the FIPS documentation.
It is important to remember, when working with data
encryption algorithms, that no encryption algorithm is
secure. Data encryption algorithms only provide a
probability of security. It is also important to be aware of
any exportation control laws that may affect the source
code or end product that have cryptographic elements.

REFERENCES
A. Lovrich and M. Palmer, AN583, “Implementation of
the Data Encryption Standard Using PIC17C42”
(DS00583), Microchip Technology, Inc., 1997.
C. Gübel, AN821, “Advanced Encryption Standard Using
the PIC16XXX” (DS00821), Microchip Technology, Inc.,
2002.
D. Flowers, AN953, “Data Encryption Routines for the
PIC18” (DS00953), Microchip Technology, Inc., 2005.
D.C. Feldmeier, “A High-Speed Software DES Implementation”, Computer Communication Research
Group, Bellcore, June 1989.
Institute for Applied Information Processing and
Communications, Graz University of Technology, “AES
Lounge” (AES public home page),
http://www.iaik.tu-graz.ac.at/research/krypto/AES/
Computer Security Resource Center, National Institute
of Standards and Technology, “Cryptographic Toolkit”
(home page, link to archival information on AES),
http://csrc.nist.gov/CryptoToolkit/tkencryption.html.
APPENDIX A: SOFTWARE DISCUSSED IN THIS APPLICATION NOTE
Because of statutory export license restrictions on
encryption software, the source code listings for the
AES and TDES algorithms are not provided here.
These applications may be ordered from Microchip
Technology, Inc. through its sales offices, or through
the corporate web site:
www.microchip.com
Interested users are encouraged to check the web site
or their nearest sales office for more information.