AN1044 Data Encryption Routines for PIC24 and dsPIC® Devices Authors: David Flowers and Howard Henry Schlunder Microchip Technology Inc. INTRODUCTION Currently, there are three data encryption standards approved for use in the Federal Information Processing Standards (FIPS). This application note discusses the implementation of two of these for PIC24 and dsPIC30/33 devices: Triple Data Encryption Standard (TDES) and Advanced Encryption Standard (AES). TDES ENCRYPTION Background The original Data Encryption Standard (DES), a 64-bit block cipher, was invented in the early 1970s by IBM®. DES uses a 64-bit encryption key: 56 bits for encoding and decoding, the remainder for parity. It was adopted by the United States government in 1977 as standard for encrypting sensitive data. By the mid 1990s, several public organizations had demonstrated that they were able to crack a DES code within days. FIGURE 1: Triple DES (TDES) is a variant of DES, and is described in FIPS 46-2 and 46-3. TDES uses three cycles of DES to extend the key from 56 bits to 112 or 168 bits, depending on the mode of operation. Because of known weaknesses in the DES algorithm, the actual security is believed to be on the order of 80 and 112 bits, respectively, for the two different methods. The use of TDES was suggested by the American government in 1999 for use in all systems, except in legacy systems, where only DES was available. There are several different modes of TDES. The most common involves using two different keys. The data is encrypted with the first key. That result is then decrypted with the second key. The data is then finally encrypted once again with the first key. Other modes of operation include using three different keys, one for each of the stages, and encrypting in all rounds instead of decrypting during the second round. For most new applications, TDES has been replaced with Advanced Encryption Standard (AES). AES provides a slightly higher security level than TDES and is much faster and smaller in implementation than TDES. The original DES algorithm is outlined in Figure 1. The cycle is run 32 times before the ciphertext is valid. ORIGINAL DES ALGORITHM Plaintext Key IP Permutation Left Half Right Half E Permutation Subkey Generator IP-1 Permutation S1 S2 S3 S4 S5 S6 S7 S8 Ciphertext Old Left © 2006 Microchip Technology Inc. P Permutation DS01044A-page 1 AN1044 In the original DES, the plaintext is permuted by the initial permutation matrix, IP (Figure 2). It is then split into a left portion and a right portion. The right portion is permuted by E (Figure 3), XORed with the round subkey, substituted with an S-Box value (Figure 6), permuted by P (Figure 4) and XORed with the left half of the data from the last round. The left data is replaced with the right data from the last round and the right data is replaced with this new calculated value. The cycle is repeated for 32 iterations, with the result permuted by the inverse permutation matrix, IP-1 (Figure 5), to get the final cipher text. FIGURE 2: PERMUTATION BOX MATRIX (P) 16 1 2 19 FIGURE 3: 50 52 54 56 49 51 53 55 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7 EXPANSION PERMUTATION MATRIX (E) 32 6 12 16 22 28 1 7 13 17 23 29 FIGURE 6: 2 8 12 18 24 28 3 9 13 19 25 29 4 8 14 20 24 30 5 9 15 21 25 31 4 10 16 20 26 32 5 11 17 21 27 1 7 15 8 13 FIGURE 5: 20 23 24 30 21 26 14 6 29 5 32 22 12 18 27 11 28 31 3 4 17 10 9 25 INVERSE PERMUTATION (IP-1) MATRIX 40 39 38 37 36 35 34 33 INITIAL PERMUTATION MATRIX (IP) 58 60 62 64 57 59 61 63 8 7 6 5 4 3 2 1 48 47 46 45 44 43 42 41 16 15 14 13 14 13 12 11 56 55 54 53 52 51 50 49 24 23 22 21 20 19 18 17 64 63 62 61 60 59 58 57 32 31 30 29 28 27 26 25 An optional implementation, shown in Figure 7, can be used to reduce the execution time required for each encryption. Because the S-Box substitution and P permutation are both linear operations, they can be combined into one operation, instead of two separate operations, thus resulting in a PS table. Unrolling the DES loop once removes the need for some temporary variables and reduces the overhead of shuffling data. It does, however, increase the code size. For a more detailed description of how the permutations and substitutions work, please refer to Microchip application note AN583, “Implementation of the Data Encryption Standard Using PIC17C42” (DS00583). S-BOX MATRICES (Sn) 14 S1 = 0 4 15 4 15 1 12 13 7 14 8 1 4 8 2 2 14 13 4 15 2 6 9 11 13 2 1 8 1 11 7 3 10 15 5 10 6 12 11 6 12 9 3 12 11 7 14 5 9 3 10 9 5 10 0 15 S2 = 3 0 13 1 13 14 8 8 4 7 10 14 7 11 1 6 15 10 3 11 2 4 15 3 8 13 4 4 14 1 2 9 12 5 11 7 0 8 6 2 1 12 7 13 10 6 12 12 6 9 0 10 S 3 = 13 13 1 0 7 6 10 9 0 4 13 14 9 9 0 6 3 8 6 13 8 1 15 12 5 2 14 7 14 12 3 11 12 5 11 7 13 S4 = 10 3 FIGURE 4: 13 8 6 15 14 11 9 0 DS01044A-page 2 3 5 0 6 3 4 15 9 0 6 12 10 15 6 3 8 6 15 11 1 5 10 0 7 9 0 7 13 1 2 11 4 10 3 13 8 1 4 15 9 2 7 1 4 8 2 3 5 5 12 14 11 11 1 5 12 0 3 5 6 7 8 0 3 0 9 3 5 5 11 2 14 10 5 15 9 4 11 10 5 2 15 14 2 8 1 7 12 12 10 2 7 4 14 8 2 15 9 4 14 2 14 S4 = 10 3 12 S 6 = 10 9 4 1 15 14 3 4 13 S7 = 1 6 13 S8 = 1 7 2 12 11 6 15 4 2 9 0 1 12 0 6 7 4 12 10 10 4 15 2 15 2 5 12 9 7 2 9 11 0 4 11 2 15 11 1 2 11 11 13 8 13 4 14 14 7 13 8 4 8 1 7 6 10 9 4 10 7 11 1 2 12 8 5 15 4 12 1 11 13 7 13 6 9 12 15 0 9 3 4 15 3 12 10 8 5 3 10 8 1 7 10 11 7 14 8 6 1 13 8 0 6 7 11 13 10 14 7 1 4 2 13 8 5 15 9 5 0 1 4 3 15 3 5 15 10 14 11 13 3 5 12 0 9 2 7 13 1 0 14 3 13 4 1 4 14 10 7 14 0 1 6 7 11 13 0 5 3 11 8 9 5 6 0 7 12 8 15 5 2 0 14 10 15 5 2 6 8 9 3 3 6 10 9 14 11 13 0 5 0 15 3 0 14 3 5 12 9 5 6 3 14 10 9 10 12 0 15 12 3 15 5 9 5 6 12 14 8 8 2 9 6 4 14 11 8 6 13 1 6 2 12 7 2 8 11 © 2006 Microchip Technology Inc. AN1044 FIGURE 7: SPEED-OPTIMIZED DES ALGORITHM Plaintext Key IP Permutation Left Half Right Half E Permutation Subkey Generator IP-1 Permutation Ciphertext PS1 PS2 PS3 PS4 PS5 PS6 PS7 PS8 E Permutation PS1 PS2 PS3 PS4 PS5 PS6 PS7 PS8 © 2006 Microchip Technology Inc. DS01044A-page 3 AN1044 Using the TDES Algorithm This implementation of TDES is accessed through three function calls: initTDES, TDES_encrypt and TDES_decrypt. Their usage is discussed below. initTDES This function precalculates the subkey groups needed for TDES. By precalculating the subkeys, the encryption and decryption routines can be significantly enhanced for speed. Syntax void initTDES(unsigned int *KeyLocation); Parameters KeyLocation: word-aligned starting address in RAM where the calculated subkeys will be stored. This requires a 384-byte (192-word) block of memory. Return Values None Pre-Conditions KeyLocation is either reserved or allocated memory of 384 bytes (192 words). unsigned int Key[12] is loaded with the Encryption/Decryption Keys, where Key[0-3] is the first DES key, Key[4-7] is the second key and Key[8-11] is the third key. The same keys used to encrypt a block must also be used to decrypt it. Side Effects Values at reserved addresses are changed. Example ... unsigned int *KeyPointer; KeyPointer = (unsigned int*)malloc(384); if(KeyPointer != NULL) { initTDES(KeyPointer); } ... DS01044A-page 4 © 2006 Microchip Technology Inc. AN1044 TDES_encrypt This function uses a set of precalculated subkeys generated from initDES function and encrypts the data using TDES. Syntax void TDES_encrypt(unsigned int *KeyLocation); Parameters KeyLocation: pointer to the RAM where the subkeys are located. Return Values None Pre-Conditions initTDES() has been called resulting in a precalculated subkey unsigned int M[4] is loaded with the data that will be encrypted Side Effects unsigned int M[4] will be translated to the ciphertext. Example ... TDES_encrypt(KeyPointer); ... TDES_decrypt This function uses a set of precalculated subkeys and decrypts the data using TDES. Syntax void TDES_decrypt(unsigned int *KeyLocation); Parameters KeyLocation: the address in RAM where the subkeys are located. The subkeys must be generated from the same key used to encrypt the data (refer to the initTDES function for details). Return Values None Pre-Conditions initTDES() has been called resulting in a precalculated subkey unsigned int M[4] is loaded with the data that will be decrypted Side Effects unsigned int M[4] will be translated to the plaintext. Example ... TDES_decrypt(KeyPointer); ... © 2006 Microchip Technology Inc. DS01044A-page 5 AN1044 AES ENCRYPTION adopted by NIST on October 2, 2000, and is described in FIPS 197. Background Rijndael/AES is a symmetric block cipher that utilizes a single key to encrypt data. The implementation of AES in this application note is based on a 16-byte block of data and a 16-byte key size. In the late 1990s, the National Institute of Standards and Technology (NIST) held a contest to initiate the development of encryption algorithms that would replace DES. The competition tested the algorithms’ security and execution speed to determine which would be named the new Advanced Encryption Standard, or AES. The algorithm finally chosen is called the “Rijndael” algorithm after its two designers, Joan Daemen and Vincent Rijmen of Belgium. It was FIGURE 8: Encryption There are five basic subdivisions of the encryption algorithm, shown in Figure 8. A detailed explanation of each follows. AES ENCRYPTION FLOWCHART START Round Counter = 10 Round_con = 1 Key Addition S-Table Substitution Encode Row Shift True Round Counter = 1? False Encode Mix Column Encode Key Schedule Key Addition Round Counter – 1 False Round Counter = 0? True END DS01044A-page 6 © 2006 Microchip Technology Inc. AN1044 TABLE 2: The number of rounds needed in the transformation is taken from Table 1. The implementation of AES discussed here uses 16-byte block and key sizes, and thus, uses 10 rounds of encryption. TABLE 1: DETERMINING AES ROUNDS Rounds Needed for Block Size 16-Byte 16-byte 24-Byte 10* 12 Key [0] Key [4] Key [8] Key [1] Key [5] Key [9] Key [13] Key [2] Key [6] Key [10] Key [14] Key [3] Key [7] Key [11] Key [15] TABLE 3: Key Size KEY MATRIX Key [12] DATA MATRIX 32-Byte Data [0] Data [4] Data [8] 14 Data [1] Data [5] Data [9] Data [13] Data [2] Data [6] Data [10] Data [14] Data [3] Data [7] Data [11] Data [15] 24-byte 12 12 14 32-byte 14 14 14 * Used in this implementation. Data [12] KEY ADDITION The structures of the key and data blocks are shown in Table 2 and Table 3. To fit into the data matrix structure, the plain text to be encrypted needs to be broken into the appropriate size blocks, with any leftover space being padded with an application specified value. Finally, a key must be selected that is 128 bits (16 bytes) long. Once the key has been selected, each byte of the key is XORed with each of the corresponding data bytes. On subsequent rounds, the key generated by the key schedule for that round is XORed in a bytewise manner with the data. With a key selected and the data sectioned off into appropriate size blocks, the encryption cycle may begin. During each round, each data byte is replaced with a corresponding byte from a fixed substitution table, or S-Table. A fixed S-Table defined by AES is shown in Table 4. TABLE 4: S-TABLE SUBSTITUTION S-TABLE ENCRYPTION SUBSTITUTION TABLE (VALUES IN HEXADECIMAL) y x 00 10 00 20 30 40 50 60 70 63 7C 77 01 CA 82 C9 02 B7 FD 93 03 04 C7 23 04 09 83 2C 05 53 D1 06 D0 07 51 08 CD 0C 09 60 81 0A E0 32 3A 0A 49 0B E7 C8 37 6D 8D 0C BA 78 25 2E 1C 0D 70 3E B5 66 48 80 90 A0 B0 C0 D0 E0 F0 7B F2 6B 6F C5 30 01 7D FA 59 47 F0 AD D4 67 2B FE D7 AB 76 A2 AF 9C A4 72 C0 26 36 3F F7 CC 34 A5 E5 C3 18 96 05 9A 07 12 80 F1 71 D8 31 15 E2 EB 27 B2 75 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF EF AA FB 43 4D 33 85 45 A3 40 8F 92 9D 38 F5 BC F9 02 7F 50 3C 9F A8 B6 DA 21 10 FF F3 D2 13 EC 5F 97 44 17 C4 4F DC 22 2A 90 88 46 A7 7E 3D 64 5D 19 73 EE B8 14 DE 5E 0B DB 06 24 5C C2 D3 AC 62 91 95 E4 79 D5 4E A9 6C 56 F4 EA 65 7A AE 08 A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A 03 F6 0E 61 35 57 B9 86 C1 1D 9E 0E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF 0F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16 © 2006 Microchip Technology Inc. DS01044A-page 7 AN1044 ENCODE ROW SHIFT Row shift is a cyclical shift to the left of the rows in the data block. The values of each row are shifted differently, as shown in Table 5. TABLE 5: where xtime is a linear feedback shift procedure. It can be described in C as shown in Example 1: EXAMPLE 1: ENCRYPTION CYCLICAL SHIFT Before Row Shift: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 After Row Shift: 0 4 8 12 1 5 9 13 10 14 2 6 15 3 7 11 xtime ROUTINE if(a<0x80) { a<<=1; } else { a=(a<<1)^0x1b; } As an example, the first row of the resulting multiplication is shown in Equation 2, below. A more complete demonstration is provided in Microchip application note AN821, “Advanced Encryption Standard Using the PIC16XXX” (DS00821). ENCODE MIX COLUMN ENCODE KEY SCHEDULING Chapter 2, Section 4.2.3 of the AES specification (FIPS 197) defines the mix column transformation. In this operation, a fixed 4x4 matrix, c(x), is cross-multiplied by the input vector (a(x)) using the special rules of Polynomials with coefficients in GF(28) to form the output vector, b(x), shown in Equation 1: Each round of AES uses a different encryption key based on the previous encryption key. The key schedule algorithm also uses the S-table, the xtime routine and Round_con, an initial encryption value. Consider the generic key: EQUATION 1: b0 02 = 01 01 b2 03 b3 b1 03 02 01 01 01 03 02 01 a0 01 01 × a 1 03 a2 02 a3 a•1=a 1. 2. 3. a • 2 = xtime(a) a • 3 = a ⊕ xtime(a) 4. a • 4 = xtime(xtime(a)) 5. 6. 7. a • 5 = a ⊕ xtime(xtime(a)) ... K4 K8 K12 K1 K5 K9 K13 K2 K6 K10 K14 K3 K7 K11 K15 Starting with key matrix created from the original plaintext key, the key scheduling is as follows: FIXED MATRIX c(x) The special rules for multiplication equate to the following: K0 The values of column 3 of the key matrix (K12 through K15) are used to obtain values from the S-Table. Column 0 of the key matrix (K0 through K3) is XORed with the S-Table look-up values of column 3. K0 is XORed with Round_con (the original value of Round_con is 01h for encoding). Round_con is then updated with the Xtime of Round_con for the next round. Column 1 is XORed with column 0. Column 2 is XORed with column 1. Column 3 is XORed with column 2. EQUATION 2: b[0] = xtime(a[0]) ⊕ (a[1] ⊕ xtime(a[1])) ⊕ a[2] ⊕ a[3] where: “⊕” is the XOR operation Note: The members of the multiplication are XORed together rather then added together as they would in regular matrix multiplication. DS01044A-page 8 © 2006 Microchip Technology Inc. AN1044 Decryption number of rounds. After the completion of an encryption cycle, the key is transformed into a decryption key. The decryption key can be precalculated and stored in the system, or recalculated each time as needed. The functional divisions of the decryption algorithm are similar to those for the encryption algorithm, with most being the inverse operation. One major difference, however, is in the setup preceding the decryption. The decryption key differs from than the encryption key and must be loaded correctly. It can be calculated by running through the encryption key schedule the appropriate FIGURE 9: The value of Round_con must also be set differently for the decryption process. The value of 36h is used for 10 rounds. DECRYPT FLOWCHART START Round Counter = 10 Round_con = 36h Key Addition Round Counter = 10? True False Decode Mix Column Si-Table Substitution Decode Row Shift Decode Key Schedule Key Addition Round Counter – 1 False Round Counter = 0? True END © 2006 Microchip Technology Inc. DS01044A-page 9 AN1044 KEY ADDITION DECODE ROW SHIFT In a manner like the encryption process, each byte of the initial decryption key is XORed with each of the corresponding data bytes. On subsequent rounds, the key generated by the key schedule for that round is XORed in a bytewise manner with the data. As with encryption, row shift is a cyclical left shift of the rows in the data. For decryption, the different row shift values are shown in Table 6. TABLE 6: DECRYPTION CYCLICAL SHIFT Before Row Shift: DECODE MIX COLUMN The inverse mix column operation (Equation 3) differs from the encode mix column operation by only the matrix c(x). Note that the coefficients for c(x) are in hexadecimal. 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 After Row Shift: EQUATION 3: 0 b0 0E b1 = 09 0D b2 0B b3 0B 0E 09 0D 0D 0B 0E 09 a0 09 0D × a 1 0B a2 0E a3 4 8 12 13 1 5 9 10 14 2 6 7 11 15 3 Note that this transformation is different for encryption and decryption. Also note that the results of this transformation are equivalent to the row shift transformation used during encryption if the blocks are shifted to the right instead of to the left. FIXED MATRIX c(x) Si-TABLE SUBSTITUTION To undo the S-Table substitutions of the encryption process, a fixed Si-Table is used (Table 7). During each round, each data byte is replaced with a corresponding byte from the Si-Table. TABLE 7: Si-TABLE DECRYPTION SUBSTITUTION TABLE (VALUES IN HEXADECIMAL) y 00 x 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 00 52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB 10 7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB 20 54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E 30 08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25 40 72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92 50 6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84 60 90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06 70 D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B 80 3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73 90 96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E A0 47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B B0 FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4 C0 1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F D0 60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF E0 A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61 F0 17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D DS01044A-page 10 © 2006 Microchip Technology Inc. AN1044 DECODE KEY SCHEDULE EXAMPLE 2: if(a&0x01) { a=0x80; } else { a>>=1; } Each round of AES decryption uses the same key that was used to encrypt the data. The key for the next iteration can be determined from the previous decryption key by performing the inverse operation to the encryption key schedule. Starting from the decryption key of the previous round, the key scheduling is as follows: 1. 2. 3. 4. 5. 6. Column 3 is XORed with column 2. Column 2 is XORed with column 1. Column 1 is XORed with column 0. Column 0 is XORed with the S-Table look-up of column 3. (Note: This step uses the S-Table (Table 4), not the Si-Table (Table 7).) K0 is XORed with Round_con Round_con is updated with the inverse xtime of Round_con. The inverse xtime function can be defined in C, as shown is Example 2. INVERSE xtime ROUTINE Using the AES Algorithm The implementation of AES discussed here is accessed through three function calls: AESEncrypt, AESDecrypt and AESCalcDecKey. Their usage is discussed below. AESEncrypt This function encrypts a 16-byte block of data in place with a 128-bit (16-byte) key using the AES algorithm. Syntax void AESEncrypt(int *DataBlock, const int *EncryptKey) Parameters *DataBlock: Pointer to the 16-byte block of data to encrypt. The block of data must begin on an even memory address. *EncryptKey: Pointer to the 16-byte key to use for encryption. The key must begin on an even memory address. Return Values DataBlock: 16 bytes of plaintext at *DataBlock is replaced with 16 bytes of cipher text. Pre-Condition None Side Effects None Remarks 1. 2. 3. Peak stack memory usage is 40 bytes, including the 4-byte return address. AESEncrypt requires 2808 instruction cycles (including CALL, RETURN and two parameter load instructions) when EncryptKey is stored in data memory. If EncryptKey is stored in program memory, eight additional instruction cycles are required. AESEncrypt is interrupt and re-entrant safe. Example int block[8]; int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E}; ... // Load block[] with application data ... AESEncrypt(block, key); © 2006 Microchip Technology Inc. DS01044A-page 11 AN1044 AESDecrypt This function decrypts a 16-byte block of data in place with a 128-bit (16-byte) key using the AES algorithm. Syntax void AESDecrypt(int *DataBlock, const int *DecryptKey) Parameters *DataBlock: Pointer to the 16-byte block of data to decrypt. The block of data must begin on an even memory address. *DecryptKey: Pointer to the 16-byte key to use for decryption. This key is not the same key used for encryption. Use the AESCalcDecKey function to derive a decryption key from an encryption key. The key must begin on an even memory address. Return Values DataBlock: 16 bytes of cipher text at *DataBlock is replaced with 16 bytes of plaintext. Pre-Condition If necessary, calculate the decryption key. Side Effects None Remarks 1. 2. 3. Peak stack memory usage is 40 bytes, including the 4-byte return address. When DecryptKey is stored in data memory, AESDecrypt requires 4490 instruction cycles (including CALL, RETURN and two parameter load instructions). If DecryptKey is stored in program memory, nine additional instruction cycles are required. AESDecrypt is interrupt and re-entrant safe. Example int block[8]; int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E}; // Assuming key is loaded with the encryption key, calculate a decryption key // first AESCalcDecKey(key); ... // Load block[] with application data ... AESDecrypt(block, key); DS01044A-page 12 © 2006 Microchip Technology Inc. AN1044 AESCalcDecKey This function derives a 128-bit (16-byte) decryption key from a 128-bit (16-byte) encryption key. Syntax void AESCalcDecKey(int *Key) Parameters *Key: Pointer to the 16-byte encryption key to translate. The key must begin on an even memory address. Return Values Key: 16-byte encryption key at *Key is replaced with 16-byte decryption key. Pre-Condition None Side Effects None Remarks 1. 2. 3. 4. Peak stack memory usage is 6 bytes, including the 4-byte return address. AESCalcDecKey requires 497 instruction cycles (including CALL, RETURN and one parameter load instruction). AESCalcDecKey is interrupt and re-entrant safe. If this function is not needed, it may be deleted to save program memory. Example int key[8] = {0x0100,0x0302,0x0504,0x0706,0x0908,0x0B0A,0x0D0C,0x0F0E}; // Assuming key is loaded with an encryption key, calculate the decryption key AESCalcDecKey(key); © 2006 Microchip Technology Inc. DS01044A-page 13 AN1044 PERFORMANCE SUMMARY The 16-bit implementations of TDES and AES were evaluated on the PIC24FJ128GA010, running at a clock speed of 32 MHz (16 MIPS). The results are shown in Table 8. TDES and AES are two of only three encryption algorithms that are used as Federal Information Processing Standards. Both of these algorithms are available for PIC24 and dsPIC30/33 devices as compact and efficient implementations. TABLE 8: This purpose of this document has been to introduce the reader to the algorithms and their practical use in application code. A full discussion of the algorithms, usage modes and test vectors for the algorithms are provided in the FIPS documentation. EXECUTION TIME AND THROUGHPUT PERFORMANCE FOR PIC24/dsPIC® DEVICE ENCRYPTION ALGORITHMS Execution Time (Instruction Cycles) Algorithm Throughput (Kbit/s) @ 16 MIPS Encrypt Decrypt Encrypt Decrypt 6403(1) 6403(1) 159(1) 13557(2) 13557(2) 75.5(2) TDES (8 bytes/block) AES (16 bytes/block) Note 1: 2: 2808 4490 159(1) 75.5(2) 729 456 Key value is constant for each block and does not require recalculation. Key value is recalculated for each block. The memory requirements of the algorithms are shown in Table 9. MEMORY USAGE FOR ENCRYPTION ALGORITHMS Algorithm TDES AES Note 1: Data RAM (Bytes) Program Memory (Bytes) 430(1) 7500 40 3018 An additional reduction of data RAM usage can be achieved if Key 1 and Key 3 are always equal to the same value. If the application code is modified to do this, the application will use 302 bytes. DS01044A-page 14 REFERENCES A. Lovrich and M. Palmer, AN583, “Implementation of the Data Encryption Standard Using PIC17C42” (DS00583), Microchip Technology, Inc., 1997. C. Gübel, AN821, “Advanced Encryption Standard Using the PIC16XXX” (DS00821), Microchip Technology, Inc., 2002. RESOURCE USAGE TABLE 9: It is important to remember when working data encryption algorithms, that no encryption algorithm is secure. Data encryption algorithms only provide a probability of security. It is also important to be aware of any exportation control laws that may affect the source code or end product that have cryptographic elements. D. Flowers, AN953, “Data Encryption Routines for the PIC18” (DS00953), Microchip Technology, Inc., 2005. D.C. Feldmeier, “A High-Speed Software DES Implementation”, Computer Communication Research Group, Bellcore, June 1989. Institute for Applied Information Processing and Communications, Graz University of Technology, “AES Lounge” (AES public home page), http://www.iaik.tu-graz.ac.at/research/krypto/AES/ Computer Security Resource Center, National Institute of Standards and Technology, “Cryptographic Toolkit” (home page, link to archival information on AES), http://csrc.nist.gov/CryptoToolkit/tkencryption.html. © 2006 Microchip Technology Inc. AN1044 APPENDIX A: SOFTWARE DISCUSSED IN THIS APPLICATION NOTE Because of statutory export license restrictions on encryption software, the source code listings for the AES and TDES algorithms are not provided here. These applications may be ordered from Microchip Technology, Inc. through its sales offices, or through the corporate web site: www.microchip.com Interested users are encouraged to check the web site or their nearest sales office for more information. © 2006 Microchip Technology Inc. DS01044A-page 15 AN1044 NOTES: DS01044A-page 16 © 2006 Microchip Technology Inc. Note the following details of the code protection feature on Microchip devices: • Microchip products meet the specification contained in their particular Microchip Data Sheet. • Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner and under normal conditions. • There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip’s Data Sheets. Most likely, the person doing so is engaged in theft of intellectual property. • Microchip is willing to work with the customer who is concerned about the integrity of their code. • Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable.” Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of our products. Attempts to break Microchip’s code protection feature may be a violation of the Digital Millennium Copyright Act. If such acts allow unauthorized access to your software or other copyrighted work, you may have a right to sue for relief under that Act. Information contained in this publication regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer’s risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights. Trademarks The Microchip name and logo, the Microchip logo, Accuron, dsPIC, KEELOQ, microID, MPLAB, PIC, PICmicro, PICSTART, PRO MATE, PowerSmart, rfPIC, and SmartShunt are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. AmpLab, FilterLab, Migratable Memory, MXDEV, MXLAB, SEEVAL, SmartSensor and The Embedded Control Solutions Company are registered trademarks of Microchip Technology Incorporated in the U.S.A. Analog-for-the-Digital Age, Application Maestro, CodeGuard, dsPICDEM, dsPICDEM.net, dsPICworks, ECAN, ECONOMONITOR, FanSense, FlexROM, fuzzyLAB, In-Circuit Serial Programming, ICSP, ICEPIC, Linear Active Thermistor, Mindi, MiWi, MPASM, MPLIB, MPLINK, PICkit, PICDEM, PICDEM.net, PICLAB, PICtail, PowerCal, PowerInfo, PowerMate, PowerTool, REAL ICE, rfLAB, rfPICDEM, Select Mode, Smart Serial, SmartTel, Total Endurance, UNI/O, WiperLock and ZENA are trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. SQTP is a service mark of Microchip Technology Incorporated in the U.S.A. All other trademarks mentioned herein are property of their respective companies. © 2006, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved. Printed on recycled paper. Microchip received ISO/TS-16949:2002 certification for its worldwide headquarters, design and wafer fabrication facilities in Chandler and Tempe, Arizona, Gresham, Oregon and Mountain View, California. The Company’s quality system processes and procedures are for its PICmicro® 8-bit MCUs, KEELOQ® code hopping devices, Serial EEPROMs, microperipherals, nonvolatile memory and analog products. In addition, Microchip’s quality system for the design and manufacture of development systems is ISO 9001:2000 certified. © 2006 Microchip Technology Inc. DS01044A-page 17 WORLDWIDE SALES AND SERVICE AMERICAS ASIA/PACIFIC ASIA/PACIFIC EUROPE Corporate Office 2355 West Chandler Blvd. Chandler, AZ 85224-6199 Tel: 480-792-7200 Fax: 480-792-7277 Technical Support: http://support.microchip.com Web Address: www.microchip.com Asia Pacific Office Suites 3707-14, 37th Floor Tower 6, The Gateway Habour City, Kowloon Hong Kong Tel: 852-2401-1200 Fax: 852-2401-3431 India - Bangalore Tel: 91-80-4182-8400 Fax: 91-80-4182-8422 India - New Delhi Tel: 91-11-4160-8631 Fax: 91-11-4160-8632 Austria - Wels Tel: 43-7242-2244-3910 Fax: 43-7242-2244-393 Denmark - Copenhagen Tel: 45-4450-2828 Fax: 45-4485-2829 India - Pune Tel: 91-20-2566-1512 Fax: 91-20-2566-1513 France - Paris Tel: 33-1-69-53-63-20 Fax: 33-1-69-30-90-79 Japan - Yokohama Tel: 81-45-471- 6166 Fax: 81-45-471-6122 Germany - Munich Tel: 49-89-627-144-0 Fax: 49-89-627-144-44 Atlanta Alpharetta, GA Tel: 770-640-0034 Fax: 770-640-0307 Boston Westborough, MA Tel: 774-760-0087 Fax: 774-760-0088 Chicago Itasca, IL Tel: 630-285-0071 Fax: 630-285-0075 Dallas Addison, TX Tel: 972-818-7423 Fax: 972-818-2924 Detroit Farmington Hills, MI Tel: 248-538-2250 Fax: 248-538-2260 Kokomo Kokomo, IN Tel: 765-864-8360 Fax: 765-864-8387 Los Angeles Mission Viejo, CA Tel: 949-462-9523 Fax: 949-462-9608 Santa Clara Santa Clara, CA Tel: 408-961-6444 Fax: 408-961-6445 Toronto Mississauga, Ontario, Canada Tel: 905-673-0699 Fax: 905-673-6509 Australia - Sydney Tel: 61-2-9868-6733 Fax: 61-2-9868-6755 China - Beijing Tel: 86-10-8528-2100 Fax: 86-10-8528-2104 China - Chengdu Tel: 86-28-8676-6200 Fax: 86-28-8676-6599 Korea - Gumi Tel: 82-54-473-4301 Fax: 82-54-473-4302 China - Fuzhou Tel: 86-591-8750-3506 Fax: 86-591-8750-3521 Korea - Seoul Tel: 82-2-554-7200 Fax: 82-2-558-5932 or 82-2-558-5934 China - Hong Kong SAR Tel: 852-2401-1200 Fax: 852-2401-3431 Malaysia - Penang Tel: 60-4-646-8870 Fax: 60-4-646-5086 China - Qingdao Tel: 86-532-8502-7355 Fax: 86-532-8502-7205 Philippines - Manila Tel: 63-2-634-9065 Fax: 63-2-634-9069 China - Shanghai Tel: 86-21-5407-5533 Fax: 86-21-5407-5066 Singapore Tel: 65-6334-8870 Fax: 65-6334-8850 China - Shenyang Tel: 86-24-2334-2829 Fax: 86-24-2334-2393 Taiwan - Hsin Chu Tel: 886-3-572-9526 Fax: 886-3-572-6459 China - Shenzhen Tel: 86-755-8203-2660 Fax: 86-755-8203-1760 Taiwan - Kaohsiung Tel: 886-7-536-4818 Fax: 886-7-536-4803 China - Shunde Tel: 86-757-2839-5507 Fax: 86-757-2839-5571 Taiwan - Taipei Tel: 886-2-2500-6610 Fax: 886-2-2508-0102 China - Wuhan Tel: 86-27-5980-5300 Fax: 86-27-5980-5118 Thailand - Bangkok Tel: 66-2-694-1351 Fax: 66-2-694-1350 Italy - Milan Tel: 39-0331-742611 Fax: 39-0331-466781 Netherlands - Drunen Tel: 31-416-690399 Fax: 31-416-690340 Spain - Madrid Tel: 34-91-708-08-90 Fax: 34-91-708-08-91 UK - Wokingham Tel: 44-118-921-5869 Fax: 44-118-921-5820 China - Xian Tel: 86-29-8833-7250 Fax: 86-29-8833-7256 07/21/06 DS01044A-page 18 © 2006 Microchip Technology Inc.

- Similar pages
- Presentation (2,536KB)