Slaa 547 C
Application Report
C Implementation of Cryptographic Algorithms
Note
This document may be subject to the export control policies of the local government.
Table of Contents
1 Software Benchmarks
1.1 AES Benchmarks
1.2 DES Benchmarks
1.3 SHA-2 Benchmarks
2 Using Library Functions
2.1 AES 128
2.2 DES
2.3 3DES
2.4 SHA-2
3 Overview of Library Functions
3.1 AES 128
3.2 DES and 3DES
3.3 SHA-256 and SHA-224
4 Cryptographic Standard Definitions
4.1 AES
4.2 DES and 3DES
4.3 SHA-256 and SHA-224
5 References
Revision History
Trademarks
MSP430™ is a trademark of Texas Instruments.
IAR Embedded Workbench® is a registered trademark of IAR Systems.
All trademarks are the property of their respective owners.
1 Software Benchmarks
All code was tested and benchmarked on the MSP430™ platform using IAR Embedded Workbench® IDE as the
compiler tool. The optimization columns in the benchmark tables indicate the type of optimization used in IAR.
Table 1-1 describes the settings used.
Table 1-1. Optimization Settings in IAR for Benchmark Testing
Optimized for | Optimization Level | Aggressive Unrolling | Aggressive In-Lining
Size          | High => Size       | No                   | No
Speed         | High => Speed      | Yes                  | Yes
(1) Values in () indicate a hashing of 448 bits < Data < 960 bits or 2 blocks of data.
This short program defines two arrays of the type unsigned char. Each array is 16 bytes long. The first one
contains the plaintext and the other one the key for the AES encryption.
After the function aes_enc_dec( ) returns, the encryption result is available in the array state.
2.1.2 Decrypting With AES 128
Decryption can be done in a similar way to encryption. First, two arrays are defined. When a decryption needs to
be performed, one array contains the key and the other one the cipher text.
After the function aes_enc_dec( ) returns, the decryption result is available in the array state.
#include "msp430xxxx.h"
#include "TI_aes.h"
2.2 DES
2.2.1 Setting the Key Schedule for DES
The following code example shows how to set the key schedule for DES encryption or decryption rounds. This
step must be performed before encryption or decryption can begin.
#include "msp430xxxx.h"
#include "TI_DES.h"
return 0;
}
return 0;
}
2.3 3DES
2.3.1 Encrypting and Decrypting With Triple DES
The following code example shows the encryption and decryption process using 3DES with and without CBC.
The key scheduler is set to populate both key schedules. The results of the operations are stored in the original
data array.
#include "msp430xxxx.h"
#include "TI_DES.h"
/// All 16 Bytes of Data will be Encrypted then Decrypted with CBC
TripleDES_ENC_CBC( &dc, cp, 2, key, key1, key2); // 3DES Encrypt
TripleDES_DEC_CBC( &dc, cp, 2, key, key1, key2); // 3DES Decrypt
return 0;
}
2.4 SHA-2
2.4.1 Hashing With SHA-256
The following code example shows an example of a data hash using SHA-256.
#include "msp430xxxx.h"
#include "TI_SHA2.h"
return 0;
}
Although this example does not show full initialization of the array M[ ], all relevant values have been populated
with meaningful data. M[ ] must be initialized to sizes equal to a 512-bit block of data or hashing block. If the
message to be hashed exceeds 448 bits within a hashing block, then an additional hashing block must be
reserved. Table 2-1 explains minimum sizes of M[ ] according to message size.
Table 2-1. Minimum Sizes of M[ ]
Message Size x (bits) | Minimum Size of Array M[ ]
x < 448               | M[16]
448 ≤ x ≤ 512         | M[32]
512 < x < 960         | M[32]
960 ≤ x < 1024        | M[48]
return 0;
}
Note
A separate header and code file are made specifically for this function; this is intended for code size
sensitive applications.
Inputs
• unsigned char *state – Pointer to data block to be encrypted
• unsigned char *key – Pointer to 128-bit key
DES_DEC_CBC
(des_ctx *(Key Structure), unsigned char *pucData, short sBlocks, unsigned char *pucIV);
This function performs a DES decryption process with CBC mode. Key schedule must be created before use.
Data must be in hex form. Function does not convert ASCII text. Updated IV is stored starting at location pucIV.
Inputs
• des_ctx *Ks -- Pointer to structure containing scheduled keys.
• unsigned char *pucData – Pointer to start of data array that will be deciphered
• short sBlocks – Value indicating how many 64-bit blocks need to be deciphered
• unsigned char *pucIV – Pointer to start of array of Initialization Vector (IV)
TripleDES_ENC
(des_ctx *(Key Structure), unsigned char *pucData, short sBlocks, unsigned char *pucKey1, unsigned char
*pucKey2, unsigned char *pucKey3);
This function performs a 3DES encryption process in the form: Enc[key3](Dec[key2](Enc[key1](Data))). Data and
keys must be in hex form. Function does not convert ASCII text.
Inputs
• des_ctx *Ks -- Pointer to structure that will store the key scheduler
• unsigned char *pucData – Pointer to start of data array that will be enciphered
• short sBlocks – Value indicating how many 64-bit blocks need to be enciphered
• unsigned char *pucKey1 – Pointer to the first key array location
• unsigned char *pucKey2 – Pointer to the second key array location
• unsigned char *pucKey3 – Pointer to the third key array location
TripleDES_DEC
(des_ctx *(Key Structure), unsigned char *pucData, short sBlocks, unsigned char *pucKey1, unsigned char
*pucKey2, unsigned char *pucKey3);
This function performs a 3DES decryption process in the form: Dec[key1](Enc[key2](Dec[key3](Data))). Data and
keys must be in hex form. Function does not convert ASCII text.
Inputs
• des_ctx *Ks -- Pointer to structure that will store the key scheduler.
• unsigned char *pucData – Pointer to start of data array that will be deciphered.
• short sBlocks – Value indicating how many 64-bit blocks need to be deciphered.
• unsigned char *pucKey1 – Pointer to the first key location.
• unsigned char *pucKey2 – Pointer to the second key location.
• unsigned char *pucKey3 – Pointer to the third key location.
TripleDES_ENC_CBC
(des_ctx *(Key Structure), unsigned char *pucData, short sBlocks, unsigned char *pucKey1, unsigned char
*pucKey2, unsigned char *pucKey3, unsigned char *pucIV);
This function performs a 3DES encryption process in the form: Enc[key3](Dec[key2](Enc[key1](Data))) with CBC
mode enabled. Data and keys must be in hex form. Function does not convert ASCII text. Updated IV is stored
starting at location pucIV.
Inputs
• des_ctx *Ks -- Pointer to structure that will store the key scheduler
• unsigned char *pucData – Pointer to start of data array that will be enciphered
• short sBlocks – Value indicating how many 64-bit blocks need to be enciphered
• unsigned char *pucKey1 – Pointer to the first key array location
• unsigned char *pucKey2 – Pointer to the second key array location
• unsigned char *pucKey3 – Pointer to the third key array location
• unsigned char *pucIV – Pointer to start of array of Initialization Vector (IV)
TripleDES_DEC_CBC
(des_ctx *(Key Structure), unsigned char *pucData, short sBlocks, unsigned char *pucKey1, unsigned char
*pucKey2, unsigned char *pucKey3, unsigned char *pucIV);
This function performs a 3DES decryption process in the form Dec[key1](Enc[key2](Dec[key3](Data))) with CBC
mode enabled. Data and keys must be in hex form. Function does not convert ASCII text.
Inputs
• des_ctx *Ks -- Pointer to structure that will store the key scheduler
• unsigned char *pucData – Pointer to start of data array that will be deciphered
• short sBlocks – Value indicating how many 64-bit blocks need to be deciphered
• unsigned char *pucKey1 – Pointer to the first key location
• unsigned char *pucKey2 – Pointer to the second key location
• unsigned char *pucKey3 – Pointer to the third key location
• unsigned char *pucIV – Pointer to start of array of Initialization Vector (IV)
3.3 SHA-256 and SHA-224
The software implementation produces a 256-bit hash and processes the message in hashing blocks of 512 bits, as
described in the document FIPS PUB 180-3. Data to be hashed must be in hex form. Function does not convert ASCII text.
The message array must be a multiple of a hashing block in size, with array elements being 32 bits in length. The
function is written in C99 notation for portability reasons.
SHA_256
(uint32_t *Message, uint64_t Mbit_Length, uint32_t *Hash, short sMode);
Inputs
• uint32_t *Message – Pointer to array of 32-bit longs to be hashed. Size of array must be a multiple of a
hashing block (512 bits or sixteen 32-bit longs).
• uint64_t Mbit_length -- 64-bit value containing the precise number of bits to be hashed within the Message
array.
Note
If Mbit_Length %(mod) 512 >= 448 bits, then an additional hashing block is needed. You must
allocate the additional 512 bits.
• uint32_t *Hash – Pointer to array of eight 32-bit longs. The final hash value is stored here.
• short sMode – Determines if the algorithm run is SHA-224 or SHA-256.
– Mode is equal to "False", SHA-224 is used. Final Hash == Hash[0-6].
– Mode is equal to "True", SHA-256 is used. Final Hash == Hash[0-7].
After an initial round, during which the first round key is XORed to the plain text (Add roundkey operation), nine
equally structured rounds follow. Each round consists of the following operations:
• Substitute bytes
• Shift rows
• Mix columns
• Add round key
The tenth round is similar to rounds one to nine, but the Mix columns step is omitted. In the following sections,
these four operations are explained.
State:               Key:
a0  a4  a8   a12     k0  k4  k8   k12
a1  a5  a9   a13     k1  k5  k9   k13
a2  a6  a10  a14     k2  k6  k10  k14
a3  a7  a11  a15     k3  k7  k11  k15
Figure 4-2. Structure of the Key and the State
[Figure: each state byte a0 to a15 is replaced by the corresponding byte b0 to b15 through the S-box (table lookup).]
Figure 4-3. Subbytes Operation
[Figure: Mixcolumns operation. Each state column (a0,j a1,j a2,j a3,j) is multiplied by the matrix below to give the column (b0,j b1,j b2,j b3,j).]
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
In contrast to the Shiftrows operation, which works on rows in the 4x4 state matrix, the Mixcolumns operation
processes columns.
In principle, only a matrix multiplication needs to be executed. To make this operation reversible, the usual
addition and multiplication are not used. In AES, Galois field operations are used. This document does not go
into the mathematical details. It is only important to know that in a Galois field, an addition corresponds to an
XOR and a multiplication to a more complex equivalent.
The fact that there are many instances of 01 in the multiplication matrix of the Mixcolumns operation makes this
step easily computable.
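The column multiplication described above, written out as an added example (not code from the TI library). The function names are hypothetical, the state layout follows Figure 4-2, and the inverse matrix row 0E 0B 0D 09 is taken from FIPS PUB 197 to show that the step is reversible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiply by 02 in GF(2^8): shift left and, if a bit falls out of the byte,
 * reduce with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x1B). */
static uint8_t xtime(uint8_t a)
{
    return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0x00));
}

/* General GF(2^8) product built from xtime; partial products are added by XOR. */
uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a))
        if (b & 1) p ^= a;
    return p;
}

/* Multiply one column by the circulant matrix whose first row is row0[];
 * row i of the matrix is row0 rotated right by i positions. */
static void mul_column(uint8_t c[4], const uint8_t row0[4])
{
    uint8_t a[4];
    memcpy(a, c, 4);
    for (int i = 0; i < 4; i++) {
        c[i] = 0;
        for (int j = 0; j < 4; j++)
            c[i] ^= gf_mul(row0[(j - i + 4) % 4], a[j]);
    }
}

static const uint8_t MIX[4]     = { 0x02, 0x03, 0x01, 0x01 }; /* matrix shown on the page */
static const uint8_t INV_MIX[4] = { 0x0E, 0x0B, 0x0D, 0x09 }; /* inverse, FIPS PUB 197 */

/* state[] is column-major as in Figure 4-2: a0..a3 form the first column. */
void mix_columns(uint8_t state[16])
{
    for (int col = 0; col < 4; col++) mul_column(&state[4 * col], MIX);
}

void inv_mix_columns(uint8_t state[16])
{
    for (int col = 0; col < 4; col++) mul_column(&state[4 * col], INV_MIX);
}

int main(void)
{
    /* Constructed sample state made of four test columns. */
    uint8_t s[16] = { 0xdb,0x13,0x53,0x45, 0xf2,0x0a,0x22,0x5c,
                      0x01,0x01,0x01,0x01, 0xc6,0xc6,0xc6,0xc6 };
    mix_columns(s);
    for (int i = 0; i < 16; i++) printf("%02x%c", s[i], (i % 4 == 3) ? '\n' : ' ');
    return 0;
}
```

A column of four equal bytes is unchanged by the step because 02 XOR 03 XOR 01 XOR 01 = 01.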
[Figure: each state byte a0 to a15 is combined with the round key byte k0 to k15 at the same position to give b0 to b15.]
Figure 4-6. Addroundkey Operation
[Figure: calculation of the first column of the new round key. Labels: Rotate, S-Box, round constant column (RC1, 00, 00, 00).]
First, all bytes of the old fourth column must be substituted using the Subbytes operation. These four bytes
are shifted vertically by one byte position and then XORed to the old first column. The result of these
operations is the new first column.
2. Calculate columns 2 to 4 of the new round key as shown:
a. [new second column] = [new first column] XOR [old second column]
b. [new third column] = [new second column] XOR [old third column]
c. [new fourth column] = [new third column] XOR [old fourth column]
Figure 4-8 illustrates the calculation of columns 2 to 4 of the new round key.
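The two steps above carried through all ten rounds, as an added example (not the TI library's code; function names are hypothetical). It goes beyond the prose in two labelled respects: the round constant that the figure shows as RC1 is XORed into the top byte of the substituted column as FIPS PUB 197 specifies, and the S-box is generated at run time instead of being stored as a table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t sbox[256];

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* Build the AES S-box: GF(2^8) inverse followed by the affine transform. */
static void sbox_init(void)
{
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0)); /* p = p * 3 */
        q ^= (uint8_t)(q << 1);                                 /* q = q / 3 */
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;
        sbox[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
}

/* Turn round key n into round key n+1 in place. rk[] is column-major as in
 * Figure 4-2 (k0..k3 = first column); rcon is the round constant. */
void next_round_key(uint8_t rk[16], uint8_t rcon)
{
    /* Step 1: substitute the old fourth column, shift it up by one byte,
     * add the round constant, XOR the result into the old first column. */
    uint8_t t[4] = { sbox[rk[13]], sbox[rk[14]], sbox[rk[15]], sbox[rk[12]] };
    t[0] ^= rcon;
    for (int i = 0; i < 4; i++) rk[i] ^= t[i];
    /* Step 2: each further new column = previous new column XOR old column. */
    for (int i = 4; i < 16; i++) rk[i] ^= rk[i - 4];
}

/* Produce all 11 round keys of AES-128; rks[0] is the cipher key itself. */
void aes128_expand_key(const uint8_t key[16], uint8_t rks[11][16])
{
    uint8_t rcon = 0x01;
    sbox_init();
    memcpy(rks[0], key, 16);
    for (int r = 1; r <= 10; r++) {
        memcpy(rks[r], rks[r - 1], 16);
        next_round_key(rks[r], rcon);
        /* the next constant is the current one multiplied by 02 in GF(2^8) */
        rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
    }
}

int main(void)
{
    /* Example cipher key from FIPS PUB 197, Appendix A.1. */
    static const uint8_t key[16] = { 0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                     0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };
    uint8_t rks[11][16];
    aes128_expand_key(key, rks);
    for (int i = 0; i < 16; i++) printf("%02x", rks[1][i]);
    printf("\n");
    return 0;
}
```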
[Figure 4-8: columns of round key RK(n) and of the new round key RK(n+1).]
[Figure: DES structure. 64-bit input, initial permutation, sixteen rounds of F(x, ki) with round keys K1 to K16 operating on the halves L and R (L0/R0 through L16/R16), 64-bit output.]
[Figure: DES round. Expansion box (48 bits), 48-bit round key, eight S-boxes S1 to S8 (6 bits in, 4 bits out), permutation box (32 bits).]
The expanded block is then XORed with the round key. The result is then split into 6-bit groups and
passed through eight S-boxes, with the six MSbs going through S1 and the six LSbs through S8. The S-boxes give
4-bit results, which are concatenated (S1+S2+S3+S4+S5+S6+S7+S8) and sent through a 32-bit permutation
box.
4.2.3 Key Schedule
The key schedule for all sixteen rounds of the DES algorithm must be calculated before encryption or decryption
can occur. The key schedule process in this library is the most CPU intensive component of the algorithm.
System speed can be increased by limiting the number of keys to be scheduled. Figure 4-11 describes how the
key schedule is calculated. First, the 64-bit key is sent through a permutation box that reduces the bit count to
56. The result is split evenly and left rotated by 1-2 bits depending on the round. The rotate results are fed into a
second permutation box that gives the round key used in the DES Function block.
[Figure 4-11: 64-bit key, P1 box, left rotate for round N, P2 box, round key KN; repeated up to left rotate 16 and K16.]
[Figure 4-13: CBC mode with the IV block on the encode and decode sides.]
Encoding in CBC mode begins with an XOR of the IV block and the first plain text block. The result is encrypted
to give the first block of cipher text. This cipher text is then XORed with the next block of plain text, which is
then encoded. This process repeats until all data blocks are enciphered. The IV block is then updated to equal
the last enciphered block.
Decoding in CBC happens in a similar way. In decoding, however, the XOR step happens after the decoding
process. The first cipher text block is decoded and then XORed with the IV block to get the plain text. Subsequent blocks
are XORed with the previous cipher block after decoding, and the last cipher block is taken as the updated IV.
Triple DES with CBC works in the same way as DES with CBC. In Figure 4-13, replace the DES Encode module
with 3DES Encode and the DES Decode module with 3DES Decode to have a visualization of the mode.
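The chaining and IV update described above, as an added example that is not the library's code. The function names are hypothetical, and the block cipher is a constructed stand-in (an invertible byte map, not DES and not secure) so that the in-place data handling and the updated IV can be observed on their own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8 /* 64-bit block, the DES block size */

/* Constructed stand-in for the block cipher. NOT DES and not secure. */
static void toy_encrypt(uint8_t b[BLK], const uint8_t k[BLK])
{
    for (int i = 0; i < BLK; i++) {
        uint8_t x = b[i] ^ k[i];
        b[i] = (uint8_t)(((x << 3) | (x >> 5)) + i);
    }
}

static void toy_decrypt(uint8_t b[BLK], const uint8_t k[BLK])
{
    for (int i = 0; i < BLK; i++) {
        uint8_t x = (uint8_t)(b[i] - i);
        b[i] = (uint8_t)(((x >> 3) | (x << 5)) ^ k[i]);
    }
}

/* Encrypt `blocks` 64-bit blocks in place; iv is updated to the last cipher block. */
void cbc_encrypt(uint8_t *data, short blocks, const uint8_t *key, uint8_t *iv)
{
    for (short n = 0; n < blocks; n++, data += BLK) {
        for (int i = 0; i < BLK; i++) data[i] ^= iv[i]; /* XOR before encoding */
        toy_encrypt(data, key);
        memcpy(iv, data, BLK);                          /* chain to next block */
    }
}

/* Decrypt in place; iv is updated to the last cipher block that was consumed. */
void cbc_decrypt(uint8_t *data, short blocks, const uint8_t *key, uint8_t *iv)
{
    uint8_t prev[BLK];
    for (short n = 0; n < blocks; n++, data += BLK) {
        memcpy(prev, data, BLK);  /* save cipher text: data is overwritten below */
        toy_decrypt(data, key);
        for (int i = 0; i < BLK; i++) data[i] ^= iv[i]; /* XOR after decoding */
        memcpy(iv, prev, BLK);
    }
}

int main(void)
{
    /* Constructed sample values. */
    const uint8_t key[BLK] = { 0x13,0x34,0x57,0x79,0x9b,0xbc,0xdf,0xf1 };
    uint8_t iv[BLK] = { 0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe };
    uint8_t buf[2 * BLK];
    memset(buf, 0x41, sizeof buf); /* two identical plain text blocks */
    cbc_encrypt(buf, 2, key, iv);
    for (int i = 0; i < 2 * BLK; i++) printf("%02x", buf[i]);
    printf("\n");
    return 0;
}
```

Because the IV is updated in place, a caller that needs to decrypt later must keep its own copy of the original IV.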
4.3 SHA-256 and SHA-224
Secure Hash Standard (SHA) 2 is a set of hashing algorithms developed by NIST to replace SHA-1. SHA-2 is a
family of algorithms with message digests of 224, 256, 384 and 512 bits. The 224 and 384 variants are subsets
of the 256 and 512, respectively. This library only implements SHA-256 and SHA-224.
4.3.1 Message Padding and Parsing
For a hash to be computed, the message must be padded to a multiple of a 512-bit hashing block.
The last 64 bits of the last block are reserved for the bit count of the message. Figure 4-14 shows how padding
is implemented. At the end of the message to be hashed, a single "1" bit is appended, followed by zeros. The
zeros continue until Message + Message Length + "1" + "00…00" = 512 bits.
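The padding rule above and the M[ ] sizing rule from Table 2-1, as an added example that is not the library's code. The function names are hypothetical; the point is that the message array must already include room for the extra hashing block before padding is written into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of 512-bit hashing blocks needed for a message of mbits bits:
 * the message, one "1" bit and the 64-bit length must all fit. */
size_t sha256_blocks_needed(uint64_t mbits)
{
    return (size_t)((mbits + 64) / 512 + 1);
}

/* Pad the message held in M[] (32-bit words, first message bit in the MSB of
 * M[0]) in place. m_words is the allocated size of M[] in words.
 * Returns the number of hashing blocks, or 0 if M[] is too small. */
size_t sha256_pad(uint32_t *M, size_t m_words, uint64_t mbits)
{
    size_t blocks = sha256_blocks_needed(mbits);
    size_t total = blocks * 16;             /* sixteen 32-bit words per block */
    if (m_words < total)
        return 0;                           /* extra block was not reserved */

    size_t w = (size_t)(mbits / 32);        /* word holding the first free bit */
    unsigned bit = (unsigned)(mbits % 32);  /* message bits already in that word */
    uint32_t keep = bit ? ~(0xFFFFFFFFu >> bit) : 0;

    M[w] = (M[w] & keep) | (0x80000000u >> bit); /* append "1", clear the rest */
    for (size_t i = w + 1; i < total - 2; i++)
        M[i] = 0;                                /* "00...00" */
    M[total - 2] = (uint32_t)(mbits >> 32);      /* 64-bit message length */
    M[total - 1] = (uint32_t)mbits;
    return blocks;
}

int main(void)
{
    /* Constructed sample: the 24-bit message "abc" in one hashing block. */
    uint32_t M[16] = { 0x61626300u };
    size_t blocks = sha256_pad(M, 16, 24);
    printf("blocks=%u M[0]=%08x M[15]=%08x\n",
           (unsigned)blocks, (unsigned)M[0], (unsigned)M[15]);
    /* Sizes from Table 2-1: 447 -> M[16], 448 -> M[32], 960 -> M[48]. */
    printf("%u %u %u\n", (unsigned)(16 * sha256_blocks_needed(447)),
           (unsigned)(16 * sha256_blocks_needed(448)),
           (unsigned)(16 * sha256_blocks_needed(960)));
    return 0;
}
```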
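[Figure 4-14: padded 512-bit hashing block.]
[Figure: SHA-256 round. Working variables A to H, inputs Wt and Kt, functions Ch, Σ1, Ma and Σ0, updated variables A to H.]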
⊕ = Bitwise XOR
& = Bitwise AND
A' = Bitwise Complement of A
>> = Shift Right
>>> = Rotate Right     (1)
Functions:
ch(x,y,z) = (x & y) ⊕ (x' & z)
Ma (x, y, z) = (x & y) ⊕ (x & z) ⊕ (y & z)
σ0(x)
Wt = Mt(i),                                         0 ≤ t ≤ 15
Wt = σ0(Wt-2) ⊕ Wt-7 ⊕ σ1(Wt-15) ⊕ Wt-16,           16 ≤ t ≤ 15     (2)
Loop Equations:
T1 = h ⊕ Kt ⊕ Wt ⊕ Σ1(E) ⊕ Ch(e, f, g)
T2 = Ma(a, b, c) ⊕ Σ0(A)
h = g
g = f
f = e
e = d ⊕ T1
d = c
c = b
b = a
a = T1 ⊕ T2     (3)
4.3.4 SHA-224
SHA-224 is a subset of SHA-256 with a message digest of 224-bits. The algorithm is the same with the
exception of different Hash initialization values. Also, only the first seven 32-bit words (224 bits) of the final
message digest are used.
5 References
1. Announcing the Advanced Encryption Standard (FIPS PUB 197)
2. Data Encryption Standard (DES) (FIPS PUB 46-3)
3. Secure Hash Standard (SHS) (FIPS PUB 180-3)
4. AES128 – A C Implementation for Encryption and Decryption
5. DES Modes of Operation (FIPS PUB 81)
6. Schneier, Bruce; Applied Cryptography; John Wiley & Sons; 1996
Revision History
Changes from Revision B (March 2018) to Revision C (July 2021)
• Updated the numbering format for tables, figures, and cross references throughout the document
• Added a link to a related application report in the Abstract
Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2022, Texas Instruments Incorporated