<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>

<head>
<META http-equiv="Content-Type" content="text/html; charset=windows-1252">
<META name="GENERATOR" content="IBM WebSphere Studio Homepage Builder Version 7.0.0.0 for Windows">
<META http-equiv="Content-Style-Type" content="text/css">
<title>AES Basic Functions: Overview</title>
<LINK rel="stylesheet" href="../../css/nitro.css" type="text/css">
</head>

<body>

<h1 align="left">AES Cipher Basic Functions: Overview</h1>

<H2>Description</H2>

<h3 class="inline">Overview</h3>
<p>
The TWL-SDK AES cipher library provides encryption functions based on the AES algorithm. It supports two cipher modes: (1) CTR mode, which performs encryption only, and (2) CCM mode, which performs encryption and also provides a mechanism for detecting modification of the data.
</p>

<h3 class="inline">Terms</h3>
<p>
This section explains the terminology used in the documentation of the TWL-SDK AES cipher library. The definitions describe how the terms are used within that documentation; this usage may differ somewhat from the standard definitions used in the field of cryptography.
</p>

<table class="table">
<tbody>
<tr><th>secret<td>With respect to the cipher, that which must not be disclosed to the public; also refers to such information itself.
<tr><th>encryption<td>The process of transforming information, in a restorable manner, so that its apparent meaning is removed.
<tr><th>plaintext<td>The data to be encrypted. This refers to binary data as well as text data.
<tr><th>ciphertext<td>The result of encrypting plaintext. Like plaintext, this generally refers to binary data as well as text data.
<tr><th>decryption<td>The process of restoring plaintext from ciphertext.
<tr><th>block cipher<td>A cipher algorithm that encrypts plaintext of a fixed length and outputs ciphertext of a fixed length.
<tr><th>AES<td>A block cipher algorithm that generates 16 bytes of ciphertext from 16 bytes of plaintext.
<tr><th>MAC<td>Data used to detect modification of data. Stands for Message Authentication Code.
<tr><th>Cipher Mode<td>A method of encrypting data of arbitrary length by using a block cipher.
<tr><th>CTR Mode<td>One of the cipher modes. Stands for <EM><STRONG>C</STRONG>oun<STRONG>T</STRONG>e<STRONG>R</STRONG></EM> mode.
<tr><th>CCM Mode<td>One of the cipher modes. In addition to the processing performed in CTR mode, this mode adds a MAC to the ciphertext. Stands for <EM><STRONG>C</STRONG>ounter with <STRONG>C</STRONG>ipher block chaining <STRONG>M</STRONG>essage authentication code</EM>.
<tr><th>Adata<td>Part of the input data in CCM mode. It is not encrypted, but it is covered by the MAC.
<tr><th>Pdata<td>Part of the input data in CCM mode. It is encrypted and is covered by the MAC.
<tr><th>key<td>Data that makes ciphertexts differ even when the same plaintext and cipher algorithm are used. It is secret.
<tr><th nowrap>initial counter value<td>Data that makes ciphertexts differ in CTR mode even when the same key, plaintext, and cipher algorithm are used. It is not secret. A different value must be used each time encryption is performed.
<tr><th>nonce<td>Data that makes ciphertexts and MACs differ in CCM mode even when the same key, plaintext, and cipher algorithm are used. It is not secret. A different value must be used each time encryption is performed.
<tr><th>signature<td>The act of adding a MAC.
</tbody>
</table>

<h3 class="inline">Cipher Mode</h3>
<p>
The following shows the relationship between the data and the two cipher modes that the TWL-SDK AES cipher library supports.
</p>

<h4 class="inline">CTR Mode</h4>
<p>
In CTR mode, the plaintext is encrypted and nothing more.
Decryption of the ciphertext requires the same key and initial counter value that were used during encryption.
</p>
<img src="ctr.png" alt="CTR mode data flow">

<h4 class="inline">CCM Mode</h4>
<p>
In CCM mode, the Pdata is encrypted and a MAC is generated so that the integrity of the Pdata can be verified. The MAC can additionally cover information called Adata, which is not encrypted but whose integrity must be verified; the Adata can contain anything (for example, the data size). Decryption of the ciphertext requires the same key and nonce that were used during encryption, and verification also requires the same Adata that was used during encryption.
</p>
<img src="ccm.png" alt="CCM mode data flow">

<h3 class="inline">Performance</h3>
<p>
The following shows the approximate performance per byte for encryption and decryption. In addition, each encryption or decryption operation requires about 60000 cycles (@134.06 MHz) of overhead.
</p>

<table class="table">
<thead>
<tr><th colspan="2">Mode<th>Number of Cycles (@134.06 MHz)
</thead>
<tbody>
<tr><th colspan="2">CTR Mode<td>8.4 cycles/byte
<tr><th rowspan="2">CCM Mode<th>Adata<td>4.9 cycles/byte
<tr><th>Pdata<td>8.4 cycles/byte
</tbody>
</table>

<h3 class="inline">Limitations</h3>
<p>
Compared with the standard AES library, the TWL-SDK AES cipher library has the following limitations.
</p>

<h4 class="inline">CTR Mode</h4>
<ul>
<li>Ciphertext is not interchangeable with that of the standard AES library.
</ul>

<h4 class="inline">CCM Mode</h4>
<ul>
<li>The maximum size of each of Adata and Pdata is 1,048,560 bytes (1 MB minus 16 bytes).
<li>The size of the Adata must be a multiple of 16 bytes.
<li>The size of the Adata is not included when calculating the MAC. If it needs to be protected, include it in the Adata yourself.
<li>The size of the nonce is fixed at 96 bits.
<li>The ciphertext and MAC are not interchangeable with those of the standard AES library.
</ul>

<h3 class="inline">Security Precautions</h3>
<p>
CTR mode has the following property: if any bit of a ciphertext produced in this mode is inverted, the corresponding bit of the plaintext obtained by decrypting that ciphertext is also inverted relative to the original plaintext.
</p>
<p>
For example, assume that the plaintext represented by the bit string in the first line below is encrypted, resulting in the ciphertext represented by the bit string in the second line.
</p>
<code class="src"><pre>
plaintext:  00011010000111111100100101010001<span style="background-color: blue; color: white; font-weight: bold;">1</span>001000010100111110110010001001
ciphertext: 01000010011011110100011110001011<span style="background-color: blue; color: white; font-weight: bold;">0</span>111110001010011001001000011101
</pre></code>
<p>
Now invert one bit of the ciphertext (for example, the 33rd bit) and call the result ciphertext'.
</p>
<code class="src"><pre>
ciphertext': 01000010011011110100011110001011<span style="background-color: red; color: white; font-weight: bold;">1</span>111110001010011001001000011101
</pre></code>
<p>
If ciphertext' is decrypted and the result is called plaintext', plaintext' has its 33rd bit inverted compared with the original plaintext.
</p>
<code class="src"><pre>
plaintext': 00011010000111111100100101010001<span style="background-color: red; color: white; font-weight: bold;">0</span>001000010100111110110010001001
</pre></code>
<p>
This property can be exploited. An attacker who can guess the plaintext and also holds a sample ciphertext can generate any ciphertext under the key that was used for that sample, even without knowing the key. Wherever this property would be a problem, you must use CCM mode: because CCM mode adds a MAC, the kind of modification described above can be detected.
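</p>
<p>
The CTR and CCM behaviour described in the Cipher Mode section, and the bit-inversion property just shown, as an added example that is not part of the original page and not code from the TWL-SDK library. The block function is a toy permutation standing in for AES (an assumption made only so the code runs stand-alone; it is not AES and not secure), the counter layout (96-bit nonce followed by a 32-bit block index) and the simplified CCM-style tag (a CBC-MAC over a length block, the Adata and the Pdata, masked with the keystream of block index 0) are assumed structures that mirror the modes rather than the library's exact formatting, the key, nonce, plaintext and Adata values are constructed, and the function names (ctr_crypt, ccm_mac, ccm_decrypt and the rest) are hypothetical.
</p>

```c
#include <stdint.h>
#include <string.h>
#define BLOCK 16     /* AES block size in bytes */
#define NONCE_LEN 12 /* the TWL-SDK library fixes the CCM nonce at 96 bits */
/* Toy keyed block permutation standing in for AES (NOT AES, NOT secure) so the code runs offline. */
static void toy_block(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    uint8_t s[BLOCK], t;
    memcpy(s, in, BLOCK);
    for (int r = 0; r < 8; r++) {
        for (int i = 0; i < BLOCK; i++)
            s[i] = (uint8_t)(((s[i] ^ key[(i + r) % BLOCK]) * 37) + s[(i + 1) % BLOCK] + r);
        t = s[0]; memmove(s, s + 1, BLOCK - 1); s[BLOCK - 1] = t; /* rotate one byte */
    }
    memcpy(out, s, BLOCK);
}
/* Counter block = 96-bit nonce || 32-bit big-endian block index (assumed, simplified layout). */
static void make_ctr(const uint8_t *nonce, uint32_t idx, uint8_t *out) {
    memcpy(out, nonce, NONCE_LEN);
    for (int i = 0; i < 4; i++) out[NONCE_LEN + i] = (uint8_t)(idx >> (24 - 8 * i));
}
/* CTR mode: out = in XOR E_K(counter).  The same call decrypts, which is why inverting
   one ciphertext bit inverts exactly the corresponding plaintext bit. */
static void ctr_crypt(const uint8_t *key, const uint8_t *ctr0, const uint8_t *in,
                      uint8_t *out, size_t len) {
    uint8_t ctr[BLOCK], ks[BLOCK];
    memcpy(ctr, ctr0, BLOCK);
    for (size_t off = 0; off < len; off += BLOCK) {
        size_t n = len - off < BLOCK ? len - off : BLOCK;
        toy_block(key, ctr, ks);
        for (size_t i = 0; i < n; i++) out[off + i] = in[off + i] ^ ks[i];
        for (int i = BLOCK - 1; i >= 0 && ++ctr[i] == 0; i--) {} /* big-endian increment */
    }
}
/* CBC-MAC absorb: fold data, as zero-padded 16-byte blocks, into chaining value x. */
static void cbc_absorb(const uint8_t *key, uint8_t *x, const uint8_t *d, size_t len) {
    for (size_t off = 0; off < len; off += BLOCK) {
        uint8_t b[BLOCK] = {0};
        size_t n = len - off < BLOCK ? len - off : BLOCK;
        memcpy(b, d + off, n);
        for (int i = 0; i < BLOCK; i++) b[i] ^= x[i];
        toy_block(key, b, x);
    }
}
/* Simplified CCM-style tag: CBC-MAC over (B0, Adata, Pdata) masked with the keystream of
   block index 0.  As in the TWL-SDK library, the Adata length itself is not authenticated. */
static void ccm_mac(const uint8_t *key, const uint8_t *nonce, const uint8_t *adata,
                    size_t alen, const uint8_t *pdata, size_t plen, uint8_t *tag) {
    uint8_t b0[BLOCK], x[BLOCK], s0[BLOCK];
    make_ctr(nonce, (uint32_t)plen, b0);
    b0[0] ^= 0x80; /* flag bit so B0 cannot collide with a counter block */
    toy_block(key, b0, x);
    cbc_absorb(key, x, adata, alen);
    cbc_absorb(key, x, pdata, plen);
    make_ctr(nonce, 0, s0);
    toy_block(key, s0, s0);
    for (int i = 0; i < BLOCK; i++) tag[i] = x[i] ^ s0[i];
}
/* CCM-style decrypt: CTR from block index 1, then a constant-time tag check.  Returns 1 and
   writes the plaintext on success; returns 0 and clears the output otherwise. */
static int ccm_decrypt(const uint8_t *key, const uint8_t *nonce, const uint8_t *adata, size_t alen,
                       const uint8_t *ct, size_t clen, const uint8_t *tag, uint8_t *pt) {
    uint8_t c1[BLOCK], t2[BLOCK], diff = 0;
    make_ctr(nonce, 1, c1);
    ctr_crypt(key, c1, ct, pt, clen);
    ccm_mac(key, nonce, adata, alen, pt, clen, t2);
    for (int i = 0; i < BLOCK; i++) diff |= tag[i] ^ t2[i];
    if (diff) { memset(pt, 0, clen); return 0; }
    return 1;
}
/* Constructed sample key, nonce and plaintext (not values from any real product). */
static const uint8_t KEY[BLOCK] = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f};
static const uint8_t NONCE[NONCE_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12};
static const uint8_t PT[8] = {0x1a,0x1f,0xc9,0x51,0x90,0xa7,0xd9,0x09};
/* CTR only: invert bit 33 of the ciphertext (1-indexed, MSB first, as in the bit strings above)
   and decrypt.  Returns the position of the single changed plaintext bit, or -1 if not exactly one. */
static int ctr_bitflip_position(void) {
    uint8_t ctr0[BLOCK], ct[8], pt2[8];
    int changed = 0, pos = -1;
    make_ctr(NONCE, 1, ctr0);
    ctr_crypt(KEY, ctr0, PT, ct, sizeof PT);
    ct[4] ^= 0x80; /* bit 33 = most significant bit of byte index 4 */
    ctr_crypt(KEY, ctr0, ct, pt2, sizeof PT);
    for (int k = 0; k < 64; k++)
        if (((PT[k / 8] ^ pt2[k / 8]) >> (7 - k % 8)) & 1) { changed++; pos = k + 1; }
    return changed == 1 ? pos : -1;
}
/* CCM style: the same bit flip is caught by the tag check.  Returns 1 when the intact message
   verifies and the tampered one is rejected. */
static int ccm_detects_tamper(void) {
    /* One 16-byte Adata block (a multiple of 16, as the library requires).  Because the Adata
       length is not part of the MAC, it is carried in the first four bytes of the Adata. */
    uint8_t adata[BLOCK] = {0, 0, 0, BLOCK, 'h', 'd', 'r'}, c1[BLOCK], ct[8], out[8], tag[BLOCK];
    ccm_mac(KEY, NONCE, adata, sizeof adata, PT, sizeof PT, tag);
    make_ctr(NONCE, 1, c1); /* encryption: data blocks use indices 1, 2, ... */
    ctr_crypt(KEY, c1, PT, ct, sizeof PT);
    if (!ccm_decrypt(KEY, NONCE, adata, sizeof adata, ct, sizeof ct, tag, out) ||
        memcmp(out, PT, sizeof PT) != 0) return 0;
    ct[4] ^= 0x80;
    return ccm_decrypt(KEY, NONCE, adata, sizeof adata, ct, sizeof ct, tag, out) == 0;
}
```

<p>
ctr_bitflip_position() reports that inverting bit 33 of a CTR ciphertext changes exactly bit 33 of the decrypted plaintext, whatever the key, because decryption is the same XOR with the same keystream. ccm_detects_tamper() applies the same modification to a CCM-style message and shows the tag check rejecting it while the intact message verifies. The Adata block carries its own length in its first bytes, following the Limitations note that the library does not include the Adata size in the MAC.
</p>
<p>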
</p>

<H2>Revision History</H2>
<P>
2008/09/03 Added a note that the Adata size is not included in the MAC calculation in CCM mode.<br>
2007/12/25 Initial version.
</p>

<hr><p>CONFIDENTIAL</p></body>
</html>