Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: ● Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually.

Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: ● Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. ● Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds).

Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: ● Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. ● Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds). ● Operations should be invertible – hence xor and table lookup. Use of one key for both encryption and decryption.

Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations for cipher design: ● Encrypted data should look random. As though someone flipped a fair coin 64 times and heads means 1 and tails 0. Any change in one bit of output corresponds to a huge change in the input (bits are uncorrelated). Should be about as many 1's as 0's usually. ● Try to spread the influence of each input bit to all output bits and change in one input bit should have 50% chance of changing any of the output bits (hence many rounds). ● Operations should be invertible – hence xor and table lookup. Use of one key for both encryption and decryption. ● Attacks may be mitigated if they rely on operations that are not efficiently implemented in hardware yet allow normal operation to complete efficiently, even in software (permute).

Secret Key Systems Encrypting a small block of text (say 64 bits) What is considered a successful attack? Suppose some plaintext is known (a crib) and it is desired to find the key. If the cipher were generating truly random output, an attack on a key should take 2 55 tries, on the average, for 56 bit keys. If someone can find a way to guarantee finding a key in 2 50 tries even, then the cipher is considered broken.

Secret Key Systems - DES IBM/NSA bit blocks, 56 bit key, 8 bits parity 64 bit input block 32 bit L i 32 bit R i Mangler Function 32 bit L i+1 32 bit R i+1 64 bit output block ⊕ KiKi Encryption Round

Secret Key Systems - DES IBM/NSA bit blocks, 56 bit key, 8 bits parity 64 bit input block 32 bit L i 32 bit R i Mangler Function 32 bit L i+1 32 bit R i+1 64 bit output block ⊕ KnKn 32 bit L i 32 bit R i Mangler Function 32 bit L i+1 32 bit R i+1 64 bit input block ⊕ KnKn Encryption Round Decryption Round

Secret Key Systems - DES Generating per round keys K 1 K 2... K 16 from the 56 bit Key + 8 parity bits Key bits:

Secret Key Systems - DES Generating per round keys K 1 K 2... K 16 from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 :

Secret Key Systems - DES Generating per round keys K 1 K 2... K 16 from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 : Each round: K i has 48 bits assembled in 2 halves permuted from 24 bits each of C i and D i, K i+1 is obtained by rotating C i and D i left to form C i+1 and D i+1 (rotation is 1 bit for rounds 1,2,9,16 and 2 bits for other rounds)

Secret Key Systems - DES Generating per round keys K 1 K 2... K 16 from the 56 bit Key + 8 parity bits Key bits: C 0 : D 0 : Each round: K i has 48 bits assembled in 2 halves permuted from 24 bits each of C i and D i, K i+1 is obtained by rotating C i and D i left to form C i+1 and D i+1 (rotation is 1 bit for rounds 1,2,9,16 and 2 bits for other rounds) Permutations: Left half C i : (9,18,22,25 are missing) Right half D i : (35,38,43,54 are missing)

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ KiKi

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ 1. Expansion of input bits: 4 bits KiKi

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ KiKi 1. Expansion of input bits: 4 bits 6 bits... R i (32 bits)

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ KiKi 1. Expansion of input bits: 4 bits 6 bits... Expanded input (48 bits) 6 bits K i (48 bits) R i (32 bits)

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ KiKi 1. Expansion of input bits: 4 bits 6 bits... Expanded input (48 bits) 6 bits K i (48 bits) ⊕ 6 bits 4 bits... R i (32 bits) 2. Mixing with key: S- Box i

Secret Key Systems - DES The Mangler function: mixes 32 bit input with 48 bit key to produce 32 bits 32 bit R i Mangler Function 32 bit R i+1 ⊕ KiKi 1. Expansion of input bits: 4 bits 6 bits... Expanded input (48 bits) 6 bits K i (48 bits) ⊕ 6 bits S- Box i 4 bits... R i+1 (32 bits) R i (32 bits) 2. Mixing with key: 4 bits

Secret Key Systems - DES The S-Box: maps 6 bit blocks to 4 bit sections S-Box 1 (first 6 bits): Input bits 1 and 6 Input bits 2,3,4,5 Final permutation:

Secret Key Systems - DES Weak and semi-weak keys: If key is such that C 0 or D 0 are: 1) all 0s; 2) all 1s; 3) alternating 1s and 0s, There are 16 such keys. Keys for which C 0 and D 0 are both 0 or both 1 are called weak: E(E(M)) = M The others are semi-weak: E K1 (E K2 (M)) = M

Secret Key Systems - DES Weak and semi-weak keys: If key is such that C 0 or D 0 are: 1) all 0s; 2) all 1s; 3) alternating 1s and 0s, There are 16 such keys. Keys for which C 0 and D 0 are both 0 or both 1 are called weak: E(E(M)) = M The others are semi-weak: E K1 (E K2 (M)) = M Discussion: 1. Not much known about the design – not made public Probably attempt to prevent known attacks 2. Changing S-Boxes has resulted in provably weaker system

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known:

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known: m: K 1 E(K 1, m) {

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known: m: K 1 E(K 1, m) { c: K 2 D(K 2, c) {

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known: m: K 1 E(K 1, m) { c: K 2 D(K 2, c) {

Secret Key Systems - 3DES Two keys K 1 and K 2 : K 1 K 2 K 1 m E D E c K 1 K 2 K 1 c D E D m encryption decryption Why not 2DES 1. Double encryption with the same key still requires searching 2 56 keys 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known: m: K 1 E(K 1, m) { c: K 2 D(K 2, c) { m E(K 1,m) D(K 2,c) c Test matches on other pairs

Secret Key Systems - 3DES Why not 2DES 2. Double encryption with two different keys is just as vulnerable as DES due to the following, assuming some pairs are known: How many pairs do you need? 2 64 possible blocks 2 56 table entries each block has probability 2 -8 = 1/256 of showing in a table probability a block is in both tables is average number of matches is 2 48 average number of matches for two pairs is about 2 32 for three pairs is about 2 16 for four pairs is about Triple encryption with two different keys bits of key is considered enough - straightforward to find a triple of keys that maps a given plaintext to a given ciphertext (no known attack with 2 keys) - EDE: use same keys to get DES, EEE: effect of permutations lost

Secret Key Systems - 3DES CBC with 3DES: mimi cici ⊕ E D E m i+1 c i+1 ⊕ E D E mimi cici ⊕ E D E m i+1 c i+1 ⊕ E D E ⊕ ⊕ K1K1 K1K1 K1K1 K1K1 K2K2 K2K2 outside inside

Secret Key Systems - 3DES CBC with 3DES : 1. On the outside – same attack as with CBC – change a block with side effect of garbling another 2. On the inside – attempt at changing a block results in all block garbled to the end of the message. 3. On the inside – use three times as much hardware to pipeline encryptions resulting in DES speeds. 4. On the outside – EDE simply is a drop-in replacement for what might have been there before.

Secret Key Systems - IDEA ETH Zuria bit blocks, 128 bit key, 0 bits parity: 64 bit input block 16 bit X i,a 64 bit output block Odd Encryption Round 16 bit X i,b 16 bit X i,c 16 bit X i,d 16 bit X i+1,a 16 bit X i+1,b 16 bit X i+1,c 16 bit X i+1,d ⊗ ⊗ ⊙ ⊙ K i, a K i, b K i, c K i, d ⊗ ⊙ Addition but throw away carries Multiplication mod is treated as 2 16 (invertible)

Secret Key Systems - IDEA ETH Zuria bit blocks, 128 bit key, 0 bits parity: 64 bit input block 16 bit X i,a 64 bit output block Even Encryption Round 16 bit X i,b 16 bit X i,c 16 bit X i,d 16 bit X i+1,a 16 bit X i+1,b 16 bit X i+1,c 16 bit X i+1,d ⊙ ⊙ K i, e K i,f ⊗ ⊗ ⊙ ⊙ Mangler Function Y in = X i,a ⊗ X i,b Z in = X i,c ⊗ X i,d Y out = ((K i,e ⊗ Y in ) ⊙ Z in ⊗ K i,f Z out = (K i,e ⊗ Y in ) ⊙ Y out X i+1,a = X i,a ⊙ Y out X i+1,b = X i,b ⊙ Y out X i+1,c = X i,c ⊙ Z out X i+1,d = X i,d ⊙ Z out

Secret Key Systems - IDEA Key generation bit keys needed (2 per even round 4 per odd): 128 bit key K 1,a K 1,b K 1,c K 1,d K 2,e K 2,f K 3,a K 3,b

Secret Key Systems - IDEA Key generation bit keys needed (2 per even round 4 per odd): 128 bit key K 1,a K 1,b K 1,c K 1,d K 2,e K 2,f K 3,a K 3,b 128 bit key K 3,c K 3,d K 4,e K 4,f K 5,a K 5,b K 5,c K 5,d 128 bit key bits

Secret Key Systems - AES NIST (2001) parameterized key size (128 bits to 256 bits) 4N b octet inp... ⊕ a 0,0 a 1,0 a 2,0 a 3,0 round 1 ⊕... 4N k octet key key expansion K0K0 K1K1 a 0,3 a 1,3 a 2,3 a 3,3... k 0,0 k 1,0 k 2,0 k 3,0 k 0,3 k 1,3 k 2,3 k 3,3

Secret Key Systems - AES The State: An array of four rows and N b columns – each element is a byte. Initially: next block of 4N b input bytes. Execution: all operations are performed on the State. Example: N b = 4 in 1 in 0 in 2 in 3 in 12 in 13 in 14 in 15 in 4 in 8 in 5 in 9 in 6 in 10 in 7 in 11 s 1,1 s 0,0 s 2,2 s 3,3 s 0,3 s 1,0 s 2,1 s 3,2 s 0,1 s 0,2 s 1,2 s 1,3 s 2,3 s 2,0 s 3,0 s 3,1

Secret Key Systems - AES Addition: modulo 2 addition (xor) of polynomials of maximum degree 7 Examples: (x 6 +x 4 +x 2 +x 1 +1) + (x 7 +x 1 +1) = x 7 +x 6 +x 4 +x 2 (polynomial) ⊕ = (binary notation) 0x57 ⊕ 0x83 = D4 (hexadecimal)

Secret Key Systems - AES Multiplication of two degree 7 polynomials (bytes): Just like ordinary multiplication except mod m(x) = (x 8 +x 4 +x 3 +x 1 +1) Reason: for each byte there will be an inverse: a a -1 = 1 mod m(x) Basis: x b = b 7 x 8 + b 6 x 7 + b 5 x 6 + b 4 x 5 + b 3 x 4 + b 2 x 3 + b 1 x 2 + b 0 x Shift b left by 1, if result has a degree 8 bit, xor with m(x) This operation is called xtime(x) = (x > 7) & 1) * 0x11b)

Secret Key Systems - AES Multiplication of two degree 7 polynomials (bytes): Just like ordinary multiplication except mod m(x) = (x 8 +x 4 +x 3 +x 1 +1) Reason: for each byte there will be an inverse: a a -1 = 1 mod m(x) Basis: x b = b 7 x 8 + b 6 x 7 + b 5 x 6 + b 4 x 5 + b 3 x 4 + b 2 x 3 + b 1 x 2 + b 0 x Shift b left by 1, if result has a degree 8 bit, xor with m(x) This operation is called xtime(x) = (x > 7) & 1) * 0x11b) Example: xtime(x 7 + x 5 + x 3 + x 2 + x) = x 6 + x 2 + x + 1 or ⊕ = or xtime(0xAE) = 0x47 Example: (x 6 + x 4 + x 2 + x 1 + 1) ⊗ (x 4 + x + 1) = 0x57 ⊗ 0x13 (x 6 + x 4 + x 2 + x 1 + 1) ⊗ x = xtime(0x57) = 0xAE (x 6 + x 4 + x 2 + x 1 + 1) ⊗ x 2 = xtime(0xAE) = 0x47 (x 6 + x 4 + x 2 + x 1 + 1) ⊗ x 3 = xtime(0x47) = 0x8E (x 6 + x 4 + x 2 + x 1 + 1) ⊗ x 4 = xtime(0x8E) = 0x7 0x57 ⊗ 0x13 = 0x7 0xAE 0x57 = 0xFE

Secret Key Systems - AES Byte substitutions (S-Box): Find the inverse of a polynomial: a(x) ⊗ b(x) m(x) ⊗ c(x) = 1 Example: 0x57 ⊗ 0xBF = 1 so 0xBF is the inverse of 0x57 S-Box number: Apply the transformation on the right to the inverse Example: getSbox(0x57) = 0x5B b 0 ' b 0 1 b 1 ' b 1 1 b 2 ' b 2 0 b 3 ' b 3 0 b 4 ' b 4 0 b 5 ' b 5 1 b 6 ' b 6 1 b 7 ' b 7 0 =

Secret Key Systems - AES The S-Box: y a b c d e f c 77 7b f2 6b 6f c b fe d7 ab 76 1 ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd f f7 cc 34 a5 e5 f1 71 d c7 23 c a e2 eb 27 b c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a8 x 7 51 a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 8 cd 0c 13 ec 5f c4 a7 7e 3d 64 5d f dc 22 2a ee b8 14 de 5e 0b db a e0 32 3a 0a c c2 d3 ac e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b f6 0e b9 86 c1 1d 9e e e1 f d9 8e 94 9b 1e 87 e9 ce df f 8c a1 89 0d bf e d 0f b0 54 bb 16

Secret Key Systems - AES The Inverse S-Box: y a b c d e f a d a5 38 bf 40 a3 9e 81 f3 d7 fb 1 7c e b 2f ff e c4 de e9 cb b a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e e a d9 24 b2 76 5b a2 49 6d 8b d f8 f d4 a4 5c cc 5d 65 b c fd ed b9 da 5e a7 8d 9d d8 ab 00 8c bc d3 0a f7 e b8 b x 7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd a 6b 8 3a f 67 dc ea 97 f2 cf ce f0 b4 e ac e7 ad e2 f9 37 e8 1c 75 df 6e a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b fc 56 3e 4b c6 d a db c0 fe 78 cd 5a f4 c 1f dd a c7 31 b ec 5f d f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c f 17 2b 04 7e ba 77 d6 26 e c 7d

Secret Key Systems - AES Four term polynomials with 8 bit coefficients: State columns will be represented by such polynomials. We will want to transform columns by multiplication, modulo a polynomial, as was done to get the S-Box. However, in this case the maximum degree is 3 and the coefficients are bytes, not bits. The idea is to multiply a column polynomial by the fixed polynomial a(x) = 3x 3 + x 2 + x + 2 mod x Equivalently: a(x) b(x) = d(x) = d 3 x 3 + d 2 x 2 + d 1 x + d 0 where d 0 = (2 b 0 ) (3 b 1 ) (1 b 2 ) (1 b 3 ) d 1 = (1 b 0 ) (2 b 1 ) (3 b 2 ) (1 b 3 ) d 2 = (1 b 0 ) (1 b 1 ) (2 b 2 ) (3 b 3 ) d 3 = (3 b 0 ) (1 b 1 ) (1 b 2 ) (2 b 3 ) Observe: d i is influenced by all four bytes of original column Example: a(x) (0xBx 3 + 0xDx 2 + 0x9x + 0xE) = 1

Secret Key Systems - AES void Cipher () { // Nr is the number of rounds int i, j, round=0; // Copy the input PlainText to state array. state = in; AddRoundKey(0); for (round=1 ; round < Nr ; round++) { SubBytes(); ShiftRows(); MixColumns(); AddRoundKey(round); } SubBytes(); ShiftRows(); AddRoundKey(Nr); // Copy the state array to the Output array. out = state; }

SubBytes ( ): Secret Key Systems - AES s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 gSx(s 0,0 ) gSx(s 0,1 ) gSx(s 0,2 ) gSx(s 0,3 ) gSx(s 1,0 ) gSx(s 1,1 ) gSx(s 1,2 ) gSx(s 1,3 ) gSx(s 2,0 ) gSx(s 2,1 ) gSx(s 2,2 ) gSx(s 2,3 ) gSx(s 3,0 ) gSx(s 3,1 ) gSx( s 3,2 ) gSx(s 3,3 ) Function gSx(a) maps a to the character it indexes in the S-Box

Secret Key Systems - AES ShiftRows ( ): s 1,0 s 0,0 s 2,0 s 3,0 s 0,3 s 1,3 s 2,3 s 3, 3 NbNb Row s 0,1 s 0,2 s 1,1 s 1,2 s 2,1 s 2,2 s 3,1 s 3,2 s 1,1 s 0,0 s 2,2 s 3,3 s 0,3 s 1,0 s 2,1 s 3,2 s 0,1 s 0,2 s 1,2 s 1,3 s 2,3 s 2,0 s 3,0 s 3,1

Secret Key Systems - AES MixColumns ( ) : '''''''' s 0,c s 0,c s 1,c s 1,c s 2,c s 2,c s 3,c s 3,c = Replace state columns by matrix multiplication ( and ) above Columns are considered as polynomials over GF(2 8 ) and multiplied mod x 4 +1 by a fixed polynomial given by 3x 3 + x 2 + x + 2 tmp = s 0,c s 1,c s 2,c s 3,c s 0,c = xtime(s 0,c s 1,c ) tmp s 0,c s 1,c = xtime(s 1,c s 2,c ) tmp s 1,c s 2,c = xtime(s 2,c s 3,c ) tmp s 2,c s 3,c = xtime(s 0,c s 3,c ) tmp s 3,c Example: 0xD4 0x04 0xBF 0x66 0x5D 0x81 0x30 0xE5

Secret Key Systems - AES MixColumns ( ) : ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 0x2B 0xD4 0xDE 0xA D 0x41 0xA D 0xEC 0xA7 0xDE 0x79 0xB3 0xD4 0x67 0x56 0x2B 0x7D ⊕ 0x42 0x4 C 0xB 4 0x36 lookups

Secret Key Systems - AES AddRoundKey ( ):... k 0,0 k 1,0 k 2,0 k 3,0 k 0,5 k 1,5 k 2,5 k 3,5 ⊕ s 1,0 s 0,0 s 2,0 s 3,0 s 0,3 s 1,3 s 2,3 s 3,3 s 0,1 s 0,2 s 1,1 s 1,2 s 2,1 s 2,2 s 3,1 s 3,2 s 1,1 s 0,0 s 2,2 s 3,3 s 0,3 s 1,0 s 2,1 s 3,2 s 0,1 s 0,2 s 1,2 s 1,3 s 2,3 s 2,0 s 3,0 s 3,1 w 1,0 w 0,0 w 2,0 w 3,0 w 0,3 w 1,3 w 2,3 w 3,3 w 0,1 w 0,2 w 1,1 w 1,2 w 2,1 w 2,2 w 3,1 w 3,2 first round only - generally it's w i,r+c where c is the column and r is the round

Secret Key Systems - AES Key Schedule: example for N k =4 w 0,0, w 1,0, w 2,0, w 3,0 w 0,3, w 1,3, w 2,3, w 3,3 w 0,4, w 1,4, w 2,4, w 3, st round 2 nd round All rounds: 32*N k bits for a round key

Secret Key Systems - AES Key Expansion: example for N k = 4 RotWord ( ): changes [ a 0, a 1, a 2, a 3 ] to [ a 3, a 2, a 1, a 0 ] Rcon[i]: the word [ x i-1, 0, 0, 0 ] mod x 4 + 1, where x = 2 SubWord ( ): maps each byte of [ a 0, a 1, a 2, a 3 ] using S-Box values

Secret Key Systems - AES Rcon[i]: also precomputed as a lookup table Y a b c d e f b 36 6c d8 ab 4d 9a 1 2f 5e bc 63 c a d4 b3 7d fa ef c e4 d3 bd 61 c2 9f 25 4a cc 83 1d 3a 3 74 e8 cb 8d b 36 6c d8 4 ab 4d 9a 2f 5e bc 63 c a d4 b3 7d fa ef 5 c e4 d3 bd 61 c2 9f 25 4a cc d 3a 74 e8 cb 8d b X c d8 ab 4d 9a 2f 5e bc 63 c a d4 b3 8 7d fa ef c e4 d3 bd 61 c2 9f 25 4a cc 83 1d 3a 74 e8 cb 8d a b 36 6c d8 ab 4d 9a 2f 5e bc 63 c b 6a d4 b3 7d fa ef c e4 d3 bd 61 c2 9f c 25 4a cc 83 1d 3a 74 e8 cb 8d d b 36 6c d8 ab 4d 9a 2f 5e bc 63 e c a d4 b3 7d fa ef c e4 d3 bd f 61 c2 9f 25 4a cc 83 1d 3a 74 e8 cb

Secret Key Systems - AES Key Expansion: example for N k = 4 First Round: the original key (16 bytes if N k = 4) Other Rounds: [ w 0,l, w 1,l, w 2,l, w 3,l ] smallest l is N k -1 [ w 3,l, w 2,l, w 1,l, w 0,l ] apply RotWord [ S(w 0,l ), S(w 1,l ), S(w 2,l ), S(w 3,l ) ] apply SubWord [ S(w 0,l ) Rcon[(l+1)/N k ], S(w 1,l ), S(w 2,l ), S(w 3,l ) ] use Rcon [ S(w 0,l ) Rcon[(l+1)/N k ] w 0,l, S(w 1,l ) w 1,l, S(w 2,l ) w 2,l, S(w 3,l ) w 3,l ] [ w 0,l+1, w 1,l+1, w 2,l+1, w 3,l+1 ] next key word RotWord ( ): changes [ a 0, a 1, a 2, a 3 ] to [ a 3, a 2, a 1, a 0 ] Rcon[i]: the word [ x i-1, 0, 0, 0 ] mod x 4 + 1, where x = 2 SubWord ( ): maps each byte of [ a 0, a 1, a 2, a 3 ] using S-Box values

Key: 2B 7E AE D2 A6 AB F CF 4F 3C

E0 43 5A F A8 8D A2 34 Secret Key Systems - AES Example: Input: 2B 28 AB 09 7E AE F7 CF 15 D2 15 4F 16 A6 88 3C Key:

E0 43 5A F A8 8D A2 34 Secret Key Systems - AES Example: Input: 2B 28 AB 09 7E AE F7 CF 15 D2 15 4F 16 A6 88 3C Key: 19 A0 9A E9 3D F4 C6 F8 E3 E2 8D 48 BE 2B 2A 08 beginning of first round - input placed into the state and key has been added to state

19 A0 9A E9 3D F4 C6 F8 E3 E2 8D 48 BE 2B 2A 08 Secret Key Systems - AES Example: State: D4 E0 B8 1E BF B D AE F1 E5 D4 E0 B8 1E 27 BF B D 52 AE F1 E5 30 S-Box ShiftRows 04 E CB F D3 26 E5 9A 7A 4C MixColumns

Secret Key Systems - AES Performance Notes: 1. Many operations are table look ups so they are fast 2. Parallelism can be exploited 3. Key expansion only needs to be done one time until the key is changed 4. The S-box minimizes the correlation between input and output bits 5. There are no known weak keys

Secret Key Systems - AES Attacks: Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key – not practical although vs

Secret Key Systems - AES Attacks: Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key – not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s – 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported.

Secret Key Systems - AES Attacks: Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key – not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s – 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported. Titled Attack - If attacker can stop the execution of encryption, apply a “difference” to the state, and roll back the encryption vs

Secret Key Systems - AES Attacks: Extended Sparse Linearization - Derive a system of quadratic simultaneous equations and solve, 128 bit key: 8000 quadratic equations, 1600 variables 256 bit key: quadratic equations, 4480 variables given plaintext, to get the key – not practical although vs Related Key - Attacker may be able to observe behavior of cipher in the case of several keys, not initially known, but with some understanding of the mathematical relationship connecting the keys - e.g. the number of 1s equals the number of 0s – 2 70 time for an 11 round version of 256-bit AES but attack on full version is not Reported. Titled Attack - If attacker can stop the execution of encryption, apply a “difference” to the state, and roll back the encryption vs Side Channel - Vulnerable in some implementations – later in the course

Secret Key Systems - AES Number of rounds: NkNk NbNb