Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 4 – The Advanced Encryption Standard (AES) ver. October 28, 2009.

Slides:



Advertisements
Similar presentations
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Advertisements

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5
The Advanced Encryption Standard (AES) Simplified.
Advanced Encryption Standard
Cryptography and Network Security
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
RIJNDAEL Arta Doci University Of Colorado.
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
ECE578/7 #1 Spring 2010 © , Richard A. Stanley ECE578: Cryptography 7: Elliptic Curve Cryptographic Systems Professor Richard A. Stanley, P.E.
ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.
Lecture 23 Symmetric Encryption
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Dr. Lo’ai Tawalbeh 2007 Chapter 5: Advanced Encryption Standard (AES) Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus.
Encryption Schemes Second Pass Brice Toth 21 November 2001.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.
Cryptography and Network Security
1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester
Cryptography and Network Security
Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable."
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 3 – The Data Encryption.
9/17/15UB Fall 2015 CSE565: S. Upadhyaya Lec 6.1 CSE565: Computer Security Lecture 6 Advanced Encryption Standard Shambhu Upadhyaya Computer Science &
Classical &ontemporyryptology 1 AESAES Classical &ontemporyryptology 2 Advanced Encryption Standard Since DES was becoming less reliable as new cryptanalysis.
Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.
AES Background and Mathematics CSCI 5857: Encoding and Encryption.
Information Security Lab. Dept. of Computer Engineering 122/151 PART I Symmetric Ciphers CHAPTER 5 Advanced Encryption Standard 5.1 Evaluation Criteria.
Rijndael Advanced Encryption Standard. Overview Definitions Definitions Who created Rijndael and the reason behind it Who created Rijndael and the reason.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 8 –
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 11 – Hash Functions.
AES: Rijndael 林志信 王偉全. Outline Introduction Mathematical background Specification Motivation for design choice Conclusion Discussion.
Advanced Encryption Standard. Origins NIST issued a new version of DES in 1999 (FIPS PUB 46-3) DES should only be used in legacy systems 3DES will be.
Lecture 23 Symmetric Encryption
Cryptography Lecture 17: Advanced Encryption Standard (AES) Piotr Faliszewski.
Fifth Edition by William Stallings
Advanced Encryption Standard Dr. Shengli Liu Tel: (O) Cryptography and Information Security Lab. Dept. of Computer.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Data Security and Encryption (CSE348) 1. Lecture # 9 2.
1 CPCS425: Information Security (Topic 5) Topic 5  Symmetrical Cryptography  Understand the principles of modern symmetric (conventional) cryptography.
Zong-Cing Lin 2007/10/31.  Algorithm Description  Why chose Rijndael  Reference.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Cryptography and Network Security Chapter 5
CS480 Cryptography and Information Security
Triple DES.
School of Computer Science and Engineering Pusan National University
Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Chapter 3 – The Data Encryption.
Cryptography and Network Security Chapter 5
The Advanced Encryption Standard: Rijndael
AES Objectives ❏ To review a short history of AES
Advanced Encryption Standard (Symmetric key Algorithm)
Cryptography and Network Security Chapter 5
Cryptography and Network Security Chapter 5
Cryptography and Network Security Chapter 5
Advanced Encryption Standard
Advanced Encryption Standard
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Advanced Encryption Standard
Cryptography and Network Security Chapter 5
Introduction to Modern Cryptography
Presentation transcript:

Understanding Cryptography by Christof Paar and Jan Pelzl Chapter 4 – The Advanced Encryption Standard (AES) ver. October 28, 2009 These slides were prepared by Daehyun Strobel, Christof Paar and Jan Pelzl

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Some legal stuff (sorry): Terms of Use The slides can used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl. The title of the accompanying book “Understanding Cryptography” by Springer and the author’s names must remain on each slide. If the slides are modified, appropriate credits to the book authors and the book title must remain within the slides. It is not permitted to reproduce parts or all of the slides in printed form whatsoever without written consent by the authors. 2/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Content of this Chapter Overview of the AES algorithm Internal structure of AES Byte Substitution layer Diffusion layer Key Addition layer Key schedule Decryption Practical issues 3/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Content of this Chapter Overview of the AES algorithm Internal structure of AES Byte Substitution layer Diffusion layer Key Addition layer Key schedule Decryption Practical issues 4/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl  Some Basic Facts AES is the most widely used symmetric cipher today The algorithm for AES was chosen by the US National Institute of Standards and Technology (NIST) in a multi-year selection process The requirements for all AES candidate submissions were: Block cipher with 128-bit block size Three supported key lengths: 128, 192 and 256 bit Security relative to other submitted algorithms Efficiency in software and hardware 5/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl  Chronology of the AES Selection The need for a new block cipher announced by NIST in January, candidates algorithms accepted in August, finalists announced in August, 1999: Mars – IBM Corporation RC6 – RSA Laboratories Rijndael – J. Daemen & V. Rijmen Serpent – Eli Biham et al. Twofish – B. Schneier et al. In October 2000, Rijndael was chosen as the AES AES was formally approved as a US federal standard in November /28

 AES: Overview The number of rounds depends on the chosen key length: Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key length (bits)Number of rounds /28

 AES: Overview Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Iterated cipher with 10/12/14 rounds Each round consists of “Layers” 8/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Content of this Chapter Overview of the AES algorithm Internal structure of AES Byte Substitution layer Diffusion layer Key Addition layer Key schedule Decryption Practical issues 9/28

 Internal Structure of AES AES is a byte-oriented cipher The state A (i.e., the 128-bit data path) can be arranged in a 4x4 matrix: with A 0,…, A 15 denoting the 16-byte input of AES Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl A0A0 A4A4 A8A8 A 12 A1A1 A5A5 A9A9 A 13 A2A2 A6A6 A 10 A 14 A3A3 A7A7 A 11 A 15 10/28

 Internal Structure of AES Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Round function for rounds 1,2,…,n r-1 : Note: In the last round, the MixColumn tansformation is omitted 11/28

 Byte Substitution Layer The Byte Substitution layer consists of 16 S-Boxes with the following properties: The S-Boxes are identical the only nonlinear elements of AES, i.e., ByteSub(A i ) + ByteSub(A j ) ≠ ByteSub(A i + A j ), for i,j = 0,…,15 bijective, i.e., there exists a one-to-one mapping of input and output bytes  S-Box can be uniquely reversed In software implementations, the S-Box is usually realized as a lookup table Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 12/28

 Diffusion Layer The Diffusion layer provides diffusion over all input state bits consists of two sublayers: ShiftRows Sublayer: Permutation of the data on a byte level MixColumn Sublayer: Matrix operation which combines (“mixes”) blocks of four bytes performs a linear operation on state matrices A, B, i.e., DIFF(A) + DIFF(B) = DIFF(A + B) Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 13/28

 ShiftRows Sublayer Rows of the state matrix are shifted cyclically: Input matrix Output matrix Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl B0B0 B4B4 B8B8 B 12 B1B1 B5B5 B9B9 B 13 B2B2 B6B6 B 10 B 14 B3B3 B7B7 B 11 B 15 B0B0 B4B4 B8B8 B 12 B5B5 B9B9 B 13 B1B1 B 10 B 14 B2B2 B6B6 B 15 B3B3 B7B7 B 11 no shift ← one position left shift ← two positions left shift ← three positions left shift 14/28

 MixColumn Sublayer Linear transformation which mixes each column of the state matrix Each 4-byte column is considered as a vector and multiplied by a fixed 4x4 matrix, e.g., where 01, 02 and 03 are given in hexadecimal notation All arithmetic is done in the Galois field GF(2 8 ) (for more information see Chapter 4.3 in Understanding Cryptography) Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 15/28

 Key Addition Layer Inputs: 16-byte state matrix C 16-byte subkey k i Output: C  k i The subkeys are generated in the key schedule Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 16/28

 Key Schedule Subkeys are derived recursively from the original 128/192/256-bit input key Each round has 1 subkey, plus 1 subkey at the beginning of AES Key whitening: Subkey is used both at the input and output of AES  # subkeys = # rounds + 1 There are different key schedules for the different key sizes Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key length (bits)Number of subkeys /28

 Key Schedule Example: Key schedule for 128-bit key AES Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Word-oriented: 1 word = 32 bits 11 subkeys are stored in W[0]…W[3], W[4]…W[7], …, W[40]…W[43] First subkey W[0]…W[3] is the original AES key 18/28

 Key Schedule Function g rotates its four input bytes and performs a bytewise S-Box substitution  nonlinearity The round coefficient RC is only added to the leftmost byte and varies from round to round: RC[1] = x 0 = ( ) 2 RC[2] = x 1 = ( ) 2 RC[3] = x 2 = ( ) 2... RC[10] = x 9 = ( ) 2 x i represents an element in a Galois field (again, cf. Chapter 4.3 of Understanding Cryptography) Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 19/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Content of this Chapter Overview of the AES algorithm Internal structure of AES Byte Substitution layer Diffusion layer Key Addition layer Key schedule Decryption Practical issues 20/28

 Decryption AES is not based on a Feistel network  All layers must be inverted for decryption: MixColumn layer → Inv MixColumn layer ShiftRows layer→ Inv ShiftRows layer Byte Substitution layer → Inv Byte Substitution layer Key Addition layer is its own inverse Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 21/28

 Decryption Inv MixColumn layer: To reverse the MixColumn operation, each column of the state matrix C must be multiplied with the inverse of the 4x4 matrix, e.g., where 09, 0B, 0D and 0E are given in hexadecimal notation Again, all arithmetic is done in the Galois field GF(2 8 ) (for more information see Chapter 4.3 in Understanding Cryptography) Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 22/28

 Decryption Inv ShiftRows layer: All rows of the state matrix B are shifted to the opposite direction: Input matrix Output matrix Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl B0B0 B4B4 B8B8 B 12 B1B1 B5B5 B9B9 B 13 B2B2 B6B6 B 10 B 14 B3B3 B7B7 B 11 B 15 B0B0 B4B4 B8B8 B 12 B 13 B1B1 B5B5 B9B9 B 10 B 14 B2B2 B6B6 B7B7 B 11 B 15 B3B3 no shift → one position right shift → two positions right shift → three positions right shift 23/28

 Decryption Inv Byte Substitution layer: Since the S-Box is bijective, it is possible to construct an inverse, such that A i = S -1 (B i ) = S -1 (S(A i ))  The inverse S-Box is used for decryption. It is usually realized as a lookup table Decryption key schedule: Subkeys are needed in reversed order (compared to encryption) In practice, for encryption and decryption, the same key schedule is used. This requires that all subkeys must be computed before the encryption of the first block can begin Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 24/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Content of this Chapter Overview of the AES algorithm Internal structure of AES Byte Substitution layer Diffusion layer Key Addition layer Key schedule Decryption Practical issues 25/28

 Implementation in Software One requirement of AES was the possibility of an efficient software implementation Straightforward implementation is well suited for 8-bit processors (e.g., smart cards), but inefficient on 32-bit or 64-bit processors A more sophisticated approach: Merge all round functions (except the key addition) into one table look-up This results in four tables with 256 entries, where each entry is 32 bits wide One round can be computed with 16 table look-ups Typical SW speeds are more than 1.6 Gbit/s on modern 64-bit processors Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 26/28

 Security Brute-force attack: Due to the key length of 128, 192 or 256 bits, a brute-force attack is not possible Analytical attacks: There is no analytical attack known that is better than brute-force Side-channel attacks: Several side-channel attacks have been published Note that side-channel attacks do not attack the underlying algorithm but the implementation of it Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 27/28

Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl  Lessons Learned AES is a modern block cipher which supports three key lengths of 128, 192 and 256 bit. It provides excellent long-term security against brute-force attacks. AES has been studied intensively since the late 1990s and no attacks have been found that are better than brute-force. AES is not based on Feistel networks. Its basic operations use Galois field arithmetic and provide strong diffusion and confusion. AES is part of numerous open standards such as IPsec or TLS, in addition to being the mandatory encryption algorithm for US government applications. It seems likely that the cipher will be the dominant encryption algorithm for many years to come. AES is efficient in software and hardware. 28/28

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.