Presentation is loading. Please wait.

Presentation is loading. Please wait.

AES Advanced Encryption Standard

Published byDavid Pugh Modified over 10 years ago

Similar presentations

Presentation on theme: "AES Advanced Encryption Standard"— Presentation transcript:

1 AES Advanced Encryption Standard

2 Advanced Encryption Standard
Adopted by National Institute of Standards and Technology (NIST) on May 26, 2002. AES is a simple design, a high speed algorithm, with low memory costs. AES is a symmetric block cipher. The same key is used to encrypt and decrypt the message. The plain text and the cipher text are the same size.

3 AES Block AES has a fixed block size of 128 bits called a state
ABCDEFGHIJKLMNOP A E I M D B F J N A 4E C G K O B 4F D H L P C 50 (ASCII)

4 AES Key AES key is either 128 bits, 192 bits or 256 bits 11 22 33 44
128 bits (4 words): AA BB CC DD EE FF 99 00 AA BB CC DD EE FF

5 AES Key or 192 bits (6 words) 1122334455667788 9900AABBCCDDEEFF
99 00 AA BB CC DD EE FF or 256 bits (8 words) 9900AABBCCDDEEFF 99 00 AA BB CC DD EE FF

6 Comparisons

7 Security The key security feature is the size of the key.
Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old. Accepting Moore's Law, doubling processor speed every 18 months, AES will be secure for another years.

8 b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0
AES Operations AES Operates on the binary field GF(28). This can be represented as a polynomial b(x) with binary coefficients b  {0,1}: b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0 Multiplication in GF(28) consists of multiplying two polynomials modulo an irreducible polynomial of degree 8. AES uses the following irreducible polynomial m(x) = x8 + x4 + x3 + x + 1

9 AES Algorithm

10 AES Algorithm

11 AES Algorithm Key Expansion
Sample Key: AABBCCDDEEFF The first 4 (Nk) words are set equal to the key w[0] w[1] w[2] AA BB w[3] CC DD EE FF

12 AES Algorithm Key Expansion
For words 4 through 43 i = Nk // Nk = 4 while (i < Nb*(Nr+1)) { // Nb*(Nr+1)= 4*(10+1)= 44 temp = w[ i – 1 ] If ( i%Nk == 0 ) rotate word left 1 byte process each byte through sbox XOR with RCON[i/Nk-1] // just first byte of w[i] w[ i ] = w[ i-4 ] XOR temp i++}

13 AES Algorithm Key Expansion
w[0] w[1] w[2] AA BB w[3] CC DD EE FF i = Nk // Nk = 4 while (i < Nb*(Nr+1)) { // Nb*(Nr+1)= 4*(10+1)= 44 temp = w[ i - 1 ] i = 4 temp = w[3] = CC DD EE FF

14 AES Algorithm Key Expansion
If ( i%Nk == 0 ) rotate word left 1 byte process each byte through sbox XOR with RCON[i/Nk-1] temp = CC DD EE FF temp = DD EE FF CC temp = sbox[DD] sbox[EE] sbox[FF] sbox[CC] = C B RCON[0] = 01 temp = (C ) B temp = C B

15 rCon – round Constants rCon can be implemented with a look-up-table
2i in GF(28) Removes symmetry and linearity from key expansion.

16 AES Algorithm Key Expansion
For words 4 through 43 i = Nk // Nk = 4 while (i < Nb*(Nr+1)) {// Nb*(Nr+1)= 4*(10+1)= 44 temp = W[i-1] If (i%Nk == 0) rotate word left 1 byte process each byte through sbox XOR with RCON[i] // just first element of w w[i] = w[i-4] XOR temp i++} i = 4 temp = C B w[i] = w[i-4] XOR temp

17 AES Algorithm Key Expansion
w[0] w[1] w[2] AA BB w[3] CC DD EE FF w[4] D1 0A F i = temp = C B w[i] = w[i-4] XOR temp w[4] = (11 C0) ( ) ( ) ( B) w[4] = D A F

18 AES Algorithm Key Expansion
For words 4 through 43 i = Nk // Nk = i = 5 while (i < Nb*(Nr+1)) { // Nb*(Nr+1)= 4*(10+1)= 44 temp = w[i-1] If (i%Nk == 0) rotate word left 1 byte process each byte through sbox XOR with RCON[i/Nk-1] // just first element of W w[i] = w[i-4] XOR temp i++} temp = w[4] = D A F

19 AES Algorithm Key Expansion
w[0] w[1] w[2] AA BB w[3] CC DD EE FF w[4] D A F i = temp = D A F w[i] = w[i-4] XOR temp w[5] = (55 D1) (66 0A) ( ) ( F) w[5] = C

20

21 AES Algorithm

22 AES Algorithm

23 AES Algorithm AddRoundKey
Expanded Key w[0]  w[4] State After AddRoundKey

24 AES Algorithm

25 AES Algorithm SubBytes
SubBytes is the SBOX for AES This make AES a non-linear cryptographic system. For every value of b there is a unique value for b’ It is faster to use a substitution table (and easier). = + x is the inverse value of the byte b

26 AES Algorithm SubBytes

27 AES Algorithm SubBytes
State

28 AES Algorithm

29 AES Algorithm ShiftRows
Simple routine which performs a left shift rows 1, 2 and 3 by 1, 2 and 3 bytes respectively Before Shift Rows After Shift Rows

30 AES Algorithm

31 AES Algorithm - MixColumns
This with shift rows provides diffusion The columns are considered polynomials over GF(28) and multiplied modulo x4+1 with a(x) where a(x) = {03}x3 + {01}x2 + {01}x + {02} NOTE: x4+1 is relatively prime to a(x) a’j  (aj*a(x))mod(x4+1) This can also be written as matrix multiplication. a’0 a’1 a’2 a’3 02 03 01 a0 a1 a2 a3 =

32 AES Algorithm - MixColumns
02 03 01 a0 a1 a2 a3 a’0 = 2a0  3a1  a2  a3 a’1 = a0  2a1  3a2  a3 a’2 = a0  a1  2a2  3a3 a’3 = 3a0  a1  a2  2a3 a’0 = 2a0 + 3a1 + a2 + a3 a’1 = a0 + 2a1 + 3a2 + a3 a’2 = a0 + a1 + 2a2 + 3a3 a’3 = 3a0 + a1 + a2 + 2a3 = Addition is easy in GF(28) : Addition is just the XOR operation Multiplication by 1 is easy in GF(28) : Multiplication by one is the identity Multiplication by 2 in GF(28) takes some work: If multiplying by a value < 0x80 just shift all the bits left by If multiplying by a value ≥ 0x80 shift left by 1 and XOR with 0x1b This prevents overflow and keeps the values within range To Multiply by 3 in GF(28) : a * 0x03 = a * (0x02 + 0x01) = (a * 0x02)  (a * 0x01)

33 AES Algorithm KeyExpansion(byte key[4*Nk], word w[Nb* ( Nr+1) ],Nk)
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb - 1]) for round = 1 step 1 to Nr 1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state, w[round*Nb, round+1)*Nb end for AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb out = state end

34 Sample Conversions

35 AES Algorithm Encryption Decryption PlainText Cipher Text RoundKey
AddRoundKey 1st Round RoundKey* AddRoundKey 1st Round SubBytes InvShiftRows ShiftRows Repeat Nr -1 Round InvSubBytes Repeat Nr -1 Round MixColumns RoundKey* AddRoundKey RoundKey AddRoundKey InvMixColumns SubBytes InvShiftRows Last Round Last Round ShiftRows InvSubBytes RoundKey AddRoundKey RoundKey* AddRoundKey CipherText Plain Text * RoundKey Added in reverse order

36 Larger Plain Texts How to avoid frequency analysis?
Cipher Block Chaining

37 Padding If plaintext messages are not divisible by 16 bytes. Padding may be a solution. An easy method is to add a single 1 bit at the end of the message followed by enough 0’s to fill the block. If the block is filled, encode one more block with a 1 followed by 0’s.

38 Attacks on AES Differential Cryptanalysis – Study of how differences in input affect differences in output. Greatly reduced due to high number of rounds. Linear Cryptanalysis – Study of correlations between input and output. SBOX & Mix Columns are designed to frustrate Linear Analysis

39 Attacks on AES Side Channel Attacks – Attacks based on studying and measuring the actual implementation of the code. For some implementations of AES the key has been obtained in under 100 minutes. Computer running AES was 850MHz, Pentium III running FreeBSD 4.8

40 Types of Side Channel Attacks
Timing Attacks – Watches movement of data in and out of the CPU or memory. It is difficult to retrieve an array element in a time that is not dependent on the index value. Power Attacks – Watches power consumption by CPU or memory. Changing one bit requires considerably less power than changing all bits in a byte.

41 Attack Precautions Avoid use of arrays. Compute values in SBOX and rCon. Design algorithms and devices to work with constant time intervals. (independent of key and plaintext.) Hidden CPU timing data is a threat. Use same memory throughout, Cache is faster than DRAM Compute Key Expansion on the fly. Utilize pipelining to stabilize CPU power consumption.

42 Joan Daemen & Vincent Rijmen’s AES Selling Points
Extremely fast compared to other block ciphers. (tradeoff between size and speed) The round transformation is parallel by design. Important in dedicated hardware. Amenable to pipelining The cipher does not use arithmetic operations so has no bias towards big or little endian architectures.

43 Joan Daemen & Vincent Rijmen’s AES Selling Points
Fully Self-supporting. Does not use Sboxes of other ciphers, bits from Rand tables, digits of  or any other such jokes. Is not based on obscure or not well understood processes The tight cipher design does not leave enough room to hide a trap door.

44 Joan Daemen & Vincent Rijmen’s AES Limitations
The inverse cipher is less suited to smart cards, as it takes more codes and cycles. The cipher and inverse cipher make use of different codes and/or tables. In hardware, The inverse cipher can only partially re-use circuitry which implements the cipher.

45 References About AES AES Proposal : Rijndael
Joan Daemen, Vincent Rijmen, 2nd version of document to NIST Polynomials in the Nations Service: Using Algebra to Design the Advanced Encryption Standard Susan Landau The Mathmatical Association of America, Monthly 111 Feb 2004 Page(s):89-117 Selecting the Advanced Encryption Standard Burr, W.E.; Security & Privacy Magazine, IEEE Volume 1, Issue 2, Mar-Apr 2003 Page(s): Title: Introduction to Cryptography Author: Johannes A Buchman Publisher: Springer; 2 edition (July 13, 2004)

46 References Security and Attacking AES
Power-analysis attack on an ASIC AES implementation Ors, S.B.; Gurkaynak, F.; Oswald, E.; Preneel, B.;Information Technology: Coding and Computing, Proceedings. ITCC International Conference onVolume 2, 2004 Page(s):  Vol.2 Algebraic attacks on cipher systems Penzhorn, W.T.; AFRICON, th AFRICON Conference in Africa Volume 2, 2004 Page(s): Vol.2 Cache-Timing attacks on AES Daniel J Bernstein Preliminary version of report to National Science Foundation, grant CCR

47 References Applications / Implementations: AES
A high throughput low cost AES processor Chih-Pin Su; Tsung-Fu Lin; Chih-Tsiun Huang; Cheng-Wen Wu; Communications Magazine, IEEE Volume 41, Issue 12, Dec Page(s): An efficient FPGA implementation of advanced encryption standard algorithm Shuenn-Shyang Wang; Wan-Sheng Ni; Circuits and Systems, ISCAS '04. Volume 2, 23-26 May 2004 Page(s):II Vol.2 High-speed VLSI architectures for the AES algorithm Xinmiao Zhang; Parhi, K.K.; Very Large Scale Integration (VLSI) Systems Volume 12, Issue 9, Sept Page(s):957 – 967 Fast implementation of AES cryptographic algorithms in smart cards Chi-Feng Lu; Yan-Shun Kao; Hsia-Ling Chiang; Chung-Huang Yang; Security Technology, 2003. 14-16 Oct Page(s):

48 References Applications / Implementations : AES
A new VLSI implementation of the AES algorithm Liang Deng; Hongyi Chen; Communications, Circuits and Systems and West Sino Expositions, IEEE 2002 International Conference on Volume 2, 29 June-1 July 2002 Page(s): vol.2

Download ppt "AES Advanced Encryption Standard"

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Lect. 8 : Advanced Encryption Standard

Lect. 8 : Advanced Encryption Standard
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Sukesh Jain – Media Informatics

Sukesh Jain – Media Informatics
Advanced Encryption Standard

Advanced Encryption Standard
Cryptography and Network Security

Cryptography and Network Security
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.

Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.
This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.

This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.
Encryption CS 465 January 9, 2006 Tim van der Horst.

Encryption CS 465 January 9, 2006 Tim van der Horst.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
RIJNDAEL Arta Doci University Of Colorado.

RIJNDAEL Arta Doci University Of Colorado.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.

Similar presentations

Ads by Google