Download presentation

Presentation is loading. Please wait.

Published byRodrigo Hansen Modified over 5 years ago

1
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown

2
"It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable. “ — Talking to Strange Men, Ruth Rendell

3
Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

4
Origins of AES DES problems have theoretical attacks that can break it have demonstrated exhaustive key search attacks DES solution Triple-DES – but slow with small blocks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001

5
AES Requirements private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years provide full specification & design details both C & Java implementations NIST have released all submissions & unclassified analyses

6
AES Evaluation Criteria initial criteria (Table 5.1): security – effort for practical cryptanalysis Brute-force for 128-bit key is impractical cost – computational efficiency algorithm & implementation characteristics final criteria: general security – public security analysis for 3 years software & hardware implementation ease Attacks on implementations Timing attacks, power analysis flexibility (in en/decrypt, keying, other factors)

7
AES Shortlist after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin then subject to further analysis & comment saw contrast between algorithms with few complex rounds verses many simple rounds which refined existing ciphers verses new proposals

8
Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

9
The AES Cipher - Rijndael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data

10
Rijndael an iterative rather than Feistel cipher Feistel cipher: half of the data block is used to modify the other half, then swap the halves Rijndael cipher: treats data in 4 groups of 4 bytes, operates an entire block in every round designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity

11
AES sub. perm.

12
AES preview has 9/11/13 full rounds: byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multipy of groups) add round key (XOR state with key material) initial XOR key material & incomplete last round all operations can be combined into XOR and table lookups - hence very fast & efficient

13
AES data structure 128-bit data block => 16 bytes input output Round 1 Round n a byte A column of 4 bytes(1 word) row state

14
Add Round Key XOR state with 128-bits of the round key inverse for decryption is identical since XOR is own inverse, just with correct round key

15
Add round key (cont.) processed by column (though effectively a series of byte operations) + 128-bit key Original keyExpanded key +

16
AES key expansion takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words start by copying key into first 4 words Expanded key: loop creating words that depend on values in previous & 4 places back in 3 of 4 cases just XOR these together every 4 th has S-box + rotate + XOR constant of previous before XOR together

17
AES key expansion (cont.) Original 128-bit key g: w 3 = 7F 8D 29 2F 1. Rotate word - 8D 29 2F 7F 2. Substitute byte (S-Box) - 5D A5 15 D2 3. XOR a round constant - 5C A5 15 D2

18
S-Box 8D 29 2F 7F=> 5D A5 15 D2

19
Round constant in g Round constant (RC) word 3 rightmost bytes are 0 Leftmost byte follows RC[j]=2 RC[j-1] over GF(2 8 ) 5D A5 15 D2 3. XOR a round constant 5C A5 15 D2 Round j 1 2 3 4 5 6 7 8 9 10 RC[j] 01 02 04 08 10 20 40 80 1B 36 22 22

20
Fast multiplication in GF(2 8 ) Textbook p. 133 Irreducible poly. for AES: m(x)=x 8 + x 4 + x 3 +x+1 {80} 2=? x7x7 x = x 8 which exceeds the range of GF(2 8 ) 0001 1011 = {1B}

21
Fast multiplication Example: x 4 + x 3 +x+1

22
Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

23
AES

24
Substitute bytes transformation One byte: 1001 0101 1001 0101

25
S-Box (the only one in AES)

26
Construction of S-box 1. Initialize S-box 2. Map each entry to its multiplicative inverse in GF(2 8 ) 3. Apply transformation formula 0 1 2 3 4 5 … E F 0 00 01 02 03 04 05 … 0E 0F 1 10 11 12 13 14 15 … 1E 1F … F F0 F1 F2 F3 F4 F5 … FE FF 0 1 2 3 4 5 … E F 0 00 01 … 1 … 9 … 8A … F …

27
Mathematics behind S-Box Modulo 2 arithmetic =7C

28
Mathematics behind S-Box Modulo 2 arithmetic Input bitsOutput bits To avoid Fixed point

29
Inverse transform Modulo 2 arithmetic Input bitsOutput bits

30
Rationale behind S-Box Low correlation between input bits and output bits (check linear approximation table) No fixed points: S-box(a)=a By the added constant 01100011 No opposite fixed points: S-box(a)=a a : the bitwise complement of a S-box is not self-inverse S-box(a) = Inv_S-box(a)

31
S-box design criterion (p.88) Strict avalanche criterion (SAC) Any output bit j of an S-box should change with probability ½ when any single input bit i is inverted for all i, j Bit independence criterion (BIC) Output bits j and k should change independently when any single input bit i is inverted, for all i, j, k Guaranteed avalanche (GA) For a 1-bit input change, at least r output bits change. (r=2 to 5 provides strong diffusion)

32
S-box design approaches Random: use pseudo-random number generator for each entry in the S-box Suitable for large S-box Random with testing: test results against various criteria Human-made: ex. DES Suitable for small S-box Math-made: ex. AES Key-dependent S-box: Blowfish (Chap. 6)

33
Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

34
Shift Rows 4 bytes of one column are spread out to 4 different columns Shift left 1 byte Shift left 2 bytes Shift left 3 bytes

35
Mix column transformation Input state Output state column

36
Mix Columns (cont.) each column is processed separately each byte is replaced by a value dependent on all 4 bytes in the column a matrix multiplication in GF(2 8 ) using prime poly m(x) =x 8 +x 4 +x 3 +x+1

37
Matrix computation in GF(2 8 ) Example: Only 1, 2, 3 * Only shift, conditional XOR, and XOR

38
Matrix computation in GF(2 8 ) Example: 00010101 10110010 01000110 10100110 01000111 ={47} +

39
For 8-bit processor (p.165) => 2 x => can be replaced by a table lookup

40
Implementation Aspects can efficiently implement on 8-bit CPU byte substitution works on bytes using a table of 256 entries shift rows is simple byte shifting add round key works on byte XORs mix columns requires matrix multiply in GF(2 8 ) which works on byte values, can be simplified to use a table lookup

42
Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

43
AES Decryption AES decryption is not identical to encryption since steps done in reverse

44
AES decryption Two separate software/hardware for both encryption and decryption Is it possible that the decryption algorithm has the same sequence of transformation (inverse transform) as the encryption algorithm?

45
Inverse shift rows and sub. bytes inverse

46
Inverse shift rows then Sub. bytes = Sub. bytes then Inverse shift rows According to the previous figure, both operations are on each bytes, and they are commute.

47
Add round key and inverse mix columns The order can be exchanged

48
AES Implementation by table look-up and XOR a ij : element of status matrix SubBytes b ij = S[a ij ] ShiftRows MixColumns AddRoundKey

49
Summary have considered: the AES selection process the details of Rijndael – the AES cipher the key expansion looked at the steps in each round implementation aspects

Similar presentations

© 2020 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google