Download presentation

Presentation is loading. Please wait.

1
1 The AES block cipher Niels Ferguson

2
2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition. US government standard. Also known as Rijndael.

3
3 Bias warning I’m one of the designers of the Twofish block cipher. Twofish was one of the other AES submissions. AES (then called Rijndael) won. I’ve spent several month trying to break AES.

4
4 Block cipher AES Plaintext (128 bits) Ciphertext (128 bits) Key (128-256 bits)

5
5 Multiple rounds Plaintext Ciphertext Key schedule

6
6 AES multiple rounds 10-14 simple rounds. Each round is a weak block cipher. Rounds are (almost) identical. Simple key schedule.

7
7 AES single round Add key S-box Shift row Mix column

8
8 128-bit values Represented as 4 by 4 matrix of 8-bit bytes.

9
9 Add key operation Xor of corresponding byteskey

10
10 S-box S 8-bit lookup table 16 lookups in parallel S

11
11 Shift row Reordering of the bytes within each row. Rotate rows by 0-3 byte positions.

12
12 Mix column Interpret each column as a vector of length 4. Multiply by 4 4 matrix over GF(2 8 ). Matrix is an MDS matrix.

13
13 Single round S Round key

14
14 Last round S Round key

15
15 S-box Inversion in GF(2 8 ) Bitwise linear transformation Xor with a constant

16
16 MDS matrix Maximum Distance Separable. Byte-Hamming weight of input + output is at least 5. Input weightOutput weight 1 4 2>= 3 3>= 2 4>= 1

17
17 Decryption Every operation is invertible. Order of operations can be the same as for encryption.

18
18 Changing the order S Round key S

19
19 Decryption differences Inverse S-box. Inverse of MDS matrix. Modified round keys, or modified operation order. Requires extra hardware.

20
20 Key schedule (128 bits) S r

21
21 Key schedule (256 bits) S r S

22
22 Key schedule Cannot directly generate round keys in reverse order. Decryption must either store all round keys, or pre-compute the ‘final’ state and work backwards from that. Requires extra time from getting key to start of first decryption.

23
23 Speed About 16 clock cycles/byte on modern 32- bit CPUs. That’s 200 MByte/s on a 3.2 GHz P4!

24
24 Uses Almost never used as-is: most messages are not exactly 128 bits long. Used with a block cipher mode to encrypt and/or authenticate messages.

25
25 Security properties For any given key, a block cipher is a permutation (must be able to decrypt). Should behave like a random permutation: no detectable structure. Different keys result in “independent random permutations.”

26
26 Best known attacks No known attacks on full AES. Best attack on 7 9 rounds (out of 10 14 rounds). Clean design leaves algebraic structures: no attacks, but some worries.

Similar presentations

© 2020 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google