Presentation is loading. Please wait.

Presentation is loading. Please wait.

This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary."— Presentation transcript:

1 This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary

2 Key Expansion Takes as input a Nb word key and produces a linear array of Nb * (Nr+1) words. Expanded key provide a Nb word round key for the initial AddRoundKey() stage and for each of the Nr rounds of the cipher. The key is first copied into the first Nb words, the remainder of the expanded key is filled Nb words at a time.

3 Key Expansion Pseudo Code 16 byte key KeyExpansion(byte key[16], word w[44]) { word temp; for (i = 0; i < 4; i++)w[i] = (key[4*i], key[4*i+1], key[4*i+3], key[4*i+3]); for (i = 4; i < 44; i++) } temp = w[i-1]; if ( i mod 4 = 0 ) temp = SubWord(RotWord(temp)) XOR Rcon[i/4]; w[i] = w[i-4] XOR temp; }

4 Key Expansion RotWord performs a one byte circular left shift on a word. For example: RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0] SubWord performs a byte substitution on each byte of input word using the S-box. SubWord(RotWord(temp)) is XORed with Rcon[j] – the round constant.

5 Key Expansion The round constant - Explained The round constant is a word in which the three rightmost bytes are zero. It is different for each round and defined as: Rcon[j] = (RC[j],0,0,0) where RC[1] = 1, RC[j] = 2 * RC[j-1] Multiplication is defined over GF(2^8). Values of RC[j] in hexadecimal are: j123456 Rc[j]010204081020

6 Key Expansion The round constant - Example Example of expansion of a 128-bit cipher key Cipher key = 2b7e151628aed2a6abf7158809cf4f3c w0=2b7e1516 w1=28aed2a6 w2=abf71588 w3=09cf4f3c itempRotWordSubWordRcon[i/4]XORw[i-4]result 409cf4f3ccf4f3c098a84eb01010000008b84eb012b7e1516a0fafe17 5A0fafe1728aed2a688542cb1 6 Abf7158823a33939 7 09cf4f3c2a6c7605

7 Key Expansion Rationale Criteria used for key expansion algorithm’s design: Simple description. Non-linearity – prohibits the full determination of round key differences from cipher key differences. Diffusion – each cipher key bit affects many round key bits. Round constant – eliminates symmetry or similarity between the way round keys are generated. Knowledge of less than Nk consecutive of either cipher or round key makes it difficult to reconstruct the remaining unknown bits.

8 Equivalent Inverse Cipher The Rijndael decryption cipher is not identical to the encryption cipher. Disadvantage – Two separate software or hardware modules are required if performing both encryption and decryption. There is an equivalent version of the decryption algorithm that has the same structure ( the same sequence of transformations) as the encryption algorithm.

9 InvCipher, Scheme

10 Equivalent Inverse Cipher The original sequence is : Encryption: SubBytes ShiftRows MixColumns AddRoundKey Decryption: InvShiftRows InvSubBytes AddRoundKey InvMixColumns Thus InvShiftRows needs to be interchanged with InvSubBytes and AddRoundKey with InvMixColumns.

11 Equivalent Inverse Cipher InvShiftRows – Affects sequence of bytes but does not alter byte content and does not depend on the byte content to perform transformation. InvSubBytes – Affects content of bytes but does not alter byte sequence and does not depend on the byte sequence to perform transformation. Thus InvShiftRows and InvSubBytes can be interchanged. For given state S, InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))

12 Equivalent Inverse Cipher If key is viewed as sequence of words then both AddRoundKey and InvMixColumns operate on state one column at a time. These operations are linear with respect to the column input: State – S and key - w InvMixColumns (S XOR w) = [ InvMixColumns (S)] XOR [ InvMixColumns (w)]

13 Equivalent Inverse Cipher 0E0B0D09 0E0B0D 090E0B 0D090E y0 XOR k0 y1 XOR k1 y2 XOR k2 y3 XOR k3 0E0B0D09 0E0B0D 090E0B 0D090E 0B0D09 0E0B0D 090E0B 0D090E y0 y1 y2 y3 y0 y1 y2 y3 Thus InvMixColumns and AddRoundKey can be interchanged.

14 Rijndael performance summary As evaluated by the National Institute for Standards and Technology General Security: Rijndael has no known security attacks and has an adequate security margin. Received some criticism suggesting it’s simple mathematical structure may lead to attacks. On the other hand the simple structure may have facilitated the security analysis.

15 Rijndael performance summary As evaluated by the National Institute for Standards and Technology Software Implementation: Performs encryption and decryption very well across a variety of platforms (including 8 bit, 32 bit and 64 bit processors). There is a decrease in performance with higher key sizes because of the increased number of rounds. High parallelism facilitates the efficient use of processor resources. Very well suited for restricted space environments (small amounts of RAM and/or ROM) where either encryption or decryption is performed (but not both).

16 Rijndael performance summary As evaluated by the National Institute for Standards and Technology Hardware Implementation: Has the highest throughput for feedback mode and second highest for non feedback mode. Efficiency is generally very good. Attacks on Implementation: Timing Attacks – attacks on operations that execute in different amounts of time. General defense is to make encryption and decryption run in the same amount of time.

17 Rijndael performance summary As evaluated by the National Institute for Standards and Technology Attacks on Implementation continued: Power Attacks – attacks on operations that use different amounts of power. General defense is to process the data and it’s complement (nearly) simultaneously. The boolean operations, table lookups and fixed shift rotations are the easiest operations to defend against those attacks. The use of masking (executing the same operation twice to mask power consumption) does not cause significant performance degradation.

18 Rijndael performance summary As evaluated by the National Institute for Standards and Technology Key Agility: Defined as the ability to change keys quickly and with a minimum or resources. Provides on the fly subkey computation (computation of the specific subkey needed for a particular round just prior to use in the round). First decryption subkey cannot be generated directly from the original key and there is a need to scale through all the subkeys. This places a slight resource burden on key agility.

19 Rijndael performance summary As evaluated by the National Institute for Standards and Technology Encryption vs. Decryption: Speed does not vary significantly between encryption and decryption, although key setup performance is slower decryption.

Download ppt "This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary."

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Advanced Encryption Standard

Advanced Encryption Standard
Cryptography and Network Security

Cryptography and Network Security
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.

Algorithm Scheme. AddRoundKey Each round uses four different words from the expanded key array. Each column in the state matrix is XORed with a different.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
1 AES Proposal : Rijndael Joan Daeman Vincent Rijmen.

1 AES Proposal : Rijndael Joan Daeman Vincent Rijmen.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
RIJNDAEL Arta Doci University Of Colorado.

RIJNDAEL Arta Doci University Of Colorado.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 89321032 游精允.

The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.

ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption

Similar presentations

Ads by Google