# This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary.

## Presentation on theme: "This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary."— Presentation transcript:

This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary

Key Expansion Takes as input a Nb word key and produces a linear array of Nb * (Nr+1) words. Expanded key provide a Nb word round key for the initial AddRoundKey() stage and for each of the Nr rounds of the cipher. The key is first copied into the first Nb words, the remainder of the expanded key is filled Nb words at a time.

Key Expansion Pseudo Code 16 byte key KeyExpansion(byte key[16], word w[44]) { word temp; for (i = 0; i < 4; i++)w[i] = (key[4*i], key[4*i+1], key[4*i+3], key[4*i+3]); for (i = 4; i < 44; i++) } temp = w[i-1]; if ( i mod 4 = 0 ) temp = SubWord(RotWord(temp)) XOR Rcon[i/4]; w[i] = w[i-4] XOR temp; }

Key Expansion RotWord performs a one byte circular left shift on a word. For example: RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0] SubWord performs a byte substitution on each byte of input word using the S-box. SubWord(RotWord(temp)) is XORed with Rcon[j] – the round constant.

Key Expansion The round constant - Explained The round constant is a word in which the three rightmost bytes are zero. It is different for each round and defined as: Rcon[j] = (RC[j],0,0,0) where RC[1] = 1, RC[j] = 2 * RC[j-1] Multiplication is defined over GF(2^8). Values of RC[j] in hexadecimal are: j123456 Rc[j]010204081020

Key Expansion The round constant - Example Example of expansion of a 128-bit cipher key Cipher key = 2b7e151628aed2a6abf7158809cf4f3c w0=2b7e1516 w1=28aed2a6 w2=abf71588 w3=09cf4f3c itempRotWordSubWordRcon[i/4]XORw[i-4]result 409cf4f3ccf4f3c098a84eb01010000008b84eb012b7e1516a0fafe17 5A0fafe1728aed2a688542cb1 6 Abf7158823a33939 7 09cf4f3c2a6c7605

Key Expansion Rationale Criteria used for key expansion algorithm’s design: Simple description. Non-linearity – prohibits the full determination of round key differences from cipher key differences. Diffusion – each cipher key bit affects many round key bits. Round constant – eliminates symmetry or similarity between the way round keys are generated. Knowledge of less than Nk consecutive of either cipher or round key makes it difficult to reconstruct the remaining unknown bits.

Equivalent Inverse Cipher The Rijndael decryption cipher is not identical to the encryption cipher. Disadvantage – Two separate software or hardware modules are required if performing both encryption and decryption. There is an equivalent version of the decryption algorithm that has the same structure ( the same sequence of transformations) as the encryption algorithm.

InvCipher, Scheme

Equivalent Inverse Cipher The original sequence is : Encryption: SubBytes ShiftRows MixColumns AddRoundKey Decryption: InvShiftRows InvSubBytes AddRoundKey InvMixColumns Thus InvShiftRows needs to be interchanged with InvSubBytes and AddRoundKey with InvMixColumns.

Equivalent Inverse Cipher InvShiftRows – Affects sequence of bytes but does not alter byte content and does not depend on the byte content to perform transformation. InvSubBytes – Affects content of bytes but does not alter byte sequence and does not depend on the byte sequence to perform transformation. Thus InvShiftRows and InvSubBytes can be interchanged. For given state S, InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))

Equivalent Inverse Cipher If key is viewed as sequence of words then both AddRoundKey and InvMixColumns operate on state one column at a time. These operations are linear with respect to the column input: State – S and key - w InvMixColumns (S XOR w) = [ InvMixColumns (S)] XOR [ InvMixColumns (w)]

Equivalent Inverse Cipher 0E0B0D09 0E0B0D 090E0B 0D090E y0 XOR k0 y1 XOR k1 y2 XOR k2 y3 XOR k3 0E0B0D09 0E0B0D 090E0B 0D090E 0B0D09 0E0B0D 090E0B 0D090E y0 y1 y2 y3 y0 y1 y2 y3 Thus InvMixColumns and AddRoundKey can be interchanged.

Rijndael performance summary As evaluated by the National Institute for Standards and Technology General Security: Rijndael has no known security attacks and has an adequate security margin. Received some criticism suggesting it’s simple mathematical structure may lead to attacks. On the other hand the simple structure may have facilitated the security analysis.

Rijndael performance summary As evaluated by the National Institute for Standards and Technology Software Implementation: Performs encryption and decryption very well across a variety of platforms (including 8 bit, 32 bit and 64 bit processors). There is a decrease in performance with higher key sizes because of the increased number of rounds. High parallelism facilitates the efficient use of processor resources. Very well suited for restricted space environments (small amounts of RAM and/or ROM) where either encryption or decryption is performed (but not both).

Rijndael performance summary As evaluated by the National Institute for Standards and Technology Hardware Implementation: Has the highest throughput for feedback mode and second highest for non feedback mode. Efficiency is generally very good. Attacks on Implementation: Timing Attacks – attacks on operations that execute in different amounts of time. General defense is to make encryption and decryption run in the same amount of time.

Rijndael performance summary As evaluated by the National Institute for Standards and Technology Attacks on Implementation continued: Power Attacks – attacks on operations that use different amounts of power. General defense is to process the data and it’s complement (nearly) simultaneously. The boolean operations, table lookups and fixed shift rotations are the easiest operations to defend against those attacks. The use of masking (executing the same operation twice to mask power consumption) does not cause significant performance degradation.

Rijndael performance summary As evaluated by the National Institute for Standards and Technology Key Agility: Defined as the ability to change keys quickly and with a minimum or resources. Provides on the fly subkey computation (computation of the specific subkey needed for a particular round just prior to use in the round). First decryption subkey cannot be generated directly from the original key and there is a need to scale through all the subkeys. This places a slight resource burden on key agility.

Rijndael performance summary As evaluated by the National Institute for Standards and Technology Encryption vs. Decryption: Speed does not vary significantly between encryption and decryption, although key setup performance is slower decryption.

Download ppt "This Lecture: AES Key Expansion Equivalent Inverse Cipher Rijndael performance summary."

Similar presentations