1 a clear a replacement for des was needed have theoretical attacks that can break it have...
Post on 22-Dec-2015
218 Views
Preview:
TRANSCRIPT
11
A A clear a replacement for DES was neededclear a replacement for DES was needed have theoretical attacks that can break ithave theoretical attacks that can break it have demonstrated exhaustive key search attackshave demonstrated exhaustive key search attacks
US NIST issued call for ciphers in 1997US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000Rijndael was selected as the AES in Oct-2000 issued as FIPS (issued as FIPS (Federal Information ProcessiFederal Information Processi
ng Standard)ng Standard) PUB 197 standard on 26 Nov- PUB 197 standard on 26 Nov-2001 2001
Chapter 5 –Chapter 5 –Advanced Encryption Advanced Encryption Standard (AES)Standard (AES)
22
AES RequirementsAES Requirements
private key symmetric block cipher private key symmetric block cipher 128-bit data, 128/192/256-bit keys 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES stronger & faster than Triple-DES active life of 20-30 years (+ archival use) active life of 20-30 years (+ archival use) provide full specification & design details provide full specification & design details both C & Java implementationsboth C & Java implementations NIST have released all submissions & NIST have released all submissions &
unclassified analysesunclassified analyses
33
AES Evaluation CriteriaAES Evaluation Criteria
initial criteria:initial criteria: security – effort for practical cryptanalysissecurity – effort for practical cryptanalysis cost – in terms of computational efficiencycost – in terms of computational efficiency algorithm & implementation characteristicsalgorithm & implementation characteristics
final criteriafinal criteria general securitygeneral security ease of software & hardware implementationease of software & hardware implementation implementation attacksimplementation attacks flexibility (in en/decrypt, keying, other factors)flexibility (in en/decrypt, keying, other factors)
44
AES ShortlistAES Shortlist
after testing and evaluation, shortlist in Aug-99: after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin Twofish (USA) - complex, v. fast, high security margin
then subject to further analysis & commentthen subject to further analysis & comment saw contrast between algorithms with saw contrast between algorithms with
few complex rounds verses many simple rounds few complex rounds verses many simple rounds which refined existing ciphers verses new proposalswhich refined existing ciphers verses new proposals
55
The Rijndael Cipher AlThe Rijndael Cipher Algorithmgorithm
66
•designed by Rijmen-Daemen in Belgium designed by Rijmen-Daemen in Belgium •has 128/192/256 bit keys, 128 bit data has 128/192/256 bit keys, 128 bit data
•an an iterativeiterative rather than rather than feistelfeistel cipher cipherprocesses processes data as block of 4 columns data as block of 4 columns of 4 bytesof 4 bytesoperates on entire data block in every operates on entire data block in every roundround
•designed to be:designed to be:resistant against known attacksresistant against known attacksspeed and code compactness on speed and code compactness on many CPUsmany CPUsdesign simplicitydesign simplicity
77
RijndaelRijndael data block of data block of 4 columns of 4 bytes is state4 columns of 4 bytes is state key is expanded to array of wordskey is expanded to array of words has 9/11/13 rounds in which state undergoes: has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte) byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multipy of groups) mix columns (subs using matrix multipy of groups) add round key (XOR state with key material)add round key (XOR state with key material) view as alternating XOR key & scramble data bytesview as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last roundinitial XOR key material & incomplete last round with fast XOR & table lookup implementationwith fast XOR & table lookup implementation
88
Mathematical preliminariesMathematical preliminaries
The field GF(2The field GF(288)) Example: (57)Example: (57)1616xx66+x+x44+x+x22+x+1+x+1 AdditionAddition MultiplicationMultiplication Multiplication by xMultiplication by x
Polynomials with coefficients in GF(2Polynomials with coefficients in GF(288)) Multiplication by xMultiplication by x
99
AdditionAddition
Sum of two elements: the sum of Sum of two elements: the sum of coefficients with modulus 2coefficients with modulus 2
Example: ’57’+’83’=‘D4’Example: ’57’+’83’=‘D4’ (x(x66+x+x44+x+x22+x+1)+(x+x+1)+(x77+x+1)=x+x+1)=x77+x+x66+x+x44+x+x22
1010
MultiplicationMultiplication
Multiplication in GF(2Multiplication in GF(288): multiplication of ): multiplication of polynomials modulo xpolynomials modulo x88+x+x44+x+x33+x+1 or (11B)+x+1 or (11B)16 16 ..
Example: ’57’Example: ’57’’83’=‘C1’’83’=‘C1’ (x(x66+x+x44+x+x22+x+1) +x+1) (x(x77+x+1) = +x+1) =
xx1313+x+x1111+x+x99+x+x88+x+x66+x+x55+x+x44+x+x33+1+1 xx1313+x+x1111+x+x99+x+x88+x+x66+x+x55+x+x44+x+x33+1 modulo x+1 modulo x88+x+x44+x+x33+x+1 = +x+1 =
xx77+x+x66+1+1
1111
Some PropertiesSome Properties
Multiplication is associative with a neutral element ‘Multiplication is associative with a neutral element ‘0101’. ’.
Inverse: bInverse: b-1-1(x)=a(x) mod m(x) with a(x)(x)=a(x) mod m(x) with a(x)b(x) mod m(x)= 1 b(x) mod m(x)= 1
a(x)a(x)(b(x)+c(x))=a(x)(b(x)+c(x))=a(x)b(x)+a(x)b(x)+a(x)c(x).c(x).
The set of 256 possible byte values, with addition and the The set of 256 possible byte values, with addition and the
multiplication defined as above has the structure of the multiplication defined as above has the structure of the
finite field GF(2finite field GF(288).).
1212
Multiplication by xMultiplication by x
Multiply b(x) with the polynomial x: bMultiply b(x) with the polynomial x: b77xx88+b+b66xx77+b+b55xx66+b+b44xx55+b+b33xx44+b+b22xx33+b+b11xx22+b+b00xx
If b7=0, the reduction is identity operation; if b7=If b7=0, the reduction is identity operation; if b7=1, m(x) must be subtracted (i.e. EXORed).1, m(x) must be subtracted (i.e. EXORed).
That is, multiplication by x (‘02’) can be implemeThat is, multiplication by x (‘02’) can be implemented by a left shift and a conditional EXOR with’1nted by a left shift and a conditional EXOR with’1B’. B’.
1313
ExampleExample
‘‘57’ 57’ ‘13’ =‘FE’ ‘13’ =‘FE’
‘‘57’ 57’ ’02’=xtime(57)=‘AE’’02’=xtime(57)=‘AE’
‘‘57’ 57’ ’04’=xtime(AE)=‘47’’04’=xtime(AE)=‘47’
‘‘57’ 57’ ’08’=xtime(47)=‘8E’ ’08’=xtime(47)=‘8E’
‘‘57’ 57’ ’10’=xtime(8E)=‘07’’10’=xtime(8E)=‘07’
‘ ‘57’ 57’ ‘13’ =‘57’ ‘13’ =‘57’(‘01’(‘01’’02’’02’’10’) = ’10’) = ‘5‘57’7’’AE’’AE’’07’=‘FE’’07’=‘FE’
1414
Polynomials with coefficients Polynomials with coefficients in GF(2in GF(288))
Two polynomials over GF(2Two polynomials over GF(288):):a(x)=aa(x)=a33xx33+a+a22xx22+a+a11x+ax+a00
b(x)=bb(x)=b33xx33+b+b22xx22+b+b11x+bx+b00
Their product c(x)=cTheir product c(x)=c66xx66+c+c55xx55+c+c44xx44+c+c33xx33+c+c22xx22+c+c11x+cx+c00
cc00=a=a00 b b00
cc11=a=a11 b b00 a a00 b b11
cc22=a=a22 b b00 a a11 b b11 a a00 b b22
cc33=a=a33 b b00 a a22 b b11 a a11 b b22+ + a a00 b b33
cc44=a=a33 b b11 a a22 b b22 a a11 b b33
cc55=a=a33 b b22 a a22 b b33
cc66=a=a33 b b33
1515
Polynomials with coefficients Polynomials with coefficients in GF(2in GF(288))
By reducing c(x) modulo a polynomial of By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a degree 4, the result can be reduced to a polynomial of degree below 4. polynomial of degree below 4.
M(x)=xM(x)=x44+1 and +1 and
xxii mod x mod x44+1=x+1=xi mod 4i mod 4..
1616
Polynomials with coefficients Polynomials with coefficients in GF(2in GF(288))
Product of a( x ) and b( x ):Product of a( x ) and b( x ):
d( x ) = a( x ) d( x ) = a( x ) b( x )= db( x )= d33xx33+d+d22xx22+d+d11x+dx+d00
dd00 = a = abb00 aabb11 aabb22 aabb33
dd11 = a = abb00 aabb11 aabb22 aabb33
dd22 = a = abb00 aabb11 aabb22 aabb33
dd33 = a = abb00 aabb11 aabb22 aabb33
1717
Polynomials with coefficients Polynomials with coefficients in GF(2in GF(288))
circulant matrix:
1818
Multiplication by xMultiplication by x
Multiply b( x ) by the polynomial x: bMultiply b( x ) by the polynomial x: b33xx44+b+b22xx33+b+b11xx22+b+b00xx
x x b( x ) modulo 1+xb( x ) modulo 1+x44= b= b22xx33+b+b11xx22+b+b00x+bx+b33
It is equivalent to multiplication by a matrix with all aIt is equivalent to multiplication by a matrix with all a ii =‘00’ except a =‘00’ except a11
=‘01’. Let c( x ) = x=‘01’. Let c( x ) = xb( x ). We have:b( x ). We have:
1919
SpecificationSpecification
Variable block length and key lengthVariable block length and key length Block length and the key length can be Block length and the key length can be
128, 192, or 256 bits.128, 192, or 256 bits. The state: the intermediate cipher result.The state: the intermediate cipher result. The Cipher Key is similarly picture as a The Cipher Key is similarly picture as a
rectangular array with four rows.rectangular array with four rows.
2020
The state and the Cipher KeyThe state and the Cipher Key
2121
The roundsThe rounds
The number of rounds is denoted by The number of rounds is denoted by Nr Nr anand depends on the values d depends on the values Nb Nb and and NNkk. . It is It is given in Table 1.given in Table 1.
2222
The cipherThe cipher
The cipher Rijndael consists ofThe cipher Rijndael consists of• An initial Round Key addition;An initial Round Key addition;• NNr-1 Rounds;r-1 Rounds;• A final round.A final round.
• In pseudo C code,In pseudo C code,Rijndael(State,CipherKey)Rijndael(State,CipherKey){{KeyExpansion(CipherKey,ExpandedKey) ;KeyExpansion(CipherKey,ExpandedKey) ;AddRoundKey(State,ExpandedKey);AddRoundKey(State,ExpandedKey);For( i=1 ; i<Nr ; i++ ) For( i=1 ; i<Nr ; i++ )
Round(State,ExpandedKey + Nb*i) ;Round(State,ExpandedKey + Nb*i) ;FinalRound(State,ExpandedKey + Nb*Nr);FinalRound(State,ExpandedKey + Nb*Nr);}}
2323
The cipherThe cipher The key expansion can be done on beforehand and The key expansion can be done on beforehand and
Rijndael can be specified in terms of the Expanded KRijndael can be specified in terms of the Expanded Key.ey.
Rijndael(State,ExpandedKey)Rijndael(State,ExpandedKey){{AddRoundKey(State,ExpandedKey);AddRoundKey(State,ExpandedKey);For( i=1 ; i<Nr ; i++ ) For( i=1 ; i<Nr ; i++ )
Round(State,ExpandedKey + Nb*i) ;Round(State,ExpandedKey + Nb*i) ;FinalRound(State,ExpandedKey + Nb*Nr);FinalRound(State,ExpandedKey + Nb*Nr);}}
2424
The round transformationThe round transformation
Round(State,RoundKey)Round(State,RoundKey){{ByteSub(State);ByteSub(State);ShiftRow(State);ShiftRow(State);MixColumn(State);MixColumn(State);AddRoundKey(State,RoundKey);AddRoundKey(State,RoundKey);}}
2525
The final roundThe final round
FinalRound(State,RoundKey)FinalRound(State,RoundKey)
{{
ByteSub(State) ;ByteSub(State) ;
ShiftRow(State) ;ShiftRow(State) ;
AddRoundKey(State,RoundKey);AddRoundKey(State,RoundKey);
}}
2626
The ByteSub transformation(1The ByteSub transformation(1/2)/2)
1. Taking the multiplicative inverse in GF(21. Taking the multiplicative inverse in GF(288). ). 2. Applying an affine transformation defined by:2. Applying an affine transformation defined by:
2727
The ByteSub transformation(2The ByteSub transformation(2/2)/2)
2828
The ShiftRow transformationThe ShiftRow transformation(1/2)(1/2)
2929
The ShiftRow transformationThe ShiftRow transformation(2/2)(2/2)
3030
The MixColumn transformation(1The MixColumn transformation(1/2)/2)
The columns of the State are considered as The columns of the State are considered as polynomials over GF(2polynomials over GF(288) and multiplied modulo x) and multiplied modulo x44+1 +1 with a fixed polynomial c(x)= with a fixed polynomial c(x)= ‘03‘03’x’x33++‘01‘01’x’x22++‘01‘01’x+’x+‘02‘02’.’.
This can be written as a matrix multiplication. Let b(x) This can be written as a matrix multiplication. Let b(x) = c(x) = c(x) a(x),a(x),
3131
The MixColumn transformation(2The MixColumn transformation(2/2)/2)
3232
The Round Key additionThe Round Key addition
3333
Key scheduleKey schedule
The Round Keys are derived from the Cipher Key by The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two commeans of the key schedule. This consists of two components: the Key Expansion and the Round Key Seleponents: the Key Expansion and the Round Key Selection. The basic principle is the following:ction. The basic principle is the following:
• The total number of Round Key bits is equal to the block lenThe total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. (e.g., for a blogth multiplied by the number of rounds plus 1. (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits arck length of 128 bits and 10 rounds, 1408 Round Key bits are needed).e needed).
• The Cipher Key is expanded into an Expanded Key.The Cipher Key is expanded into an Expanded Key.• Round Keys are taken from this Expanded Key in the followiRound Keys are taken from this Expanded Key in the followi
ng way: the first Round Key consists of the first ng way: the first Round Key consists of the first Nb Nb words, thwords, the second one of the following e second one of the following Nb Nb words, and so on.words, and so on.
3434
Key expansionKey expansion The Expanded Key is a linear array of 4-byte words and is The Expanded Key is a linear array of 4-byte words and is
denoted by Wdenoted by W[Nb*(Nr+1)[Nb*(Nr+1)]. The first NK]. The first NK words contain the words contain the Cipher Key. All other words are defined recursively in termCipher Key. All other words are defined recursively in terms of words with smaller indices.s of words with smaller indices.
For For Nk Nk 6, we have:6, we have:KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = for(i =
0; i < Nk; i++)0; i < Nk; i++)W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);for(i = Nk; i < Nb * (Nr + 1); i++) {for(i = Nk; i < Nb * (Nr + 1); i++) {
temp = W[i - 1];temp = W[i - 1];if (i % Nk == 0)if (i % Nk == 0)temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];W[i] = W[i - Nk] ^ temp;W[i] = W[i - Nk] ^ temp; }} }}
3535
Key expansionKey expansionFor For Nk Nk > 6, we have:> 6, we have:KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {
for(i = 0; i < Nk; i++)for(i = 0; i < Nk; i++)W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]);W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]);
for(i = Nk; i < Nb * (Nr + 1); i++)for(i = Nk; i < Nb * (Nr + 1); i++){{ temp = W[i - 1];temp = W[i - 1];if (i % Nk == 0)if (i % Nk == 0)temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];else if (i % Nk == 4)else if (i % Nk == 4)temp = SubByte(temp);temp = SubByte(temp);W[i] = W[i - Nk] ^ temp;W[i] = W[i - Nk] ^ temp; }}
}}
3636
Round Key selectionRound Key selection
Round key Round key i i is given by the Round Key buffis given by the Round Key buffer words Wer words W[Nb*i[Nb*ito Wto W[Nb*(i+[Nb*(i+1)].1)].
3737
Strength against known Strength against known attacksattacks
• Symmetry properties and weak keys of the Symmetry properties and weak keys of the DES typeDES type Round constants are different in each round Round constants are different in each round
to eliminate symmetry in the cipher.to eliminate symmetry in the cipher. The cipher and its inverse use different The cipher and its inverse use different
components to eliminates the possibility for components to eliminates the possibility for weak and semi-weak keys, as existing for weak and semi-weak keys, as existing for DES.DES.
The non-linearity of the key expansion The non-linearity of the key expansion eliminates the possibility of equivalent keys.eliminates the possibility of equivalent keys.
3838
Strength against known Strength against known attacksattacks
• Differential cryptanalysis(DC)Differential cryptanalysis(DC) First described by Eli Biham and Adi Shamir in 1991.First described by Eli Biham and Adi Shamir in 1991. A differential propagation is composed of differential trA differential propagation is composed of differential tr
ails(DT), where its prop ratio(PR) is the sum of the PRails(DT), where its prop ratio(PR) is the sum of the PRs of all DTs that have the specified initial and final diffs of all DTs that have the specified initial and final difference patterns.erence patterns.
Necessary condition to be resistant against DC: No DNecessary condition to be resistant against DC: No DT with predicated PR > 2T with predicated PR > 21-n1-n, n the block length., n the block length.
For Rijndael: No 4-round DT with predicated PR abovFor Rijndael: No 4-round DT with predicated PR above 2e 2-150 -150 (no 8-round trails with PR above 2(no 8-round trails with PR above 2-300 -300 ).).
3939
Strength against known Strength against known attacksattacks
• Linear cryptanalysis(LC)Linear cryptanalysis(LC) First described by Mitsuru Matsui in 1994.First described by Mitsuru Matsui in 1994. An input-output correlation is composed of linear trails An input-output correlation is composed of linear trails
(LT) that have the specified initial and final selection p(LT) that have the specified initial and final selection patterns.atterns.
Necessary condition to be resistant against LC: No LTNecessary condition to be resistant against LC: No LTs with a correlation coefficients > 2s with a correlation coefficients > 2n/2n/2
For Rijndael: No 4-round LTs with a correlation above For Rijndael: No 4-round LTs with a correlation above 22-75 -75 (no 8-round trails with a correlation above 2(no 8-round trails with a correlation above 2-150-150).).
4040
Strength against known Strength against known attacksattacks
Interpolation attacksInterpolation attacks Introduced by Jakobsen and Knudsen in 1997.Introduced by Jakobsen and Knudsen in 1997. The attacker constructs polynomials using cipher inpuThe attacker constructs polynomials using cipher inpu
t/output pairs. If the polynomials have a small degree, t/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficionly a few pairs are necessary to solve for the coefficients of the polynomial.ents of the polynomial.
The expression for the S-box is given byThe expression for the S-box is given by63+8fX63+8fX127127+b5X+b5X191191+01X+01X223223+f4X+f4X239239+25X+25X247247+f9X+f9X251251+09X+09X253253+05X+05X254254
4141
Strength against known Strength against known attacksattacks
Other attacks considered:Other attacks considered: Truncated differentialsTruncated differentials The Square attackThe Square attack Related-key attacksRelated-key attacks Weak keys as in IDEAWeak keys as in IDEA
4242
Advantages and limitationsAdvantages and limitations
AdvantagesAdvantages Implementation aspectsImplementation aspects
Rijndael can be implemented to run at speeds unusually fast Rijndael can be implemented to run at speeds unusually fast on a Pentium (Pro). Trade-off between table size/performancon a Pentium (Pro). Trade-off between table size/performance.e.
Rijndael can be implemented on a smart card in a small code,Rijndael can be implemented on a smart card in a small code, using a small amount of RAM and a small number of cycles. using a small amount of RAM and a small number of cycles.
The round transformation is parallel by design.The round transformation is parallel by design.As the cipher does not make use of arithmetic operations, it hAs the cipher does not make use of arithmetic operations, it h
as no bias towards processor architectures. as no bias towards processor architectures.
4343
Advantages and limitationsAdvantages and limitations
AdvantagesAdvantages Simplicity of designSimplicity of design
The cipher is fully “self-supporting”.The cipher is fully “self-supporting”.The cipher does not base its security on obscure and not The cipher does not base its security on obscure and not
well understood arithmetic operations.well understood arithmetic operations.The tight cipher design does not leave enough room to hide The tight cipher design does not leave enough room to hide
a trapdoor.a trapdoor. Variable block length and extensionsVariable block length and extensions
Block lengths and key length both range from 128 to 256 in Block lengths and key length both range from 128 to 256 in steps of 32 bits.steps of 32 bits.
Round number can be also modified as a parameter.Round number can be also modified as a parameter.
4444
Advantages and limitationsAdvantages and limitations
LimitationsLimitations The inverse cipher is less suited to be The inverse cipher is less suited to be
implemented on a smart card than the cipher implemented on a smart card than the cipher itself: it takes more code and cycles.itself: it takes more code and cycles.
In software, the cipher and its inverse make In software, the cipher and its inverse make use of different code and/or tables.use of different code and/or tables.
In hardware, the inverse cipher can only In hardware, the inverse cipher can only partially re-use the circuitry that implements partially re-use the circuitry that implements the cipher. the cipher.
top related