chap. 5: advanced encryption standard (aes) jen-chang liu, 2005 adapted from lecture slides by...
Post on 14-Dec-2015
246 Views
Preview:
TRANSCRIPT
Chap. 5: Advanced Encryption Standard (AES)
Jen-Chang Liu, 2005
Adapted from lecture slides by Lawrie Brown
"It seems very simple.""It is very simple. But if you don't know
what the key is it's virtually indecipherable.“
—Talking to Strange Men, Ruth Rendell
Outline Introduction, evaluation criteria for AES AES cipher
Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher
Origins of AES DES problems
have theoretical attacks that can break it have demonstrated exhaustive key search
attacks DES solution
Triple-DES – but slow with small blocks US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001
AES Requirements private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years provide full specification & design
details both C & Java implementations NIST have released all submissions &
unclassified analyses
AES Evaluation Criteria initial criteria (Table 5.1):
security – effort for practical cryptanalysis Brute-force for 128-bit key is impractical
cost – computational efficiency algorithm & implementation characteristics
final criteria: general security – public security analysis for
3 years software & hardware implementation ease Attacks on implementations
Timing attacks, power analysis flexibility (in en/decrypt, keying, other factors)
AES Shortlist after testing and evaluation, shortlist in Aug-
99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security
margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security
margin then subject to further analysis & comment saw contrast between algorithms with
few complex rounds verses many simple rounds which refined existing ciphers verses new proposals
Outline Introduction, evaluation criteria for AES AES cipher
Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher
The AES Cipher - Rijndael designed by Rijmen-Daemen in
Belgium has 128/192/256 bit keys, 128 bit data
Rijndael an iterative rather than Feistel cipher
Feistel cipher: half of the data block is used to modify the other half, then swap the halves
Rijndael cipher: treats data in 4 groups of 4 bytes, operates an entire block in every round
designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity
AES preview has 9/11/13 full rounds:
byte substitution (1 S-box used on every byte) shift rows (permute bytes between
groups/columns) mix columns (subs using matrix multipy of
groups) add round key (XOR state with key material)
initial XOR key material & incomplete last round
all operations can be combined into XOR and table lookups - hence very fast & efficient
AES data structure
128-bit data block => 16 bytes
input output
Round1
Roundn
a byteA columnof 4 bytes(1 word)
row state
Add Round Key XOR state with 128-bits of the round
key inverse for decryption is identical since
XOR is own inverse, just with correct round key
Add round key (cont.) processed by column (though effectively a
series of byte operations)
+128-bit key
Original key Expanded key
+
AES key expansion takes 128-bit (16-byte) key and
expands into array of 44/52/60 32-bit words
start by copying key into first 4 words Expanded key: loop creating words
that depend on values in previous & 4 places back in 3 of 4 cases just XOR these together every 4th has S-box + rotate + XOR
constant of previous before XOR together
AES key expansion (cont.)
Original128-bit
key
g:w3 = 7F 8D 29 2F1. Rotate word -
8D 29 2F 7F2. Substitute byte (S-Box) -
5D A5 15 D23. XOR a round constant -
5C A5 15 D2
Round constant in g
Round constant (RC) word 3 rightmost bytes are 0 Leftmost byte follows RC[j]=2RC[j-1]
over GF(28)
5D A5 15 D23. XOR a round constant
5C A5 15 D2
Round j 1 2 3 4 5 6 7 8 9 10
RC[j] 01 02 04 08 10 20 40 80 1B 36
2 2
Fast multiplication in GF(28)
Textbook p. 133 Irreducible poly. for AES:
m(x)=x8+ x4+ x3+x+1 {80}2=?
1)( mod 348 xxxxmx
x7 x = x8which exceeds the range of GF(28)
0001 1011 = {1B}
Fast multiplication
01
12
23
34
45
56
67
7)( bxbxbxbxbxbxbxbxf
}{ 01234567 bbbbbbbb
1 if 000110110
0 if 0)(
70123456
70123456
bbbbbbbb
bbbbbbbbxfx
000101010001101100001110
10000111028702
Example:
x4+ x3+x+1
Outline Introduction, evaluation criteria for AES AES cipher
Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher
Construction of S-box
1. Initialize S-box2. Map each entry toits multiplicative
inversein GF(28)3. Apply
transformationformula
0 1 2 3 4 5 … E F0 00 01 02 03 04 05 … 0E 0F1 10 11 12 13 14 15 … 1E 1F …F F0 F1 F2 F3 F4 F5 … FE FF
0 1 2 3 4 5 … E F0 00 01 …1 …9 … 8A …F …
Mathematics behind S-Box Modulo 2 arithmetic
0
1
1
1
1
1
0
0
0
1
1
0
0
0
1
1
0
0
0
1
1
1
1
1
0
1
1
0
0
0
1
1
0
0
0
0
0
0
0
1
11111000
01111100
00111110
00011111
10001111
11000111
11100011
11110001
=7C
Rationale behind S-Box Low correlation between input bits and
output bits (check linear approximation table)
No fixed points: S-box(a)=a By the added constant 01100011
No opposite fixed points: S-box(a)=a a : the bitwise complement of a
S-box is not self-inverse S-box(a) = Inv_S-box(a)
S-box design criterion (p.88)
Strict avalanche criterion (SAC) Any output bit j of an S-box should change
with probability ½ when any single input bit i is inverted for all i, j
Bit independence criterion (BIC) Output bits j and k should change
independently when any single input bit i is inverted, for all i, j, k
Guaranteed avalanche (GA) For a 1-bit input change, at least r output bits
change. (r=2 to 5 provides strong diffusion)
S-box design approaches Random: use pseudo-random number
generator for each entry in the S-box Suitable for large S-box
Random with testing: test results against various criteria
Human-made: ex. DES Suitable for small S-box
Math-made: ex. AES Key-dependent S-box: Blowfish (Chap.
6)
Outline Introduction, evaluation criteria for AES AES cipher
Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher
Shift Rows
4 bytes of one column are spread out to 4 different columns
Shift left 1 byte
Shift left 2 bytes
Shift left 3 bytes
Mix Columns (cont.) each column is processed separately each byte is replaced by a value
dependent on all 4 bytes in the column a matrix multiplication in GF(28) using
prime poly m(x) =x8+x4+x3+x+1
Matrix computation in GF(28)
j
j
j
j
j
j
j
j
s
s
s
s
s
s
s
s
,3
,2
,1
,0
,3
,2
,1
,0
2113
3211
1321
1132
Example:
Only 1, 2, 3
1 if 000110110
0 if 0}{}02{
70123456
70123456
bbbbbbbb
bbbbbbbbx
}{}){}02({}{}03{ xxx
* Only shift, conditional XOR, and XOR
Matrix computation in GF(28)
EDA
E
94
37
47
6
46
6
87
2113
3211
1321
1132
Example:
000101010001101100001110
10000111028702
101100101101110001101110
6026603
EEE
00010101101100100100011010100110
01000111
={47}
+
For 8-bit processor (p.165)
j
j
j
j
j
j
j
j
s
s
s
s
s
s
s
s
,3
,2
,1
,0
,3
,2
,1
,0
2113
3211
1321
1132
jjjj ssssTmp ,3,2,1,0
=>
jjjj sssTmps ,1,0,0,0 2
jjjj sssTmps ,2,1,1,1 2
jjjj sssTmps ,3,2,2,2 2 jjjj sssTmps ,0,3,3,3 2
2x => can be replacedby a table lookup
Implementation Aspects can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is simple byte shifting add round key works on byte XORs mix columns requires matrix multiply in
GF(28) which works on byte values, can be simplified to use a table lookup
Outline Introduction, evaluation criteria for AES AES cipher
Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher
AES decryption Two separate software/hardware for
both encryption and decryption Is it possible that the decryption
algorithm has the same sequence of transformation (inverse transform) as the encryption algorithm?
Inverse shift rows then Sub. bytes= Sub. bytes then Inverse shift rows
According to the previous figure, both operations are oneach bytes, and they are commute.
AES Implementation by table look-up and XOR
aij: element of status matrix
SubBytes bij = S[aij]
ShiftRows
3,3
2,2
1,1
,0
,3
,2
,1
,0
j
j
j
j
j
j
j
j
b
b
b
b
c
c
c
c
MixColumns
j
j
j
j
j
j
j
j
c
c
c
c
d
d
d
d
,3
,2
,1
,0
,3
,2
,1
,0
02010103
03020101
01030201
01010302
j
j
j
j
j
j
j
j
j
j
j
j
k
k
k
k
d
d
d
d
e
e
e
e
,3
,2
,1
,0
,3
,2
,1
,0
,3
,2
,1
,0
AddRoundKey
top related