q aes implementation
TRANSCRIPT
Data Security
q Finite Field Arithmeticq AES Structure
q AES Transformation Functions
q AES Key Expansion
q An AES Example
q AES Implementation
Outline
Data Security
AES Key Expansion
• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in previous & 4 places back– in 3 of 4 cases use just XOR operation– every 4th case has S-box + rotate + XOR constant of previous before
XOR together
Data Security
Key Expansion Algorithm
1. RotWord performs a one-byte circular left shift on a word– Word [b0, b1, b2, b3] à [b1, b2, b3, b0]
2. SubWord performs a byte substitution on each byte of its input word, using the S-box
3. The result of steps 1 and 2 is XORed with a round constant Rcon[j]• The round constant is a word • The three rightmost bytes are always 0• Rcon[j] = (RC[j], 0, 0, 0)
j 1 2 3 4 5 6 7 8 9 10RC[j] 01 02 04 08 10 20 40 80 1B 36
Data Security
Example of Round Keys
• Suppose that the round key for round 8 isEA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
• The first 4 bytes (first column) of the round key for round 9 are calculated as follows:
Data Security
Rationale
• The expansion key algorithm is designed to be resistant to known cryptanalytic attacks
• Criteria:– Knowledge of a part of the cipher key or round key does not
enable calculation of many other round key bits– An invertible transformation (Nk consecutive words à entire
key)– Speed on a wide range of processors– Usage of round constants to eliminate symmetries– Diffusion of cipher key differences into the round keys
• Each key bit affects many round key bits– Enough nonlinearity to prohibit the full determination of
round key differences from cipher key differences only– Simplicity of description
Data Security
q Finite Field Arithmeticq AES Structure
q AES Transformation Functions
q AES Key Expansion
q An AES Example
q AES Implementation
Outline
Data Security
q Finite Field Arithmeticq AES Structure
q AES Transformation Functions
q AES Key Expansion
q An AES Example
q AES Implementation
Outline
Data Security
AES Decryption
• AES decryption is not identical to encryption since steps done in reverse
• but can define an equivalent inverse cipher with steps as for encryption– but using inverses of each step– with a different key schedule
• works since result is unchanged when– swap byte substitution & shift rows– swap mix columns & add (tweaked) round key
Data Security
Interchanging
• Interchanging InvShiftRows and InvSubBytes– InvShiftRows affects the sequence of bytes in State only– InvSubBytes affects the contents of bytes in State only
InvShiftRows [InvSubBytes (Si)] = InvSubBytes [InvShiftRows (Si)]
• Interchanging AddRoundKey and InvMixColumns– Do not alter the sequence of bytes in State– Operate on State one column at a time
InvMixColumns (Si Å wj) = [InvMixColumns (Si)] Å [InvMixColumns (wj)]
– Interchange AddRoundKey and InvMixColumns• First apply InvMixColumns to the round key
Data Security
Example
• Suppose that the first column of State Si is the sequence (y0, y1, y2, y3) and the first column of the round key wj is (k0, k1, k2, k3)
Data Security
Equivalent Inverse Cipher
Add round key
w[36, 39]
w[40, 43]
Ciphertext
Inverse sub bytes
Inverse shift rows
Inverse mix cols Rou
nd 1
Rou
nd 9
Rou
nd 1
0
Add round keyInverse mix cols
•••
Inverse sub bytes
Inverse shift rows
Inverse mix cols
Add round keyInverse mix cols
Inverse sub bytes
Inverse shift rowsExpand key
Add round key
PlaintextKey
Figure 6.10 Equivalent Inverse Cipher
w[4, 7]
w[0, 3]
Data Security
Implementation Aspects
• can efficiently be implemented on 8-bit CPU– byte substitution works on bytes using a table of 256 entries– shift rows is simple byte shifting– add round key works on byte XORs– mix columns requires matrix multiply in GF(28) which works on
byte values, can be simplified to use a table lookup
Data Security
8-bit Processor
• The multiplication by {02} involves a shift and a conditional XOR– Vulnerable to a timing attack– The multiplication can be replaced by a table lookup
• Also increase processing efficiency• Define the 256-byte table X2, such that X2[i] = {02}i
Data Security
Implementation Aspects
• can efficiently be implemented on 32-bit CPU– redefine steps to use 32-bit words– can precompute 4 tables of 256-words– then each column in each round can be computed using 4
table lookups + 4 XORs– at a cost of 4 KBytes to store tables
• designers believe this very efficient implementation was a key factor in its selection as the AES cipher
Data Security
32-Bit Processor
• Define four 256-word (1024-byte) tables as follows:
• Define a round function operating on a column as follows:
Data Security
Rijndael Wrap Up
• The Rijndael algorithm is not a Feistel system• In a Feistel system, half of the bits are moved but not
changed during each round.• In Rijndael, all bits are treated uniformly. This has the
effect of diffusing the input bits faster.• It can be shown that two rounds are sufficient to
obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits.
• So far, there is no known attack beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety.
• Of course, the number of rounds could easily be increased if needed.
Data Security
Summary
• Finite field arithmetic
• AES structure– General structure– Detailed structure
• AES key expansion– Key expansion
algorithm– Rationale
• AES transformation functions• Substitute bytes• ShiftRows• MixColumns• AddRoundKey
• AES implementation• Equivalent inverse
cipher• Implementation
aspects