September 21, 2004 The State of the AES 1
The Advanced Encryption Standard: Four Years On
Matt Robshaw
Reader in Information Security, Information Security Group
Royal Holloway, University of London
The Advanced Encryption Standard
• In October 2000 Rijndael was chosen as the Advanced Encryption Standard (AES)
  – Published as FIPS 197
    • Available via http://csrc.nist.gov/publications/fips
• A block cipher is a versatile primitive to have
  – Symmetric encryption algorithm
  – Can be used to construct a stream cipher
  – Can be used to construct a hash function
  – Can be used to construct a MAC
• Replaces DES
  – Provides vastly increased security
• But without the software costs of 3DES
  – Likely to be used widely around the world
• However full deployment will be slow
• The view from NIST
  • NIST expects to “get the world to AES by 2020”
  • AES and 3DES will co-exist as FIPS-approved algorithms to 2030 [SP-800-67]
The AES Process
• The search for the AES began in 1997
  – Full archives at http://www.nist.gov/aes/
• There were two rounds of assessment
  – 15 ciphers in Round 1
  – 5 ciphers in Round 2
    • MARS (IBM)
    • RC6 (RSA Laboratories + Rivest)
    • Rijndael (Daemen + Rijmen)
    • Serpent (Anderson, Biham + Knudsen)
    • Twofish (Counterpane)
• Very different design philosophies
  – Different architectural features
  – Different approaches to security
  – Different performance profiles
• Rijndael was an excellent “best-fit” candidate
“Rijndael appears to be a consistently good performer in both hardware and software across a wide range of computing environments … ”
– NIST Final Report
The AES
• The AES is a very elegant cipher
  – Novel construction
  – Good performance
• The AES is a carefully constructed cipher
  – Good levels of security against known attacks
    • Differential cryptanalysis
    • Linear cryptanalysis
• Rijndael is more versatile than the AES
  – Rijndael allowed for different block sizes
  – This might have been helpful for hash function construction
• The structure of the AES has led to some novel analytical approaches
  – Might a well-structured cipher offer new advantages to an attacker?
  – What is the current state of AES cryptanalysis?
AES Design Basics
• Shannon introduced the ideas of confusion and diffusion
  – These are not rigorous notions but guides to some form of ideal behaviour
  – During the design of a block cipher we typically choose cipher components to deliver these properties
• Confusion
  “The relationship between the plaintext, ciphertext, and key should be complex”
  – Typically provided by substitution operations
• Diffusion
  “All of the ciphertext should depend on all of the plaintext and all of the key”
  – Typically provided by permutation operations
SP-Networks
• Single substitution and permutation operations on their own are unlikely to yield a strong cipher
  – This leads us to SP-networks
AES Description
• The AES has one block and three key lengths
  – For the AES b=128 and k=128, 192, and 256
    • Referred to as AES-128, AES-192, AES-256
    • Here we concentrate on b=k=128
• Encryption can be described as a sequence of operations on an array of bytes
  – Some operations are described over GF(2^8)
    • The Rijndael polynomial is X^8 + X^4 + X^3 + X + 1
• Here we are less interested in the key schedule
  – For k=128
    • The 128-bit user-supplied key is expanded into a sequence of 11 round keys each of 128 bits
  – The key schedule (like the rest of the cipher) is very simple and lightweight
AES Encryption
• There are four components to an AES round
  – SubBytes
  – ShiftRows
  – MixColumns
  – AddRoundKey
• The AES is best described using an array of bytes
  – Pack the input m0 … m15 into a (4 × 4) square array
SubBytes
• There are 16 parallel S-box look-ups
  – The same S-box is used in each case
ShiftRows
• Each row is rotated a different number of byte positions
  – Row i (0 ≤ i ≤ 3) is moved by i byte positions to the left
MixColumns
• View each column as a GF(2^8) column vector
  – Create a replacement column by computing M · c
AES AddKey
• We add the round key for the given round
AES-128 (k=b=128)
• There are nine full rounds
  – There is a key-addition prior to the first round
  – There is a tenth round without MixColumns
  – AES-192 and AES-256 have 12 and 14 rounds respectively
[Figure: AddRoundKey; then repeat 9 times: SubBytes, ShiftRows, MixColumns, AddRoundKey; then the final round: SubBytes, ShiftRows, AddRoundKey]
The AES S/P Network
Rijndael In Context
• While Rijndael may look quite different to other cipher designs it has eminent predecessors
– The success of Rijndael has also inspired other designers
AES Overview
• AES is a very simple S/P network
• Gives a good performance profile
  – Some sample figures include
    • Software; e.g. 2.1 GHz Pentium 4 [Wei Dai 04]
      – AES-128: 62 Mbyte/sec
      – AES-192: 56 Mbyte/sec
      – AES-256: 49 Mbyte/sec
    • Hardware
      – Space/performance/technology/implementation trade-offs
      – High-end performance
        » ≈ 1.3 Gbyte/sec (FPGA)
        » ≈ 3.1 Gbyte/sec (ASIC)
• Very careful construction
Some Details
The AES S-Box
• The S-box is crucial to security
• There are three components to its design
  1. Invert the input x in GF(2^8) [with 0 → 0]
  2. Multiply x^(-1) by an (8×8) GF(2) matrix L
  3. XOR the constant c = 01100011
S-Box Design Rationale
• The S-box has been carefully constructed
  1. Invert the input in GF(2^8) [with 0 → 0]
    – This operation has been shown to be very good against differential and linear cryptanalysis
    – Maximum difference propagation probability 2^-6 and maximum linear correlation 2^-3
  2. Multiply by an (8 × 8) GF(2) matrix L
    – The operation x → x^(-1) is algebraically simple
    – Multiplying by L should hinder attacks that exploit the GF(2^8)-based algebraic structure
  3. XOR the constant 01100011
    – We remove the fixed point 0 → 0 by adding a non-zero constant
• The mix of incompatible operations over GF(2^8) and GF(2) should help resist cryptanalysis
MixColumns
• The MixColumns operation provides mixing across bytes
• Introduce the concept of a branch number β for matrix M
• Denote the number of non-zero coefficients in column vector a by w_b(a), then for a ≠ b
  β = min{ w_b(a ⊕ b) + w_b(Ma ⊕ Mb) }
• The MixColumns matrix M has β = 5
  – A non-zero difference in a single byte is spread to a non-zero difference in four bytes
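An added example, not code from the talk: the three S-box components of the previous slides built from scratch with GF(2^8) arithmetic over the Rijndael polynomial, followed by checks of the claims made on these slides (inversion has fixed points 0 and 1, the constant removes the fixed point at 0, maximum difference propagation probability 2^-6, branch number β = 5). The bit-mask rows of L, the inverse MixColumns matrix and the low-weight search strategy are standard facts assumed here rather than taken from the slides.

```python
# Added example (not from the talk): the AES S-box from its three components,
# the design-rationale checks, and the branch number of the MixColumns matrix.

RIJNDAEL_POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= RIJNDAEL_POLY
        b >>= 1
    return r


def gf_inv(x):
    """Component 1: inversion as x^254 (x^255 = 1 for x != 0); maps 0 -> 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r


# Component 2: the (8x8) GF(2) matrix L, one row per output bit (bit 0 = LSB).
# Output bit i is the parity of (input AND L_ROWS[i]); the rows are the
# rotations of 11110001 from FIPS 197 (assumed here, not on the slides).
L_ROWS = [0xF1, 0xE3, 0xC7, 0x8F, 0x1F, 0x3E, 0x7C, 0xF8]
CONST = 0x63  # component 3: the constant 01100011


def apply_l(x):
    y = 0
    for i, row in enumerate(L_ROWS):
        if bin(x & row).count("1") & 1:
            y |= 1 << i
    return y


def sbox(x):
    """Inversion, then L, then XOR with the constant."""
    return apply_l(gf_inv(x)) ^ CONST


SBOX = [sbox(x) for x in range(256)]


def fixed_points(table):
    return [x for x in range(256) if table[x] == x]


def max_differential_count(table):
    """Largest difference-distribution-table entry for a non-zero input
    difference; divided by 256 it is the maximum propagation probability."""
    best = 0
    for d_in in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[table[x] ^ table[x ^ d_in]] += 1
        best = max(best, max(counts))
    return best


# MixColumns matrix M and its inverse (inverse assumed from FIPS 197), with
# multiplication tables so that the search below stays fast.
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
M_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
MUL = {c: [gf_mul(c, x) for x in range(256)] for c in (1, 2, 3, 9, 11, 13, 14)}
M_TAB = [[MUL[c] for c in row] for row in M]
M_INV_TAB = [[MUL[c] for c in row] for row in M_INV]


def mix_column(tab, col):
    """Replacement column M * c (or M^-1 * c) for one 4-byte column."""
    return [t0[col[0]] ^ t1[col[1]] ^ t2[col[2]] ^ t3[col[3]] for t0, t1, t2, t3 in tab]


def weight(col):
    return sum(1 for b in col if b)


def branch_number():
    """Smallest weight(a) + weight(M a) over non-zero columns a.

    Only inputs of weight 1 and 2 need searching: M is invertible, so a
    weight-4 input never maps to weight 0, and a weight-3 input mapping to
    weight 1 would show up as a weight-1 input of M^-1 mapping to weight 3,
    which the M^-1 sweep covers.  M is circulant, so for weight 2 only the
    position pairs (0,1) and (0,2) are needed; the others are rotations."""
    best = 8
    for i in range(4):
        for x in range(1, 256):
            a = [0, 0, 0, 0]
            a[i] = x
            best = min(best, 1 + weight(mix_column(M_TAB, a)),
                       1 + weight(mix_column(M_INV_TAB, a)))
    for i, j in ((0, 1), (0, 2)):
        for x in range(1, 256):
            for y in range(1, 256):
                a = [0, 0, 0, 0]
                a[i], a[j] = x, y
                best = min(best, 2 + weight(mix_column(M_TAB, a)))
    return best


if __name__ == "__main__":
    print("S(0x53) = %#x" % SBOX[0x53])
    print("fixed points of x -> x^-1:", fixed_points([gf_inv(x) for x in range(256)]))
    print("fixed points of the S-box:", fixed_points(SBOX))
    print("max differential count: %d/256" % max_differential_count(SBOX))
    print("difference 01 in one byte after MixColumns:", mix_column(M_TAB, [1, 0, 0, 0]))
    print("branch number:", branch_number())
```

The branch-number search finishes in a second or two in plain Python because the circulant symmetry cuts the weight-2 cases from six position pairs to two; dropping that shortcut and checking all six pairs gives the same answer.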
Approaches to AES Analysis
• Statistical attacks
• Structural attacks
• Alternative representations
• Algebraic attacks
Statistical Attacks
• The AES is very resistant to statistical attacks
  – The attacker attempts to construct statistical patterns via many cipher interactions
    • Differential Cryptanalysis (DC)
      – The “statistical pattern” depends on bitwise difference
    • Linear Cryptanalysis (LC)
      – The “statistical pattern” depends on the correlation between bits
• To illustrate, DC is thwarted by
  – Careful S-box construction
    • The probability p of a given bitwise non-zero difference propagation across an S-box is ≤ 2^-6
    • In an attack, an S-box supporting such a propagation is said to be an active S-box
  – Carefully designed diffusion layer
    • The number of active S-boxes n increases quickly
    • The total differential probability behaves as p^n
      – Attack requirements are proportional to 1/p^n
The AES S/P Network
[Figure: difference propagation through the S/P network from an input difference in a single byte: ∆ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
Statistical Attacks
• For differential and linear cryptanalysis
  – Attacks over four rounds of the AES require at least 25 active S-boxes
• More careful analysis takes account of additional complicated phenomena
  – Differentials, linear hulls, etc.
• Exploiting differential and linear techniques requires far more data than there is available
A different cryptanalytic approach is required!
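Carrying the slide's own figures through (an added worked estimate, not part of the original deck): with each active S-box contributing $p \le 2^{-6}$ and $n \ge 25$ active S-boxes over four rounds,

$$p^{n} \le \left(2^{-6}\right)^{25} = 2^{-150}, \qquad \text{data required} \approx \frac{1}{p^{n}} \ge 2^{150},$$

whereas only $2^{128}$ distinct 128-bit plaintext blocks exist. A four-round characteristic of this kind therefore needs more data than can exist, before the remaining rounds of the cipher are even considered.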
Approaches to AES Analysis
• Statistical attacks
• Structural attacks
• Alternative representations
• Algebraic attacks
Structural Attacks
• The AES is heavily optimised against statistical attacks
  – Careful choice of S-box
  – Carefully designed structure to quickly magnify the number of active S-boxes
• However this clean structure can be used to mount some innovative analysis
  – Analysis is specific to AES-like ciphers
• Such attacks tend to have a similar form
  – Identify a property over a few rounds that holds with a good probability
  – Use special techniques to extend the attack a few rounds at the beginning and the end
• Best example is the so-called Square Attack
  – But there are several others such as
    • Impossible Differentials
    • Bottleneck Attacks, …
Square Attack
• Suppose we have a set of 256 plaintexts
  – The first byte in a text-set takes all possible values
  – All other byte positions are fixed across the text-set
• Consider three rounds of encryption
[Figure: the text-set traced through Round 1, Round 2 and Round 3]
A Three Round Property
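As an added example (not the speaker's code), here is a compact AES-128 that follows the round structure given earlier in the talk (key addition, nine full rounds, a tenth round without MixColumns, eleven round keys), checked against the FIPS-197 Appendix C.1 test vector. The same code then demonstrates the three-round property of the Square text-set: over the 256 plaintexts whose first byte takes every value, the outputs after three rounds XOR to zero in every byte position, and after four rounds they no longer do. The S-box is the FIPS-197 table; the filler byte 0x42 and the option of keeping MixColumns in the last reduced round are my choices.

```python
# Added example (not from the talk): AES-128 in the slide's round structure,
# plus the three-round balanced property behind the Square attack.

# The FIPS-197 S-box, two rows of 16 bytes per line.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d8311504c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f8453d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa851a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d197360814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df8ca1890dbfe6426841992d0fb054bb16"
)


def xtime(b):
    """Multiply by X in GF(2^8) modulo the Rijndael polynomial."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    # The state is column-major (s[4*c + r]); row r rotates left by r positions.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        # a[i] ^ t ^ xtime(a[i] ^ a[i+1]) equals 2*a[i] ^ 3*a[i+1] ^ a[i+2] ^ a[i+3]
        out += [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out


def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]


RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def key_expansion(key):
    """Expand a 16-byte key into 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt(block, key, rounds=10, final_mix=False):
    """AES-128 with an adjustable number of rounds.  rounds=10, final_mix=False
    is the real cipher.  final_mix=True keeps MixColumns in the last reduced
    round, the form in which the three-round property is usually stated."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for r in range(1, rounds + 1):
        s = shift_rows(sub_bytes(s))
        if r < rounds or final_mix:
            s = mix_columns(s)
        s = add_round_key(s, rk[r])
    return bytes(s)


def balanced_after(rounds, key, filler=0x42):
    """XOR, position by position, of the outputs of the Square text-set (first
    byte takes all 256 values, every other byte fixed to `filler`, a value
    constructed here) after the given number of rounds.  All zeros means
    every byte position is balanced."""
    acc = [0] * 16
    for v in range(256):
        ct = encrypt(bytes([v] + [filler] * 15), key, rounds, final_mix=True)
        acc = [a ^ c for a, c in zip(acc, ct)]
    return bytes(acc)


if __name__ == "__main__":
    key = bytes(range(16))  # FIPS-197 Appendix C.1 key 000102...0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt(pt, key).hex())        # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(balanced_after(3, key).hex())  # 32 zeros: the three-round property
    print(balanced_after(4, key).hex())  # the fourth-round S-boxes destroy it
```

The property holds for every key and every filler because the first two rounds turn the one active byte into sixteen active bytes, and the third-round MixColumns only combines them linearly; the S-box layer of a fourth round breaks the balance, which is why the slide's structural attacks have to be extended round by round with other techniques.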
Structural Attacks
• Structural attacks are very effective over a moderate number of rounds
  – However they do not extend well
• Since the number of rounds increases with the key size, in some sense we’re losing ground!
Rounds attacked as a percentage of the full cipher:
  Rounds    6     7     8
  AES-128   60%   70%   80%
  AES-192   50%   58%   75%
  AES-256   43%   50%   57%
Approaches to AES Analysis
• Statistical attacks
• Structural attacks
• Alternative representations
• Algebraic attacks
Alternative Representations
• The rich structure of the AES allows us to re-write and re-order components of the cipher
• There are a variety of reasons to consider alternative representations
  – Different implementations
  – Insights into algorithm design
  – New approaches to cryptanalysis
• There have been a variety of proposals
  – Continued fraction expansion
  – Dual ciphers
  – Algebraic structure
Algebraic Structure
One Round of the AES
• One round has the following form
[Figure: the S-box layer followed by the diffusion matrix M]
One Round of the AES
• We can move parts of the S-box into an augmented diffusion layer
[Figure: the reduced S-box layer followed by the augmented diffusion matrix M*]
Simplifying the AES
• The designers’ view of the AES:
  – In one S-box mix operations in GF(2^8) and GF(2)
  – Use a simple diffusion operation over GF(2)
• The unified view of the AES:
  – Use an algebraically simple S-box in GF(2^8)
  – Use a modified diffusion operation over GF(2)
• By grouping together similar operations
  – The strategy of mixing operations in GF(2) and GF(2^8) within the S-box is unclear
  – The issue of eliminating fixed points in the S-box is not relevant
How complicated does this re-writing make the modified diffusion operation?
Simplifying the AES
• The modified diffusion layer can be represented as multiplication by a binary matrix M*
  – Minimum polynomial for M* is (X + 1)^15
  – There are large fixed subspaces
  – The modified GF(2) diffusion layer is very simple and preserves considerable structure
• However, have we really gained much?
  – The S-boxes are defined over GF(2^8) and diffusion is defined over GF(2)
  – This creates difficulties for the cryptanalyst
AES → BES
• The unified AES consists of
  – A layer of S-boxes over GF(2^8)
  – A modified diffusion layer given by a GF(2) matrix M*
  – Analysis techniques for the S-boxes don’t work across diffusion and vice versa
• However it is possible to describe the actions of the AES entirely with operations in GF(2^8)
  – Embed the AES in a larger cipher, the BES
  – AES: A → A operates with a mix of GF(2) and GF(2^8)
  – BES: B → B operates exclusively in GF(2^8)
  B_A = φ(A) ⊂ B
BES
• Each byte in the AES is represented by a set of conjugates in BES
  – AES is a 16-byte block cipher
  – BES is a 128-byte block cipher
• All AES operations can be replicated by simple operations on conjugates
  – Even the GF(2) linear map L
• AES encryption can be described exclusively in terms of GF(2^8) operations
  – The (slight) additional complexity allows us to avoid the tension between GF(2) and GF(2^8)
Comparing the AES and the BES S-box
– The AES S-box consists of 1 byte of input, inversion in GF(2^8), and mixing over GF(2)
– The BES S-box consists of 8 bytes of input, componentwise inversion in GF(2^8), and mixing over GF(2^8)
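An added example, not from the talk, of the mechanism behind the two slides above: the GF(2)-linear map L of the AES S-box can be written as a linearised polynomial L(y) = λ_0·y ⊕ λ_1·y^2 ⊕ … ⊕ λ_7·y^128 over GF(2^8), so on the vector of conjugates (y, y^2, y^4, …, y^128) that one BES S-box carries, L is just a GF(2^8)-linear combination with fixed coefficients. The coefficients are recovered here by solving an 8×8 system over GF(2^8) at a GF(2)-basis of inputs, and the result is checked against the bit-level definition of L for all 256 bytes. The log/antilog tables, the Gauss-Jordan solver and the choice of basis points are mine; nothing here is taken from the BES papers themselves.

```python
# Added example (not from the talk): the AES map L as a GF(2^8)-linear
# operation on the conjugates of its input, the core of the BES embedding.

def xtime(b):
    """Multiply by X in GF(2^8) modulo the Rijndael polynomial X^8+X^4+X^3+X+1."""
    return (b << 1) ^ 0x11B if b & 0x80 else b << 1


# Log/antilog tables; 0x03 generates the multiplicative group of GF(2^8).
EXP, LOG = [0] * 256, [0] * 256
_g = 1
for _i in range(255):
    EXP[_i], LOG[_g] = _g, _i
    _g ^= xtime(_g)  # multiply by 0x03


def mul(a, b):
    return EXP[(LOG[a] + LOG[b]) % 255] if a and b else 0


def inv(a):
    """Multiplicative inverse of a non-zero element."""
    return EXP[(255 - LOG[a]) % 255]


def conjugates(y):
    """(y, y^2, y^4, ..., y^128): the eight BES components of one AES byte."""
    out = []
    for _ in range(8):
        out.append(y)
        y = mul(y, y)
    return out


# The GF(2) matrix L of the AES S-box as bit masks, one row per output bit
# (bit 0 = LSB): output bit i is the parity of (input AND L_ROWS[i]).
L_ROWS = [0xF1, 0xE3, 0xC7, 0x8F, 0x1F, 0x3E, 0x7C, 0xF8]


def apply_l(x):
    """L evaluated bit by bit, the way the AES S-box defines it."""
    return sum(1 << i for i, row in enumerate(L_ROWS) if bin(x & row).count("1") & 1)


def solve_gf256(rows):
    """Gauss-Jordan elimination on an augmented n x (n+1) matrix over GF(2^8)."""
    n = len(rows)
    for c in range(n):
        p = next((r for r in range(c, n) if rows[r][c]), None)
        if p is None:
            raise ValueError("singular system")
        rows[c], rows[p] = rows[p], rows[c]
        s = inv(rows[c][c])
        rows[c] = [mul(s, v) for v in rows[c]]
        for r in range(n):
            if r != c and rows[r][c]:
                f = rows[r][c]
                rows[r] = [v ^ mul(f, w) for v, w in zip(rows[r], rows[c])]
    return [row[n] for row in rows]


def linearised_coefficients():
    """lambda_0..lambda_7 with L(y) = XOR_k lambda_k * y^(2^k) for every y.
    L is GF(2)-linear, so its values at the basis 1, 2, 4, ..., 128 pin it
    down; each basis point gives one linear equation in the eight lambdas."""
    basis = [1 << i for i in range(8)]
    system = [conjugates(y) + [apply_l(y)] for y in basis]
    return solve_gf256(system)


LAMBDA = linearised_coefficients()


def l_via_conjugates(y):
    """L computed with GF(2^8) multiplications on the conjugates only."""
    acc = 0
    for lam, c in zip(LAMBDA, conjugates(y)):
        acc ^= mul(lam, c)
    return acc


def check_all():
    """True when the conjugate form agrees with the bit-level L on all 256 bytes."""
    return all(l_via_conjugates(y) == apply_l(y) for y in range(256))


if __name__ == "__main__":
    print("lambda:", [hex(v) for v in LAMBDA])
    print("conjugate form matches L on every byte:", check_all())
```

Because conjugation (squaring) is itself a GF(2^8) operation, the whole BES S-box on eight components is componentwise inversion followed by this fixed linear combination, which is the "mixing over GF(2^8)" of the comparison above.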
Approaches to AES Analysis
• Statistical attacks
• Structural attacks
• Alternative representations
• Algebraic attacks
Algebraic Attacks
• Algebraic analysis offers new approaches to symmetric cryptanalysis
  – Algebraic techniques previously the preserve of public key cryptography
  – Courtois and Pieprzyk proposed algebraic cryptanalysis against block ciphers
  – Also valuable techniques against certain stream cipher designs
Algebraic Attacks
• Algebraic attacks require us to:
  – Describe encryption as a system of equations
    • Using key, plaintext, ciphertext, and internal variables
  – Solve the system of equations (somehow!)
  – Recover the key
• For most block ciphers
  – The system of equations would be huge
  – The system of equations would be complex
• For the AES this is not the case
  – An algebraically simple S-box [x → x^-1]
  – A simple and very structured diffusion layer
Algebraic Analysis for AES and BES
• There are two approaches to writing systems of equations across the S-box
  – AES style: express inversion over GF(2)
  – BES style: express the map L over GF(2^8)
• Courtois and Pieprzyk introduce a measure of S-box complexity, Γ
  – s inputs, r equations, and t variables
              s    r     t     Γ
  AES (i)     8    40    137   ≈ 2^16
  AES (ii)    8    24    81    ≈ 2^13
  BES         8    24    41    ≈ 2^5
The BES System of Equations
• Consider the BES equivalent of AES-128
• One single encryption provides
  – 5,248 equations in 7,808 terms
    • 3,840 sparse quadratic equations
    • 1,408 linear equations
  – 2,560 state variables
  – 1,408 key variables
• The key schedule provides
  – 2,560 equations in 3,308 terms
    • 960 are sparse quadratic equations
    • 1,600 linear equations
  – 1,408 key variables and 640 auxiliary variables
• We can assume there is no zero-inversion
  – (255/256)^160 ≈ 0.53 for encryption
  – (255/256)^40 ≈ 0.85 for the key schedule
Solving Equations (I)
• Linearisation techniques
  – Courtois and Pieprzyk proposed Extended Sparse Linearization (XSL)
  – An extension of the XL algorithm
• XL is reasonably well understood
  – Linearisation step
  – Gaussian elimination step
  – XSL adds an AES-specific enhancement to linearisation
• There are doubts over the full validity of XSL
  – Experiments on some equation systems work
  – But experiments on AES-like systems show that XSL might not be so successful
  – All current claims for attacking the AES depend on the correctness of the XSL
Beware of XL claims for XSL!
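An added example, not from the talk, of the two steps the slide attributes to XL, run on a constructed toy so the mechanics are visible: three secret bits and six quadratic equations over GF(2) in them (made up here, with a unit upper-triangular coefficient matrix so the linearised system has full rank). Linearisation renames every monomial to an independent unknown; Gauss-Jordan elimination over GF(2) then solves the resulting linear system and the key bits are read off the degree-one unknowns. Nothing here is AES-specific, and the solver returns None when the equations are too few to determine every monomial, which is the situation XL's extra multiplications are meant to repair.

```python
# Added example (not from the talk): linearisation + Gaussian elimination on
# a constructed toy system of quadratic equations over GF(2).

MONOMIALS = [(0,), (1,), (2,), (0, 1), (0, 2), (1, 2)]  # x0, x1, x2, x0x1, x0x2, x1x2

# Coefficient of each monomial in each equation (constructed; unit
# upper-triangular, so the six linearised equations are independent).
COEFFS = [
    [1, 1, 0, 1, 0, 0],  # x0 + x1 + x0x1
    [0, 1, 1, 0, 1, 0],  # x1 + x2 + x0x2
    [0, 0, 1, 1, 0, 1],  # x2 + x0x1 + x1x2
    [0, 0, 0, 1, 1, 0],  # x0x1 + x0x2
    [0, 0, 0, 0, 1, 1],  # x0x2 + x1x2
    [0, 0, 0, 0, 0, 1],  # x1x2
]


def evaluate(coeffs, x):
    """Value of the quadratic form at the bit vector x (GF(2) arithmetic)."""
    v = 0
    for c, mono in zip(coeffs, MONOMIALS):
        if c and all(x[i] for i in mono):
            v ^= 1
    return v


def make_system(secret):
    """Equations (coeffs, constant) whose constants make `secret` a solution."""
    return [(coeffs, evaluate(coeffs, secret)) for coeffs in COEFFS]


def linearise(equations):
    """Linearisation step: treat each monomial as its own unknown, so every
    equation becomes one row of a linear system.  Rows are packed as integers
    with the constant in bit 0 and monomial j in bit (n - j)."""
    n = len(MONOMIALS)
    rows = []
    for coeffs, const in equations:
        row = const
        for j, c in enumerate(coeffs):
            row |= c << (n - j)
        rows.append(row)
    return rows


def gauss_gf2(rows, n):
    """Gauss-Jordan elimination over GF(2).  Returns the value of each of the n
    unknowns, or None when the rows do not determine all of them."""
    rows = list(rows)
    pivot_row = 0
    for col in range(n, 0, -1):
        p = next((i for i in range(pivot_row, len(rows)) if rows[i] >> col & 1), None)
        if p is None:
            return None
        rows[pivot_row], rows[p] = rows[p], rows[pivot_row]
        for i in range(len(rows)):
            if i != pivot_row and rows[i] >> col & 1:
                rows[i] ^= rows[pivot_row]
        pivot_row += 1
    # Row j now reads "unknown j = constant".
    return [rows[j] & 1 for j in range(n)]


def recover_key(equations):
    """Solve by linearisation; the key bits are the degree-one unknowns."""
    solution = gauss_gf2(linearise(equations), len(MONOMIALS))
    return None if solution is None else solution[:3]


if __name__ == "__main__":
    secret = [1, 0, 1]  # constructed key bits
    print("recovered:", recover_key(make_system(secret)))          # [1, 0, 1]
    print("with only 3 equations:", recover_key(make_system(secret)[:3]))  # None
```

The toy has six monomials and six equations; for the AES the same idea faces the thousands of equations and terms on the previous slide, and the number of monomials introduced by linearisation is what drives the cost estimates for XL and XSL.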
Solving Equations (II)
• Gröbner Basis algorithms
  – Buchberger, F4, (F5) …
  – Small-scale experiments are successful
  – The key can be recovered directly!
  – However the algorithms quickly become inefficient
• The relation between these different techniques is becoming clearer
  – F4 should be better than XL
• Current implementations do not exploit the source of the equations
  – Yet, the system of equations for the AES is very structured
  – Ongoing research is considering how best to work with a very specific set of equations
Summary
• The AES is a very successful design
  – Good performance
  – Good security
  – Traditional methods of attack are not successful
• However the AES is very structured
  – AES-specific analysis techniques have been proposed
  – These might provide new opportunities for the attacker in the future
• The current best approach (for the cryptanalyst) appears to be to use algebraic methods
  – However they are exceptionally difficult to work with
• With what we know today there is no substantive reason to question the security of the AES