Announcements:Announcements: DES due Thursday.DES due Thursday. Try not to use late day, so you can study for Ch Try not to use late day, so you can study for Ch

3 quiz Friday.3 quiz Friday. Can you break it?Can you break it?

http://www.fbi.gov/news/stories/2011/march/cryptanalysis_032911

http://www.foxnews.com/us/2011/03/31/fbi-inundated-tips-encrypted-notes-1-murder-mystery/

Today:Today: Finish Finish GF(2GF(288)) RijndaelRijndael

Questions?Questions?

DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 17Day 17

AES (Rijndael)AES (Rijndael)

The S-boxes, round keys, and MixColumn The S-boxes, round keys, and MixColumn functions require the use of GF(2functions require the use of GF(288), so), so

Fields (T&W, 3.11)Fields (T&W, 3.11)

A A fieldfield is a is a set of numbers set of numbers with the following properties:with the following properties: Addition, with identity: a + 0 = a and inverse a+(-a)=0 Addition, with identity: a + 0 = a and inverse a+(-a)=0 Multiplication with identity: a*1=a, and inverse Multiplication with identity: a*1=a, and inverse

(a * a(a * a-1-1 = 1 for all a != 0) = 1 for all a != 0) Subtraction and division (using inverses)Subtraction and division (using inverses) Commutative, associative, and distributive propertiesCommutative, associative, and distributive properties Closure over all four operationsClosure over all four operations

Examples:Examples: Real numbersReal numbers GF(4) = {0, 1, GF(4) = {0, 1, , , 22} with these additional laws: x + x = 0 for all x } with these additional laws: x + x = 0 for all x

and and + 1 = + 1 = 22.. GF(pGF(pnn) for prime p is called a Galois Field.) for prime p is called a Galois Field.

A Galois field is a finite field with pA Galois field is a finite field with pnn elements elements for a prime pfor a prime p

• There is There is only one only one finite field with pfinite field with pnn elements for every elements for every power of n and prime p.power of n and prime p.

• GF(pGF(pnn) = Z) = Zpp[X] (mod P(X)) is a field with p[X] (mod P(X)) is a field with pnn elements. elements.

• Wasn’t ZWasn’t Z22[X] (mod X[X] (mod X22 + X + 1) = GF(4)? + X + 1) = GF(4)?

• Consider GF(2Consider GF(2nn) with P(X) = X) with P(X) = X88 + X + X44 + X + X33 + X + 1 + X + 1Rijndael uses this!Rijndael uses this!

Finish quiz.Finish quiz.

Back to Rijndael/AESBack to Rijndael/AESParallels with DES? Parallels with DES?

Multiple roundsMultiple rounds(7 is enough to require (7 is enough to require brute force)brute force)

DiffusionDiffusion XOR with round keysXOR with round keys No MixColumn in last No MixColumn in last

roundround

Major differencesMajor differences Not a Feistel systemNot a Feistel system Much quicker diffusion of Much quicker diffusion of

bits (2 rounds)bits (2 rounds) Much stronger against Much stronger against

linear, diffy. crypt., linear, diffy. crypt., interpolation attacksinterpolation attacks

ByteSub (BS)ByteSub (BS)

1.1. Write 128-bit input Write 128-bit input aa as matrix as matrix with 16 byte entries (column with 16 byte entries (column major ordering):major ordering):

2.2. For each byte, abcdefgh, For each byte, abcdefgh, replace with byte in location replace with byte in location (abcd, efgh)(abcd, efgh)

Example: 00011111 Example: 00011111 ___ ___Example: 11001011 Example: 11001011 ___ ___

3.3. Output is a matrix called bOutput is a matrix called bWhy were these numbers chosen?

3,32,31,30,3

3,22,21,20,2

3,12,11,10,1

3,02,01,00,0

aaaa

aaaa

aaaa

aaaa

a

S-box DerivationS-box Derivation

The S-box maps byte x to byte z via the function z = Ax-1+b:

Input byte x: x7x6x5x4x3x2x1x0

Compute the inverse in GF(28): y7y6y5y4y3y2y1y0 (non-linear, vs. attacks)(use 0 as inverse of 0)

Compute this linear function z in GF(28): (to complicate attacks) (A is simple to implement) b chosen so

xzandxz

2,31,30,33,3

1,20,23,22,2

0,13,12,11,1

3,02,01,00,0

bbbb

bbbb

bbbb

bbbb

c

ShiftRow (SR)ShiftRow (SR)

Shifts the entries of Shifts the entries of each row by each row by increasing offset:increasing offset:

Gives resistance to newer attacks Gives resistance to newer attacks (truncated differentials, (truncated differentials, Square attack)Square attack)

MixColumn (MC)MixColumn (MC)

Multiply – via GF(2Multiply – via GF(288) – with ) – with the fixed matrix shown.the fixed matrix shown.

Speed? Speed?

64 multiplications, each 64 multiplications, each involving at most 2 shifts involving at most 2 shifts + XORs+ XORs

Gives quick diffusion of bitsGives quick diffusion of bits

3,32,31,30,3

3,22,21,20,2

3,12,11,10,1

3,02,01,00,0

010..001..001..000000011

011..0010..001..000000001

01..0011..0010..000000001

01..001..0011..000000010

cccc

cccc

cccc

cccc

d

AddRoundKey (AddRoundKey (ARKARK))

XOR the round key XOR the round key with matrix d. with matrix d.

Key schedule on next slideKey schedule on next slide

ikde

Key ScheduleKey Schedule

Write original key as 4x4matrix with 4 columns: W(0), W(1), W(2), W(3). Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3))

Other columns defined recursively:

Highly non-linear. Resists attacks at finding whole key when part is known

K0K1 K10

192-, 256-bit versions similar

)43(...)7(...)4()3()2()1()0( WWWWWWW

otherwiseiW

iifiWTiWiW

)1(

|4))1(()4()(

)2()00000010()(

))((

0

0

0

)(

)(

84/)4( GFinir

iWT

ir

h

g

f

e

d

c

b

a

iW

i

SboxandShift

DecryptionDecryptionE(k) is:E(k) is:

(ARK(ARK00, BS, SR, MC, ARK, BS, SR, MC, ARK11, … BS, SR, , … BS, SR,

MC, ARKMC, ARK99, BS, SR, ARK, BS, SR, ARK1010))

Each function is invertible:Each function is invertible:

ARK; IBS; ISR; IMCARK; IBS; ISR; IMC

So D(k) is:So D(k) is:

ARKARK1010, ISR, IBS, ARK, ISR, IBS, ARK99, IMC, ISR, IBS, , IMC, ISR, IBS,

… ARK… ARK11, IMC, ISR, IBS, ARK, IMC, ISR, IBS, ARK00))

Half-round structure:Half-round structure:Write E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARKWrite E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARK

(Note that last MC wouldn’t fit)(Note that last MC wouldn’t fit)D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARKD(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARK

Can write:Can write:D(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARKD(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK

Wrap-upWrap-up

Wikipedia’s entry has some nice visualsWikipedia’s entry has some nice visuals

But this site has even nicer animations*But this site has even nicer animations*

* * Thanks to Adam Shiemke, 2009 for the linkThanks to Adam Shiemke, 2009 for the link