Chap. 5: Advanced Encryption Standard (AES)

Jen-Chang Liu, 2005

Adapted from lecture slides by Lawrie Brown

"It seems very simple.""It is very simple. But if you don't know

what the key is it's virtually indecipherable.“

—Talking to Strange Men, Ruth Rendell

Outline Introduction, evaluation criteria for AES AES cipher

Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

Origins of AES DES problems

have theoretical attacks that can break it have demonstrated exhaustive key search

attacks DES solution

Triple-DES – but slow with small blocks US NIST issued call for ciphers in 1997

15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001

AES Requirements private key symmetric block cipher 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES active life of 20-30 years provide full specification & design

details both C & Java implementations NIST have released all submissions &

unclassified analyses

AES Evaluation Criteria initial criteria (Table 5.1):

security – effort for practical cryptanalysis Brute-force for 128-bit key is impractical

cost – computational efficiency algorithm & implementation characteristics

final criteria: general security – public security analysis for

3 years software & hardware implementation ease Attacks on implementations

Timing attacks, power analysis flexibility (in en/decrypt, keying, other factors)

AES Shortlist after testing and evaluation, shortlist in Aug-

99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security

margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security

margin then subject to further analysis & comment saw contrast between algorithms with

few complex rounds verses many simple rounds which refined existing ciphers verses new proposals

Outline Introduction, evaluation criteria for AES AES cipher

Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

The AES Cipher - Rijndael designed by Rijmen-Daemen in

Belgium has 128/192/256 bit keys, 128 bit data

Rijndael an iterative rather than Feistel cipher

Feistel cipher: half of the data block is used to modify the other half, then swap the halves

Rijndael cipher: treats data in 4 groups of 4 bytes, operates an entire block in every round

designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity

AES

sub.

sub.

sub.

perm.

AES preview has 9/11/13 full rounds:

byte substitution (1 S-box used on every byte) shift rows (permute bytes between

groups/columns) mix columns (subs using matrix multipy of

groups) add round key (XOR state with key material)

initial XOR key material & incomplete last round

all operations can be combined into XOR and table lookups - hence very fast & efficient

AES data structure

128-bit data block => 16 bytes

input output

Round1

Roundn

a byteA columnof 4 bytes(1 word)

row state

Add Round Key XOR state with 128-bits of the round

key inverse for decryption is identical since

XOR is own inverse, just with correct round key

Add round key (cont.) processed by column (though effectively a

series of byte operations)

+128-bit key

Original key Expanded key

+

AES key expansion takes 128-bit (16-byte) key and

expands into array of 44/52/60 32-bit words

start by copying key into first 4 words Expanded key: loop creating words

that depend on values in previous & 4 places back in 3 of 4 cases just XOR these together every 4th has S-box + rotate + XOR

constant of previous before XOR together

AES key expansion (cont.)

Original128-bit

key

g:w3 = 7F 8D 29 2F1. Rotate word -

8D 29 2F 7F2. Substitute byte (S-Box) -

5D A5 15 D23. XOR a round constant -

5C A5 15 D2

S-Box 8D 29 2F 7F => 5D A5 15 D2

Round constant in g

Round constant (RC) word 3 rightmost bytes are 0 Leftmost byte follows RC[j]=2RC[j-1]

over GF(28)

5D A5 15 D23. XOR a round constant

5C A5 15 D2

Round j 1 2 3 4 5 6 7 8 9 10

RC[j] 01 02 04 08 10 20 40 80 1B 36

2 2

Fast multiplication in GF(28)

Textbook p. 133 Irreducible poly. for AES:

m(x)=x8+ x4+ x3+x+1 {80}2=?

1)( mod 348 xxxxmx

x7 x = x8which exceeds the range of GF(28)

0001 1011 = {1B}

Fast multiplication

01

12

23

34

45

56

67

7)( bxbxbxbxbxbxbxbxf

}{ 01234567 bbbbbbbb

1 if 000110110

0 if 0)(

70123456

70123456

bbbbbbbb

bbbbbbbbxfx

000101010001101100001110

10000111028702

Example:

x4+ x3+x+1

Outline Introduction, evaluation criteria for AES AES cipher

Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

AES

Substitute bytes transformation

One byte:1001 0101

1001

0101

S-Box (the only one in AES)

Construction of S-box

1. Initialize S-box2. Map each entry toits multiplicative

inversein GF(28)3. Apply

transformationformula

0 1 2 3 4 5 … E F0 00 01 02 03 04 05 … 0E 0F1 10 11 12 13 14 15 … 1E 1F …F F0 F1 F2 F3 F4 F5 … FE FF

0 1 2 3 4 5 … E F0 00 01 …1 …9 … 8A …F …

Mathematics behind S-Box Modulo 2 arithmetic

0

1

1

1

1

1

0

0

0

1

1

0

0

0

1

1

0

0

0

1

1

1

1

1

0

1

1

0

0

0

1

1

0

0

0

0

0

0

0

1

11111000

01111100

00111110

00011111

10001111

11000111

11100011

11110001

=7C

Rationale behind S-Box Low correlation between input bits and

output bits (check linear approximation table)

No fixed points: S-box(a)=a By the added constant 01100011

No opposite fixed points: S-box(a)=a a : the bitwise complement of a

S-box is not self-inverse S-box(a) = Inv_S-box(a)

S-box design criterion (p.88)

Strict avalanche criterion (SAC) Any output bit j of an S-box should change

with probability ½ when any single input bit i is inverted for all i, j

Bit independence criterion (BIC) Output bits j and k should change

independently when any single input bit i is inverted, for all i, j, k

Guaranteed avalanche (GA) For a 1-bit input change, at least r output bits

change. (r=2 to 5 provides strong diffusion)

S-box design approaches Random: use pseudo-random number

generator for each entry in the S-box Suitable for large S-box

Random with testing: test results against various criteria

Human-made: ex. DES Suitable for small S-box

Math-made: ex. AES Key-dependent S-box: Blowfish (Chap.

6)

Outline Introduction, evaluation criteria for AES AES cipher

Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

Shift Rows

4 bytes of one column are spread out to 4 different columns

Shift left 1 byte

Shift left 2 bytes

Shift left 3 bytes

Mix column transformation

Input state Output state

column

column

Mix Columns (cont.) each column is processed separately each byte is replaced by a value

dependent on all 4 bytes in the column a matrix multiplication in GF(28) using

prime poly m(x) =x8+x4+x3+x+1

Matrix computation in GF(28)

j

j

j

j

j

j

j

j

s

s

s

s

s

s

s

s

,3

,2

,1

,0

,3

,2

,1

,0

2113

3211

1321

1132

Example:

Only 1, 2, 3

1 if 000110110

0 if 0}{}02{

70123456

70123456

bbbbbbbb

bbbbbbbbx

}{}){}02({}{}03{ xxx

* Only shift, conditional XOR, and XOR

Matrix computation in GF(28)

EDA

E

94

37

47

6

46

6

87

2113

3211

1321

1132

Example:

000101010001101100001110

10000111028702

101100101101110001101110

6026603

EEE

00010101101100100100011010100110

01000111

={47}

+

For 8-bit processor (p.165)

j

j

j

j

j

j

j

j

s

s

s

s

s

s

s

s

,3

,2

,1

,0

,3

,2

,1

,0

2113

3211

1321

1132

jjjj ssssTmp ,3,2,1,0

=>

jjjj sssTmps ,1,0,0,0 2

jjjj sssTmps ,2,1,1,1 2

jjjj sssTmps ,3,2,2,2 2 jjjj sssTmps ,0,3,3,3 2

2x => can be replacedby a table lookup

Implementation Aspects can efficiently implement on 8-bit CPU

byte substitution works on bytes using a table of 256 entries

shift rows is simple byte shifting add round key works on byte XORs mix columns requires matrix multiply in

GF(28) which works on byte values, can be simplified to use a table lookup

Outline Introduction, evaluation criteria for AES AES cipher

Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

AES Decryption AES decryption is not identical to

encryption since steps done in reverse

AES decryption Two separate software/hardware for

both encryption and decryption Is it possible that the decryption

algorithm has the same sequence of transformation (inverse transform) as the encryption algorithm?

Inverse shift rows and sub. bytes

inverse

Inverse shift rows then Sub. bytes= Sub. bytes then Inverse shift rows

According to the previous figure, both operations are oneach bytes, and they are commute.

Add round key and inverse mix columns

The order can be exchanged

AES Implementation by table look-up and XOR

aij: element of status matrix

SubBytes bij = S[aij]

ShiftRows

3,3

2,2

1,1

,0

,3

,2

,1

,0

j

j

j

j

j

j

j

j

b

b

b

b

c

c

c

c

MixColumns

j

j

j

j

j

j

j

j

c

c

c

c

d

d

d

d

,3

,2

,1

,0

,3

,2

,1

,0

02010103

03020101

01030201

01010302

j

j

j

j

j

j

j

j

j

j

j

j

k

k

k

k

d

d

d

d

e

e

e

e

,3

,2

,1

,0

,3

,2

,1

,0

,3

,2

,1

,0

AddRoundKey

Summary have considered:

the AES selection process the details of Rijndael – the AES cipher the key expansion looked at the steps in each round implementation aspects