Information Security Lab. Dept. of Computer Engineering
PART I Symmetric Ciphers
CHAPTER 5 Advanced Encryption Standard
5.1 Evaluation Criteria For AES
5.2 The AES Cipher
KEY POINTS
- AES is a block cipher intended to replace DES for commercial applications. It uses a 128-bit block size and a key size of 128, 192, or 256 bits.
- AES does not use a Feistel structure. Instead, each full round consists of four separate functions: byte substitution, permutation, arithmetic operations over a finite field, and XOR with a key.
5.1 Evaluation Criteria for AES
The Origins of AES
- A replacement for DES was needed: DES has theoretical attacks that can break it, and exhaustive key search attacks have been demonstrated.
- Triple-DES can be used, but it is slow and has small blocks.
- US NIST issued a call for ciphers on Sep. 12, 1997 (block length: 128 bits; key length: 128, 192, 256 bits; royalty-free basis; stronger and faster than Triple-DES).
- Submissions were due on June 15, 1998. Of the 21 submitted cryptosystems, 15 met all the necessary criteria (the AES candidates).
- "First AES Candidate Conference" on Aug. 20, 1998; "Second AES Candidate Conference" in Mar. 1999.
- Aug. 1999: five of the candidates were chosen by NIST as finalists: MARS, RC6, Rijndael, Serpent, Twofish.
- Apr. 2000: Third AES Candidate Conference.
- Oct. 2, 2000: Rijndael was selected to be the AES (Belgian researchers Joan Daemen and Vincent Rijmen).
- Feb. 28, 2001: NIST made the AES available for public review and comment.
- Nov. 26, 2001: Rijndael was adopted as a standard (AES). Dec. 4, 2001: published as FIPS 197.
- Rijndael was selected because of its combination of security, performance, efficiency, implementability and flexibility.
AES Evaluation
Initial criteria:
- security – effort for practical cryptanalysis
- cost – in terms of computational efficiency
- algorithm & implementation characteristics
Final criteria (Oct. 2, 2000):
- general security
- ease of software & hardware implementation
- implementation attacks
- flexibility (in en/decrypt, keying, other factors)
5.2 The AES Cipher
- Designed by Rijmen and Daemen in Belgium
- Block & key size: 128/192/256-bit keys (Table 5.3 AES Parameters)
- An iterative rather than Feistel cipher: processes data as a block of 4 columns of 4 bytes, and operates on the entire data block in every round
- Designed to be: resistant against known attacks; fast and compact in code on many CPUs; simple in design
Variable block length: 128, 192, 256 bits
State: intermediate cipher result
Nb: the number of 4-byte words (32 bits) in a block; Nb = 4, 6, 8 if the block length is 128, 192, 256 bits
One-dimensional array of bytes within a block: x0, x1, x2, …, x15, …, x23, …, x31
Rectangular (2D) array with four rows
Index of the one-dimensional array: n, with 0 ≤ n ≤ 15 (Nb = 4); 0 ≤ n ≤ 23 (Nb = 6); 0 ≤ n ≤ 31 (Nb = 8)
Index of the rectangular (2D) array: (i, j), with i = n mod 4, j = n / 4 (integer division), n = i + 4 * j
0 ≤ j ≤ 3 (Nb = 4); 0 ≤ j ≤ 5 (Nb = 6); 0 ≤ j ≤ 7 (Nb = 8)
State: intermediate cipher result. The plaintext block is copied byte by byte, column by column, into the State; Nb = 6 and Nb = 8 add further columns to the same four rows.
Plaintext block (Nb = 4):
x0  x4  x8  x12
x1  x5  x9  x13
x2  x6  x10 x14
x3  x7  x11 x15
State (Nb = 4):
s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3
Variable key length: 128, 192, 256 bits
Nk: the number of 4-byte words (32 bits) in a key; Nk = 4, 6, 8 if the key length is 128, 192, 256 bits
Key (Nk = 4), bytes arranged in columns:
k0  k4  k8  k12
k1  k5  k9  k13
k2  k6  k10 k14
k3  k7  k11 k15
Key and expanded key: the words w0 w1 w2 w3 … w42 w43 (key size Nk = 4, Nr = 10)
The AES is an iterated cipher; the number of rounds, Nr, depends on the block length and the key length.
Nr = the number of rounds:
         Nb = 4   Nb = 6   Nb = 8
Nk = 4     10       12       14
Nk = 6     12       12       14
Nk = 8     14       14       14
Fig. 5.1 AES Encryption/Decryption (Nb = 4, Nk = 4, Nr = 10)
Substitute Bytes Transformation (SubBytes)
Forward and inverse substitute byte transformation. Example: S1,1 = {95} is looked up at S-box row 9, column 5, giving S1,1 = {2A}.
The S-box is constructed using a defined transformation of values in GF(2^8) and is designed to be resistant to all known attacks.
Substitute Bytes Transformation (SubBytes)
Table 5.4 AES S-box
Substitute Bytes Transformation (SubBytes)
The S-box is constructed in the following fashion:
1. The value of the byte at row x, column y is {xy}. Map each byte {xy} in the S-box to its multiplicative inverse in the finite field GF(2^8) = F[x]/(x^8 + x^4 + x^3 + x + 1).
2. Let {xy}^{-1} = b = (b7 b6 b5 b4 b3 b2 b1 b0).
3. Apply the following transformation to each bit of b:
$$ b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i $$
where c_i is the i-th bit of the byte c with (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011) = {63}.
b → affine transformation → b'
Substitute Bytes Transformation (SubBytes)
The affine transformation of the S-box in the field GF(2^8), written in matrix form (the constant column is c = {63}):
$$
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
=
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
$$
Substitute Bytes Transformation (SubBytes)
Example: {xy} = {95} = (10010101), so A(x) = x^7 + x^4 + x^2 + 1 and A(x)^{-1} = x^7 + x^3 + x, giving b = (10001010) = {8A}.
Applying the affine transformation to b = {8A} (the matrix product gives (1 0 0 1 0 0 1 0), then XOR with c):
$$
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \end{bmatrix}
=
\begin{bmatrix} 1 \\ 0 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 0 \end{bmatrix},
\qquad
\begin{bmatrix} 1 \\ 0 \\ 0 \\ 1 \\ 0 \\ 0 \\ 1 \\ 0 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
=
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
=
\begin{bmatrix} 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 1 \\ 0 \\ 0 \end{bmatrix}
$$
b' = (00101010) = {2A}
Inverse SubBytes Transformation
Table 5.4 AES Inverse S-box
Inverse SubBytes Transformation
The inverse affine transformation maps b' = {2A} back to b = {8A}; then {8A}^{-1} = {95}, the inverse in the field GF(2^8).
Bitwise, with d = (00000101) = {05}:
$$ b_i = b'_{(i+2) \bmod 8} \oplus b'_{(i+5) \bmod 8} \oplus b'_{(i+7) \bmod 8} \oplus d_i $$
In matrix form:
$$
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{bmatrix}
=
\begin{bmatrix}
0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 1 & 0
\end{bmatrix}
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{bmatrix}
$$
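The S-box construction and its inverse described on the preceding slides, as an added example (not code from the slides): it computes each entry as the GF(2^8) inverse followed by the affine map with c = {63}, and undoes it with the inverse affine map (d = {05}) followed by the field inverse. The function and constant names are this example's own.

```python
# Added example (not from the slides): build S-box entries the way the slides
# describe them, and the inverse S-box by reversing the two steps.
POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (group order 255); {00} maps to {00}."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def affine(b):
    """b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) (mod 8) ^ c_i, c = {63}."""
    out = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out ^ 0x63

def inv_affine(b):
    """b_i = b'_(i+2) ^ b'_(i+5) ^ b'_(i+7) (mod 8) ^ d_i, d = {05}."""
    out = 0
    for i in range(8):
        bit = 0
        for k in (2, 5, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out ^ 0x05

def sbox(x):
    return affine(gf_inv(x))          # forward S-box: inverse, then affine
def inv_sbox(y):
    return gf_inv(inv_affine(y))      # inverse S-box: inverse affine, then inverse
SBOX = [sbox(x) for x in range(256)]  # Table 5.4 rebuilt from the rule
```

The slides' worked values fall out directly: gf_inv(0x95) is {8A}, affine(0x8A) is {2A}, and inv_sbox(0x2A) returns {95}.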
Forward ShiftRows Transformation
A circular byte shift in each row:
- row 1: no left shift
- row 2: 1 left shift
- row 3: 2 left shifts
- row 4: 3 left shifts
Before ShiftRows:
87 F2 4D 97
EC 6E 4C 90
4A C3 46 E7
8C D8 95 A6
After ShiftRows:
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
Shift offsets for different block lengths:
Nb   Row 1   Row 2   Row 3   Row 4
4    0       1       2       3
6    0       1       2       3
8    0       1       3       4
Inverse ShiftRows Transformation
Decryption inverts the forward transformation using shifts to the right.
Forward MixColumns Transformation
Each column is processed separately. Each byte is replaced by a value dependent on all 4 bytes in the column.
Forward MixColumns Transformation
Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1:
$$
\begin{bmatrix} s'_{0,j} \\ s'_{1,j} \\ s'_{2,j} \\ s'_{3,j} \end{bmatrix}
=
\begin{bmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{bmatrix}
\begin{bmatrix} s_{0,j} \\ s_{1,j} \\ s_{2,j} \\ s_{3,j} \end{bmatrix}
$$
That is, for each column j (0 ≤ j ≤ 3):
$$
\begin{aligned}
s'_{0,j} &= (2 \cdot s_{0,j}) \oplus (3 \cdot s_{1,j}) \oplus s_{2,j} \oplus s_{3,j} \\
s'_{1,j} &= s_{0,j} \oplus (2 \cdot s_{1,j}) \oplus (3 \cdot s_{2,j}) \oplus s_{3,j} \\
s'_{2,j} &= s_{0,j} \oplus s_{1,j} \oplus (2 \cdot s_{2,j}) \oplus (3 \cdot s_{3,j}) \\
s'_{3,j} &= (3 \cdot s_{0,j}) \oplus s_{1,j} \oplus s_{2,j} \oplus (2 \cdot s_{3,j})
\end{aligned}
$$
Forward MixColumns Transformation
Example (input is the State after ShiftRows):
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
becomes, after MixColumns:
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
Inverse MixColumns Transformation
Decryption requires the use of the inverse matrix:
$$
\begin{bmatrix}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\
s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\
s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3}
\end{bmatrix}
=
\begin{bmatrix}
0E & 0B & 0D & 09 \\
09 & 0E & 0B & 0D \\
0D & 09 & 0E & 0B \\
0B & 0D & 09 & 0E
\end{bmatrix}
\begin{bmatrix}
s'_{0,0} & s'_{0,1} & s'_{0,2} & s'_{0,3} \\
s'_{1,0} & s'_{1,1} & s'_{1,2} & s'_{1,3} \\
s'_{2,0} & s'_{2,1} & s'_{2,2} & s'_{2,3} \\
s'_{3,0} & s'_{3,1} & s'_{3,2} & s'_{3,3}
\end{bmatrix}
$$
Forward AddRoundKey Transformation
XOR the State with 128 bits of the round key.
Inverse AddRoundKey Transformation
The inverse for decryption is identical, since XOR is its own inverse, with the round keys applied in reverse order.
AES Key Expansion
Takes the 128-bit (16-byte) key and expands it into an array of 44 32-bit words (52/60 words for the 192/256-bit key sizes).
The function g:
1. RotWord: one-byte circular left shift, wi = [b0 b1 b2 b3] → [b1 b2 b3 b0]
2. SubWord: the SubBytes transformation applied to each byte
3. The result of 1 & 2 is XORed with Rcon[j]
Rcon[1] = 1, and Rcon[j] = 2 · Rcon[j-1] over GF(2^8): Rcon[2] = 02, Rcon[3] = 04, Rcon[4] = 08, Rcon[5] = 10, Rcon[6] = 20, Rcon[7] = 40, Rcon[8] = 80, Rcon[9] = 1B, Rcon[10] = 36
AES Key Expansion Rationale
Designed to resist known attacks; the design criteria included:
- knowing part of the key is insufficient to find many more bits
- an invertible transformation
- fast on a wide range of CPUs
- use of round constants to break symmetry
- diffusion of key bits into the round keys
- enough non-linearity to hinder analysis
- simplicity of description
Equivalent Inverse Cipher
AES decryption is not identical to encryption, since the steps are done in reverse; but an equivalent inverse cipher can be defined with the steps in the same order as for encryption, using the inverse of each step with a different key schedule.
- Interchanging InvShiftRows and InvSubBytes: InvShiftRows[InvSubBytes(Si)] = InvSubBytes[InvShiftRows(Si)]
- Interchanging AddRoundKey and InvMixColumns: InvMixColumns(Si ⊕ wj) = InvMixColumns(Si) ⊕ InvMixColumns(wj)
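The ShiftRows and MixColumns slides above, and the InvMixColumns/AddRoundKey identity just stated, as an added example (not code from the slides): it runs the slides' worked state through ShiftRows and MixColumns, recovers it with the inverse matrix, and lets the linearity identity be checked on any round-key state. The state layout (4 rows × Nb columns), the SHIFTS table for Nb = 6 and 8, and all names are this example's own.

```python
# Added example (not from the slides): ShiftRows, (Inv)MixColumns and
# AddRoundKey over a 4-row x Nb-column state of bytes.
POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r

# Row shift offsets for the Rijndael block lengths (Nb = 4, 6, 8)
SHIFTS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}

def shift_rows(state):
    """Circular left shift of row i by SHIFTS[Nb][i] bytes."""
    nb = len(state[0])
    return [row[c:] + row[:c] for row, c in zip(state, SHIFTS[nb])]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def mix_columns(state, matrix=MIX):
    """Multiply every column (a 4-byte vector) by matrix over GF(2^8)."""
    out = [row[:] for row in state]
    for j in range(len(state[0])):
        col = [state[i][j] for i in range(4)]
        for i in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(matrix[i][k], col[k])
            out[i][j] = v
    return out

def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)
def xor_state(a, b):
    """AddRoundKey: byte-wise XOR of two states."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

# Constructed from the slides' worked example: the state before ShiftRows
BEFORE = [[0x87, 0xF2, 0x4D, 0x97], [0xEC, 0x6E, 0x4C, 0x90],
          [0x4A, 0xC3, 0x46, 0xE7], [0x8C, 0xD8, 0x95, 0xA6]]
SHIFTED = shift_rows(BEFORE)   # expected 87 F2 4D 97 / 6E 4C 90 EC / ...
MIXED = mix_columns(SHIFTED)   # expected 47 40 A3 4C / 37 D4 70 9F / ...
```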
Implementation Aspects
- Can be implemented efficiently on an 8-bit CPU: byte substitution; ShiftRows is a byte shift; AddRoundKey works on byte XORs; MixColumns requires a matrix multiply in GF(2^8)
- Can be implemented efficiently on a 32-bit CPU: redefine the steps to use 32-bit words; can precompute 4 tables of 256 words; then each column in each round can be computed using 4 table lookups + 4 XORs, at a cost of 4 KB to store the tables
- A very efficient implementation was a key factor in its selection as the AES cipher
Summary
Have considered:
- the AES selection process
- the details of Rijndael – the AES cipher
- the steps in each round
- the key expansion
- implementation aspects