The Advanced Encryption Standard (AES)

Source: people.scs.carleton.ca/.../The_Advanced_Encryption_Standard_AES_… (Carleton slide deck)


Conception - Why A New Cipher?

DES had outlived its usefulness:
  Vulnerabilities were becoming known
  56-bit key was too small
  Too slow in software implementations

NIST wanted increased trust in the cipher:
  Previous processes were very closed
  DES was suspected of having 'back doors'

Conception - The Process

January 2, 1997 - NIST announces need for DES successor
  Asks for input from interested parties

September 12, 1997 - Call for new algorithms
  Requirements:
    Publicly defined, publicly available
    Variable-length key, symmetric block cipher
    Implemented in both hardware and software
  Judgement criteria:
    Security
    Computational efficiency, memory requirements
    Hardware/software suitability
    Simplicity, flexibility
    Licensing requirements

Conception - The Process

15 ciphers submitted, 5 finalists:
  MARS - IBM
  RC6 - RSA Laboratories
  Rijndael - Daemen and Rijmen
  Serpent - Anderson, Biham, Knudsen
  Twofish - Schneier, Kelsey, Whiting (and others)

Final winner: Rijndael

The Cipher

The Cipher - Background Math

The mathematics needed to understand AES looks and sounds very complicated - don't worry, it isn't.

Fields
  A set of values such that addition, subtraction, multiplication and division can be applied to values in it
  Real numbers and rational numbers are fields
  Other fields exist, and can be defined

Finite Fields
  A field with a finite number of elements (unlike the real numbers)

Modular Arithmetic
  9 ≡ 14 ≡ 24 ≡ 4 (mod 5)
  Works on integers, but also works on other groups and fields

The Cipher - Background Math

Rijndael's Finite Field
  A 'characteristic 2 finite field with 8 terms' (strings of 8 bits): the Galois field GF(2^8)
  Addition is done with the XOR operator
  Multiplication uses the reducing polynomial x^8 + x^4 + x^3 + x + 1 (an irreducible polynomial, used to define GF(2^8))

The Cipher - Background Math

A Higher Level Finite Field: Polynomials with Coefficients in GF(2^8)
  a(x) = a3 x^3 + a2 x^2 + a1 x + a0
  Each of the ai is a byte, an element of GF(2^8)
  Addition:
    a(x) + b(x) = (a3 ⊕ b3) x^3 + (a2 ⊕ b2) x^2 + (a1 ⊕ b1) x + (a0 ⊕ b0)
  Multiplication:
    Same as multiplying two polynomials
    We reduce mod x^4 + 1 so that the product again has only four terms (degree below 4)
    For a fixed polynomial, multiplication can turn into matrix-vector multiplication

The Cipher

That's it. That's all the math you need to know. You made it.

The Cipher - SubBytes

AES's single S-Box does a non-linear substitution which is invertible.

For each byte of input {XY}:
  1. Let {AB} := the multiplicative inverse of {XY} in GF(2^8)
  2. Let {XY}' := an affine transform of {AB}

Examples: {A8} => {C2}, {21} => {FD}, {27} => {CC}, {CF} => {8A}

The Cipher - ShiftRows

Cyclical Shift of the rows of the state

The Cipher - MixColumns

Treats each column as a four-term polynomial
Multiplies each column by a fixed polynomial, returning a new polynomial (the new column):
  a(x) = {03}x^3 + {01}x^2 + {01}x + {02}

The Cipher - AddRoundKey

The Key Expansion takes a Cipher Key K and makes 4*Nr 32-bit words, where Nr = number of rounds
AddRoundKey takes the state (4 words) and the next 4 round-key words, and returns a new state
For each column, return Col_i ⊕ Key_{l+i}, where l = round #, i = column #

The Cipher - Key Expansion

Given the initial key (size 128, 192 or 256 bits) and the number of rounds Nr, generates 4*(Nr+1) 32-bit words
Uses the SubWord function (which applies SubBytes to each of the 4 bytes of a word)
Uses the RotWord function (cyclically permutes the 4 bytes of a word)
The first 4-8 round-key words are the cipher key itself
Later words are generated from those, using the functions above

The Cipher - Inversion

Each sub-function of the cipher is invertible:
  SubBytes: reverse the affine transform, then find the inverse of the result
  ShiftRows: shift the rows by the reverse amounts
  MixColumns: apply the inverse matrix to each column
  AddRoundKey: use AddRoundKey again with the same key

The Cipher

Example Encryption
For simplicity's sake, we will do AES with 1 round.
Block: 4422 6f44 7a7d 337d 3973 332C 5dae 2763
Key:   2b7e 1516 28ae d2a6 abf7 1588 09cf 4f3c

Key Schedule:
  2b7e1516 28aed2a6 abf71588 09cf4f3c
  a0fafe17 88542cb1 23a33939 2a6c7605
  f2c295f2 7a96b943 5935807a 7359f67f

Example Encryption
Initial State: {4422 6f44 7a7d 337d 3973 332C 5dae 2763}
For the initial round: AddRoundKey
(The intermediate state matrices of this example were shown as figures on the slides.)

Example Encryption
For our 1 round (typically 10+ rounds):
  SubBytes
  ShiftRows
  MixColumns
  AddRoundKey (state ⊕ round key)

Example Encryption
For the final round:
  SubBytes
  ShiftRows
  (skip MixColumns)
  AddRoundKey

Final Output: {DFFD 649C 65A2 C8A2 66B1 8B18 184A 6FBB}
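The slides describe every building block (GF(2^8) arithmetic, the S-box as inverse-then-affine, the four-term polynomial product mod x^4 + 1, the key expansion, AddRoundKey) but the worked example survives only as labels. The following is an added example, not code from the Carleton deck or from FIPS 197: it assembles those pieces into a runnable AES-128 so the steps above can be traced on real input. Assumptions of my own: the state is stored column-major (index = row + 4*col, which is the block's byte order), only 128-bit keys are handled, all function names are mine, and `nr` is the round count, so `nr=10` is standard AES-128 while `nr=2` reproduces the deck's shortened cipher (initial AddRoundKey, one full round, then the final round without MixColumns). The sample key and block are the ones on the example slide.

```python
# Added example (not code from the Carleton slides): AES-128 assembled from the
# building blocks the deck describes. Assumed conventions: state stored column-major
# (index = row + 4*col, the block's byte order); 128-bit key; `nr` = number of rounds.

def xtime(b):
    """Multiply a GF(2^8) element by x = {02}, reducing by x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add (field addition is XOR)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Multiplicative inverse: a^254 = a^-1 because a^255 = 1; {00} maps to {00}."""
    r, p = 1, a
    for _ in range(7):                # a^254 = a^2 * a^4 * ... * a^128
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r if a else 0

def affine(b):
    """The S-box affine transform: XOR b with its four left rotations and {63}."""
    r = b
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r ^ 0x63

# SubBytes table built the way the slide states: field inverse, then affine map.
SBOX = [affine(gf_inv(x)) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]   # reverse lookup for InvSubBytes

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r positions (state is column-major)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def poly_mul_mod(a, b):
    """Product of two 4-term polynomials over GF(2^8), reduced mod x^4 + 1.
    List index = power of x; because x^4 = 1, exponents wrap mod 4."""
    d = [0] * 4
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d

MIX_POLY = [0x02, 0x01, 0x01, 0x03]   # a(x) = {03}x^3 + {01}x^2 + {01}x + {02}

def mix_columns(s):
    """Each column (top byte = x^0 coefficient) is multiplied by a(x);
    this is the same as the slide's fixed matrix-vector product."""
    out = []
    for c in range(4):
        out += poly_mul_mod(MIX_POLY, s[4 * c:4 * c + 4])
    return out

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key, nr):
    """Key expansion (128-bit key): 4*(nr+1) words; every 4th word gets
    RotWord, SubWord and a round constant before the XOR with w[i-4]."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 4 * (nr + 1)):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return w

def add_round_key(s, w, rnd):
    """Column i of the state is XORed with round-key word w[4*rnd + i]."""
    return [b ^ w[4 * rnd + i // 4][i % 4] for i, b in enumerate(s)]

def encrypt(block, key, nr=10):
    """nr=10 is AES-128; nr=2 is the deck's walkthrough (initial AddRoundKey,
    one full round, then the final round without MixColumns)."""
    w = expand_key(key, nr)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, nr)
    return bytes(s)

# Sample input taken from the deck's example slide.
DECK_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
DECK_BLOCK = bytes.fromhex("44226f447a7d337d3973332c5dae2763")

def deck_one_round():
    return encrypt(DECK_BLOCK, DECK_KEY, nr=2)
```

`expand_key(DECK_KEY, 2)` returns exactly the three rows of the key schedule on the example slide, and `SBOX` reproduces the four SubBytes examples ({A8} => {C2} and so on); `encrypt` with `nr=10` matches the AES-128 test vectors in FIPS 197 (reference 1). To see the state matrices the slides showed as figures, print `s` after each call inside `encrypt` while running `deck_one_round()`. The "inverse matrix" of the Inversion slide is the polynomial inverse of a(x): multiplying `MIX_POLY` by FIPS 197's InvMixColumns polynomial {0b}x^3 + {0d}x^2 + {09}x + {0e} (list form `[0x0E, 0x09, 0x0D, 0x0B]`) under `poly_mul_mod` gives `[1, 0, 0, 0]`, and `INV_SBOX` is the reverse-affine-then-invert table the same slide describes.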

Security of AES

"I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." - Bruce Schneier

Some related-key attacks exist on the 192-bit and 256-bit versions, and on reduced-round versions
  The attacks are better than exhaustive search, but are still entirely infeasible for real-world applications: 256-bit version in 2^117 time, 192-bit version in 2^119 time
  Related-key attacks require the attacker to know how plaintext is encrypted with more than 1 key
  Even the best mathematical attacks are still not usable on AES-128, AES-192 or AES-256 with full rounds

Security of AES

Certain side-channel attacks exist for specific implementations of AES
  These do not exploit the actual cryptography of the cipher, but instead attack how specific versions are implemented
  Ex: using timing attacks to guess SSL keys
  Usually, these attacks require the ability to run code on the victim machine

Very strong features are built in to avoid DES-style attacks
  Use of finite field inversion in the S-Box construction helps make linear and differential attacks difficult
  MixColumns helps ensure that there are no "narrow" paths using only a few S-Boxes, again preventing linear and differential attacks

References

1. Federal Information Processing Standards Publication 197, November 26, 2001 - Advanced Encryption Standard.
2. "AES Announced", Bruce Schneier, Crypto-Gram Newsletter, Oct 15, 2000. http://www.schneier.com/crypto-gram-0010.html#8
3. "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", Biryukov, Dunkelman, Keller, Khovratovich, Shamir. Cryptology ePrint Archive: Report 2009/374. http://eprint.iacr.org/2009/374
4. "Cache-timing attacks on AES", Daniel Bernstein, University of Illinois at Chicago. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
5. Stinson, Douglas. Cryptography, Theory and Practice. 3rd ed. Boca Raton, FL: Chapman & Hall/CRC, 2006.