Conception - Why A New Cipher?
DES had outlived its usefulness
- Vulnerabilities were becoming known
- Its 56-bit key was too small (public brute-force machines broke DES keys in 1998 and 1999)
- Too slow in software implementations
NIST wanted increased trust in the cipher
- The previous standardisation process was very closed
- DES was suspected of having 'back doors'
Conception - The Process
January 2, 1997 - NIST announces the need for a DES successor and asks for input from interested parties
September 12, 1997 - Call for new algorithms
Requirements
- Publicly defined, publicly available
- Symmetric block cipher with a 128-bit block and keys of 128, 192 and 256 bits
- Implementable in both hardware and software
Judgement criteria
- Security
- Computational efficiency and memory requirements
- Hardware/software suitability
- Simplicity and flexibility
- Licensing requirements (the winner had to be available royalty-free)
15 ciphers submitted, 5 finalists:
- MARS - IBM
- RC6 - RSA Laboratories
- Rijndael - Joan Daemen and Vincent Rijmen
- Serpent - Anderson, Biham, Knudsen
- Twofish - Schneier, Kelsey, Whiting, Wagner, Hall, Ferguson
Final winner: Rijndael (announced October 2, 2000; published as FIPS 197 in November 2001)
The Cipher - Background Math
The mathematics needed to understand AES looks and sounds complicated - don't worry, it isn't.
Fields
- A set of values on which addition, subtraction, multiplication and division (by anything but zero) are defined and behave as usual
- The real numbers and the rational numbers are fields; other fields exist and can be defined
Finite Fields
- A field with a finite number of elements (unlike the reals)
Modular Arithmetic
- 9 ≡ 14 ≡ 24 ≡ 4 (mod 5)
- Works on integers, and the same idea (reduce modulo a fixed element) works on polynomials, which is how AES builds its finite field
The Cipher - Background Math
Rijndael's Finite Field
- A characteristic-2 finite field with 2^8 = 256 elements: each element is a byte, read as a polynomial of degree < 8 with coefficients in {0, 1} (bit i is the coefficient of x^i)
- This is the Galois field GF(2^8)
- Addition is XOR of the two bytes (coefficient-wise addition mod 2), so every element is its own additive inverse and subtraction equals addition
- Multiplication is polynomial multiplication reduced modulo m(x) = x^8 + x^4 + x^3 + x + 1 (the byte pair {01}{1b}), an irreducible polynomial over GF(2); irreducibility is what guarantees that every non-zero byte has a multiplicative inverse
The Cipher - Background Math
A Higher-Level Structure: Polynomials with Coefficients in GF(2^8)
a(x) = a3 x^3 + a2 x^2 + a1 x + a0
- Each a_i is a byte, an element of GF(2^8)
Addition:
a(x) + b(x) = (a3 ⊕ b3) x^3 + (a2 ⊕ b2) x^2 + (a1 ⊕ b1) x + (a0 ⊕ b0)
Multiplication:
- Same as multiplying two polynomials, with coefficient products in GF(2^8) and sums by XOR
- Reduce to degree < 4 using mod x^4 + 1, i.e. x^i mod (x^4 + 1) = x^(i mod 4)
- Caveat: x^4 + 1 is not irreducible over GF(2^8) (it factors as (x + 1)^4), so this structure is a ring rather than a field and not every polynomial has an inverse; AES only multiplies by fixed polynomials that do have inverses
- For a fixed polynomial, multiplication becomes a matrix-vector multiplication: a 4x4 circulant matrix of bytes times the column of coefficients
The Cipher - SubBytes
- AES's single S-box: a non-linear byte substitution that is invertible
- For each byte {xy} of the state:
  1. Let {ab} := the multiplicative inverse of {xy} in GF(2^8); {00}, which has no inverse, is mapped to {00}
  2. Let {xy}' := an affine transform of {ab} over GF(2): bit i of the output is b_i ⊕ b_(i+4 mod 8) ⊕ b_(i+5 mod 8) ⊕ b_(i+6 mod 8) ⊕ b_(i+7 mod 8) ⊕ c_i, where c = {63}
- Example from FIPS 197: {53} has inverse {ca}, and the affine transform of {ca} is {ed}, so SubBytes({53}) = {ed}; SubBytes({00}) = {63}
- The inversion step supplies the non-linearity; the affine step removes fixed points (no byte maps to itself) and simple algebraic structure
The Cipher - MixColumns
- Treats each column of the state as a four-term polynomial over GF(2^8)
- Multiplies each column by the fixed polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1, returning a new column
- Equivalently, each column is multiplied by the circulant matrix with rows (02 03 01 01), (01 02 03 01), (01 01 02 03), (03 01 01 02)
- a(x) is one of the polynomials that does have an inverse modulo x^4 + 1: a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}, which is what InvMixColumns uses
The Cipher - AddRoundKey
- The Key Expansion takes the cipher key K and produces 4*(Nr+1) 32-bit words w[0..4Nr+3], where Nr = number of rounds; each group of four consecutive words is one round key (Nr+1 round keys: one for the initial AddRoundKey and one per round)
- AddRoundKey takes the state (4 columns, each a 32-bit word) and the next 4 words, and XORs them column by column to give a new state
- For round l and column i: Col_i ⊕ w[4*l + i]
- This is the only step that involves the key, and because it is an XOR it is its own inverse
The Cipher - Key Expansion
- Given the cipher key (128, 192 or 256 bits, i.e. Nk = 4, 6 or 8 words) and the number of rounds Nr (10, 12 or 14), generates 4*(Nr+1) 32-bit words
- The first Nk words (4, 6 or 8) are the cipher key itself
- Each later word is w[i] = w[i-Nk] ⊕ temp, where temp is normally just w[i-1]
- Every Nk words (when i mod Nk = 0), temp is first transformed: RotWord (rotate the 4 bytes of the word left by one byte), then SubWord (apply SubBytes to each of the 4 bytes), then XOR the round constant Rcon[i/Nk] = {x^(i/Nk - 1)} into the first byte
- For AES-256 (Nk = 8) an extra SubWord is applied when i mod Nk = 4
The Cipher - Inversion
Each sub-function of the cipher is invertible, so decryption runs the steps backwards with the round keys in reverse order:
- SubBytes: undo the affine transform, then take the multiplicative inverse of the result (InvSubBytes, a second 256-entry table)
- ShiftRows: rotate the rows right by the same amounts they were rotated left (row r by r bytes)
- MixColumns: multiply each column by the inverse matrix (top row {0e} {0b} {0d} {09})
- AddRoundKey: apply AddRoundKey again with the same round key (XOR is its own inverse)
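Putting the slides above into code: the following is an added example written for this page, not code from the slides or from FIPS 197. It builds the S-box from the GF(2^8) inverse and the affine transform (the SubBytes slide), implements MixColumns as the circulant matrix of a(x) modulo x^4 + 1 (the MixColumns slide), performs the key expansion with RotWord, SubWord and the round constants, applies AddRoundKey, and runs the inverse cipher (the Inversion slide). The function names, the column-major list representation of the state and the `nr` round-count parameter are this example's own choices; the known-answer values used to check it are FIPS 197's (Appendix A.1, B and C).

```python
# AES (FIPS 197) step by step: the S-box is derived from the GF(2^8) inverse plus the
# affine transform instead of being copied from a table, MixColumns is the matrix form of
# multiplication by a(x) mod x^4 + 1, and the round count is a parameter for study only.

RIJNDAEL_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the reducing polynomial of GF(2^8)


def xtime(a):
    """Multiply a byte by x (that is, by {02}) in GF(2^8): shift, then reduce mod m(x)."""
    a <<= 1
    return (a ^ RIJNDAEL_POLY) & 0xFF if a & 0x100 else a


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add; addition in GF(2^8) is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse: a^254, since a^255 = 1 for every a != 0; {00} maps to {00}."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def affine(b):
    """The affine part of SubBytes: b XOR its left rotations by 1, 2, 3, 4 bits XOR {63}."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]  # SubBytes table, computed rather than copied
INV_SBOX = [SBOX.index(y) for y in range(256)]  # InvSubBytes table


def key_expansion(key, nr):
    """Expand a 16/24/32-byte key into the 4*(nr+1) words w[i] of FIPS 197 section 5.2."""
    nk = len(key) // 4
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]  # the first Nk words are the key
    rcon = 0x01  # Rcon[1] = {01}, Rcon[j+1] = xtime(Rcon[j])
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon  # the round constant goes into the first byte only
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]  # extra SubWord, AES-256 only
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], t)))
    return w


# State: 16 bytes in FIPS 197 column-major order, byte r + 4*c is row r of column c.
def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s, inverse=False):
    """Rotate row r left by r bytes (right by r when inverting)."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s, inverse=False):
    """Multiply each column by the circulant matrix of a(x) (or a^-1(x)); row r = top row rotated right r."""
    top = (0x0E, 0x0B, 0x0D, 0x09) if inverse else (0x02, 0x03, 0x01, 0x01)
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(top[(j - r) % 4], col[j])
            out.append(v)
    return out


def add_round_key(s, w, rnd):
    """XOR the state with round key rnd: column i of the state gets word w[4*rnd + i]."""
    return [a ^ b for a, b in zip(s, b"".join(w[4 * rnd:4 * rnd + 4]))]


def encrypt_block(block, key, nr=None):
    """Encrypt one 16-byte block; nr defaults to 10/12/14 for 128/192/256-bit keys."""
    nr = len(key) // 4 + 6 if nr is None else nr
    w = key_expansion(key, nr)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, nr))  # last round: no MixColumns


def decrypt_block(block, key, nr=None):
    """Inverse cipher: each step inverted, round keys used in reverse order."""
    nr = len(key) // 4 + 6 if nr is None else nr
    w = key_expansion(key, nr)
    s = add_round_key(list(block), w, nr)
    for rnd in range(nr - 1, 0, -1):
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), w, rnd), True)
    return bytes(add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), w, 0))


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # the deck's key (FIPS 197 App. B)
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")   # FIPS 197 Appendix B plaintext
    print(encrypt_block(pt, key).hex())  # 3925841d02dc09fbdc118597196a0b32
    print(encrypt_block(bytes.fromhex("44226f447a7d337d3973332c5dae2763"), key, nr=2).hex())
```

With the deck's key, `key_expansion` reproduces the twelve words listed on the example slide (w[4] = a0fafe17 through w[11] = 7359f67f), and `encrypt_block(..., nr=2)` runs exactly the structure of the deck's one-round example: the initial AddRoundKey, one full round, and a final round without MixColumns. Reduced-round runs exist only to trace the algorithm; they are not a cipher anyone should use. Note also that this is a table-lookup implementation: `SBOX[b]` indexes a 256-entry table with a secret-dependent value, which is precisely the kind of code the cache-timing attacks on the later slides target, so production code should use the platform's hardware AES instructions or a constant-time implementation rather than anything like this.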
Example Encryption
For simplicity's sake, we do AES with 1 round (a real AES-128 encryption has 10 rounds and a 44-word key schedule; a reduced-round cipher is for illustration only and is not secure).
Block: 4422 6f44 7a7d 337d 3973 332c 5dae 2763
Key:   2b7e 1516 28ae d2a6 abf7 1588 09cf 4f3c
Key Schedule (the 12 words w[0..11] needed for the initial round, 1 full round and the final round):
  2b7e1516 28aed2a6 abf71588 09cf4f3c
  a0fafe17 88542cb1 23a33939 2a6c7605
  f2c295f2 7a96b943 5935807a 7359f67f
Initial State: {4422 6f44 7a7d 337d 3973 332c 5dae 2763} (the 16 bytes fill the 4x4 state column by column)
Initial Round: AddRoundKey with w[0..3]
Round 1: SubBytes, ShiftRows, MixColumns, AddRoundKey with w[4..7]
Final Round: SubBytes, ShiftRows, (skip MixColumns), AddRoundKey with w[8..11]
[The 4x4 state matrices shown after each step were figures in the original slides and are not reproduced here.]
Final Output: {dffd 649c 65a2 c8a2 66b1 8b18 184a 6fbb}
Security of AES
"I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." - Bruce Schneier (reference 2)
- Related-key attacks exist on the 192-bit and 256-bit versions, and practical attacks exist on reduced-round versions (reference 3 recovers keys from AES-256 reduced to 9 or 10 of its 14 rounds)
- The attacks on the full 192- and 256-bit ciphers are better than exhaustive search but still entirely infeasible for real-world applications: about 2^119 time for AES-256 and 2^176 time for AES-192
- Related-key attacks also require the attacker to obtain encryptions under several keys with a known relationship to one another; keys generated independently at random, as any sound key-management design does, never satisfy that condition
- Even the best mathematical attacks are not usable against AES-128, AES-192 or AES-256 with the full number of rounds
Security of AES
- Certain side-channel attacks exist against specific implementations of AES; they do not exploit the mathematics of the cipher but the way a particular implementation leaks through timing, cache behaviour or power consumption
- Example: cache-timing attacks on table-based implementations; reference 4 recovered an OpenSSL AES key from a network server by timing its responses
- Most variants require the ability to run code on the victim machine (sharing its cache), although the reference 4 attack worked remotely; the defence is a constant-time implementation (hardware AES instructions or bitsliced code), not a change to the cipher
Very strong features built in to avoid DES-style attacks
- The finite-field inversion in the S-box construction gives it a low maximum differential probability and linear bias, making linear and differential attacks difficult
- MixColumns (together with ShiftRows) ensures there are no "narrow" paths through only a few S-boxes, so every multi-round trail involves many active S-boxes, again defeating linear and differential attacks
References
1. Federal Information Processing Standards Publication 197, Advanced Encryption Standard (AES), November 26, 2001.
2. Bruce Schneier, "AES Announced", Crypto-Gram Newsletter, October 15, 2000. http://www.schneier.com/crypto-gram-0010.html#8
3. Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, Adi Shamir, "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", Cryptology ePrint Archive, Report 2009/374. http://eprint.iacr.org/2009/374
4. Daniel J. Bernstein, "Cache-timing attacks on AES", University of Illinois at Chicago, 2005. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
5. Douglas Stinson, Cryptography: Theory and Practice, 3rd ed., Chapman & Hall/CRC, Boca Raton, FL, 2006.