AES: Advanced Encryption Standard
Lecture slides (duan/classes/cnt5412/lectures/...)
• Reading
– Chapter 3
Origin and Objectives of AES
• Replacement for DES was needed
– theoretical attacks exist that can break it
– exhaustive key search attacks have been demonstrated
• Design objectives of a new cryptographic algorithm
– Secure
– Efficient
– Flexible
• US NIST issued a call for ciphers in 1997
– 15 candidates accepted in Jun 98
– 5 were shortlisted in Aug 99
– Rijndael was selected as the AES in Oct 2000
– Issued as the FIPS PUB 197 standard in Nov 2001
The AES Cipher
• Data block size
– 128 bits
• Key size
– 128, 192, and 256 bits
– AES-128, AES-192, and AES-256
• Number of rounds depends on key size
– 10 rounds for AES-128
– 12 rounds for AES-192
– 14 rounds for AES-256
• An iterated substitution-permutation cipher rather than a Feistel cipher
– processes data as a block arranged as a 4 by 4 matrix of bytes
– operates on the entire data block in every round (a Feistel round only transforms half)

AES Encryption Process (figure slide)
AES Structure
• The data block, as a 4 by 4 matrix of bytes, is the state
• The key is expanded into an array of words
• The first N-1 rounds have 4 state transformations
– byte substitution (one S-box applied to every byte)
– shift rows (permute bytes between columns)
– mix columns (substitution using a matrix multiply within each column)
– add round key (XOR state with key material)
• The last round has 3 state transformations
– it does not have the mix columns operation
• In addition, there is an initial "round"
– which only performs the add round key operation

AES Structure (figure slide)
Substitute Bytes
• A simple substitution of each byte
• Uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• Each byte of the state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits)
– e.g. byte 0x95 is replaced by the byte in row 9, column 5, which is 0x2A
• The S-box is constructed using a defined transformation of values in GF(2^8): the multiplicative inverse followed by a fixed affine map
• Decryption uses an inverse S-box

Substitute Bytes (figure slide)
Shift Rows
• A circular byte shift in each row
– 1st row is unchanged
– 2nd row does a 1-byte circular shift to the left
– 3rd row does a 2-byte circular shift to the left
– 4th row does a 3-byte circular shift to the left
• Decryption inverts this using shifts to the right
• Since the state is processed by columns, this step permutes bytes between the columns

Shift Rows (figure slide)
Mix Columns
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2^8), with the fixed matrix rows (2 3 1 1), (1 2 3 1), (1 1 2 3), (3 1 1 2)
Add Round Key
• XOR the state with 128 bits of the round key
– again processed by column (though effectively a series of byte operations)
• The inverse for decryption is identical, since XOR is its own inverse, with the round keys used in reverse order
• Designed to be as simple as possible
– a form of Vernam cipher on the expanded key
– requires the other stages for complexity / security

Add Round Key (figure slide)

AES Round (figure slide)
AES Key Expansion
• Takes the 128-bit (16-byte) key and expands it into an array of 44 32-bit words
• Start by copying the key into the first 4 words
• Then loop, creating word w[i]
– depends on the immediately previous word w[i-1] and the word 4 positions back, w[i-4]
– in 3 of 4 cases just XOR these together
– for the 1st word in each 4: rotate, S-box and XOR a round constant into the previous word, then XOR with the word 4 back

AES Key Expansion (figure slide)
AES Decryption
• AES decryption is not identical to encryption, since the steps are done in reverse order
• But an equivalent inverse cipher can be defined with the steps in the same order as encryption
– using the inverse of each step
– with a different key schedule
• This works because the result is unchanged when we
– swap byte substitution and shift rows (one permutes bytes, the other acts on each byte alone)
– swap mix columns and add (tweaked) round key (mix columns is linear, so the tweak is inverse mix columns applied to the round key)

AES Decryption (figure slide)
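The round steps from slides 5 to 16 and both decryption forms on this slide, assembled into a runnable AES-128 as an added example. This is the editor's code, not the lecture's or NIST's; it follows FIPS-197, keeps the state as a flat column-major list, builds the S-box from the GF(2^8) inverse and affine map instead of pasting the table, and checks itself against the FIPS-197 Appendix C.1 test vector (the 000102..0f key and 001122..ff plaintext). Its secret-indexed table lookups are not constant-time, so it is study code, never a substitute for a vetted library.

```python
# Added example, not the lecture's code: AES-128 from the slides' round steps
# (encrypt, straight inverse, equivalent inverse cipher), checked against the
# FIPS-197 Appendix C.1 vector.  Study code only: not constant-time.
from functools import reduce
from operator import xor

def xtime(b):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Multiplicative inverse by search; 0 maps to 0, as FIPS-197 specifies."""
    return next((b for b in range(256) if gf_mul(a, b) == 1), 0)

def _affine(b):
    """S-box affine map: XOR b with four rotations of itself, then with 0x63."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]          # SBOX[0x95] == 0x2a
INV_SBOX = [SBOX.index(v) for v in range(256)]

# State: a flat list of 16 bytes in column-major order, index 4*col + row.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, sign=1):
    """Row r rotates left by r bytes; sign=-1 rotates right (decryption)."""
    return [s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, m=MIX):
    """Each output byte is a GF(2^8) linear combination of its whole column."""
    return [reduce(xor, (gf_mul(a, v) for a, v in zip(row, s[4 * c:4 * c + 4])))
            for c in range(4) for row in m]

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):
    """AES-128 schedule: 16-byte key -> 44 words -> 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                      # RotWord, SubWord, XOR Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])                    # initial "round"
    for rnd in range(1, 10):                                 # 9 full rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])      # last: no MixColumns
    return bytes(s)

def decrypt_block(key, block):
    """Straight inverse: each encryption step undone, in reverse order."""
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])
    for rnd in range(9, 0, -1):
        s = add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[rnd])
        s = mix_columns(s, INV_MIX)
    return bytes(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[0]))

def decrypt_block_equiv(key, block):
    """Equivalent inverse cipher: encryption's step order with inverse steps and
    round keys 1..9 pushed through InvMixColumns (the 'tweaked' key schedule)."""
    rk = expand_key(key)
    rk = [rk[0]] + [mix_columns(k, INV_MIX) for k in rk[1:10]] + [rk[10]]
    s = add_round_key(list(block), rk[10])
    for rnd in range(9, 0, -1):
        s = mix_columns(shift_rows(sub_bytes(s, INV_SBOX), -1), INV_MIX)
        s = add_round_key(s, rk[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(s, INV_SBOX), -1), rk[0]))

# FIPS-197 Appendix C.1 test vector (published values, not made up here).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    print("FIPS-197 C.1 round trip:", decrypt_block_equiv(KEY, encrypt_block(KEY, PT)) == PT)
```

decrypt_block_equiv is the slide's "equivalent inverse cipher": InvShiftRows and InvSubBytes commute because one permutes bytes while the other acts on each byte alone, and InvMixColumns is linear, so InvMixColumns(x XOR k) equals InvMixColumns(x) XOR InvMixColumns(k). Pushing round keys 1 to 9 through InvMixColumns once lets decryption reuse the encryption round structure, which is what the "different key schedule" on the slide refers to.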
Implementation Aspects
• Can efficiently implement on an 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
– shift rows is a simple byte shift
– add round key works on byte XORs
– mix columns requires a matrix multiply in GF(2^8) that works on byte values, and can be simplified to table lookups and byte XORs
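How the mix columns step collapses to table lookups and byte XORs on an 8-bit CPU, as an added example (editor's code, not the lecture's). It rests on two identities from the Rijndael design: 2a ^ 3b ^ c ^ d = a ^ (a ^ b ^ c ^ d) ^ xtime(a ^ b), so a single 256-byte xtime table is the only multiplier needed; and InvMixColumns equals MixColumns applied after XORing 4*(a0 ^ a2) into a0 and a2 and 4*(a1 ^ a3) into a1 and a3, so the decryption side needs no 9, 11, 13 or 14 multipliers either. The check value is the first column of the round-1 MixColumns step in the FIPS-197 Appendix B worked example.

```python
# Added example, not the lecture's code: MixColumns and its inverse using only a
# 256-byte "multiply by x" table and XORs, the form an 8-bit CPU can run cheaply.

# XTIME[b] = 2*b in GF(2^8), reduced by x^8 + x^4 + x^3 + x + 1 (0x11b).
XTIME = [((b << 1) ^ 0x11B) & 0xFF if b & 0x80 else b << 1 for b in range(256)]

def mix_column_8bit(col):
    """MixColumns on one column [a0, a1, a2, a3].

    Row 0 of the matrix is 2*a0 ^ 3*a1 ^ a2 ^ a3.  Since 3*a1 = 2*a1 ^ a1,
    that equals 2*(a0 ^ a1) ^ (a0 ^ a1 ^ a2 ^ a3) ^ a0, so each output byte
    costs one table lookup and three XORs; the other rows are the same
    identity with the indices rotated.
    """
    a0, a1, a2, a3 = col
    t = a0 ^ a1 ^ a2 ^ a3
    return [a0 ^ t ^ XTIME[a0 ^ a1],
            a1 ^ t ^ XTIME[a1 ^ a2],
            a2 ^ t ^ XTIME[a2 ^ a3],
            a3 ^ t ^ XTIME[a3 ^ a0]]

def inv_mix_column_8bit(col):
    """InvMixColumns on one column without the 9/11/13/14 multipliers.

    The inverse matrix factors as MixColumns times a cheap preprocessing
    step: XOR 4*(a0 ^ a2) into a0 and a2, and 4*(a1 ^ a3) into a1 and a3.
    (Row 0 check: 2*5 ^ 1*4 = 14, 3*5 ^ 1*4 = 11, 2*4 ^ 1*5 = 13, 3*4 ^ 1*5 = 9.)
    """
    a0, a1, a2, a3 = col
    u = XTIME[XTIME[a0 ^ a2]]        # 4 * (a0 ^ a2)
    v = XTIME[XTIME[a1 ^ a3]]        # 4 * (a1 ^ a3)
    return mix_column_8bit([a0 ^ u, a1 ^ v, a2 ^ u, a3 ^ v])

def mix_columns_8bit(state, inverse=False):
    """Apply the column step to a 16-byte state stored column-major."""
    f = inv_mix_column_8bit if inverse else mix_column_8bit
    out = []
    for c in range(4):
        out.extend(f(list(state[4 * c:4 * c + 4])))
    return out

if __name__ == "__main__":
    # First column of the FIPS-197 Appendix B round-1 example (public values).
    col = [0xD4, 0xBF, 0x5D, 0x30]
    mixed = mix_column_8bit(col)
    print([hex(b) for b in mixed])                          # 04 66 81 e5
    print(inv_mix_column_8bit(mixed) == col)
```

The same xtime table also drives the key schedule's round constants (each Rcon is xtime of the previous one), so a small 8-bit implementation needs only this table plus the S-box.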
Implementation Aspects
• Can efficiently implement on a 32-bit CPU
– redefine the steps to use 32-bit words
– can precompute 4 tables of 256 words each
– then each column in each round can be computed using 4 table lookups + 4 XORs
– at a cost of 4 KB (4 x 256 x 4 bytes) to store the tables
– caveat: the table index depends on secret data, so this layout leaks key bytes through cache timing; constant-time implementations use hardware instructions such as AES-NI or bitsliced code instead
• The designers believe this very efficient implementation was a key factor in its selection as the AES cipher
AES Security
• Attacks exist on Rijndael with fewer rounds
– For example, about 2^39 work to recover the complete key of a 9-round AES-256 variant (a related-key attack)
– (note that AES-256 uses 14 rounds)
• Simple structure
– Can be represented as a closed algebraic formula over the finite field with 256 elements
– Not known whether this algebraic formula can be solved efficiently
• More of a concern for cryptographers, who consider a system broken if any attack better than brute force exists
Reading Assignments
• More on AES design rationales
• More on AES security
• Rijndael: The Advanced Encryption Standard, Dr. Dobb's, March 01, 2001