AES Key Expansion
TRANSCRIPT
-
7/29/2019 AES Key Expansion
1/20
This Lecture:
AES Key Expansion
Equivalent Inverse Cipher
Rijndael performance summary
-
Key Expansion
Takes as input an Nb-word key and produces a linear array of Nb * (Nr+1) words.
The expanded key provides an Nb-word round key for the initial AddRoundKey() stage and for each of the Nr rounds of the cipher.
The key is first copied into the first Nb words; the remainder of the expanded key is filled Nb words at a time.
-
Key Expansion Pseudo Code (16-byte key)
KeyExpansion(byte key[16], word w[44])
{
    word temp;
    /* the first Nb = 4 words are the key itself */
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    /* every further word is the word 4 positions back XOR a (possibly transformed) previous word */
    for (i = 4; i < 44; i++)
    {
        temp = w[i-1];
        if (i mod 4 = 0) temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
        w[i] = w[i-4] XOR temp;
    }
}
-
Key Expansion
RotWord performs a one-byte circular left shift on a word. For example:
RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0]
SubWord performs a byte substitution on each byte of the input word using the S-box.
SubWord(RotWord(temp)) is XORed with Rcon[j], the round constant.
-
Key Expansion
The round constant, explained
The round constant is a word in which the three rightmost bytes are zero. It is different for each round and defined as:
Rcon[j] = (RC[j], 0, 0, 0)
where RC[1] = 1, RC[j] = 2 * RC[j-1]
Multiplication is defined over GF(2^8).
Values of RC[j] in hexadecimal are:
j      1   2   3   4   5   6
RC[j]  01  02  04  08  10  20
-
Key Expansion
The round constant, example
Example of expansion of a 128-bit cipher key
Cipher key = 2b7e151628aed2a6abf7158809cf4f3c
w0 = 2b7e1516   w1 = 28aed2a6   w2 = abf71588   w3 = 09cf4f3c
i  temp      RotWord   SubWord   Rcon[i/4]  XOR       w[i-4]    result
4  09cf4f3c  cf4f3c09  8a84eb01  01000000   8b84eb01  2b7e1516  a0fafe17
5  a0fafe17  -         -         -          -         28aed2a6  88542cb1
6  88542cb1  -         -         -          -         abf71588  23a33939
7  23a33939  -         -         -          -         09cf4f3c  2a6c7605
(rows 5 to 7 have i mod 4 != 0, so temp is used unchanged)
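The pseudocode, RotWord/SubWord/Rcon and the expansion table above, carried out as an added Python example (not code from the lecture): it reproduces w[4] to w[7] from the slide's cipher key and continues to w[43]. The S-box is computed from its definition rather than typed in as a table, and the function names (key_expansion, rcon, ...) are the example's own.

```python
# Added example, not from the lecture: AES-128 KeyExpansion as on the slides
# (RotWord, SubWord, Rcon), run on the slide's cipher key to reproduce w[4..7].
# The S-box is derived from its definition (GF(2^8) inverse, then affine map).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _make_sbox():
    sbox = []
    for x in range(256):
        inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1) if x else 0
        s = inv
        for i in range(1, 5):             # affine map: inv ^ rotl(inv, 1..4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def rot_word(w):                          # [b0,b1,b2,b3] -> [b1,b2,b3,b0]
    return w[1:] + w[:1]

def sub_word(w):                          # S-box on each byte of the word
    return bytes(SBOX[b] for b in w)

def rcon(j):                              # Rcon[j] = (RC[j],0,0,0), RC[j] = 2*RC[j-1]
    rc = 1
    for _ in range(j - 1):
        rc = gf_mul(rc, 2)
    return bytes([rc, 0, 0, 0])

def key_expansion(key):
    """16-byte key -> 44 words: w[0..3] is the key, then w[i] = w[i-4] XOR temp."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                    # every 4th word gets RotWord/SubWord/Rcon
            temp = xor(sub_word(rot_word(temp)), rcon(i // 4))
        w.append(xor(w[i - 4], temp))
    return w
```

Printing `[x.hex() for x in key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))[4:8]]` gives the four result values in the table above.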
-
Key Expansion Rationale
Criteria used for key expansion algorithm design:
Simple description.
Non-linearity: prohibits the full determination of round key differences from cipher key differences.
Diffusion: each cipher key bit affects many round key bits.
Round constant: eliminates symmetry or similarity between the way round keys are generated.
Knowledge of fewer than Nk consecutive words of either the cipher key or a round key makes it difficult to reconstruct the remaining unknown bits.
-
Equivalent Inverse Cipher
The Rijndael decryption cipher is not identical to the encryption cipher.
Disadvantage: two separate software or hardware modules are required if performing both encryption and decryption.
There is an equivalent version of the decryption algorithm that has the same structure (the same sequence of transformations) as the encryption algorithm.
-
InvCipher, Scheme
-
Equivalent Inverse Cipher
The original sequence is:
Encryption: SubBytes, ShiftRows, MixColumns, AddRoundKey
Decryption: InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns
Thus InvShiftRows needs to be interchanged with InvSubBytes, and AddRoundKey with InvMixColumns.
-
Equivalent Inverse Cipher
InvShiftRows: affects the sequence of bytes but does not alter byte content, and does not depend on the byte content to perform the transformation.
InvSubBytes: affects the content of bytes but does not alter the byte sequence, and does not depend on the byte sequence to perform the transformation.
Thus InvShiftRows and InvSubBytes can be interchanged. For a given state S,
InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))
-
Equivalent Inverse Cipher
If the key is viewed as a sequence of words, then both AddRoundKey and InvMixColumns operate on the state one column at a time.
These operations are linear with respect to the column input. For state S and round key word w:
InvMixColumns(S XOR w) = [InvMixColumns(S)] XOR [InvMixColumns(w)]
-
Equivalent Inverse Cipher
For one column (y0..y3 of the state, k0..k3 of the round key word):
[ 0E 0B 0D 09 ] [ y0 XOR k0 ]     [ 0E 0B 0D 09 ] [ y0 ]       [ 0E 0B 0D 09 ] [ k0 ]
[ 09 0E 0B 0D ] [ y1 XOR k1 ]  =  [ 09 0E 0B 0D ] [ y1 ]  XOR  [ 09 0E 0B 0D ] [ k1 ]
[ 0D 09 0E 0B ] [ y2 XOR k2 ]     [ 0D 09 0E 0B ] [ y2 ]       [ 0D 09 0E 0B ] [ k2 ]
[ 0B 0D 09 0E ] [ y3 XOR k3 ]     [ 0B 0D 09 0E ] [ y3 ]       [ 0B 0D 09 0E ] [ k3 ]
Thus InvMixColumns and AddRoundKey can be interchanged.
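The linearity behind the matrix identity above, as an added Python example that is not part of the lecture: InvMixColumns is applied column by column with the 0E/0B/0D/09 matrix, and the check confirms that adding a round key before InvMixColumns equals applying InvMixColumns and then adding InvMixColumns(w), which is the transformed round key the equivalent inverse cipher uses. The sample state and all function names are the example's own assumptions.

```python
# Added example, not from the lecture: InvMixColumns on one column of the AES
# state and the linearity InvMixColumns(S XOR w) = InvMixColumns(S) XOR
# InvMixColumns(w) that lets AddRoundKey and InvMixColumns swap places.

def xtime(b):
    """Multiply a byte by x (0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def mul(b, c):
    """b times one of the InvMixColumns constants, built from 2b, 4b and 8b."""
    x2 = xtime(b)
    x4 = xtime(x2)
    x8 = xtime(x4)
    return {0x09: x8 ^ b, 0x0B: x8 ^ x2 ^ b, 0x0D: x8 ^ x4 ^ b, 0x0E: x8 ^ x4 ^ x2}[c]

INV_MIX_ROW0 = [0x0E, 0x0B, 0x0D, 0x09]   # row r of the matrix is this row rotated right r times

def inv_mix_column(col):
    """Apply the InvMixColumns matrix to a 4-byte column (y0..y3 on the slide)."""
    out = []
    for r in range(4):
        acc = 0
        for j in range(4):
            acc ^= mul(col[j], INV_MIX_ROW0[(j - r) % 4])
        out.append(acc)
    return bytes(out)

def inv_mix_columns(state):
    """16-byte state in column-major order, as in the AES state array."""
    return b"".join(inv_mix_column(state[4 * c:4 * c + 4]) for c in range(4))

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def equivalent_round_key(w):
    """Round key used by the equivalent inverse cipher: dw = InvMixColumns(w)."""
    return inv_mix_columns(w)

def check_linearity(state, rk):
    """True when InvMixColumns(S XOR w) == InvMixColumns(S) XOR InvMixColumns(w)."""
    lhs = inv_mix_columns(xor(state, rk))
    rhs = xor(inv_mix_columns(state), equivalent_round_key(rk))
    return lhs == rhs

# Constructed sample: an arbitrary state and the slide's cipher key as the round key.
SAMPLE_STATE = bytes(range(16))
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
```

`check_linearity(SAMPLE_STATE, SAMPLE_KEY)` returns True; because the identity holds for every column, the equivalent inverse cipher can apply AddRoundKey after InvMixColumns as long as it uses InvMixColumns(w) in place of w for the middle rounds.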
-
Rijndael performance summary (as evaluated by the National Institute of Standards and Technology, NIST)
General Security:
Rijndael has no known security attacks and has an adequate security margin.
It received some criticism suggesting that its simple mathematical structure may lead to attacks. On the other hand, the simple structure may have facilitated the security analysis.
-
Rijndael performance summary (as evaluated by NIST)
Software Implementation:
Performs encryption and decryption very well across a variety of platforms (including 8-bit, 32-bit and 64-bit processors). There is a decrease in performance with larger key sizes because of the increased number of rounds.
High parallelism facilitates the efficient use of processor resources.
Very well suited for restricted-space environments (small amounts of RAM and/or ROM) where either encryption or decryption is performed (but not both).
-
Rijndael performance summary (as evaluated by NIST)
Hardware Implementation:
Has the highest throughput for feedback modes and the second highest for non-feedback modes.
Efficiency is generally very good.
Attacks on Implementation:
Timing attacks: attacks on operations that execute in different amounts of time. The general defense is to make encryption and decryption run in the same amount of time.
-
Rijndael performance summary (as evaluated by NIST)
Attacks on Implementation, continued:
Power attacks: attacks on operations that use different amounts of power. The general defense is to process the data and its complement (nearly) simultaneously.
Boolean operations, table lookups and fixed shifts/rotations are the easiest operations to defend against these attacks.
The use of masking (executing the same operation twice to mask power consumption) does not cause significant performance degradation.
-
Rijndael performance summary (as evaluated by NIST)
Key Agility:
Defined as the ability to change keys quickly and with a minimum of resources.
Rijndael provides on-the-fly subkey computation (computation of the specific subkey needed for a particular round just prior to its use in that round).
The first decryption subkey cannot be generated directly from the original key; the key schedule has to be stepped through all the subkeys first. This places a slight resource burden on key agility.
-
Rijndael performance summary (as evaluated by NIST)
Encryption vs. Decryption:
Speed does not vary significantly between encryption and decryption, although key setup is slower for decryption.