aes
DESCRIPTION
AES. Advanced Encryption Standard. Origins of AES. In 1999, NIST issued a new standard that is said 3DES, 168-bit key length Algorithm is the same as DES 3DES had drawbacks Algorithm is sluggish in software Only uses 64-bit block size. Origins of AES (2). - PowerPoint PPT PresentationTRANSCRIPT
AES
Advanced Encryption Standard
Origins of AES
• In 1999, NIST issued a new standard that is said 3DES,– 168-bit key length– Algorithm is the same as DES
• 3DES had drawbacks– Algorithm is sluggish in software– Only uses 64-bit block size
Origins of AES (2)
• In 1997, NIST issued a calls for proposals for the new Advanced Encryption Standard (AES)– security strength >= 3DES– improved efficiency– must be a symmetric block cipher
(128-bit)– key lengths of 128, 192, and 256 bits
Evolution of AES• The Previous algorithms like DES were not
secure enough after the inclusion of fastest computing technologies.
• AES has key sizes of 128,192 and 256 bits which were higher than that of previous one.
• No method exists to break the AES key even if a key is found @ 1 second, it would still take 149 trillion years to crack the 128-bit AES key.
AES Evaluation Criteria• Criteria used by NIST to evaluate
potential candidates– Initial Criteria:
• Security• Cost• Algorithm characteristics
– Final Criteria:•General Security•Software Implementations•Restricted-space environments•Flexibility
•Hardware Implementations•Attacks on Implementations•Encryption vs. Decryption•Key agility
Rounds of Evaluation
• First round of evaluation– 15 proposed algorithms accepted
• Second round– 5 proposed algorithms accepted
• Final Standard - November 2001– Rijndael selected as AES algorithm
• Created by Dr. Joan Daemen and Dr. Vincent Rijmen
What makes Rijndael stand out?
• The Symmetric and parallel structure• gives implementers a lot of flexibility• Has not allowed effective cryptanalytic
attacks.
• Well adapted to modern processors• Pentium• RISC and parallel processors
• Suited for Smart cards• Flexible in dedicated hardware
AES Formation• AES uses Block Cipher technique
• A block cipher is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of Cipher text (encrypted text) data of the same length
AES Requirements
• Symmetric Cipher• Block size must be at least 128 bits;
keys of 128,192 and 256 must be applicable.
• It should resist to all known methods of cryptanalysis
• No Propriety• Design simplicity• Speed and code Compactness on a
wide range of platforms.
Add Round Key
Inverse mix cols
Add round key
Inverse sub bytes
Inverse shift rows
Add round key
Mix Columns
Shift Rows
Add Round Key
Inverse sub bytes
Inverse shift rows
Inverse mix cols
Add round key
Inverse sub bytes
Inverse shift rows
Add round key
Substitute Bytes
Add round key
Shift Rows
Substitute Bytes
Add round key
Substitute Bytes
Shift Rows
Mix Columns
Expand Key
.
.
.
.
.
.
w[0,3]
w[4,7]
w[36,39]
w[40,43]
Plaintext Plaintext
Ciphertext Ciphertext
Rou
nd 1
Rou
nd 9
Rou
nd 1
0R
ound
1
Rou
nd 9
Rou
nd 1
0
Basic Operations• The Rijndael Algorithm is a block cipher that encrypt blocks of
128, 192, or 256 bits.• Uses symmetric keys of 128, 192 or 256 bits.• It consists of an initial round (AddRoundKey), and r standard
rounds, r is 10,12 or 14 depending on the block and key length.
• The first r-1 rounds are similar and they consist of 4 transformations, called– ByteSub (Substitution Bytes)– ShiftRow (Shift Rows)– MixColumn (multiply columns)– AddRoundKey (XOR by key )
• The last round have only the transformations – ByteSub– ShiftRow– AddRoundKey
Details Terms used
Algorithm Parameters, Symbols, and Functions
Working of Algorithm• The number of rounds for the algorithm
depends on the key length and Block size.
Building Blocks
• Key schedule to provide K[r].– Key scheduling is to generate the
subkeys K[r].
• Encryption (10 rounds in 128 bits case)– Transformation of plain text to cipher
text.
Illustration by Example
• Consider Matrix B[ji] which is
B[00] B[01] B[02] B[03]B[10] B[11] B[12] B[13]B[20] B[21] B[22] B[23]B[30] B[31] B[32] B[33]
In the 192 bits case, we have to add 2 columns moreIn the 256 bits case, we have to add 4 columns more
All transformations are applied to B, except AddRoundKey(B,Kr),it has another input, the sub-key K[r][ji].The sub-keys K[r] that it generates are loaded in a linear array W.The lenght of the array W depend on the block and key length,it provides the sub-keys K[r] to every round r.
• Plain Text– B =
000102030405060708090A0B0C0D0E0F
• Key– K =
000102030405060708090A0B0C0D0E0F
Key Schedule• The key schedule is used to provide the sub-keys K[r]• Beginning with the key K, we extend it (called Key
Expansion), and get the linear array W. W is an array with 4-byte words
[Nb*(Nr+1)], where Nb is the number of columns of the matrix B[i,j], and
Nr is the number of rounds. Here Nb=4, Nr=10, so W have [4*(10+1)] = 44
words of 32b.• Every block of 4 words have 128b and it is the sub-
key [r].• The first sub-key is K[0] = (W[0],W[1],W[2],W[3]),
which is the copy of the key K• The next sub-keys are derived from the K[0]. The rule
is
Rule to Derive the Sub-Keys W[4] = W[0] xor temp1 W[5] = W[1] xor W[4] W[6] = W[2] xor W[5] where i mod Nk <> 0, the rule
is: W[7] = W[3] xor W[6] W [i] = W[i-Nk] xor W[i-1], W[8] = W[4] xor temp2 with Nr=4. ... where i mod Nk = 0, we have W[42] = W[38] xor W[41] W[i] = W[i-Nk] xor tempk,
where W[43] = W[39] xor W[42]
tempk = SubByte[Shift(1)(W[i-1])] xor rcon[k] SubByte is applied to W[i-1] with a byte shifted, and
rcon[k], is defined as rcon[k] = (RC[k], 00, 00, 00), with RC[1] =1, and RC[k] = X*RC[k-1] = X^(k-1), are elements in
GF(2^8). k = i/Nk, i = 4,8,12,...,44 and Nk=4
Round Constant Word Array rcon[k]• Rcon[1]=[01,00,00,0
0]• Rcon[2]=[02,00,00,0
0]• Rcon[3]=[04,00,00,0
0]• Rcon[4]=[08,00,00,0
0]• Rcon[5]=[10,00,00,0
0]
• Rcon[6]=[20,00,00,00]
• Rcon[7]=[40,00,00,00]
• Rcon[8]=[80,00,00,00]
• Rcon[9]=[1B,00,00,00]
• Rcon[10]=[36,00,00,00]
The Sub-Key K[0]
• 00 04 08 0C
• 01 05 09 0D
• 02 06 0A 0E
• 03 07 0B 0F
Evaluation of W[i]• When i is multiple of 4 The rule isW[i] = W[i-4] xor SubByte[Shift(1)(W[i-1])] xor
rcon[k]
W[4] = W[0] xor SubByte(S(1)(W[3]))
D6 = 00 xor D7AA = 01 xor AB74 = 02 xor 76FD = 03 xor FE
W[4][0] = W[4][0] xor rcon[1]D6 = D7 xor 02
Determination of SubByte Values• The S-box used in the SubBytes()
transformation is presented in hexadecimal form in next Figure
• For example, for {53} then the substitution value would be determined by the intersection of the row with index ‘5’ and the column with index ‘3’ in Figure. This would result in a value of {ED}.
SubBytes Transformation
Evaluation of W[i]
• When i is not a multiple of 4 The rule is W[i] = W[i-4] xor W[i-1]
W[5] = W[1] xor W[4] W[6] = W[2] xor W[5] W[7] = W[3] xor W[6]
D2 = 04 xor D6 DA = 08 xor D2 D6 = 0C xor DA
AF = 05 xor AA A6 = 09 xor AF AB = 0D xor A6
72 = 06 xor 74 78 = 0A xor 72 76 = 0E xor 78
FA = 07 xor FD F1 = 0B xor FA FE = 0F xor F1
Sub-Key K[1]
• D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE
Home Work
• Find All Remaining Sub-Keys
Remaining Keys
• Sub-Key K[1] = D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE• Sub-Key K[2] = B6 92 CF 0B 64 3D BD F1 BE 9B C5 00 68 30 B3 FE• Sub-Key K[3] = B6 FF 74 4E D2 C2 C9 BF 6C 59 0C BF 04 69 BF 41• Sub-Key K[4] = 47 F7 F7 BC 95 35 3E 03 F9 6C 32 BC FD 05 8D FD• Sub-Key K[5] = 3C AA A3 E8 A9 9F 9D EB 50 F3 AF 57 AD F6 22 AA• Sub-Key K[6] = 5E 39 0F 7D F7 A6 92 96 A7 55 3D C1 0A A3 1F 6B• Sub-Key K[7] = 14 F9 70 1A E3 5F E2 8C 44 0A DF 4D 4E A9 C0 26• Sub-Key K[8] = 47 43 87 35 A4 1C 65 B9 E0 16 BA F4 AE BF 7A D2• Sub-Key K[9] = 54 99 32 D1 F0 85 57 68 10 93 ED 9C BE 2C 97 4E• Sub-Key K[10]= 13 11 1D 7F E3 94 4A 17 F3 07 A7 8B 4D 2B 30 C5
Encryption
• Initial Round ( Key addition )This transformation applies a XOR between every entry ofmatrices B[j,i] and K[0][j,i], i.e. B[j,i] = B[j,i] XOR K[0][j,i]
B[j,i] K[0][j,i] B[j,i]
00 04 08 0C 00 04 08 0C 00 00 00 00
01 05 09 0D 01 05 09 0D 00 00 00 00 XOR = 02 06 0A 0E 02 06 0A 0E 00 00 00 00
03 07 0B 0F 03 07 0B 0F 00 00 00 00
Round 1 ( Byte Substitution)• This transformation replaces every entry
of the input B[j,i] by the result of two operations
• The first operation maps entries to their multiplicative inverse in GF(28). Every entry (a byte) has a polynomial representation with the irreducible polynomial f(x)=x8+x4+x3+x+1
• The zero is mapped to zero.
• Linear Transformation LT
• Here is the calculation for the entry (3,3), LT(a[3,3]-1)
• |y0| |10001111||0| |1| 63 63 63 63• |y1| |11000111||0| |1|• |y2| |11100011||0| |0| 63 63 63 63• |y3| |11110001||0| |0| LT(a[j,i]-1) =• |y4|= |11111000||0|+|0| 63 63 63 63• |y5| |01111100||0| |1|• |y6| |00111110||0| |1| 63 63 63 |63 |• |y7| |00011111||0| |0| |___|
• The second operation applies a linear transformation from GF(28) to GF(28) for every entry (byte) of the matrix.
• The inputs are the bits x7,..,x0 in a[j,i]-1 and the outputs are y7,..,y0, this is the new element B[j,i] And this is the final output in the transformation SubByte ( For Easiness refer to the same table used in key scheduling)
Shift Rows
• This transformation is applied to the rows of B[j,i], it shifts bytes in the rows. Row 1 is not shifted, row 2 is shifted 1 byte, row 3 shifted 2 bytes and row 4, 3 bytes (this is in our case of 128b).
In the case of 192 the same applies.
In the case of 256 the only change is that rows 3 and 4 are shifted 3 and 4 bytes respectively.
63 63 63 63 63 63 63 63
63 63 63 63 63 63 63 63
Shift(a[j]) = 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63
Mix Column• This transformation is applied to the
columns of B[j,i], we can see each column as a polynomial of GF(28)[x]
• So Mixcolumn multiplies each column by the constant polynomialc(x)=03x3 + 01x2 + 01x + 02
• The coeficients are shown in hexadecimal, and they are in GF(28).
MixColumns Transformation
63 63 63 63 63 63 63 63
63 63 63 63 63 63 63 63
MixColum(a[j]) = 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63
Key Addition
• This transformation only does an XOR between every entry the matrix B[j,i] and every entry of K[r][j,i] from the Key schedule.
B[j,i] = B[j,i] XOR K[r][j,i].• This is the final of the round r, and
the partial vector test CT[r]
63 63 63 63 D6 D2 DA D6 B5 B1 B9 B5
63 63 63 63 AA AF A6 AB C9 CC C5 C8 XOR = 63 63 63 63 74 72 78 76 17 11 1B 15
63 63 63 63 FD FA F1 FE 9E 99 92 9D
Cipher Text ( CT[1])
• B5 C9 17 9E B1 CC 11 99 B9 C5 1B 92 B5 C8 15 9D
Home Work
• Do the remaining rounds by taking the CT[1] and apply the same steps.
• The last round would not have any Mix Column transformation
Advantages• Implementation aspects:
– Rijndael can be implemented to run at speeds unusually fast for a block cipher on a Pentium (Pro). There is a trade-off between table size/performance.
– Rijndael can be implemented on a Smart Card in a small amount of code, using a small amount of RAM and taking a small number of cycles. There is some ROM/performance trade-off.
– The round transformation is parallel by design, an important advantage in future processors and dedicated hardware.
– As the cipher does not make use of arithmetic operations, it has no bias towards big or little endian processor architectures.
• Simplicity of Design:– The cipher is fully “self-supporting”. It does
not make use of another cryptographic component, S-boxes “lent” from well-reputed ciphers, bits obtained from Rand tables, digits of p or any other such jokes.
– The cipher does not base its security or part of it on obscure and not well understood interactions between arithmetic operations.
– The tight cipher design does not leave enough room to hide a trapdoor.
• Variable block length:– The block lengths of 192 and 256 bits allow the
construction of a collision-resistant iterated hash function using Rijndael as the compression function. The block length of 128 bits is not considered sufficient for this purpose nowadays.
• Extensions:– The design allows the specification of variants
with the block length and key length both ranging from 128 to 256 bits in steps of 32 bits.
– Although the number of rounds of Rijndael is fixed in the specification, it can be modified as a parameter in case of security problems.
Limitations• The inverse cipher is less suited to be
implemented on a smart card than the cipher
itself: it takes more code and cycles. (Still, compared with other ciphers, even theinverse is very fast)
• In software, the cipher and its inverse make use of different code and/or tables.
• In hardware, the inverse cipher can only partially re-use the circuitry that implements
the cipher.