announcements: quiz grades entered quiz grades entered homework 4 updated with more details....
Post on 19-Dec-2015
217 views
TRANSCRIPT
Announcements:Announcements: Quiz grades enteredQuiz grades entered Homework 4 updated with more details. Homework 4 updated with more details. Discussion forum is picking up trafficDiscussion forum is picking up traffic
Today:Today: Prep. for Rijndael and Discrete Logs: Prep. for Rijndael and Discrete Logs: GF(2GF(288)) RijndaelRijndael
Questions?Questions?
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 18Day 18
Rijndael Rijndael
A.k.a. A.k.a. AESAES (Advanced Encryption Standard) (Advanced Encryption Standard)
128-bit blocks128-bit blocks
Encrypted using functions of 128-bit key for 10 Encrypted using functions of 128-bit key for 10 roundsrounds Versions exist for keys with 192 bits (12 rounds), 256 Versions exist for keys with 192 bits (12 rounds), 256
bits (14 rounds)bits (14 rounds)
The S-boxes, round keys, and MixColumn The S-boxes, round keys, and MixColumn functions require the use of GF(2functions require the use of GF(288), so…), so…
Fields (T&W, 3.11)Fields (T&W, 3.11)
A A fieldfield is a is a set of numbers set of numbers with the following properties:with the following properties: Addition, with identity: a + 0 = a and inverse a+(-a)=0 Addition, with identity: a + 0 = a and inverse a+(-a)=0 Multiplication with identity: a*1=a, and inverse Multiplication with identity: a*1=a, and inverse
(a * a(a * a-1-1 = 1 for all a != 0) = 1 for all a != 0) Subtraction and division (using inverses)Subtraction and division (using inverses) Commutative, associative, and distributive propertiesCommutative, associative, and distributive properties Closure over all four operationsClosure over all four operations
Examples:Examples: Real numbersReal numbers GF(4) = {0, 1, GF(4) = {0, 1, , , 22} with these additional laws: x + x = 0 for all x } with these additional laws: x + x = 0 for all x
and and + 1 = + 1 = 22.. GF(pGF(pnn) for prime p is called a Galois Field.) for prime p is called a Galois Field.
Galois fieldsGalois fields
For every power of n with prime p, there is For every power of n with prime p, there is only 1 finite field with ponly 1 finite field with pnn elements. elements.
The integers (mod pThe integers (mod pnn) aren’t a field. (Why ) aren’t a field. (Why not?)not?)
Another way to get GF(4) = GF(2Another way to get GF(4) = GF(222) using ) using polynomialspolynomials Technique extends to GF(2Technique extends to GF(288))
Finish discussion of ZFinish discussion of Z22[X][X]
Galois fieldsGalois fields
If ZIf Zpp[X] is set of polynomials with coefficients (mod p)[X] is set of polynomials with coefficients (mod p)
……and P(X) is degree n and irreducible (mod p)and P(X) is degree n and irreducible (mod p)
Then GF(pThen GF(pnn) = Z) = Zpp[X] (mod P(X) is a field with p[X] (mod P(X) is a field with pnn elements. elements.
Wasn’t ZWasn’t Z22[X] (mod X[X] (mod X22 + X + 1) = GF(4)? + X + 1) = GF(4)?
Consider GF(2Consider GF(2nn) with P(X) = X) with P(X) = X88 + X + X44 + X + X33 + X + 1 + X + 1Rijndael uses this!Rijndael uses this!
Back to Rijndael/AESBack to Rijndael/AESParallels with DES? Parallels with DES?
Multiple roundsMultiple rounds(7 enough to force brute (7 enough to force brute force)force)
DiffusionDiffusion XOR with round keysXOR with round keys No MixColumn in last No MixColumn in last
roundround
Major differencesMajor differences Not a Feistel systemNot a Feistel system Much quicker diffusion of Much quicker diffusion of
bits (2 rounds)bits (2 rounds) Much stronger against Much stronger against
linear, diffy. crypt., linear, diffy. crypt., interpolation attacksinterpolation attacks
ByteSub (BS)ByteSub (BS)
1.1. Write 128-bit input Write 128-bit input aa as matrix as matrix with 16 byte entries (column with 16 byte entries (column major ordering):major ordering):
2.2. For each byte, abcdefgh, For each byte, abcdefgh, replace with byte in location replace with byte in location (abcd, efgh)(abcd, efgh)
Example: 00011111 Example: 00011111 ___ ___Example: 11001011 Example: 11001011 31 31
3.3. Output is a matrix called bOutput is a matrix called b
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
aaaa
aaaa
aaaa
aaaa
a
Why were these numbers chosen?
S-box DerivationS-box Derivation
The S-box maps byte x to byte z via the function z = Ax-1+b:
Input byte x: x7x6x5x4x3x2x1x0
Compute the inverse in GF(28): y7y6y5y4y3y2y1y0 (non-linear, vs. attacks)(use 0 as inverse of 0)
Compute this linear function z in GF(28): (to complicate attacks) (A is simple to implement) b chosen so
xzandxz
ShiftRow (SR)ShiftRow (SR)
Shifts the entries of Shifts the entries of each row by each row by increasing offset:increasing offset:
Gives resistance to newer attacks Gives resistance to newer attacks (truncated differentials, (truncated differentials, Square attack)Square attack)
2,31,30,33,3
1,20,23,22,2
0,13,12,11,1
3,02,01,00,0
bbbb
bbbb
bbbb
bbbb
c
MixColumn (MC)MixColumn (MC)
Multiply -- via GF(2Multiply -- via GF(288) – with ) – with the fixed matrix shown.the fixed matrix shown.
Speed? Speed?
64 multiplications, each 64 multiplications, each involving at most 1 shift involving at most 1 shift + XOR+ XOR
Gives quick diffusion of bitsGives quick diffusion of bits
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
010..001..001..000000011
011..0010..001..000000001
01..0011..0010..000000001
01..001..0011..000000010
cccc
cccc
cccc
cccc
d
AddRoundKey (AddRoundKey (ARKARK))
XOR the round key XOR the round key with matrix d. with matrix d.
Key schedule on next slideKey schedule on next slide
ikde
Key ScheduleKey Schedule
)43(...)5()4()3()2()1()0( WWWWWWW
Write original key as 4x4matrix with 4 columns: W(0), W(1), W(2), W(3). Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3))
Other columns defined recursively:
otherwiseiW
iifiWTiWiW
)1(
|4))1(()4()(
)2()00000010()(
))((
0
0
0
)(
)(
84/)4( GFinir
iWT
ir
h
g
f
e
d
c
b
a
iW
i
Sbox
Highly non-linear. Resists attacks at finding whole key when part is known
K0K1 K10
192-, 256-bit versions similar
DecryptionDecryptionE(k) is:E(k) is:
(ARK(ARK00, BS, SR, MC, ARK, BS, SR, MC, ARK11, … BS, SR, , … BS, SR,
MC, ARKMC, ARK99, BS, SR, ARK, BS, SR, ARK1010))
Each function is invertible:Each function is invertible:
ARK; IBS; ISR; IMC (IMC is slower)ARK; IBS; ISR; IMC (IMC is slower)
So D(k) is:So D(k) is:
ARKARK1010, ISR, IBS, ARK, ISR, IBS, ARK99, IMC, ISR, IBS, , IMC, ISR, IBS,
… ARK… ARK11, IMC, ISR, IBS, ARK, IMC, ISR, IBS, ARK00))
Half-round structure:Half-round structure:Write E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARKWrite E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARK
(Note that last MC wouldn’t fit)(Note that last MC wouldn’t fit)D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARKD(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARK
Can write:Can write:D(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARKD(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK