lezione 7 the advanced encryption standard (aes) · lezione 7 the advanced encryption standard...
TRANSCRIPT
Lezione 7
The Advanced Encryption Standard (AES)
On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for the AES algorithms was formally made on September 12, 1997.
The requirements of AES is as follows: (1) The call stipulated that the AES would specify
an unclassified, publicly disclosed symmetric-key encryption algorithm(s).
(2) The algorithm(s) must support (at a minimum) block sizes of 128-bits, key sizes of 128-, 192-, and 256-bits, and should have a strength at the level of the triple DES, but should be more efficient then the triple DES.
(3) It should work on a variety of different hardware.
(4) The algorithm(s), if selected, must be available royalty-free, worldwide.
On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called the Round 1). The Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.
The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (the Round 2).
In the Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations and implementation issues. On October 2 , 2000, NIST announced that it has selected Rijndael to propose for the AES.
Outline About the Finite Field GF(pn) The Basic Algorithm The Layers Decryption Design Consideration
1 About the Finite Field GF(pn)
solution.
a havenot does ) (mod1 econgrucenc
thesince field, a formnot does modulo
integer But the elements. with field finite one
exactly is thereprime, a of powerevery For
n
n
n
n
ppx
p
p
p
≡
elements. 4 with field a isit ,1mod
tionmultiplica andaddition For 1.most at degree of spolynomial of
}1,,1,0{
set thebe to)1](mod[ definecan we
Therefore, ).1(mod1 as thiscan write We
.)1)(1(1get ,1 into 1
divide weexample,For integers. with theasjust remainder,with
division performcan We.1)1)(1(
assuch ,2modtscoefficien the work with weas long as set, in this
multiply and subtract, add,can We].[in Z also are 1,0 spolynomial
constant The .,1 assuch ,2mod integers are tscoefficien
whosespolynomial ofset thebe][Let Z :Solution
.)GF(2Construct
2
22
234
2234342
2343
2
6
2
2
++
+++
++≡++
++++=++++++
+++=+++
++
XX
XX
XXXZ
XXXXX
XXXXXXXXXX
XXXXXX
X
XXX
X
1 Example
1.1 The Construction of the Finite Field GF(pn)
field. same y theessentiall are e that thesshow topossible
isIt ? degree ofboth s,polynomial eirreducibldifferent
for twoon constructi same thedo weif happensWhat #
elements. with field
a is )(Then .)( ]mod[ be )(Let (3)
. degree
of mod polynomial eirreduciblan be to)( Choose (2)
.mod tscoefficien with spolynomial ofset theis ][ (1)
).( field finite a ngconstructifor procedure general The
n
p
pGFXPXZpGF
n
pXP
pXZ
pGF
n
np
n
p
n
1.2 Division
).1(mod1)1)((
:obtain we,1 mod Reducing
).1)(1()1)((1
Therefore,
.1))(1(1
)()1)(1(1
:integersfor as same theis
)dividenddivisorremainder)(1
,1gcd( Calculate :Solution
.1 of inverse thefind ),1
](mod[Z)GF(2Consider
AlgorithmEuclidean Extended The
3483672
348
3483672
26367
26367348
3
48367
3673
482
8
++++≡++++
++++
++++++++++=
++++=++++
++++++++=++++
→→→+++
+++++
+++++++
+=
XXXXXXXXX
XXXX
XXXXXXXXXX
XXXXXXXX
XXXXXXXXXXXX
ignoreXX
XXXXXX
XXXXXX
XXX2 Example
1.3 GF(28)
y.efficientl is )2(in operations that thesee wesummary,In
.010001101)1 isbit first theif,1
subtract (100011011110010110110010110
)0 a append andleft shift (11001011)(1
istion Multiplica
.11010010
000110011100101111
:bits theof
theisAddition .11001011 becomes 1 example,
For .byte arepresent bits 8 The .1or 0 is each where
,
polynomial a asuniquely drepresente becan element
Every .examplean as )1](mod[Z)GF(2 Use
8
348
367
467
34367
367
01234567
012
23
34
45
56
67
7
3482
8
GF
X
XXXXOR
XXXXX
XXXX
XORXXXXXX
XORXXXX
bbbbbbbbb
bXbXbXbXbXbXbXb
XXXXX
i
=++++→
→→++++
+++→
=→+++++++
++++
+++++++
++++=
)(
)()(
2 The Basic Algorithm
For simplicity, we restrict to 128 bits, and firstly give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key using the original of 128 bits. A round starts with an input of 128 bits and produces an output of 128 bits.
There a four basic step, called layers, that are used to form the rounds:
(1) The ByteSub (SB) Transformation: This non-linear layer is for resistance to differential and linear cryptanalysis attacks.
(2) The ShiftRow (SR) Transformation: This linear mixing step causes diffusion of the bits over multiple rounds.
(3) The MixColumn (MC) Transformation: This layer has a purpose similar to ShiftRow.
(4) AddRoundKey (ARK) Transformation: The round key is XORed with the result of the above layer.
A round is then
ByteSub ShiftRow MixColumn AddRoundKey
Rijndael Encryption
(1) ARK, using the 0th round key.(2) Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.(3) A final round: BS, SR, ARK, using the 10th round key.
# The final round omits Mixcolumn layer.
3 The Layers
inverse.
tivemultiplica a haselement Each y.certain wa ain multiplied be also
They .by addedcan They bytes.by drepresente becan )(2 of
elements The .1 is Rijndealfor choice The 8. degree
of polynomial eirreducibl of choice aon depends )(2 of model
The ).(2 field finite the work with toneed ll we'following, In the
.
matrix 44int arranged are and
,,,,,,,,
themcall each, bits 8 of bytes 16 into grouped are bitsinput 128 The
8
348
8
8
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
3,31,11,00,30,20,10,0
XORGF
XXXX
GF
GF
aaaa
aaaa
aaaa
aaaa
aaaaaaa
++++
×
3.1 The ByteSub Transformation
22187841761545153651046623019113137161140
22340852062331353015514814221710517152248225
158291931341858753971424637210218162112
13813918975116221232198180166284637120186
8174122101234244861081697821314110955200231
121228149145981722111949236673105850224
2191194222201842387013614442342207912996
11525931001261671962368151952361912205
2102432551633218182188245561571461436416381
1681596980127224969133517767251170239208
207887674571902031069117725232237020983
13247227411792145982160901102726441319
11717839235226128187154515024195351994
214921611324122916552204247635438147253183
1921141641561751622121732407189250125201130202
1181712152544310314819711110724212311912499
16)(16Box S
31
61
×−
3.1 The ByteSub Transformation (Continued)
.
bytes. ofmatrix 44 aagain is ByteSub ofoutput The
binary.in 111101 is which 61, isentry The 12.column
and 9 rowin look we10001011, is byteinput the
if example,For column. and row in the
entry for theLook . :bits 8 as byte a Wirte
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
→
×
bbbb
bbbb
bbbb
bbbb
aaaa
aaaa
aaaa
aaaa
efghabcd
abcdefgh
3.2 The ShiftRow Transformation
.
obtain to3, and 0,1,2, of offsetsby left theto
cyclically shifted arematrix theof rowsfour The
2,31,30,33,3
1,20,23,22,2
0,13,12,11,1
3,02,01,00,0
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
=
bbbb
bbbb
bbbb
bbbb
cccc
cccc
cccc
cccc
3.3 The MixColumn Transformation
.
00000010000000010000000100000011
00000011000000100000000100000001
00000001000000110000001000000001
00000001000000010000001100000010
:follows as ),(output theproduce to),(2in entries
again with matrix, aby hisMultiply t ).(2in entries
with)(matrix 44 a is step ShiftRow theofoutput The
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
,8
8
,
=
×
dddd
dddd
dddd
dddd
cccc
cccc
cccc
cccc
dGF
GF
c
ji
ji
3.4 The RoundKey Addition
.
:step
MixColumn in the )(output with theXORed is This bytes. of
consisting )(matrix 44 ain arranged are which bits, 128
of consistskey original thefrom derivedkey, round The
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
3,32,31,30,3
3,22,21,20,2
3,12,11,10,1
3,02,01,00,0
,
,
=
⊕
×
eeee
eeee
eeee
eeee
kkkk
kkkk
kkkk
kkkk
dddd
dddd
dddd
dddd
d
k
ji
ji
3.5 The Key Schedule
3).(42),(4 1),(4
),(4columns theof consists roundth for thekey round The
)).1((
)10(
.)1(Let
).1( ofation transform theis ))1(( where)),1((
)4()( then , |4 If ).1()4()(then
, |4 If y.recursivel generated are columns new The (3).(2),
(1),(0), columsfour first theLabel bytes. ofmatrix 44 a
into generated are which bits, 128 of consistskey original The
4/)4(
+++
−=
⊕
→
→
→
=−
−−−⊕−=−⊕−=/
×
−
−
iWiWiW
iWi
iWT
h
g
f
e
h
g
f
e
a
d
c
b
d
c
b
a
d
c
b
a
iW
iWiWTiWT
iWiWiiWiWiW
iWW
WW
i
boxS
3.6 The Construction of the S-Box
.
0
1
1
0
0
0
1
1
11111000
01111100
00111110
00011111
10001111
11000111
11100011
11110001
by compute becan box -S in the ofentry
The 0000000.0 is 00000000 byte theof inverse theSuppose .
by drepresente becan )(2in byte
theof inverse The n.descriptio almathematic simple a hasbox -S The
7
6
5
4
3
2
1
0
7
6
5
4
3
2
1
0
01234567
012
345678
01234567
=
+
z
z
z
z
z
z
z
z
y
y
y
y
y
y
y
y
xxxxxxxx
yyy
yyyyyGFxxxxxxxx
3.6 The Construction of the S-Box (Continued)
31.entry obtian the also Webox.-S in the 12 1 1011column theand
1311001 row check the We31.00011111 byte theyield This
.
0
0
0
1
1
1
1
1
0
1
1
0
0
0
1
1
0
0
0
0
0
1
0
0
11111000
01111100
00111110
00011111
10001111
11000111
11100011
11110001
calculate We
.00000100 is )(2in 10010111 byte theof inverse The 8
=+=+=
=
+
GF3 Example
4 Decryption
Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:
(1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS).
(2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).
(3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix
(4) AddRoundKey is its own inverse.
.
00001110000010010000110100001011
00001011000011100000100100001101
00001101000010110000111000001001
00001001000011010000101100001110
IMC". andARK " replace toIARK" and IMC" usecan We).( with XORing be
dKey(IARK)InvAddRounLet IMC. is arrowfirst The ).()()( where
),()()()()()(
is process the,)()()()())()((
)()( Since ).())(()( solvingby obtained is inverse The
).())(()())(()(
as gave is )(
matrix a ARK to then and MC Applying reversed. becan IBS and ISR ofoder the
Clearly, .encryption as structure same theachieve todecryption therewritecan We
ARK.
IBSISR,IMC,ARK,
IBSISR,IMC,ARK,
IBSISR,ARK,
ARK.SR,BS,
ARKMC,SR,BS,
ARKMC,SR,BS,
ARK
decryption Rijndael encryption Rijndael
Therefore,
,
,1
,,
,,1
,,1
,,
,1
,,1
,,,
1,,,,,,
,,,,,,,
,
ji
jijiji
jijijijijiji
jijijijijiji
jijijijijiji
jijijijijijiji
ji
k
kmk
kememe
kmemke
mckcme
kcmecmc
c
′=′
′⊕→→
⊕=⊕
=⊕=
⊕=→→
⇒
−
−−
−−
−
ARK.
ISRIBS,IARK,IMC,
ISRIBS,IARK,IMC,
ISRIBS,ARK,
decryption Rijndael
bygiven is decryption theNow,
Rijndael Decryption
(1) ARK, using the 10th round key.(2) Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.(3) A final round: IBS, ISR, ARK, using the 0th round key.
# To keep the perfect structure, the MC is omitted in the last round of the encryption.
5 Design Consideration
(1) Unlike the Feistel system, all bits are treat uniformly. This has effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.
(2) The S-box is constructed in an explicit and simple algebraic way so as to avoid the mysteries of trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks.
(3) The SR step is added to resist truncated differentials and square attack.
(4) The MC causes diffusion among the bytes.
(5) The ARK involves nonlinear mixing of the key bits. The mixing is designed to resist the known part key attack. The round constants are used to eliminate symmetries.
(6) The number of rounds was chosen to be 10 because there are attacks that are better than brute force up to seven rounds in 2004. No known attack beats brute force for seven or more rounds. It was felt that three extra rounds provide a large enough margin of safety.