Advanced Encryption Standard - - PowerPoint PPT Presentation

Advanced Encryption Standard

密碼學與應用

海洋大學資訊工程系 丁培毅 丁培毅

1

Advanced Encryption Standard (AES) Advanced Encryption Standard (AES)

 1997 NIST call for candidate

 larger key size (bits): 128, 192, 256  larger block size (bits): 128  larger block size (bits): 128  different hardware implementations: 8 bit - 32 bit

did fi fi li

 1998 15 candidates, five finalists

 MARS (IBM), RC6 (RSA), Rijndael (Daemen and

Rijmen), Serpent (Anderson et al), Twofish (Schneier et al)

 2000 AES standard: Rijndael (FIPS 197)

replace DES in the following 30 years

2

replace DES in the following 30 years

http://csrc.nist.gov/CryptoToolkit/aes/rijndael/

Rijndael Rijndael

 Pronounced as ‘Reign Dahl’ or ‘Rain Doll’, ‘Rhine Dahl’  block cipher, 128 bit data block, key lengths can be 128,

192, and 256 bits, 10 rounds, not Feistel structure

 four steps (layers) in each round

 ByteSub Transformation: resist differential and linear attacks  ByteSub Transformation: resist differential and linear attacks  ShiftRow Transformation: diffusion effect  MixColumn Transformation: diffusion effect  MixColumn Transformation: diffusion effect  AddRoundKey: key XORed

b dd d hif i l

3

ByteSub AddRoundKey ShiftRow MixColumn

Rijndael Encryption Rijndael Encryption

 Encryption Algorithm

1 A i h 0 h d k

• 1. ARK, using the 0-th round key
• 2. Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9
• 3. A final round: BS, SR, ARK, using the 10-th round key

BS: ByteSub SR Shif R SR: ShiftRow MC: MixColumn ARK: AddRoundKey

4

ARK: AddRoundKey

Input Data Input Data

 128 bits (16 bytes)

( y )

 arranged as a 4  4 matrix

a0 0 a1 0 a2 0 a3 0 a0 1 a1 1 a3 3 a0,0, a1,0, a2,0, a3,0, a0,1, a1,1,…, a3,3 a0,0 a0,1 a0,2 a0,3 a1,0 a1,1 a2 0 a2 1 a1,2 a2 2 a1,3 a2 3 a2,0 a3,0 a2,1 a3,1 a2,2 a3,2 a2,3 a3,3

 each byte is an elements of GF(28), can be added /

multiplied mod X8+X4+X3+X+1

5

ByteSub Transformation ByteSub Transformation

 Ex. Input a0 0 is 10001011  Ex. Input a0,0 is 10001011

1000  the 9-th row 1011  the 12 th column 1011  the 12-th column Output b0,0 is 61

 Each elements in [ai,j] matrix are transformed

independently to matrix [bi j] independently to matrix [bi,j]

b0,0 b0,1 b0,2 b0,3 b b b b b1,0 b1,1 b2,0 b2,1 b1,2 b2,2 b1,3 b2,3

6

b3,0 b3,1 b3,2 b3,3

ByteSub Transformation ByteSub Transformation

 S-box a nonlinear permutation

130 201 125 250 89 71 240 173 212 162 175 156 164 114 202 99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118 192 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1 253 199 131 147 35 44 38 195 26 54 24 27 63 150 110 247 5 90 204 154 160 52 7 82 165 18 59 229 128 214 241 226 179 113 235 41 216 39 227 49 178 47 183 4 9 21 117 132 2 3 4 209 239 163 170 64 137 251 143 32 67 146 252 77 157 177 51 56 91 133 245 106 69 188 203 249 182 190 2 218 57 127 33 74 80 16 76 60 255 88 159 243 83 208 81 207 168 210 5 6 7 12 129 50 19 79 58 236 220 10 95 34 73 151 42 6 68 144 36 23 136 92 196 70 194 167 238 211 126 184 172 61 20 98 100 222 145 93 94 149 25 11 228 205 96 224 115 219 121 8 9 10 200 120 62 55 37 181 109 46 102 141 28 72 213 166 3 78 180 246 169 198 14 108 232 97 86 221 53 244 116 87 234 31 185 101 75 134 122 189 193 174 139 29 231 186 112 8 138 158 11 12 13

7

248 161 152 137 17 13 105 191 217 230 142 66 148 104 155 65 30 153 135 45 233 15 206 176 85 84 40 187 225 140 223 22 14 15

ShiftRow Transformation ShiftRow Transformation

 The four rows of the matrix [bi,j] are shifted

i,j

cyclically to the left by offsets of 0, 1, 2, and 3 to obtain

b0,0 b0,1 b0,2 b0,3 b1 1 b1 2 b1 3 b1 0 c0,0 c0,1 c0,2 c0,3 c1 0 c1 1 c1 2 c1 3

1,1 1,2

b2,2 b b2,3 b

1,3

b2,0 b

1,0

b2,1 b

1,0 1,1

c2,0 c2,1

1,2

c2,2

1,3

c2,3 = b3,3 b3,0 b3,1 b3,2 c3,0 c3,1 c3,2 c3,3

8

MixColumn Transformation MixColumn Transformation

 Perform the following matrix multiplication in  Perform the following matrix multiplication in

GF(28)

d d d d d0,0 d0,1 d0,2 d0,3 d1,0 d1,1 d1,2 d1,3 d2,0 d3 0 d2,1 d3 1 d2,2 d3 2 d2,3 d3 3 = d3,0 d3,1 d3,2 d3,3 c0,0 c0,1 c0,2 c0,3

00000010 00000011 00000001 00000001

c1,0 c1,1 c2 0 c2 1 c1,2 c2 2 c1,3 c2 3

00000001 00000001 00000010 00000001 00000011 00000010 00000001 00000011

9

2,0

c3,0

2,1

c3,1

2,2

c3,2

2,3

c3,3

00000011 00000001 00000001 00000010

RoundKey Addition RoundKey Addition

 The 128-bit round key matrix [kij] is derived

y [ ij] from the key, and XORed to the output of [dij]

e e e e e0,0 e0,1 e0,2 e0,3 e1,0 e1,1 e1,2 e1,3 = e2,0 e3 0 e2,1 e3 1 e2,2 e3 2 e2,3 e3 3

3,0 3,1 3,2 3,3

d0,0 d0,1 d0,2 d0,3 d d d d k0,0 k0,1 k0,2 k0,3 k k k k d1,0 d1,1 d2,0 d2,1 d1,2 d2,2 d1,3 d2,3  k1,0 k1,1 k2,0 k2,1 k1,2 k2,2 k1,3 k2,3

10

d3,0 d3,1 d3,2 d3,3 k3,0 k3,1 k3,2 k3,3

Key Schedule Key Schedule

 128 bit key K is arranged to 4x4 matrix [wij] of bytes, let

y g

ij

y the four column be W(0), W(1), W(2), W(3)

 expanded in the following recursive way

g y

 i  0 mod 4, W(i) = W(i-4)  W(i-1)  i  0 mod 4, W(i) = W(i-4)  T(W(i-1))  i 0 mod 4, W(i) W(i 4)  T(W(i 1))

 where T(ꞏ) is defined as

i-4 i

and S(ꞏ) is the S-box S(b)  00000010

i

S(c) a b T = ( ) S(d) S(a) c d

11

• the i-th round key is (W(4i), W(4i+1), W(4i+2), W(4i+3))

Construction of the S Box Construction of the S-Box

 There is a simple mathematical formula to calculate

p each elements in the S-Box

 ex. consider row 12=(1100)2 and column 11=(1011)2,

hi i this entry is

31 = (00011111)2

 starting from the byte (11001011)  starting from the byte (11001011)2  its inverse in GF(28)

w.r.t. X8+X4+X3+X+1

1 1 1 1 1 1 1 1 1 1 1 1 1 1

is (00000100)2

 multiply by a matrix

d dd h l

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

 = and add the column vector (1,1,0,0,0,1,1,0)T in GF(28), we obtain

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1



12

G ( ), we ob the entry (00011111)2

1 1 1 1 1 1 1 1 1 1 1

Construction of the S Box Construction of the S-Box

 The inverse mapping in GF(28) was used to

pp g ( ) achieve non-linearity. Thi i l i ld ibl ll i

 This simple mapping could possibly allow certain

attacks, so it was combined with multiplication by h i d ddi h the matrix and adding the vector.

 The matrix was chosen mostly because of its  The matrix was chosen mostly because of its

simple form.

 The vector was chosen so that no input ever

equals its S-box output or the complement of its

13

q p p S-box output.

Rijndael Decryption Rijndael Decryption

 Each of the steps ByteSub, ShiftRow, MixColumn, and

p y AddRoundKey are invertible

 The inverse of ByteSub is another lookup table, called

I B t S b InvByteSub

 The inverse of ShiftRow is obtained by shifting the rows to the

right instead of to the left, yielding InvShiftRow g t stead o to t e e t, y e d g vS t ow

 The inverse of MixColumn exists because the 44 matrix used

in MixColumn is invertible. The transformation I Mi C l i i b lti li ti f th t i InvMixColumn is given by multiplication of the matrix

00001110 00001001 00001011 00001110 00001101 00001011 00001001 00001101 00001001 00001101 00001011 00001110 00001001 00001101 00001011 00001110 00001001 00001101 00001011 00001110

14

 AddRoundKey is its own inverse

Rijndael Decryption(cont’d) Rijndael Decryption(cont d)

 Rijndael Encryption

j yp

ARK BS, SR, MC, ARK … BS, SR, MC, ARK BS, SR, ARK

 Decryption with all steps reversed (key schedule also

reversed)

ARK ISR IBS ARK, ISR, IBS ARK, IMC, ISR, IBS … ARK, IMC, ISR, IBS ARK N h f i i diff f h

15

 Note: the step sequence of encryption is very different from that

• f decryption, we want to make it look more alike.

Rijndael Decryption (cont’d) Rijndael Decryption (cont d)

 Note: BS then SR is the same as SR then BS, since BS

acts one byte at a time and SR permutes the bytes. Therefore, the order of ISR and IBS can be reversed.

 The order of ARK and IMC need to be reversed.

applying ARK then IMC to [cij]: ei,j mi,j ci,j ki,j = ꞏ 

• 1

= ꞏ mi,j

• 1

ꞏ mi,j

• 1

ci,j ki,j  = mi,j ci,j k'i,j ꞏ 

• 1

IMC InvAddRoundKey (IARK)

IMC then IARK

16

InvAddRoundKey (IARK)

Rijndael Decryption (cont’d) Rijndael Decryption (cont d)

St t f th di t d ti t

 Start from the direct decryption step sequence ARK, ISR, IBS ARK, IMC, ISR, IBS , , , … ARK, IMC, ISR, IBS ARK ARK  Modify the above sequence with ISR, IBS reversed and

ARK IMC l d b IMC IARK ARK, IMC replaced by IMC, IARK

ARK, IBS, ISR, IMC, IARK, , , , , IBS, ISR, IMC, IARK, … IBS ISR ARK

17

IBS, ISR, ARK

Rijndael Decryption (cont’d) Rijndael Decryption (cont d)

 Decryption Algorithm

yp g

• 1. ARK, using the 10-th round key
• 2. Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1

3 A final round: IBS, ISR, ARK, using the 0-th round key

• 3. A final round: IBS, ISR, ARK, using the 0 th round key

Note: 1. Decryption and encryption has essentially the same structure, yet not identical.

• 2. This explains why MC is omitted in the last round in

the encryption algorithm the encryption algorithm.

• 3. On 8-bit processors, decryption takes 30% longer than

encryption because entries of [mij]-1 are more complex

18

encryption because entries of [mij] are more complex than [mij] (some modes, like CFB, do not need decryption)

Design Considerations Design Considerations

 Not Feistel system (half the bits are not changed in each

y ( g round) All bits are treated uniformly. y Diffusing the input bits faster, actually each output bits

• f a Rijndael round depends on each of the 128 input bits.

j p p

 No mystery in the design of S-Box (explicit, simple

algebraic way to construct the S-Box) algebraic way to construct the S Box)

 The S-box is highly nonlinear, based on xx-1 in GF(28),

ll tl t i ti diff ti l d li tt k d excellently at resisting differential and linear attacks and interpolation attacks.

19

Design Considerations Design Considerations

 The ShiftRow step was added to resist truncated  The ShiftRow step was added to resist truncated

differentials and the Square attack. Th Mi C l t d diff i th

 The MixColumn step caused diffusion among the

• bytes. A change in one input byte results in four
• utput bytes changing.

 The Key Schedule involves nonlinear mixing of  The Key Schedule involves nonlinear mixing of

the key bits by using S-box. This can resist tt k th k h ti l bit f th k attacks on the key when partial bits of the key are

• known. This also ensure that two distinct keys

20

do not have many round keys in common.

Design Considerations Design Considerations

 The number of rounds was chosen to be 10

because there are attacks that are better than because there are attacks that are better than brute force up to six rounds. The number of d ld il b i d if d d rounds could easily be increased if needed.

21

Weak Keys Weak Keys

 Symmetry properties and DES type weak keys  Symmetry properties and DES-type weak keys

 Round constants are different in each round to

li i i h i h eliminate symmetry in the cipher.

 The cipher and its inverse use different components

to eliminates the possibility for weak and semi-weak keys, as existing for DES.

 The non-linearity of the key expansion eliminates the

possibility of equivalent keys. p y q y

22

Differential Cryptanalysis Differential Cryptanalysis

Bih d Sh i “Diff i l l i f DES

 Biham and Shamir, “Differential cryptanalysis of DES-

like cryptosystems,” Crypto90

 A differential propagation is composed of differential

trails(DT), where its propagation ratio(PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns.

 Necessary condition to resist differential cryptanalysis:

No DT with predicated PR > 21-n n the block length No DT with predicated PR > 2 , n the block length.

 For Rijndael: No 4-round DT with predicated PR above

150 300

23

2-150 (no 8-round trails with PR above 2-300 ).

Linear Cryptanalysis Linear Cryptanalysis

 M. Matsui, “Linear cryptanalysis method for DES

cipher,” Eurocrypt’93

 An input-output correlation is composed of linear trails

(LT) that have the specified initial and final selection (LT) that have the specified initial and final selection patterns. N diti t b i t t i t LC N LT

 Necessary condition to be resistant against LC: No LTs

with correlation coefficient > 2-n/2

 For Rijndael: No 4-round LTs with correlation above

2-75 (no 8-round LTs with correlation above 2-150).

24

( )

Interpolation Attacks Interpolation Attacks

 Jakobsen and Knudsen,1997.

,

 The attacker constructs polynomials using cipher

input/output pairs If the polynomials have a small input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial coefficients of the polynomial.

 The expression for the S-box is given by 63+8f X127+b5 X191+01 X223+f4 X239+25 X247+f9 X251+09 X253+05 X25

25

Advantages Advantages

 I

l t ti t

 Implementation aspects

 Rijndael can be implemented to run at speeds

unusually fast on a Pentium (Pro). Trade-off between table size and performance.

 Rijndael can be implemented on a smart card in a

small code, using a small amount of RAM and a , g small number of cycles.

 The round transformation is parallel by design.  The round transformation is parallel by design.  As the cipher makes no use of arithmetic operations,

it has no bias towards processor architectures

26

it has no bias towards processor architectures.

Advantages Advantages

 Simplicity of design  Simplicity of design

 The cipher is fully “self-supporting”.  The cipher does not base its security on obscurity  The cipher does not base its security on obscurity

and not well understood arithmetic operations.

 The tight cipher design does not leave enough room  The tight cipher design does not leave enough room

to hide a trapdoor.

 Variable block length and extensions

 Block lengths and key lengths both range from 128  Block lengths and key lengths both range from 128

to 256 in steps of 32 bits.

 Round number can be also modified as a parameter.

27

 Round number can be also modified as a parameter.

Limitations Limitations

 The inverse cipher is less suited to be

implemented on a smart card than the cipher p p

• itself. It takes more code and cycles.

 In software, the cipher and its inverse cipher

make use of different code and/or tables.

 In hardware, the inverse cipher can only partially

28

re-use the circuitry that implements the cipher.

Mathematical Backgrounds Mathematical Backgrounds

 The field GF(28)

Example: (57)16 = (01010111)2  x6+x4+x2+x+1 Example: (57)16 (01010111)2  x x x x 1

 Addition

M l i li i

 Multiplication  Multiplication by x

 Polynomials with coefficients in GF(28)

 Multiplication by x

29

Addition Addition

 The sum of two elements can be obtained by  The sum of two elements can be obtained by

adding corresponding polynomials with modulo 2 addition 2 addition.

 Example: (57)16 + (83)16= (D4)16

( 6+ 4+ 2+ +1) + ( 7+ +1)

7+ 6+ 4+ 2

(x6+x4+x2+x+1) + (x7+x+1) = x7+x6+x4+x2

30

Multiplication Multiplication

M l i li i i GF(28) b b i d b

 Multiplication in GF(28) can be obtained by

multiplying both polynomials modulo an p y g p y irreducible binary polynomial of degree 8. For Rijndael this polynomial is called m(x) and given Rijndael, this polynomial is called m(x) and given by: m(x)=x8+x4+x3+x+1 or (11B)16 .

 Example: (57)16  (83)16 = (C1)16

( 6

4 2

1) ( 7 1) (x6+x4+x2+x+1)  (x7+x+1) = x13+x11+x9+x8+x6+x5+x4+x3+1 (mod x8+x4+x3+x+1)

31

= x7+x6+1

Extended Euclidean Algorithm Extended Euclidean Algorithm

 The multiplication defined above is associative and there  The multiplication defined above is associative and there

is an identity element (01)16. For any binary polynomial b(x) of degree below 8, the extended Euclidean algorithm ( ) g g can be used to compute polynomials a(x), c(x) such that b( x ) a(x) + m(x) c(x) = 1. ( ) ( ) ( ) ( )

 Hence, a(x)ꞏb(x)  1 (mod m(x)) or

b-1(x)  a(x) (mod m(x)) b 1(x)  a(x) (mod m(x)).

 Also, a(x)ꞏ(b(x)+c(x))  a(x)ꞏb(x)+a(x)ꞏc(x) (mod m(x)).

( ) ( ( ) ( )) ( ) ( ) ( ) ( ) ( ( ))

 It follows that the set of 256 possible byte values, with the

XOR as addition and the multiplication defined as above

32

XOR as addition and the multiplication defined as above has the structure of the finite field GF(28).

Multiplication by x Multiplication by x

 Multiply b(x) by the polynomial x, we have

b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x

 xb(x) is obtained by reducing the above result

(mod m(x)) If b =0 the reduction is identity (mod m(x)). If b7=0, the reduction is identity

• peration; if b7=1, m(x) must be subtracted (i.e.

XORed) XORed).

 That is multiplication by x or (02)16 can be  That is, multiplication by x or (02)16 can be

implemented by a left shift and a conditional XOR ith (1B)

33

XOR with (1B)16.

Example Example

 57  13 = FE  57 13 FE

57  02 = x  57 = AE 57  04 = x  AE = 47 57  08 = x  47 = 8E 57  08 x  47 8E 57  10 = x  8E = 07 57  13 = 57  (01  02  10) = 57  AE  07 57  AE  07 = FE

34

Polynomials with coefficients in GF(28) Polynomials with coefficients in GF(28)

 Consider two polynomials over GF(28):

a(x) = a3x3+a2x2+a1x+a0 b(x) = b3x3+b2x2+b1x+b0 b(x) b3x +b2x +b1x+b0

 The product c(x) = c6x6+c5x5+c4x4+c3x3+c2x2+c1x+c0

c0 = a0  b0 c1 = a1  b0  a0  b1 c2 = a2  b0  a1  b1  a0  b2 c3 = a3  b0  a2  b1  a1  b2  a0  b3 c4 = a3  b1  a2  b2  a1  b3 c5 = a3  b2  a2  b3

35

c6 = a3  b3

Polynomials with coefficients in GF(28) Polynomials with coefficients in GF(28)

 By reducing c(x) on previous slide modulo a

l i l f d 4 h l b polynomial of degree 4, the result can be reduced to a polynomial of degree below 4. In Rijndael, the polynomial m(x) = x4+1.

 ex. xi mod (x4+1) = x(i mod 4).

36

Polynomials with coefficients in GF(28) Polynomials with coefficients in GF(28)

 The modular product of a(x) and b(x) denoted  The modular product of a(x) and b(x), denoted

by d(x) = a(x) b(x) is given by d(x) = d3x3+d2x2+d1x+d0 with

3

d0 = ab0 ab1 ab2 ab3 d0 ab0 ab1 ab2 ab3 d1 = ab0 ab1 ab2 ab3 d b  b  b  b d2 = ab0 ab1 ab2 ab3 d3 = ab0 ab1 ab2 ab3

37

Polynomials with coefficients in GF(28) Polynomials with coefficients in GF(28)

 The operation consisting of multiplication by a  The operation consisting of multiplication by a

fixed polynomial a(x) can be written as matrix multiplication where the matrix is a circular multiplication where the matrix is a circular matrix.

d0 a0 a3 a2 a1 b0

=

d1 d a1 a0 a a a3 a a2 a b1 b d2 d3 a2 a3 a1 a2 a0 a1 a3 a0 b2 b3

38

Multiplication by x Multiplication by x

 If we multiply b(x) by the polynomial x, we have:

b3x4+b2x3+b1x2+b0x

3 2 1

 x b(x) is obtained by reducing the above result

modulo 1+x4. This gives b2x3+b1x2+b0x+b3 Th lti li ti b i i l t t lti li ti

 The multiplication by x is equivalent to multiplication

by a matrix as above with all ai =‘00’ except a1 =‘01’. L t ( )  b( ) W h Let c(x) = x  b(x). We have:

39

Multiplication by x Multiplication by x

 Hence multiplication by x or power of x  Hence, multiplication by x, or power of x,

corresponds to a cyclic shift of the bytes inside the vector

c0 00 00 00 01 b0 b

=

c1 c2 01 00 00 01 00 00 00 00 b1 b2

2

c3 00 00 01 00

2

b3

40