B.d) AES. W. Schindler: Cryptography, B-IT, winter 2006 / 2007 (PowerPoint presentation)


  1. B.d) AES. W. Schindler: Cryptography, B-IT, winter 2006 / 2007

  2. B.96 AES (Advanced Encryption Standard)
     AES is a symmetric block cipher with
     • plaintext space P = ciphertext space C = {0,1}^128
     • key space
       - K = {0,1}^128 (usual case), or
       - K = {0,1}^192, or
       - K = {0,1}^256
     • Depending on the size of K, AES is a round-based block cipher with (cf. B.99)
       - 10 rounds, or
       - 12 rounds, or
       - 14 rounds
     • AES is not a Feistel cipher.

  3. B.97 AES (History)
     • In 1997 NIST (National Institute of Standards and Technology) initiated a competition to find a successor of DES.
     • Requirements:
       - Security, especially resistance against linear and differential attacks
       - Efficiency (hardware and software implementations)
       - Scalability
       - Royalty freeness

  4. B.97 AES (History)
     • 1st round (1998):
       - 15 algorithms were submitted
       - main aspect: security
       - 5 algorithms “survived” the first round
     • 2nd round:
       - main aspect: efficiency on various platforms
     • Winner of the competition: Rijndael (designers: V. Rijmen, J. Daemen)

  5. B.98 Remark
     Note: Cryptanalysts from all over the world analyzed the submitted AES candidates. Security and implementation aspects were discussed at many crypto conferences.

  6. B.99 Scalability
     • The AES consists of Nr rounds and uses a 32*Nk bit key.
     • Admissible pairs (Nr, Nk):
       - (10, 4) (usual case)
       - (12, 6)
       - (14, 8)
     Note: Rijndael additionally considered the cases P = C = {0,1}^192 and P = C = {0,1}^256. These options have not been standardized.

  7. B.100 State Space
     • plaintext block: (s_00, s_10, s_20, s_30, s_01, s_11, …, s_33) ∈ ({0,1}^8)^16 ≅ {0,1}^128. (The s_ij denote bytes.)
     • The plaintext block is transformed into the state

           s_00  s_01  s_02  s_03
           s_10  s_11  s_12  s_13
           s_20  s_21  s_22  s_23
           s_30  s_31  s_32  s_33

  8. B.100 (continued)
     • The plaintext bytes fill the state array column by column (direction: top-down), beginning with the leftmost column.
     • After encryption the (final) state is transformed into a ciphertext block. Decryption: ciphertext block → state → plaintext block.

  9. B.101 AES (coarse structure)
         plaintext block (128 bit = 16 byte) → state
         AddRoundKey(state, RoundKey_0*)          [* non-standard notation]
         for i := 1 to Nr-1 do {
             SubBytes(state)
             ShiftRows(state)
             MixColumns(state)
             AddRoundKey(state, RoundKey_i*)
         }
         SubBytes(state)                          (final round)
         ShiftRows(state)                         (final round)
         AddRoundKey(state, RoundKey_Nr*)         (final round)
         state → ciphertext block

  10. B.102 Remark
     (i) The AES cipher consists of four ‘basic’ transformations. These transformations operate on the state.
     (ii) The final round is different from the others. (The MixColumns(.) operation is missing.)
     (iii) AES is a byte-oriented cipher. Each state byte s_ij is interpreted as an element of the finite field GF(2^8).

  11. B.103 A Reminder: Finite Fields
     • For any integer n > 1, Z_n := {0, …, n-1} is a ring (equipped with addition and multiplication modulo n).
     • In general Z_n is not a field.
     • Example: 2 ∈ Z_4 has no multiplicative inverse modulo 4.
     • If p is prime, Z_p = {0, 1, …, p-1} is a field.
     • Example: Z_2, Z_17, Z_101 are fields.
     Note: The definitions of a group, a ring and a field can be found in any elementary algebra book.

  12. B.103 (continued)
     Fact:
     (i) For any prime p and any positive integer k there exists a finite field with p^k elements.
     (ii) All fields with p^k elements are isomorphic.
     (iii) Any finite field contains p'^k' elements, where p' is a prime and k' a positive integer.
     Notation: In the following, GF(p^k) stands for a finite field with p^k elements. For p prime we alternatively use the notations Z_p and GF(p).

  13. B.103 (continued)
     • GF(2)[X] denotes the ring of polynomials over GF(2).
     • Example: X^4 + 1, X^2 + X ∈ GF(2)[X]
     • A polynomial p(X) with deg(p(X)) ≥ 1 is called irreducible in GF(2)[X] if it cannot be expressed as a product of two non-constant polynomials.
     Example:
     (i) X^2 + X = X(X + 1) is not irreducible in GF(2)[X].
     (ii) X^2 + X + 1 is irreducible in GF(2)[X].

  14. B.103 (continued)
     • The AES cipher considers the polynomial m(X) := X^8 + X^4 + X^3 + X + 1 ∈ GF(2)[X]. This polynomial is irreducible in GF(2)[X].
     • <m(X)> := { p(X)m(X) | p(X) ∈ GF(2)[X] }
     • Fact: The factor ring GF(2)[X] / <m(X)> is a field. More precisely, it is (isomorphic to) GF(2^8). That is, GF(2^8) ≅ { p(X) + <m(X)> | p(X) ∈ GF(2)[X] }.

  15. B.103 (continued)
     Reminder: For concrete computations modulo n we use the set of representatives Z_n = {0, 1, …, n-1}. Similarly, for computations in GF(2^8) we use the set of representatives
         R := { p(X) ∈ GF(2)[X] | deg(p(X)) < deg(m(X)) = 8 }.
     Polynomials are added and multiplied modulo m(X).
     A more detailed treatment: blackboard

  16. B.104 Example
     • X^8 ≡ X^4 + X^3 + X + 1 (mod m(X))
     • Let a := X^6 + X^4 + X + 1 and b := X^2 + X + 1.
     • Then a + b = X^6 + X^4 + X + 1 + X^2 + X + 1 = X^6 + X^4 + X^2. (The corresponding coefficients are added modulo 2.)
     • a*b = (X^6 + X^4 + X + 1)(X^2 + X + 1)
           = (X^8 + X^6 + X^3 + X^2) + (X^7 + X^5 + X^2 + X) + (X^6 + X^4 + X + 1)
           = X^8 + X^7 + X^5 + X^4 + X^3 + 1
           ≡ (X^4 + X^3 + X + 1) + X^7 + X^5 + X^4 + X^3 + 1
           = X^7 + X^5 + X (mod m(X))

  17. B.105 Miscellaneous
     • We identify a byte b = (b_7, b_6, …, b_0) with the polynomial b_7 X^7 + b_6 X^6 + … + b_0.
     • Bytes are added and multiplied according to the laws of the field GF(2^8).
     • In hexadecimal notation the byte (b_7, b_6, …, b_0) reads (8*b_7 + 4*b_6 + 2*b_5 + b_4, 8*b_3 + 4*b_2 + 2*b_1 + b_0).
     • Example: In hexadecimal notation (11010011) reads D3.

  18. B.106 Next Steps
     Study the basic transformations
     • SubBytes(state)
     • ShiftRows(state)
     • MixColumns(state)
     • AddRoundKey(state, RoundKey)

  19. B.107 SubBytes
     • SubBytes(.) maps an element t ∈ GF(2^8) to S(t), where S: GF(2^8) → GF(2^8) denotes a fixed bijective mapping that is not GF(2)-linear.
     • More precisely, S(t) = A t^{-1} + c for t ≠ 0, and S(0) = c.
     • Here
       - t^{-1} denotes the inverse of t in GF(2^8), viewed as an 8-bit vector,
       - A is a fixed (8x8) matrix over GF(2),
       - c is a fixed vector in GF(2)^8.

  20. B.107 (continued)
     With the coordinates of an 8-bit vector ordered (t_0, t_1, …, t_7), t_0 being the least significant bit:

              | 1 0 0 0 1 1 1 1 |          | 1 |
              | 1 1 0 0 0 1 1 1 |          | 1 |
              | 1 1 1 0 0 0 1 1 |          | 0 |
         A := | 1 1 1 1 0 0 0 1 |     c := | 0 |
              | 1 1 1 1 1 0 0 0 |          | 0 |
              | 0 1 1 1 1 1 0 0 |          | 1 |
              | 0 0 1 1 1 1 1 0 |          | 1 |
              | 0 0 0 1 1 1 1 1 |          | 0 |

     (In hexadecimal notation c is the byte 63.) The computation of A t^{-1} + c demands an inversion, a matrix-vector multiplication and a vector addition over GF(2).

  21. B.108 Remark
     • AES implementations neither invert bytes nor perform matrix-vector multiplications, since this would be too costly.
     • Instead, the values of S are stored in a table, and SubBytes(.) needs only one table lookup per byte.
     • The SubBytes(.) transformation is called the S-box.

  22. B.109 ShiftRows
     • The ShiftRows(.) transformation shifts the rows of the state cyclically to the left. To be precise:
       - Row 0 is not shifted.
       - Row 1 is shifted cyclically by 1 position to the left.
       - Row 2 is shifted cyclically by 2 positions to the left.
       - Row 3 is shifted cyclically by 3 positions to the left.

  23. B.110 MixColumns
     • MixColumns(state) is given by a matrix-matrix multiplication in GF(2^8); the new state is

           | 02 03 01 01 |   | s_00 s_01 s_02 s_03 |
           | 01 02 03 01 |   | s_10 s_11 s_12 s_13 |
           | 01 01 02 03 | * | s_20 s_21 s_22 s_23 |
           | 03 01 01 02 |   | s_30 s_31 s_32 s_33 |

     Note: The matrix entries 01, 02 and 03 (hexadecimal notation) correspond to the polynomials 1, X and X+1, respectively.

  24. B.111 AddRoundKey
     • AddRoundKey(state, RoundKey) computes the next state by adding RoundKey (interpreted as a 4x4 matrix over GF(2^8)) to the state.
     Note: Since addition in GF(2^8) is coefficient-wise addition modulo 2, AddRoundKey(.,.) amounts to a bitwise XOR of the state and the round key.

  25. B.112 Key Scheduling
     • A non-linear feedback shift register on 32-bit words is used to compute the (Nr+1) round keys from the encryption key K.
     • Each round key is as large as the state (i.e., it consists of 128 bits).

  26. B.112 (continued)
     Definitions:
     • word: w = (b_0, b_1, b_2, b_3) (data type consisting of 4 bytes)
     • SubWord(w) := (SubBytes(b_0), SubBytes(b_1), SubBytes(b_2), SubBytes(b_3))
     • RotWord((b_0, b_1, b_2, b_3)) := (b_1, b_2, b_3, b_0)
     • Rcon(n) := ((02)^{n-1}, (00), (00), (00)). The first byte equals X^{n-1} (mod m(X)) ∈ GF(2^8) (hexadecimal notation).
     Note: On the next slide we concentrate on the case Nk = 4, i.e. on 128-bit keys. The other key lengths are treated similarly.

  27. B.112 (continued) [128-bit keys]
         for j := 0 to 3 do w[j] := j-th key word
         j := 4
         while (j < 4 * 11) {
             temp := w[j-1]
             if (j ≡ 0 (mod 4)) temp := SubWord(RotWord(temp)) ⊕ Rcon(j/4)
             w[j] := w[j-4] ⊕ temp
             j := j + 1
         }
     (For 128-bit keys only every fourth word passes through RotWord, SubWord and the Rcon addition; the remaining words are obtained by the XOR alone.)

  28. B.112 (continued)
         first round key:  (w[0], w[1], w[2], w[3])
         second round key: (w[4], w[5], w[6], w[7])
         …
         last round key:   (w[40], w[41], w[42], w[43])
     Note: When AddRoundKey(.,.) is called for the i-th time (counting from i = 0), the word w[4*i+j] is added to the j-th column of the state.
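As an added example (not part of the lecture slides), the following Python code assembles AES-128 encryption from the definitions of B.103 to B.112: GF(2^8) arithmetic modulo m(X), the S-box built as A t^{-1} + c, the four basic transformations and the key schedule, checked against the FIPS 197 test vectors. The flat column-major state layout and the brute-force inversion are implementation choices made here; all constants are the standard AES constants.

```python
# Added example (not from the slides): AES-128 encryption assembled from the slides' definitions.
# m(X) = X^8+X^4+X^3+X+1 is written 0x11B below; the affine constant c of SubBytes is 0x63.
def gf_mul(a: int, b: int) -> int:   # product of two bytes as polynomials over GF(2) mod m(X)
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:                # degree 8 reached: replace X^8 by X^4+X^3+X+1
            a ^= 0x11B
        b >>= 1
    return r
def gf_inv(t: int) -> int:           # inverse in GF(2^8); 0 maps to 0 so that S(0) = c
    return 0 if t == 0 else next(x for x in range(1, 256) if gf_mul(t, x) == 1)
def affine(t: int) -> int:           # A*t + c over GF(2): bit i = t_i+t_{i+4}+t_{i+5}+t_{i+6}+t_{i+7}+c_i
    bit = lambda v, i: (v >> (i % 8)) & 1
    return sum((bit(t, i) ^ bit(t, i + 4) ^ bit(t, i + 5) ^ bit(t, i + 6) ^ bit(t, i + 7) ^ bit(0x63, i)) << i
               for i in range(8))
SBOX = [affine(gf_inv(t)) for t in range(256)]   # the table that implementations store (B.108)
# The state is a flat list of 16 bytes in column-major order: s[4*col + row] holds s_{row,col}.
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def add_round_key(s, k): return [x ^ y for x, y in zip(s, k)]
def mix_columns(s):                  # multiply each column by the circulant matrix (02 03 01 01)
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3, a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3), gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out
def expand_key(key: bytes) -> list:  # schedule for Nk = 4: 44 words as 11 round keys of 16 bytes
    w = [list(key[4 * j:4 * j + 4]) for j in range(4)]
    rcon = 0x01                                          # first byte of Rcon(1) is X^0 = 01
    for j in range(4, 44):
        temp = list(w[j - 1])
        if j % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= rcon                                  # xor Rcon(j/4)
            rcon = gf_mul(rcon, 0x02)                        # Rcon(n+1) byte = X * Rcon(n) byte
        w.append([x ^ y for x, y in zip(w[j - 4], temp)])
    return [bytes(sum(w[4 * i:4 * i + 4], [])) for i in range(11)]
def encrypt_block(pt: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(list(pt), rk[0])
    for i in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))   # final round has no MixColumns
```

Because the S-box is derived from the field inverse and the affine map rather than typed in, a wrong m(X), A or c shows up immediately as a failed test vector.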

  29. B.113 Decryption
     Decryption:
       - The order of the basic transformations has to be reversed.
       - Each basic transformation is replaced by its inverse.
       - The order of the round keys is reversed.
     • AddRoundKey(., RoundKey) is self-inverse.
     • The inverse transformations of SubBytes(.), ShiftRows(.), MixColumns(.) are called InvSubBytes(.), InvShiftRows(.), InvMixColumns(.).
