Kryptographie Advanced Encryption Standard Uwe Egly Vienna - - PowerPoint PPT Presentation

Kryptographie Advanced Encryption Standard

Uwe Egly

Vienna University of Technology Institute of Information Systems Knowledge-Based Systems Group

1 / 23

History

◮ Due to severe problems, DES, 3DES had to be replaced ◮ 1997: NIST published “request for candidates” for the AES:

◮ Fully specified and explained algorithm ◮ Symmetric block cipher with (at least) 128 bit block size ◮ Variable strength by variable key size (128, 192, 256 bits) ◮ Efficient implementation on various SW & HW platforms

◮ 1998: Crypto. community was asked to comment on 15

candidates

◮ 1999: Selection of 5 candidates for the 2nd round:

MARS, RC6, Rijndael, Serpent, and Twofish

◮ 2000/2001: Selection of Rijndael

2 / 23

Selection Criteria for the First Round

◮ Security

◮ Resistance to cryptanalysis ◮ Soundness of its mathematical basis ◮ Randomness of the algorithm output ◮ Relative security compared with other candidates

◮ Costs

◮ Efficiency (speed, memory) on various SW platforms ◮ Cost of HW implementation (e.g., chip area) ◮ Royalty-free

◮ Algorithm and implementation characteristics

◮ Versatility (flexible and suitable to SW and HW) ◮ Complexity of the algorithm 3 / 23

Relative Evaluation of the Finalists

Relative scores of the five candidate (3 is the best!)

MARS RC6 Rijndael Serpent Twofish General security 3 2 2 3 3 Implementation of security 1 1 3 3 2 SW performance 2 2 3 1 1 HW performance 1 2 3 3 2 Smart card performance 1 1 3 3 2 Design features 2 1 2 1 3

4 / 23

Overview of AES

◮ Key size: 128 bit, 192 bit or 256 bit ◮ Block size: 128 bit (Rijndael: 128–256 bit in 32 bit steps) ◮ No of rounds (Nr): variable, depending on the key size

◮ AES with 128 bit key: 10 rounds ◮ AES with 192 bit key: 12 rounds ◮ AES with 256 bit key: 14 rounds

◮ Round key:

128 bit RK for each round + 1 RK for addRoundKey

5 / 23

Input, Output, and Central Data Structures

◮ Plaintext: sequence of bytes (padded to multiple of block length) ◮ p0 · · · p4Nb−1 where Nb=block length/32, i.e., Nb = 4 in AES ◮ state: the data structure: matrix of 4 rows and Nb columns ◮ plaintext block → state: ai,j = pi+4j

(0 ≤ i < 4, 0 ≤ j < Nb)

a0,0 a0,1 a0,2 a0,3 a1,0 a1,1 a1,2 a1,3 a2,0 a2,1 a2,2 a2,3 a3,0 a3,1 a3,2 a3,3 = p0 p4 p8 p12 p1 p5 p9 p13 p2 p6 p10 p14 p3 p7 p11 p15

◮ state → ciphertext block: ci = a i mod 4,i div 4

(0 ≤ i < 4Nb) (mod rest, div integer division, e.g., 7 div 3 = 2)

◮ After decryption: pi = a i mod 4,i div 4

(0 ≤ i < 4Nb)

6 / 23

The Key and its Data Structures

◮ Key: sequence of bytes (length varies!)

z0z1z2 · · · z4Nk−1 where Nk is key length / 32

◮ Key array: matrix of 4 rows and Nk columns ◮ key → key array: ki,j = zi+4j

(0 ≤ i < 4, 0 ≤ j < Nk)

◮ Key array K for Nk = 6

k0,0 k0,1 k0,2 k0,3 k0,4 k0,5 k1,0 k1,1 k1,2 k1,3 k1,4 k1,5 k2,0 k2,1 k2,2 k2,3 k2,4 k2,5 k3,0 k3,1 k3,2 k3,3 k3,4 k3,5 = z0 z4 z8 z12 z16 z20 z1 z5 z9 z13 z17 z21 z2 z6 z10 z14 z18 z22 z3 z7 z11 z15 z19 z23

7 / 23

Overall Structure

◮ Rijndael is a key-iterated block cipher ◮ Apply round transformation to the state

Algorithm 1: Rijndael(State, CipherKey)

begin KeyExpansion(CipherKey, ExpandedK); /* ExpandedK[0 ], ..., ExpandedK[Nr ]: round keys */ AddRoundKey(State, ExpandedK[0 ]); for i=1 to Nr-1 step 1 do Round(State, ExpandedK[i ]); FinalRound(State, ExpandedK[Nr ]); end

8 / 23

Overall Description of Round and FinalRound

Algorithm 2: Round(State, ExpandedK[ i ])

; /* has to be invertible */ begin Subbytes(State); ShiftRows(State); MixColumns(State); AddRoundKey(State,ExpandedK[i ]); end

Algorithm 3: FinalRound(State, ExpandedK[ Nr ])

; /* has to be invertible */ begin Subbytes(State); ShiftRows(State); ; /* No MixColumns */ AddRoundKey(State,ExpandedK[Nr ]); end

9 / 23

Description of the Steps of a Round

◮ SubBytes: Non-linear operation (using an S-Box) for

resistance to differential and linear attacks

◮ ShiftRows: Linear transformation causes diffusion of the

bits over multiple rounds (for resistance to differential and linear attacks)

◮ MixColumns: Similar purpose and effects as ShiftRows ◮ AddRoundKey: XOR the round key with the currently

processed state (resulting from the transformations above)

10/ 23

SubBytes

◮ Maps each byte in the state to S-Box(byte): bi,j = S(ai,j) ◮ S-Box: This is the only non-linear function in the round ◮ S-Box operation is invertible ◮ S-Box properties crucial for security (as in DES) ◮ S-Box is described as an “algebraic operation”

but implemented as a look-up table (very fast)

11/ 23

The (Only) S-Box of AES

◮ ai,j = 8b → bi,j = 3d with the following S-Box of AES

1 2 3 4 5 6 7 8 9 a b c d e f 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 3 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 4 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 5 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

12/ 23

The Algebraic Basics of the S-Box: The Preparation

◮ Represent a byte as a polynomial with coefficients in GF(2)

b7b6 · · · b1b0 → b7 · x7 + b6 · x6 + · · · + b1 · x + b0

◮ Use the following irreducible polynomial of degree 8 for

reduction m(x) = x8 + x4 + x3 + x + 1

◮ Then GF(2)[x]/(m(x)) is a finite field of order 28 as expected ◮ We need the concept of an affine translation:

It is an array-vector product + a translation vector

◮ Recall: Multiplicative inverses can be computed with the

extended Euclidean algortithm

13/ 23

The Algebraic Basics of the S-Box

◮ S-Box constructed by composing two transformations:

• 1. Take y = g(x) defined as follows:

y =

• 0016

if x = 0016, x−1 (the multiplicative inverse) otherwise.

• 2. Apply the affine transformation (AT) z = f(y) (over GF(2))

zi = yi ⊕ yi+4 mod 8 ⊕ yi+5 mod 8 ⊕ yi+6 mod 8 ⊕ yi+7 mod 8 ⊕ ci (⊕ denotes exclusive or and corresponds to addition in Z2)

◮ xi, yi, zi is the ith bit of the byte x, y, z ◮ ci is the ith bit of a byte c with value 6316 or 01100011 ◮ We will compute some entries of the S-box in the exercises

14/ 23

The Affine Translation in Matrix Notation

            z7 z6 z5 z4 z3 z2 z1 z0             =             1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1             ·             y7 y6 y5 y4 y3 y2 y1 y0             ⊕             1 1 1 1            

15/ 23

ShiftRows

◮ Rotation of rows: row i is rotated by Ci positions (0 ≤ i < 4) ◮ Ci depend on Nb, e.g.: (C0, . . . , C3) = (0, 1, 2, 3) for

Nb = 4, 5, 6 (for Rijndael Nb = 4, 5, 6, 7, 8, for AES Nb = 4)

◮ Example for Nb = 4: ◮ Value of ai,j moves to position (i, (j − Ci) mod Nb)

Exa: (1, 0) → (1, (0 − 1) mod 4) = (1, 3) since −1 = −1 · 4 + 3

16/ 23

MixColumns

◮ It is a bricklayer function, i.e.,

it can be decomposed into a number of Boolean functions

• perating independently on subsets of bits of the input

◮ View (4 byte) column of state as a polynomial over GF(28)

➥ Such polynomials a(x) have degree less than 4 and

coefficients between 0 and 255

◮ l(x) = x4 + 1 used as reduction polynomial in multiplications ◮ l(x) reducible over GF(28) since x4 + 1 = (x + 1)4

➥ Not all a(x) have inverses (a(x) has one if l(x) does not

divide it)

17/ 23

MixColumns (cont’d)

◮ Multiply modulo l(x) each a(x) with a fixed polynomial c(x) ◮ Fixed polynomial c(x) = 03 · x3 + 01 · x2 + 01 · x + 02

➥ c(x) is invertible because c(x) coprime to l(x)

◮ b(x) = (c(x) · a(x)) mod l(x)

18/ 23

MixColumns (cont’d)

◮ b(x) = (c(x) · a(x)) mod l(x) ◮ Computation (performed in the exercise part) and fixing the

coefficients yield:     b0 b1 b2 b3     =     02 03 01 01 01 02 03 01 01 01 02 03 03 01 01 02     ·     a0 a1 a2 a3    

◮ Efficient implementations for this matrix multiplication

available (coefficients have been chosen carefully!)

19/ 23

AddRoundKey

◮ For any round: RK is generated from the (expanded) key ◮ Take RK (same size as state) and XOR bitwisely with the

state

20/ 23

Key Expansion

◮ Key expansion differs for Nk ≤ 6 and Nk > 6 (here Nk ≤ 6) ◮ The key is already in the key array K ◮ Needed: expanded key array W for all round keys:

W[4][Nb(Nr + 1)] is this data structure

◮ RK for i th round in columns Nb · i to Nb · (i + 1) − 1 of W ◮ Expand the key array: key array → expanded key array

Fill first Nk cols with cipher key from the key array (first for loop)

◮ Then compute the other round keys recursively using

round constants (RC) in GF(28) (indep. from Nk):

RC[1] = x0 = 01 RC[2] = x1 = 02 RC[j] = x·RC[j−1] for j > 2

21/ 23

Key Expansion: The Pseudecode for Nk ≤ 6

Algorithm 4: KeyExpansion(byte K[ 4 ][ Nk ], byte W[ 4 ][ Nb(Nr + 1) ])

for j = 0 to Nk-1 step 1 do for i = 0 to 3 step 1 do W[ i ][ j ] = K[ i ][ j ]; for j = Nk to Nb · (NR + 1) − 1 step 1 do if j mod Nk == 0 then W[ 0 ][ j ] = W[ 0 ][ j − Nk ] ⊕ S(W[ 1 ][ j − 1 ]) ⊕ RC[ j/Nk ]; for i = 1 to 3 step 1 do W[ i ][ j ] = W[ i ][ j − Nk ] ⊕ S(W[ i + 1 mod 4 ][ j − 1 ]); else for i = 0 to 3 step 1 do W[ i ][ j ] = W[ i][ j − Nk ] ⊕ W[ i ][ j − 1 ];

◮ S(·) denotes the application of the S-box

22/ 23

An Example Illustrating Key Expansion

◮ Given 128 bit key already in the extended key array:

W[·][0] = (2b 7e 15 16) W[·][1] = (28 ae d2 a6) W[·][2] = (ab f7 15 88) W[·][3] = (09 cf 4f 3c)

◮ Perform key expansion:

i j W[i][j] S(W[(i + 1) mod 4][j − 1]) W[i][j − 1] W[i][j − Nk] RC(j/Nk) 0 4 a0 8a 2b 01 1 4 fa 84 7e 01 2 4 fe eb 15 01 3 4 17 01 16 01 0 5 88 a0 28 1 5 54 fa ae 2 5 2c fe d2 3 5 b1 17 a6 . . . . . . . . . . . . . . . . . . . . .

◮ RK for round 1: (a0fafe17

88542cb1 23a33939 2a6c7605)

23/ 23