The Advanced Encryption Standard (see Susan Landau's paper) - PowerPoint PPT Presentation

SLIDE 1

The Advanced Encryption Standard

  • See Susan Landau's paper: "Communications security for the twenty-first century: the advanced encryption standard."

In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS) began the process of choosing a replacement for DES, to be called the Advanced Encryption Standard (AES). At that time, triple-DES had become popular, but it was too slow and the 64-bit block length was too small. (Aside: recall that double-DES is not much harder to break by brute force than DES, using a "meet-in-the-middle" attack.)

SLIDE 2

AES Requirements

The NIST solicited proposals from the international community. The requirements for the algorithms were as follows:

  • The algorithm must implement private-key cryptography.
  • The algorithm must be a block cipher.
  • The algorithm must work on 128-bit blocks and support 3 key sizes: 128, 192, and 256 bits.
  • If selected, the algorithm should be available world-wide on a royalty-free basis.

SLIDE 3

AES Requirements

Evaluation criteria would be: security, cost, and algorithm and implementation characteristics. Submissions were due on June 15, 1998. Of the 21 submissions, 15 fulfilled the AES criteria. In August 1999, the NIST chose the following 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish. All finalists were felt to be secure. On October 2, 2000, Rijndael was selected as the AES. You can find short descriptions of the 5 finalists in Landau’s paper, and judge for yourself…

SLIDE 4

Description of AES

Recall that AES has block length 128, and three allowable key lengths: 128 bits, 192 bits, and 256 bits. AES is an iterated cipher. The number of rounds (N) depends on the key length: N = 10 for 128-bit keys, N = 12 for 192-bit keys, and N = 14 for 256-bit keys. Here is a high-level description of AES:

  1. Perform operation AddRoundKey, which XORs the round key with the state.
  2. For each of the N rounds:
     • perform operation ByteSub (a substitution using an S-box)
     • perform operation ShiftRow (a permutation)
     • perform operation MixColumn (unless it is the last round)
     • perform AddRoundKey.

SLIDE 6

State

All operations in AES are byte-based. The state consists of 128 bits = 16 bytes, viewed as a 4x4 array of bytes. Initially, the 16 bytes of plaintext x0, … , x15 are arranged as follows:

x15 x11 x7  x3
x14 x10 x6  x2
x13 x9  x5  x1
x12 x8  x4  x0

SLIDE 7

ByteSub

  • the operation performs a substitution on each byte
  • it uses one S-box πS that maps bytes to bytes (see page 155)
  • πS is represented as a 16 x 16 array: for hexadecimal digits X and Y, πS(XY) is at position (row X, column Y)

SLIDE 8

ByteSub

In contrast to the DES S-boxes, the AES S-box can be defined algebraically. It was designed for resistance against linear and differential cryptanalysis, and it is invertible. The AES S-box incorporates operations in the finite field with 2^8 elements: GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1).

SLIDE 9

What ???

A field is a set containing elements 0 and 1, where 0 ≠ 1, with two operations: multiplication and addition. Both operations are closed, commutative, and associative, and the distributive law holds. 0 is the additive identity, and 1 is the multiplicative identity. Every element has an additive inverse. Every non-zero element has a multiplicative inverse. Example fields? For every prime power p^k, there is exactly one field with p^k elements. This field is called GF(p^k) (Galois field). We will now see how to construct these fields.

SLIDE 10

Polynomials

Z2[X] is the set of all polynomials with coefficients in Z2. Examples:

Can we add/subtract/multiply elements of Z2[X]?
Is there an additive identity?
Is there a multiplicative identity?
Can we divide with remainder?
Divide X^4+X^3+1 by X^2+X+1, get quotient: and remainder:


SLIDE 12

Polynomials

Z2[X] is the set of all polynomials with coefficients in Z2. Since X^4+X^3+1 divided by X^2+X+1 equals X^2+1 with remainder X, we can write X^4+X^3+1 ≡ X (mod X^2+X+1). It turns out that Z2[X] (mod X^2+X+1) is the finite field GF(4). The elements of the field are ____________________, and the operations are addition and multiplication modulo X^2+X+1.

SLIDE 13

Irreducible Polynomials

You cannot just use any polynomial to get a field; you must use an irreducible polynomial. A polynomial F(X) in Z2[X] is irreducible if it doesn’t factor into two polynomials of lower degree. Z2[X] (mod F(X)) is a field if and only if F(X) is irreducible.
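As an added example (not part of the slides or the textbook), here is the Z2[X] arithmetic of slides 10 to 13 in Python: a polynomial is stored as an integer whose bit k is the coefficient of X^k, and the functions carry out the division of X^4+X^3+1 by X^2+X+1, enumerate the multiplicative inverses in Z2[X] mod X^2+X+1, and test irreducibility by trial division (also for the AES polynomial of slide 14). All function names are my own.

```python
# Added example, not from the slides: Z2[X] arithmetic with a polynomial stored as an
# int whose bit k is the coefficient of X^k, so X^4+X^3+1 is 0b11001 and X^2+X+1 is 0b111.
def poly_str(p: int) -> str:
    """Render a bit-polynomial the way the slides write it, e.g. 'X^2+X+1'."""
    if p == 0:
        return "0"
    terms = ["1" if k == 0 else "X" if k == 1 else f"X^{k}"
             for k in range(p.bit_length() - 1, -1, -1) if (p >> k) & 1]
    return "+".join(terms)

def poly_divmod(a: int, m: int) -> tuple[int, int]:
    """Long division in Z2[X]; subtracting a multiple of m is XOR, so there are no carries."""
    q = 0
    while a and a.bit_length() >= m.bit_length():
        shift = a.bit_length() - m.bit_length()   # degree difference
        q ^= 1 << shift                             # next quotient term X^shift
        a ^= m << shift                             # cancel the leading term of a
    return q, a                                     # (quotient, remainder)

def poly_mulmod(a: int, b: int, m: int) -> int:
    """Carry-less multiplication in Z2[X], then reduction modulo m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return poly_divmod(r, m)[1]

def is_irreducible(f: int) -> bool:
    """Slide 13's test by trial division: no polynomial of degree 1..deg(f)/2 divides f."""
    deg = f.bit_length() - 1
    return deg >= 1 and all(poly_divmod(f, g)[1] != 0
                            for g in range(2, 1 << (deg // 2 + 1)))

def inverses_mod(m: int) -> dict[int, int]:
    """Multiplicative inverse of each nonzero residue mod m, found by exhaustive search.
    Every nonzero residue has one exactly when m is irreducible (the quotient is a field)."""
    n = 1 << (m.bit_length() - 1)                   # number of residues: 2^deg(m)
    return {a: b for a in range(1, n) for b in range(1, n) if poly_mulmod(a, b, m) == 1}

if __name__ == "__main__":
    q, r = poly_divmod(0b11001, 0b111)
    print(f"quotient {poly_str(q)}, remainder {poly_str(r)}")      # X^2+1, X
    print("GF(4) inverses:", {poly_str(a): poly_str(b) for a, b in inverses_mod(0b111).items()})
    print("X^2+1 irreducible?", is_irreducible(0b101))              # False: (X+1)^2
    print("AES polynomial irreducible?", is_irreducible(0b100011011))  # True
```

Running inverses_mod with the reducible modulus X^2+1 shows that X+1 gets no inverse, which is why slide 13 insists on an irreducible polynomial.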

SLIDE 14

Back to AES

Recall ;-) GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1). Every byte corresponds to a field element and vice versa.

SLIDE 15

More about the S-box

As mentioned previously, although the S-box is implemented as a lookup table (see Table 5.1), it has a simple mathematical description. View a byte as an element of GF(2^8). For example, view the byte 01010011 as the field element X^6+X^4+X+1. Now take the inverse of this field element in GF(2^8). In our example, this is X^7+X^6+X^3+X. How would you compute the inverse?

SLIDE 16

More about the S-box

Computing the inverse of X^6+X^4+X+1 mod X^8+X^4+X^3+X+1:

SLIDE 17

More about the S-box

S-box mapping of 01010011:

  • Compute the inverse of X^6+X^4+X+1, get X^7+X^6+X^3+X.
  • View this element as a bit vector, with the right-most bit in the top position. In our example, we get the vector (0,1,0,1,0,0,1,1)^T.
  • Multiply the matrix on page 157 by this vector, and add the vector (1,1,0,0,0,1,1,0)^T.
  • View the resulting vector as a byte (taking the top bit to be the rightmost bit). This is the output of the S-box. In our example, the output is 11101101, which we can verify with the S-box table.


SLIDE 19

More about the S-box

Why?

  • Inverse to achieve non-linearity
  • Perhaps the inverse alone is simple to attack; let's obfuscate it more:
     • multiply by a matrix and add a vector
     • matrix choice: simple, full rank
     • vector choice: so that no S-box input maps to itself

SLIDE 20

ShiftRow, MixColumn, Key Schedule

The operation ShiftRow cyclically shifts the elements of the i-th row i elements to the left. The operation MixColumn replaces each column of the state by a new column. This operation uses polynomials over GF(2^8).

Key Schedule

The book describes the key schedule for 10-round AES, which uses a 128-bit key. We need 11 round keys, each of which consists of 16 bytes. The key schedule is word-oriented. The concatenation of the 11 round keys is called the expanded key, and consists of 44 words. You can find the exact algorithm on pages 156/157.


SLIDE 23

Key Schedule

10-round AES:

  • 128-bit key, arranged into a 4x4 matrix of bytes
  • let W(0), W(1), W(2), W(3) be the columns
  • generate more columns:
      W(i) = W(i-4) ⊕ W(i-1) if i is not divisible by 4,
      W(i) = W(i-4) ⊕ T(W(i-1)) otherwise,
    where T(W(i-1)) = (e ⊕ r(i), f, g, h)^T, where W(i-1) = (a,b,c,d)^T, e,f,g,h are the S-box values for b,c,d,a, and r(i) = (00000010)^((i-4)/4) in GF(2^8)
  • Round key for the i-th round: W(4i), W(4i+1), W(4i+2), W(4i+3)
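The S-box construction of slides 15 to 19 and the 10-round key schedule of slide 23, as an added Python example that is not part of the slides or the textbook. In place of the "matrix on page 157" it uses the standard AES affine matrix (row i XORs bits i, i+4, i+5, i+6, i+7 of the inverse), and GF(2^8) multiplication reduces byte by byte as implementations do rather than by general polynomial division; function names are my own, and the checks use the slide's 01010011 -> 11101101 example together with the FIPS-197 Appendix A.1 key-expansion vector.

```python
# Added example, not from the slides: the AES S-box from its algebraic definition
# (inverse in GF(2^8), then affine map) and the 10-round key schedule W(i).
AES_POLY = 0x11B  # X^8+X^4+X^3+X+1; a byte is a polynomial over Z2 with bit k = coeff of X^k

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8): shift-and-add, reducing by AES_POLY whenever degree 8 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse as a^254 (the multiplicative group has 255 elements); 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def sbox(x: int) -> int:
    """pi_S(x) = M * inv(x) + c, with bit 0 as the top vector entry as on slide 17."""
    a = gf_inv(x)
    b = 0
    for i in range(8):          # row i of M has ones in columns i, i+4, i+5, i+6, i+7 (mod 8)
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (a >> ((i + k) % 8)) & 1
        b |= bit << i
    return b ^ 0x63             # c = (1,1,0,0,0,1,1,0)^T read with bit 0 on top = 0x63

def expand_key_128(key: bytes) -> list[bytes]:
    """W(0..43): W(i) = W(i-4) xor W(i-1), or xor T(W(i-1)) when 4 divides i."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = 0x01                 # r(i) = (00000010)^((i-4)/4): 1, X, X^2, ... in GF(2^8)
    for i in range(4, 44):
        prev = w[i - 1]
        if i % 4 == 0:
            a, b, c, d = prev   # T rotates to (b,c,d,a), applies the S-box, adds r(i) on top
            prev = bytes([sbox(b) ^ rcon, sbox(c), sbox(d), sbox(a)])
            rcon = gf_mul(rcon, 0x02)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], prev)))
    return w

if __name__ == "__main__":
    print(f"inv(0x53) = {gf_inv(0x53):08b}, S(0x53) = {sbox(0x53):08b}")  # 11001010, 11101101
```

The round key for round i is b"".join(w[4*i:4*i+4]); with the FIPS-197 A.1 key 2b7e151628aed2a6abf7158809cf4f3c, W(4) comes out as a0fafe17 and the round-10 key as d014f9a8c9ee2589e13f0cc8b6630ca6.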

SLIDE 24

Design Considerations

  • not a Feistel cipher: diffuses bits faster (every bit is treated the same; there are no left/right halves of bits)
  • S-box:
     • algebraic construction to avoid suspicion of trapdoors
     • resistant to differential and linear cryptanalysis
  • ShiftRow: to resist two recent attacks: truncated differentials and the Square attack
  • MixColumn: diffusion
  • Key schedule:
     • nonlinear mixing of key bits (using the S-box) to avoid learning some key bits and proceeding to uncover more
     • distinct keys -> very distinct round keys
     • round constants to eliminate symmetries
  • Rounds: attacks better than brute force exist for up to 6 rounds; four extra rounds provide a good safety margin