The Advanced Encryption Standard - see Susan Landaus paper: - PowerPoint PPT Presentation

The Advanced Encryption Standard - see Susan Landau’s paper: “Communications security for the twenty-first century: the advanced encryption standard.” In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS) began the process of choosing a replacement for DES, to be called the Advanced Encryption Standard (AES). At that time, triple-DES had become popular, but it was too slow and the 64-bit block length was too small. (Aside: recall that double-DES is not much harder to break by brute-force than DES using a “meet-in-the-middle” attack.)

AES Requirements The NIST solicited proposals from the international community. The requirements for the algorithms were as follows: • The algorithm must implement private-key cryptography. • The algorithm must be a block cipher. • The algorithm must work on 128-bit blocks and support 3 keys sizes: 128, 192, and 256 bits. • If selected, the algorithm should be available world-wide on a royalty-free basis.

AES Requirements Evaluation criteria would be: security, cost, and algorithm and implementation characteristics. Submissions were due on June 15, 1998. Of the 21 submissions, 15 fulfilled the AES criteria. In August 1999, the NIST chose the following 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish. All finalists were felt to be secure. On October 2, 2000, Rijndael was selected as the AES. You can find short descriptions of the 5 finalists in Landau’s paper, and judge for yourself…

Description of AES Recall that AES has block length 128, and three allowable key lengths: 128 bits, 192 bits, and 256 bits. AES is an iterated cipher. The number of rounds (N) depends on the key length: N = 10 for 128-bit keys, N = 12 for 192- bit keys, and N = 14 for 256-bit keys. Here is a high-level description of AES: 1. Perform operation AddRoundKey, which XORs the round key with the state. 2. For each of the N rounds: - perform operation ByteSub (a substitution using an S-box) - perform operation ShiftRow (a permutation) - perform operation MixColumn (unless it is the last round) - perform AddRoundKey.

Description of AES Recall that AES has block length 128, and three allowable key lengths: 128 bits, 192 bits, and 256 bits. AES is an iterated cipher. The number of rounds (N) depends on the key length: N = 10 for 128-bit keys, N = 12 for 192- bit keys, and N = 14 for 256-bit keys. Here is a high-level description of AES: 1. Perform operation AddRoundKey, which XORs the round key with the state. 2. For each of the N rounds: - perform operation ByteSub (a substitution using an S-box) - perform operation ShiftRow (a permutation) - perform operation MixColumn (unless it is the last round) - perform AddRoundKey.

State All operations in AES are byte-based. The state consists of 128 bits = 16 bytes, viewed as a 4x4 array of bytes. Initially, the 16 bytes of plaintext x 0 , … , x 15 are arranged as follows: x 0 x 4 x 8 x 12 x 1 x 5 x 9 x 13 x 2 x 6 x 10 x 14 x 3 x 7 x 11 x 15

ByteSub - operation performs a substitution on each byte - uses one S-box π S that maps bytes to bytes (see page 155) - represented as a 16 x 16 array: for hexadecimal digits X and Y, π S (XY) is at position (row X, column Y)

ByteSub - operation performs a substitution on each byte - uses one S-box π S that maps bytes to bytes (see page 155) - represented as a 16 x 16 array: for hexadecimal digits X and Y, π S (XY) is at position (row X, column Y) In contrast to the DES S-boxes, the AES S-box can be defined algebraically. It was designed for resistance against linear and differential cryptanalysis and it is invertible. The AES box incorporates operations in the finite field with 2 8 elements: GF(2 8 ) = Z 2 [X] (mod X 8 +X 4 +X 3 +X+1).

What ??? A field is a set containing elements 0 and 1, where 0  1, with two operations: multiplication and addition. Both operations are closed, commutative, and associative, and the distributive law holds. 0 is the additive identity, and 1 is the multiplicative identity. Every element has an additive inverse. Every non-zero element has a multiplicative inverse. Example fields ? For every prime power p k , there is exactly one field with p k elements. This field is called GF(p k ) (Galois field). We will now see how to construct these fields.

Polynomials Z 2 [X] is the set of all polynomials with coefficients in Z 2 . Examples: Can we add/subtract/multiply elements of Z 2 [X] ? Is there an additive identity ? Is there a multiplicative identity ? Can we divide with remainder ? Divide X 4 +X 3 +1 by X 2 +X+1, get quotient: and remainder:

Polynomials Can we divide with remainder ? Divide X 4 +X 3 +1 by X 2 +X+1, get quotient: and remainder:

Polynomials Z 2 [X] is the set of all polynomials with coefficients in Z 2 . Since X 4 +X 3 +1 divided by X 2 +X+1 equals X 2 +1 with remainder X, we can write X 4 +X 3 +1 ≡ X (mod X 2 +X+1). It turns out that Z 2 [X] (mod X 2 +X+1) is the finite field GF(4). The elements of the field are ____________________, and the operations are addition and multiplication modulo X 2 +X+1.

Irreducible Polynomials You cannot just use any polynomial to get a field; you must use an irreducible polynomial. A polynomial F(X) in Z 2 [X] is irreducible if it doesn’t factor into two polynomials of lower degree. Z 2 [X] (mod F(X)) is a field if and only if F(X) is irreducible.

Back to AES Recall ;-) GF(2 8 ) = Z 2 [X] (mod X 8 +X 4 +X 3 +X+1). Every byte corresponds to a field element and vice versa.

More about the S-box As mentioned previously, although the S-box is implemented as a lookup table (see Table 5.1), it has a simple mathematical description. View a byte as an element of GF(2 8 ). For example, view the byte 01010011 as the field element X 6 +X 4 +X+1. Now take the inverse of this field element in GF(2 8 ). In our example, this is X 7 +X 6 +X 3 +X. How would you compute the inverse?

More about the S-box Computing the inverse of X 6 +X 4 +X+1 mod X 8 +X 4 +X 3 +X+1:

More about the S-box S-box mapping of 01010011: - Compute the inverse of X 6 +X 4 +X+1, get X 7 +X 6 +X 3 +X. - View this element as a bit vector, with the right-most bit in the top position. In our example, we get the vector (0,1,0,1,0,0,1,1) T . - Multiply the matrix on page 157 by this vector, and add vector (1,1,0,0,0,1,1,0) T . - View the resulting vector as a byte (taking the top bit to be the rightmost bit). This is the output of the S-box. In our example, the output is 11101101, which we can verify with the S-box table.

More about the S-box S-box mapping of 01010011: - Compute the inverse of X 6 +X 4 +X+1, get X 7 +X 6 +X 3 +X. - View this element as a bit vector, with the right-most bit in the top position. In our example, we get the vector (0,1,0,1,0,0,1,1) T . - Multiply the matrix on page 157 by this vector, and add vector (1,1,0,0,0,1,1,0) T . - View the resulting vector as a byte (taking the top bit to be the rightmost bit). This is the output of the S-box. In our example, the output is 11101101, which we can verify with the S-box table.

More about the S-box Why? - Inverse to achieve non-linearity - Perhaps inverse is simple to attack, let’s obfuscate it more: - Multiply by a matrix and add a vector - Matrix choice: simple, full rank - Vector choice: so that no S-box input maps to itself

ShiftRow, MixColumn, Key Schedule The operation ShiftRow cyclically shifts the elements of the i-th row i elements to the left. The operation MixColumn replaces each column of the state by a new column. This operation uses polynomials over GF(2 8 ). Key Schedule The book describes the key schedule for 10-round AES, which uses a 128-bit key. We need 11 round keys, each of which consists of 16 bytes. The key schedule is word oriented. The concatenation of the 11 round keys is called the expanded key, and consists of 44 words. You can find the exact algorithm on page 156/157.

ShiftRow, MixColumn, Key Schedule The operation ShiftRow cyclically shifts the elements of the i-th row i elements to the left. After ByteSub, have: After ShiftRow, have:

ShiftRow, MixColumn, Key Schedule The operation MixColumn replaces each column of the state by a new column. This operation uses polynomials over GF(2 8 ).

Key Schedule 10-round AES: - 128-bit key, arranged it into 4x4 matrix of bytes - let W(0), W(1), W(2), W(3) be the columns - generate more columns: W(i) = W(i-4) ⊕ W(i-1) if i not divisible by 4 W(i) = W(i-4) ⊕ T(W(i-1)) otherwise, where T(W(i-1)) = (e ⊕ r(i),f,g,h) T , where W(i-1) = (a,b,c,d) T , e,f,g,h are the S-box values for b,c,d,a, and r(i) = 00000010 (i-4)/4 in GF(2 8 ) - Round key for the i-th round: W(4i),W(4i+1), W(4i+2), W(4i+3)

Design Considerations - not a Feistel cipher: diffuses bits faster (every bit treated the same, no left/half portion of bits) - S-box: - algebraic construction to avoid suspicion of trapdoors - resistant to differential and linear cryptanalysis - ShiftRow: to resist two recent attacks: truncated differentials and the Square attack - MixColumn: diffusion - Key schedule: - nonlinear mixing of key bits (using the S-box) to avoid learning some key bits and proceeding to uncover more - distinct keys -> very distinct round keys - round constants to eliminate symmetries - Rounds: exist attacks better than brute force for up to 6 rounds; four extra rounds provide good safety margin