The Advanced Encryption Standard (AES)

Transcription

1 The Advanced Encryption Standard (AES)

2 Conception - Why A New Cipher?

3 Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow in software implementations

4 Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow in software implementations NIST wanted increased trust in cipher Previous processes very closed DES suspected of having 'back doors'

5 Conception - The Process January 2, NIST announces need for DES successor Asks for input from interested parties

6 Conception - The Process January 2, NIST announces need for DES successor Asks for input from interested parties September 12, Call for new algorithms

7 Conception - The Process January 2, NIST announces need for DES successor Asks for input from interested parties September 12, Call for new algorithms Requirements Publicly defined, publicly available Variable-length key, symmetric block cipher Implemented in both Hardware and Software

8 Conception - The Process January 2, NIST announces need for DES successor Asks for input from interested parties September 12, Call for new algorithms Requirements Publicly defined, publicly available Variable-length key, symmetric block cipher Implemented in both Hardware and Software Judgement Criteria Security Computational Efficiency, Memory Requirements Hardware/Software suitability Simplicity, Flexibility Licensing requirements

9 Conception - The Process 15 Ciphers submitted 5 Finalists MARS - IBM RC6 - RSA Laboratories Rijndael - Daemon and Rijment Serpent - Anderson, Biham, Knudsen Twofish - Schneier, Kelsey, Whiting, (and others) Final winner: Rijndael

10 The Cipher

11 The Cipher - Background Math The Mathematics needed to understand AES look and sound very complicated - Don't worry, they aren't. Fields Real Numbers and Rational numbers are fields Set of values such that addition, subtraction, multiplication, division can be applied to values in it Other fields exist, and can be defined Finite Fields A field, with a finite number of elements (unlike Real #s) Modular Arithmetic 9 Ξ 14 Ξ 24 Ξ 4 (mod 5) Works on integers, but also works on other groups and fields

12 The Cipher - Background Math Rijndael's Finite Field a 'characteristic 2 finite field with 8 terms' (strings of 8 bits) The Galois field GF(2 8 ) Addition done with XOR operator Uses the reducing polynomial x 8 + x 4 + x 3 + x + 1 for multiplication (an irreducible polynomial in GF(2 8 ))

13 The Cipher - Background Math A Higher Level Finite Field: Polynomials with Coefficients in GF(2 8 ) a(x) = a 3 x 3 + a 2 x 2 + a 1 x + a 0 Each of a i are bytes, elements of GF(2 8 ) Addition: a(x) + b(x) = (a 3 b 3 )x 3 + (a 2 b 2 )x 2 + (a 1 b 1 )x + (a 0 b 0 ) Multiplication: Same as multiplying two polynomials We reduce to degree 4 by using mod x 4 +1 For fixed polynomial, multiplication can turn into Matrix- Vector multiplication

14 The Cipher That's it. That's all the Math you need to know. You made it.

15 The Cipher

16 The Cipher - SubBytes AES's single S-Box Does a non-linear substitution which is invertible For Each Byte of Input, {XY} 1. Let {AB} := the multiplicative inverse of {XY} in GF(2 8 ) 2. Let {XY}' := An affine transform of {AB}

17 The Cipher - SubBytes {A8} => {C2}, {21} => {FD}, {27} => {CC}, {CF} => {8A}

18 The Cipher - ShiftRows Cyclical Shift of the rows of the state

19 The Cipher - MixColumns Treats each column as a four-term polynomial Apply a polynomial to each column, returning a new polynomial a(x) = {03}x 3 + {01}x 2 + {01}x + {02}

20 The Cipher - AddRoundKey The Key Expansion takes a Cipher Key K and makes 4*NR 32-bit words, where NR = Number of Rounds AddRoundKey takes the state, (4 words), and the next 4 Round Keys, and returns a new state For each column, return Col Key l+i, l = Round#, i = column#

21 The Cipher - Key Expansion Given the initial key (size 128, 196 or 256), and the number of rounds Nr, will generate 4*(Nr+1) 32-bit words Uses SubWord function (which applies SubByte to 4 bytes) Uses RotWord function (permutes a set of 4 words) First 4-8 Round Keys are cipher key Later keys are generated based on those, using given functions

22 The Cipher - Inversion Each sub-function of the Cipher is invertible SubBytes: Reverse the Affine Cipher, then find the Inverse of the result ShiftRows: Shift the rows by reverse amounts MixColumns: Apply the inverse matrix to each column AddRoundKey: Use AddRoundKey again with same key

23 The Cipher

24 Example Encryption For Simplicity's sake, we will do AES with 1-round Block: f44 7a7d 337d C 5dae 2763 Key: 2b7e ae d2a6 abf cf 4f3c Key Schedule: 2b7e aed2a6 abf cf4f3c a0fafe cb1 23a a6c7605 f2c295f2 7a96b a 7359f67f

25 Example Encryption Initial State: {4422 6f44 7a7d 337d C 5dae 2763} For Initial Round: AddRoundKey:

26 Example Encryption For our 1 round (typically, 10+ rounds): SubByes: ShiftRows: MixColums: AddRoundKey:

27 Example Encryption For Final Round: SubByes: ShiftRows: (Skip MixColumns) AddRoundKey: Final Output: {DFFD 649C 65A2 C8A2 66B1 8B18 184A 6FBB}

28 Security of AES "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." -Bruce Schneier Some related-key attacks on 192-bit, 256-bit versions, and on reduced-round versions The attacks are better than exhaustive search, but are still entirely infeasible for real world applications 256-bit version in time, 196-bit version in time Related key attacks require the attacker to know how plaintext is encrypted with more than 1 key Even the best mathematical attacks are still not usable on AES-128, or AES-196, AES-256 with full rounds

29 Security of AES Certain Side-channel attacks exist for specific implementations of AES These do not exploit the actual cryptography of the cipher, but instead attack how specific versions are implemented Ex: Using Timing Attacks to guess SSL Keys Usually, these attacks require the ability to run code on the victim machine Very strong features built in to avoid DES-style attacks Use of finite field inversion in the S-Box construction helps make Linear and Differential attacks difficult MixColumns helps ensure that there are no "narrow" paths using only a few S-Boxes, again preventing Linear and Differential attacks

30 References 1. Federal Information Processing Standards Publication 197, November 26, Advanced Encryption Standard 2. "AES Announced", Bruce Schneier, Crypto-Gram Newsletter, Oct 15, "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", Biryukov, Dunkelman, Keller, Khovratovich, Shamir. Cryptology eprint Archive: Report 2009/374, 4. "Cache-timing attacks on AES", Daniel Bernstein, University of Illinois at Chicago pdf 5. Stinson, Douglas. Cryptography, Theory and Practice. 3rd ed. Boca Raton, FL, Chapman & Hall/CRC, 2006.