ADVANCED ENCRYPTION STANDARD (AES)

Transcription

1 ADVANCED ENCRYPTION STANDARD (AES) Tran Song Dat Phuc Department of Computer Science and Engineering Seoul National University of Science and Technology

2 Outline AES History AES Operations Advanced Encryption Standard (AES) AES Implementation Security of AES Summary

3 AES History: - A replacement of DES was needed -> key size to small - Triple-DES is a solution, but slow and small block - AES Competition started in 1997 by NIST:. Single block cipher. Available royalty-free worldwide. Have a public and flexible design. 128-bits block data. 128/192/256-bits key (based on round numbers)

4 AES - Rijndael design was selected as AES Cipher in Design by Vincent Rijmen and Joan Daemen. Issued as FIPS PUB 197 standard in Simplicity. Support 128-bits block, 128/192/256-bits key. Resistant against known attack. Speed and code compactness on many CPU s

5 AES Operations In AES, all operations are performed on 8-bit bytes, so it operates on the finite field GF(2 8 ), which can be presented as a polynomial b(x) with binary coefficient b {0,1}: b 7 x 7 + b 6 x 6 + b 5 x 5 + b 4 x 4 + b 3 x 3 + b 2 x 2 + b 1 x + b 0 Addition of two bytes in AES is defined as the bitwise XOR operation.

6 AES Operations Multiplication in AES is defined as multiplication in the finite field GF(2 8 ) of with the irreducible polynomial of degree 8. AES irreducible polynomial: m(x) = x 8 + x 4 + x 3 + x + 1

7 AES (Advance Encryption Standard) AES is a symmetric block cipher. - The same key is used to encrypt and decrypt the message (128/192/256-bits key) - The plaintext and cipher-text are the same size (128-bits block)

8 AES Block AES has a block size of 128-bits(16bytes) called state

9 AES Key

10 AES Key

11 AES Multiple Rounds First and last round are different

12 AES Round Stage

13 AES Structure

14 AES Encryption With 128-bits (16bytes), AES views data block as 4-by-4 table of bytes.

15 AddRoundKey Transformation At each round, the state array is combined with a similarly sized array of subkey material.

16 AddRoundKey Transformation

17 Key Expansion Use to create round key for each round. If the number of round is, the key-expansion creates N r bit round keys from one single 128-bit cipher key. The key expansion creates round keys word by word, where a word is an array of four bytes (4 x N r +1) w 0, w 1, w 2,, w 4(Nr +1) - 1 with 128-bits key (10 rounds, 44 words, ), 192-bits key (12 rounds, 52 words) and 256-bits key (14 rounds, 60 words).

18 Key Expansion Round Words Pre-round w 0 w 1 w 2 w 3 1 w 4 w 5 w 6 w 7 2 w 8 w 9 w 10 w 11 N r w 4Nr w 4Nr+1 w 4Nr+2 w 4Nr+3

19 Key Expansion

20 Key Expansion

21 Key Expansion RCon Constants Round Constant ( RCon ) 1 ( ) 16 2 ( ) 16 3 ( ) 16 4 ( ) 16 5 ( ) 16 6 ( ) 16 7 ( ) 16 8 ( ) 16 9 (1B ) ( ) 16

22 Key Expansion

23 Key Expansion Round Value of t First word Second word Third word Fourth word W 00 = 2475A2B3 W 01 = W 02 = 31E21200 W 03 = 13AA AD20177D W 04 = 8955B5CE W 05 = BD20E346 W 06 = 8CC2F146 W 07 = 9F68A5C DB W 08 = CE53CD15 W 09 = 73732E53 W 10 = FFB1DF15 W 11 = 60D97AD4 9 0A5E4F61 W 36 = E43FE3BF W 37 = 0EC1FCF4 W 38 = 21A35A12 W 39 = F940C FC6CD99 W 40 = DBF92E26 W 041 = D538D2D2 W 42 = F49B88C0 W 43 = 0DDB4F40

24 Key Expansion

25 SubBytes Transformation Each byte of the array transformed by the S-box, provide confusion for cipher. This takes 8-bits input and returns 8-bits output. Only one S-box(16x16 bytes) is used throughout AES cipher, contains a permutation of all bits values.

26 SubBytes Transformation

27 SubBytes Transformation SubBytes Transformation using the S-Boxes Table : State AddRoundKey

28 SubBytes Transformation SubBytes Transformation using the GF(2 8 ) Field : - AES defines the transformation algebraically using the GF(2 8 ) field with the irreducible polynomials : (x 8 + x 4 + x 3 + x + 1) as the modulus. - The multiplicative inverse of byte (as an 8-bit binary string) is found in GF(2 8 ). - The inverted byte is interpreted as a column matrix with the least bit at the top and the most bit at the bottom. - This column matrix is multiplied by a constant square matrix, X, and the result is added with a constant column matrix, Y, to give a new byte.

29 SubBytes Transformation SubBytes Process

30 SubBytes Transformation Ex: with byte 53 is transformed by SubBytes routine - 53 in binary is , can be denoted in the finite field GF(2 8 ) as polynomial : x 6 + x 4 + x Multiplicative inverse of a byte in GF(2 8 ) with polynomial : x 8 + x 4 + x 3 + x + 1 as modulus - Multiplicative inverse algorithm: remainder[1] := f(x) auxiliary[1] := 0 remainder[2] := a(x) auxiliary[2] := 1 i := 2 while remainder[i] > 1 i := i + 1 remainder[i] := remainder(remainder[i-2] / remainder[i-1]) quotient[i] := quotient(remainder[i-2] / remainder[i-1]) auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2] inverse := auxiliary[i]

31 SubBytes Transformation i Remainder[i] Quotient[i] Auxiliary[i] 1 x 8 + x 4 + x 3 + x x 6 + x 4 + x x 2 x x x + 1 x 4 + x 2 x 6 + x 4 + x 4 + x x + 1 x 7 + x 6 + x 3 + x 2 + x 2 + x x The multiplicative inverse of byte 53 is CA. x 7 + x 6 + x 3 + x = (CA in Hex)

32 SubBytes Transformation - Multiply the inverted byte with the matrix X. - An easier way to view the matrix multiplication is as polynomial multiplication. Row 1 = = N 0 + N 4 + N 5 + N 6 + N = 0 Row 2 = = N 0 + N 1 + N 5 + N 6 + N = 1 Row 3 = = N 0 + N 1 + N 2 + N 6 + N = 1 Row 4 = = N 0 + N 1 + N 2 + N 3 + N = 1 Row 5 = = N 0 + N 1 + N 2 + N 3 + N = 0 Row 6 = = N 1 + N 2 + N 3 + N 4 + N = 0 Row 7 = = N 2 + N 3 + N 4 + N 5 + N = 0 Row 8 = = N 3 + N 4 + N 5 + N 6 + N = 1 - The result of multiplication is the vector :

33 SubBytes Transformation

34 ShiftRows Transformation

35 ShiftRows Transformation Before After

36 MixColumns Transformation ShiftRows and MixColumns provide confusion for cipher. Each column of the array is mixed together. Each byte is replaced by a value dependent on all 4 bytes of column.

37 MixColumns Transformation

38 MixColumns Transformation

39 MixColumns Transformation

40 MixColumns Transformation

41 MixColumns Transformation. {02. 63} : 02 = (in Binary), be denoted in GF(2 8 ) as the polynomial : x 63 = (in Binary), in GF(2 8 ) as the polynomial : x 6 + x 5 + x + 1 {02. 63} = x(x 6 + x 5 + x + 1) = x 7 + x 6 + x 2 + x. {03. F2} : 03 = = x + 1 F2 = = x 7 + x 6 + x 5 + x 4 + x {03. F2} = (x + 1)(x 7 + x 6 + x 5 + x 4 + x) = x 8 + x 7 + x 6 + x 5 + x 2 + x 7 + x 6 + x 5 + x 4 + x = (x 8 + x 4 + x 2 + x) mod (x 8 + x 4 + x 3 + x + 1)

42 MixColumns Transformation x 8 + x 4 + x 2 + x x 8 + x 4 + x 3 + x + 1 x 8 + x 4 + x 3 + x x 3 + x {03. F2} = x 3 + x {01. 7D} = x 6 + x 5 + x 4 + x 3 + x {01. D4} = x 7 + x 6 + x 4 + x 2. P 0 = {02. 63} + {03. F2} + {01. 7D} + {01. D4} = x 7 + x 6 + x 2 + x + x 3 + x x 6 + x 5 + x 4 + x 3 + x x 7 + x 6 + x 4 + x 2 = x 6 + x 5 + x = = 62 (in Hex)

43 MixColumns Transformation

44 MixColumns Transformation

45 MixColumns Transformation

46 MixColumns Transformation

47 Decryption with AES Decryption do operations similar to encryption process, in reverse order. Use InvSubBytes, InvShiftRows, InvMixColumns replace to SubBytes, ShiftRows and MixColumns.

48 Decryption with AES S-box S -1 [.] of InvSubBytes.

49 Decryption with AES InvSubBytes Process

50 Decryption with AES Matrix M -1 of InvMixColumns. M -1 = 0E 0B 0D E 0B 0D 0D 09 0E 0B 0B 0D 09 0E

51 AES Implementation

52 AES Implementation

53 AES Implementation The Avalanche Effect: - A change in one bit of either the plaintext or the key should produce a change in many bits of the ciphertext.

54 AES Implementation

55 AES Implementation

56 AES Security AES was designed after DES. Most of the known attacks on DES were already tested on AES. Brute-Force Attack: - AES is definitely more secure than DES due to the larger-size key. Statistical Attacks: - Numerous tests have failed to do statistical analysis of the cipher-text. Differential and Linear Attacks: - There are no differential and linear attacks on AES as yet.

57 AES Security Differential Cryptanalysis: - Study of how differences in input affect differences in output. - Can greatly reduced due to high number of rounds. Linear Cryptanalysis: - Study of correlations between input and output. - S-Box and MixColumns are designed to frustrate Linear Analysis.

58 Summary The Advanced Encryption Standard (AES) is a symmetric-key block cipher published in AES was given to improve DES weaknesses as well as create stronger block cipher design. AES uses 128-bits length as input, with 128, 192, 256-bits key size to produce 128-bits output. AES showed its advantage to secure against most known attacks (brute-force, statistical, differential and linear cryptanalysis).