Advanced Encryption Standard. Z. Jerry Shi Department of Computer Science and Engineering University of Connecticut

Transcription

1 Advanced Encryption Standard Z. Jerry Shi Department of Computer Science and Engineering University of Connecticut February 2012

2 Classes of cryptographic algorithms Symmetric-key algorithms Use the same key for encryption and decryption Block ciphers Stream ciphers Public-key algorithms A pair of keys, one private and one public Hash algorithms Message digest Based on primitives, we build crypto-systems. Based on crypto-systems, we build protocols.

3 Confidentiality Symmetric-key ciphers Use same key for encryption and decryption Sometimes two keys are not identical, but trivially related Block ciphers Divide the message into blocks Stream ciphers Can do encryption/decryption bit by bit

4 Kerckhoffs' assumption The system must be practically, if not mathematically, indecipherable; It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience; Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents; It must be applicable to telegraphic correspondence; It must be portable, and its usage and function must not require the concourse of several people; Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

5 Block ciphers for confidentiality Plaintext Symmetrickey ciphers can protect sensitive... Encrypt Key Ciphertext A0TGQ841 L2ASDF7K LASDYLS DA0FL3 Internet Plaintext Ciphertext Symmetrickey ciphers can protect sensitive... Decrypt A0TGQ841 L2ASDF7K LASDYLS DA0FL3 Key e.g. DES, AES, RC6, MARS, Serpent, Two-fish, Kasumi, RC5, IDEA, etc.

6 Breaking a cipher Plaintext Symmetrickey ciphers can protect sensitive... Encrypt Ciphertext A0TGQ841 L2ASDF7K LASDYLS DA0FL3 Key Plaintext Symmetrickey ciphers can protect sensitive... Decrypt Ciphertext A0TGQ841 L2ASDF7K LASDYLS DA0FL3 Key? Brute-force: 2 n trials for n-bit key

7 Cryptanalysis Ciphertext-only attack Known-plaintext attack Chosen-plaintext attack Adaptiv-chosen-plaintext attack Chosen-ciphertext attack Chosen-key attack Rubber-hose cryptanalysis Purchase-key cryptanalysis

8 Breaking cipher Total break The key can be recovered Global deduction Another algorithm can generate plaintext, without knowing the key Instance deduction A specific plaintext can be retrieved, without knowing the key Information deduction Attacks can know some information about the plaintext and key Unconditionally secure Brute-force attacks Computationally secure

9 Earlier ciphers: Polyalphabetic cipher (Substitution based ciphers) Caesar cipher Each letter in the plaintext is replaced by a letter at some fixed number of positions down the alphabet E n (x) = x + n mod 26

10 Breaking Caesar cipher Try all possible shift amounts Frequency attacks Pattern

11 Techniques in symmetric-key ciphers Claude E. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, vol.28-4, page , Confusion - obscure the relationship between the plain-text/key and the cipher-text S-box (non-linear substitution) Diffusion - dissipate the redundancy of plain-text by spreading it out over the cipher-text Permutation

12 Substitution Permutation Network (SPN) ciphers Composed of a number of stages involving substitution and permutation

13 Sample SPN

14 Iterative structure of block ciphers Plaintext Prologue Round func Number of rounds + Operations in a round Epilogue Ciphertext

15 Advanced Encryption Standard (AES) National Institute of Standards and Technology (NIST) announced AES as the new standard symmetric-key cipher to replace DES in November 2001 Originally called Rijndael Block size: 128 bits Key length: 128, 192, or 256 bits Called AES-128, AES-192, or AES-256 The number of rounds are also different: 10, 12, or 14

16 Overview

17 Block to state and state to block transition

18 Example:

19 Round function

20 SubBytes

21 AES S-Box a b c d e f c 77 7b f2 6b 6f c b fe d7 ab ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 20 b7 fd f f7 cc 34 a5 e5 f1 71 d c7 23 c a e2 eb 27 b c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 80 cd 0c 13 ec 5f c4 a7 7e 3d 64 5d f dc 22 2a ee b8 14 de 5e 0b db a0 e0 32 3a 0a c c2 d3 ac e4 79 b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 70 3e b f6 0e b9 86 c1 1d 9e e0 e1 f d9 8e 94 9b 1e 87 e9 ce df f0 8c a1 89 0d bf e d 0f b0 54 bb 16

22 AES Inverse S-Box a b c d e f a d a5 38 bf 40 a3 9e 81 f3 d7 fb 10 7c e b 2f ff e c4 de e9 cb b a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e e a d9 24 b2 76 5b a2 49 6d 8b d f8 f d4 a4 5c cc 5d 65 b c fd ed b9 da 5e a7 8d 9d d8 ab 00 8c bc d3 0a f7 e b8 b d0 2c 1e 8f ca 3f 0f 02 c1 af bd a 6b 80 3a f 67 dc ea 97 f2 cf ce f0 b4 e ac e7 ad e2 f9 37 e8 1c 75 df 6e a0 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b0 fc 56 3e 4b c6 d a db c0 fe 78 cd 5a f4 c0 1f dd a c7 31 b ec 5f d f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e0 a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c f0 17 2b 04 7e ba 77 d6 26 e c 7d

23 SubBytes Example:

24 Finite Fields AES uses finite field GF(2 8 ) (Galois Field) Eight bits in a byte can be considered as a polynomial b 7 x 7 + b 6 x 6 + b 5 x 5 + b 4 x 4 + b 3 x 3 + b 2 x 2 + b 1 x + b 0 Little endian {b 7, b 6, b 5, b 4, b 3, b 2, b 1, b 0 } Example: = is x 6 + x 5 + x + 1 Different arithmetic operations Addition is XOR ( ) Multiplication Prime polynomial is x 8 + x 4 + x 3 + x + 1 ( or 11B 16 )

25 Example of Multiplication mod 11B 16 = mod 11B 16 = = If it is not clear to you, convert all binaries to polynomials.

26 ShiftRow

27 ShiftRow Example

28 MixColumns: Matrix Multiplication

29 Constant Matrix and its Inverse

30 MixColumns Example

31 AddRoundKey 16 byte-wise XOR The figure shows one column

32 Summary of Operations in a Round

33 Table Lookup for Fast MixColumns

34 T-BOX Combine SubBytes, ShiftRows, MixColumns using the standard T-table approach.

35 Memory requirements Four tables (a total of 4K bytes) Each tables: 256 * 4 = 1K bytes One table ( 1K bytes) Three rotations are needed for other columns One table (256 bytes) S-Box MixColumns may need tables too. No table

36 Key Expansion (or scheduling) The main key is expanded to round keys Each round needs four Assume big-endian systems

37 AES-128 Key Scheduling RotWord: <<< 8, SubWord: 4 SubBytes, Change the left most byte

38 Constants in the Key Scheduling

39 References Announcing the AES, AES, Input and output block conventions for AES encryption algorithms Rijndael S-box, AES speed, Aescrypt,