The Advanced Encryption Standard (AES)
Conception - Why A New Cipher?
  - DES had outlived its usefulness
    - Vulnerabilities were becoming known
    - 56-bit key was too small
    - Too slow in software implementations
  - NIST wanted increased trust in the cipher
    - Previous processes were very closed
    - DES was suspected of having 'back doors'
Conception - The Process
  - January 2, 1997 - NIST announces the need for a DES successor
    - Asks for input from interested parties
  - September 12, 1997 - Call for new algorithms
  - Requirements
    - Publicly defined, publicly available
    - Variable-length key, symmetric block cipher
    - Implementable in both hardware and software
  - Judgement Criteria
    - Security
    - Computational efficiency, memory requirements
    - Hardware/software suitability
    - Simplicity, flexibility
    - Licensing requirements
Conception - The Process
  - 15 ciphers submitted
  - 5 finalists
    - MARS - IBM
    - RC6 - RSA Laboratories
    - Rijndael - Daemen and Rijmen
    - Serpent - Anderson, Biham, Knudsen
    - Twofish - Schneier, Kelsey, Whiting (and others)
  - Final winner: Rijndael
The Cipher
The Cipher - Background Math
  The mathematics needed to understand AES look and sound very complicated - Don't worry, they aren't.
  - Fields
    - Real numbers and rational numbers are fields
    - A set of values such that addition, subtraction, multiplication and division can be applied to values in it
    - Other fields exist, and can be defined
  - Finite Fields
    - A field with a finite number of elements (unlike the real numbers)
  - Modular Arithmetic
    - 9 ≡ 14 ≡ 24 ≡ 4 (mod 5)
    - Works on integers, but also works on other groups and fields
The Cipher - Background Math
  - Rijndael's Finite Field
    - A 'characteristic 2 finite field with 8 terms' (strings of 8 bits)
    - The Galois field GF(2^8)
    - Addition is done with the XOR operator
    - Uses the reducing polynomial x^8 + x^4 + x^3 + x + 1 for multiplication (an irreducible polynomial, which is what makes GF(2^8) a field)
The Cipher - Background Math
  - A Higher Level Finite Field: Polynomials with Coefficients in GF(2^8)
    - a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0
    - Each a_i is a byte, an element of GF(2^8)
    - Addition: a(x) + b(x) = (a_3 ⊕ b_3)x^3 + (a_2 ⊕ b_2)x^2 + (a_1 ⊕ b_1)x + (a_0 ⊕ b_0)
    - Multiplication: same as multiplying two polynomials, with the coefficients multiplied in GF(2^8)
    - We reduce modulo x^4 + 1 so the product stays at four terms
    - For a fixed polynomial, multiplication turns into a matrix-vector multiplication
The Cipher
  That's it. That's all the math you need to know. You made it.
The Cipher - SubBytes
  - AES's single S-Box
  - Does a non-linear substitution which is invertible
  - For each byte of input, {XY}:
    1. Let {AB} := the multiplicative inverse of {XY} in GF(2^8)
    2. Let {XY}' := an affine transform of {AB}
The Cipher - SubBytes
  Examples: {A8} => {C2}, {21} => {FD}, {27} => {CC}, {CF} => {8A}
The Cipher - ShiftRows
  - Cyclical shift of the rows of the state
The Cipher - MixColumns
  - Treats each column as a four-term polynomial
  - Multiplies each column by a fixed polynomial, returning a new polynomial (the new column)
  - a(x) = {03}x^3 + {01}x^2 + {01}x + {02}
The Cipher - AddRoundKey
  - The Key Expansion takes a Cipher Key K and makes 4*(Nr+1) 32-bit words, where Nr = number of rounds
  - AddRoundKey takes the state (4 words) and the next 4 Round Key words, and returns a new state
  - For each column i: new Col_i = Col_i ⊕ Key word 4*l + i, where l = round #, i = column #
The Cipher - Key Expansion
  - Given the initial key (size 128, 192 or 256 bits) and the number of rounds Nr, generates 4*(Nr+1) 32-bit words
  - Uses the SubWord function (which applies SubBytes to each of the 4 bytes of a word)
  - Uses the RotWord function (cyclically rotates the 4 bytes of a word)
  - The first 4 to 8 words (one per 32 bits of cipher key) are the cipher key itself
  - Later words are generated from those, using the functions above
The Cipher - Inversion
  - Each sub-function of the Cipher is invertible
    - SubBytes: reverse the affine transform, then find the inverse of the result in GF(2^8)
    - ShiftRows: shift the rows by the reverse amounts
    - MixColumns: apply the inverse matrix to each column
    - AddRoundKey: use AddRoundKey again with the same key (XOR is its own inverse)
Example Encryption
  - For simplicity's sake, we will do AES with 1 round (plus the initial and final rounds)
  - Block: 4422 6f44 7a7d 337d 3973 332C 5dae 2763
  - Key: 2b7e 1516 28ae d2a6 abf7 1588 09cf 4f3c
  - Key Schedule:
      2b7e1516 28aed2a6 abf71588 09cf4f3c
      a0fafe17 88542cb1 23a33939 2a6c7605
      f2c295f2 7a96b943 5935807a 7359f67f
Example Encryption
  - Initial State: {4422 6f44 7a7d 337d 3973 332C 5dae 2763}
  - Initial Round: AddRoundKey
    (intermediate state diagram not reproduced)

Example Encryption
  - For our 1 round (typically, 10+ rounds): SubBytes, ShiftRows, MixColumns, AddRoundKey
    (intermediate state diagrams not reproduced)

Example Encryption
  - Final Round: SubBytes, ShiftRows, (skip MixColumns), AddRoundKey
    (intermediate state diagrams not reproduced)
  - Final Output: {DFFD 649C 65A2 C8A2 66B1 8B18 184A 6FBB}
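The whole cipher described on the preceding slides, as an added, runnable Python example that is not code from the slides or from the Rijndael authors: GF(2^8) multiplication with the reducing polynomial, the S-box built as multiplicative inverse followed by the affine transform, ShiftRows, MixColumns as the circulant matrix-vector product, AddRoundKey, the key expansion with SubWord and RotWord, and the inverse cipher. The round count is a parameter, so `nr=2` replays the slides' walkthrough (initial AddRoundKey, one full round, one final round without MixColumns) on the slides' block and key, and `nr=10` is real AES-128; the code checks that decryption inverts encryption. All function and variable names are this example's own. The S-box is a plain table lookup, which is exactly the kind of implementation the cache-timing remark on the next slide is about, so this is for studying the algorithm, not for protecting data.

```python
# Added example, not from the slides: a minimal AES-128 built from the
# components described above. Table-lookup S-box, no side-channel hardening.

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reducing polynomial of GF(2^8)

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8), reducing by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 = a^-1 in GF(2^8); FIPS 197 maps {00} to {00}."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b: int) -> int:
    """FIPS 197 affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]  # SubBytes: inverse, then affine
INV_SBOX = [SBOX.index(v) for v in range(256)]  # InvSubBytes

def key_expansion(key: bytes, nr: int) -> list:
    """Expand a 16-byte key into 4*(nr+1) 32-bit words (FIPS 197 section 5.2, Nk = 4)."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]  # first 4 words are the key itself
    rcon = 1
    for i in range(4, 4 * (nr + 1)):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]           # add the round constant
            rcon = gf_mul(rcon, 2)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return w

# State is column-major as in FIPS 197: byte (row r, column c) is state[r + 4*c].
def add_round_key(state, w, rnd):
    """Column i of the state XOR key word 4*rnd + i (the slide's AddRoundKey)."""
    return [s ^ k for s, k in zip(state, b"".join(w[4 * rnd:4 * rnd + 4]))]

def sub_bytes(state, box=SBOX):
    return [box[b] for b in state]

def shift_rows(state, inverse=False):
    """Row r rotates left by r positions (right for the inverse)."""
    d = -1 if inverse else 1
    return [state[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state, coeffs=(2, 3, 1, 1)):
    """Multiply each column by a(x) = {03}x^3 + {01}x^2 + {01}x + {02} mod x^4 + 1,
    done as the circulant matrix-vector product the slides mention."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for i in range(4):
            acc = 0
            for j in range(4):
                acc ^= gf_mul(coeffs[(j - i) % 4], col[j])
            out.append(acc)
    return out

def encrypt_block(block: bytes, key: bytes, nr: int = 10) -> bytes:
    """AES-128 encryption with nr rounds (10 for real AES-128; 2 replays the slides)."""
    w = key_expansion(key, nr)
    s = add_round_key(list(block), w, 0)                           # initial round
    for rnd in range(1, nr):                                       # full rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, nr))  # final: no MixColumns

def decrypt_block(block: bytes, key: bytes, nr: int = 10) -> bytes:
    """Inverse cipher: undo each step in reverse order with the inverse tables."""
    w = key_expansion(key, nr)
    s = add_round_key(list(block), w, nr)
    for rnd in range(nr - 1, 0, -1):
        s = sub_bytes(shift_rows(s, inverse=True), INV_SBOX)
        s = mix_columns(add_round_key(s, w, rnd), (14, 11, 13, 9))  # InvMixColumns
    return bytes(add_round_key(sub_bytes(shift_rows(s, inverse=True), INV_SBOX), w, 0))

if __name__ == "__main__":
    # The slides' walkthrough: their block and key, Nr = 2 (initial + 1 full + final round)
    block = bytes.fromhex("44226f447a7d337d3973332c5dae2763")
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for i, word in enumerate(key_expansion(key, 2)):
        print(f"w{i} = {word.hex()}")
    ct = encrypt_block(block, key, nr=2)
    print("2-round ciphertext:", ct.hex())
    assert decrypt_block(ct, key, nr=2) == block
```

Running it prints the twelve key-schedule words for the slides' key, which match the Key Schedule slide (w4 = a0fafe17 through w11 = 7359f67f), followed by the two-round output. With the default `nr=10` and the same key, the block reproduces the FIPS 197 Appendix B vector, plaintext 3243f6a8885a308d313198a2e0370734 to ciphertext 3925841d02dc09fbdc118597196a0b32, which is the check worth keeping whenever the code is modified.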
Security of AES
  - "I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." - Bruce Schneier
  - Some related-key attacks exist on the 192-bit and 256-bit versions, and on reduced-round versions
    - The attacks are better than exhaustive search, but are still entirely infeasible for real-world applications
    - 256-bit version in 2^117 time, 192-bit version in 2^119 time
    - Related-key attacks require the attacker to know how plaintext is encrypted under more than one (related) key
  - Even the best mathematical attacks are still not usable on full-round AES-128, AES-192 or AES-256
Security of AES
  - Certain side-channel attacks exist for specific implementations of AES
    - These do not exploit the actual cryptography of the cipher, but instead attack how specific versions are implemented
    - Ex: using timing attacks to guess SSL keys
    - Usually, these attacks require the ability to run code on the victim machine
  - Very strong features built in to avoid DES-style attacks
    - Use of finite field inversion in the S-Box construction helps make linear and differential attacks difficult
    - MixColumns helps ensure that there are no "narrow" paths using only a few S-Boxes, again preventing linear and differential attacks
References
  1. Federal Information Processing Standards Publication 197, November 26, 2001 - Advanced Encryption Standard.
  2. "AES Announced", Bruce Schneier, Crypto-Gram Newsletter, Oct 15, 2000. http://www.schneier.com/cryptogram-0010.html#8
  3. "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", Biryukov, Dunkelman, Keller, Khovratovich, Shamir. Cryptology ePrint Archive: Report 2009/374. http://eprint.iacr.org/2009/374
  4. "Cache-timing attacks on AES", Daniel Bernstein, University of Illinois at Chicago. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
  5. Stinson, Douglas. Cryptography: Theory and Practice. 3rd ed. Boca Raton, FL: Chapman & Hall/CRC, 2006.