advanced encryption standard - wikipedia, the free encyclopedia.pdf


6/15/2015 Advanced Encryption Standard - Wikipedia, the free encyclopedia

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Advanced Encryption Standard (Rijndael)

[Figure: The SubBytes step, one of four stages in a round of AES]

General

Designers: Vincent Rijmen, Joan Daemen
First published: 1998
Derived from: Square
Successors: Anubis, Grand Cru
Certification: AES winner, CRYPTREC, NESSIE, NSA

Cipher detail

Key sizes: 128, 192 or 256 bits [1]
Block sizes: 128 bits [2]
Structure: Substitution-permutation network
Rounds: 10, 12 or 14 (depending on key size)

Best public cryptanalysis

Attacks have been published that are computationally faster than a full brute-force attack, though none as of 2013 are computationally feasible: [3]

For AES-128, the key can be recovered with a computational complexity of 2^126.1 using the biclique attack. For biclique attacks on AES-192 and AES-256, the computational complexities of 2^189.7 and 2^254.4 respectively apply. Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.

Advanced Encryption Standard
From Wikipedia, the free encyclopedia

The Advanced Encryption Standard (AES), also referenced as Rijndael [4][5] (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. [6]

AES is based on the Rijndael cipher [5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. [7] Rijndael is a family of ciphers with different key and block sizes.

For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), [8] which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

In the United States, AES was announced by NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001. [6] This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable (see Advanced Encryption Standard process for more details).

AES became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA-approved cryptographic module (see Security of AES, below).

The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen). It is also a combination of the Dutch name for the Rhine river and a dale.


Contents

1 Definitive standards
2 Description of the cipher
  2.1 High-level description of the algorithm
  2.2 The SubBytes step
  2.3 The ShiftRows step
  2.4 The MixColumns step
  2.5 The AddRoundKey step
  2.6 Optimization of the cipher
3 Security
  3.1 Known attacks
  3.2 Side-channel attacks
4 NIST/CSEC validation
5 Test vectors
6 Performance
7 Implementations
8 See also
9 Notes
10 References
11 External links

Definitive standards

The Advanced Encryption Standard (AES) is defined in each of:

FIPS PUB 197: Advanced Encryption Standard (AES) [6]

ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers [9]

Description of the cipher

AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware. [10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4 × 4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field, GF(2^8): each byte is a field element, addition is XOR, and multiplication is reduced modulo the polynomial x^8 + x^4 + x^3 + x + 1.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition are as follows:

10 cycles of repetition for 128-bit keys.
12 cycles of repetition for 192-bit keys.
14 cycles of repetition for 256-bit keys.

[Figure: In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; b_ij = S(a_ij).]

Each round consists of four stages (SubBytes, ShiftRows, MixColumns and AddRoundKey), one of which, AddRoundKey, depends on the encryption key itself; the final round omits MixColumns. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

High-level description of the algorithm

1. KeyExpansion: round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.

2. InitialRound
   1. AddRoundKey: each byte of the state is combined with a block of the round key using bitwise xor.

3. Rounds
   1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. ShiftRows: a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
   3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. AddRoundKey

4. Final Round (no MixColumns)
   1. SubBytes
   2. ShiftRows
   3. AddRoundKey

The SubBytes step

In the SubBytes step, each byte a_ij in the state matrix is replaced with a SubByte S(a_ij) using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), i.e., S(a_ij) ≠ a_ij, and also any opposite fixed points, i.e., S(a_ij) ⊕ a_ij ≠ 0xFF. While performing the decryption, the InvSubBytes step is used, which requires first applying the inverse affine transformation and then finding the multiplicative inverse (just reversing the steps used in the SubBytes step).

The ShiftRows step

[Figure: In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.]

The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row n is shifted left circular by n-1 bytes. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.) For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively; this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks. The importance of this step is to avoid the columns being processed independently, in which case AES would degenerate into four independent block ciphers.

[Figure: In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).]

The MixColumns step

In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.

During this operation, each column is transformed using a fixed matrix (matrix multiplied by column gives new value of column in the state). With input column (a0, a1, a2, a3) and output column (b0, b1, b2, b3), and with the matrix entries being the coefficients of c(x) given below, arranged as a circulant:

b0 = 02·a0 ⊕ 03·a1 ⊕ 01·a2 ⊕ 01·a3
b1 = 01·a0 ⊕ 02·a1 ⊕ 03·a2 ⊕ 01·a3
b2 = 01·a0 ⊕ 01·a1 ⊕ 02·a2 ⊕ 03·a3
b3 = 03·a0 ⊕ 01·a1 ⊕ 01·a2 ⊕ 02·a3

Matrix multiplication is composed of multiplication and addition of the entries. Entries are 8-bit bytes treated as coefficients of polynomials of degree at most 7 (order x^7). Addition is simply XOR. Multiplication is modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1. If processed bit by bit, then after shifting a conditional XOR with 0x1B should be performed if the shifted value is larger than 0xFF (the overflow must be corrected by subtraction of the generating polynomial). These are special cases of the usual multiplication in GF(2^8).

In a more general sense, each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 0x03·x^3 + x^2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by the shown particular MDS matrix in the finite field GF(2^8). This process is described further in the article Rijndael mix columns.

The AddRoundKey step

[Figure: In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕).]

In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

Optimization of the cipher

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the SubBytes and ShiftRows steps with the MixColumns step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, and utilizes a total of four kilobytes (4096 bytes) of memory, one kilobyte for each table. A round can then be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step. [11]

If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates.

Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation. [12]
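The round description above (key expansion, SubBytes built from the GF(2^8) inverse and affine map, ShiftRows, MixColumns via the 0x1B reduction, AddRoundKey) and the T-table optimization just described are small enough to carry through in full. The following is an added example written for this page, not code from the article, from NIST or from any of the cited papers. It implements AES-128/192/256 encryption of one block both ways: the straightforward four-stage round and the 32-bit table round (16 lookups and 12 XORs, then 4 XORs with the round key), and it reproduces the FIPS-197 Appendix C known-answer ciphertexts (the vectors NIST also ships in the KAT set referenced under Test vectors). Function names and the state layout (a flat list of 16 bytes in column-major order, index 4*col + row) are this example's own conventions.

```python
"""AES encryption built from the round operations described above, in two forms: the
plain SubBytes/ShiftRows/MixColumns/AddRoundKey round and the 32-bit T-table round.
Added example, not the article's or NIST's code.  State = 16 bytes, index 4*col + row."""

def xtime(b):
    """Multiply by x in GF(2^8): shift left, reduce with 0x1B when bit 8 overflows."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """General GF(2^8) multiplication modulo x^8 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """Rijndael S-box: multiplicative inverse (0 -> 0), then the affine map
    s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):          # 0x03 generates GF(2^8)*: log/antilog tables give inverses
        exp[i], log[x] = x, i
        x = gmul(x, 3)
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(1, 5)]
        sbox.append(inv ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ 0x63)
    return sbox

def sub_bytes(s, sbox): return [sbox[b] for b in s]

def shift_rows(s):
    """Row r rotates left by r: out[row r, col c] = in[row r, col (c + r) mod 4]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Each column times the circulant matrix of c(x) = 03 x^3 + 01 x^2 + 01 x + 02."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(2, a0) ^ gmul(3, a1) ^ a2 ^ a3,
                a0 ^ gmul(2, a1) ^ gmul(3, a2) ^ a3,
                a0 ^ a1 ^ gmul(2, a2) ^ gmul(3, a3),
                gmul(3, a0) ^ a1 ^ a2 ^ gmul(2, a3)]
    return out

def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]

def expand_key(key, sbox):
    """Rijndael key schedule for 16/24/32-byte keys: Nr + 1 round keys of 16 bytes each."""
    nk, nr, rcon = len(key) // 4, len(key) // 4 + 6, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [sbox[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:                  # extra SubWord for 256-bit keys
            t = [sbox[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def build_ttables(sbox):
    """T0[a] packs the MixColumns column of S[a] placed in row 0; Ti is T0 rotated down i rows."""
    t = [[0] * 256 for _ in range(4)]
    for a in range(256):
        col = [gmul(2, sbox[a]), sbox[a], sbox[a], gmul(3, sbox[a])]
        for i in range(4):
            t[i][a] = int.from_bytes(bytes(col[(r - i) % 4] for r in range(4)), "big")
    return t

def ttable_round(s, rk, t):
    """One full round as 16 table lookups and 12 XORs, plus 4 XORs with the round key."""
    out = []
    for c in range(4):
        word = (t[0][s[4 * c]] ^ t[1][s[4 * ((c + 1) % 4) + 1]]
                ^ t[2][s[4 * ((c + 2) % 4) + 2]] ^ t[3][s[4 * ((c + 3) % 4) + 3]])
        word ^= int.from_bytes(bytes(rk[4 * c:4 * c + 4]), "big")
        out += word.to_bytes(4, "big")
    return out

def encrypt_block(key, block, use_ttables=False):
    """AES-128/192/256 single-block encryption; both round forms give the same ciphertext."""
    sbox = build_sbox()
    rk = expand_key(key, sbox)
    t = build_ttables(sbox) if use_ttables else None
    s = add_round_key(list(block), rk[0])
    for r in range(1, len(rk) - 1):
        s = ttable_round(s, rk[r], t) if use_ttables else \
            add_round_key(mix_columns(shift_rows(sub_bytes(s, sbox))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s, sbox)), rk[-1])   # final round: no MixColumns
    return bytes(s)

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector: key 00..0f, plaintext 00 11 22 .. ff -> 69c4e0d8...
    print(encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")).hex())
```

Two things worth noticing when running it: the T-table path touches memory at addresses that depend on `p ^ k` in the first round, which is exactly what the cache attacks under Side-channel attacks exploit, and the byte-oriented path is no better in that respect, since `sbox[b]` is also a secret-indexed lookup. Reference code like this is for understanding and for checking test vectors; production code should use a constant-time or hardware (AES-NI) implementation, and this block is encryption of a single raw block only, with no mode of operation or authentication.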

Security

Until May 2009, the only successful published attacks against the full AES were side-channel attacks on some specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use." [13]

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys. [14]

Known attacks

For cryptographers, a cryptographic "break" is anything faster than a brute force, performing one trial decryption for each key (see Cryptanalysis). This includes results that are infeasible with current technology. The largest successful publicly known brute-force attack against any block cipher encryption was against a 64-bit RC5 key by distributed.net in 2006. [15]

AES has a fairly simple algebraic description. [16] In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description. [17] Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.

During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use...in security-critical applications." [18] However, in October 2000 at the end of the AES selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, he does not "believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." [19]

On July 1, 2009, Bruce Schneier blogged [20] about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, [21] which exploits AES's somewhat simple key schedule and has a complexity of 2^119. In December 2009 it was improved to 2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys. [22] However, related-key attacks are not of concern in any properly designed cryptographic protocol, as properly designed software will not use related keys.

Another attack was blogged by Bruce Schneier [23] on July 30, 2009 and released as a preprint [24] on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.

In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint. [25] This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-S-box. It works on the 8-round version of AES-128, with a time complexity of 2^48, and a memory complexity of 2^32. 128-bit AES uses 10 rounds, so this attack isn't effective against full AES-128.

In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128. [26]

The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. [27] The attack is a biclique attack and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively. This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years. Also, the authors calculate that the best attack using their technique on AES with a 128-bit key requires storing 2^88 bits of data. That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet. As such this is a theoretical attack that has no practical implication on AES security. [28]

According to the Snowden documents, the NSA is doing research on whether a cryptographic attack based on tau statistic may help to break AES. [29]

As for now, there are no known practical attacks that would allow anyone to read correctly implemented AES encrypted data.

Side-channel attacks

Side-channel attacks do not attack the underlying cipher, and thus are not related to security in that context. They rather attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.

In April 2005, D. J. Bernstein announced a cache-timing attack that he used to break a custom server that used OpenSSL's AES encryption. [30] The attack required over 200 million chosen plaintexts. [31] The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples." [30]

In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES. [32] One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 2^32. [33]

In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either ciphertext or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL. [34] Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account. [35]

NIST/CSEC validation

The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of cryptographic modules validated to NIST FIPS 140-2 is required by the United States Government for encryption of all data that has a classification of Sensitive but Unclassified (SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS 140-2." [36]

The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as Triple DES or SHA1) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.

The Cryptographic Algorithm Validation Program (CAVP) [37] allows for independent validation of the correct implementation of the AES algorithm at a reasonable cost. Successful validation results in being listed on the NIST validations page (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). This testing is a prerequisite for the FIPS 140-2 module validation described below. However, successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data. [36]

FIPS 140-2 validation is challenging to achieve both technically and fiscally. [38] There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant (e.g., well over $30,000 US) [38] and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change.

Test vectors

Test vectors are a set of known ciphertexts for a given input and key, used to check that an implementation computes the cipher correctly. NIST distributes the reference AES test vectors as AES Known Answer Test (KAT) Vectors (in ZIP format) (http://csrc.nist.gov/groups/STM/cavp/documents/aes/KAT_AES.zip).

Performance

High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers.

On a Pentium Pro, AES encryption requires 18 clock cycles per byte, [39] equivalent to a throughput of about 11 MB/s for a 200 MHz processor. On a 1.7 GHz Pentium M throughput is about 60 MB/s.

On Intel Core i3/i5/i7 and AMD APU and FX CPUs supporting AES-NI instruction set extensions, throughput can be over 700 MB/s per thread. [40]

Implementations

See also

Disk encryption

Whirlpool: hash function created by Vincent Rijmen and Paulo S. L. M. Barreto

Notes

1. Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
2. Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.
3. "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aes-bc.pdf) (PDF). Retrieved July 23, 2013.
4. "Rijndael" (http://searchsecurity.techtarget.com/definition/Rijndael). Retrieved March 9, 2015.
5. Daemen, Joan; Rijmen, Vincent (March 9, 2003). "AES Proposal: Rijndael" (http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=1) (PDF). National Institute of Standards and Technology. p. 1. Retrieved 21 February 2013.
6. "Announcing the ADVANCED ENCRYPTION STANDARD (AES)" (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF). Federal Information Processing Standards Publication 197. United States National Institute of Standards and Technology (NIST). November 26, 2001. Retrieved October 2, 2012.
7. John Schwartz (October 3, 2000). "U.S. Selects a New Encryption Technique" (http://www.nytimes.com/2000/10/03/business/technology-us-selects-a-new-encryption-technique.html). New York Times.
8. Westlund, Harold B. (2002). "NIST reports measurable success of Advanced Encryption Standard" (http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479). Journal of Research of the National Institute of Standards and Technology.
9. "ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers" (http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531).
10. Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; et al. (May 2000). "The Twofish Team's Final Comments on AES Selection" (http://www.schneier.com/paper-twofish-final.pdf) (PDF).
11. "Efficient software implementation of AES on 32-bit platforms" (http://www.springerlink.com/index/UVX5NQGNN55VK199.pdf). Lecture Notes in Computer Science: 2523. 2003.
12. "byte-oriented-aes - A public domain byte-oriented implementation of AES in C - Google Project Hosting" (https://code.google.com/p/byte-oriented-aes). Code.google.com. Retrieved 2012-12-23.
13. Lynn Hathaway (June 2003). "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information" (http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf) (PDF). Retrieved 2011-02-15.
14. John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting, Improved Cryptanalysis of Rijndael, Fast Software Encryption, 2000, pp. 213-230 (http://www.schneier.com/paper-rijndael.html).
15. Ou, George (April 30, 2006). "Is encryption really crackable?" (http://www.webcitation.org/5rocpRxhN). Ziff-Davis. Archived from the original (http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204) on August 7, 2010. Retrieved August 7, 2010.
16. "Sean Murphy" (http://www.isg.rhul.ac.uk/~sean/). University of London. Retrieved 2008-11-02.
17. Bruce Schneier. "AES News, Crypto-Gram Newsletter, September 15, 2002" (http://www.schneier.com/crypto-gram-0209.html). Archived (http://web.archive.org/web/20070707105715/http://www.schneier.com/crypto-gram-0209.html) from the original on 7 July 2007. Retrieved 2007-07-27.
18. Niels Ferguson; Richard Schroeppel; Doug Whiting (2001). "A simple algebraic representation of Rijndael" (http://web.archive.org/web/20061104080748/http://www.macfergus.com/pub/rdalgeq.html). Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science. Springer-Verlag. pp. 103-111. Archived from the original (http://www.macfergus.com/pub/rdalgeq.html) (PDF/PostScript) on 4 November 2006. Retrieved 2006-10-06.
19. Bruce Schneier, AES Announced (http://www.schneier.com/crypto-gram-0010.html), October 15, 2000.
20. Bruce Schneier (2009-07-01). "New Attack on AES" (http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html). Schneier on Security, A blog covering security and security technology. Archived (http://web.archive.org/web/20100208155652/http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html) from the original on 8 February 2010. Retrieved 2010-03-11.
21. Biryukov, Alex; Khovratovich, Dmitry (2009-12-04). "Related-key Cryptanalysis of the Full AES-192 and AES-256" (http://eprint.iacr.org/2009/317). Retrieved 2010-03-11.
22. Nikolić, Ivica (2009). "Distinguisher and Related-Key Attack on the Full AES-256". Advances in Cryptology - CRYPTO 2009. Springer Berlin / Heidelberg. pp. 231-249. doi:10.1007/978-3-642-03356-8_14 (https://dx.doi.org/10.1007%2F978-3-642-03356-8_14). ISBN 978-3-642-03355-1.
23. Bruce Schneier (2009-07-30). "Another New AES Attack" (http://www.schneier.com/blog/archives/2009/07/another_new_aes.html). Schneier on Security, A blog covering security and security technology. Retrieved 2010-03-11.
24. Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19). "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds" (http://eprint.iacr.org/2009/374). Archived (http://web.archive.org/web/20100128050656/http://eprint.iacr.org/2009/374) from the original on 28 January 2010. Retrieved 2010-03-11.
25. Henri Gilbert; Thomas Peyrin (2009-11-09). "Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations" (http://eprint.iacr.org/2009/531). Retrieved 2010-03-11.
26. Vincent Rijmen (2010). "Practical-Titled Attack on AES-128 Using Chosen-Text Relations" (http://eprint.iacr.org/2010/337.pdf) (PDF).
27. Andrey Bogdanov; Dmitry Khovratovich; Christian Rechberger (2011). "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aes-bc.pdf) (PDF).
28. Jeffrey Goldberg. "AES Encryption isn't Cracked" (https://blog.agilebits.com/2011/08/18/aes-encryption-isnt-cracked/). Retrieved 30 December 2014.
29. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
30. "Index of formal scientific papers" (http://cr.yp.to/papers.html#cachetiming). Cr.yp.to. Retrieved 2008-11-02.
31. Bruce Schneier. "AES Timing Attack" (http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html). Archived (http://web.archive.org/web/20070212015727/http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html) from the original on 12 February 2007. Retrieved 2007-03-17.
32. Dag Arne Osvik; Adi Shamir; Eran Tromer (2005-11-20). "Cache Attacks and Countermeasures: the Case of AES" (http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf) (PDF). Retrieved 2008-11-02.
33. Dhiman Saha; Debdeep Mukhopadhyay; Dipanwita Roy Chowdhury. "A Diagonal Fault Attack on the Advanced Encryption Standard" (http://eprint.iacr.org/2009/581.pdf) (PDF). Archived (http://web.archive.org/web/20091222070135/http://eprint.iacr.org/2009/581.pdf) (PDF) from the original on 22 December 2009. Retrieved 2009-12-08.
34. Endre Bangerter; David Gullasch; Stephan Krenn (2010). "Cache Games - Bringing Access-Based Cache Attacks on AES to Practice" (http://eprint.iacr.org/2010/594.pdf) (PDF).
35. "Breaking AES-128 in realtime, no ciphertext required | Hacker News" (http://news.ycombinator.com/item?id=1937902). News.ycombinator.com. Retrieved 2012-12-23.
36. http://www.cnss.gov/Assets/pdf/nstissp_11_fs.pdf
37. "NIST.gov - Computer Security Division - Computer Security Resource Center" (http://csrc.nist.gov/groups/STM/cavp/index.html). Csrc.nist.gov. Retrieved 2012-12-23.
38. OpenSSL. "OpenSSL's Notes about FIPS certification" (http://openssl.org/docs/fips/fipsnotes.html). Openssl.org. Retrieved 2012-12-23.
39. Schneier, Bruce; Kelsey, John; Whiting, Doug; Wagner, David; Hall, Chris; Ferguson, Niels (1999-02-01). "Performance Comparisons of the AES submissions" (http://www.schneier.com/paper-aes-performance.pdf) (PDF). Retrieved 2010-12-28.
40. McWilliams, Grant (6 July 2011). "Hardware AES Showdown - VIA Padlock vs. Intel AES-NI vs. AMD Hexacore" (http://grantmcwilliams.com/tech/technology/387-hardware-aes-showdown-via-padlock-vs-intel-aes-ni-vs-amd-hexacore). Retrieved 2013-08-28.

References

Nicolas Courtois, Josef Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". pp. 267-287, ASIACRYPT 2002.

Joan Daemen, Vincent Rijmen, "The Design of Rijndael: AES - The Advanced Encryption Standard." Springer, 2002. ISBN 3-540-42580-2.

Christof Paar, Jan Pelzl, "The Advanced Encryption Standard" (http://wiki.crypto.rub.de/Buch/sample_chapters.php), Chapter 4 of "Understanding Cryptography, A Textbook for Students and Practitioners" (companion web site contains online lectures on AES). Springer, 2009.

External links

256-bit Ciphers - AES Reference implementation and derived code (http://embeddedsw.net/Cipher_Reference_Home.html)
FIPS PUB 197: the official AES standard (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF file)
AES algorithm archive information (old, unmaintained) (http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html)
Preview of ISO/IEC 18033-3 (http://webstore.iec.ch/preview/info_isoiec18033-3%7Bed2.0%7Den.pdf)
Animation of Rijndael (http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf)
AES encryption is cracked (http://www.theinquirer.net/inquirer/news/2102435/aes-encryption-cracked/)

Retrieved from "https://en.wikipedia.org/w/index.php?title=Advanced_Encryption_Standard&oldid=666183137"

Categories: Block ciphers | Advanced Encryption Standard | Broken block ciphers

This page was last modified on 9 June 2015, at 13:21. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.