6/15/2015 Advanced Encryption Standard - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Advanced Encryption Standard (Rijndael)
The SubBytes step, one of four stages in a round of AES
General
Designers: Vincent Rijmen, Joan Daemen
First published: 1998
Derived from: Square
Successors: Anubis, Grand Cru
Certification: AES winner, CRYPTREC, NESSIE, NSA
Cipher detail
Key sizes: 128, 192 or 256 bits[1]
Block sizes: 128 bits[2]
Structure: Substitution-permutation network
Rounds: 10, 12 or 14 (depending on key size)
Best public cryptanalysis
Attacks have been published that are computationally faster than a full brute-force attack, though none as of 2013 are computationally feasible:[3]
For AES-128, the key can be recovered with a computational complexity of 2^126.1 using the biclique attack. For biclique attacks on AES-192 and AES-256, the computational complexities of 2^189.7 and 2^254.4 respectively apply. Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.
Advanced Encryption Standard
From Wikipedia, the free encyclopedia
The Advanced Encryption Standard (AES), also referenced as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]
AES is based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process.[7] Rijndael is a family of ciphers with different key and block sizes.
For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES),[8] which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
In the United States, AES was announced by the NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001.[6] This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable (see Advanced Encryption Standard process for more details).
AES became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).
The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen). It is also a combination of the Dutch name for the Rhine river and a Dale.
Contents
1 Definitive standards
2 Description of the cipher
  2.1 High-level description of the algorithm
  2.2 The SubBytes step
  2.3 The ShiftRows step
  2.4 The MixColumns step
  2.5 The AddRoundKey step
  2.6 Optimization of the cipher
3 Security
  3.1 Known attacks
  3.2 Side-channel attacks
4 NIST/CSEC validation
5 Test vectors
6 Performance
7 Implementations
8 See also
9 Notes
10 References
11 External links
Definitive standards
The Advanced Encryption Standard (AES) is defined in each of:
FIPS PUB 197: Advanced Encryption Standard (AES)[6]
ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers[9]
Description of the cipher
AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware.[10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.
AES operates on a 4x4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.
The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:
10 cycles of repetition for 128-bit keys.
In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; b_ij = S(a_ij).
12 cycles of repetition for 192-bit keys.
14 cycles of repetition for 256-bit keys.
Each round consists of several processing steps, each containing four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.
High-level description of the algorithm
1. KeyExpansion - round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.
2. InitialRound
   1. AddRoundKey - each byte of the state is combined with a block of the round key using bitwise xor.
3. Rounds
   1. SubBytes - a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. ShiftRows - a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
   3. MixColumns - a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. AddRoundKey
4. Final Round (no MixColumns)
   1. SubBytes
   2. ShiftRows
   3. AddRoundKey.
The SubBytes step
In the SubBytes step, each byte a_ij in the state matrix is replaced with a SubByte S(a_ij) using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), i.e., S(a_ij) ≠ a_ij, and also any opposite fixed points, i.e., S(a_ij) ⊕ a_ij ≠ 0xFF. While performing the decryption, the Inverse SubBytes step is used, which requires first applying the inverse of the affine transformation and then finding the multiplicative inverse (just reversing the steps used in the SubBytes step).
The ShiftRows step
The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row n is shifted left circular by n-1 bytes. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets). For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively; this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks. The importance of this step is to avoid the columns being linearly independent, in which case, AES degenerates into four independent block ciphers.
In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.
In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).
The MixColumns step
In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
During this operation, each column is transformed using a fixed matrix (the matrix multiplied by the column gives the new value of the column in the state).
Matrix multiplication is composed of multiplication and addition of the entries. Entries are 8-bit bytes treated as coefficients of a polynomial of order x^7. Addition is simply XOR. Multiplication is modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1. If processed bit by bit, then after shifting, a conditional XOR with 0x1B should be performed if the shifted value is larger than 0xFF (overflow must be corrected by subtraction of the generating polynomial). These are special cases of the usual multiplication in GF(2^8).
In a more general sense, each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 0x03·x^3 + x^2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in the finite field GF(2^8). This process is described further in the article Rijndael mix columns.
The AddRoundKey step
In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕).
In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.
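The round outline of section 2.1 and the four stages described above (SubBytes with its inverse-plus-affine S-box, ShiftRows, MixColumns over GF(2^8), AddRoundKey with Rijndael's key schedule), assembled into a complete AES-128 block encryption. This is an added example, not code from Wikipedia, NIST or the Rijndael authors; it hard-codes no tables, deriving each one from the definitions in the text, and it checks itself against the FIPS-197 Appendix C.1 known-answer vector, which is embedded inline.

```python
"""AES-128 encryption built from the four round stages described above.
Added example, not Wikipedia's or NIST's code. The S-box is derived from the
GF(2^8) inverse plus the affine map, MixColumns from xtime(), round keys from
the key schedule. State = flat list of 16 ints, column-major: state[4*c + r]
is row r, column c, so the 16 input bytes map onto the state in order.
"""

def xtime(b):
    """Multiply by x (0x02) in GF(2^8); reduce by x^8+x^4+x^3+x+1 on overflow."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Bit-by-bit product in GF(2^8): addition is XOR, doubling is xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def build_sbox():
    """Rijndael S-box: inverse, then affine map s = x ^ rotl(x,1..4) ^ 0x63."""
    sbox = []
    for a in range(256):
        x = gf_inv(a)
        s = x
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF  # rotate left by one bit
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r rotates left by r bytes: out[r][c] = in[r][(c + r) mod 4]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(col):
    """Multiply one column by c(x) = 03x^3 + x^2 + x + 02 modulo x^4 + 1."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def mix_columns(s):
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]

def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def expand_key(key):
    """Key schedule for a 16-byte key: 44 words = 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Initial AddRoundKey, nine full rounds, final round without MixColumns."""
    rk = expand_key(bytes(key))
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)

def fips197_c1_vector():
    """FIPS-197 Appendix C.1 known-answer test: (computed hex, expected hex)."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    return aes128_encrypt_block(key, pt).hex(), "69c4e0d86a7b0430d8cdb78070b4c55a"
```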
Optimization of the cipher
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the SubBytes and ShiftRows steps with the MixColumns step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, and utilizes a total of four kilobytes (4096 bytes) of memory, one kilobyte for each table. A round can then be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step.[11]
If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates.
Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.[12]
Security
Until May 2009, the only successful published attacks against the full AES were side-channel attacks on some specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.[13]
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.[14]
Known attacks
For cryptographers, a cryptographic "break" is anything faster than a brute force, performing one trial decryption for each key (see Cryptanalysis). This includes results that are infeasible with current technology. The largest successful publicly known brute force attack against any block cipher encryption was against a 64-bit RC5 key by distributed.net in 2006.[15]
AES has a fairly simple algebraic description.[16] In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description.[17] Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.
During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use...in security-critical applications."[18] However, in October 2000 at the end of the AES selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, he does not "believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."[19]
On July 1, 2009, Bruce Schneier blogged[20] about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich,[21] which exploits AES's somewhat simple key schedule and has a complexity of 2^119. In December 2009 it was improved to 2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys.[22] However, related-key attacks are not of concern in any properly designed cryptographic protocol, as properly designed software will not use related keys.
Another attack was blogged by Bruce Schneier[23] on July 30, 2009 and released as a preprint[24] on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.
In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint.[25] This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-Sbox. It works on the 8-round version of AES-128, with a time complexity of 2^48, and a memory complexity of 2^32. 128-bit AES uses 10 rounds, so this attack isn't effective against full AES-128.
In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.[26]
The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011.[27] The attack is a biclique attack and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively. This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years. Also, the authors calculate the best attack using their technique on AES with a 128-bit key requires storing 2^88 bits of data. That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet. As such this is a theoretical attack that has no practical implication on AES security.[28]
According to the Snowden documents, the NSA is doing research on whether a cryptographic attack based on tau statistic may help to break AES.[29]
As for now, there are no known practical attacks that would allow anyone to read correctly implemented AES encrypted data.
Side-channel attacks
Side-channel attacks do not attack the underlying cipher, and thus are not related to security in that context. They rather attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.
In April 2005, D. J. Bernstein announced a cache-timing attack that he used to break a custom server that used OpenSSL's AES encryption.[30] The attack required over 200 million chosen plaintexts.[31] The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."[30]
In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES.[32] One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 2^32.[33]
In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either ciphertext or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL.[34] Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.[35]
NIST/CSEC validation
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of cryptographic modules validated to NIST FIPS 140-2 is required by the United States Government for encryption of all data that has a classification of Sensitive but Unclassified (SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS 140-2."[36]
The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as Triple DES or SHA1) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.
The Cryptographic Algorithm Validation Program (CAVP)[37] allows for independent validation of the correct implementation of the AES algorithm at a reasonable cost. Successful validation results in being listed on the NIST validations page (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). This testing is a prerequisite for the FIPS 140-2 module validation described below. However, successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.[36]
FIPS 140-2 validation is challenging to achieve both technically and fiscally.[38] There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant (e.g., well over $30,000 US)[38] and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change.
Test vectors
Test vectors are a set of known ciphers for a given input and key. NIST distributes the reference of AES test vectors as AES Known Answer Test (KAT) Vectors (in ZIP format) (http://csrc.nist.gov/groups/STM/cavp/documents/aes/KAT_AES.zip).
Performance
High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers.
On a Pentium Pro, AES encryption requires 18 clock cycles per byte,[39] equivalent to a throughput of about 11 MB/s for a 200 MHz processor. On a 1.7 GHz Pentium M throughput is about 60 MB/s.
On Intel Core i3/i5/i7 and AMD APU and FX CPUs supporting AES-NI instruction set extensions, throughput can be over 700 MB/s per thread.[40]
Implementations
See also
Disk encryption
Whirlpool - hash function created by Vincent Rijmen and Paulo S. L. M. Barreto
Notes
1. Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
2. Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.
3. "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf) (PDF). Retrieved July 23, 2013.
4. "Rijndael" (http://searchsecurity.techtarget.com/definition/Rijndael). Retrieved March 9, 2015.
5. Daemen, Joan; Rijmen, Vincent (March 9, 2003). "AES Proposal: Rijndael" (http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=1) (PDF). National Institute of Standards and Technology. p. 1. Retrieved 21 February 2013.
6. "Announcing the ADVANCED ENCRYPTION STANDARD (AES)" (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF). Federal Information Processing Standards Publication 197. United States National Institute of Standards and Technology (NIST). November 26, 2001. Retrieved October 2, 2012.
7. John Schwartz (October 3, 2000). "U.S. Selects a New Encryption Technique" (http://www.nytimes.com/2000/10/03/business/technology-us-selects-a-new-encryption-technique.html). New York Times.
8. Westlund, Harold B. (2002). "NIST reports measurable success of Advanced Encryption Standard" (http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479). Journal of Research of the National Institute of Standards and Technology.
9. "ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers" (http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531).
10. Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; et al. (May 2000). "The Twofish Team's Final Comments on AES Selection" (http://www.schneier.com/paper-twofish-final.pdf) (PDF).
11. "Efficient software implementation of AES on 32-bit platforms" (http://www.springerlink.com/index/UVX5NQGNN55VK199.pdf). Lecture Notes in Computer Science: 2523. 2003.
12. "byte-oriented-aes - A public domain byte-oriented implementation of AES in C - Google Project Hosting" (https://code.google.com/p/byte-oriented-aes). Code.google.com. Retrieved 2012-12-23.
13. Lynn Hathaway (June 2003). "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information" (http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf) (PDF). Retrieved 2011-02-15.
14. John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting, Improved Cryptanalysis of Rijndael, Fast Software Encryption, 2000, pp. 213-230 (http://www.schneier.com/paper-rijndael.html).
15. Ou, George (April 30, 2006). "Is encryption really crackable?" (http://www.webcitation.org/5rocpRxhN). Ziff-Davis. Archived from the original (http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204) on August 7, 2010. Retrieved August 7, 2010.
16. "Sean Murphy" (http://www.isg.rhul.ac.uk/~sean/). University of London. Retrieved 2008-11-02.
17. Bruce Schneier. "AES News, Crypto-Gram Newsletter, September 15, 2002" (http://www.schneier.com/crypto-gram-0209.html). Archived (http://web.archive.org/web/20070707105715/http://www.schneier.com/crypto-gram-0209.html) from the original on 7 July 2007. Retrieved 2007-07-27.
18. Niels Ferguson; Richard Schroeppel; Doug Whiting (2001). "A simple algebraic representation of Rijndael" (http://web.archive.org/web/20061104080748/http://www.macfergus.com/pub/rdalgeq.html). Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science. Springer-Verlag. pp. 103-111. Archived from the original (http://www.macfergus.com/pub/rdalgeq.html) (PDF/PostScript) on 4 November 2006. Retrieved 2006-10-06.
19. Bruce Schneier, AES Announced (http://www.schneier.com/crypto-gram-0010.html), October 15, 2000.
20. Bruce Schneier (2009-07-01). "New Attack on AES" (http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html). Schneier on Security, A blog covering security and security technology. Archived (http://web.archive.org/web/20100208155652/http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html) from the original on 8 February 2010. Retrieved 2010-03-11.
21. Biryukov, Alex; Khovratovich, Dmitry (2009-12-04). "Related-key Cryptanalysis of the Full AES-192 and AES-256" (http://eprint.iacr.org/2009/317). Retrieved 2010-03-11.
22. Nikolić, Ivica (2009). "Distinguisher and Related-Key Attack on the Full AES-256". Advances in Cryptology - CRYPTO 2009. Springer Berlin / Heidelberg. pp. 231-249. doi:10.1007/978-3-642-03356-8_14 (https://dx.doi.org/10.1007%2F978-3-642-03356-8_14). ISBN 978-3-642-03355-1.
23. Bruce Schneier (2009-07-30). "Another New AES Attack" (http://www.schneier.com/blog/archives/2009/07/another_new_aes.html). Schneier on Security, A blog covering security and security technology. Retrieved 2010-03-11.
24. Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19). "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds" (http://eprint.iacr.org/2009/374). Archived (http://web.archive.org/web/20100128050656/http://eprint.iacr.org/2009/374) from the original on 28 January 2010. Retrieved 2010-03-11.
25. Henri Gilbert; Thomas Peyrin (2009-11-09). "Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations" (http://eprint.iacr.org/2009/531). Retrieved 2010-03-11.
26. Vincent Rijmen (2010). "Practical-Titled Attack on AES-128 Using Chosen-Text Relations" (http://eprint.iacr.org/2010/337.pdf) (PDF).
27. Andrey Bogdanov; Dmitry Khovratovich & Christian Rechberger (2011). "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf) (PDF).
28. Jeffrey Goldberg. "AES Encryption isn't Cracked" (https://blog.agilebits.com/2011/08/18/aes-encryption-isnt-cracked/). Retrieved 30 December 2014.
29. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
30. "Index of formal scientific papers" (http://cr.yp.to/papers.html#cachetiming). Cr.yp.to. Retrieved 2008-11-02.
31. Bruce Schneier. "AES Timing Attack" (http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html). Archived (http://web.archive.org/web/20070212015727/http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html) from the original on 12 February 2007. Retrieved 2007-03-17.
32. Dag Arne Osvik; Adi Shamir; Eran Tromer (2005-11-20). "Cache Attacks and Countermeasures: the Case of AES" (http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf) (PDF). Retrieved 2008-11-02.
33. Dhiman Saha; Debdeep Mukhopadhyay; Dipanwita Roy Chowdhury. "A Diagonal Fault Attack on the Advanced Encryption Standard" (http://eprint.iacr.org/2009/581.pdf) (PDF). Archived (http://web.archive.org/web/20091222070135/http://eprint.iacr.org/2009/581.pdf) (PDF) from the original on 22 December 2009. Retrieved 2009-12-08.
34. Endre Bangerter; David Gullasch & Stephan Krenn (2010). "Cache Games - Bringing Access-Based Cache Attacks on AES to Practice" (http://eprint.iacr.org/2010/594.pdf) (PDF).
35. "Breaking AES-128 in realtime, no ciphertext required | Hacker News" (http://news.ycombinator.com/item?id=1937902). News.ycombinator.com. Retrieved 2012-12-23.
36. http://www.cnss.gov/Assets/pdf/nstissp_11_fs.pdf
37. "NIST.gov - Computer Security Division - Computer Security Resource Center" (http://csrc.nist.gov/groups/STM/cavp/index.html). Csrc.nist.gov. Retrieved 2012-12-23.
38. OpenSSL, openssl@openssl.org. "OpenSSL's Notes about FIPS certification" (http://openssl.org/docs/fips/fipsnotes.html). Openssl.org. Retrieved 2012-12-23.
39. Schneier, Bruce; Kelsey, John; Whiting, Doug; Wagner, David; Hall, Chris; Ferguson, Niels (1999-02-01). "Performance Comparisons of the AES submissions" (http://www.schneier.com/paper-aes-performance.pdf) (PDF). Retrieved 2010-12-28.
40. McWilliams, Grant (6 July 2011). "Hardware AES Showdown - VIA Padlock vs. Intel AES-NI vs. AMD Hexacore" (http://grantmcwilliams.com/tech/technology/387-hardware-aes-showdown-via-padlock-vs-intel-aes-ni-vs-amd-hexacore). Retrieved 2013-08-28.
References
Nicolas Courtois, Josef Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". pp. 267-287, ASIACRYPT 2002.
Joan Daemen, Vincent Rijmen, "The Design of Rijndael: AES - The Advanced Encryption Standard." Springer, 2002. ISBN 3-540-42580-2.
Christof Paar, Jan Pelzl, "The Advanced Encryption Standard" (http://wiki.crypto.rub.de/Buch/sample_chapters.php), Chapter 4 of "Understanding Cryptography, A Textbook for Students and Practitioners" (companion web site contains online lectures on AES), Springer, 2009.
External links
256-bit Ciphers - AES Reference implementation and derived code (http://embeddedsw.net/Cipher_Reference_Home.html)
FIPS PUB 197: the official AES standard (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF file)
AES algorithm archive information (old, unmaintained) (http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html)
Preview of ISO/IEC 18033-3 (http://webstore.iec.ch/preview/info_isoiec18033-3%7Bed2.0%7Den.pdf)
Animation of Rijndael (http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf)
AES encryption is cracked (http://www.theinquirer.net/inquirer/news/2102435/aes-encryption-cracked/)
Retrieved from "https://en.wikipedia.org/w/index.php?title=Advanced_Encryption_Standard&oldid=666183137"
Categories: Block ciphers | Advanced Encryption Standard | Broken block ciphers
This page was last modified on 9 June 2015, at 13:21. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.