DTTF/NB479: Dszquphsbqiz, Day 17

Upload: kaiser

Post on 06-Feb-2016


Page 1: DTTF/NB479: Dszquphsbqiz, Day 17

Announcements: DES due Thursday. Careful with putting it off since Ch 3 test Friday too.

Today: Finish GF(2^8), Rijndael

Questions?

Page 2: AES (Rijndael)

The S-boxes, round keys, and MixColumn functions require the use of GF(2^8), so

Page 3: Fields (T&W, 3.11)

A field is a set of numbers with the following properties:

• Addition, with identity: a + 0 = a and inverse a + (-a) = 0
• Multiplication with identity: a * 1 = a, and inverse (a * a^{-1} = 1 for all a != 0)
• Subtraction and division (using inverses)
• Commutative, associative, and distributive properties
• Closure over all four operations

Examples:

• Real numbers
• GF(4) = {0, 1, ω, ω²} with these additional laws: x + x = 0 for all x, and ω + 1 = ω².

GF(p^n) for prime p is called a Galois Field.

Page 4: Galois fields

A Galois field is a finite field with p^n elements for a prime p.

• There is only one finite field with p^n elements for every power n and prime p.
• GF(p^n) = Z_p[X] (mod P(X)) is a field with p^n elements (P(X) must be irreducible of degree n; a reducible P(X) leaves elements with no inverse).
• Wasn't Z_2[X] (mod X^2 + X + 1) = GF(4)?
• Consider GF(2^n) with P(X) = X^8 + X^4 + X^3 + X + 1 (so n = 8). Rijndael uses this!

Finish quiz.
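Added example (not from the slides): arithmetic in Z_2[X] mod P(X), used to check the field properties from the previous two slides by brute force. Elements are integers whose bits are polynomial coefficients (bit k is the coefficient of X^k), so addition is XOR; the same routine serves GF(4) = Z_2[X] mod X^2 + X + 1 and the Rijndael field GF(2^8), and `is_field` shows what goes wrong when P(X) is reducible. The function names `gf2n_mul`, `gf2n_inv`, `is_field` and `gf4_mul_table` are my own.

```python
# Added example: Z_2[X] mod P(X) arithmetic for GF(4) and GF(2^8).
# poly is written with its leading X^n term included, e.g. 0b111 for
# X^2 + X + 1 and 0x11B for X^8 + X^4 + X^3 + X + 1 (Rijndael's P(X)).

def gf2n_mul(a, b, poly, n):
    """Multiply a and b in Z_2[X] mod poly, where poly has degree n."""
    result = 0
    for _ in range(n):          # b has at most n bits
        if b & 1:
            result ^= a         # add (XOR) the current multiple of a
        b >>= 1
        a <<= 1                 # multiply a by X
        if a & (1 << n):        # degree reached n: reduce by subtracting poly
            a ^= poly
    return result

def gf2n_inv(a, poly, n):
    """Multiplicative inverse by exhaustive search; 0 has none."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    for x in range(1, 1 << n):
        if gf2n_mul(a, x, poly, n) == 1:
            return x
    # Only happens when poly is reducible, i.e. Z_2[X] mod poly is not a field
    raise ValueError("no inverse for %d: P(X) is reducible" % a)

def is_field(poly, n):
    """Every nonzero element must have an inverse. Closure, identities and the
    commutative/associative/distributive laws are inherited from Z_2[X]."""
    try:
        return all(gf2n_inv(a, poly, n) for a in range(1, 1 << n))
    except ValueError:
        return False

# GF(4): w = X (0b10), w^2 = X*X = X + 1 (0b11) once reduced mod X^2 + X + 1,
# which is the slide's law w + 1 = w^2 (addition is XOR: 0b10 ^ 0b01 == 0b11).
GF4_NAMES = {0: "0", 1: "1", 2: "w", 3: "w^2"}

def gf4_mul_table():
    """Cayley table of GF(4) multiplication keyed by element names."""
    return {(GF4_NAMES[a], GF4_NAMES[b]): GF4_NAMES[gf2n_mul(a, b, 0b111, 2)]
            for a in range(4) for b in range(4)}

if __name__ == "__main__":
    for (x, y), z in sorted(gf4_mul_table().items()):
        print("%-3s * %-3s = %s" % (x, y, z))
    print("X^2 + X + 1 gives a field:", is_field(0b111, 2))
    print("X^2 + 1 gives a field:", is_field(0b101, 2))          # (X+1)^2: reducible
    print("Rijndael P(X) gives a field:", is_field(0x11B, 8))
    print("X^8 + 1 gives a field:", is_field(0x101, 8))          # (X+1)^8: reducible
    print("inverse of 0x53 in GF(2^8): 0x%02x" % gf2n_inv(0x53, 0x11B, 8))
```

The last line reproduces a FIPS-197 example (the inverse of 0x53 is 0xCA), and 0x57 * 0x83 = 0xC1 from the same document is a handy check of `gf2n_mul`.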

Page 5: Back to Rijndael/AES

Parallels with DES?

• Multiple rounds (7 is enough to require brute force)
• Diffusion
• XOR with round keys
• No MixColumn in last round

Major differences:

• Not a Feistel system
• Much quicker diffusion of bits (2 rounds)
• Much stronger against linear, differential, and interpolation attacks

Page 6: ByteSub (BS)

1. Write 128-bit input a as a matrix with 16 byte entries (column major ordering; subscripts are column, row):

$$a = \begin{pmatrix} a_{0,0} & a_{1,0} & a_{2,0} & a_{3,0} \\ a_{0,1} & a_{1,1} & a_{2,1} & a_{3,1} \\ a_{0,2} & a_{1,2} & a_{2,2} & a_{3,2} \\ a_{0,3} & a_{1,3} & a_{2,3} & a_{3,3} \end{pmatrix}$$

2. For each byte, abcdefgh, replace with the byte in location (abcd, efgh) of the S-box table.

Example: 00011111 → ___. Example: 11001011 → ___.

3. Output is a matrix called b.

Why were these numbers chosen?

Page 7: S-box Derivation

The S-box maps byte x to byte z via the function $z = A x^{-1} + b$:

• Input byte x: $x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0$
• Compute the inverse in GF(2^8): $y = x^{-1} = y_7 y_6 y_5 y_4 y_3 y_2 y_1 y_0$ (non-linear, vs. attacks) (use 0 as inverse of 0)
• Compute this linear function z in GF(2^8): $z = A y + b$ (to complicate attacks) (A is simple to implement)
• b chosen so that $z \neq x$ and $z \neq \bar{x}$, i.e. the S-box has no fixed points and no complemented fixed points

Page 8: ShiftRow (SR)

Shifts the entries of each row by increasing offset (row r moves left by r positions):

$$c = \begin{pmatrix} b_{0,0} & b_{1,0} & b_{2,0} & b_{3,0} \\ b_{1,1} & b_{2,1} & b_{3,1} & b_{0,1} \\ b_{2,2} & b_{3,2} & b_{0,2} & b_{1,2} \\ b_{3,3} & b_{0,3} & b_{1,3} & b_{2,3} \end{pmatrix}$$

Gives resistance to newer attacks (truncated differentials, Square attack).

Page 9: MixColumn (MC)

Multiply, via GF(2^8), with the fixed matrix shown:

$$d = \begin{pmatrix} 00000010 & 00000011 & 00000001 & 00000001 \\ 00000001 & 00000010 & 00000011 & 00000001 \\ 00000001 & 00000001 & 00000010 & 00000011 \\ 00000011 & 00000001 & 00000001 & 00000010 \end{pmatrix} \begin{pmatrix} c_{0,0} & c_{1,0} & c_{2,0} & c_{3,0} \\ c_{0,1} & c_{1,1} & c_{2,1} & c_{3,1} \\ c_{0,2} & c_{1,2} & c_{2,2} & c_{3,2} \\ c_{0,3} & c_{1,3} & c_{2,3} & c_{3,3} \end{pmatrix}$$

Speed? 64 multiplications, each involving at most 2 shifts + XORs.

Gives quick diffusion of bits.

Page 10: AddRoundKey (ARK)

XOR the round key with matrix d: $e = d \oplus k_i$.

Key schedule on next slide.

Page 11: Key Schedule

Write original key as a 4x4 matrix with 4 columns: W(0), W(1), W(2), W(3). Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3)):

$$K_0 = (W(0), W(1), W(2), W(3)),\quad K_1 = (W(4), \dots, W(7)),\quad \dots,\quad K_{10} = (W(40), \dots, W(43))$$

Other columns defined recursively:

$$W(i) = \begin{cases} W(i-4) \oplus T(W(i-1)) & \text{if } 4 \mid i \\ W(i-4) \oplus W(i-1) & \text{otherwise} \end{cases}$$

where T is "shift and S-box": for $W(i-1) = (a, b, c, d)$, shift to $(b, c, d, a)$ and apply the S-box to each byte to get $(e, f, g, h)$; with $r(i) = (00000010)^{(i-4)/4}$ in GF(2^8),

$$T(W(i-1)) = (e \oplus r(i),\ f,\ g,\ h)$$

Highly non-linear. Resists attacks at finding the whole key when part is known.

192-, 256-bit versions similar.

Page 12: Decryption

E(k) is: (ARK_0, BS, SR, MC, ARK_1, …, BS, SR, MC, ARK_9, BS, SR, ARK_10)

Each function is invertible: ARK; IBS; ISR; IMC

So D(k) is: ARK_10, ISR, IBS, ARK_9, IMC, ISR, IBS, …, ARK_1, IMC, ISR, IBS, ARK_0

Half-round structure: Write E(k) = ARK, (BS, SR), (MC, ARK), …, (BS, SR), (MC, ARK), (BS, SR), ARK (note that the last MC wouldn't fit).

D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), …, (ARK, IMC), (ISR, IBS), ARK

Can write: D(k) = ARK, (IBS, ISR), (IMC, IARK), …, (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK
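Added example (my own code, not the slides' or any AES library's) that assembles AES-128 from the pieces on pages 6 through 12: the S-box derived as $z = A x^{-1} + b$ rather than copied from a table, ShiftRow, MixColumn as GF(2^8) multiplication by the fixed matrix, AddRoundKey, the W(i) key schedule, and decryption as the reversed sequence of inverses. The state is a list of 16 bytes in column-major order, so the slide's $a_{c,r}$ (column c, row r) sits at index 4c + r. The function names are my own; the constants (P(X), the affine constant 0x63, the MixColumn rows) are the published AES parameters, and the sample key and plaintext at the bottom are the FIPS-197 Appendix C.1 test vector, not data from the slides.

```python
# Added example: AES-128 from the slide's building blocks (not the course's code).
POLY = 0x11B                      # X^8 + X^4 + X^3 + X + 1, leading term included

def gf_mul(a, b):
    """Multiply in GF(2^8): shift-and-XOR, reducing by P(X) whenever bit 8 appears."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return p

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) (255 nonzero elements); yields 0 for 0, as the slide requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(y):
    """Linear part of the S-box: z_i = y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + b_i
    over GF(2), indices mod 8, with b = 01100011 (0x63)."""
    z = 0
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8)) ^ (0x63 >> i))
        z |= (bit & 1) << i
    return z

SBOX = [affine(gf_inv(x)) for x in range(256)]      # z = A x^-1 + b for every byte
INV_SBOX = [SBOX.index(v) for v in range(256)]

def byte_sub(s, box=SBOX):
    return [box[v] for v in s]

def shift_row(s, sign=1):
    """Row r rotated left by r positions (sign=-1 rotates right, i.e. the inverse)."""
    return [s[4 * ((c + sign * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(s, row0=(2, 3, 1, 1)):
    """Multiply each column by the circulant matrix whose first row is row0
    (02 03 01 01 on the slide); the inverse matrix has first row (14, 11, 13, 9)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(row0[(k - r) % 4], col[k])
            out.append(v)
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def key_schedule(key):
    """W(0..43): W(i) = W(i-4) xor T(W(i-1)) when 4 | i, else W(i-4) xor W(i-1)."""
    W = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    r = 1                                    # r(i) = (00000010)^((i-4)/4) in GF(2^8)
    for i in range(4, 44):
        a, b, c, d = W[i - 1]
        prev = [a, b, c, d]
        if i % 4 == 0:                       # T: shift to (b,c,d,a), S-box each, add r(i) to e
            prev = [SBOX[b] ^ r, SBOX[c], SBOX[d], SBOX[a]]
            r = gf_mul(r, 2)
        W.append([W[i - 4][k] ^ prev[k] for k in range(4)])
    return W

def round_key(W, i):
    """Key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3))."""
    return [byte for w in W[4 * i:4 * i + 4] for byte in w]

def encrypt_block(pt, key):
    """E(k) = ARK_0, (BS, SR, MC, ARK_i) for i = 1..9, then BS, SR, ARK_10 (no MC in last round)."""
    W = key_schedule(key)
    s = add_round_key(list(pt), round_key(W, 0))
    for i in range(1, 10):
        s = add_round_key(mix_column(shift_row(byte_sub(s))), round_key(W, i))
    return add_round_key(shift_row(byte_sub(s)), round_key(W, 10))

def decrypt_block(ct, key):
    """D(k) = ARK_10, ISR, IBS, (ARK_i, IMC, ISR, IBS) for i = 9..1, ARK_0."""
    W = key_schedule(key)
    s = byte_sub(shift_row(add_round_key(list(ct), round_key(W, 10)), -1), INV_SBOX)
    for i in range(9, 0, -1):
        s = mix_column(add_round_key(s, round_key(W, i)), (14, 11, 13, 9))
        s = byte_sub(shift_row(s, -1), INV_SBOX)
    return add_round_key(s, round_key(W, 0))

if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = bytes(encrypt_block(pt, key))
    print(ct.hex())                                          # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(bytes(decrypt_block(ct, key)).hex() == pt.hex())   # True
```

The derived table reproduces the published S-box (for instance S(00) = 63 and S(53) = ED) and satisfies the "b chosen so" condition from page 7, which can be checked by confirming that no byte maps to itself or to its complement. The slide's final rewrite of D(k) with IARK rests on IMC being linear over XOR: IMC(s ⊕ k) = IMC(s) ⊕ IMC(k), so ARK_i followed by IMC equals IMC followed by XOR with IMC(k_i).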

Page 13: Wrap-up

Wikipedia's entry has some nice visuals, but this site has even nicer animations*.

* Thanks to Adam Shiemke, 2009 for the link.