chapter 3 - shodhgangashodhganga.inflibnet.ac.in/bitstream/10603/29174/12/12_chapter 3.p… ·...
TRANSCRIPT
29
Chapter 3
AES SPECIFICATIONS
This dissertation has implemented hard disk drive security using partial disk
encryption. The proposed partial disk encryption is based on Advanced Encryption
Standards(AES). This chapter discusses the specifications of Advanced Encryption
Standard, Data Encryption Standard which would be helpful to implement proposed
encryption algorithms. The chapter also implements AES(128, 192, 256) algorithm
using Java programming and compares the performance of AES for different key size.
While implementing any cryptography technique it is necessary to analyze the
mathematics related to encryption. It is discussed in section 3.1. The encryption
standard used in proposed thesis is a block cipher. The details of block cipher are
discussed in section 3.2, the detail implementation of AES is discussed in section 3.3.
3.1 Finite Field
In algebra, the field that has a finite number of elements is called finite field or Galois
field (GF). Each finite field has a prime integer which represents its characteristic. For
example, the finite field GF(p), represents a field with the range of integers {0,1, ….,
p-1}[62]
. The total number of elements in the finite field is called the finite field
order. Fields with prime integer orders have characteristic equal to their order.
Some finite fields use non prime integer orders; in this case the finite field will be
represented using the prime number ‘p’ which represents the characteristic along with
the power ‘n’. Equation (3.1) shows how to represent the finite field with order ‘k’,
using the prime number ‘p’ and the power ‘n’.
k = GF(pn)………………………..(3.1)
The finite field in equation (3.1) has a range of integers that vary between {0,1,…, k-
1}.
Finite fields are used in many cryptographic algorithms. The Advanced Encryption
Standard uses the finite field GF(28), where each data byte represents a value between
(00-FF)H.
30
Each data byte can be represented as a polynomial over the GF(28). Equation (3.2)
shows the polynomial representations in GF(28)
a(x) = b7x7+b6x
6+b5x
5+b4x
4+b3x
3+b2x
2+b1x+b0…………… (3.2)
Equation (3.2) can be also written as:
a(x) = ∑i=0 7
bi xi
……………………………………….(3.3)
Where bi ε {0,1}.
The next sub-sections has explained the arithmetic in finite fields based on the
characteristic p=2.
3.1.1 Addition in Finite Field
Arithmetic in finite field is different than normal algebra arithmetic. In finite field
with characteristic of two, an addition is obtained by applying bit-wise XOR
operation between the operands. Equation (3.5) shows the result of the finite field
addition in equation(3.4).
a3(x) = a1(x) + a2(x) = ∑i=0 7
bi xi
+ ∑i=0 7
bi xi
..........(3.4)
a3(x) = ∑i=0 7
(b1i(XOR) b2i)xi………………………….(3.5)
3.1.2 Multiplication in Finite Field
In finite field, the multiplication product of two polynomials will be modulo an
irreducible polynomial so that the final answer can be within the used finite field.
Irreducible polynomial means it cannot be factorized and expressed as a product of
two or more polynomials over the same field.
Equation (3.6) represents the multiplication operation of the polynomials a2(x) and
a1(x) using the modulus m(x).
a3(x) = (a1(x) × a2(x)) mod m(x)………………….(3.6)
31
3.2 Block Cipher
A symmetric-key block cipher is a cryptographic system whose principal aim is to
guarantee the confidentiality of data. Mao [63]
gives the following definition of a
cryptographic system.
Definition 3.2.1 (Cryptographic system). A cryptographic system consists of the
following:
- a plaintext message space P which is a set of strings over some alphabet;
- a ciphertext message space C which is set of possible ciphertext messages;
- an encryption key space K which is the set of possible encryption keys, and a
decryption key space K' which is the set of possible decryption keys;
- a key length l is maximum length of the key k;
- an efficient key generation algorithm: γ : N → K × K';
-an efficient encryption algorithm: ε : P × K → C;
- an efficient decryption algorithm: ε' : C × K' → P.
For a security parameter l, the key generation algorithm outputs a key pair (k, k') ∈ K
× K' of length l. For k ∈ K and p∈ P, we denote by
c = εk(p)……………………………………(3.7)
the encryption operation and by
p = ε'k' (c)………………………………….(3.8)
the decryption operation. It is furthermore necessary that for all m ∈ M
and all k ∈ K, there exists k'∈ K' such that
32
ε'k' (εk (p) ) = p…………………………………………………………..….(3.9)
A block cipher can be seen in a simple way as a deterministic, memoryless, invertible
function mapping an n-bit plaintext block p ∈ {0, 1}n to an n-bit ciphertext block c∈
{0, 1}n furthermore, this function is parameterised by a single l-bit secret key k ∈ {0,
1}l in other words, and using the terminology of Def. 3.2.1, ε = ε', K = K', and k = k'.
The notion of symmetry in block ciphers comes hence from the fact that the same key
is used for both encryption and decryption operations; the opposed notion is the
asymmetric or public-key cryptography [64,65]
which uses different, related keys for
both operations.
In order that a ciphertext decrypts to a unique plaintext for a given fixed key, it is
necessary that the encryption function is a bijection; this restrict the number of block
ciphers to the (2n)! permutations on n-bit values. As this value is extremely large one
for common values of n (64 or 128 bits), the size of the key further restricts the
number of reachable permutations. Usual key lengths (up to 256 bits) imply that this
number is actually very small fraction of all possible permutations. Informally, the
goal is to make it practically impossible to retrieve the plaintext from the ciphertext
without any knowledge on the secret key. The concept of block cipher is summarized
in a formal way in Def. 3.2.2, taken out of [66]
. As the block cipher is memoryless, we
will see it as a function and therefore use a different notation.
Definition 3.2.2 (Symmetric-Key Block Cipher). An n-bit symmetric key block
cipher is a function e : {0, 1}n
× {0, 1}l → {0, 1}
n such that for each key k ∈ {0, 1}
l
the encryption function e(p,k), written ek(p), is an invertible mapping from {0, 1}n
to
{0, 1}n. The inverse mapping is the decryption function, denoted dk(c), where c =
ek(p) denotes the ciphertext c resulting from the encryption of plaintext p under key k.
Note that it is possible to imagine probabilistic block ciphers which take some
randomness in addition to the key as input in order to select a mapping in a non-
deterministic way; thus, each time a plaintext block p is encrypted under the key k,
the output is a set of eligible ciphertext blocks and the function chooses one ciphertext
block c out of this set. Since the encryption function is essentially one-to-many, the
requirement for invertibility implies data expansion, which is a disadvantage of
33
randomized encryption. Furthermore, gathering “good" randomness is not a trivial
problem in the real world. However, depending on the strength of the security model
under consideration, some randomness may be required. In practice, this property is
often shifted to the use of randomized modes of operations. Virtually all block ciphers
are product ciphers, i.e. they combine at least two or more transformations in a
manner intending that the resulting cipher is more secure than the individual
components. The underlying idea is to build a complex encryption function by
combining several simple operations which offer complementary, but individually
insufficient security properties. A very important class of product ciphers is the
category of iterated blockciphers (see Figure 3.1). The key idea is to iterate the same
round function f several times on the plaintext block p.
P - Plain Test C- Cipher Text K- Key
Fig. 3.1 Diagram of an iterated Block-Cipher
More precisely, an iterated block cipher is a block cipher involving the sequential
repetition of an internal function f called a round function. Parameters include the
number of rounds r, the block bit size n and the bit size l of the input key k from
which r subkeys k(i)
(also called round keys) are derived. For invertibility purposes,
the round function f must be a bijection on the round input for each value k(i)
. The
round keys k(i)
are derived from the key k by an algorithm named key-schedule
algorithm. Iterated block ciphers have several advantages: it is possible to implement
them in an efficient way, because one can reuse the same code or circuit in each
round. Furthermore, it is easier to analyze them in a security point of view since
34
several theoretical results concerning iterated block ciphers are available. A more
“high-level" way to build a new block cipher consists in combining directly block
ciphers. The key point is that the keys used by the individual block ciphers should be
statistically independent; however, the distinction is not always clear. A cascade
cipher is usually defined as being the concatenation of s ≥ 2 block ciphers (called
stages), each with (statistically) independent keys: the plaintext is the input of the first
stage, the output of stage i is the input of stage i + 1 and the output of stage s is
defined to be the ciphertext. Multiple encryption is similar to cascade ciphers, but the
keys may be dependent and the stage block ciphers may be either a block cipher e or
its corresponding decryption function d. Most common constructions of multiple
encryption are the double encryption and triple encryption. With this discussion on
block cipher, the present research work proceeds with AES implementation.
3.3 AES Specifications
In 1998 Rijndael cipher developed by the two Belgian cryptographers, John Daemen
and Vincent Rijmen was published. This cipher was selected later on by the NIST as
the Advanced Encryption Standard to supersede the old Data Encryption Standard.
The NIST has published full details of AES under the FIPS publication 1997[67 ]
.
The AES according to [68]
has a constant block size of 128 bits (16 bytes) with 3
different key sizes of 128 bits, 192 bits and 256 bits, where 10, 12 and 14 encryption
rounds will be applied for each key size, respectively. During the encryption and
decryption processes, the 16 bytes of data will form a changeable (4*4) array called
the state array as shown in Figure 3.2. During the encryption process, the state array
consists initially of the input data, this array will keep changing until reaching the
final enciphered data. In the decryption process the state array will start by the
enciphered data and will keep changing until the original data is retrieved.
Each encryption round has 4 main steps, Shift Rows, Byte Substitution using the
Substitution Box (S-Box), Mix Columns, and Add Round Key. The decryption
process consists of the inverse steps, where each decryption round consists of: Inverse
Shift Rows, Byte Substitution using Inverse S-Box, Add Round Key and Inverse Mix
Columns.
35
Fig. 3.2 Input, State and Output Arrays
The round keys will be generated using a unit called the key expansion unit. This unit
will be generating 176, 208 or 240 bytes of round keys depending on the size of the
used key, more details about the key expansion unit will be explained later in this
chapter. Figure 3.3 Shows the AES encryption and decryption processes.
Fig. 3.3 AES Encryption and Decryption Process
36
As can be seen from Figure 3.3, the encryption and decryption processes start by
adding the round key to the data. This round key is called the initial round key and it
consists of the first 16 bytes of round keys in case of encryption and the last 16 bytes
in case of decryption. The encryption iteration starts with the Shift Rows step, then
the Bytes Substitution is applied, followed by the Mix Columns step, and finally the
Round Key is added. In the decryption iteration the Round Key is obtained before the
Inverse Mix Columns step. These iterations are repeated 9, 11 and 13 times for the
key sizes 128,192 and 256 bits, respectively. The last encryption and decryption
iterations exclude the Mix column and Inverse Mix column steps.
3.3.1 Shift Rows/ Inverse Shift Rows
In Shift Rows step the second, third and fourth row of the state array are shifted one,
two and three cyclic shifts to the left, respectively. Most references consider the shift
rows step as the first step in the encryption iteration; however it can be done after the
Byte Substitution step without affecting the algorithm. Figure 3.4 shows how the Shift
Rows step is obtained.
Fig. 3.4 Shift Rows Step
The Inverse Shift Rows step is obtained during the decryption process by shifting the
second, third and fourth rows, one, two and three cyclically shift to the right,
respectively. Figure 3.5 shows how the Inverse Shift Rows step is obtained.
37
Fig. 3.5 Inverse Shift Rows Step
3.3.2 Byte Substitution and Inverse Byte
Byte substitution and Inverse Byte Substitution are the most complex steps in the
encryption and decryption processes. In these steps each byte of the state array will be
replaced with its equivalent byte in the S-Box or the Inverse S-Box as shown in
Figure 3.6.
Fig. 3.6 Byte Substitution
As AES algorithm uses elements within the GF(28), each element in the state array
represents a byte with a value that varies between 00H-FFH. The S-Box has a fixed
size of 256 bytes represented as (16 * 16) bytes matrix. Figure 3.7 shows the AES S-
Box. In this figure the variable ‘b2’ represents the most significant nibble while the
variable ‘b1’represents the least significant nibble.
The Inverse S-Box which is used during the decryption processes will be retrieving
the original byte that was substituted using the S-Box during the encryption process.
For example from the S-Box in Figure 3.7 shows that the S-Box will substitute the
byte ‘00H’ with the byte ‘63H’. Also the byte ‘63H’ in the Inverse S-Box shown in
Figure 3.8 will be substituted by ‘00H’.
38
Fig. 3.7 AES S-Box
Fig. 3.8 AES Inverse S-Box
39
The generation of S-Box is done by two steps, first finding the multiplicative inverse
for the numbers 00H-FFH in the GF(28), then applying the affine transformation on
them. On the other hand, the generation of the Inverse S-Box starts by applying the
inverse affine transformation followed by finding the multiplicative inverse. The two
step generation of S-Box and inverse S-Box is as shown in Figure 3.9. The next sub-
sections have explained these sub-steps in more details.
Fig. 3.9 Generation of S-Box and Inverse S-Box
3.3.2.1 Multiplicative Inverse Calculation
The first step of S-Box generation is finding the multiplicative inverse for the
numbers 00H-FFH, This requires using the irreducible polynomial p(x) defined in the
equation (3.10).
p(x) = x8 + x
4 + x
3 + x + 1……………………………..(3.10)
Since AES is dealing with numbers within the GF(28), it uses the 8
th degree
irreducible polynomial shown in equation(3.10) as defined by[67]
. This polynomial is
used as a reduction polynomial by applying it as a modulus for the multiplication
result of two polynomials so that the final result can be within the finite field GF(28).
Calculating the multiplicative inverse requires using the Extended Euclidean
algorithm, which state that for every polynomial a(x) there exists two polynomials
b(x) and c(x) such that:
a(x) b(x) + p(x) c(x) = 1……………………………….(3.11)
40
And since:
(a(x) ∙ b(x)) mod p(x) = 1……………………………….(3.12)
a(x)-1
can be obtain as:
a(x)-1
= b(x) mod ( p(x))………………………………....(3.13)
3.3.2.2 Affine Transformation
The affine transformation is applied after the multiplicative inverse calculation in the
Byte Substitution step, while it is applied first in the Inverse Byte Substitution step.
The affine transformation and its inverse have two parts, the multiplication part where
a constant matrix will be multiplied with the data, then the addition part, where a
constant vector is added to multiplication result. The matrix ‘A1’ and the vector ‘C1’
are used for the affine transformation as shown in equation(3.14), while the matrix
‘A2’ and the vector ‘C2’ are using for the inverse affine transformation as shown in
equation(3.15).
..(3.14)
.(3.15)
41
3.3.3 Mix Columns / Inverse Mix Columns Steps
After performing the Byte Substitution step during the encryption process, Mix
Columns step is applied. In the decryption process the Inverse Mix Columns step is
applied after adding the Round Key. The Mix Columns step and its inverse are shown
in Figure 3.10. The Mix Columns step and its inverse are not applied in the last
encryption or decryption processes as described in [69]
. In these steps each column of
the state array will be processed using four polynomials. Each polynomial consists of
four operands representing the old state array column elements and they will be used
to obtain the new state array element.
Fig. 3.10 Mix Columns and Inverse Mix Columns Step
According to[70]
, the polynomial c(x) given in equation(3.16) is used to obtain the Mix
Column step:
c(x) = {0,3} ∙ x3 + {0,1} ∙ x
2 + {0,1} ∙ x
2 + 02…………(3.16)
To obtain the Mix Column Step, each 4 bytes state array column is represented as
polynomials over GF (28) as shown in equation(3.17). Each polynomial is multiplied
by the fix polynomial c(x) modulo the polynomial k(x) described in equation(3.18).
b(x) = S3,c∙ x3
+ S2,c ∙ x2 + S1,c ∙ x
2 + S0,c ……………(3.17)
k(x)= x4 + 1……………………………………………(3.18)
According to [71]
, multiplication between the polynomials c(x) and b(x) modulo k(x)
will result in the matrix equation(3.19).
42
………(3.19)
Matrix equation(3.15) can be written in the polynomials equation(3.20):
S0,c' = {02} ∙ S0,c + {03} ∙ S1,c + S2,c + S3,c
S1,c' = {02} ∙ S1,c + {03} ∙ S2,c + S3,c + S0,c …. (3.20)
S2,c' = {02} ∙ S2,c + {03} ∙ S3,c + S1,c + S1,c
S3,c' = {02} ∙ S3,c + {03} ∙ S0,c + S0,c + S2,c
The Inverse Mix Column step is obtained by multiplying the 4 bytes state array
column polynomial b(x) (3.10) by the Inverse Mix Columns polynomial c(x)-1
(3.21)
Modulo k(x) equation(3.18).
c(x)-1
= {0B} ∙ x3
+ {0D} ∙ x2 + {09} ∙ x
2 + 0E……….……(3.21)
The latter multiplication can be represented using the matrix in equation(3.22):
…………(3.22)
Matrix (3.18) can be written using the polynomials equation(3.23):
S0,c' = {0E} ∙ S0,c + {0B} ∙ S1,c + {0D} S2,c + {09} S3,c
S1,c' = {0E} ∙ S1,c + {0B} ∙ S2,c + {0D} S3,c +{09} S0,c .. (3.23)
S2,c' = {0E} ∙ S2,c + {0B} ∙ S3,c +{0D} S1,c + {09} S1,c
S3,c' = {0E} ∙ S3,c + {0B} ∙ S0,c + {0D}S0,c + {09} S2,c
43
3.3.4 Add Round Key Step
Add Round Key step is applied one additional time comparing to the other encryption
and decryption steps. The first Add Round Key step is as shown in Figure 3.11. The
first Add Round Key step is applied before starting the encryption and decryption
iterations, where in the encryption process the first 128 bits of the input key the whole
key in case of using key size of 128 bits are added to the original data block. This
round key is called the initial round key. For the decryption process the initial round
key is the last 128 bits of the generated keys as will be explained later.
Fig. 3.11 Add Round Key
In addition to the initial 16 bytes round keys, another 16 bytes of round keys will be
required for each encryption or decryptions iterations, this makes the total as 176
bytes, 224 bytes and 240 bytes for the key sizes 128,192 and 256 bits, respectively.
These round keys are generated using an operation called the key expansion. In the
key expansion all the round keys will be generated from the original input key. The
next sub-section explains the round keys generation using the key expansion
operation.
3.3.4.1 Key Expansion
The key expansion term is used to describe the operation of generating all Round
Keys from the original input key. The initial round key will be the original key in case
of encryption and the last group of the generated key expansion keys in case of
decryption –the first and last 16 bytes in case of key sizes of 192 and 256 bits. As
mentioned previously this initial round key will be added to the input initially before
starting the encryption or decryption iterations. Using the 128 bits key size, 10 groups
of round keys will be generated with 16 bytes size for each [68].
44
The first four bytes column in each group will be generated as follows:
1) Taking the S-Box equivalent to the last column of the previous group (one previous
column).
2) Perform one cyclic permutation “rotate elements [R0r R1r R2r R3r] to [R1r R2r R3r
R0r].
3) Add the round constant.
4) Add the result to the first column of the previous group (four previous columns).
The remaining second, third and fourth column of each group will be created by
adding the direct previous column with the equivalent column in the previous group
(four previous columns). This will create a total of 176 bytes of round keys.
In the 192 bits key size, each group consists of six columns. The first column will be
created in the same way as in the case of 128 bits key size. The remaining second to
sixth column of each group will be also created by adding the direct previous column
with the equivalent column in the previous group (six previous columns). In the 192
bits key size, 192 bytes of round keys will be generated in addition to the original 24
bytes key. The round keys will be retaken as groups of four columns each and are
applied 13 times during the encryption and decryption processes.
Finally, for the 256 key sizes, each group will consist of 8 columns; the first column
in the group will be created exactly the same way as in the 128 and 192 key sizes. The
fourth column of each group will be created by applying the byte substitution to the
third column values and then adding it to the equivalent column in the previous group
(eight previous columns). The remaining columns are created also by adding the
direct previous column with the equivalent column of the previous group. In the 256
bits key size, 208 bytes of generated round keys in addition to the original 32 bytes
key are applied 15 times as groups of 16 bytes in the encryption and decryption
processes. The Key expansion process is as shown in Figure 3.12.
45
Fig. 3.12 Key Expansion
The round constant matrix “known as RCON” is a constant matrix used during the
key expansion process. Each row of the round constant matrix will be added to the
first row of each group during the key generation as explained previously. The first
column of this matrix is generated according to equation(3.24) while the second, third
and fourth row are zeros. The standard AES reduction polynomial will be used to
keep the elements in the GF(28).
RC[0] = x0 = 1
RC[1] = x …….. …... …….. .. …. (3.24)
RC[j] = x ∙ RC[j-1] = xj , j > 1
3.4 Data Encryption Standard(DES)
The DES[72]
algorithm was designed to encrypt blocks of data containing 64-bits
under control of 56-bit key. DES is considered as the successor of the Lucifer cipher,
which was developed by Horst Feistel and his colleagues at IBM in 1970s. DES
consist of 16 iterations of round a function, which is named as F-function, and an
initial permutation (IP) and a final permutation(FP). The sketch of the DES
encryption is given in Figure 3.13, where K1, K
2, ….., K
16 are subkeys. Note that the
subkeys are derived from the 56-bit secret key by the key scheduling algorithm.
46
Fig. 3.13 The Feistel structure of DES
The F-function of DES is illustrated in Figure 3.14. In each round, the block is
divided into 32-bit halves: the left half L and the right half R. The F-function accepts
R and subkey Ki as its inputs, uses expansion E to expand R from 32-bits to 48 bits,
and XORs the result with 48-bit Ki. The result of the XOR operation is substituted by
employing eight S-Boxes. Each S-Box accepts 6-bit input and generates a 4-bit
output. The Permutation P is used to permute the 32-bit result of the S-Box operation.
The output of the F-function, denoted by F(R, Ki), is XORed with the left half L, and
then the left and right halves are interchanged. The complete specification of the DES
cipher can be found in[73]
.
47
Fig. 3.14 DES F- Function
3.5 AES Implementation
The detailed implementation of standard AES algorithm[67]
is discussed in section
3.3. Here the pseudo code and flowchart for implementation are given for AES(128,
192, 256)encryption. The encryption algorithm takes a plaintext and a key as input
and outputs a ciphertext. The plaintexts represented as a byte matrix with 4 rows and
4 columns. The intermediate cipher result is called state. After an initial round key
addition, the state is transformed by implementing a round function 10, 12 or 14 times
for 128-bit, 192-bit or 256-bit keys, respectively [74]
. Each round function, except the
final round, contains four transformations which are SubBytes (SB), ShiftRows (SR),
MixColumns (MC) and AddRoundKey(AK). The final round is slightly different
from Nr – 1 round as it does not include the MixColumns operation. The details
process is as per section 3.3[67]
. The operation routine is illustrated below in
Procedure 3.1:
48
Procedure 3.1 [74]
Cipher (byte in[4 * Nb], byte out[4 * Nb], word w[Nb * (Nr + 1])
1. byte s[4, Nb]
2. s = in
3: AddRound(s, w[0, Nb-1])
4. For round = 1 to Nr -1 do
5.SubBttes(s).
6. ShiftRows(s)
7. MixColumns(s)
8. Add Round Key(s, w[round * Nb, (round + 1) * Nb – 1])
9. end for
10. SubBytes(s)
11. ShiftRows(s)
12. AddRundKey(s, w[Nr * Nb, (Nr + 1) * (Nb – 1])
13 out = s
The flow chart of AES encryption algorithm is as shown in Figure 3.15[74]
.
Fig. 3.15 AES Implementation: Encryption Flow chart
49
3.5.1 Decryption
For decryption, the decryption cipher takes a ciphertext and a key as two input
parameters and outputs the corresponding plaintext. The four transformations:
SubBytes, ShiftRows, MixColumns and AddRoundKey, can be inverted in reverse
order to provide the decryption of the cipher. The decryption algorithm is expressed in
pseudo code in Procedure3.2 [47].
The decryption process is shown in Figure 3.16[74].
The inverse operation is performed on SubBytes, ShiftRows, and MixColumns. The
inverse operation of AddRoundKey is itself.
Procedure 3.2 [74] InvCipher (byte in[4 * Nb], byte out[4 * Nb], word w[Nb *(Nr + 1])
1. byte s[4, Nb]
2. s = in
3. AddRound(s, w[Nr * Nb, Nr + 1 * Nb-1])
4. InvShiftRows(s)
5. InvSubBttes(s).
6. For round = Nr -1 to 1 do
7. InvShiftRows(s)
8. InvSubBttes(s).
9. Add Round Key(s, w [round * Nb, (round + 1) * Nb – 1])
10. InvMixColumns(s)
11. end for
12. AddRundKey(s, w [Nr * Nb, (Nr + 1) * (Nb – 1])
13 out = s
The flow chart of AES decryption algorithm is as shown in Figure 3.16[74]
.
50
Fig. 3.16 AES Implementation: Decryption Flow chart
3.5.2 Key Schedule
The AES cipher is specified as a number of repetitions of transformation rounds that
convert the input plaintext into the final output of ciphertext. The numbers of cycles
of repetition are as follows:
10 cycles of repetition for 128 bit keys.
12 cycles of repetition for 192 bit keys.
14 cycles of repetition for 256 bit keys.
Each round consists of several processing steps, including one that depends on the
encryption key. A set of reverse rounds are applied to transform ciphertext back into
the original plaintext using the same encryption key [68].
51
The AES uses the key schedule to expand the cipher key into the round keys. The
total number of words in the round keys generated by the key schedule is equal to Nb
* (Nr +1) since the algorithm requires a block of Nb words for the initial key addition,
and each of the Nr rounds need Nb words of key data.
The round keys are represented as a linear array of four byte words, denoted by W[i],
with i in the range 0 ≤ i < Nb(Nr + 1). Therefore, the rounds key contains 44, 52 and
60 words for AES-128, AES-192 and AES-256 respectively. The pseudo code for the
key schedule of AES algorithm is shown in Procedure3.3 [74].
The RotWord(RW) function takes a four-byte as input, and applies a cyclic
permutation to the input. Figure 3.17 [68]
illustrates the RotWord operation.
SubWord(SW) is a transformation that takes an input, and uses the SubBytes
operation described in section 2, to substitute each byte of the input. The SubWord
operation is depicted in Figure 3.18 Rcon[i] is a word array that contains the round
constants. The constants are values given by[xi-1
, 00, 00, 00] with xi-1
being powers of
x(x is denoted as {02}) in the field GF(28). Note that i begin with 1, not 0.
Procedure 3.3 [74]
KeyExpansion byte in[4 * Nk], word w[Nb * (Nr + 1], Nk)
1. word temp
2. i = 0
3. while (i < Nk) do
4. W[i] = word(key[4 * i], key[4 * i + 1], key[4 * i + 2], key[4 * i + 3])
5. i = i +1
6. end while
7. i = Nk
8. while(i < Nb * (Nr + 1)) do
9. temp = SubWord (RotWord(temp) xor Rcon[i/Nk]
10. else if ( Nk > 6 and I mod NK = 4) then
11. temp = SubWord(RotWord(temp) xor Rcon[i/Nk]
12. else if ( Nk > 6 and I mod Nk = 4) then
13 temp = SubWord(temp)
52
14. end if
15. W[i] = W[i – Nk] xor temp
16. i = i + 1
17. end while
Fig. 3.17 RotWord Transformation
Fig. 3.18 The SubWord Operation
It is demonstrated in Procedure 3.3[67]
that the cipher key is copied to the first Nk
words of array W. The calculation of every following word W[i], is carried out by
XORing the previous word W[i-1], with the word Nk positions earlier, W[i-Nk]. For
words in positions that are multiple of Nk, the key schedule first applies the word
RotWord and SubWord transformation to W[i-1], and then XORs the resulting W[i-1]
with W[i – Nk] and the a round constant, Rcon[i] .
3.5.2.1 The AES-128 Key Schedule
Let K be a 128-bit secret key, and it is denoted by four words: K = (K0, K1, K2, K3),
where Ki is a 4-byte word. The expanded round keys are contained in a 4-byte word
array W[i], 0 ≤ i ≤ 43[68, 48]
. In the key schedule of AES-128, W[i] is defined by
following method:
Ki, 0 ≤ i ≤4;
53
W[i] = { W[i - 4] ⊕ W[i – 1], 4 ≤ i ≤43 and i mod 4 ≠ 0;…………(3.25)
W[i - 4] ⊕ f(W[i – 1]), 4 ≤ i ≤43 and i mod 4 ≠ 0;
where f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/4]. Figure 3.19 gives a
diagrammatic representation of the AES-128 key schedule.
Fig. 3.19 AES 128-bit Key Schedule
3.5.2.2 The AES-192 Key Schedule
This work represents a 192-bit cipher key as 6 four-byte words: K = (K0, K1, K2, K3,
K4, K5), where Ki is a four-byte word. A four-bytes word array W[i], 0 ≤ i ≤ 51, is
54
used to store the expanded round keys . The key schedule of AES-192 employs the
following formula to calculate W[i] :
the key schedule of AES-128, W[i] is defined by following method :
Ki, 0 ≤ i ≤6;
W[i] = { W[i - 6] ⊕W[i – 1], 6 ≤ i ≤51 and i mod 6 ≠ 0;
W[i - 6] ⊕ f(W[i – 1]), 6 ≤ i ≤51 and i mod 6 ≠ 0;…………(3.26)
where f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/6]. Figure 3.20 gives a
diagrammatic representation of the AES-192 key schedule.
Fig. 3.20 The AES-192 Key Schedule
55
3.5.2.3 AES-256 bit Key Schedule
Fig. 3.21 AES-256 bit Key Schedule
Assume that the K is a 256-bit secret key, and it is expressed as 8 four-byte words: K
= (K0, K1, K2……., K7) where Ki is a four-byte word. The resultant round key are
contained in four-byte word array W[i], 0 ≤ i ≤ 59. In the following key schedule of
AES-256, the calculation of W[i] is determined by following routine:
Ki, 0 ≤ i ≤8;
W[i] = { W[i - 8] ⊕ W[i – 1], 8 ≤ i ≤59 and i mod 8 e {0, 4};
W[i - 8] ⊕ f(W[i – 1]), 8≤ i ≤59 and i mod 8 = 0;
W[i - 8] ⊕ g(W[i – 1]), 8≤ i ≤59 and i mod 8 = 4;…………(3.27)
where f(W[i – 1]) and g(W[i – 1]) are defined as fillows:
f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/8].
g(W[i – 1]) = SubWord(W[i - 1])
56
Figure 3.21 gives a diagrammatic representation of the AES-256 key schedule. The
AES-256 key schedule (Nk = 8) is slightly different from the AES-128, AES-192 key
schedules. If Nk = 8 and i – 4 is a multiple of Nk, an extra SubWord operation is
applied to W[i–1] prior to XOR operation. For instance, if i=12, the AES-256 key
schedule carries out an extra SubWord operation on W[11] before XOring it with
W[4] (shown in Figure 3.19)
3.6 Results
The AES algorithm with different key size is implemented in Java. For the
experiment, the current work used a laptop PentiumV 2.4 GHz CPU, in which
performance data is collected. The encryption/decryption time required for specific
amount of data is observed. The encryption/decryption time is used to calculate the
throughput of an encryption scheme. It indicates the speed of encryption. The
throughput of the encryption scheme is calculated as the total plaintext in bytes
encrypted by the encryption time. The increase in key size increases the
encryption/decryption time. It also increases the complexity of algorithm so that it
would be almost impossible to break the algorithm. The performance of AES
algorithm for different key size on different size data files is observed. The simulation
results with different key sizes are as shown in Table 3.1
Table 3.1 AES Performance with Different Key Size
Input Size
(KB)
Time (Millisecond)
AES(128) AES(192) AES(256)
45 38 56 67 76 86 94 102
102 93 105 121
500 130 167 178
900 206 267 290
1025 300 301 320
Avg. Time 142.1 165 179.6
Throughput 18.62 16.04 14.73
57
The observed values are graphically plotted as shown in Figure 3.22. The x-axis
shows the file size and the y-axis represents time in milliseconds. The calculated
throughput and average from the observed values are graphically plotted,
Fig. 3.22 AES Performance with different key size
The observations are
1. In case of AES it can be seen that higher key size leads to clear change in the
battery and time consumption.
2. It can be seen that going from 128 bits key to 192 bits causes increase in
power and time consumption about 8% and to 256 bit key causes an increase
of 16%.
0
50
100
150
200
250
300
350
Time ms
Input Data KB
AES(128,192,256) Performance
Time (Millisecond) AES(128)
Time (Millisecond) AES(192)
Time (Millisecond) AES(256)
58
3. Hence user can select higher key size algorithm when higher security is
desired and lower key size for higher performance in terms of resources.
3.7 Summary
The chapter studied AES and DES specifications. The chapter also conations
implementation of AES(128, 192, 256) algorithm using Java programming and
compared the performance of AES for different key size.