Cryptography Lecture 17: Advanced Encryption Standard (AES) – Piotr Faliszewski
TRANSCRIPT
![Page 1: Cryptography Lecture 17: Advanced Encryption Standard (AES) Piotr Faliszewski](https://reader036.vdocuments.site/reader036/viewer/2022082816/56649f555503460f94c79676/html5/thumbnails/1.jpg)
Cryptography
Lecture 17: Advanced Encryption Standard (AES)
Piotr Faliszewski
Advanced Encryption Standard
Need for a new cipher: DES is no longer sufficient ... even with DESX and TripleDES.
NIST's call for algorithms in 1997; the finalists: MARS, RC6, Rijndael, Serpent, Twofish.
Requirements for the new cipher:
- keys: 128, 192, 256 bits
- block: 128 bits
- easily implemented on 8-bit CPUs, 32-bit CPUs, ...
AES
Winner: Rijndael
Pronunciation: anything different from "region deal"
The algorithm:
- not a Feistel system
- works in rounds, like DES
- firm mathematical grounds (GF(2^8) + algebra)
Modes of operation (as for any block cipher):
- ECB – electronic codebook (equal plaintext blocks give equal ciphertext blocks, so it leaks structure)
- CBC – cipher block chaining
- CFB – cipher feedback
- OFB – output feedback
- CTR – counter
Note: decryption is slower than encryption in a straightforward implementation, because the inverse MixColumn layer multiplies by larger constants than the forward one; table-driven and hardware implementations remove most of the difference.
Rijndael – AES
Keys: 128 bit (our focus), 192 bit, 256 bit
Algorithm outline (128-bit key):
- ARK
- 9 rounds: BS, SR, MC, ARK
- 1 round: BS, SR, ARK
A round has 4 layers:
- BS – ByteSub transformation
- SR – ShiftRow transformation
- MC – MixColumn transformation
- ARK – AddRoundKey
Key schedule: derives the round keys used by ARK from the key
Rijndael – AES
- ByteSub transform: nonlinear; anti differential and linear cryptanalysis; a big substitution
- ShiftRow transform: mixing step; diffusion of bits over different rounds
- MixColumn transform: similar purpose as ShiftRow; moves bits around
- AddRoundKey: the round key is XORed with the result of the previous layer
The Layers: Encoding Data
Input: 128 bits of data = 16 bytes, 8 bits each, arranged into a 4x4 matrix. The bytes fill the matrix column by column, in the order a00, a10, a20, a30, a01, ..., a33:
a00, a01, a02, a03
a10, a11, a12, a13
a20, a21, a22, a23
a30, a31, a32, a33
Interpretation: bytes are elements of GF(2^8); a byte is a polynomial of degree < 8 over GF(2), with arithmetic modulo
P(X) = X^8 + X^4 + X^3 + X + 1
The Layers: ByteSub
ByteSub transform: each byte is substituted depending on its value, using a 16 x 16 S-box.
Indexing the S-box: byte = abcdefgh; abcd selects the row, efgh selects the column.
The S-box is invertible.
Data: input 4x4 matrix, output 4x4 matrix.
Note: the transformation depends only on the value of each byte, not on its position.
AES S-Box
Rows are indexed by the high nibble of the input byte, columns by the low nibble; e.g. S(53) = ed (row 50, column 3).

|    | 0  | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | a  | b  | c  | d  | e  | f  |
|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|
| 00 | 63 | 7c | 77 | 7b | f2 | 6b | 6f | c5 | 30 | 01 | 67 | 2b | fe | d7 | ab | 76 |
| 10 | ca | 82 | c9 | 7d | fa | 59 | 47 | f0 | ad | d4 | a2 | af | 9c | a4 | 72 | c0 |
| 20 | b7 | fd | 93 | 26 | 36 | 3f | f7 | cc | 34 | a5 | e5 | f1 | 71 | d8 | 31 | 15 |
| 30 | 04 | c7 | 23 | c3 | 18 | 96 | 05 | 9a | 07 | 12 | 80 | e2 | eb | 27 | b2 | 75 |
| 40 | 09 | 83 | 2c | 1a | 1b | 6e | 5a | a0 | 52 | 3b | d6 | b3 | 29 | e3 | 2f | 84 |
| 50 | 53 | d1 | 00 | ed | 20 | fc | b1 | 5b | 6a | cb | be | 39 | 4a | 4c | 58 | cf |
| 60 | d0 | ef | aa | fb | 43 | 4d | 33 | 85 | 45 | f9 | 02 | 7f | 50 | 3c | 9f | a8 |
| 70 | 51 | a3 | 40 | 8f | 92 | 9d | 38 | f5 | bc | b6 | da | 21 | 10 | ff | f3 | d2 |
| 80 | cd | 0c | 13 | ec | 5f | 97 | 44 | 17 | c4 | a7 | 7e | 3d | 64 | 5d | 19 | 73 |
| 90 | 60 | 81 | 4f | dc | 22 | 2a | 90 | 88 | 46 | ee | b8 | 14 | de | 5e | 0b | db |
| a0 | e0 | 32 | 3a | 0a | 49 | 06 | 24 | 5c | c2 | d3 | ac | 62 | 91 | 95 | e4 | 79 |
| b0 | e7 | c8 | 37 | 6d | 8d | d5 | 4e | a9 | 6c | 56 | f4 | ea | 65 | 7a | ae | 08 |
| c0 | ba | 78 | 25 | 2e | 1c | a6 | b4 | c6 | e8 | dd | 74 | 1f | 4b | bd | 8b | 8a |
| d0 | 70 | 3e | b5 | 66 | 48 | 03 | f6 | 0e | 61 | 35 | 57 | b9 | 86 | c1 | 1d | 9e |
| e0 | e1 | f8 | 98 | 11 | 69 | d9 | 8e | 94 | 9b | 1e | 87 | e9 | ce | 55 | 28 | df |
| f0 | 8c | a1 | 89 | 0d | bf | e6 | 42 | 68 | 41 | 99 | 2d | 0f | b0 | 54 | bb | 16 |
The Layers: ByteSub
S-boxes: mysterious in DES, very clear in AES! The S-box is the result of a simple mathematical operation.
Motivation: the inverse in GF(2^8) is highly nonlinear; the matrix multiplication and the added vector are there to obfuscate, i.e. to hide the simple algebraic structure of the inverse.
Operation of the S-box on input x:
Step 1: y = x^{-1}, the inverse in GF(2^8) (0 has no inverse and is mapped to 0 by convention).
Step 2: an affine map over GF(2), with y = (y0, ..., y7) and z = (z0, ..., z7) written bit 0 first (bit 0 is the least significant bit of the byte):

$$
\begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

All additions are mod 2 (XOR). The constant vector is the byte 01100011 = 63, which is why S(00) = 63, the top-left entry of the table.
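The recipe above can be checked directly against the table. The following Python is an added example, not code from the lecture: it builds the S-box from the two steps (inverse in GF(2^8), then the affine map with the matrix and vector shown) and compares rows with the printed table. The only assumptions beyond the slides are the bit-ordering convention (bit 0 is the least significant bit, as in FIPS-197) and the 0 → 0 convention for the inverse.

```python
# Added example (not from the lecture): derive the AES S-box from the slide's
# recipe, y = x^-1 in GF(2^8) followed by the affine map z = M*y + c over
# GF(2), and check the result against the printed 16x16 table.

MODULUS = 0x11B          # P(X) = X^8 + X^4 + X^3 + X + 1 as a bit pattern


def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo P(X)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return p


def gf_inv(x):
    """Step 1 of the S-box: x^-1 = x^254 (the nonzero elements form a group
    of order 255). 0 has no inverse and is mapped to 0 by convention."""
    if x == 0:
        return 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r


# Rows of the slide's matrix M, one string per output bit z0..z7; character j
# of a row is the coefficient of y_j. Bit 0 is the least significant bit.
M = ("10001111", "11000111", "11100011", "11110001",
     "11111000", "01111100", "00111110", "00011111")
C = 0x63                 # the slide's vector (1,1,0,0,0,1,1,0), bit 0 first


def affine(y):
    """Step 2 of the S-box: z = M*y + c with all arithmetic mod 2."""
    z = 0
    for i, row in enumerate(M):
        bit = 0
        for j, coeff in enumerate(row):
            if coeff == "1":
                bit ^= (y >> j) & 1
        z |= bit << i
    return z ^ C


def sbox(x):
    """S-box value computed on the fly; equals the table entry at row x >> 4,
    column x & 0xF."""
    return affine(gf_inv(x))


SBOX = bytes(sbox(x) for x in range(256))
INV_SBOX = bytes(SBOX.index(v) for v in range(256))   # a permutation, so invertible


def table_rows():
    """The 16 rows of the S-box as hex strings, for comparison with the slide."""
    return [SBOX[16 * r:16 * r + 16].hex() for r in range(16)]


def no_fixed_points():
    """Design property worth checking: S(x) != x and S(x) != ~x for every x."""
    return all(SBOX[x] != x and SBOX[x] != x ^ 0xFF for x in range(256))


if __name__ == "__main__":
    for r, row in enumerate(table_rows()):
        print(f"{r:x}0 | {' '.join(row[i:i + 2] for i in range(0, 32, 2))}")
    print(hex(SBOX[0x53]), hex(INV_SBOX[0xED]))   # 0xed 0x53
```

Running it prints the table exactly as on the slide; the inverse S-box used by decryption is just the inverted permutation, or equivalently the inverse affine map followed by another field inversion.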
The Layers: ShiftRow
ShiftRow transform: input 4x4 matrix, output 4x4 matrix.
Operation: rotate each row cyclically to the left:
- the first row by 0
- the second row by 1
- the third row by 2
- the fourth row by 3
Comments: rotation is to the left; clearly invertible (rotate the rows back to the right by the same amounts).
The Layers: MixColumn
MixColumn transform: input 4x4 matrix, output 4x4 matrix.
Operation: multiply the input matrix by a fixed matrix (the fixed matrix on the left, so each column of the state is transformed independently). All computation in GF(2^8).
Matrix used, with a = 00000010, b = 00000001, c = 00000011:
a c b b
b a c b
b b a c
c b b a
The Layers: AddRoundKey
AddRoundKey: input 4x4 matrix; key: 4x4 matrix (the round key); output 4x4 matrix.
Operation: XOR the bits of the input and the key.
Key Schedule
Keys: the original key has 128 bits, a 4x4 matrix with columns W(0), W(1), W(2), W(3).
Further keys: 40 more columns, W(4), ..., W(43).
Round key for the i'th round (i = 0 is the initial ARK, i = 10 the last): W(4i), W(4i+1), W(4i+2), W(4i+3).
Generating the i'th column (⊕ is bytewise XOR):
- i is not a multiple of 4: W(i) = W(i-4) ⊕ W(i-1)
- i is a multiple of 4: W(i) = W(i-4) ⊕ T(W(i-1))
T – transformation of the key column, T(W(i-1)):
- write W(i-1) = (a, b, c, d); apply the S-box to b, c, d, a (the column rotated up by one byte) to get e, f, g, h
- r(i) = (00000010)^{(i-4)/4}, computed in GF(2^8) !!! (so r(4) = 01, r(8) = 02, ..., r(32) = 80, r(36) = 1b, r(40) = 36)
- T(W(i-1)) is then (e ⊕ r(i), f, g, h)
Decryption
Decryption is possible – all steps are invertible:
- IBS – inverted BS (the inverse S-box)
- ISR – inverted SR (rotate the rows to the right by 0, 1, 2, 3)
- IMC – inverted MC (multiply by the inverse matrix, whose rows are rotations of 0e 0b 0d 09)
- ARK – its own inverse (XOR with the same round key again)
We can just run them backwards, with the round keys used in reverse order:
Encryption
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK
Decryption
ARK, ISR, IBS
ARK, IMC, ISR, IBS
...
ARK, IMC, ISR, IBS
ARK

Note: We want decryption to resemble encryption, so that the same code or circuit structure serves both.
- IBS and ISR can be executed in any order: IBS manipulates single bytes by value only and ISR only moves bytes around, so the two commute.
- ARK and IMC can be reversed as well; this is a little more involved. IMC is linear over GF(2^8), so IMC(x ⊕ k) = IMC(x) ⊕ IMC(k): ARK followed by IMC equals IMC followed by IARK, where IARK XORs in the round key passed through IMC.
After both swaps:
Decryption
ARK, IBS, ISR
IMC, IARK, IBS, ISR
...
IMC, IARK, IBS, ISR
ARK
Regrouped, decryption has the same shape as encryption:
Encryption: ARK; 9 rounds: BS SR MC ARK; 1 round: BS SR ARK
Decryption: ARK; 9 rounds: IBS ISR IMC IARK; 1 round: IBS ISR ARK
Keys used in reverse order: the first ARK uses round key 10, the IARKs use round keys 9 down to 1 (each passed through IMC), the last ARK uses round key 0.
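The following Python, added here as an example and not the lecture's own code, puts the ShiftRow, MixColumn and AddRoundKey layers, the key schedule and the two decryption orderings above into one runnable AES-128, and checks that both decryption orders give the same result. It uses the S-box table from the slides as data rather than deriving it, and two things that are not on the slides and are taken from FIPS-197: the inverse MixColumn matrix (rows are rotations of 0e 0b 0d 09) and the Appendix C.1 test vector. The state is kept as 16 bytes with index r + 4c holding a_{r,c}, i.e. the input fills the matrix column by column, as in the Encoding Data slide.

```python
# Added example (not from the lecture): AES-128 assembled from the four layers
# and the key schedule as the slides define them. The S-box is the table on the
# slides; the test vector is FIPS-197 Appendix C.1. State index r + 4*c holds
# a_{r,c}, i.e. the 16 input bytes fill the 4x4 matrix column by column.

SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d8311504c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f8453d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa851a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d197360814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df8ca1890dbfe6426841992d0fb054bb16")
INV_SBOX = bytes(SBOX.index(v) for v in range(256))

def xtime(b):                      # multiply by 00000010 (= X) in GF(2^8)
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def gf_mul(a, b):                  # GF(2^8) product by shift-and-add
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def sub_bytes(s, box=SBOX):        # BS (IBS with box=INV_SBOX): by value, not position
    return [box[x] for x in s]

def shift_rows(s, inv=False):      # SR: row r rotated left by r; ISR rotates right
    out = list(s)
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inv else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out

MC = (2, 3, 1, 1)                  # first row of the slide's matrix: a c b b
IMC = (14, 11, 13, 9)              # first row of its inverse (FIPS-197): 0e 0b 0d 09

def mix_columns(s, row=MC):        # MC (IMC with row=IMC): circulant matrix times each column
    out = list(s)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[r + 4 * c] = 0
            for k in range(4):
                out[r + 4 * c] ^= gf_mul(row[(k - r) % 4], col[k])
    return out

def add_round_key(s, k):           # ARK: bytewise XOR with the round key
    return [x ^ y for x, y in zip(s, k)]

def key_expansion(key):            # columns W(0)..W(43); round key i = W(4i)..W(4i+3)
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1                       # r(4) = 00000001; r(i) = xtime(r(i-4)) afterwards
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:             # T: rotate (a,b,c,d)->(b,c,d,a), S-box, XOR r(i) into first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * i:4 * i + 4], []) for i in range(11)]

def encrypt(block, key):           # ARK; 9 x (BS, SR, MC, ARK); BS, SR, ARK
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for i in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))

def decrypt(block, key):           # every layer undone in reverse order, keys reversed
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[10])
    for i in range(9, 0, -1):
        s = sub_bytes(shift_rows(s, inv=True), INV_SBOX)       # ISR, IBS
        s = mix_columns(add_round_key(s, rk[i]), IMC)          # ARK, IMC
    return bytes(add_round_key(sub_bytes(shift_rows(s, inv=True), INV_SBOX), rk[0]))

def decrypt_equiv(block, key):     # same work in the encryption-shaped order of the last slide
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[10])
    for i in range(9, 0, -1):      # IBS, ISR, IMC, IARK with the round key passed through IMC
        s = mix_columns(shift_rows(sub_bytes(s, INV_SBOX), inv=True), IMC)
        s = add_round_key(s, mix_columns(rk[i], IMC))
    return bytes(add_round_key(shift_rows(sub_bytes(s, INV_SBOX), inv=True), rk[0]))

if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt(pt, key)
    print(ct.hex())                # 69c4e0d86a7b0430d8cdb78070b4c55a
    assert decrypt(ct, key) == pt == decrypt_equiv(ct, key)
```

The swap in decrypt_equiv works only because IMC is linear: the round key is multiplied by the inverse matrix once (this can be precomputed in the key schedule), after which the inverse round has exactly the layer order of an encryption round. This is a teaching implementation: it is byte-at-a-time, not constant-time, and a real deployment should use a vetted library or hardware AES rather than this code.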