Cryptography Lecture 17: Advanced Encryption Standard (AES) Piotr Faliszewski


Page 1

Cryptography

Lecture 17: Advanced Encryption Standard (AES)

Piotr Faliszewski

Page 2

Advanced Encryption Standard

Need for a new cipher
- DES no longer sufficient ... even with DESX and TripleDES
- NIST's call for algorithms in 1997
- finalists: MARS, RC6, Rijndael, Serpent, Twofish

Requirements for the new cipher
- keys: 128, 192, 256 bits
- block: 128 bits
- easily implemented on 8-bit CPUs, 32-bit CPUs, ...

Page 3

AES

Winner: Rijndael

Pronunciation: anything different from „region deal”

The algorithm
- not a Feistel system
- works in rounds, like DES
- firm mathematical grounds (GF(2^8) + algebra)

Modes of operation
- ECB – electronic codebook
- CBC – cipher block chaining
- CFB – cipher feedback
- OFB – output feedback
- CTR – counter

Note: decryption slower than encryption

Page 4

Rijndael – AES

Keys
- 128 bit (our focus)
- 192 bit
- 256 bit

Algorithm outline
- ARK
- 9 rounds: BS, SR, MC, ARK
- 1 round: BS, SR, ARK

Rounds: a round consists of 4 layers
- BS – ByteSub Transformation
- SR – ShiftRow Transformation
- MC – MixColumn Transformation
- ARK – AddRoundKey

Key schedule

Page 5

Rijndael – AES

ByteSub Transform
- nonlinear
- anti differential and linear cryptanalysis
- big substitution

ShiftRow Transform
- mixing step
- diffusion of bits over different rounds

MixColumn Transform
- similar purpose as ShiftRow
- moves bits around

AddRoundKey
- round key is XORed with the result of the previous layer

Page 6

The Layers: Encoding Data

Input: 128 bits of data
- 16 bytes, 8 bits each: a00, a10, a20, ... a33 (listed column by column)
- arranged into a 4x4 matrix:

a00 a01 a02 a03
a10 a11 a12 a13
a20 a21 a22 a23
a30 a31 a32 a33

Interpretation
- bytes are elements of GF(2^8)
- bytes are polynomials, reduced modulo P(X) = X^8 + X^4 + X^3 + X + 1

Page 7

The Layers: ByteSub

ByteSub Transform
- each byte is substituted depending on its value
- 16 x 16 S-box

Indexing the S-box: byte = abcdefgh; abcd = row, efgh = column

The S-box is invertible

Data: Input: 4x4 matrix; Output: 4x4 matrix

Note: the transformation depends only on the value of each byte, not on its position

Page 8

AES S-Box (row = high nibble, column = low nibble)

|    | 0  | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | a  | b  | c  | d  | e  | f  |
|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|
| 00 | 63 | 7c | 77 | 7b | f2 | 6b | 6f | c5 | 30 | 01 | 67 | 2b | fe | d7 | ab | 76 |
| 10 | ca | 82 | c9 | 7d | fa | 59 | 47 | f0 | ad | d4 | a2 | af | 9c | a4 | 72 | c0 |
| 20 | b7 | fd | 93 | 26 | 36 | 3f | f7 | cc | 34 | a5 | e5 | f1 | 71 | d8 | 31 | 15 |
| 30 | 04 | c7 | 23 | c3 | 18 | 96 | 05 | 9a | 07 | 12 | 80 | e2 | eb | 27 | b2 | 75 |
| 40 | 09 | 83 | 2c | 1a | 1b | 6e | 5a | a0 | 52 | 3b | d6 | b3 | 29 | e3 | 2f | 84 |
| 50 | 53 | d1 | 00 | ed | 20 | fc | b1 | 5b | 6a | cb | be | 39 | 4a | 4c | 58 | cf |
| 60 | d0 | ef | aa | fb | 43 | 4d | 33 | 85 | 45 | f9 | 02 | 7f | 50 | 3c | 9f | a8 |
| 70 | 51 | a3 | 40 | 8f | 92 | 9d | 38 | f5 | bc | b6 | da | 21 | 10 | ff | f3 | d2 |
| 80 | cd | 0c | 13 | ec | 5f | 97 | 44 | 17 | c4 | a7 | 7e | 3d | 64 | 5d | 19 | 73 |
| 90 | 60 | 81 | 4f | dc | 22 | 2a | 90 | 88 | 46 | ee | b8 | 14 | de | 5e | 0b | db |
| a0 | e0 | 32 | 3a | 0a | 49 | 06 | 24 | 5c | c2 | d3 | ac | 62 | 91 | 95 | e4 | 79 |
| b0 | e7 | c8 | 37 | 6d | 8d | d5 | 4e | a9 | 6c | 56 | f4 | ea | 65 | 7a | ae | 08 |
| c0 | ba | 78 | 25 | 2e | 1c | a6 | b4 | c6 | e8 | dd | 74 | 1f | 4b | bd | 8b | 8a |
| d0 | 70 | 3e | b5 | 66 | 48 | 03 | f6 | 0e | 61 | 35 | 57 | b9 | 86 | c1 | 1d | 9e |
| e0 | e1 | f8 | 98 | 11 | 69 | d9 | 8e | 94 | 9b | 1e | 87 | e9 | ce | 55 | 28 | df |
| f0 | 8c | a1 | 89 | 0d | bf | e6 | 42 | 68 | 41 | 99 | 2d | 0f | b0 | 54 | bb | 16 |

Page 9

The Layers: ByteSub

S-boxes: mysterious in DES, very clear in AES!
- result of a simple mathematical operation

Motivation
- inverse – highly nonlinear
- matrix multiplication and the vector – to obfuscate

Operation of the S-box
- input: x
- Step 1: y = x^-1, the inverse in GF(2^8)
- Step 2: the affine map over GF(2)

$$
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
=
\begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix}
$$

Page 10

The Layers: ShiftRow

ShiftRow Transform
- Input: 4x4 matrix
- Output: 4x4 matrix

Operation
- rotate the first row cyclically by 0
- rotate the second row cyclically by 1
- rotate the third row cyclically by 2
- rotate the fourth row cyclically by 3

Comments
- rotation to the left
- clearly invertible

Page 11

The Layers: MixColumn

MixColumn Transform
- Input: 4x4 matrix
- Output: 4x4 matrix

Operation
- multiply the input matrix by a fixed matrix
- all computation in GF(2^8)

Matrix used, with a = 00000010, b = 00000001, c = 00000011:

a c b b
b a c b
b b a c
c b b a

Page 12

The Layers: AddRoundKey

AddRoundKey
- Input: 4x4 matrix
- Key: 4x4 matrix – the round key
- Output: 4x4 matrix

Operation: XOR the bits of the input and the key

Page 13

Key Schedule

Keys
- original key: 128 bits, a 4x4 matrix with columns W(0) W(1) W(2) W(3)
- further keys: 40 more columns
- round key for the i'th round: W(4i), W(4i+1), W(4i+2), W(4i+3)

Generating the i'th column
- i is not a multiple of 4: W(i) = W(i-4) ⊕ W(i-1)
- i is a multiple of 4: W(i) = W(i-4) ⊕ T(W(i-1))
- T – transformation of the key column

Page 14

Key Schedule

Generating the i'th column
- i is not a multiple of 4: W(i) = W(i-4) ⊕ W(i-1)
- i is a multiple of 4: W(i) = W(i-4) ⊕ T(W(i-1))
- T – transformation of the key column

T transformation T(W(i-1))
- W(i-1) = (a, b, c, d)
- apply the S-box to b, c, d, a to get e, f, g, h
- r(i) = 00000010^((i-4)/4), computed in GF(2^8) !!!
- T(W(i-1)) is then (e ⊕ r(i), f, g, h)
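The S-box construction of Page 9 and the 128-bit key schedule of Pages 13 and 14, worked through in Python as an added example (my code, not the lecture's). The only fact used beyond the slides is that x^254 = x^-1 in GF(2^8); the key expansion follows the slides' W(i), T and r(i) definitions literally.

```python
POLY = 0x11B  # P(X) = X^8 + X^4 + X^3 + X + 1, the field polynomial of Page 6

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reducing modulo P(X)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return p & 0xFF

def gf_inv(x):
    """Step 1 of the S-box: y = x^-1 in GF(2^8). Since x^255 = 1 for x != 0,
    x^-1 = x^254; 0 has no inverse and is mapped to 0 by convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def sbox_entry(x):
    """Step 2: z = A*y + c over GF(2). Row i of A has ones in columns i, i+4,
    i+5, i+6, i+7 (mod 8), so A*y is y XOR its rotations by 1..4 bits; the
    vector c = (1,1,0,0,0,1,1,0) read as bits z0..z7 is the byte 0x63."""
    y = gf_inv(x)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]   # reproduces the 16 x 16 table of Page 8

def expand_key_128(key):
    """Columns W(0)..W(43) for a 16-byte key; round key i is W(4i)..W(4i+3)."""
    W = [list(key[4 * j:4 * j + 4]) for j in range(4)]
    for i in range(4, 44):
        col = W[i - 1]
        if i % 4 == 0:                                   # replace W(i-1) by T(W(i-1))
            a, b, c, d = col
            e, f, g, h = SBOX[b], SBOX[c], SBOX[d], SBOX[a]   # S-box on b, c, d, a
            r = 1
            for _ in range((i - 4) // 4):                # r(i) = 00000010^((i-4)/4)
                r = gf_mul(r, 0x02)                      # computed in GF(2^8)
            col = [e ^ r, f, g, h]                       # T(W(i-1)) = (e XOR r(i), f, g, h)
        W.append([W[i - 4][k] ^ col[k] for k in range(4)])   # W(i) = W(i-4) XOR col
    return W
```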

Page 15

Decryption

Decryption possible – all steps are invertible
- IBS – inverted BS
- ISR – inverted SR
- IMC – inverted MC
- ARK – inverted ARK
we can just run them backwards

Encryption:
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK

Decryption:
ARK, ISR, IBS
ARK, IMC, ISR, IBS
...
ARK, IMC, ISR, IBS
ARK

Page 16

Decryption

Decryption possible – all steps are invertible
- IBS – inverted BS
- ISR – inverted SR
- IMC – inverted MC
- ARK – inverted ARK
we can just run them backwards

Note: We want decryption to resemble encryption

Encryption:
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK

Decryption:
ARK, ISR, IBS
ARK, IMC, ISR, IBS
...
ARK, IMC, ISR, IBS
ARK

Page 17

Decryption

Decryption
- IBS and ISR – can be executed in any order (IBS manipulates single bytes)
- ARK and IMC can be reversed as well, a little more involved: IMC, IARK

Encryption:
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK

Decryption:
ARK, ISR, IBS
ARK, IMC, ISR, IBS
...
ARK, IMC, ISR, IBS
ARK

Page 18

Decryption

Decryption
- IBS and ISR – can be executed in any order (IBS manipulates single bytes)
- ARK and IMC can be reversed as well, a little more involved: IMC, IARK

Encryption:
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK

Decryption:
ARK, IBS, ISR,
IMC, IARK, IBS, ISR
...
IMC, IARK, IBS, ISR
ARK

Page 19

Decryption

Encryption
- ARK
- 9 rounds: BS SR MC ARK
- 1 round: BS SR ARK

Decryption
- ARK
- 9 rounds: IBS ISR IMC IARK
- 1 round: IBS ISR ARK

Keys used in reverse order

Encryption:
ARK
BS, SR, MC, ARK
...
BS, SR, MC, ARK
BS, SR, ARK

Decryption:
ARK, IBS, ISR,
IMC, IARK, IBS, ISR
...
IMC, IARK, IBS, ISR
ARK
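The MixColumn layer of Page 11 on one column, and the IMC/IARK swap of Pages 17 to 19, as an added example (my code, not the lecture's); the state is held as four columns of four bytes. Two assumptions not stated on the slides: the MixColumn matrix M satisfies M^4 = I, so IMC is MC applied three times; and IARK means ARK with the round key itself passed through IMC, which is what makes the swap valid since IMC is linear over XOR.

```python
def xtime(v):
    """Multiply a byte by a = 00000010 in GF(2^8), reducing by X^8+X^4+X^3+X+1."""
    v <<= 1
    return (v ^ 0x1B) & 0xFF if v & 0x100 else v

A, B, C = 0x02, 0x01, 0x03            # the coefficients named on Page 11
MIX = [[A, C, B, B],                  # the fixed matrix of Page 11
       [B, A, C, B],
       [B, B, A, C],
       [C, B, B, A]]

def mul(coef, v):
    """Only 01, 02 and 03 occur in MIX, so xtime and XOR are enough."""
    return {B: v, A: xtime(v), C: xtime(v) ^ v}[coef]

def mix_column(col):
    """MC on one column: output byte r is the XOR over k of MIX[r][k] * col[k]."""
    out = []
    for row in MIX:
        acc = 0
        for coef, v in zip(row, col):
            acc ^= mul(coef, v)
        out.append(acc)
    return out

def inv_mix_column(col):
    """IMC. Assumption not on the slides: the MIX matrix M satisfies M^4 = I,
    so M^-1 = M^3, i.e. MC applied three times."""
    for _ in range(3):
        col = mix_column(col)
    return col

def inv_mix_columns(state):
    return [inv_mix_column(c) for c in state]   # state = list of 4 columns

def add_round_key(state, rk):
    """ARK (Page 12): XOR the bits of the state and the round key."""
    return [[s ^ k for s, k in zip(sc, kc)] for sc, kc in zip(state, rk)]

def dec_round_original(state, rk):
    """Decryption round order of Pages 15 to 17: ARK, then IMC."""
    return inv_mix_columns(add_round_key(state, rk))

def dec_round_swapped(state, rk):
    """Page 18 order: IMC, then IARK, read as ARK with the round key itself passed
    through IMC. Same result, because IMC is linear: IMC(s ^ k) = IMC(s) ^ IMC(k)."""
    return add_round_key(inv_mix_columns(state), inv_mix_columns(rk))
```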