
The Advanced Encryption Standard



Presentation Transcript


  1. The Advanced Encryption Standard CSIS 5857: Encoding and Encryption

  2. AES History
     • 1997: NIST calls for proposals for DES replacement
       • 56-bit DES key not computationally secure
       • Triple DES very slow
       • DES S-Boxes poorly understood
     • 1999: Several algorithms chosen as finalists
       • Rijndael (selected)
       • Twofish, Serpent, etc. (still used by some systems)
     • 2001: Rijndael published by NIST as Advanced Encryption Standard

  3. Goals of AES
     • Security
       • Minimum key size: 128 bits (computationally secure now)
       • Expandable to 192 or 256 bits (will still be computationally secure in future)
       • Block size: 128 bits (more possible mappings)
       • Designed for resistance to differential and linear cryptanalysis
     • Cost
       • Structure optimized for efficiency in current computer architectures

  4. Mathematical Goals
     • S-Boxes and other transformations should have a mathematical basis
       • Can ensure useful properties (nonlinearity, etc.)
       • Can re-derive as needed for larger keys
     • Mapping should appear “random” (no simple patterns between inputs and outputs)

  5. Modular Multiplication
     • a × b mod m = remainder left after (a × b)/m
     • Example: multiplication table mod 7

  6. Modular Multiplicative Inverses
     • b is the inverse of a mod m if ab mod m = 1 (b = a⁻¹ mod m)
     • Example: 5 = 3⁻¹ mod 7, since 3 × 5 = 15 = 1 mod 7
     • Creates nonlinear “pseudorandom” mappings

  7. Modular Multiplicative Inverses
     • Problem: only works if m is a prime number; otherwise, some numbers have no inverse
     • Example: modular inverses mod 8

  8. Modular Multiplicative Inverses
     • Goal: use this idea in cases where m = 2ⁿ (that is, m is the size of a typical block)
     • Galois Fields
       • Represent byte to transform as a polynomial
       • Compute inverse of that polynomial mod some other “prime” polynomial
     • Galois Field with m = 2⁸ used to create S-Boxes for AES, mapping 256 possible byte inputs to 256 possible byte outputs

  9. Galois Field Mathematics
     • Step 1: Represent binary numbers with n bits as polynomial of degree n
     • Example: n = 3, GF(2³)

  10. Galois Field Mathematics
     • All coefficients are binary (1 or 0)
     • Addition/subtraction in mod 2 = XOR function
     • Examples:
       • (x² + x + 1) + (x + 1) = x² + 2x + 2 = x² + 0x + 0 = x², since 2 mod 2 = 0
       • x² − (x + 1) = x² − x − 1 = x² + x + 1, since −1 mod 2 = 1

  11. Galois Field Mathematics
     • Step 2: Find a “prime” polynomial Pₙ of degree n
       • Not a product of two other polynomials (other than 1 and itself)
     • Example for GF(2³): P₃ = x³ + x + 1
     • Used in AES for GF(2⁸): P₈ = x⁸ + x⁴ + x³ + x + 1

  12. Galois Field Mathematics
     • Step 3: Compute multiplication table for all pairs of polynomials Pᵢ × Pⱼ mod Pₙ
     • Will need to compute mod if the degree of Pᵢ × Pⱼ is k ≥ n
       • Simple (inefficient) way: compute Pᵢ × Pⱼ − xᵏ⁻ⁿ Pₙ
     • Example for GF(2³):

  13. Galois Field Example
     • Example: Multiplying 110 and 011
       • 110 → x² + x
       • 011 → x + 1
     • (x² + x)(x + 1) = x³ + 2x² + x = x³ + x, since 2 mod 2 = 0
     • (x³ + x) mod (x³ + x + 1): (x³ + x) − (x³ + x + 1) = −1 = 1, since −1 mod 2 = 1

  14. Galois Field Inverses
     • Inverse b⁻¹ of a binary number b in GF(2ⁿ): b⁻¹ × b = 1 in GF(2ⁿ)
     • Example: GF(2³)

  15. Galois Fields in AES
     • AES mathematics based on GF(2⁸)
     • Prime polynomial = x⁸ + x⁴ + x³ + x + 1
     • SubBytes stage
       • Basis of S-Boxes
     • MixColumns stage
       • Uses matrix multiplication in GF(2⁸)
     • Round Key Generation
       • Adds extra “random” bits to each round key

  16. AES Bytes and Words
     • Blocks represented as arrays of smaller groups of bits
       • Byte: 8 bits
       • Word: 32 bits (4 bytes in word)

  17. AES States
     • Each word (each 4 bytes) corresponds to a column in the state
     • Used to simplify mathematics

  18. AES States
     • Example: (diagram of a state)
     • Note that a byte can be represented by a 2-digit hexadecimal (base 16) number

  19. AES Structure

  20. AES Round Structure
     • SubBytes: Each byte transformed by an S-Box
     • ShiftRows: Permutation to swap bytes around
     • MixColumns: Matrix multiplication to permute bits within bytes
     • AddRoundKey: XOR result with current round key
     • Notes:
       • Extra AddRoundKey before first round
       • No MixColumns in last round

  21. SubBytes Stage
     • 128-bit input → 16 bytes
     • Each byte transformed by same S-Box
     • S-Box structure: 2-dimensional 16 × 16 table
       • First 4 bits of input determine row
       • Last 4 bits of input determine column
     • Example: 1101 0101 → row 13, column 5
       • Often represented in hexadecimal: 1101 0101 → D5 → row d, column 5
     • Result (see table next slide): 03 → 0000 0011

  22. AES S-Box

  23. S-Box Basis
     • Inverse of each byte computed in GF(2⁸) using x⁸ + x⁴ + x³ + x + 1
     • Additional confusion created by array multiplication and addition
       • Multiplication/addition in mod 2
     • Resulting byte with bits b₀ – b₇ multiplied by 8 × 8 matrix X
       • Each output bit cⱼ is effectively the XOR of different bᵢ’s
     • Resulting byte with bits c₀ – c₇ added to 8 × 1 matrix d
       • Has effect of inverting bits 0, 1, 5, and 6

  24. Inverse S-Box
     • Subtract matrix d
     • Multiply by inverse of matrix X
     • Invert in GF(2⁸)
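As an added example (not part of the slides), the GF(2ⁿ) multiply and inverse of slides 12–14 with an explicit modulus polynomial, then the S-box built exactly as slides 23–24 describe it (inverse in GF(2⁸), matrix X, constant d) and its inverse; the rotation form of X and the constant 0x05 for X⁻¹·d are the standard identities, used here because the slides show X and d only as figures:

```python
# Added example, not from the slides: GF(2^n) multiply/inverse with an explicit
# modulus polynomial (slides 12-14), then the AES S-box built as slides 23-24
# describe it: inverse in GF(2^8), matrix X, constant d = 0x63, and its reverse.

def gf_mul(a, b, poly, n):
    """Multiply a and b as polynomials over GF(2), reduced mod poly.
    poly carries its leading x^n bit, e.g. 0b1011 for x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a                  # addition mod 2 is XOR
        b >>= 1
        a <<= 1                     # multiply a by x
        if a >> n:                  # degree reached n: subtract x^(k-n) * P_n
            a ^= poly
    return r

def gf_inv(a, poly, n):
    """Multiplicative inverse by exhaustive search (cheap for n <= 8)."""
    if a == 0:
        return 0                    # 0 has no inverse; AES maps 0 to 0
    return next(b for b in range(1, 1 << n) if gf_mul(a, b, poly, n) == 1)

AES_POLY = 0b1_0001_1011            # x^8 + x^4 + x^3 + x + 1

def rotl8(v, k):
    return ((v << k) | (v >> (8 - k))) & 0xFF

def aes_sbox(x):
    """SubBytes: inverse in GF(2^8), then the affine step (matrix X, add d)."""
    inv = gf_inv(x, AES_POLY, 8)
    # Multiplying the bit vector by X is the XOR of the vector with four of its
    # rotations, so each output bit c_j is the XOR of five input bits b_i.
    y = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4)
    return y ^ 0x63                 # d = 0x63 flips bits 0, 1, 5 and 6

def aes_inv_sbox(s):
    """Inverse S-box: remove d and undo X (X^-1 applied to s + d), then invert."""
    b = rotl8(s, 1) ^ rotl8(s, 3) ^ rotl8(s, 6) ^ 0x05    # 0x05 = X^-1 * d
    return gf_inv(b, AES_POLY, 8)

SBOX = [aes_sbox(x) for x in range(256)]

if __name__ == "__main__":
    print(gf_mul(0b110, 0b011, 0b1011, 3))   # slide 13: 110 x 011 = 1 in GF(2^3)
    print(hex(aes_sbox(0xD5)))                # slide 21: row d, column 5 -> 0x3
```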

  25. ShiftRows Stage
     • Goal: Swap bytes around within a state
     • State = bytes arranged in columns
     • Shift rows around within this 2-dimensional structure to add diffusion

  26. ShiftRows Stage
     • Circular shift used on each row
     • Each row shifted by different number of bytes
     • Inverse just reverses shift

  27. ShiftRows Stage

  28. ShiftRows Example
     • Input:  63F2C9FAC9F2C963FE637D823026D4D4
     • Output: 63F27DD4C963D4FAFE26C96330F2C982
     • Row 0: shift 0; Row 1: shift 1; Row 2: shift 2; Row 3: shift 3

  29. MixColumns Stage
     • Goal: permute bits within each 4-byte word (column of state)
     • Matrix multiplication with 4 × 4 byte constant matrix
     • Multiplication in GF(2⁸), mod x⁸ + x⁴ + x³ + x + 1

  30. MixColumns Stage
     • Idea: Matrix multiplication makes each bit depend on every other bit in the word (diffusion)

  31. MixColumns Stage
     • Matrices used: (see figure)
     • Hexadecimal representation
       • Example: 0E → 0000 1110 → x³ + x² + x
     • Computed to maximize diffusion
     • Decryption uses inverse of encryption matrix

  32. MixColumns Stage

  33. MixColumns Stage
     • Example: column 1, row 1 of example
       63·02 + F2·03 + 7D·01 + D4·01
         01100011·10 =  11000110 (shift 1 digit)
       + 11110010·11 = 100010110 (111100100 + 11110010)
       + 01111101·01 =  01111101
       + 11010100·01 =  11010100
       ------------------------------
                       101111001 (addition = XOR)
                     − 100011011 (mod x⁸ + x⁴ + x³ + x + 1)
       ------------------------------
                       001100010 (subtraction = XOR) = 62
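As an added example (not part of the slides), the column-major state, ShiftRows (slides 25–28) and MixColumns (slides 29–33), checked against the ShiftRows input/output on slide 28 and the 62 computed on slide 33; only the encryption matrix is implemented, and 03·a is written as xtime(a) ⊕ a just as the slide does:

```python
# Added example, not from the slides: the AES state layout, ShiftRows (slides
# 25-28) and MixColumns (slides 29-33), checked against the values on slides 28
# and 33. Only the forward (encryption) MixColumns matrix is implemented.

def to_state(block):
    """16 bytes -> 4x4 state filled column by column; state[row][col]."""
    return [[block[4 * c + r] for c in range(4)] for r in range(4)]

def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state):
    """Row r is rotated left by r bytes (row 0: shift 0 ... row 3: shift 3)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    """Decryption side: rotate each row back by the same amount."""
    return [row[-r:] + row[:-r] if r else row for r, row in enumerate(state)]

def xtime(b):
    """Multiply by x (02) in GF(2^8): shift left; if a 9th bit appears, subtract
    (XOR) 1 0001 1011 = x^8 + x^4 + x^3 + x + 1, as slide 33 does."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def mix_column(col):
    """One 4-byte column times [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] in GF(2^8),
    written with xtime only: 02*a = xtime(a), 03*a = xtime(a) ^ a."""
    a0, a1, a2, a3 = col
    two = [xtime(a) for a in col]                # 02 * a_i
    three = [two[i] ^ col[i] for i in range(4)]  # 03 * a_i
    return [two[0] ^ three[1] ^ a2 ^ a3,
            a0 ^ two[1] ^ three[2] ^ a3,
            a0 ^ a1 ^ two[2] ^ three[3],
            three[0] ^ a1 ^ a2 ^ two[3]]

def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

# Slide 28 values: ShiftRows input and the expected output.
SHIFT_IN = bytes.fromhex("63F2C9FAC9F2C963FE637D823026D4D4")
SHIFT_OUT = bytes.fromhex("63F27DD4C963D4FAFE26C96330F2C982")

def check_slides():
    """Returns (ShiftRows matches slide 28, first MixColumns byte of column 0)."""
    shifted = shift_rows(to_state(SHIFT_IN))
    return from_state(shifted) == SHIFT_OUT, mix_columns(shifted)[0][0]
```

`check_slides()` returns `(True, 0x62)`: the slide-28 permutation reproduces and column 0 of its output (63 F2 7D D4) mixes to the 62 derived on slide 33.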

  34. AddRoundKey Stage
     • Round Key: 128 bits
     • Broken into 4 round key words (32 bits each)
     • Round key words combined with columns using XOR

  35. Round Key Expansion
     • Generates rounds + 1 round keys of size 128 bits
       • First used at beginning of cipher
       • Rest used at end of each round

  36. Round Key Expansion
     • Keys broken down into 4 4-byte words
     • Initial round key = cipher key
     • Subsequent key words W[n] are a function of:
       • Previous word (W[n−1])
       • Corresponding word in previous round key (W[n−4])

  37. Round Key Expansion
     • For n not a multiple of 4: W[n] = W[n−1] ⊕ W[n−4]
       • Difficult to work back from final ciphertext to key
     • For n a multiple of 4: W[n] = t[n] ⊕ W[n−4], where t[n] = more complex function of W[n−1]
       • Adds confusion to relationship between key and ciphertext

  38. Round Key Expansion
     • RotWord: Circular left shift of bytes (like ShiftRows)
       • B1 B2 B3 B4 → B2 B3 B4 B1
     • SubWord: Use S-Box to transform each of the 4 bytes (like SubBytes)
       • Adds more nonlinearity

  39. Round Key Expansion
     • RCon: Round constant
     • Recursive function: RCon[i] = 2 × RCon[i−1] over GF(2⁸)
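As an added example (not part of the slides), the AES-128 key expansion of slides 35–39 with RotWord, SubWord and the RCon recursion, checked against the FIPS-197 Appendix A.1 sample key; the S-box table of slide 22 is embedded as constant data rather than recomputed:

```python
# Added example, not from the slides: AES-128 key expansion as slides 35-39
# describe it (RotWord, SubWord, RCon), checked against the FIPS-197 Appendix
# A.1 sample key. The S-box (the table on slide 22) is embedded as data.

SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16")

def xtime(b):
    """Multiply by 02 in GF(2^8), reducing with x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def rcon_list(rounds=10):
    """RCon[1] = 01 and RCon[i] = 02 * RCon[i-1] over GF(2^8); the wrap past
    x^7 is what turns 80 into 1B, then 36."""
    rc, out = 1, []
    for _ in range(rounds):
        out.append(rc)
        rc = xtime(rc)
    return out

def rot_word(w):
    """Circular left shift of the bytes: B1 B2 B3 B4 -> B2 B3 B4 B1."""
    return w[1:] + w[:1]

def sub_word(w):
    """S-box applied to each of the 4 bytes, like SubBytes."""
    return bytes(SBOX[b] for b in w)

def expand_key(key, rounds=10):
    """AES-128: returns 4 * (rounds + 1) = 44 words; words 0-3 are the key."""
    words = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = rcon_list(rounds)
    for n in range(4, 4 * (rounds + 1)):
        t = words[n - 1]
        if n % 4 == 0:          # t_n = SubWord(RotWord(W[n-1])) + RCon[n/4]
            t = sub_word(rot_word(t))
            t = bytes([t[0] ^ rcon[n // 4 - 1]]) + t[1:]
        words.append(bytes(a ^ b for a, b in zip(t, words[n - 4])))
    return words

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1
```

`expand_key(FIPS_KEY)[4:8]` is the first derived round key, a0fafe17 88542cb1 23a33939 2a6c7605, matching FIPS-197 Appendix A.1.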

  40. AES Analysis
     • Security
       • Key size prevents exhaustive key search
       • Designed to be resistant to cryptanalysis
         • Substitution (SubBytes) and permutation (ShiftRows/MixColumns) prevent statistical analysis
         • Multiple rounds prevent differential analysis
         • S-Box design prevents linear cryptanalysis

  41. AES Analysis
     • Efficiency
       • Operations done at byte level for 8-bit devices
         • SubBytes: byte-wise substitution
         • ShiftRows: moves bytes
         • MixColumns: multiplies bytes
       • Operations can be done one word at a time for maximum speed on 32-bit processors
         • All 4 bytes in a word can be processed simultaneously in each operation
