1 / 48

AES

AES. Advanced Encryption Standard. Origins of AES. In 1999, NIST issued a new standard that is said 3DES, 168-bit key length Algorithm is the same as DES 3DES had drawbacks Algorithm is sluggish in software Only uses 64-bit block size. Origins of AES (2).

michellewhite
Télécharger la présentation

AES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AES Advanced Encryption Standard

  2. Origins of AES • In 1999, NIST issued a new standard that is said 3DES, • 168-bit key length • Algorithm is the same as DES • 3DES had drawbacks • Algorithm is sluggish in software • Only uses 64-bit block size

  3. Origins of AES (2) • In 1997, NIST issued a calls for proposals for the new Advanced Encryption Standard (AES) • security strength >= 3DES • improved efficiency • must be a symmetric block cipher (128-bit) • key lengths of 128, 192, and 256 bits

  4. Evolution of AES • The Previous algorithms like DES were not secure enough after the inclusion of fastest computing technologies. • AES has key sizes of 128,192 and 256 bits which were higher than that of previous one. • No method exists to break the AES key even if a key is found @ 1 second, it would still take 149 trillion years to crack the 128-bit AES key.

  5. AES Evaluation Criteria • Criteria used by NIST to evaluate potential candidates • Initial Criteria: • Security • Cost • Algorithm characteristics • Final Criteria: • General Security • Software Implementations • Restricted-space environments • Flexibility • Hardware Implementations • Attacks on Implementations • Encryption vs. Decryption • Key agility

  6. Rounds of Evaluation • First round of evaluation • 15 proposed algorithms accepted • Second round • 5 proposed algorithms accepted • Final Standard - November 2001 • Rijndael selected as AES algorithm • Created by Dr. Joan Daemen and Dr. Vincent Rijmen

  7. What makes Rijndael stand out? • The Symmetric and parallel structure • gives implementers a lot of flexibility • Has not allowed effective cryptanalytic attacks. • Well adapted to modern processors • Pentium • RISC and parallel processors • Suited for Smart cards • Flexible in dedicated hardware

  8. AES Formation • AES uses Block Cipher technique • A block cipher is a type of symmetric-key encryption algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of Cipher text (encrypted text) data of the same length

  9. AES Requirements • Symmetric Cipher • Block size must be at least 128 bits; keys of 128,192 and 256 must be applicable. • It should resist to all known methods of cryptanalysis • No Propriety • Design simplicity • Speed and code Compactness on a wide range of platforms.

  10. Plaintext Plaintext w[0,3] Round 10 Add round key Add round key Substitute Bytes Expand Key Inverse sub bytes Round 1 Shift Rows Inverse shift rows Mix Columns Inverse mix cols Round 9 w[4,7] Add round key Add round key . . . Inverse sub bytes Inverse shift rows Substitute Bytes . . . Round 9 Shift Rows Mix Columns Inverse mix cols Round 1 w[36,39] Add Round Key Add round key Round 10 Substitute Bytes Inverse sub bytes Shift Rows Inverse shift rows w[40,43] Add round key Add Round Key Ciphertext Ciphertext

  11. Basic Operations • The Rijndael Algorithm is a block cipher that encrypt blocks of 128, 192, or 256 bits. • Uses symmetric keys of 128, 192 or 256 bits. • It consists of an initial round (AddRoundKey), and r standard rounds, r is 10,12 or 14 depending on the block and key length. • The first r-1 rounds are similar and they consist of 4 transformations, called • ByteSub (Substitution Bytes) • ShiftRow (Shift Rows) • MixColumn (multiply columns) • AddRoundKey (XOR by key ) • The last round have only the transformations • ByteSub • ShiftRow • AddRoundKey

  12. Details Terms used

  13. Algorithm Parameters, Symbols, and Functions

  14. Working of Algorithm • The number of rounds for the algorithm depends on the key length and Block size.

  15. Building Blocks • Key schedule to provide K[r]. • Key scheduling is to generate the subkeys K[r]. • Encryption (10 rounds in 128 bits case) • Transformation of plain text to cipher text.

  16. Illustration by Example • Consider Matrix B[ji] which is B[00] B[01] B[02] B[03] B[10] B[11] B[12] B[13] B[20] B[21] B[22] B[23] B[30] B[31] B[32] B[33] In the 192 bits case, we have to add 2 columns more In the 256 bits case, we have to add 4 columns more All transformations are applied to B, except AddRoundKey(B,Kr), it has another input, the sub-key K[r][ji]. The sub-keys K[r] that it generates are loaded in a linear array W. The lenght of the array W depend on the block and key length, it provides the sub-keys K[r] to every round r.

  17. Plain Text • B = 000102030405060708090A0B0C0D0E0F • Key • K = 000102030405060708090A0B0C0D0E0F

  18. Key Schedule • The key schedule is used to provide the sub-keys K[r] • Beginning with the key K, we extend it (called Key Expansion), and get the linear array W. W is an array with 4-byte words [Nb*(Nr+1)], where Nb is the number of columns of the matrix B[i,j], and Nr is the number of rounds. Here Nb=4, Nr=10, so W have [4*(10+1)] = 44 words of 32b. • Every block of 4 words have 128b and it is the sub-key [r]. • The first sub-key is K[0] = (W[0],W[1],W[2],W[3]), which is the copy of the key K • The next sub-keys are derived from the K[0]. The rule is

  19. Rule to Derive the Sub-Keys W[4] = W[0] xor temp1 W[5] = W[1] xor W[4] W[6] = W[2] xor W[5] where i mod Nk <> 0, the rule is: W[7] = W[3] xor W[6] W [i] = W[i-Nk] xor W[i-1], W[8] = W[4] xor temp2 with Nr=4. ... where i mod Nk = 0, we have W[42] = W[38] xor W[41] W[i] = W[i-Nk] xor tempk, where W[43] = W[39] xor W[42] tempk = SubByte[Shift(1)(W[i-1])] xor rcon[k] SubByte is applied to W[i-1] with a byte shifted, and rcon[k], is defined as rcon[k] = (RC[k], 00, 00, 00), with RC[1] =1, and RC[k] = X*RC[k-1] = X^(k-1), are elements in GF(2^8). k = i/Nk, i = 4,8,12,...,44 and Nk=4

  20. Rcon[1]=[01,00,00,00] Rcon[2]=[02,00,00,00] Rcon[3]=[04,00,00,00] Rcon[4]=[08,00,00,00] Rcon[5]=[10,00,00,00] Rcon[6]=[20,00,00,00] Rcon[7]=[40,00,00,00] Rcon[8]=[80,00,00,00] Rcon[9]=[1B,00,00,00] Rcon[10]=[36,00,00,00] Round Constant Word Array rcon[k]

  21. The Sub-Key K[0] • 00 04 08 0C • 01 05 09 0D • 02 06 0A 0E • 03 07 0B 0F

  22. Evaluation of W[i] • When i is multiple of 4 The rule is W[i] = W[i-4] xor SubByte[Shift(1)(W[i-1])] xor rcon[k] W[4] = W[0] xor SubByte(S(1)(W[3])) D6 = 00 xor D7 AA = 01 xor AB 74 = 02 xor 76 FD = 03 xor FE W[4][0] = W[4][0] xor rcon[1] D6 = D7 xor 02

  23. Determination of SubByte Values • The S-box used in the SubBytes() transformation is presented in hexadecimal form in next Figure • For example, for {53} then the substitution value would be determined by the intersection of the row with index ‘5’ and the column with index ‘3’ in Figure. This would result in a value of {ED}.

  24. SubBytes Transformation

  25. Evaluation of W[i] • When i is not a multiple of 4 The rule is W[i] = W[i-4] xor W[i-1] W[5] = W[1] xor W[4] W[6] = W[2] xor W[5] W[7] = W[3] xor W[6] D2 = 04 xor D6 DA = 08 xor D2 D6 = 0C xor DA AF = 05 xor AA A6 = 09 xor AF AB = 0D xor A6 72 = 06 xor 74 78 = 0A xor 72 76 = 0E xor 78 FA = 07 xor FD F1 = 0B xor FA FE = 0F xor F1

  26. Sub-Key K[1] • D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE

  27. Home Work • Find All Remaining Sub-Keys

  28. Remaining Keys • Sub-Key K[1] = D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE • Sub-Key K[2] = B6 92 CF 0B 64 3D BD F1 BE 9B C5 00 68 30 B3 FE • Sub-Key K[3] = B6 FF 74 4E D2 C2 C9 BF 6C 59 0C BF 04 69 BF 41 • Sub-Key K[4] = 47 F7 F7 BC 95 35 3E 03 F9 6C 32 BC FD 05 8D FD • Sub-Key K[5] = 3C AA A3 E8 A9 9F 9D EB 50 F3 AF 57 AD F6 22 AA • Sub-Key K[6] = 5E 39 0F 7D F7 A6 92 96 A7 55 3D C1 0A A3 1F 6B • Sub-Key K[7] = 14 F9 70 1A E3 5F E2 8C 44 0A DF 4D 4E A9 C0 26 • Sub-Key K[8] = 47 43 87 35 A4 1C 65 B9 E0 16 BA F4 AE BF 7A D2 • Sub-Key K[9] = 54 99 32 D1 F0 85 57 68 10 93 ED 9C BE 2C 97 4E • Sub-Key K[10]= 13 11 1D 7F E3 94 4A 17 F3 07 A7 8B 4D 2B 30 C5

  29. Encryption • Initial Round ( Key addition ) This transformation applies a XOR between every entry of matrices B[j,i] and K[0][j,i], i.e. B[j,i] = B[j,i] XOR K[0][j,i] B[j,i] K[0][j,i] B[j,i] 00 04 08 0C 00 04 08 0C 00 00 00 00 01 05 09 0D 01 05 09 0D 00 00 00 00 XOR = 02 06 0A 0E 02 06 0A 0E 00 00 00 00 03 07 0B 0F 03 07 0B 0F 00 00 00 00

  30. Round 1 ( Byte Substitution) • This transformation replaces every entry of the input B[j,i] by the result of two operations • The first operation maps entries to their multiplicative inverse in GF(28). Every entry (a byte) has a polynomial representation with the irreducible polynomial f(x)=x8+x4+x3+x+1 • The zero is mapped to zero.

  31. Linear Transformation LT • Here is the calculation for the entry (3,3), LT(a[3,3]-1) • |y0| |10001111||0| |1| 63 63 63 63 • |y1| |11000111||0| |1| • |y2| |11100011||0| |0| 63 63 63 63 • |y3| |11110001||0| |0| LT(a[j,i]-1) = • |y4|= |11111000||0|+|0| 63 63 63 63 • |y5| |01111100||0| |1| • |y6| |00111110||0| |1| 63 63 63 |63 | • |y7| |00011111||0| |0| |___| • The second operation applies a linear transformation from GF(28) to GF(28) for every entry (byte) of the matrix. • The inputs are the bits x7,..,x0 in a[j,i]-1 and the outputs are y7,..,y0, this is the new element B[j,i] And this is the final output in the transformation SubByte ( For Easiness refer to the same table used in key scheduling)

  32. Shift Rows

  33. This transformation is applied to the rows of B[j,i], it shifts bytes in the rows. Row 1 is not shifted, row 2 is shifted 1 byte, row 3 shifted 2 bytes and row 4, 3 bytes (this is in our case of 128b). In the case of 192 the same applies. In the case of 256 the only change is that rows 3 and 4 are shifted 3 and 4 bytes respectively.

  34. 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 Shift(a[j]) = 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63

  35. Mix Column • This transformation is applied to the columns of B[j,i], we can see each column as a polynomial of GF(28)[x] • So Mixcolumn multiplies each column by the constant polynomial c(x)=03x3 + 01x2 + 01x + 02 • The coeficients are shown in hexadecimal, and they are in GF(28).

  36. MixColumns Transformation

  37. 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 MixColum(a[j]) = 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63 63

  38. Key Addition • This transformation only does an XOR between every entry the matrix B[j,i] and every entry of K[r][j,i] from the Key schedule. B[j,i] = B[j,i] XOR K[r][j,i]. • This is the final of the round r, and the partial vector test CT[r]

  39. 63 63 63 63 D6 D2 DA D6 B5 B1 B9 B5 63 63 63 63 AA AF A6 AB C9 CC C5 C8 XOR = 63 63 63 63 74 72 78 76 17 11 1B 15 63 63 63 63 FD FA F1 FE 9E 99 92 9D

  40. Cipher Text ( CT[1]) • B5 C9 17 9E B1 CC 11 99 B9 C5 1B 92 B5 C8 15 9D

  41. Home Work • Do the remaining rounds by taking the CT[1] and apply the same steps. • The last round would not have any Mix Column transformation

  42. Advantages • Implementation aspects: • Rijndael can be implemented to run at speeds unusually fast for a block cipher on a Pentium (Pro). There is a trade-off between table size/performance. • Rijndael can be implemented on a Smart Card in a small amount of code, using a small amount of RAM and taking a small number of cycles. There is some ROM/performance trade-off. • The round transformation is parallel by design, an important advantage in future processors and dedicated hardware. • As the cipher does not make use of arithmetic operations, it has no bias towards big or little endian processor architectures.

  43. Simplicity of Design: • The cipher is fully “self-supporting”. It does not make use of another cryptographic component, S-boxes “lent” from well-reputed ciphers, bits obtained from Rand tables, digits of p or any other such jokes. • The cipher does not base its security or part of it on obscure and not well understood interactions between arithmetic operations. • The tight cipher design does not leave enough room to hide a trapdoor.

  44. Variable block length: • The block lengths of 192 and 256 bits allow the construction of a collision-resistant iterated hash function using Rijndael as the compression function. The block length of 128 bits is not considered sufficient for this purpose nowadays. • Extensions: • The design allows the specification of variants with the block length and key length both ranging from 128 to 256 bits in steps of 32 bits. • Although the number of rounds of Rijndael is fixed in the specification, it can be modified as a parameter in case of security problems.

  45. Limitations • The inverse cipher is less suited to be implemented on a smart card than the cipher itself: it takes more code and cycles. (Still, compared with other ciphers, even the inverse is very fast) • In software, the cipher and its inverse make use of different code and/or tables. • In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.

More Related