
AES S-box How and Why?


sandersr




Presentation Transcript


  1. AES S-box How and Why?

  2. Notes • The general math review slides are taken from a variety of internet sources. I tried to be diligent in citing, but given the nature of basic math, I may have missed some citations. • This presentation assumes you are comfortable with symmetric ciphers as well as the details of AES.

  3. Basic Math Review: Represent decimals as polynomials

  4. Basic Math Review: Fields, groups, rings • In mathematics, and more specifically in abstract algebra, the term algebraic structure generally refers to a set with one or more operations defined on it • A group is an algebraic system consisting of a set, an identity element, one operation and its inverse operation. • A ring is an algebraic system consisting of a set, an identity element, two operations and the inverse operation of the first operation. • A field is an algebraic system consisting of a set, an identity element for each operation, two operations and their respective inverse operations. • GF(p) for any prime, p, this Galois Field has p elements which are the residue classes of integers modulo p.

  5. Basic Math Review: Galois Fields The order of the field is p^n, while p is called the characteristic of the field. Example: GF(5) = {0, 1, 2, 3, 4}, which consists of 5 elements, each of them a polynomial of degree 0 (a constant), while GF(2^3) = {0, 1, 2, 2 + 1, 2^2, 2^2 + 1, 2^2 + 2, 2^2 + 2 + 1} = {0, 1, 2, 3, 4, 5, 6, 7}, which consists of 2^3 = 8 elements, each of them a polynomial of degree at most 2 evaluated at 2.

  6. Basic Math Review: Galois Field Addition

  7. Basic Math Review: Galois Field Addition

  8. Basic Math Review: Galois Field Multiplication

  9. Basic Math Review: First refresh your memory on polynomial multiplication

  10. Basic Math Review: Polynomial Division For additional review of basic polynomial math http://www.doc.ic.ac.uk/~mrh/330tutor/ch04s02.html

  11. Basic Math Review: Galois Field Multiplication

  12. Basic Math Review: Polynomial Arithmetic • Can compute using polynomials. Several alternatives are available: ordinary polynomial arithmetic, or polynomial arithmetic with coefficients mod p.

  13. Basic Math Review: Polynomial Arithmetic • add or subtract corresponding coefficients • multiply all terms by each other. For example: let f(x) = x^3 + x^2 + 2 and g(x) = x^2 – x + 1; then f(x) + g(x) = x^3 + 2x^2 – x + 3; f(x) – g(x) = x^3 + x + 1; f(x) × g(x) = x^5 + 3x^2 – 2x + 2

  14. Basic Math Review: Polynomial Arithmetic • when computing the value of each coefficient, do the calculation modulo some value • could be modulo any prime, but we are most interested in mod 2, i.e. all coefficients are 0 or 1 • e.g. let f(x) = x^3 + x^2 and g(x) = x^2 + x + 1; then f(x) + g(x) = x^3 + x + 1; f(x) × g(x) = x^5 + x^2

  15. Basic Math Review: Polynomial Arithmetic • can write any polynomial in the form f(x) = q(x) g(x) + r(x) • can interpret r(x) as being a remainder: r(x) = f(x) mod g(x) • if there is no remainder, say g(x) divides f(x) • if g(x) has no divisors other than itself & 1, say it is irreducible (or prime) • polynomial arithmetic modulo an irreducible polynomial forms a field

  16. Basic Math Review: Polynomial Arithmetic • can compute in the field GF(2^n): polynomials with coefficients modulo 2 whose degree is less than n • hence must reduce modulo an irreducible polynomial of degree n (for multiplication only) • these form a finite field

  17. Basic Math Review: Polynomial Arithmetic Find the result of (x^5 + x^2 + x) * (x^7 + x^4 + x^3 + x^2 + x) in GF(2^8) with irreducible polynomial x^8 + x^4 + x^3 + x + 1

  18. Basic Math Review: Polynomial Arithmetic Answer • Multiply the two polynomials: (x^5 + x^2 + x) * (x^7 + x^4 + x^3 + x^2 + x) = x^5 * (x^7 + x^4 + x^3 + x^2 + x) + x^2 * (x^7 + x^4 + x^3 + x^2 + x) + x * (x^7 + x^4 + x^3 + x^2 + x) = x^12 + x^7 + x^2 (every other power appears twice and cancels, since coefficients are mod 2). • Get the result of (x^12 + x^7 + x^2) mod (x^8 + x^4 + x^3 + x + 1) = x^5 + x^3 + x^2 + x + 1

  19. Basic Math Review: Polynomial Arithmetic Polynomial Algebra • Addition is performed using an XOR operation, denoted by ⊕. For example, all notations below are equivalent: (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2 [polynomial notation]; {01010111} ⊕ {10000011} = {11010100} [binary notation]. • Multiplication in Rijndael is the multiplication of polynomials modulo the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1. For example, in polynomial notation: (x^6 + x^4 + x^2 + x + 1) • (x^7 + x + 1) = x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1, and (x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) mod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1, i.e. {57} • {83} = {c1}. The set of 256 possible byte values, with XOR used as addition and the multiplication defined as above, has the structure of the finite field GF(2^8).
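An added worked example (my code, not part of the original slides): the polynomial arithmetic of slides 13 to 19 in Python, with polynomials as coefficient lists and long division over Z_p, so each result above (the integer-coefficient products of slide 13, the mod 2 products of slide 14, and the two GF(2^8) products of slides 18 and 19) can be recomputed rather than taken on faith. Function names are mine; the only AES-specific value used is the modulus m(x) = 11B from the slides.

```python
# Polynomials are lists of coefficients, lowest degree first:
#   x^3 + x^2 + 2  ->  [2, 0, 1, 1]
# p=None means ordinary integer coefficients (slide 13); p=2 is the GF(2)[x]
# arithmetic AES uses (slides 14 to 19).

def normalize(f, p=None):
    """Reduce coefficients mod p (if given) and drop leading zero terms."""
    f = [c % p if p else c for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def _pad(f, g):
    n = max(len(f), len(g))
    return f + [0] * (n - len(f)), g + [0] * (n - len(g))

def poly_add(f, g, p=None):
    """Add corresponding coefficients."""
    f, g = _pad(f, g)
    return normalize([a + b for a, b in zip(f, g)], p)

def poly_sub(f, g, p=None):
    """Subtract corresponding coefficients (same as add when p == 2)."""
    f, g = _pad(f, g)
    return normalize([a - b for a, b in zip(f, g)], p)

def poly_mul(f, g, p=None):
    """Multiply every term by every term and collect like powers of x."""
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return normalize(out, p)

def poly_divmod(f, g, p):
    """Long division over Z_p (p prime): returns (q, r) with f = q*g + r, deg r < deg g."""
    f, g = normalize(f, p), normalize(g, p)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, p)          # inverse of g's leading coefficient mod p
    q = [0] * max(len(f) - len(g) + 1, 1)
    r = f[:]
    while len(r) >= len(g):
        shift = len(r) - len(g)            # degree of the next quotient term
        coef = (r[-1] * inv_lead) % p
        q[shift] = coef
        # subtract coef * x^shift * g(x); this cancels r's leading term exactly
        for i, c in enumerate(g):
            r[i + shift] = (r[i + shift] - coef * c) % p
        r = normalize(r, p)
    return normalize(q, p), r

def poly_from_int(n):
    """Byte/bit-string notation -> GF(2) coefficient list, e.g. 0x57 -> x^6 + x^4 + x^2 + x + 1."""
    return [(n >> i) & 1 for i in range(n.bit_length())]

def poly_to_int(f):
    return sum(c << i for i, c in enumerate(f))

def gf_mul_poly(a, b, m=0x11B):
    """Slide 19 multiplication of two bytes in GF(2^8): multiply in GF(2)[x], reduce mod m(x)."""
    prod = poly_mul(poly_from_int(a), poly_from_int(b), 2)
    _, r = poly_divmod(prod, poly_from_int(m), 2)
    return poly_to_int(r)

if __name__ == "__main__":
    print(poly_mul([2, 0, 1, 1], [1, -1, 1]))          # slide 13: x^5 + 3x^2 - 2x + 2
    print(hex(gf_mul_poly(0x26, 0x9E)))                # slide 18: 0x2f = x^5 + x^3 + x^2 + x + 1
    print(hex(gf_mul_poly(0x57, 0x83)))                # slide 19: 0xc1 = x^7 + x^6 + 1
```

The integer-coefficient case and the mod p case share one code path; only `normalize` differs, which is the point slide 14 makes: reducing coefficients modulo p is a separate step from reducing the polynomial modulo m(x).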

  20. Basic Math Review: Matrix multiplication • Here is a key point: You cannot just multiply each number by the corresponding number in the other matrix. Matrix multiplication is not like addition or subtraction. From: http://www.freemathhelp.com/matrix-multiplication.html

  21. Basic Math Review: Matrix Multiplication Continued • The first two steps From: http://www.freemathhelp.com/matrix-multiplication.html

  22. Basic Math Review: Matrix Multiplication • Steps 3 & 4 From: http://www.freemathhelp.com/matrix-multiplication.html

  23. Basic Math Review: Matrix Multiplication • Step 5 From: http://www.freemathhelp.com/matrix-multiplication.html

  24. Basic Math Review: Matrix Multiplication • Matrix multiplication is NOT commutative! Order matters! • You can multiply matrices only if the number of columns in the first matrix equals the number of rows in the second matrix. [Figure: a matrix with 2 columns times a matrix with 2 rows]

  25. Basic Math Review: Matrix Determinants To find the determinant of a 2 x 2 matrix, multiply along diagonal #1 and subtract the product along diagonal #2. [Figure: worked example with Diagonal 1 = 12 and Diagonal 2 = -2]

  26. Basic Math Review: Matrix Determinants To find the determinant of a 3 x 3 matrix, first recopy the first two columns. Then take the 6 diagonal products. [Figure: worked example with diagonal products 18, 60, 16, -24, -20, 36]

  27. Basic Math Review: Inverse Matrices • When you multiply a matrix and its inverse, you get the identity matrix.

  28. Basic Math Review: Inverse Matrices • Not all matrices have an inverse! • To find the inverse of a 2 x 2 matrix, first find the determinant. • If the determinant = 0, the inverse does not exist! • The inverse of a 2 x 2 matrix is the reciprocal of the determinant times the matrix with the main diagonal swapped and the other terms multiplied by -1.

  29. Basic Math Review: Inverse Matrices Example 1:

  30. Basic Math Review: Scalar Multiplication To do this, multiply each entry in the matrix by the number outside (called the scalar). This is like distributing a number to a polynomial. Example:

  31. AES – Rijndael mathematics • Rijndael is defined in the Galois field GF(2^8) by the irreducible polynomial P = x^8 + x^4 + x^3 + x + 1 • In hex this is 11B, in binary it is 100011011 • Why this one? "The polynomial m(x) ('11B') for the multiplication in GF(2^8) is the first one of the list of irreducible polynomials of degree 8, given in [LiNi86, p. 378]." – page 22 of AES Proposal: Rijndael • LiNi86 is R. Lidl and H. Niederreiter, Introduction to Finite Fields and Their Applications, Cambridge University Press, 1986

  32. Irreducible Polynomials A polynomial is irreducible over GF(p) if it does not factor over GF(p). Otherwise it is reducible. Examples: The same polynomial is reducible in Z5 but irreducible in Z2. Are there other irreducible polynomials of degree 8? Yes of course; the only list I am aware of is in the book cited by the inventors of Rijndael.

  33. Irreducible Polynomials You can check the same source that was cited by the inventors of Rijndael. In fact on Amazon there is the 'look inside' option, and with a bit of work you can find the table. To save you some time, here are a few irreducible polynomials from that list (in binary form; you may place them in polynomial or hex form if you wish): 100101011, 100111001, 100111111, 101001101, 101011111, 101110111, 110001011. OK, why degree 8 (9 digits)? Isn't that one too many? "Clearly, the result will be a binary polynomial of degree below 8. Unlike for addition, there is no simple operation at byte level." – page ¾ of the specification. The reason an irreducible but not primitive polynomial is used is that we are trying to make a non-linear permutation function that has diffusion, spreading input bits to output bits in a non-linear way.

  34. The Finite Field GF(2^8) • The case in which n is greater than one is much more difficult to describe. In cryptography, one almost always takes p to be 2 in this case. This section just treats the special case of p = 2 and n = 8, that is, GF(2^8), because this is the field used by the Advanced Encryption Standard (AES). • AES works primarily with bytes (8 bits), represented from the right as b7b6b5b4b3b2b1b0. The 8-bit elements of the field are regarded as polynomials with coefficients in the field Z2: • b7x^7 + b6x^6 + b5x^5 + b4x^4 + b3x^3 + b2x^2 + b1x + b0. The field elements will be denoted by their sequence of bits, using two hex digits.

  35. The multiplicative inverse • Multiplication in a Galois Field, however, requires more tedious work. Suppose f(p) and g(p) are polynomials in GF(p^n) and let m(p) be an irreducible polynomial (a polynomial that cannot be factored) of degree at least n in GF(p^n). We want m(p) to be a polynomial of degree at least n so that the product of f(p) and g(p) does not exceed 11111111 = 255, as the product needs to be stored as a byte. If h(p) denotes the resulting product, then • h(p) = (f(p) * g(p)) (mod m(p)) • On the other hand, the multiplicative inverse of f(p) is given by a(p) such that • (f(p) * a(p)) (mod m(p)) = 1

  36. The multiplicative inverse Note that calculating the product of two polynomials and the multiplicative inverse of a polynomial requires both reducing coefficients modulo p and reducing polynomials modulo m(p). The reduced polynomial can be calculated easily with long division, while the best way to compute the multiplicative inverse is by using the Extended Euclidean Algorithm. The details of the calculations in GF(2^8) are best explained in the following example. Princeton University offers this calculator for multiplicative inverses: http://www.cs.princeton.edu/~dsri/modular-inversion-answer.php?n=9&p=8 We will look at two methods for calculating the multiplicative inverse later in this lesson, but you can also use this calculator if you prefer, or the multiplicative inverse table I have provided. There is also an online calculator that does all modular arithmetic: http://ptrow.com/perl/calculator.pl

  37. More on Galois Fields • Galois Fields can be defined with various sizes, like GF(16) or GF(256). AES is not the only cryptographic algorithm to use these finite fields. Quad also uses finite fields under a polynomial modulus.

  38. Implementing GF(p^k) arithmetic Theorem: Let f(x) be an irreducible polynomial of degree k over Zp. The finite field GF(p^k) can be realized as the set of polynomials of degree at most k-1 over Zp, with addition and multiplication done modulo f(x).

  39. Example: Implementing GF(2^k) By the theorem the finite field GF(2^5) can be realized as the set of polynomials of degree at most 4 over Z2, with addition and multiplication done modulo the irreducible polynomial f(x) = x^5 + x^4 + x^3 + x + 1. The coefficients of polynomials over Z2 are 0 or 1, so a degree k polynomial can be written down with k+1 bits. For example, with k=4: x^3 + x + 1 is (0,1,0,1,1); x^4 + x^3 + x + 1 is (1,1,0,1,1)

  40. Implementing GF(2^k) Addition: bit-wise XOR (since 1+1=0)
      x^3 + x + 1        (0,1,0,1,1)
    + x^4 + x^3 + x      (1,1,0,1,0)
    -------------------------------
      x^4 + 1            (1,0,0,0,1)

  41. Implementing GF(2^k) Multiplication: polynomial multiplication, and then the remainder modulo the defining polynomial f(x): (1,1,0,1,1) * (0,1,0,1,1) = (1,1,0,0,1). For a small finite field, a lookup table is the most efficient method for implementing multiplication.

  42. Mathematical background (cont.) • Polynomials with coefficients in GF(2^8) • The operation consisting of multiplication by a fixed polynomial a(x) can be written as a matrix multiplication where the matrix is a circulant matrix. We have:

  43. What is a multiplicative inverse? • In mathematics, the reciprocal, or multiplicative inverse, of a number x is the number which, when multiplied by x, yields 1. The multiplicative inverse for the real numbers, for example, is 1/x. To avoid confusion by writing the inverse using set-specific notation, we generally write x^-1. • Zero does not have a reciprocal, as division by 0 is undefined.

  44. Multiplication of polynomials • Finite field multiplication is more difficult than addition and is achieved by multiplying the polynomials for the two elements concerned and collecting like powers of x in the result. Since each polynomial can have powers of x up to 7, the result can have powers of x up to 14 and will no longer fit within a single byte. • This situation is handled by replacing the result with the remainder polynomial after division by a special eighth-order irreducible polynomial, which, for Rijndael, is: • m(x) = x^8 + x^4 + x^3 + x + 1. Note: we will discuss why this irreducible polynomial in just a little while.

  45. Multiplying Polynomials by Repeated Shifts • The finite field element {00000010} is the polynomial x, which means that multiplying another element by this value increases all its powers of x by 1. This is equivalent to shifting its byte representation up by one bit so that the bit at position i moves to position i+1. If the top bit is set prior to this move it will overflow to create an x^8 term, in which case the modular polynomial is added to cancel this additional bit, leaving a result that fits within a single byte. • For example, multiplying {11001000} by x, that is {00000010}, the initial result is 1{10010000}. The 'overflow' bit is then removed by adding 1{00011011}, the modular polynomial, using an exclusive-or operation to give a final result of {10001011}. NOTE: This is why the implementation of creating the S-boxes includes four steps of shifting. This is, in essence, multiplying.
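The repeated-shift multiplication described on this slide, together with the bit-vector implementation of slides 39 to 41, as an added Python example (my code, not from the slides or from the Rijndael specification). It is written for a general modulus so that the GF(2^5) example of slide 41 and the AES field share one routine; the field degree k is read off the modulus, which assumes the modulus is passed with its top x^k term (0x11B for AES, 0b111011 for slide 39's f(x)). `all_invertible` is a brute-force check that ties the modulus choice of slides 32 and 33 to the field property: every nonzero element has an inverse exactly when the modulus is irreducible, so a reducible choice such as x^8 + 1 fails it.

```python
def xtime(a, mod=0x11B):
    """Multiply a field element by x: shift left one bit, then cancel the overflow
    bit (if any) by XORing in the modulus m(x). mod carries its x^k term, so the
    field degree is mod.bit_length() - 1 (k = 8 for AES)."""
    k = mod.bit_length() - 1
    a <<= 1
    if a >> k:              # the shift produced an x^k term: reduce
        a ^= mod
    return a

def gf_mul(a, b, mod=0x11B):
    """Multiply two field elements by repeated shifts: a*b is the XOR of a*x^i
    over the set bits i of b, and a*x^i is built by i applications of xtime."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a, mod)
        b >>= 1
    return result

def mul_table(mod):
    """Full multiplication table: the lookup approach slide 41 recommends for small fields."""
    n = 1 << (mod.bit_length() - 1)
    return [[gf_mul(a, b, mod) for b in range(n)] for a in range(n)]

def all_invertible(mod):
    """True iff every nonzero element has a multiplicative inverse, i.e. iff the
    arithmetic modulo mod really is a field. For GF(2)[x] this holds exactly when
    mod is irreducible, so it doubles as a brute-force irreducibility test for small k."""
    n = 1 << (mod.bit_length() - 1)
    return all(any(gf_mul(a, b, mod) == 1 for b in range(1, n)) for a in range(1, n))

if __name__ == "__main__":
    print(f"{xtime(0xC8):08b}")                          # slide 45: 10001011
    print(hex(gf_mul(0x57, 0x83)))                       # FIPS example: 0xc1
    print(f"{gf_mul(0b11011, 0b01011, 0b111011):05b}")   # slide 41: 11001
    print(all_invertible(0x11B), all_invertible(0x101))  # irreducible vs x^8 + 1
```

The same loop is what a byte-oriented AES implementation uses for the MixColumns multiplications by {02} and {03}; the lookup table is the alternative for tiny fields, and for GF(2^8) an implementer typically tabulates only the few constant multipliers needed.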

  46. Affine Transformation What is it? This concept originates in graphics, and is also used in transforming graphics. Moving pixels in one direction or another is very similar to moving a value in a matrix, so the concept gets applied to matrices (as in AES). In geometry, an affine transformation or affine map or an affinity (from the Latin, affinis, "connected with") between two vector spaces (strictly speaking, two affine spaces) consists of a linear transformation followed by a translation. In general, an affine transform is composed of linear transformations (rotation, scaling or shear) and a translation (or "shift"). Several linear transformations can be combined into a single one, so that the general formula given above is still applicable. For our purposes it is just a word for a linear transformation followed by a shift. This video also gives a good explanation: http://www.youtube.com/watch?v=4vrYNxlkrpI Now what are linear transformations? Well, for more detail: http://www.samiam.org/galois.html

  47. Rijndael Galois • The Rijndael block cipher uses finite field arithmetic in the field GF(2^8), or the Galois Field. For Rijndael we show this field as a polynomial where each b is a bit in a byte that can contain the binary value of either 1 or 0. • b7x^7 + b6x^6 + b5x^5 + b4x^4 + b3x^3 + b2x^2 + b1x + b0 • The values used in Rijndael are displayed in hexadecimal form and each hexadecimal value corresponds to a polynomial representation. For example, here is a byte containing the hexadecimal value 57 and its corresponding binary and polynomial representations: • Binary = 01010111, Polynomial = x^6 + x^4 + x^2 + x + 1

  48. Rijndael Galois • The S-box is generated by determining the multiplicative inverse for a given number in the Galois field; zero is set to zero. The multiplicative inverse is transformed using the following affine transformation • where [x0, ..., x7] is the multiplicative inverse as a vector. • Now you can do this with matrix mathematics, first multiplying the matrix by the vector, then XORing with the values in the final column. This affine transformation is the sum of multiple rotations of the byte as a vector, where addition is the XOR operation. NOTE: This is what we are duplicating in the function to create this transform that we did earlier this week.

  49. Why these choices? • We don't know all the whys of these choices, but we do know some. • The last vector that is XORed in is meant to prevent the generation of a fixed point, in other words S-box(a) = a. • The matrix obviously has meaning. Now they did not state it, but looking at it even briefly reveals a pattern. • Look at the next slide to analyze the choices.

  50. AES S-Box Design • The S-box is generated by determining the multiplicative inverse for a given number in Rijndael's Galois field. The multiplicative inverse is then transformed using the following affine transformation matrix • GF(2^8) = GF(2)[x]/(x^8 + x^4 + x^3 + x + 1). Now you can do this with the matrix math we already described, or you can do it with the function we provided to you yesterday (which is also at the end of this presentation).
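The full S-box construction described on slides 48 to 50 as an added Python example (my code, not the function handed out in the course). It computes the inverse with the Extended Euclidean Algorithm that slide 36 recommends, applies the affine transformation both as a GF(2) matrix-vector product (slides 20 to 24) and as slide 48's XOR of byte rotations, and checks slide 49's claim that the constant vector removes fixed points. The matrix rows and the constant {63} are the values published in FIPS 197; function names are my own.

```python
AES_MOD = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1, with its x^8 term
AES_C = 0x63      # the constant vector XORed in as the last step

def clmul(a, b):
    """Carry-less product in GF(2)[x], no reduction; bit i of an int is the x^i coefficient."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division in GF(2)[x]: (q, r) with a = q*b + r and deg r < deg b."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_inverse(a, mod=AES_MOD):
    """Multiplicative inverse by the Extended Euclidean Algorithm (slide 36).
    Loop invariant: t1 * a == r1 (mod m). When r1 reaches 1, t1 is a^-1.
    AES maps 0 to 0 because 0 has no inverse (slide 48)."""
    if a == 0:
        return 0
    r0, r1, t0, t1 = mod, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("no inverse: the modulus is not irreducible")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ clmul(q, t1)
    return poly_divmod(t1, mod)[1]

# The affine matrix from the slide: row i gives output bit b'_i, columns are input bits b_0..b_7.
AFFINE_M = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]

def affine_matrix(x, c=AES_C):
    """b' = M·b XOR c as a GF(2) matrix-vector product: each output bit is the dot
    product of one matrix row with the input bit vector, reduced mod 2."""
    bits = [(x >> i) & 1 for i in range(8)]
    y = 0
    for i, row in enumerate(AFFINE_M):
        y |= (sum(m * b for m, b in zip(row, bits)) % 2) << i
    return y ^ c

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine_rotations(x, c=AES_C):
    """The same map as slide 48 describes it: the byte XORed with its rotations by 1..4.
    Row i of AFFINE_M has ones at columns i, i+4, i+5, i+6, i+7 (mod 8), which is
    exactly what those four rotations contribute to output bit i."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ c

def sbox(a, c=AES_C):
    """S-box(a) = affine(a^-1): inverse first, then the affine transformation."""
    return affine_matrix(gf_inverse(a), c)

def fixed_points(c=AES_C):
    """Inputs with S(a) == a; slide 49 says the constant is there to make this empty."""
    return [a for a in range(256) if sbox(a, c) == a]

def is_permutation(c=AES_C):
    """An S-box must be invertible: every byte value appears exactly once."""
    return sorted(sbox(a, c) for a in range(256)) == list(range(256))

if __name__ == "__main__":
    print(hex(gf_inverse(0x53)), hex(sbox(0x53)))   # FIPS 197 example: 0xca, 0xed
    print(fixed_points(), fixed_points(0))           # with {63}: none; with 0: 0 is fixed
```

Dropping the constant (c = 0) leaves a purely linear map of the inverse, and 0 is then trivially a fixed point since 0 is sent to 0 and the linear map fixes 0; that is the concrete content of slide 49's remark.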
