
This Lecture:


sylvie

Presentation Transcript


  1. This Lecture: AES Key Expansion; Equivalent Inverse Cipher; Rijndael performance summary

  2. Key Expansion • Takes as input an Nb-word key and produces a linear array of Nb * (Nr+1) words. • The expanded key provides an Nb-word round key for the initial AddRoundKey() stage and for each of the Nr rounds of the cipher. • The key is first copied into the first Nb words; the remainder of the expanded key is filled in Nb words at a time.

  3. Key Expansion Pseudo Code (16-byte key)
     KeyExpansion(byte key[16], word w[44]) {
         word temp;
         // the first Nk = 4 words are the cipher key itself
         for (i = 0; i < 4; i++)
             w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
         // every further word is w[i-4] XOR a (possibly transformed) w[i-1]
         for (i = 4; i < 44; i++) {
             temp = w[i-1];
             if (i mod 4 = 0)
                 temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
             w[i] = w[i-4] XOR temp;
         }
     }

  4. Key Expansion • RotWord performs a one-byte circular left shift on a word. For example: RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0] • SubWord performs a byte substitution on each byte of the input word using the S-box. • SubWord(RotWord(temp)) is XORed with Rcon[j], the round constant.

  5. Key Expansion: The round constant, explained • The round constant is a word in which the three rightmost bytes are zero. It is different for each round and is defined as: Rcon[j] = (RC[j],0,0,0) where RC[1] = 1, RC[j] = 2 * RC[j-1] • Multiplication is defined over GF(2^8). • Values of RC[j] in hexadecimal are:

  6. Key Expansion: The round constant, example • Example of expansion of a 128-bit cipher key. Cipher key = 2b7e151628aed2a6abf7158809cf4f3c; w0 = 2b7e1516, w1 = 28aed2a6, w2 = abf71588, w3 = 09cf4f3c
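An added worked example (my code, not the lecture's): a FIPS-197 key expansion that starts from the w0..w3 above and continues the schedule, deriving the S-box and RC[j] from GF(2^8) arithmetic instead of tables. It goes beyond the slide's 128-bit case by also handling Nk = 6 and 8 (AES-192/256, where an extra SubWord step applies).

```python
# Added example, not the slides' code: FIPS-197 KeyExpansion for Nk = 4, 6, 8 words
# (AES-128/192/256), with the S-box and Rcon derived from GF(2^8) instead of tables.
def xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# Multiplicative inverses (0 maps to 0), found once by searching the field.
GF_INV = [0] + [next(y for y in range(1, 256) if gf_mul(x, y) == 1) for x in range(1, 256)]

def sbox_byte(x: int) -> int:
    """S-box: GF(2^8) inverse, then the affine transform with constant 0x63."""
    b = s = GF_INV[x]
    for i in range(1, 5):                    # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63

def rc(j: int) -> int:
    """RC[1] = 1, RC[j] = 2 * RC[j-1], the doubling done in GF(2^8)."""
    v = 1
    for _ in range(j - 1):
        v = xtime(v)
    return v

rot_word = lambda w: w[1:] + w[:1]                        # one-byte circular left shift
sub_word = lambda w: bytes(sbox_byte(b) for b in w)       # S-box on every byte
xor_words = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def key_expansion(key: bytes) -> list:
    """Return the Nb*(Nr+1) round-key words (Nb = 4) for a 16-, 24- or 32-byte key."""
    nk, rem = divmod(len(key), 4)
    if rem or nk not in (4, 6, 8):
        raise ValueError("key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [key[4 * i:4 * i + 4] for i in range(nk)]         # first Nk words = the key
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = xor_words(sub_word(rot_word(temp)), bytes([rc(i // nk), 0, 0, 0]))
        elif nk > 6 and i % nk == 4:                      # extra SubWord, AES-256 only
            temp = sub_word(temp)
        w.append(xor_words(w[i - nk], temp))
    return w
```

For the slide's key, w4 comes out as a0fafe17 and the last word w43 as b6630ca6, matching the FIPS-197 Appendix A.1 schedule.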

  7. Key Expansion: Rationale Criteria used in the key expansion algorithm's design: • Simple description. • Non-linearity – prohibits the full determination of round key differences from cipher key differences. • Diffusion – each cipher key bit affects many round key bits. • Round constant – eliminates symmetry or similarity between the ways round keys are generated. Knowledge of fewer than Nk consecutive words of either the cipher key or a round key makes it difficult to reconstruct the remaining unknown bits.

  8. Equivalent Inverse Cipher • The Rijndael decryption cipher is not identical to the encryption cipher. • Disadvantage – two separate software or hardware modules are required if performing both encryption and decryption. • There is an equivalent version of the decryption algorithm that has the same structure (the same sequence of transformations) as the encryption algorithm.

  9. InvCipher, Scheme

  10. Equivalent Inverse Cipher • The original sequence is: Encryption: SubBytes, ShiftRows, MixColumns, AddRoundKey. Decryption: InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns. • Thus InvShiftRows needs to be interchanged with InvSubBytes, and AddRoundKey with InvMixColumns.

  11. Equivalent Inverse Cipher • InvShiftRows – affects the sequence of bytes but does not alter byte content, and does not depend on the byte content to perform the transformation. • InvSubBytes – affects the content of bytes but does not alter the byte sequence, and does not depend on the byte sequence to perform the transformation. • Thus InvShiftRows and InvSubBytes can be interchanged. For a given state S, InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))

  12. Equivalent Inverse Cipher • If the key is viewed as a sequence of words, then both AddRoundKey and InvMixColumns operate on the state one column at a time. • These operations are linear with respect to the column input. For state S and round key w: InvMixColumns(S XOR w) = [InvMixColumns(S)] XOR [InvMixColumns(w)]

  13. Equivalent Inverse Cipher • Thus InvMixColumns and AddRoundKey can be interchanged.
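An added check (my code, not the lecture's) of the two interchange properties from slides 11 and 12 on a real 16-byte state: InvMixColumns over GF(2^8) commuting with the round-key XOR, and InvShiftRows commuting with a per-byte substitution. The AES inverse S-box is not implemented; a labelled stand-in bijection STANDIN_SUB is assumed instead, since the argument depends only on the substitution acting byte by byte.

```python
# Added example, not the slides' code: checks the two interchange properties behind the
# equivalent inverse cipher on a 16-byte state in FIPS-197 layout (state[4*c + r] = row r, column c).

def xtime(a: int) -> int:
    """Multiply by 2 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1

def mul(a: int, c: int) -> int:
    """Multiply a by a small constant c (9, 11, 13 or 14 here) in GF(2^8)."""
    r, p = 0, a
    for bit in range(4):
        if c >> bit & 1:
            r ^= p
        p = xtime(p)
    return r

INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def inv_mix_columns(s: bytes) -> bytes:
    """Each column is multiplied by the fixed matrix INV_MIX over GF(2^8)."""
    out = bytearray(16)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (mul(col[0], INV_MIX[r][0]) ^ mul(col[1], INV_MIX[r][1])
                              ^ mul(col[2], INV_MIX[r][2]) ^ mul(col[3], INV_MIX[r][3]))
    return bytes(out)

def inv_shift_rows(s: bytes) -> bytes:
    """Row r is rotated right by r positions; byte values are untouched."""
    out = bytearray(16)
    for r in range(4):
        for c in range(4):
            out[4 * ((c + r) % 4) + r] = s[4 * c + r]
    return bytes(out)

def byte_map(s: bytes, table) -> bytes:     # per-byte substitution, positions untouched
    return bytes(table[b] for b in s)

# Stand-in bijection for the InvSubBytes table (NOT the AES inverse S-box): the
# interchange argument depends only on the substitution acting byte by byte.
STANDIN_SUB = [(7 * b + 3) & 0xFF for b in range(256)]

def inv_mix_commutes_with_add_round_key(state: bytes, w: bytes) -> bool:
    """Slide 12: InvMixColumns(S xor w) == InvMixColumns(S) xor InvMixColumns(w)."""
    return inv_mix_columns(xor(state, w)) == xor(inv_mix_columns(state), inv_mix_columns(w))

def shift_rows_commutes_with_sub_bytes(state: bytes, table=STANDIN_SUB) -> bool:
    """Slide 11: InvShiftRows(InvSubBytes(S)) == InvSubBytes(InvShiftRows(S))."""
    return inv_shift_rows(byte_map(state, table)) == byte_map(inv_shift_rows(state), table)
```

In practice the equivalent inverse cipher applies InvMixColumns to each round key once at key setup, which is the right-hand side of the slide 12 identity computed ahead of time.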

  14. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) General Security: • Rijndael has no known security attacks and has an adequate security margin. • Received some criticism suggesting its simple mathematical structure may lead to attacks. On the other hand, the simple structure may have facilitated the security analysis.

  15. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) Software Implementation: • Performs encryption and decryption very well across a variety of platforms (including 8-bit, 32-bit and 64-bit processors). • There is a decrease in performance with larger key sizes because of the increased number of rounds. • High parallelism facilitates the efficient use of processor resources. • Very well suited for restricted-space environments (small amounts of RAM and/or ROM) where either encryption or decryption is performed (but not both).

  16. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) Hardware Implementation: • Has the highest throughput for feedback modes and the second highest for non-feedback modes. • Efficiency is generally very good. Attacks on Implementation: • Timing Attacks – attacks on operations that execute in different amounts of time. The general defense is to make encryption and decryption run in the same amount of time.

  17. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) Attacks on Implementation, continued: • Power Attacks – attacks on operations that use different amounts of power. The general defense is to process the data and its complement (nearly) simultaneously. • Boolean operations, table lookups and fixed shifts/rotations are the easiest operations to defend against these attacks. • The use of masking (executing the same operation twice to mask power consumption) does not cause significant performance degradation.

  18. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) Key Agility: • Defined as the ability to change keys quickly and with a minimum of resources. • Provides on-the-fly subkey computation (computation of the specific subkey needed for a particular round just prior to its use in the round). • The first decryption subkey cannot be generated directly from the original key, so there is a need to step through all the subkeys. This places a slight resource burden on key agility.

  19. Rijndael performance summary (as evaluated by the National Institute of Standards and Technology) Encryption vs. Decryption: • Speed does not vary significantly between encryption and decryption, although key setup is slower for decryption.
