
Lecture 5 The Advanced Encryption Standard (AES)


Presentation Transcript


  1. Lecture 5 The Advanced Encryption Standard (AES)

  2. On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for the AES algorithms was formally made on September 12, 1997.

  3. The requirements of the AES are as follows: (1) The call stipulated that the AES would specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s). (2) The algorithm(s) must support (at a minimum) a block size of 128 bits and key sizes of 128, 192, and 256 bits, and should have a strength at the level of triple DES, but should be more efficient than triple DES. (3) It should work on a variety of different hardware. (4) The algorithm(s), if selected, must be available royalty-free, worldwide.

  4. On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called the Round 1). The Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.

  5. The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (the Round 2).

  6. In Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations and implementation issues. On October 2, 2000, NIST announced that it had selected Rijndael to propose for the AES.

  7. Outline
     • About the Finite Field GF(p^n)
     • The Basic Algorithm
     • The Layers
     • Decryption
     • Design Consideration
     • Implementation Concerns
     • Positive Impact of the AES
     • Modes of Operation
     • Message Authentication Code

  8. 1 About the Finite Field GF(p^n)

  9. 1.1 The Construction of the Finite Field GF(p^n)

  10. 1.2 Division

  11. 1.3 GF(2^8)

  12. 2 The Basic Algorithm For simplicity, we restrict to 128 bits and first give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key, which is the original 128-bit key itself. A round starts with an input of 128 bits and produces an output of 128 bits.

  13. There are four basic steps, called layers, that are used to form the rounds: (1) The ByteSub (SB) transformation: this non-linear layer provides resistance to differential and linear cryptanalysis attacks. (2) The ShiftRow (SR) transformation: this linear mixing step causes diffusion of the bits over multiple rounds. (3) The MixColumn (MC) transformation: this layer has a purpose similar to ShiftRow. (4) AddRoundKey (ARK): the round key is XORed with the result of the above layer.

  14. A round is then ByteSub, ShiftRow, MixColumn, AddRoundKey, applied in that order. # The final round omits the MixColumn layer.

  15. 3 The Layers

  16. 3.1 The ByteSub Transformation

  17. 3.1 The ByteSub Transformation (Continued)

  18. 3.2 The ShiftRow Transformation

  19. 3.3 The MixColumn Transformation

  20. 3.4 The RoundKey Addition

  21. 3.5 The Key Schedule

  22. 3.6 The Construction of the S-Box

  23. 3.6 The Construction of the S-Box (Continued)

  24. 4 Decryption Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible: (1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS). (2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).

  25. (3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix shown on the slide. (4) AddRoundKey is its own inverse.

  26. # So that decryption keeps the same structure as encryption, MC is omitted in the last round of encryption.

  27. 5 Design Consideration (1) The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES. (2) Unlike a Feistel system, all bits are treated uniformly. This has the effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.

  28. (3) The S-box is constructed in an explicit and simple algebraic way so as to avoid any mystery about trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks. (4) The SR step is added to resist truncated differentials and the Square attack. (5) The MC causes diffusion among the bytes.

  29. (6) The ARK involves nonlinear mixing of the key bits. The mixing is designed to resist attacks in which part of the key is already known. The round constants are used to eliminate symmetries. (7) The number of rounds was chosen to be 10 because, as of 2004, there were attacks better than brute force up to seven rounds. No known attack beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety.

  30. 6 Implementation Concerns We have seen that the Rijndael internal functions are very simple and operate in trivially small algebraic spaces. As a result, implementations of these internal functions can be made extremely efficient. From our descriptions of the Rijndael internal functions, SB/ISB and MC/IMC deserve consideration for fast implementation.

  31. (1) For SB/ISB, we suggest using the "S-box lookup" method: a small S-box with 2^8 = 256 pairs of bytes can be built once and used forever (i.e., the table can be "hardwired" into hardware or software implementations). The "S-box lookup" method is not only efficient but also prevents a timing analysis attack, which is based on observing the difference in operation time for different data, a difference that may reveal whether an operation is performed on bit 0 or bit 1.

  32. (2) In MC, multiplication between elements in GF(2^8) can also be realized via a "table lookup" method: z = xy (field multiplication) where x ∈ {01, 10, 11} and y ∈ GF(2^8). Further notice that the byte 01 is simply the multiplicative identity in the field, i.e., 01·y = y. Thus, an implementation (either in software or hardware) of this multiplication table only needs 2 × 256 = 512 entries. This small table is not much larger than the one every primary school pupil has to recite. This realization is not only fast but also decreases the risk of the timing analysis attack.

  33. (3) IMC is not quite as fast as MC. This is because the entries in the 4×4 matrix for IMC are more complex than those for MC, so decryption runs about 30% longer than encryption on such processors. However, in some applications, decryption is not needed.
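The building blocks of sections 2, 3 and 6 in working form, as an added example that is not the lecture's code: the GF(2^8) multiply of section 1.3, the S-box built as multiplicative inverse followed by the affine map (section 3.6), the four layers of one round on a column-major 4×4 state, and the 2 × 256 lookup table for the MixColumn multiplications by 02 and 03. Values are checked against the FIPS-197 test vectors; the function names are this example's own.

```python
# Added example (not the lecture's code): AES building blocks over GF(2^8).
# Field multiply (1.3), S-box as inverse + affine map (3.6), the four layers
# of one round on a column-major 4x4 state (2-3), and the 2 x 256 lookup
# tables for MixColumn (6).

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:            # reduce once the degree reaches 8
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """S[x] = affine(x^-1) in GF(2^8), with 0 mapped to 0 before the affine."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    sbox = []
    for b in inv:
        s = b                    # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)    # then add the constant 63
    return sbox

SBOX = build_sbox()
MUL2 = [gf_mul(2, y) for y in range(256)]   # the 512-entry table of section 6:
MUL3 = [gf_mul(3, y) for y in range(256)]   # 01*y = y needs no storage

# The state is 16 bytes in column-major order: st[r + 4*c] is row r, column c.
def byte_sub(st):
    return [SBOX[b] for b in st]
def shift_row(st):               # row r is rotated left by r positions
    return [st[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_column(st):              # each column times the MC circulant matrix
    out = []
    for c in range(4):
        a0, a1, a2, a3 = st[4 * c:4 * c + 4]
        out += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3, a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3], MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
    return out
def add_round_key(st, rk):
    return [s ^ k for s, k in zip(st, rk)]
def aes_round(st, rk, last=False):  # SB, SR, MC (omitted in the last round), ARK
    st = shift_row(byte_sub(st))
    return add_round_key(mix_column(st) if not last else st, rk)
```

The timing-resistance argument of section 6 holds for tables hardwired into hardware; in software a data-dependent table index can still leak through cache timing, which is why constant-time AES implementations avoid indexed lookups.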

  34. 7 Positive Impact of the AES (1) Multiple encryption, such as triple-DES, will become unnecessary with the AES. Since multiple encryption uses several keys, avoiding multiple encryption will mean a reduction in the number of cryptographic keys that an application has to manage, and hence will simplify the design of security protocols and systems.

  35. (2) Wide use of the AES will lead to the emergence of new hash functions of compatible security strengths. In several ways, block cipher encryption algorithms are closely related to hash functions. It has been standard practice for block cipher encryption algorithms to play the role of one-way hash functions. The login authentication protocol of the UNIX operating system is a well-known example. We have seen a typical "one-way transformation" usage of the DES function in the realization of the UNIX password scheme. Another example is the use of block cipher encryption algorithms to realize (keyed) one-way hash functions.

  36. (3) Just as the DES's position as a standard attracted much cryptanalytic attention aimed at breaking the algorithm, and those efforts advanced the knowledge of block cipher cryptanalysis, the AES as the new block cipher standard will also give rise to a resurgence of research interest in block cipher cryptanalysis, which will certainly further advance knowledge in the area.

  37. 8 Modes of Operation Usually, a long message is divided into a series of sequentially listed message blocks, and the cipher processes these blocks one at a time. A number of different modes of operation have been devised on top of an underlying block cipher algorithm. These modes of operation provide several desirable properties to the ciphertext blocks, such as adding non-determinism (randomness) to a block cipher algorithm, padding plaintext messages of arbitrary length, control of error propagation, generation of a key stream for a stream cipher, etc.

  38. 8.1 Electronic Codebook (ECB)

  39. 8.1 Electronic Codebook (ECB) (Continued)

  40. 8.2 Cipher Block Chaining (CBC) (figure on the slide: plaintext blocks P1, P2, … pass through EK, with C0 chained into C1, C2, …)

  41. 8.2 Cipher Block Chaining (CBC) (Continued)

  42. 8.3 Cipher Feedback (CFB)

  43. 8.3 Cipher Feedback (CFB) (Continued)

  44. 8.3 Cipher Feedback (CFB) (Continued)
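The three modes of section 8 in working form, as an added example that is not from the lecture: each mode is layered over a 16-byte block function, and toy_e/toy_d are a constructed, deliberately insecure stand-in for AES so the code runs on its own. Function names are this example's own; input is assumed to be already padded to a multiple of the block size.

```python
# Added example (not from the lecture): ECB, CBC and CFB as in section 8,
# layered over any 16-byte block function. toy_e/toy_d are a deliberately
# trivial stand-in for AES so the example runs offline; they are NOT secure.
BLOCK = 16

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def toy_e(k, b):                    # toy block cipher: xor key, rotate left 3
    x = xor(b, k)
    return x[3:] + x[:3]

def toy_d(k, c):                    # inverse of toy_e
    return xor(c[-3:] + c[:-3], k)

def blocks(data):
    assert len(data) % BLOCK == 0, "example assumes input already padded"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, pt):             # equal plaintext blocks -> equal ciphertext
    return b"".join(toy_e(k, p) for p in blocks(pt))

def cbc_encrypt(k, iv, pt):         # C_i = E_k(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks(pt):
        prev = toy_e(k, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, iv, ct):         # P_i = D_k(C_i) xor C_{i-1}; a damaged
    out, prev = [], iv              # C_i garbles P_i and flips bits of P_{i+1}
    for c in blocks(ct):
        out.append(xor(toy_d(k, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(k, iv, pt):         # C_i = P_i xor E_k(C_{i-1}): E_k acts as a
    out, prev = [], iv              # key-stream generator, D_k is never used
    for p in blocks(pt):
        prev = xor(p, toy_e(k, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(k, iv, ct):         # decryption also calls only E_k
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, toy_e(k, prev)))
        prev = c
    return b"".join(out)
```

Encrypting a message whose first two blocks are identical shows the ECB leak (two equal ciphertext blocks) that CBC's chaining removes; flipping one bit of a CBC ciphertext block garbles that block on decryption and flips the same bit in the next block only, which is the error-propagation property the slide lists.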

  45. 9 Message Authentication Code Definition 1 A message authentication code (MAC) algorithm is a family of functions h_k parameterized by a secret key k, with the following properties: (1) Ease of computation: for a known function h_k, given a value k and an input x, h_k(x) is easy to compute. This result is called the MAC-value or MAC.

  46. (2) Compression: h_k maps an input x of arbitrary finite bit length to an output h_k(x) of fixed bit length n. Furthermore, given a description of the function family h, for every fixed allowable value of k (unknown to an adversary), the following property holds: (3) Computation-resistance: given zero or more text-MAC pairs (x_i, h_k(x_i)), it is computationally infeasible to compute any text-MAC pair (x, h_k(x)) for any new input x ≠ x_i (including possibly for h_k(x) = h_k(x_i) for some i).

  47. 9.1 Objectives of Adversaries vs. MAC The goal: without prior knowledge of the key k, compute a new text-MAC pair (x, h_k(x)) for some text x ≠ x_i, given one or more pairs (x_i, h_k(x_i)). The potential abilities of the adversaries: (1) Known-text attack. (2) Chosen-text attack: one or more text-MAC pairs (x_i, h_k(x_i)) are available for x_i chosen by the adversary. (3) Adaptive chosen-text attack: successive choices may now be based on the results of prior queries.

  48. 9.2 Types of Forgery The severity of the practical consequences may differ depending on the degree of control an adversary has over the value x for which a MAC may be forged. (1) Selective forgery: attacks whereby an adversary is able to produce a new text-MAC pair for a text of his choice (or perhaps partially under his control). (2) Existential forgery: attacks whereby an adversary is able to produce a new text-MAC pair, but with no control over the value of that text.
