UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
sheet7.pdf
1. January 26, 2012 1
Cryptography and Network Security
Lecture 6: Advanced Encryption Standard (AES)
Ion Petre
Department of IT, Åbo Akademi University
Spring 2012
http://users.abo.fi/ipetre/crypto/
http://users.abo.fi/ipetre/crypto/
2. January 26, 2012 2
Origin of AES
1999: NIST indicates that DES should be replaced as a standard
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
Triple-DES should be used before a new standard is approved
3DES has 168-bit key: brute-force attack is infeasible
Same engine as for DES is running – software/hardware can be reused
Confident that no effective attack exists: DES has been around for a long time
As far as security is concerned, 3DES is ideal to replace DES
Drawbacks of 3DES
Relatively slow software implementations – DES was designed for 1970’s hardware
DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
http://users.abo.fi/ipetre/crypto/
3. January 26, 2012 3
Requirements for the new standard
Private key symmetric block cipher
128-bit data, 128/192/256-bit keys
Stronger and faster than 3DES
Active life of 20-30 years (+ archival use)
Provide full specification and design details
Both C and Java implementations
NIST have released all submissions & unclassified analyses
http://users.abo.fi/ipetre/crypto/
4. January 26, 2012 4
AES Evaluation Criteria
Initial criteria:
security – effort to practically cryptanalyze
cost – computational efficiency, so as to be used in high-speed applications, such as
broadband links
algorithm and implementation characteristics: should be suitable for a variety of
soft/hard implementations, simple enough to make analysis straightforward
Final criteria
general security: this was conducted by the public (academic) cryptographic
community: people published various attacks and weaknesses of the candidates
software and hardware implementation ease: execution speed, performance on
various platforms, variation of speed with key size
Attacks on implementation: timing attacks and power analysis
Multiplication consumes more power and takes more time than addition
Writing 1s consumes more power and takes more time than writing 0s
Flexibility (in encryption/decryption, key change, other factors)
http://users.abo.fi/ipetre/crypto/
5. January 26, 2012 5
AES Shortlist
After testing and evaluation, shortlist in Aug-99:
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin
Serpent (Euro) - slow, clean, v. high security margin
Twofish (USA) - complex, v. fast, high security margin
Then subject to further analysis & comment
Analysed contrast between algorithms with
few complex rounds vs. many simple rounds
which refined existing ciphers vs. new proposals
http://users.abo.fi/ipetre/crypto/
6. January 26, 2012 6
The AES Cipher – Rijndael
Designed by Rijmen-Daemen in Belgium
128/192/256-bit keys, 128 bit data
Does not have the structure of a classical feistel cipher
treats data in 4 groups of 4 bytes
operates an entire block in every round
Designed to be:
resistant against known attacks
speed and code compactness on many platforms
design simplicity
Decryption algorithm different than the encryption
http://users.abo.fi/ipetre/crypto/
7. January 26, 2012 7
Rijndael
Processes data as 4 groups of 4 bytes – 128-bit block
Input block copied into State array, modified at each stage of encryption
or decryption and copied to the output matrix after the final round
has 9/11/13 rounds (depending on which variant is used) in which State
undergoes:
byte substitution (one S-box used on every byte)
shift rows: a simple permutation
mix columns: substitution using arithmetic in GF(28)
add round key (XOR State with the round key)
initial XOR of the plaintext with a round key
There is an incomplete last round (the 10th/12th/14th)
Note: all operations can be combined into XOR and table lookups - hence
very fast and efficient
http://users.abo.fi/ipetre/crypto/
8. Structure of AES
January 26, 2012 http://users.abo.fi/ipetre/crypto/ 8
Source: Stallings, fig 5.1
9. January 26, 2012 10
Rijndael – the structure
Discuss each of the four stages in each round
For each stage, describe the encryption and decryption algorithms
Describe the rationale of each stage
Describe key expansion
Each stage operates on the 128-bit State, i.e., 16 bytes – these will be
treated as a 4x4 matrix of bytes
The first four bytes are on the first column, the following 4 on the second
column, etc.
In this description we assume key length of 128
Details are only slightly different for longer keys
The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a
number from 0 to 255): first 4 bytes on the first column, following 4 on the
2nd columns, etc.
The key is expanded in an array of 44 words – each word has 4 bytes;
these key words are used throughout the rounds: in each XOR are involved
4 words
http://users.abo.fi/ipetre/crypto/
10. January 26, 2012 11
Rijndael data structures
http://users.abo.fi/ipetre/crypto/
12. January 26, 2012 13
Substitute bytes transformation
Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6},
{CF}
SubBytes is a simple table lookup (see next slide)
table of 16x16 bytes containing a permutation of all 256 8-bit values
Each byte of state is replaced by a byte in the table
The row is given by the leftmost 4-bits of the byte
The column is given by the rightmost 4-bits of the byte
Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5:
{2A} (see next slide)
For decryption, use the inverse S-box
http://users.abo.fi/ipetre/crypto/
13. January 26, 2012 14
The S-box transformation
http://users.abo.fi/ipetre/crypto/
14. January 26, 2012 15
AES S-boxes
http://users.abo.fi/ipetre/crypto/
15. January 26, 2012 16
How is the S-box constructed?
S-box is constructed using a certain transformation of the values in GF(28)
Designed to be resistant to all known attacks
1. Initialize the S-box with the byte values in ascending order row by row: first row
contains {00}, {01}, {02}, …,{0F}, second row contains {10}, {11}, {12},…,{1F},
etc.
2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(28), {00} is
mapped to itself
3. Each byte in the S-box is a sequence of 8 bits (b7,b6,…,b1,b0). Apply the
following transformation to each bit of each byte:
bi’=bi⊕b(i+4)mod 8⊕b(i+5)mod 8⊕b(i+6)mod 8⊕b(i+7)mod 8⊕ci
where ci is the ith bit of {63}: (c7,c6,c5,c4,c3,c2,c1,c0)=(01100011)
http://users.abo.fi/ipetre/crypto/
16. January 26, 2012 17
How are the S-boxes constructed?
Note that the Step 3 in producing the S-box is the transformation shown
bellow – in there, the addition is XOR and the multiplication is the
normal multiplication of 0 and 1 (i.e., operations in Z2)
http://users.abo.fi/ipetre/crypto/
17. January 26, 2012 18
How are the S-boxes constructed?
The inverse S-box (used in the decryption) is computed as follows:
1. Apply to the S-box the inverse of the transformation in Step 3 (multiply
with the inverse of the matrix shown on the previous slide):
bi’=bi ⊕ b(i+2)mod 8 ⊕ b(i+5)mod 8 ⊕ b(i+7)mod 8 ⊕ di
where byte d={05}, i.e., d=(00000101)
2. Replace each byte of the table with its multiplicative inverse in GF(28)
http://users.abo.fi/ipetre/crypto/
18. January 26, 2012 19
Why are the S-boxes constructed in this way?
The S-box should be resistant to known cryptanalytical attacks
Low correlation between input bits and output bits
Output cannot be described as a simple math function of the input
The transformation was chosen so that the S-box has no fixed point (S-
box(a)=a) and no opposite fixed points (S-box(a)=a’, where a’ is the
bitwise complement of a)
S-box should be invertible
S-box should not be self-inverse (avoid S-box(a)=IS-box(a))
http://users.abo.fi/ipetre/crypto/
20. January 26, 2012 21
Shift Row Transformations
For encryption, circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
For decryption, all shifts are done to right
Why this particular shift?
Since state is processed by columns, this step permutes bytes between the
columns
The 4 bytes of one column are spread out to 4 different columns
This step provides “permutation” of the data, whereas the other steps
provide substitutions (recall Shannon’s S-P networks)
http://users.abo.fi/ipetre/crypto/
23. January 26, 2012 http://users.abo.fi/ipetre/crypto/ 24
Mix Column
Transformations
24. January 26, 2012 25
Mix Columns
MixColumns operates on each column independently
Each byte is replaced by a value dependent on all 4 bytes in its
column, where all operations are done in GF(28), with m(x)=
x8+x4+x3+x+1
s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
for all 0≤j ≤3.
http://users.abo.fi/ipetre/crypto/
25. January 26, 2012 26
Mix Columns
MixColumns is in fact a matrix multiplication in GF(28) using prime
polynomial m(x) =x8+x4+x3+x+1
Why those constants in the matrix?
Equivalent definition: take each column as a polynomial of degree at most 3 and
multiply it with {03}x3+{01}x2+{01}x+{02} mod x4+1
Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and
XOR
Gives good mixing of the bytes within each column
Combined with the “shift rows” step, it provides good avalanche, so that within a
few rounds, all output bits depend on all input bits.
http://users.abo.fi/ipetre/crypto/
26. January 26, 2012 27
Example on how to do computations in GF(28)
An element of GF(28) is a byte (b7,b6,…,b1,b0) or, equivalently, a polynomial of
degree at most 7 with coefficients 0 and 1:
f(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
Doing computations with polynomials in GF(28) can be implemented easily as
operations with bytes
Addition u⊕v is simply bitwise XOR of the two bytes
Multiplication u v more complicated: a series of is shift & XOR – example bellow for
GF(28) with m(x)= x8+x4+x3+x+1 (as in AES)
x8 mod m(x) = (m(x)- x8) = x4+x3+x+1
Consider a byte v, i.e., polynomial in GF(28), v(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
Multiplying by x we have xv(x)=b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x
If b7=0, then the result is in GF(28). If b7=1, then we need to reduce x8 mod m(x):
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + (x4+x3+x+1)
Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a conditional XOR
with (00011011)
Multiplication by higher powers of x implies an iteration of the above procedure
http://users.abo.fi/ipetre/crypto/
27. January 26, 2012 28
Example on applying MixColumns
s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 9
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
• Consider the computation of the value on the top left corner:
({02}•{87}) ⊕ ({03}•{6E}) ⊕ {46} ⊕ {A6}
• {02}•{87}: {02}=(0000 0010) , i.e., polynomial X: we have here multiplication with X:
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + b7(x4+x3+x+1)
• Since v(X)={87}=(1000 0111), i.e., b7=1, we get
{02}•{87}=(0000 1110) ⊕ (0001 1011)=(0001 0101)
• Similarly, {03}•{6E}=(1011 0010)
• The top-left value should be:
(0001 0101) ⊕
(1011 0010) ⊕
(0100 0110) ⊕
(1010 0110) =
(0100 0111) =
{47}
http://users.abo.fi/ipetre/crypto/
28. January 26, 2012 29
Inverse Mix Columns
The inverse mix column transformation InvMixColumns is defined by
the following matrix multiplication in GF(28)
0E 0B 0D 09 S0,0 S0,1 S0,3 S0,4 S’0,0 S’0,1 S’0,2 S’0,3
09 0E 0B 0D S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3
OD 09 0E 0B S2,0 S2,1 S2,2 S2,3 = S’2,0 S’2,1 S’2,2 S’2,3
0B 0D 09 0E S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3
http://users.abo.fi/ipetre/crypto/
30. January 26, 2012 32
Add Round Key
XOR state with 128-bits of the round key
Same in the decryption – use the round keys in reverse order
⊕
http://users.abo.fi/ipetre/crypto/
31. January 26, 2012 33
AES Key Expansion
Takes 128-bit (16-byte) key and expands into an array of 44 32-bit words
(each word has 4 bytes)
KeyExpansion(byte key[16], word w[44])
{
Word temp;
For (i=0;i<4; i++) // key is copied into the first 4 words
w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3])
For (i=4;i<44;i++) // the rest of the words are produced here
{
temp=w[i-1];
if (i mod 4 == 0)
temp=SubWord( RotWord(temp) ) ⊕ Rcon[i/4];
w[i]=w[i-4] ⊕ temp; // Most of the words are just XOR of two earlier values
}
}
http://users.abo.fi/ipetre/crypto/
32. January 26, 2012 34
AES key expansion
Key is copied first into the first 4 words of the expanded key
Each added word depends on the previous word and on the one 4 positions
earlier
In 3 cases out of 4 a simple XOR is used
For every fourth word a more complex function is used
RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is
transformed into [b1,b2,b3,b0]
SubWord performs a byte substitution on each byte of the input word, using the
S-box of AES
Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric
progression with rate 2 computed in GF(28):
J 1 2 3 4 5 6 7 8 9 10
Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36}
http://users.abo.fi/ipetre/crypto/
33. January 26, 2012 35
AES Decryption
AES decryption is not identical to encryption since steps must be
performed in reverse
This is a disadvantage because different software is needed for encryption
and decryption
Encryption is an interation of SubBytes, ShiftRows, MixColumns,
AddRoundKey
Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey,
InvMixColumns
Decryption can be modified to use the encryption software (switch the
order of the first two operations and the order of the last two operations
in each round), provided we operate a small change in the key
expansion
Before we apply AddRoundKey in each round, we apply InvMixColumns to
the matrix formed by the 4 words participating in the current round
http://users.abo.fi/ipetre/crypto/
34. January 26, 2012 36
Implementation aspects: AES Round with State seen as an
array with 16 bytes rather than as a 4x4 matrix
http://users.abo.fi/ipetre/crypto/
35. January 26, 2012 37
Implementation Aspects
Can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is simple byte shifting
add round key works on byte XORs
mix columns requires matrix multiply in GF(28) which works on byte
values, can be simplified to use a table lookup
http://users.abo.fi/ipetre/crypto/
36. January 26, 2012 38
Implementation Aspects
Can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups
+ 4 XORs
at a cost of 16Kb to store tables
Designers believe this very efficient implementation was a key factor
in its selection as the AES cipher
http://users.abo.fi/ipetre/crypto/