SlideShare a Scribd company logo

sheet7.pdf

A
aminasouyah

sheet7

Engineering
1 of 36
Download to read offline
January 26, 2012 1 Cryptography and Network Security Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University Spring 2012 http://users.abo.fi/ipetre/crypto/ http://users.abo.fi/ipetre/crypto/
January 26, 2012 2 Origin of AES  1999: NIST indicates that DES should be replaced as a standard  have theoretical attacks that can break it  have demonstrated exhaustive key search attacks  Triple-DES should be used before a new standard is approved  3DES has 168-bit key: brute-force attack is infeasible  Same engine as for DES is running – software/hardware can be reused  Confident that no effective attack exists: DES has been around for a long time  As far as security is concerned, 3DES is ideal to replace DES  Drawbacks of 3DES  Relatively slow software implementations – DES was designed for 1970’s hardware  DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used  US NIST issued call for ciphers in 1997  15 candidates accepted in Jun 98  5 were shortlisted in Aug-99  Rijndael was selected as the AES in Oct-2000  issued as FIPS PUB 197 standard in Nov-2001 http://users.abo.fi/ipetre/crypto/
January 26, 2012 3 Requirements for the new standard  Private key symmetric block cipher  128-bit data, 128/192/256-bit keys  Stronger and faster than 3DES  Active life of 20-30 years (+ archival use)  Provide full specification and design details  Both C and Java implementations  NIST have released all submissions & unclassified analyses http://users.abo.fi/ipetre/crypto/
January 26, 2012 4 AES Evaluation Criteria  Initial criteria:  security – effort to practically cryptanalyze  cost – computational efficiency, so as to be used in high-speed applications, such as broadband links  algorithm and implementation characteristics: should be suitable for a variety of soft/hard implementations, simple enough to make analysis straightforward  Final criteria  general security: this was conducted by the public (academic) cryptographic community: people published various attacks and weaknesses of the candidates  software and hardware implementation ease: execution speed, performance on various platforms, variation of speed with key size  Attacks on implementation: timing attacks and power analysis  Multiplication consumes more power and takes more time than addition  Writing 1s consumes more power and takes more time than writing 0s  Flexibility (in encryption/decryption, key change, other factors) http://users.abo.fi/ipetre/crypto/
January 26, 2012 5 AES Shortlist  After testing and evaluation, shortlist in Aug-99:  MARS (IBM) - complex, fast, high security margin  RC6 (USA) - v. simple, v. fast, low security margin  Rijndael (Belgium) - clean, fast, good security margin  Serpent (Euro) - slow, clean, v. high security margin  Twofish (USA) - complex, v. fast, high security margin  Then subject to further analysis & comment  Analysed contrast between algorithms with  few complex rounds vs. many simple rounds  which refined existing ciphers vs. new proposals http://users.abo.fi/ipetre/crypto/
January 26, 2012 6 The AES Cipher – Rijndael  Designed by Rijmen-Daemen in Belgium  128/192/256-bit keys, 128 bit data  Does not have the structure of a classical feistel cipher  treats data in 4 groups of 4 bytes  operates an entire block in every round  Designed to be:  resistant against known attacks  speed and code compactness on many platforms  design simplicity  Decryption algorithm different than the encryption http://users.abo.fi/ipetre/crypto/
January 26, 2012 7 Rijndael  Processes data as 4 groups of 4 bytes – 128-bit block  Input block copied into State array, modified at each stage of encryption or decryption and copied to the output matrix after the final round  has 9/11/13 rounds (depending on which variant is used) in which State undergoes:  byte substitution (one S-box used on every byte)  shift rows: a simple permutation  mix columns: substitution using arithmetic in GF(28)  add round key (XOR State with the round key)  initial XOR of the plaintext with a round key  There is an incomplete last round (the 10th/12th/14th)  Note: all operations can be combined into XOR and table lookups - hence very fast and efficient http://users.abo.fi/ipetre/crypto/
Structure of AES January 26, 2012 http://users.abo.fi/ipetre/crypto/ 8 Source: Stallings, fig 5.1
January 26, 2012 10 Rijndael – the structure  Discuss each of the four stages in each round  For each stage, describe the encryption and decryption algorithms  Describe the rationale of each stage  Describe key expansion  Each stage operates on the 128-bit State, i.e., 16 bytes – these will be treated as a 4x4 matrix of bytes  The first four bytes are on the first column, the following 4 on the second column, etc.  In this description we assume key length of 128  Details are only slightly different for longer keys  The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a number from 0 to 255): first 4 bytes on the first column, following 4 on the 2nd columns, etc.  The key is expanded in an array of 44 words – each word has 4 bytes; these key words are used throughout the rounds: in each XOR are involved 4 words http://users.abo.fi/ipetre/crypto/
January 26, 2012 11 Rijndael data structures http://users.abo.fi/ipetre/crypto/
January 26, 2012 12 Rijndael http://users.abo.fi/ipetre/crypto/
January 26, 2012 13 Substitute bytes transformation  Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6}, {CF}  SubBytes is a simple table lookup (see next slide)  table of 16x16 bytes containing a permutation of all 256 8-bit values  Each byte of state is replaced by a byte in the table  The row is given by the leftmost 4-bits of the byte  The column is given by the rightmost 4-bits of the byte  Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5: {2A} (see next slide)  For decryption, use the inverse S-box http://users.abo.fi/ipetre/crypto/
January 26, 2012 14 The S-box transformation http://users.abo.fi/ipetre/crypto/
January 26, 2012 15 AES S-boxes http://users.abo.fi/ipetre/crypto/
January 26, 2012 16 How is the S-box constructed?  S-box is constructed using a certain transformation of the values in GF(28)  Designed to be resistant to all known attacks 1. Initialize the S-box with the byte values in ascending order row by row: first row contains {00}, {01}, {02}, …,{0F}, second row contains {10}, {11}, {12},…,{1F}, etc. 2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(28), {00} is mapped to itself 3. Each byte in the S-box is a sequence of 8 bits (b7,b6,…,b1,b0). Apply the following transformation to each bit of each byte: bi’=bi⊕b(i+4)mod 8⊕b(i+5)mod 8⊕b(i+6)mod 8⊕b(i+7)mod 8⊕ci where ci is the ith bit of {63}: (c7,c6,c5,c4,c3,c2,c1,c0)=(01100011) http://users.abo.fi/ipetre/crypto/
January 26, 2012 17 How are the S-boxes constructed? Note that the Step 3 in producing the S-box is the transformation shown bellow – in there, the addition is XOR and the multiplication is the normal multiplication of 0 and 1 (i.e., operations in Z2) http://users.abo.fi/ipetre/crypto/
January 26, 2012 18 How are the S-boxes constructed?  The inverse S-box (used in the decryption) is computed as follows: 1. Apply to the S-box the inverse of the transformation in Step 3 (multiply with the inverse of the matrix shown on the previous slide): bi’=bi ⊕ b(i+2)mod 8 ⊕ b(i+5)mod 8 ⊕ b(i+7)mod 8 ⊕ di where byte d={05}, i.e., d=(00000101) 2. Replace each byte of the table with its multiplicative inverse in GF(28) http://users.abo.fi/ipetre/crypto/
January 26, 2012 19 Why are the S-boxes constructed in this way?  The S-box should be resistant to known cryptanalytical attacks  Low correlation between input bits and output bits  Output cannot be described as a simple math function of the input  The transformation was chosen so that the S-box has no fixed point (S- box(a)=a) and no opposite fixed points (S-box(a)=a’, where a’ is the bitwise complement of a)  S-box should be invertible  S-box should not be self-inverse (avoid S-box(a)=IS-box(a)) http://users.abo.fi/ipetre/crypto/
January 26, 2012 20 Rijndael http://users.abo.fi/ipetre/crypto/
January 26, 2012 21 Shift Row Transformations  For encryption, circular byte shift in each row  1st row is unchanged  2nd row does 1 byte circular shift to left  3rd row does 2 byte circular shift to left  4th row does 3 byte circular shift to left  For decryption, all shifts are done to right  Why this particular shift?  Since state is processed by columns, this step permutes bytes between the columns  The 4 bytes of one column are spread out to 4 different columns  This step provides “permutation” of the data, whereas the other steps provide substitutions (recall Shannon’s S-P networks) http://users.abo.fi/ipetre/crypto/
January 26, 2012 22 Shift Row Transformations Mix Column Transformations http://users.abo.fi/ipetre/crypto/
January 26, 2012 23 Rijndael http://users.abo.fi/ipetre/crypto/
January 26, 2012 http://users.abo.fi/ipetre/crypto/ 24 Mix Column Transformations
January 26, 2012 25 Mix Columns  MixColumns operates on each column independently  Each byte is replaced by a value dependent on all 4 bytes in its column, where all operations are done in GF(28), with m(x)= x8+x4+x3+x+1 s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j) s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j) for all 0≤j ≤3. http://users.abo.fi/ipetre/crypto/
January 26, 2012 26 Mix Columns  MixColumns is in fact a matrix multiplication in GF(28) using prime polynomial m(x) =x8+x4+x3+x+1  Why those constants in the matrix?  Equivalent definition: take each column as a polynomial of degree at most 3 and multiply it with {03}x3+{01}x2+{01}x+{02} mod x4+1  Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and XOR  Gives good mixing of the bytes within each column  Combined with the “shift rows” step, it provides good avalanche, so that within a few rounds, all output bits depend on all input bits. http://users.abo.fi/ipetre/crypto/
January 26, 2012 27 Example on how to do computations in GF(28)  An element of GF(28) is a byte (b7,b6,…,b1,b0) or, equivalently, a polynomial of degree at most 7 with coefficients 0 and 1: f(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0  Doing computations with polynomials in GF(28) can be implemented easily as operations with bytes  Addition u⊕v is simply bitwise XOR of the two bytes  Multiplication u v more complicated: a series of is shift & XOR – example bellow for GF(28) with m(x)= x8+x4+x3+x+1 (as in AES)  x8 mod m(x) = (m(x)- x8) = x4+x3+x+1  Consider a byte v, i.e., polynomial in GF(28), v(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0  Multiplying by x we have xv(x)=b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x  If b7=0, then the result is in GF(28). If b7=1, then we need to reduce x8 mod m(x): xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + (x4+x3+x+1)  Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a conditional XOR with (00011011)  Multiplication by higher powers of x implies an iteration of the above procedure http://users.abo.fi/ipetre/crypto/
January 26, 2012 28 Example on applying MixColumns s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j) s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j) 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 9 47 40 A3 4C 37 D4 70 9F 94 E4 3A 42 ED A5 A6 BC • Consider the computation of the value on the top left corner: ({02}•{87}) ⊕ ({03}•{6E}) ⊕ {46} ⊕ {A6} • {02}•{87}: {02}=(0000 0010) , i.e., polynomial X: we have here multiplication with X: xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + b7(x4+x3+x+1) • Since v(X)={87}=(1000 0111), i.e., b7=1, we get {02}•{87}=(0000 1110) ⊕ (0001 1011)=(0001 0101) • Similarly, {03}•{6E}=(1011 0010) • The top-left value should be: (0001 0101) ⊕ (1011 0010) ⊕ (0100 0110) ⊕ (1010 0110) = (0100 0111) = {47} http://users.abo.fi/ipetre/crypto/
January 26, 2012 29 Inverse Mix Columns  The inverse mix column transformation InvMixColumns is defined by the following matrix multiplication in GF(28) 0E 0B 0D 09 S0,0 S0,1 S0,3 S0,4 S’0,0 S’0,1 S’0,2 S’0,3 09 0E 0B 0D S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3 OD 09 0E 0B S2,0 S2,1 S2,2 S2,3 = S’2,0 S’2,1 S’2,2 S’2,3 0B 0D 09 0E S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3 http://users.abo.fi/ipetre/crypto/
January 26, 2012 31 Rijndael http://users.abo.fi/ipetre/crypto/
January 26, 2012 32 Add Round Key  XOR state with 128-bits of the round key  Same in the decryption – use the round keys in reverse order ⊕ http://users.abo.fi/ipetre/crypto/
January 26, 2012 33 AES Key Expansion  Takes 128-bit (16-byte) key and expands into an array of 44 32-bit words (each word has 4 bytes)  KeyExpansion(byte key[16], word w[44]) { Word temp; For (i=0;i<4; i++) // key is copied into the first 4 words w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3]) For (i=4;i<44;i++) // the rest of the words are produced here { temp=w[i-1]; if (i mod 4 == 0) temp=SubWord( RotWord(temp) ) ⊕ Rcon[i/4]; w[i]=w[i-4] ⊕ temp; // Most of the words are just XOR of two earlier values } } http://users.abo.fi/ipetre/crypto/
January 26, 2012 34 AES key expansion  Key is copied first into the first 4 words of the expanded key  Each added word depends on the previous word and on the one 4 positions earlier  In 3 cases out of 4 a simple XOR is used  For every fourth word a more complex function is used  RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is transformed into [b1,b2,b3,b0]  SubWord performs a byte substitution on each byte of the input word, using the S-box of AES  Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric progression with rate 2 computed in GF(28): J 1 2 3 4 5 6 7 8 9 10 Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36} http://users.abo.fi/ipetre/crypto/
January 26, 2012 35 AES Decryption  AES decryption is not identical to encryption since steps must be performed in reverse  This is a disadvantage because different software is needed for encryption and decryption  Encryption is an interation of SubBytes, ShiftRows, MixColumns, AddRoundKey  Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns  Decryption can be modified to use the encryption software (switch the order of the first two operations and the order of the last two operations in each round), provided we operate a small change in the key expansion  Before we apply AddRoundKey in each round, we apply InvMixColumns to the matrix formed by the 4 words participating in the current round http://users.abo.fi/ipetre/crypto/
January 26, 2012 36 Implementation aspects: AES Round with State seen as an array with 16 bytes rather than as a 4x4 matrix http://users.abo.fi/ipetre/crypto/
January 26, 2012 37 Implementation Aspects  Can efficiently implement on 8-bit CPU  byte substitution works on bytes using a table of 256 entries  shift rows is simple byte shifting  add round key works on byte XORs  mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use a table lookup http://users.abo.fi/ipetre/crypto/
January 26, 2012 38 Implementation Aspects  Can efficiently implement on 32-bit CPU  redefine steps to use 32-bit words  can precompute 4 tables of 256-words  then each column in each round can be computed using 4 table lookups + 4 XORs  at a cost of 16Kb to store tables  Designers believe this very efficient implementation was a key factor in its selection as the AES cipher http://users.abo.fi/ipetre/crypto/

Recommended

Aes
AesAes
AesManju Hegde
 
Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4Federal Urdu University
 
Design and Implementation A different Architectures of mixcolumn in FPGA
Design and Implementation A different Architectures of mixcolumn in FPGADesign and Implementation A different Architectures of mixcolumn in FPGA
Design and Implementation A different Architectures of mixcolumn in FPGAVLSICS Design
 
A03530107
A03530107A03530107
A03530107inventionjournals
 
Ci25500508
Ci25500508Ci25500508
Ci25500508IJERA Editor
 
Aes
AesAes
AesSijo Mathew
 
Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportsakhi rehman
 
Final report
Final reportFinal report
Final reportJagbir Kalirai
 

Recommended

Aes
AesAes
AesManju Hegde
 
Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4Federal Urdu University
 
Design and Implementation A different Architectures of mixcolumn in FPGA
Design and Implementation A different Architectures of mixcolumn in FPGADesign and Implementation A different Architectures of mixcolumn in FPGA
Design and Implementation A different Architectures of mixcolumn in FPGAVLSICS Design
 
A03530107
A03530107A03530107
A03530107inventionjournals
 
Ci25500508
Ci25500508Ci25500508
Ci25500508IJERA Editor
 
Aes
AesAes
AesSijo Mathew
 
Aes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportAes 128 192_256_bits_project_report
Aes 128 192_256_bits_project_reportsakhi rehman
 
Final report
Final reportFinal report
Final reportJagbir Kalirai
 
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSORIMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSORacijjournal
 
Js2517181724
Js2517181724Js2517181724
Js2517181724IJERA Editor
 
Js2517181724
Js2517181724Js2517181724
Js2517181724IJERA Editor
 
icwet1097
icwet1097icwet1097
icwet1097Sapna Agarwal
 
An Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA ImplementationAn Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA ImplementationIRJET Journal
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...ijcsit
 
Design of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technologyDesign of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technologyIAEME Publication
 
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGA
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGAImplementation of Fast Pipelined AES Algorithm on Xilinx FPGA
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGAInternational Journal of Science and Research (IJSR)
 
Arm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithmArm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithmeSAT Journals
 
Implementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using ChaosImplementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using ChaosIOSR Journals
 
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES AlgorithmFPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithmijsrd.com
 
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...IJECEIAES
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
AES effecitve software implementation
AES effecitve software implementationAES effecitve software implementation
AES effecitve software implementationRoman Oliynykov
 
IRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES StandardIRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES StandardIRJET Journal
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASICDesign and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASICpaperpublications3
 
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AESCFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AESidescitation
 
Module 2 network and computer security
Module 2 network and computer securityModule 2 network and computer security
Module 2 network and computer securityDeepak John
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,paperpublications3
 
Introduction to tcp ip linux networking
Introduction to tcp ip linux networkingIntroduction to tcp ip linux networking
Introduction to tcp ip linux networkingSreenatha Reddy K R
 
paper10.pdf
paper10.pdfpaper10.pdf
paper10.pdfaminasouyah
 
paper9.pdf
paper9.pdfpaper9.pdf
paper9.pdfaminasouyah
 

More Related Content

Similar to sheet7.pdf

IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSORIMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSORacijjournal
 
An Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA ImplementationAn Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA ImplementationIRJET Journal
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...ijcsit
 
Design of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technologyDesign of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technologyIAEME Publication
 
Arm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithmArm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithmeSAT Journals
 
Implementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using ChaosImplementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using ChaosIOSR Journals
 
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES AlgorithmFPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithmijsrd.com
 
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...IJECEIAES
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
AES effecitve software implementation
AES effecitve software implementationAES effecitve software implementation
AES effecitve software implementationRoman Oliynykov
 
IRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES StandardIRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES StandardIRJET Journal
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASICDesign and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASICpaperpublications3
 
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AESCFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AESidescitation
 
Module 2 network and computer security
Module 2 network and computer securityModule 2 network and computer security
Module 2 network and computer securityDeepak John
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,paperpublications3
 
Introduction to tcp ip linux networking
Introduction to tcp ip linux networkingIntroduction to tcp ip linux networking
Introduction to tcp ip linux networkingSreenatha Reddy K R
 

Similar to sheet7.pdf (20)

IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSORIMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
IMPLEMENTATION OF AES AS A CUSTOM HARDWARE USING NIOS II PROCESSOR
 
Js2517181724
Js2517181724Js2517181724
Js2517181724
 
Js2517181724
Js2517181724Js2517181724
Js2517181724
 
icwet1097
icwet1097icwet1097
icwet1097
 
An Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA ImplementationAn Efficient VLSI Architecture for AES and It's FPGA Implementation
An Efficient VLSI Architecture for AES and It's FPGA Implementation
 
A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...A design of a fast parallel pipelined implementation of aes advanced encrypti...
A design of a fast parallel pipelined implementation of aes advanced encrypti...
 
Design of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technologyDesign of area optimized aes encryption core using pipelining technology
Design of area optimized aes encryption core using pipelining technology
 
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGA
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGAImplementation of Fast Pipelined AES Algorithm on Xilinx FPGA
Implementation of Fast Pipelined AES Algorithm on Xilinx FPGA
 
Arm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithmArm recognition encryption by using aes algorithm
Arm recognition encryption by using aes algorithm
 
Implementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using ChaosImplementation of Various Cryptosystem Using Chaos
Implementation of Various Cryptosystem Using Chaos
 
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES AlgorithmFPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
FPGA Implementation of SubByte & Inverse SubByte for AES Algorithm
 
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
Comparison of AES and DES Algorithms Implemented on Virtex-6 FPGA and Microbl...
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
AES effecitve software implementation
AES effecitve software implementationAES effecitve software implementation
AES effecitve software implementation
 
IRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES StandardIRJET- A Review on Various Secured Data Encryption Models based on AES Standard
IRJET- A Review on Various Secured Data Encryption Models based on AES Standard
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASICDesign and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC
 
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AESCFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
CFA based SBOX and Modified Mixcolumn Implementation of 8 Bit Datapath for AES
 
Module 2 network and computer security
Module 2 network and computer securityModule 2 network and computer security
Module 2 network and computer security
 
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
Design and Implementation of Area Efficiency AES Algoritham with FPGA and ASIC,
 
Introduction to tcp ip linux networking
Introduction to tcp ip linux networkingIntroduction to tcp ip linux networking
Introduction to tcp ip linux networking
 

More from aminasouyah

More from aminasouyah (20)

paper10.pdf
paper10.pdfpaper10.pdf
paper10.pdf
 
paper9.pdf
paper9.pdfpaper9.pdf
paper9.pdf
 
paper8.pdf
paper8.pdfpaper8.pdf
paper8.pdf
 
paper7.pdf
paper7.pdfpaper7.pdf
paper7.pdf
 
paper6.pdf
paper6.pdfpaper6.pdf
paper6.pdf
 
paper5.pdf
paper5.pdfpaper5.pdf
paper5.pdf
 
paper4.pdf
paper4.pdfpaper4.pdf
paper4.pdf
 
paper3.pdf
paper3.pdfpaper3.pdf
paper3.pdf
 
paper2.pdf
paper2.pdfpaper2.pdf
paper2.pdf
 
paper1.pdf
paper1.pdfpaper1.pdf
paper1.pdf
 
sheet6.pdf
sheet6.pdfsheet6.pdf
sheet6.pdf
 
sheet5.pdf
sheet5.pdfsheet5.pdf
sheet5.pdf
 
sheet4.pdf
sheet4.pdfsheet4.pdf
sheet4.pdf
 
sheet3.pdf
sheet3.pdfsheet3.pdf
sheet3.pdf
 
sheet2.pdf
sheet2.pdfsheet2.pdf
sheet2.pdf
 
sheet1.pdf
sheet1.pdfsheet1.pdf
sheet1.pdf
 
doc4.pdf
doc4.pdfdoc4.pdf
doc4.pdf
 
doc7.pdf
doc7.pdfdoc7.pdf
doc7.pdf
 
doc6.pdf
doc6.pdfdoc6.pdf
doc6.pdf
 
doc5.pdf
doc5.pdfdoc5.pdf
doc5.pdf
 

Recently uploaded

Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 

Recently uploaded (20)

Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 

sheet7.pdf

  • 1. January 26, 2012 1 Cryptography and Network Security Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University Spring 2012 http://users.abo.fi/ipetre/crypto/ http://users.abo.fi/ipetre/crypto/
  • 2. January 26, 2012 2 Origin of AES  1999: NIST indicates that DES should be replaced as a standard  have theoretical attacks that can break it  have demonstrated exhaustive key search attacks  Triple-DES should be used before a new standard is approved  3DES has 168-bit key: brute-force attack is infeasible  Same engine as for DES is running – software/hardware can be reused  Confident that no effective attack exists: DES has been around for a long time  As far as security is concerned, 3DES is ideal to replace DES  Drawbacks of 3DES  Relatively slow software implementations – DES was designed for 1970’s hardware  DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used  US NIST issued call for ciphers in 1997  15 candidates accepted in Jun 98  5 were shortlisted in Aug-99  Rijndael was selected as the AES in Oct-2000  issued as FIPS PUB 197 standard in Nov-2001 http://users.abo.fi/ipetre/crypto/
  • 3. January 26, 2012 3 Requirements for the new standard  Private key symmetric block cipher  128-bit data, 128/192/256-bit keys  Stronger and faster than 3DES  Active life of 20-30 years (+ archival use)  Provide full specification and design details  Both C and Java implementations  NIST have released all submissions & unclassified analyses http://users.abo.fi/ipetre/crypto/
  • 4. January 26, 2012 4 AES Evaluation Criteria  Initial criteria:  security – effort to practically cryptanalyze  cost – computational efficiency, so as to be used in high-speed applications, such as broadband links  algorithm and implementation characteristics: should be suitable for a variety of soft/hard implementations, simple enough to make analysis straightforward  Final criteria  general security: this was conducted by the public (academic) cryptographic community: people published various attacks and weaknesses of the candidates  software and hardware implementation ease: execution speed, performance on various platforms, variation of speed with key size  Attacks on implementation: timing attacks and power analysis  Multiplication consumes more power and takes more time than addition  Writing 1s consumes more power and takes more time than writing 0s  Flexibility (in encryption/decryption, key change, other factors) http://users.abo.fi/ipetre/crypto/
  • 5. January 26, 2012 5 AES Shortlist  After testing and evaluation, shortlist in Aug-99:  MARS (IBM) - complex, fast, high security margin  RC6 (USA) - v. simple, v. fast, low security margin  Rijndael (Belgium) - clean, fast, good security margin  Serpent (Euro) - slow, clean, v. high security margin  Twofish (USA) - complex, v. fast, high security margin  Then subject to further analysis & comment  Analysed contrast between algorithms with  few complex rounds vs. many simple rounds  which refined existing ciphers vs. new proposals http://users.abo.fi/ipetre/crypto/
  • 6. January 26, 2012 6 The AES Cipher – Rijndael  Designed by Rijmen-Daemen in Belgium  128/192/256-bit keys, 128 bit data  Does not have the structure of a classical feistel cipher  treats data in 4 groups of 4 bytes  operates an entire block in every round  Designed to be:  resistant against known attacks  speed and code compactness on many platforms  design simplicity  Decryption algorithm different than the encryption http://users.abo.fi/ipetre/crypto/
  • 7. January 26, 2012 7 Rijndael  Processes data as 4 groups of 4 bytes – 128-bit block  Input block copied into State array, modified at each stage of encryption or decryption and copied to the output matrix after the final round  has 9/11/13 rounds (depending on which variant is used) in which State undergoes:  byte substitution (one S-box used on every byte)  shift rows: a simple permutation  mix columns: substitution using arithmetic in GF(28)  add round key (XOR State with the round key)  initial XOR of the plaintext with a round key  There is an incomplete last round (the 10th/12th/14th)  Note: all operations can be combined into XOR and table lookups - hence very fast and efficient http://users.abo.fi/ipetre/crypto/
  • 8. Structure of AES January 26, 2012 http://users.abo.fi/ipetre/crypto/ 8 Source: Stallings, fig 5.1
  • 9. January 26, 2012 10 Rijndael – the structure  Discuss each of the four stages in each round  For each stage, describe the encryption and decryption algorithms  Describe the rationale of each stage  Describe key expansion  Each stage operates on the 128-bit State, i.e., 16 bytes – these will be treated as a 4x4 matrix of bytes  The first four bytes are on the first column, the following 4 on the second column, etc.  In this description we assume key length of 128  Details are only slightly different for longer keys  The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a number from 0 to 255): first 4 bytes on the first column, following 4 on the 2nd columns, etc.  The key is expanded in an array of 44 words – each word has 4 bytes; these key words are used throughout the rounds: in each XOR are involved 4 words http://users.abo.fi/ipetre/crypto/
  • 10. January 26, 2012 11 Rijndael data structures http://users.abo.fi/ipetre/crypto/
  • 11. January 26, 2012 12 Rijndael http://users.abo.fi/ipetre/crypto/
  • 12. January 26, 2012 13 Substitute bytes transformation  Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6}, {CF}  SubBytes is a simple table lookup (see next slide)  table of 16x16 bytes containing a permutation of all 256 8-bit values  Each byte of state is replaced by a byte in the table  The row is given by the leftmost 4-bits of the byte  The column is given by the rightmost 4-bits of the byte  Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5: {2A} (see next slide)  For decryption, use the inverse S-box http://users.abo.fi/ipetre/crypto/
  • 13. January 26, 2012 14 The S-box transformation http://users.abo.fi/ipetre/crypto/
  • 14. January 26, 2012 15 AES S-boxes http://users.abo.fi/ipetre/crypto/
  • 15. January 26, 2012 16 How is the S-box constructed?  S-box is constructed using a certain transformation of the values in GF(28)  Designed to be resistant to all known attacks 1. Initialize the S-box with the byte values in ascending order row by row: first row contains {00}, {01}, {02}, …,{0F}, second row contains {10}, {11}, {12},…,{1F}, etc. 2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(28), {00} is mapped to itself 3. Each byte in the S-box is a sequence of 8 bits (b7,b6,…,b1,b0). Apply the following transformation to each bit of each byte: bi’=bi⊕b(i+4)mod 8⊕b(i+5)mod 8⊕b(i+6)mod 8⊕b(i+7)mod 8⊕ci where ci is the ith bit of {63}: (c7,c6,c5,c4,c3,c2,c1,c0)=(01100011) http://users.abo.fi/ipetre/crypto/
  • 16. January 26, 2012 17 How are the S-boxes constructed? Note that the Step 3 in producing the S-box is the transformation shown bellow – in there, the addition is XOR and the multiplication is the normal multiplication of 0 and 1 (i.e., operations in Z2) http://users.abo.fi/ipetre/crypto/
  • 17. January 26, 2012 18 How are the S-boxes constructed?  The inverse S-box (used in the decryption) is computed as follows: 1. Apply to the S-box the inverse of the transformation in Step 3 (multiply with the inverse of the matrix shown on the previous slide): bi’=bi ⊕ b(i+2)mod 8 ⊕ b(i+5)mod 8 ⊕ b(i+7)mod 8 ⊕ di where byte d={05}, i.e., d=(00000101) 2. Replace each byte of the table with its multiplicative inverse in GF(28) http://users.abo.fi/ipetre/crypto/
  • 18. January 26, 2012 19 Why are the S-boxes constructed in this way?  The S-box should be resistant to known cryptanalytical attacks  Low correlation between input bits and output bits  Output cannot be described as a simple math function of the input  The transformation was chosen so that the S-box has no fixed point (S- box(a)=a) and no opposite fixed points (S-box(a)=a’, where a’ is the bitwise complement of a)  S-box should be invertible  S-box should not be self-inverse (avoid S-box(a)=IS-box(a)) http://users.abo.fi/ipetre/crypto/
  • 19. January 26, 2012 20 Rijndael http://users.abo.fi/ipetre/crypto/
  • 20. January 26, 2012 21 Shift Row Transformations  For encryption, circular byte shift in each row  1st row is unchanged  2nd row does 1 byte circular shift to left  3rd row does 2 byte circular shift to left  4th row does 3 byte circular shift to left  For decryption, all shifts are done to right  Why this particular shift?  Since state is processed by columns, this step permutes bytes between the columns  The 4 bytes of one column are spread out to 4 different columns  This step provides “permutation” of the data, whereas the other steps provide substitutions (recall Shannon’s S-P networks) http://users.abo.fi/ipetre/crypto/
  • 21. January 26, 2012 22 Shift Row Transformations Mix Column Transformations http://users.abo.fi/ipetre/crypto/
  • 22. January 26, 2012 23 Rijndael http://users.abo.fi/ipetre/crypto/
  • 23. January 26, 2012 http://users.abo.fi/ipetre/crypto/ 24 Mix Column Transformations
  • 24. January 26, 2012 25 Mix Columns  MixColumns operates on each column independently  Each byte is replaced by a value dependent on all 4 bytes in its column, where all operations are done in GF(28), with m(x)= x8+x4+x3+x+1 s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j) s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j) for all 0≤j ≤3. http://users.abo.fi/ipetre/crypto/
  • 25. January 26, 2012 26 Mix Columns  MixColumns is in fact a matrix multiplication in GF(28) using prime polynomial m(x) =x8+x4+x3+x+1  Why those constants in the matrix?  Equivalent definition: take each column as a polynomial of degree at most 3 and multiply it with {03}x3+{01}x2+{01}x+{02} mod x4+1  Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and XOR  Gives good mixing of the bytes within each column  Combined with the “shift rows” step, it provides good avalanche, so that within a few rounds, all output bits depend on all input bits. http://users.abo.fi/ipetre/crypto/
  • 26. January 26, 2012 27 Example on how to do computations in GF(28)  An element of GF(28) is a byte (b7,b6,…,b1,b0) or, equivalently, a polynomial of degree at most 7 with coefficients 0 and 1: f(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0  Doing computations with polynomials in GF(28) can be implemented easily as operations with bytes  Addition u⊕v is simply bitwise XOR of the two bytes  Multiplication u v more complicated: a series of is shift & XOR – example bellow for GF(28) with m(x)= x8+x4+x3+x+1 (as in AES)  x8 mod m(x) = (m(x)- x8) = x4+x3+x+1  Consider a byte v, i.e., polynomial in GF(28), v(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0  Multiplying by x we have xv(x)=b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x  If b7=0, then the result is in GF(28). If b7=1, then we need to reduce x8 mod m(x): xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + (x4+x3+x+1)  Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a conditional XOR with (00011011)  Multiplication by higher powers of x implies an iteration of the above procedure http://users.abo.fi/ipetre/crypto/
  • 27. January 26, 2012 28 Example on applying MixColumns s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j) s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j) 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 9 47 40 A3 4C 37 D4 70 9F 94 E4 3A 42 ED A5 A6 BC • Consider the computation of the value on the top left corner: ({02}•{87}) ⊕ ({03}•{6E}) ⊕ {46} ⊕ {A6} • {02}•{87}: {02}=(0000 0010) , i.e., polynomial X: we have here multiplication with X: xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + b7(x4+x3+x+1) • Since v(X)={87}=(1000 0111), i.e., b7=1, we get {02}•{87}=(0000 1110) ⊕ (0001 1011)=(0001 0101) • Similarly, {03}•{6E}=(1011 0010) • The top-left value should be: (0001 0101) ⊕ (1011 0010) ⊕ (0100 0110) ⊕ (1010 0110) = (0100 0111) = {47} http://users.abo.fi/ipetre/crypto/
  • 28. January 26, 2012 29 Inverse Mix Columns  The inverse mix column transformation InvMixColumns is defined by the following matrix multiplication in GF(28) 0E 0B 0D 09 S0,0 S0,1 S0,3 S0,4 S’0,0 S’0,1 S’0,2 S’0,3 09 0E 0B 0D S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3 OD 09 0E 0B S2,0 S2,1 S2,2 S2,3 = S’2,0 S’2,1 S’2,2 S’2,3 0B 0D 09 0E S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3 http://users.abo.fi/ipetre/crypto/
  • 29. January 26, 2012 31 Rijndael http://users.abo.fi/ipetre/crypto/
  • 30. January 26, 2012 32 Add Round Key  XOR state with 128-bits of the round key  Same in the decryption – use the round keys in reverse order ⊕ http://users.abo.fi/ipetre/crypto/
  • 31. January 26, 2012 33 AES Key Expansion  Takes 128-bit (16-byte) key and expands into an array of 44 32-bit words (each word has 4 bytes)  KeyExpansion(byte key[16], word w[44]) { Word temp; For (i=0;i<4; i++) // key is copied into the first 4 words w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3]) For (i=4;i<44;i++) // the rest of the words are produced here { temp=w[i-1]; if (i mod 4 == 0) temp=SubWord( RotWord(temp) ) ⊕ Rcon[i/4]; w[i]=w[i-4] ⊕ temp; // Most of the words are just XOR of two earlier values } } http://users.abo.fi/ipetre/crypto/
  • 32. January 26, 2012 34 AES key expansion  Key is copied first into the first 4 words of the expanded key  Each added word depends on the previous word and on the one 4 positions earlier  In 3 cases out of 4 a simple XOR is used  For every fourth word a more complex function is used  RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is transformed into [b1,b2,b3,b0]  SubWord performs a byte substitution on each byte of the input word, using the S-box of AES  Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric progression with rate 2 computed in GF(28): J 1 2 3 4 5 6 7 8 9 10 Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36} http://users.abo.fi/ipetre/crypto/
  • 33. January 26, 2012 35 AES Decryption  AES decryption is not identical to encryption since steps must be performed in reverse  This is a disadvantage because different software is needed for encryption and decryption  Encryption is an interation of SubBytes, ShiftRows, MixColumns, AddRoundKey  Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns  Decryption can be modified to use the encryption software (switch the order of the first two operations and the order of the last two operations in each round), provided we operate a small change in the key expansion  Before we apply AddRoundKey in each round, we apply InvMixColumns to the matrix formed by the 4 words participating in the current round http://users.abo.fi/ipetre/crypto/
  • 34. January 26, 2012 36 Implementation aspects: AES Round with State seen as an array with 16 bytes rather than as a 4x4 matrix http://users.abo.fi/ipetre/crypto/
  • 35. January 26, 2012 37 Implementation Aspects  Can efficiently implement on 8-bit CPU  byte substitution works on bytes using a table of 256 entries  shift rows is simple byte shifting  add round key works on byte XORs  mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use a table lookup http://users.abo.fi/ipetre/crypto/
  • 36. January 26, 2012 38 Implementation Aspects  Can efficiently implement on 32-bit CPU  redefine steps to use 32-bit words  can precompute 4 tables of 256-words  then each column in each round can be computed using 4 table lookups + 4 XORs  at a cost of 16Kb to store tables  Designers believe this very efficient implementation was a key factor in its selection as the AES cipher http://users.abo.fi/ipetre/crypto/