lecture6.pdf

January 26, 2012 1
Cryptography and Network Security
Lecture 6: Advanced Encryption Standard (AES)
Ion Petre
Department of IT, Åbo Akademi University
Spring 2012
http://users.abo.fi/ipetre/crypto/

January 26, 2012 2
Origin of AES
 1999: NIST indicates that DES should be replaced as a standard
 have theoretical attacks that can break it
 have demonstrated exhaustive key search attacks
 Triple-DES should be used before a new standard is approved
 3DES has 168-bit key: brute-force attack is infeasible
 Same engine as for DES is running – software/hardware can be reused
 Confident that no effective attack exists: DES has been around for a long time
 As far as security is concerned, 3DES is ideal to replace DES
 Drawbacks of 3DES
 Relatively slow software implementations – DES was designed for 1970’s hardware
 DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001

January 26, 2012 3
Requirements for the new standard
 Private key symmetric block cipher
 128-bit data, 128/192/256-bit keys
 Stronger and faster than 3DES
 Active life of 20-30 years (+ archival use)
 Provide full specification and design details
 Both C and Java implementations
 NIST have released all submissions & unclassified analyses

January 26, 2012 4
AES Evaluation Criteria
 Initial criteria:
 security – effort to practically cryptanalyze
 cost – computational efficiency, so as to be used in high-speed applications, such as
broadband links
 algorithm and implementation characteristics: should be suitable for a variety of
soft/hard implementations, simple enough to make analysis straightforward
 Final criteria
 general security: this was conducted by the public (academic) cryptographic
community: people published various attacks and weaknesses of the candidates
 software and hardware implementation ease: execution speed, performance on
various platforms, variation of speed with key size
 Attacks on implementation: timing attacks and power analysis
 Multiplication consumes more power and takes more time than addition
 Writing 1s consumes more power and takes more time than writing 0s
 Flexibility (in encryption/decryption, key change, other factors)

January 26, 2012 5
AES Shortlist
 After testing and evaluation, shortlist in Aug-99:
 MARS (IBM) - complex, fast, high security margin
 RC6 (USA) - v. simple, v. fast, low security margin
 Rijndael (Belgium) - clean, fast, good security margin
 Serpent (Euro) - slow, clean, v. high security margin
 Twofish (USA) - complex, v. fast, high security margin
 Then subject to further analysis & comment
 Analysed contrast between algorithms with
 few complex rounds vs. many simple rounds
 which refined existing ciphers vs. new proposals

January 26, 2012 6
The AES Cipher – Rijndael
 Designed by Rijmen-Daemen in Belgium
 128/192/256-bit keys, 128 bit data
 Does not have the structure of a classical feistel cipher
 treats data in 4 groups of 4 bytes
 operates an entire block in every round
 Designed to be:
 resistant against known attacks
 speed and code compactness on many platforms
 design simplicity
 Decryption algorithm different than the encryption

January 26, 2012 7
Rijndael
 Processes data as 4 groups of 4 bytes – 128-bit block
 Input block copied into State array, modified at each stage of encryption
or decryption and copied to the output matrix after the final round
 has 9/11/13 rounds (depending on which variant is used) in which State
undergoes:
 byte substitution (one S-box used on every byte)
 shift rows: a simple permutation
 mix columns: substitution using arithmetic in GF(28)
 add round key (XOR State with the round key)
 initial XOR of the plaintext with a round key
 There is an incomplete last round (the 10th/12th/14th)
 Note: all operations can be combined into XOR and table lookups - hence
very fast and efficient

Structure of AES
January 26, 2012 http://users.abo.fi/ipetre/crypto/ 8
Source: Stallings, fig 5.1

January 26, 2012 10
Rijndael – the structure
 Discuss each of the four stages in each round
 For each stage, describe the encryption and decryption algorithms
 Describe the rationale of each stage
 Describe key expansion
 Each stage operates on the 128-bit State, i.e., 16 bytes – these will be
treated as a 4x4 matrix of bytes
 The first four bytes are on the first column, the following 4 on the second
column, etc.
 In this description we assume key length of 128
 Details are only slightly different for longer keys
 The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a
number from 0 to 255): first 4 bytes on the first column, following 4 on the
2nd columns, etc.
 The key is expanded in an array of 44 words – each word has 4 bytes;
these key words are used throughout the rounds: in each XOR are involved
4 words

January 26, 2012 11
Rijndael data structures

January 26, 2012 12
Rijndael

January 26, 2012 13
Substitute bytes transformation
 Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6},
{CF}
 SubBytes is a simple table lookup (see next slide)
 table of 16x16 bytes containing a permutation of all 256 8-bit values
 Each byte of state is replaced by a byte in the table
 The row is given by the leftmost 4-bits of the byte
 The column is given by the rightmost 4-bits of the byte
 Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5:
{2A} (see next slide)
 For decryption, use the inverse S-box

January 26, 2012 14
The S-box transformation

January 26, 2012 15
AES S-boxes

January 26, 2012 16
How is the S-box constructed?
 S-box is constructed using a certain transformation of the values in GF(28)
 Designed to be resistant to all known attacks
1. Initialize the S-box with the byte values in ascending order row by row: first row
contains {00}, {01}, {02}, …,{0F}, second row contains {10}, {11}, {12},…,{1F},
etc.
2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(28), {00} is
mapped to itself
3. Each byte in the S-box is a sequence of 8 bits (b7,b6,…,b1,b0). Apply the
following transformation to each bit of each byte:
bi’=bi⊕b(i+4)mod 8⊕b(i+5)mod 8⊕b(i+6)mod 8⊕b(i+7)mod 8⊕ci
where ci is the ith bit of {63}: (c7,c6,c5,c4,c3,c2,c1,c0)=(01100011)

January 26, 2012 17
How are the S-boxes constructed?
Note that the Step 3 in producing the S-box is the transformation shown
bellow – in there, the addition is XOR and the multiplication is the
normal multiplication of 0 and 1 (i.e., operations in Z2)

January 26, 2012 18
How are the S-boxes constructed?
 The inverse S-box (used in the decryption) is computed as follows:
1. Apply to the S-box the inverse of the transformation in Step 3 (multiply
with the inverse of the matrix shown on the previous slide):
bi’=bi ⊕ b(i+2)mod 8 ⊕ b(i+5)mod 8 ⊕ b(i+7)mod 8 ⊕ di
where byte d={05}, i.e., d=(00000101)
2. Replace each byte of the table with its multiplicative inverse in GF(28)

January 26, 2012 19
Why are the S-boxes constructed in this way?
 The S-box should be resistant to known cryptanalytical attacks
 Low correlation between input bits and output bits
 Output cannot be described as a simple math function of the input
 The transformation was chosen so that the S-box has no fixed point (S-
box(a)=a) and no opposite fixed points (S-box(a)=a’, where a’ is the
bitwise complement of a)
 S-box should be invertible
 S-box should not be self-inverse (avoid S-box(a)=IS-box(a))

January 26, 2012 20
Rijndael

January 26, 2012 21
Shift Row Transformations
 For encryption, circular byte shift in each row
 1st row is unchanged
 2nd row does 1 byte circular shift to left
 3rd row does 2 byte circular shift to left
 4th row does 3 byte circular shift to left
 For decryption, all shifts are done to right
 Why this particular shift?
 Since state is processed by columns, this step permutes bytes between the
columns
 The 4 bytes of one column are spread out to 4 different columns
 This step provides “permutation” of the data, whereas the other steps
provide substitutions (recall Shannon’s S-P networks)

January 26, 2012 22
Shift Row
Transformations
Mix Column
Transformations

January 26, 2012 23
Rijndael

January 26, 2012 http://users.abo.fi/ipetre/crypto/ 24
Mix Column
Transformations

January 26, 2012 25
Mix Columns
 MixColumns operates on each column independently
 Each byte is replaced by a value dependent on all 4 bytes in its
column, where all operations are done in GF(28), with m(x)=
x8+x4+x3+x+1
s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
for all 0≤j ≤3.

January 26, 2012 26
Mix Columns
 MixColumns is in fact a matrix multiplication in GF(28) using prime
polynomial m(x) =x8+x4+x3+x+1
 Why those constants in the matrix?
 Equivalent definition: take each column as a polynomial of degree at most 3 and
multiply it with {03}x3+{01}x2+{01}x+{02} mod x4+1
 Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and
XOR
 Gives good mixing of the bytes within each column
 Combined with the “shift rows” step, it provides good avalanche, so that within a
few rounds, all output bits depend on all input bits.

January 26, 2012 27
Example on how to do computations in GF(28)
 An element of GF(28) is a byte (b7,b6,…,b1,b0) or, equivalently, a polynomial of
degree at most 7 with coefficients 0 and 1:
f(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
 Doing computations with polynomials in GF(28) can be implemented easily as
operations with bytes
 Addition u⊕v is simply bitwise XOR of the two bytes
 Multiplication u v more complicated: a series of is shift & XOR – example bellow for
GF(28) with m(x)= x8+x4+x3+x+1 (as in AES)
 x8 mod m(x) = (m(x)- x8) = x4+x3+x+1
 Consider a byte v, i.e., polynomial in GF(28), v(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
 Multiplying by x we have xv(x)=b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x
 If b7=0, then the result is in GF(28). If b7=1, then we need to reduce x8 mod m(x):
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + (x4+x3+x+1)
 Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a conditional XOR
with (00011011)
 Multiplication by higher powers of x implies an iteration of the above procedure

January 26, 2012 28
Example on applying MixColumns
s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 9
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
• Consider the computation of the value on the top left corner:
({02}•{87}) ⊕ ({03}•{6E}) ⊕ {46} ⊕ {A6}
• {02}•{87}: {02}=(0000 0010) , i.e., polynomial X: we have here multiplication with X:
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + b7(x4+x3+x+1)
• Since v(X)={87}=(1000 0111), i.e., b7=1, we get
{02}•{87}=(0000 1110) ⊕ (0001 1011)=(0001 0101)
• Similarly, {03}•{6E}=(1011 0010)
• The top-left value should be:
(0001 0101) ⊕
(1011 0010) ⊕
(0100 0110) ⊕
(1010 0110) =
(0100 0111) =
{47}

January 26, 2012 29
Inverse Mix Columns
 The inverse mix column transformation InvMixColumns is defined by
the following matrix multiplication in GF(28)
0E 0B 0D 09 S0,0 S0,1 S0,3 S0,4 S’0,0 S’0,1 S’0,2 S’0,3
09 0E 0B 0D S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3
OD 09 0E 0B S2,0 S2,1 S2,2 S2,3 = S’2,0 S’2,1 S’2,2 S’2,3
0B 0D 09 0E S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3

January 26, 2012 31
Rijndael

January 26, 2012 32
Add Round Key
 XOR state with 128-bits of the round key
 Same in the decryption – use the round keys in reverse order
⊕

January 26, 2012 33
AES Key Expansion
 Takes 128-bit (16-byte) key and expands into an array of 44 32-bit words
(each word has 4 bytes)
 KeyExpansion(byte key[16], word w[44])
{
Word temp;
For (i=0;i<4; i++) // key is copied into the first 4 words
w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3])
For (i=4;i<44;i++) // the rest of the words are produced here
{
temp=w[i-1];
if (i mod 4 == 0)
temp=SubWord( RotWord(temp) ) ⊕ Rcon[i/4];
w[i]=w[i-4] ⊕ temp; // Most of the words are just XOR of two earlier values
}
}

January 26, 2012 34
AES key expansion
 Key is copied first into the first 4 words of the expanded key
 Each added word depends on the previous word and on the one 4 positions
earlier
 In 3 cases out of 4 a simple XOR is used
 For every fourth word a more complex function is used
 RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is
transformed into [b1,b2,b3,b0]
 SubWord performs a byte substitution on each byte of the input word, using the
S-box of AES
 Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric
progression with rate 2 computed in GF(28):
J 1 2 3 4 5 6 7 8 9 10
Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36}

January 26, 2012 35
AES Decryption
 AES decryption is not identical to encryption since steps must be
performed in reverse
 This is a disadvantage because different software is needed for encryption
and decryption
 Encryption is an interation of SubBytes, ShiftRows, MixColumns,
AddRoundKey
 Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey,
InvMixColumns
 Decryption can be modified to use the encryption software (switch the
order of the first two operations and the order of the last two operations
in each round), provided we operate a small change in the key
expansion
 Before we apply AddRoundKey in each round, we apply InvMixColumns to
the matrix formed by the 4 words participating in the current round

January 26, 2012 36
Implementation aspects: AES Round with State seen as an
array with 16 bytes rather than as a 4x4 matrix

January 26, 2012 37
Implementation Aspects
 Can efficiently implement on 8-bit CPU
 byte substitution works on bytes using a table of 256 entries
 shift rows is simple byte shifting
 add round key works on byte XORs
 mix columns requires matrix multiply in GF(28) which works on byte
values, can be simplified to use a table lookup

January 26, 2012 38
Implementation Aspects
 Can efficiently implement on 32-bit CPU
 redefine steps to use 32-bit words
 can precompute 4 tables of 256-words
 then each column in each round can be computed using 4 table lookups
+ 4 XORs
 at a cost of 16Kb to store tables
 Designers believe this very efficient implementation was a key factor
in its selection as the AES cipher

lecture6.pdf

More Related Content

Similar to lecture6.pdf

More from aminasouyah

Recently uploaded

lecture6.pdf