580 likes | 1.18k Views
The Advanced Encryption Standard. CSIS 5857: Encoding and Encryption. AES History. 1997: NIST calls for proposals for DES replacement 56-bit DES key not computationally secure Triple DES very slow DES S-Boxes poorly understood 1999: Several algorithms chosen as finalists
E N D
The Advanced Encryption Standard CSIS 5857: Encoding and Encryption
AES History • 1997: NIST calls for proposals for DES replacement • 56-bit DES key not computationally secure • Triple DES very slow • DES S-Boxes poorly understood • 1999: Several algorithms chosen as finalists • Rijndael (selected) • Twofish, Serpent, etc. (still used by some systems) • 2001: Rijndael published by NIST as Advanced Encryption Standard
Goals of AES • Security • Minimum key size: 128 bits(computationally secure now) • Expandable to 192 or 256 bits (will still be computationally secure in future) • Block size: 128 bits (more possible mappings) • Designed for resistance to differential and linear cryptanalysis • Cost • Structure optimized for efficiency in current computer architectures
Mathematical Goals • S-Boxes and other transformations should have mathematical basis • Can insure useful properties (nonlinearity, etc.) • Can re-derive as needed for larger keys • Mapping should appear “random”(no simple patterns between inputs and outputs)
Modular Multiplication • a b mod m = remainder left after (a b)/m • Example: multiplication table mod 7
Modular Multiplicative Inverses • b isinverse of a mod m if ab mod m = 1(b = a -1 mod m) • Example:5 = 3-1 mod 7since 3 x 5 = 15 = 1 mod 7 • Creates nonlinear “pseudorandom” mappings
Modular Multiplicative Inverses • Problem: Only works if m is a prime numberOtherwise, some numbers have no inverse • Example: modular inverses mod8
Modular Multiplicative Inverses • Goal: use this idea in cases where m = 2n(that is, m is the size of a typical block) • Galois Fields • Represent byte to transform as a polynomial • Compute inverse of that polynomial mod some other “prime” polynomial • Galois Field with m = 28 used to create S-Boxes for AES , mapping 256 possible byte inputs to 256 possible byte outputs
Galois Field Mathematics • Step 1: Represent binary numbers with n bits as polynomial of degree n • Example: n = 3GF(23)
Galois Field Mathematics • All coefficients are binary (1 or 0) • Addition/subtraction in mod 2= XOR function • Examples: x2 + x + 1 x2 + x + 1- (x + 1) x2 + 2x + 2 x2 - x - 1 = x2 + 0x + 0 = x2 + x + 1 = x2since -1 mod 2 = 1since 2 mod 2 = 0
Galois Field Mathematics • Step 2:Find a “prime” polynomial Pnof degree n • Not a multiple of any two other polynomials(other than 1 and itself) • Example for GF(23):P3 = x3 + x + 1 • Used in AES for GF(28):P8 = x8 + x4 + x3 + x + 1
Galois Field Mathematics • Step 3:Compute multiplication table for all pairs of polynomials Pi x Pj mod Pn • Will need to compute mod if order of Pi x Pj is kn • Simple (inefficient) way: compute Pi x Pj – xk-nPn • Example for GF(23):
Galois Field Example • Example: Multiplying 110 and 101 • 110 x2 + x011 x + 1 • (x2 + x)(x + 1) = x3 + 2x2 + x = x3 + x2 mod 2 = 0 • (x3 + x) mod (x3 + x + 1) = x3 + x- x3 + x + 1 - 1 = 1-1 mod 2 = 1
Galois Field Inverses • Inverseb-1 of a binary number b in GF(2n)b-1 x b = 1 in GF(2n) • Example: GF(23)
Galois Fields in AES • AES mathematics based on GF(28) • Prime polynomial= x8 + x4 + x3 + x + 1 • SubBytes stage • Basis of S-Boxes • MixColumns Stage • Uses matrix multiplication in GF(28) • Round Key Generation • Adds extra “random” bits to each round key
AES Bytes and Words Blocks represented as arrays of smaller groups of bits • Byte: 8 bits • Word: 32 bits (4 bytes in word)
AES States • Each word (each 4 bytes) corresponds to column in state • Used to simplify mathematics
AES States • Example: 17 17 Note that a byte can be represented by a 2-digit hexadecimal (base 16) number
AES Round Structure • SubBytes: Each byte transformed by an S-Box • ShiftRows: Permutation to swap bytes around • MixColumns: Matrix multiplication to permute bits within bytes • AddRoundKey: XOR result with current round key • Notes: • Extra AddRoundKey before first round • No MixColumns in last round
SubBytes Stage • 128-bit input 16 bytes • Each byte transformed by same S-Box • S-Box structure: 2 dimensional 16 x 16 table • First 4 bits of input determine row • Last 4 bits of input determine column • Example: 1101 0101row 13, column 5 • Often represented in hexadecimal:1011 0110row d, column 5 • Result (see table next slide): 03 0000 0011
S-Box Basis • Inverse of each byte computed in GF(28) using x8 + x4 + x3 + x + 1 • Additional confusion created by array multiplication and addition • Multiplication/addition in mod 2 • Resulting byte with bits b0 – b7multiplied by 8 x 8 matrix X • Each output bit cjis effectively xor of different bi’s • Resulting byte with bits c0 – c7added to 8 x 1 matrix d • Has effect of inverting bits 0, 1, 5, and 6
Inverse S-Box • Subtract matrix d • Multiply by inverse of matrix X • Invert in GF(28)
ShiftRows Stage • Goal: Swap bytesaround within a state • State = bytes arranged in columns • Shift rows around within this 2 dimensional structure to add diffusion
ShiftRows Stage • Circular shift used on each row • Each row shifted by different number of bytes • Inverse just reverses shift
ShiftRows Example • Input: 63F2C9FAC9F2C963FE637D823026D4D4 • Output: 63F27DD4C963D4FAFE26C96330F2C982 Shift 0 Shift 1 Shift 2 Shift 3
MixColumns Stage • Goal: permute bits within each 4-byte word(column of state) • Matrix multiplication with 4x4 byte constant matrix • Multiplication in GF(28), mod x8 + x4 + x3 + x + 1
MixColumns Stage • Idea: Matrix multiplication makes each bit depend on every other bit in word (diffusion)
MixColumns Stage • Matrices used: • Hexadecimal representation • Example: 0E 00001110 x3+ x2+ x • Computed to maximize diffusion • Decryption uses inverse of encryption matrix
MixColumns Stage • Example: column 1, row 1 of example 63*02 + F2*03 + 7D*01 + D4*01 = 01100011*10 = 11000110(shift 1 digit) + 11110010*11 = 100010110 (111100100+11110010) + 01111101*01 = 01111101 + 11010100*01 = 11010100 101111001 (addition = XOR) -100011011(mod x8+x4+x3+x+1) 001100010 (subtraction = XOR) = 62
AddRoundKey Stage • Round Key: 128 bits • Broken into 4 round key words (32 bits each) • Round key words combined with columns using XOR
Round Key Expansion • Generates rounds + 1 round keys of size 128 bits • First used at beginning of cipher • Rest used at end of each round
Round Key Expansion • Keys broken down into 4 4-byte words • Initial round key = cipher key • Subsequent key words are wn function of : • Previous word (wn-1) • Corresponding word in previous round key (wn-4)
Round Key Expansion • For nnot multiple of 4: Wn= Wn-1 Wn-4 • Difficult to work back from final ciphertext to key • For nmultiple of 4: Wn= tn Wn-4tn = more complex function of Wn-1 • Adds confusion to relationship between key and ciphertext
Round Key Expansion • RotWord: Circular left shift of byte (like ShiftRows) • B1 B2 B3 B4 B2 B3 B4 B1 • SubWordUse S-Box to transform each of the 4 bytes (like SubBytes) • Adds more nonlinearity
Round Key Expansion • RCon: Round constant • Recursive functionRCon[i] = 2 x RCon[i-1] over GF(28)
AES Analysis • Security • Key size prevents exhaustive key search • Designed to be resistant to cryptanalysis • Substitution (SubBytes) and permutation (ShiftRows/MixColumns) prevent statistical analysis • Multiple rounds prevent differential analysis • S-Box design prevent linear cryptanalysis
AES Analysis • Efficiency • Operations done at byte level for 8–bit devices • SubBytes: byte-wise substitution • ShiftRows: moves bytes • MixColumns: multiplies bytes • Operations can be done one word at a time for maximum speed on 32-bit processors • All 4 bytes in word can be processed simultaneously in each operation