1 a clear a replacement for des was needed have theoretical attacks that can break it have...

11

A A clear a replacement for DES was neededclear a replacement for DES was needed have theoretical attacks that can break ithave theoretical attacks that can break it have demonstrated exhaustive key search attackshave demonstrated exhaustive key search attacks

US NIST issued call for ciphers in 1997US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000Rijndael was selected as the AES in Oct-2000 issued as FIPS (issued as FIPS (Federal Information ProcessiFederal Information Processi

ng Standard)ng Standard) PUB 197 standard on 26 Nov- PUB 197 standard on 26 Nov-2001 2001

Chapter 5 –Chapter 5 –Advanced Encryption Advanced Encryption Standard (AES)Standard (AES)

22

AES RequirementsAES Requirements

private key symmetric block cipher private key symmetric block cipher 128-bit data, 128/192/256-bit keys 128-bit data, 128/192/256-bit keys stronger & faster than Triple-DES stronger & faster than Triple-DES active life of 20-30 years (+ archival use) active life of 20-30 years (+ archival use) provide full specification & design details provide full specification & design details both C & Java implementationsboth C & Java implementations NIST have released all submissions & NIST have released all submissions &

unclassified analysesunclassified analyses

33

AES Evaluation CriteriaAES Evaluation Criteria

initial criteria:initial criteria: security – effort for practical cryptanalysissecurity – effort for practical cryptanalysis cost – in terms of computational efficiencycost – in terms of computational efficiency algorithm & implementation characteristicsalgorithm & implementation characteristics

final criteriafinal criteria general securitygeneral security ease of software & hardware implementationease of software & hardware implementation implementation attacksimplementation attacks flexibility (in en/decrypt, keying, other factors)flexibility (in en/decrypt, keying, other factors)

44

AES ShortlistAES Shortlist

after testing and evaluation, shortlist in Aug-99: after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin Twofish (USA) - complex, v. fast, high security margin

then subject to further analysis & commentthen subject to further analysis & comment saw contrast between algorithms with saw contrast between algorithms with

few complex rounds verses many simple rounds few complex rounds verses many simple rounds which refined existing ciphers verses new proposalswhich refined existing ciphers verses new proposals

55

The Rijndael Cipher AlThe Rijndael Cipher Algorithmgorithm

66

•designed by Rijmen-Daemen in Belgium designed by Rijmen-Daemen in Belgium •has 128/192/256 bit keys, 128 bit data has 128/192/256 bit keys, 128 bit data

•an an iterativeiterative rather than rather than feistelfeistel cipher cipherprocesses processes data as block of 4 columns data as block of 4 columns of 4 bytesof 4 bytesoperates on entire data block in every operates on entire data block in every roundround

•designed to be:designed to be:resistant against known attacksresistant against known attacksspeed and code compactness on speed and code compactness on many CPUsmany CPUsdesign simplicitydesign simplicity

77

RijndaelRijndael data block of data block of 4 columns of 4 bytes is state4 columns of 4 bytes is state key is expanded to array of wordskey is expanded to array of words has 9/11/13 rounds in which state undergoes: has 9/11/13 rounds in which state undergoes:

byte substitution (1 S-box used on every byte) byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multipy of groups) mix columns (subs using matrix multipy of groups) add round key (XOR state with key material)add round key (XOR state with key material) view as alternating XOR key & scramble data bytesview as alternating XOR key & scramble data bytes

initial XOR key material & incomplete last roundinitial XOR key material & incomplete last round with fast XOR & table lookup implementationwith fast XOR & table lookup implementation

88

Mathematical preliminariesMathematical preliminaries

The field GF(2The field GF(288)) Example: (57)Example: (57)1616xx66+x+x44+x+x22+x+1+x+1 AdditionAddition MultiplicationMultiplication Multiplication by xMultiplication by x

Polynomials with coefficients in GF(2Polynomials with coefficients in GF(288)) Multiplication by xMultiplication by x

99

AdditionAddition

Sum of two elements: the sum of Sum of two elements: the sum of coefficients with modulus 2coefficients with modulus 2

Example: ’57’+’83’=‘D4’Example: ’57’+’83’=‘D4’ (x(x66+x+x44+x+x22+x+1)+(x+x+1)+(x77+x+1)=x+x+1)=x77+x+x66+x+x44+x+x22

1010

MultiplicationMultiplication

Multiplication in GF(2Multiplication in GF(288): multiplication of ): multiplication of polynomials modulo xpolynomials modulo x88+x+x44+x+x33+x+1 or (11B)+x+1 or (11B)16 16 ..

Example: ’57’Example: ’57’’83’=‘C1’’83’=‘C1’ (x(x66+x+x44+x+x22+x+1) +x+1) (x(x77+x+1) = +x+1) =

xx1313+x+x1111+x+x99+x+x88+x+x66+x+x55+x+x44+x+x33+1+1 xx1313+x+x1111+x+x99+x+x88+x+x66+x+x55+x+x44+x+x33+1 modulo x+1 modulo x88+x+x44+x+x33+x+1 = +x+1 =

xx77+x+x66+1+1

1111

Some PropertiesSome Properties

Multiplication is associative with a neutral element ‘Multiplication is associative with a neutral element ‘0101’. ’.

Inverse: bInverse: b-1-1(x)=a(x) mod m(x) with a(x)(x)=a(x) mod m(x) with a(x)b(x) mod m(x)= 1 b(x) mod m(x)= 1

a(x)a(x)(b(x)+c(x))=a(x)(b(x)+c(x))=a(x)b(x)+a(x)b(x)+a(x)c(x).c(x).

The set of 256 possible byte values, with addition and the The set of 256 possible byte values, with addition and the

multiplication defined as above has the structure of the multiplication defined as above has the structure of the

finite field GF(2finite field GF(288).).

1212

Multiplication by xMultiplication by x

Multiply b(x) with the polynomial x: bMultiply b(x) with the polynomial x: b77xx88+b+b66xx77+b+b55xx66+b+b44xx55+b+b33xx44+b+b22xx33+b+b11xx22+b+b00xx

If b7=0, the reduction is identity operation; if b7=If b7=0, the reduction is identity operation; if b7=1, m(x) must be subtracted (i.e. EXORed).1, m(x) must be subtracted (i.e. EXORed).

That is, multiplication by x (‘02’) can be implemeThat is, multiplication by x (‘02’) can be implemented by a left shift and a conditional EXOR with’1nted by a left shift and a conditional EXOR with’1B’. B’.

1313

ExampleExample

‘‘57’ 57’ ‘13’ =‘FE’ ‘13’ =‘FE’

‘‘57’ 57’ ’02’=xtime(57)=‘AE’’02’=xtime(57)=‘AE’

‘‘57’ 57’ ’04’=xtime(AE)=‘47’’04’=xtime(AE)=‘47’

‘‘57’ 57’ ’08’=xtime(47)=‘8E’ ’08’=xtime(47)=‘8E’

‘‘57’ 57’ ’10’=xtime(8E)=‘07’’10’=xtime(8E)=‘07’

‘ ‘57’ 57’ ‘13’ =‘57’ ‘13’ =‘57’(‘01’(‘01’’02’’02’’10’) = ’10’) = ‘5‘57’7’’AE’’AE’’07’=‘FE’’07’=‘FE’

1414

Polynomials with coefficients Polynomials with coefficients in GF(2in GF(288))

Two polynomials over GF(2Two polynomials over GF(288):):a(x)=aa(x)=a33xx33+a+a22xx22+a+a11x+ax+a00

b(x)=bb(x)=b33xx33+b+b22xx22+b+b11x+bx+b00

Their product c(x)=cTheir product c(x)=c66xx66+c+c55xx55+c+c44xx44+c+c33xx33+c+c22xx22+c+c11x+cx+c00

cc00=a=a00 b b00

cc11=a=a11 b b00 a a00 b b11

cc22=a=a22 b b00 a a11 b b11 a a00 b b22

cc33=a=a33 b b00 a a22 b b11 a a11 b b22+ + a a00 b b33

cc44=a=a33 b b11 a a22 b b22 a a11 b b33

cc55=a=a33 b b22 a a22 b b33

cc66=a=a33 b b33

1515


By reducing c(x) modulo a polynomial of By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a degree 4, the result can be reduced to a polynomial of degree below 4. polynomial of degree below 4.

M(x)=xM(x)=x44+1 and +1 and

xxii mod x mod x44+1=x+1=xi mod 4i mod 4..

1616


Product of a( x ) and b( x ):Product of a( x ) and b( x ):

d( x ) = a( x ) d( x ) = a( x ) b( x )= db( x )= d33xx33+d+d22xx22+d+d11x+dx+d00

dd00 = a = abb00 aabb11 aabb22 aabb33




1717


circulant matrix:

1818

Multiplication by xMultiplication by x

Multiply b( x ) by the polynomial x: bMultiply b( x ) by the polynomial x: b33xx44+b+b22xx33+b+b11xx22+b+b00xx

x x b( x ) modulo 1+xb( x ) modulo 1+x44= b= b22xx33+b+b11xx22+b+b00x+bx+b33

It is equivalent to multiplication by a matrix with all aIt is equivalent to multiplication by a matrix with all a ii =‘00’ except a =‘00’ except a11

=‘01’. Let c( x ) = x=‘01’. Let c( x ) = xb( x ). We have:b( x ). We have:

1919

SpecificationSpecification

Variable block length and key lengthVariable block length and key length Block length and the key length can be Block length and the key length can be

128, 192, or 256 bits.128, 192, or 256 bits. The state: the intermediate cipher result.The state: the intermediate cipher result. The Cipher Key is similarly picture as a The Cipher Key is similarly picture as a

rectangular array with four rows.rectangular array with four rows.

2020

The state and the Cipher KeyThe state and the Cipher Key

2121

The roundsThe rounds

The number of rounds is denoted by The number of rounds is denoted by Nr Nr anand depends on the values d depends on the values Nb Nb and and NNkk. . It is It is given in Table 1.given in Table 1.

2222

The cipherThe cipher

The cipher Rijndael consists ofThe cipher Rijndael consists of• An initial Round Key addition;An initial Round Key addition;• NNr-1 Rounds;r-1 Rounds;• A final round.A final round.

• In pseudo C code,In pseudo C code,Rijndael(State,CipherKey)Rijndael(State,CipherKey){{KeyExpansion(CipherKey,ExpandedKey) ;KeyExpansion(CipherKey,ExpandedKey) ;AddRoundKey(State,ExpandedKey);AddRoundKey(State,ExpandedKey);For( i=1 ; i<Nr ; i++ ) For( i=1 ; i<Nr ; i++ )

Round(State,ExpandedKey + Nb*i) ;Round(State,ExpandedKey + Nb*i) ;FinalRound(State,ExpandedKey + Nb*Nr);FinalRound(State,ExpandedKey + Nb*Nr);}}

2323

The cipherThe cipher The key expansion can be done on beforehand and The key expansion can be done on beforehand and

Rijndael can be specified in terms of the Expanded KRijndael can be specified in terms of the Expanded Key.ey.

Rijndael(State,ExpandedKey)Rijndael(State,ExpandedKey){{AddRoundKey(State,ExpandedKey);AddRoundKey(State,ExpandedKey);For( i=1 ; i<Nr ; i++ ) For( i=1 ; i<Nr ; i++ )

Round(State,ExpandedKey + Nb*i) ;Round(State,ExpandedKey + Nb*i) ;FinalRound(State,ExpandedKey + Nb*Nr);FinalRound(State,ExpandedKey + Nb*Nr);}}

2424

The round transformationThe round transformation

Round(State,RoundKey)Round(State,RoundKey){{ByteSub(State);ByteSub(State);ShiftRow(State);ShiftRow(State);MixColumn(State);MixColumn(State);AddRoundKey(State,RoundKey);AddRoundKey(State,RoundKey);}}

2525

The final roundThe final round

FinalRound(State,RoundKey)FinalRound(State,RoundKey)

{{

ByteSub(State) ;ByteSub(State) ;

ShiftRow(State) ;ShiftRow(State) ;

AddRoundKey(State,RoundKey);AddRoundKey(State,RoundKey);

}}

2626

The ByteSub transformation(1The ByteSub transformation(1/2)/2)

1. Taking the multiplicative inverse in GF(21. Taking the multiplicative inverse in GF(288). ). 2. Applying an affine transformation defined by:2. Applying an affine transformation defined by:

2727

The ByteSub transformation(2The ByteSub transformation(2/2)/2)

2828

The ShiftRow transformationThe ShiftRow transformation(1/2)(1/2)

2929

The ShiftRow transformationThe ShiftRow transformation(2/2)(2/2)

3030

The MixColumn transformation(1The MixColumn transformation(1/2)/2)

The columns of the State are considered as The columns of the State are considered as polynomials over GF(2polynomials over GF(288) and multiplied modulo x) and multiplied modulo x44+1 +1 with a fixed polynomial c(x)= with a fixed polynomial c(x)= ‘03‘03’x’x33++‘01‘01’x’x22++‘01‘01’x+’x+‘02‘02’.’.

This can be written as a matrix multiplication. Let b(x) This can be written as a matrix multiplication. Let b(x) = c(x) = c(x) a(x),a(x),

3131

The MixColumn transformation(2The MixColumn transformation(2/2)/2)

3232

The Round Key additionThe Round Key addition

3333

Key scheduleKey schedule

The Round Keys are derived from the Cipher Key by The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two commeans of the key schedule. This consists of two components: the Key Expansion and the Round Key Seleponents: the Key Expansion and the Round Key Selection. The basic principle is the following:ction. The basic principle is the following:

• The total number of Round Key bits is equal to the block lenThe total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. (e.g., for a blogth multiplied by the number of rounds plus 1. (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits arck length of 128 bits and 10 rounds, 1408 Round Key bits are needed).e needed).

• The Cipher Key is expanded into an Expanded Key.The Cipher Key is expanded into an Expanded Key.• Round Keys are taken from this Expanded Key in the followiRound Keys are taken from this Expanded Key in the followi

ng way: the first Round Key consists of the first ng way: the first Round Key consists of the first Nb Nb words, thwords, the second one of the following e second one of the following Nb Nb words, and so on.words, and so on.

3434

Key expansionKey expansion The Expanded Key is a linear array of 4-byte words and is The Expanded Key is a linear array of 4-byte words and is

denoted by Wdenoted by W[Nb*(Nr+1)[Nb*(Nr+1)]. The first NK]. The first NK words contain the words contain the Cipher Key. All other words are defined recursively in termCipher Key. All other words are defined recursively in terms of words with smaller indices.s of words with smaller indices.

For For Nk Nk 6, we have:6, we have:KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = for(i =

0; i < Nk; i++)0; i < Nk; i++)W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);for(i = Nk; i < Nb * (Nr + 1); i++) {for(i = Nk; i < Nb * (Nr + 1); i++) {

temp = W[i - 1];temp = W[i - 1];if (i % Nk == 0)if (i % Nk == 0)temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];W[i] = W[i - Nk] ^ temp;W[i] = W[i - Nk] ^ temp; }} }}

3535

Key expansionKey expansionFor For Nk Nk > 6, we have:> 6, we have:KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) {

for(i = 0; i < Nk; i++)for(i = 0; i < Nk; i++)W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]);W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]);

for(i = Nk; i < Nb * (Nr + 1); i++)for(i = Nk; i < Nb * (Nr + 1); i++){{ temp = W[i - 1];temp = W[i - 1];if (i % Nk == 0)if (i % Nk == 0)temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];else if (i % Nk == 4)else if (i % Nk == 4)temp = SubByte(temp);temp = SubByte(temp);W[i] = W[i - Nk] ^ temp;W[i] = W[i - Nk] ^ temp; }}

}}

3636

Round Key selectionRound Key selection

Round key Round key i i is given by the Round Key buffis given by the Round Key buffer words Wer words W[Nb*i[Nb*ito Wto W[Nb*(i+[Nb*(i+1)].1)].

3737

Strength against known Strength against known attacksattacks

• Symmetry properties and weak keys of the Symmetry properties and weak keys of the DES typeDES type Round constants are different in each round Round constants are different in each round

to eliminate symmetry in the cipher.to eliminate symmetry in the cipher. The cipher and its inverse use different The cipher and its inverse use different

components to eliminates the possibility for components to eliminates the possibility for weak and semi-weak keys, as existing for weak and semi-weak keys, as existing for DES.DES.

The non-linearity of the key expansion The non-linearity of the key expansion eliminates the possibility of equivalent keys.eliminates the possibility of equivalent keys.

3838


• Differential cryptanalysis(DC)Differential cryptanalysis(DC) First described by Eli Biham and Adi Shamir in 1991.First described by Eli Biham and Adi Shamir in 1991. A differential propagation is composed of differential trA differential propagation is composed of differential tr

ails(DT), where its prop ratio(PR) is the sum of the PRails(DT), where its prop ratio(PR) is the sum of the PRs of all DTs that have the specified initial and final diffs of all DTs that have the specified initial and final difference patterns.erence patterns.

Necessary condition to be resistant against DC: No DNecessary condition to be resistant against DC: No DT with predicated PR > 2T with predicated PR > 21-n1-n, n the block length., n the block length.

For Rijndael: No 4-round DT with predicated PR abovFor Rijndael: No 4-round DT with predicated PR above 2e 2-150 -150 (no 8-round trails with PR above 2(no 8-round trails with PR above 2-300 -300 ).).

3939


• Linear cryptanalysis(LC)Linear cryptanalysis(LC) First described by Mitsuru Matsui in 1994.First described by Mitsuru Matsui in 1994. An input-output correlation is composed of linear trails An input-output correlation is composed of linear trails

(LT) that have the specified initial and final selection p(LT) that have the specified initial and final selection patterns.atterns.

Necessary condition to be resistant against LC: No LTNecessary condition to be resistant against LC: No LTs with a correlation coefficients > 2s with a correlation coefficients > 2n/2n/2

For Rijndael: No 4-round LTs with a correlation above For Rijndael: No 4-round LTs with a correlation above 22-75 -75 (no 8-round trails with a correlation above 2(no 8-round trails with a correlation above 2-150-150).).

4040


Interpolation attacksInterpolation attacks Introduced by Jakobsen and Knudsen in 1997.Introduced by Jakobsen and Knudsen in 1997. The attacker constructs polynomials using cipher inpuThe attacker constructs polynomials using cipher inpu

t/output pairs. If the polynomials have a small degree, t/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficionly a few pairs are necessary to solve for the coefficients of the polynomial.ents of the polynomial.

The expression for the S-box is given byThe expression for the S-box is given by63+8fX63+8fX127127+b5X+b5X191191+01X+01X223223+f4X+f4X239239+25X+25X247247+f9X+f9X251251+09X+09X253253+05X+05X254254

4141


Other attacks considered:Other attacks considered: Truncated differentialsTruncated differentials The Square attackThe Square attack Related-key attacksRelated-key attacks Weak keys as in IDEAWeak keys as in IDEA

4242

Advantages and limitationsAdvantages and limitations

AdvantagesAdvantages Implementation aspectsImplementation aspects

Rijndael can be implemented to run at speeds unusually fast Rijndael can be implemented to run at speeds unusually fast on a Pentium (Pro). Trade-off between table size/performancon a Pentium (Pro). Trade-off between table size/performance.e.

Rijndael can be implemented on a smart card in a small code,Rijndael can be implemented on a smart card in a small code, using a small amount of RAM and a small number of cycles. using a small amount of RAM and a small number of cycles.

The round transformation is parallel by design.The round transformation is parallel by design.As the cipher does not make use of arithmetic operations, it hAs the cipher does not make use of arithmetic operations, it h

as no bias towards processor architectures. as no bias towards processor architectures.

4343


AdvantagesAdvantages Simplicity of designSimplicity of design

The cipher is fully “self-supporting”.The cipher is fully “self-supporting”.The cipher does not base its security on obscure and not The cipher does not base its security on obscure and not

well understood arithmetic operations.well understood arithmetic operations.The tight cipher design does not leave enough room to hide The tight cipher design does not leave enough room to hide

a trapdoor.a trapdoor. Variable block length and extensionsVariable block length and extensions

Block lengths and key length both range from 128 to 256 in Block lengths and key length both range from 128 to 256 in steps of 32 bits.steps of 32 bits.

Round number can be also modified as a parameter.Round number can be also modified as a parameter.

4444


LimitationsLimitations The inverse cipher is less suited to be The inverse cipher is less suited to be

implemented on a smart card than the cipher implemented on a smart card than the cipher itself: it takes more code and cycles.itself: it takes more code and cycles.

In software, the cipher and its inverse make In software, the cipher and its inverse make use of different code and/or tables.use of different code and/or tables.

In hardware, the inverse cipher can only In hardware, the inverse cipher can only partially re-use the circuitry that implements partially re-use the circuitry that implements the cipher. the cipher.

1 a clear a replacement for des was needed have theoretical attacks that can break it have...

Documents