Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

"It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable." — Talking to Strange Men, Ruth Rendell

Outline Introduction, evaluation criteria for AES AES cipher Overview AES key expansion Substitute bytes transformation Shift row transformation Mix column transformation Add round key transformation Equivalent inverse cipher

Origins of AES: DES problems: have theoretical attacks that can break it; have demonstrated exhaustive key search attacks. DES solution: Triple-DES – but slow with small blocks. US NIST issued call for ciphers in candidates accepted in Jun 98; 5 were shortlisted in Aug-99; Rijndael was selected as the AES in Oct-2000; issued as FIPS PUB 197 standard in Nov-2001.

AES Requirements: private key symmetric block cipher; 128-bit data, 128/192/256-bit keys; stronger & faster than Triple-DES; active life of years; provide full specification & design details; both C & Java implementations; NIST have released all submissions & unclassified analyses.

AES Evaluation Criteria: initial criteria (Table 5.1): security – effort for practical cryptanalysis (brute-force for 128-bit key is impractical); cost – computational efficiency; algorithm & implementation characteristics. Final criteria: general security – public security analysis for 3 years; software & hardware implementation ease; attacks on implementations (timing attacks, power analysis); flexibility (in en/decrypt, keying, other factors).

AES Shortlist: after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin; RC6 (USA) - v. simple, v. fast, low security margin; Rijndael (Belgium) - clean, fast, good security margin; Serpent (Euro) - slow, clean, v. high security margin; Twofish (USA) - complex, v. fast, high security margin. Then subject to further analysis & comment; saw contrast between algorithms with few complex rounds versus many simple rounds, and between those which refined existing ciphers versus new proposals.

The AES Cipher - Rijndael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data

Rijndael: an iterative rather than Feistel cipher. Feistel cipher: half of the data block is used to modify the other half, then swap the halves. Rijndael cipher: treats data in 4 groups of 4 bytes, operates on an entire block in every round. Designed to be: resistant against known attacks; speed and code compactness on many CPUs; design simplicity.

AES sub. perm.

AES preview: has 9/11/13 full rounds: byte substitution (1 S-box used on every byte); shift rows (permute bytes between groups/columns); mix columns (subs using matrix multiply of groups); add round key (XOR state with key material). Initial XOR key material & incomplete last round. All operations can be combined into XOR and table lookups - hence very fast & efficient.

AES data structure: 128-bit data block => 16 bytes. [Figure labels: input, output, Round 1, Round n, a byte, a column of 4 bytes (1 word), row, state]

Add Round Key: XOR state with 128-bits of the round key; inverse for decryption is identical since XOR is own inverse, just with correct round key.

Add round key (cont.): processed by column (though effectively a series of byte operations). [Figure labels: original key, expanded key]

AES key expansion: takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words; start by copying key into first 4 words. Expanded key: loop creating words that depend on values in previous & 4 places back; in 3 of 4 cases just XOR these together; every 4th has S-box + rotate + XOR constant of previous before XOR together.

AES key expansion (cont.): original 128-bit key; g: w3 = 7F 8D 29 2F. 1. Rotate word - 8D 29 2F 7F. 2. Substitute byte (S-Box) - 5D A5 15 D2. 3. XOR a round constant - 5C A5 15 D2.

S-Box: 8D 29 2F 7F => 5D A5 15 D2

Round constant in g: the round constant (RC) word has its 3 rightmost bytes equal to 0; the leftmost byte follows RC[j] = 2 · RC[j-1] over GF(2^8). 3. XOR a round constant: 5D A5 15 D2 => 5C A5 15 D2. [Table: round j versus RC[j]]

Fast multiplication in GF(2^8) (textbook p. 133): irreducible poly. for AES: m(x) = x^8 + x^4 + x^3 + x + 1. {80} · 2 = ? x^7 · x = x^8, which exceeds the range of GF(2^8); reduced modulo m(x) it becomes x^4 + x^3 + x + 1 = {1B}.

Fast multiplication Example: x^4 + x^3 + x + 1

Substitute bytes transformation One byte:

S-Box (the only one in AES)

Construction of S-box: 1. Initialize S-box. 2. Map each entry to its multiplicative inverse in GF(2^8). 3. Apply transformation formula. [Figure: S-box table contents after each step]

Mathematics behind S-Box Modulo 2 arithmetic =7C

Mathematics behind S-Box: Modulo 2 arithmetic. Input bits, Output bits. To avoid fixed point.

Inverse transform: Modulo 2 arithmetic. Input bits, Output bits.

Rationale behind S-Box: low correlation between input bits and output bits (check linear approximation table). No fixed points: S-box(a) ≠ a, by the added constant. No opposite fixed points: S-box(a) ≠ ā, where ā is the bitwise complement of a. S-box is not self-inverse: S-box(a) ≠ Inv_S-box(a).
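The three S-box construction steps, the rationale checks, and the g function from the key-expansion slides, as an added example (not code from the original slides). Computing inverses from powers of the generator {03} is a choice made here, and all function names are illustrative.

```python
def xtime(a):
    """{02} * a in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

def build_sbox():
    # exp[i] = {03}^i; {03} generates all 255 non-zero elements,
    # so the multiplicative inverse of {03}^i is {03}^(255 - i).
    exp, x = [], 1
    for _ in range(255):
        exp.append(x)
        x ^= xtime(x)                      # x * {03} = x * {02} XOR x
    inv = [0] * 256                        # step 2; {00} is mapped to itself
    for i, v in enumerate(exp):
        inv[v] = exp[(255 - i) % 255]
    rotl = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    # step 3: affine transformation over GF(2), then add the constant {63}
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63
            for b in inv]

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def check_rationale():
    r = range(256)
    return {
        "no_fixed_points": all(SBOX[a] != a for a in r),
        "no_opposite_fixed_points": all(SBOX[a] != a ^ 0xFF for a in r),
        # any(), not all(): the table holds one 2-cycle, 0x73 <-> 0x8F
        "not_self_inverse": any(SBOX[a] != INV_SBOX[a] for a in r),
    }

def g(word, rc):
    """Key-schedule g: rotate word, substitute bytes, XOR RC into byte 0."""
    sub = [SBOX[b] for b in word[1:] + word[:1]]
    return [sub[0] ^ rc] + sub[1:]

def expand_key_128(key):
    """Expand a 16-byte key into the 44-word array (each word = 4 bytes)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:                     # every 4th word goes through g
            temp, rc = g(temp, rc), xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w
```

Calling g([0x7F, 0x8D, 0x29, 0x2F], 0x01) reproduces the slides' worked result 5C A5 15 D2.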

S-box design criterion (p.88): Strict avalanche criterion (SAC): any output bit j of an S-box should change with probability ½ when any single input bit i is inverted, for all i, j. Bit independence criterion (BIC): output bits j and k should change independently when any single input bit i is inverted, for all i, j, k. Guaranteed avalanche (GA): for a 1-bit input change, at least r output bits change (r = 2 to 5 provides strong diffusion).

S-box design approaches: Random: use pseudo-random number generator for each entry in the S-box; suitable for large S-box. Random with testing: test results against various criteria. Human-made: ex. DES; suitable for small S-box. Math-made: ex. AES. Key-dependent S-box: Blowfish (Chap. 6).

Shift Rows 4 bytes of one column are spread out to 4 different columns Shift left 1 byte Shift left 2 bytes Shift left 3 bytes

Mix column transformation Input state Output state column

Mix Columns (cont.): each column is processed separately; each byte is replaced by a value dependent on all 4 bytes in the column; a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1.

Matrix computation in GF(2^8). Example: only multiplications by 1, 2, 3; these need only shift, conditional XOR, and XOR.

Matrix computation in GF(2^8) Example: ={47} +

For 8-bit processor (p.165) => 2 · x => can be replaced by a table lookup

Implementation Aspects: can efficiently implement on 8-bit CPU; byte substitution works on bytes using a table of 256 entries; shift rows is simple byte shifting; add round key works on byte XORs; mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use a table lookup.
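The fast-multiplication rule and the MixColumns matrix product from the slides above, with the 2 · x table lookup, as an added example (not code from the original slides). The function names are illustrative and the sample column 87 6E 46 A6 is a constructed test input whose first output byte is the {47} shown earlier.

```python
def xtime(a):
    """{02} * a: shift left, then conditionally XOR m(x) if x^8 appeared."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a   # 0x11B = x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """General product in GF(2^8): shift-and-add over the bits of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

# 8-bit CPU shortcut: precompute 2 * x once; MixColumns then needs only
# table lookups and XORs, because 3 * x = (2 * x) XOR x.
XTIME_TABLE = [xtime(x) for x in range(256)]

def mix_column(col):
    """Multiply one state column by the circulant matrix with row 02 03 01 01."""
    out = []
    for i in range(4):
        a, b, c, d = (col[(i + k) % 4] for k in range(4))
        out.append(XTIME_TABLE[a] ^ (XTIME_TABLE[b] ^ b) ^ c ^ d)
    return out

def inv_mix_column(col):
    """Inverse transform: circulant matrix with row 0E 0B 0D 09."""
    coeffs = (0x0E, 0x0B, 0x0D, 0x09)
    out = []
    for i in range(4):
        acc = 0
        for k, m in enumerate(coeffs):
            acc ^= gf_mul(m, col[(i + k) % 4])
        out.append(acc)
    return out

def demo():
    column = [0x87, 0x6E, 0x46, 0xA6]        # constructed sample column
    mixed = mix_column(column)
    return mixed, inv_mix_column(mixed) == column

if __name__ == "__main__":
    mixed, round_trip_ok = demo()
    print(" ".join(f"{b:02X}" for b in mixed), round_trip_ok)
```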

AES Decryption AES decryption is not identical to encryption since steps done in reverse

AES decryption Two separate software/hardware for both encryption and decryption Is it possible that the decryption algorithm has the same sequence of transformation (inverse transform) as the encryption algorithm?

Inverse shift rows and sub. bytes inverse

Inverse shift rows then Sub. bytes = Sub. bytes then Inverse shift rows. According to the previous figure, both operations act on individual bytes, and they commute.

Add round key and inverse mix columns The order can be exchanged

AES Implementation by table look-up and XOR: a_ij: element of state matrix. SubBytes: b_ij = S[a_ij]. ShiftRows, MixColumns, AddRoundKey.

Summary have considered: the AES selection process the details of Rijndael – the AES cipher the key expansion looked at the steps in each round implementation aspects