AES Background and Mathematics CSCI 5857: Encoding and Encryption

Outline AES goals and history Modular multiplicative inverses Galois Field mathematics Galois Field inverses Uses in AES

AES History 1997: NIST calls for proposals for DES replacement –56-bit DES key not computationally secure –Triple DES very slow –DES S-Boxes poorly understood 1999: Several algorithms chosen as finalists –Rijndael (selected) –Twofish, Serpent, etc. (still used by some systems) 2001: Rijndael published by NIST as Advanced Encryption Standard

Goals of AES Security –Minimum key size: 128 bits (computationally secure now) –Expandable to 192 or 256 bits (will still be computationally secure in future) –Block size: 128 bits (more possible mappings) –Designed for resistance to differential and linear cryptanalysis Cost –Structure optimized for efficiency

Mathematical Goals S-Boxes and other transformations should have mathematical basis –Can insure useful properties (nonlinearity, etc.) –Can re-derive as needed for larger keys –Mapping should appear “random” (no simple patterns between inputs and outputs)

Modular Multiplication a  b mod m = remainder left after (a  b)/m Example: multiplication table mod 7

b is inverse of a mod m if ab mod m = 1 (b = a -1 mod m) Example: 5 = 3 -1 mod 7 since 3 x 5 = 15 = 1 mod 7 Creates nonlinear “pseudorandom” mappings Modular Multiplicative Inverses aa -1 0none

Modular Multiplicative Inverses Problem: Only works if m is a prime number Otherwise, some numbers have no inverse Example: modular inverses mod 8 aa -1 0none

Modular Multiplicative Inverses Goal: use this idea in cases where m = 2 n (that is, m is the size of a typical block) Galois Fields –Represent byte to transform as a polynomial –Compute inverse of that polynomial mod some other “prime” polynomial –Galois Field with m = 2 8 used to create S-Boxes for AES, mapping 256 possible byte inputs to 256 possible byte outputs

Galois Field Mathematics Step 1: Represent binary numbers with n bits as polynomial of degree n Example: n = 3 GF(2 3 ) 000 0x 2 + 0x x 2 + 0x x 2 + 1x + 0x 011 0x 2 + 1x + 1x x 2 + 0x + 0x2x x 2 + 0x + 1x x 2 + 1x + 0x 2 + x 111 1x 2 + 1x + 1x 2 + x + 1

Galois Field Mathematics x 2 + x x + 1 x 2 + 2x + 2 = x 2 + 0x + 0 = x 2 since 2 mod 2 = 0 x2x2 - (x + 1) x 2 - x – 1 = x 2 + x + 1 since -1 mod 2 = 1 All coefficients are binary (1 or 0) Addition/subtraction in mod 2 = XOR function Examples:

Galois Field Mathematics Step 2: Find a “prime” polynomial P n of degree n –Not a multiple of any two other polynomials (other than 1 and itself) Example for GF(2 3 ): P 3 = x 3 + x + 1 Used in AES for GF(2 8 ): P 8 = x 8 + x 4 + x 3 + x + 1

Galois Field Mathematics Step 3: Compute multiplication table for all pairs of polynomials P i x P j mod P n –Will need to compute mod if order of P i x P j is k  n –Simple (inefficient) way: compute P i x P j – x k-n P n Example for GF(2 3 ):

Galois Field Example Example: Multiplying 110 and  x 2 + x 011  x + 1 (x 2 + x)(x + 1) = x 3 + 2x 2 + x = x 3 + x 2 mod 2 = 0 (x 3 + x) mod (x 3 + x + 1) = x 3 + x - x 3 + x = 1 -1 mod 2 = 1

Galois Field Inverses Inverse b -1 of a binary number b in GF(2 n ) b -1 x b = 1 in GF(2 n ) Example: GF(2 3 ) b b -1 none

Galois Fields in AES AES mathematics based on GF(2 8 ) Prime polynomial = x 8 + x 4 + x 3 + x + 1 SubBytes stage –Basis of S-Boxes MixColumns Stage –Uses matrix multiplication in GF(2 8 ) Round Key Generation –Adds extra “random” bits to each round key