Title: There is no security on this earth, there is only opportunity
Slide 1
"There is no security on this earth, there is only opportunity."
- General Douglas MacArthur
Slide 2: Origins
- A replacement for DES was needed:
  - theoretical attacks that might break it had been worked out
  - exhaustive key search attacks had been demonstrated in practice
- 1999: NIST issued FIPS PUB 46-3: DES for legacy systems only; Triple DES prescribed for new systems
- Triple-DES may be used up to 2030, but it is slow (particularly in software implementations) and has a small 64-bit block
- Jan 2, 1997: NIST begins work on the new standard
- Sept 12, 1997: formal call for AES proposals
Slide 3: AES Requirements issued by NIST in 1997
- private-key, symmetric block cipher
- 128-bit data block, 128/192/256-bit keys
- stronger and faster than Triple-DES
- active life of 20-30 years (plus archival use)
- full specification and design details to be provided
- both C and Java implementations to be provided
Slide 4: History of Development of AES
- June 1998: 21 proposals received
- Aug 20, 1998: shortlisted to 15 proposals: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, RIJNDAEL, SAFER+, SERPENT, TWOFISH
- March 22-23, 1999: AES2, the Second AES Candidate Conference, Rome
- Aug 1999: five candidates (MARS, RC6, RIJNDAEL, SERPENT, TWOFISH) judged equally secure; efficiency, speed and resource consumption remained to be studied
Slide 5: AES Shortlist
- shortlist announced Aug 1999
- MARS (IBM): complex, fast, high security margin
- RC6 (USA): very simple, very fast, low security margin
- Rijndael (Belgium): clean, fast, good security margin; academic submission
- Serpent (Europe): slow (about 1/3 the speed of Rijndael), clean, highest security margin of the 5 finalists; academic submission
- Twofish (USA): complex, Feistel, DES-like structure, very fast (as fast as Rijndael), high security margin, key-dependent S-boxes; uses whitening (key material added to the data) at both the start and the end of the cipher
- the finalists were then subject to further analysis and comment
Slide 6: AES Evaluation Criteria
- initial criteria:
  - security: effort needed to practically cryptanalyse the cipher
  - cost: computational
  - algorithm and implementation characteristics
- these were used to reduce the field from 21 proposals to 15
- thereafter 5 candidates were shortlisted out of the 15, using the same criteria
Slide 7: Final criteria for selecting Rijndael out of the five
- 1. general security
- 2. ease of software and hardware implementation
- 3. resistance to implementation attacks
- 4. flexibility (in encryption/decryption, other factors)
- 5. restricted memory requirement (for use in smart devices)
- 6. key agility: ability to change keys fast, with a minimum of resources
Slide 8: AES
- October 2, 2000: RIJNDAEL selected as AES
- unclassified, publicly disclosed encryption algorithm
- available royalty-free world-wide
- symmetric-key block cipher
Slide 9: Selection of AES
- the finalists showed contrasts between algorithms:
  - few complex rounds versus many simple rounds
  - refinements of existing ciphers versus new proposals
  - how efficiently each could be implemented both in software only and in special-purpose ICs
- AES issued as the FIPS PUB 197 standard in Nov 2001
- AES was initially developed as the Rijndael cipher by Joan Daemen and Vincent Rijmen
Slide 10: Rijndael Cipher
- an iterative (substitution-permutation) cipher rather than a Feistel-type cipher
- operates on the entire block of data in every round (not on half the block, as in Feistel-type ciphers)
- designed for:
  - resistance against known attacks
  - speed and code compactness on many CPUs
  - design simplicity
- the plaintext block is written in the form of a matrix
- the input key is also written in the form of a matrix
Slide 11: Key
- Key bytes are arranged in a rectangular array of 4 rows (shown here for the largest, 32-byte key):

  K0,0 K0,1 K0,2 K0,3 K0,4 K0,5 K0,6 K0,7
  K1,0 K1,1 K1,2 K1,3 K1,4 K1,5 K1,6 K1,7
  K2,0 K2,1 K2,2 K2,3 K2,4 K2,5 K2,6 K2,7
  K3,0 K3,1 K3,2 K3,3 K3,4 K3,5 K3,6 K3,7

- Variable key size: 16, 24 or 32 bytes (4, 6 or 8 columns)
- Ki,j is the byte in the ith row and jth column
- Nk = number of 4-byte column vectors in the key (4, 6 or 8)
Slide 12: Block of data
- Data bytes are arranged in the same way (shown here for the largest, 32-byte block):

  a0,0 a0,1 a0,2 a0,3 a0,4 a0,5 a0,6 a0,7
  a1,0 a1,1 a1,2 a1,3 a1,4 a1,5 a1,6 a1,7
  a2,0 a2,1 a2,2 a2,3 a2,4 a2,5 a2,6 a2,7
  a3,0 a3,1 a3,2 a3,3 a3,4 a3,5 a3,6 a3,7

- Variable block size: 16, 24 or 32 bytes (4, 6 or 8 columns)
- ai,j is the byte in the ith row and jth column
- Nb = number of 4-byte column vectors in the block (4, 6 or 8)
Slide 13: State
- The plaintext block is represented as a matrix; each cell of the matrix is a byte.
- Encryption and decryption are multi-step processes.
- At each step the matrix is manipulated to yield a new matrix as the output of that step.
- At each stage, the matrix of data, whether it is the input to the stage or the output of the stage, is called a STATE.
- The final output of the multi-step encryption process is the ciphertext.
Slide 14: Rijndael Cipher: each stage in the en/decryption process
[Figure: an input matrix (a STATE) enters a stage; the stage produces an output matrix, also a STATE, which is naturally different from the input state.]
- Given a key K, the KEY EXPANSION process expands the one key into multiple sub-keys, each of the same size as the block.
- A ROUND is a collection of steps performed sequentially on a state to produce a new state.
Slide 15: Rijndael encryption (and decryption) process: number of rounds (Nr)
- 10, 12 or 14 applications of (nearly) the same round function
- Nr = 6 + max(Nk, Nb)

          Nb = 4   Nb = 6   Nb = 8
  Nk = 4    10       12       14
  Nk = 6    12       12       14
  Nk = 8    14       14       14
Slide 16: Rijndael Cipher
- Three-step process of encryption:
  - an initial XOR of the 128-bit plaintext block with the first sub-key (round key 0)
  - 9/11/13 full rounds; each round consists of
    - byte substitution (the same S-box is used on every byte, unlike DES, where 8 different S-boxes are used)
    - shift rows (permute bytes between columns)
    - mix columns (substitution using a matrix multiplication on each column)
    - add round key (XOR the state with a separate sub-key for each round)
  - an incomplete last (i.e. 10th/12th/14th) round, without the mix columns operation
Slide 17: Example Key Expansion for a 128-bit key and 128-bit block
- With Nb fixed at 4, the number of rounds Nr = 10, 12 or 14, depending on the value of Nk
- Number of round keys required = Nr + 1
- Example: given a key of 128 bits, Nk = 4
- The key is first rewritten as four components of 4 bytes each, called w(0) to w(3); each w is 32 bits
- The key is then expanded from 4 to 44 components of 32 bits each, w(i), i = 0 to 43
- For the jth round, the sub-key consists of w(4j) to w(4j+3)
- Total number of round-key bits = N(Nr + 1), where N = block size in bits
Slide 18: Rijndael Cipher (continued)
- The Rijndael cipher has a variable block length and key length.
- Currently keys of 128, 192 or 256 bits encrypt blocks of 128, 192 or 256 bits; all nine combinations of key length and block length are possible. Both block length and key length can be extended very easily by multiples of 32 bits.
- Rijndael can be implemented efficiently on a wide range of processors and in hardware.
- All operations can be combined into XORs and table lookups, hence it is very fast and efficient.
Slide 19: Rijndael Cipher (continued)
- For a 128-bit block, the cipher processes data as 4 groups of 4 bytes each.
- Each group is shown as a column in a matrix of four columns; each column has 4 rows.
- Each cell of the 4x4 matrix contains one byte.
- The output of every round is a new state of 128 bits, i.e. 4 columns of 4 bytes each.
- The ciphertext is the final output generated by the cipher.
Slide 20: Example of a selection process: Cryptographic Hash Algorithm (SHA-3)
- 2005: Prof. Xiaoyun Wang showed that a differential attack on SHA-1 can find a hash collision (two messages with the same hash value) with an estimated work of 2^63 operations
- the ideal is 2^80 operations for any good 160-bit hash function
- Recommendation: use the SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384 and SHA-512)
- A competition by NIST: entries received by October 31, 2008; July 2009: second-round candidates selected (reference: http://csrc.nist.gov/ as of Oct 5, 2009)
Slide 21: The AES Cipher
- A FIPS-approved cryptographic algorithm that can be used to protect electronic data.
- AES uses a 128-bit block only.
- The key may be 128, 192 or 256 bits; Nk may be 4, 6 or 8.
- Nr = number of rounds = 6 + Nk
- Reference: Federal Information Processing Standards (FIPS) Publication 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, as of Oct 5, 2009
Slide 22
"This authority (National Protection and Programs Directorate) will assist us in recruiting the best people in the world to come work for us over the next few years as cyber analysts, developers and engineers. So look out, we're coming."
- Janet Napolitano, Homeland Security Secretary, in "DHS could hire 1000 more cyber security professionals", Federal Computer Week, October 1, 2009, http://fcw.com/Articles/2009/10/01/Web-DHS-hiring-cybersecurity-officials.aspx, as of 7th Oct 2009
Slide 23: AES vs Rijndael
- AES uses a 128-bit block only (Nb = 4 only).
- Rijndael can use a block of 128, 192 or 256 bits (Nb may be 4, 6 or 8).
- Both AES and Rijndael may use cryptographic keys of 128, 192 or 256 bits (Nk may be 4, 6 or 8).
- AES has 10, 12 or 14 rounds for Nk = 4, 6 or 8 respectively.
Slide 24: Steps of a Round Function
- The round function is composed of 4 steps (except for the incomplete last round, which has no MixColumn)
- Each step has its own particular function:
  - ByteSub: non-linearity
  - ShiftRow: inter-column diffusion
  - MixColumn: inter-byte diffusion within columns
  - Round key addition
- The figure on the next slide shows both the encryption and decryption processes; the STATE at corresponding levels of encryption and decryption is the same.
Slide 25: AES Cipher (continued)
[Figure: the encryption and decryption processes side by side.]
Slide 26: Pseudocode for encryption, for the earlier rounds and for the last round
- Round(State, RoundKey)
  {
    ByteSub(State)
    ShiftRow(State)
    MixColumn(State)
    AddRoundKey(State, RoundKey)
  }
- For the last round it is a little different:
- FinalRound(State, RoundKey)
  {
    ByteSub(State)
    ShiftRow(State)
    AddRoundKey(State, RoundKey)
  }
Slide 27: Three Steps of Decryption
- an initial XOR of the ciphertext with the last sub-key
- 9/11/13 full rounds in which the state undergoes
  - InvShiftRow (permute bytes between columns)
  - InvByteSub (the same inverse S-box used on every byte)
  - AddRoundKey (XOR the state with the separate sub-key for each round)
  - InvMixColumn (substitution using a matrix multiplication on each column)
- an incomplete last (i.e. 10th/12th/14th) round, without the InvMixColumn operation
Slide 28: Pseudocode for decryption, for the earlier rounds and for the last round
- InvRound(State, RoundKey)
  {
    InvShiftRow(State)
    InvByteSub(State)
    AddRoundKey(State, RoundKey)
    InvMixColumn(State)
  }
- For the last round it is a little different:
- InvFinalRound(State, RoundKey)
  {
    InvShiftRow(State)
    InvByteSub(State)
    AddRoundKey(State, RoundKey)
  }
Slide 29: Sequence of Operations in a Round (SoOiaR) of Encryption vs. SoOiaR of Decryption
- Let Si be the input state for round i and let Si+1 be the output state.
- Encryption:
  - Let w(4i) .. w(4i+3) be the RoundKey for the ith round.
  - Si+1 = AddRoundKey(MixColumn(ShiftRow(ByteSub(Si))), RoundKey)
  - In the last round, the MixColumn operation is not included.
- Decryption:
  - Let w(4(10-i)) .. w(4(10-i)+3) be the RoundKey for the ith round (Nr = 10 case).
  - Si+1 = InvMixColumn(AddRoundKey(InvByteSub(InvShiftRow(Si)), RoundKey))
  - In the last round, the InvMixColumn operation is not included.
- Method of aligning the two sequences: follows from a study of the 4 operations (next slides).
Slide 30: AES Cipher (continued)
[Figure: the rounds of encryption and decryption aligned.]
Slide 31: AES sources of security
- AES begins and ends with AddRoundKey; on their own, these steps do not provide much security.
- ByteSub, ShiftRow and MixColumn:
  - make no use of the key, so they are invertible by anyone
  - but they provide non-linearity, diffusion and confusion
- Jointly, the two groups of steps above provide the security.
Slide 32: The process of Encryption: Add Round Key
- XOR the state with the 128 bits of the round key
- again processed by column (though effectively a series of byte operations)
- the inverse for decryption is identical, since XOR is its own inverse; just use the correct round key
Slide 33: Example (Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33)
- Input M = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
- Cipher Key K = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
- 0th round (the first stage): M ⊕ K = M0 (bytes fill the matrices column by column)

  32 88 31 e0     2b 28 ab 09     19 a0 9a e9
  43 5a 31 37  ⊕  7e ae f7 cf  =  3d f4 c6 f8
  f6 30 98 07     15 d2 15 4f     e3 e2 8d 48
  a8 8d a2 34     16 a6 88 3c     be 2b 2a 08

- Each stage generates a new STATE. Thus from M (the input state), this stage generates a new state M0.
Slide 34: First Step in a Round of Encryption: ByteSub
[Figure: each byte ai,j of the state goes through the S-box to give bi,j]

  a0,0 a0,1 a0,2 a0,3          b0,0 b0,1 b0,2 b0,3
  a1,0 a1,1 a1,2 a1,3  S-box   b1,0 b1,1 b1,2 b1,3
  a2,0 a2,1 a2,2 a2,3  ----->  b2,0 b2,1 b2,2 b2,3
  a3,0 a3,1 a3,2 a3,3          b3,0 b3,1 b3,2 b3,3

- Bytes are transformed by applying an invertible S-box
- One single S-box for the complete cipher
- High non-linearity
Slide 35: Byte Substitution
- a simple substitution of each byte
- uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values
- each byte of the state is replaced by the byte at row (left 4 bits), column (right 4 bits) of the S-box
- e.g. byte 95 is replaced by the byte in row 9, column 5 of the S-box (the value there is 2A)
- the S-box is constructed using a defined transformation of the values in GF(2^8)
- designed to be resistant to all known attacks
Slide 36: S-Box
[Figure: the S-box table]
Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16, as of October 12, 2009
Slide 37: Design Criteria for the S-box
- Low correlation between input and output bits
- Output cannot be a simple mathematical function of the input
- No fixed points: the S-box input and output cannot be the same
- No "opposite" fixed points: the S-box input and output cannot be bit-wise complements of each other
Slide 38: Construction of the 16x16 S-box
- Each cell of the S-box contains one byte.
- Rows and columns are numbered from 0 to F.
- Step 1, initialization: put in each cell the value equal to its position, row||column. E.g. in row 0, column 2 the value would be 02_16 = 0000 0010_2.
- Step 2: replace the value in each cell by its multiplicative inverse in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1. Use the extended Euclidean algorithm given in the Mathematical Background.
Slide 39
- Now please refer to the Mathematical Background.
Slide 40: Multiplicative inverse: Extended Euclid(m(x), b(x)) algorithm
- 1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)
- 2. If B3 = 0: return A3 = gcd(m, b); no inverse exists.
- 3. If B3 = 1: return B2 as the multiplicative inverse of b (i.e. b(x)·B2 ≡ 1 mod m(x)).
- 4. Q ← ⌊A3 / B3⌋ (polynomial quotient)
- 5. (T1, T2, T3) ← (A1 − Q·B1, A2 − Q·B2, A3 − Q·B3)
- 6. (A1, A2, A3) ← (B1, B2, B3)
- 7. (B1, B2, B3) ← (T1, T2, T3)
- 8. Go to step 2.
Slide 41: Construction of the 16x16 S-box: multiplicative inverse mod (x^8 + x^4 + x^3 + x + 1)
- Example: in row 0, column 2, the value 02_16 (corresponding to a(x) = x) is replaced by its multiplicative inverse, which is shown below to be 8D_16.
- To find c(x) such that a(x)·c(x) ≡ 1 mod (x^8 + x^4 + x^3 + x + 1), run the algorithm of slide 40 (Q is the quotient ⌊A3/B3⌋ used to produce the next row):

  A1  A2  A3                        B1  B2                     B3  Q
  1   0   x^8 + x^4 + x^3 + x + 1   0   1                      x   x^7 + x^3 + x^2 + 1
  0   1   x                         1   x^7 + x^3 + x^2 + 1    1   -

- B3 = 1, so c(x) = B2 = x^7 + x^3 + x^2 + 1 = 1000 1101_2 = 8D_16
- Step 3: use the matrix transformation of the next slide to transform 8D_16 (called vector x) into a new vector y.
Slide 42: Example, row 0 and column 2 (continued)
- c(x) = x^7 + x^3 + x^2 + 1 = 8D_16
- Writing c(x) = a7·x^7 + a6·x^6 + ... + a1·x + a0, the coefficients are a0 = 1, a1 = 0, a2 = 1, a3 = 1, a4 = 0, a5 = 0, a6 = 0, a7 = 1
- Vector x = (a0, a1, a2, a3, a4, a5, a6, a7)^T = (1, 0, 1, 1, 0, 0, 0, 1)^T
Slide 43: S-Box construction, example continued
- y = M1·x ⊕ m2, where

       | 1 0 0 0 1 1 1 1 |        | 1 |
       | 1 1 0 0 0 1 1 1 |        | 1 |
       | 1 1 1 0 0 0 1 1 |        | 0 |
  M1 = | 1 1 1 1 0 0 0 1 |   m2 = | 0 |
       | 1 1 1 1 1 0 0 0 |        | 0 |
       | 0 1 1 1 1 1 0 0 |        | 1 |
       | 0 0 1 1 1 1 1 0 |        | 1 |
       | 0 0 0 1 1 1 1 1 |        | 0 |

- (row i of M1 lists which of x0..x7 are XORed together to give y_i; m2 = 63_16, written with bit 0 on top)
Slide 44: Construction of the 16x16 S-box, example continued
- For x = (1, 0, 1, 1, 0, 0, 0, 1)^T:

  M1·x = (0, 0, 1, 0, 1, 0, 0, 0)^T
  m2   = (1, 1, 0, 0, 0, 1, 1, 0)^T
  y    = (1, 1, 1, 0, 1, 1, 1, 0)^T    i.e. y7..y0 = 0111 0111_2

- NOTE: the transformed value is 77_16, so the S-box entry in row 0, column 2 is 77. The inverse S-box provides the value 02 in row 7, column 7.
- AES uses two substitution boxes: the S-box for encryption and the inverse S-box for decryption.
- The next slide again shows the S-box.
Slide 45: S-Box
[Figure: the S-box table]
Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16
Slide 46: Example of ByteSub (Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33)
- Use M0 of slide 33 as the input data for this example.
- M0 --ByteSub--> M1.1 (round 1, step 1):

  19 a0 9a e9      d4 e0 b8 1e
  3d f4 c6 f8  ->  27 bf b4 41
  e3 e2 8d 48      11 98 5d 52
  be 2b 2a 08      ae f1 e5 30
Slide 47: Inverse Byte Substitution
[Figure:]
  95 --S-box-->      2a
  2a --Inv S-box-->  95
  95 --Inv S-box-->  ad
- The S-box is NOT self-inverse: for the same input, the S-box and the inverse S-box will NOT give the same output.
Slide 48: Inverse S-Box
[Figure: the inverse S-box table; input x, output y]
Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 22
Slide 49: Construction of the Inverse Substitution Box
- x = M3·y ⊕ m4, where

       | 0 0 1 0 0 1 0 1 |        | 1 |
       | 1 0 0 1 0 0 1 0 |        | 0 |
       | 0 1 0 0 1 0 0 1 |        | 1 |
  M3 = | 1 0 1 0 0 1 0 0 |   m4 = | 0 |
       | 0 1 0 1 0 0 1 0 |        | 0 |
       | 0 0 1 0 1 0 0 1 |        | 0 |
       | 1 0 0 1 0 1 0 0 |        | 0 |
       | 0 1 0 0 1 0 1 0 |        | 0 |

- (m4 = 05_16, written with bit 0 on top)
Slide 50: Justification
- x = M3·y ⊕ m4
- Using y = M1·x ⊕ m2 from slide 43:
- x = M3·(M1·x ⊕ m2) ⊕ m4 = (M3·M1)·x ⊕ (M3·m2 ⊕ m4)
- We find M3·M1 = the identity matrix and M3·m2 ⊕ m4 = 0, so the transformation of slide 49 indeed inverts the forward one.
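The construction of slides 38-50, carried through in code as an added example (not part of the slides or of FIPS-197): the multiplicative inverse is computed with the extended Euclidean algorithm of slide 40 on polynomials over GF(2) held as integers, the affine map uses the bit matrices M1, m2 of slide 43 and M3, m4 of slide 49, and the two checks at the end are the design criteria of slide 37 and the identity M3·(M1·x ⊕ m2) ⊕ m4 = x of slide 50. The names and the int-as-polynomial layout are this example's own.

```python
# Added example (not from the slides): builds the AES S-box the way slides
# 38-50 describe it, with bit k of a byte holding the coefficient of x^k.
M = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1


def poly_divmod(a, b):
    """Long division in GF(2)[x]; polynomials are held as Python ints."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def poly_mul(a, b):
    """Carry-less product in GF(2)[x] (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_inverse(b, m=M):
    """Extended Euclid exactly as on slide 40: returns B2 with b(x).B2 = 1 mod m(x)."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b
    while True:
        if b3 == 0:
            raise ZeroDivisionError("no inverse, gcd(m, b) = %#x" % a3)
        if b3 == 1:
            return b2
        q, _ = poly_divmod(a3, b3)
        # over GF(2) subtraction is XOR, so A - Q.B is A xor Q.B
        t = (a1 ^ poly_mul(q, b1), a2 ^ poly_mul(q, b2), a3 ^ poly_mul(q, b3))
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t


# Bit matrices of slides 43 and 49: row i lists which of x0..x7 are XORed
# into output bit i; the constants are written with bit 0 first.
M1 = ("10001111", "11000111", "11100011", "11110001",
      "11111000", "01111100", "00111110", "00011111")
m2 = 0x63  # (1,1,0,0,0,1,1,0)
M3 = ("00100101", "10010010", "01001001", "10100100",
      "01010010", "00101001", "10010100", "01001010")
m4 = 0x05  # (1,0,1,0,0,0,0,0)


def affine(matrix, const, x):
    """y = matrix . x xor const over GF(2), x and y as bytes."""
    y = 0
    for i, row in enumerate(matrix):
        bit = 0
        for k, coef in enumerate(row):
            if coef == "1":
                bit ^= (x >> k) & 1
        y |= bit << i
    return y ^ const


def sbox_entry(v):
    """Slide 38 step 2 (inverse; 0 stays 0) followed by step 3 (affine map)."""
    return affine(M1, m2, gf_inverse(v) if v else 0)


def inv_sbox_entry(y):
    """Slide 49: undo the affine map with M3, m4, then invert in the field."""
    x = affine(M3, m4, y)
    return gf_inverse(x) if x else 0


SBOX = [sbox_entry(v) for v in range(256)]
INV_SBOX = [inv_sbox_entry(y) for y in range(256)]


def meets_design_criteria(sbox):
    """Slide 37: a permutation with no fixed point and no 'opposite' fixed point."""
    return (sorted(sbox) == list(range(256))
            and all(sbox[a] != a for a in range(256))
            and all(sbox[a] != a ^ 0xFF for a in range(256)))


def affine_maps_are_inverse():
    """Slide 50: M3.(M1.x + m2) + m4 == x for every x."""
    return all(affine(M3, m4, affine(M1, m2, x)) == x for x in range(256))
```

Running `gf_inverse(0x02)` reproduces the 8D of slide 41, `SBOX[0x02]` the 77 of slide 44, `SBOX[0x95]` the 2A of slide 35 and `INV_SBOX[0x95]` the AD of slide 47; `meets_design_criteria(SBOX)` and `affine_maps_are_inverse()` both return True. A production implementation would ship the table rather than compute it, but the computation is the only way to check that a shipped table has not been tampered with.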
Slide 51: Second Step in a Round of Encryption: ShiftRows
- a circular byte shift to the left in each row:
  - 1st row is unchanged
  - 2nd row: 1-byte circular shift to the left
  - 3rd row: 2-byte circular shift to the left
  - 4th row: 3-byte circular shift to the left
- In this step, the 4 bytes of each column are distributed over 4 different columns.
- During decryption, the shifts are circular shifts to the right.
- This step provides a permutation of the data.
Slide 52: ShiftRow

  before         after
  m n o p        m n o p
  g h i j   ->   h i j g
  w x y z        y z w x
  b c d e        e b c d

- Rows are shifted by 4 different offsets
- High diffusion over multiple rounds
- Interaction with MixColumn
Slide 53: Shift offsets (original Rijndael spec)
- The first row: no shift
- The second row: circular shift by C1
- The third row: circular shift by C2
- The fourth row: circular shift by C3
- Nb = 4: C1 = 1, C2 = 2, C3 = 3
- Nb = 6: C1 = 1, C2 = 2, C3 = 3
- Nb = 8: C1 = 1, C2 = 3, C3 = 4
- AES has Nb = 4 only.
Slide 54: Example of ShiftRow (Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33)
- Use M1.1 of slide 46 as the input data for this example.
- M1.1 --ShiftRow--> M1.2:

  d4 e0 b8 1e      d4 e0 b8 1e
  27 bf b4 41  ->  bf b4 41 27
  11 98 5d 52      5d 52 11 98
  ae f1 e5 30      30 ae f1 e5
Slide 55: Third Step in a Round of Encryption: MixColumn
[Figure: each column a0..3,j of the state is multiplied by a fixed matrix to give column b0..3,j of the output]

  | b0,j |   | 02 03 01 01 |   | a0,j |
  | b1,j | = | 01 02 03 01 | . | a1,j |
  | b2,j |   | 01 01 02 03 |   | a2,j |
  | b3,j |   | 03 01 01 02 |   | a3,j |

- Bytes in columns are linearly combined
- High intra-column diffusion
- Based on the theory of error-correcting codes
Slide 56: Mix Columns
- each column is processed separately
- each byte is replaced by a value dependent on all 4 bytes in the column
- effectively a matrix multiplication, where each byte is treated as a polynomial in GF(2^8) using the prime (irreducible) polynomial m(x) = x^8 + x^4 + x^3 + x + 1
- Input state S, output state S'
Slide 57: Example MixColumn, evaluation of S'00 (Reference: Mathematical background)
- Use M1.2 of slide 54 as the input data for this example.
- S'00 = (02·S00) ⊕ (03·S10) ⊕ (01·S20) ⊕ (01·S30)
- values in the first column: S00 = d4, S10 = bf, S20 = 5d, S30 = 30
- 01·30 = 30 = 0011 0000
- 01·5d = 5d = 0101 1101
- 03·bf = da = 1101 1010, because:
  - 03·bf can be represented by (x + 1)·a(x) mod m(x) = (x + 1)·(x^7 + x^5 + x^4 + x^3 + x^2 + x + 1) mod (x^8 + x^4 + x^3 + x + 1)
  - 02·bf = x·(x^7 + x^5 + x^4 + x^3 + x^2 + x + 1) mod (x^8 + x^4 + x^3 + x + 1): shift left and XOR with 1b: 0111 1110 ⊕ 0001 1011 = 0110 0101 = 65
  - 01·bf = bf = 1011 1111
  - 03·bf = 02·bf ⊕ 01·bf = 65 ⊕ bf = 1101 1010 = da
Slide 58: Example MixColumn, evaluation of S'00 (continued)
- 02·d4 = b3 = 1011 0011, because:
  - 02·d4 = x·(x^7 + x^6 + x^4 + x^2) mod (x^8 + x^4 + x^3 + x + 1)
  - shift left and XOR with 1b: 1010 1000 ⊕ 0001 1011 = 1011 0011
- S'00 = 0011 0000 ⊕ 0101 1101 ⊕ 1101 1010 ⊕ 1011 0011 = 0000 0100 = 04
Slide 59: Example MixColumn, evaluation of S'10 (Reference: Mathematical background)
- S'10 = (01·S00) ⊕ (02·S10) ⊕ (03·S20) ⊕ (01·S30)
- S00 = d4, S10 = bf, S20 = 5d, S30 = 30
- 01·d4 = d4
- 02·bf = 65, by shifting bf once to the left and XOR-ing with 1b:
  - shift 1011 1111 to the left: 0111 1110 (the bit shifted out was 1, so reduce)
  - 0111 1110 ⊕ 0001 1011 = 0110 0101_2 = 65_16
- 03·5d = 5d ⊕ 02·5d, by splitting 03 into 01 and 02:
  - 02·5d = ba, by shifting 5d once to the left: 5d_16 = 0101 1101_2 --shift--> 1011 1010_2 = ba_16 (the bit shifted out was 0, so no reduction)
  - 03·5d = 0101 1101_2 ⊕ 1011 1010_2 = 1110 0111_2 = e7
- 01·30 = 30
- S'10 = d4 ⊕ 65 ⊕ e7 ⊕ 30 = 66
Slide 60: Example MixColumn
- Use M1.2 of slide 54 as the input data for this example.
- The previous 3 slides show the calculation of S'00 and S'10. Similarly the whole of the state S' can be calculated.
- M1.2 --MixColumn--> M1.3:

  d4 e0 b8 1e      04 e0 48 28
  bf b4 41 27  ->  66 cb f8 06
  5d 52 11 98      81 19 d3 26
  30 ae f1 e5      e5 9a 7a 4c
Slide 61: Inverse Mix Column
[Figure: the MixColumn matrix MC and its inverse MC^-1]
- Hence using MC^-1 would be more difficult, since it requires multiplication by more complex polynomials (0e, 0b, 0d, 09 rather than 01, 02, 03).
Slide 62: Selection of values in MixColumn
- Selected for good mixing, based on a linear code with maximum distance between code words
- The small values 01, 02 and 03 lead to a faster implementation: they require only shifts and XORs
- This leads to a more difficult decryption, but CFB (Cipher Feedback) and OFB (Output Feedback) modes require only the encryption process for decryption.
Slide 63: Cipher Feedback (CFB)
[Figure: CFB mode]
Slide 64: Output Feedback (OFB)
[Figure: OFB mode]
Slide 65: Inverse Mix Column transformation
- If s is the input matrix and s' the output matrix,

  | s'0,c |   | 0E 0B 0D 09 |   | s0,c |
  | s'1,c | = | 09 0E 0B 0D | . | s1,c |
  | s'2,c |   | 0D 09 0E 0B |   | s2,c |
  | s'3,c |   | 0B 0D 09 0E |   | s3,c |

- The above process is the inverse of the forward MixColumn of slide 55, because

  | 0E 0B 0D 09 |   | 02 03 01 01 |   | 01 00 00 00 |
  | 09 0E 0B 0D | . | 01 02 03 01 | = | 00 01 00 00 |
  | 0D 09 0E 0B |   | 01 01 02 03 |   | 00 00 01 00 |
  | 0B 0D 09 0E |   | 03 01 01 02 |   | 00 00 00 01 |
Slide 66: Inverse Mix Column transformation (continued)
- Proof for the output element in row 1 and column 1:
- A11 = 0E·02 ⊕ 0B·01 ⊕ 0D·01 ⊕ 09·03
- 0E·02 = 1C, by shifting 0E to the left
- 09·03 = 09 ⊕ 09·02, by splitting 03 into 01 and 02; 09·02 = 12 by shifting 09 to the left; 09 ⊕ 12 = 1B
- A11 = 1C ⊕ 0B ⊕ 0D ⊕ 1B = 01
Slide 67: Mix Column transformation: comments
- MixColumn during encryption uses the values 01, 02 and 03; these are implemented by a shift, or by a shift followed by an XOR.
- InvMixColumn for decryption is more complex.
- However it was possible to make only one of the two processes simple. It was decided to make the encryption process simpler than decryption, because encryption is more important:
  - AES may be used for authentication, where only encryption is needed
  - CFB, OFB and CTR modes do not require the decryption process (refer to DES part 2, slides 11-23)
Slide 68: Example (using the example of slide 60): Inverse MixColumn
- M1.3 --InvMixColumn--> M1.2

  | 0e 0b 0d 09 |   | 04 e0 48 28 |
  | 09 0e 0b 0d | . | 66 cb f8 06 |
  | 0d 09 0e 0b |   | 81 19 d3 26 |
  | 0b 0d 09 0e |   | e5 9a 7a 4c |

- S'00 = 0e·04 ⊕ 0b·66 ⊕ 0d·81 ⊕ 09·e5
- (In the next three slides, we show the calculation of S'00.)
Slide 69: Example Inverse MixColumn (2)
- 0e·04 = (0000 1110)·(0000 0100)
- can be visualized as (x^3 + x^2 + x)·b(x) mod (x^8 + x^4 + x^3 + x + 1), with b(x) = 0000 0100
- x·b(x)   = 0000 1000
- x^2·b(x) = 0001 0000
- x^3·b(x) = 0010 0000
- 0e·04 = 0000 1000 ⊕ 0001 0000 ⊕ 0010 0000 = 0011 1000 = 38
Slide 70: Example Inverse MixColumn (3)
- 0b·66: b(x) = 0110 0110
  - 1·b(x) = 0110 0110; x·b(x) = 1100 1100
  - x^2·b(x) = 1001 1000 ⊕ 0001 1011 = 1000 0011
  - x^3·b(x) = 0000 0110 ⊕ 0001 1011 = 0001 1101
  - 0b·66 = (x^3 + x + 1)·b(x) = 0001 1101 ⊕ 1100 1100 ⊕ 0110 0110 = 1011 0111 = b7
- 0d·81: b(x) = 1000 0001
  - x·b(x) = 0000 0010 ⊕ 0001 1011 = 0001 1001
  - x^2·b(x) = 0011 0010; x^3·b(x) = 0110 0100
  - 0d·81 = (x^3 + x^2 + 1)·b(x) = 0110 0100 ⊕ 0011 0010 ⊕ 1000 0001 = 1101 0111 = d7
Slide 71: Example Inverse MixColumn (4)
- 09·e5: b(x) = 1110 0101
  - x·b(x) = 1100 1010 ⊕ 0001 1011 = 1101 0001
  - x^2·b(x) = 1010 0010 ⊕ 0001 1011 = 1011 1001
  - x^3·b(x) = 0111 0010 ⊕ 0001 1011 = 0110 1001
  - 09·e5 = (x^3 + 1)·b(x) = 0110 1001 ⊕ 1110 0101 = 1000 1100 = 8c
- S'00 = 0e·04 ⊕ 0b·66 ⊕ 0d·81 ⊕ 09·e5 = 0011 1000 ⊕ 1011 0111 ⊕ 1101 0111 ⊕ 1000 1100 = 1101 0100 = d4
Slide 72: Example (using the example of slide 60): Inverse Mix Column (5)
- Proceeding in a similar manner, we find that M1.3 --InvMixColumn--> M1.2:

  04 e0 48 28      d4 e0 b8 1e
  66 cb f8 06  ->  bf b4 41 27
  81 19 d3 26      5d 52 11 98
  e5 9a 7a 4c      30 ae f1 e5
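The column arithmetic of slides 55-72 as an added example (not part of the slides or of FIPS-197): every product is built from the "shift left, XOR 1b on overflow" step of slides 57-59, the two circulant matrices are multiplied against the first column of the state M1.2 from slide 54, and the identity of slide 65 (InvMixColumn matrix times MixColumn matrix equals the identity) is checked directly over GF(2^8). The function names and the row-major state layout are this example's own; the input state is the FIPS-197 Appendix B value copied from slide 54.

```python
# Added example (not from the slides): the MixColumn / InvMixColumn arithmetic of
# slides 55-72.  Every product is built from "02.b = shift left, XOR 1b if bit 7
# was set" (multiplication by x modulo x^8 + x^4 + x^3 + x + 1), as on slides 57-59.


def xtime(b):
    """02 . b in GF(2^8)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """a . b: write b as a polynomial and add up the x^k . a terms (slides 69-71)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


MIX = (0x02, 0x03, 0x01, 0x01)        # first row of the MixColumn matrix
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)    # first row of the InvMixColumn matrix
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]


def circulant(first_row):
    """Both matrices are circulant: each row is the previous one rotated right."""
    return [[first_row[(j - i) % 4] for j in range(4)] for i in range(4)]


def mul_column(matrix, col):
    """Matrix-vector product over GF(2^8); addition is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def matrix_product(a, b):
    """(a . b) over GF(2^8), used to check the identity on slide 65."""
    cols = [mul_column(a, [b[k][j] for k in range(4)]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]


def mix_columns(state, inverse=False):
    """state is 4 rows x 4 columns of bytes, laid out as on the slides."""
    m = circulant(INV_MIX if inverse else MIX)
    cols = [mul_column(m, [state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


# Constructed input: the state M1.2 of slide 54 (FIPS-197 Appendix B, round 1).
M12 = [[0xD4, 0xE0, 0xB8, 0x1E],
       [0xBF, 0xB4, 0x41, 0x27],
       [0x5D, 0x52, 0x11, 0x98],
       [0x30, 0xAE, 0xF1, 0xE5]]

if __name__ == "__main__":
    M13 = mix_columns(M12)
    for row in M13:
        print(" ".join("%02x" % b for b in row))   # 04 e0 48 28 / 66 cb f8 06 / ...
    assert mix_columns(M13, inverse=True) == M12
    assert matrix_product(circulant(INV_MIX), circulant(MIX)) == IDENTITY
```

`mul_column(circulant(MIX), [0xD4, 0xBF, 0x5D, 0x30])` returns `[0x04, 0x66, 0x81, 0xE5]`, the first column of M1.3 on slide 60, and `gf_mul(0x0B, 0x66)` returns the b7 of slide 70. The cost asymmetry of slide 61 is visible in `gf_mul`: multiplying by 02 or 03 takes one or two `xtime` steps, multiplying by 0e/0b/0d/09 takes up to three plus the extra XORs.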
Slide 73: Fourth Step in a Round of Encryption: AddRoundKey
[Figure: state ai,j XOR round key ki,j = bi,j]

  a0,0 a0,1 a0,2 a0,3     k0,0 k0,1 k0,2 k0,3     b0,0 b0,1 b0,2 b0,3
  a1,0 a1,1 a1,2 a1,3  ⊕  k1,0 k1,1 k1,2 k1,3  =  b1,0 b1,1 b1,2 b1,3
  a2,0 a2,1 a2,2 a2,3     k2,0 k2,1 k2,2 k2,3     b2,0 b2,1 b2,2 b2,3
  a3,0 a3,1 a3,2 a3,3     k3,0 k3,1 k3,2 k3,3     b3,0 b3,1 b3,2 b3,3

- Makes the round function dependent upon the key
- Computation of the round keys is kept simple:
  - small number of operations
  - small amount of memory
Slide 74: AES Round
[Figure: a state of 16 bytes and the 16 bytes of the round key, called r_i (Ref: Stallings, Fig 5-3)]
Slide 75: Key Expansion for a 128-bit key and 128-bit block (see slide 17)
- A key of 128 bits (Nk = 4) is first rewritten as four components of 4 bytes each, called w(0) to w(3). It is then expanded from 4 to 44 components of 32 bits each, called w(i), i = 0 to 43.
- For the jth round of encryption, the sub-key consists of w(4j) to w(4j+3).
- (For decryption, this is the key for the (10-j)th round.)
Slide 76: AES Cipher (continued)
[Figure: key expansion]
Slide 77: AES Key Expansion
- takes a 128/192/256-bit key and expands it into an array of 44/52/60 32-bit words
- starts by copying the key into the first Nk 32-bit words; for a 128-bit key, w(0) to w(3)
- then uses a loop in which each new 4-byte word depends on values in
  - the immediately previous word, and
  - the word Nk places back (4 places back for a 128-bit key)
- in 3 of 4 cases these are just XORed together (for w(i) where i ≢ 0 mod 4)
Slide 78: AES Key Expansion (continued)
[Figure: the 16 key bytes K0..K15 written column-wise as the words w0 = (K0, K1, K2, K3), w1 = (K4, K5, K6, K7), w2 = (K8, K9, K10, K11), w3 = (K12, K13, K14, K15); w3 passes through the function g; then w4 = w0 ⊕ g(w3), w5 = w1 ⊕ w4, w6 = w2 ⊕ w5, w7 = w3 ⊕ w6.]
Slide 79: AES Key Expansion (continued)
- every 4th case (for w(i) where i is a multiple of 4):
  - the immediately preceding word goes through a process described by a function g
- Three steps of g:
  - RotWord: one-byte circular left shift of the previous word
  - SubWord: substitute each of the 4 bytes using the S-box
  - XOR with a 32-bit round constant Rcon(j), where j is the round number
Slide 80: Example Key Expansion: calculation of w4
- Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
- w0 = 2b7e1516, w1 = 28aed2a6, w2 = abf71588, w3 = 09cf4f3c
- Calculation of w4: RotWord and SubWord
- X1 = RotWord(w3) = cf4f3c09
- By using the S-box: X2 = SubWord(cf4f3c09) = 8a84eb01
- Example continued after two slides
Slide 81: AES Key Expansion: Rcon(j) (Reference for the key expansion problem: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 28)
- Calculation of w(i) for every 4th case (w(i) where i is a multiple of 4), continued from the previous slide
- The first byte of Rcon(j) is called RC(j). The second, third and fourth bytes of Rcon(j) are 0.
- RC(1) = 1
- RC(j) = 02·RC(j−1) for j = 2 to 10. The multiplication is defined over the field GF(2^8) with m(x) = x^8 + x^4 + x^3 + x + 1
- Thus RC(2) = 2, ..., RC(8) = 128 = 80_16
- rc9(x) = x^8 mod m(x) = x^4 + x^3 + x + 1, so RC(9) = 1B
- RC(10) = 0011 0110 = 36_16 = x^5 + x^4 + x^2 + x, obtained by shifting RC(9) to the left
Slide 82: AES Key Expansion: Rcon(j) formulae
- Key expansion formulae for i = 0 to 43:
  - w(i) = w(i−1) ⊕ w(i−4)       if i is not a multiple of 4
  - w(i) = g(w(i−1)) ⊕ w(i−4)    if i is a multiple of 4
  - g(w(i−1)) = Rcon(j) ⊕ SubWord(RotWord(w(i−1))), where j = i/4 is the round number
- Round constants (in hex):

  j       1   2   3   4   5   6   7   8   9   10
  RC(j)   01  02  04  08  10  20  40  80  1B  36

- Rcon(j) = RC(j) 00 00 00
Slide 83: Example Key Expansion (continued from slide 80): calculation of w4, w5, w6 and w7
- Rcon(1) = 01 00 00 00
- X3 = 8a84eb01 ⊕ 01000000 = 8b84eb01
- w4 = w0 ⊕ X3 = 2b7e1516 ⊕ 8b84eb01 = a0fafe17
- For w5, w6 and w7, only an XOR is required:
- w5 = w1 ⊕ w4 = 28aed2a6 ⊕ a0fafe17 = 88542cb1
- w6 = w2 ⊕ w5 = abf71588 ⊕ 88542cb1 = 23a33939
- w7 = w3 ⊕ w6 = 09cf4f3c ⊕ 23a33939 = 2a6c7605
Slide 84: Important Considerations: Round Key Generation Algorithm
- Knowledge of a part of the cipher key, or of fewer than Nk consecutive words of a round key, is insufficient for calculation of the key
- Round constants are used to eliminate symmetries
Slide 85: AES Key Expansion Example: calculation of the 9th round key
- Example: given that the key for the 8th round is EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
- The sub-key for the 8th round consists of w(32) to w(35); the sub-key for the 9th round consists of w(36) to w(39).
- w(36) = g(w(35)) ⊕ w(32)
- g(w(35)) = Rcon(9) ⊕ SubWord(RotWord(7F 8D 29 2F)) = (1B 00 00 00) ⊕ SubWord(8D 29 2F 7F)
- Now use the S-box: g(w(35)) = (1B 00 00 00) ⊕ (5D A5 15 D2) = 46 A5 15 D2
- w(36) = (46 A5 15 D2) ⊕ (EA D2 73 21) = AC 77 66 F3
Slide 86: AES Key Expansion Example: calculation of the 9th round key (2)
- w(37) = w(36) ⊕ w(33) = (AC 77 66 F3) ⊕ (B5 8D BA D2) = 19 FA DC 21
- w(38) = w(37) ⊕ w(34) = (19 FA DC 21) ⊕ (31 2B F5 60) = 28 D1 29 41
- w(39) = w(38) ⊕ w(35) = (28 D1 29 41) ⊕ (7F 8D 29 2F) = 57 5C 00 6E
- Key for the 9th round: AC 77 66 F3 19 FA DC 21 28 D1 29 41 57 5C 00 6E
Slide 87: AES Decryption vs Encryption
- Steps in AES decryption vs those in AES encryption:
  - The steps of the encryption and decryption processes are not identical (unlike the case for DES).
  - Moreover, within each round the steps are not in the same sequence for encryption and decryption.
- Each round of encryption: SubBytes → ShiftRows → MixColumns → AddRoundKey
- Each round of decryption: InvShiftRows → InvSubBytes → AddRoundKey → InvMixColumns
- Disadvantage: AES requires 2 separate software/firmware implementations for encryption and decryption
Slide 88: Methods for en/decrypting larger amounts of data using only the AES encryption process
- Cipher Feedback (CFB): used over a reliable network layer for stream data encryption and authentication
- Output Feedback (OFB): can be used over noisy channels for bursty traffic applications; OFB requires that sender and receiver remain in sync
- Counter Mode (CTR): for high-speed network encryption as in ATM or IPsec; good for bursty high-speed links
Slide 89: Sequence of Steps in a Round of Decryption
- An equivalent inverse cipher with the same sequence of steps as encryption (but with each step replaced by its inverse operation) requires one additional step: InvMixColumn applied to the round key before the AddRoundKey step (except for the first and the last AddRoundKey steps). This works because InvMixColumn is linear, so InvMixColumn(S ⊕ K) = InvMixColumn(S) ⊕ InvMixColumn(K).
- Reference: Cryptography and Network Security by William Stallings, Prentice Hall, 4th Ed., Figure 5.7, page 158.
Slide 90
"Some tools may get the job done, but they may not get the job done well."
- Mike Shema et al., Anti-Hacker Toolkit, p. xxiv, 3rd Ed., McGraw Hill, 2006
Slide 91: AES Implementation Aspects
- can be efficiently implemented on 8-bit CPUs:
  - byte substitution works on bytes using an S-box of 256 entries
  - shift rows is simple byte shifting
  - add round key works on byte XORs
  - mix columns requires a matrix multiplication in GF(2^8), which works on byte values and can be simplified to use a table lookup
Slide 92: MixColumn: 8-bit processor implementation
- Tmp = S0j ⊕ S1j ⊕ S2j ⊕ S3j
- On substituting the value of Tmp and replacing 03·x by 02·x ⊕ x, the following 4 equations are equivalent to the MixColumn operation of slide 55:
- S'0j = S0j ⊕ Tmp ⊕ 02·(S0j ⊕ S1j)
- S'1j = S1j ⊕ Tmp ⊕ 02·(S1j ⊕ S2j)
- S'2j = S2j ⊕ Tmp ⊕ 02·(S2j ⊕ S3j)
- S'3j = S3j ⊕ Tmp ⊕ 02·(S3j ⊕ S0j)
Slide 93: To prove S'0j = S0j ⊕ Tmp ⊕ 02·(S0j ⊕ S1j)
- From the matrix equation of slide 55, S'0j = 02·S0j ⊕ 03·S1j ⊕ S2j ⊕ S3j
- We know 03·S1j = 02·S1j ⊕ S1j
- RHS = S0j ⊕ Tmp ⊕ 02·(S0j ⊕ S1j)
      = S0j ⊕ S0j ⊕ S1j ⊕ S2j ⊕ S3j ⊕ 02·(S0j ⊕ S1j)
      = S1j ⊕ S2j ⊕ S3j ⊕ 02·S0j ⊕ 02·S1j
      = 02·S0j ⊕ 03·S1j ⊕ S2j ⊕ S3j = S'0j = LHS
Slide 94: MixColumn: 8-bit processor implementation (2)
- 02·x requires (i) a left shift if b7 = 0, or (ii) a left shift followed by an XOR with 1b_16 if b7 = 1.
- The branch on a data bit makes the running time depend on the data → a timing attack.
- SOLUTION:
  - The 4 terms (Sij ⊕ S((i+1) mod 4)j), for i = 0 to 3, can each take any of 256 byte values.
  - Let X[Y] = 02·Y, where Y is a byte variable that can have any one of the 256 possible values. X is pre-calculated and stored in a 256-byte look-up table.
  - S'0j = S0j ⊕ Tmp ⊕ X[S0j ⊕ S1j]
  - S'1j = S1j ⊕ Tmp ⊕ X[S1j ⊕ S2j]
  - S'2j = S2j ⊕ Tmp ⊕ X[S2j ⊕ S3j]
  - S'3j = S3j ⊕ Tmp ⊕ X[S3j ⊕ S0j]
- Caveat: this removes the branch, but on a processor with a data cache the lookup itself takes a data-dependent time; cache-timing attacks on table-driven AES have since been demonstrated, so a constant-time implementation either computes 02·x with a mask (shift, then XOR 1b AND (−b7)) or keeps the tables out of the cache.
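Everything from slide 75 to slide 94 put together as one added example (not code from the slides, from FIPS-197 or from Daemen and Rijmen): key expansion as on slides 77-86 but for Nk = 4, 6 and 8, the encryption round of slide 26, the straightforward inverse round of slide 28, the equivalent inverse cipher of slide 89 (InvMixColumn applied to the round keys), and MixColumn in the 8-bit form of slide 92 with the masked, branch-free 02·x of slide 94. The inverse of MixColumn here uses a standard identity that the slides do not mention (add 04·(s0 ⊕ s2) to s0 and s2 and 04·(s1 ⊕ s3) to s1 and s3, then apply MixColumn); the function names, the 16-byte column-major state layout and the search-based S-box generation are this example's own. The test vectors are the FIPS-197 Appendix B example that the slides use and the Appendix C known-answer vectors.

```python
# Added example (not from the slides): AES-128/192/256 from the pieces above.
# State and round keys are 16-byte lists in FIPS-197 column order:
# byte r + 4c is row r, column c of the 4x4 state matrix on the slides.

def xtime(b):
    """02.b with a mask instead of the data-dependent branch of slide 94
    (Python gives no constant-time guarantee; this shows the technique)."""
    return ((b << 1) ^ (0x1B & -((b >> 7) & 1))) & 0xFF

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

# S-box: multiplicative inverse (found by search) then the affine map of slide 43.
SBOX = [0] * 256
for v in range(256):
    inv = next((u for u in range(256) if gf_mul(v, u) == 1), 0)
    s = inv
    for _ in range(4):
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        s ^= inv
    SBOX[v] = s ^ 0x63
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):
    """Slides 77-86 for Nk = 4, 6, 8: returns Nr + 1 round keys of 16 bytes.
    Rcon is generated on the fly as RC(j) = 02.RC(j-1), as on slide 81."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rc = 0x01
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                      # g(): RotWord, SubWord, XOR Rcon
            t = [SBOX[x] for x in t[1:] + t[:1]]
            t[0] ^= rc
            rc = xtime(rc)
        elif nk > 6 and i % nk == 4:         # 256-bit keys: extra SubWord (FIPS-197 5.2)
            t = [SBOX[x] for x in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r rotates left by r (right when inverting), as on slide 51."""
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Slide 92: s'_r = s_r xor Tmp xor 02.(s_r xor s_(r+1)), one column at a time."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        tmp = col[0] ^ col[1] ^ col[2] ^ col[3]
        out += [col[r] ^ tmp ^ xtime(col[r] ^ col[(r + 1) % 4]) for r in range(4)]
    return out

def inv_mix_columns(s):
    """Standard identity (not on the slides): adding 04.(s0+s2) to s0, s2 and
    04.(s1+s3) to s1, s3 and then applying MixColumn equals InvMixColumn."""
    t = list(s)
    for c in range(0, 16, 4):
        u = xtime(xtime(t[c] ^ t[c + 2]))
        v = xtime(xtime(t[c + 1] ^ t[c + 3]))
        t[c] ^= u; t[c + 2] ^= u; t[c + 1] ^= v; t[c + 3] ^= v
    return mix_columns(t)

def encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(block, rk[0])
    for r in range(1, len(rk) - 1):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    return add_round_key(shift_rows(sub_bytes(s)), rk[-1])   # last round: no MixColumn

def decrypt_block(key, block):
    """Slide 28 order: InvShiftRow, InvByteSub, AddRoundKey, InvMixColumn."""
    rk = expand_key(key)
    s = add_round_key(block, rk[-1])
    for r in range(len(rk) - 2, 0, -1):
        s = inv_mix_columns(add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), rk[r]))
    return add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), rk[0])

def decrypt_block_equiv(key, block):
    """Slide 89: encryption's step order, with InvMixColumn applied to round keys 1..Nr-1."""
    rk = expand_key(key)
    s = add_round_key(block, rk[-1])
    for r in range(len(rk) - 2, 0, -1):
        s = inv_mix_columns(shift_rows(sub_bytes(s, INV_SBOX), True))
        s = add_round_key(s, inv_mix_columns(rk[r]))
    return add_round_key(shift_rows(sub_bytes(s, INV_SBOX), True), rk[0])

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")        # slide 33
    ct = encrypt_block(key, bytes.fromhex("3243f6a8885a308d313198a2e0370734"))
    print(bytes(ct).hex())   # 3925841d02dc09fbdc118597196a0b32 (FIPS-197 App. B)
```

`expand_key(key)[1]` is the w4..w7 of slide 83 and `expand_key(key)[9]` the 9th round key of slide 86; both `decrypt_block` and `decrypt_block_equiv` return the plaintext of slide 33, which is the point of slide 89: the equivalent inverse cipher lets one code path serve both directions, at the cost of an InvMixColumn on each stored round key. This is a teaching implementation: it is not constant-time and must not be used to protect real data.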
Slide 95: Implementation Aspects
- can be efficiently implemented on 32-bit CPUs:
  - redefine the steps to use 32-bit words
  - pre-compute 4 tables (see Stallings, pages 159-160)
  - each table has 256 entries: input a byte, output 32 bits (1 KB of storage)
  - then each column in each round can be computed using 4 table lookups and 4 XORs
  - at a cost of 4 KB to store the tables
- Joan Daemen and Vincent Rijmen believe this very efficient implementation was a key factor in its selection as the AES cipher
Slide 96: Each Round of Rijndael on Modern Processors
[Figure: output column b_j computed from the state a(i,j) through four tables T1..T4 and the round key column k_j]
- For output column b_j use a(0,j), a(1,j+1), a(2,j+2) and a(3,j+3), column indices mod 4, i.e. the bytes that ShiftRow brings into column j:
  - b_j = T1[a(0,j)] ⊕ T2[a(1,j+1)] ⊕ T3[a(2,j+2)] ⊕ T4[a(3,j+3)] ⊕ k_j
- just 4 table lookups and 4 XORs per column and per round
- storage: 4 tables of 256 entries of 32 bits each; each table takes a byte as input and outputs 32 bits
Slide 97: Implementation Aspects (2)
- Most efficient on Itanium (64-bit machine)
- Highest performer on devices with limited processing power and limited memory: twice as fast as the nearest rival among the 5 finalists (MARS, RC6, RIJNDAEL, SERPENT, TWOFISH)
- Most efficient in feedback modes; second best in CBC/ECB modes
98 Implementation Aspects (3)
- Throughput decreases by 20% and 40% when the key size is increased from 128 to 192 and 256 bits respectively (12 and 14 rounds instead of 10)
- If implemented in hardware in ECB (Electronic Code Book, where each 128-bit block is encrypted and sent independently) mode, its speed is matched only by SERPENT
- Safety margin: 7 for the 10-round case
- (Safety margin: the number of rounds above which efficient attacks on the algorithm cannot be mounted and key-space exhaustion becomes the only way to crack it.)
99 Timing and Power Attacks
Some facts
- Writing 1s consumes more power than writing 0s.
- Table look-ups in S-boxes, shifts, rotations, NOT, OR, AND, XOR: each takes a fixed number of cycles, so they are not vulnerable to timing attacks.
- Caveat: a table look-up is constant-time only if the memory access is. On a processor with a data cache the look-up index (a secret-dependent byte) can leak through cache timing, which is why constant-time implementations use bit-sliced or masked S-boxes rather than tables.
- To avoid power attacks, software balancing is required.
100 Characteristics of Rijndael
- Symmetrical, parallel structure
- Gives implementers a lot of flexibility
- No effective cryptanalytic attack is known
- Well adapted to modern processors
  - Pentium
  - RISC and parallel processors
- Suited for smart cards
- Flexible in dedicated hardware
- Designed to resist known attacks
101 Misgivings about AES
- AES (and Serpent) encryption can be written as a system of linear and quadratic equations over a finite field.
- Mathematicians are trying to develop methods to solve such systems (the XL, FXL and XSL methods). If they succeed, the encryption method will fail.
- Because of birthday-style and meet-in-the-middle generic attacks, a key size of 256 bits is argued to be required for 128 bits of security. But AES is slower with a 256-bit key. (Serpent runs at the same speed for all key sizes; Twofish is slower.)
102 Relative Performance
- Fastest to slowest:
  - RC4 (stream cipher)
  - Blowfish, CAST-128, AES
  - Skipjack
  - DES, IDEA, RC2
  - 3DES, GOST
- Typical speeds
  - RC4: tens of MB/second
  - 3DES: MB/second
- Recommendations: for performance, use Blowfish; for job security, use 3DES
103 Advanced Encryption Standard Algorithm (Rijndael)
References
- http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- For historical information: http://csrc.nist.gov/CryptoToolkit/aes/
- http://www.esat.kuleuven.ac.be/rijmen/rijndael/
104 Stream Cipher
- A stream cipher encrypts data unit by unit, where a unit is a fixed number of bits (if the unit is a bit, it encrypts bit by bit; if the unit is a byte, it encrypts byte by byte).
- Simpler and faster than a block cipher, but its security depends critically on never reusing a keystream.
- Two modes of stream cipher
- Synchronous stream cipher: the keystream depends only on the key (and any IV), not on the plaintext or ciphertext. Sender and receiver generate the same keystream from the shared key and must stay in step; a lost ciphertext unit desynchronizes them.
- Self-synchronizing stream cipher: the key stream generator (KSG) derives each keystream unit from the original key and the preceding cipher output, so the receiver resynchronizes by itself after a fixed number of correctly received ciphertext units.
105 Key Stream Generator (KSG)
[Figure: Key → Pseudorandom Byte Generator → Stream of bytes]
- The stream of bytes cannot be determined if the key is not known.
- The stream is deterministic: the same key always produces the same stream.
- The stream repeats after a long chain of bits (the generator has a finite period).
106 Self-Synchronizing Stream Cipher
[Figure: Key and previous Ciphertext → KSG → Stream of bytes, XORed with the plaintext]
- In a stream cipher a keystream must never be reused: encrypting two messages under the same key (and IV) lets an attacker XOR the two ciphertexts, cancelling the keystream and leaving the XOR of the two plaintexts.
107 Example of a Stream Cipher
- RC4, a byte-by-byte encryption algorithm, used in
  - SSL (Secure Sockets Layer)
  - WEP (Wired Equivalent Privacy)
- Developed in 1987 by Ron Rivest for RSA
- Sept 1994: the RC4 algorithm was anonymously posted to the Cypherpunks mailing list
108 RC4 Key and the Temporary Vector
- Key: 1 to 256 octets
- First byte of key K[0], second byte of key K[1], ...
- Number of bytes of key: kbytes
- A 256-byte temporary vector T[0] to T[255]
- If kbytes = 256: for i = 0 to 255, T[i] = K[i]
- If kbytes < 256: for i = 0 to 255, T[i] = K[i mod kbytes]
109 RC4 The State Vector
- A 256-byte state vector S[0] to S[255]
- INITIALIZATION: for i = 0 to 255, S[i] = i
- Initial PERMUTATION of S: j = 0
- For i = 0 to 255,
  - j = (j + S[i] + T[i]) mod 256
  - swap(S[i], S[j])
- After the initial permutation, the key is not used again.
110 Stream Encryption
- m-th byte of plaintext: P[m]
- i = j = 0; m = 0
- while (true)
  - i = (i + 1) mod 256
  - j = (j + S[i]) mod 256
  - swap(S[i], S[j])
  - t = (S[i] + S[j]) mod 256
  - k = S[t]
  - C[m] = P[m] ⊕ k
  - m = m + 1
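RC4 as laid out on slides 108-110 (temporary vector T, state vector S, initial permutation, then the byte-at-a-time keystream), as an added example that is not part of the original slides. It is checked against published RC4 test vectors (key "Key" / plaintext "Plaintext" → ciphertext bbf316e8d940af0ad3, and the keystream eb9f7781b734ca72a719), and adds two checks the surrounding slides call for: keystream reuse leaking M1 ⊕ M2 (slide 106) and the bias of the second keystream byte towards zero, one of the statistical weaknesses that bear on slide 111's "RC4 is secure" (Mantin and Shamir, 2001). Function names are this example's own; the keys used in the bias measurement are constructed from a counter.

```python
# Added example, not part of the original slides: RC4 KSA and PRGA
# as on slides 108-110, with test vectors and two weakness demonstrations.
import hashlib

def rc4_ksa(key):
    """Key scheduling: T[i] = K[i mod kbytes], S[i] = i, then the
    key-driven permutation of S (slides 108-109)."""
    kbytes = len(key)
    if not 1 <= kbytes <= 256:
        raise ValueError("RC4 key must be 1 to 256 octets")
    T = [key[i % kbytes] for i in range(256)]
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S                                   # the key is not used again

def rc4_keystream(S):
    """PRGA (slide 110): yields one keystream byte k per step, updating S."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def rc4_keystream_bytes(key, n):
    """First n keystream bytes for a key (for comparing with test vectors)."""
    ks = rc4_keystream(rc4_ksa(key))
    return bytes(next(ks) for _ in range(n))

def rc4_crypt(key, data):
    """Encryption and decryption are the same operation: C[m] = P[m] XOR k."""
    ks = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)

def keystream_reuse_leak(key, m1, m2):
    """Two messages under one key: C1 XOR C2 = M1 XOR M2, keystream cancelled."""
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))

def second_byte_zero_rate(n_keys=8192):
    """Fraction of keys whose second keystream byte is 0. Keys are constructed
    deterministically here (first 16 bytes of SHA-256 of a counter). A uniform
    keystream would give about 1/256 = 0.0039; RC4 gives about 1/128."""
    zeros = 0
    for n in range(n_keys):
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]
        if rc4_keystream_bytes(key, 2)[1] == 0:
            zeros += 1
    return zeros / n_keys

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())       # bbf316e8d940af0ad3
    print(keystream_reuse_leak(b"Key", b"Plaintext", b"Plainmeal").hex())
    print(second_byte_zero_rate())
```

Decryption is the same call as encryption, since XOR with the same keystream undoes itself; that is also exactly why the keystream must never be reused. The bias measurement only needs the second output byte of each key, so it is a cheap way to see that the keystream is distinguishable from random even with a 128-bit key.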
111 Strength of RC4
- For decryption, XOR k with the next byte of ciphertext.
- With a key length of 128 bits or more, RC4 was considered secure when these slides were written. It no longer is, regardless of key length: its keystream has measurable statistical biases (for example, the second output byte is 0 with probability about 1/128 rather than 1/256), and RFC 7465 (2015) prohibits RC4 cipher suites in TLS.
- The WEP break comes from the protocol's key construction (a public, per-packet IV prepended to the fixed secret key) combined with a weakness in RC4's key scheduling: for certain IVs the first keystream bytes leak bytes of the secret key. The keystream generator itself was not broken by this attack.
- Reference: Fluhrer, S., Mantin, I. and Shamir, A., "Weaknesses in the Key Scheduling Algorithm of RC4", Proceedings of Selected Areas in Cryptography (SAC) 2001.
112 Symmetric Key Ciphers
- Symmetric key ciphers are efficient and secure
- Problem: how to share a key securely between the sender and the receiver?
- If 100 persons want to send messages securely to one another, one key per pair is needed: 100 × 99 / 2 = 4950 different keys (Reference: Niels Ferguson and Bruce Schneier, Practical Cryptography, Wiley, 2003)