Loading...

PPT – There is no security on this earth, there is only opportunity PowerPoint presentation | free to download - id: 9170a-MGI1Y

The Adobe Flash plugin is needed to view this content

- There is no security on this earth, there is only

opportunity - - General Douglas MacArthur

Origins

- A replacement for DES was needed
- worked out theoretical attacks, that may break

it - demonstrated exhaustive key search attacks
- 1999 NIST issued FIPS PUB 43 DES for legacy

systems only Triple DES prescribed for new

systems - can use Triple-DES up to 2030 but slow

particularly in software implementations-with

small blocks - Jan 2, 1997 NIST begins work on the new

standard. - Sept 12, 1997 formal call for AES proposals

AES Requirements issued by

NIST in 1997

- private key, symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- stronger faster than Triple-DES
- active life of 20-30 years ( archival use)
- provide full specification design details
- both C Java implementations

History of Development of AES

- June 1998 21 proposals
- Aug 20, 1998 shortlisted to 15 proposals

CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI

197, MAGENTA, MARS, RC6, RIJNDAEL, SAFER,

SERPENT, TWOFISH - March 22, 23, 1999 AES2 Second AES Candidate

Conference, Rome - Aug 1999 five candidates MARS, RC6, RIJNDAEL,

SERPENT, TWOFISH equally secure issues of

efficiency, speed and less resource hunger were

to be studied.

AES Shortlist

- shortlist in Aug-99
- MARS (IBM) - complex, fast, high security margin
- RC6 (USA) - v. simple, v. fast, low security

margin - Rijndael (Belgium) - clean, fast, good security

margin --academic - Serpent (Euro) slow (1/3rd the speed of AES),

clean, highest security margin out of the 5

finalists --academic - Twofish (USA) complex, Feistel, DES-like

structure v. fast (as fast as AES), high

security margin key dependent S-boxes Uses

whitening at both the start and the end of the

cipger process, add key-material to data - then subject to further analysis comment

AES Evaluation Criteria

- initial criteria
- security effort to practically cryptanalyse
- cost computational
- algorithm implementation characteristics
- (Used to reduce the field from 21 proposals to

15. - Thereafter 5 candidates were shortlisted out of

the 15, - by using the same criterion. )

final criteria for selecting Rijndael out of the

five

- 1.general security
- 2. software hardware implementation ease
- 3. implementation attacks
- 4. flexibility (in en/decrypt, other factors)
- 5. restricted memory requirement (for use in

smart devices) - 6. Key Agility ability to change keys fast, with

a minimum of resources.

AES

- October 2, 2000 RIJNDAEL selected as AES
- Unclassified, publicly disclosed encryption

algorithm - Available royalty-free world-wide
- Symmetric-key block cipher

Selection of AES

- saw contrast between algorithms
- with few complex rounds versus many simple rounds

- which refined existing ciphers versus new

proposals - which could be implemented efficiently both in

software only and through special purpose ICs - AES issued as FIPS PUB 197 standard in Nov-2001
- AES initially developed as Rijndael Cipher by
- Joan Daemen and Vincent Rijmen

Rijndael Cipher

- an iterative rather than Feistel-type cipher
- operates on an entire block of data in every

round (and not on half the block, as in Feistel

type ciphers) - designed to be
- resistant against known attacks
- speed and code compactness on many CPUs
- design simplicity
- Plaintext Data written in the form of a matrix
- Input Key also written in the form of a matrix

Key

- Key and data bytes arranged in rectangular arrays

Variable Key size 16,24 or 32 bytes Ki,j

represents a byte in the ith row and jth

column. Nk Number of column vectors of the key

(4-byte vectors)

Block of data

Variable Block size 16,24 or 32 bytes ai,j

represents a byte in the ith row and jth

column. Nb Number of column vectors (4-byte

vectors)

State

- The plaintext block of data is represented as a

matrix. Each cell of the matrix is a byte. - The en/de-cryption process is a multi-step

process. - The matrix is manipulated at each step to yield a

new matrix as the output of the step. - At each stage, the matrix of data, whether it is

the input to the stage or it is the output of the

stage, is called a STATE. - The final output of the multi-step encryption

process yields the ciphertext.

Rijndael Cipher Each stage in the

en/de-cryption process

A matrix of output, also called a STATE (The

output state would be naturally different from

the input state.)

A stage in the en/de-cryption process

- A matrix of input,
- called a
- STATE

Given A key K KEY EXPANSION process One key is

expanded into multiple sub-keys of the same

size ROUND a collection of steps, which are

sequentially performed on a state, to produce a

new state.

Rijandael encryption (and decryption) process

Number of Rounds (Nr)

- 10/12/14 times applying (nearly) the same round

function. - Nr 6 Max (Nk, Nb)
- Nb 4 Nb 6 Nb 8
- Nk 4 10 12 14
- Nk 6 12 12 14
- Nk 8 14 14 14

Rijndael Cipher

- Rijndael Cipher Three-step Process of encryption

- initial XOR of the 128-bit block of plaintext

with the sub-key 1 - has 9/11/13 rounds. Each round consists of
- byte substitution (The same S-box used on every

byte, unlike DES, where 8 different S-boxes are

used.) - shift rows(permute bytes between columns)
- mix columns (subs using matrix multiply of

groups) - add round key (XOR state with separate sub-keys

for each round) - Incomplete last (i.e. 10/12/14th) round (without

mix columns operation)

Example Key Expansion for a 128 bit key and

128 bit block

- If Nb be fixed at 4, the number of rounds
- Nr 1 10 or 12 or 14,

- depending upon the

value of Nk. - No of keys required Nr 1.
- Example Given A key of 128 bits. ? Nk 4
- Key first rewritten into four components of 4

bytes each, called w(0) to w(3) Each w is of 32

bits.. - Then the Key is expanded from 4 to 44 components

of 32 bits each, called w(i), i 0 to 43 - For the jth round, the sub-key consists of w(4j)

to w(4j3). - Total number of key bits N(Nr 1), where N

block size in bits

Rijandael Cipher continued

- The Rijndael cipher has a variable block length

and key length. - currently keys with a length of 128, 192, or

256 bits to encrypt blocks with a length of 128,

192 or 256 bits (all nine combinations of key

length and block length are possible). Both block

length and key length can be extended very easily

by multiples of 32 bits. - Rijndael can be implemented efficiently on a wide

range of processors and in hardware. - all operations can be combined into XOR and table

lookups - hence very fast efficient

Rijandael Cipher continued

- for 128 bit block processes data as 4 groups of

4 bytes each. - Each group is shown as a column in a matrix of

four columns. - Each column has 4 rows.
- Each cell of the 4x4 matrix contains one byte.

- The output in every round creates a new state of

128 bits or of 4 columns of 4bytes each. - The ciphertext is the final output generated by

the cipher system.

Example of selection processCryptographic Hash

Algorithm (SHA-3)

- 2005 Prof. Xiaoyun Wang a differential attack

on SHA-1 can find a hash collision (two messages

with the same hash value) on the SHA-1 hash with

an estimated work of 263 operations - the ideal 280 operations should be required for

any good 160-bit hash function. - Recommendation Use SHA-2 family of hash

functions (SHA-224, SHA-256, SHA-384 and SHA-512) - A competition by NIST Entries received by

October 31, 2008 July 2009 Second Round

candidates selected (Reference

http//csrc.nist.gov/ as of Oct 5, 2009)

The AES Cipher

- A FIPS approved cryptographic algorithm that can

be used to protect electronic data. - AES uses 128 bit block only.
- Key may be of 128, 192 or 256 bits.
- Nk may be 4/6/8.
- Nr Number of rounds 6 Nk
- Reference Federal Information Processing

Standards (FIPS) Publication 197

http//csrc.nist.gov/publications/fips/fips197/fip

s-197.pdf as of Oct 5, 2009 - Reference Federal Information Processing

Standards (FIPS) Publication 197

http//csrc.nist.gov/publications/fips/fips197/fip

s-197.pdf as of Oct 5, 2009

- This authority (National Protection and Programs

Directorate) will assist us in recruiting the

best people in the world to come work for us over

the next few years as cyber analysts, developers

and engineers. So look out were coming. - -- Janet Napolitano,

Homeland Security Secretary - in "DHS could hire 1000

more cyber security professionals", -

FederalComputerWeek, October 1, 2009 - http//fcw.com/Articles/2009/10

/01/Web-DHS-hiring-cybersecurity-officials.aspx

as of 7th Oct 2009

AES vs Rijandael

- AES uses 128 bit block only. (Nb 4 only.)
- Rijandael can use a block of 128/ 192/ 256 bits.

(Nb may be 4/6/8.) - Both AES and Rijandael may use cryptographic keys

of 128, 192 or 256 bits. (Nk may be 4/6/8.) - AES may have 10, 12 or 14 rounds depending upon

Nk of 4, 6 or 8 respectively.

Steps of a Round Function

- Round function composed of 4 steps (except for

the incomplete without MixColumn-- last round) - Each step has its own particular function
- ByteSub non-linearity
- ShiftRow inter-column diffusion
- Mix Column inter-byte diffusion within columns
- Round key addition
- Figure on the next slide shows both encryption

and decryption processes STATE at

corresponding levels for encryption and

decryption is the same.

AES Cipher continued

Pseudo Code for Encryption for the earlier

rounds, and, for the last round

- Round(State, RoundKey)
- Bytesub(State)
- ShiftRow(State)
- MixColumn(State)
- AddRoundKey(State, Roundkey)
- For the last round, it is a little different
- Round(State, RoundKey)
- Bytesub(State)
- ShiftRow(State)
- AddRoundKey(State, Roundkey)

Three Steps of Decryption

- initial XOR of the ciphertext with the sub-key
- has 9/11/13 rounds in which state undergoes
- InvShift rows(permute bytes between columns)
- InvByte substitution (The same Inverse S-box used

on every byte) - add round key (XOR state with separate sub-keys

for each round) - InvMix columns (subs using matrix multiply of

groups) - Incomplete last (i.e. 10/12/14th) round (without

InvMix columns operation)

Pseudo Code for Decryption for the earlier

rounds, and, for the last round

- Round(State, RoundKey)
- InvShiftRow(State)
- InvByteSub(State)
- AddRoundKey(State, Roundkey)
- InvMixColumn(State)
- For the last round, it is a little different
- Round(State, RoundKey)
- InvShiftRow(State)
- InvBytesub(State)
- AddRoundKey(State, Roundkey)

Sequence of Operations in a Round (SoOiaR)

of Encryption vs. SoOiaR of Decryption

- Let Si be the input state for round i and
- let Si 1 be the output

state. - Encryption
- Let w(4i, 4i 3) be the RoundKey for the ith

round. - Si 1 AddRoundKey(MixColumn(ShiftRow(Bytesub(Si

)))) - In the last round, the MixColumn operation is not

included. - Decryption
- Let w(4(10-i), 4(10-i)3) be the RoundKey for

the ith round. - Si 1 InvMixColumn(AddRoundKey

(InvBytesub(InvShiftRow (Si)))) - In the last round, the InvMixColumn operation is

not included. - Method of aligning the two sequences After a

study of the 4 operations.

AES Cipher continued

AES sources of security

- AES Begins and ends with AddRoundKey ? These

steps do not provide much of a security to AES. - ByteSub, ShiftRow and MixColumn
- No use of key ? invertible by any one
- but provide non-linearity, diffusion and

confusion - Jointly the two above provide security.

The process of Encryption

Add Round Key

- XOR state with 128-bits of the round key
- again processed by column (though effectively a

series of byte operations) - inverse for decryption is identical since XOR is

own inverse, just with correct round key

ExampleReference http//csrc.nist.gov/publicatio

ns/fips/fips197/ fips-197.pdf, page 33

- Input M 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37

07 34 - Cipher Key K 2b 7e 15 16 28 ae d2 a6 ab f7 15

88 09 cf 4f 3c - 0th Round (The First Stage) M ? K M0
- 32 88 31 e0 2b 28 ab 09 19 a0 9a

e9 - 43 5a 31 37 ? 7e ae f7 cf 3d f4 c6

f8 - f6 30 98 07 15 d2 15 4f e3 e2 8d

48 - a8 8d a2 34 16 a6 88 3c be 2b 2a

08 - Each stage generates a new STATE. Thus from M

(the input state), this stage generates a new

state M0.

First Step in a Round of Encryption

ByteSub

a i,j

S - box

- Bytes are transformed by applying invertible

S-box - One single S-box for the complete cipher
- High non-linearity

b i,j

Byte Substitution

- a simple substitution of each byte
- uses one S-box of 16x16 bytes containing a

permutation of all 256 8-bit values - each byte of state is replaced by a byte
- from row (left 4-bits) column (right

4-bits) - eg. byte 95 is replaced by a byte from the 9th

row and 5th col of the S-box. - (The value in the 9th row and 5th col 2A)
- S-box is constructed using a defined

transformation of the values in GF(28) - designed to be resistant to all known attacks

S-Box

Reference http//csrc.nist.gov/publications/fips/

fips197/fips-197.pdf, page 16

as of October 12, 2009

Design Criteria for the S-box

- Low correlation between input and output bits
- Output cannot be a simple mathematical function

of the input. - No fixed point of S-box input and output for

S-box cannot be the same. - No opposite fixed point of S-box input and

output cannot be bit-wise complement of each

other.

Construction of 16 X16 S-box

- Each cell of the s-box contains one byte.
- Rows and columns are numbered from 0 to F.
- Step 1 Initialization put in each box the value

equal to its position row column - Ex. in row 0, column 2, the value would be 0216

or 0000 00102 - Step 2 Replace the value in each cell by its

multiplicative inverse by GF(28) mod (x8 x4

x3 x 1). Use extended Euclids algorithm

given in the Mathematical Background.

- Now
- Please Refer to the Mathematical background.

Multiplicative inverse Extended

Euclidm(x), b(x) Algorithm

- (A1, A2, A3)? (1, 0, m)
- (B1, B2, B3)? (0, 1, b)
- If B3 0,
- return A3 gcd(m, b)no inverse exists.
- If B3 1
- return B2 as the multiplicative inverse of B.
- (i.e. b(x).B2 1 mod m(x) )
- Q ?A3/B3?
- (T1, T2, T3)? (A1 - Q B1, A2 - Q B2, A3 - QB3)
- (A1, A2, A3)? (B1, B2, B3)
- (B1, B2, B3)? (T1, T2, T3)
- Go to 2

Construction of 16 X16 S-box multiplicative

inverse mod (x8x4x3x1)

- ExIn row 0, column 2,
- the value 0216 ( corresponding to a(x) x )is

- replaced by its multiplicative inverse (which

- is shown below to be 8D16 .)
- To find c(x) so that
- a(x).c(x) 1 mod (x8 x4 x3 x 1).
- A1 A2 A3 B1 B2 B3 Q
- 1 0 x8x4x3x1 0 1 x -
- 0 1 x 1 x7x3x21 1

x7x3x21 - c(x) x7x3x21 1000 11012 8D16
- Step3 Use the matrix transformation, of next

slide, to transform 8D16 (,called vector x, to a

new vector y).

Example Row 0 and column 2 .. Contd.

- c(x) x7x3x21 8D16
- a7x7a6x6a1xa0
- a0 1
- x a1 0
- . 1
- 1
- 0
- . 0
- a6 0
- a7 1

S-Box construction

Example. continued

- M1 1 0 0 0 1 1 1 1 m2 1
- 1 1 0 0 0 1 1 1

1 - 1 1 1 0 0 0 1 1

0 - 1 1 1 1 0 0 0 1

0 - 1 1 1 1 1 0 0 0

0 - 0 1 1 1 1 1 0 0

1 - 0 0 1 1 1 1 1 0

1 - 0 0 0 1 1 1 1 1

0 - y M1 x m2

Construction of 16 X16 S-box

Example. continued

- Step3 (continued)

1

1

0

1

1

1

0

1

1

0

1

0

1

0

1

M1

Y2

1

0

0

0

0

0

0

1

0

1

0

1

0

1

1

0

1

0

1

1

1

0

0

0

0

NOTE The transformed value is 7716. The Inverse

S-box, provides the value 02 in the 7th row and

7th column.

AES uses two substitution boxes S-box for

encryption and Inverse S-box for decryption

The next slide again shows the S-box.

S-Box

Reference http//csrc.nist.gov/publications/fips/

fips197/fips-197.pdf, page 16

Example of Byte Sub Reference

http//csrc.nist.gov/publications/fips/fips197/

fips-197.pdf, page 33

- Use M0 of slide 33 as the input data for this

example. - M0 BYTE SUB ? M11
- 19 a0 9a e9 d4 e0 b8

1e - 3d f4 c6 f8 ? 27 bf b4

41 - e3 e2 8d 48 11 98 5d

52 - be 2b 2a 08 ae f1 e5

30

- Inverse Byte Substitution

2a

95

S-Box

2a

95

Inv S-Box

95

ad

Inv S-Box

S-Box is NOT self-inverse. ? For the same input,

the S-Box and the Inv S-Box will NOT have the

same output.

Inverse S-Box

x

y

Reference http//csrc.nist.gov/publications/fips/

fips197/fips-197.pdf,

page 22

Construction of Inverse Substitution Box

- M3 0 0 1 0 0 1 0 1 m4 1
- 1 0 0 1 0 0 1 0

0 - 0 1 0 0 1 0 0 1

1 - 1 0 1 0 0 1 0 0

0 - 0 1 0 1 0 0 1 0

0 - 0 0 1 0 1 0 0 1

0 - 1 0 0 1 0 1 0 0

0 - 0 1 0 0 1 0 1 0

0 - x M3 y m4

Justification

- x M3 y m4
- Using slide 38
- x M3 (M1 x m2 ) m4
- M3 .M1 x M3. m2 m4
- We find
- M3 .M1 unity matrix
- M3. m2 m4 0

Second Step in a Round of Encryption

ShiftRows

- a circular byte shift to the left in each row
- 1st row is unchanged
- 2nd row does 1 byte circular shift to left
- 3rd row does 2 byte circular shift to left
- 4th row does 3 byte circular shift to left
- In this step, the 4 bytes of each column are

distributed over 4 different columns. - During decryption, the shifts are circular shifts

to the right. - This step provides permutation of the data.

ShiftRow

- Rows are shifted over 4 different offsets
- High diffusion over multiple rounds
- Interaction with Mix Column

Shift offsets Original Rijandael spec

- The first row no shift
- The second row circular shift by C1
- The third row circular shift by C2
- The fourth row circular shift by C3
- Nb 4 C1 1, C2 2, C3 3
- Nb 6 C1 1, C2 2, C3 3
- Nb 8 C1 1, C2 3, C3 4
- AES has Nb4 only.

Example of ShiftRowReference

http//csrc.nist.gov/publications/fips/fips197/

fips-197.pdf, page 33

- Use M11 of slide 46 as the input data for this

example. - M11 ShiftRow ? M12
- d4 e0 b8 1e d4 e0 b8 1e
- 27 bf b4 41 ? bf b4 41 27

- 11 98 5d 52 5d 52 11

98 - ae f1 e5 30 30 ae f1

e5

Third Step in a Round of Encryption

MixColumn

2 3 1 1 1 2 3 1 1 1 2

3 3 1 1 2

a 0,j

a 1,j

a 2,j

a 3,j

- Bytes in columns are linearly combined
- High intra-column diffusion
- Based on theory of error-correcting codes

b 0,j

b 1,j

b 2,j

b 3,j

Mix Columns

- each column is processed separately
- each byte is replaced by a value dependent on all

4 bytes in the column - effectively a matrix multiplication, where each

byte is treated as a polynomial in GF(28) using

prime poly m(x) x8x4x3x1 - Input state S Output state S

ExampleMix Column Evaluation of S00

Reference Mathematical background

- Use M12 of slide 54 as the input data for this

example. - S00(02. S00) ? (03.S10) ? (01.S20) ? (01.S30)
- values in first column S00d4, S10bf, S205d,

S3030 - 01.30 30 0011 0000
- 01.5d 5d 0101 1101
- 03.bf da 1101 1010
- 03.bf can be represented by (x 1). a (x) mod m

(x) - (x 1).(x7x5x4x3x2x1) mod (x8x4 x3 x

1) - x.(x7x5x4x3x2x1) mod (x8x4 x3 x 1)
- 02.bf shift left and XOR with 1b
- 0111 1110 ? 0001 1011 0110

0101 - 01.bf bf 1011 1111
- 03.bf 02.bf ? 01.bf 1101 1010

ExampleMix Column Evaluation of S00

.2

- 02.d4 b3 1011 0011
- x.(x7x6x4 x2) mod (x8x4 x3 x 1)
- x.(x7x6x4 x2) requires
- 10101000 ? 0001 1011 10110011
- 0011 0000 ? 0101 1101 ? 1101 1010 ? 10110011
- S00 0000 0100 04

ExampleMix Column Evaluation of S10

Reference Mathematical background

- S10(01. S00) ? (02.S10) ? (03.S20) ? (01.S30)
- S00 d4, S10 bf, S20 5d, S30 30
- 01.d4 d4
- 02.bf 65 by shifting bf once to the left and

xor-ing with 1b - Shift 1011 111 to left ? 0111 1110
- 0111 1110 ? 0001 1011 0110 01012 6516
- 03.5d 5d ? 02.5d by splitting 03 into 01 and 02
- 5d ? ba by shifting 5d once to

the left - 5d160101

11012 SL?1011 10102 ba16 - e7 0101 11012 ? 1011

10102 1110 01112 - 01.30 30
- S10 d4 ? 65 ? e7 ? 30 66

Example Mix Column

- Use M12 of slide 54 as the input data for this

example. - Previous 3 slides show the calculation of s00

and s10. Similarly the whole of the state S can

be calculated. - M12 MixColumn ? M13
- d4 e0 b8 1e 04 e0 48 28
- bf b4 41 27 ? 66 cb f8 06
- 5d 52 11 98 81 19 d3 26
- 30 ae f1 e5 e5 9a 7a 4c

Inverse Mix Column

MC

MC-1

Hence using MC-1 would be more difficult, since

it would require multiplication with more complex

polynomials.

Selection of values in MixColumn

- Selected for good mixing based on a linear code,

with maximum distance between code words - Small values 01, 02 and 03 lead to faster

implementation ? require only shift and XOR - Leads to more difficult decryption CFB (Cipher

Feedback) and OFB (Output Feedback) require

encryption process for decryption.

Cipher FeedBack (CFB)

Output FeedBack (OFB)

Inverse Mix Column transformation

- If s be the input matrix and s be the output

matrix, - 0E 0B 0D 09
- 09 0E 0B 0D
- 0D 09 0E 0B
- 0B 0D 09 0E
- 0E 0B 0D 09 02 03 01 01 01 00 00 00
- 09 0E 0B 0D 01 02 03 01 00 01 00 00
- 0D 09 0E 0B 01 01 02 03 00 00 01 00
- 0B 0D 09 0E 03 01 01 02 00 00 00 01

S

S

The above process is the inverse of the forward

process, of slide 51, because -

Inverse Mix Column transformation cont

- Proof the output element in row 1 and column 1
- A11 0E . 02 ? OB . 01 ? 0D . 01 ? 09 . 03
- 0E . 02 1C by shifting 0E to the left
- 09 . 03 09 ? 09 . 02 by splitting 03 into 01

and 02 - 09 ? 12 by shifting 09 to the left
- 1B
- A11 1C ? 0B ? 0D ? 1B
- 01

Mix Column transformation Comments

- Mix Column during encryption uses values of 01,

02 and 03. these are implemented by shift or by

shift XOR. - Inverse Mix Column for decryption is more

complex. - However it was possible to make only one of the

two processes simple. It was decided to make

encryption process simpler than decryption

because encryption is more important - AES may be used for authentication where only

encryption may be used. - CFB, OFB and CTP modes do not require decryption

process (refer DES part 2 slides 11 -23)

Example (using the example of slide

60) Inverse MixColumn

- M13 InvMixColumn ? M12
- 0e 0b 0d 09 04 e0 48 28
- 09 0e 0b 0d 66 cb f8 06
- 0d 09 0e 0b . 81 19 d3 26
- 0b od 09 0e e5 9a 7a 4c
- S00 0e.04 ? 0b.66 ? 0d.81 ? 09.e5
- (In the next three 3 slides, we shall show the

calculation of S00)

Example Inverse MixColumn.. 2

- 0e.04 (0000 1110).(0000 0100)
- Can be visualized as
- (x3 x2 x). b(x) mod (x8x4x3x1)
- x. b(x) 0000 1000
- x2. b(x) 0001 0000
- x3. b(x) 0010 0000
- 0e.04 0011 1000

- 0b.66 b(x) 0110 0110
- 1. b(x) 0110 0110 x. b(x) 1100 1100
- x2.b(x)1001 1000?0001 10111000 0011
- x3.b(x)0000 0110?0001 10110001 1101
- 0b.66 0110 0110?1100 1100?0001 1101 1011 0111
- 0d.81 b(x) 1000 0001
- x. b(x)0000 0010?0001 10110001 1001
- x2.b(x)0011 0010 x3.b(x) 0110 0100
- 0d.811000 0001?0011 0010?0110 0100
- 1101 0111

Example Inverse MixColumn .. 4

- 09.e5 b(x)1110 0101
- x.b(x)1100 1010?0001 10111101 0001
- x2.b(x)1010 0010?0001 10111011 1001
- x3.b(x)0111 0010?0001 10110110 1001
- 09.e5 0110 1001?1110 0101 1000 1100
- S11 0e.04 ? 0b.66 ? 0d.81 ? 09.e5
- 0011 1000?1011 0111?1101 0111?1000 1100
- 1101 0100 ? d4

Example (using the example of slide

56) Inverse Mix Column .. 5

- Proceeding in a similar manner, we shall find

that, - M13 InvMixColumn ? M12
- 04 e0 48 28 d4 e0 b8 1e
- 66 cb f8 06 --IMC? bf b4 41 27
- 81 19 d3 26 5d 52 11 98
- e5 9a 7a 4c 30 ae f1 e5

Fourth Step in a Round of Encryption

AddRoundKey

- Makes the round function dependent upon key
- Computation of round keys keep it simple
- Small number of operations
- Small amount of memory

AES Round State of 16 bytes 16 bytes of Key

called ri (Ref Stallings Fig 5-3)

Key Expansion for 128 bit key and 128 bit block

slide 12

- A key of 128 bits or of Nk 4 first rewritten

into four components of 4 bytes each, called w(0)

to w(3). Then it is expanded from 4 to 44

components of 32 bits each, called w(i), i 0 to

43 - w(4j) to w(4j3)
- For the jth round of encryption, the sub-key

consists of w(4j) to w(4j3). - (For decryption, this would be the key for the

(10-j)th round.)

AES Cipher continued

AES Key Expansion

- takes 128-bit (16-byte) key and expands into

array of 44/52/60 32-bit words - start by copying key into first 4 32-bit words,

called w(0) to w(3). - then use a loop, in which,
- each new 4-byte word depends on values in
- the immediately previous word
- the word, which is 4 places back.
- in 3 of 4 cases just XOR these together
- (For w(i) where i ? 0 mod 4)

AES Key Expansion continued

K4

K0

K12

K8

K5

K1

K13

K9

K6

K2

K14

K10

K7

K3

K15

K11

O

w1

w0

w3

w2

g

? ? ? ?

w5

w4

w7

w6

AES Key Expansion continued

- every 4th case (For w(i), where i is a multiple

of 4.) - The immediately preceding word goes through a

process described by a function g. - Three steps of g
- RotWord one byte circular left shift of the

previous word - SubWord substitute each of the 4 bytes using the

S-box - XOR with a 32-bit round constant called Rcon(j)

where j is the round number

Example Key Expansion

Calculation of w4

- Cipher Key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88

09 cf 4f 3c - w0 2b7e1516 w1 28aed2a6
- w2 abf71588 w3 09cf4f3c
- Calculation of w4 RotWord and SubWord
- X1 RotWord (w3) cf4f3c09
- By using the S-box
- cf4f3c09 -- S-box ? 8a84eb01 X2
- Example continued

after two slides

AES Key Expansion Rcon(j) Reference for

Key expansion Problemhttp//csrc.nist.gov/

publications/fips/fips197/fips-97.pdf Page 28

- Calculation of w(i) for every 4th case (For

w(i), where i - is a multiple of 4.)

continued from previous slide - The first byte of Rcon(j) is called RC(j). The

second, third and the fourth bytes of Rcon(j) are

0. - RC(1) 1
- RC(j) 2.RC(j 1) for j2 to 10. The

multiplication is defined over the field GF(28),

with m(x) x8x4x3x - Thus RC(2) 2,RC(8) 128
- rc9(x) x8 mod m(x) x4x3x1 ? RC(9) 1B
- RC(10) 0011 0110 3616 x5x4x2x
- obtained by shifting RC(9) to

the left

AES Key Expansion

Rcon(j) Formulae

- Key expansion formulae for i 0 to 43
- w (i) w (i-1) ? w (i 4) if i is not a

multiple of 4 - w (i) g w (i-1) ? w (i-4) if i is a multiple

of 4 - g w (i-1)R con j ? Subword (Rotword

(w(i-1))) - where j Round number
- J 1 2 3 4 5 6 7

8 9 10 - RCj 01 02 04 08 10 20 40 80

1B 36

R con j RCj 00 00 00 given in HEX

Example Key Expansion continued from slide 75

Calculation of w4, w5, w6 and w7 ...2

- Rcon(1) 01 00 00 00
- X3 8a84eb01 ? 01000000 8b84eb01
- w4 w0 ? X3
- 2b7e1516 ? 8b84eb01 a0fafe17
- For w5, w6 and w7, only XOR is reqd
- w5 w1 ? w4 28aed2a6 ? a0fafe17 88 54 2c b1
- w6 w2?w5 abf71588?88542cb123 a3 39 39
- w7w3 ?w6 09cf4f3c?23a339392a 6c 76 05

Important Considerations Round Key Generation

Algorithm

- Knowledge of a part of the cipher key or less

than Nk consecutive parts of a round key

Insufficient for calculation of the key - Use of round constants to eliminate symmetries

AES Key Expansion Example

Calculation of the 9th round key

- Example given the key for 8th round is
- EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D

29 2F - The Sub-key for the 8th round consists of w(32)

to w(35). The - Sub-key for the 9th round consists of w(36) to

w(39). - w(36) g w(35) ? w(32)
- gw(35) (1B00 0000) ? subword (rotword(7F 8D

29 2F)) - (1B00 0000) ? subword (8D 29 2F 7F)
- Now use S-Box
- gw(35) (1B00 0000) ? (5D A5 15 D2)
- 46 A5 15 D2
- w(36) (46 A5 15 D2) ? (EA D2 73 21)
- AC 77 66 F3

AES Key Expansion Example

Calculation of the 9th round key 2

- w(37) w(36) ? w(33)
- (AC 77 66 F3) ? (B5 8D BA D2)
- 19 FA DC 21
- w(38) w(37) ? w(34)
- (19 FA DC 21) ? (31 2B F5 60)
- 28 D1 29 41
- w(39) w(38) ? w(35)
- (28 D1 29 41) ? ( 7F 8D 29 2F)
- 57 5C 00 6E
- Key for the 9th round
- AC 77 66 F3 19 FA DC 21 28 D1 29 41 57

5C 00 6E

AES Decryption vs Encryption

- Steps in AES decryption vs those in AES

encryption - The steps for encryption and decryption

processes are not identical (unlike the case for

DES). - Moreover in each round, the steps are not in a

similar sequence for encryption and decryption. - Each Round of Encryption
- SubBytes ? ShiftRows ? MixColumns ? AddRoundkey
- Each Round of Decryption
- InvShiftRows ? InvSubBytes ? AddRoundkey ?

InvMixColumns - Disadvantage AES requires 2 separate

software/firmware systems for encryption and

decryption

Methods for en/de-crypting larger amount of data,

by using only the AES Encryption process

- Cipher Feedback (CFB) used over a reliable

network layer for stream data encryption,

authentication - Output Feedback (OFB) Can be used over noisy

channels for bursty traffic aplications OFB

requires that sender and receiver must remain in

sync - Counter Mode (CTR) for high-speed network

encryptions as in ATM or IPSec good for bursty

high speed links

Sequence of Steps in a Round of Decryption

- An equivalent inverse cipher with the same

sequence ( but of inverse operation) of steps, as

for encryption requires an additional step of

InverseMixColumn on the Round Key, before the

step of AddRoundKey ( except for the first and

the last steps of AddRoundKey) - Reference Cryptography Network Security by

William Stalling, Prentice Hall, 4th Ed ,Figure

5.7, page 158.

- Some tools may get the job done,
- but they may not get the job

done well - - Mike Shema et al,

Anti-Hacker Toolkit, - pp xxiv, 3rd Ed,

McGraw Hill, 2006

AES Implementation Aspects

- can be efficiently implemented on 8-bit CPUs
- byte substitution works on bytes using a S-box of

256 entries - shift rows is simple byte shifting
- add round key works on byte XORs
- mix columns requires matrix multiply in GF(28)

which works on byte values, can be simplified to

use a table lookup

MixColumn 8-bit processor Implementation

- Tmp Soj ? S1j ? S2j ? S3j
- On putting the value of TMP and on replacing
- 03.x 02.x ? x, the following 4

equations are equivalent to the above MixColumn

operation. - Soj Soj ? Tmp ? 2.(Soj ? S1j )
- S1j S1j ? Tmp ? 2.(S1j ? S2j )
- S2j S2j ? Tmp ? 2.(S2j ? S3j )
- S3j S3j ? Tmp ? 2.(S3j ? S0j )

To ProveSoj Soj ? Tmp ? 2.(Soj ? S1j )

- From the matrix equation in the previous slide,
- Soj 02. Soj ? 03. S1j ? S2j ? S3j
- We know 03. S1j 02. S1j ? S1j
- RHS Soj ? Tmp ? 2.(Soj ? S1j )
- Soj ? Soj ? S1j ? S2j ? S3j ? 2.(Soj ? S1j )
- S1j ? S2j ? S3j ? 2.(Soj) ? 2. (S1j )
- 2.(Soj) ? 03. S1j ? S2j ? S3j Soj LHS

MixColumn 8-bit processor Implementation2

- 02.x requires (i) A left-shift if b7 0 OR

(ii) A left-shift followed by XOR with 1b16 if b7

1. - ? a timing attack.
- SOLUTION
- The 4 terms (Sij ? S((i1)mod4)j) for i 0 to

3 can yield 256 different types of byte values. - Let X 02.Y where Y is a byte variable and

can have any one of the 256 possible values. X is

pre-calculated and stored in a 256-byte look-up

table. - Soj Soj ? Tmp ? XSoj ? S1j
- S1j S1j ? Tmp ? XS1j ? S2j
- S2j S2j ? Tmp ? XS2j ? S3j
- S3j S3j ? Tmp ? XS3j ? S0j

Implementation Aspects

- can be efficiently implemented on 32-bit CPUs
- redefine steps to use 32-bit words
- can pre-compute 4 tables (Pl see page 159-160.)
- Each 16x16 table Input of a byte Output of

32 bits (1 KB of storage) - then each column in each round can be computed

using 4 table lookups 4 XORs - at a cost of 4 KB to store tables
- Joan Daemen and Vincent Rijmen believe This

very efficient implementation a key factor in

its selection as the AES cipher

Each Round of Rijndael

on Modern ProcessorsFor bj use a(0,j),

a(1,j-1), a(2,j-2) and a(3,j-3)

T1

T2

T3

T4

just (4 table-lookups and 4 XORS) per column and

per round Storage of 4 tables of 256 entries of

32 bits each. Each table Input of a byte Output

of 32 bits

Implementation Aspects .2

- Most efficient on Itanium (64 bit machine)
- Highest performer on limited processing power and

limited memory devices twice as fast as the

nearest rival from the 5 finalists (MARS, RC6,

RIJNDAEL, SERPENT, TWOFISH) - Most efficient in feedback modes second best in

CBC/ECB MODES

Implementation Aspects ...2

- Throughput decreases by 20 and 40 on increase

of key size from 128 to 192 and 256 respectively - If implemented in hardware in ECB (Electronic

Code Book, where each block of 128 bits is sent

separately after encryption) mode, speed matched

only by SERPENT - Safety Margin 7 for 10 round case
- (Safety Margin number of rounds, above which

efficient attacks on the algorithm cannot be

mounted and key-space exhaustion becomes the

only way to crack it.)

Timing and Power Attacks

Some Facts

- writing 1s consumes more power than for writing

0s. - Table lookups in S-boxes, shifts, rotations, NOT,

OR, AND, XOR - Not vulnerable to timing attacks
- To avoid power attacks software balancing is

required

Characteristics of Rijndael

- symmetrical parallel structure
- Gives implementers a lot of flexibility
- has not allowed effective cryptanalytic attacks
- Well adapted to modern processors
- Pentium
- RISC and parallel processors
- Suited for Smart cards
- Flexible in dedicated hardware
- designed to resist known attacks

Misgivings about AES

- AES (and Serpent) encryption can be written as a

group of linear and quadratic equations in a

finite field. - Mathematicians are trying to develop methods

to solve such equations. (XSL, XL and FXL

methods). If they succeed, the Encryption method

will fail. - Due to Birthday and man-in-the-middle attack, for

128 bit security, a key size of 256 bits is

required. But AES is slower for 256 bit key.

(Serpent has the same speed for all key sizes.

Twofish is slower.)

Relative Performance

- Fast
- RC4 (Stream Cipher)
- Blowfish, CAST-128, AES
- Skipjack
- DES, IDEA, RC2
- 3DES, GOST
- Typical speeds
- RC4 Tens of MB/second
- 3DES MB/second
- Recommendations For performance, use Blowfish

For job security, use 3DES

Advanced Encryption Standard Algorithm (Rijndael)

References

- http//csrc.nist.gov/publications/fips/fips197/fip

s-197.pdf - For historical information http//csrc.nist.gov/C

ryptoToolkit/aes/ - http//www.esat.kuleuven.ac.be/rijmen/rijndael/

Stream Cipher

- Streaming Cipher encrypts data unit by unit,

where a unit is of certain number of bits

(Example If the unit be a bit, a stream cipher

encrypts data unit by unit. Or if the unit be a

byte, it encrypts byte by byte) - simpler and faster than block cipher but less

secure - Two Modes of Stream Cipher
- Synchronous Stream Cipher Sender uses a key to

encrypt. Receiver uses the same key to decrypt. - Self-Synchronizing Stream Cipher The key stream

generator (KSG) generates a key, which depends

upon the original key and the cipher output.

Key Stream Generator (KSG)

Pseudorandom Byte Generator

Key

Stream of bytes

The stream of bytes cannot be determined, if the

Key is not known. The stream is

deterministic. The stream repeats after a long

chain of bits.

Self-Synchronizing Stream Cipher

- Plaintext ?

Stream of bytes

Ciphertext

In a stream Cipher, a key must not be repeated.

Example of a Stream Cipher

- RC4 A byte by byte encryption algorithm, used in

- SSL (Secure socket Layer)
- WEP (Wired Equivalent Privacy)
- Developed in 1987 by Ron Rivest for RSA
- Sept 1994 RC4 algorithm anonymously posted on

Cypherpunks anonymous remailers list

RC4 Key and the Temporary Vector

- Key 1 to 256 octets
- First byte of Key K0 Second byte of key K1

- No of bytes of key kbytes
- A 256 byte Temporary vector T0 to T255
- If kbytes 256, for i 0 to 255, Ti Ki
- If kbytes lt 256, for i0 to 255,
- Ti Ki mod kbytes

RC4 The State Vector

- A 256 byte State vector S0 to S255
- INITIALIZATION For i 0 to 255, Si i
- Initial PERMUTATION of S j 0
- For i 0 to 255,
- j (j Si Ti)

mod 256 - Swap (Si and Sj).
- After initial permutation, the key is not used.

Stream Encryption

- mth byte of Plaintext Pm
- i j 0 m 0
- while (true)
- i (i 1) mod 256
- j (j Si) mod 256
- swap (Si, Sj)
- t (Si Sj) mod 256
- k St
- Cm Pm ? k
- m m 1

Strength of RC4

- For decryption, xor k with the next byte of

ciphertext. - For a key length of 128 bits or more, RC4 is

secure. - The weakness in WEP due to the weakness of the

protocol for key generation ( not due to weakness

in RC4). - Reference Fluhrer, S. Mantin, I. and Shamir,

A. Weakness in the Key Scheduling Algorithm of

RC4, Proceedings, Workshop in Selected Areas of

Cryptography, 2001

Symmetric Key Ciphers

- Symmetric key ciphers efficient, secure
- Problem How to share a key securely between the

sender and the receiver? - If 100 persons want to send message securely to

one another ? 4950 different keys are required

(Reference Niels Ferguson and Bruce Schneier ,

Practical Cryptography, Wiley 2003)