Title: Advanced Encryption Standard
1. Advanced Encryption Standard
2. This Lecture
- Why AES?
- NIST Criteria for potential candidates
- The AES Cipher
- AES Functions and Inverse Functions
- AES Key Expansion
- Implementation Aspects
- AES Security and Strength
3. Why AES?
- Symmetric block cipher, published in 2001
- Intended to replace DES and 3DES
- DES is vulnerable to differential attacks
- 3DES has slow performance
4. NIST Criteria to Evaluate Potential Candidates
- Security: The effort to cryptanalyze an algorithm.
- Cost: The algorithm should be practical in a wide range of applications.
- Algorithm and Implementation Characteristics: Flexibility, simplicity, etc.
- 5 final candidates have been chosen out of 15
5. NIST Criteria cont.
- General Security
- Software Implementations
- Hardware Implementations
- Restricted-Space Environments
- Attacks on Implementations
- Encryption vs. Decryption
- Key Agility
- Potential for Instruction-Level Parallelism
- Other versatility and Flexibility
- NIST selected Rijndael as the proposed AES algorithm
6. The AES Cipher
- Block length is limited to 128 bits
- The key size can be independently specified to 128, 192 or 256 bits

Key size (words/bytes/bits)       4/16/128   6/24/192   8/32/256
Number of rounds                  10         12         14
Expanded key size (words/bytes)   44/176     52/208     60/240

7. The AES Cipher
- Key received as input array of 4 rows and Nk columns
- Nk = 4, 6, or 8, parameter which depends on key size
- Input key is expanded into an array of 44/52/60 words of 32 bits each
- 4 different words serve as a key for each round

Input key bytes (4 rows, Nk = 4 columns shown):
k0   k4   k8    k12
k1   k5   k9    k13
k2   k6   k10   k14
k3   k7   k11   k15

Expanded key words: w0 w1 w2 ... w42 w43

8. The AES Cipher
- Single 128-bit block as input
- Copied to a State array with Nb columns (Nb = 4)

Input                   State array           Output
in0  in4  in8   in12    S00  S01  S02  S03    o0  o4  o8   o12
in1  in5  in9   in13    S10  S11  S12  S13    o1  o5  o9   o13
in2  in6  in10  in14    S20  S21  S22  S23    o2  o6  o10  o14
in3  in7  in11  in15    S30  S31  S32  S33    o3  o7  o11  o15

9. The AES Cipher
- Number of rounds, Nr, depends on key size
- Each round is a repetition of functions that perform a transformation over State array
- Consists of 4 main functions: one permutation and three substitutions
- Substitute bytes, Shift rows, Mix columns, Add round key
10. The AES Cipher
- AddRoundKey(): round key is added to the State using XOR operation
- MixColumns(): takes all the columns of the State and mixes their data, independently of one another, making use of arithmetic over GF(2^8)
- ShiftRows(): processes the State by cyclically shifting the last three rows of the State by different offsets
- SubBytes(): uses S-box to perform a byte-by-byte substitution of State
11. The AES Cipher
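[Figure: AES encryption. The plaintext passes through an initial Add round key, then Rounds 1 to 9 (Substitute bytes, Shift rows, Mix columns, Add round key), then a final round (Substitute bytes, Shift rows, Add round key) that outputs the ciphertext. Expanded key words shown: w[4,7] for Round 1, w[36,39] for Round 9, w[40,43] for the final round.]
12. The AES Cipher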
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w[0, Nb-1])
    for round = 1 to Nr-1
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    end for
    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
    out = state
end
13. The AES Cipher
- Only Add round key makes use of the key
- Other three functions are used for diffusion and confusion
- Final round consists of only three stages
14. The AES Inverse Cipher
[Figure: AES decryption. The ciphertext passes through an initial Add round key, then Rounds 1 to 9 (Inv. Shift rows, Inv. Sub bytes, Add round key, Inv. Mix columns), then a final round (Inv. Shift rows, Inv. Sub bytes, Add round key) that outputs the plaintext. Expanded key words shown: w[36,39] for Round 1, w[4,7] for Round 9, w[0,3] for the final round.]
15. The AES Inverse Cipher
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
    for round = Nr-1 step -1 downto 1
        InvShiftRows(state)
        InvSubBytes(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
        InvMixColumns(state)
    end for
    InvShiftRows(state)
    InvSubBytes(state)
    AddRoundKey(state, w[0, Nb-1])
    out = state
end
16. The AES Inverse Cipher
- Decryption algorithm uses the expanded key in reverse order
- All functions are easily reversible and their inverse form is used in decryption
- Decryption algorithm is not identical to the encryption algorithm
- Again, final round consists of only three stages