
The AES block cipher


Presentation Transcript


  1. The AES block cipher Niels Ferguson

  2. What is it? • Block cipher: encrypts fixed-size blocks. • Design by two Belgians. • Chosen from 15 entries in a competition. • US government standard. • Also known as Rijndael.

  3. Bias warning • I’m one of the designers of the Twofish block cipher. • Twofish was one of the other AES submissions. • AES (then called Rijndael) won. • I’ve spent several months trying to break AES.

  4. Block cipher [diagram: Plaintext (128 bits) and Key (128-256 bits) enter AES; Ciphertext (128 bits) comes out]

  5. Multiple rounds [diagram: Key feeds the Key schedule; Plaintext passes through the rounds to Ciphertext]

  6. AES multiple rounds • 10-14 simple rounds. • Each round is a weak block cipher. • Rounds are (almost) identical. • Simple key schedule.

  7. AES single round • Add key • S-box • Shift row • Mix column

  8. 128-bit values • Represented as 4 by 4 matrix of 8-bit bytes.

  9. Add key operation [diagram: state xor key] • Xor of corresponding bytes.

  10. S-box • 8-bit lookup table • 16 lookups in parallel [diagram: S-box S applied to each byte]

  11. Shift row • Reordering of the bytes within each row. • Rotate rows by 0-3 byte positions.

  12. Mix column • Interpret each column as a vector of length 4. • Multiply by a 4×4 matrix over GF(2^8). • Matrix is an MDS matrix.

  13. Single round [diagram: Round key ⊕, S]

  14. Last round [diagram: Round key ⊕, S, Round key ⊕]

  15. S-box • Inversion in GF(2^8) • Bitwise linear transformation • Xor with a constant

  16. MDS matrix • Maximum Distance Separable. • Byte-Hamming weight of input + output is at least 5.
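Added worked example (not code from the slides): slide 15's S-box construction (inversion in GF(2^8), bitwise linear map, xor with 0x63) and slide 12's Mix column as multiplication by the 4×4 MDS matrix, plus a check of slide 16's weight property. The matrix entries, field polynomial and the exact bit pattern of the linear map are the published AES values, not stated on the slides.

```python
# Added example (not from the slides): AES S-box of slide 15 built from
# GF(2^8) inversion, a bitwise linear map and a constant, and the
# MixColumn step of slide 12 as a 4x4 MDS matrix multiplication over GF(2^8).
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field modulus
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # MixColumn matrix

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0 by convention."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def sbox(x: int) -> int:
    """Slide 15: invert, then out[i] = b[i]^b[i+4]^b[i+5]^b[i+6]^b[i+7] (mod 8), then xor 0x63."""
    y = gf_inv(x)
    bit = lambda i: (y >> (i % 8)) & 1
    out = 0
    for i in range(8):
        out |= (bit(i) ^ bit(i + 4) ^ bit(i + 5) ^ bit(i + 6) ^ bit(i + 7)) << i
    return out ^ 0x63

def mix_column(col: list) -> list:
    """Slide 12: treat the column as a length-4 vector and multiply by MDS."""
    return [gf_mul(r[0], col[0]) ^ gf_mul(r[1], col[1])
            ^ gf_mul(r[2], col[2]) ^ gf_mul(r[3], col[3]) for r in MDS]

def mds_property_holds(col: list) -> bool:
    """Slide 16: non-zero bytes in input plus output is at least 5 (non-zero input)."""
    weight = lambda v: sum(1 for b in v if b)
    return weight(col) + weight(mix_column(col)) >= 5

if __name__ == "__main__":
    print(hex(sbox(0x53)), [hex(b) for b in mix_column([0xdb, 0x13, 0x53, 0x45])])
```

The bijectivity of `sbox` over all 256 inputs is what makes the inverse S-box of slide 19 exist; the weight check run over every single-byte column confirms the branch number the MDS slide states.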

  17. Decryption • Every operation is invertible. • Order of operations can be the same as for encryption.

  18. Changing the order [diagram: S, S, Round key ⊕, Round key ⊕]

  19. Decryption differences • Inverse S-box. • Inverse of MDS matrix. • Modified round keys, or modified operation order. • Requires extra hardware.

  20. Key schedule (128 bits) [diagram: ⊕, r, S]

  21. Key schedule (256 bits) [diagram: ⊕, S, r, S]

  22. Key schedule • Cannot directly generate round keys in reverse order. • Decryption must either store all round keys, or pre-compute the ‘final’ state and work backwards from that. • Requires extra time from getting key to start of first decryption.

  23. Speed • About 16 clock cycles/byte on modern 32-bit CPUs. • That’s 200 MByte/s on a 3.2 GHz P4!

  24. Uses • Almost never used as-is: most messages are not exactly 128 bits long. • Used with a block cipher mode to encrypt and/or authenticate messages.

  25. Security properties • For any given key, a block cipher is a permutation (must be able to decrypt). • Should behave like a random permutation: no detectable structure. • Different keys result in “independent random permutations.”

  26. Best known attacks • No known attacks on full AES. • Best attack on 7-9 rounds (out of 10-14 rounds). • Clean design leaves algebraic structures: no attacks, but some worries.
