The AES block cipher




Niels Ferguson

What is it?
  • Block cipher: encrypts fixed-size blocks.
  • Design by two Belgians.
  • Chosen from 15 entries in a competition.
  • US government standard.
  • Also known as Rijndael.
Bias warning
  • I’m one of the designers of the Twofish block cipher.
  • Twofish was one of the other AES submissions.
  • AES (then called Rijndael) won.
  • I’ve spent several months trying to break AES.
Block cipher

[Diagram: AES block with inputs Plaintext (128 bits) and Key (128-256 bits), and output Ciphertext (128 bits)]

Multiple rounds

[Diagram labels: Plaintext, Key, Key schedule, Ciphertext]

AES multiple rounds
  • 10-14 simple rounds.
  • Each round is a weak block cipher.
  • Rounds are (almost) identical.
  • Simple key schedule.
AES single round
  • Add key
  • S-box
  • Shift row
  • Mix column
128-bit values
  • Represented as 4 by 4 matrix of 8-bit bytes.
Add key operation

[Diagram labels: key; Xor of corresponding bytes]

S-box
  • 8-bit lookup table
  • 16 lookups in parallel


Shift row
  • Reordering of the bytes within each row.
  • Rotate rows by 0-3 byte positions.
Mix column
  • Interpret each column as a vector of length 4.
  • Multiply by 44 matrix over GF(28).
  • Matrix is an MDS matrix.
Single round

[Diagram labels: Round key, S]

Last round

[Diagram labels: Round key, S, Round key]

S-box
  • Inversion in GF(2^8)
  • Bitwise linear transformation
  • Xor with a constant
MDS matrix
  • Maximum Distance Separable.
  • Byte-Hamming weight of input + output is at least 5.
Decryption
  • Every operation is invertible.
  • Order of operations can be the same as for encryption.
Changing the order

[Diagram labels: S, S, Round key, Round key]

Decryption differences
  • Inverse S-box.
  • Inverse of MDS matrix.
  • Modified round keys, or modified operation order.
  • Requires extra hardware.
Key schedule
  • Cannot directly generate round keys in reverse order.
  • Decryption must either store all round keys, or pre-compute the ‘final’ state and work backwards from that.
  • Requires extra time from getting key to start of first decryption.
Speed
  • About 16 clock cycles/byte on modern 32-bit CPUs.
  • That’s 200 MByte/s on a 3.2 GHz P4!
Uses
  • Almost never used as-is: most messages are not exactly 128 bits long.
  • Used with a block cipher mode to encrypt and/or authenticate messages.
Security properties
  • For any given key, a block cipher is a permutation (must be able to decrypt).
  • Should behave like a random permutation: no detectable structure.
  • Different keys result in “independent random permutations.”
Best known attacks
  • No known attacks on full AES.
  • Best attack on 79 rounds (out of 1014 rounds).
  • Clean design leaves algebraic structures: no attacks, but some worries.