The AES block cipher

Niels Ferguson


What is it?

  • Block cipher: encrypts fixed-size blocks.

  • Design by two Belgians.

  • Chosen from 15 entries in a competition.

  • US government standard.

  • Also known as Rijndael.


Bias warning

  • I’m one of the designers of the Twofish block cipher.

  • Twofish was one of the other AES submissions.

  • AES (then called Rijndael) won.

  • I’ve spent several months trying to break AES.


Block cipher

[Diagram labels: Plaintext (128 bits), Key (128-256 bits), AES, Ciphertext (128 bits)]


Multiple rounds

[Diagram labels: Plaintext, Key schedule, Key, Ciphertext]


AES multiple rounds

  • 10-14 simple rounds.

  • Each round is a weak block cipher.

  • Rounds are (almost) identical.

  • Simple key schedule.


AES single round

  • Add key

  • S-box

  • Shift row

  • Mix column


128-bit values

  • Represented as 4 by 4 matrix of 8-bit bytes.


Add key operation

[Diagram label: key]

Xor of corresponding bytes


S-box

  • 8-bit lookup table

  • 16 lookups in parallel

[Diagram labels: S, S]


Shift row

  • Reordering of the bytes within each row.

  • Rotate rows by 0-3 byte positions.


Mix column

  • Interpret each column as a vector of length 4.

  • Multiply by 44 matrix over GF(28).

  • Matrix is an MDS matrix.


Single round

[Diagram labels: Round key, S]


Last round

[Diagram labels: Round key, S, Round key]


S-box

  • Inversion in GF(2^8)

  • Bitwise linear transformation

  • Xor with a constant


MDS matrix

  • Maximum Distance Separable.

  • Byte-Hamming weight of input + output is at least 5.
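
The S-box construction and the Mix column / MDS matrix slides above, worked through as an added example that is not part of the original presentation: it builds the S-box from its three steps and measures the byte-Hamming weight bound for columns with a chosen number of nonzero bytes. The matrix entries, the reduction polynomial 0x11B, the rotation form of the linear map and the constant 0x63 come from FIPS-197, not from the slides; all function names are illustrative.

```python
from itertools import combinations, product

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ginv(a):
    """Inverse in GF(2^8) computed as a^254; 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def sbox(x):
    """Inversion, bitwise linear transformation, then xor with 0x63."""
    b = ginv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

# MixColumn matrix from FIPS-197 (the slides do not list its entries).
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MUL = {c: [gmul(c, v) for v in range(256)] for c in (1, 2, 3)}

def mix_column(col):
    """Multiply one 4-byte column by the MDS matrix over GF(2^8)."""
    return [MUL[r[0]][col[0]] ^ MUL[r[1]][col[1]] ^
            MUL[r[2]][col[2]] ^ MUL[r[3]][col[3]] for r in MDS]

def min_weight(active):
    """Smallest (nonzero input bytes + nonzero output bytes) over every
    column that has exactly `active` nonzero bytes."""
    best = 8
    for pos in combinations(range(4), active):
        for vals in product(range(1, 256), repeat=active):
            col = [0, 0, 0, 0]
            for p, v in zip(pos, vals):
                col[p] = v
            best = min(best, active + sum(1 for b in mix_column(col) if b))
    return best

if __name__ == "__main__":
    print(hex(sbox(0x53)), mix_column([0xDB, 0x13, 0x53, 0x45]), min_weight(1))
```

`min_weight(2)` enumerates about 390,000 columns and takes a few seconds in CPython; `min_weight(3)` and `min_weight(4)` are exhaustive searches best left to a compiled language.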


Decryption

  • Every operation is invertible.

  • Order of operations can be the same as for encryption.


Changing the order

[Diagram labels: S, S, Round key, Round key]


Decryption differences

  • Inverse S-box.

  • Inverse of MDS matrix.

  • Modified round keys, or modified operation order.

  • Requires extra hardware.


Key schedule (128 bits)

[Diagram labels: r, S]


Key schedule (256 bits)

[Diagram labels: S, r, S]


Key schedule

  • Cannot directly generate round keys in reverse order.

  • Decryption must either store all round keys, or pre-compute the ‘final’ state and work backwards from that.

  • Requires extra time from getting key to start of first decryption.


Speed

  • About 16 clock cycles/byte on modern 32-bit CPUs.

  • That’s 200 MByte/s on a 3.2 GHz P4!


Uses

  • Almost never used as-is: most messages are not exactly 128 bits long.

  • Used with a block cipher mode to encrypt and/or authenticate messages.


Security properties

  • For any given key, a block cipher is a permutation (must be able to decrypt).

  • Should behave like a random permutation: no detectable structure.

  • Different keys result in “independent random permutations.”


Best known attacks

  • No known attacks on full AES.

  • Best attack on 79 rounds (out of 1014 rounds).

  • Clean design leaves algebraic structures: no attacks, but some worries.

