
Cryptography



  1. Cryptography Lecture 17: Advanced Encryption Standard (AES) Piotr Faliszewski

  2. Advanced Encryption Standard finalists
     Need for a new cipher
     - DES no longer sufficient ... even with DESX and TripleDES
     - NIST’s call for algorithms in 1997
     Finalists: MARS, RC6, Rijndael, Serpent, Twofish
     Requirements for the new cipher
     - keys: 128, 192, 256 bits
     - block: 128 bits
     - easily implemented on 8-bit CPUs, 32-bit CPUs, ...

  3. AES
     Winner: Rijndael
     - Pronunciation: anything different from „region deal”
     The algorithm
     - not a Feistel system
     - works in rounds, like DES
     - firm mathematical grounds (GF(2^8) + algebra)
     Modes of operation
     - ECB – electronic codebook
     - CBC – cipher block chaining
     - CFB – cipher feedback
     - OFB – output feedback
     - CTR – counter
     Note: decryption slower than encryption

  4. Rijndael – AES
     Keys
     - 128 bit → our focus
     - 192 bit
     - 256 bit
     Algorithm outline
     - ARK
     - 9 rounds: BS → SR → MC → ARK
     - 1 round: BS → SR → ARK
     Rounds: a round consists of 4 layers
     - BS – ByteSub Transformation
     - SR – ShiftRow Transformation
     - MC – MixColumn Transformation
     - ARK – AddRoundKey
     Key schedule (derives the round keys)

  5. Rijndael – AES
     ByteSub Transform
     - nonlinear
     - resists differential and linear cryptanalysis
     - big substitution
     ShiftRow Transform
     - mixing step
     - diffusion of bits over different rounds
     MixColumn Transform
     - similar purpose as ShiftRow: moves bits around
     AddRoundKey
     - round key is XORed with the result of the previous layer

  6. The Layers: Encoding Data
     Input: 128 bits of data
     - 16 bytes, 8 bits each
     - arranged into a 4x4 matrix, filled column by column: a00, a10, a20, ..., a33
         a00 a01 a02 a03
         a10 a11 a12 a13
         a20 a21 a22 a23
         a30 a31 a32 a33
     Interpretation
     - bytes → elements of GF(2^8)
     - bytes → polynomials, modulo P(X) = X^8 + X^4 + X^3 + X + 1

  7. The Layers: ByteSub
     ByteSub Transform
     - each byte is substituted depending on its value
     - 16 x 16 S-box
     Indexing the S-box: byte = abcdefgh
     - abcd → row
     - efgh → column
     - the S-box is invertible
     Data
     - Input: 4x4 matrix
     - Output: 4x4 matrix
     Note: the transformation depends only on the value of each byte, not on its position

  8. AES S-Box (row = high nibble of the input byte, column = low nibble; entries in hex)
        |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
     ---+------------------------------------------------
     00 | 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
     10 | ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
     20 | b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
     30 | 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
     40 | 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
     50 | 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
     60 | d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
     70 | 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
     80 | cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
     90 | 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
     a0 | e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
     b0 | e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
     c0 | ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
     d0 | 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
     e0 | e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
     f0 | 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

  9. The Layers: ByteSub
     S-boxes
     - mysterious in DES
     - very clear in AES! result of a simple mathematical operation
     Motivation
     - inverse – highly nonlinear
     - matrix multiplication and the vector – to obfuscate
     Operation of the S-box, input: x
     - Step 1: y = x^-1, the inverse in GF(2^8)
     - Step 2: multiply the bit vector y = (y0, ..., y7) by a fixed 0/1 matrix and add a fixed vector, all over GF(2):
         | 1 0 0 0 1 1 1 1 |   | y0 |   | 1 |   | z0 |
         | 1 1 0 0 0 1 1 1 |   | y1 |   | 1 |   | z1 |
         | 1 1 1 0 0 0 1 1 |   | y2 |   | 0 |   | z2 |
         | 1 1 1 1 0 0 0 1 | · | y3 | + | 0 | = | z3 |
         | 1 1 1 1 1 0 0 0 |   | y4 |   | 0 |   | z4 |
         | 0 1 1 1 1 1 0 0 |   | y5 |   | 1 |   | z5 |
         | 0 0 1 1 1 1 1 0 |   | y6 |   | 1 |   | z6 |
         | 0 0 0 1 1 1 1 1 |   | y7 |   | 0 |   | z7 |

  10. The Layers: ShiftRow
     ShiftRow Transform
     - Input: 4x4 matrix
     - Output: 4x4 matrix
     Operation
     - rotate the first row cyclically by... 0
     - rotate the second row cyclically by... 1
     - rotate the third row cyclically by... 2
     - rotate the fourth row cyclically by... 3
     Comments
     - rotation to the left
     - clearly invertible

  11. The Layers: MixColumn
     MixColumn Transform
     - Input: 4x4 matrix
     - Output: 4x4 matrix
     Operation
     - multiply the input matrix (from the left) by a fixed matrix
     - all computation in GF(2^8)
     Matrix used, with a = 00000010, b = 00000001, c = 00000011:
         a c b b
         b a c b
         b b a c
         c b b a

  12. The Layers: AddRoundKey
     AddRoundKey
     - Input: 4x4 matrix
     - Key: 4x4 matrix – the round key
     - Output: 4x4 matrix
     Operation: XOR the bits of the input and the key

  13. Key Schedule
     Keys
     - Original key: 128 bits, a 4x4 matrix with columns W(0), W(1), W(2), W(3)
     - Further keys: 40 more columns
     - Round key for the i’th round: W(4i), W(4i+1), W(4i+2), W(4i+3)
     Generating the i’th column
     - i is not a multiple of 4: W(i) = W(i-4) ⊕ W(i-1)
     - i is a multiple of 4: W(i) = W(i-4) ⊕ T(W(i-1))
     - T – transformation of the key column

  14. Key Schedule
     Generating the i’th column
     - i is not a multiple of 4: W(i) = W(i-4) ⊕ W(i-1)
     - i is a multiple of 4: W(i) = W(i-4) ⊕ T(W(i-1))
     - T – transformation of the key column
     The T transformation, T(W(i-1))
     - W(i-1) = (a, b, c, d)
     - apply the S-box to b, c, d, a to get e, f, g, h
     - r(i) = 00000010^((i-4)/4), computed in GF(2^8) !!!
     - T(W(i-1)) is then (e ⊕ r(i), f, g, h)

  15. Decryption
     Decryption possible – all steps are invertible
     - IBS – inverted BS
     - ISR – inverted SR
     - IMC – inverted MC
     - ARK – inverted ARK (ARK is its own inverse) → we can just run them backwards
     Encryption:
       ARK
       BS, SR, MC, ARK
       ...
       BS, SR, MC, ARK
       BS, SR, ARK
     Decryption:
       ARK, ISR, IBS
       ARK, IMC, ISR, IBS
       ...
       ARK, IMC, ISR, IBS
       ARK

  16. Decryption
     Decryption possible – all steps are invertible
     - IBS – inverted BS
     - ISR – inverted SR
     - IMC – inverted MC
     - ARK – inverted ARK (ARK is its own inverse) → we can just run them backwards
     Note: we want decryption to resemble encryption
     Encryption:
       ARK
       BS, SR, MC, ARK
       ...
       BS, SR, MC, ARK
       BS, SR, ARK
     Decryption:
       ARK, ISR, IBS
       ARK, IMC, ISR, IBS
       ...
       ARK, IMC, ISR, IBS
       ARK

  17. Decryption
     - IBS and ISR – can be executed in any order (IBS manipulates single bytes)
     - ARK and IMC can be reversed as well, a little more involved: IMC, IARK
     Encryption:
       ARK
       BS, SR, MC, ARK
       ...
       BS, SR, MC, ARK
       BS, SR, ARK
     Decryption:
       ARK, ISR, IBS
       ARK, IMC, ISR, IBS
       ...
       ARK, IMC, ISR, IBS
       ARK

  18. Decryption
     - IBS and ISR – can be executed in any order (IBS manipulates single bytes)
     - ARK and IMC can be reversed as well, a little more involved: IMC, IARK
     Encryption:
       ARK
       BS, SR, MC, ARK
       ...
       BS, SR, MC, ARK
       BS, SR, ARK
     Decryption (after reordering):
       ARK, IBS, ISR
       IMC, IARK, IBS, ISR
       ...
       IMC, IARK, IBS, ISR
       ARK

  19. Decryption
     Encryption
     - ARK
     - 9 rounds: BS → SR → MC → ARK
     - 1 round: BS → SR → ARK
     Decryption
     - ARK
     - 9 rounds: IBS → ISR → IMC → IARK
     - 1 round: IBS → ISR → ARK
     - keys used in reverse order
     Encryption:
       ARK
       BS, SR, MC, ARK
       ...
       BS, SR, MC, ARK
       BS, SR, ARK
     Decryption:
       ARK, IBS, ISR
       IMC, IARK, IBS, ISR
       ...
       IMC, IARK, IBS, ISR
       ARK
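The whole cipher as described on slides 4 through 19, written out as an added example (this is not the lecture's code, nor a library implementation): GF(2^8) arithmetic modulo P(X), the S-box derived from the inverse plus the affine matrix of slide 9 rather than copied from the table, the four layers of slides 10 to 12, the key schedule of slides 13 and 14, and the decryption order of slide 19. Two details are assumptions because the slides leave them open: the S-box sends 0 to 0 (the inverse of 0 is undefined), and IARK is read as AddRoundKey with the round key first passed through IMC, which works because IMC is linear. The state is a 16-byte list filled column by column as on slide 6. The check at the bottom uses the AES-128 test vector from FIPS-197 Appendix C.1.

```python
# AES-128 from the slides' four layers, key schedule and inverse layers.
# Added example, not the lecture's code. State index = 4*column + row.

def gf_mul(x, y):
    """Multiply two bytes in GF(2^8) modulo P(X) = X^8 + X^4 + X^3 + X + 1."""
    p = 0
    for _ in range(8):
        if y & 1:
            p ^= x
        carry = x & 0x80
        x = (x << 1) & 0xFF
        if carry:
            x ^= 0x1B  # reduce: X^8 = X^4 + X^3 + X + 1
        y >>= 1
    return p

def gf_inv(x):
    """Inverse in GF(2^8) by search. 0 -> 0 is an assumption (slides leave x = 0 open)."""
    if x == 0:
        return 0
    return next(y for y in range(1, 256) if gf_mul(x, y) == 1)

def sbox_entry(x):
    """Slide 9: y = x^-1, then z = A*y + (1,1,0,0,0,1,1,0) over GF(2); bit 0 is the LSB."""
    y = gf_inv(x)
    z = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):  # row i of A has ones in columns i, i+4..i+7 (mod 8)
            bit ^= (y >> ((i + k) % 8)) & 1
        z |= bit << i
    return z ^ 0x63  # the constant vector (1,1,0,0,0,1,1,0) read LSB-first is 0x63

SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r rotates left by r positions (slide 10); the inverse rotates right."""
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[4 * c + r] = s[4 * src + r]
    return out

# Slide 11 matrix with a = 02, b = 01, c = 03, and its inverse over GF(2^8).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(s, m=MIX):
    out = [0] * 16
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(m[r][k], col[k])
            out[4 * c + r] = v
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def key_expansion(key):
    """Slides 13-14: W(i) = W(i-4) xor W(i-1), or xor T(W(i-1)) when 4 divides i."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1  # r(4) = 00000010^0; multiplied by 00000010 in GF(2^8) for each later T
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            a, b, c, d = t
            t = [SBOX[b] ^ rcon, SBOX[c], SBOX[d], SBOX[a]]  # (e xor r(i), f, g, h)
            rcon = gf_mul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * i:4 * i + 4], []) for i in range(11)]  # round keys 0..10

def encrypt_block(pt, key):
    rk = key_expansion(key)
    s = add_round_key(list(pt), rk[0])
    for rnd in range(1, 10):  # 9 rounds: BS -> SR -> MC -> ARK
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[rnd])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))  # last round: no MC

def decrypt_block(ct, key):
    """Slide 19: ARK, 9 x (IBS -> ISR -> IMC -> IARK), IBS -> ISR -> ARK, keys reversed."""
    rk = key_expansion(key)
    s = add_round_key(list(ct), rk[10])
    for rnd in range(9, 0, -1):
        s = shift_rows(sub_bytes(s, INV_SBOX), inverse=True)
        # IARK (assumed reading): IMC is linear, so IMC(x xor k) = IMC(x) xor IMC(k)
        s = add_round_key(mix_columns(s, INV_MIX), mix_columns(rk[rnd], INV_MIX))
    s = shift_rows(sub_bytes(s, INV_SBOX), inverse=True)
    return bytes(add_round_key(s, rk[0]))

if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # FIPS-197 C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(pt, key)
    print(ct.hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
    assert decrypt_block(ct, key) == pt
```

Because the S-box is computed rather than typed in, the table on slide 8 can be checked against it entry by entry (for example SBOX[0x53] must be ed, the value in row 50, column 3). The round keys stay in the same column-major layout as the state, so AddRoundKey is a plain byte-wise XOR with no reindexing.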
