
AES


Presentation Transcript


  1. AES In Depth

  2. NIST General Criteria for AES
     • A 128-bit symmetric block cipher.
     • Key lengths of 128 bits, 192 bits, and 256 bits.
     • No weak keys.
     • Efficiency, both on the Intel Pentium Pro and other software and hardware platforms.
     • Flexible design: e.g., accept additional key lengths; be implementable on a wide variety of platforms and applications; and be suitable for a stream cipher, hash function, and MAC.
     • Simple design, both to facilitate ease of analysis and ease of implementation.

  3. Origins
     • clear a replacement for DES was needed
     • Key size is too small
     • The variants are just patches
     • can use Triple-DES – but slow, has small blocks
     • US NIST issued call for ciphers in 1997
     • 15 candidates accepted in Jun 98
     • 5 were shortlisted in Aug-99

  4. AES Competition Requirements
     • private key symmetric block cipher
     • 128-bit data, 128/192/256-bit keys
     • stronger & faster than Triple-DES
     • provide full specification & design details
     • both C & Java implementations
     • NIST have released all submissions & unclassified analyses

  5. AES Evaluation Criteria
     • initial criteria:
       • security – effort for practical cryptanalysis
       • cost – in terms of computational efficiency
       • algorithm & implementation characteristics
     • final criteria
       • general security
       • ease of software & hardware implementation
       • implementation attacks
       • flexibility (in en/decrypt, keying, other factors)

  6. AES Shortlist
     • after testing and evaluation, shortlist in Aug-99:
       • MARS (IBM) - complex, fast, high security margin
       • RC6 (USA) - v. simple, v. fast, low security margin
       • Rijndael (Belgium) - clean, fast, good security margin
       • Serpent (Euro) - slow, clean, v. high security margin
       • Twofish (USA) - complex, v. fast, high security margin
     • then subject to further analysis & comment
     • saw contrast between algorithms with
       • few complex rounds versus many simple rounds
       • Refined versions of existing ciphers versus new proposals

  7. AES
     The Advanced Encryption Standard was ultimately chosen as a replacement for DES. AES is also known as the Rijndael block cipher. It was officially designated as a replacement for DES in 2001 after a 5-year process involving 15 competing algorithms. AES is designated as FIPS 197. Other algorithms that did not win that competition include such well-known algorithms as Twofish. AES can have three different key sizes: 128, 192, or 256 bits. The three different implementations of AES are referred to as AES 128, AES 192, and AES 256. All three operate on a block size of 128 bits. This algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. Unlike both DES and 3DES, AES is not based on a Feistel network.

  8. AES Continued
     • This uses a substitution-permutation matrix rather than a Feistel network
     • AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of AES with a larger block size have additional columns in the state).

  9. AES General Overview
     • 1. Key Expansion—round keys are derived from the cipher key using Rijndael's key schedule
     • 2. Initial Round
       • 1. AddRoundKey—each byte of the state is combined with the round key using bitwise xor
     • 3. Rounds
       • 1. SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.
       • 2. ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.
       • 3. MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.
       • 4. AddRoundKey
     • 4. Final Round (no MixColumns)
       • 1. SubBytes
       • 2. ShiftRows
       • 3. AddRoundKey

  10. AES specifics
     • In the SubBytes step, each byte in the matrix is substituted for another byte using an 8-bit substitution box, called the Rijndael S-box
     • The ShiftRows step operates by shifting the bytes in each row by a certain amount. The first row is left unchanged. The second row is shifted one to the left. The third row by two, etc.
     • In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. This takes four bytes as input and outputs four bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.

  11. AES specifics
     • In the AddRoundKey step, the subkey is XORed with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state.
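The diffusion that slide 10 attributes to ShiftRows and MixColumns can be measured directly. The Python below is an added example, not part of the original presentation: it applies only those two steps to a constructed 16-byte state and counts how many bytes change when one input bit is flipped. All function names are this example's own.

```python
# Added example: the linear layer of AES on a column-major 16-byte state.

def xtime(b):
    """Multiply a byte by x (that is, by 2) in GF(2^8) mod x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def shift_rows(state):
    """Rotate row r left by r positions; state[4*c + r] holds row r, column c."""
    return bytes(state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4))

def mix_column(col):
    """Multiply one column by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    a0, a1, a2, a3 = col
    mul3 = lambda v: xtime(v) ^ v
    return bytes([
        xtime(a0) ^ mul3(a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ mul3(a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ mul3(a3),
        mul3(a0) ^ a1 ^ a2 ^ xtime(a3),
    ])

def mix_columns(state):
    return b"".join(mix_column(state[4 * c:4 * c + 4]) for c in range(4))

def diffusion_rounds(state, rounds):
    """Apply ShiftRows then MixColumns 'rounds' times (no SubBytes, no round key)."""
    for _ in range(rounds):
        state = mix_columns(shift_rows(state))
    return state

def changed_bytes(rounds):
    """Flip one bit of byte 0 and count how many output bytes differ."""
    a = bytes(range(16))                 # constructed sample state
    b = bytes([a[0] ^ 0x01]) + a[1:]     # same state with one bit flipped
    ya, yb = diffusion_rounds(a, rounds), diffusion_rounds(b, rounds)
    return sum(x != y for x, y in zip(ya, yb))

if __name__ == "__main__":
    for r in (0, 1, 2):
        print(r, "round(s):", changed_bytes(r), "of 16 bytes differ")
```

After one pass the single-byte difference fills one column (4 bytes), and after two passes it reaches all 16 bytes of the state.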

  12. Rijndael S Boxes
     • The S-box is generated by determining the multiplicative inverse for a given number in GF(2^8) = GF(2)[x]/(x^8 + x^4 + x^3 + x + 1), Rijndael's finite field (zero, which has no inverse, is set to zero). The multiplicative inverse is then transformed using the following affine transformation:
     • The matrix math continues until the S Box is produced. There are alternate implementations including the inverse box.

  13. Rijndael key schedule: The Steps
     • Rotate: The rotate operation takes a 32-bit word (in hexadecimal) and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low eight bits of the result.
     • Rcon: Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified value. Note that this operation is not performed with regular integers, but in Rijndael's finite field. In polynomial form, 2 is 2 = 00000010 = 0 x^7 + 0 x^6 + 0 x^5 + 0 x^4 + 0 x^3 + 0 x^2 + 1 x + 0 = x.
     • For example, rcon(1) = 1, rcon(2) = 2, rcon(3) = 4, and rcon(9) is the hexadecimal number 0x1b (27 in decimal).
     • Key schedule inner loop
       • The input is a 32-bit word and an iteration number i. The output is a 32-bit word.
       • Copy the input over to the output.
       • Use the above described rotate operation to rotate the output eight bits to the left
       • Apply Rijndael's S-box on all four individual bytes in the output word
       • On just the first (leftmost) byte of the output word, exclusive OR the byte with 2 to the power of (i-1). In other words, perform the rcon operation with i as the input, and exclusive OR the rcon output with the first byte of the output word

  14. Rijndael key schedule: Some constants
     • Since the key schedule for 128-bit, 192-bit, and 256-bit encryption are very similar, with only some constants changed, the following keysize constants are defined here:
       • n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys
       • b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys (with 128-bit blocks as in AES, it is correspondingly larger for variants of Rijndael with larger block sizes).

  15. Rijndael key schedule: The actual key schedule
     • The first n bytes of the expanded key are simply the encryption key.
     • The rcon iteration value i is set to 1
     • Until we have b bytes of expanded key, we do the following to generate n more bytes of expanded key:
       • We do the following to create 4 bytes of expanded key:
         • We create a 4-byte temporary variable, t
         • We assign the value of the previous four bytes in the expanded key to t
         • We perform the key schedule core (see above) on t, with i as the rcon iteration value
         • We increment i by 1
         • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
       • We then do the following three times to create the next twelve bytes of expanded key:
         • We assign the value of the previous 4 bytes in the expanded key to t
         • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
       • If we are processing a 256-bit key, we do the following to generate the next 4 bytes of expanded key:
         • We assign the value of the previous 4 bytes in the expanded key to t
         • We run each of the 4 bytes in t through Rijndael's S-box
         • We exclusive-OR t with the 4-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
       • If we are processing a 128-bit key, we do not perform the following steps. If we are processing a 192-bit key, we run the following steps twice. If we are processing a 256-bit key, we run the following steps three times:
         • We assign the value of the previous 4 bytes in the expanded key to t
         • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
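Slides 12 through 15 can be followed end to end in code. The Python below is an added example, not code from the presentation: it builds the S-box from the field inverse and the affine transformation as defined in FIPS 197 (the matrix itself is missing from this transcript), then expands a key using the steps of slide 15. The names n, b, t and i follow the slides; the function names are this example's own.

```python
# Added example: S-box generation (slide 12) and key expansion (slides 13-15).
def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return p

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def make_sbox():                        # inverse (0 stays 0), then affine step
    box = []
    for v in range(256):
        inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)
        box.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return box

SBOX = make_sbox()

def rcon(i):                            # 2^(i-1) in Rijndael's finite field
    r = 1
    for _ in range(i - 1):
        r = gmul(r, 2)
    return r

def core(t, i):
    """Key schedule core: rotate 8 bits left, S-box each byte, XOR rcon(i) into byte 0."""
    w = [SBOX[x] for x in t[1:] + t[:1]]
    return bytes([w[0] ^ rcon(i)] + w[1:])

def expand_key(key):
    n = len(key)                        # 16, 24 or 32 bytes
    b = {16: 176, 24: 208, 32: 240}[n]  # expanded key size in bytes
    out, i = bytearray(key), 1
    while len(out) < b:
        for step in range(n // 4):      # n more bytes, 4 at a time
            t = bytes(out[-4:])
            if step == 0:               # first word of each group uses the core
                t, i = core(t, i), i + 1
            elif n == 32 and step == 4: # extra S-box step, 256-bit keys only
                t = bytes(SBOX[x] for x in t)
            out += bytes(x ^ y for x, y in zip(t, out[-n:4 - n]))
    return bytes(out[:b])

if __name__ == "__main__":              # key from FIPS 197 Appendix A.1
    print(expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))[-16:].hex())
```

Run as a script, it prints the last round key for the FIPS 197 Appendix A.1 key, d014f9a8c9ee2589e13f0cc8b6630ca6.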
