440 likes | 595 Views
Chapter 5 – Advanced Encryption Standard (AES). A clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks US NIST issued call for ciphers in 1997 15 candidates accepted in Jun 98 5 were shortlisted in Aug-99
E N D
Chapter 5 –Advanced Encryption Standard (AES) • A clear a replacement for DES was needed • have theoretical attacks that can break it • have demonstrated exhaustive key search attacks • US NIST issued call for ciphers in 1997 • 15 candidates accepted in Jun 98 • 5 were shortlisted in Aug-99 • Rijndael was selected as the AES in Oct-2000 • issued as FIPS (Federal Information Processing Standard) PUB 197 standard on 26 Nov-2001
AES Requirements • private key symmetric block cipher • 128-bit data, 128/192/256-bit keys • stronger & faster than Triple-DES • active life of 20-30 years (+ archival use) • provide full specification & design details • both C & Java implementations • NIST have released all submissions & unclassified analyses
AES Evaluation Criteria • initial criteria: • security – effort for practical cryptanalysis • cost – in terms of computational efficiency • algorithm & implementation characteristics • final criteria • general security • ease of software & hardware implementation • implementation attacks • flexibility (in en/decrypt, keying, other factors)
AES Shortlist • after testing and evaluation, shortlist in Aug-99: • MARS (IBM) - complex, fast, high security margin • RC6 (USA) - v. simple, v. fast, low security margin • Rijndael (Belgium) - clean, fast, good security margin • Serpent (Euro) - slow, clean, v. high security margin • Twofish (USA) - complex, v. fast, high security margin • then subject to further analysis & comment • saw contrast between algorithms with • few complex rounds verses many simple rounds • which refined existing ciphers verses new proposals
designed by Rijmen-Daemen in Belgium • has 128/192/256 bit keys, 128 bit data • an iterative rather than feistel cipher • processes data as block of 4 columns of 4 bytes • operates on entire data block in every round • designed to be: • resistant against known attacks • speed and code compactness on many CPUs • design simplicity
Rijndael • data block of 4 columns of 4 bytes is state • key is expanded to array of words • has 9/11/13 rounds in which state undergoes: • byte substitution (1 S-box used on every byte) • shift rows (permute bytes between groups/columns) • mix columns (subs using matrix multipy of groups) • add round key (XOR state with key material) • view as alternating XOR key & scramble data bytes • initial XOR key material & incomplete last round • with fast XOR & table lookup implementation
Mathematical preliminaries • The field GF(28) • Example: (57)16x6+x4+x2+x+1 • Addition • Multiplication • Multiplication by x • Polynomials with coefficients in GF(28) • Multiplication by x
Addition • Sum of two elements: the sum of coefficients with modulus 2 • Example: ’57’+’83’=‘D4’ • (x6+x4+x2+x+1)+(x7+x+1)=x7+x6+x4+x2
Multiplication • Multiplication in GF(28): multiplication of polynomials modulo x8+x4+x3+x+1 or (11B)16 . • Example: ’57’’83’=‘C1’ • (x6+x4+x2+x+1) (x7+x+1) = x13+x11+x9+x8+x6+x5+x4+x3+1 • x13+x11+x9+x8+x6+x5+x4+x3+1 modulo x8+x4+x3+x+1 = x7+x6+1
Some Properties • Multiplication is associative with a neutral element ‘01’. • Inverse: b-1(x)=a(x) mod m(x) with a(x)·b(x) mod m(x)= 1 • a(x)·(b(x)+c(x))=a(x)·b(x)+a(x)·c(x). • The set of 256 possible byte values, with addition and the multiplication defined as above has the structure of the finite field GF(28).
Multiplication by x • Multiply b(x) with the polynomial x: b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x • If b7=0, the reduction is identity operation; if b7=1, m(x) must be subtracted (i.e. EXORed). • That is, multiplication by x (‘02’) can be implemented by a left shift and a conditional EXOR with’1B’.
Example • ‘57’ ‘13’ =‘FE’ ‘57’ ’02’=xtime(57)=‘AE’ ‘57’ ’04’=xtime(AE)=‘47’ ‘57’ ’08’=xtime(47)=‘8E’ ‘57’ ’10’=xtime(8E)=‘07’ ‘57’ ‘13’ =‘57’(‘01’’02’’10’) = ‘57’’AE’’07’=‘FE’
Polynomials with coefficients in GF(28) • Two polynomials over GF(28): a(x)=a3x3+a2x2+a1x+a0 b(x)=b3x3+b2x2+b1x+b0 • Their product c(x)=c6x6+c5x5+c4x4+c3x3+c2x2+c1x+c0 c0=a0 b0 c1=a1 b0 a0 b1 c2=a2 b0 a1 b1 a0 b2 c3=a3 b0 a2 b1 a1 b2+ a0 b3 c4=a3 b1 a2 b2 a1 b3 c5=a3 b2 a2 b3 c6=a3 b3
Polynomials with coefficients in GF(28) • By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4. • M(x)=x4+1 and xi mod x4+1=xi mod 4.
Polynomials with coefficients in GF(28) • Product of a( x ) and b( x ): d( x ) = a( x ) Ä b( x )= d3x3+d2x2+d1x+d0 d0 = a0· b0Å a3· b1Å a2· b2Å a1· b3 d1 = a1· b0Å a0· b1Å a3· b2Å a2· b3 d2 = a2· b0Å a1· b1Å a0· b2Å a3· b3 d3 = a3· b0Å a2· b1Å a1· b2Å a0· b3
Polynomials with coefficients in GF(28) circulant matrix:
Multiplication by x • Multiply b( x ) by the polynomial x: b3x4+b2x3+b1x2+b0x • x Ä b( x ) modulo 1+x4= b2x3+b1x2+b0x+b3 • It is equivalent to multiplication by a matrix with all ai =‘00’ except a1 =‘01’. Let c( x ) = xb( x ). We have:
Specification • Variable block length and key length • Block length and the key length can be 128, 192, or 256 bits. • The state: the intermediate cipher result. • The Cipher Key is similarly picture as a rectangular array with four rows.
The rounds • The number of rounds is denoted by Nr and depends on the values Nb and Nk. It is given in Table 1.
The cipher • The cipher Rijndael consists of • An initial Round Key addition; • Nr-1 Rounds; • A final round. • In pseudo C code, Rijndael(State,CipherKey) { KeyExpansion(CipherKey,ExpandedKey) ; AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); }
The cipher • The key expansion can be done on beforehand and Rijndael can be specified in terms of the Expanded Key. Rijndael(State,ExpandedKey) { AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); }
The round transformation Round(State,RoundKey) { ByteSub(State); ShiftRow(State); MixColumn(State); AddRoundKey(State,RoundKey); }
The final round FinalRound(State,RoundKey) { ByteSub(State) ; ShiftRow(State) ; AddRoundKey(State,RoundKey); }
The ByteSub transformation(1/2) 1. Taking the multiplicative inverse in GF(28). 2. Applying an affine transformation defined by:
The MixColumn transformation(1/2) • The columns of the State are considered as polynomials over GF(28) and multiplied modulo x4+1 with a fixed polynomial c(x)= ‘03’x3+‘01’x2+‘01’x+‘02’. • This can be written as a matrix multiplication. Let b(x) = c(x) Ä a(x),
Key schedule • The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two components: the Key Expansion and the Round Key Selection. The basic principle is the following: • The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed). • The Cipher Key is expanded into an Expanded Key. • Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.
Key expansion • The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)]. The first NKwords contain the Cipher Key. All other words are defined recursively in terms of words with smaller indices. For Nk £ 6, we have: KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = W[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; W[i] = W[i - Nk] ^ temp; } }
Key expansion For Nk > 6, we have: KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = W[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; else if (i % Nk == 4) temp = SubByte(temp); W[i] = W[i - Nk] ^ temp; } }
Round Key selection • Round key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)].
Strength against known attacks • Symmetry properties and weak keys of the DES type • Round constants are different in each round to eliminate symmetry in the cipher. • The cipher and its inverse use different components to eliminates the possibility for weak and semi-weak keys, as existing for DES. • The non-linearity of the key expansion eliminates the possibility of equivalent keys.
Strength against known attacks • Differential cryptanalysis(DC) • First described by Eli Biham and Adi Shamir in 1991. • A differential propagation is composed of differential trails(DT), where its prop ratio(PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns. • Necessary condition to be resistant against DC: No DT with predicated PR > 21-n, n the block length. • For Rijndael: No 4-round DT with predicated PR above 2-150 (no 8-round trails with PR above 2-300 ).
Strength against known attacks • Linear cryptanalysis(LC) • First described by Mitsuru Matsui in 1994. • An input-output correlation is composed of linear trails (LT) that have the specified initial and final selection patterns. • Necessary condition to be resistant against LC: No LTs with a correlation coefficients > 2n/2 • For Rijndael: No 4-round LTs with a correlation above 2-75 (no 8-round trails with a correlation above 2-150).
Strength against known attacks • Interpolation attacks • Introduced by Jakobsen and Knudsen in 1997. • The attacker constructs polynomials using cipher input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial. • The expression for the S-box is given by 63+8fX127+b5X191+01X223+f4X239+25X247+f9X251+09X253+05X254
Strength against known attacks • Other attacks considered: • Truncated differentials • The Square attack • Related-key attacks • Weak keys as in IDEA
Advantages and limitations • Advantages • Implementation aspects • Rijndael can be implemented to run at speeds unusually fast on a Pentium (Pro). Trade-off between table size/performance. • Rijndael can be implemented on a smart card in a small code, using a small amount of RAM and a small number of cycles. • The round transformation is parallel by design. • As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures.
Advantages and limitations • Advantages • Simplicity of design • The cipher is fully “self-supporting”. • The cipher does not base its security on obscure and not well understood arithmetic operations. • The tight cipher design does not leave enough room to hide a trapdoor. • Variable block length and extensions • Block lengths and key length both range from 128 to 256 in steps of 32 bits. • Round number can be also modified as a parameter.
Advantages and limitations • Limitations • The inverse cipher is less suited to be implemented on a smart card than the cipher itself: it takes more code and cycles. • In software, the cipher and its inverse make use of different code and/or tables. • In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.