Advanced Encryption Standard
Lars R. Knudsen
June 2014
L.R. Knudsen Advanced Encryption Standard
AES - Advanced Encryption Standard
US governmental encryption standard
Open (world) competition announced January 1997
Blocks: 128 bits
Keys: choice of 128-bit, 192-bit, and 256-bit keys
October 2000: AES = Rijndael
Standard: FIPS 197, November 2001
AES = Rijndael
Designed by Joan Daemen and Vincent Rijmen
Simple design, byte-oriented
Operations: XOR and table lookup
S-box, substitutes a byte by a byte

Key size   128   192   256
Rounds      10    12    14

Focus on the 128-bit key version with 10 iterations
Multiplication in GF(256) - AES
In AES the finite field $GF(2^8)$ is determined by the irreducible polynomial
$m(x) = x^8 + x^4 + x^3 + x + 1$
Elements of $GF(2^8)$ are all polynomials of degree less than eight with coefficients in $GF(2)$
1-to-1 correspondence between 8-bit vectors and elements of $GF(2^8)$:
finite field element $p(x) = \sum_{i=0}^{7} b_i x^i$
8-bit vector $v = (b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0)$
Multiplication in GF(256) (cont.)
Compute $p(x)$ times $q(x)$, where $p(x) = \sum_{i=0}^{7} b_i x^i$ and $q(x) = \sum_{i=0}^{7} c_i x^i$:
  Do straightforward multiplication of polynomials $p(x) \cdot q(x)$;
  Reduce the result modulo $m(x)$.
Example
Compute $x^6 + x^4 + x^2 + x + 1$ times $x^7 + x + 1$
$(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1$
$x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 \bmod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1$
Alternative representation: $57_x \times 83_x = c1_x$ (hex notation)
Multiplication by x in GF(256)
Find the product $r(x)$ of $p(x) = \sum_{i=0}^{7} b_i x^i$ and $x$ in $GF(2^8)$:
Compute $p(x) \cdot x = \sum_{i=0}^{7} b_i x^{i+1}$
If $b_7 = 0$, $r(x) = p(x) \cdot x$
If $b_7 = 1$, $r(x) = p(x) \cdot x \bmod m(x) = p(x) \cdot x + m(x)$
Example
$(x^7 + x^6 + x^5 + x^4 + x^2) \times x = x^8 + x^7 + x^6 + x^5 + x^3$
reduce modulo $m(x) = x^8 + x^4 + x^3 + x + 1$
result is $x^7 + x^6 + x^5 + x^4 + x + 1$
Hex notation: $f4_x \times 02_x = f3_x$
Multiplication by x+1 in GF(256)
Find the product $r(x)$ of $p(x) = \sum_{i=0}^{7} b_i x^i$ and $x + 1$ in $GF(2^8)$:
Compute $(p(x) \cdot x) + p(x) = \sum_{i=0}^{7} b_i (x^i + x^{i+1})$
If $b_7 = 0$, $r(x) = p(x) \cdot x + p(x)$
If $b_7 = 1$, $r(x) = ((p(x) \cdot x) + p(x)) \bmod m(x) = p(x) \cdot x + p(x) + m(x)$
Example
$(x^7 + x^6 + x^5 + x^4 + x^2) \times (x + 1) = x^8 + x^4 + x^3 + x^2$
reduce modulo $m(x) = x^8 + x^4 + x^3 + x + 1$
result is $x^2 + x + 1$
Hex notation: $f4_x \times 03_x = 07_x$
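The multiplication procedure of the last four slides, as an added Python example (not code from the lecture): a byte is the coefficient vector of a polynomial over GF(2), poly_mul forms the unreduced product, poly_mod reduces it modulo m(x), and xtime / mul_x_plus_1 implement the two shortcut cases for multiplication by x and by x + 1. All function names are my own; the values it checks are the slides' own (57 · 83 = c1, f4 · 02 = f3, f4 · 03 = 07).

```python
# Added example, not from the lecture slides: GF(2^8) arithmetic done the way
# the slides describe it (polynomial product, then reduction modulo m(x)).
M_X = 0b1_0001_1011  # m(x) = x^8 + x^4 + x^3 + x + 1, i.e. 0x11b


def poly_mul(p, q):
    """Straightforward product of two GF(2)[x] polynomials, no reduction.
    Bit i of an integer is the coefficient of x^i; addition is XOR."""
    r = 0
    while q:
        if q & 1:
            r ^= p
        p <<= 1
        q >>= 1
    return r


def poly_mod(r, m=M_X):
    """Reduce r modulo m by XORing shifted copies of m while deg r >= deg m."""
    dm = m.bit_length() - 1
    while r.bit_length() - 1 >= dm:
        r ^= m << (r.bit_length() - 1 - dm)
    return r


def gf_mul(p, q):
    """Multiplication in GF(2^8): multiply, then reduce (the slides' two steps)."""
    return poly_mod(poly_mul(p, q))


def xtime(p):
    """Multiply by x: shift left; if b_7 was 1 the x^8 term appears, add m(x)."""
    p <<= 1
    return p ^ M_X if p & 0x100 else p


def mul_x_plus_1(p):
    """Multiply by x + 1: (p * x) + p, the reduction handled inside xtime."""
    return xtime(p) ^ p


def poly_str(p):
    """Render a byte as the polynomial the slides write, e.g. 0x57 -> x^6 + x^4 + x^2 + x + 1."""
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    prod = poly_mul(0x57, 0x83)
    print(f"({poly_str(0x57)})({poly_str(0x83)}) = {poly_str(prod)}")
    print(f"reduced mod m(x): {poly_str(poly_mod(prod))}  (hex {gf_mul(0x57, 0x83):02x})")
    print(f"f4 * 02 = {xtime(0xF4):02x}, f4 * 03 = {mul_x_plus_1(0xF4):02x}")
```

Running it reproduces the slides' worked examples; the last assertion-style check a practitioner would add is that the shortcut routines agree with the general gf_mul for every byte, which is what the test below does.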
AES - iterated cipher, key schedule
Input: user selected key of 128 bits
Output: 11 round keys $k_0, k_1, k_2, \ldots, k_{10}$
$p = c_0$ plaintext
$c_i = F(k_i, c_{i-1})$
$c_{10}$ ciphertext
Details of the key schedule are self-study
AES round transformation
Arrange the 16 input bytes in a $4 \times 4$ matrix
Subfunctions
1 SubBytes (byte substitution via S-box)
2 ShiftRows
3 MixColumns
4 AddRoundKey
SubBytes
Figure: the state $(a_{i,j})$, $0 \le i, j \le 3$, is mapped byte by byte through S to $(b_{i,j})$, $b_{i,j} = S(a_{i,j})$
S is the S-box (invertible)
One S-box for the whole cipher (simplicity)
ShiftRows
Figure (before and after):
  a b c d  →  a b c d
  e f g h  →  f g h e
  i j k l  →  k l i j
  m n o p  →  p m n o
Rows shifted over different offsets: 0, 1, 2, and 3
MixColumns
Figure: mix four bytes; each column $(a_{0,j}, a_{1,j}, a_{2,j}, a_{3,j})$ of the state is mapped to the column $(b_{0,j}, b_{1,j}, b_{2,j}, b_{3,j})$
Each of the four $b_{i,j}$ in a column depends on all four $a_{i,j}$ from the same column
AddRoundKey (bit-wise XOR)
$(a_{i,j}) \oplus (k_{i,j}) = (b_{i,j})$, i.e. $b_{i,j} = a_{i,j} \oplus k_{i,j}$ for all $0 \le i, j \le 3$
AES - 10-round version
Arrange the 16 input bytes in a $4 \times 4$ matrix
AddRoundKey
Do nine times:
  SubBytes (byte substitution via S-box)
  ShiftRows
  MixColumns
  AddRoundKey
SubBytes
ShiftRows
AddRoundKey
SubBytes
Input $a$, output $b$, both bytes
Let $f(x) = x^{-1}$ in $GF(2^8) \setminus \{0\}$ and $f(0) = 0$
Then $b = A(f(a))$, where $A$ is an affine mapping over $GF(2)$.
With $t = f(a) = (t_7, t_6, \ldots, t_1, t_0)$ the output is:
$$
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} t_0 \\ t_1 \\ t_2 \\ t_3 \\ t_4 \\ t_5 \\ t_6 \\ t_7 \end{pmatrix}
\oplus
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$
MixColumns
$$
\begin{pmatrix}
2 & 3 & 1 & 1 \\
1 & 2 & 3 & 1 \\
1 & 1 & 2 & 3 \\
3 & 1 & 1 & 2
\end{pmatrix}
\times
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix}
=
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}
$$
Bytes in columns are combined linearly
$b_{0,2} = \{2\} \times a_{0,2} + \{3\} \times a_{1,2} + \{1\} \times a_{2,2} + \{1\} \times a_{3,2}$
Multiplication is over $GF(2^8)$
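The round subfunctions of the preceding slides, as an added Python example (not code from the lecture): the S-box is built from its definition, inversion in GF(2^8) followed by the affine map A with the matrix and constant shown above, and SubBytes, ShiftRows, MixColumns and AddRoundKey are then applied to a 4 × 4 state indexed state[row][column] as on the slides. Function names and the demo state and key are my own; the reference values (S(00) = 63, S(53) = ed, and the MixColumns column db 13 53 45 → 8e 4d a1 bc) are the published FIPS 197 examples.

```python
# Added example, not from the lecture slides: build the AES S-box from its
# definition (inversion in GF(2^8), then the affine map A) and apply the four
# round subfunctions to a 4x4 state. Values are checked against FIPS 197.
AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by m(x) whenever x^8 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(a):
    """f(a) = a^-1 in GF(2^8) minus {0}, with f(0) = 0; the field is tiny, so search."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)


# Row i of the affine matrix A as a bitmask over the input bits t_0..t_7
# (bit k set means t_k is XORed into b_i); row 0 is 1 0 0 0 1 1 1 1 -> bits 0,4,5,6,7.
A_ROWS = [0xF1, 0xE3, 0xC7, 0x8F, 0x1F, 0x3E, 0x7C, 0xF8]
A_CONST = 0x63  # the constant column vector (c_0..c_7 = 1,1,0,0,0,1,1,0)


def affine(t):
    """b_i = <row_i, t> XOR c_i, the GF(2) dot product taken bitwise."""
    b = 0
    for i, row in enumerate(A_ROWS):
        bit = bin(t & row).count("1") & 1
        bit ^= (A_CONST >> i) & 1
        b |= bit << i
    return b


SBOX = [affine(gf_inv(a)) for a in range(256)]  # one S-box for the whole cipher
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def sub_bytes(state):
    return [[SBOX[a] for a in row] for row in state]


def shift_rows(state):
    """Row i is rotated left by i positions (offsets 0, 1, 2, 3)."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]


def mix_column(col):
    """One column: b_i = sum over k of {MIX[i][k]} x a_k, multiplication in GF(2^8)."""
    return [gf_mul(MIX[i][0], col[0]) ^ gf_mul(MIX[i][1], col[1])
            ^ gf_mul(MIX[i][2], col[2]) ^ gf_mul(MIX[i][3], col[3]) for i in range(4)]


def mix_columns(state):
    cols = [mix_column([state[i][j] for i in range(4)]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]


def add_round_key(state, round_key):
    return [[a ^ k for a, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def aes_round(state, round_key, final=False):
    """One round: SubBytes, ShiftRows, MixColumns (omitted in the last round), AddRoundKey."""
    state = shift_rows(sub_bytes(state))
    if not final:
        state = mix_columns(state)
    return add_round_key(state, round_key)


if __name__ == "__main__":
    # Constructed demo state and round key (arbitrary values, not a FIPS 197 vector).
    state = [[4 * i + j for j in range(4)] for i in range(4)]
    key = [[0x10 * i + j for j in range(4)] for i in range(4)]
    print(f"S(53) = {SBOX[0x53]:02x}")
    print([[f"{b:02x}" for b in row] for row in aes_round(state, key)])
```

Building the table from the definition rather than pasting 256 constants is also the natural way to check an implementation's S-box: the generated table must be a permutation of 0..255 (the "invertible" on the SubBytes slide) and must hit the published spot values.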
Diffusion in AES
Figure: the state after ShiftRows, MixColumns, ShiftRows, MixColumns in turn (diffusion over two rounds)
Differential characteristics and active S-boxes
Consider SP-networks like AES, where a round consists of
  key addition
  S-box layer
  linear layer (linear mapping)
Definition
In a differential characteristic an S-box is active if the inputs to the S-box are assumed to be different.
Fact (or assumption)
The transition of differences
  is deterministic through the key additions and linear layers;
  is non-deterministic through the S-box layers.
Differential characteristics and active S-boxes (2)
Max probability
Let $p_{\max}$ be the maximum probability of a non-trivial characteristic for the S-boxes.
Active S-boxes
Let $d$ be the minimum number of active S-boxes in an $r$-round characteristic.
Bound
Then $p_{\max}^{d}$ is an upper bound on the probability of any $r$-round characteristic.
AES and Wide-Trail
The AES design uses the wide-trail strategy:
Theorem
Any differential/linear characteristic over 4 rounds of AES has at least 25 active S-boxes.
AES has 10 (or more) rounds
Together with the good S-box: more than enough.
2 Rounds
Figure: S S S S → Linear Layer L → S S S S
Aim
Give a bound on the number of active S-boxes in a differential characteristic.
We assume S and L are bijective.
L is linear, so $L(x \oplus y) = L(x) \oplus L(y)$.
No further assumptions on S
2 Rounds
Figure: S S S S → Linear Layer L → S S S S
Aim
Give a lower bound on the number of active S-boxes in a differential characteristic.
Trivial bounds:
  Lower bound for the lower bound: 2
  Upper bound for the lower bound: # S-boxes + 1 (here 5).
2 Rounds
Picture with differences:
  $\Delta = \alpha = (\alpha_0, \alpha_1, \alpha_2, \alpha_3)$ at the input of the first S-box layer
  $\Delta = \beta = (\beta_0, \beta_1, \beta_2, \beta_3)$ at its output, the input of L
  $\Delta = \gamma = (\gamma_0, \gamma_1, \gamma_2, \gamma_3)$ at the input of the second S-box layer
$\gamma = L(\beta)$
# active S-boxes is $|\{i \mid \alpha_i \ne 0\}| + |\{j \mid \gamma_j \ne 0\}| = |\{i \mid \beta_i \ne 0\}| + |\{j \mid \gamma_j \ne 0\}|$ (S bijective, so $\alpha_i \ne 0$ iff $\beta_i \ne 0$)
Trivial lower bound on 2 rounds
(same picture: $\alpha$ → S S S S → $\beta$ → Linear Layer L → $\gamma$ → S S S S)
Lower bound: 2
$\alpha \ne 0$ (at least one $\alpha_i \ne 0$).
$\Rightarrow \beta \ne 0$ (at least one $\beta_i \ne 0$). (S-box bijective)
$\Rightarrow \gamma \ne 0$ (at least one $\gamma_i \ne 0$). (L is bijective)
$\Rightarrow |\{i \mid \alpha_i \ne 0\}| + |\{j \mid \gamma_j \ne 0\}| \ge 1 + 1 = 2$
Trivial upper bound on 2 rounds
(same picture: $\alpha$ → S S S S → $\beta$ → Linear Layer L → $\gamma$ → S S S S)
Upper bound on the lower bound: # S-boxes + 1 (here 5).
Take $\alpha$ with exactly one $\alpha_i \ne 0$; then at most all four $\gamma_j$ are non-zero:
$|\{i \mid \alpha_i \ne 0\}| + |\{j \mid \gamma_j \ne 0\}| \le 1 + 4 = 5$
Definition
The branch number of a linear transformation L is the minimum number of active words (S-boxes) in the inputs and outputs of L.
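The 2-round argument of the last five slides, checked by brute force in an added Python example (not code from the lecture) on a scaled-down model that I assume for tractability: words are 4-bit, the field is GF(2^4) with modulus x^4 + x + 1, the linear layer L is the MixColumns matrix read over that field, and the S-box is inversion in GF(2^4). branch_number is the slide's definition taken literally (minimum of active input plus output words over all non-zero inputs), which by the "Picture with differences" slide is also the minimum number of active S-boxes over two rounds; the example also computes p_max from the S-box's difference distribution table and the p_max^d bound of the earlier slide, and compares the MixColumns-style L with a plain word permutation. All names are my own.

```python
# Added example, not from the lecture slides: brute-force check of the branch
# number and the 2-round active S-box bound on a scaled-down model.
# Model assumptions (mine, not the lecture's): words are 4-bit, the field is
# GF(2^4) with m(x) = x^4 + x + 1, the linear layer L is the AES MixColumns
# matrix read over that field, and the S-box is inversion in GF(2^4).
from itertools import product

TOY_POLY = 0b10011  # x^4 + x + 1 (toy field, not the AES polynomial)


def gf16_mul(a, b):
    """Multiply in GF(2^4): shift-and-add, reducing whenever x^4 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= TOY_POLY
        b >>= 1
    return r


MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]  # lookup table
# Toy S-box: x -> x^-1 with 0 -> 0, the same construction as the AES S-box core.
INV_SBOX = [0] + [next(b for b in range(1, 16) if MUL[a][b] == 1) for a in range(1, 16)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_layer(words):
    """L = the MixColumns matrix acting on one column of four words."""
    return tuple(MUL[r[0]][words[0]] ^ MUL[r[1]][words[1]]
                 ^ MUL[r[2]][words[2]] ^ MUL[r[3]][words[3]] for r in MIX)


def rotate_layer(words):
    """A weak L for comparison: a plain word permutation, no mixing."""
    return (words[1], words[2], words[3], words[0])


def weight(words):
    """Number of non-zero (active) words in a difference."""
    return sum(1 for w in words if w)


def branch_number(layer):
    """Slide definition: min over non-zero beta of wt(beta) + wt(L(beta)).
    In the 2-round picture alpha_i != 0 iff beta_i != 0 (S bijective) and
    gamma = L(beta), so this is also the minimum number of active S-boxes."""
    return min(weight(beta) + weight(layer(beta))
               for beta in product(range(16), repeat=4) if any(beta))


def max_diff_prob(sbox):
    """p_max: largest entry of the difference distribution table (input
    difference a != 0), divided by the number of inputs."""
    n = len(sbox)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1  # output difference for this x
        best = max(best, max(counts))
    return best / n


def two_round_bound(sbox, layer):
    """p_max^d with d the branch number: bound on any 2-round characteristic."""
    return max_diff_prob(sbox) ** branch_number(layer)


if __name__ == "__main__":
    for name, layer in (("MixColumns-style L", mix_layer), ("word rotation", rotate_layer)):
        print(f"{name}: branch number {branch_number(layer)}, "
              f"2-round bound {two_round_bound(INV_SBOX, layer):.3g}")
```

The two layers sit at the two trivial bounds of the slides: the permutation reaches only the lower bound 2 (one active word in, one out), while the MixColumns-style matrix reaches the upper bound # S-boxes + 1 = 5, so in this model any 2-round characteristic has probability at most p_max^5.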