  1. Kryptographie (Cryptography): Advanced Encryption Standard
     Uwe Egly, Vienna University of Technology, Institute of Information Systems, Knowledge-Based Systems Group
     1 / 23

  2. History
     ◮ Due to severe problems, DES, 3DES had to be replaced
     ◮ 1997: NIST published a “request for candidates” for the AES:
        ◮ Fully specified and explained algorithm
        ◮ Symmetric block cipher with (at least) 128 bit block size
        ◮ Variable strength by variable key size (128, 192, 256 bits)
        ◮ Efficient implementation on various SW & HW platforms
     ◮ 1998: Crypto. community was asked to comment on 15 candidates
     ◮ 1999: Selection of 5 candidates for the 2nd round: MARS, RC6, Rijndael, Serpent, and Twofish
     ◮ 2000/2001: Selection of Rijndael

  3. Selection Criteria for the First Round
     ◮ Security
        ◮ Resistance to cryptanalysis
        ◮ Soundness of its mathematical basis
        ◮ Randomness of the algorithm output
        ◮ Relative security compared with other candidates
     ◮ Costs
        ◮ Efficiency (speed, memory) on various SW platforms
        ◮ Cost of HW implementation (e.g., chip area)
        ◮ Royalty-free
     ◮ Algorithm and implementation characteristics
        ◮ Versatility (flexible and suitable to SW and HW)
        ◮ Complexity of the algorithm

  4. Relative Evaluation of the Finalists
     Relative scores of the five candidates (3 is the best!)

     Criterion                    MARS   RC6   Rijndael   Serpent   Twofish
     General security               3     2       2          3         3
     Implementation of security     1     1       3          3         2
     SW performance                 2     2       3          1         1
     HW performance                 1     2       3          3         2
     Smart card performance         1     1       3          3         2
     Design features                2     1       2          1         3

  5. Overview of AES
     ◮ Key size: 128 bit, 192 bit or 256 bit
     ◮ Block size: 128 bit (Rijndael: 128–256 bit in 32 bit steps)
     ◮ Number of rounds ($N_r$): variable, depending on the key size
        ◮ AES with 128 bit key: 10 rounds
        ◮ AES with 192 bit key: 12 rounds
        ◮ AES with 256 bit key: 14 rounds
     ◮ Round key: one 128 bit RK for each round + 1 RK for the initial AddRoundKey

  6. Input, Output, and Central Data Structures
     ◮ Plaintext: sequence of bytes (padded to a multiple of the block length)
       $p_0 \cdots p_{4N_b - 1}$, where $N_b$ = block length / 32, i.e., $N_b = 4$ in AES
     ◮ state: the central data structure, a matrix of 4 rows and $N_b$ columns
     ◮ plaintext block ↦ state: $a_{i,j} = p_{i+4j}$ ($0 \le i < 4$, $0 \le j < N_b$)

       $$
       \begin{pmatrix}
       a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
       a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
       a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
       a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
       \end{pmatrix}
       =
       \begin{pmatrix}
       p_0 & p_4 & p_8    & p_{12} \\
       p_1 & p_5 & p_9    & p_{13} \\
       p_2 & p_6 & p_{10} & p_{14} \\
       p_3 & p_7 & p_{11} & p_{15}
       \end{pmatrix}
       $$

     ◮ state ↦ ciphertext block: $c_i = a_{i \bmod 4,\; i \operatorname{div} 4}$ ($0 \le i < 4N_b$)
       (mod: remainder, div: integer division, e.g., 7 div 3 = 2)
     ◮ After decryption: $p_i = a_{i \bmod 4,\; i \operatorname{div} 4}$ ($0 \le i < 4N_b$)

  7. The Key and its Data Structures
     ◮ Key: sequence of bytes (length varies!) $z_0 z_1 z_2 \cdots z_{4N_k - 1}$, where $N_k$ is key length / 32
     ◮ Key array: matrix of 4 rows and $N_k$ columns
     ◮ key ↦ key array: $k_{i,j} = z_{i+4j}$ ($0 \le i < 4$, $0 \le j < N_k$)
     ◮ Key array $K$ for $N_k = 6$:

       $$
       \begin{pmatrix}
       k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} & k_{0,4} & k_{0,5} \\
       k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} & k_{1,4} & k_{1,5} \\
       k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} & k_{2,4} & k_{2,5} \\
       k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} & k_{3,4} & k_{3,5}
       \end{pmatrix}
       =
       \begin{pmatrix}
       z_0 & z_4 & z_8    & z_{12} & z_{16} & z_{20} \\
       z_1 & z_5 & z_9    & z_{13} & z_{17} & z_{21} \\
       z_2 & z_6 & z_{10} & z_{14} & z_{18} & z_{22} \\
       z_3 & z_7 & z_{11} & z_{15} & z_{19} & z_{23}
       \end{pmatrix}
       $$

  8. Overall Structure
     ◮ Rijndael is a key-iterated block cipher
     ◮ Apply the round transformation to the state

     Algorithm 1: Rijndael(State, CipherKey)
     begin
         KeyExpansion(CipherKey, ExpandedK);   /* ExpandedK[0], ..., ExpandedK[N_r]: round keys */
         AddRoundKey(State, ExpandedK[0]);
         for i = 1 to N_r - 1 step 1 do
             Round(State, ExpandedK[i]);
         FinalRound(State, ExpandedK[N_r]);
     end

  9. Overall Description of Round and FinalRound

     Algorithm 2: Round(State, ExpandedK[i])   /* has to be invertible */
     begin
         SubBytes(State);
         ShiftRows(State);
         MixColumns(State);
         AddRoundKey(State, ExpandedK[i]);
     end

     Algorithm 3: FinalRound(State, ExpandedK[N_r])   /* has to be invertible */
     begin
         SubBytes(State);
         ShiftRows(State);
         /* No MixColumns */
         AddRoundKey(State, ExpandedK[N_r]);
     end

  10. Description of the Steps of a Round
     ◮ SubBytes: non-linear operation (using an S-Box) for resistance to differential and linear attacks
     ◮ ShiftRows: linear transformation that causes diffusion of the bits over multiple rounds (for resistance to differential and linear attacks)
     ◮ MixColumns: similar purpose and effects as ShiftRows
     ◮ AddRoundKey: XOR the round key with the currently processed state (resulting from the transformations above)

  11. SubBytes
     ◮ Maps each byte in the state to S-Box(byte): $b_{i,j} = S(a_{i,j})$
     ◮ S-Box: this is the only non-linear function in the round
     ◮ The S-Box operation is invertible
     ◮ S-Box properties are crucial for security (as in DES)
     ◮ The S-Box is described as an “algebraic operation” but implemented as a look-up table (very fast)

  12. The (Only) S-Box of AES
     ◮ $a_{i,j} = 8b_{16} \mapsto b_{i,j} = 3d_{16}$ with the following S-Box of AES (row = high nibble, column = low nibble of the input byte; all values in hex)

            0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
        0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
        1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
        2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
        3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
        4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
        5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
        6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
        7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
        8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
        9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
        a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
        b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
        c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
        d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
        e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
        f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

  13. The Algebraic Basics of the S-Box: The Preparation
     ◮ Represent a byte as a polynomial with coefficients in GF(2):
       $b_7 b_6 \cdots b_1 b_0 \mapsto b_7 \cdot x^7 + b_6 \cdot x^6 + \cdots + b_1 \cdot x + b_0$
     ◮ Use the following irreducible polynomial of degree 8 for reduction:
       $m(x) = x^8 + x^4 + x^3 + x + 1$
     ◮ Then GF(2)[x]/(m(x)) is a finite field of order $2^8$, as expected
     ◮ We need the concept of an affine translation: it is a matrix-vector product + a translation vector
     ◮ Recall: multiplicative inverses can be computed with the extended Euclidean algorithm

  14. The Algebraic Basics of the S-Box
     ◮ S-Box constructed by composing two transformations:
       1. Take $y = g(x)$ defined as follows:
          $$
          y = \begin{cases} 00_{16} & \text{if } x = 00_{16}, \\ x^{-1} \ (\text{the multiplicative inverse}) & \text{otherwise.} \end{cases}
          $$
       2. Apply the affine transformation (AT) $z = f(y)$ (over GF(2)):
          $$
          z_i = y_i \oplus y_{(i+4) \bmod 8} \oplus y_{(i+5) \bmod 8} \oplus y_{(i+6) \bmod 8} \oplus y_{(i+7) \bmod 8} \oplus c_i
          $$
          ($\oplus$ denotes exclusive or and corresponds to addition in $\mathbb{Z}_2$)
     ◮ $x_i, y_i, z_i$ is the $i$th bit of the byte $x, y, z$
     ◮ $c_i$ is the $i$th bit of a byte $c$ with value $63_{16}$ or 01100011
     ◮ We will compute some entries of the S-box in the exercises

  15. The Affine Translation in Matrix Notation
     $$
     \begin{pmatrix} z_7 \\ z_6 \\ z_5 \\ z_4 \\ z_3 \\ z_2 \\ z_1 \\ z_0 \end{pmatrix}
     =
     \begin{pmatrix}
     1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
     0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
     0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
     0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
     1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
     1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
     1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
     1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
     \end{pmatrix}
     \cdot
     \begin{pmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{pmatrix}
     \oplus
     \begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
     $$
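The following Python is an added example, not part of the slides, that constructs the S-box of slide 12 from the two steps on slides 14 and 15 and checks it against the table. The multiplicative inverse $g(x)$ is computed by exponentiation ($x^{254} = x^{-1}$ in a field of order 256) rather than by the extended Euclidean algorithm the slides mention; both give the same value. The affine step is implemented twice, once from the bitwise formula of slide 14 and once from the matrix of slide 15, so the two notations can be compared. All function names are this example's own.

```python
# Added example (not from the slides): build the AES S-box from slides 14/15 and
# compare it with the table on slide 12.

M_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, reduction polynomial of slide 13


def gmul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo m(x)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= M_POLY
    return p


def g(x: int) -> int:
    """Step 1 of slide 14: y = 00 for x = 00, otherwise y = x^-1 in GF(2^8).
    Exponentiation is used instead of the extended Euclidean algorithm: x^255 = 1
    for every non-zero x, hence x^254 = x^-1."""
    if x == 0:
        return 0
    y = 1
    for _ in range(254):
        y = gmul(y, x)
    return y


def f_bitwise(y: int) -> int:
    """Step 2 of slide 14: z_i = y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7} + c_i (mod 2),
    indices mod 8, c = 63_16."""
    c = 0x63
    z = 0
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8)) ^ (c >> i))
        z |= (bit & 1) << i
    return z


# Rows of the matrix on slide 15 (top row produces z_7, columns ordered y_7 ... y_0)
# and the translation vector (top entry = c_7).
AT_ROWS = ["11111000", "01111100", "00111110", "00011111",
           "10001111", "11000111", "11100011", "11110001"]
AT_CONST = "01100011"  # = 63_16


def f_matrix(y: int) -> int:
    """The same affine transformation as a matrix-vector product plus translation."""
    z = 0
    for k, row in enumerate(AT_ROWS):
        i = 7 - k                                     # row k yields bit z_i
        bit = bin(y & int(row, 2)).count("1") & 1     # dot product over GF(2) = parity
        bit ^= int(AT_CONST[k])
        z |= bit << i
    return z


def build_sbox() -> list:
    """S(x) = f(g(x)) for every byte x."""
    return [f_bitwise(g(x)) for x in range(256)]


SBOX = build_sbox()

# First row of the table on slide 12, transcribed for comparison.
SLIDE12_ROW0 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
                0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76]


def sbox_checks() -> dict:
    """Checks a reader would want: the slide-12 example, the first table row,
    agreement of the two affine notations, and that S is a permutation (slide 11)."""
    return {
        "S(8b)": SBOX[0x8B],                         # slide 12: 8b -> 3d
        "S(00)": SBOX[0x00],                         # g(0) = 0, so S(0) = c = 63
        "row0_matches": SBOX[:16] == SLIDE12_ROW0,
        "matrix_equals_bitwise": all(f_matrix(y) == f_bitwise(y) for y in range(256)),
        "is_permutation": len(set(SBOX)) == 256,     # invertible, as slide 11 states
    }


if __name__ == "__main__":
    print(sbox_checks())
```

Because every S-box entry is derived from the two algebraic steps, a mismatch against the table would point at a wrong reduction polynomial, a wrong bit order in the affine step, or a wrong constant; the `matrix_equals_bitwise` check separates the last two causes.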

  16. ShiftRows
     ◮ Rotation of rows: row $i$ is rotated by $C_i$ positions ($0 \le i < 4$)
     ◮ The $C_i$ depend on $N_b$, e.g.: $(C_0, \ldots, C_3) = (0, 1, 2, 3)$ for $N_b = 4, 5, 6$ (for Rijndael $N_b = 4, 5, 6, 7, 8$, for AES $N_b = 4$)
     ◮ Example for $N_b = 4$:
     ◮ The value of $a_{i,j}$ moves to position $(i, (j - C_i) \bmod N_b)$
       Example: $(1, 0) \mapsto (1, (0 - 1) \bmod 4) = (1, 3)$ since $-1 = -1 \cdot 4 + 3$
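As an added example, not part of the slides, the following Python implements the plaintext ↦ state ↦ ciphertext index mapping of slide 6 and the ShiftRows rotation of slide 16 for $N_b = 4$, including the inverse rotation that slide 9 requires of every round step. The sample block (byte value equal to byte index) and the helper names are constructed for this example.

```python
# Added example (not from the slides): state layout (slide 6) and ShiftRows (slide 16).

NB = 4                  # block length / 32; AES fixes N_b = 4
SHIFTS = (0, 1, 2, 3)   # (C_0, ..., C_3) for N_b = 4


def to_state(block: bytes) -> list:
    """Slide 6: a_{i,j} = p_{i+4j}, i.e. the bytes fill the 4 x N_b matrix column by column."""
    assert len(block) == 4 * NB, "one full block expected (padding happens before this)"
    return [[block[i + 4 * j] for j in range(NB)] for i in range(4)]


def from_state(state: list) -> bytes:
    """Slide 6: c_i = a_{i mod 4, i div 4}; the inverse of to_state."""
    return bytes(state[i % 4][i // 4] for i in range(4 * len(state[0])))


def new_position(i: int, j: int, nb: int = NB) -> tuple:
    """Slide 16: a_{i,j} moves to (i, (j - C_i) mod N_b).
    Python's % already returns the non-negative remainder, e.g. (0 - 1) % 4 == 3."""
    return (i, (j - SHIFTS[i]) % nb)


def shift_rows(state: list) -> list:
    """Apply the rotation row by row, placing every byte via new_position."""
    nb = len(state[0])
    out = [[0] * nb for _ in range(4)]
    for i in range(4):
        for j in range(nb):
            ni, nj = new_position(i, j, nb)
            out[ni][nj] = state[i][j]
    return out


def inv_shift_rows(state: list) -> list:
    """Rotate the other way; every round step must be invertible (slide 9)."""
    nb = len(state[0])
    out = [[0] * nb for _ in range(4)]
    for i in range(4):
        for j in range(nb):
            out[i][(j + SHIFTS[i]) % nb] = state[i][j]
    return out


# Constructed sample block: byte value == byte index, so the state shows the layout directly.
SAMPLE_BLOCK = bytes(range(16))


def demo() -> dict:
    state = to_state(SAMPLE_BLOCK)
    shifted = shift_rows(state)
    return {
        "state": state,                       # rows: [0,4,8,12], [1,5,9,13], ...
        "shifted": shifted,                   # row 1 becomes [5,9,13,1], row 2 [10,14,2,6], ...
        "pos_1_0": new_position(1, 0),        # slide 16: (1,0) -> (1,3)
        "round_trip_ok": (from_state(state) == SAMPLE_BLOCK
                          and inv_shift_rows(shifted) == state),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the byte values equal to their indices, the printed state makes the column-major fill of slide 6 visible, and the shifted rows show that row $i$ is rotated $C_i$ positions to the left.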

  17. MixColumns
     ◮ It is a bricklayer function, i.e., it can be decomposed into a number of Boolean functions operating independently on subsets of bits of the input
     ◮ View a (4 byte) column of the state as a polynomial over GF($2^8$)
       ➥ Such polynomials $a(x)$ have degree less than 4 and coefficients between 0 and 255
     ◮ $l(x) = x^4 + 1$ is used as the reduction polynomial in multiplications
     ◮ $l(x)$ is reducible over GF($2^8$) since $x^4 + 1 = (x + 1)^4$
       ➥ Not all $a(x)$ have inverses ($a(x)$ has one if $l(x)$ does not divide it)

  18. MixColumns (cont’d)
     ◮ Multiply each $a(x)$ modulo $l(x)$ with a fixed polynomial $c(x)$
     ◮ Fixed polynomial $c(x) = 03 \cdot x^3 + 01 \cdot x^2 + 01 \cdot x + 02$ (coefficients are bytes, written in hex)
       ➥ $c(x)$ is invertible because $c(x)$ is coprime to $l(x)$
     ◮ $b(x) = (c(x) \cdot a(x)) \bmod l(x)$
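The following Python is an added example, not part of the slides, that carries out the MixColumns computation of slides 17 and 18 literally: a column is a polynomial $a(x)$ over GF($2^8$), and $b(x) = (c(x) \cdot a(x)) \bmod l(x)$ with $l(x) = x^4 + 1$. Two things on the slides are verified in code: that $c(x)$ is a unit modulo $l(x)$, and that, because $l(x) = (x+1)^4$ is reducible, a polynomial such as $x + 1$ is a zero divisor and so has no inverse. Two values are not on the slides and are taken from FIPS-197: the test column $(d4, bf, 5d, 30)$ and the inverse polynomial $d(x) = 0b \cdot x^3 + 0d \cdot x^2 + 09 \cdot x + 0e$, used here only to check invertibility. Function names are this example's own.

```python
# Added example (not from the slides): MixColumns as polynomial multiplication
# modulo l(x) = x^4 + 1 over GF(2^8), following slides 17 and 18.

M_POLY = 0x11B  # m(x) of slide 13, used for coefficient (byte) multiplication


def gmul(a: int, b: int) -> int:
    """Coefficient arithmetic: multiply two bytes in GF(2^8) modulo m(x)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= M_POLY
    return p


# Polynomials of degree < 4 over GF(2^8) are 4-tuples (a_0, a_1, a_2, a_3), a_i = coefficient of x^i.
C_POLY = (0x02, 0x01, 0x01, 0x03)  # c(x) = 03 x^3 + 01 x^2 + 01 x + 02 (slide 18)
D_POLY = (0x0E, 0x09, 0x0D, 0x0B)  # d(x) from FIPS-197 (not on the slides), expected c(x)^-1


def poly_mul_mod(a: tuple, b: tuple) -> tuple:
    """(a(x) * b(x)) mod l(x). Since x^4 = 1 modulo l(x) = x^4 + 1, the exponent of
    every partial product simply wraps around modulo 4; coefficients add by XOR."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gmul(a[i], b[j])
    return tuple(out)


def mix_column(col: tuple) -> tuple:
    """Slide 18: b(x) = (c(x) * a(x)) mod l(x) for one column a = (a_0, a_1, a_2, a_3)."""
    return poly_mul_mod(C_POLY, col)


def inv_mix_column(col: tuple) -> tuple:
    """Multiplication by d(x) undoes mix_column (valid once c(x) * d(x) = 1 is confirmed)."""
    return poly_mul_mod(D_POLY, col)


def mix_columns(state: list) -> list:
    """Bricklayer view (slide 17): each of the N_b columns of the 4 x N_b state is
    transformed independently of the others."""
    nb = len(state[0])
    cols = [mix_column(tuple(state[i][j] for i in range(4))) for j in range(nb)]
    return [[cols[j][i] for j in range(nb)] for i in range(4)]


def zero_divisor_witness() -> tuple:
    """Slide 17: l(x) = (x + 1)^4 is reducible, so not every a(x) is invertible.
    a(x) = x + 1 shares the factor (x + 1) with l(x) and is a zero divisor:
    (x + 1)(x^3 + x^2 + x + 1) = x^4 + 1 = 0 modulo l(x)."""
    return poly_mul_mod((0x01, 0x01, 0x00, 0x00), (0x01, 0x01, 0x01, 0x01))


def mix_checks() -> dict:
    sample = (0xD4, 0xBF, 0x5D, 0x30)  # MixColumns example column from FIPS-197 (not on the slides)
    mixed = mix_column(sample)
    return {
        "mixed": mixed,                                   # (04, 66, 81, e5)
        "c_times_d": poly_mul_mod(C_POLY, D_POLY),        # (01, 00, 00, 00): c(x) is a unit
        "round_trip_ok": inv_mix_column(mixed) == sample,
        "zero_divisor_product": zero_divisor_witness(),   # (00, 00, 00, 00): x + 1 has no inverse
    }


if __name__ == "__main__":
    for name, value in mix_checks().items():
        print(name, [hex(v) for v in value] if isinstance(value, tuple) else value)
```

The wrap-around `(i + j) % 4` is the whole effect of reducing modulo $x^4 + 1$; the familiar $4 \times 4$ matrix form of MixColumns is just this product written out with the coefficients of $c(x)$ arranged cyclically.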
