Outline Arithmetic on Bytes and 4-Byte Vectors 1 CPSC 418/MATH 318 Introduction to Cryptography The Rijndael Algorithm 2 Advanced Encryption Standard, Brute Force Attacks on Block Ciphers Overview Description of the Algorithm Renate Scheidler AES Key Schedule and Decryption 3 Key Schedule Department of Mathematics & Statistics Decryption Department of Computer Science University of Calgary Strengths and Weaknesses of Rijndael 4 Week 4 Exhaustive Attacks on Block Ciphers 5 Simple Exhaustive Key Search Meet-in-the-Middle (Double Encryption) Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 1 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 2 / 34 Arithmetic on Bytes and 4-Byte Vectors Arithmetic on Bytes and 4-Byte Vectors Arithmetic on Bytes Addition of Bytes in Rijndael Consider a byte b = ( b 7 , b 6 , . . . , b 1 , b 0 ) (an 8-bit vector) as a polynomial with coefficients in { 0 , 1 } : Polynomial addition by taking X-OR of coefficients. b �→ b ( x ) = b 7 x 7 + b 6 x 6 + · · · + b 1 x + b 0 . b 7 x 7 b 6 x 6 + + · · · + b 1 x + b 0 c 7 x 7 c 6 x 6 + + + · · · + + c 1 x c 0 Rijndael makes use of the following operations on bytes, interpreting them ( b 7 ⊕ c 7 ) x 7 ( b 6 ⊕ c 6 ) x 6 as polynomials: + + · · · + ( b 1 ⊕ c 1 ) x + ( b 0 ⊕ c 0 ) 1 Addition The sum of two polynomials taken in this manner yields another 2 Modular multiplication polynomial of degree ≤ 7 . 3 Inversion In other words, component-wise X-OR of bytes is identified with this Under these operations, polynomials of degree ≤ 7 with coefficients in addition operation on polynomials. { 0 , 1 } form the field GF (2 8 ). By associating bytes with these polynomials, we obtain these operations on bytes. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 3 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 4 / 34
Arithmetic on Bytes and 4-Byte Vectors Arithmetic on Bytes and 4-Byte Vectors Modular Multiplication in Rijndael Inversion of Bytes in Rijndael Polynomial multiplication (coefficients are in { 0 , 1 } ) modulo b ( x ) − 1 , the inverse of b ( x ) = b 7 x 7 + b 6 x 6 + · · · + b 1 x + b 0 , is the m ( x ) = x 8 + x 4 + x 3 + x + 1 polynomial of degree ≤ 7 with coefficients in { 0 , 1 } such that (remainder when dividing by m ( x ), analogous to modulo arithmetic with b ( x ) b ( x ) − 1 ≡ 1 (mod m ( x )) . integers). Note that this is completely analogous to the case of integer arithmetic The remainder when dividing by a degree 8 polynomial will have degree modulo n . ≤ 7 . Thus, the “product” of two bytes is associated with the product of their polynomial equivalents modulo m ( x ) . The “inverse” of the byte b = ( b 7 , b 6 , . . . , b 1 , b 0 ) is the byte associated with the inverse of b ( x ) = b 7 x 7 + b 6 x 6 + · · · + b 1 x + b 0 . Note 1 m ( x ) is the lexicographically first polynomial that is irreducible over Rijndael uses inverse as above in its SubByte operation. GF (2), i.e. does not split into two polynomials of smaller positive degree with coefficients in { 0 , 1 } . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 5 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 6 / 34 Arithmetic on Bytes and 4-Byte Vectors Arithmetic on Bytes and 4-Byte Vectors Arithmetic on 4-byte Vectors Operations on 4-byte Vectors We have the following operations on these polynomials: 1 addition: component-wise “addition” of coefficients (addition as In Rijndael’s MixColumn operation, 4-byte vectors are considered as degree 3 polynomials with coefficients in GF (2 8 ) . That is, the 4-byte described above) vector ( a 3 , a 2 , a 1 , a 0 ) is associated with the polynomial 2 multiplication: polynomial multiplication (addition and multiplication of coefficients as described above) modulo M ( y ) = y 4 + 1 . Result is a a ( y ) = a 3 y 3 + a 2 y 2 + a 1 y + a 0 , degree 3 polynomial with coefficients in GF (2 8 ) . where each coefficient is a byte viewed as an element of GF (2 8 ) (addition, multiplication, and inversion of the coefficients is performed as described Note 2 above). Using M ( y ) = y 4 + 1 makes for very efficient arithmetic (simple circular shifts) Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 7 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 8 / 34
SubByte s AddRoundKey MixColumn s ShiftRow s Arithmetic on Bytes and 4-Byte Vectors The Rijndael Algorithm Overview Examples for Rijndael Arithmetic Rijndael Properties Example 1 Designed for block sizes and key lengths to be any multiple of 32 , Let b 1 = (10001110) and b 2 = (00001101) be bytes. Compute including those specified in the AES. b 3 = b 1 + b 2 and b 4 = b 1 b 2 in the Rijndael field GF(2 8 ). Iterated cipher: number of rounds N r depends on the key length. 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for Example 2 256-bit keys. Let Algorithm operates on a 4 × 4 array of bytes (8 bit vectors) called the a 1 = (00000001 , 00000000 , 10001110 , 00000010) and state : a 2 = (00000000 , 00000001 , 00001101 , 00000000) s 0 , 0 s 0 , 1 s 0 , 2 s 0 , 3 s 1 , 0 s 1 , 1 s 1 , 2 s 1 , 3 be vectors whose entries are bytes in the Rijndael field GF(2 8 ). Compute s 2 , 0 s 2 , 1 s 2 , 2 s 2 , 3 a 3 = a 1 + a 2 and a 4 = a 1 a 2 using Rijndael’s arithmetic on 4-byte vectors. s 3 , 0 s 3 , 1 s 3 , 2 s 3 , 3 See the Rijndael arithmetic examples handout on the “handouts” page. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 9 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 10 / 34 The Rijndael Algorithm Overview The Rijndael Algorithm Overview AES Initialization AES Overview The Rijndael algorithm (given plaintext M ) proceeds as follows: 1 Initialize State with M : s 0 , 0 s 0 , 1 s 0 , 2 s 0 , 3 m 0 m 4 m 8 m 12 s 1 , 0 s 1 , 1 s 1 , 2 s 1 , 3 m 1 m 5 m 9 m 13 ← s 2 , 0 s 2 , 1 s 2 , 2 s 2 , 3 m 2 m 6 m 10 m 14 s 3 , 0 s 3 , 1 s 3 , 2 s 3 , 3 m 3 m 7 m 11 m 15 where M consists of the 16 bytes m 0 , m 1 , . . . , m 15 . Graphic taken with modifications from the cover of NIST GCR 18-017 “The Economic Impacts of the Advanced Encryption Standard, 1996-2017” (NIST, September 2018) Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 11 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 12 / 34
The Rijndael Algorithm Overview The Rijndael Algorithm Description of the Algorithm AES Algorithm The SubBytes Operation Each byte of State is substituted independently, using an invertible S-box On input the State whose columns are the 16 message bytes: (see p. 16 of FIPS 197 for the exact S-Box). 2 Perform AddRoundKey , which X-OR’s the first RoundKey with State . Algebraically, SubBytes performs on each byte: 3 For each of the first N r − 1 rounds: an inversion as described above (the inverse of the zero byte is Perform SubBytes on State (using an S-box on each byte of State ), defined to be zero here), followed by Perform ShiftRows (a permutation) on State , an affine transformation, i.e. a linear transformation (like in linear Perform MixColumns (a linear transformation) on State , algebra) followed by the addition of a fixed vector. More exactly, the Perform AddRoundKey . 4 For the last round: i -th bit of the output byte is Perform SubBytes , b ′ i = b i ⊕ b i +4 mod 8 ⊕ b i +5 mod 8 ⊕ b i +6 mod 8 ⊕ b i +7 mod 8 ⊕ c i Perform ShiftRows , Perform AddRoundKey . where b i is the i -th input bit and c i is the i th -th bit of 5 Define the ciphertext C to be State (using the same byte ordering). c = (11000110) . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 13 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 14 / 34 The Rijndael Algorithm Description of the Algorithm The Rijndael Algorithm Description of the Algorithm Inverse of SubBytes The ShiftRows Operation Shifts the first, second, third, and last rows of State by 0 , 1 , 2 , or 3 cells to the left, respectively: The inverse of SubBytes (called InvSubBytes ) applies the inverse S-box to each byte in the State (see p. 22 of FIPS 197 for the inverse of s 0 , 0 s 0 , 1 s 0 , 2 s 0 , 3 s 0 , 0 s 0 , 1 s 0 , 2 s 0 , 3 the S-Box). s 1 , 0 s 1 , 1 s 1 , 2 s 1 , 3 s 1 , 1 s 1 , 2 s 1 , 3 s 1 , 0 ← s 2 , 0 s 2 , 1 s 2 , 2 s 2 , 3 s 2 , 2 s 2 , 3 s 2 , 0 s 2 , 1 Algebraically, you first apply the inverse affine transformation to each bit s 3 , 0 s 3 , 1 s 3 , 2 s 3 , 3 s 3 , 3 s 3 , 0 s 3 , 1 s 3 , 2 and then byte inversion. The inverse operation InvShiftRows applies right shifts instead of left shifts. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 15 / 34 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 4 16 / 34
Recommend
More recommend