ADVANCED ENCRYPTION STANDARD (AES) Tran Song Dat Phuc Department of Computer Science and Engineering Seoul National University of Science and Technology 2013-2014
ADVANCED ENCRYPTION STANDARD
(AES)
Tran Song Dat Phuc
Department of Computer Science and Engineering
Seoul National University of Science and Technology
2013-2014
Outline
AES History
AES Operations
Advanced Encryption Standard (AES)
AES Implementation
Security of AES
Summary
AES
History:
- A replacement of DES was needed
-> key size to small
- Triple-DES is a solution, but slow and small block
- AES Competition started in 1997 by NIST:
. Single block cipher
. Available royalty-free worldwide
. Have a public and flexible design
. 128-bits block data
. 128/192/256-bits key (based on round numbers)
AES
- Rijndael design was selected as AES Cipher in 2000
. Design by Vincent Rijmen and Joan Daemen
. Issued as FIPS PUB 197 standard in 2001
. Simplicity
. Support 128-bits block, 128/192/256-bits key
. Resistant against known attack
. Speed and code compactness on many CPU’s
AES Operations
In AES, all operations are performed on 8-bit bytes,
so it operates on the finite field GF(28), which can
be presented as a polynomial b(x) with binary
coefficient b {0,1}:
b7x7 + b6x
6 + b5x5 + b4x
4 + b3x3 + b2x
2 + b1x + b0
Addition of two bytes in AES is defined as the
bitwise XOR operation.
AES Operations
Multiplication in AES is defined as multiplication
in the finite field GF(28) of with the irreducible
polynomial of degree 8.
AES irreducible polynomial:
m(x) = x8 + x4 + x3 + x + 1
AES (Advance Encryption Standard)
AES is a symmetric block cipher.
- The same key is used to encrypt and decrypt
the message (128/192/256-bits key)
- The plaintext and cipher-text are the same size
(128-bits block)
AES Block AES has a block size of 128-bits(16bytes) called state
AES Key
AES Key
AES Multiple Rounds
First and last round are different
AES Round Stage
AES Structure
AES Encryption With 128-bits (16bytes), AES views data block as
4-by-4 table of bytes.
AddRoundKey Transformation At each round, the state array is combined with a
similarly sized array of subkey material.
AddRoundKey Transformation
Key Expansion
Use to create round key for each round.
If the number of round is , the key-expansion creates
Nr +1 128-bit round keys from one single 128-bit
cipher key.
The key expansion creates round keys word by word,
where a word is an array of four bytes (4 x Nr +1)
w0, w1, w2, … , w4(Nr +1) - 1
with 128-bits key (10 rounds, 44 words, ), 192-bits key
(12 rounds, 52 words) and 256-bits key (14 rounds, 60
words).
Key Expansion
Round Words
Pre-round w0 w1 w2 w3
1 w4 w5 w6 w7
2 w8 w9 w10 w11
… …
Nr w4Nr w4Nr+1 w4Nr+2 w4Nr+3
Key Expansion
Key Expansion
Key Expansion
Round Constant ( RCon )
1 (01 00 00 00)16
2 (02 00 00 00)16
3 (04 00 00 00)16
4 (08 00 00 00)16
5 (10 00 00 00)16
6 (20 00 00 00)16
7 (40 00 00 00)16
8 (80 00 00 00)16
9 (1B 00 00 00)16
10 (36 00 00 00)16
RCon Constants
Key Expansion
Key Expansion
Round Value of t First word Second word Third word Fourth word
__ W00 = 2475A2B3 W01 = 34755688 W02 = 31E21200 W03 = 13AA5487
1 AD20177D W04 = 8955B5CE W05 = BD20E346
W06 = 8CC2F146
W07 = 9F68A5C1
2 470678DB W08 = CE53CD15 W09 = 73732E53 W10 = FFB1DF15 W11 = 60D97AD4
… … … … … …
9 0A5E4F61 W36 = E43FE3BF W37 = 0EC1FCF4 W38 = 21A35A12 W39 = F940C780
10 3FC6CD99 W40 = DBF92E26 W041 = D538D2D2 W42 = F49B88C0 W43 = 0DDB4F40
Key Expansion
SubBytes Transformation Each byte of the array transformed by the S-box, provide
confusion for cipher.
This takes 8-bits input and returns 8-bits output.
Only one S-box(16x16 bytes) is used throughout AES
cipher, contains a permutation of all 256 8-bits values.
SubBytes Transformation
SubBytes Transformation
SubBytes Transformation using the S-Boxes Table :
State AddRoundKey
SubBytes Transformation
SubBytes Transformation using the GF(28) Field :
- AES defines the transformation algebraically using the
GF(28) field with the irreducible polynomials :
(x8 + x4 + x3 + x + 1) as the modulus.
- The multiplicative inverse of byte (as an 8-bit binary
string) is found in GF(28).
- The inverted byte is interpreted as a column matrix
with the least bit at the top and the most bit at the
bottom.
- This column matrix is multiplied by a constant square
matrix, X, and the result is added with a constant
column matrix, Y, to give a new byte.
SubBytes Transformation
SubBytes Process
SubBytes Transformation Ex: with byte 53 is transformed by SubBytes routine
- 53 in binary is 0101 0011, can be denoted in the finite field
GF(28) as polynomial : x6 + x4 + x + 1
- Multiplicative inverse of a byte in GF(28) with polynomial :
x8 + x4 + x3 + x + 1 as modulus
- Multiplicative inverse algorithm:
remainder[1] := f(x) auxiliary[1] := 0
remainder[2] := a(x) auxiliary[2] := 1
i := 2
while remainder[i] > 1
i := i + 1 remainder[i] := remainder(remainder[i-2] / remainder[i-1])
quotient[i] := quotient(remainder[i-2] / remainder[i-1])
auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2]
inverse := auxiliary[i]
SubBytes Transformation
- The multiplicative inverse of byte 53 is CA.
x7 + x6 + x3 + x = 1100 1010 (CA in Hex)
i Remainder[i] Quotient[i] Auxiliary[i]
1 x8 + x4 + x3 + x + 1 0
2 x6 + x4 + x + 1 1
3 x2 x2 + 1 x2 + 1
4 x + 1 x4 + x2 x6 + x4 + x4 + x2 + 1
5 1 x + 1 x7 + x6 + x3 + x2 + x2 + x + 1 + 1
6 0 x + 1
SubBytes Transformation
- Multiply the inverted byte with the matrix X.
- An easier way to view the matrix multiplication is as
polynomial multiplication.
Row 1 = 1000 1111 = N0 + N4 + N5 + N6 + N7 0 + 0 + 0 + 1 + 1 = 0
Row 2 = 1100 0111 = N0 + N1 + N5 + N6 + N7 0 + 1 + 0 + 1 + 1 = 1
Row 3 = 1110 0011 = N0 + N1 + N2 + N6 + N7 0 + 1 + 0 + 1 + 1 = 1
Row 4 = 1111 0001 = N0 + N1 + N2 + N3 + N7 0 + 1 + 0 + 1 + 1 = 1
Row 5 = 1111 1000 = N0 + N1 + N2 + N3 + N4 0 + 1 + 0 + 1 + 0 = 0
Row 6 = 0111 1100 = N1 + N2 + N3 + N4 + N5 1 + 0 + 1 + 0 + 0 = 0
Row 7 = 0011 1110 = N2 + N3 + N4 + N5 + N6 0 + 1 + 0 + 0 + 1 = 0
Row 8 = 0001 1111 = N3 + N4 + N5 + N6 + N7 1 + 0 + 0 + 1 + 1 = 1
- The result of multiplication is the vector : 0111 0001.
SubBytes Transformation
ShiftRows Transformation
ShiftRows Transformation
Before After
MixColumns Transformation
ShiftRows and MixColumns provide confusion for cipher.
Each column of the array is mixed together.
Each byte is replaced by a value dependent on all 4 bytes
of column.
MixColumns Transformation
MixColumns Transformation
MixColumns Transformation
MixColumns Transformation
MixColumns Transformation
. {02 . 63} :
02 = 0000 0010 (in Binary), be denoted in GF(28) as the
polynomial : x
63 = 0110 0011 (in Binary), in GF(28) as the polynomial :
x6 + x5 + x + 1
{02 . 63} = x(x6 + x5 + x + 1) = x7 + x6 + x2 + x
. {03 . F2} :
03 = 0000 0011 = x + 1
F2 = 1111 0010 = x7 + x6 + x5 + x4 + x
{03 . F2} = (x + 1)(x7 + x6 + x5 + x4 + x)
= x8 + x7 + x6 + x5 + x2 + x7 + x6 + x5 + x4 + x
= (x8 + x4 + x2 + x) mod (x8 + x4 + x3 + x + 1)
MixColumns Transformation
x8 + x4 + x2 + x x8 + x4 + x3 + x + 1
x8 + x4 + x3 + x + 1 1
x3 + x2 + 1
{03 . F2} = x3 + x2 + 1
. {01 . 7D} = x6 + x5 + x4 + x3 + x2 + 1
. {01 . D4} = x7 + x6 + x4 + x2
. P0 = {02 . 63} + {03 . F2} + {01 . 7D} + {01 . D4}
= x7 + x6 + x2 + x + x3 + x2 + 1
+ x6 + x5 + x4 + x3 + x2 + 1 + x7 + x6 + x4 + x2
= x6 + x5 + x = 0110 0010 = 62 (in Hex)
MixColumns Transformation
MixColumns Transformation
MixColumns Transformation
MixColumns Transformation
Decryption with AES Decryption do operations similar to encryption process, in
reverse order.
Use InvSubBytes, InvShiftRows, InvMixColumns replace to
SubBytes, ShiftRows and MixColumns.
Decryption with AES S-box S-1[.] of InvSubBytes.
Decryption with AES
InvSubBytes Process
Decryption with AES
Matrix M-1 of InvMixColumns.
M-1 =
0E 0B 0D 0909 0E 0B 0D0D 09 0E 0B0B 0D 09 0E
AES Implementation
AES Implementation
AES Implementation
The Avalanche Effect:
- A change in one bit of either the plaintext or the
key should produce a change in many bits of the
ciphertext.
AES Implementation
AES Implementation
AES Security AES was designed after DES. Most of the known
attacks on DES were already tested on AES.
Brute-Force Attack:
- AES is definitely more secure than DES due to the
larger-size key.
Statistical Attacks:
- Numerous tests have failed to do statistical analysis
of the cipher-text.
Differential and Linear Attacks:
- There are no differential and linear attacks on AES as
yet.
AES Security
Differential Cryptanalysis:
- Study of how differences in input affect differences in
output.
- Can greatly reduced due to high number of rounds.
Linear Cryptanalysis:
- Study of correlations between input and output.
- S-Box and MixColumns are designed to frustrate
Linear Analysis.
Summary
The Advanced Encryption Standard (AES) is a
symmetric-key block cipher published in 2000.
AES was given to improve DES weaknesses as
well as create stronger block cipher design.
AES uses 128-bits length as input, with 128, 192,
256-bits key size to produce 128-bits output.
AES showed its advantage to secure against most
known attacks (brute-force, statistical, differential
and linear cryptanalysis).