Classical & Contemporary Cryptology
AES

Advanced Encryption Standard
Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard. The requirements were:
– A symmetric block cipher with a variable-length key (128, 192, or 256 bits) and a 128-bit block
– It must be more secure than TripleDES
– It must be in the public domain, royalty-free worldwide
– It should remain secure for at least 30 years
Fifteen algorithms were submitted from ten different countries.
Submitted Algorithms
Australia
– LOKI97
Belgium
– RIJNDAEL
Canada
– CAST-256
– DEAL
Costa Rica
– FROG
France
– DFC
Germany
– MAGENTA
Japan
– E2
Korea
– CRYPTON
USA
– HPC
– MARS
– RC6
– SAFER+
– TWOFISH
UK, Israel, Norway
– SERPENT
Selection Process
NIST relied on public participation:
– algorithm proposals
– cryptanalysis
– efficiency testing
AES Timetable
– Round 1: Aug. 20 - April 15, 1999
– Submit papers for 2nd AES conference: Feb 1, 1999
– Second AES conference: March 22-23, 1999
– Announcement of (about) five finalists
– Round 2 analysis of finalists: 6-9 months
– Third AES Conference
– Selection of AES Algorithm
AES Finalists
MARS (IBM)
RC6 (Rivest et al.)
Rijndael (top Belgian cryptographers)
Serpent (Anderson, Biham, Knudsen)
Twofish (Schneier et al.)
And the winner was . . . Rijndael, pronounced “rain-doll”
Introduction to Rijndael
One of the fastest and strongest algorithms
– Variable block length: 128, 192, 256 bits
– Variable key length: 128, 192, 256 bits
– Variable number of rounds (iterations): 10, 12, 14
– The number of rounds depends on the key/block length
Rijndael Structure
The general structure of Rijndael is shown below
– Rather than using just a substitution and a permutation at each stage like DES, Rijndael consists of multiple cycles of Substitution, Shifting, Column mixing and a KeyAdd operation.
[Figure: Plaintext block → KeyAdd (subkey) → round of Substitution, ShiftRow, MixColumn, KeyAdd (subkey) → "Final round?" (no: repeat the round; yes: a last round of Substitution, ShiftRow, KeyAdd (subkey) with no MixColumn) → Ciphertext block]
Initial Step
The process begins by grouping the plaintext bits into a column array by bytes.
– The first four bytes form the first column; the second four bytes form the second column, and so on.
– If the block size is 128 bits then this becomes a 4x4 array. For larger block sizes the array has additional columns.
– The key is also grouped into an array using the same process.
Plaintext bytes in order: a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3
Resulting column array (row index first, column index second):
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
Substitution
The substitution layer uses a single S-box (rather than the 8 S-boxes used in DES). The Rijndael S-box is a 16 x 16 array.
– Each element in the current column array serves as an address into the S-box, where the first four bits identify the S-box row and the last 4 bits identify the S-box column.
– The S-box element at that location replaces the current column array element.
[Figure: the array of bytes a0,0 ... a3,3 passes through the SBox element by element to give the array b0,0 ... b3,3; for example a1,2 → SBox → b1,2]
Row Shift Operation
A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left.
– The first row is shifted by 0, the second by 1, the third by 2, and the fourth by 3
Before the shift:
b0,0 b0,1 b0,2 b0,3   (No shift)
b1,0 b1,1 b1,2 b1,3   (Shift 1)
b2,0 b2,1 b2,2 b2,3   (Shift 2)
b3,0 b3,1 b3,2 b3,3   (Shift 3)
After the shift:
b0,0 b0,1 b0,2 b0,3
b1,1 b1,2 b1,3 b1,0
b2,2 b2,3 b2,0 b2,1
b3,3 b3,0 b3,1 b3,2
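As an added example (not code from the slides), the column-major state array of the Initial Step and the row shift above in Python; the function names are my own, and shifted_position shows which byte position of the block each byte moves to:

```python
# Added example: the Initial Step's column-major state array and the ShiftRow step
# (row r rotated left by r), plus the inverse rotation used when decrypting.

def bytes_to_state(block: bytes) -> list:
    """Group 16 bytes into state[row][col]: bytes 0..3 form column 0, 4..7 column 1, ..."""
    return [[block[4 * c + r] for c in range(4)] for r in range(4)]

def state_to_bytes(state: list) -> bytes:
    """Inverse of bytes_to_state: read the array out column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state: list) -> list:
    """Row 0 unchanged, row 1 rotated left by 1, row 2 by 2, row 3 by 3."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state: list) -> list:
    """Rotate row r right by r (left by 4 - r), undoing shift_rows."""
    return [row[(4 - r) % 4:] + row[:(4 - r) % 4] for r, row in enumerate(state)]

def shifted_position(i: int) -> int:
    """Where byte i of the block (row i % 4, column i // 4) lands after ShiftRow."""
    r, c = i % 4, i // 4
    return 4 * ((c - r) % 4) + r
```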
Matrix Multiply
Column mixing is accomplished by a matrix multiplication operation.
– The shifted column array is multiplied by a fixed matrix
[Figure: the shifted array b (columns b0,0 b1,1 b2,2 b3,3 / b0,1 b1,2 b2,3 b3,0 / b0,2 b1,3 b2,0 b3,1 / b0,3 b1,0 b2,1 b3,2) → MatrixMultiply → the mixed array c with the same positions; each column is transformed independently, e.g. (b0,2, b1,3, b2,0, b3,1) → (c0,2, c1,3, c2,0, c3,1)]
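Added example (not the slides' own code) of the column mixing as a matrix multiply over GF(2^8). The fixed matrix, its inverse for decryption, and the reduction polynomial are taken from FIPS-197, not from the slides, and the function names are my own:

```python
# Added example: MixColumn as multiplication of each column by the fixed matrix
# over GF(2^8) (constants from FIPS-197, not from the slides), plus its inverse.

def xtime(a: int) -> int:
    """Multiply a byte by x (0x02) in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul_const(a: int, k: int) -> int:
    """a * k for a small constant k: XOR the doublings a, 2a, 4a, 8a selected by k's bits."""
    doublings = [a]
    for _ in range(3):
        doublings.append(xtime(doublings[-1]))
    out = 0
    for bit, d in enumerate(doublings):
        if (k >> bit) & 1:
            out ^= d
    return out

# Encryption matrix (the slide's "fixed matrix") and the decryption matrix that undoes it.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col: list, matrix: list = MIX) -> list:
    """c[r] = matrix[r][0]*b[0] + ... + matrix[r][3]*b[3], where + is XOR in GF(2^8)."""
    out = []
    for row in matrix:
        v = 0
        for m, b in zip(row, col):
            v ^= gf_mul_const(b, m)
        out.append(v)
    return out

def mix_columns(state: list, matrix: list = MIX) -> list:
    """Mix every column of a 4x4 state stored as state[row][col]; columns are independent."""
    cols = [[state[r][c] for r in range(4)] for c in range(4)]
    mixed = [mix_column(col, matrix) for col in cols]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]

# Constructed check: the widely published column db 13 53 45 mixes to 8e 4d a1 bc.
SAMPLE_COLUMN = [0xDB, 0x13, 0x53, 0x45]
```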
Key Add
The final operation adds a subkey derived from the original key to the column array
– This completes one round of AES
[Figure: the mixed array c (c0,0 ... c3,3) XOR the round-key array k (k0,0 ... k3,3) → the array d (d0,0 ... d3,3)]
This is repeated 9 more times
Key Schedule
The key is grouped into a column array and then expanded by adding 40 new columns.
– If the first four columns (given by the key) are C(0), C(1), C(2) and C(3) then the new columns are generated in a recursive manner.
If i is not a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR C(i-1)
If i is a multiple of 4 then column i is determined by: C(i) = C(i-4) XOR T(C(i-1))
– Where T(C(i-1)) is a transformation of C(i-1) implemented as:
1. Cyclically shift the elements of C(i-1) by one byte
2. Use each of these 4 bytes as input into the S-box to create four new bytes e, f, g, h.
3. Calculate a round constant r(i) = 2^((i-4)/4)
4. Create the transformed column as: (e XOR r(i), f, g, h)
The round key for the ith round consists of the columns C(4i), C(4i+1), C(4i+2), C(4i+3).
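Added example (not the slides' own code) serving both the Substitution slide and the key schedule above: the S-box is built from the FIPS-197 definition (multiplicative inverse in GF(2^8) modulo x^8+x^4+x^3+x+1, then the fixed affine map with constant 0x63), which is an assumption since the slides present the S-box only as a table, and the key expansion follows the slide's C(i), T() and r(i) rules for a 128-bit key, with the power in r(i) taken in GF(2^8). The FIPS-197 Appendix A.1 key is used as a check; function names are my own.

```python
# Added example: the Rijndael S-box derived from GF(2^8) arithmetic, then the
# AES-128 key schedule in the slide's C(i), T() and r(i) notation. The S-box
# construction (inverse mod x^8+x^4+x^3+x+1, then affine map with 0x63) is FIPS-197's.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8), reducing by 0x11B on every overflow."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """a^254 = a^-1 for a != 0; gives 0 for a = 0, which is what AES specifies."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def make_sbox() -> list:
    """S(x) = affine(inv(x)). Read as 16 rows of 16: high nibble = row, low nibble = column."""
    box = []
    for x in range(256):
        v = gf_inv(x)
        rl = lambda n: ((v << n) | (v >> (8 - n))) & 0xFF   # rotate v left by n bits
        box.append(v ^ rl(1) ^ rl(2) ^ rl(3) ^ rl(4) ^ 0x63)
    return box

def rcon(i: int) -> int:
    """Round constant r(i) = 2^((i-4)/4), the power taken in GF(2^8), for i a multiple of 4."""
    r = 1
    for _ in range((i - 4) // 4):
        r = gf_mul(r, 2)
    return r

def expand_key(key: bytes, sbox: list) -> list:
    """Columns C(0)..C(43) for a 16-byte key; round key i is C(4i)..C(4i+3)."""
    cols = [list(key[4 * j:4 * j + 4]) for j in range(4)]       # C(0)..C(3) from the key
    for i in range(4, 44):
        t = cols[i - 1]                                         # C(i-1)
        if i % 4 == 0:                                          # T(C(i-1)):
            t = [sbox[b] for b in t[1:] + t[:1]]                # 1. rotate, 2. S-box -> e,f,g,h
            t[0] ^= rcon(i)                                     # 3.-4. (e XOR r(i), f, g, h)
        cols.append([x ^ y for x, y in zip(cols[i - 4], t)])    # C(i-4) XOR C(i-1) or T(...)
    return cols

# Constructed check: FIPS-197 Appendix A.1 key; its C(4) must come out as a0 fa fe 17.
AES128_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
```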
Key Generation Flow
For what it's worth:
[Figure: key expansion flow. W(i+3) passes through Rot, S-Box and an XOR with RCON; W(i+4) = W(i) XOR that result; then W(i+5) = W(i+1) XOR W(i+4), W(i+6) = W(i+2) XOR W(i+5), W(i+7) = W(i+3) XOR W(i+6)]