Crypto Aes

Jun 03, 2018

UkNir Amor
  • 8/12/2019 Crypto Aes

    1/15

    The Advanced Encryption Standard

    - see Susan Landau's paper: Communications security for the twenty-first century: the advanced encryption standard.

    In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS) began the process of choosing a replacement for DES, to be called the Advanced Encryption Standard (AES).

    At that time, triple-DES had become popular, but it was too slow and the 64-bit block length was too small. (Aside: recall that double-DES is not much harder to break by brute force than DES, using a meet-in-the-middle attack.)


    2/15

    AES Requirements

    The NIST solicited proposals from the international community.

    The requirements for the algorithms were as follows:

    The algorithm must implement private-key cryptography.

    The algorithm must be a block cipher.

    The algorithm must work on 128-bit blocks and support three key sizes: 128, 192, and 256 bits.

    If selected, the algorithm should be available world-wide on a royalty-free basis.


    3/15

    AES Requirements

    Evaluation criteria would be: security, cost, and algorithm and implementation characteristics.

    Submissions were due on June 15, 1998. Of the 21 submissions, 15 fulfilled the AES criteria.

    In August 1999, the NIST chose the following 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish.

    All finalists were felt to be secure. On October 2, 2000, Rijndael was selected as the AES. You can find short descriptions of the 5 finalists in Landau's paper, and judge for yourself.


    4/15

    Description of AES

    Recall that AES has block length 128, and three allowable key lengths: 128 bits, 192 bits, and 256 bits.

    AES is an iterated cipher. The number of rounds (N) depends on the key length: N = 10 for 128-bit keys, N = 12 for 192-bit keys, and N = 14 for 256-bit keys.

    Here is a high-level description of AES:

    1. Perform operation AddRoundKey, which XORs the round key with the state.

    2. For each of the N rounds:
       - perform operation ByteSub (a substitution using an S-box)
       - perform operation ShiftRow (a permutation)
       - perform operation MixColumn (unless it is the last round)
       - perform AddRoundKey.


    5/15

    State

    All operations in AES are byte-based. The state consists of 128 bits = 16 bytes, viewed as a 4x4 array of bytes.

    Initially, the 16 bytes of plaintext x0, ..., x15 are arranged as follows (each column holds four consecutive bytes):

        x15  x11  x7  x3
        x14  x10  x6  x2
        x13  x9   x5  x1
        x12  x8   x4  x0


    6/15

    ByteSub

    - operation performs a substitution on each byte
    - uses one S-box S that maps bytes to bytes (see page 155)
    - represented as a 16 x 16 array: for hexadecimal digits X and Y, S(XY) is at position (row X, column Y)

    In contrast to the DES S-boxes, the AES S-box can be defined algebraically. It was designed for resistance against linear and differential cryptanalysis, and it is invertible. The AES S-box incorporates operations in the finite field with 2^8 elements:

    GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1).


    7/15

    What ???

    A field is a set containing elements 0 and 1, where 0 ≠ 1, with two operations: multiplication and addition. Both operations are closed, commutative, and associative, and the distributive law holds. 0 is the additive identity, and 1 is the multiplicative identity. Every element has an additive inverse. Every non-zero element has a multiplicative inverse.

    Example fields?

    For every prime power p^k, there is exactly one field with p^k elements. This field is called GF(p^k) (Galois field).

    We will now see how to construct these fields.


    8/15

    Polynomials

    Z2[X] is the set of all polynomials with coefficients in Z2.

    Examples:

    Can we add/subtract/multiply elements of Z2[X]?

    Is there an additive identity?

    Is there a multiplicative identity?

    Can we divide with remainder?

    Divide X^4+X^3+1 by X^2+X+1,

    get quotient: and remainder:


    9/15

    Polynomials

    Z2[X] is the set of all polynomials with coefficients in Z2.

    Since X^4+X^3+1 divided by X^2+X+1 equals X^2+1 with remainder X, we can write

    X^4+X^3+1 ≡ X (mod X^2+X+1).

    It turns out that Z2[X] (mod X^2+X+1) is the finite field GF(4). The elements of the field are 0, 1, X, and X+1, and the operations are addition and multiplication modulo X^2+X+1.


    10/15

    Irreducible Polynomials

    You cannot just use any polynomial to get a field; you must use an irreducible polynomial.

    A polynomial F(X) in Z2[X] is irreducible if it doesn't factor into two polynomials of lower degree.

    Z2[X] (mod F(X)) is a field if and only if F(X) is irreducible.


    11/15

    Back to AES

    Recall ;-)

    GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1).

    Every byte corresponds to a field element and vice versa.


    12/15

    More about the S-box

    As mentioned previously, although the S-box is implemented as a lookup table (see Table 5.1), it has a simple mathematical description.

    View a byte as an element of GF(2^8). For example, view the byte 01010011 as the field element X^6+X^4+X+1.

    Now take the inverse of this field element in GF(2^8). In our example, this is X^7+X^6+X^3+X.

    How would you compute the inverse?


    13/15

    More about the S-box

    Computing the inverse of X^6+X^4+X+1 mod X^8+X^4+X^3+X+1:


    14/15

    More about the S-box

    S-box mapping of 01010011:
    - Compute the inverse of X^6+X^4+X+1, get X^7+X^6+X^3+X.
    - View this element as a bit vector, with the right-most bit in the top position. In our example, we get the vector (0,1,0,1,0,0,1,1).
    - Multiply this vector by the matrix on page 157, and add vector (1,1,0,0,0,1,1,0).
    - View the resulting vector as a byte (taking the top bit to be the rightmost bit).

    This is the output of the S-box. In our example, the output is 11101101, which we can verify with the S-box table.
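Added example (not from the slides or the book): Python code for the polynomial division of slide 9 and the inverse-plus-affine-map S-box derivation of slides 12 to 14. Polynomials over Z2 are encoded as ints with bit i as the coefficient of X^i, the inverse is computed with the extended Euclidean algorithm, and the page-157 matrix multiply is written in its equivalent form as the XOR of the inverse byte with its four cyclic left rotations (the standard AES affine map).

```python
# Added example: Z2[X] arithmetic and the AES S-box. A polynomial is an int
# whose bit i is the coefficient of X^i: X^4+X^3+1 is 0b11001, and 0x11B is
# X^8+X^4+X^3+X+1.

AES_MOD = 0x11B            # X^8 + X^4 + X^3 + X + 1, the AES field polynomial
AFFINE_CONST = 0x63        # vector (1,1,0,0,0,1,1,0) read with bit 0 first

def poly_divmod(a, b):
    """Divide a by b in Z2[X]; return (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, db = 0, b.bit_length() - 1          # db = degree of the divisor
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift                    # add X^shift to the quotient
        a ^= b << shift                    # subtract (= XOR) the shifted divisor
    return q, a

def poly_mulmod(a, b, mod):
    """Multiply a and b in Z2[X] (shift-and-XOR), then reduce modulo mod."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a, b = a << 1, b >> 1
    return poly_divmod(prod, mod)[1]

def poly_inv(a, mod):
    """Inverse of a modulo mod via the extended Euclidean algorithm in Z2[X]."""
    r0, r1 = mod, poly_divmod(a, mod)[1]
    t0, t1 = 0, 1                          # invariant: t_i * a == r_i (mod mod)
    while r1 != 1:                         # gcd != 1 drives r1 to 0, which raises
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mulmod(q, t1, mod)
    return t1

def aes_sbox(byte):
    """AES S-box: field inverse (0 maps to 0), then the affine map of slide 14."""
    inv = poly_inv(byte, AES_MOD) if byte else 0
    out = inv
    for i in range(1, 5):                  # matrix multiply == XOR of 4 rotations
        out ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return out ^ AFFINE_CONST

if __name__ == "__main__":
    print(poly_divmod(0b11001, 0b111))     # (0b101, 0b10): quotient X^2+1, remainder X
    print(hex(poly_inv(0x53, AES_MOD)))    # 0xca = X^7+X^6+X^3+X
    print(bin(aes_sbox(0b01010011)))       # 0b11101101, the slide's S-box output
```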


    15/15

    ShiftRow, MixColumn, Key Schedule

    The operation ShiftRow cyclically shifts the elements of the i-th row i elements to the left.

    The operation MixColumn replaces each column of the state by a new column. This operation uses polynomials over GF(2^8).

    Key Schedule

    The book describes the key schedule for 10-round AES, which uses a 128-bit key. We need 11 round keys, each of which consists of 16 bytes. The key schedule is word oriented. The concatenation of the 11 round keys is called the expanded key, and consists of 44 words.

    You can find the exact algorithm on page 156/157.