Announcements: Quiz grades entered. Homework 4 updated with more details.

Date posted: 19-Dec-2015
Transcript

Announcements: Quiz grades entered. Homework 4 updated with more details. Discussion forum is picking up traffic.

Today: Prep. for Rijndael and Discrete Logs: GF(2^8). Rijndael.

Questions?

DTTF/NB479: Dszquphsbqiz, Day 18

Rijndael

A.k.a. AES (Advanced Encryption Standard)

128-bit blocks

Encrypted using functions of a 128-bit key for 10 rounds. Versions exist for keys with 192 bits (12 rounds) and 256 bits (14 rounds).

The S-boxes, round keys, and MixColumn functions require the use of GF(2^8), so…

Fields (T&W, 3.11)

A field is a set of numbers with the following properties:
Addition, with identity (a + 0 = a) and inverse (a + (-a) = 0).
Multiplication, with identity (a * 1 = a) and inverse (a * a^-1 = 1 for all a != 0).
Subtraction and division (using the inverses).
Commutative, associative, and distributive properties.
Closure over all four operations.

Examples: The real numbers. GF(4) = {0, 1, ω, ω^2} with these additional laws: x + x = 0 for all x, and ω + 1 = ω^2. GF(p^n) for prime p is called a Galois Field.

Galois fields

For every prime p and every positive integer n, there is only one finite field with p^n elements.

The integers (mod p^n) aren't a field. (Why not?)

Another way to get GF(4) = GF(2^2): using polynomials. The technique extends to GF(2^8).

Finish discussion of Z_2[X].

Galois fields

If Z_p[X] is the set of polynomials with coefficients (mod p),

…and P(X) has degree n and is irreducible (mod p),

then GF(p^n) = Z_p[X] (mod P(X)) is a field with p^n elements.

Wasn't Z_2[X] (mod X^2 + X + 1) = GF(4)?

Consider GF(2^n) with P(X) = X^8 + X^4 + X^3 + X + 1 (so n = 8). Rijndael uses this!

Back to Rijndael/AES

Parallels with DES?
Multiple rounds (7 are enough to force brute force)
Diffusion
XOR with round keys
No MixColumn in the last round

Major differences
Not a Feistel system
Much quicker diffusion of bits (2 rounds)
Much stronger against linear cryptanalysis, differential cryptanalysis, and interpolation attacks

ByteSub (BS)

1. Write the 128-bit input a as a matrix with 16 byte entries (column-major ordering):

a_{0,0} a_{0,1} a_{0,2} a_{0,3}
a_{1,0} a_{1,1} a_{1,2} a_{1,3}
a_{2,0} a_{2,1} a_{2,2} a_{2,3}
a_{3,0} a_{3,1} a_{3,2} a_{3,3}

2. For each byte abcdefgh, replace it with the byte in location (abcd, efgh) of the S-box table.

Example: 00011111 → ___
Example: 11001011 → 31

3. The output is a matrix called b.

Why were these numbers chosen?

S-box Derivation

The S-box maps byte x to byte z via the function z = A x^-1 + b:

Input byte x: x7 x6 x5 x4 x3 x2 x1 x0

Compute the inverse in GF(2^8): y7 y6 y5 y4 y3 y2 y1 y0 (non-linear, vs. attacks) (use 0 as the inverse of 0)

Compute this linear function z in GF(2^8) (to complicate attacks; A is simple to implement). b is chosen so that z ≠ x and z ≠ x̄ (the bitwise complement of x) for every x.

ShiftRow (SR)

Shifts the entries of each row by an increasing offset (row r is rotated left by r positions). The output matrix c is:

b_{0,0} b_{0,1} b_{0,2} b_{0,3}
b_{1,1} b_{1,2} b_{1,3} b_{1,0}
b_{2,2} b_{2,3} b_{2,0} b_{2,1}
b_{3,3} b_{3,0} b_{3,1} b_{3,2}

Gives resistance to newer attacks (truncated differentials, Square attack).

MixColumn (MC)

Multiply (in GF(2^8)) by the fixed matrix shown: d = M · c, where c is the 4x4 matrix with entries c_{i,j} (the output of ShiftRow) and

M =
00000010 00000011 00000001 00000001
00000001 00000010 00000011 00000001
00000001 00000001 00000010 00000011
00000011 00000001 00000001 00000010

The output is a matrix called d.

Speed?

64 multiplications, each involving at most 1 shift + XOR.

Gives quick diffusion of bits.
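ShiftRow and MixColumn as an added example (written for this page, not code from the slides or from T&W): row r is rotated left by r bytes, and each column is multiplied by the fixed matrix using only the multiply-by-00000010 shift-and-XOR step the slide refers to. The state layout (a list of 4 rows) and the function names are my own; the check column d4 bf 5d 30 → 04 66 81 e5 is the round-1 value from FIPS-197 Appendix B.

```python
# Added example (not from the slides): ShiftRow and MixColumn on a 4x4 byte state.
# The state is a list of 4 rows; state[r][c] is the byte in row r, column c.
def xtime(b):
    """Multiply a byte by 00000010 in GF(2^8): one shift, then XOR with 0x1B
    (the low byte of X^8 + X^4 + X^3 + X + 1) if a bit was shifted out."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def mul3(b):
    """Multiply by 00000011 = 00000010 + 00000001: the shift+XOR above, then one more XOR."""
    return xtime(b) ^ b

def shift_row(state):
    """Row r is rotated left by r positions (row 1: b10 b11 b12 b13 -> b11 b12 b13 b10)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_column(col):
    """d = M * c for one column; M rows are (02 03 01 01), (01 02 03 01), (01 01 02 03), (03 01 01 02)."""
    c0, c1, c2, c3 = col
    return [xtime(c0) ^ mul3(c1) ^ c2 ^ c3,
            c0 ^ xtime(c1) ^ mul3(c2) ^ c3,
            c0 ^ c1 ^ xtime(c2) ^ mul3(c3),
            mul3(c0) ^ c1 ^ c2 ^ xtime(c3)]

def mix_columns(state):
    """Apply mix_column to all 4 columns: 16 entries x 4 products = 64 multiplications."""
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

if __name__ == "__main__":
    # Column d4 bf 5d 30 is the first column after ShiftRow in FIPS-197 Appendix B, round 1.
    print([hex(x) for x in mix_column([0xD4, 0xBF, 0x5D, 0x30])])  # 04 66 81 e5
```

Changing a single byte of a column changes all four output bytes (mix_column([1, 0, 0, 0]) is [2, 1, 1, 3]), which is the quick diffusion the slide refers to.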

AddRoundKey (ARK)

XOR the round key with matrix d: e = d ⊕ k_i.

Key schedule on next slide.

Key Schedule

W(0) W(1) W(2) W(3) W(4) W(5) … W(43)

Write the original key as a 4x4 matrix with 4 columns: W(0), W(1), W(2), W(3). The key for round i is (W(4i), W(4i+1), W(4i+2), W(4i+3)).

Other columns are defined recursively:

W(i) = W(i-4) ⊕ T(W(i-1)) if 4 | i,
W(i) = W(i-4) ⊕ W(i-1) otherwise,

where T(W(i-1)) is computed as follows. Write W(i-1) = (a, b, c, d)^T. Rotate it to (b, c, d, a)^T and apply the S-box to each byte, giving (e, f, g, h)^T. Then

T(W(i-1)) = (e, f, g, h)^T ⊕ (r(i), 0, 0, 0)^T, with r(i) = (00000010)^((i-4)/4) in GF(2^8).

Highly non-linear. Resists attacks at finding the whole key when part is known.

Round keys: K0, K1, … K10.

192-, 256-bit versions similar.
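An added example (written for this page, not code from the slides or from T&W) tying together three passages above: the Z_2[X] (mod P(X)) construction of GF(2^8) with Rijndael's P(X), the S-box derivation z = A x^-1 + b, and the AES-128 key schedule. The function names are my own; the structure of A and b = 0x63 are the published Rijndael values, and the key used in the comments is the FIPS-197 Appendix A.1 example key.

```python
# Added example (not from the slides): Z_2[X] mod P(X) arithmetic, the S-box
# derivation z = A*x^-1 + b, and the AES-128 key schedule described above.
POLY = 0x11B  # X^8 + X^4 + X^3 + X + 1, the reduction polynomial Rijndael uses

def gf_mul(a, b, poly=POLY):
    """Multiply in Z_2[X] mod poly; the default gives GF(2^8), poly=0b111 gives GF(4)."""
    n = poly.bit_length() - 1          # degree of the irreducible polynomial
    r = 0
    while b:                           # shift-and-add: one shift + XOR per bit of b
        if b & 1:
            r ^= a
        a <<= 1
        if a >> n:                     # degree reached n: reduce by subtracting poly
            a ^= poly
        b >>= 1
    return r

def gf_inv(x):
    """Inverse in GF(2^8) as x^254 (x^255 = 1 for x != 0); 0 maps to 0, as on the slide."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def sbox(x):
    """z = A*y + b with y = x^-1: row i of A has ones in columns i, i+4..i+7 (mod 8), b = 0x63."""
    y, z = gf_inv(x), 0
    for i in range(8):
        bit = (y >> i) ^ (y >> (i + 4) % 8) ^ (y >> (i + 5) % 8) \
            ^ (y >> (i + 6) % 8) ^ (y >> (i + 7) % 8)
        z |= (bit & 1) << i
    return z ^ 0x63

def key_expansion(key):
    """16-byte key -> 44 column words W(0..43); the key for round i is W(4i..4i+3)."""
    W = [list(key[4 * j:4 * j + 4]) for j in range(4)]
    r = 0x01                           # r(4) = (00000010)^0; doubled in GF(2^8) each round
    for i in range(4, 44):
        t = W[i - 1]
        if i % 4 == 0:                 # T(W(i-1)): rotate, S-box each byte, XOR r(i) into byte 0
            a, b, c, d = t
            t = [sbox(b) ^ r, sbox(c), sbox(d), sbox(a)]
            r = gf_mul(r, 0x02)
        W.append([u ^ v for u, v in zip(W[i - 4], t)])
    return W

def round_key(W, i):
    """Round key K_i as 16 bytes: columns W(4i)..W(4i+3) in column-major order."""
    return bytes(sum(W[4 * i:4 * i + 4], []))
```

With the FIPS-197 key 2b7e1516 28aed2a6 abf71588 09cf4f3c, key_expansion gives W(4) = a0 fa fe 17 and round_key(W, 10) = d014f9a8c9ee2589e13f0cc8b6630ca6; sbox(0xCB) is 0x1F (31 decimal), the slide's worked example.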

Decryption

E(k) is:
(ARK_0, BS, SR, MC, ARK_1, … BS, SR, MC, ARK_9, BS, SR, ARK_10)

Each function is invertible: ARK; IBS; ISR; IMC (IMC is slower).

So D(k) is:
(ARK_10, ISR, IBS, ARK_9, IMC, ISR, IBS, … ARK_1, IMC, ISR, IBS, ARK_0)

Half-round structure:
Write E(k) = ARK, (BS, SR), (MC, ARK), … (BS, SR), (MC, ARK), (BS, SR), ARK
(Note that the last MC wouldn't fit.)
D(k) = ARK, (ISR, IBS), (ARK, IMC), (ISR, IBS), … (ARK, IMC), (ISR, IBS), ARK

Can write:
D(k) = ARK, (IBS, ISR), (IMC, IARK), … (IBS, ISR), (IMC, IARK), (IBS, ISR), ARK

(IBS and ISR commute because IBS acts on each byte independently and ISR only moves bytes. ARK and IMC can be swapped because IMC is linear: IARK XORs in IMC(round key) instead of the round key itself. D(k) then has the same half-round shape as E(k).)

Wrap-up

Do you trust 128-bit encryption now?

Wikipedia's entry has some nice visuals.

