Date post: 26-Dec-2015
Cryptography and Network Security Advanced Encryption Standard By William Stallings Modified by M. Sakalli
Page 1: Cryptography and Network Security Advanced Encryption Standard By William Stallings Modified by M. Sakalli.

Cryptography and Network Security

Advanced Encryption Standard By William Stallings

Modified by M. Sakalli

Page 2

Origins
• clear a replacement for DES was needed
  – there are theoretical attacks that can break it
  – exhaustive key search attacks have been demonstrated
• can use Triple-DES, but it is slow and still has DES's small 64-bit block
• US NIST issued a call for ciphers in 1997
• 5 were short-listed in Aug-99
  – MARS (IBM) - complex, fast, high security margin
  – RC6 (USA) - v. simple, v. fast, low security margin
  – Rijndael (Belgium) - clean, fast, good security margin
  – Serpent (Euro) - slow, clean, v. high security margin
  – Twofish (USA) - complex, v. fast, high security margin
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

Page 3

AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST has released all submissions & unclassified analyses
• Evaluation criteria for the submissions:
  – general security: effort to practically cryptanalyse
  – algorithm & implementation characteristics
  – cost: computational; ease of software & hardware implementation; minimize implementation attacks
  – flexibility (in en/decrypt, keying, other factors)

Page 4

Rijndael
• processes data as 4 groups of 4 bytes (the state, a 4x4 byte matrix)
• has 10/12/14 rounds for 128/192/256-bit keys, i.e. 9/11/13 full rounds plus an incomplete final round, in which the state undergoes:
  1. byte substitution (one S-box; byte-to-byte substitution)
  2. shift rows (permutation of bytes)
  3. mix columns (substitution using arithmetic in GF(2^8))
  4. add round key (XOR state with a portion of the expanded key)
• initial XOR with key material & incomplete last round (no mix columns)
• all operations can be combined into XORs and table lookups, hence very fast & efficient

The AES Cipher
• designed by Rijmen & Daemen in Belgium
• has 128/192/256-bit keys, 128-bit data
• an iterative (substitution-permutation) cipher rather than a Feistel cipher
  – treats data in 4 groups of 4 bytes
  – operates on the entire block in every round
• designed to be:
  – resistant against known attacks
  – fast and compact in code on many CPUs
  – simple in design

Page 5

Page 6

InvAddRoundKey
• (A ⊕ B) ⊕ B = A, so the inverse is the same XOR
• the round keys are used in reverse order

AddRoundKey
• Each round uses four different words from the expanded key array.
• Each column in the state matrix is XORed with a different word.
• The only step that introduces secret material: all other functions are fixed, public transformations.

Page 7

Substitution Byte (SubBytes)
• A bytewise lookup: each byte of the state is replaced by the result of applying the Rijndael S-box to it (the key expansion applies the same S-box to each byte of a 4-byte word). Designed to be resistant to all known attacks.
• Simple substitution of each byte using one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte at row (left 4 bits) & column (right 4 bits)
  – e.g. byte {95} is replaced by the row 9, column 5 byte
  – which is the value {2A}
• the S-box is constructed using a transformation of the values in GF(2^8)

Page 8

Shift Rows
• a circular byte shift in each row
  – 1st row is unchanged
  – 2nd row does a 1-byte circular shift to the left
  – 3rd row does a 2-byte circular shift to the left
  – 4th row does a 3-byte circular shift to the left
• decrypt does the shifts to the right
• since the state is processed by columns, this step permutes bytes between the columns

Page 9

Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1

Add Round Key
• XOR the state with 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• the inverse for decryption is identical since XOR is its own inverse, just with the correct round key
• designed to be simple

Page 10

AES Round

Page 11

Mathematical Review
• Performing arithmetic operations on bytes requires working in a finite field and treating each byte as an element.
• GF(2^8) - finite field containing 256 elements.
• Each element is a polynomial of degree at most 7 over Z2, hence an element is defined by 8 binary values - a byte.
• Addition - polynomial addition over Z2, implemented using XOR.
• Multiplication - polynomial multiplication over Z2, modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1. Implemented using repeated left shifts and XORs.

SubBytes - 16 x 16 table
• Each byte is considered as an element in GF(2^8)
• Called the S-box. A 16 x 16 table contains all 256 possible elements.
• Row/column indices: left and right halves (nibbles) of the byte.
• Each byte B in the state matrix is substituted with f(B).

Page 12

SubBytes, S-box computation
Computing the S-box cells in three stages:
- The cells are numbered in ascending order (the cell at row r, column c holds the output for input byte 16r + c).
- Each cell's number is replaced by its multiplicative inverse in GF(2^8); the byte {00} has no inverse and is mapped to itself.
- The cell's bits then go through the following affine transformation:

  b_i' = b_i ⊕ b_((i+4) mod 8) ⊕ b_((i+5) mod 8) ⊕ b_((i+6) mod 8) ⊕ b_((i+7) mod 8) ⊕ c_i

  b_i' = new bit value, c_i = the i-th bit of the constant c = {63} = 0110 0011 (listed from c_0 to c_7 as 1 1 0 0 0 1 1 0). Note that c is only a constant; the irreducible polynomial m(x) enters in computing the inverse, not here.

Page 13

S-Box eg. byte {95} is replaced by row 9 col 5 byte which is the value {2A}

Page 14

InvSubBytes
• Same routine as SubBytes, but uses the inverse S-box.
• The inverse S-box is computed by first applying the inverse affine transformation to the cell's value and then replacing the result with its multiplicative inverse in GF(2^8) (again {00} maps to {00}).
• The inverse transformation:

  b_i' = b_((i+2) mod 8) ⊕ b_((i+5) mod 8) ⊕ b_((i+7) mod 8) ⊕ d_i

  b_i' = new bit value, d_i = the i-th bit of d = {05} = 0000 0101.

Page 15

Page 16

SubBytes, crypto properties
• The S-box design makes it resistant to cryptanalytic attacks.
• Conditions:
  – No fixed points: S(a) ≠ a. No "opposite fixed points": S(a) ≠ ā (the bitwise complement of a).
  – Invertible S-box: IS[S(a)] = a;
  – but not self-inverse, i.e. in general S(a) ≠ IS(a): S({95}) = {2A}, but IS({95}) = {AD} (because S({AD}) = {95}); likewise S({2A}) = {E5}, not {95}.
• To see that InvSubBytes is the inverse of SubBytes,
  – label the matrices in SubBytes and InvSubBytes as X and Y, respectively, and the vector versions of the constants c and d as C and D, respectively.
  – For some 8-bit vector B, B' = XB ⊕ C.
  – To show that Y(XB ⊕ C) ⊕ D = B, we must show YXB ⊕ YC ⊕ D = B.
• B' = XB ⊕ C; Y(XB ⊕ C) ⊕ D = [YX]B ⊕ [YC] ⊕ D = B
  – which holds because YX = I (Y is the inverse matrix of X) and YC = D (so YC ⊕ D = 0).
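The S-box construction of pages 12 and 14 and the properties listed on page 16, carried out in code. This is an added example written for this page, not the slides' or Stallings' code: it implements GF(2^8) multiplication by shift-and-XOR as page 11 describes, computes inverses as a^254, builds the S-box and inverse S-box from the two affine maps with constants {63} and {05}, and then checks every property the slides claim (S({95}) = {2A}, IS({95}) = {AD}, no fixed or opposite fixed points, not self-inverse). All function and variable names are this example's own.

```python
# Added example (not from the slides): build the AES S-box exactly as the
# slides describe it: byte -> multiplicative inverse in GF(2^8) (0 -> 0),
# then the affine transformation with constant c = {63}. The inverse S-box
# undoes the affine map first (constant d = {05}) and then inverts again.

AES_POLY = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1, the reduction polynomial

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over Z2 modulo m(x): shift-and-XOR."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:          # an x^8 term appeared: reduce by m(x)
            a ^= AES_POLY
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); by FIPS 197 convention inv(0) = 0."""
    if a == 0:
        return 0
    # the multiplicative group has order 255, so a^254 = a^-1 (square-and-multiply)
    r, e = 1, a
    for bit in range(8):
        if (254 >> bit) & 1:
            r = gf_mul(r, e)
        e = gf_mul(e, e)
    return r

def affine(b: int, taps, const: int) -> int:
    """b'_i = XOR over t in taps of b_((i+t) mod 8), XOR const_i, for i = 0..7."""
    out = 0
    for i in range(8):
        bit = (const >> i) & 1
        for t in taps:
            bit ^= (b >> ((i + t) % 8)) & 1
        out |= bit << i
    return out

def sbox_entry(x: int) -> int:
    # forward: field inverse, then b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i with c = {63}
    return affine(gf_inv(x), (0, 4, 5, 6, 7), 0x63)

def inv_sbox_entry(y: int) -> int:
    # inverse: b_(i+2) ^ b_(i+5) ^ b_(i+7) ^ d_i with d = {05}, then field inverse
    return gf_inv(affine(y, (2, 5, 7), 0x05))

SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [inv_sbox_entry(y) for y in range(256)]

def sbox_properties() -> dict:
    """The properties the slides list: bijective, mutually inverse,
    no fixed or 'opposite fixed' points, and not self-inverse."""
    return {
        "permutation": sorted(SBOX) == list(range(256)),
        "inverse_ok": all(INV_SBOX[SBOX[a]] == a for a in range(256)),
        "no_fixed_points": all(SBOX[a] != a for a in range(256)),
        "no_opposite_fixed_points": all(SBOX[a] != (a ^ 0xFF) for a in range(256)),
        "self_inverse": all(SBOX[a] == INV_SBOX[a] for a in range(256)),
    }

if __name__ == "__main__":
    print(f"S({{95}}) = {{{SBOX[0x95]:02X}}}, IS({{95}}) = {{{INV_SBOX[0x95]:02X}}}, "
          f"S({{2A}}) = {{{SBOX[0x2A]:02X}}}")
    print(sbox_properties())
```

The constant {63} is passed as an ordinary byte and read bit i for c_i, which is exactly the c_0..c_7 = 1 1 0 0 0 1 1 0 listing on page 12; the {00} special case is the one a hand-rolled S-box most often gets wrong, since 0 has no inverse and must be mapped to 0 before the affine step (giving S({00}) = {63}).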

Page 17

ShiftRows
• Rows 2-4 of the state matrix are left-shifted by different offsets of 1-3 bytes respectively.
• Strong diffusion effect: it separates each group of four originally consecutive bytes, so the bytes of one input column are spread over four different columns.

Page 18

MixColumns
• A transformation which operates on individual columns - 32 bits / 4 bytes.
• Each column is treated as a degree-3 polynomial with coefficients in GF(2^8)
• Multiplied by the fixed polynomial:
  a(x) = ({03}x^3 + {01}x^2 + {01}x + {02}) mod (x^4 + 1)
• a(x) was chosen so that the multiplication/transformation is invertible.
• In general, multiplication in the above ring mod (x^4 + 1) does not provide an inverse for each element (x^4 + 1 is not irreducible, so this is a ring, not a field).
• *coefficient multiplication is the GF(2^8) multiplication mentioned earlier.

Page 19

MixColumns, properties
- The transformation is a linear code with maximal distance between code words (an MDS code with branch number 5: a change in k input bytes of a column changes at least 5 - k of its output bytes).
- Combined with ShiftRows, after several rounds all output bits depend on all input bits.

Page 20

• MixColumns worked example in GF(2^8) with irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1, for the input column {87} {6E} {46} {A6}:
  – ({02} · {87}) ⊕ ({03} · {6E}) ⊕ {46} ⊕ {A6} = {47}
  – {87} ⊕ ({02} · {6E}) ⊕ ({03} · {46}) ⊕ {A6} = {37}
  – {87} ⊕ {6E} ⊕ ({02} · {46}) ⊕ ({03} · {A6}) = {94}
  – ({03} · {87}) ⊕ {6E} ⊕ {46} ⊕ ({02} · {A6}) = {ED}
• For the first equation,
  – {02} · {87} = x · (x^7 + x^2 + x + 1) = (1 0000 1110); because of the leftmost 1 (the x^8 term) we reduce modulo m(x): (0000 1110) ⊕ (0001 1011) = (0001 0101) = {15};
  – {03} · {6E} = (x + 1) · (x^6 + x^5 + x^3 + x^2 + x) = (x^6 + x^5 + x^3 + x^2 + x) ⊕ x · (x^6 + x^5 + x^3 + x^2 + x), i.e. {6E} ⊕ ({02} · {6E}) = (0110 1110) ⊕ (1101 1100) = (1011 0010) = {B2} (no reduction needed, since the top bit of {6E} is 0).
• Summing the four terms:
  {02} · {87} = 0001 0101
  ⊕ {03} · {6E} = 1011 0010
  ⊕ {46} = 0100 0110
  ⊕ {A6} = 1010 0110
  Total = 0100 0111 = {47}

Page 21

InvMixColumns
• Same routine as MixColumns, only instead of a(x) the inverse of a(x) is used:

  a^-1(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}
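ShiftRows, MixColumns and their inverses (pages 17-21) as an added example written for this page, not taken from the slides. It deliberately builds every GF(2^8) product from the single {02} multiply (xtime), which is how page 24's "8-bit CPU" implementations avoid a general multiplier, reproduces the worked column {87} {6E} {46} {A6} -> {47} {37} {94} {ED} from page 20, and checks the page 21 claim that a(x) · a^-1(x) ≡ 1 mod (x^4 + 1). Function names are this example's own.

```python
# Added example, not from the slides: ShiftRows, MixColumns and their inverses,
# with all GF(2^8) products built from xtime (multiplication by {02}).

def xtime(b: int) -> int:
    """b * x modulo m(x) = x^8 + x^4 + x^3 + x + 1: shift left, reduce if x^8 appeared."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def mul(b: int, c: int) -> int:
    """b * c in GF(2^8): XOR together xtime^k(b) for every set bit k of the constant c.
    For c in {01, 02, 03} this is the 8-bit trick ({03}*b = xtime(b) ^ b); it also
    covers the {09}, {0B}, {0D}, {0E} needed by the inverse."""
    r = 0
    while c:
        if c & 1:
            r ^= b
        b = xtime(b)
        c >>= 1
    return r

def poly_mul_mod_x4p1(a, b):
    """Multiply two degree-3 polynomials with GF(2^8) coefficients modulo x^4 + 1.
    List index = power of x; since x^4 == 1 in this ring, index i + j wraps to (i + j) mod 4."""
    out = [0, 0, 0, 0]
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % 4] ^= mul(ai, bj)
    return out

A_X = [0x02, 0x01, 0x01, 0x03]      # a(x)    = {03}x^3 + {01}x^2 + {01}x + {02}
A_INV_X = [0x0E, 0x09, 0x0D, 0x0B]  # a^-1(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}

def mix_column(col, coef=(0x02, 0x03, 0x01, 0x01)):
    """One column (4 bytes, top to bottom) times a(x): the circulant matrix whose
    first row is `coef`, i.e. out[r] = XOR over k of coef[k] * col[(r + k) mod 4]."""
    out = []
    for r in range(4):
        v = 0
        for k in range(4):
            v ^= mul(col[(r + k) % 4], coef[k])
        out.append(v)
    return out

def inv_mix_column(col):
    """Same routine with the coefficients of a^-1(x): first matrix row {0E} {0B} {0D} {09}."""
    return mix_column(col, (0x0E, 0x0B, 0x0D, 0x09))

def shift_rows(state, inverse=False):
    """state[r][c] is the byte in row r, column c. Row r rotates by r bytes:
    left for encryption, right (inverse=True) for decryption."""
    out = []
    for r, row in enumerate(state):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out

def mix_columns(state, inverse=False):
    """Apply (Inv)MixColumns to every column of a 4x4 state held row-major."""
    f = inv_mix_column if inverse else mix_column
    cols = [f([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

if __name__ == "__main__":
    col = [0x87, 0x6E, 0x46, 0xA6]                     # the column worked on page 20
    mixed = mix_column(col)
    print("MixColumns        :", " ".join(f"{b:02X}" for b in mixed))       # 47 37 94 ED
    print("InvMixColumns back:", " ".join(f"{b:02X}" for b in inv_mix_column(mixed)))
    print("a(x) * a^-1(x) mod (x^4 + 1) =", poly_mul_mod_x4p1(A_X, A_INV_X))  # [1, 0, 0, 0]
```

The product check is the practical meaning of page 18's remark that a(x) was "chosen so the transformation is invertible": any other coefficients would have to be verified the same way, because being a unit in the ring of polynomials mod (x^4 + 1) is not automatic.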

Page 22

AES Key Expansion
• takes the 128-bit (16-byte) key (or a 192/256-bit key) and expands it into an array of 44/52/60 32-bit words: 4 words per round key, one round key per round plus one for the initial AddRoundKey
• start by copying the key into the first 4 words (6 or 8 for the longer keys)
• then loop creating words that depend on the values in the previous word & 4 places back
  – in 3 of 4 cases just XOR these together (for a 128-bit key)
  – every 4th word has rotate + S-box + XOR with a round constant applied to the previous word before XORing together
• designed to resist known attacks
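The key expansion on this slide as an added example (not the slides' or Stallings' code). It goes beyond the slide's 128-bit case to all three key lengths as FIPS 197 specifies them: the rotate/S-box/round-constant step happens every Nk-th word (Nk = 4, 6 or 8), and 256-bit keys get an extra S-box substitution at i mod 8 == 4. The S-box is embedded as the FIPS 197 table; function names are this example's own, and the values in the usage note are the FIPS 197 appendix test vectors.

```python
# Added example, not from the slides: AES key expansion (FIPS 197 section 5.2)
# for 128-, 192- and 256-bit keys.

# The FIPS 197 S-box, one 16-byte row per line (SBOX[16*r + c] = row r, column c).
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)

def rcon(j: int) -> int:
    """Round constant byte for step j: x^(j-1) in GF(2^8), i.e. {01} doubled j-1 times."""
    r = 0x01
    for _ in range(j - 1):
        r = ((r << 1) ^ 0x1B) & 0xFF if r & 0x80 else r << 1
    return r

def rot_word(w: int) -> int:
    """[a0, a1, a2, a3] -> [a1, a2, a3, a0] on a big-endian 32-bit word."""
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)

def sub_word(w: int) -> int:
    """Apply the S-box to each of the four bytes of the word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def key_expansion(key: bytes) -> list:
    """Return the 4*(Nr+1) words w[i] of the expanded key (44/52/60 words)."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nr = nk + 6                                   # 10/12/14 rounds
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            # the "every Nk-th word" case: rotate, substitute, XOR the round constant
            temp = sub_word(rot_word(temp)) ^ (rcon(i // nk) << 24)
        elif nk == 8 and i % nk == 4:
            # 256-bit keys only: an extra SubWord halfway through each 8-word group
            temp = sub_word(temp)
        w.append(w[i - nk] ^ temp)                # all other cases: XOR with the word Nk back
    return w

def round_keys(key: bytes) -> list:
    """Group the expanded words into Nr+1 round keys of 16 bytes each."""
    w = key_expansion(key)
    return [b"".join(x.to_bytes(4, "big") for x in w[4 * r:4 * r + 4])
            for r in range(len(w) // 4)]

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 Appendix A.1 key
    for r, rk in enumerate(round_keys(key)):
        print(f"round {r:2d} key: {rk.hex()}")
```

For the FIPS 197 Appendix A.1 key 2b7e1516 28aed2a6 abf71588 09cf4f3c, w[4] comes out as a0fafe17 and the round 10 key as d014f9a8 c9ee2589 e13f0cc8 b6630ca6. A practitioner's caveat that follows directly from the structure: every step is invertible, so any single round key recovered from memory gives back the original key.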

Page 23

AES Decryption
• AES decryption is not identical to encryption, since the steps are done in reverse
• but we can define an equivalent inverse cipher with the steps in the same order as for encryption
  – but using the inverse of each step
  – with a different key schedule (InvMixColumns applied to round keys 1 to Nr-1)
• this works since the result is unchanged when we
  – swap byte substitution & shift rows (one acts on byte values, the other on byte positions, so they commute)
  – swap mix columns & add (tweaked) round key (InvMixColumns is linear: InvMixColumns(S ⊕ K) = InvMixColumns(S) ⊕ InvMixColumns(K))

Page 24

Implementation Aspects
• can efficiently implement on an 8-bit CPU
  – byte substitution works on bytes using a table of 256 entries
  – shift rows is simple byte shifting
  – add round key works on byte XORs
  – mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified to a table lookup (or to the single {02} multiply, since {03}·b = {02}·b ⊕ b)
• can efficiently implement on a 32-bit CPU
  – redefine the steps to use 32-bit words
  – can pre-compute 4 tables of 256 words
  – then each column in each round can be computed using 4 table lookups + 4 XORs
  – at a cost of 4 KB to store the tables (4 x 256 x 4 bytes; decryption needs a second set)
  – caveat: these lookups are indexed by key-dependent data, so on a CPU with caches they leak timing information (cache-timing attacks); where an attacker can measure timing, constant-time or hardware (AES-NI) implementations are preferred
• the designers believe this very efficient implementation was a key factor in its selection as the AES cipher

Page 25

Summary
• have considered:
  – the AES selection process
  – the details of Rijndael - the AES cipher
  – the steps in each round
  – the key expansion
  – implementation aspects