Professional Documents
Culture Documents
Aes
Aes
http://ouray.cudenver.edu/~wrroche/Security/Presentation.html
AES Block
AES has a fixed block size of 128 bits called a state
ABCDEFGHIJKLMNOP
A B C D E F G H I J K L M N O P
(ASCII)
41 42 43 44
45 46 47 48
49 4A 4B 4C
4D 4E 4F 50
AES Key
AES key is either 128 bits, 192 bits or 256 bits
128 bits (4 words): 11223344556677889900AABBCCDDEEFF
11 55 99 CC
22 66 00 DD
33 77 AA EE
44 88 BB FF
AES Key
or 192 bits (6 words) 1122334455667788 9900AABBCCDDEEFF 1122334455667788 11 55 99 CC 11 55 22 66 00 DD 22 66 33 77 AA EE 33 77 44 88 BB FF 44 88 or 256 bits (8 words) 1122334455667788 9900AABBCCDDEEFF 1122334455667788 9900AABBCCDDEEFF
11 55 99 CC 11 55 99 CC
22 66 00 DD 22 66 00 DD
33 77 AA EE 33 77 AA EE
44 88 BB FF 44 88 BB FF
Comparisons
Expanded Key Length Key Length Block Size Number of (words) (Nk words) (Nb words) Rounds Nr AES-128 4 44 4 10 AES-192 6 52 4 12 AES-256 8 60 4 14 4 10 Rijndael - 128 4 44 6 12 8 14 4 12 Rijndael - 192 6 52 6 12 8 14 4 14 Rijndael - 256 8 60 6 14 8 14 DES 256 2 16 2* * of 64 bits, only 56 are used
Security
The key security feature is the size of the key.
Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.
Accepting Moore's Law, doubling processor speed every 18 months, AES will be secure for another 109.5 years.
AES Operations
AES Operates on the binary field GF(28).
This can be represented as a polynomial b(x) with binary coefficients b {0,1}: b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0
Multiplication in GF(28) consists of multiplying two polynomials modulo an irreducible polynomial of degree 8.
AES uses the following irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
11 55 99 CC
22 66 00 DD
33 77 AA EE
44 88 BB FF
i = Nk // Nk = 4 while (i < Nb*(Nr+1)) { // Nb*(Nr+1)= 4*(10+1)= 44 temp = w[ i 1 ] If ( i%Nk == 0 ) rotate word left 1 byte process each byte through sbox XOR with RCON[i/Nk-1] // just first byte of w[i] w[ i ] = w[ i-4 ] XOR temp i++}
i xi
8 0x1b
D 0x4d
E 0x9a
rCon can be implemented with a look-up-table 2i in GF(28) Removes symmetry and linearity from key expansion.
i=4 i = Nk // Nk = 4 while (i < Nb*(Nr+1)) {// Nb*(Nr+1)= 4*(10+1)= 44 temp = W[i-1] If (i%Nk == 0) rotate word left 1 byte process each byte through sbox XOR with RCON[i] // just first temp = C0 element16 w 4B 28 of w[i] = w[i-4] XOR temp i++}
i=5 temp = D1 0A 25 0F w[i] = w[i-4] XOR temp w[5] = (55 D1) (66 0A) (77 25) w[5] = 84 C6 52 87 (88 0F)
C1 28 16 4B
C0 28 16 4B
C8 47 2E 3E
CA 47 2E 3E
B0 A9 3B ED
B4 A9 3B ED
92 D2 D3 F8
9A D2 D3 F8
76 27 C5 B1
66 27 C5 B1
90 66 40 A9
B0 66 40 A9
B8 68 E1 11
F8 68 E1 11
9C 0B 6C D4
1C 0B 6C D4
F2 D1 66 D6
E9 D1 66 D6
A0 D5 49 58
96 D5 49 58
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
After AddRoundKey
41 11 42 22 43 33 44 44 45 55 46 66 47 77 48 88 49 99 4A 00 4B AA 4C BB 4D CC 4E DD 4F EE 50 FF 50 60 70 00 10 20 30 C0 D0 4A E1 F7 81 93 A1 AF
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
1 1 0 0 0 1 1 0
53 D0 51 63
CA B7 04 BA
70 D6 F8 68
0C DC 32 79
AES Algorithm
KeyExpansion(byte key[4*Nk],word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
53 D0 51 63
CA B7 04 BA
70 D6 F8 68
0C DC 32 79
53 B7 F8 79
CA D6 32 63
70 DC 51 BA
0C D0 04 68
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk) Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb-1]) for round = 1 step 1 to Nr1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state,w[round*Nb,(round+1)*Nb-1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1]) out = state end
a 1 a
2
01 02 03 01 01 01 02 03 03 01 01 02
a1 a2
a3
a 3
a1 = a0 a 1 3a+ a 2 = a0 + 2a+ 2a2 2 3a3 01 01 02 03 a2 1 2 a3 a3 = 3a0 + a1 + a2 + 2a3 a3 03 01 01 02 a3 a 2 = a0 a1 2a2 3a3 Addition is easy in GF(28) : Addition is just the XOR operation a3 one is identity Multiplication by 1 is easy in GF(28) : Multiplication by = 3a0 thea1 a2
01 02 03 01
a0 = 2a0 + 3a1 + a2 + a3 1 a2 a3 = a + 2a + 3a + a a
1 0 1 2 3
2a3 Multiplication by 2 in GF(28) takes some work: . If multiplying by a value < 0x80 just shift all the bits left by 1 . If multiplying by a value 0x80 shift left by 1 and XOR with 0x1b . This prevents overflow and keeps the values within range
To Multiply by 3 in GF(28) : a * 0x03 = a * (0x02 + 0x01) = (a * 0x02) (a * 0x01)
AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb* (Nr+1)],Nk) Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)]) begin byte state[4,Nb] state = in AddRoundKey(state, w[0, Nb -1]) for round = 1 step 1 to Nr 1 SubBytes(state) ShiftRows(state) MixColumns(state) AddRoundKey(state, w[round*Nb, (round+1)*Nb -1]) end for SubBytes(state) ShiftRows(state) AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb -1]) out = state end
Sample Conversions
Input String Key Output String (HEX) BC4784A37D6F46452656B993D53393F5 855866490543FDF6504FC84088FEDCA0 372CCA446C0D391C4381392344630EE1 ABCDEFGHIJKLMNOP 11223344556677889900AABBCCDDEEFF ABCDEFGHIJKLMNOP 01223344556677889900AABBCCDDEEFF ABCDEFFHIJKLMNOP 11223344556677889900AABBCCDDEEFF
AES Algorithm
Encryption
PlainText
Decryption
Cipher Text 1st Round
RoundKey
RoundKey*
AddRoundKey InvShiftRows
1st Round
Repeat Nr -1 Round
Repeat Nr -1 Round
RoundKey
AddRoundKey SubBytes
ShiftRows
RoundKey
InvSubBytes AddRoundKey
Last Round
AddRoundKey
CipherText
Padding
If plaintext messages are not divisible by 16 bytes. Padding may be a solution. An easy method is to add a single 1 bit at the end of the message followed by enough 0s to fill the block.
If the block is filled, encode one more block with a 1 followed by 0s.
Attacks on AES
Differential Cryptanalysis Study of how differences in input affect differences in output.
Greatly reduced due to high number of rounds.
Attacks on AES
Side Channel Attacks Attacks based on studying and measuring the actual implementation of the code.
For some implementations of AES the key has been obtained in under 100 minutes.
Computer running AES was 850MHz, Pentium III running FreeBSD 4.8
Attack Precautions
Avoid use of arrays. Compute values in SBOX and rCon. Design algorithms and devices to work with constant time intervals. (independent of key and plaintext.)
Hidden CPU timing data is a threat.
Use same memory throughout, Cache is faster than DRAM Compute Key Expansion on the fly. Utilize pipelining to stabilize CPU power consumption.
References
About AES AES Proposal : Rijndael Joan Daemen, Vincent Rijmen, 2nd version of document to NIST Polynomials in the Nations Service: Using Algebra to Design the Advanced Encryption Standard Susan Landau The Mathmatical Association of America, Monthly 111 Feb 2004 Page(s):89-117 Selecting the Advanced Encryption Standard Security & Privacy Magazine, IEEE Volume 1, Issue 2, Mar-Apr 2003 Page(s):43 - 52 Burr, W.E.;
Title: Introduction to Cryptography Author: Johannes A Buchman Publisher: Springer; 2 edition (July 13, 2004)
References
Security and Attacking AES Power-analysis attack on an ASIC AES implementation Ors, S.B.; Gurkaynak, F.; Oswald, E.; Preneel, B.;Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference onVolume 2, 2004 Page(s):546 - 552 Vol.2 Algebraic attacks on cipher systems Penzhorn, W.T.; AFRICON, 2004. 7th AFRICON Conference in Africa Volume 2, 2004 Page(s):969 - 974 Vol.2 Cache-Timing attacks on AES Daniel J Bernstein Preliminary version of report to National Science Foundation, grant CCR9983950
References
Applications / Implementations: AES A high throughput low cost AES processor Chih-Pin Su; Tsung-Fu Lin; Chih-Tsiun Huang; Cheng-Wen Wu; Communications Magazine, IEEE Volume 41, Issue 12, Dec. 2003 Page(s):86 - 91 An efficient FPGA implementation of advanced encryption standard algorithm Shuenn-Shyang Wang; Wan-Sheng Ni; Circuits and Systems, 2004. ISCAS '04. Volume 2, 23-26 May 2004 Page(s):II - 597-600 Vol.2 High-speed VLSI architectures for the AES algorithm Xinmiao Zhang; Parhi, K.K.; Very Large Scale Integration (VLSI) Systems Volume 12, Issue 9, Sept. 2004 Page(s):957 967 Fast implementation of AES cryptographic algorithms in smart cards Chi-Feng Lu; Yan-Shun Kao; Hsia-Ling Chiang; Chung-Huang Yang; Security Technology, 2003. 14-16 Oct. 2003 Page(s):573 - 579
References
Applications / Implementations : AES
A new VLSI implementation of the AES algorithm Liang Deng; Hongyi Chen; Communications, Circuits and Systems and West Sino Expositions, IEEE 2002 International Conference on Volume 2, 29 June-1 July 2002 Page(s):1500 - 1504 vol.2