Advanced Encryption Standard (AES) and Finite Fields
Shervin Erfani
Fall 2015
9/30/2015
Outline
1. A Bit of History
2. Basic Structure
3. Evaluation Criteria
4. AES Data Units
5. High-Level Description
6. AES Key Expansion
7. Algebraic Structures
8. Rings
9. Fields
10. Summary
A Bit of History
On January 2, 1997, the U.S. National Institute of Standards and Technology (NIST) began the process of choosing a replacement for DES. The replacement would be called Advanced Encryption Standard (AES).
AES is required to have block length 128 bits, and supports three different key lengths of 128, 192, and 256 bits.
AES should be available to the public worldwide on a royalty-free basis.
Submission deadline was June 15, 1998.
88-590-02 E-Commerce, S. Erfani
University of Windsor
A Bit of History (Contd)
On August 2, 1998, NIST announced fifteen
Evaluation Criteria
Implementations of all of the above were tested extensively in ANSI C and Java languages for speed and reliability in encryption and decryption, key and algorithm setup time, and resistance to various attacks, both in hardware- and software-centric systems.
Members of the global cryptographic community conducted detailed analyses
Security Strength
 - Randomness
 - Soundness
 - Resistance to Cryptanalysis
Cost
 - Licensing Requirements
 - Computational Efficiency
 - Memory Requirements
AES Background
The Rijndael cipher was developed by two Belgian cryptographers: Joan Daemen of Proton World International, and Vincent Rijmen of Katholieke Universiteit Leuven in Belgium.
AES is a non-Feistel cipher that encrypts/decrypts data blocks of 128 bits.
Uses 10, 12, or 14 rounds depending on the key size.
Uses key sizes of 128, 192, or 256 bits.
There are three different versions: AES-128, AES-192, and AES-256.
Uses a round key obtained through a key expansion of the cipher key.
[Figure: The General Structure of AES for the case of a 128-bit encryption key]
A byte is a group of 8 bits (Words/Bytes/Bits).

            Plaintext Block Size   Number of   Ciphertext Block Size   Expanded Key Size
            (words/bytes/bits)     Rounds      (words/bytes/bits)      (words/bytes)
AES-128     4/16/128               10          4/16/128                44/176
AES-192     4/16/128               12          4/16/128                52/208
AES-256     4/16/128               14          4/16/128                60/240

[Figure: word, byte and state layout]
High-Level Description of AES
1. Key Expansion: Round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit
3. Rounds:
   1. SubBytes
   2. ShiftRows
   3. MixColumns
   4. AddRoundKey
State
Text:        A  E  S  U  S  E  S  A  M  A  T  R  I  X  Z  Z
Hexadecimal: 00 04 12 14 12 04 12 00 0C 00 13 11 08 23
SubBytes Transformation
SubBytes replaces each byte of the state with another byte. The output of SubBytes is the byte located at the junction of the row and the column of the table (S-box), a matrix of bytes.
MixColumns Transformation
The step first multiplies each byte with a different constant and then mixes them.
[Figure: MixColumns matrix equation, = C, and its inverse]
Multiplication of bytes is done in GF(2^8) with modulus 100011011, i.e. the irreducible polynomial x^8 + x^4 + x^3 + x + 1.
Addition is the same as XORing of 8-bit words.
The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials.
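The following is an added example, not code from the slides or from the AES standard: it implements the GF(2^8) byte multiplication described above (XOR for addition, reduction by the modulus 100011011 = 0x11B) and uses it for MixColumns and its inverse. It also shows the column-major layout that turns a 16-byte block into the 4 × 4 state of the earlier "State" example. The matrix coefficients (02, 03, 01, 01 and 0E, 0B, 0D, 09) are those of FIPS 197; the test column (DB 13 53 45) is a constructed input.

```python
# Added example (not from the lecture slides): MixColumns and InvMixColumns
# built on GF(2^8) multiplication with the AES modulus 100011011 = 0x11B.

AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, written as the binary 1 0001 1011


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo 0x11B."""
    result = 0
    while b:
        if b & 1:
            result ^= a            # addition in GF(2^8) is XOR
        b >>= 1
        a <<= 1
        if a & 0x100:              # degree reached 8: subtract (XOR) the modulus
            a ^= AES_MODULUS
    return result & 0xFF


# MixColumns multiplies each state column by this fixed matrix (hex 02/03/01).
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

# InvMixColumns uses the inverse matrix, with coefficients 0E/0B/0D/09.
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def mix_single_column(col, matrix):
    """Multiply one 4-byte column by the matrix: each output byte is an XOR of products."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def bytes_to_state(block: bytes):
    """Lay out 16 bytes column by column: byte i goes to row i % 4, column i // 4."""
    return [[block[c * 4 + r] for c in range(4)] for r in range(4)]


def state_to_bytes(state) -> bytes:
    """Inverse of bytes_to_state (read the state column by column)."""
    return bytes(state[r][c] for c in range(4) for r in range(4))


def mix_columns(state, inverse=False):
    """Apply MixColumns (or InvMixColumns) to every column of a 4x4 state."""
    matrix = INV_MIX if inverse else MIX
    new_state = [[0] * 4 for _ in range(4)]
    for c in range(4):
        col = [state[r][c] for r in range(4)]
        mixed = mix_single_column(col, matrix)
        for r in range(4):
            new_state[r][c] = mixed[r]
    return new_state


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]   # constructed test column
    print([hex(x) for x in mix_single_column(col, MIX)])
```

Running the block mixes the column DB 13 53 45 into 8E 4D A1 BC, and `mix_columns(..., inverse=True)` undoes `mix_columns` on a full state, which is the property decryption relies on.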
MixColumns Illustrated
AES Key Expansion
where the temporary word is a transformation of the previous word, obtained by applying the two operations SubWord and RotWord to it and XORing the result with a round constant (Rcon).
The round key for the i-th round consists of:
Roun
d
Constant
(RCon)
Rou
nd
Constant
(RCon)
(01 00 00
00)16
(20 00 00
00)16
(02 00 00
00)16
(40 00 00
00)16
3
(04 00 00
8
(80 00 00
00)16 is similar to the00)
The RotWord transformation
ShiftRows;
takes a
16
word and shifts4 each byte
to00
the left9with wrapping.
(08 00
(1B 00 00
The SubWord is similar to
SubBytes;
takes
each
byte in the word
00)16
00)16
and substitutes another byte for it.
00 in
00which
10
(36 00 00three bytes
Each RCon is a 54-byte(10
value
the rightmost
00)16
00)16 of AES-128
are always zero. The RCon
constants for 10 rounds
are given in the above table.
The key-expansion process can either use this table or use field
to calculate the leftmost byte dynamically.
Key-expansion in AES-192
and AES-256 versions are similar to
88-590-02 E-Commerce, S. Erfani
9/30/2015
31
Universityslight
of Windsor differences.
the one for AES-128 with
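The following added example (my code, not the slides' or FIPS 197's) ties together the SubBytes passage and the key expansion passage above. It builds the S-box by "mathematical calculation in the field" rather than a table lookup (multiplicative inverse in GF(2^8) followed by the affine transformation of FIPS 197), computes each RCon leftmost byte dynamically by repeated doubling instead of reading the table, and runs the AES-128 key expansion with RotWord and SubWord. The assumptions are the standard ones: the affine constant 0x63 and the fact that 0x03 generates the multiplicative group of GF(2^8); the key used in the usage line is the FIPS 197 Appendix A example key.

```python
# Added example (not from the lecture slides): the AES S-box computed from
# GF(2^8) arithmetic instead of a lookup table, then the AES-128 key expansion
# with each Rcon produced dynamically by repeated doubling (xtime).


def xtime(a: int) -> int:
    """Multiply a byte by x (0x02) in GF(2^8), reducing by 0x11B when bit 8 appears."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


# 0x03 generates the multiplicative group of GF(2^8): its powers list every
# non-zero byte exactly once, which gives us log/antilog tables for inversion.
EXP = [0] * 255
_p = 1
for _i in range(255):
    EXP[_i] = _p
    _p ^= xtime(_p)            # p = p * 3 = p * (x + 1)
LOG = {EXP[i]: i for i in range(255)}


def gf_inverse(a: int) -> int:
    """Multiplicative inverse via the log tables; 0 maps to 0 by AES convention."""
    return 0 if a == 0 else EXP[(255 - LOG[a]) % 255]


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def sbox_value(a: int) -> int:
    """S(a) = affine(inverse(a)): b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63 (FIPS 197)."""
    b = gf_inverse(a)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = [sbox_value(a) for a in range(256)]   # the same 256-entry table a lookup would use


def sub_bytes(state):
    """SubBytes: the byte's two hex digits select the row and column of the S-box."""
    return [[SBOX[b] for b in row] for row in state]


def rot_word(w):
    """RotWord: shift each byte of the 4-byte word one position left, with wrapping."""
    return w[1:] + w[:1]


def sub_word(w):
    """SubWord: apply the S-box to each byte of the word."""
    return [SBOX[b] for b in w]


def rcon(i: int) -> list:
    """Rcon[i] = (x^(i-1), 00, 00, 00): leftmost byte by repeated xtime, rest zero."""
    v = 1
    for _ in range(i - 1):
        v = xtime(v)
    return [v, 0, 0, 0]


def expand_key_128(key: bytes):
    """Return the 44 words (11 round keys x 4 words) of the AES-128 key schedule."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:           # every fourth word gets RotWord, SubWord and Rcon
            temp = [a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // 4))]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_key(w, r: int) -> bytes:
    """Round key r is words w[4r] .. w[4r+3], i.e. 16 bytes."""
    return bytes(b for word in w[4 * r:4 * r + 4] for b in word)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 Appendix A key
    words = expand_key_128(key)
    for r in range(11):
        print(f"round key {r:2d}: {round_key(words, r).hex()}")
```

Because the S-box is derived rather than typed in, a single wrong constant (the modulus, the affine constant, or the generator) shows up immediately as a mismatch against the known values S(00) = 63 and S(53) = ED; the same check applies to the Rcon bytes, which must reach 1B and 36 at rounds 9 and 10 as in the table above.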
AES Decryption
The nature of substitutions and permutations in AES allows for a fast software implementation of the algorithm.
AES decryption is not identical to encryption. But each step in the encryption process has an inverse.
Attacks on AES
For cryptographers, a cryptographic "break" is anything faster than a brute force.
AES has a fairly simple algebraic description. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description.
On July 1, 2009, Bruce Schneier reported on a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, which exploits AES's somewhat simple key schedule.
However, related-key attacks are not of concern in any properly designed cryptographic protocol, as properly designed software will not use related keys.
In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint.
In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.
The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011. The attack is a biclique attack and is faster than brute force by a factor of about four.
As of now, there are no known practical attacks that would allow anyone to read correctly implemented AES encrypted data.
According to the Snowden documents, the NSA is doing research on whether a cryptographic attack based on the tau statistic may help to break AES.
Summary of AES
The AES is a symmetric-key block cipher published by NIST as FIPS 197. AES is based on the Rijndael algorithm.
AES is a non-Feistel cipher that encrypts/decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds.
The number of rounds depends on the key size, which can be 128, 192, or 256 bits.
AES is byte-oriented. The 128-bit plaintext or ciphertext is considered as sixteen 8-bit bytes. A state is a 4 × 4 matrix in which each entry is a byte.
AES uses four types of transformations: substitution, permutation, mixing, and key-adding.
Each round has 4 steps: SubBytes, ShiftRows, MixColumns, and AddRoundKey. The last round has only 3 steps; no MixColumns.
Substitution is defined by either a table lookup process or mathematical calculation in the field.
Decryption is not the same as encryption (as it is in DES). Decryption consists of inverse steps.
Most of the known attacks on DES were already tested on AES, and none of them has broken the security of AES so far. There are no effective differential and linear cryptanalysis attacks on AES as yet.
AES can be implemented in software, hardware, and firmware.
The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
In the byte-oriented version, the whole algorithm can use an 8-bit processor; in the word-oriented version, it can use a 32-bit processor.
AES Arithmetic
[Figure: An example of Galois' rather undisciplined notes]
Examples of Operations in GF(2^4)
The following are some examples of arithmetic operations in GF(2^4) with reduction polynomial .
Addition:
Subtraction: . We use the symbol  to show subtraction of two polynomials.
Multiplication: . Since .
Inversion: , since .
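Since the worked values of this slide did not survive, here is an added example (my code, not the slides') that carries out the four operations named above in GF(2^4) and prints the results in polynomial notation. The routines are parameterised by the reduction polynomial, so the same code also reproduces the GF(2^8) arithmetic AES uses. Assumptions: the GF(2^4) reduction polynomial is taken to be x^4 + x + 1 (0b10011), which the slide does not state, and the operands x^3 + x + 1 and x^2 + x are constructed inputs. Inversion is done with the extended Euclidean algorithm on polynomials, which is the general method behind the "field calculation" alternative to a lookup table.

```python
# Added example (not from the lecture slides): arithmetic in GF(2^m) as bit
# polynomials over GF(2), parameterised by the reduction polynomial so the
# same routines serve the GF(2^4) examples here and the GF(2^8) used by AES.
# Assumption: the GF(2^4) reduction polynomial is x^4 + x + 1 (0b10011); the
# slides do not reproduce it.


def degree(p: int) -> int:
    """Degree of a bit polynomial; degree(0) is -1."""
    return p.bit_length() - 1


def poly_str(p: int) -> str:
    """Render a bit polynomial, e.g. 0b1011 -> 'x^3 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(degree(p), -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_divmod(num: int, den: int):
    """Polynomial long division over GF(2): returns (quotient, remainder)."""
    q = 0
    while num and degree(num) >= degree(den):
        shift = degree(num) - degree(den)
        q ^= 1 << shift
        num ^= den << shift          # subtract den * x^shift (subtraction is XOR)
    return q, num


class BinaryField:
    """GF(2^m) with elements stored as ints whose bits are polynomial coefficients."""

    def __init__(self, modulus: int):
        self.modulus = modulus
        self.m = degree(modulus)     # the field has 2^m elements

    def add(self, a: int, b: int) -> int:
        return a ^ b                 # coefficient-wise addition mod 2

    def sub(self, a: int, b: int) -> int:
        return a ^ b                 # -1 == 1 mod 2, so subtraction equals addition

    def reduce(self, p: int) -> int:
        return poly_divmod(p, self.modulus)[1]

    def mul(self, a: int, b: int) -> int:
        """Shift-and-XOR product of the polynomials, then reduce by the modulus."""
        product = 0
        while b:
            if b & 1:
                product ^= a
            b >>= 1
            a <<= 1
        return self.reduce(product)

    def inv(self, a: int) -> int:
        """Extended Euclidean algorithm: returns u with a * u = 1 in the field."""
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        r0, r1 = self.modulus, a     # invariant: r_k = u_k * a (mod modulus)
        u0, u1 = 0, 1
        while r1 != 1:
            if r1 == 0:
                raise ValueError("modulus is not irreducible: no inverse exists")
            q, rem = poly_divmod(r0, r1)
            r0, r1 = r1, rem
            u0, u1 = u1, u0 ^ self.mul(q, u1)
        return u1


if __name__ == "__main__":
    F16 = BinaryField(0b10011)       # GF(2^4), modulus x^4 + x + 1 (assumed)
    a, b = 0b1011, 0b0110            # constructed operands: x^3 + x + 1 and x^2 + x
    print("a + b  =", poly_str(F16.add(a, b)))
    print("a - b  =", poly_str(F16.sub(a, b)))
    print("a * b  =", poly_str(F16.mul(a, b)))
    print("a^-1   =", poly_str(F16.inv(a)))
    F256 = BinaryField(0x11B)        # the AES field, modulus 100011011
    print("57 * 83 in GF(2^8) =", hex(F256.mul(0x57, 0x83)))
```

With these operands, addition and subtraction both give x^3 + x^2 + 1, the product reduces to x^3 + x^2 + x + 1, and the inverse of x is x^3 + 1 (since x(x^3 + 1) = x^4 + x = 1 modulo x^4 + x + 1). Switching the modulus to 0x11B reproduces the FIPS 197 figures {57} · {83} = {C1} and {53}^-1 = {CA}.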
References
The AES standard is described in the following official document:
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
B. Forouzan, Cryptography and Network Security, Chap. 7, pp. 191-224. New York, NY: McGraw Hill, 2008.
C. Paar, J. Pelzl, "The Advanced Encryption Standard", Chapter 4 of "Understanding Cryptography, A Textbook for Students and Practitioners" (companion web site contains online lectures on AES), Springer, 2009: http://wiki.crypto.rub.de/Buch/sample_chapters.php
W. Stallings, Cryptography and Network Security, 5th ed. Upper Saddle River, NJ: Prentice Hall, 2011.
Cryptography and Network Security, Chapter 5, 5th edition, by William Stallings; lecture slides by Lawrie Brown, Advanced Encryption Standard: www.cise.ufl.edu/~nemo/security/slides/AES.ppt
W. Stallings, Network Security Essentials: Applications and Standards, 5th Edition, Chap. 2, pp. 30-36. Upper Saddle River, NJ: Prentice Hall, 2014.
Avi Kak, Lecture 8, AES: The Advanced Encryption Standard, Purdue University, May 2015: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture8.pdf
B. Schneier, Another new AES attack, July 30, 2009.