Cryptography and Network Security

1
Cryptography and Network Security

• Advanced Encryption Standard
• By William Stallings
• Modified by M. Sakalli

2
Origins

• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• can use Triple-DES but slow with small blocks
• US NIST issued call for ciphers in 1997
• 5 were short-listed in Aug-99
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security
  margin
• Rijndael (Belgium) - clean, fast, good security
  margin
• Serpent (Euro) - slow, clean, v. high security
  margin
• Twofish (USA) - complex, v. fast, high security
  margin
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

3
AES Requirements

• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger faster than Triple-DES
• active life of 20-30 years ( archival use)
• provide full specification design details
• both C Java implementations
• NIST have released all submissions unclassified
  analyses
• Evaluation criteria of submitted ones
• General security effort to practically
  cryptanalyse
• algorithm implementation characteristics
• cost computational, software hardware
  implementation ease, minimize implementation
  attacks
• flexibility (in en/decrypt, keying, other factors)

4

• Rijndael
• processes data as 4 groups of 4 bytes (state)
• has 9/11/13 rounds in which state undergoes
• byte substitution (1 S-box byte to byte
  substitution)
• shift rows (permutation of bytes)
• mix columns (subs using gf28)
• Add Round Key (XOR state with a portion of
  expended K)
• initial XOR key material incomplete last round
• all operations can be combined into XOR and table
  lookups - hence very fast efficient
• The AES Cipher
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than feistel cipher
• treats data in 4 groups of 4 bytes
• operates an entire block in every round
• designed to be
• resistant against known attacks
• speed and code compactness on many CPUs

5
(No Transcript)
6

• AddRoundKey
• Each round uses four different words from the
  expanded key array.
• Each column in the state matrix is XORed with a
  different word.
• The heart of the encryption. All other functions
  properties are permanent and known to all.

• InvAddRoundKey
• (A ? B) ? B A
• Key is used in reverse order

7
Substitution Byte (Subbyte)

• It is a bytewise lookup process that returns a
  4-byte word in which each byte is the result of
  applying the Rijndael S-box. Designed to be
  resistant to all known attacks
• Simple substitution of each byte using one table
  of 16x16 bytes containing a permutation of all
  256 8-bit values
• each byte of state is replaced by byte in row
  (left 4-bits) column (right 4-bits)
• eg. byte 95 is replaced by row 9 col 5 byte
• which is the value 2A
• S-box is constructed using a transformation of
  the values in GF(28)

8
Shift Rows

• a circular byte shift in each row
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step
  permutes bytes between the columns

9

• Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all
  4 bytes in the column
• effectively a matrix multiplication in GF(28)
  using prime poly m(x) x8x4x3x1
• Add Round Key
• XOR state with 128-bits of the round key
• again processed by column (though effectively a
  series of byte operations)
• inverse for decryption is identical since XOR is
  own inverse, just with correct round key
• designed to be simple

10
AES Round
11

• Mathematical Review
• Performing arithmetic operations on bytes
  requires to work in a finite field and treat each
  byte as an element.
• GF(28) - Finite field containing 256 elements.
• Each element is a polynomial of degree 7 over Z2,
  hence an element is defined by 8 binary values
  a byte.
• Addition polynomial addition, over Z2,
  implemented using XOR.
• Multiplication polynomial multiplication , over
  Z2, modulo irreducible polynomial X8 X4 X3
  X 1
• Implemented using repetitive left shifts and
  XOR.
• SubBytes - 16 X 16 table
• Each byte is considered as an element in GF(28)
• Called S-BoxA. 16 X 16 table contains all
  possible 256 elements.
• Row Column Indices Left and Right halves of the
  byte.
• Each byte B in the state matrix is substituted
  with f(B).

12
SubBytes, S-Box computation Computing S-Box cells
in three stages -The cells are numbered in
ascending order. -Each cells number is
substituted with its multiplicative inverse over
GF(28). - The cells bits go through the
following transformation
bi bi ? b(i4)mod(8) ? b(i5)mod(8) ?
b(i6)mod(8) ? b(i7)mod(8) ? ci bi new bit
value, ci the ith bit of 6311000110
irreducible polynomial
13
S-Box eg. byte 95 is replaced by row 9 col 5
byte which is the value 2A
14

• InvSubBytes
• Same routine as SubBytes, but uses the inverse
  S-Box.
• Inverse S-box is computed by applying the inverse
  affine transformation and then substituting with
  the multiplicative inverse, of the cells value
  in the S-Box.
• The Inverse transformation
• bi b(i2)mod8 ? b(i5)mod8 ? b(i7)mod8 ?
  di
• bi new bit value, di the ith bit of
  0500000101.

15
(No Transcript)
16
SubBytes, crypto properties

• S-Box design makes it resistant to cryptanalitic
  attacks.
• Conditions
• No fixed points S(a) ? a, no opposite fixed
  points IS(a) ? a complement.
• Invertible s box, ISS(a) a
• but not self invertible, which means
• S(a) ? IS(a), ie. S(95) 2A, but IS(95)
  AD think S(2A)?95
• To see that InvSubBytes is the inverse of
  SubBytes,
• label the matrices in SubBytes and InvSubBytes as
  X and Y, respectively, and the vector versions of
  constants c and d as C and D, respectively.
• For some 8-bit vector B ? B' XB ? C.
• To show that Y(XB ? C) ? D B.
• Must show YXB ? YC ? D B.
• BXB?C (Y(XB?C)?D) YXB?YC?D B
• Which means

17
ShiftRows

• Rows 2-4 in the state matrix are left shifted by
  different offsets of 1-3 bytes respectively.
• Strong diffusion effect. Separation of each four,
  originally consecutive, bytes.

18

• A transformation which operates on individual
  columns 32 bits/4 bytes.
• Each column is treated as a 3 degree polynomial
  over GF(23)
• Multiplied by the fixed polynomial
• a(x)(03X3 01X2 01X 02)mod(x41)
• a(x) was chosen so the multiplication/transformati
  on is invertible.
• Generally, multiplication in the above group
  mod(x41) doesnt provide inverse for each
  element.
• coefficients multiplication is the GF(28)
  multiplication mentioned earlier.

19
MixColumn, props- The transformation is a linear
code with a maximal distance between code
words.- Combined with ShiftRows, after several
rounds all output bits depend on all input bits.
20

• In GF(28), irreducible polynomial mod(x4x3x1)
• (02 87) ? (03 6E) ? 46 ? A6
  47
• 87 ? (02 6E) ? (03 46) ? A6
  37
• 87 ? 6E ? (02 46 ? (03 A6) 94
• (03 87) ? 6E ? 46 ? (02 A6
  ED
• For the first equation,
• 02 87 x(x7 x2x1) (1 0000 1110) l
  because of the most left 1,
• (0000 1110) ? (0001 1011) (0001 0101)
• and
• 03 6E (x1)(x6 x5 x3 x2x)
• (x6 x5 x3 x2x) ? (x)(x6 x5 x3
  x2x), the same statement for the second side.
• 6E ? (02 6E) (0110 1110) ? (1101
  1100)
• (1011 0010).
• 02 87 0001 0101  
• 03 6E 1011 0010  
• 46 0100 0110  
• A6 1010 0110   
• Total 0100 0111 47

21
InvMixColumn

• Same routine as MixColumn, only instead of a(x)
  the inverse of a(x) is used
• a-1(x)0Bx3?0Dx2?09x?0E

22
AES Key Expansion

• takes 128-bit (16-byte) key and expands into
  array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in
  previous 4 places back
• in 3 of 4 cases just XOR these together
• every 4th has S-box rotate XOR constant of
  previous before XOR together
• designed to resist known attacks

23
AES Decryption

• AES decryption is not identical to encryption
  since steps done in reverse
• but can define an equivalent inverse cipher with
  steps as for encryption
• but using inverses of each step
• with a different key schedule
• works since result is unchanged when
• swap byte substitution shift rows
• swap mix columns add (tweaked) round key

24
Implementation Aspects

• can efficiently implement on 8-bit CPU
• byte substitution works on bytes using a table of
  256 entries
• shift rows is simple byte shifting
• add round key works on byte XORs
• mix columns requires matrix multiply in GF(28)
  which works on byte values, can be simplified to
  use a table lookup
• can efficiently implement on 32-bit CPU
• redefine steps to use 32-bit words
• can pre-compute 4 tables of 256-words
• then each column in each round can be computed
  using 4 table lookups 4 XORs
• at a cost of 16Kb to store tables
• designers believe this very efficient
  implementation was a key factor in its selection
  as the AES cipher

25
Summary

• have considered
• the AES selection process
• the details of Rijndael the AES cipher
• looked at the steps in each round
• the key expansion
• implementation aspects