Document 7509788


There is no security on this earth; there is only opportunity. - General Douglas MacArthur

1


Origins

A replacement for DES was needed:
• theoretical attacks that might break DES had been worked out
• exhaustive key search attacks had been demonstrated in practice
• 1999: NIST issued FIPS PUB 46-3: DES for legacy systems only; Triple DES prescribed for new systems
• Triple DES can be used up to 2030, but it is slow, particularly in software implementations, and keeps DES's small 64-bit block
• Jan 2, 1997: NIST begins work on the new standard
• Sept 12, 1997: formal call for AES proposals

2

AES Requirements issued by NIST in 1997

• private-key (symmetric) block cipher
• 128-bit data blocks; 128/192/256-bit keys
• stronger and faster than Triple DES
• active life of 20-30 years (plus archival use)
• full specification and design details to be provided
• both C and Java implementations to be provided

3


History of Development of AES

• June 1998: 21 proposals
• Aug 20, 1998: shortlisted to 15 proposals: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, RIJNDAEL, SAFER+, SERPENT, TWOFISH
• March 22-23, 1999: AES2, the Second AES Candidate Conference, Rome
• Aug 1999: five finalists: MARS, RC6, RIJNDAEL, SERPENT, TWOFISH. All were judged adequately secure; efficiency, speed and resource requirements were to be studied further.

4


AES Shortlist

Shortlist in Aug-99, then subject to further analysis and comment:
• MARS (IBM): complex, fast, high security margin
• RC6 (USA): very simple, very fast, low security margin
• Rijndael (Belgium): clean, fast, good security margin; academic submission
• Serpent (Europe): slow (about 1/3 the speed of Rijndael), clean, highest security margin of the 5 finalists; academic submission
• Twofish (USA): complex, Feistel, DES-like structure; very fast (as fast as Rijndael), high security margin; key-dependent S-boxes; uses whitening, i.e. key material is XORed into the data both at the start and at the end of the cipher

5

AES Evaluation Criteria

Initial criteria:
• security: effort needed to cryptanalyse the cipher in practice
• cost: computational cost
• algorithm and implementation characteristics
(Used to reduce the field from 21 proposals to 15. The 5 finalists were then shortlisted out of the 15 by the same criteria.)

6

Final criteria for selecting Rijndael out of the five:

1. general security
2. ease of software and hardware implementation
3. resistance to implementation attacks (timing and power analysis)
4. flexibility (in encryption/decryption and other factors)
5. restricted memory requirement (for use in smart devices)
6. key agility: the ability to change keys fast, with a minimum of resources

7

AES

• October 2, 2000: RIJNDAEL selected as AES
• unclassified, publicly disclosed encryption algorithm
• available royalty-free world-wide
• symmetric-key block cipher

8


Selection of AES

The selection saw a contrast between algorithms:
• with few complex rounds versus many simple rounds
• which refined existing ciphers versus new proposals
• which could be implemented efficiently in software only versus also in special-purpose ICs
AES was issued as the FIPS PUB 197 standard in Nov 2001. AES was originally developed as the Rijndael cipher by Joan Daemen and Vincent Rijmen.

9


Rijndael Cipher

• an iterative rather than Feistel-type cipher: it operates on the entire block of data in every round (and not on half the block, as in Feistel-type ciphers)
• designed to be resistant against known attacks
• designed for speed and code compactness on many CPUs
• designed for simplicity
• plaintext data: written in the form of a matrix
• input key: also written in the form of a matrix

10

Key

Key and data bytes are arranged in rectangular arrays of 4 rows (shown here for a 32-byte key, 8 columns):

    K0,0 K0,1 K0,2 K0,3 K0,4 K0,5 K0,6 K0,7
    K1,0 K1,1 K1,2 K1,3 K1,4 K1,5 K1,6 K1,7
    K2,0 K2,1 K2,2 K2,3 K2,4 K2,5 K2,6 K2,7
    K3,0 K3,1 K3,2 K3,3 K3,4 K3,5 K3,6 K3,7

Variable key size: 16, 24 or 32 bytes; Ki,j represents the byte in the ith row and jth column. The key bytes fill the array column by column.

Nk = number of column vectors (4-byte vectors) of the key: 4, 6 or 8

11

Block of data

    a0,0 a0,1 a0,2 a0,3 a0,4 a0,5 a0,6 a0,7
    a1,0 a1,1 a1,2 a1,3 a1,4 a1,5 a1,6 a1,7
    a2,0 a2,1 a2,2 a2,3 a2,4 a2,5 a2,6 a2,7
    a3,0 a3,1 a3,2 a3,3 a3,4 a3,5 a3,6 a3,7

Variable block size: 16, 24 or 32 bytes; ai,j represents the byte in the ith row and jth column. The data bytes fill the array column by column.

Nb = number of column vectors (4-byte vectors) of the block: 4, 6 or 8

12

State

The plaintext block of data is represented as a matrix. Each cell of the matrix is a byte.

The en/de-cryption process is a multi-step process.

The matrix is manipulated at each step to yield a new matrix as the output of the step.

At each stage, the matrix of data, whether it is the input to the stage or it is the output of the stage, is called a STATE.

The final output of the multi-step encryption process yields the ciphertext.

13

Rijndael Cipher

• Each stage in the en/de-cryption process takes a matrix of input, called a STATE, and produces a matrix of output, also called a STATE. (The output state is naturally different from the input state.)
• Given a key K, the KEY EXPANSION process expands the one key into multiple sub-keys (round keys), each the size of the block.
• ROUND: a collection of steps, performed sequentially on a state, to produce a new state.

14

Rijndael encryption (and decryption) process: Number of Rounds (Nr)

10/12/14 applications of (nearly) the same round function.

Nr = 6 + max(Nk, Nb)

             Nb = 4   Nb = 6   Nb = 8
    Nk = 4     10       12       14
    Nk = 6     12       12       14
    Nk = 8     14       14       14

15

Rijndael Cipher

Three-step process of encryption:
1. initial XOR of the 128-bit block of plaintext with the first sub-key (round key 0)
2. 9/11/13 full rounds. Each round consists of:
   • byte substitution (the same S-box is used on every byte, unlike DES, where 8 different S-boxes are used)
   • shift rows (permute bytes between columns)
   • mix columns (substitution using a matrix multiplication over each column)
   • add round key (XOR the state with a separate sub-key for each round)
3. an incomplete last (i.e. 10th/12th/14th) round, without the mix columns operation

16

Example: Key Expansion for a 128 bit key and 128 bit block

If Nb is fixed at 4, the number of rounds Nr = 10, 12 or 14, depending upon the value of Nk.

Number of round keys required = Nr + 1 (one for the initial XOR, one per round).

Example: Given a key of 128 bits, Nk = 4. The key is first rewritten as four components of 4 bytes each, called w(0) to w(3); each w is 32 bits. The key is then expanded from 4 to 44 components of 32 bits each, called w(i), i = 0 to 43. For the jth round (j = 0 being the initial XOR), the sub-key consists of w(4j) to w(4j+3).

Total number of round key bits = N(Nr + 1), where N = block size in bits (here 128 x 11 = 1408 bits = 44 words).

17

Rijndael Cipher continued

• The Rijndael cipher has a variable block length and key length. Currently keys of 128, 192 or 256 bits are used to encrypt blocks of 128, 192 or 256 bits (all nine combinations of key length and block length are possible).
• Both block length and key length can be extended very easily by multiples of 32 bits.
• Rijndael can be implemented efficiently on a wide range of processors and in hardware.
• All operations can be combined into XORs and table lookups, hence it is very fast and efficient.

18

Rijndael Cipher continued

• For a 128-bit block, the cipher processes data as 4 groups of 4 bytes each. Each group is shown as a column in a matrix of four columns; each column has 4 rows. Each cell of the 4x4 matrix contains one byte.
• The output of every round is a new state of 128 bits, or 4 columns of 4 bytes each.
• The ciphertext is the final output generated by the cipher.

19

Example of selection process: Cryptographic Hash Algorithm (SHA-3)

• 2005: Prof. Xiaoyun Wang: a differential attack on SHA-1 that can find a hash collision (two messages with the same hash value) with an estimated work of 2^63 operations; ideally 2^80 operations should be required for any good 160-bit hash function.
• Recommendation: use the SHA-2 family of hash functions (SHA-224, SHA-256, SHA-384 and SHA-512).
• A competition by NIST: entries received by October 31, 2008; July 2009: Second Round candidates selected. (Reference: http://csrc.nist.gov/ as of Oct 5, 2009)

20

The AES Cipher

• A FIPS-approved cryptographic algorithm that can be used to protect electronic data.
• AES uses a 128-bit block only. The key may be 128, 192 or 256 bits, so Nk may be 4, 6 or 8.
• Nr = number of rounds = 6 + Nk (since Nb = 4 and Nk >= 4, max(Nk, Nb) = Nk).

Reference: Federal Information Processing Standards (FIPS) Publication 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, as of Oct 5, 2009

21

“This authority (National Protection and Programs Directorate) will assist us in recruiting the best people in the world to come work for us over the next few years as cyber analysts, developers and engineers. So look out – we’re coming.” - Janet Napolitano, Homeland Security Secretary, in "DHS could hire 1000 more cyber security professionals", Federal Computer Week, October 1, 2009, http://fcw.com/Articles/2009/10/01/Web-DHS-hiring-cybersecurity-officials.aspx as of 7th Oct 2009

22

AES vs Rijndael

• AES uses a 128-bit block only (Nb = 4 only). Rijndael can use a block of 128/192/256 bits (Nb may be 4/6/8).
• Both AES and Rijndael may use cryptographic keys of 128, 192 or 256 bits (Nk may be 4/6/8).
• AES has 10, 12 or 14 rounds for Nk of 4, 6 or 8 respectively.

23

Steps of a Round Function

The round function is composed of 4 steps (except for the incomplete last round, which has no MixColumn). Each step has its own particular function:
• ByteSub: non-linearity
• ShiftRow: inter-column diffusion
• MixColumn: inter-byte diffusion within columns
• Round key addition: makes the round depend on the key
The figure on the next slide shows both the encryption and decryption processes; the STATE at corresponding levels of encryption and decryption is the same.

24

AES Cipher continued

25

Pseudo Code for Encryption

For the earlier rounds:

    Round(State, RoundKey) {
        ByteSub(State);
        ShiftRow(State);
        MixColumn(State);
        AddRoundKey(State, RoundKey);
    }

For the last round, it is a little different (no MixColumn):

    FinalRound(State, RoundKey) {
        ByteSub(State);
        ShiftRow(State);
        AddRoundKey(State, RoundKey);
    }

26


Three Steps of Decryption

1. initial XOR of the ciphertext with the last sub-key
2. 9/11/13 full rounds, in which the state undergoes:
   • InvShiftRows (permute bytes between columns; the shifts are to the right)
   • InvByteSub (the same inverse S-box is used on every byte)
   • AddRoundKey (XOR the state with the sub-keys, taken in reverse order)
   • InvMixColumns (substitution using the inverse matrix multiplication over each column)
3. an incomplete last (i.e. 10th/12th/14th) round, without the InvMixColumns operation

27

Pseudo Code for Decryption

For the earlier rounds:

    InvRound(State, RoundKey) {
        InvShiftRow(State);
        InvByteSub(State);
        AddRoundKey(State, RoundKey);
        InvMixColumn(State);
    }

For the last round, it is a little different (no InvMixColumn):

    InvFinalRound(State, RoundKey) {
        InvShiftRow(State);
        InvByteSub(State);
        AddRoundKey(State, RoundKey);
    }

28

Sequence of Operations in a Round (SoOiaR) of Encryption vs. SoOiaR of Decryption

Let S_i be the input state for round i and let S_(i+1) be the output state.

Encryption: let w(4i) to w(4i+3) be the RoundKey for the ith round.

    S_(i+1) = AddRoundKey( MixColumn( ShiftRow( ByteSub(S_i) ) ) )

In the last round, the MixColumn operation is not included.

Decryption (Nr = 10): let w(4(10-i)) to w(4(10-i)+3) be the RoundKey for the ith round, i.e. the round keys are used in reverse order.

    S_(i+1) = InvMixColumn( AddRoundKey( InvByteSub( InvShiftRow(S_i) ) ) )

In the last round, the InvMixColumn operation is not included.

Method of aligning the two sequences: after a study of the 4 operations (see the equivalent inverse cipher on slide 89).

29

AES Cipher continued

30

AES: sources of security

• AES begins and ends with AddRoundKey. On its own, key addition provides little security.
• ByteSub, ShiftRow and MixColumn make no use of the key and are invertible by anyone, but they provide non-linearity, diffusion and confusion.
• Jointly, the keyed and unkeyed steps provide the security.

31

The process of Encryption: Add Round Key

• XOR the state with the 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• the inverse for decryption is identical, since XOR is its own inverse; only the correct round key must be used

32

Example

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33

Input M = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
Cipher Key K = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

0th Round (the first stage): M0 = M xor K, with the bytes written into the state column by column:

    M                 K                 M0
    32 88 31 e0       2b 28 ab 09       19 a0 9a e9
    43 5a 31 37  xor  7e ae f7 cf   =   3d f4 c6 f8
    f6 30 98 07       15 d2 15 4f       e3 e2 8d 48
    a8 8d a2 34       16 a6 88 3c       be 2b 2a 08

Each stage generates a new STATE. Thus from M (the input state), this stage generates a new state M0.

33

First Step in a Round of Encryption: ByteSub

Each byte a(i,j) of the state is replaced by b(i,j) = S-box[a(i,j)]:

    a0,0 a0,1 a0,2 a0,3                 b0,0 b0,1 b0,2 b0,3
    a1,0 a1,1 a1,2 a1,3   -- S-box -->  b1,0 b1,1 b1,2 b1,3
    a2,0 a2,1 a2,2 a2,3                 b2,0 b2,1 b2,2 b2,3
    a3,0 a3,1 a3,2 a3,3                 b3,0 b3,1 b3,2 b3,3

• Bytes are transformed by applying an invertible S-box
• One single S-box for the complete cipher
• High non-linearity

34


Byte Substitution

• a simple substitution of each byte
• uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of the state is replaced by the byte at row (left 4 bits) and column (right 4 bits) of the S-box, e.g. byte {95} is replaced by the byte in the 9th row and 5th column of the S-box, which is {2A}
• the S-box is constructed using a defined transformation of the values in GF(2^8)
• designed to be resistant to all known attacks

35

S-Box

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16, as of October 12, 2009

36

Design Criteria for the S-box

• Low correlation between input and output bits
• Output cannot be a simple mathematical function of the input
• No fixed point of the S-box: the input and output of the S-box are never the same, S(a) != a
• No "opposite fixed point" of the S-box: the output is never the bit-wise complement of the input, S(a) != a xor FF

37

Construction of 16 X16 S-box

Each cell of the S-box contains one byte. Rows and columns are numbered from 0 to F.

Step 1: Initialization: put in each cell the value equal to its position (row, column). Ex.: in row 0, column 2, the value would be 02 (hex) = 0000 0010 (binary).

Step 2: Replace the value in each cell by its multiplicative inverse in GF(2^8) mod (x^8 + x^4 + x^3 + x + 1); the value 00 has no inverse and is left as 00. Use the extended Euclidean algorithm, given in the Mathematical Background.

38

Now Please Refer to the Mathematical background.

39

Multiplicative inverse: Extended Euclid[m(x), b(x)] Algorithm

1. (A1, A2, A3) <- (1, 0, m(x)); (B1, B2, B3) <- (0, 1, b(x))
2. If B3 = 0, return A3 = gcd(m(x), b(x)); no inverse exists.
3. If B3 = 1, return B3 = gcd(m(x), b(x)) and B2 as the multiplicative inverse of b(x) (i.e. b(x)·B2 = 1 mod m(x)).
4. Q = quotient of A3 / B3
5. (T1, T2, T3) <- (A1 - Q·B1, A2 - Q·B2, A3 - Q·B3)
6. (A1, A2, A3) <- (B1, B2, B3)
7. (B1, B2, B3) <- (T1, T2, T3)
8. Go to 2

(Over GF(2), subtraction is the same as addition, i.e. XOR of the coefficients.)

40

Construction of 16 X16 S-box

Multiplicative inverse mod (x^8 + x^4 + x^3 + x + 1). Ex.: in row 0, column 2, the value 02 (corresponding to a(x) = x) is replaced by its multiplicative inverse, which is shown below to be 8D. To find c(x) so that a(x)·c(x) = 1 mod (x^8 + x^4 + x^3 + x + 1):

    A1  A2  A3                    B1  B2                B3   Q
    1   0   x^8+x^4+x^3+x+1       0   1                 x    -
    0   1   x                     1   x^7+x^3+x^2+1     1    x^7+x^3+x^2+1

(x^8+x^4+x^3+x+1 = x·(x^7+x^3+x^2+1) + 1, so Q = x^7+x^3+x^2+1 and the remainder is 1.)

B3 = 1, so c(x) = B2 = x^7 + x^3 + x^2 + 1 = 1000 1101 (binary) = 8D (hex).

Step 3: Use the matrix transformation of the next slide to transform 8D (written as the column vector x]) into a new vector y].

41

Example: Row 0 and column 2 .. Contd.

c(x) = x^7 + x^3 + x^2 + 1 = 8D = a7·x^7 + a6·x^6 + … + a1·x + a0, so the column vector is

    x] = [a0, a1, a2, a3, a4, a5, a6, a7]^T = [1, 0, 1, 1, 0, 0, 0, 1]^T

42

S-Box construction: Example…. continued

y] = [M1] x] + m2], where

    [M1] =  1 0 0 0 1 1 1 1        m2] =  1
            1 1 0 0 0 1 1 1               1
            1 1 1 0 0 0 1 1               0
            1 1 1 1 0 0 0 1               0
            1 1 1 1 1 0 0 0               0
            0 1 1 1 1 1 0 0               1
            0 0 1 1 1 1 1 0               1
            0 0 0 1 1 1 1 1               0

(m2] is the constant 63 (hex), written least significant bit first.)

43

Construction of 16 X16 S-box Example…. continued

Step 3 (continued):

    y] = [M1] [1 0 1 1 0 0 0 1]^T + [1 1 0 0 0 1 1 0]^T
       = [0 0 1 0 1 0 0 0]^T + [1 1 0 0 0 1 1 0]^T
       = [1 1 1 0 1 1 1 0]^T

NOTE: reading the vector as b0 … b7, the transformed value is 0111 0111 (binary) = 77 (hex). So the S-box holds 77 in row 0, column 2.

The Inverse S-box provides the value 02 in the 7th row and 7th column.

AES uses two substitution boxes: the S-box for encryption and the Inverse S-box for decryption. The next slide again shows the S-box.

44

S-Box

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 16

45

Example of Byte Sub

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33. Use M0 of slide 33 as the input data for this example.

    M0                              M11
    19 a0 9a e9                     d4 e0 b8 1e
    3d f4 c6 f8   -- ByteSub -->    27 bf b4 41
    e3 e2 8d 48                     11 98 5d 52
    be 2b 2a 08                     ae f1 e5 30

46

Inverse Byte Substitution

    95 -- S-Box --> 2a -- Inv S-Box --> 95
    95 -- Inv S-Box --> ad

The S-box is NOT self-inverse: for the same input, the S-box and the Inverse S-box will NOT give the same output.

47

Inverse S-Box

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 22

48

Construction of Inverse Substitution Box

x] = [M3] y] + m4], where

    [M3] =  0 0 1 0 0 1 0 1        m4] =  1
            1 0 0 1 0 0 1 0               0
            0 1 0 0 1 0 0 1               1
            1 0 1 0 0 1 0 0               0
            0 1 0 1 0 0 1 0               0
            0 0 1 0 1 0 0 1               0
            1 0 0 1 0 1 0 0               0
            0 1 0 0 1 0 1 0               0

(m4] is the constant 05 (hex), written least significant bit first.) The byte x is then replaced by its multiplicative inverse, as in Step 2.

49

Justification

x] = [M3] y] + m4]. Using slide 43, y] = [M1] x] + m2], so

    x] = [M3] ([M1] x] + m2]) + m4] = [M3][M1] x] + [M3] m2] + m4]

We find [M3][M1] = unity matrix and [M3] m2] + m4] = 0], so the two transformations are inverses of each other.

50
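The two construction steps above (multiplicative inverse in GF(2^8) by the extended Euclid of slide 40, then the affine map y] = [M1] x] + m2] of slide 43), the inverse construction of slide 49 and the design criteria of slide 37, carried out for all 256 bytes. This is an added example written for this page, not code from the slides or from FIPS-197; the state layout (a list of 4 rows, as the slides print it) and the function names are this example's own choices.

```python
"""Build the AES S-box and inverse S-box from scratch (added example)."""

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, packed as an int (bit i = coefficient of x^i)


def clmul(a, b):
    """Carry-less product of two polynomials over GF(2) packed as ints."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Quotient and remainder of a / b in GF(2)[x]; coefficients add and subtract by XOR."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_inverse(b, m=M_X):
    """Extended Euclid[m(x), b(x)] as on slide 40: returns B2 with b(x)*B2 = 1 mod m(x).

    00 has no inverse; AES maps it to 00 so that the S-box stays a permutation.
    """
    if b == 0:
        return 0
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b
    while b3 != 1:                      # gcd(b, m) = 1 for irreducible m, so B3 reaches 1
        q, _ = poly_divmod(a3, b3)
        t1, t2, t3 = a1 ^ clmul(q, b1), a2 ^ clmul(q, b2), a3 ^ clmul(q, b3)
        a1, a2, a3 = b1, b2, b3
        b1, b2, b3 = t1, t2, t3
    return b2


def rotl8(b, k):
    return ((b << k) | (b >> (8 - k))) & 0xFF


def affine(b):
    """y] = [M1] x] + m2]: bit i of y is x_i + x_(i+4) + x_(i+5) + x_(i+6) + x_(i+7) + c_i, c = 63."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def inverse_affine(y):
    """x] = [M3] y] + m4]: bit i of x is y_(i+2) + y_(i+5) + y_(i+7) + d_i, d = 05."""
    return rotl8(y, 1) ^ rotl8(y, 3) ^ rotl8(y, 6) ^ 0x05


SBOX = [affine(gf_inverse(b)) for b in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def inverse_construction_matches():
    """Slide 50: undoing the affine map, then inverting in GF(2^8), equals inverting the table."""
    return all(INV_SBOX[y] == gf_inverse(inverse_affine(y)) for y in range(256))


def meets_design_criteria():
    """Slide 37: a permutation with no fixed point and no 'opposite' fixed point."""
    return (len(set(SBOX)) == 256
            and all(SBOX[a] != a for a in range(256))
            and all(SBOX[a] != a ^ 0xFF for a in range(256)))


def sub_bytes(state, box=SBOX):
    """ByteSub on a state given as 4 rows of 4 bytes (the layout the slides print)."""
    return [[box[b] for b in row] for row in state]


# State M0 from slide 33 and its ByteSub output M11 from slide 46.
M0 = [[0x19, 0xa0, 0x9a, 0xe9], [0x3d, 0xf4, 0xc6, 0xf8],
      [0xe3, 0xe2, 0x8d, 0x48], [0xbe, 0x2b, 0x2a, 0x08]]
M11 = [[0xd4, 0xe0, 0xb8, 0x1e], [0x27, 0xbf, 0xb4, 0x41],
       [0x11, 0x98, 0x5d, 0x52], [0xae, 0xf1, 0xe5, 0x30]]

if __name__ == "__main__":
    print(f"inverse of 02 = {gf_inverse(0x02):02x}, S[02] = {SBOX[0x02]:02x}, S[95] = {SBOX[0x95]:02x}")
    print("ByteSub(M0) == M11:", sub_bytes(M0) == M11)
```

The affine map is written as rotations of the byte rather than as an explicit 8x8 matrix multiply; row i of [M1] is row 0 rotated by i positions, so the two forms are the same computation. Passing INV_SBOX to sub_bytes gives the InvByteSub step of decryption.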


Second Step in a Round of Encryption: ShiftRows

A circular byte shift to the left in each row:
• 1st row is unchanged
• 2nd row does a 1-byte circular shift to the left
• 3rd row does a 2-byte circular shift to the left
• 4th row does a 3-byte circular shift to the left
In this step, the 4 bytes of each column are distributed over 4 different columns.

During decryption, the shifts are circular shifts to the right.

This step provides "permutation" of the data.

51

ShiftRow

    m n i j                    m n i j
    g h o p   -- ShiftRow -->  h o p g
    w x y z                    y z w x
    b c d e                    e b c d

• Rows are shifted over 4 different offsets
• High diffusion over multiple rounds
• Interaction with MixColumn

52

Shift offsets:

Original Rijndael spec: the first row: no shift; the second row: circular shift by C1; the third row: circular shift by C2; the fourth row: circular shift by C3.

    Nb = 4:  C1 = 1, C2 = 2, C3 = 3
    Nb = 6:  C1 = 1, C2 = 2, C3 = 3
    Nb = 8:  C1 = 1, C2 = 3, C3 = 4

AES has Nb = 4 only.

53

Example of ShiftRow

Reference: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 33. Use M11 of slide 46 as the input data for this example.

    M11                              M12
    d4 e0 b8 1e                      d4 e0 b8 1e
    27 bf b4 41   -- ShiftRow -->    bf b4 41 27
    11 98 5d 52                      5d 52 11 98
    ae f1 e5 30                      30 ae f1 e5

54

Third Step in a Round of Encryption: MixColumn

Each column of the state is multiplied by a fixed matrix over GF(2^8):

    b0,j       02 03 01 01     a0,j
    b1,j   =   01 02 03 01  x  a1,j
    b2,j       01 01 02 03     a2,j
    b3,j       03 01 01 02     a3,j

• Bytes in columns are linearly combined
• High intra-column diffusion
• Based on the theory of error correcting codes

55


Mix Columns

• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication, where each byte is treated as a polynomial in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
• Input state = S; output state = S'

56

Example: Mix Column: Evaluation of S'00

Reference: Mathematical background. Use M12 of slide 54 as the input data for this example.

S'00 = (02·S00) xor (03·S10) xor (01·S20) xor (01·S30)

Values in the first column: S00 = d4, S10 = bf, S20 = 5d, S30 = 30

01·30 = 30 = 0011 0000
01·5d = 5d = 0101 1101

03·bf: bf can be represented as a(x) = x^7 + x^5 + x^4 + x^3 + x^2 + x + 1, so 03·bf = (x + 1)·a(x) mod m(x) = x·a(x) xor a(x) mod (x^8 + x^4 + x^3 + x + 1), i.e. 02·bf xor 01·bf.
    02·bf = shift left and XOR with 1b (the top bit was 1) = 0111 1110 xor 0001 1011 = 0110 0101 = 65
    01·bf = bf = 1011 1111
    03·bf = 0110 0101 xor 1011 1111 = 1101 1010 = da

57

Example: Mix Column: Evaluation of S'00 ….2

02·d4: d4 = x^7 + x^6 + x^4 + x^2, so x·(x^7 + x^6 + x^4 + x^2) mod (x^8 + x^4 + x^3 + x + 1) requires a shift left and an XOR with 1b: 1010 1000 xor 0001 1011 = 1011 0011 = b3

S'00 = b3 xor da xor 5d xor 30 = 1011 0011 xor 1101 1010 xor 0101 1101 xor 0011 0000 = 0000 0100 = 04

58

Example: Mix Column: Evaluation of S'10

Reference: Mathematical background.

S'10 = (01·S00) xor (02·S10) xor (03·S20) xor (01·S30), with S00 = d4, S10 = bf, S20 = 5d, S30 = 30

01·d4 = d4
02·bf = 65, by shifting bf once to the left and XOR-ing with 1b: 1011 1111 shifted left is 0111 1110; 0111 1110 xor 0001 1011 = 0110 0101 = 65
03·5d = 01·5d xor 02·5d, by splitting 03 into 01 and 02:
    02·5d = ba, by shifting 5d = 0101 1101 once to the left: 1011 1010 (no XOR with 1b, since the top bit was 0)
    03·5d = 0101 1101 xor 1011 1010 = 1110 0111 = e7
01·30 = 30

S'10 = d4 xor 65 xor e7 xor 30 = 66

59

Example: Mix Column

Use M12 of slide 54 as the input data for this example.

The previous 3 slides show the calculation of S'00 and S'10. Similarly the whole of the state S' can be calculated.

    M12                                M13
    d4 e0 b8 1e                        04 e0 48 28
    bf b4 41 27   -- MixColumn -->     66 cb f8 06
    5d 52 11 98                        81 19 d3 26
    30 ae f1 e5                        e5 9a 7a 4c

60

Inverse Mix Column

MC != MC^-1. Hence using MC^-1 is more difficult, since it requires multiplication by more complex polynomials (09, 0B, 0D and 0E instead of 01, 02 and 03).

61

Selection of values in MixColumn

• Selected for good mixing: based on a linear code with maximum distance between code words (an MDS code)
• Small values 01, 02 and 03 lead to a faster implementation: they require only a shift and an XOR
• This leads to a more difficult decryption; the CFB (Cipher Feedback) and OFB (Output Feedback) modes need only the encryption process, even for decryption

62

Cipher FeedBack (CFB)

63

Output FeedBack (OFB)

64

Inverse Mix Column transformation

If S is the input matrix and S' the output matrix, each column is multiplied by the inverse matrix:

             0E 0B 0D 09
    [S'] =   09 0E 0B 0D   x  [S]
             0D 09 0E 0B
             0B 0D 09 0E

The above process is the inverse of the forward process of slide 55, because

    0E 0B 0D 09     02 03 01 01     01 00 00 00
    09 0E 0B 0D  x  01 02 03 01  =  00 01 00 00
    0D 09 0E 0B     01 01 02 03     00 00 01 00
    0B 0D 09 0E     03 01 01 02     00 00 00 01

65

Inverse Mix Column transformation cont…

Proof for the element in row 1 and column 1 of the product:

    A11 = 0E·02 xor 0B·01 xor 0D·01 xor 09·03
    0E·02 = 1C, by shifting 0E to the left
    09·03 = 09·01 xor 09·02 = 09 xor 12 = 1B, by splitting 03 into 01 and 02 and shifting 09 to the left
    A11 = 1C xor 0B xor 0D xor 1B = 01

66

Mix Column transformation: Comments

• MixColumn during encryption uses the values 01, 02 and 03. These are implemented by a shift, or by a shift and an XOR.
• Inverse MixColumn for decryption is more complex.
• It was only possible to make one of the two processes simple. It was decided to make the encryption process simpler than decryption because encryption is more important:
  • AES may be used for authentication (e.g. as a MAC), where only encryption is needed.
  • The CFB, OFB and CTR modes do not require the decryption process (refer to DES part 2, slides 11-23).

67

Example (using the example of slide 60): Inverse MixColumn

    M13 -- InvMixColumn --> M12:

    0e 0b 0d 09     04 e0 48 28
    09 0e 0b 0d  x  66 cb f8 06  =  M12
    0d 09 0e 0b     81 19 d3 26
    0b 0d 09 0e     e5 9a 7a 4c

S00 = 0e·04 xor 0b·66 xor 0d·81 xor 09·e5

(In the next three slides, we show the calculation of S00.)

68

Example: Inverse MixColumn …….. 2

0e·04: (0000 1110)·(0000 0100) can be visualized as (x^3 + x^2 + x)·b(x) mod (x^8 + x^4 + x^3 + x + 1), with b(x) = 0000 0100:
    x·b(x):   0000 1000
    x^2·b(x): 0001 0000
    x^3·b(x): 0010 0000
    0e·04 = 0000 1000 xor 0001 0000 xor 0010 0000 = 0011 1000 = 38

69

Example: Inverse MixColumn …….. 3

0b·66: b(x) = 0110 0110
    x·b(x):   1100 1100
    x^2·b(x): 1001 1000 xor 0001 1011 = 1000 0011
    x^3·b(x): 0000 0110 xor 0001 1011 = 0001 1101
    0b·66 = (x^3 + x + 1)·b(x) = 0001 1101 xor 1100 1100 xor 0110 0110 = 1011 0111 = b7

0d·81: b(x) = 1000 0001
    x·b(x):   0000 0010 xor 0001 1011 = 0001 1001
    x^2·b(x): 0011 0010
    x^3·b(x): 0110 0100
    0d·81 = (x^3 + x^2 + 1)·b(x) = 0110 0100 xor 0011 0010 xor 1000 0001 = 1101 0111 = d7

70

Example: Inverse MixColumn …….. 4

09·e5: b(x) = 1110 0101
    x·b(x):   1100 1010 xor 0001 1011 = 1101 0001
    x^2·b(x): 1010 0010 xor 0001 1011 = 1011 1001
    x^3·b(x): 0111 0010 xor 0001 1011 = 0110 1001
    09·e5 = (x^3 + 1)·b(x) = 0110 1001 xor 1110 0101 = 1000 1100 = 8c

S00 = 0e·04 xor 0b·66 xor 0d·81 xor 09·e5 = 0011 1000 xor 1011 0111 xor 1101 0111 xor 1000 1100 = 1101 0100 = d4

71

Example (using the example of slide 60): Inverse Mix Column …….. 5

Proceeding in a similar manner, we find that InvMixColumn returns M13 to M12:

    M13                                  M12
    04 e0 48 28                          d4 e0 b8 1e
    66 cb f8 06   -- InvMixColumn -->    bf b4 41 27
    81 19 d3 26                          5d 52 11 98
    e5 9a 7a 4c                          30 ae f1 e5

72

Fourth Step in a Round of Encryption: AddRoundKey

Each byte of the state is XORed with the corresponding byte of the round key: b(i,j) = a(i,j) xor k(i,j)

    a0,0 a0,1 a0,2 a0,3       k0,0 k0,1 k0,2 k0,3       b0,0 b0,1 b0,2 b0,3
    a1,0 a1,1 a1,2 a1,3  xor  k1,0 k1,1 k1,2 k1,3   =   b1,0 b1,1 b1,2 b1,3
    a2,0 a2,1 a2,2 a2,3       k2,0 k2,1 k2,2 k2,3       b2,0 b2,1 b2,2 b2,3
    a3,0 a3,1 a3,2 a3,3       k3,0 k3,1 k3,2 k3,3       b3,0 b3,1 b3,2 b3,3

• Makes the round function dependent upon the key
• Computation of round keys: "keep it simple"
• Small number of operations
• Small amount of memory

73

AES Round: State of 16 bytes, combined with the 16 bytes of round key r_i (Ref: Stallings Fig 5-3)

74

Key Expansion for 128 bit key and 128 bit block

(See slide 17.) A key of 128 bits, i.e. Nk = 4, is first rewritten as four components of 4 bytes each, called w(0) to w(3). It is then expanded from 4 to 44 components of 32 bits each, called w(i), i = 0 to 43. For the jth round of encryption, the sub-key consists of w(4j) to w(4j+3). (For decryption, this would be the key for the (10-j)th round.)

75

AES Cipher continued

76


AES Key Expansion

• takes the 128/192/256-bit (16/24/32-byte) key and expands it into an array of 44/52/60 32-bit words
• starts by copying the key into the first Nk 32-bit words, w(0) to w(3) for a 128-bit key
• then uses a loop in which each new 4-byte word w(i) depends on the values of the immediately previous word w(i-1) and the word Nk places back, w(i-Nk) (4 places back for a 128-bit key)
• in 3 of 4 cases, these are just XORed together (for w(i) where i is not a multiple of 4)

77

AES Key Expansion continued

    Key bytes:  K0 K1 K2 K3 | K4 K5 K6 K7 | K8 K9 K10 K11 | K12 K13 K14 K15
    Words:          w0      |     w1      |      w2       |       w3
                    |               |              |               |
    Next words:     w4      |     w5      |      w6       |       w7

78

AES Key Expansion continued

Every 4th case (for w(i), where i is a multiple of 4): the immediately preceding word first goes through a process described by a function g.

Three steps of g:
• RotWord: one-byte circular left shift of the previous word
• SubWord: substitute each of the 4 bytes using the S-box
• XOR with a 32-bit round constant called Rcon(j), where j = i/4 is the round number

79

Example: Key Expansion: Calculation of w4

Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
    w0 = 2b7e1516
    w1 = 28aed2a6
    w2 = abf71588
    w3 = 09cf4f3c

Calculation of w4: RotWord and SubWord
    X1 = RotWord(w3) = cf4f3c09
    X2 = SubWord(X1): cf4f3c09 -- S-box --> 8a84eb01

Example continued after two slides.

80

AES Key Expansion: Rcon(j)

Reference for the key expansion example: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, page 28

Calculation of w(i) for every 4th case (for w(i), where i is a multiple of 4), continued from the previous slide. The first byte of Rcon(j) is called RC(j). The second, third and fourth bytes of Rcon(j) are 0.

RC(1) = 1; RC(j) = 2·RC(j-1) for j = 2 to 10. The multiplication is defined over the field GF(2^8), with m(x) = x^8 + x^4 + x^3 + x + 1. Thus RC(2) = 2, …, RC(8) = 128 = 80 (hex).

RC(9) = x^8 mod m(x) = x^4 + x^3 + x + 1 = 1B
RC(10) = x^5 + x^4 + x^2 + x = 0011 0110 = 36 (hex), obtained by shifting RC(9) to the left

81

AES Key Expansion: Rcon(j) Formulae

Key expansion formulae for i = 4 to 43:
    w(i) = w(i-1) xor w(i-4)                      if i is not a multiple of 4
    w(i) = g{w(i-1)} xor w(i-4)                   if i is a multiple of 4
    g{w(i-1)} = Rcon[j] xor SubWord(RotWord(w(i-1))),  where j = i/4 = round number

    j       1   2   3   4   5   6   7   8   9   10
    RC[j]   01  02  04  08  10  20  40  80  1B  36   (hex)

    Rcon[j] = RC[j] 00 00 00

82

Example: Key Expansion: continued from slide 80

Calculation of w4, w5, w6 and w7 ..….2

Rcon(1) = 01 00 00 00
    X3 = X2 xor Rcon(1) = 8a84eb01 xor 01000000 = 8b84eb01
    w4 = w0 xor X3 = 2b7e1516 xor 8b84eb01 = a0fafe17

For w5, w6 and w7, only an XOR is required:
    w5 = w1 xor w4 = 28aed2a6 xor a0fafe17 = 88542cb1
    w6 = w2 xor w5 = abf71588 xor 88542cb1 = 23a33939
    w7 = w3 xor w6 = 09cf4f3c xor 23a33939 = 2a6c7605

83

Important Considerations: Round Key Generation Algorithm

• Knowledge of a part of the cipher key, or of fewer than Nk consecutive words of a round key, is insufficient for calculation of the remaining key material
• Round constants are used to eliminate symmetries between round keys

84

AES Key Expansion

Example: Calculation of the 9th round key. Given the key for the 8th round:

    EA D2 73 21  B5 8D BA D2  31 2B F5 60  7F 8D 29 2F

The sub-key for the 8th round consists of w(32) to w(35). The sub-key for the 9th round consists of w(36) to w(39).

    w(36) = g{w(35)} xor w(32)
    g{w(35)} = Rcon(9) xor SubWord(RotWord(7F 8D 29 2F))
             = (1B 00 00 00) xor SubWord(8D 29 2F 7F)
             = (1B 00 00 00) xor (5D A5 15 D2)        (using the S-box)
             = 46 A5 15 D2
    w(36) = (46 A5 15 D2) xor (EA D2 73 21) = AC 77 66 F3

85

AES Key Expansion

Example: Calculation of the 9th round key … 2

    w(37) = w(36) xor w(33) = (AC 77 66 F3) xor (B5 8D BA D2) = 19 FA DC 21
    w(38) = w(37) xor w(34) = (19 FA DC 21) xor (31 2B F5 60) = 28 D1 29 41
    w(39) = w(38) xor w(35) = (28 D1 29 41) xor (7F 8D 29 2F) = 57 5C 00 6E

Key for the 9th round = AC 77 66 F3 19 FA DC 21 28 D1 29 41 57 5C 00 6E

86
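The key schedule of slides 77-86 as running code, generalized to all three AES key sizes as FIPS-197 Section 5.2 defines it (for Nk = 8 a SubWord is also applied when i mod 8 = 4, a case the slides, which cover Nk = 4, do not show). This is an added example written for this page, not code from the slides; the S-box is the FIPS-197 table the slides reference (page 16), the example key is the slides' own 2b 7e 15 16 …, and the function names are this example's choices.

```python
"""AES key expansion for 128/192/256-bit keys (added example)."""

# The AES S-box of FIPS-197 page 16, rows 0..F top to bottom: SBOX[0x95] is row 9, column 5.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)
assert len(SBOX) == 256


def xtime(b):
    """{02}·b in GF(2^8) mod x^8+x^4+x^3+x+1; slide 81 uses it to derive RC(j)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def rcon(j):
    """Rcon(j) = RC(j) 00 00 00 with RC(1) = 01 and RC(j) = 02·RC(j-1), as a 32-bit word."""
    rc = 0x01
    for _ in range(j - 1):
        rc = xtime(rc)
    return rc << 24


def rot_word(w):
    """One-byte circular left shift of a 32-bit word: 09cf4f3c -> cf4f3c09 (slide 80)."""
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF


def sub_word(w):
    """Apply the S-box to each of the four bytes of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def key_expansion(key):
    """Expand a 16/24/32-byte key into 4·(Nr+1) words w(0)..w(4·Nr+3) (FIPS-197 Sec. 5.2)."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nr = nk + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = sub_word(rot_word(temp)) ^ rcon(i // nk)     # the g() of slide 79
        elif nk > 6 and i % nk == 4:
            temp = sub_word(temp)      # extra SubWord for 256-bit keys only (not on the slides)
        w.append(w[i - nk] ^ temp)
    return w


def round_key(w, j):
    """Round key j as 16 bytes, column by column; j = 0 is the key for the initial AddRoundKey."""
    return b"".join(x.to_bytes(4, "big") for x in w[4 * j:4 * j + 4])


# The slides' example cipher key (also FIPS-197 Appendix A.1 and B).
EXAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    words = key_expansion(EXAMPLE_KEY)
    for j in range(11):
        print(f"round key {j:2d}: {round_key(words, j).hex()}")
```

Rcon is derived by repeated xtime rather than stored, so the 1B and 36 of slide 81 fall out of the field arithmetic; a stored table would be the usual choice in production code. Note that the schedule is invertible: anyone holding one full round key of AES-128 can run it backwards to the cipher key, which is why round keys must be protected as carefully as the key itself.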

AES Decryption vs Encryption

Steps in AES decryption vs those in AES encryption:
• The steps for the encryption and decryption processes are not identical (unlike the case for DES).
• Moreover, in each round the steps are not in a similar sequence for encryption and decryption.
• Each round of encryption: SubBytes -> ShiftRows -> MixColumns -> AddRoundKey
• Each round of decryption: InvShiftRows -> InvSubBytes -> AddRoundKey -> InvMixColumns
• Disadvantage: AES requires 2 separate software/firmware implementations for encryption and decryption

87

Methods for en/de-crypting larger amounts of data, by using only the AES Encryption process

• Cipher Feedback (CFB): used over a reliable network layer for stream data encryption and authentication
• Output Feedback (OFB): can be used over noisy channels; OFB requires that sender and receiver remain in sync
• Counter Mode (CTR): for high-speed network encryption as in ATM or IPsec; good for bursty high-speed links

88

Sequence of Steps in a Round of Decryption

An equivalent inverse cipher with the same sequence of steps as for encryption (but with each operation inverted) is possible, because InvMixColumn is linear and so commutes with AddRoundKey. It requires an additional step of InvMixColumn on the round key before the step of AddRoundKey (except for the first and the last AddRoundKey steps).

Reference: Cryptography & Network Security by William Stallings, Prentice Hall, 4th Ed., Figure 5.7, page 158.

89

“Some tools may get the job done, but they may not get the job done well.” - Mike Shema et al., “Anti-Hacker Toolkit”, p. xxiv, 3rd Ed., McGraw-Hill, 2006

90

AES: Implementation Aspects

AES can be efficiently implemented on 8-bit CPUs:
• byte substitution works on bytes, using an S-box of 256 entries
• shift rows is simple byte shifting
• add round key works on byte XORs
• mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified to use a table lookup

91

MixColumn 8-bit processor Implementation

Let Tmp = S0j xor S1j xor S2j xor S3j. On putting in the value of Tmp and on replacing {03}·x by {02}·x xor x, the following 4 equations are equivalent to the MixColumn operation:

    S'0j = S0j xor Tmp xor [02·(S0j xor S1j)]
    S'1j = S1j xor Tmp xor [02·(S1j xor S2j)]
    S'2j = S2j xor Tmp xor [02·(S2j xor S3j)]
    S'3j = S3j xor Tmp xor [02·(S3j xor S0j)]

92

To Prove: S'0j = S0j xor Tmp xor [02·(S0j xor S1j)]

From the matrix equation in the previous slide, S'0j = {02}·S0j xor {03}·S1j xor S2j xor S3j.

We know: {03}·S1j = {02}·S1j xor S1j.

    RHS = S0j xor Tmp xor [02·(S0j xor S1j)]
        = S0j xor S0j xor S1j xor S2j xor S3j xor {02}·S0j xor {02}·S1j
        = {02}·S0j xor ({02}·S1j xor S1j) xor S2j xor S3j
        = {02}·S0j xor {03}·S1j xor S2j xor S3j
        = S'0j = LHS

93

MixColumn 8-bit processor Implementation………2

{02}·x requires (i) a left shift if b7 = 0, or (ii) a left shift followed by an XOR with 1B (hex) if b7 = 1. The data-dependent branch opens the door to a timing attack.

SOLUTION: the 4 terms (Sij xor S((i+1) mod 4)j) for i = 0 to 3 can only take 256 different byte values. Let X = {02}·Y, where Y is a byte variable that can have any one of the 256 possible values. X is pre-calculated and stored in a 256-byte look-up table X[Y], so that

    S'0j = S0j xor Tmp xor X[S0j xor S1j]
    S'1j = S1j xor Tmp xor X[S1j xor S2j]
    S'2j = S2j xor Tmp xor X[S2j xor S3j]
    S'3j = S3j xor Tmp xor X[S3j xor S0j]

(The lookup removes the branch, but the index is now secret-dependent; on a processor with a data cache this trades a branch-timing leak for a cache-timing one, so the table must live in memory with data-independent access time, or the shift and conditional XOR must be done branch-free with a mask.)

94

Implementation Aspects

• can be efficiently implemented on 32-bit CPUs:
  • redefine the steps to use 32-bit words
  • pre-compute 4 tables (see Stallings, pages 159-160); each 16x16 table has 256 entries: input of a byte, output of 32 bits (1 KB of storage per table)
  • then each column in each round can be computed using 4 table lookups + 4 XORs
  • at a cost of 4 KB to store the tables
• Joan Daemen and Vincent Rijmen believe this very efficient implementation was a key factor in its selection as the AES cipher 95

Each Round of Rijndael on Modern Processors

For output column $b_j$: use $a_{0,j}$, $a_{1,j-1}$, $a_{2,j-2}$ and $a_{3,j-3}$, column indices taken mod 4 (this is the slide's index convention; with ShiftRows written as a left rotation of row $i$ by $i$ positions, as in FIPS-197, row $i$ contributes $a_{i,(j+i) \bmod 4}$), and combine them as

$b_j = T_0[a_{0,j}] \oplus T_1[a_{1,j-1}] \oplus T_2[a_{2,j-2}] \oplus T_3[a_{3,j-3}] \oplus K_j$

[Figure: the 4x4 state $a_{0,0} \ldots a_{3,3}$ feeding the four tables $T_1 \ldots T_4$ and the output words $b_0 \ldots b_3$; column $b_2$ is drawn in detail from the table outputs $X_{0,2} \ldots X_{3,2}$ and the round key word $K_2$.]

Just 4 table lookups and 4 XORs per column and per round; storage of 4 tables of 256 entries of 32 bits each. Each table: input of a byte, output of 32 bits. 96
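The MixColumn equations, the 256-byte xtime table and the 32-bit T-table round from the preceding slides, as one added worked example in C. This is not code from the slides or from the Rijndael authors; the function names are my own. The S-box is generated from its definition (multiplicative inverse plus affine map) rather than typed in, the T-tables are derived from the same byte-oriented MixColumn, and the T-table round is checked against the byte-oriented round on the round-1 state and round key of the FIPS-197 Appendix B example, plus the test column db 13 53 45 → 8e 4d a1 bc. ShiftRows is written as a left rotation of row i by i, the FIPS-197 convention, so column j draws on a(i, (j+i) mod 4).

```c
#include <stdint.h>
#include <stdio.h>

/* {02}.x in GF(2^8) as on the slide: XOR with 0x1b only when b7 is set,
 * a data-dependent branch that can leak through timing. */
static uint8_t xtime_branchy(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }

static uint8_t X[256], SBOX[256];   /* X[y] = {02}.y (the slide's table); S-box generated below */
static uint32_t T[4][256];          /* T-tables: byte in, 32-bit word out, 4 KB in total */

#define ROTL8(x, n) ((uint8_t)(((x) << (n)) | ((x) >> (8 - (n)))))
static uint32_t pack(const uint8_t c[4]) {   /* column to word, row 0 in the top byte */
    return ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) | ((uint32_t)c[2] << 8) | c[3];
}

/* MixColumn on one column with the slide's four equations:
 * S'_i = S_i ^ Tmp ^ X[S_i ^ S_((i+1) mod 4)],  Tmp = S_0 ^ S_1 ^ S_2 ^ S_3 */
void mix_column_8bit(uint8_t s[4]) {
    uint8_t tmp = s[0] ^ s[1] ^ s[2] ^ s[3], s0 = s[0];
    s[0] ^= tmp ^ X[s[0] ^ s[1]];
    s[1] ^= tmp ^ X[s[1] ^ s[2]];
    s[2] ^= tmp ^ X[s[2] ^ s[3]];
    s[3] ^= tmp ^ X[s[3] ^ s0];
}

void aes_tables_init(void) {
    /* X without a branch: -(b7) is an all-ones mask when b7 = 1, else 0 */
    for (int y = 0; y < 256; y++) X[y] = (uint8_t)((y << 1) ^ (0x1b & -(y >> 7)));
    /* S-box = affine map of the multiplicative inverse (FIPS-197 5.1.1):
     * p runs through the powers of 3 (a generator of GF(2^8)*), q tracks 1/p */
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));  /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;                  /* q /= 3 */
        q ^= (q & 0x80) ? 0x09 : 0;
        SBOX[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    SBOX[0] = 0x63;
    /* T_i[a] = MixColumns of a column holding S[a] in row i and zeros elsewhere */
    for (int i = 0; i < 4; i++)
        for (int a = 0; a < 256; a++) {
            uint8_t col[4] = {0, 0, 0, 0};
            col[i] = SBOX[a]; mix_column_8bit(col); T[i][a] = pack(col);
        }
}

/* Byte-oriented reference round: SubBytes, ShiftRows (row r rotated left by r),
 * MixColumns, AddRoundKey. Arrays are indexed [row][col]. */
void round_reference(uint8_t a[4][4], uint8_t rk[4][4], uint8_t out[4][4]) {
    for (int c = 0; c < 4; c++) {
        uint8_t col[4];
        for (int r = 0; r < 4; r++) col[r] = SBOX[a[r][(c + r) & 3]];
        mix_column_8bit(col);
        for (int r = 0; r < 4; r++) out[r][c] = col[r] ^ rk[r][c];
    }
}

/* The same round on a 32-bit CPU: 4 lookups + 4 XORs per output column,
 * then the XOR with that column's round-key word. */
void round_ttable(uint8_t a[4][4], const uint32_t rk[4], uint32_t out[4]) {
    for (int j = 0; j < 4; j++)
        out[j] = T[0][a[0][j]] ^ T[1][a[1][(j + 1) & 3]] ^
                 T[2][a[2][(j + 2) & 3]] ^ T[3][a[3][(j + 3) & 3]] ^ rk[j];
}

/* Check data from FIPS-197 Appendix B: state at the start of round 1
 * (column-major bytes), round key 1, and the expected state after round 1. */
static const uint8_t STATE_IN[16] = {0x19,0x3d,0xe3,0xbe, 0xa0,0xf4,0xe2,0x2b,
                                     0x9a,0xc6,0x8d,0x2a, 0xe9,0xf8,0x48,0x08};
static const uint32_t RK1[4] = {0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605};
static const uint32_t EXPECT[4] = {0xa49c7ff2, 0x689f352b, 0x6b5bea43, 0x026a5049};

/* 1 if the T-table round equals the byte-oriented round and both match FIPS-197 */
int fips197_round1_check(void) {
    uint8_t a[4][4], rk[4][4], ref[4][4], col[4];
    uint32_t tt[4];
    aes_tables_init();
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++) { a[r][c] = STATE_IN[4 * c + r]; rk[r][c] = (uint8_t)(RK1[c] >> (24 - 8 * r)); }
    round_reference(a, rk, ref);
    round_ttable(a, RK1, tt);
    for (int c = 0; c < 4; c++) {
        for (int r = 0; r < 4; r++) col[r] = ref[r][c];
        if (pack(col) != tt[c] || tt[c] != EXPECT[c]) return 0;
    }
    return 1;
}

/* 1 if the table agrees with the branchy xtime on every byte (same values, only the
 * timing behaviour differs) and MixColumn maps db 13 53 45 to 8e 4d a1 bc */
int table_and_mixcolumn_check(void) {
    uint8_t col[4] = {0xdb, 0x13, 0x53, 0x45};
    aes_tables_init();
    for (int y = 0; y < 256; y++)
        if (X[y] != xtime_branchy((uint8_t)y)) return 0;
    mix_column_8bit(col);
    return col[0] == 0x8e && col[1] == 0x4d && col[2] == 0xa1 && col[3] == 0xbc;
}

int main(void) {
    printf("xtime table + MixColumn: %s\n", table_and_mixcolumn_check() ? "ok" : "FAIL");
    printf("T-table round == reference == FIPS-197: %s\n", fips197_round1_check() ? "ok" : "FAIL");
    return 0;
}
```

Build with any C99 compiler and run; both checks print ok. Note the trade the table makes: it removes the data-dependent branch in xtime, but X[] and the T-tables are now indexed by secret-dependent bytes, and on a CPU with caches that address pattern is itself a timing channel (the cache-timing attacks on T-table AES). Production code therefore uses hardware AES instructions or bitsliced, constant-time software rather than this layout.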

Implementation Aspects ….2

• Most efficient on Itanium (64-bit machine)
• Highest performer on devices with limited processing power and limited memory: twice as fast as the nearest rival among the 5 finalists (MARS, RC6, RIJNDAEL, SERPENT, TWOFISH)
• Most efficient in feedback modes; second best in CBC/ECB modes 97

Implementation Aspects ….3

• Throughput decreases by 20% and 40% on increasing the key size from 128 to 192 and 256 bits respectively (the round count grows from 10 to 12 and 14)
• If implemented in hardware in ECB mode (Electronic Code Book, where each 128-bit block is encrypted and sent independently), its speed is matched only by SERPENT
• Safety margin 7 for the 10-round case (Safety margin: the number of rounds above which no efficient attack on the algorithm can be mounted, so that exhausting the key space becomes the only way to crack it.) 98

Timing and Power Attacks: Some Facts

• Writing 1's consumes more power than writing 0's.
• Table lookups in S-boxes, shifts, rotations, NOT, OR, AND, XOR: not vulnerable to timing attacks in the simple sense, since their instruction count does not depend on the data. Caveat: a table lookup indexed by secret data still leaks through the cache (the cache-timing attacks on T-table AES implementations, e.g. Bernstein 2005 and Osvik, Shamir and Tromer 2006), so constant-time code avoids secret-dependent memory addresses as well as secret-dependent branches.
• To avoid power attacks: software balancing is required 99

Characteristics of Rijndael

• symmetrical parallel structure
  • gives implementers a lot of flexibility
  • has not allowed effective cryptanalytic attacks
• well adapted to modern processors: Pentium, RISC and parallel processors
• suited for smart cards
• flexible in dedicated hardware
• designed to resist known attacks 100

Misgivings about AES

• AES (and Serpent) encryption can be written as a system of linear and quadratic equations over a finite field. Mathematicians are trying to develop methods to solve such systems (the XSL, XL and FXL methods). If they succeed, the encryption method will fail.

• Because of birthday and meet-in-the-middle attacks, a key size of 256 bits is needed for a 128-bit security level. But AES is slower with a 256-bit key. (Serpent has the same speed for all key sizes. Twofish is slower.) 101

Relative Performance

• Fastest to slowest:
  • RC4 (stream cipher)
  • Blowfish, CAST-128, AES
  • Skipjack
  • DES, IDEA, RC2
  • 3DES, GOST
• Typical speeds: RC4 = tens of MB/second; 3DES = MB/second
• Recommendations: for performance, use Blowfish; for job security, use 3DES

Advanced Encryption Standard Algorithm (Rijndael)

References:

• http://csrc.nist.gov/publications/fips/fips197/fips197.pdf
• For historical information: http://csrc.nist.gov/CryptoToolkit/aes/
• http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ 103

Stream Cipher

• Stream cipher: encrypts data unit by unit, where a unit is a certain number of bits (if the unit is a bit, the cipher encrypts bit by bit; if the unit is a byte, it encrypts byte by byte)
• simpler and faster than a block cipher, but less secure: its security rests entirely on never reusing a keystream
• Two modes of stream cipher:
  • Synchronous stream cipher: the keystream depends only on the key. Sender and receiver run the same key stream generator from the same key and must stay in step; a lost or inserted unit desynchronises them.
  • Self-synchronizing stream cipher: the key stream generator (KSG) produces a keystream that depends on the original key and on the preceding cipher output, so the receiver resynchronises by itself after a fixed number of correct ciphertext units. 104

Key Stream Generator (KSG)

[Figure: Key → Pseudorandom Byte Generator → Stream of bytes]

• The stream of bytes cannot be determined if the key is not known.
• The stream is deterministic: the same key always produces the same stream.
• The stream repeats, but only after a very long chain of bits (its period). 105

Self-Synchronizing Stream Cipher

[Figure: Stream of bytes from the KSG; Plaintext ⊕ keystream → Ciphertext]

In a stream cipher, a key (and hence a keystream) must never be repeated. 106

Example of a Stream Cipher

• RC4: a byte-by-byte encryption algorithm, used in
  • SSL (Secure Socket Layer)
  • WEP (Wired Equivalent Privacy)
• Developed in 1987 by Ron Rivest for RSA
• Sept 1994: the RC4 algorithm was anonymously posted to the “Cypherpunks” anonymous remailers list 107

RC4: Key and the Temporary Vector

• Key: 1 to 256 octets
  • first byte of key: K[0]; second byte of key: K[1] ……
  • number of bytes of key = kbytes
• A 256-byte temporary vector: T[0] to T[255]
  • if kbytes = 256: for i = 0 to 255, T[i] = K[i]
  • if kbytes < 256: for i = 0 to 255, T[i] = K[i mod kbytes] 108

RC4: The State Vector

• A 256-byte state vector: S[0] to S[255]
• INITIALIZATION: for i = 0 to 255, S[i] = i
• Initial PERMUTATION of S (the key-scheduling algorithm):
    j = 0;
    for i = 0 to 255 {
        j = (j + S[i] + T[i]) mod 256;
        swap(S[i], S[j]);
    }
• After the initial permutation, the key is not used again. 109

Stream Encryption

• m-th byte of plaintext: P[m]
    i = j = 0; m = 0;
    while (true) {
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        swap(S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];
        C[m] = P[m] ⊕ k;
        m = m + 1;
    } 110

Strength of RC4

• For decryption, XOR the same keystream byte k with the next byte of ciphertext (encryption and decryption are the same operation).
• For a key length of 128 bits or more, RC4 was regarded as secure at the time. Caveat: statistical biases in the RC4 keystream have since been turned into practical attacks, and RC4 cipher suites are prohibited in TLS (RFC 7465, 2015).
• The weakness in WEP is due to the way the protocol builds per-packet keys (a 24-bit IV prepended to the fixed secret key), which exposes a weakness in RC4's key-scheduling algorithm; it is not a break of RC4 used with a properly generated key. Reference: Fluhrer, S.; Mantin, I.; and Shamir, A. “Weaknesses in the Key Scheduling Algorithm of RC4,” Proceedings, Workshop on Selected Areas in Cryptography, 2001 111

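The RC4 key scheduling and keystream loop from the slides above, together with the rule that a keystream must never be repeated, as one added worked example in C (my own code, not from the slides or from RSA). It checks the widely published test vector (key "Key", plaintext "Plaintext", ciphertext BB F3 16 E8 D9 40 AF 0A D3) and then shows the keystream-reuse failure on two constructed messages: with the same key, C1 ⊕ C2 equals P1 ⊕ P2, so knowing one plaintext reveals the other without the key. Function and type names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_state;

/* Key-scheduling: S[i] = i, then 256 swaps driven by T[i] = K[i mod kbytes].
 * The key is never touched again after this. */
void rc4_init(rc4_state *st, const uint8_t *key, size_t kbytes) {
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) st->S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->S[i] + key[i % kbytes]);   /* mod 256 by uint8_t wrap-around */
        uint8_t t = st->S[i]; st->S[i] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* The slide's keystream loop, XORed onto len bytes. Decryption is the same
 * call: XORing the same keystream a second time restores the plaintext. */
void rc4_crypt(rc4_state *st, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t m = 0; m < len; m++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        uint8_t k = st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
        out[m] = in[m] ^ k;
    }
}

/* 1 if key "Key" encrypts "Plaintext" to BB F3 16 E8 D9 40 AF 0A D3 (the
 * widely published RC4 test vector) and a second pass decrypts it again. */
int rc4_test_vector_check(void) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    const uint8_t *key = (const uint8_t *)"Key", *pt = (const uint8_t *)"Plaintext";
    uint8_t ct[9], back[9];
    rc4_state st;
    rc4_init(&st, key, 3); rc4_crypt(&st, pt, ct, 9);
    rc4_init(&st, key, 3); rc4_crypt(&st, ct, back, 9);
    return memcmp(ct, expect, 9) == 0 && memcmp(back, pt, 9) == 0;
}

/* Why a keystream must never be repeated: two constructed messages encrypted
 * under the same key give C1 ^ C2 == P1 ^ P2 (the keystream cancels), so an
 * attacker who knows P1 recovers P2 with no key at all. Returns 1 if that works. */
int rc4_keystream_reuse_leaks(void) {
    const uint8_t *key = (const uint8_t *)"Secret";          /* constructed key */
    const uint8_t *p1 = (const uint8_t *)"Attack at dawn";   /* known to the attacker */
    const uint8_t *p2 = (const uint8_t *)"Hold position!";   /* target, same length */
    uint8_t c1[14], c2[14], recovered[14];
    rc4_state st;
    rc4_init(&st, key, 6); rc4_crypt(&st, p1, c1, 14);
    rc4_init(&st, key, 6); rc4_crypt(&st, p2, c2, 14);      /* same key => same keystream */
    for (int m = 0; m < 14; m++) recovered[m] = c1[m] ^ c2[m] ^ p1[m];
    return memcmp(recovered, p2, 14) == 0;
}

int main(void) {
    printf("RC4 test vector: %s\n", rc4_test_vector_check() ? "ok" : "FAIL");
    printf("keystream reuse leaks the second plaintext: %s\n", rc4_keystream_reuse_leaks() ? "yes" : "no");
    return 0;
}
```

The reuse check is exactly the WEP situation in miniature: WEP's 24-bit IV space guarantees repeated per-packet keys on a busy network, so the same keystream is reused, and that is before the key-scheduling weakness in the Fluhrer, Mantin and Shamir paper is even considered.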
Symmetric Key Ciphers

• Symmetric key ciphers: efficient, secure
• Problem: how to share a key securely between the sender and the receiver?
• If 100 persons want to send messages securely to one another, one key per pair is needed: 100 × 99 / 2 = 4950 different keys (Reference: Niels Ferguson and Bruce Schneier, “Practical Cryptography”, Wiley, 2003) 112