AES Key Expansion

  • 7/29/2019 AES Key Expansion

    1/20

    This Lecture:

    AES Key Expansion

    Equivalent Inverse Cipher

    Rijndael performance summary

    2/20

    Key Expansion

    Takes as input an Nb-word key and produces a linear array of
    Nb * (Nr+1) words.

    The expanded key provides an Nb-word round key for the initial
    AddRoundKey() stage and for each of the Nr rounds of the cipher.

    The key is first copied into the first Nb words; the remainder
    of the expanded key is filled Nb words at a time.

    3/20

    Key Expansion Pseudo Code (16-byte key)

    KeyExpansion(byte key[16], word w[44])
    {
        word temp;
        /* the cipher key becomes the first 4 words, 4 bytes per word */
        for (i = 0; i < 4; i++)
            w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
        /* every later word depends on the previous word and the word 4 back */
        for (i = 4; i < 44; i++)
        {
            temp = w[i-1];
            if (i mod 4 = 0) temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
            w[i] = w[i-4] XOR temp;
        }
    }

    4/20

    Key Expansion

    RotWord performs a one-byte circular left shift on a word. For example:

    RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0]

    SubWord performs a byte substitution on each byte of the input
    word using the S-box.

    SubWord(RotWord(temp)) is XORed with Rcon[j], the round constant.

    6/20

    Key Expansion

    The round constant - Explained

    The round constant is a word in which the three rightmost
    bytes are zero. It is different for each round and defined as:

    Rcon[j] = (RC[j],0,0,0)

    where RC[1] = 1, RC[j] = 2 * RC[j-1]

    Multiplication is defined over GF(2^8).

    Values of RC[j] in hexadecimal are:

    j      1   2   3   4   5   6
    RC[j]  01  02  04  08  10  20

    7/20

    Key Expansion

    The round constant - Example: expansion of a 128-bit cipher key

    Cipher key = 2b7e151628aed2a6abf7158809cf4f3c

    w0 = 2b7e1516   w1 = 28aed2a6   w2 = abf71588   w3 = 09cf4f3c

    i  temp      RotWord   SubWord   Rcon[i/4]  XOR       w[i-4]    result
    4  09cf4f3c  cf4f3c09  8a84eb01  01000000   8b84eb01  2b7e1516  a0fafe17
    5  a0fafe17  -         -         -          -         28aed2a6  88542cb1
    6  88542cb1  -         -         -          -         abf71588  23a33939
    7  23a33939  -         -         -          -         09cf4f3c  2a6c7605

    For i = 5, 6, 7 (i mod 4 != 0) temp is used unchanged, so result = w[i-4] XOR temp.

    8/20

    Key Expansion Rationale

    Criteria used in the design of the key expansion algorithm:

    Simple description.

    Non-linearity: prohibits the full determination of round key differences from cipher key differences.

    Diffusion: each cipher key bit affects many round key bits.

    Round constant: eliminates symmetry or similarity
    between the way round keys are generated.

    Knowledge of fewer than Nk consecutive words of either the cipher key or a round key makes it difficult to reconstruct the remaining unknown bits.

    9/20

    Equivalent Inverse Cipher

    The Rijndael decryption cipher is not identical to the
    encryption cipher.

    Disadvantage: two separate software or hardware modules
    are required if performing both encryption and decryption.

    There is an equivalent version of the decryption algorithm that
    has the same structure (the same sequence of transformations)
    as the encryption algorithm.

    10/20

    InvCipher scheme (figure; not reproduced in this text)

    11/20

    Equivalent Inverse Cipher

    The original sequence is:

    Encryption: SubBytes, ShiftRows, MixColumns, AddRoundKey

    Decryption: InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns

    Thus InvShiftRows needs to be interchanged with InvSubBytes,
    and AddRoundKey with InvMixColumns.

    12/20

    Equivalent Inverse Cipher

    InvShiftRows affects the sequence of bytes but does not alter byte content, and does not depend on the byte content to perform its transformation.

    InvSubBytes affects the content of bytes but does not alter the byte sequence, and does not depend on the byte sequence to perform its transformation.

    Thus InvShiftRows and InvSubBytes can be interchanged. For a given state S,

    InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))

    13/20

    Equivalent Inverse Cipher

    If the key is viewed as a sequence of words, then both AddRoundKey and InvMixColumns operate on the state one
    column at a time.

    These operations are linear with respect to the column input: for state S and key word w,

    InvMixColumns(S XOR w) = [InvMixColumns(S)] XOR [InvMixColumns(w)]

    14/20

    Equivalent Inverse Cipher

    For one column of the state (y0..y3) and the matching round key bytes (k0..k3):

    | 0E 0B 0D 09 |   | y0 XOR k0 |     | 0E 0B 0D 09 |   | y0 |       | 0E 0B 0D 09 |   | k0 |
    | 09 0E 0B 0D | . | y1 XOR k1 |  =  | 09 0E 0B 0D | . | y1 |  XOR  | 09 0E 0B 0D | . | k1 |
    | 0D 09 0E 0B |   | y2 XOR k2 |     | 0D 09 0E 0B |   | y2 |       | 0D 09 0E 0B |   | k2 |
    | 0B 0D 09 0E |   | y3 XOR k3 |     | 0B 0D 09 0E |   | y3 |       | 0B 0D 09 0E |   | k3 |

    Thus InvMixColumns and AddRoundKey can be interchanged.
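As an added example (not part of the lecture slides, nor code from the Rijndael authors), the following Python implements the key expansion from the pseudo code and the worked 2b7e1516... example above, and then checks numerically the two identities the Equivalent Inverse Cipher slides rely on: that InvShiftRows and InvSubBytes commute, and that InvMixColumns distributes over XOR with a round key. The S-box is generated from its GF(2^8) definition (multiplicative inverse followed by the affine map) rather than copied in as a table, so the SubWord step of the example is reproducible. The column-major state layout, the helper names, and the sample state `bytes(range(16))` are constructed choices for this example.

```python
# Added example, not the lecture's own code: AES-128 key expansion written
# from the slides' pseudo code, plus a numeric check of the two identities
# that the Equivalent Inverse Cipher slides rely on. The S-box is derived
# from its GF(2^8) definition instead of being typed in as a 256-entry table.

def xtime(b):
    """Multiply by x (the byte 02) in GF(2^8), modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11b) & 0xff if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two GF(2^8) elements by repeated doubling."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S-box = multiplicative inverse (0 maps to 0) followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for x in range(256):
        b = s = inv[x]
        for k in range(1, 5):                       # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xff
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def rot_word(w):        # one-byte circular left shift: [b0,b1,b2,b3] -> [b1,b2,b3,b0]
    return w[1:] + w[:1]

def sub_word(w):        # S-box applied to each byte of the word
    return bytes(SBOX[b] for b in w)

def rcon(j):            # Rcon[j] = (RC[j],0,0,0) with RC[1] = 01, RC[j] = 02 * RC[j-1]
    rc = 1
    for _ in range(j - 1):
        rc = xtime(rc)
    return bytes([rc, 0, 0, 0])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def key_expansion(key):
    """16-byte key -> 44 four-byte words (Nb*(Nr+1)); w[4r..4r+3] is round key r."""
    w = [bytes(key[4*i:4*i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = xor_bytes(sub_word(rot_word(temp)), rcon(i // 4))
        w.append(xor_bytes(w[i - 4], temp))
    return w

# The state below is 16 bytes in column-major order: byte 4*c + r is row r, column c.
def inv_shift_rows(s):
    """Row r is rotated right by r positions; byte values are untouched."""
    return bytes(s[((c - r) % 4) * 4 + r] for c in range(4) for r in range(4))

def inv_sub_bytes(s):
    """Every byte goes through the inverse S-box; byte positions are untouched."""
    return bytes(INV_SBOX[b] for b in s)

def inv_mix_columns(s):
    """Each column [y0..y3] is multiplied by the circulant matrix 0E 0B 0D 09."""
    m = [0x0e, 0x0b, 0x0d, 0x09]
    out = bytearray(16)
    for c in range(4):
        col = s[4*c:4*c + 4]
        for r in range(4):
            for k in range(4):
                out[4*c + r] ^= gf_mul(m[(k - r) % 4], col[k])
    return bytes(out)

def identities_hold(state, round_key):
    """True if both interchange identities from the slides hold for these inputs."""
    commute = inv_shift_rows(inv_sub_bytes(state)) == inv_sub_bytes(inv_shift_rows(state))
    linear = inv_mix_columns(xor_bytes(state, round_key)) == \
        xor_bytes(inv_mix_columns(state), inv_mix_columns(round_key))
    return commute and linear

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # cipher key from the slides
    w = key_expansion(key)
    for i in range(4, 8):
        print(i, w[i].hex())                       # a0fafe17 88542cb1 23a33939 2a6c7605
    state = bytes(range(16))                       # constructed sample state
    print(identities_hold(state, b"".join(w[40:44])))   # True
```

Running the script prints w[4]..w[7] exactly as in the worked table above and True for the identity check. The brute-force inverse search in build_sbox is deliberately simple (about 65,000 multiplications) so that the S-box definition stays visible; a production implementation would use a precomputed table and would also need the constant-time considerations discussed in the performance summary.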

    15/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    General Security:

    Rijndael has no known security attacks and has an adequate
    security margin.

    It received some criticism suggesting that its simple mathematical structure may lead to attacks. On the other hand, the simple
    structure may have facilitated the security analysis.

    16/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    Software Implementation:

    Performs encryption and decryption very well across a variety
    of platforms (including 8-bit, 32-bit and 64-bit processors). There is a decrease in performance with larger key sizes
    because of the increased number of rounds.

    High parallelism facilitates the efficient use of processor
    resources. Very well suited to restricted-space environments (small
    amounts of RAM and/or ROM) where either encryption or
    decryption is performed (but not both).

    17/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    Hardware Implementation:

    Has the highest throughput for feedback modes and the second
    highest for non-feedback modes.

    Efficiency is generally very good.

    Attacks on Implementation:

    Timing attacks: attacks on operations that execute in different amounts of time. The general defense is to make
    encryption and decryption run in the same amount of time.

    18/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    Attacks on Implementation, continued:

    Power attacks: attacks on operations that use different
    amounts of power. The general defense is to process the data and
    its complement (nearly) simultaneously.

    Boolean operations, table lookups and fixed shifts/rotations
    are the easiest operations to defend against these attacks.

    The use of masking (executing the same operation twice to
    mask power consumption) does not cause significant performance degradation.

    19/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    Key Agility:

    Defined as the ability to change keys quickly and with a
    minimum of resources.

    Rijndael provides on-the-fly subkey computation (computation of the
    specific subkey needed for a particular round just prior to its use
    in the round).

    The first decryption subkey cannot be generated directly from the
    original key; there is a need to step through all the subkeys. This places a slight resource burden on key agility.

    20/20

    Rijndael performance summary (as evaluated by the National Institute of Standards and Technology)

    Encryption vs. Decryption:

    Speed does not vary significantly between encryption and
    decryption, although key setup is slower for decryption.