CR
Block Ciphers
Chester Rebeiro, IIT Madras
STINSON: chapter 3

Block Cipher

Figure: Alice encrypts the message "Attack at Dawn!!" with E under the key K_E; the ciphertext (#%AR3Xf34^$) travels over an untrusted communication link, and Bob decrypts it with D under the key K_D to recover "Attack at Dawn!!".
Encryption key is the same as the decryption key (K_E = K_D)

Block Cipher: Encryption

Figure: Block Cipher (Encryption) takes a Plaintext of Block Length bits and a Secret Key of Key Length bits and produces the Ciphertext.
• A block cipher encryption algorithm encrypts n bits of plaintext at a time
• May need to pad the plaintext if necessary
• y = e_k(x)

Block Cipher: Decryption

• A block cipher decryption algorithm recovers the plaintext from the ciphertext.
• x = d_k(y)
Figure: Block Cipher (Decryption) takes a Ciphertext of Block Length bits and a Secret Key of Key Length bits and produces the Plaintext.

Inside the Block Cipher (an iterative cipher)

Figure: the Plaintext Block passes through Key Whitening and then Round 1, Round 2, Round 3, ..., Round n (with key1, key2, key3, ..., keyn) to give the Ciphertext Block.
• Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate output
• Size of the key is huge… much larger than the block size.

Inside the Block Cipher (the key schedule)

Figure: Key Expansion turns the Secret Key into Round Key 1, Round Key 2, Round Key 3, ..., Round Key n, one for each of Key Whitening, Round 1, Round 2, Round 3, ..., Round n between the Plaintext Block and the Ciphertext Block.
• A single secret key of fixed size is used to generate 'round keys' for each round

Inside the Round Function

• Add Round key: Mixing operation between the round input and the round key. Typically an ex-or operation
• Confusion layer: Makes the relationship between round input and output complex.
• Diffusion layer: dissipates the round input. Avalanche effect: A single bit change in the round input should cause huge changes in the output. Makes it difficult for the attacker to pick out some bits over the others (think Hill cipher)
Figure: Round Input → Add Round Key → Confusion Layer → Diffusion Layer → Round Output

Achieving Confusion and Diffusion (Substitution-Permutation Networks)

• Confusion achieved by small substitution functions
• Diffusion achieved by diffusion functions
– Permutations
– Linear Transformations

Diffusion with Permutations

• Spreads the output of one s-box to other s-boxes, thus causing a diffusion.
– A single bit change in one input (before S1 for instance) affects four inputs of the next round
• Bitwise permutations are efficient in hardware but not in software implementations

Permutation Layer Types

• straight (24x24)
• expansion (12x24)
• compression (24x12)
Figure: three permutation boxes with their input bits numbered 0 to 23 (or 0 to 11) on top and their output bits below; in the straight example the 0th bit of the input goes to the 1st bit of the output and the 1st bit of the input goes to the 15th bit of the output.

Permutation Layer (more variants)

• Common permutation operations which are used in block ciphers
– circular shift
• Circular shift input N bits to right (or left)
– swap
• Special case of circular shift with shift = N/2

Diffusion with Linear Transformation

• Linear combination of the inputs (can be done bytewise; more software friendly, as no bit manipulations needed)
• How to choose the linear transformation in the Permutation layer?
– Need to have good diffusion properties
– Should have Maximum Branch Number
Figure: a 4x4 matrix times the input vector (x1, x2, x3, x4) gives (y1, y2, y3, y4). Example: the AES mixcolumn operation

$\text{Branch Number} = \min_{a \neq 0}\bigl(W(a) + W(F(a))\bigr)$

Branch Number

• Byte Vector: Number of non-zero input bytes
• W(a): Byte vector of input (i.e. non-zero bytes in a)
• W(F(a)): Byte vector of output (i.e. non-zero bytes in the output)
• example: AES mixcolumn matrix has a branch number of 5
– 1 non-zero byte in input causes all 4 bytes of output to change
– 2 non-zero bytes in input cause at least 3 bytes of output to change (and so on…)

$\text{Branch Number} = \min_{a \neq 0}\bigl(W(a) + W(F(a))\bigr)$
Example: the AES mixcolumn operation, a 4x4 matrix times (x1, x2, x3, x4) giving (y1, y2, y3, y4)

Substitution Layer (Sbox)

• A lot of the block cipher's security rests with this.
• Replaces its input with another
• As with the permutation layer, can be a straight sbox (m x m), expansion sbox (m x n, m < n) or compression sbox (m x n, m > n)

Sboxes

• In an s-box each output bit can be represented as a function of its input bits
Figure: an sbox with inputs x1, x2, x3, x4, ..., xm and outputs y1, y2, y3, y4, ..., yn

$y_1 = f_1(x_1, x_2, x_3, \ldots, x_m)$
$y_2 = f_2(x_1, x_2, x_3, \ldots, x_m)$
$y_3 = f_3(x_1, x_2, x_3, \ldots, x_m)$
$\vdots$
$y_n = f_n(x_1, x_2, x_3, \ldots, x_m)$

The functions have to be non-linear. Linear functions are easily reversed.

S-boxes are Non-linear transformations

Figure: an sbox with inputs x1, x2, x3, x4, ..., xm and outputs y1, y2, y3, y4, ..., yn

example: Simplified DES SBox
http://mercury.webster.edu/aleshunas/COSC%205130/G-SDES.pdf

Figure: S0 with input bits a b c d and output bits q r:
$y = S_0(x) = S_0[a \| d][b \| c]$, where x = a b c d and y = q r
Non-linear equations for S0

Why Non-linearity?

• We want to make it difficult to reverse an s-box: i.e. determine x from y
– Solving linear equations can be done in polynomial time
– Solving non-linear equations is NP hard
• Note the difference with the permutation layer, which is a linear layer. The main purpose of the permutation layer is to provide diffusion and not to confuse!
Figure: an sbox with inputs x1, x2, x3, x4, ..., xm and outputs y1, y2, y3, y4, ..., yn

ex-or (An Important Operation)

• Used considerably for key addition

Block Cipher Design Techniques

• Substitution-Permutation Networks (SPN)
– AES, PRESENT, SHARK
• Feistel Ciphers
– DES, CLEFIA, SERPENT, RC5, … and many more

A Four Round SPN Block Cipher

• An SPN block cipher contains repeating rounds of
– Key addition
• Adds randomization
– Substitution
• A non-linear layer
– Diffusion
• A linear layer for spreading
• The repeating randomization, non-linear and linear layers make it difficult to cryptanalyse
• Used in ciphers such as
– AES (Advanced Encryption Standard)
– PRESENT (The Lightweight block cipher standard)
SPN: Substitution Permutation Network

Diffusion in the SPN

• A single bit of plaintext gets diffused to all bits of the ciphertext.
• If a single bit in the plaintext is flipped
– Each bit of the ciphertext will flip with probability 1/2
– In other words, half the bits of the ciphertext will flip.
• If even a single bit of the key is wrong, half the bits of the ciphertext are flipped

Decryption

• Is the reverse process
– Start with the ciphertext and do all operations in the reverse order
– The round keys are applied in the reverse order
– Permutation layer should be inverse
– Substitution (S-boxes) should be inverse
• This also means that the inverse of the s-box should exist

Feistel Ciphers

• A popular technique for designing block ciphers
– Examples: DES, RC5, CLEFIA,
• Does not require invertible substitution and permutation layers
Figure: the round input is split into two parts L_{i-1} and R_{i-1}; F takes R_{i-1} and the round key K_{i-1}; the round output is L_i, R_i.

Encryption:
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_{i-1})$

Decryption:
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(L_i, K_{i-1})$

What does F contain?

• contains: key mixing, substitution, permutation
• A single round of DES
Figure: L_{i-1} and R_{i-1} (32 bit each); F is fed with R_{i-1} and K_{i-1} and gives L_i and R_i. The s-boxes (S1 to S8) are 6x4… they are not invertible

3 round Feistel cipher

• Iterative
Figure: plaintext (L1, R1) → F → (L2, R2) → F → (L3, R3) → F → (L4, R4) = ciphertext

Linear Cryptanalysis

Non-linearity in S-boxes

• In the 1970s, cryptographers took a lot of care in designing s-boxes
– each output bit of the s-box was the output of a complex non-linear function of the input bits. Like this
Figure: an sbox with inputs x1, x2, x3, x4, ..., xm and outputs y1, y2, y3, y4, ..., yn
– also, the value of each output bit was un-biased, i.e.
$\Pr[y_i = 0] = \Pr[y_i = 1] = \tfrac{1}{2} \quad \text{for } 1 \le i \le n$
This meant that it was difficult to infer anything about x from an output bit
However….

Linear Approximations

• they overlooked linear combinations of the s-box output, which turned out to be biased... such as
$\Pr[y_1 \oplus x_1 \oplus x_5 \oplus x_7 = 0] \ll \tfrac{1}{2}$ (low probability of occurrence)
or
$\Pr[y_1 \oplus x_1 \oplus x_5 \oplus x_7 = 1] \gg \tfrac{1}{2}$ (high probability of occurrence)
• This bias was exploited by Mitsuru Matsui in 1993 to attack DES. The attack was known as linear cryptanalysis
– it is a known plaintext attack
– required 2^43 known plaintext-ciphertext pairs to break DES
background needed for understanding the attack…

Bias (A measure of deviation from uniform randomness)

• Consider discrete independent random variables over {0,1}
• Let … thus for i = 1, 2, 3, ….
• Due to independence, the joint probability is obtained by simply multiplying. Thus for i ≠ j, …
• Consider discrete random variables where i ≠ j

Bias

• Define the bias of X_i as $\varepsilon_i = \Pr[X_i = 0] - \tfrac{1}{2}$
• Some properties of the bias
• If the bias is 0 then X_i can take the values 0 or 1 with equal probability. The further the bias is from 0 (i.e. close to ±1/2), the more X_i takes 0 with higher (or lower) probability
• The bias is therefore a measure of the randomness

$\Pr[X_i \oplus X_j = 0] = \Pr[X_i = 0]\Pr[X_j = 0] + \Pr[X_i = 1]\Pr[X_j = 1]$
$= \left(\tfrac{1}{2} + \varepsilon_i\right)\left(\tfrac{1}{2} + \varepsilon_j\right) + \left(\tfrac{1}{2} - \varepsilon_i\right)\left(\tfrac{1}{2} - \varepsilon_j\right)$
$= \tfrac{1}{2} + 2\varepsilon_i\varepsilon_j$

Linear Approximations of an s-box

How to construct?
Represent the s-box in binary as in the following table
Figure: sbox with inputs X1 X2 X3 X4 and outputs Y1 Y2 Y3 Y4, tabulated for all 16 inputs

Linear Approximations of an s-box

Consider a linear combination of inputs and outputs, for example $X_1 \oplus X_4 \oplus Y_2$, and fill in the truth table: 1011000110010011
#1s = 8, #0s = 8
$p = \Pr[X_1 \oplus X_4 \oplus Y_2 = 0] = 1/2$
$\varepsilon = p - \tfrac{1}{2} = 0$
unbiased

Linear Approximations of an s-box

Consider a linear combination of inputs and outputs, for example $X_1 \oplus X_2 \oplus X_3 \oplus Y_2$, and fill in the truth table: 1101100011111010
#1s = 10, #0s = 6
$p = \Pr[X_1 \oplus X_2 \oplus X_3 \oplus Y_2 = 0] = 3/8$
$\varepsilon = p - \tfrac{1}{2} = -\tfrac{1}{8} = -0.125$
biased

Linear Approximations of an s-box

Consider another example, $X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$, and fill in the truth table: 1101011111111111
#1s = 14, #0s = 2
$p = \Pr[X_3 \oplus X_4 \oplus Y_1 \oplus Y_4 = 0] = 1/8$
$\varepsilon = p - \tfrac{1}{2} = -\tfrac{3}{8} = -0.375$
Highly biased

Linear Approximation Tables

Figure: the Linear Approximation Table, with the entries for $X_1 \oplus X_4 \oplus Y_2$, $X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$ and $X_1 \oplus X_2 \oplus X_3 \oplus Y_2$ marked
$\varepsilon(a, b) = \frac{N_L(a, b) - 8}{16}$
(N_L(a, b) captures the number of 0s in the truth table)

What does the linear approximation mean

• If we do the following
    while (large number of times) {
        generate a random plaintext
        z = ex-or(x3, x4, y1, y4)
    }
• The probability that z takes the value 0 is 1/8
How do we use this fact to attack the block cipher?
Figure: sbox with the bits x3, x4 of its input and y1, y4 of its output marked, i.e. $X_3 \oplus X_4 \oplus Y_1 \oplus Y_4$

Piling-up Lemma

Consider two linear combinations of random variables
$A = X_1 \oplus X_2 \oplus X_3$ having bias $\varepsilon_A$
$B = X_4 \oplus X_5 \oplus X_6$ having bias $\varepsilon_B$
What is the bias of $A \oplus B$? The resultant bias can be computed by the Piling-up Lemma
Proof by Mathematical Induction

The General Attack Scheme

1. Use the piling up lemma to identify linear trails in the cipher which have high bias.
– Compute the bias till the penultimate round
2. To determine k = (K5,5 --- K5,8) do the following
a. Guess the value of k (16 possibilities)
b. Compute S^-1(k ^ c_i) for each ciphertext (we get a distribution)
c. Determine if the bias matches the theoretical estimates.

Applying Piling-up Lemma for the cipher

Figure: the linear trail through the cipher, with the approximations used:
$a = 1011,\ b = 0100,\ N_L = 12,\ \varepsilon = 1/4$
$a = 0100,\ b = 0101,\ N_L = 4,\ \varepsilon = -1/4$
$a = 0100,\ b = 0101,\ N_L = 4,\ \varepsilon = -1/4$
Find paths which are highly biased

From the cipher, …
Thus, …
Now, the key part is a constant (either 0 or 1)
Thus, the bias of … is either +1/32 or -1/32 depending on the key bits

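The linear approximation table and the piling-up step of the last few slides, worked in code. This is an added Python example, not the slides' material; it assumes the S-box is the one from Stinson's SPN example, which is the S-box whose counts the slides quote (N_L(1011, 0100) = 12, N_L(0100, 0101) = 4, bias of the trail 1/32).

```python
from fractions import Fraction

# 4-bit S-box of Stinson's SPN example (the counts quoted on these slides match it):
# index = input nibble X1X2X3X4 with X1 the MSB, value = output nibble Y1Y2Y3Y4.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all the bits of v."""
    return bin(v).count("1") & 1


def linear_count(a, b, sbox=SBOX):
    """N_L(a, b): number of inputs x with (a . x) xor (b . S(x)) = 0.
    Mask a selects input bits and b output bits, so a = 0b1011, b = 0b0100
    is the combination X1 xor X3 xor X4 xor Y2 used on the trail slide."""
    return sum(1 for x in range(16) if parity(a & x) ^ parity(b & sbox[x]) == 0)


def bias(a, b, sbox=SBOX):
    """epsilon(a, b) = (N_L(a, b) - 8) / 16, the Linear Approximation Tables formula."""
    return Fraction(linear_count(a, b, sbox) - 8, 16)


def linear_approximation_table(sbox=SBOX):
    """Full 16 x 16 table of N_L(a, b): row = input mask a, column = output mask b."""
    return [[linear_count(a, b, sbox) for b in range(16)] for a in range(16)]


def most_biased(sbox=SBOX):
    """Approximations with the largest |bias|; b = 0 is skipped because those
    entries involve no output bit and say nothing about the S-box."""
    entries = [(a, b, bias(a, b, sbox)) for a in range(16) for b in range(1, 16)]
    top = max(abs(e) for _, _, e in entries)
    return [t for t in entries if abs(t[2]) == top]


def piling_up(biases):
    """Piling-up lemma: the XOR of n independent approximations has bias
    2^(n-1) * (product of the n biases). The Bias slide derives the n = 2 case."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result


def trail_bias():
    """Bias of the trail on the slides: a = 1011, b = 0100 in S12 followed by
    a = 0100, b = 0101 in S22, S32 and S34. The unknown key bits only flip the
    sign, so the attack works with the magnitude 1/32."""
    return piling_up([bias(0b1011, 0b0100)] + [bias(0b0100, 0b0101)] * 3)
```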
The Linear Cryptanalysis Attack

• The attacker needs
– A large number of plaintext-ciphertext pairs
• We denote each pair by (x, y) – x: plaintext, y: ciphertext
• For the Toy cipher above (approx 8000)
• For a cipher like DES 2^48
– all plaintexts are encrypted with the same key
• The attack
1. Guess $k_5\langle 2\rangle$ and $k_5\langle 4\rangle$ (256 possibilities)
2. For each $y\langle 2\rangle$ and $y\langle 4\rangle$ compute $v_4\langle 2\rangle$ and $v_4\langle 4\rangle$
3. Then compute inv-sbox($v_4\langle 2\rangle$) and inv-sbox($v_4\langle 4\rangle$) to obtain $u_4\langle 2\rangle$ and $u_4\langle 4\rangle$
4. Now compute z from $u_4\langle 2\rangle$ and $u_4\langle 4\rangle$
If the key guess is correct, the bias of z must be ±1/32 (i.e. z must be 0 (or 1) with probability 1/2 ± 1/32). If the key guess is wrong, the bias of z must be 0 (i.e. z must be 0 (or 1) with probability 1/2)

The Linear Cryptanalysis Attack

Figure: the attack as pseudo-code, annotated as follows.
– Inputs: the plaintext-ciphertext pair array and T, the number of the ptext-ctext pairs; the inverse s-box is used
– The guessed key, which varies from 0 to 255
– For a key guess, Count counts how often z = 0. For the correct key guess, count should be highest
– For each plaintext-ciphertext pair: compute $u_4\langle 2\rangle$ and $u_4\langle 4\rangle$, and increment count if z = 0
– Determine the most probable key byte of the 256 possible keys. The correct key should have the max count value; wrong keys should have a count value of approximately T/2

Differential Cryptanalysis

Differential Cryptanalysis

• Attributed to Eli Biham and Adi Shamir in CRYPTO'90
– Although the idea was known in the 1970s by IBM (and the NSA)
• In IBM, this used to be known as the T-attack or Tickle attack
• Differential cryptanalysis is a chosen plaintext attack
– It requires 2^47 chosen plaintexts to break DES

Differentials

• If we have two Boolean linear equations such as
$A = a \oplus b \oplus k_1 \oplus k_2$
$B = c \oplus d \oplus k_1 \oplus k_2$
• Then, the differential is their ex-or
$A \oplus B = a \oplus b \oplus c \oplus d$
• Note that the common terms are cancelled out

Differentials of an s-box

• Let x and x* be the inputs to an s-box
• Let y and y* be the corresponding outputs
Input Differential: $x' = x \oplus x^*$
Output Differential: $y' = y \oplus y^*$
• If x' is (1011)_2:
Figure: sbox with inputs x1 x2 x3 x4 and outputs y1 y2 y3 y4

Differentials of an s-box

If x' is (1011)_2: (table of x, x*, y, y* and the resulting y' for all input pairs)
Note the non-uniformity….. This non-uniformity is used in differential cryptanalysis

Differential Distribution Table of the s-box

Figure: table with the S-box input difference along the rows and the S-box output difference along the columns. Each entry counts the number of times the input difference is x' and the output difference of the s-box is y'.
The probability that the output difference is b' given that the input difference is a' is known as the Propagation Ratio

Differential trails in a cipher

• First note that the differential output y' does not depend on the secret key
• Choose a set of consecutive s-boxes so that differences propagate with high propagation ratio. This is the differential trail.
• Assuming independence between the s-boxes in the trail, the propagation ratio for the trail is the product of the individual propagation ratios.
– This means that, if the input difference is (0000 1011 0000 0000) then the probability that the output difference is (0000 0101 0101 0000) is 27/1024

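The difference distribution table and the trail product of the differential slides, worked in code. Added Python example, not the slides' material; it assumes the same S-box as before (Stinson's SPN example) and Stinson's trail S12: 1011 → 0010, S23: 0100 → 0110, S32 and S33: 0010 → 0101, which is the trail whose probability 27/1024 the slide quotes.

```python
from fractions import Fraction

# Stinson's example S-box again: the 27/1024 trail on the slide is computed on it.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_distribution_table(sbox=SBOX):
    """N_D(x', y'): number of inputs x with S(x) xor S(x xor x') = y'.
    Row = input difference x', column = output difference y'; rows sum to 16
    and the output difference never depends on a key added before the S-box."""
    ddt = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for xdiff in range(16):
            ydiff = sbox[x] ^ sbox[x ^ xdiff]
            ddt[xdiff][ydiff] += 1
    return ddt


def propagation_ratio(xdiff, ydiff, sbox=SBOX):
    """R_p(x', y') = N_D(x', y') / 16: probability of y' given x'."""
    return Fraction(difference_distribution_table(sbox)[xdiff][ydiff], 16)


def trail_probability(trail, sbox=SBOX):
    """Product of the propagation ratios of the S-boxes on a differential trail,
    assuming they act independently (the trail slide's assumption)."""
    p = Fraction(1)
    for xdiff, ydiff in trail:
        p *= propagation_ratio(xdiff, ydiff, sbox)
    return p


def best_output_differences(sbox=SBOX):
    """For each non-zero input difference, the most likely output difference:
    the non-uniformity the 'Differentials of an s-box' slide points at."""
    ddt = difference_distribution_table(sbox)
    return {xdiff: max(range(16), key=lambda y: ddt[xdiff][y]) for xdiff in range(1, 16)}


# The slides' trail: S12: 1011 -> 0010, S23: 0100 -> 0110, S32 and S33: 0010 -> 0101
SLIDE_TRAIL = [(0b1011, 0b0010), (0b0100, 0b0110), (0b0010, 0b0101), (0b0010, 0b0101)]
```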
The Differential Cryptanalysis Attack

• The attacker needs
– A large number of chosen plaintext-ciphertext pairs encrypted with the same key
• The attack
1. Guess $k_5\langle 2\rangle$ and $k_5\langle 4\rangle$ (256 possibilities)
2. Compute $v_4\langle 2\rangle$ and $v_4\langle 4\rangle$ for each plaintext–ciphertext using the guessed key
3. Compute the difference between the inv-sbox($v_4\langle 2\rangle$) and inv-sbox($v_4\langle 4\rangle$)
4. Test if the required differential is obtained.
If the key guess is correct, the correct differential will be obtained with a probability of 27/1024
If the key guess is wrong, the differential will be obtained with a probability which is much lower (1/256)

The Differential Cryptanalysis Algorithm

Figure: the attack as pseudo-code, annotated as follows.
– Function inputs are the plaintext-ciphertext differentials, T is the number of them, and the inverse of the targeted s-box
– The guessed key (L1, L2): is of 256 values
– For each differential, do an initial filtering, and then compute $u_4\langle 2\rangle$ and $u_4\langle 4\rangle$. If these result in the targeted differential 0110, 0110, then increment the count for the corresponding key guess
– The value of (L1, L2) which has the maximum count implies that it is the case where the targeted differential appears most often. This (L1, L2) is the likely key.

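Both key-recovery procedures, the linear attack of "The Linear Cryptanalysis Attack" slides and the differential attack of the two slides above, run against the toy four-round 16-bit SPN the slides follow (Stinson's cipher: the S-box of the linear-approximation slides, the bit permutation 1→1, 2→5, 3→9, …, and five 16-bit round keys). This is an added Python example, not the slides' code; the random round keys, the sample pairs, the bucketing of pairs and the absolute-deviation ranking (which covers both signs of the ±1/32 bias) are this example's own choices.

```python
import random

# Stinson's toy SPN: 16-bit block, four rounds, four copies of this 4-bit S-box
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# PERM[i - 1] = j: input bit i goes to output bit j (bits numbered 1..16, 1 = MSB)
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]


def bit(w, i):
    return (w >> (16 - i)) & 1


def nibble(w, n):
    """Nibble n of a 16-bit word, n = 1 being the leftmost (the slides' <n> notation)."""
    return (w >> (16 - 4 * n)) & 0xF


def substitute(w, box):
    return sum(box[nibble(w, n)] << (16 - 4 * n) for n in range(1, 5))


def permute(w):
    return sum(bit(w, i) << (16 - PERM[i - 1]) for i in range(1, 17))


def encrypt(x, rk):
    """Four rounds; rk holds five 16-bit round keys K1..K5 (no key schedule here)."""
    for r in range(3):
        x = permute(substitute(x ^ rk[r], SBOX))
    x = substitute(x ^ rk[3], SBOX)          # last round has no permutation
    return x ^ rk[4]


def linear_attack(pairs):
    """Linear attack. For the right (K5<2>, K5<4>) the trail of bias 1/32 makes
    z = x5^x7^x8 ^ u4_6^u4_8^u4_14^u4_16 equal 0 with probability 1/2 +- 1/32."""
    total = len(pairs)
    buckets = {}  # only x5^x7^x8 and ciphertext nibbles 2 and 4 matter, so bucket first
    for x, y in pairs:
        k = (bit(x, 5) ^ bit(x, 7) ^ bit(x, 8), nibble(y, 2), nibble(y, 4))
        buckets[k] = buckets.get(k, 0) + 1
    best, best_dev = None, -1
    for l1 in range(16):
        for l2 in range(16):
            count = 0
            for (px, y2, y4), n in buckets.items():
                u2, u4 = SBOX_INV[y2 ^ l1], SBOX_INV[y4 ^ l2]   # u4<2>, u4<4>
                z = px ^ (u2 >> 2 & 1) ^ (u2 & 1) ^ (u4 >> 2 & 1) ^ (u4 & 1)
                if z == 0:
                    count += n
            dev = abs(count - total / 2)   # |bias|, since the key bits fix the sign
            if dev > best_dev:
                best, best_dev = (l1, l2), dev
    return best


def differential_attack(pairs):
    """Differential attack. pairs are ((x, y), (x*, y*)) with x ^ x* = 0x0B00; for
    the right guess the round-4 input difference 0110 in nibbles 2 and 4 appears
    with propagation ratio 27/1024, for wrong guesses far less often."""
    counts = {}
    for (x, y), (xs, ys) in pairs:
        if nibble(y ^ ys, 1) or nibble(y ^ ys, 3):
            continue            # filter: a right pair has no difference in nibbles 1, 3
        for l1 in range(16):
            for l2 in range(16):
                u2 = SBOX_INV[nibble(y, 2) ^ l1] ^ SBOX_INV[nibble(ys, 2) ^ l1]
                u4 = SBOX_INV[nibble(y, 4) ^ l2] ^ SBOX_INV[nibble(ys, 4) ^ l2]
                if u2 == 0x6 and u4 == 0x6:
                    counts[(l1, l2)] = counts.get((l1, l2), 0) + 1
    return max(counts, key=counts.get)


def make_samples(seed, n):
    """Constructed test data: random round keys, n known pairs, n chosen pairs."""
    rng = random.Random(seed)
    rk = [rng.getrandbits(16) for _ in range(5)]
    known = [(x, encrypt(x, rk)) for x in (rng.getrandbits(16) for _ in range(n))]
    chosen = []
    for _ in range(n):
        x = rng.getrandbits(16)
        chosen.append(((x, encrypt(x, rk)), (x ^ 0x0B00, encrypt(x ^ 0x0B00, rk))))
    return rk, known, chosen
```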
DES (Data Encryption Standard)

History of DES

• Standardized in 1977 by FIPS, as the standard for data encryption
• Based on a Feistel cipher called Lucifer (Lucifer is a Feistel cipher developed by IBM in the early '70s)
• NSA made some minor (supposedly controversial) modifications to the Lucifer algorithm
– Reduced the key size from 64 bits to 56 bits
– Modifications to the s-boxes

DES Specification

• Block Size: 64 bits
• Key size: 56 bits (+8 parity bits)
• Structure: Feistel
• Rounds: 16
• Algorithm specifies: encryption/decryption algorithm, key expansion algorithm

DES Initial and Final Permutation

• Plaintext subjected to an Initial permutation (IP) initially
• After 16 rounds, there is a final permutation (FP) before the ciphertext is generated
Neither operation has any cryptographic significance. Used to facilitate loading of blocks in and out of 1970s eight bit computers
Figure: the 64-bit block handled as two 32-bit halves between IP and FP

IP and FP

Initial Permutation (IP): the first bit of the o/p is taken from the 58th input bit
Final Permutation (FP = IP^-1): this is the inverse of IP

DES F Function (E and Key mixing)

E is the expansion block. The 32 bit input is expanded to 48 bits by duplicating some of the bits
Key mixing with the subkey
Figure: the Expansion Function takes the 32-bit half to 48 bits, which are ex-ored with the 48-bit subkey; the s-boxes bring the result back to 32 bits

DES F Function (S-boxes)

S1 to S8 are compression s-boxes. Each s-box takes 6 input bits and outputs 4 bits.
Figure: the 48-bit value split across S1 … S8, giving 32 bits

DES F Function (Permutation)

Figure: the Permutation Layer applied to the 32-bit output of the s-boxes

DES Key Expansion

• 64 bits input
– Of which 8 are discarded (or used for parity)
• No non-linear components
Figure: PC1, then per round a Rotate left of the two halves and PC2 (Select 48 out of the 56 bits)

DES Decryption

• Same as the encryption algorithm, with subkeys applied in reverse order

DES Weak Keys

• In a DES weak key, all the subkeys are the same. Thus DES_WK(DES_WK(x)) = x (WK is a weak key)
• DES weak keys are as follows
56 bit DES weak keys:
00000000000000
FFFFFFFFFFFFFF
0000000FFFFFFF
FFFFFFF0000000

DES Semi weak keys

• Semi-weak keys have the following properties
– They appear in pairs: (SK1 and SK1')
– DES_SK1(DES_SK1'(x)) = x
– Each semi-weak key has only two subkeys.
Figure: the subkey schedules of SK1 and SK1'

DES Semi weak key pairs

Objections to DES

• Key size matters
– Brute Force Attacks due to the small key size
• S-box secrecy
– During the initial years, the rationale for the DES s-box was kept secret (…to increase security).
• Mathematical attacks:
– Differential Cryptanalysis
– Linear Cryptanalysis

DES Cracker

• Specialized ASICs for DES brute force
• Could determine the secret key in less than a day…. Need to increase key length!!

DES Composition

• Key size can be increased by composition: C = DES_K1(DES_K2(P))
• DES does not form a group under composition, i.e. it is not possible to obtain DES_K1(DES_K2(P)) = DES_K3(P) for some key K3
Figure: P → DES (K2) → DES (K1) → C. 2DES key size = 2 * 56 = 112 bits

Meet in the Middle Attack against 2-DES

• Attacker collects a pair of (P, C)
1. For P, compute Q_K1* = DES_K1*(P) for every possible value of K1*. Record the corresponding Q_K1*
2. For C, compute Q_K2* = DES^-1_K2*(C) for every possible value of K2*. Record the corresponding Q_K2*
3. Find all K1* and K2* such that Q_K1* = Q_K2*
4. If multiple such K1* and K2* are found, then repeat with another pair of (P, C)
• Complexity of this attack is 2^56 + 2^56 = 2^57
Figure: P → DES (K1) → Q → DES (K2) → C

3-DES

Figure: P → DES (K1, encrypt) → DES^-1 (K2, decrypt) → DES (K1, encrypt) → C
• 112 bit security as in 2-DES
• Encrypt → Decrypt → Encrypt
• K1 → K2 → K1 (two 56 bit keys)
• Why EDE and not EEE?
– Compatibility with the classical DES if K1 = K2
• Used extensively as a stopgap arrangement until a new cipher standard (AES) was established
• Drawbacks of 3-DES:
– Sluggish in software
– Could only encrypt 64 bit blocks at a time

Modes of Operation

What are Modes of Operation?

• Block cipher algorithms only encrypt a single block of message
• A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
• Modes of Operation
– Electronic codebook mode (ECB Mode)
– Cipher feedback mode (CFB Mode)
– Cipher block chaining mode (CBC mode)
– Output feedback mode (OFB mode)
– Counter mode

ECB Mode

• Every block in the message is encrypted independently with the same key
• Drawback 1: If p_i = p_j (i ≠ j) then c_i = c_j
– Encryption should protect against known plaintext attacks (since the attacker could guess parts of the message….. Like stereotype beginnings)
• Drawback 2: An interceptor may alter the order of the blocks during transmission
• Not recommended for encryption of more than one block
Figure: p0, p1, p2, p3, p4 each pass through e_K independently to give c0, c1, c2, c3, c4

CBC Mode

• Cipher Block Chaining
• Advantage 1: Encryption is dependent on the ciphertext of the previous block, therefore
– c_i ≠ c_j (i ≠ j) even if p_i = p_j
• Advantage 2: Intruder cannot alter the order of the blocks during transmission
• If an error is present in one received block (say c_i)
– Then c_i and c_{i+1} will not be decrypted correctly
– All remaining blocks will be correctly decrypted
Figure: each p_i is ex-ored with the previous ciphertext block (the IV for p0) before e_K, giving c0, c1, c2, c3, c4

CBC Mode Decryption

Figure: encryption as on the previous slide; for decryption each c_i passes through d_K and is ex-ored with the previous ciphertext block (the IV for c0) to give p0, p1, p2, p3, p4

CFB (Cipher feedback Mode)

Can transform a block cipher into a stream cipher.
– i.e. Each block encrypted with a different key
Uses a shift register that is initialized with an IV
Figure (Encryption Scheme): the register, initialized with the IV, is fed through e_K; the message stream (8 bits at a time) is ex-ored with the output to give the ciphertext stream (8 bits transmitted at a time)

CFB - Error Propagation

Uses a shift register that is initialized with an IV. The previous ciphertext block is fed into the shift register
Figure (Decryption Scheme): the register is fed through e_K; the ciphertext stream (8 bits at a time) is ex-ored with the output to give the plaintext stream (8 bits decrypted at a time)

Output Feedback Mode (OFB)

• Very similar to CFB but the feedback is taken from the output of e_k
• An error in one byte of the ciphertext affects only one decryption
Figure (Encryption Scheme; the decryption scheme is similar): the shift reg is fed through e_K and the output is fed back into it; the message stream (8 bits at a time) is ex-ored with that output to give the ciphertext stream (8 bits transmitted at a time)

Counter Mode

• A randomly initialized counter is incremented with every encryption
• Can be parallelized
– i.e. Multiple encryption engines can simultaneously run
• As with OFB, an error in a single ciphertext block affects only one decrypted plaintext
Figure: counter, counter+1, counter+2, counter+3, counter+4 each pass through e_K and are ex-ored with p0, p1, p2, p3, p4 to give c0, c1, c2, c3, c4

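Three things the slides describe, worked on one toy cipher: a Feistel network whose F is a non-invertible truncated hash (the Feistel slides), the meet-in-the-middle search against double encryption (the 2-DES slide), and the error-propagation behaviour of ECB, CBC and CTR (the modes slides). This is an added Python example, not the slides' code; the 64-bit Feistel cipher, its deliberately tiny 12-bit key space and the test data are constructed for it.

```python
import hashlib

BLOCK = 8        # 64-bit block, as in DES
KEY_BITS = 12    # tiny key space so the meet-in-the-middle search runs in seconds


def F(key, rnd, half):
    """Feistel round function: need not be invertible, so a truncated hash will do."""
    return hashlib.sha256(key.to_bytes(4, "big") + bytes([rnd]) + half).digest()[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block, rounds=4):
    L, R = block[:4], block[4:]
    for r in range(rounds):                 # L_i = R_(i-1), R_i = L_(i-1) xor F(R_(i-1), K_i)
        L, R = R, xor(L, F(key, r, R))
    return R + L                            # swap halves so decryption is the same network


def decrypt_block(key, block, rounds=4):
    R, L = block[:4], block[4:]
    for r in reversed(range(rounds)):       # same rounds, subkeys in reverse order
        L, R = xor(R, F(key, r, L)), L
    return L + R


def double_encrypt(k1, k2, block):
    return encrypt_block(k2, encrypt_block(k1, block))


def meet_in_the_middle(p, c):
    """2^KEY_BITS encryptions of p plus 2^KEY_BITS decryptions of c, matched through
    a table, instead of 2^(2*KEY_BITS) trials of the double cipher."""
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt_block(k1, p), []).append(k1)
    return [(k1, k2) for k2 in range(1 << KEY_BITS)
            for k1 in forward.get(decrypt_block(k2, c), [])]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """Encrypts or decrypts: XOR with e_K(nonce + block index)."""
    out = []
    for i in range(0, len(data), BLOCK):
        keystream = encrypt_block(key, ((nonce + i // BLOCK) % 2 ** 64).to_bytes(BLOCK, "big"))
        out.append(xor(data[i:i + BLOCK], keystream))
    return b"".join(out)


def damaged_blocks(decrypt, ct, pt, block_index):
    """Flip one bit of ciphertext block `block_index`, decrypt, and list the
    plaintext blocks that come out wrong (error propagation of the mode)."""
    bad = bytearray(ct)
    bad[block_index * BLOCK] ^= 0x80
    rec = decrypt(bytes(bad))
    return [i for i in range(len(pt) // BLOCK)
            if rec[i * BLOCK:(i + 1) * BLOCK] != pt[i * BLOCK:(i + 1) * BLOCK]]
```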
How to choose a good s-box?

Mod-01, Lec-07, Overview of S-box Principles, by Debdeep Mukhopadhyay
https://www.youtube.com/watch?v=cJ7hmwHVwtc&list=PL71FE85723FD414D7&index=17

Criteria for a good s-box

• Completeness
• Balance
• Non-linearity
• Propagation criteria
• Good XOR profile
• High Algebraic Degree

Sboxes

• In an s-box each output bit can be represented as a Boolean function of its input bits
Figure: an sbox with inputs x1, x2, x3, x4, ..., xm and outputs y1, y2, y3, y4, ..., yn

$y_1 = f_1(x_1, x_2, x_3, \ldots, x_m)$
$y_2 = f_2(x_1, x_2, x_3, \ldots, x_m)$
$y_3 = f_3(x_1, x_2, x_3, \ldots, x_m)$
$\vdots$
$y_n = f_n(x_1, x_2, x_3, \ldots, x_m)$

The functions have to be non-linear. Linear functions are easily reversed.

Boolean Functions

• A Boolean function is a mapping from {0,1}^m → {0,1}
• Algebraic Normal Form representation of a Boolean function
– A Boolean function on m inputs can be represented in sum (XOR, +) of products (AND, .) form:
$y = a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus a_3 x_1 x_2$
where each a_i is either 0 or 1.
• Affine Form: if all the product terms have coefficient 0 (a_3 = 0 in the above example)
• Linear form: Affine form and a_0 = 0

Truth Tables

• Consider a Boolean function $f: \{0,1\}^m \to \{0,1\}$
• The following binary sequence is the truth table of f
$\bigl(f(\alpha_0), f(\alpha_1), f(\alpha_2), \ldots, f(\alpha_{2^m-1})\bigr)$
where the $\alpha_i$ are m-bit numbers and $\alpha_i \ne \alpha_j$ unless i = j
Example: $f: y = x_1 \oplus x_2 \oplus x_1 x_2$
X1 X2 | Y
0  0  | 0
0  1  | 1
1  0  | 1
1  1  | 1
– The truth table is therefore (0, 1, 1, 1)
– The sequence is (1, -1, -1, -1)

Balanced Boolean Functions

• A Boolean function is said to be balanced if its truth table has an equal number of 0s and 1s.
• S-box equations should be balanced (i.e. 0 and 1 have an equal probability of occurrence)
Unbalanced function $f: y = x_1 \oplus x_2 \oplus x_1 x_2$
X1 X2 | Y
0  0  | 0
0  1  | 1
1  0  | 1
1  1  | 1
Balanced function $g: y = x_1 \oplus x_2$
X1 X2 | Y
0  0  | 0
0  1  | 1
1  0  | 1
1  1  | 0

Distance Between functions

Let f and g be two Boolean functions.
Let η be the truth table for f and ε the truth table for g.
HD(η, ε) is the Hamming distance between the two sequences
$f: y_1 = x_1 \oplus x_2 \oplus x_1 x_2$
$g: y_2 = x_1 \oplus x_2$
X1 X2 | Y1 Y2
0  0  | 0  0
0  1  | 1  1
1  0  | 1  1
1  1  | 1  0
HD(η, ε) = 1

Nonlinearity of a Boolean Function

• The non-linearity of a Boolean function is the minimum distance between the function and the set of all linear functions.
– Strengthens against linear cryptanalysis
$y_1 = x_1 \oplus x_2 \oplus x_1 x_2$
$y_2 = 0$
$y_3 = x_1$
$y_4 = x_2$
$y_5 = x_1 \oplus x_2$
X1 X2 | Y1 Y2 Y3 Y4 Y5
0  0  | 0  0  0  0  0
0  1  | 1  0  0  1  1
1  0  | 1  0  1  0  1
1  1  | 1  0  1  1  0
HD(y1, y2) = 3, HD(y1, y3) = 1, HD(y1, y4) = 1, HD(y1, y5) = 1
Nonlinearity: $N_f = \min_{g \in \text{linear}} HD(f, g)$
Nonlinearity of y1: $N_{y_1} = 1$

Walsh Hadamard Matrix

• A compact combinatorial representation of all affine functions
• Each row of the WH matrix forms the truth table of an affine function; all linear functions with N variables can be represented by the matrix
$H(2^1) = \begin{bmatrix} 0 & 0 \\ 0 & 1 \end{bmatrix}$ (rows: 0, x1)
$H(2^2) = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 \end{bmatrix}$ (rows: 0, x2, x1, x2 ⊕ x1)
$H(2^N) = \begin{bmatrix} H(2^{N-1}) & H(2^{N-1}) \\ H(2^{N-1}) & \text{complement}\bigl(H(2^{N-1})\bigr) \end{bmatrix}$

On the Non-linearity of Boolean Functions

• HD of any two linear functions is always 2^{n-1}
• HD between two non-linear functions is < 2^{n-1}
Let $\langle \xi, \eta \rangle = \#(f = g) - \#(f \ne g)$ (scalar product of the ±1 sequences)
$= 2^n - \#(f \ne g) - \#(f \ne g) = 2^n - 2\,\#(f \ne g)$
$HD(f, g) = \#(f \ne g) = 2^{n-1} - \tfrac{1}{2}\langle \xi, \eta \rangle$

Bent Functions

• Bent functions are non-linear Boolean functions which have maximum non-linearity
• The non-linearity of a Bent function is $2^{n-1} - 2^{\frac{n}{2}-1}$
• They satisfy SAC but are not balanced
• Example: f(x) = x1x2 + x3x4

Affine Transformations and Non-linearity

• If a Boolean function is balanced, then an affine transformation does not affect its non-linearity
Let f(x) be a balanced Boolean function with x = (x1, x2, x3, ..., xn) an n-bit vector, A an n × n invertible binary matrix and B an n-bit vector. Then f(Ax ⊕ B) is also balanced, and the nonlinearity of f(x) = the nonlinearity of f(Ax ⊕ B).

Strict Avalanche Criteria (SAC)

• For a function (f) to satisfy SAC, $f(x) \oplus f(x \oplus \alpha)$ must be balanced for any α with HW(α) = 1
• Also called propagation criteria of order 1
• Higher order SAC,
– Propagation criteria of order > 1
– When the input changes in more than 1 bit
• Show that $y = x_1 \oplus x_2 x_3$ does not satisfy SAC and $z = x_1 x_2 \oplus x_3 x_4$ satisfies SAC
Note that z is a Bent function

How to make a Boolean function satisfy SAC

• Let f(x) be a Boolean function of order n
• Let A be an n x n non-singular Boolean matrix
• If r is a row in the matrix A and $f(x) \oplus f(x \oplus r)$ is balanced then g(x) = f(Ax) satisfies SAC
Example:
$f(x) = x_1 \oplus x_2 x_3$
$A = \begin{bmatrix} 1 & 1 & 1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}$
then g(x) = f(Ax) satisfies SAC. Verify this?

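The Boolean-function criteria of the last slides (truth tables, balance, Hamming distance, nonlinearity via the Walsh spectrum, SAC, and the matrix construction of the slide above) in code, checked on the slides' own examples. Added Python example, not the slides' code. One assumption is labelled: the product with A is taken with x as a row vector (g(x) = f(xA)); with the rows of A as listed on the slide, that is the convention under which the stated hypothesis makes g satisfy SAC.

```python
from itertools import product


def truth_table(f, n):
    """Truth table of f in the slides' order: inputs alpha_0 .. alpha_(2^n-1) with
    x1 as the most significant bit, so the index of an input is its binary value."""
    return [f(*bits) for bits in product((0, 1), repeat=n)]


def is_balanced(tt):
    return tt.count(0) == tt.count(1)


def hamming_distance(tt1, tt2):
    return sum(a != b for a, b in zip(tt1, tt2))


def walsh_spectrum(tt):
    """W_f(w) = sum over x of (-1)^(f(x) xor w.x): the scalar product of the
    'On the Non-linearity' slide between f and the linear function w.x, for every w."""
    spectrum = []
    for w in range(len(tt)):
        total = 0
        for x, fx in enumerate(tt):
            wx = bin(w & x).count("1") & 1
            total += 1 if fx ^ wx == 0 else -1
        spectrum.append(total)
    return spectrum


def nonlinearity(tt):
    """N_f = min over affine g of HD(f, g) = 2^(n-1) - max|W_f(w)| / 2."""
    n = len(tt).bit_length() - 1
    return 2 ** (n - 1) - max(abs(v) for v in walsh_spectrum(tt)) // 2


def satisfies_sac(f, n):
    """SAC: f(x) xor f(x xor alpha) must be balanced for every alpha of weight 1."""
    tt = truth_table(f, n)
    for i in range(n):
        mask = 1 << (n - 1 - i)           # flip x_(i+1)
        if not is_balanced([tt[x] ^ tt[x ^ mask] for x in range(len(tt))]):
            return False
    return True


def rows_give_balanced_differences(f, A):
    """Hypothesis of the construction: f(x) xor f(x xor r) is balanced for every row r of A."""
    n = len(A)
    tt = truth_table(f, n)
    for r in A:
        mask = int("".join(str(b) for b in r), 2)
        if not is_balanced([tt[x] ^ tt[x ^ mask] for x in range(len(tt))]):
            return False
    return True


def compose_with_matrix(f, A):
    """g(x) = f(x A) with x a row vector over GF(2) (this example's assumed
    convention). Then g(x) xor g(x xor e_i) = f(y) xor f(y xor row_i(A)) with
    y = x A ranging over all inputs, which is exactly the hypothesis above."""
    n = len(A)

    def g(*x):
        y = [sum(x[i] & A[i][j] for i in range(n)) & 1 for j in range(n)]
        return f(*y)

    return g
```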
Completeness

• More a criterion for the complete cipher (SP)
• Given s-boxes with a fixed mapping,
– the P-layer needs to be fixed and the rounds need to be fixed such that the ciphertext is a complex function of every plaintext input

XOR Profile

• The difference distribution table of the s-box must contain small variations

The Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES)

• NIST's standard for block ciphers since October 2000.
• SPN network with each round having
– Randomness Layer: Round key addition
– Confusion Layer: Byte Substitution
– Diffusion Layer: Shift row and Mix column (the last round does not have the mix column step)

         Key Length   No. of rounds
AES-128  16 bytes     10
AES-192  24 bytes     12
AES-256  32 bytes     14

Finite Fields
Mathematical Background

The AES State Representation

• 16 bytes arranged in a 4x4 matrix of bytes
Figure: the 16 byte plaintext a b c d e f g h i j k l m n o p is loaded column by column into the state
a e i m
b f j n
c g k o
d h l p
and AES produces the 16 byte ciphertext A B C D E F G H I J K L M N O P in the same layout.

AES-128 Encryption

Figure: Plaintext Block → XOR key (Secret Key) → loop 10 times { Byte Substitution → Shift Rows → Mix Columns (except for the last round) → Add Round Key } → Ciphertext Block; Key Expansion derives RK1, RK2, RK3, …, RK10 from the Secret Key
4 Operations
• Byte Substitution
• Shift Rows
• Mix Columns
• Add Round Key

AES-128 Encryption

Figure: the same round structure as on the previous slide, with Byte Substitution labelled confusion and Shift Rows / Mix Columns labelled diffusion

AES Operations

• All AES operations are performed in the field GF(2^8).
• The field's irreducible polynomial is x^8 + x^4 + x^3 + x + 1
in binary notation (100011011)_2, in hex notation (11B)_16

Byte Substitution

• Makes a non-linear substitution for every byte in the 4x4 matrix
Figure: each byte of the state (a … p) goes through the Sbox to give the corresponding byte of the output (A … P), e.g. f → F
$\text{Sbox}(A) = \begin{cases} \text{Affine}(A^{-1}) & \text{if } \theta(A) \ne 0 \\ \text{Affine}(0) & \text{if } \theta(A) = 0 \end{cases}$
Affine Transformation:
$\begin{bmatrix} b_7 \\ b_6 \\ b_5 \\ b_4 \\ b_3 \\ b_2 \\ b_1 \\ b_0 \end{bmatrix} = \begin{bmatrix} 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \\ 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \end{bmatrix} \begin{bmatrix} a_7 \\ a_6 \\ a_5 \\ a_4 \\ a_3 \\ a_2 \\ a_1 \\ a_0 \end{bmatrix} \oplus \begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}$

AES S-box Design Rationale

• This s-box construction was proposed by Kaisa Nyberg in 1993
• Steps:
1. Inverse in GF(2^8)
• Provides high degrees of non-linearity
• Known to have good resistance against differential and linear cryptanalysis
2. Affine transformation
• ensures no fixed points (fixed points: S(x) = x)
• Complicates Algebraic attacks
$\text{Sbox}(A) = \begin{cases} \text{Affine}(A^{-1}) & \text{if } \theta(A) \ne 0 \\ \text{Affine}(0) & \text{if } \theta(A) = 0 \end{cases}$

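The two-step construction of the slides (inverse in GF(2^8) modulo 0x11B, then the affine transformation with the circulant matrix and the constant 0x63) generating the full 256-byte table, plus the checks the rationale slide promises: no fixed points, and an inverse table for decryption. Added Python example, not the slides' code.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return product


def gf_inv(a):
    """Multiplicative inverse: a^254, since a^255 = 1 for every a != 0.
    The inverse of 0 is taken as 0, the theta(A) = 0 case on the slide."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def affine(b):
    """The slide's affine transformation: output bit i is b_i xor b_(i+4) xor
    b_(i+5) xor b_(i+6) xor b_(i+7) (indices mod 8), which is the circulant
    matrix on the slide, followed by xor with the constant 0x63 = 01100011."""
    def rotl(x, k):
        return ((x << k) | (x >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def aes_sbox():
    """Nyberg's construction: inverse in GF(2^8), then the affine map."""
    return [affine(gf_inv(a)) for a in range(256)]


def inverse_sbox(sbox):
    """Lookup table for the inverse S-box (the s-box run in reverse)."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def fixed_points(sbox):
    """Inputs with S(x) = x; the affine step is there to make this list empty."""
    return [x for x in range(256) if sbox[x] == x]
```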
S-box Encryption Table

• Use a table to do the byte substitution
• eg. Sbox[42] = 2c

Shift Rows

• Shift Rows
• Leave the First row untouched
• Left Rotate (2nd Row by 8 bits)
• Left Rotate (3rd Row by 16 bits)
• Left Rotate (4th Row by 24 bits)
• Along with Mix Columns provides high diffusion
• Bits flip in at least 25 s-boxes after 4 rounds
Figure:
a e i m        a e i m
b f j n   →    f j n b
c g k o        k o c g
d h l p        p d h l

Mix Columns

The 4x4 state matrix is multiplied with the matrix
$\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix} \times \begin{bmatrix} a & e & i & m \\ b & f & j & n \\ c & g & k & o \\ d & h & l & p \end{bmatrix}$
For the column (e, f, g, h) the output column (E, F, G, H) is
$E = 2e + 3f + g + h$
$F = e + 2f + 3g + h$
$G = e + f + 2g + 3h$
$H = 3e + f + g + 2h$
Note that the multiplications are in the GF(2^8) field

Mix Columns Rationale

Why use this matrix?
• It is an MDS matrix (Maximum Distance Separable codes)
– If the input of a column changes then all outputs change
– This maximizes the branch number
– For AES, the branch number is 5
• The values [2, 3, 1, 1] are the smallest which result in an MDS matrix that is also circulant
• Has an inverse in the AES field
$\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}$

AES Operations (Add Round Key)

Addition here is addition in GF(2^8), which is the ex-or operation
Figure:
a e i m     k0 k4 k8  k12     a+k0 e+k4 i+k8  m+k12
b f j n  +  k1 k5 k9  k13  =  b+k1 f+k5 j+k9  n+k13
c g k o     k2 k6 k10 k14     c+k2 g+k6 k+k10 o+k14
d h l p     k3 k7 k11 k15     d+k3 h+k7 l+k11 p+k15

AES-128 Decryption

Figure: Ciphertext Block → XOR RK10 → loop 10 times { Inverse Byte Substitution → Inverse Shift Rows → Add Round Key → Inverse Mix Columns (except for the last round) } → Plaintext Block; Key Expansion of the Secret Key supplies RK9, RK8, …, RK1, key

Inverse S-box

• Simply the AES s-box run in reverse
• As with the s-box operation, a lookup table can be used

Inverse Shift Rows

• Shift Rows
• Leave the First row untouched
• Right Rotate (2nd Row by 8 bits)
• Right Rotate (3rd Row by 16 bits)
• Right Rotate (4th Row by 24 bits)
Figure:
a e i m        a e i m
f j n b   →    b f j n
k o c g        c g k o
p d h l        d h l p

Inverse Mix Column

• The 4x4 state matrix is multiplied with the matrix
$\begin{bmatrix} \mathtt{0E} & \mathtt{0B} & \mathtt{0D} & \mathtt{09} \\ \mathtt{09} & \mathtt{0E} & \mathtt{0B} & \mathtt{0D} \\ \mathtt{0D} & \mathtt{09} & \mathtt{0E} & \mathtt{0B} \\ \mathtt{0B} & \mathtt{0D} & \mathtt{09} & \mathtt{0E} \end{bmatrix}$
For the column (e, f, g, h) the output column (E, F, G, H) is
$E = \mathtt{0E}\,e + \mathtt{0B}\,f + \mathtt{0D}\,g + \mathtt{09}\,h$
$F = \mathtt{09}\,e + \mathtt{0E}\,f + \mathtt{0B}\,g + \mathtt{0D}\,h$
$G = \mathtt{0D}\,e + \mathtt{09}\,f + \mathtt{0E}\,g + \mathtt{0B}\,h$
$H = \mathtt{0B}\,e + \mathtt{0D}\,f + \mathtt{09}\,g + \mathtt{0E}\,h$
• The hardware implementation can be done in a similar way as mix columns

AES Key Schedule

• How to expand the secret key
• Design Criteria
o Efficient
o Non-symmetric: Ensured by round constants
o Efficient diffusion properties of the secret key into the round keys
o It should exhibit enough non-linearity to prohibit the full determination of differences in the expanded key from cipher key differences only.
Figure: Key Expansion of the Secret Key into RK1, RK2, RK3, …, RK10

AES Key Schedule

Figure: the secret key bytes K0,0 … K0,15 are arranged as four columns (K0,0 K0,1 K0,2 K0,3), (K0,4 … K0,7), (K0,8 … K0,11), (K0,12 … K0,15). The last column goes through rotword, the S-box operation and a round constant xor (the constant for round i is 2^{i-1} 0 0 0) and is ex-ored with the first column to give the first column (K1,0 K1,1 K1,2 K1,3) of the 1st round key; the remaining round-key columns K1,4 …, K1,8 …, K1,12 … each come from the previous round-key column ex-ored with the corresponding secret key column.

Implementation Aspects of AES

Software Implementations of AES Encryption

• S-box implemented as a lookup-table (256 bytes)
• Shift rows combined with Mix columns
• Multiplication with the MDS matrix is easily achieved
– x2 is done by a left shift. If there is an overflow an ex-or with 0x1B is needed
– x3 = x2 + x

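The shift-and-0x1B trick of this slide carried through to the whole MixColumns and Inverse MixColumns of the earlier slides (the constants E, B, D, 9 are built from the same doubling), together with a check of the branch-number cases the Branch Number slide enumerates (one non-zero input byte changes all four output bytes, two non-zero bytes change at least three). Added Python example, not the slides' or any library's code; the MixColumns test vector used in the test is the one from the AES specification.

```python
def xtime(a):
    """Multiply by x (= 0x02): left shift, and if bit 8 overflowed ex-or with 0x1B
    (the low byte of the irreducible polynomial 0x11B)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def mul(a, c):
    """a times one of the MixColumns / InvMixColumns constants, built from xtime
    only: x3 = x2 + x, and E, B, D, 9 are 8+4+2, 8+2+1, 8+4+1, 8+1."""
    x2 = xtime(a)
    x4 = xtime(x2)
    x8 = xtime(x4)
    return {1: a, 2: x2, 3: x2 ^ a, 9: x8 ^ a, 0xB: x8 ^ x2 ^ a,
            0xD: x8 ^ x4 ^ a, 0xE: x8 ^ x4 ^ x2}[c]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[0xE, 0xB, 0xD, 0x9], [0x9, 0xE, 0xB, 0xD],
           [0xD, 0x9, 0xE, 0xB], [0xB, 0xD, 0x9, 0xE]]


def mix_column(col, matrix=MIX):
    """One column (e, f, g, h) of the state times the MDS matrix; pass INV_MIX
    for the inverse operation."""
    return [mul(col[0], r[0]) ^ mul(col[1], r[1]) ^ mul(col[2], r[2]) ^ mul(col[3], r[3])
            for r in matrix]


def mix_columns(state, matrix=MIX):
    """Apply mix_column to each of the four columns of a 4x4 state (list of rows)."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def weight(col):
    """W(a): number of non-zero bytes."""
    return sum(1 for b in col if b)


def branch_number_check(matrix=MIX):
    """Minimum of W(a) + W(F(a)) over every column with one or two non-zero bytes.
    F is linear, so F(a xor b) = F(a) xor F(b) lets the weight-2 inputs reuse the
    weight-1 outputs; an MDS matrix must give 5 here."""
    single = [[mix_column([v if k == i else 0 for k in range(4)], matrix)
               for v in range(256)] for i in range(4)]
    best = 8
    for i in range(4):
        for v in range(1, 256):
            best = min(best, 1 + weight(single[i][v]))
        for j in range(i + 1, 4):
            for v in range(1, 256):
                for w in range(1, 256):
                    out = [p ^ q for p, q in zip(single[i][v], single[j][w])]
                    best = min(best, 2 + weight(out))
    return best
```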
AES on 32 bit Systems

AES state: $\begin{bmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \end{bmatrix}$
Byte Substitution: $b_{i,j} = S(a_{i,j})$ for $i, j \in \{0,1,2,3\}$
Shift Rows (c1 = c2 = c3 = 1 are cyclic shifts): $\begin{bmatrix} c_{0,j} \\ c_{1,j} \\ c_{2,j} \\ c_{3,j} \end{bmatrix} = \begin{bmatrix} b_{0,j} \\ b_{1,j-C_1} \\ b_{2,j-C_2} \\ b_{3,j-C_3} \end{bmatrix}$
Mix Columns
Add Round Key: $e_{i,j} = d_{i,j} \oplus k_{i,j}$ for $i, j \in \{0,1,2,3\}$
Combining Operations

T Tables

Combining Operations
Define 4 T-Tables
One Round of AES using T-Tables

OpenSSL Implementation of AES (with T-tables)

Last Round of AES

• Uses a different table (Te4)

AES NI

• Accelerating AES on modern Intel and AMD processors with dedicated instructions

Compact Implementations of AES

• How should the S-box be implemented?
– Lookup table (256 bytes)
• This may be too large for some devices
– Finding the inverse (using Itoh-Tsujii or the extended Euclidean algorithm) and then the affine transformation
• Again expensive (too big!!!)
– Third alternative
• Use composite fields

Composite Fields (refer Math. Background)

Composite Fields for AES

• The AES Field is GF(2^8) / x^8 + x^4 + x^3 + x + 1
– Has order 256
• Many composite fields for AES exist
– GF((2^4)^2)
• Requires two irreducible polynomials
One has the form x^4 + ...., where the coefficients are in GF(2)
The second has the form x^2 + ax + b, where a, b are in GF(2^4)
– GF(((2^2)^2)^2)
• Requires three irreducible polynomials
First of the form x^2 + a1 x + b1, where a1, b1 are in GF(2)
Second has the form x^2 + a2 x + b2, where a2, b2 are in GF(2^2)
Third has the form x^2 + a3 x + b3, where a3, b3 are in GF((2^2)^2)

Mapping between GF(2^8) and Composite Fields
https://drive.google.com/file/d/0BwxUBZXYoUKCTEJmNUozMl9xM3M/edit?usp=sharing

FindMap() {
    Initialize MAP[0] = 0 and REVMAP[0] = 0
    Find a primitive root α of the field GF(2^8)
    Find a primitive root β of the field GF((2^4)^2)
    α' = 1; β' = 1
    For i = 1 to 255 {
        α' = α' · α      (multiplication in the field GF(2^8))
        β' = β' · β      (multiplication in the field GF((2^4)^2))
        MAP[α'] = β'
        REVMAP[β'] = α'
    }
    return
}

Implementing the AES S-box in Composite Fields

Figure: x → Map → Inverse in the Composite Field (e.g. in GF((2^4)^2)) → Reverse Map → Affine Transform → Sbox(x)

S-box Based on Composite Fields

Performance of S-boxes on FPGA*
S-box Approach          | No. of Slices | Critical Path | Gate Count
Lookup table based      | 64            | 11.9 ns       | 1128
Composite Field based   | 30            | 18.3 ns       | 312

Gate Count for the composite Sbox#
XOR | NAND | NOR | Total Gates in terms of NAND (using std cell lib)
80  | 34   | 6   | 180

# D. Canright, A Very Compact S-box for AES, CHES-2005
* Simulation Results using Xilinx ISE

Overhead of Composite Field s-boxes

• Composite field s-boxes require mapping and reverse mapping to and from the composite fields in each round
• An alternate approach is to convert all other round operations into composite field operations.
– This would require just one mapping and one reverse mapping for the entire encryption
– The operations AddRoundKey and ShiftRows are not altered.
– MixColumns will need to be re-implemented

Attacks on AES

Differential and Linear Properties of AES

• Differential Cryptanalysis
– No 4 round differential trail > 1/2^150 and no 8 round differential trail > 1/2^300 exists.
• Linear Cryptanalysis
– No 4 round bias > 1/2^75 and no 8 round bias > 1/2^150 exists
AES can easily resist differential and linear cryptanalysis

Attack on 4 Rounds of AES

Figure: Plaintext Block → XOR key (Secret Key) → loop 4 times { Byte Substitution → Shift Rows → Mix Columns (except for the last round) → Add Round Key } → Ciphertext Block; Key Expansion gives RK1, RK2, RK3, RK4
4 Operations
• Byte Substitution
• Shift Rows
• Mix Columns
• Add Round Key

Square Attack (known by the AES designers)

• Works for 4 rounds of AES
• Can be extended up to 6 rounds
• Consider 256 plaintext blocks having the following properties
1. byte 0 is different in all cases (i.e. p_{i,0} ≠ p_{j,0}), for i, j = 0 to 255 and i ≠ j
2. bytes 1 to 15 are the same (i.e. p_{i,k} = p_{j,k}), for i, j = 0 to 255 and 1 ≤ k ≤ 15
Figure: 256 plaintext blocks numbered 0, 1, 2, 3, …, FF; the Active Byte takes all different values

Square Attack

• Consider 256 plaintext blocks having the following properties
1. byte 0 is different in all cases (i.e. p_{i,0} ≠ p_{j,0}), for i, j = 0 to 255 and i ≠ j
2. bytes 1 to 15 are the same (i.e. p_{i,k} = p_{j,k}), for i, j = 0 to 255 and 1 ≤ k ≤ 15
Two properties
$\bigoplus_{i=0}^{255} p_{i,0} = 0$ (Active byte: byte 0 takes every value from 00 to FF)
$\bigoplus_{i=0}^{255} p_{i,k} = 0$ for some k, 1 ≤ k ≤ 15. The state is balanced

Square Attack (Propagation in 3 rounds)

Add Whitening Key: $\bigoplus_{i=0}^{255} p_{i,0} = 0$
Round 1: SubBytes, ShiftRows, MixColumns, AddRoundKey: Active byte property
Round 2: SubBytes, ShiftRows, MixColumns, AddRoundKey
Round 3: SubBytes, ShiftRows, MixColumns
$\bigoplus_{i=0}^{255} (2a_i + 3b_i + c_i + d_i) = 2\bigoplus_{i=0}^{255} a_i + 3\bigoplus_{i=0}^{255} b_i + \bigoplus_{i=0}^{255} c_i + \bigoplus_{i=0}^{255} d_i = 0 + 0 + 0 + 0 = 0$
Balanced retained

Square Attack (Propagation in 3 rounds)

Add Whitening Key: $\bigoplus_{i=0}^{255} p_{i,0} = 0$
Round 1: SubBytes, ShiftRows, MixColumns, AddRoundKey: Active byte property
Round 2: SubBytes, ShiftRows, MixColumns, AddRoundKey
Round 3: SubBytes, ShiftRows, MixColumns, AddRoundKey: $s_{3,i}$ (0 ≤ i ≤ 15)
This property does not hold after SubBytes in the 4th Round

A 4 round square attack

Round 3: SubBytes, ShiftRows, MixColumns, AddRoundKey
Round 4: SubBytes, ShiftRows, MixColumns, AddRoundKey → ciphertext
$c_i \oplus k_i$ for 0 ≤ i ≤ 3
$S^{-1}\bigl(\mathtt{0E}(c_0 \oplus k_0) \oplus \mathtt{0B}(c_1 \oplus k_1) \oplus \mathtt{0D}(c_2 \oplus k_2) \oplus \mathtt{09}(c_3 \oplus k_3)\bigr)$

4 round square attack (A chosen plaintext attack)

1. Choose 256 plaintexts with one active byte
2. Perform the 4 round encryption for each plaintext
3. For each potential key (k0 || k1 || k2 || k3) do the following,
a. Compute $s_{3,0}$ corresponding to each $c^{(i)}$ (there are 256 such); call them $s_{3,0}^{(0)}, s_{3,0}^{(1)}, s_{3,0}^{(2)}, \ldots, s_{3,0}^{(255)}$
b. compute $\bigoplus_{i=0}^{255} s_{3,0}^{(i)}$
If this is 0, then the guessed (k0 || k1 || k2 || k3) may be correct. If not, the guessed key is incorrect

Why square attack may lead to an incorrect key

• If the key guess is wrong, $\bigoplus_{i=0}^{255} s_{3,0}^{(i)}$ may still be 0.
• This is because $s_{3,0}^{(i)}$ evaluated to one of {0, 1, 2, 3, …, 255} with equal probability
• Thus with probability 2^-8, we may get $\bigoplus_{i=0}^{255} s_{3,0}^{(i)} = 0$ for the wrong key.

Extending beyond 4 rounds

Read how the square attack can be extended to 5 rounds and 6 rounds.
math.boisestate.edu/~liljanab/Math509Spring10/AES-security.pdf

Related Key Attacks on AES (theoretical attacks on full AES)

• By Alex Biryukov and Dmitry Khovratovich (2009)
• Strong assumption: the attacker forces the victim to choose keys of a particular form.
• Determine how key differences affect the ciphertext difference

Tracing key differences
