Lecture 7: The Advanced Encryption Standard (AES)



On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for the AES algorithms was formally made on September 12, 1997.

The requirements of AES are as follows:

(1) The call stipulated that the AES would specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s).

(2) The algorithm(s) must support (at a minimum) block sizes of 128 bits and key sizes of 128, 192, and 256 bits, and should have a strength at the level of triple DES, but should be more efficient than triple DES.

(3) It should work on a variety of different hardware.

(4) The algorithm(s), if selected, must be available royalty-free, worldwide.

On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called Round 1). Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.


The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (the Round 2).

In Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations, and implementation issues. On October 2, 2000, NIST announced that it had selected Rijndael as its proposal for the AES.

Outline

1 About the Finite Field GF(p^n)
2 The Basic Algorithm
3 The Layers
4 Decryption
5 Design Consideration

1 About the Finite Field GF(p^n)

For every power $p^n$ of a prime, there is exactly one finite field with $p^n$ elements. But the integers modulo $p^n$ do not form a field, since the congruence $px \equiv 1 \pmod{p^n}$ does not have a solution.

Example 1

Construct GF($2^2$).

Solution: Let $Z_2[X]$ be the set of polynomials whose coefficients are integers mod 2, such as $X^6+X+1$, $X$. The constant polynomials 0, 1 are also in $Z_2[X]$. We can add, subtract, and multiply in this set, as long as we work with the coefficients mod 2, such as

$(X^3+X+1)(X+1) = X^4+X^3+X^2+1.$

We can perform division with remainder, just as with the integers. For example, we divide $X^2+X+1$ into $X^4+X^3+1$ and get

$X^4+X^3+1 = (X^2+X+1)(X^2+1) + X.$

We can write this as $X^4+X^3+1 \equiv X \pmod{X^2+X+1}$. Therefore, we can define $Z_2[X] \pmod{X^2+X+1}$ to be the set $\{0, 1, X, X+1\}$ of polynomials of degree at most 1. For addition and multiplication mod $X^2+X+1$, it is a field with 4 elements.

1.1 The Construction of the Finite Field GF(p^n)

The general procedure for constructing a finite field GF($p^n$):

(1) $Z_p[X]$ is the set of polynomials with coefficients mod $p$.

(2) Choose $P(X)$ to be an irreducible polynomial mod $p$ of degree $n$.

(3) Let GF($p^n$) be $Z_p[X] \bmod P(X)$. Then GF($p^n$) is a field with $p^n$ elements.

# What happens if we do the same construction for two different irreducible polynomials, both of degree $n$? It is possible to show that these are essentially the same field.

1.2 Division

Example 2: The Extended Euclidean Algorithm

Consider GF($2^8$) = $Z_2[X] \pmod{X^8+X^4+X^3+X+1}$; find the inverse of $X^7+X^6+X^3+X+1$.

Solution: Calculate $\gcd(X^8+X^4+X^3+X+1,\ X^7+X^6+X^3+X+1)$. The procedure (at each step the divisor becomes the new dividend and the remainder the new divisor) is the same as for integers:

$X^8+X^4+X^3+X+1 = (X^7+X^6+X^3+X+1)(X+1) + (X^6+X^2+X),$

$X^7+X^6+X^3+X+1 = (X^6+X^2+X)(X+1) + 1.$

Therefore,

$1 = (X+1)(X^8+X^4+X^3+X+1) + X^2 (X^7+X^6+X^3+X+1).$

Reducing mod $X^8+X^4+X^3+X+1$, we obtain:

$X^2 (X^7+X^6+X^3+X+1) \equiv 1 \pmod{X^8+X^4+X^3+X+1}.$

1.3 GF(2^8)

Use GF($2^8$) = $Z_2[X] \pmod{X^8+X^4+X^3+X+1}$ as an example. Every element can be represented uniquely as a polynomial

$b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0,$

where each $b_i$ is 0 or 1. The 8 bits $b_7b_6b_5b_4b_3b_2b_1b_0$ represent a byte. For example, $X^7+X^6+X^3+X+1$ becomes 11001011. Addition is the XOR of the bits:

$(X^7+X^6+X^3+X+1) + (X^4+X^3+1) \rightarrow 11001011 \text{ XOR } 00011001 = 11010010.$

Multiplication is

$X (X^7+X^6+X^3+X+1) \rightarrow 110010110$ (shift 11001011 left and append a 0)

$\rightarrow 110010110 \text{ XOR } 100011011 = 010001101$ (subtract $X^8+X^4+X^3+X+1$ if the first bit is 1).

In summary, we see that the operations in GF($2^8$) are efficient.
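The GF($2^8$) arithmetic of sections 1.2 and 1.3 (XOR addition, shift-and-reduce multiplication, division with remainder, and the extended Euclidean algorithm of Example 2) as an added Python example; this is not code from the lecture, and the int encoding of polynomials and the helper names are my own.

```python
# Added example, not from the lecture: arithmetic in GF(2^8) = Z_2[X] mod X^8+X^4+X^3+X+1.
# A polynomial over Z_2 is stored as a Python int: bit i is the coefficient of X^i,
# so the byte 11001011 is X^7+X^6+X^3+X+1 exactly as on the slides.
MOD = 0b1_0001_1011  # X^8 + X^4 + X^3 + X + 1, the Rijndael polynomial


def poly_str(p):
    """Render an int-encoded polynomial the way the slides write it, e.g. X^7+X^6+X^3+X+1."""
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else "X" if i == 1 else f"X^{i}")
    return "+".join(terms) or "0"


def gf_add(a, b):
    """Addition (and subtraction) of bytes is the XOR of the bits."""
    return a ^ b


def poly_divmod(a, b):
    """Division with remainder in Z_2[X]: returns (q, r) with a = q*b + r and deg r < deg b."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift      # the quotient gains the term X^shift
        a ^= b << shift      # subtract X^shift * b (subtraction is XOR mod 2)
    return q, a


def gf_mul(a, b):
    """Multiply two bytes: multiplying by X is a left shift, followed by subtracting
    the modulus whenever the shifted-out bit (X^8) is 1, as in section 1.3."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return result


def gf_inverse(a):
    """Inverse of a nonzero byte by the extended Euclidean algorithm of Example 2.
    Invariant: r0 = s0*a and r1 = s1*a (mod MOD); when r1 reaches 1, s1 is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r0, r1, s0, s1 = MOD, a, 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf_mul(q, s1)
    return s1


if __name__ == "__main__":
    a, b = 0b11001011, 0b00011001          # X^7+X^6+X^3+X+1 and X^4+X^3+1
    print(f"{poly_str(a)} + {poly_str(b)} = {gf_add(a, b):08b}")
    print(f"X * ({poly_str(a)}) = {gf_mul(a, 0b10):08b}")
    inv = gf_inverse(a)
    print(f"inverse of {poly_str(a)} is {poly_str(inv)}; check: {gf_mul(a, inv)}")
```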

2 The Basic Algorithm

For simplicity, we restrict to 128 bits, and first give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key, namely the original key of 128 bits. A round starts with an input of 128 bits and produces an output of 128 bits.

There are four basic steps, called layers, that are used to form the rounds:

(1) The ByteSub (SB) Transformation: This non-linear layer is for resistance to differential and linear cryptanalysis attacks.

(2) The ShiftRow (SR) Transformation: This linear mixing step causes diffusion of the bits over multiple rounds.

(3) The MixColumn (MC) Transformation: This layer has a purpose similar to ShiftRow.

(4) AddRoundKey (ARK) Transformation: The round key is XORed with the result of the above layer.

A round is then

ByteSub → ShiftRow → MixColumn → AddRoundKey

Rijndael Encryption

(1) ARK, using the 0th round key.
(2) Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.
(3) A final round: BS, SR, ARK, using the 10th round key.

# The final round omits the MixColumn layer.

3 The Layers

The 128 input bits are grouped into 16 bytes of 8 bits each; call them

$a_{0,0}, a_{1,0}, a_{2,0}, a_{3,0}, a_{0,1}, a_{1,1}, \ldots, a_{3,3},$

and they are arranged into a $4 \times 4$ matrix

$$\begin{pmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \end{pmatrix}.$$

In the following, we'll need to work with the finite field GF($2^8$). The model of GF($2^8$) depends on a choice of irreducible polynomial of degree 8. The choice for Rijndael is $X^8+X^4+X^3+X+1$. The elements of GF($2^8$) can be represented by bytes. They can be added by XOR. They can also be multiplied in a certain way. Each element has a multiplicative inverse.

3.1 The ByteSub Transformation

S-Box (16 × 16), entries in decimal. Rows and columns are numbered 1 to 16 (row = first four bits of the input byte plus 1, column = last four bits plus 1):

row  1:  99 124 119 123 242 107 111 197  48   1 103  43 254 215 171 118
row  2: 202 130 201 125 250  89  71 240 173 212 162 175 156 164 114 192
row  3: 183 253 147  38  54  63 247 204  52 165 229 241 113 216  49  21
row  4:   4 199  35 195  24 150   5 154   7  18 128 226 235  39 178 117
row  5:   9 131  44  26  27 110  90 160  82  59 214 179  41 227  47 132
row  6:  83 209   0 237  32 252 177  91 106 203 190  57  74  76  88 207
row  7: 208 239 170 251  67  77  51 133  69 249   2 127  80  60 159 168
row  8:  81 163  64 143 146 157  56 245 188 182 218  33  16 255 243 210
row  9: 205  12  19 236  95 151  68  23 196 167 126  61 100  93  25 115
row 10:  96 129  79 220  34  42 144 136  70 238 184  20 222  94  11 219
row 11: 224  50  58  10  73   6  36  92 194 211 172  98 145 149 228 121
row 12: 231 200  55 109 141 213  78 169 108  86 244 234 101 122 174   8
row 13: 186 120  37  46  28 166 180 198 232 221 116  31  75 189 139 138
row 14: 112  62 181 102  72   3 246  14  97  53  87 185 134 193  29 158
row 15: 225 248 152  17 105 217 142 148 155  30 135 233 206  85  40 223
row 16: 140 161 137  13 191 230  66 104  65 153  45  15 176  84 187  22

3.1 The ByteSub Transformation (Continued)

Write a byte as 8 bits: $abcdefgh$. Look for the entry in the row $abcd$ and column $efgh$ (rows and columns of the S-box are numbered from 1, so the row is $abcd + 1$ and the column is $efgh + 1$). For example, if the input byte is 10001011, we look in row 9 and column 12. The entry is 61, which is 111101 in binary.

The output of ByteSub is again a $4 \times 4$ matrix of bytes:

$$\begin{pmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \end{pmatrix} \rightarrow \begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\ b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\ b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3} \end{pmatrix}.$$

3.2 The ShiftRow Transformation

The four rows of the matrix are cyclically shifted to the left by offsets of 0, 1, 2, and 3 to obtain

$$\begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix} = \begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,1} & b_{1,2} & b_{1,3} & b_{1,0} \\ b_{2,2} & b_{2,3} & b_{2,0} & b_{2,1} \\ b_{3,3} & b_{3,0} & b_{3,1} & b_{3,2} \end{pmatrix}.$$

3.3 The MixColumn Transformation

The output of the ShiftRow step is a $4 \times 4$ matrix $(c_{i,j})$ with entries in GF($2^8$). Multiply this by a matrix, again with entries in GF($2^8$), to produce the output $(d_{i,j})$, as follows:

$$\begin{pmatrix} 00000010 & 00000011 & 00000001 & 00000001 \\ 00000001 & 00000010 & 00000011 & 00000001 \\ 00000001 & 00000001 & 00000010 & 00000011 \\ 00000011 & 00000001 & 00000001 & 00000010 \end{pmatrix} \begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix} = \begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix}.$$

3.4 The RoundKey Addition

The round key, derived from the original key, consists of 128 bits, which are arranged in a $4 \times 4$ matrix $(k_{i,j})$ consisting of bytes. This is XORed with the output $(d_{i,j})$ of the MixColumn step:

$$\begin{pmatrix} e_{0,0} & e_{0,1} & e_{0,2} & e_{0,3} \\ e_{1,0} & e_{1,1} & e_{1,2} & e_{1,3} \\ e_{2,0} & e_{2,1} & e_{2,2} & e_{2,3} \\ e_{3,0} & e_{3,1} & e_{3,2} & e_{3,3} \end{pmatrix} = \begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix} \oplus \begin{pmatrix} k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} \\ k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} \\ k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} \\ k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} \end{pmatrix}.$$

3.5 The Key Schedule

The original key consists of 128 bits, which are arranged into a $4 \times 4$ matrix of bytes. Label the first four columns $W(0), W(1), W(2), W(3)$. The new columns are generated recursively. If $4 \nmid i$, then $W(i) = W(i-4) \oplus W(i-1)$. If $4 \mid i$, then $W(i) = W(i-4) \oplus T(W(i-1))$, where $T(W(i-1))$ is the transformation of $W(i-1)$ given below.

Let $W(i-1) = (a, b, c, d)^T$. Shift cyclically to obtain $(b, c, d, a)^T$, replace each byte by its S-box entry to obtain $(e, f, g, h)^T$, and compute the round constant $(00000010)^{(i-4)/4}$ in GF($2^8$); $T(W(i-1))$ is $(e, f, g, h)^T$ with this round constant XORed into $e$.

The round key for the $i$th round consists of the columns $W(4i), W(4i+1), W(4i+2), W(4i+3)$.

3.6 The Construction of the S-Box

The S-box has a simple mathematical description. The inverse of the byte $x_7x_6x_5x_4x_3x_2x_1x_0$ in GF($2^8$) can be represented by $y_7y_6y_5y_4y_3y_2y_1y_0$. Suppose the inverse of the byte 00000000 is 00000000. The entry of $x_7x_6x_5x_4x_3x_2x_1x_0$ in the S-box can be computed by

$$\begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix},$$

with all arithmetic mod 2; the S-box entry is the byte $z_7z_6z_5z_4z_3z_2z_1z_0$.

3.6 The Construction of the S-Box (Continued)

Example 3

The inverse of the byte 10010111 in GF($2^8$) is 00000100. We calculate

$$\begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}.$$

This yields the byte 00011111 = 31. We check the row $1100 + 1 = 13$ and the column $1011 + 1 = 12$ in the S-box. We also obtain the entry 31.
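Added Python example, not code from the lecture: it generates the 16 × 16 S-box of section 3.1 from the construction in section 3.6 (inverse in GF($2^8$), then the affine map) and uses it in the key schedule of section 3.5. The log/antilog tables with generator $X+1$ are my own way of computing the inverse; the matrix, the constant column and the byte 00000100 = $X^2$ of Example 3 are the lecture's, and by Example 2 that byte is the inverse of 11001011 (row 1100, column 1011), so the code checks that table entry against 31.

```python
# Added example, not from the lecture: build the S-box from its algebraic description
# (inverse in GF(2^8), then the affine map of section 3.6) and use it in the key schedule
# of section 3.5. Bytes are ints; bit i of a byte is the coefficient of X^i.

def xtime(a):
    """Multiply by X: shift left, then subtract X^8+X^4+X^3+X+1 if the first bit was 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

# Log/antilog tables for the generator X+1 (the byte 00000011): EXP[k] = (X+1)^k.
EXP = [0] * 255
_v = 1
for _k in range(255):
    EXP[_k] = _v
    _v ^= xtime(_v)                      # v*(X+1) = v*X + v
LOG = {EXP[k]: k for k in range(255)}

def gf_inverse(a):
    """Inverse of a byte; by the lecture's convention the inverse of 00000000 is 00000000."""
    return 0 if a == 0 else EXP[(255 - LOG[a]) % 255]

# Rows of the 8x8 matrix from section 3.6 (leftmost bit multiplies y_0) and the constant
# column (1,1,0,0,0,1,1,0)^T, i.e. the byte 01100011.
AFFINE_ROWS = ["10001111", "11000111", "11100011", "11110001",
               "11111000", "01111100", "00111110", "00011111"]
AFFINE_CONST = "11000110"

def affine(y):
    """z_i = (row i) . (y_0, ..., y_7) + c_i, arithmetic mod 2; returns the byte z_7...z_0."""
    z = 0
    for i, row in enumerate(AFFINE_ROWS):
        bit = int(AFFINE_CONST[i])
        for j, m in enumerate(row):
            bit ^= int(m) & (y >> j) & 1
        z |= bit << i
    return z

SBOX = [affine(gf_inverse(x)) for x in range(256)]   # the 16x16 table of section 3.1

def rcon(i):
    """Round constant 00000010^((i-4)/4) in GF(2^8), for 4 | i."""
    r = 1
    for _ in range((i - 4) // 4):
        r = xtime(r)
    return r

def T(word, i):
    """Shift cyclically, replace each byte via the S-box, XOR the round constant into the first."""
    a, b, c, d = word
    e, f, g, h = (SBOX[x] for x in (b, c, d, a))
    return (e ^ rcon(i), f, g, h)

def expand_key(key):
    """Columns W(0..43) for a 16-byte key; round key k is W(4k), ..., W(4k+3)."""
    W = [tuple(key[4 * j:4 * j + 4]) for j in range(4)]
    for i in range(4, 44):
        prev = T(W[i - 1], i) if i % 4 == 0 else W[i - 1]
        W.append(tuple(x ^ y for x, y in zip(W[i - 4], prev)))
    return W
```

Printing SBOX sixteen entries per line reproduces the decimal table of section 3.1 row by row.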


4 Decryption

Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:

(1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS).

(2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).

(3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix

$$\begin{pmatrix} 00001110 & 00001011 & 00001101 & 00001001 \\ 00001001 & 00001110 & 00001011 & 00001101 \\ 00001101 & 00001001 & 00001110 & 00001011 \\ 00001011 & 00001101 & 00001001 & 00001110 \end{pmatrix}.$$

(4) AddRoundKey is its own inverse.

We can rewrite the decryption to achieve the same structure as encryption. Clearly, the order of ISR and IBS can be reversed. Applying MC and then ARK to a matrix $(c_{i,j})$ is given as

$(c_{i,j}) \rightarrow (m_{i,j})(c_{i,j}) \rightarrow (m_{i,j})(c_{i,j}) \oplus (k_{i,j}) = (e_{i,j}).$

The inverse is obtained by solving $(c_{i,j}) = (m_{i,j})^{-1}((e_{i,j}) \oplus (k_{i,j}))$. Since $(m_{i,j})^{-1}((e_{i,j}) \oplus (k_{i,j})) = (m_{i,j})^{-1}(e_{i,j}) \oplus (m_{i,j})^{-1}(k_{i,j})$, the process is

$(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \oplus (k'_{i,j}) = (c_{i,j}),$

where $(k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j})$. The first arrow is IMC. Let InvAddRoundKey (IARK) be XORing with $(k'_{i,j})$. We can use "IMC and IARK" to replace "ARK and IMC".

Therefore,

Rijndael encryption      Rijndael decryption
ARK                      ARK, ISR, IBS
BS, SR, MC, ARK          ARK, IMC, ISR, IBS
BS, SR, MC, ARK          ARK, IMC, ISR, IBS
BS, SR, ARK              ARK

Now, the decryption is given by

Rijndael decryption
ARK, IBS, ISR
IMC, IARK, IBS, ISR
IMC, IARK, IBS, ISR
ARK

Rijndael Decryption

(1) ARK, using the 10th round key.
(2) Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.
(3) A final round: IBS, ISR, ARK, using the 0th round key.

# To keep the perfect structure, the MC is omitted in the last round of the encryption.
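The ShiftRow, MixColumn and AddRoundKey layers of section 3, their inverses from section 4, and the identity behind replacing "ARK, IMC" by "IMC, IARK with $k' = $ IMC$(k)$" in the decryption rewrite, as an added Python example that is not part of the lecture. The 4 × 4 state and round key are constructed sample values (column 0 of the state is the standard db 13 53 45 MixColumn test column; the key bytes are the FIPS-197 example key laid out by columns).

```python
# Added example, not from the lecture: the ShiftRow, MixColumn and AddRoundKey layers
# of section 3 on a 4x4 state, their inverses from section 4, and the identity behind
# replacing "ARK, IMC" by "IMC, IARK". state[i][j] holds the byte a_{i,j}.

def xtime(a):
    """Multiply a byte by X in GF(2^8) (shift, then reduce by X^8+X^4+X^3+X+1)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Product of two bytes in GF(2^8) by repeated multiplication by X."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# The MixColumn matrix of section 3.3 and the InvMixColumn matrix of section 4, as bytes.
MC = [[0x02, 0x03, 0x01, 0x01], [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03], [0x03, 0x01, 0x01, 0x02]]
IMC = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
       [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def shift_rows(s, inverse=False):
    """Row i is shifted cyclically left by i (ShiftRow) or right by i (InvShiftRow)."""
    k = -1 if inverse else 1
    return [[s[i][(j + k * i) % 4] for j in range(4)] for i in range(4)]

def mix_columns(s, m=MC):
    """d_{i,j} = sum over k of m[i][k] * c_{k,j}: products in GF(2^8), sums are XOR."""
    d = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            for k in range(4):
                d[i][j] ^= gmul(s[k][j], m[i][k])
    return d

def add_round_key(s, key):
    return [[s[i][j] ^ key[i][j] for j in range(4)] for i in range(4)]

def undo_ark_imc(e, key):
    """Decrypt one MC+ARK step the direct way: ARK with the round key, then IMC."""
    return mix_columns(add_round_key(e, key), IMC)

def undo_imc_iark(e, key):
    """The rewritten order: IMC first, then IARK, i.e. XOR with k' = IMC(key)."""
    return add_round_key(mix_columns(e, IMC), mix_columns(key, IMC))

# Constructed sample state and round key (not from the lecture); column 0 of the
# state is a well-known MixColumn test column, db 13 53 45 -> 8e 4d a1 bc.
STATE = [[0xDB, 0xF2, 0x01, 0xC6], [0x13, 0x0A, 0x01, 0xC6],
         [0x53, 0x22, 0x01, 0xC6], [0x45, 0x5C, 0x01, 0xC6]]
KEY = [[0x2B, 0x28, 0xAB, 0x09], [0x7E, 0xAE, 0xF7, 0xCF],
       [0x15, 0xD2, 0x15, 0x4F], [0x16, 0xA6, 0x88, 0x3C]]
```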

5 Design Consideration

(1) Unlike the Feistel system, all bits are treated uniformly. This has the effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.

(2) The S-box is constructed in an explicit and simple algebraic way so as to avoid the mysteries of trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks.

(3) The SR step is added to resist truncated differentials and the Square attack.

(4) The MC causes diffusion among the bytes.

(5) The ARK involves, through the key schedule, nonlinear mixing of the key bits. The mixing is designed to resist attacks where part of the key is known. The round constants are used to eliminate symmetries.

(6) The number of rounds was chosen to be 10 because, as of 2004, there were attacks better than brute force for up to seven rounds. No known attack beats brute force for seven or more rounds. It was felt that three extra rounds provide a large enough margin of safety.