Cryptography and Network Security

Transcription

1 Cryptography and Network Security Spring Lecture 6: Advanced Encryption Standard (AES) Ion Petre Department of IT, Åbo Akademi University 1

2 Origin of AES 1999: NIST indicates that DES should be replaced as a standard have theoretical attacks that can break it have demonstrated exhaustive key search attacks Triple-DES should be used before a new standard is approved 3DES has 168-bit key: brute-force attack is infeasible Same engine as for DES is running software/hardware can be reused Confident that no effective attack exists: DES has been around for a long time As far as security is concerned, 3DES is ideal to replace DES Drawbacks of 3DES Relatively slow software implementations DES was designed for 1970 s hardware DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used US NIST issued call for ciphers in candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov

3 Requirements for the new standard Private key symmetric block cipher 128-bit data, 128/192/256-bit keys Stronger and faster than 3DES Active life of years (+ archival use) Provide full specification and design details Both C and Java implementations NIST have released all submissions & unclassified analyses 3

4 AES Evaluation Criteria Initial criteria: security effort to practically cryptanalyze cost computational efficiency, so as to be used in high-speed applications, such as broadband links algorithm and implementation characteristics: should be suitable for a variety of soft/hard implementations, simple enough to make analysis straightforward Final criteria general security: this was conducted by the public (academic) cryptographic community: people published various attacks and weaknesses of the candidates software and hardware implementation ease: execution speed, performance on various platforms, variation of speed with key size Attacks on implementation: timing attacks and power analysis Multiplication consumes more power and takes more time than addition Writing 1s consumes more power and takes more time than writing 0s Flexibility (in encryption/decryption, key change, other factors) 4

5 AES Shortlist After testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin Then subject to further analysis & comment Analysed contrast between algorithms with few complex rounds vs. many simple rounds which refined existing ciphers vs. new proposals 5

6 The AES Cipher Rijndael Designed by Rijmen-Daemen in Belgium 128/192/256-bit keys, 128 bit data Does not have the structure of a classical feistel cipher treats data in 4 groups of 4 bytes operates an entire block in every round Designed to be: resistant against known attacks speed and code compactness on many platforms design simplicity Decryption algorithm different than the encryption 6

7 Rijndael Processes data as 4 groups of 4 bytes 128-bit block Input block copied into State array, modified at each stage of encryption or decryption and copied to the output matrix after the final round has 9/11/13 rounds (depending on which variant is used) in which State undergoes: byte substitution (one S-box used on every byte) shift rows: a simple permutation mix columns: substitution using arithmetic in GF(2 8 ) add round key (XOR State with the round key) initial XOR of the plaintext with a round key There is an incomplete last round (the 10 th /12 th /14 th ) Note: all operations can be combined into XOR and table lookups - hence very fast and efficient 7

8 Structure of AES Source: Stallings, fig 5.1 8

9 Rijndael the structure Discuss each of the four stages in each round For each stage, describe the encryption and decryption algorithms Describe the rationale of each stage Describe key expansion Each stage operates on the 128-bit State, i.e., 16 bytes these will be treated as a 4x4 matrix of bytes The first four bytes are on the first column, the following 4 on the second column, etc. In this description we assume key length of 128 Details are only slightly different for longer keys The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a number from 0 to 255): first 4 bytes on the first column, following 4 on the 2 nd columns, etc. The key is expanded in an array of 44 words each word has 4 bytes; these key words are used throughout the rounds: in each XOR are involved 4 words 10

10 Rijndael data structures 11

11 Rijndael 12

12 Substitute bytes transformation Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6}, {CF} SubBytes is a simple table lookup (see next slide) table of 16x16 bytes containing a permutation of all bit values Each byte of state is replaced by a byte in the table The row is given by the leftmost 4-bits of the byte The column is given by the rightmost 4-bits of the byte Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5: {2A} (see next slide) For decryption, use the inverse S-box 13

13 The S-box transformation 14

14 AES S-boxes 15

15 How is the S-box constructed? S-box is constructed using a certain transformation of the values in GF(2 8 ) Designed to be resistant to all known attacks 1. Initialize the S-box with the byte values in ascending order row by row: first row contains {00}, {01}, {02},,{0F}, second row contains {10}, {11}, {12},,{1F}, etc. 2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(2 8 ), {00} is mapped to itself 3. Each byte in the S-box is a sequence of 8 bits (b 7,b 6,,b 1,b 0 ). Apply the following transformation to each bit of each byte: b i =b i b (i+4)mod 8 b (i+5)mod 8 b (i+6)mod 8 b (i+7)mod 8 c i where c i is the i th bit of {63}: (c 7,c 6,c 5,c 4,c 3,c 2,c 1,c 0 )=( ) 16

16 How are the S-boxes constructed? Note that the Step 3 in producing the S-box is the transformation shown bellow in there, the addition is XOR and the multiplication is the normal multiplication of 0 and 1 (i.e., operations in Z 2 ) 17

17 How are the S-boxes constructed? The inverse S-box (used in the decryption) is computed as follows: 1. Apply to the S-box the inverse of the transformation in Step 3 (multiply with the inverse of the matrix shown on the previous slide): b i =b i b (i+2)mod 8 b (i+5)mod 8 b (i+7)mod 8 d i where byte d={05}, i.e., d=( ) 2. Replace each byte of the table with its multiplicative inverse in GF(2 8 ) 18

18 Why are the S-boxes constructed in this way? The S-box should be resistant to known cryptanalytical attacks Low correlation between input bits and output bits Output cannot be described as a simple math function of the input The transformation was chosen so that the S-box has no fixed point (Sbox(a)=a) and no opposite fixed points (S-box(a)=a, where a is the bitwise complement of a) S-box should be invertible S-box should not be self-inverse (avoid S-box(a)=IS-box(a)) 19

19 Rijndael 20

20 Shift Row Transformations For encryption, circular byte shift in each row 1 st row is unchanged 2 nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left For decryption, all shifts are done to right Why this particular shift? Since state is processed by columns, this step permutes bytes between the columns The 4 bytes of one column are spread out to 4 different columns This step provides permutation of the data, whereas the other steps provide substitutions (recall Shannon s S-P networks) 21

21 Shift Row Transformations Mix Column Transformations 22

22 Rijndael 23

23 Mix Column Transformations 24

24 Mix Columns MixColumns operates on each column independently Each byte is replaced by a value dependent on all 4 bytes in its column, where all operations are done in GF(2 8 ), with m(x)= x 8 +x 4 +x 3 +x+1 s 0,j =(2 s 0,j ) (3 s 1,j ) s 2,j s 3,j s 1,j =s 0,j (2 s 1,j ) (3 s 2,j ) s 3,j s 2,j =s 0,j s 1,j (2 s 2,j ) (3 s 3,j ) s 3,j =(3 s 0,j ) s 1,j s 2,j (2 s 3,j ) for all 0 j 3. 25

25 Mix Columns MixColumns is in fact a matrix multiplication in GF(2 8 ) using prime polynomial m(x) =x 8 +x 4 +x 3 +x+1 Why those constants in the matrix? Equivalent definition: take each column as a polynomial of degree at most 3 and multiply it with {03}x 3 +{01}x 2 +{01}x+{02} mod x 4 +1 Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and XOR Gives good mixing of the bytes within each column Combined with the shift rows step, it provides good avalanche, so that within a few rounds, all output bits depend on all input bits. 26

26 Example on how to do computations in GF(2 8 ) An element of GF(2 8 ) is a byte (b 7,b 6,,b 1,b 0 ) or, equivalently, a polynomial of degree at most 7 with coefficients 0 and 1: f(x)=b 7 x 7 +b 6 x 6 +b 5 x 5 +b 4 x 4 +b 3 x 3 +b 2 x 2 +b 1 x+b 0 Doing computations with polynomials in GF(2 8 ) can be implemented easily as operations with bytes Addition u v is simply bitwise XOR of the two bytes Multiplication u v more complicated: a series of is shift & XOR example bellow for GF(2 8 ) with m(x)= x 8 +x 4 +x 3 +x+1 (as in AES) x 8 mod m(x) = (m(x)- x 8 ) = x 4 +x 3 +x+1 Consider a byte v, i.e., polynomial in GF(2 8 ), v(x)=b 7 x 7 +b 6 x 6 +b 5 x 5 +b 4 x 4 +b 3 x 3 +b 2 x 2 +b 1 x+b 0 Multiplying by x we have xv(x)=b 7 x 8 +b 6 x 7 +b 5 x 6 +b 4 x 5 +b 3 x 4 +b 2 x 3 +b 1 x 2 +b 0 x If b 7 =0, then the result is in GF(2 8 ). If b 7 =1, then we need to reduce x 8 mod m(x): xv(x) = (b 6 x 7 +b 5 x 6 +b 4 x 5 +b 3 x 4 +b 2 x 3 +b 1 x 2 +b 0 x) + (x 4 +x 3 +x+1) Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a conditional XOR with ( ) Multiplication by higher powers of x implies an iteration of the above procedure 27

27 Example on applying MixColumns 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D A3 4C 37 D4 70 9F 94 E4 3A 42 ED A5 A6 BC s 0,j =(2 s 0,j ) (3 s 1,j ) s 2,j s 3,j s 1,j =s 0,j (2 s 1,j ) (3 s 2,j ) s 3,j s 2,j =s 0,j s 1,j (2 s 2,j ) (3 s 3,j ) s 3,j =(3 s 0,j ) s 1,j s 2,j (2 s 3,j ) Consider the computation of the value on the top left corner: ({02} {87}) ({03} {6E}) {46} {A6} {02} {87}: {02}=( ), i.e., polynomial X: we have here multiplication with X: xv(x) = (b 6 x 7 +b 5 x 6 +b 4 x 5 +b 3 x 4 +b 2 x 3 +b 1 x 2 +b 0 x) + b 7 (x 4 +x 3 +x+1) Since v(x)={87}=( ), i.e., b 7 =1, we get {02} {87}=( ) ( )=( ) Similarly, {03} {6E}=( ) The top-left value should be: ( ) ( ) ( ) ( ) = ( ) = {47} 28

28 Inverse Mix Columns The inverse mix column transformation InvMixColumns is defined by the following matrix multiplication in GF(2 8 ) 0E 0B 0D 09 S 0,0 S 0,1 S 0,3 S 0,4 S 0,0 S 0,1 S 0,2 S 0,3 09 0E 0B 0D S 1,0 S 1,1 S 1,2 S 1,3 S 1,0 S 1,1 S 1,2 S 1,3 OD 09 0E 0B S 2,0 S 2,1 S 2,2 S 2,3 = S 2,0 S 2,1 S 2,2 S 2,3 0B 0D 09 0E S 3,0 S 3,1 S 3,2 S 3,3 S 3,0 S 3,1 S 3,2 S 3,3 29

29 Rijndael 31

30 Add Round Key XOR state with 128-bits of the round key Same in the decryption use the round keys in reverse order 32

31 AES Key Expansion Takes 128-bit (16-byte) key and expands into an array of bit words (each word has 4 bytes) KeyExpansion(byte key[16], word w[44]) { Word temp; For (i=0;i<4; i++) // key is copied into the first 4 words w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3]) For (i=4;i<44;i++) // the rest of the words are produced here { temp=w[i-1]; if (i mod 4 == 0) temp=subword( RotWord(temp) ) Rcon[i/4]; w[i]=w[i-4] temp; // Most of the words are just XOR of two earlier values } } 33

32 AES key expansion Key is copied first into the first 4 words of the expanded key Each added word depends on the previous word and on the one 4 positions earlier In 3 cases out of 4 a simple XOR is used For every fourth word a more complex function is used RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is transformed into [b1,b2,b3,b0] SubWord performs a byte substitution on each byte of the input word, using the S-box of AES Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric progression with rate 2 computed in GF(2 8 ): J Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36} 34

33 AES Decryption AES decryption is not identical to encryption since steps must be performed in reverse This is a disadvantage because different software is needed for encryption and decryption Encryption is an interation of SubBytes, ShiftRows, MixColumns, AddRoundKey Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns Decryption can be modified to use the encryption software (switch the order of the first two operations and the order of the last two operations in each round), provided we operate a small change in the key expansion Before we apply AddRoundKey in each round, we apply InvMixColumns to the matrix formed by the 4 words participating in the current round 35

34 Implementation aspects: AES Round with State seen as an array with 16 bytes rather than as a 4x4 matrix 36

35 Implementation Aspects Can efficiently implement on 8-bit CPU byte substitution works on bytes using a table of 256 entries shift rows is simple byte shifting add round key works on byte XORs mix columns requires matrix multiply in GF(2 8 ) which works on byte values, can be simplified to use a table lookup 37

36 Implementation Aspects Can efficiently implement on 32-bit CPU redefine steps to use 32-bit words can precompute 4 tables of 256-words then each column in each round can be computed using 4 table lookups + 4 XORs at a cost of 16Kb to store tables Designers believe this very efficient implementation was a key factor in its selection as the AES cipher 38