Advanced Encryption Standard
Vincent Rijmen
Institute for Applied Information Processing and Communications (IAIK) - Krypto Group
Faculty of Computer Science, Graz University of Technology
Outline
- Modern cryptography
- Data encryption & advanced data encryption
- AES structure
- AES in use
- Ongoing research
A cryptographer's view on the world
[Diagram: clear text -> E -> ciphertext (shown as "%^C& @&^(") -> D -> clear text; E and D both use the same KEY]
Caesar cipher
- Substitute characters by the characters 3 positions later in the alphabet
- Veni vidi vici -> Yhql ylgl ylfl
- Key is always the same: not enough variability possible
Simple substitution cipher
- Define a permutation on 26 characters
    in:  A B ... Z
    out: W E ... M
- 26! (≈ 4 x 10^26) different keys
- Break: frequency of characters, digraphs, trigraphs
Frequency distribution
[Bar chart: relative frequency (percent, y-axis 0 to 14) of the letters of English text, in decreasing order: E T A O I N S H R D L C U M W F G Y P B V K J Q X Z]
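The Caesar and simple substitution ciphers above, together with the frequency-distribution argument, as an added example (not code from the talk): both ciphers are implemented over A..Z, the letter frequencies of a text are computed, and the point of the chart is made concrete: a substitution only relabels the histogram, so the plaintext's frequency profile survives into the ciphertext, and for the Caesar cipher the shift follows directly from which letter took E's place. The sample plaintext and the substitution key (which matches the slide's A->W, B->E, Z->M; the other positions are constructed) are assumptions of this example.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Constructed sample plaintext (long enough that E is the most frequent letter, as in English).
PLAINTEXT = "THE ENEMY GENERAL REPEATED THE MESSAGE TO THE LEGION BEFORE THE BATTLE BEGAN AT DAWN"

# Constructed substitution key: image of A, B, ..., Z. A->W, B->E and Z->M as on the slide.
SUBST_KEY = "WEIQZPKYXBVDCGSHTJRLUFNOAM"
assert sorted(SUBST_KEY) == list(ALPHABET), "key must be a permutation of the alphabet"


def caesar(text, shift):
    """Caesar cipher: every letter is replaced by the letter `shift` positions later (mod 26)."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text.upper()
    )


def substitute(text, perm):
    """Simple substitution cipher: `perm` lists the image of A, B, ..., Z."""
    return text.upper().translate(str.maketrans(ALPHABET, perm))


def letter_frequencies(text):
    """Relative frequency (percent) of each letter occurring in `text`; non-letters are ignored."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    total = sum(counts.values()) or 1
    return {ch: 100.0 * n / total for ch, n in counts.items()}


def most_common_letter(text):
    """The letter that occurs most often in `text` (first one wins on a tie)."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET).most_common(1)[0][0]


def guess_caesar_shift(ciphertext):
    """Frequency heuristic for the Caesar cipher: assume the most frequent ciphertext letter
    is the image of E (the most frequent letter of English) and read off the shift."""
    return (ALPHABET.index(most_common_letter(ciphertext)) - ALPHABET.index("E")) % 26


if __name__ == "__main__":
    print(caesar("Veni vidi vici", 3))                 # YHQL YLGL YLFL
    c = caesar(PLAINTEXT, 7)
    print("recovered Caesar shift:", guess_caesar_shift(c))
    s = substitute(PLAINTEXT, SUBST_KEY)
    # Same multiset of frequencies before and after substitution: only the labels moved.
    print(sorted(letter_frequencies(PLAINTEXT).values()) == sorted(letter_frequencies(s).values()))
    print("most frequent ciphertext letter:", most_common_letter(s), "= image of E:", SUBST_KEY[4])
```

The last two prints are the slide's "Break: frequency of characters" in one line each: a 26-letter permutation has 26! keys, but the ciphertext histogram is the plaintext histogram with the bars renamed, so the key is read off letter by letter instead of searched for.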
Advanced substitution cipher
- Define a permutation on blocks of characters (a code book)
    in:  AAAA AAAB ... ZZZZ
    out: WIJT ENTO ... MIHB
- Many different keys
- Frequency analysis impossible
Block cipher
- Problem: transport & storage of a huge permutation table
- Introduce a computation rule instead: T[x] = f(x, key)
- Good rule: effective (secure) and efficient (fast)
- Iterative: f(x, key) = g(g(g(x, k1), k2), ...)
The Advanced Encryption Standard (AES)
- 1997: public call for submission
    - Encrypt blocks of 128 bits
    - Key of lengths 128, 192, 256
    - To be available royalty-free
- August 1998: start of evaluation
- October 2000: selection of Rijndael
- November 2001: Federal Information Processing Standard
- July 2003: approved for top secret data
The design of Rijndael
- Based on the doctoral dissertations of Daemen ('95) and Rijmen ('97)
- Design of the round transformation g: security, efficiency, simplicity
- Luke O'Connor (IBM): "Most ciphers are secure after sufficiently many rounds"
- James L. Massey (ETH Zuerich): "Most ciphers are too slow after sufficiently many rounds"
Step 1: SubBytes
[Figure: each byte a_{i,j} of the 4x4 state is replaced by S-box(a_{i,j}) = b_{i,j}]
- Bytes are transformed by an invertible lookup
- One lookup table for the complete cipher: high non-linearity
Step 2: ShiftRows
    before:        after:
    m n o p        m n o p    (row 0: offset 0)
    g h i j        h i j g    (row 1: offset 1)
    w x y z        y z w x    (row 2: offset 2)
    b c d e        e b c d    (row 3: offset 3)
- Rows are shifted over 4 different offsets
- Diffusion of the columns
Step 3: MixColumns
Each column j of the state is multiplied by a fixed matrix:
    [b_{0,j}]   [2 3 1 1] [a_{0,j}]
    [b_{1,j}] = [1 2 3 1] [a_{1,j}]
    [b_{2,j}]   [1 1 2 3] [a_{2,j}]
    [b_{3,j}]   [3 1 1 2] [a_{3,j}]
- Columns transformed by matrix multiplication
- High intra-column diffusion: based on the theory of error-correcting codes
Step 4: Key addition
    [a_{i,j}] + [k_{i,j}] = [b_{i,j}]    (4x4 state + 4x4 round key, byte by byte; + is bitwise XOR)
- Makes the round function key-dependent
- As simple as possible
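The four round steps above (SubBytes, ShiftRows, MixColumns, key addition) and the iterated form f(x, key) = g(g(g(x, k1), k2), ...) from the block-cipher slide, assembled into a complete AES encryption for the three key lengths. This is an added example written for this page, not code from the talk or from the Rijndael designers; it follows FIPS-197 (S-box built as the GF(2^8) inverse followed by the affine map, column-major state, the standard key schedule) and is checked against the FIPS-197 Appendix C test vectors, which are the only constants assumed. It is written for clarity, not speed, and has none of the side-channel protections the later slides discuss.

```python
# AES encryption from the four round steps: SubBytes, ShiftRows, MixColumns, AddRoundKey.
# Byte arithmetic is in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) (shift-and-add with reduction by 0x1B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        high = a & 0x80
        a = (a << 1) & 0xFF
        if high:
            a ^= 0x1B
        b >>= 1
    return p


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def make_sbox():
    """S-box = multiplicative inverse in GF(2^8), then the affine map of FIPS-197 section 5.1.1.
    One table serves the whole cipher: this is the only non-linear step."""
    box = []
    for x in range(256):
        inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)  # 0 has no inverse; maps to 0
        box.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return box


SBOX = make_sbox()

# The 16-byte state is column-major: byte i sits at row i % 4, column i // 4.

def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r positions (offsets 0, 1, 2, 3)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # the matrix on the slide


def mix_columns(s):
    """Multiply each column by MIX over GF(2^8)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in MIX:
            acc = 0
            for coeff, a in zip(row, col):
                acc ^= gf_mul(coeff, a)
            out.append(acc)
    return out


def add_round_key(s, rk):
    """Key addition is a bytewise XOR with the round key."""
    return [a ^ k for a, k in zip(s, rk)]


def expand_key(key):
    """FIPS-197 key schedule for 16-, 24- or 32-byte keys; returns Nr + 1 round keys."""
    nk = len(key) // 4            # key words: 4, 6 or 8
    nr = nk + 6                   # rounds: 10, 12 or 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)                # next round constant
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord for 256-bit keys
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def encrypt_block(key, block):
    """Encrypt one 16-byte block: the iterated round function g applied with successive round keys."""
    assert len(key) in (16, 24, 32) and len(block) == 16
    round_keys = expand_key(key)
    s = add_round_key(list(block), round_keys[0])
    for r in range(1, len(round_keys) - 1):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_keys[r])
    s = add_round_key(shift_rows(sub_bytes(s)), round_keys[-1])   # final round omits MixColumns
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(key, pt).hex())   # FIPS-197 C.1 expects 69c4e0d86a7b0430d8cdb78070b4c55a
```

Each step is a separate function on purpose: SubBytes is the only non-linear step (one table for the whole cipher), ShiftRows and MixColumns are the linear diffusion steps, and key addition is a plain XOR, which is exactly the division of labour the slides describe. Reading the three FIPS-197 vectors through `encrypt_block` is the quickest check that an independent implementation has every step in the right order and the state laid out column-major.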
AES use
- AES is a building block
- Used for confidentiality (encryption) and authentication
- Is symmetric cryptography
Symmetric cryptography versus PKI
- Symmetric cryptography
    - Sender and receiver use the same key
    - Key management problem
- PKI
    - Sender and receiver use different keys
    - Easier key management (somewhat)
    - Nice wrapper around symmetric cryptography
AES is used in
- US federal administration applications: AES or 3-DES
- Software applications
- Cipher suites (SSL, ...)
- New applications
AES in RFCs
- RFC 3853: S/MIME
- RFC 3825: SNMP
- RFC 3686: confidentiality in ESP
- RFC 3664: pseudo-random function
- RFC 3602: IPsec
- RFC 3566: Message Authentication Code (MAC)
- RFC 3565: CMS
- RFC 3537: key wrap
- RFC 3394: key wrap
- RFC 3268: TLS
Other
- 3GPP: Milenage cipher suite
- IEEE 802.11i (wep)
- ISO/IEC 18033-3: block ciphers
- WinZip and similar tools
- Backup software, RFID tags
- Remote controls
AES is not used in
- Bank cards
- Applications with a large installed base
Ongoing research
- Security against mathematical attacks
- Security against implementation attacks
- Implementations for special environments
Mathematical attacks
- Pre-1997 attacks: wide trail design strategy
- 1997-2000: NIST's evaluation process
- Post 2000: controversy
Rijndael controversy
- Simple, elegant structure (mathematically speaking)
    - Easier to optimize for different platforms
    - Easier to reason about the security, trapdoors
    - Easier to protect against implementation attacks
- Too simple to be true?
Algebraic attacks: principle
- Very simple description [Murphy & Robshaw, '00]
- BES [Murphy & Robshaw, '02]
- XSL [Courtois & Pieprzyk, '02]
1. Write out equations, round by round
    - Many intermediate variables
    - Equations of low degree (2, 3)
2. Solve for the unknown key
Algebraic attacks: results
- Attacks work on a simplified variant:
    - Byte -> nibble
    - 4x4 matrix -> 1x1 matrix
- Theoretical estimations for the full version:
    - Mostly wrong
    - Difficult to exclude 100%
Implementation attacks
- Power consumption of a chip correlates to:
    - Instruction being executed
    - Address of operands
    - Value of operands
- Also execution time, chip radiation, ...
- Serious problem for any cryptographic algorithm using secret parameters
Solutions
1. Reduce the signal by careful design of HW, SW (uniformity)
2. Increase the noise
3. Remove the correlation between operands and secret values (masking)
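Solution 3, masking, as an added example that is not from the talk: a table lookup such as SubBytes is recomputed so that it maps masked inputs to masked outputs, and the value that depends on the secret key (x XOR k) never exists in the clear. The example uses a 4-bit S-box (the PRESENT cipher's S-box, chosen only as a small invertible table; the AES byte S-box works the same way with 256 entries) so that every input, key and mask can be enumerated, which lets the two properties a practitioner cares about be checked exhaustively: the masked computation is correct for every mask, and for a fixed input the masked intermediate takes every value equally often whatever the key, so it carries nothing to correlate with.

```python
from itertools import product

# 4-bit bijection standing in for the AES S-box (this is the PRESENT S-box; any permutation
# of 0..15 would serve the demonstration equally well).
TOY_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = len(TOY_SBOX)


def unmasked_lookup(x, k):
    """Plain implementation: key addition followed by the S-box.
    The intermediate v = x ^ k is a direct function of the secret; its power trace correlates with k."""
    v = x ^ k
    return TOY_SBOX[v], v


def masked_table(m_in, m_out):
    """Recompute the S-box for one pair of masks so that S'[x ^ m_in] = S[x] ^ m_out for all x.
    In a real device this is done once per execution with fresh random masks."""
    t = [0] * N
    for x, y in enumerate(TOY_SBOX):
        t[x ^ m_in] = y ^ m_out
    return t


def masked_lookup(x, k, m_in, m_out):
    """Masked implementation: only masked values are ever handled.
    Returns (masked S-box output, output mask to strip later, masked intermediate)."""
    t = masked_table(m_in, m_out)
    k_masked = k ^ m_in          # the key is stored and used only in masked form
    v_masked = x ^ k_masked      # equals (x ^ k) ^ m_in; x ^ k itself is never computed
    return t[v_masked], m_out, v_masked


def masked_lookup_is_correct():
    """Stripping the output mask must reproduce S[x ^ k] for every input, key and mask pair."""
    return all(
        masked_lookup(x, k, mi, mo)[0] ^ mo == TOY_SBOX[x ^ k]
        for x, k, mi, mo in product(range(N), repeat=4)
    )


def intermediates_seen(x, k, masked):
    """Set of intermediate values a probe could observe for fixed (x, k), over all mask choices.
    Unmasked: a single key-dependent value. Masked: every value, independent of k."""
    if not masked:
        return {unmasked_lookup(x, k)[1]}
    return {masked_lookup(x, k, m, 0)[2] for m in range(N)}


if __name__ == "__main__":
    print("masked lookup correct for all inputs/masks:", masked_lookup_is_correct())
    print("unmasked intermediate, x=3, k=5 vs k=9:", intermediates_seen(3, 5, False), intermediates_seen(3, 9, False))
    print("masked intermediate,   x=3, k=5 vs k=9:", intermediates_seen(3, 5, True) == intermediates_seen(3, 9, True))
```

The protection holds only if the masks are fresh and uniformly random for each execution and are never combined with the masked value on the same wire or register; reusing a mask, or handling m_in and v_masked together, reintroduces exactly the correlation the slide says masking is meant to remove. Recomputing the table per execution is also the cost of the scheme, which is why slide 1 under "Solutions" (uniform hardware and software) is pursued alongside it.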
Implementations
- "Difficult" environments:
    - Low-power
    - Low-energy
    - Small area / small code size
- Competing against "niche" ciphers
- Satellites, broadband, car immobilizer
Tiny AES (Tina)
- Features: encryption and decryption, 128-bit key; microcontroller interface
- Specs: 0.27 mm² in 0.35 µm (4800 gate eq.); 3 µA @ 100 kHz, 1.5 V; 100 encr./s
Conclusions
- AES has been standardized by many bodies
- Usage is still taking off
- Active research:
    - Secure (elegant) implementation
    - Proving that certain attacks don't work