Cryptographic Algorithms - AES
CNPA - Network Security
Joseph Spring
Department of Computer Science
Advanced Encryption Standard 1

Areas for Discussion
- Motivation
- Contenders
- Finalists
- AES Design
- Feistel v non-Feistel Ciphers
- Key Size
- Block Size
- AES Algorithm
- AES Sub-Algorithms

Motivation
- DES: for legacy systems only
- 3DES: a natural successor?
  - Yes, from a security perspective
  - No, from an efficiency perspective: DES has a slow software implementation, and 3DES is even slower

Contenders and Finalists
There were 21 original contenders for the AES. This was narrowed down to 15, then to 5, the subsequent winner being Rijndael:
- Rijndael
- Mars
- Serpent
- Twofish
- RC5

Feistel Cipher Structure
[Figure: Feistel cipher structure]

Design: Feistel Cipher Structure
- Feistel ciphers are algorithms such as DES (NOT AES)
- Input: data of size 2m and a key K
- The plaintext block is divided into 2 halves; these pass through n rounds and are then combined into the ciphertext block
- Each round has inputs L_{i-1}, R_{i-1} from the previous round and a subkey K_i derived from the key K. The subkeys are in general different from each other and from K
Design: Feistel Cipher Structure
- All rounds have the same structure
- A substitution is performed on the left half of the data by applying a round function F to the right half of the data and then taking the XOR of the output with the left half
- This is followed by a permutation consisting of the interchange of the two halves of the data
- The above is a particular form of the Substitution-Permutation Network proposed by C. Shannon

Design: Feistel Cipher Structure
So at each round:
- One half is operated on by a cipher function (Confusion)
- The other half is untouched
- The halves are then swapped over and the round process repeats, with the cipher function acting on the other half (permutation + function = Diffusion)
- Decryption is the reverse of encryption, with the keys used in reverse order

Design: Feistel Cipher Structure
The exact realisation of a Feistel cipher depends upon:
- Block size
- Key size
- Number of rounds
- Subkey generation algorithm
- Round function
- Fast software encryption/decryption
- Ease of analysis
(See W. Stallings: Cryptography and Network Security)

Design: Standard Feistel Cipher
[Figure: the plaintext (2m bits) is split into L_0, R_0; round i computes L_i, R_i from L_{i-1}, R_{i-1} using F and subkey K_i (K_1 in round 1, K_n in round n); after round n the halves L_{n+1}, R_{n+1} form the ciphertext (2m bits)]

Design: Rijndael
Advanced Encryption Standard design requirements:
- Security strength equal to or better than 3DES, with significantly improved efficiency
- Resistant against all known attacks
- Speed and code compactness on a wide range of platforms
- Design simplicity
- Symmetric block cipher, block length 128 bits
- Key size: 128, 192 or 256 bits
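The property the slides state for Feistel ciphers (decryption is the same procedure with the subkeys in reverse order, and the round function F does not have to be invertible) can be checked directly. The following is an added example, not code from the lecture slides and not DES: the round function `round_function`, the subkey schedule `derive_subkeys`, the 64-bit block size and the constant names are all constructed here for illustration.

```python
# Added example, not from the lecture slides: a generic Feistel network with a toy,
# NON-invertible round function and a toy subkey schedule (both constructed here for
# illustration, not DES's). It shows the property the slides describe: decryption is
# the same procedure as encryption with the subkeys K_1..K_n applied in reverse order.

M = 32                      # half-block size m in bits; the block is 2m = 64 bits
MASK = (1 << M) - 1

def round_function(right, subkey):
    """Toy F(R_{i-1}, K_i). Squaring is not a bijection on 32-bit words; Feistel does not need it to be."""
    x = (right ^ subkey) & MASK
    return (x * x) & MASK

def feistel(block, subkeys):
    """One pass of the network: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i), for each K_i in turn."""
    left, right = block >> M, block & MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Output (R_n, L_n): the last swap is undone, which is what lets the same
    # routine, run with the subkeys reversed, invert this one.
    return (right << M) | left

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    """Identical structure to encrypt; only the order of the subkeys changes."""
    return feistel(block, list(reversed(subkeys)))

def derive_subkeys(key, rounds):
    """Toy schedule: each K_i is a different mixing of the 64-bit key K (constructed, not DES's)."""
    return [((key >> (i * 7)) ^ (key * (i + 1))) & MASK for i in range(rounds)]
```

Tracing `encrypt(0, [1, 2, 3, 4])` by hand gives the halves (R_4, L_4) = (9416, 101), and feeding that result to `decrypt` with the same list recovers 0, even though `round_function` cannot be inverted on its own.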
Design: Rijndael
- NOT a Feistel structure: it acts on the complete block and doesn't split the block into halves (or fractions of any sort) for different treatment
- Key sizes accommodated are 128, 192 or 256 bits (128 is likely to be the most common implementation)
- We assume a key size of 128 bits as input. This is expanded into 44 32-bit words, w[i]. 4 words (128 bits) are used at a time: once only at the initial Add Round Key, and once in each of the 10 rounds
- Block size = 128 bits

The AES Algorithm - Overview
[Figure: Encryption: Plaintext -> Add Round Key with w[0,3] -> Round 1 with w[4,7] -> ... -> Round 9 with w[36,39] -> Round 10 with w[40,43] -> Ciphertext. The key is passed through Expand Key to produce w[0..43]. Decryption runs Round 10, Round 9, ..., Round 1 from the Ciphertext back to the Plaintext]

Rounds 1-9 of Encryption
Rounds 1-9 consist of 4 different stages, round i using w[4i, 4i+3]:
- Substitute Bytes
- Shift Rows
- Mix Columns
- Add Round Key

Round 10 of Encryption
Round 10 consists of 3 different stages, using w[40, 43], and outputs the ciphertext:
- Substitute Bytes
- Shift Rows
- Add Round Key

The 4 stages used in the rounds consist of three substitutions and one permutation:
- Substitute Bytes (Substitution): S-Boxes used in a byte-to-byte substitution of the block
- Shift Rows (Simple Permutation)
- Mix Columns (Substitution): uses finite field arithmetic in GF(2^8)
- Add Round Key (Substitution): simple bitwise XOR of the current block with a portion of the expanded key. This is the only stage that uses the key

Advanced Decryption Algorithm
- Decryption makes use of the keys in reverse order, just as with DES
- The decryption algorithm is not the same as the encryption algorithm, unlike DES
- The 4 stages used in the rounds consist of three substitutions and one permutation:
  - Inverse Shift Rows (Simple Permutation)
  - Inverse Substitute Bytes (Substitution)
  - Add Round Key (Substitution)
  - Inverse Mix Columns (Substitution)
- The 10th round involves 3 stages, as in encryption
Rounds 1-9 of Decryption
Rounds 1-9 consist of 4 different stages, round i using w[4(10 - i), 4(10 - i) + 3]:
- Inverse Shift Rows
- Inverse Substitute Bytes
- Add Round Key
- Inverse Mix Columns

Round 10 of Decryption
Round 10 consists of 3 different stages, using w[0, 3], and outputs the plaintext:
- Inverse Shift Rows
- Inverse Substitute Bytes
- Add Round Key

For a comparison of the encryption and decryption stages and how they relate key-wise, see Figure 5.1, AES Encryption and Decryption diagram, in W. Stallings, Cryptography and Network Security, 3rd Ed., p. 146 (Handout). See also Figure 5.3 for more detail regarding the encryption round (Handout).

Algorithm
- The 128-bit input block is initially copied into an input matrix and then into the state array (see Figure 5.2, Handout)
- The state array is modified after each stage of encryption/decryption (see Figure 5.3)
- After Round 10 the final state is copied to an output matrix (see Figure 5.2, Handout)

Advanced Encryption Standard Subalgorithms (Key Expansion)
- Input: a 4-word (16-byte) key, 128 bits in all!
- Output: 44 words (156 bytes) as a linear array
- 4 words are used in the initial stage and in each of the 10 AES rounds
AES Key Expansion Pseudocode

    KeyExpansion(byte key[16], word w[44])
    {
        word temp
        for (i = 0; i < 4; i++)
            w[i] = (key[4*i], key[4*i + 1], key[4*i + 2], key[4*i + 3]);
        for (i = 4; i < 44; i++)
        {
            temp = w[i - 1];
            if (i mod 4 = 0)
                temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
            w[i] = w[i - 4] ⊕ temp;
        }
    }

- The key is copied into the first 4 words of the expanded key
- Each subsequent word w[i] depends upon w[i-1] and w[i-4]
- For words whose positions are NOT a multiple of 4: w[i] = w[i-4] ⊕ w[i-1]
- Otherwise: w[i] = w[i-4] ⊕ SubWord(RotWord(temp)) ⊕ Rcon[i/4]

Key Expansion for first 8 words
[Figure: the 16 key bytes k_0 .. k_15 fill the four words w_0 .. w_3 (w[0,3]) column by column; w_3 passes through the function g (RotWord, SubWord, XOR with Rcon) and is XORed with w_0 to give w_4; then w_5 = w_4 ⊕ w_1, w_6 = w_5 ⊕ w_2, w_7 = w_6 ⊕ w_3 (w[4,7])]

RotWord
- This function performs a one-byte circular left shift on a word (compare to DES)
- So RotWord([a_0, a_1, a_2, a_3]) = [a_1, a_2, a_3, a_0]

SubWord
- This function performs a byte substitution on each byte of its input word using the S-Box

Rcon
- This function is referred to as the round constant
- It is a word in which only the leftmost byte is nonzero. The other 3 bytes are zero
- By XORing a word with Rcon you only XOR the leftmost byte of that word
- The values for Rcon are different for each round
- Rcon[j] = (RC[j], 0, 0, 0) such that RC[1] = 1, and RC[j] = 2 * RC[j-1], the multiplication being evaluated in GF(2^8)

Rcon
The values of RC[j] in hexadecimal are:

    j      1   2   3   4   5   6   7   8   9   10
    RC[j]  01  02  04  08  10  20  40  80  1B  36
AES Transformations: Substitute Bytes Transformation
- A simple table lookup: a 16x16 matrix of byte values
- This is the S-Box, containing a permutation of all 256 possible 8-bit values
- Designed to be resistant against all known cryptanalytic attacks
- To have a low correlation between input and output bits
- To have no simple mathematical function that can be used to relate the output to the input
- To be invertible, for decryption purposes

AES Transformations: Shift Row Transformation
- Incorporates a variety of circular shifts:
  - No shift for the first row of the state
  - 1 shift for the second row of the state
  - 2 shifts for the third row of the state
  - 3 shifts for the fourth row of the state
- More substantial than it first appears, since the input is arranged according to columns and Shift Rows then mixes these together
- Clearly invertible

AES Transformations: Mix Column Transformation
- Operates on each column individually
- A matrix multiplication is applied so that each output byte in a column is a linear combination of the input bytes from the same column
- The matrix entries are based on a linear code that ensures good mixing among the bytes of a column
- These sums and products are performed in GF(2^8)
- After a few rounds, the Mix Column and Shift Row transformations ensure that all output bits depend upon all input bits

Summary
- Motivation
- Contenders
- Finalists
- AES Design
- Feistel v non-Feistel Ciphers
- Key Size
- Block Size
- AES Algorithm
- AES Sub-Algorithms

References
- J. Daemen and V. Rijmen: The Design of Rijndael, Information Security and Cryptography, Springer-Verlag, 2002
- W. Stallings: Cryptography and Network Security, Principles and Practices, Prentice Hall, 3rd Ed., 2003
- M. Welschenbach: Cryptography in C and C++, Apress, Springer-Verlag, 2001
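The key expansion (RotWord, SubWord, Rcon and the w[i-1]/w[i-4] recurrence) and the four round transformations with their inverses, as described on the slides above, are shown together in one added example below; it is not code from the lecture slides or from the Rijndael authors. It is a straightforward AES-128 written stage by stage: the S-box is derived from its GF(2^8) definition rather than typed in as a table, Rcon is generated by repeated multiplication by 2 in GF(2^8), the state is held as 16 bytes in column-major order, and the round keys are taken from w[4i, 4i+3] exactly as the overview slide describes. The function and constant names are this example's own. The key and plaintext are the published FIPS-197 test vectors; note that 44 words of 4 bytes is 176 bytes of expanded key.

```python
# Added example, not from the lecture slides: AES-128 written stage by stage to mirror
# the slides (KeyExpansion with RotWord/SubWord/Rcon, Substitute Bytes, Shift Rows,
# Mix Columns, Add Round Key, and their inverses). The state is 16 bytes in
# column-major order, so state[4*c + r] holds row r, column c (FIPS-197 numbering).
def xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """General GF(2^8) multiplication by shift-and-add (Mix Columns needs x2, x3, x9, x11, x13, x14)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box: multiplicative inverse in GF(2^8), then the fixed affine map (FIPS-197 section 5.1.1)."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)   # 0 has no inverse; maps to 0
        s = t = inv
        for _ in range(4):                  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]        # the S-box is a permutation, so it inverts cleanly
RCON = [0x01]
for j in range(9):
    RCON.append(xtime(RCON[-1]))                      # RC[j] = 2 * RC[j-1] in GF(2^8): 01 02 04 ... 80 1B 36

def key_expansion(key):
    """The slides' KeyExpansion: a 16-byte key becomes w[0..43], 44 words of 4 bytes (176 bytes)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= RCON[i // 4 - 1]                      # Rcon[i/4]: only the leftmost byte is nonzero
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

def round_keys(key):
    """11 round keys of 16 bytes: w[0,3] for the initial stage, then w[4i, 4i+3] for round i."""
    w = key_expansion(key)
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r is circularly shifted left by r bytes (right by r for the inverse); row 0 is untouched."""
    step = -1 if inverse else 1
    return [s[4 * ((i // 4 + step * (i % 4)) % 4) + i % 4] for i in range(16)]

def mix_columns(s, top_row=(2, 3, 1, 1)):
    """Multiply each column by a circulant matrix over GF(2^8); matrix row r is top_row rotated right by r."""
    out = list(s)
    for c in range(4):
        for r in range(4):
            out[4 * c + r] = 0
            for k in range(4):
                out[4 * c + r] ^= gf_mul(top_row[(k - r) % 4], s[4 * c + k])
    return out
INV_MIX = (14, 11, 13, 9)                             # top row of the inverse matrix

def add_round_key(s, rk):
    """The only stage that uses the key: bitwise XOR of the state with 4 words of the expanded key."""
    return [a ^ b for a, b in zip(s, rk)]

def encrypt_block(plaintext, key):
    rks = round_keys(key)
    s = add_round_key(list(plaintext), rks[0])            # initial Add Round Key with w[0,3]
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if rnd < 10:                                      # round 10 has only 3 stages: no Mix Columns
            s = mix_columns(s)
        s = add_round_key(s, rks[rnd])
    return bytes(s)

def decrypt_block(ciphertext, key):
    """Inverse stages with the round keys in reverse order; the stage order differs from encryption."""
    rks = round_keys(key)
    s = add_round_key(list(ciphertext), rks[10])
    for rnd in range(9, -1, -1):
        s = sub_bytes(shift_rows(s, inverse=True), INV_SBOX)
        s = add_round_key(s, rks[rnd])
        if rnd > 0:                                       # no Inverse Mix Columns after the final w[0,3]
            s = mix_columns(s, INV_MIX)
    return bytes(s)

# Test vector from FIPS-197 Appendix B (the same key is used in the Appendix A key expansion walk-through)
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
```

Running `encrypt_block(PLAINTEXT, KEY).hex()` gives the Appendix B ciphertext 3925841d02dc09fbdc118597196a0b32, `key_expansion(KEY)[4]` is the word a0fafe17 from the Appendix A walk-through, and `decrypt_block` returns the plaintext. The decryption loop makes the slides' point concrete: the round keys are consumed from w[40,43] down to w[0,3], and the order of the inverse stages (Inverse Shift Rows, Inverse Substitute Bytes, Add Round Key, Inverse Mix Columns) differs from the encryption order, which is why AES decryption is not simply the encryption routine run backwards the way DES is.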