Advanced Encryption Standard and Modes of Operation
G. Bertoni, L. Breveglieri
Foundation of Cryptography - AES
AES
- Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm.
- AES has been originally requested by NIST for replacing DES.
- A long and open selection process has chosen one algorithm to become AES: Rijndael.
- Rijndael was designed by the two Belgian cryptographers Vincent Rijmen and Joan Daemen.
Differences between AES and Rijndael
- AES is a subset of the functions of Rijndael: it has a fixed block size of 128 bits and a secret key of either 128, 192 or 256 bits.
- Rijndael can work with any combination of key and data block length, from a minimum of 128 to a maximum of 256 bits, with a step of 32 bits.
- This is the only difference between AES and Rijndael; the basic structure is essentially the same for both.
Cipher Structure
- Consider first the version with a secret key of 128 bits; the differences in the other two cases are explained afterwards.
- The cipher is divided into two parts, as is customary for symmetric algorithms: the key schedule and the data path.
Cipher Structure
- The data path consists of the round function, repeated 10 times.
- At the beginning the plaintext is XORed with the secret key (this operation is called Initial KeyAddition).
- The operation MixColumn is missing in the last round.
Cipher Structure
- The plaintext to encrypt is represented as a matrix of bytes, called the state or S.
- The state matrix S is a square matrix of 4 x 4 = 16 bytes.
- After 10 rounds the state matrix S contains the ciphertext.
AES Structure
[figure: encryption algorithm. PLAINTEXT -> KeyAddition with ROUND KEY 0 -> ROUND 1 ... ROUND 9 -> ROUND 10 -> ENCRYPTED DATA; the KEY SCHEDULE derives ROUND KEY 0 ... ROUND KEY 10 from the SECRET KEY. Structure of a generic round: INPUT DATA -> SUBBYTES -> SHIFTROWS -> MIXCOLUMNS -> ADDROUNDKEY (with the ROUND KEY) -> OUTPUT DATA]
AES Encryption
[figure: SubBytes applies the S-BOX to every byte of the state array (bytes numbered 0..15 column by column: 0 4 8 12 / 1 5 9 13 / 2 6 10 14 / 3 7 11 15). ShiftRows rotates row i of the state array by i bytes (rotation of 0, 1, 2 and 3 bytes), giving 0 4 8 12 / 5 9 13 1 / 10 14 2 6 / 15 3 7 11]
AES Encryption
[figure: MixColumn multiplies the state array, one column at a time, by the coefficient matrix
  02 03 01 01
  01 02 03 01
  01 01 02 03
  03 01 01 02
in the field GF(2^8) (polynomial multiplication). AddRoundKey is the bit-wise XOR of the state matrix (bytes 0..15) with the round key (bytes k0..k15)]
SBOX
- The SubByte transformation is the application of a SBOX to the 16 bytes of the state matrix.
- The SBOX consists of two transformations: an inversion in GF(2^8) and an affine function.
- Motivations of such a structure are:
  - non linearity: the correlation between input and output is minimum, and the maximum difference propagation probability is minimized;
  - algebraic complexity.
SBOX - Inversion
- The finite field GF(2^8) is represented using G(x) = x^8 + x^4 + x^3 + x + 1 as irreducible generator polynomial.
- The first SBOX transformation is inversion.
- Element 0 (which is not invertible in any field) is mapped to itself.
SBOX Affine Transformation
- Inversion is followed by an affine transformation.
- The affine transformation does not alter the non-linear behaviour of inversion, but increases the difficulty of interpolation.
SBOX Affine Transformation
- The affine transformation consists first of a multiplication by a constant matrix and then of the addition of a constant vector.
- The basic operations are executed in GF(2).
- The constant matrix is invertible, thus the affine transformation is invertible as well.
- The inverse affine transformation is still an affine transformation.
InvSubByte
- InvSubByte is the application of the inverse SBOX to the state matrix.
- The inverse SBOX is obtained by applying first the inverse affine transformation and then inversion in GF(2^8), since the inverse of inversion is still an inversion.
ShiftRow
- The purpose of this transformation is to introduce diffusion and to minimize the cost of the operation.
- It consists of rotating the rows of the state matrix (see the previous figure).
- The transformation is easily invertible: just shift in the opposite direction.
MixColumn
- The transformation works on a single column of the state matrix at a time.
- Design criteria are: diffusion through the column; high performance on 8 bit processors; linearity for simplicity.
MixColumn
- The coefficients of the constant matrix are chosen to facilitate multiplication: 01, 02 and 03 (these are elements of the finite field GF(2^8) represented in hex).
- The inverse MixColumn is obtained by taking the inverse coefficient matrix (which is non-singular).
MixColumn
- Notice that a column of the state matrix affects only one column of the state after the transformation:

$$
\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix}
=
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}
\qquad (0 \le c \le 3)
$$
MixColumn
- MixColumn can be rewritten as follows (multiplications in GF(2^8), additions are XOR):

$$
\begin{aligned}
s'_{0,c} &= (02 \cdot s_{0,c}) \oplus (03 \cdot s_{1,c}) \oplus s_{2,c} \oplus s_{3,c} \\
s'_{1,c} &= s_{0,c} \oplus (02 \cdot s_{1,c}) \oplus (03 \cdot s_{2,c}) \oplus s_{3,c} \\
s'_{2,c} &= s_{0,c} \oplus s_{1,c} \oplus (02 \cdot s_{2,c}) \oplus (03 \cdot s_{3,c}) \\
s'_{3,c} &= (03 \cdot s_{0,c}) \oplus s_{1,c} \oplus s_{2,c} \oplus (02 \cdot s_{3,c})
\end{aligned}
$$
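The column operation of the last two slides in Python, as an added example that is not part of the slides: the forward matrix with coefficients 01/02/03, the inverse matrix, and the constant multiplications built only from doubling in GF(2^8). It also checks the linearity of InvMixColumn that the Equivalent Decryption slides later rely on. Function names are my own.

```python
def xtime(a: int) -> int:
    """Multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x1B) on overflow."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def mul(a: int, c: int) -> int:
    """Multiply a by a small constant c using only a, 2a, 4a, 8a (repeated xtime)."""
    r, term = 0, a
    for _ in range(4):          # term runs through a, 2a, 4a, 8a
        if c & 1:
            r ^= term
        term, c = xtime(term), c >> 1
    return r

MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],   # inverse of MIX over GF(2^8)
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col: list, matrix=MIX) -> list:
    """One column s_{0..3,c} times the coefficient matrix; addition in GF(2^8) is XOR."""
    out = []
    for row in matrix:
        v = 0
        for coef, s in zip(row, col):
            v ^= mul(s, coef)
        out.append(v)
    return out

def inv_mix_column(col: list) -> list:
    return mix_column(col, INV_MIX)

def mix_columns(state: list) -> list:
    """MixColumn on all four columns of a 16-byte column-major state; columns never interact."""
    out = []
    for c in range(4):
        out.extend(mix_column(state[4 * c:4 * c + 4]))
    return out

def inv_mix_is_linear(a: list, b: list) -> bool:
    """InvMixColumn(a xor b) == InvMixColumn(a) xor InvMixColumn(b), the property used to
    push the round key through InvMixColumn in the equivalent decryption structure."""
    lhs = inv_mix_column([x ^ y for x, y in zip(a, b)])
    rhs = [x ^ y for x, y in zip(inv_mix_column(a), inv_mix_column(b))]
    return lhs == rhs
```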
Round Properties
- Two rounds suffice to yield full diffusion: every bit of the output depends on all the bits of the input.
- Equivalently, complementing one bit of the input changes 50% of the bits of the output.
Key Schedule
- The secret key is expanded into 10 round keys.
- k_j = k_{j-1} xor k_{j-4} if j mod 4 ≠ 0; if j mod 4 = 0 see the side figure.
- Every k_i is a 32 bit word corresponding to a column of the unrolled key.
[figure: the unrolled key as columns K0, K1, K2, K3 (round key 0), K4, K5, ... (round key 1, ...); at every fourth word the previous word passes through ROT, SBOX and rcon before the addition (+)]
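The two SBOX building blocks from the SBOX slides (inversion in GF(2^8) with 0 mapped to itself, then the affine map; the inverse SBOX in the opposite order) together with the 128-bit key schedule of this slide, as an added Python example that is not part of the slides. Function and constant names are my own; the affine constants 0x63 and 0x05 are the ones AES uses.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the generator polynomial named on the slide

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse in GF(2^8): a^254 = a^-1 since the multiplicative group has order 255.
    For a = 0 the product chain stays 0, so 0 maps to itself as the slide requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine(b: int) -> int:
    """Multiply by the constant circulant matrix over GF(2), then add the vector 0x63."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

def inv_affine(b: int) -> int:
    """The inverse map is again affine: another circulant matrix plus the vector 0x05."""
    return rotl8(b, 1) ^ rotl8(b, 3) ^ rotl8(b, 6) ^ 0x05

SBOX = [affine(gf_inv(b)) for b in range(256)]          # inversion, then affine
INV_SBOX = [gf_inv(inv_affine(b)) for b in range(256)]  # inverse affine, then inversion

def expand_key_128(key: bytes) -> list:
    """Expand a 16-byte key into the 44 words k_0..k_43 that form the 11 round keys."""
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    rcon = 0x01
    for j in range(4, 44):
        t = k[j - 1]
        if j % 4 == 0:                                   # the side-figure path: ROT, SBOX, rcon
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF
            t = int.from_bytes(bytes(SBOX[x] for x in t.to_bytes(4, "big")), "big")
            t ^= rcon << 24
            rcon = gf_mul(rcon, 0x02)                    # rcon sequence 01, 02, 04, ..., 36
        k.append(k[j - 4] ^ t)                           # k_j = k_{j-4} xor t, t = k_{j-1} otherwise
    return k
```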
Decryption
- Decryption is obtained by applying the inverse round transformations in reverse order and by using the round keys in reverse order.
- The encryption round is defined as the sequence of SubByte, ShiftRow, MixColumn and AddRoundKey.
- The decryption round is the sequence of InvShiftRow, InvSubByte, AddRoundKey and InvMixColumn.
Secret Keys of 192 and 256 Bits
- In these cases the round function is applied 12 times for 192 bits and 14 times for 256 bits.
- The key schedule is slightly different; for the details see the specification by NIST.
Note
- For a complete analysis of the design choices there is a complete book: Joan Daemen and Vincent Rijmen, The Design of Rijndael, Springer-Verlag.
Implementing AES
- There are many possibilities for implementing AES.
- Such a great flexibility is due to the fact that AES was explicitly designed to:
  - have both SW and HW efficient implementations;
  - work well at byte, word (32 bit) or block (128 bit) level.
SW Implementation
- The inversion necessary in the SBOX is too complex to compute in software.
- The alternative is to implement the SBOX as a look-up table.
- The best choice is to use two tables, one for SBOX and one for InvSubByte (inverse SBOX).
SW Implementation
- ShiftRow can be moved in front of or after SBOX.
- A general solution is to integrate ShiftRow and SBOX: the bytes are output from SBOX according to the ShiftRow order.
- MixColumn is directly implemented as a multiplication by x, x^2, x^4 or x^8 in GF(2^8).
- AddRoundKey is just a XOR of bit sequences.
Optimizations
- To speed up execution it is possible to create a T table.
- The T table stores directly the result of the SBOX and MixColumn relative to a single byte.
- The four bytes of a state column are passed through the T table, rotated and added.
Optimizations
- To increase performance it is even possible to use four different tables storing the values already rotated.
- These tables increase the memory space from 1 kByte to 16 kByte.
Equivalent Decryption
- The decryption round can be rearranged to have the same sequence of transformations as encryption: InvShiftRow, InvSbox, InvMixColumn and AddRoundKey.
- This is possible thanks to the linearity of InvMixColumn.
- Now it is possible to create a unique table for InvSubByte and InvMixColumn, but the round keys have to be processed accordingly.
Equivalent Decryption
- The transformation to be applied to the round keys is the InvMixColumn, as InvMixColumn(state + key) = InvMixColumn(state) + InvMixColumn(key), because MixColumn is linear.
- This transformation can be applied only to the unrolled key, so it is not an overhead cost for decryption.
Key Schedule
- It is generally better to schedule all the round keys in advance and store them.
- Thanks to the structure of the round one can run the key schedule on-the-fly: compute a round key only when needed.
- This could be useful for devices subject to memory constraints.
HW Implementation
- The simplest way to implement AES is to instantiate the HW circuit for one round and iterate it 10 times.
- Also in HW the central point is the implementation of the SBOX.
- The SBOX can be implemented by a look-up table (LUT), but better solutions exist.
HW Implementation
- If the SBOX is implemented by a LUT, 16 SBOXes take about 80% of the area.
- If the SBOX is decomposed into inversion followed by affine transformation, it is possible to compute the inverse in the composite finite field GF((2^4)^2).
HW Implementation
- An element of GF(2^8) can be viewed as: a polynomial of degree seven with coefficients in GF(2), or a polynomial of degree one with coefficients in GF(2^4).
- Both representations are equivalent; it is only necessary to have a transformation to convert from one representation to the other one.
- The composite field GF((2^4)^2) allows to reduce the SBOX silicon area by roughly 50%.
HW Implementation
- SW implementations rely on the key schedule executed in advance.
- In the case of HW implementations, the memory for storing all the round keys is too expensive: the key schedule is executed on-the-fly.
HW Implementation
- If silicon area is a constraint, then it is possible to implement the AES round by using 4 SBOXes instead of 16.
- This requires 4 clock cycles to execute the round function, instead of 1 cycle.
- If throughput is the major issue, it is possible to pipeline the round function.
Other Algorithms
- There are other symmetric algorithms: Safer, used in Bluetooth; Kasumi/Misty, proposed for UMTS; RC5 and RC6.
- The trend is to rely on AES for everything.
Modes of Operation
- A block cipher can be used in a simple way, called Electronic Code Book.
- The plaintext is divided into blocks of the same size.
- If the length of the message is not a multiple of the block size, padding is required: just add bits to reach the required length.
- One of the most used paddings is 10*: concatenate at the end of the plaintext a single 1 and as many 0s as needed.
- It is very simple to understand where the padding ends, if it is known that padding is present.
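The 10* padding of this slide on byte-aligned data, as an added Python example that is not part of the slides. It covers the case the slide's last point depends on: when the message already fills its last block, a whole extra block of padding is added, so that the receiver can always rely on padding being present. Function names are my own.

```python
BLOCK = 16  # AES block size in bytes

def pad_10star(msg: bytes, block: int = BLOCK) -> bytes:
    """10* padding on byte-aligned data: a single 1 bit (the byte 0x80) followed by 0 bits.
    A message that already fills its last block still gets a full block of padding; otherwise
    the receiver could not tell whether a trailing 0x80 00.. belongs to the data."""
    n = block - len(msg) % block              # 1..block bytes of padding, never 0
    return msg + b"\x80" + b"\x00" * (n - 1)

def unpad_10star(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip 10* padding: the padding ends at the last 0x80, which must lie in the final block
    and be followed only by zero bytes."""
    if not padded or len(padded) % block:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    idx = padded.rfind(b"\x80")
    if idx < len(padded) - block or any(padded[idx + 1:]):
        raise ValueError("malformed 10* padding")
    return padded[:idx]
```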
Drawbacks of ECB
- ECB has a drawback: equal plaintext blocks are encrypted to identical ciphertext blocks.
- This gives an advantage to an attacker.
- Alternative modes of operation have been introduced.
Example of ECB
[figure]
Cipher Text Stealing
[figure: the last two plaintext blocks P_{m-1} and P_m are processed through E_k so that the last, partial block steals part of the previous ciphertext; the output blocks are C_{m-1} and C_m]
CBC Cipher Block Chaining
[figure: encryption of P1, P2, P3, P4 with E_k; each plaintext block is XORed with the previous ciphertext block (the IV for the first one) before E_k, producing C1, C2, C3, C4; the IV is part of the output]
- An Initialization Vector (IV) is needed to start the chain, but there is no need to keep the IV secret.
Cipher Feedback (CFB)
[figure: encryption of P1, P2, P3, P4; E_k is applied to the previous ciphertext block (the IV for the first one) and the result is XORed with the plaintext block to give C1, C2, C3, C4; the IV is part of the output]
Output Feedback (OFB)
[figure: encryption of P1, P2, P3, P4; E_k is applied repeatedly to the IV, each output is fed back as the next input and XORed with the plaintext block to give C1, C2, C3, C4; the IV is part of the output]
Counter Mode
[figure: encryption of P1, P2, P3, P4; E_k is applied to the IV, IV+1, IV+2, IV+3 and each result is XORed with the plaintext block to give C1, C2, C3, C4]
Notes on Modes
- OFB, CFB and Counter Mode do not need the decryption primitive.
- CBC is the most used mode, but Counter Mode is gaining interest.
- There are other modes for guaranteeing data integrity instead of confidentiality.
- CBC, CFB and OFB modes can not be parallelized, while CTR and ECB modes can be.
Error Propagation
- In CBC mode a bit flip in the ciphertext affects the complete deciphered block and also the next one.
- In Counter Mode a bit flip affects only the specific bit affected; there is no error propagation.
- Remember that error injection could be an attack (fault-injection attack).
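The error propagation of this slide and the point of the Notes on Modes slide that Counter Mode needs only E_k, as an added Python example that is not part of the slides. It assumes a stand-in for E_k: a constructed Feistel permutation with a hash as round function, invertible like a block cipher but with no security properties, used only so CBC and CTR can run without an AES library; key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in for the slides' E_k: a 4-round Feistel permutation with a hash as round
# function. Invertible like a block cipher, but a constructed toy with no security claim.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def e_k(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return r + l
def d_k(key: bytes, block: bytes) -> bytes:
    l, r = block[8:], block[:8]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(pt):
        prev = e_k(key, xor(p, prev))       # C_i = E_k(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(d_k(key, c), prev))  # P_i = D_k(C_i) xor C_{i-1}: needs D_k
        prev = c
    return b"".join(out)
def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:  # uses only E_k, both ways
    ctr, out = int.from_bytes(iv, "big"), []
    for i, p in enumerate(blocks(data)):
        out.append(xor(p, e_k(key, ((ctr + i) % (1 << 128)).to_bytes(16, "big"))))
    return b"".join(out)

def error_propagation(mode: str) -> list:
    """Flip one ciphertext bit in block 2, decrypt, count changed plaintext bits per block."""
    key, iv, pt = b"k" * 16, (1).to_bytes(16, "big"), bytes(range(64))  # constructed, 4 blocks
    enc, dec = (cbc_encrypt, cbc_decrypt) if mode == "cbc" else (ctr_crypt, ctr_crypt)
    ct = bytearray(enc(key, iv, pt))
    ct[16] ^= 0x80                                 # first bit of ciphertext block 2
    rec = dec(key, iv, bytes(ct))
    return [bin(int.from_bytes(xor(p, q), "big")).count("1")
            for p, q in zip(blocks(pt), blocks(rec))]
```

For CBC the result reads [0, many, 1, 0]: block 2 is fully garbled and block 3 has exactly the flipped bit; for CTR it reads [0, 1, 0, 0].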
CBC-MAC (Message Authentication Code)
[figure: P1, P2, P3, P4 chained through E_k as in CBC starting from the IV; the last output is the TAG]
- The scheme is equal to the CBC mode, but only the last output is used as a TAG.
CBC-MAC Notes
- CBC-MAC is secure only for messages with length multiple of the data block size and messages of fixed length.
- For a general MAC, a derivation has been standardized recently to pad the last block in a proper way: named CMAC or OMAC.
Privacy and Data Integrity
- It is possible to use modes that guarantee both privacy and data integrity.
- One of these modes is CCM: a combination of CBC-MAC and Counter Mode.
Authentication
- It is possible to create a simple authentication protocol.
- Devices that have to be authenticated are equipped with the same secret key.
- When they need to authenticate, one device (verifier) sends a random number (challenge).
- The second device (prover) encrypts the challenge and sends it back.
- The verifier decrypts the answer of the prover and checks whether it is equal to the original challenge (or encrypts the challenge and compares the results).