Advanced Encryption Standard and Modes of Operation


Advanced Encryption Standard and Modes of Operation. G. Bertoni, L. Breveglieri. Foundations of Cryptography - AES, pp. 1 / 50

AES
The Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm. AES was originally requested by NIST to replace DES; a long and open selection process chose one algorithm to become AES: Rijndael. Rijndael was designed by the two Belgian cryptographers Vincent Rijmen and Joan Daemen.

Differences between AES and Rijndael
AES is a subset of the functions of Rijndael: it has a fixed block size of 128 bits and a secret key of either 128, 192 or 256 bits. Rijndael can work with any combination of key and data block length, from a minimum of 128 to a maximum of 256 bits, with a step of 32 bits. This is the only difference between AES and Rijndael; the basic structure is essentially the same for both.

Cipher Structure
Consider first the version with a secret key of 128 bits, and then explain the differences in the other two cases. The cipher is divided into two parts, key schedule and data path, as is customary for symmetric algorithms.

Cipher Structure
The data path consists of the round function, repeated 10 times. At the beginning the plaintext is XORed with the secret key (this operation is called Initial KeyAddition). The operation MixColumns is missing in the last round.

Cipher Structure
The plaintext to encrypt is represented as a matrix of bytes, called the state or S. The state matrix S is a square matrix of 4 x 4 = 16 bytes. After 10 rounds the state matrix S contains the ciphertext.

AES Structure
[figure: the plaintext passes through the initial KeyAddition with round key 0, then rounds 1 to 10, each using round key 1 to 10; the round keys are produced by the key schedule from the secret key; the structure of a generic round takes the input data through SubBytes, ShiftRows, MixColumns and AddRoundKey to produce the output data; the output of round 10 is the encrypted data]

AES Encryption: SubBytes and ShiftRows
[figure: SubBytes applies the S-BOX to each byte of the state array (bytes numbered 0 to 15 column-wise, producing s'_0 ... s'_15); ShiftRows rotates row 0 of the state array by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes]

AES Encryption: MixColumns and AddRoundKey
[figure: MixColumns multiplies the state array by the coefficient matrix (02 03 01 01 / 01 02 03 01 / 01 01 02 03 / 03 01 01 02) with polynomial multiplication in the field GF(2^8); AddRoundKey is the bit-wise XOR of the state matrix with the round key bytes k_0 ... k_15]

SBOX
The SubBytes transformation is the application of an S-box to the 16 bytes of the state matrix. The S-box consists of two transformations: an inversion in GF(2^8) and an affine function. The motivations for such a structure are: non-linearity (the correlation between input and output is minimal, and the maximum difference propagation probability is minimized) and algebraic complexity.

SBOX - Inversion
The finite field GF(2^8) is represented using G(x) = x^8 + x^4 + x^3 + x + 1 as the irreducible generator polynomial. The first S-box transformation is inversion; the element 0 (which is not invertible in any field) is mapped to itself.

SBOX - Affine Transformation
Inversion is followed by an affine transformation. The affine transformation does not alter the non-linear behaviour of inversion, but increases the difficulty of interpolation.

SBOX - Affine Transformation
The affine transformation consists first of a multiplication by a constant matrix and then of the addition of a constant vector; the basic operations are executed in GF(2). The constant matrix is invertible, thus the affine transformation is invertible as well; the inverse affine transformation is still an affine transformation.

InvSubBytes
InvSubBytes is the application of the inverse S-box to the state matrix. The inverse S-box is obtained by applying first the inverse affine transformation and then inversion in GF(2^8), since the inverse of inversion is still an inversion.

ShiftRows
The purpose of this transformation is to introduce diffusion and to minimize the cost of the operation. It consists of rotating the rows of the state matrix (see the previous figure). The transformation is easily invertible: just shift in the opposite direction.

MixColumns
The transformation works on a single column of the state matrix at a time. The design criteria are: diffusion through the column, high performance on 8-bit processors, and linearity for simplicity.

MixColumns
The coefficients of the constant matrix are chosen to facilitate multiplication: 01, 02 and 03 (these are elements of the finite field GF(2^8) represented in hex). The inverse MixColumns is obtained by taking the inverse of the coefficient matrix (which is non-singular).

MixColumns
Notice that a column of the state matrix affects only one column of the state after the transformation:

$$\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}, \qquad 0 \le c \le 3$$

MixColumns
MixColumns can be rewritten as follows (products in GF(2^8), sums are XOR):

$$\begin{aligned} s'_{0,c} &= (02 \bullet s_{0,c}) \oplus (03 \bullet s_{1,c}) \oplus s_{2,c} \oplus s_{3,c} \\ s'_{1,c} &= s_{0,c} \oplus (02 \bullet s_{1,c}) \oplus (03 \bullet s_{2,c}) \oplus s_{3,c} \\ s'_{2,c} &= s_{0,c} \oplus s_{1,c} \oplus (02 \bullet s_{2,c}) \oplus (03 \bullet s_{3,c}) \\ s'_{3,c} &= (03 \bullet s_{0,c}) \oplus s_{1,c} \oplus s_{2,c} \oplus (02 \bullet s_{3,c}) \end{aligned}$$

Round Properties
Two rounds suffice to yield full diffusion: every bit of the output depends on all the bits of the input; equivalently, complementing one bit of the input changes 50% of the bits of the output.

Key Schedule
The secret key is expanded into 10 round keys. Every k_i is a 32-bit word corresponding to a column of the unrolled key: k_j = k_{j-1} xor k_{j-4} if j is not 0 mod 4; if j = 0 mod 4, see the side figure.
[figure: words K_0 ... K_3 form round key 0 and K_4 ... form round key 1; for j = 0 mod 4 the previous word K_{j-1} passes through ROT, SBOX and the addition of the round constant rcon before being added (+) to K_{j-4}]

Decryption
Decryption is obtained by applying the inverse round transformations in reverse order and by using the round keys in reverse order. An encryption round is defined as the sequence SubBytes, ShiftRows, MixColumns and AddRoundKey; a decryption round is the sequence InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns.
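The following is an added worked example, not code from the slides: AES-128 assembled from exactly the primitives described above (the S-box as inversion in GF(2^8) followed by the affine map, ShiftRows, MixColumns with the 02/03/01/01 circulant, the key schedule with ROT, SBOX and rcon, and the decryption round InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns applied with the round keys in reverse order). The state is a list of 16 bytes in the column-wise numbering of the figures (byte 4c + r is row r, column c). The checks at the end use the FIPS-197 test vectors (Appendix A.1 key expansion and Appendix C.1 encryption); the coefficients 0e 0b 0d 09 of the inverse MixColumns matrix are the standard ones and are not stated on the slides.

```python
# Added example: AES-128 from the slides' primitives (not the course's own code).
POLY = 0x11B  # G(x) = x^8 + x^4 + x^3 + x + 1, the generator polynomial of GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo G(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) as a^254; 0 is mapped to itself."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r if a else 0  # a is 0 only if the input was 0


def affine(b: int) -> int:
    """Affine map: constant matrix over GF(2) (taps i, i+4..i+7) plus the constant 0x63."""
    out = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]       # inversion, then affine
INV_SBOX = [0] * 256                                  # inverse S-box as a table
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s):
    """Row r rotated left by r positions (column-wise byte numbering)."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def inv_shift_rows(s):
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s, m=(0x02, 0x03, 0x01, 0x01)):
    """Multiply every column by the circulant matrix whose first row is m."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for i in range(4):
                v ^= gf_mul(m[(i - r) % 4], col[i])
            out.append(v)
    return out


INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)   # first row of the inverse coefficient matrix


def expand_key(key: bytes):
    """Key schedule for a 128-bit key: 44 words, grouped into 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for j in range(4, 44):
        t = list(w[j - 1])
        if j % 4 == 0:                  # ROT, SBOX and rcon for every 4th word
            t = t[1:] + t[:1]
            t = [SBOX[b] for b in t]
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[j - 4], t)])   # k_j = k_{j-4} xor t
    return [sum(w[4 * i:4 * i + 4], []) for i in range(11)]


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def encrypt_block(pt: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(list(pt), rk[0])            # Initial KeyAddition
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if rnd != 10:                              # MixColumns is missing in the last round
            s = mix_columns(s)
        s = add_round_key(s, rk[rnd])
    return bytes(s)


def decrypt_block(ct: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(list(ct), rk[10])           # round keys in reverse order
    for rnd in range(9, -1, -1):
        s = sub_bytes(inv_shift_rows(s), INV_SBOX)
        s = add_round_key(s, rk[rnd])
        if rnd != 0:
            s = mix_columns(s, INV_MIX)
    return bytes(s)


if __name__ == "__main__":
    key = bytes(range(16))                                      # FIPS-197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
```

Running the script prints the Appendix C.1 ciphertext `69c4e0d86a7b0430d8cdb78070b4c55a` followed by `True`. The S-box is derived rather than typed in, so a wrong tap in the affine map or a wrong generator polynomial shows up immediately as a failed test vector; this is the kind of check worth keeping next to any hand-written AES.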

Secret Keys of 192 and 256 Bits
In these cases the round function is applied 12 times for 192 bits and 14 times for 256 bits. The key schedule is slightly different; for the details see the specification by NIST.

Note
For a complete analysis of the design choices there is a complete book: Joan Daemen and Vincent Rijmen, The Design of Rijndael, Springer-Verlag.

Implementing AES
There are many possibilities for implementing AES. Such great flexibility is due to the fact that AES was explicitly designed to have both SW- and HW-efficient implementations, and to work well at the byte, word (32-bit) or block (128-bit) level.

SW Implementation
The inversion necessary in the S-box is too complex to compute in software; the alternative is to implement the S-box as a look-up table. The best choice is to use two tables, one for the S-box and one for InvSubBytes (the inverse S-box).

SW Implementation
ShiftRows can be moved in front of or after the S-box; a general solution is to integrate ShiftRows and the S-box: the bytes are output from the S-box according to the ShiftRows order. MixColumns is directly implemented as multiplication by x, x^2, x^4 or x^8 in GF(2^8). AddRoundKey is just a XOR of bit sequences.

Optimizations
To speed up execution it is possible to create a T table. A T table stores directly the result of the S-box and MixColumns relative to a single byte; the four bytes of a state column are passed through the T table, rotated and added.

Optimizations
To increase performance it is even possible to use four different tables storing the values already rotated; these tables increase the memory space from 1 kByte to 16 kByte.

Equivalent Decryption
The decryption round can be rearranged to have the same sequence of transformations as encryption: InvShiftRows, InvSbox, InvMixColumns and AddRoundKey. This is possible thanks to the linearity of InvMixColumns. Now it is possible to create a unique table for InvSubBytes and InvMixColumns, but the round keys have to be processed accordingly.

Equivalent Decryption
The transformation to be applied to the round keys is InvMixColumns, as InvMixColumn(state + key) = InvMixColumn(state) + InvMixColumn(key) because MixColumns is linear. This transformation can be applied just once, to the unrolled key, so it is not an overhead cost for decryption.

Key Schedule
It is generally better to schedule all the round keys in advance and store them. Thanks to the structure of the rounds one can also run the key schedule on-the-fly, computing a round key only when needed; this could be useful for devices subject to memory constraints.

HW Implementation
The simplest way to implement AES is to instantiate the HW circuit for one round and iterate it 10 times. Also in HW the central point is the implementation of the S-box. The S-box can be implemented by a look-up table (LUT), but better solutions exist.

HW Implementation
If the S-box is implemented by a LUT, 16 S-boxes take about 80% of the area. If the S-box is decomposed into inversion followed by the affine transformation, it is possible to compute the inverse in the composite finite field GF((2^4)^2).

HW Implementation
An element of GF(2^8) can be viewed as a polynomial of degree seven with coefficients in GF(2), or as a polynomial of degree one with coefficients in GF(2^4). Both representations are equivalent; it is only necessary to have a transformation to convert from one representation to the other. The composite field GF((2^4)^2) allows reducing the S-box silicon area by roughly 50%.

HW Implementation
SW implementations rely on a key schedule executed in advance. In the case of HW implementations, the memory for storing all the round keys is too expensive, so the key schedule is executed on-the-fly.

HW Implementation
If silicon area is a constraint, then it is possible to implement the AES round by using 4 S-boxes instead of 16; this requires 4 clock cycles to execute the round function instead of 1 cycle. If throughput is the major issue, it is possible to pipeline the round function.

Other Algorithms
There are other symmetric algorithms: Safer, used in Bluetooth; Kasumi/Misty, proposed for UMTS; RC5 and RC6. The trend is to rely on AES for everything.

Modes of Operation
A block cipher can be used in a simple way, called Electronic Code Book: the plaintext is divided into blocks of the same size. If the length of the message is not a multiple of the block size, padding is required: just add bits to reach the required length. One of the most used paddings is 10*: concatenate at the end of the plaintext a single 1 and as many 0s as needed. It is very simple to tell where the padding ends, if it is known that padding is present.

Drawbacks of ECB
ECB has a drawback: equal plaintext blocks are encrypted to identical ciphertext blocks. This gives an advantage to an attacker; alternative modes of operation have been introduced.

Example of ECB
[figure]

Cipher Text Stealing
[figure: the last two plaintext blocks P_{m-1} and P_m, two applications of E_k, and the resulting ciphertext blocks C_{m-1} and C_m]

CBC - Cipher Block Chaining
[figure: CBC encryption of P_1 ... P_4 with E_k, the chain started by the IV, producing C_1 ... C_4]
An Initialization Vector (IV) is needed to start the chain, but there is no need to keep the IV secret.

Cipher Feedback (CFB)
[figure: CFB encryption of P_1 ... P_4 with E_k starting from the IV, producing C_1 ... C_4]

Output Feedback (OFB)
[figure: OFB encryption of P_1 ... P_4 with E_k starting from the IV, producing C_1 ... C_4]

Counter Mode
[figure: Counter Mode encryption of P_1 ... P_4, the IV incremented by +1 for each block and passed through E_k, producing C_1 ... C_4]

Notes on Modes
OFB, CFB and Counter Mode do not need the decryption primitive. CBC is the most used mode, but Counter Mode is gaining interest. There are other modes for guaranteeing data integrity instead of confidentiality. CBC, CFB and OFB modes cannot be parallelized, while CTR and ECB modes can be.

Error Propagation
In CBC mode a bit flip in the ciphertext affects the complete deciphered block and also the next one. In Counter Mode a bit flip affects only the specific bit hit; there is no error propagation. Remember that error injection could be an attack (fault-injection attack).
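An added example covering the modes slides above (ECB, its drawback, 10* padding, CBC with a public IV, Counter Mode, and the error-propagation comparison); it is not code from the slides. To keep the script dependent only on the Python standard library, E_k is a stand-in 16-byte keyed permutation (a 4-round Feistel network with HMAC-SHA256 as round function, constructed here); in practice E_k is AES, and the mode logic is unchanged. The key and IV are constructed sample values so the results are reproducible; a deployment would draw the IV fresh per message and the key from a proper key-management path.

```python
# Added example: modes of operation over a stand-in block cipher (not the course's code).
import hashlib
import hmac

BLOCK = 16


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_block(key: bytes, block: bytes) -> bytes:
    """Stand-in E_k: a keyed permutation of one 16-byte block (Feistel, 4 rounds)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def dec_block(key: bytes, block: bytes) -> bytes:
    """Inverse of enc_block: rounds undone in reverse order."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def pad_10star(msg: bytes) -> bytes:
    """Byte-oriented 10* padding: one 0x80 byte, then zeros up to the block boundary."""
    n = BLOCK - len(msg) % BLOCK          # at least one byte is always added
    return msg + b"\x80" + b"\x00" * (n - 1)


def unpad_10star(data: bytes) -> bytes:
    stripped = data.rstrip(b"\x00")       # the 0x80 marks where the padding starts
    if not stripped.endswith(b"\x80"):
        raise ValueError("bad 10* padding")
    return stripped[:-1]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(enc_block(key, b) for b in blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, xor(b, prev))        # C_i = E_k(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec_block(key, c), prev))   # P_i = D_k(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def ctr_crypt(key, iv, data):
    """Counter Mode: keystream block i = E_k(IV + i); only E_k is needed, same call decrypts."""
    out = b""
    for i, b in enumerate(blocks(data)):
        ctr = ((int.from_bytes(iv, "big") + i) % (1 << 128)).to_bytes(BLOCK, "big")
        out += xor(b, enc_block(key, ctr))          # zip truncates the last partial block
    return out


def bit_diff(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


KEY = b"constructed sample key for the example"   # constructed, not a real key
IV = bytes(range(BLOCK))                          # constructed sample IV


def ecb_repeats_visible() -> bool:
    """Equal plaintext blocks give equal ciphertext blocks in ECB but not in CBC."""
    pt = b"A" * BLOCK * 2
    ecb, cbc = ecb_encrypt(KEY, pt), cbc_encrypt(KEY, IV, pt)
    return ecb[:16] == ecb[16:] and cbc[:16] != cbc[16:]


def cbc_flip_effect():
    """Flip one bit of C_2: P_1 intact, P_2 garbled, P_3 has exactly one bit flipped."""
    pt = pad_10star(b"three blocks of plaintext for the error propagation test")
    ct = bytearray(cbc_encrypt(KEY, IV, pt))
    ct[16] ^= 0x01
    dec = cbc_decrypt(KEY, IV, bytes(ct))
    return dec[:16] == pt[:16], dec[16:32] != pt[16:32], bit_diff(dec[32:48], pt[32:48])


def ctr_flip_effect() -> int:
    """Flip one ciphertext bit in CTR: exactly one plaintext bit changes."""
    pt = b"counter mode has no error propagation at all"
    ct = bytearray(ctr_crypt(KEY, IV, pt))
    ct[16] ^= 0x01
    return bit_diff(ctr_crypt(KEY, IV, bytes(ct)), pt)
```

`cbc_flip_effect()` returns `(True, True, 1)` and `ctr_flip_effect()` returns `1`, which is the error-propagation behaviour the slide states. The absence of propagation in CTR is also why neither mode on its own detects a modified ciphertext: a deliberate bit flip decrypts to a predictable plaintext change, so integrity has to come from a MAC or an authenticated mode such as the CCM mentioned later.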

CBC-MAC (Message Authentication Code)
[figure: P_1 ... P_4 chained through E_k starting from the IV, as in CBC]
The scheme is equal to the CBC mode, but only the last output is used, as a TAG.

CBC-MAC Notes
CBC-MAC is secure only for messages whose length is a multiple of the data block size and for messages of fixed length. For a general MAC, a derivation has recently been standardized to pad the last block in a proper way, named CMAC or OMAC.

Privacy and Data Integrity
It is possible to use modes that guarantee both privacy and data integrity. One of these modes is CCM: a combination of CBC-MAC and Counter Mode.

Authentication
It is possible to create a simple authentication protocol. Devices that have to be authenticated are equipped with the same secret key. When they need to authenticate, one device (the verifier) sends a random number (the challenge); the second device (the prover) encrypts the challenge and sends it back. The verifier decrypts the answer of the prover and checks whether it is equal to the original challenge (or encrypts the challenge itself and compares the results).
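An added example for the last two topics, CBC-MAC (with the fixed-length restriction the notes require) and the challenge-response protocol; it is not code from the slides. E_k is a stand-in keyed 16-byte block function built from HMAC-SHA256 (constructed here so the script needs only the standard library; it is a PRF rather than a permutation, which suffices because neither CBC-MAC nor the "encrypt and compare" variant of the protocol ever decrypts); the fixed message length `MSG_LEN`, the all-zero IV for CBC-MAC and the key values are assumptions of this example.

```python
# Added example: fixed-length CBC-MAC and challenge-response (not the course's code).
import hashlib
import hmac
import secrets

BLOCK = 16
MSG_LEN = 4 * BLOCK   # assumption: the single message length this MAC instance accepts


def e_k(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher encryption E_k (a PRF, not a permutation)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """CBC chaining from an all-zero IV; only the last output is the TAG."""
    if len(msg) != MSG_LEN:
        # The notes restrict CBC-MAC to fixed-length, block-aligned messages;
        # enforce that at the API so other lengths are rejected rather than MACed.
        raise ValueError("CBC-MAC here accepts messages of exactly MSG_LEN bytes")
    tag = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        tag = e_k(key, xor(msg[i:i + BLOCK], tag))
    return tag


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    try:
        expected = cbc_mac(key, msg)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)       # constant-time comparison


# Challenge-response: verifier and prover hold the same secret key.
def verifier_new_challenge() -> bytes:
    return secrets.token_bytes(BLOCK)               # fresh random challenge per run


def prover_respond(key: bytes, challenge: bytes) -> bytes:
    return e_k(key, challenge)                      # prover encrypts the challenge


def verifier_check(key: bytes, challenge: bytes, response: bytes) -> bool:
    # "encrypt the challenge and compare the results" variant from the slide
    return hmac.compare_digest(e_k(key, challenge), response)


def run_protocol(prover_key: bytes, verifier_key: bytes) -> bool:
    challenge = verifier_new_challenge()            # message 1: verifier -> prover
    response = prover_respond(prover_key, challenge)  # message 2: prover -> verifier
    return verifier_check(verifier_key, challenge, response)


if __name__ == "__main__":
    k = b"constructed shared key"                   # constructed sample key
    msg = bytes(range(MSG_LEN))
    print(cbc_mac(k, msg).hex(), run_protocol(k, k), run_protocol(k, b"other key"))
```

Two design points worth noticing: the tag and the response are compared with `hmac.compare_digest` rather than `==`, so the comparison time does not leak how many leading bytes matched; and the challenge is drawn fresh from `secrets` on every run, which is what stops a recorded response from being replayed. A message of the wrong length is refused outright, because the notes only claim security for the fixed-length case.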