The Advanced Encryption Standard (AES) Simplified
Cryptosystems and Secrecy
With cryptosystems, we desire perfect secrecy: the probability that the contents of some intercepted data correspond to some plaintext message is unaltered by knowledge of the ciphertext for that message.
The strength of a cryptosystem is measured by what is known as its work factor: the amount of time needed to decipher a message without knowledge of the key.
A cryptosystem is considered secure when its work factor is exponential in the length of the key: 2.
Cryptosystem Design
General goals for designing secure encryption algorithms:
   Confusion
   Diffusion
A good encryption algorithm would satisfy the following two criteria:
   No output bit should be a linear function of the input bits. In other words, the algorithm must induce non-linearity. This ensures confusion.
   Avalanche criterion: the probability of changing a given bit in the output is ½ when any subset of the input bits is complemented.
Advanced Encryption Standard (AES)
AES is the US "standard" secret key cryptosystem, replacing DES (Data Encryption Standard, adopted in 1977).
AES is the result of a three-year competition. This competition was announced in September 1997 and had entries from 12 different countries.
The one submission that eventually won was called "Rijndael" and was invented by two Belgians, Joan Daemen and Vincent Rijmen.
A Brief History of DES
In 1974, IBM proposed "Lucifer", an encryption algorithm that uses 64-bit keys. Two years later, NBS (in consultation with NSA) made a modified version of that algorithm into a standard. DES takes in 64 bits of data, employs a 56-bit key, and executes 16 cycles of substitution and permutation before outputting 64 bits of encrypted data.
A Brief History of DES
In the summer of 1998, the Electronic Frontier Foundation (EFF) built a DES cracker machine at a cost of $250,000.
It had 1536 chips, worked at a rate of 88 billion keys per second, and was able to break a DES-encrypted message in 56 hours.
One year later, with the cracker working in tandem with 100,000 PCs over the Internet, a DES-encrypted message was cracked in only 22 hours.
One common way to make DES more secure today is to encrypt three times using DES: triple-DES (3DES).
3DES is extremely slow, so a better algorithm was needed.
Requirements for AES
AES had to be a private key algorithm. It had to use a shared secret key.
It had to support the following key sizes:
   128 bits (= 3.4 x 10^38 keys, equivalent to 2560-bit RSA)
   192 bits (= 6.2 x 10^57 keys)
   256 bits (= 1.1 x 10^77 keys)
DES uses only 56-bit keys, giving a key space of 7.2 x 10^16 keys.
If you were able to search half the DES key space in 1 second, then on average, it would take 149 trillion years to crack a 128-bit AES key.
Requirements for AES
It had to satisfy certain engineering criteria: performance, efficiency, implementability, and flexibility.
Rijndael can be implemented easily in both hardware and software, and has realizations that require little memory (so the algorithm can be used in smartcards).
Requirements for AES
It had to be a block cipher: an encryption algorithm that is structured in terms of an internal function and runs that function repeatedly on the input.
Each iteration is called a round; AES uses 10 rounds.
Requirements for AES
AES is also an instance of a Feistel cipher, a special case of a block cipher.
The input to such a cipher consists of 2t bits.
The input is first divided into 2 parts: L_0 and R_0.
The cipher then proceeds in rounds. In the i-th round,
   L_i := R_{i-1}
   R_i := L_{i-1} XOR f(R_{i-1}, k_i),
where f is some function, and k_i is some number derived from the key, to be used in round i.
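The round rule above in runnable form, as an added example that is not part of the original slides: a toy Feistel network whose round function f (truncated SHA-256) and subkeys are assumptions chosen for illustration, and whose halves are t bytes rather than t bits. It shows that decryption applies the same rule with the subkeys in reverse order, even though f itself cannot be inverted.

```python
import hashlib

# Added example: toy Feistel network for study, not a real cipher.

def f(r, k):
    """Hypothetical round function: truncated SHA-256 of subkey || R (not invertible)."""
    return hashlib.sha256(k + r).digest()[:len(r)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(block, subkeys):
    """Split a 2t-byte block into L_0, R_0 and apply one round per subkey."""
    t = len(block) // 2
    left, right = block[:t], block[t:]
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, k_i)
        left, right = right, xor(left, f(right, k))
    return left + right

def feistel_decrypt(block, subkeys):
    """Undo the rounds: same f, subkeys taken in reverse order."""
    t = len(block) // 2
    left, right = block[:t], block[t:]
    for k in reversed(subkeys):
        # R_{i-1} = L_i;  L_{i-1} = R_i XOR f(L_i, k_i)
        left, right = xor(right, f(left, k)), left
    return left + right

# Constructed sample values: four subkeys and a 16-byte block (t = 8).
SUBKEYS = [b"k1", b"k2", b"k3", b"k4"]
MESSAGE = b"16 byte message!"
```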
The AES Cipher
Block length is limited to 128 bits
The key size can be independently specified as 128, 192 or 256 bits
   Key size (words/bytes/bits)       4/16/128   6/24/192   8/32/256
   Number of rounds                  10         12         14
   Expanded key size (words/bytes)   44/176     52/208     60/240
The AES Cipher
Key received as input array of 4 rows and Nk columns
Nk = 4, 6, or 8, a parameter which depends on the key size
Input key is expanded into an array of 44/52/60 words of 32 bits each
4 different words serve as a key for each round
Key array:
   k0   k4   k8   k12
   k1   k5   k9   k13
   k2   k6   k10  k14
   k3   k7   k11  k15
Expanded key:
   w0 w1 w2 … w42 w43
The AES Cipher
Single 128-bit block as input
Copied to a State array with Nb columns (Nb = 4)
Input:
   in0   in4   in8   in12
   in1   in5   in9   in13
   in2   in6   in10  in14
   in3   in7   in11  in15
State array:
   S00   S01   S02   S03
   S10   S11   S12   S13
   S20   S21   S22   S23
   S30   S31   S32   S33
Output:
   o0    o4    o8    o12
   o1    o5    o9    o13
   o2    o6    o10   o14
   o3    o7    o11   o15
The AES Cipher
Number of rounds, Nr, depends on key size
Each round is a repetition of functions that perform a transformation over the State array
Each round consists of 4 main functions (one permutation and three substitutions):
   Substitute bytes, Shift rows, Mix columns, Add round key
The AES Cipher
AddRoundKey(): the round key is added to the State using an XOR operation
MixColumns(): takes all the columns of the State and mixes their data, independently of one another, making use of arithmetic over GF(2^8)
ShiftRows(): processes the State by cyclically shifting the last three rows of the State by different offsets
SubBytes(): uses the S-box to perform a byte-by-byte substitution of the State
The AES Cipher
[Figure: encryption flow from plaintext to ciphertext, with the expanded key words used at each step]
plaintext
   Add round key
   Round 1: Substitute bytes, Shift rows, Mix columns, Add round key (W[4,7])
   ...
   Round 9: Substitute bytes, Shift rows, Mix columns, Add round key (W[36,39])
   Substitute bytes, Shift rows, Add round key (W[40,43])
ciphertext
The AES Cipher
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
   byte state[4,Nb]
   state = in
   AddRoundKey(state, w[0, Nb-1])
   for round = 1 to Nr-1
      SubBytes(state)
      ShiftRows(state)
      MixColumns(state)
      AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
   end for
   SubBytes(state)
   ShiftRows(state)
   AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
   out = state
end
The AES Cipher
Only Add round key makes use of the key
The other three functions are used for diffusion and confusion
The final round consists of only three stages
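The Cipher() routine above as runnable Python, added here as an example and not taken from the original slides or from any AES library; it goes slightly beyond the 128-bit walk-through by handling all three key sizes. The function names are this example's own, the S-box is computed from the GF(2^8) inverse and affine map instead of being tabulated, and the code is for study only (table lookups are not constant-time).

```python
# Added example: FIPS-197 Cipher() for 128/192/256-bit keys; names are this example's own.
def xtime(a):                       # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):                     # GF(2^8) product, used by MixColumns and the S-box
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(x):
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)   # 0 maps to 0
    rot = lambda s: ((inv << s) | (inv >> (8 - s))) & 0xFF
    return inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63           # affine transform
SBOX = [_sbox_entry(x) for x in range(256)]

def expand_key(key):                # Nk key words -> Nb*(Nr+1) words; returns (w, Nr)
    nk, rcon = len(key) // 4, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                    # RotWord, SubWord
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w, nk + 6

def add_round_key(s, w, rnd):       # s[c] is column c of the State, w[4*rnd+c] its key word
    return [[b ^ k for b, k in zip(s[c], w[4 * rnd + c])] for c in range(4)]
def sub_bytes(s):
    return [[SBOX[b] for b in col] for col in s]
def shift_rows(s):                  # row r rotates left by r positions
    return [[s[(c + r) % 4][r] for r in range(4)] for c in range(4)]
def mix_columns(s):
    return [[gmul(2, c[r]) ^ gmul(3, c[(r + 1) % 4]) ^ c[(r + 2) % 4] ^ c[(r + 3) % 4]
             for r in range(4)] for c in s]

def encrypt_block(block, key):
    w, nr = expand_key(key)
    s = add_round_key([list(block[4 * c:4 * c + 4]) for c in range(4)], w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, nr)              # no MixColumns
    return bytes(b for col in s for b in col)
```

Calling encrypt_block with the FIPS-197 Appendix C plaintext 00112233445566778899aabbccddeeff and the key bytes 00 through 0f reproduces the published ciphertext.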
The AES Inverse Cipher
[Figure: decryption flow from ciphertext to plaintext, with the expanded key words used at each step]
ciphertext
   Add round key
   Round 1: Inv. Shift rows, Inv. Sub bytes, Add round key (W[36,39]), Inv. Mix columns
   ...
   Round 9: Inv. Shift rows, Inv. Sub bytes, Add round key (W[4,7]), Inv. Mix columns
   Inv. Shift rows, Inv. Sub bytes, Add round key (W[0,3])
plaintext
The AES Inverse Cipher
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
   byte state[4,Nb]
   state = in
   AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
   // round keys are consumed in reverse order
   for round = Nr-1 step -1 downto 1
      InvShiftRows(state)
      InvSubBytes(state)
      AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
      InvMixColumns(state)
   end for
   InvShiftRows(state)
   InvSubBytes(state)
   AddRoundKey(state, w[0, Nb-1])
   out = state
end
The AES Inverse Cipher
The decryption algorithm uses the expanded key in reverse order
All functions are easily reversible and their inverse form is used in decryption
The decryption algorithm is not identical to the encryption algorithm
Again, the final round consists of only three stages