The Advanced Encryption
Standard (AES)
Conception - Why A New Cipher?
DES had outlived its usefulness:
Vulnerabilities were becoming known
The 56-bit key was too small
It was too slow in software implementations
NIST wanted increased trust in the cipher:
Previous selection processes had been very closed
DES was suspected of having 'back doors'
Conception - The Process
January 2, 1997 - NIST announces the need for a DES successor and asks for input from interested parties
September 12, 1997 - Call for new algorithms
Requirements:
Publicly defined, publicly available
Variable-length key, symmetric block cipher
Implementable in both hardware and software
Judgement criteria:
Security
Computational efficiency, memory requirements
Hardware/software suitability
Simplicity, flexibility
Licensing requirements
Conception - The Process
15 ciphers submitted, 5 finalists:
MARS - IBM
RC6 - RSA Laboratories
Rijndael - Daemen and Rijmen
Serpent - Anderson, Biham, Knudsen
Twofish - Schneier, Kelsey, Whiting, (and others)
Final winner: Rijndael
The Cipher
The Cipher - Background Math
The mathematics needed to understand AES looks and sounds very complicated - don't worry, it isn't.
Fields
A set of values on which addition, subtraction, multiplication and division (by anything non-zero) are all defined
The real numbers and the rational numbers are fields; other fields exist, and can be defined
Finite Fields
A field with a finite number of elements (unlike the reals)
Modular arithmetic is the familiar example: 9 ≡ 14 ≡ 24 ≡ 4 (mod 5)
This works on the integers, and the same idea carries over to other groups and fields
The Cipher - Background Math
Rijndael's Finite Field
A characteristic-2 finite field with 2^8 elements: each element is a polynomial of degree less than 8 with coefficients in GF(2), i.e. a string of 8 bits (one byte)
The Galois field GF(2^8)
Addition is done with the XOR operator (in characteristic 2, subtraction is the same operation)
Multiplication is polynomial multiplication, reduced modulo the reducing polynomial m(x) = x^8 + x^4 + x^3 + x + 1 (irreducible over GF(2), which is what makes the result a field)
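A worked multiplication in GF(2^8), added here as an illustration (not on the original slides; the operands {57} and {83} are the pair FIPS 197 uses in its own example). Bytes are read as polynomials, multiplied, then reduced by subtracting multiples of m(x) = x^8 + x^4 + x^3 + x + 1 until the degree drops below 8:

\[
\begin{aligned}
\{57\} &= x^6+x^4+x^2+x+1, \qquad \{83\} = x^7+x+1 \\
\{57\} \oplus \{83\} &= x^7+x^6+x^4+x^2 = \{d4\} \\
\{57\} \cdot \{83\} &= x^{13}+x^{11}+x^9+x^8+x^6+x^5+x^4+x^3+1 \\
&= x^5\,m(x) + x^{11}+x^4+x^3+1 \\
&= (x^5+x^3)\,m(x) + x^7+x^6+1 \\
&\equiv x^7+x^6+1 = \{c1\} \pmod{m(x)}
\end{aligned}
\]

Note that every subtraction is an XOR, so x^5 m(x) simply cancels the x^13, x^9, x^8, x^6 and x^5 terms in one step; an implementation does the same thing one bit at a time ("xtime": shift left, and XOR with {1b} whenever a bit spills past x^7).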
The Cipher - Background Math
A Higher-Level Structure: Polynomials with Coefficients in GF(2^8)
a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0, where each a_i is a byte, i.e. an element of GF(2^8)
Addition:
a(x) + b(x) = (a_3 ⊕ b_3) x^3 + (a_2 ⊕ b_2) x^2 + (a_1 ⊕ b_1) x + (a_0 ⊕ b_0)
Multiplication:
Same as multiplying two polynomials, with the coefficient arithmetic done in GF(2^8)
The product is reduced to degree less than 4 using mod x^4 + 1
Note: x^4 + 1 is not irreducible (over a characteristic-2 field it equals (x + 1)^4), so this structure is a ring, not a field; AES only ever multiplies by a fixed polynomial chosen to be coprime to x^4 + 1, so that particular multiplication is still invertible
For a fixed polynomial, multiplication turns into a matrix-vector multiplication
The Cipher
That's it. That's all the Math you need to know. You made it.
The Cipher
The Cipher - SubBytes
AES uses a single S-box
It performs a non-linear byte substitution which is invertible
For each byte of input, {XY}:
1. Let {AB} := the multiplicative inverse of {XY} in GF(2^8) (with {00} mapping to itself)
2. Let {XY}' := an affine transform (over GF(2)) of {AB}
Examples: {A8} => {C2}, {21} => {FD}, {27} => {CC}, {CF} => {8A}
The Cipher - ShiftRows
Cyclic shift of the rows of the state: row r is rotated left by r bytes (row 0 is unchanged)
The Cipher - MixColumns
Treats each column of the state as a four-term polynomial with coefficients in GF(2^8)
Multiplies each column by a fixed polynomial modulo x^4 + 1, returning a new column
a(x) = {03}x^3 + {01}x^2 + {01}x + {02}
The Cipher - AddRoundKey
The key expansion takes a cipher key K and makes 4*(Nr+1) 32-bit words w[0..4*(Nr+1)-1], where Nr = number of rounds
AddRoundKey takes the state (4 words) and the next 4 words of the key schedule, and returns a new state
For each column i in round l, return Col_i ⊕ w[4*l + i], where l = round number (0 for the initial AddRoundKey) and i = column number
The Cipher - Key Expansion
Given the initial key (size 128, 192 or 256 bits) and the number of rounds Nr, generates 4*(Nr+1) 32-bit words
Uses the SubWord function (applies the S-box to each of the 4 bytes of a word)
Uses the RotWord function (cyclically rotates the 4 bytes of a word by one position)
The first Nk words (4, 6 or 8, depending on key size) are the cipher key itself
Later words are generated from the earlier ones using these functions and a round constant
The Cipher - Inversion
Each sub-function of the cipher is invertible, so decryption applies the inverse steps in reverse order
SubBytes: invert the affine transform, then take the multiplicative inverse of the result in GF(2^8)
ShiftRows: rotate the rows by the same amounts in the opposite direction
MixColumns: multiply each column by the inverse matrix
AddRoundKey: apply AddRoundKey again with the same round key (XOR is its own inverse)
The Cipher
Example Encryption
For simplicity's sake, we run a reduced-round AES-128: an initial AddRoundKey, one full round, and the final round (full AES-128 has 10 rounds)
Block: 4422 6f44 7a7d 337d 3973 332c 5dae 2763
Key: 2b7e 1516 28ae d2a6 abf7 1588 09cf 4f3c
Key Schedule (three round keys of 4 words each):
2b7e1516 28aed2a6 abf71588 09cf4f3c
a0fafe17 88542cb1 23a33939 2a6c7605
f2c295f2 7a96b943 5935807a 7359f67f
Example Encryption
Initial state: {4422 6f44 7a7d 337d 3973 332c 5dae 2763}
Initial round: AddRoundKey with round key 0 (the intermediate state matrices shown on the slides are not reproduced here)
Round 1 (full AES-128 has 9 rounds of this form): SubBytes, ShiftRows, MixColumns, AddRoundKey with round key 1
Final round: SubBytes, ShiftRows, (skip MixColumns), AddRoundKey with round key 2
Final output: {DFFD 649C 65A2 C8A2 66B1 8B18 184A 6FBB}
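The primitives from the preceding slides (GF(2^8) arithmetic, the S-box built from inverse plus affine map, ShiftRows, MixColumns, key expansion and AddRoundKey), assembled into a complete AES-128 encryption. This is an added example written for this page, not code from the original slides or from FIPS 197; the round count is a parameter so the reduced-round walkthrough above (nr=2: initial AddRoundKey, one full round, one final round) can be re-run, while the default nr=10 is checked against the published FIPS 197 test vectors. The state layout (column-major, state[r + 4*c]) and the helper names are this example's own choices.

```python
"""AES-128 encryption assembled from the slide primitives (added example)."""

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, as a 9-bit integer


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8): shift-and-add, reducing by m(x)
    whenever a product bit lands on x^8 (the 'xtime' step of FIPS 197)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= M_X
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: the 255 nonzero elements form a cyclic group,
    so a^-1 = a^254.  Returns 0 for 0, as FIPS 197 specifies."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox_entry(x: int) -> int:
    """SubBytes on one byte: GF(2^8) inverse, then the affine map
    b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, c = {63}."""
    b = gf_inv(x)
    s = b
    for k in range(1, 5):  # rotl by 1..4 == rotr by 7..4: the b_(i+4..i+7) terms
        s ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return s ^ 0x63


SBOX = [sbox_entry(i) for i in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

# State: a 16-byte list in FIPS 197 column-major order, state[r + 4*c].


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r bytes: s'[r][c] = s[r][(c + r) mod 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Multiply each column by a(x) = {03}x^3 + {01}x^2 + {01}x + {02}
    modulo x^4 + 1, i.e. the circulant matrix MIX times the column."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in MIX:
            v = 0
            for m, b in zip(row, col):
                v ^= gf_mul(m, b)
            out.append(v)
    return out


def key_expansion(key: bytes, nr: int = 10):
    """Expand a 128-bit key into 4*(nr+1) words (lists of 4 bytes).
    Every 4th word first gets RotWord, SubWord and a round constant."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]          # RotWord
            t = [SBOX[b] for b in t]   # SubWord
            t[0] ^= RCON[i // 4 - 1]   # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w


def add_round_key(s, w, rnd):
    """XOR column c of the state with key-schedule word w[4*rnd + c]."""
    return [s[r + 4 * c] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]


def aes128_encrypt(key: bytes, block: bytes, nr: int = 10) -> bytes:
    """Initial AddRoundKey, nr-1 full rounds, then a final round without MixColumns."""
    w = key_expansion(key, nr)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, nr)
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    # The slides' reduced-round walkthrough: compare with the final output above.
    print(aes128_encrypt(key, bytes.fromhex("44226f447a7d337d3973332c5dae2763"), nr=2).hex())
    # FIPS 197 Appendix B vector for the full 10-round cipher.
    print(aes128_encrypt(key, bytes.fromhex("3243f6a8885a308d313198a2e0370734")).hex())
```

The S-box is generated rather than pasted as a 256-entry table, which is the cleanest way to confirm the "inverse then affine map" description: the four S-box outputs quoted on the SubBytes slide and the {53} => {ed} example from FIPS 197 all fall out of `sbox_entry`. Generating the key schedule reproduces the three round keys printed on the example slide, and the same `key_expansion` with nr=10 reproduces the full FIPS 197 Appendix A schedule. Note that this straightforward table-driven code is exactly the style the later slide on cache-timing attacks warns about; it is for understanding the cipher, not for protecting keys.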
Security of AES
"I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."
-Bruce Schneier
Some related-key attacks exist on the 192-bit and 256-bit versions, and on reduced-round versions
The attacks are better than exhaustive search, but are still entirely infeasible for real-world applications
256-bit version in 2^117 time, 192-bit version in 2^119 time
Related-key attacks require the attacker to obtain encryptions of plaintext under more than one key, with the keys related in a way the attacker knows, which real protocols rarely allow
Even the best mathematical attacks are still not usable against full-round AES-128, AES-192 or AES-256
Security of AES
Certain side-channel attacks exist for specific implementations of AES
These do not exploit the cryptography of the cipher itself, but instead attack how specific implementations behave (timing, cache usage)
Ex: Bernstein's cache-timing attack recovered an AES key from a network server whose OpenSSL build indexed lookup tables with secret-dependent values
Usually these attacks require the ability to run code on the victim machine, or very precise timing measurements of a service it runs
Mitigation: constant-time implementations (bitsliced code or hardware AES instructions) avoid key-dependent table lookups and branches
Very strong features are built in to resist the linear and differential cryptanalysis developed against DES
Use of finite-field inversion in the S-box construction makes linear and differential attacks difficult
MixColumns ensures that there are no "narrow" paths through only a few S-boxes, again defeating linear and differential attacks
References
1. Federal Information Processing Standards Publication 197, November 26, 2001 - Advanced Encryption Standard (AES)
2. "AES Announced", Bruce Schneier, Crypto-Gram Newsletter, Oct 15, 2000. http://www.schneier.com/crypto-gram-0010.html#8
3. "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", Biryukov, Dunkelman, Keller, Khovratovich, Shamir. Cryptology ePrint Archive: Report 2009/374. http://eprint.iacr.org/2009/374
4. "Cache-timing attacks on AES", Daniel J. Bernstein, University of Illinois at Chicago. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
5. Stinson, Douglas. Cryptography: Theory and Practice. 3rd ed. Boca Raton, FL: Chapman & Hall/CRC, 2006.