Network Security
Advanced Encryption Standard (AES)
Session : 10
Advanced Encryption Standard (AES)
• Published by the National Institute of Standards and Technology in 2001
• AES is a symmetric block cipher intended to replace DES
• Key requirements
  • Security: 128 bit key to resist cryptanalysis and brute-force attacks
  • Cost: Good computational efficiency and storage requirements for different implementations in hardware, software and smart cards
  • Implementation: The algorithm must have the flexibility and simplicity to be implemented on any platform
• AES uses a variant of the Rijndael algorithm
AES Basics
• Encrypts and decrypts using a data block of 128 bits
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
• Relationship between rounds and key size
  • 10 rounds: 128 bit
  • 12 rounds: 192 bit
  • 14 rounds: 256 bit
• Round keys are always 128 bits
AES Outline
• Encrypts and decrypts using a data block of 128 bits
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
AES Data units
• Bit: Binary digit with a value of 0 or 1
• Byte: Group of 8 bits which can be treated as a single entity, i.e. a row matrix (1x8) or a column matrix (8x1)
• Word: Group of 32 bits or 4 bytes which can be treated as a single entity, i.e. a row/column matrix of 4 bytes
• Block: Group of 128 bits, i.e. a row matrix of 16 bytes
AES State
• The state is constructed column-wise (top to bottom, left to right) using the bits of the block (left to right)
• The block is constructed using bits from the state column-wise (top to bottom, left to right)
Structure of a round
• Encrypts and decrypts using a data block of 128 bits
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
SubByte transformation
• A byte is interpreted as a hexadecimal digit
• The transformation involves 16 independent byte-to-byte transformations
Sub Byte transformation table
• A byte is interpreted as a hexadecimal digit
• The transformation involves 16 independent byte-to-byte transformations
InvSub Byte transformation table
• A byte is interpreted as a hexadecimal digit
• The transformation involves 16 independent byte-to-byte transformations
Sub Byte transformation example
• If two bytes have the same value, their transformations have the same value
• InvSub Byte results in the original text
Permutation – Shift rows
Permutation – Shift rows - example
Mix columns
• Mixing provides an interbyte transformation that changes the bits inside a byte using bits from neighbouring bytes
• Bytes are mixed to provide diffusion at the bit level
• The mix columns transformation operates at the column level
• Each column of the state is transformed to a new column using a constant matrix
Mix columns
[Figure: Mixing bytes using matrix multiplication; constant matrix used for mixing]
• Mixing provides an interbyte transformation that changes the bits inside a byte using bits from neighbouring bytes
• Bytes are mixed to provide diffusion at the bit level
• The mix columns transformation operates at the column level
• Each column of the state is transformed to a new column using a constant matrix
Mix columns - example
Add round key transformation
Key expansion – AES128
• The first 4 words are made from the cipher key, four bytes per word
• Rest of the words ($w_i$ for $i = 4$ to $43$):
  • If $i \bmod 4 \neq 0$: $w_i = w_{i-1} \oplus w_{i-4}$
  • If $i \bmod 4 = 0$: $w_i = t_i \oplus w_{i-4}$
• $t_i$ is a temporary word derived by applying two functions, RotWord and SubWord, to $w_{i-1}$ and XORing the result with a round constant Rcon
Key expansion – temporary word
• RotWord (rotate word): circularly shifts the bytes in the word left by 1
• SubWord (substitute word): similar to the SubByte transformation; takes each byte of the word and substitutes it using the same S-box
$t_i = \mathrm{SubWord}(\mathrm{RotWord}(w_{i-1})) \oplus \mathrm{Rcon}_{i/4}$
• Round Constant: a 4 byte value in which the rightmost 3 bytes are always zero. The values for AES128 are as under:
  • Round 1: 01 00 00 00
  • Round 2: 02 00 00 00
  • Round 3: 04 00 00 00
  • Round 4: 08 00 00 00
  • Round 5: 10 00 00 00
  • Round 6: 20 00 00 00
  • Round 7: 40 00 00 00
  • Round 8: 80 00 00 00
  • Round 9: 1B 00 00 00
  • Round 10: 36 00 00 00
Key expansion – AES192 & AES256
The algorithm is similar except for the following differences
• AES192: The words are generated in groups of 6 instead of 4
  • The cipher key creates the first 6 words ($w_0$ to $w_5$)
  • If $i \bmod 6 \neq 0$, $w_i = w_{i-1} \oplus w_{i-6}$; otherwise $w_i = t_i \oplus w_{i-6}$
AES Structure
AES128, AES192, AES256 algorithm
• Input block of 128 bits is converted into a 4x4 matrix of bytes and copied into a State array
[Figure: plaintext of 16 bytes (128 bits) and key of M bytes; initial transformation; state after initial transformation (16 bytes); Round 1 (4 transformations) with Round 1 key (16 bytes) from key expansion]
as input and produces a 4 × 4 matrix as output. Figure 5.1 shows that the output of
each round is a 4 × 4 matrix, with the output of the final round being the ciphertext.
Input, State Array, Output & Key Expansion
in0  in4  in8   in12      s0,0 s0,1 s0,2 s0,3      s0,0 s0,1 s0,2 s0,3      out0 out4 out8  out12
in1  in5  in9   in13  ->  s1,0 s1,1 s1,2 s1,3  ->  s1,0 s1,1 s1,2 s1,3  ->  out1 out5 out9  out13
in2  in6  in10  in14      s2,0 s2,1 s2,2 s2,3      s2,0 s2,1 s2,2 s2,3      out2 out6 out10 out14
in3  in7  in11  in15      s3,0 s3,1 s3,2 s3,3      s3,0 s3,1 s3,2 s3,3      out3 out7 out11 out15
k0  k4  k8   k12
k1  k5  k9   k13  ->  w0 w1 w2 ... w42 w43
k2  k6  k10  k14
k3  k7  k11  k15
(b) Key and expanded key
Figure: AES Data Structures
Table: AES Parameters
Key Size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext Block Size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of Rounds                          10         12         14
Round Key Size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded Key Size (words/bytes)           44/176     52/208     60/240
• Each round has 4 different stages: one permutation and 3 substitutions
• Substitute Bytes: Uses an S-box to perform a byte-by-byte substitution of the block
• Shift Rows: A simple permutation
• In both encryption and decryption the final round uses only 3 stages: Substitute Byte, Shift Rows and Add Round Key.
[Figure: AES encryption and decryption. Labels: Key (16 bytes), Expand key, Plaintext (16 bytes), Add round key w[0, 3], Substitute bytes, Shift rows, Mix columns, Add round key w[36, 39], Inverse sub bytes, Inverse shift rows, Inverse mix cols, Round 1, Round 9, Round 10, Ciphertext (16 bytes)]
of the block (the other three stages), followed by XOR encryption, and so on.
This scheme is both efficient and highly secure.
is mapped into the value {2A}.
Shift rows example (state before and after):
87 F2 4D 97      87 F2 4D 97
EC 6E 4C 90  ->  6E 4C 90 EC
4A C3 46 E7      46 E7 4A C3
8C D8 95 A6      A6 8C D8 95
Mix Column Transformation
transformation can be defined by the following matrix multiplication on State (Figure 5.7b):
Each element in the product matrix is the sum of products of elements of one row and one column. In this case, the individual additions and multiplications are
finite field GF(2^8) and ⊕ to indicate bitwise XOR, which corresponds to addition in GF(2^8).
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column
• The transformation uses the matrix multiplication defined above
plication by these coefficients involves at most a shift and an XOR. The coefficients
47 40 A3 4C      AC 19 28 57      EB 59 8B 1B
37 D4 70 9F  ⊕   77 FA D1 5C  =   40 2E A1 C3
94 E4 3A 42      66 DC 29 00      F2 38 13 42
ED A5 A6 BC      F3 21 41 6A      1E 84 E7 D6
The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add
round key transformation, because the XOR operation is its own inverse.
RATIONALE The add round key transformation is as simple as possible and affects
every bit of State. The complexity of the round key expansion, plus the complexity
of the other stages of AES, ensure security.
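The ShiftRows, MixColumns and AddRoundKey steps described above can be checked against the example matrices printed on this page. The Python below is an added example, not part of the original slides; the function names are this example's own, and multiplication by 02 and 03 is done with a shift and a conditional XOR, as the text says.

```python
# Added illustration (not from the slides): ShiftRows, MixColumns and
# AddRoundKey on the page's example matrices. state[r][c] = row r, column c.

def xtime(b):
    b <<= 1                                   # multiply by {02} in GF(2^8)
    return (b ^ 0x11B) if b & 0x100 else b    # reduce by x^8+x^4+x^3+x+1

def mul(coef, b):
    # The MixColumns matrix only holds 01, 02 and 03: {03}.b = {02}.b XOR b.
    return b if coef == 1 else xtime(b) ^ (b if coef == 3 else 0)

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def parse(rows):
    return [[int(h, 16) for h in row.split()] for row in rows]

def fmt(state):
    return [" ".join(f"{b:02X}" for b in row) for row in state]

def shift_rows(state):
    # Row r is rotated left by r bytes; row 0 is unchanged.
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state):
    # New column = MIX x old column, with XOR as the addition.
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= mul(MIX[r][k], state[k][c])
    return out

def add_round_key(state, key):
    # Bytewise XOR; applying the same key again undoes it.
    return [[s ^ k for s, k in zip(sr, kr)] for sr, kr in zip(state, key)]

# Matrices as printed on the page: state before ShiftRows, and the round key.
STATE = parse(["87 F2 4D 97", "EC 6E 4C 90", "4A C3 46 E7", "8C D8 95 A6"])
ROUND_KEY = parse(["AC 19 28 57", "77 FA D1 5C", "66 DC 29 00", "F3 21 41 6A"])

def run_round(state=STATE, key=ROUND_KEY):
    shifted = shift_rows(state)
    mixed = mix_columns(shifted)
    return shifted, mixed, add_round_key(mixed, key)

if __name__ == "__main__":
    for name, st in zip(("ShiftRows", "MixColumns", "AddRoundKey"), run_round()):
        print(name, fmt(st))
```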
Inputs for Single Round of AES
[Figure 5.8 Inputs for Single AES Round: the state matrix at the beginning of the round passes through SubBytes, ShiftRows, MixColumns and AddRoundKey to give the state matrix at the end of the round. Constant inputs: the S-box and the MixColumns matrix. Variable input: the round key.]
MixColumns matrix:
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
AES Key Expansion
• Takes a four word (16 byte, 128 bit) key as input and produces a linear array of 44 words
• This provides a 4 word round key for the initial Add Round Key stage and for each of the 10 rounds of the cipher
• In the expanded key, the first 4 words are copied from the given key. The remainder of the expanded key is filled 4 words at a time.
• Each added word W(i) depends on the immediately preceding word W(i-1) and the word four positions back, W(i-4)
• For 3 out of four words a simple XOR is used
• For a word whose position is a multiple of 4, a complex function is used
  • RotWord: performs a one byte circular left shift on the word
  • SubWord: byte substitution on each byte of the word using the S-box
  • The result of RotWord and SubWord is XORed with a round constant (a word with the three rightmost bytes as 0), so the XOR is only performed on the leftmost byte
• The round constant is different for each round
• Rcon[j] = (RC[j], 0, 0, 0)
• RC[1] = 1, RC[j] = 2 * RC[j-1], with multiplication defined over the field GF(2^8)
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box (Table 5.2a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
The round constant is a word in which the three rightmost bytes are always 0. Thus, the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j-1] and with multiplication defined over the field GF(2^8). The values of RC[j] in hexadecimal are
j      1  2  3  4  5  6  7  8  9  10
RC[j]  01 02 04 08 10 20 40 80 1B 36
EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
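An added Python example (not from the slides) of the AES-128 key expansion described above, with RotWord, SubWord and the round constant applied to every fourth word. The S-box is computed from its definition (inverse in GF(2^8), then the affine transform) rather than pasted as a table; the helper names are this example's own, and the sample key is the one from FIPS-197 Appendix A.1.

```python
# Added illustration (not from the slides): AES-128 key expansion.

def xtime(b):
    b <<= 1                                   # multiply by 2 in GF(2^8)
    return (b ^ 0x11B) if b & 0x100 else b

def build_sbox():
    exp, p = [], 1
    for _ in range(255):                      # powers of the generator {03}
        exp.append(p)
        p ^= xtime(p)
    sbox = [0x63] * 256                       # {00} has no inverse: S(00) = 63
    for k, a in enumerate(exp):
        inv = exp[(255 - k) % 255]            # a = 3^k, so 1/a = 3^(255-k)
        x = inv
        for n in range(1, 5):                 # affine step: XOR of 4 rotations
            x ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox[a] = x ^ 0x63
    return sbox

SBOX = build_sbox()

def rot_word(w):
    return w[1:] + w[:1]                      # [B0,B1,B2,B3] -> [B1,B2,B3,B0]

def sub_word(w):
    return bytes(SBOX[b] for b in w)

def xor_words(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc_values(n=10):
    rc = [1]                                  # RC[1] = 1, RC[j] = 2 * RC[j-1]
    while len(rc) < n:
        rc.append(xtime(rc[-1]))
    return rc

def expand_key_128(key):
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    rc = rc_values()
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                        # every fourth word: the complex function
            t = xor_words(sub_word(rot_word(t)), bytes([rc[i // 4 - 1], 0, 0, 0]))
        w.append(xor_words(w[i - 4], t))
    return w

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 key
```

`expand_key_128(FIPS_KEY)` returns the 44 words as 4-byte values; `rc_values()` reproduces the RC[j] table above.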
Implementation of AES
• AES encryption and decryption are not similar
• The sequence of transformations for decryption differs from that of encryption
• Encryption has SubByte, ShiftRows, MixColumns and AddRoundKey
• Decryption has InvShiftRows, InvSubByte, InvAddRoundKey, InvMixColumns
• For decryption the order of the first two transformations needs to be interchanged and the order of the last two transformations needs to be interchanged