Advanced Encryption Standard
Lars R. Knudsen
June 2014
L.R. Knudsen Advanced Encryption Standard AES - Advanced Encryption Standard
US governmental encryption standard
Open (world) competition announced January 97
Blocks: 128 bits
Keys: choice of 128-bit, 192-bit, and 256-bit keys
October 2000: AES=Rijndael
Standard: FIPS 197, November 2001
L.R. Knudsen Advanced Encryption Standard AES=Rijndael
Designed by Joan Daemen and Vincent Rijmen
Simple design, byte-oriented
Operations: XOR and table lookup
S-box, substitutes a byte by a byte
Rounds 10 12 14 Key size 128 192 256
Focus on 128-bit key version with 10 iterations
L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) - AES
In AES the finite field GF (28) is determined by irreducible polynomial m(x)=x8 + x4 + x3 + x + 1
Elements of GF (28) are all polynomials of degree less than eight and with coefficients in GF (2) 1-to-1 correspondence between 8-bit vectors and elements in GF (28): 7 i finite field element p(x)= i=0 bi x .
8-bit vector v =(b7, b6, b5,Pb4, b3, b2, b1, b0)
L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) (cont.)
7 i Compute p(x) times q(x),wherep(x)= i=0 bi x , q(x)= 7 c xi : i=0 i P Do straightforward multiplication of polynomials p(x) q(x); P · Reduce result modulo m(x).
Example Compute x6 + x4 + x2 + x + 1 times x7 + x + 1 (x6 + x4 + x2 + x + 1)(x7 + x + 1)= x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1
x13+x11+x9+x8+x6+x5+x4+x3+1modx8+x4+x3+x+1 = x7 + x6 + 1 Alternative representation: 57 83 = c1 (hex notation) x ⇥ x x
L.R. Knudsen Advanced Encryption Standard Multiplication by x in GF(256)
7 i 8 Find the product r(x) of p(x)= i=0 bi x and x in GF (2 ): 7 i+1 Compute p(x) x = biPx · i=0 If b = 0, r(x)=p(xP) x 7 · If b = 1, r(x)=p(x) x mod m(x)=p(x) x + m(x) 7 · · Example (x7 + x6 + x5 + x4 + x2) x = x8 + x7 + x6 + x5 + x3 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1
result is x7 + x6 + x5 + x4 + x + 1
Hex notation: f 4 02 = f 3 x ⇥ x x
L.R. Knudsen Advanced Encryption Standard Multiplication by x+1 in GF(256)
7 i 8 Find the product r(x) of p(x)= i=0 bi x and x + 1 in GF (2 ): 7 i i+1 Compute (p(x) x)+p(x)=P bi (x + x ) · i=0 If b = 0, r(x)=p(x) x + p(Px) 7 · If b7 = 1, r(x)=(p(x) x)+p(x) mod m(x)=p(x) x + p(x)+m(x) · · Example (x7 + x6 + x5 + x4 + x2) (x + 1) = x8 + x4 + x3 + x2 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1
result is x2 + x + 1
Hex notation: f 4 03 = 07 x ⇥ x x
L.R. Knudsen Advanced Encryption Standard AES - iterated cipher, key schedule
Input: user selected key of 128 bits
Output: 11 round keys k0, k1, k2,...,k10
p = c0 plaintext
ci = F (ki , ci 1)
c10 ciphertext Details of key-schedule are self-study
L.R. Knudsen Advanced Encryption Standard AES round tranformation
Arrange the 16 input bytes in a 4 4 matrix ⇥
Subfunctions 1 SubBytes (byte substitution via S-box)
2 ShiftRows
3 MixColumns
4 AddRoundKey
L.R. Knudsen Advanced Encryption Standard SubBytes
- S
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
S-box S is the S-box (invertible) One S-box for the whole cipher (simplicity)
L.R. Knudsen Advanced Encryption Standard ShiftRows
a b c d a b c d e f g h - f g h e i j k l - k l i j m n o p - p m n o
Rows shifted over different offsets: 0,1,2, and 3
L.R. Knudsen Advanced Encryption Standard MixColumns
- mix four bytes
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
Each of four bi,j in a column depends on all four ai,j from same column
L.R. Knudsen Advanced Encryption Standard AddRoundKey (bit-wise XOR)
a0,0 a0,1 a0,2 a0,3 k0,0 k0,1 k0,2 k0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 k1,0 k1,1 k1,2 k1,3 b1,0 b1,1 b1,2 b1,3 = a2,0 a2,1 a2,2 a2,3 k2,0 k2,1 k2,2 k2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 k3,0 k3,1 k3,2 k3,3 b3,0 b3,1 b3,2 b3,3
b = a k i,j i,j i,j
L.R. Knudsen Advanced Encryption Standard AES - 10-round version
Arrange the 16 input bytes in a 4 4 matrix ⇥ AddRoundKey Do nine times SubBytes (byte substitution via S-box) ShiftRows MixColumns AddRoundKey
SubBytes
ShiftRows
AddRoundKey
L.R. Knudsen Advanced Encryption Standard SubBytes
Input a,outputb,bothbytes
Let f (x)=x 1 in GF (28)/ 0 and f (0)=0 { } Then b = A(f (a)),whereA is affine mapping over GF (2). With t = f (a)=(t7, t6,...,t1, t0) output is:
1 0 0 0 1 1 1 1 t0 1 1 1 0 0 0 1 1 1 t1 1 2 3 2 3 2 3 1 1 1 0 0 0 1 1 t2 0 6 1 1 1 1 0 0 0 1 7 6 t 7 6 0 7 6 7 6 3 7 6 7 6 1 1 1 1 1 0 0 0 7 6 t 7 6 0 7 6 7 6 4 7 6 7 6 0 1 1 1 1 1 0 0 7 6 t 7 6 1 7 6 7 6 5 7 6 7 6 7 6 t 7 6 7 6 0 0 1 1 1 1 1 0 7 6 6 7 6 1 7 6 7 6 t 7 6 7 6 0 0 0 1 1 1 1 1 7 6 7 7 6 0 7 4 5 4 5 4 5
L.R. Knudsen Advanced Encryption Standard MixColumns 2 3 1 1 1 2 3 1 - 2 3 1 1 2 3 ⇥ 6 3 1 1 2 7 a a a a 6 7 0,0 0,1 0,2 0,3 4 5 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
Bytes in columns are combined linearly
b = 2 a + 3 a + 1 a + 1 a 0,2 { }⇥ 0,2 { }⇥ 1,2 { }⇥ 2,2 { }⇥ 3,2
Multiplication is over GF(28)
L.R. Knudsen Advanced Encryption Standard Diffusion in AES
Shift Mix - - Rows Col.
Shift Mix - - Rows Col.
L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes
Consider SP-networks like AES, where a round consists of key addition S-box layer linear layer (linear mapping)
Definition In a differential characteristic an S-box is active if the inputs to the S-box are assumed to be different.
Fact (or assumption) The transition of differences is deterministic through the key additions and linear layers.
is non-deterministic through the S-box layers.
L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes (2)
Max probability
Let pmax be the maximum probability for a non-trivial characteristic for the S-boxes.
Active S-boxes Let d be the minimum number of active S-boxes in an r-round characteristic.
Bound d Then pmax is an upper bound of any r-round characteristic.
L.R. Knudsen Advanced Encryption Standard AES and Wide-Trail
The AES design uses the wide-trail strategy: Theorem Any differential/linear characteristic over 4 rounds of AES has at least 25 active Sboxes.
AES has 10 (or more) rounds Together with the good Sbox: More than enough.
L.R. Knudsen Advanced Encryption Standard 2Rounds
S S S S
Linear Layer L
S S S S
Aim Give a bound on the number of active Sboxes in a differential characteristic. We assume S and L are bijective. L linear, so L(x y)=L(x) L(y). No further assumptions on S
L.R. Knudsen Advanced Encryption Standard 2Rounds
S S S S
Linear Layer L
S S S S
Aim Give an lower bound on the number of active Sboxes in a differential characteristic. Trivial bounds: Lower Bound for the lower bound: 2 Upper Bound for the lower bound: #sboxes + 1 (here 5).
L.R. Knudsen Advanced Encryption Standard 2Rounds
Picture with differences: