Advanced Encryption Standard Lars R. Knudsen June 2014 L.R. Knudsen Advanced Encryption Standard AES - Advanced Encryption Standard US governmental encryption standard Open (world) competition announced January 97 Blocks: 128 bits Keys: choice of 128-bit, 192-bit, and 256-bit keys October 2000: AES=Rijndael Standard: FIPS 197, November 2001 L.R. Knudsen Advanced Encryption Standard AES=Rijndael Designed by Joan Daemen and Vincent Rijmen Simple design, byte-oriented Operations: XOR and table lookup S-box, substitutes a byte by a byte Rounds 10 12 14 Key size 128 192 256 Focus on 128-bit key version with 10 iterations L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) - AES In AES the finite field GF (28) is determined by irreducible polynomial m(x)=x8 + x4 + x3 + x + 1 Elements of GF (28) are all polynomials of degree less than eight and with coefficients in GF (2) 1-to-1 correspondence between 8-bit vectors and elements in GF (28): 7 i finite field element p(x)= i=0 bi x . 8-bit vector v =(b7, b6, b5,Pb4, b3, b2, b1, b0) L.R. Knudsen Advanced Encryption Standard Multiplication in GF(256) (cont.) 7 i Compute p(x) times q(x),wherep(x)= i=0 bi x , q(x)= 7 c xi : i=0 i P Do straightforward multiplication of polynomials p(x) q(x); P · Reduce result modulo m(x). Example Compute x6 + x4 + x2 + x + 1 times x7 + x + 1 (x6 + x4 + x2 + x + 1)(x7 + x + 1)= x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1 x13+x11+x9+x8+x6+x5+x4+x3+1modx8+x4+x3+x+1 = x7 + x6 + 1 Alternative representation: 57 83 = c1 (hex notation) x ⇥ x x L.R. Knudsen Advanced Encryption Standard Multiplication by x in GF(256) 7 i 8 Find the product r(x) of p(x)= i=0 bi x and x in GF (2 ): 7 i+1 Compute p(x) x = biPx · i=0 If b = 0, r(x)=p(xP) x 7 · If b = 1, r(x)=p(x) x mod m(x)=p(x) x + m(x) 7 · · Example (x7 + x6 + x5 + x4 + x2) x = x8 + x7 + x6 + x5 + x3 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1 result is x7 + x6 + x5 + x4 + x + 1 Hex notation: f 4 02 = f 3 x ⇥ x x L.R. Knudsen Advanced Encryption Standard Multiplication by x+1 in GF(256) 7 i 8 Find the product r(x) of p(x)= i=0 bi x and x + 1 in GF (2 ): 7 i i+1 Compute (p(x) x)+p(x)=P bi (x + x ) · i=0 If b = 0, r(x)=p(x) x + p(Px) 7 · If b7 = 1, r(x)=(p(x) x)+p(x) mod m(x)=p(x) x + p(x)+m(x) · · Example (x7 + x6 + x5 + x4 + x2) (x + 1) = x8 + x4 + x3 + x2 ⇥ reduce modulo m(x)=x8 + x4 + x3 + x + 1 result is x2 + x + 1 Hex notation: f 4 03 = 07 x ⇥ x x L.R. Knudsen Advanced Encryption Standard AES - iterated cipher, key schedule Input: user selected key of 128 bits Output: 11 round keys k0, k1, k2,...,k10 p = c0 plaintext ci = F (ki , ci 1) − c10 ciphertext Details of key-schedule are self-study L.R. Knudsen Advanced Encryption Standard AES round tranformation Arrange the 16 input bytes in a 4 4 matrix ⇥ Subfunctions 1 SubBytes (byte substitution via S-box) 2 ShiftRows 3 MixColumns 4 AddRoundKey L.R. Knudsen Advanced Encryption Standard SubBytes - S a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 S-box S is the S-box (invertible) One S-box for the whole cipher (simplicity) L.R. Knudsen Advanced Encryption Standard ShiftRows a b c d a b c d e f g h - f g h e i j k l - k l i j m n o p - p m n o Rows shifted over different offsets: 0,1,2, and 3 L.R. Knudsen Advanced Encryption Standard MixColumns - mix four bytes a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 Each of four bi,j in a column depends on all four ai,j from same column L.R. Knudsen Advanced Encryption Standard AddRoundKey (bit-wise XOR) a0,0 a0,1 a0,2 a0,3 k0,0 k0,1 k0,2 k0,3 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 k1,0 k1,1 k1,2 k1,3 b1,0 b1,1 b1,2 b1,3 = a2,0 a2,1 a2,2 a2,3 ⊕ k2,0 k2,1 k2,2 k2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 k3,0 k3,1 k3,2 k3,3 b3,0 b3,1 b3,2 b3,3 b = a k i,j i,j ⊕ i,j L.R. Knudsen Advanced Encryption Standard AES - 10-round version Arrange the 16 input bytes in a 4 4 matrix ⇥ AddRoundKey Do nine times SubBytes (byte substitution via S-box) ShiftRows MixColumns AddRoundKey SubBytes ShiftRows AddRoundKey L.R. Knudsen Advanced Encryption Standard SubBytes Input a,outputb,bothbytes Let f (x)=x 1 in GF (28)/ 0 and f (0)=0 − { } Then b = A(f (a)),whereA is affine mapping over GF (2). With t = f (a)=(t7, t6,...,t1, t0) output is: 1 0 0 0 1 1 1 1 t0 1 1 1 0 0 0 1 1 1 t1 1 2 3 2 3 2 3 1 1 1 0 0 0 1 1 t2 0 6 1 1 1 1 0 0 0 1 7 6 t 7 6 0 7 6 7 6 3 7 6 7 6 1 1 1 1 1 0 0 0 7 6 t 7 ⊕ 6 0 7 6 7 6 4 7 6 7 6 0 1 1 1 1 1 0 0 7 6 t 7 6 1 7 6 7 6 5 7 6 7 6 7 6 t 7 6 7 6 0 0 1 1 1 1 1 0 7 6 6 7 6 1 7 6 7 6 t 7 6 7 6 0 0 0 1 1 1 1 1 7 6 7 7 6 0 7 4 5 4 5 4 5 L.R. Knudsen Advanced Encryption Standard MixColumns 2 3 1 1 1 2 3 1 - 2 3 1 1 2 3 ⇥ 6 3 1 1 2 7 a a a a 6 7 0,0 0,1 0,2 0,3 4 5 b0,0 b0,1 b0,2 b0,3 a1,0 a1,1 a1,2 a1,3 b1,0 b1,1 b1,2 b1,3 a2,0 a2,1 a2,2 a2,3 b2,0 b2,1 b2,2 b2,3 a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3 Bytes in columns are combined linearly b = 2 a + 3 a + 1 a + 1 a 0,2 { }⇥ 0,2 { }⇥ 1,2 { }⇥ 2,2 { }⇥ 3,2 Multiplication is over GF(28) L.R. Knudsen Advanced Encryption Standard Diffusion in AES Shift Mix - - Rows Col. Shift Mix - - Rows Col. L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes Consider SP-networks like AES, where a round consists of key addition S-box layer linear layer (linear mapping) Definition In a differential characteristic an S-box is active if the inputs to the S-box are assumed to be different. Fact (or assumption) The transition of differences is deterministic through the key additions and linear layers. is non-deterministic through the S-box layers. L.R. Knudsen Advanced Encryption Standard Differential characteristics and active S-boxes (2) Max probability Let pmax be the maximum probability for a non-trivial characteristic for the S-boxes. Active S-boxes Let d be the minimum number of active S-boxes in an r-round characteristic. Bound d Then pmax is an upper bound of any r-round characteristic. L.R. Knudsen Advanced Encryption Standard AES and Wide-Trail The AES design uses the wide-trail strategy: Theorem Any differential/linear characteristic over 4 rounds of AES has at least 25 active Sboxes. AES has 10 (or more) rounds Together with the good Sbox: More than enough. L.R. Knudsen Advanced Encryption Standard 2Rounds S S S S Linear Layer L S S S S Aim Give a bound on the number of active Sboxes in a differential characteristic. We assume S and L are bijective. L linear, so L(x y)=L(x) L(y). ⊕ ⊕ No further assumptions on S L.R. Knudsen Advanced Encryption Standard 2Rounds S S S S Linear Layer L S S S S Aim Give an lower bound on the number of active Sboxes in a differential characteristic. Trivial bounds: Lower Bound for the lower bound: 2 Upper Bound for the lower bound: #sboxes + 1 (here 5).