Advanced Encryption Standard
Academic year: 2021

(1)

Advanced Encryption Standard

(2)

AES

• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) in 2001

• AES is included in the ISO/IEC 18033-3 standard

• AES has been adopted by the U.S. government and is now used worldwide. It supersedes DES

• AES is a subset of the Rijndael block cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen

• Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits

(3)

Finite Field Arithmetic

(4)

Finite Fields

• In AES, all operations are performed on 8-bit bytes

• In particular, the arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)

• A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set

• Division is defined with the following rule: a / b = a · b^(-1)

• An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, …, p - 1}, where p is a prime number and in which arithmetic is carried out modulo p

(5)

Integers, Encryption and Finite Fields

• Virtually all encryption algorithms, both conventional and public-key, involve arithmetic operations on integers

• If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field

• For convenience and for implementation efficiency, we would also like to work with integers that fit exactly into a given number of bits

• Unfortunately, the set of integers {0, 1, …, 2^n - 1}, Z_{2^n}, using modular arithmetic, is not a field

• For example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b such that

2b mod 2^n = 1

(6)

The Definition of GF(2^n)

• There is a way of defining a finite field containing 2^n elements

• Such a field is referred to as GF(2^n)

• Consider the set, S, of all polynomials of degree (n – 1) or less with binary coefficients:

f(x) = a_{n-1} x^{n-1} + a_{n-2} x^{n-2} + ⋯ + a_1 x + a_0 = Σ_{i=0}^{n-1} a_i x^i

• There are a total of 2^n different polynomials in S

• With the appropriate definition of arithmetic operations, each such set 𝑆 is a finite field

(7)

An Example of the Set

• For n = 3, the 2^3 = 8 polynomials in the set are

0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1

• With the appropriate definition of arithmetic operations, each such set 𝑆 is a finite field

(8)

The Definition of Arithmetic Operations

1. Arithmetic follows the ordinary rules of polynomial arithmetic using the basic rules of algebra with the following two refinements.

2. Arithmetic on the coefficients is performed modulo 2.

This is the same as the XOR operation

3. If multiplication results in a polynomial of degree greater than n − 1, then the polynomial is reduced modulo some irreducible polynomial m(x) of degree n. That is, we divide by m(x) and keep the remainder.

For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x). A polynomial m(x) is called irreducible if and only if m(x) cannot be expressed as a product of two polynomials, both of degree lower than that of m(x).

(9)

Arithmetic Operations in GF(2^n)

• A polynomial in GF(2^n) can be uniquely represented by its n binary coefficients a_{n-1} a_{n-2} … a_0

• Therefore, every polynomial in GF(2^n) can be represented by an n-bit number

• Addition is performed by taking the bitwise XOR of the two n-bit elements

• There is no simple XOR operation that will accomplish multiplication in GF(2^n)

• The multiplication of a number in GF(2^n) by 2 consists of a left shift followed by a conditional XOR with a constant

• Multiplication by larger numbers can be achieved by repeated application of this rule

(10)

AES Arithmetic

• AES operates on 8-bit bytes

• Addition of two bytes is defined as the bitwise XOR operation

• Multiplication of two bytes is defined as multiplication in the finite field GF(2^8), with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
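The byte arithmetic of the last two slides, as an added example that is not part of the original slide deck: addition is XOR, multiplication by 2 is the shift-and-conditional-XOR rule (here called xtime), general multiplication repeats that rule, and division a / b = a · b^(-1) uses the fact that every non-zero byte has an inverse under m(x) = x^8 + x^4 + x^3 + x + 1. Function names are the author's own choice.

```python
# Added example (not from the slides): arithmetic in GF(2^8) with the AES
# irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1. A byte holds the
# coefficients a7..a0 of a polynomial of degree at most 7.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, including the x^8 term


def gf_add(a: int, b: int) -> int:
    """Addition (and subtraction) is coefficient-wise mod 2, i.e. XOR."""
    return a ^ b


def xtime(a: int) -> int:
    """Multiply by x (the byte 0x02): shift left, then reduce by m(x)
    if the bit shifted out (the x^8 coefficient) was set."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """General multiplication by repeated application of xtime: walk the
    bits of b from low to high and add a * x^i whenever bit i is set."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse. The 255 non-zero elements form a cyclic
    group, so a^255 = 1 and therefore a^254 = a^(-1); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:                      # square-and-multiply
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def gf_div(a: int, b: int) -> int:
    """Division by the rule from the finite-field slide: a / b = a * b^(-1)."""
    return gf_mul(a, gf_inv(b))
```

The products {57}·{83} = {c1} and {57}·{13} = {fe} are the worked examples given in FIPS-197, and {53} has inverse {ca}, the value used when the S-box entry for 0x53 is derived.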

(11)

AES Structure

(12)

General Structure

• The cipher takes a plaintext block size of 128 bits (16 bytes)

• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits)

• The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length

• The cipher consists of N rounds, where the number of rounds depends on the key length:

  • 10 rounds for a 16-byte key

  • 12 rounds for a 24-byte key

  • 14 rounds for a 32-byte key

• The first (N – 1) rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey

(13)

AES Encryption and Decryption

(14)

Detailed Structure

• AES structure is not a Feistel structure. AES processes the entire data block as a single matrix during each round using substitutions and permutation.

• The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i] (for a 128-bit key). Four distinct words (128 bits) serve as a round key for each round.

• Four different stages are used, one of permutation and three of substitution:

o SubBytes: Uses an S-box to perform a byte-by-byte substitution of the block.

o ShiftRows: A simple permutation.

o MixColumns: A substitution that makes use of arithmetic over GF(2^8).

o AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.

(15)

Detailed Structure

• Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the key and so would add no security.

• The AddRoundKey stage is, in effect, a form of Vernam cipher. The other three stages together provide confusion, diffusion, and nonlinearity, but by themselves would provide no security because they do not use the key.

• We can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.

(16)

Detailed Structure

• Each stage is easily reversible. For the SubBytes, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm.

• For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block, using the result that 𝐴 ⊕ 𝐵 ⊕ 𝐵 = 𝐴.

• As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.

• The final round of both encryption and decryption consists of only three stages. This is a consequence of the structure of AES and is required to make the cipher reversible.

(17)

AES Encryption Round

(18)

AES Parameters

                                          AES-128   AES-192   AES-256
Key Size (words/bytes/bits)               4/16/128  6/24/192  8/32/256
Plaintext Block Size (words/bytes/bits)   4/16/128  4/16/128  4/16/128
Number of Rounds                          10        12        14
Round Key Size (words/bytes/bits)         4/16/128  4/16/128  4/16/128
Expanded Key Size (words/bytes)           44/176    52/208    60/240

(19)

AES Transformation Functions

(20)

Substitute Byte Transformation

• The substitute byte transformation is a simple table lookup

• AES defines a 16 x 16 matrix of byte values, called an S-box, that contains a permutation of all possible 256 8-bit values.

(21)

Add Round Key Transformation

• In the add round key transformation the 128 bits of State are bitwise XORed with the 128 bits of the round key

• The operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key

(22)

Shift Row Transformation

• The forward shift row transformation:

  • The first row of State is not altered

  • For the second row, a 1-byte circular left shift is performed

  • For the third row, a 2-byte circular left shift is performed

  • For the fourth row, a 3-byte circular left shift is performed

(23)

Mix Column Transformation

• The mix column transformation operates on each column individually

• Each byte of a column is mapped into a new value that is a function of all four bytes in that column

• The transformation can be defined by a matrix multiplication on State

(24)

Inputs for Single AES Round

(25)

Avalanche Effect in AES: Change in Plaintext

(26)

Avalanche Effect in AES: Change in Key

(27)

Block Cipher Operation

(28)

Multiple Encryption and Triple DES

(29)

Need for Multiple Encryption

• Because of its vulnerability to brute-force attack, DES, once the most widely used symmetric cipher, has been largely replaced by stronger encryption schemes

• Two approaches have been taken:

1) To design a completely new algorithm that is resistant to both cryptanalytic and brute-force attacks, of which AES is a prime example

2) Another alternative, which preserves the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys

(30)

Double DES

• The simplest form of multiple encryption has two encryption stages and two keys:

C = E(K2, E(K1, M))

• For DES this scheme apparently involves a key length of 56 x 2 = 112 bits

(31)

Meet-in-the-Middle Attack

• If we have

C = E(K2, E(K1, M))

• then

X = E(K1, M) = D(K2, C)

• Given a known pair (M, C):

  • Encrypt M for all 2^56 possible values of K1

  • Decrypt C using all 2^56 possible values of K2

  • Find the match

• For two blocks of known plaintext–ciphertext, the probability that the correct keys are determined is 1 − 2^(-16)

• Thus, a known plaintext attack will succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56

(32)

Triple DES

• An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys

• Using DES as the underlying algorithm, this approach is commonly referred to as 3DES, or Triple Data Encryption Algorithm (TDEA)

• NIST SP 800-67 (Recommendation for the Triple Data Encryption Block Cipher, January 2012) defines the two-key and three-key versions

(33)

Triple DES

• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732

• A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME

(34)

Triple DES

• The function follows an encrypt-decrypt-encrypt (EDE) sequence

• There is no cryptographic significance to the use of decryption for the second stage

• Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:

C = E(K1, D(K1, E(K1, M)))

M = D(K1, E(K1, D(K1, C)))

(35)

Triple DES

• In SP 800-57, Part 1 (Recommendation for Key Management—Part 1: General, July 2012) NIST recommends that 2-key 3DES be retired as soon as practical and replaced with 3-key 3DES

• There is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112-bit key

(36)

Block Cipher Modes of Operation

(37)

Block Cipher Modes of Operation

• A block cipher takes a fixed-length block of text of length 𝑏 bits and a key as input and produces a 𝑏-bit block of ciphertext

• If the amount of plaintext to be encrypted is greater than 𝑏 bits, then the block cipher can still be used by breaking the plaintext up into 𝑏-bit blocks

• When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise

• To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (SP 800-38A)

• These modes are intended for use with any symmetric block cipher, including triple DES and AES

(38)

Block Cipher Modes of Operation

Electronic Codebook (ECB)
  Description: Each block of plaintext bits is encoded independently using the same key.
  Typical application: Secure transmission of single values (e.g., an encryption key)

Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
  Typical application: General-purpose block-oriented transmission; authentication

Cipher Feedback (CFB)
  Description: Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
  Typical application: General-purpose stream-oriented transmission; authentication

Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used.
  Typical application: Stream-oriented transmission over a noisy channel (e.g., satellite communication)

Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical application: General-purpose block-oriented transmission; useful for high-speed requirements

(39)

Electronic Codebook (ECB) Mode

• For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary

• For lengthy messages, the ECB mode may not be secure

• If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities

(40)

Cipher Block Chaining (CBC) Mode

• The same plaintext block, if repeated, produces different ciphertext blocks

• The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block

• The CBC mode requires that the last block be padded to a full 𝑏 bits if it is a partial block

(41)

Stream Cipher

• For any block cipher, encryption is performed on a block of 𝑏 bits

• It is possible to convert a block cipher into a stream cipher, using one of the three modes:

o cipher feedback (CFB) mode

o output feedback (OFB) mode

o counter (CTR) mode

• A stream cipher eliminates the need to pad a message to be an integral number of blocks

• It also can operate in real time

• One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext

(42)

Cipher Feedback (CFB) Mode

• As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext

• The leftmost (most significant) s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1

• The contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost s bits of the shift register

(43)

Output Feedback (OFB) Mode

• For OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext

• The OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an 𝑠-bit subset

• One advantage of the OFB method is that bit errors in transmission do not propagate

(44)

Counter (CTR) Mode

• The counter value must be different for each plaintext block that is encrypted

• There is no chaining

• For the last plaintext block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the XOR operation; the remaining b − u bits are discarded

• No need to use padding because of the structure of the CTR mode
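The ECB, CBC and CTR constructions from slides 39, 40 and 44, as an added example that is not part of the original slide deck: ECB repeats ciphertext for repeated plaintext blocks, CBC chains each block through the previous ciphertext, and CTR needs no padding because only the first u bytes of the last keystream block are used. The block cipher underneath is a stand-in chosen by the author (a 4-round Feistel network keyed through SHA-256, 8-byte block) so the example runs offline; it is not AES and is not meant to be secure.

```python
# Added example (not from the slides): ECB, CBC and CTR over a generic
# b = 64-bit block cipher. toy_block_encrypt is a deliberately simple
# stand-in (4-round Feistel with SHA-256 as round function), NOT AES.
import hashlib

BLOCK = 8  # block size in bytes (b = 64 bits for the toy cipher)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: only the forward direction is needed here."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(x ^ y for x, y in zip(left, f))
    return left + right


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Each block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks: the regularity ECB leaks."""
    assert len(pt) % BLOCK == 0, "ECB needs the last block padded"
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Cipher input is plaintext XOR the preceding ciphertext (IV first)."""
    assert len(pt) % BLOCK == 0, "CBC needs the last block padded"
    prev, out = iv, []
    for i in range(0, len(pt), BLOCK):
        block_in = bytes(x ^ y for x, y in zip(pt[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, block_in)
        out.append(prev)
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation. No chaining and no
    padding: a final partial block of u bytes uses only the first u
    keystream bytes. The nonce||counter value must never repeat under a key."""
    assert len(nonce) == BLOCK - 4, "4-byte nonce + 4-byte counter"
    out = []
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(4, "big")
        keystream = toy_block_encrypt(key, counter_block)
        chunk = data[i:i + BLOCK]
        out.append(bytes(x ^ y for x, y in zip(chunk, keystream[:len(chunk)])))
    return b"".join(out)
```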
