Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) in 2001
• AES is included in the ISO/IEC 18033-3 standard
• AES has been adopted by the U.S. government and is now used worldwide. It supersedes DES
• AES is a subset of the Rijndael block cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen
• Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits
Finite Field Arithmetic
Finite Fields
• In AES, all operations are performed on 8-bit bytes
• In particular, the arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)
• A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
• Division is defined by the rule a / b = a · b^(−1), i.e. multiplication by the multiplicative inverse of b
• An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, …, p − 1}, where p is a prime number and in which arithmetic is carried out modulo p
Integers, Encryption and Finite Fields
• Virtually all encryption algorithms, both conventional and public-key, involve arithmetic operations on integers
• If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field
• For convenience and for implementation efficiency, we would also like to work with integers that fit exactly into a given number of bits
• Unfortunately, the set of integers {0, 1, …, 2^n − 1}, Z_{2^n}, using modular arithmetic, is not a field
• For example, the integer 2 has no multiplicative inverse in Z_{2^n}; that is, there is no integer b such that 2b mod 2^n = 1
The Definition of GF(2^n)
• There is a way of defining a finite field containing 2^n elements
• Such a field is referred to as GF(2^n)
• Consider the set S of all polynomials of degree (n − 1) or less with binary coefficients:
$$f(x) = a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n-1} a_i x^i$$
• There are a total of 2^n different polynomials in S
• With the appropriate definition of arithmetic operations, each such set 𝑆 is a finite field
An Example of the Set
• For n = 3, the 2^3 = 8 polynomials in the set are:
0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1
The Definition of Arithmetic Operations
1. Arithmetic follows the ordinary rules of polynomial arithmetic using the basic rules of algebra, with the following two refinements:
2. Arithmetic on the coefficients is performed modulo 2. This is the same as the XOR operation.
3. If multiplication results in a polynomial of degree greater than n − 1, then the polynomial is reduced modulo some irreducible polynomial m(x) of degree n. That is, we divide by m(x) and keep the remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x). A polynomial m(x) is called irreducible if and only if m(x) cannot be expressed as a product of two polynomials, both of degree lower than that of m(x).
Arithmetic Operations in GF(2^n)
• A polynomial in GF(2^n) can be uniquely represented by its n binary coefficients a_{n−1} a_{n−2} … a_0
• Therefore, every polynomial in GF(2^n) can be represented by an n-bit number
• Addition is performed by taking the bitwise XOR of the two n-bit elements
• There is no simple XOR operation that will accomplish multiplication in GF(2^n)
• The multiplication of a number in GF(2^n) by 2 (the polynomial x) consists of a left shift followed by a conditional XOR with a constant (the low n bits of the reduction polynomial m(x)), applied when the shift carries out of the n-bit field
• Multiplication by larger numbers can be achieved by repeated application of this rule
AES Arithmetic
• AES operates on 8-bit bytes
• Addition of two bytes is defined as the bitwise XOR operation
• Multiplication of two bytes is defined as multiplication in the finite field GF(2^8), with the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
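A worked implementation of the field arithmetic just described, added here as an example (it is not code from the slides or from any AES library; all function names are my own): addition as XOR, multiplication both by the textbook definition (polynomial product, then reduction modulo m(x)) and by the repeated-doubling rule, inverses via a^254, and a check that the integer 2 has an inverse in GF(2^8) but not in Z_{2^n}. The reduction polynomial x^3 + x + 1 used for the GF(2^3) case in the usage block is an assumption, since the slides give no m(x) for n = 3.

```python
# Added example (not from the slides): arithmetic in the finite field GF(2^8) used by AES.
# A byte is read as a polynomial with binary coefficients (bit i = coefficient of x^i);
# the reduction polynomial is m(x) = x^8 + x^4 + x^3 + x + 1, i.e. the integer 0x11B.
import math

AES_POLY = 0x11B


def gf_add(a: int, b: int) -> int:
    """Addition (and subtraction) in GF(2^n): coefficients are added mod 2, which is XOR."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Ordinary polynomial multiplication over GF(2) without reduction (carry-less multiply)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_mod(f: int, m: int) -> int:
    """Remainder of f(x) divided by m(x): XOR shifted copies of m(x) while deg f >= deg m."""
    deg_m = m.bit_length() - 1
    while f and f.bit_length() - 1 >= deg_m:
        f ^= m << (f.bit_length() - 1 - deg_m)
    return f


def gf_mul_by_definition(a: int, b: int, m: int = AES_POLY) -> int:
    """Multiplication exactly as rule 3 defines it: multiply as polynomials, then reduce
    modulo m(x). Works for any GF(2^n) given an irreducible m(x) of degree n."""
    return poly_mod(poly_mul(a, b), m)


def xtime(a: int) -> int:
    """Multiplication by 2 (the polynomial x) in GF(2^8): left shift, then a conditional
    XOR with 0x1B (m(x) with its x^8 term dropped) whenever bit 7 was set."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    """Multiplication by repeated doubling: a*b = XOR of a*2^i over the set bits i of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse: every nonzero a satisfies a^255 = 1, so a^-1 = a^254."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, 254)


def gf_div(a: int, b: int) -> int:
    """Division is a * b^-1; it never leaves the set, which is what makes GF(2^8) a field."""
    return gf_mul(a, gf_inv(b))


def integer_inverse_mod(a: int, m: int):
    """Inverse of a in the integers mod m, or None if none exists (gcd(a, m) != 1).
    Shows why Z_{2^n} is not a field: even numbers such as 2 have no inverse there."""
    if math.gcd(a, m) != 1:
        return None
    return pow(a, -1, m)


if __name__ == "__main__":
    # worked values from FIPS-197 section 4.2: {57} * {83} = {c1}, {53}^-1 = {ca}
    print(hex(gf_mul(0x57, 0x83)), hex(gf_mul_by_definition(0x57, 0x83)), hex(gf_inv(0x53)))
    print("2^-1 in Z_256:", integer_inverse_mod(2, 256), " 2^-1 in GF(2^8):", hex(gf_inv(2)))
    # GF(2^3) with the (assumed) reduction polynomial x^3 + x + 1 = 0b1011: x^2 * x = x + 1
    print(bin(gf_mul_by_definition(0b100, 0b010, 0b1011)))
```

The two multiplication routines agree for every pair of bytes; gf_mul is the form real implementations use because xtime is a shift and a conditional XOR, while gf_mul_by_definition makes the reduction step of rule 3 explicit. The FIPS-197 values {57}·{83} = {c1} and {53}^(−1) = {ca} are convenient checks.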
AES Structure
General Structure
• The cipher takes a plaintext block size of 128 bits (16 bytes)
• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits)
• The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length
• The cipher consists of N rounds, where the number of rounds depends on the key length:
• 10 rounds for a 16-byte key
• 12 rounds for a 24-byte key
• 14 rounds for a 32-byte key
• The first (N – 1) rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey
AES Encryption and Decryption
Detailed Structure
• AES structure is not a Feistel structure. AES processes the entire data block as a single matrix during each round using substitutions and permutation.
• The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round.
• Four different stages are used, one of permutation and three of substitution:
o SubBytes: Uses an S-box to perform a byte-by-byte substitution of the block.
o ShiftRows: A simple permutation.
o MixColumns: A substitution that makes use of arithmetic over GF(2^8).
o AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.
Detailed Structure
• Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the key and so would add no security.
• The AddRoundKey stage is, in effect, a form of Vernam cipher. The other three stages together provide confusion, diffusion, and nonlinearity, but by themselves would provide no security because they do not use the key.
• We can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
Detailed Structure
• Each stage is easily reversible. For the SubBytes, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm.
• For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block, using the result that 𝐴 ⊕ 𝐵 ⊕ 𝐵 = 𝐴.
• As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.
• The final round of both encryption and decryption consists of only three stages. This is a consequence of the structure of AES and is required to make the cipher reversible.
AES Encryption Round (figure)
AES Parameters
                                          AES-128    AES-192    AES-256
Key Size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext Block Size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of Rounds                          10         12         14
Round Key Size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded Key Size (words/bytes)           44/176     52/208     60/240
AES Transformation Functions
Substitute Byte Transformation
• The substitute byte transformation is a simple table lookup
• AES defines a 16 × 16 matrix of byte values, called an S-box, that contains a permutation of all possible 256 8-bit values.
Add Round Key Transformation
• In the add round key transformation the 128 bits of State are bitwise XORed with the 128 bits of the round key
• The operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key
Shift Row Transformation
• The forward shift row transformation:
o The first row of State is not altered
o For the second row, a 1-byte circular left shift is performed
o For the third row, a 2-byte circular left shift is performed
o For the fourth row, a 3-byte circular left shift is performed
Mix Column Transformation
• The mix column transformation operates on each column individually
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column
• The transformation can be defined by a matrix multiplication on State
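The four stages and the key expansion described above, assembled into a complete AES-128 single-block encryption. This is added here as an example and is not code from the slides or from any library; the function names are mine. The S-box is computed at import time from its definition (multiplicative inverse in GF(2^8) followed by the affine map), using log/antilog tables over the generator 3 as an implementation choice, rather than typed in as a 256-entry table. The usage block runs the FIPS-197 Appendix C.1 test vector and a one-bit avalanche measurement of the kind the lecture's avalanche figures illustrate.

```python
# Added example (not from the slides): AES-128 encryption of one 16-byte block, written so
# that SubBytes, ShiftRows, MixColumns and AddRoundKey are each visible as a function.
# The State is a flat list of 16 bytes in column-major order: State[r + 4*c] is row r,
# column c, which is also the order in which the input block and each round key are read.

def xtime(a: int) -> int:
    """Multiply a byte by x (0x02) in GF(2^8): shift left, reduce by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def build_sbox() -> list:
    """S-box as FIPS-197 defines it: multiplicative inverse in GF(2^8), then an affine map.
    Inverses come from log/antilog tables over the generator 3 (= x + 1); building the
    table this way is an implementation choice, the standard simply tabulates the result."""
    exp, log = [0] * 255, [0] * 256
    a = 1
    for i in range(255):
        exp[i], log[a] = a, i
        a ^= xtime(a)                       # a = a * 3 = a * 2 + a
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else exp[(255 - log[v]) % 255]
        s = inv
        for _ in range(4):                  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[v] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    """Row r (bytes r, r+4, r+8, r+12) is circularly shifted left by r positions."""
    out = list(state)
    for r in range(1, 4):
        row = [state[r + 4 * c] for c in range(4)]
        row = row[r:] + row[:r]
        for c in range(4):
            out[r + 4 * c] = row[c]
    return out


def mix_columns(state):
    """Each column is multiplied by [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]] over GF(2^8);
    multiplication by 3 is xtime(a) ^ a."""
    out = [0] * 16
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out[4 * c + 0] = xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3
        out[4 * c + 3] = xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)
    return out


def add_round_key(state, round_key):
    return [a ^ b for a, b in zip(state, round_key)]


def expand_key(key: bytes) -> list:
    """Expand a 16-byte key into 44 words (176 bytes); round key i is bytes 16*i .. 16*i+15."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)                     # round constants 01,02,04,...,36
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [b for word in w for b in word]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    ks = expand_key(key)
    state = add_round_key(list(block), ks[0:16])            # initial AddRoundKey
    for rnd in range(1, 10):                                # rounds 1..9: all four stages
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), ks[16 * rnd:16 * rnd + 16])
    state = add_round_key(shift_rows(sub_bytes(state)), ks[160:176])  # round 10: no MixColumns
    return bytes(state)


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings (avalanche measure)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # FIPS-197 Appendix C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = aes128_encrypt_block(key, pt)
    print(ct.hex())                                          # 69c4e0d86a7b0430d8cdb78070b4c55a
    flipped = bytes([pt[0] ^ 0x01]) + pt[1:]
    print(bit_difference(ct, aes128_encrypt_block(key, flipped)), "of 128 bits changed")
```

Decryption is not shown; as the slides state, it applies the inverse S-box, inverse ShiftRows and inverse MixColumns with the round keys in reverse order, and AddRoundKey is its own inverse.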
Inputs for Single AES Round (figure)
Avalanche Effect in AES: Change in Plaintext (figure)
Avalanche Effect in AES: Change in Key (figure)
Block Cipher Operation
Multiple Encryption and Triple DES
Need for Multiple Encryption
• Because of its vulnerability to brute-force attack, DES, once the most widely used symmetric cipher, has been largely replaced by stronger encryption schemes
• Two approaches have been taken:
1) To design a completely new algorithm that is resistant to both cryptanalytic and brute-force attacks, of which AES is a prime example
2) Another alternative, which preserves the existing investment in software and equipment, is to use multiple encryption with DES and multiple keys
Double DES
• The simplest form of multiple encryption has two encryption stages and two keys: C = E(K2, E(K1, M))
• For DES this scheme apparently involves a key length of 56 × 2 = 112 bits
Meet-in-the-Middle Attack
• If we have C = E(K2, E(K1, M))
• then X = E(K1, M) = D(K2, C)
• Given a known pair (M, C):
• Encrypt M for all 2^56 possible values of K1
• Decrypt C using all 2^56 possible values of K2
• Find the match
• For two blocks of known plaintext–ciphertext, the probability that the correct keys are determined is 1 − 2^(−16)
• Thus, a known plaintext attack will succeed against double DES, which has a key size of 112 bits, with an effort on the order of 2^56
Triple DES
• An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys
• Using DES as the underlying algorithm, this approach is commonly referred to as 3DES, or Triple Data Encryption Algorithm (TDEA)
• NIST SP 800-67 (Recommendation for the Triple Data Encryption Block Cipher, January 2012) defines the two-key and three-key versions
Triple DES
• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732
• A number of Internet-based applications have adopted three-key 3DES, including PGP and S/MIME
Triple DES
• The function follows an encrypt-decrypt-encrypt (EDE) sequence
• There is no cryptographic significance to the use of decryption for the second stage
• Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:
C = E(K1, D(K1, E(K1, M))) = E(K1, M)
M = D(K1, E(K1, D(K1, C))) = D(K1, C)
Triple DES
• In SP 800-57, Part 1 (Recommendation for Key Management—Part 1: General, July 2012) NIST recommends that 2-key 3DES be retired as soon as practical and replaced with 3-key 3DES
• There is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112-bit key
Block Cipher Modes of Operation
• A block cipher takes a fixed-length block of text of length 𝑏 bits and a key as input and produces a 𝑏-bit block of ciphertext
• If the amount of plaintext to be encrypted is greater than 𝑏 bits, then the block cipher can still be used by breaking the plaintext up into 𝑏-bit blocks
• When multiple blocks of plaintext are encrypted using the same key, a number of security issues arise
• To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (SP 800-38A)
• These modes are intended for use with any symmetric block cipher, including triple DES and AES
Block Cipher Modes of Operation
Mode: Electronic Codebook (ECB)
  Description: Each block of plaintext bits is encoded independently using the same key.
  Typical application:
  • Secure transmission of single values (e.g., an encryption key)
Mode: Cipher Block Chaining (CBC)
  Description: The input to the encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext.
  Typical application:
  • General-purpose block-oriented transmission
  • Authentication
Mode: Cipher Feedback (CFB)
  Description: Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce the next unit of ciphertext.
  Typical application:
  • General-purpose stream-oriented transmission
  • Authentication
Mode: Output Feedback (OFB)
  Description: Similar to CFB, except that the input to the encryption algorithm is the preceding encryption output, and full blocks are used.
  Typical application:
  • Stream-oriented transmission over noisy channel (e.g., satellite communication)
Mode: Counter (CTR)
  Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
  Typical application:
  • General-purpose block-oriented transmission
  • Useful for high-speed requirements
Electronic Codebook (ECB) Mode
• For a message longer than b bits, the procedure is simply to break the message into b-bit blocks, padding the last block if necessary
• For lengthy messages, the ECB mode may not be secure
• If the message is highly structured, it may be possible for a cryptanalyst to exploit these regularities
Cipher Block Chaining (CBC) Mode
• The same plaintext block, if repeated, produces different ciphertext blocks
• The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block
• The CBC mode requires that the last block be padded to a full 𝑏 bits if it is a partial block
Stream Cipher
• For any block cipher, encryption is performed on a block of 𝑏 bits
• It is possible to convert a block cipher into a stream cipher, using one of the three modes:
o cipher feedback (CFB) mode
o output feedback (OFB) mode
o counter (CTR) mode
• A stream cipher eliminates the need to pad a message to be an integral number of blocks
• It also can operate in real time
• One desirable property of a stream cipher is that the ciphertext be of the same length as the plaintext
Cipher Feedback (CFB) Mode
• As with CBC, the units of plaintext are chained together, so that the ciphertext of any plaintext unit is a function of all the preceding plaintext
• The leftmost (most significant) s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1
• The contents of the shift register are shifted left by s bits, and C1 is placed in the rightmost s bits of the shift register
Output Feedback (OFB) Mode
• For OFB, the output of the encryption function is fed back to become the input for encrypting the next block of plaintext
• The OFB mode operates on full blocks of plaintext and ciphertext, whereas CFB operates on an 𝑠-bit subset
• One advantage of the OFB method is that bit errors in transmission do not propagate
Counter (CTR) Mode
• The counter value must be different for each plaintext block that is encrypted
• There is no chaining
• For the last plaintext block, which may be a partial block of u bits, the most significant u bits of the last output block are used for the XOR operation; the remaining b − u bits are discarded
• No need to use padding because of the structure of the CTR mode
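The three modes the lecture develops in most detail (ECB, CBC and CTR), implemented over a pluggable block function with PKCS#7 padding for the block-oriented modes. This is an added example, not code from the slides. The toy_block_* functions are a constructed stand-in so the file runs offline; they are a keyed permutation, not a cipher, and any real block cipher with the same (key, 16-byte block) signature can replace them. Everything else (padding, chaining, counter handling, the repeated-block check that exposes ECB on structured input, and the partial last block in CTR) is the actual mode logic.

```python
# Added example (not from the slides): ECB, CBC and CTR over a pluggable 16-byte block
# function. toy_block_encrypt/decrypt are a constructed stand-in, NOT a cipher; they only
# exist so that the mode logic below is executable without a crypto library.
import os

BLOCK = 16


def _rotl(b: bytes) -> bytes:
    return b[1:] + b[:1]


def _rotr(b: bytes) -> bytes:
    return b[-1:] + b[:-1]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed permutation: XOR key, rotate bytes, XOR key again. Not secure."""
    x = bytes(p ^ k for p, k in zip(block, key))
    return bytes(p ^ k for p, k in zip(_rotl(x), key))


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = bytes(c ^ k for c, k in zip(block, key))
    return bytes(c ^ k for c, k in zip(_rotr(x), key))


def pad_pkcs7(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK        # 1..16: an aligned message gets a whole padding block
    return data + bytes([n]) * n


def unpad_pkcs7(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext, enc=toy_block_encrypt) -> bytes:
    """ECB: each block encrypted independently; equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(enc(key, b) for b in _blocks(pad_pkcs7(plaintext)))


def ecb_decrypt(key, ciphertext, dec=toy_block_decrypt) -> bytes:
    return unpad_pkcs7(b"".join(dec(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext, enc=toy_block_encrypt) -> bytes:
    """CBC: C_i = E(P_i XOR C_(i-1)) with C_0 = IV, so repeated plaintext blocks differ in ciphertext."""
    prev, out = iv, []
    for p in _blocks(pad_pkcs7(plaintext)):
        prev = enc(key, bytes(a ^ b for a, b in zip(p, prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext, dec=toy_block_decrypt) -> bytes:
    """CBC inverse: P_i = D(C_i) XOR C_(i-1)."""
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(bytes(a ^ b for a, b in zip(dec(key, c), prev)))
        prev = c
    return unpad_pkcs7(b"".join(out))


def ctr_crypt(key, nonce, data, enc=toy_block_encrypt) -> bytes:
    """CTR: keystream block i = E(nonce + i), XORed with the data. No chaining and no padding:
    a partial last block uses only the leading u bytes of its keystream block and the
    remaining BLOCK - u bytes are discarded. Encryption and decryption are the same call."""
    counter = int.from_bytes(nonce, "big")
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        counter_block = ((counter + i) % (1 << 128)).to_bytes(BLOCK, "big")
        stream = enc(key, counter_block)
        out.extend(a ^ b for a, b in zip(chunk, stream))   # zip stops at len(chunk)
    return bytes(out)


def repeated_block_count(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one; nonzero values are the ECB leak."""
    bl = _blocks(ciphertext)
    return len(bl) - len(set(bl))


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)   # fresh IV / nonce per message for CBC and CTR
    msg = b"REPEATED BLOCK.." * 3              # constructed: three identical 16-byte blocks
    print("ECB repeated blocks:", repeated_block_count(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_block_count(cbc_encrypt(key, iv, msg)))
    ct = ctr_crypt(key, iv, msg[:37])
    print("CTR length:", len(ct), "round trip ok:", ctr_crypt(key, iv, ct) == msg[:37])
```

For a message of three identical blocks, repeated_block_count on the ECB ciphertext returns 2 (the structure of the plaintext is visible), while CBC and CTR with a fresh IV or nonce give no repeats in practice; the CTR output is exactly as long as its input because the unused tail of the last keystream block is discarded, which is the "no padding" property the slide states.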