4 AES Rijndael (7-8)


  • 7/29/2019 4 AES Rijndael (7-8)

Lecture 4: The Advanced Encryption Standard (AES)

On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for the AES algorithms was formally made on September 12, 1997.

The requirements of AES are as follows:

(1) The call stipulated that the AES would specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s).

(2) The algorithm(s) must support (at a minimum) block sizes of 128 bits, key sizes of 128, 192, and 256 bits, and should have a strength at the level of the triple DES, but should be more efficient than the triple DES.

(3) It should work on a variety of different hardware.

(4) The algorithm(s), if selected, must be available royalty-free, worldwide.

On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called the Round 1). The Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.

The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (the Round 2).

In the Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations and implementation issues. On October 2, 2000, NIST announced that it had selected Rijndael to propose for the AES.

Outline

About the Finite Field GF($p^n$)
The Basic Algorithm
The Layers
Decryption
Design Consideration
Implementation Concerns
Positive Impact of the AES
Modes of Operation
Message Authentication Code

1 About the Finite Field GF($p^n$)

For every power $p^n$ of a prime, there is exactly one finite field with $p^n$ elements. But the integers modulo $p^n$ do not form a field, since the congruence $p x \equiv 1 \pmod{p^n}$ does not have a solution.

Example 1. Construct GF($2^2$).

Solution: Let $Z_2[X]$ be the set of polynomials whose coefficients are integers mod 2, that is, 0 or 1. The constant polynomials 0, 1 are also in $Z_2[X]$. We can add, subtract, and multiply in this set, as long as we work with the coefficients mod 2, such as $(X + 1)(X + 1) = X^2 + 1$. We can perform division with remainder, just as with the integers. For example, we divide $X^2 + X + 1$ into $X^4 + X^3 + 1$ and get

$$X^4 + X^3 + 1 = (X^2 + X + 1)(X^2 + 1) + X.$$

Therefore, we can write this as $X^4 + X^3 + 1 \equiv X \pmod{X^2 + X + 1}$. We can define $Z_2[X] \pmod{X^2 + X + 1}$ to be the set $\{0, 1, X, X + 1\}$ of polynomials of degree at most 1. For addition and multiplication mod $X^2 + X + 1$, it is a field with 4 elements.


1.2 Division

The Extended Euclidean Algorithm

Example 2. Consider GF($2^8$) $= Z_2[X] \pmod{X^8 + X^4 + X^3 + X + 1}$; find the inverse of $X^7 + X^6 + X^3 + X + 1$.

Solution: Calculate $\gcd(X^8 + X^4 + X^3 + X + 1,\ X^7 + X^6 + X^3 + X + 1)$. Division with remainder (dividend $=$ divisor $\times$ quotient $+$ remainder) is the same as for integers:

$$X^8 + X^4 + X^3 + X + 1 = (X^7 + X^6 + X^3 + X + 1)(X + 1) + (X^6 + X^2 + X),$$
$$X^7 + X^6 + X^3 + X + 1 = (X^6 + X^2 + X)(X + 1) + 1.$$

Therefore,

$$1 = (X^7 + X^6 + X^3 + X + 1) + (X^6 + X^2 + X)(X + 1)$$
$$\phantom{1} = (X^7 + X^6 + X^3 + X + 1) + \big[(X^8 + X^4 + X^3 + X + 1) + (X^7 + X^6 + X^3 + X + 1)(X + 1)\big](X + 1)$$
$$\phantom{1} = (X^7 + X^6 + X^3 + X + 1)\big(1 + (X + 1)^2\big) + (X^8 + X^4 + X^3 + X + 1)(X + 1)$$
$$\phantom{1} = (X^7 + X^6 + X^3 + X + 1)\, X^2 + (X^8 + X^4 + X^3 + X + 1)(X + 1).$$

Reducing mod $X^8 + X^4 + X^3 + X + 1$, we obtain:

$$(X^7 + X^6 + X^3 + X + 1)(X^2) \equiv 1 \pmod{X^8 + X^4 + X^3 + X + 1}.$$

So the inverse of $X^7 + X^6 + X^3 + X + 1$ is $X^2$.

1.3 GF($2^8$)

Use GF($2^8$) $= Z_2[X] \pmod{X^8 + X^4 + X^3 + X + 1}$ as an example. Every element can be represented uniquely as a polynomial

$$b_7 X^7 + b_6 X^6 + b_5 X^5 + b_4 X^4 + b_3 X^3 + b_2 X^2 + b_1 X + b_0,$$

where each $b_i$ is 0 or 1. The 8 bits $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ represent a byte. For example, $X^7 + X^6 + X^3 + X + 1$ becomes 11001011.

Addition is the XOR of the bits: $(X^7 + X^6 + X^3 + X + 1) + (X^4 + X^3 + 1) = X^7 + X^6 + X^4 + X$, that is, 11001011 XOR 00011001 = 11010010.

Multiplication by $X$ is a shift followed by a reduction: $X(X^7 + X^6 + X^3 + X + 1) = X^8 + X^7 + X^4 + X^2 + X$ becomes 110010110 (shift left and append a 0); then subtract $X^8 + X^4 + X^3 + X + 1$ = 100011011 if the first bit is 1: 110010110 XOR 100011011 = 010001101, which is $X^7 + X^3 + X^2 + 1$.

In summary, we see that these operations in GF($2^8$) can be performed efficiently.

2 The Basic Algorithm

For simplicity, we restrict to 128 bits, and first give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key using the original key of 128 bits. A round starts with an input of 128 bits and produces an output of 128 bits.

There are four basic steps, called layers, that are used to form the rounds:

(1) The ByteSub (SB) Transformation: This non-linear layer is for resistance to differential and linear cryptanalysis attacks.

(2) The ShiftRow (SR) Transformation: This linear mixing step causes diffusion of the bits over multiple rounds.

(3) The MixColumn (MC) Transformation: This layer has a purpose similar to ShiftRow.

(4) AddRoundKey (ARK) Transformation: The round key is XORed with the result of the above layer.

A round is then

ByteSub → ShiftRow → MixColumn → AddRoundKey

Rijndael Encryption

(1) ARK, using the 0th round key.

(2) Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.

(3) A final round: BS, SR, ARK, using the 10th round key.

# The final round omits the MixColumn layer.

3 The Layers

The 128 input bits are grouped into 16 bytes of 8 bits, call them $a_{0,0}, a_{1,0}, a_{2,0}, a_{3,0}, a_{0,1}, a_{1,1}, \dots, a_{3,3}$, and are arranged into a $4 \times 4$ matrix

$$
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix}.
$$

In the following, we'll need to work with the finite field GF($2^8$). The model of GF($2^8$) depends on a choice of irreducible polynomial of degree 8. The choice for Rijndael is $X^8 + X^4 + X^3 + X + 1$. The elements of GF($2^8$) can be represented by bytes. They can be added by XOR. They can also be multiplied in a certain way. Each element has a multiplicative inverse.

3.1 The ByteSub Transformation

S-Box (16 × 16). Entries are in decimal; rows and columns are numbered 1 to 16, as in the lookup examples that follow.

 row\col    1    2    3    4    5    6    7    8    9   10   11   12   13   14   15   16
    1      99  124  119  123  242  107  111  197   48    1  103   43  254  215  171  118
    2     202  130  201  125  250   89   71  240  173  212  162  175  156  164  114  192
    3     183  253  147   38   54   63  247  204   52  165  229  241  113  216   49   21
    4       4  199   35  195   24  150    5  154    7   18  128  226  235   39  178  117
    5       9  131   44   26   27  110   90  160   82   59  214  179   41  227   47  132
    6      83  209    0  237   32  252  177   91  106  203  190   57   74   76   88  207
    7     208  239  170  251   67   77   51  133   69  249    2  127   80   60  159  168
    8      81  163   64  143  146  157   56  245  188  182  218   33   16  255  243  210
    9     205   12   19  236   95  151   68   23  196  167  126   61  100   93   25  115
   10      96  129   79  220   34   42  144  136   70  238  184   20  222   94   11  219
   11     224   50   58   10   73    6   36   92  194  211  172   98  145  149  228  121
   12     231  200   55  109  141  213   78  169  108   86  244  234  101  122  174    8
   13     186  120   37   46   28  166  180  198  232  221  116   31   75  189  139  138
   14     112   62  181  102   72    3  246   14   97   53   87  185  134  193   29  158
   15     225  248  152   17  105  217  142  148  155   30  135  233  206   85   40  223
   16     140  161  137   13  191  230   66  104   65  153   45   15  176   84  187   22

3.1 The ByteSub Transformation (Continued)

Write a byte as 8 bits: $abcdefgh$. Look for the entry in the row $abcd$ and column $efgh$. For example, if the input byte is 10001011, we look in row 9 and column 12. The entry is 61, which is 111101 in binary. The output of ByteSub is again a $4 \times 4$ matrix of bytes:

$$
\begin{pmatrix}
a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\
a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\
a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\
a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}.
$$

3.2 The ShiftRow Transformation

The four rows of the matrix are cyclically shifted to the left by offsets of 0, 1, 2, and 3, to obtain

$$
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,1} & b_{1,2} & b_{1,3} & b_{1,0} \\
b_{2,2} & b_{2,3} & b_{2,0} & b_{2,1} \\
b_{3,3} & b_{3,0} & b_{3,1} & b_{3,2}
\end{pmatrix}
= (c_{i,j}).
$$

3.3 The MixColumn Transformation

The output of the ShiftRow step is a $4 \times 4$ matrix $(c_{i,j})$ with entries in GF($2^8$). Multiply this by a matrix, again with entries in GF($2^8$), to produce the output $(d_{i,j})$, as follows:

$$
\begin{pmatrix}
d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\
d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\
d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\
d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3}
\end{pmatrix}
=
\begin{pmatrix}
00000010 & 00000011 & 00000001 & 00000001 \\
00000001 & 00000010 & 00000011 & 00000001 \\
00000001 & 00000001 & 00000010 & 00000011 \\
00000011 & 00000001 & 00000001 & 00000010
\end{pmatrix}
\begin{pmatrix}
c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\
c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\
c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\
c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3}
\end{pmatrix}.
$$

3.4 The RoundKey Addition

The round key, derived from the original key, consists of 128 bits, which are arranged in a $4 \times 4$ matrix $(k_{i,j})$ consisting of bytes. This is XORed with the output $(d_{i,j})$ of the MixColumn step:

$$
\begin{pmatrix}
e_{0,0} & e_{0,1} & e_{0,2} & e_{0,3} \\
e_{1,0} & e_{1,1} & e_{1,2} & e_{1,3} \\
e_{2,0} & e_{2,1} & e_{2,2} & e_{2,3} \\
e_{3,0} & e_{3,1} & e_{3,2} & e_{3,3}
\end{pmatrix}
=
\begin{pmatrix}
d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\
d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\
d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\
d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3}
\end{pmatrix}
\oplus
\begin{pmatrix}
k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} \\
k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} \\
k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} \\
k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3}
\end{pmatrix}.
$$

3.5 The Key Schedule

The original key consists of 128 bits, which are arranged into a $4 \times 4$ matrix of bytes. Label the first four columns $W(0), W(1), W(2), W(3)$. The new columns are generated recursively. If $4 \nmid i$, then $W(i) = W(i-4) \oplus W(i-1)$. If $4 \mid i$, then $W(i) = W(i-4) \oplus T(W(i-1))$, where $T(W(i-1))$ is the transformation of $W(i-1)$ obtained as follows. Let

$$W(i-1) = \begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix}.$$

Shift the bytes cyclically to get $(b, c, d, a)^T$, then replace each byte by its entry in the S-box to get $(e, f, g, h)^T$. Compute the round constant $r(i) = 00000010^{(i-4)/4}$ in GF($2^8$). Then

$$T(W(i-1)) = \begin{pmatrix} e \oplus r(i) \\ f \\ g \\ h \end{pmatrix}.$$

The round key for the $i$th round consists of the columns $W(4i), W(4i+1), W(4i+2), W(4i+3)$.

3.6 The Construction of the S-Box

The S-box has a simple mathematical description. The inverse of the byte $x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0$ in GF($2^8$) can be represented by $y_7 y_6 y_5 y_4 y_3 y_2 y_1 y_0$. Suppose the inverse of the byte 00000000 is 00000000. The entry of $x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0$ in the S-box can be computed by

$$
\begin{pmatrix} z_7 \\ z_6 \\ z_5 \\ z_4 \\ z_3 \\ z_2 \\ z_1 \\ z_0 \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{pmatrix}
\begin{pmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{pmatrix}
+
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}.
$$

3.6 The Construction of the S-Box (Continued)

Example 3. The inverse of the byte 11001011 in GF($2^8$) is 00000100 (Example 2). We calculate

$$
\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{pmatrix}
\begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 1 \\ 0 \\ 0 \end{pmatrix}
+
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
=
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \end{pmatrix}
+
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
=
\begin{pmatrix} 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \end{pmatrix}.
$$

This yields the byte 00011111 = 31. We check the row 1100 = 13 and the column 1011 = 12 in the S-box. We also obtain the entry 31.
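As an added example (not part of the lecture slides), the following Python carries out the byte arithmetic of Sections 1.2, 1.3 and 3.6: addition, multiplication by $X$, the extended Euclidean algorithm of Example 2, and the S-box construction of Example 3. It checks the values the slides quote (the inverse of 11001011 is 00000100, its S-box entry is 31, and the entry of 10001011 is 61); the function names are this example's own.

```python
# Added example (not from the lecture slides): GF(2^8) arithmetic with the
# Rijndael modulus X^8 + X^4 + X^3 + X + 1.  A byte is a polynomial over Z_2:
# bit i is the coefficient of X^i, so 11001011 is X^7 + X^6 + X^3 + X + 1.

MODULUS = 0x11B  # X^8 + X^4 + X^3 + X + 1 as the 9-bit string 100011011


def gf_add(a: int, b: int) -> int:
    """Addition is the XOR of the coefficient bits (slide 12)."""
    return a ^ b


def xtime(a: int) -> int:
    """Multiply by X: shift left and append a 0, then subtract the modulus
    (XOR with 100011011) if the first bit is 1."""
    a <<= 1
    if a & 0x100:
        a ^= MODULUS
    return a


def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication built from xtime and gf_add."""
    product = 0
    while b:
        if b & 1:
            product = gf_add(product, a)
        a, b = xtime(a), b >> 1
    return product


def poly_divmod(dividend: int, divisor: int) -> tuple:
    """Long division in Z_2[X]; integers hold polynomials of any degree.
    Returns (quotient, remainder) with deg(remainder) < deg(divisor)."""
    quotient = 0
    while dividend and dividend.bit_length() >= divisor.bit_length():
        shift = dividend.bit_length() - divisor.bit_length()
        quotient ^= 1 << shift
        dividend ^= divisor << shift
    return quotient, dividend


def gf_inverse(a: int) -> int:
    """Extended Euclidean algorithm (Example 2).  Keeps r0 = s0*a and
    r1 = s1*a (mod MODULUS) and stops when the remainder reaches 1."""
    if a == 0:
        raise ZeroDivisionError("00000000 has no inverse in GF(2^8)")
    r0, s0, r1, s1 = MODULUS, 0, a, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, s0, r1, s1 = r1, s1, r, gf_add(s0, gf_mul(q, s1))
    return s1


# Affine map of slide 23: rows act on the column (y7, ..., y0)^T and the
# constant vector read top to bottom is 01100011.
AFFINE_ROWS = (0b11111000, 0b01111100, 0b00111110, 0b00011111,
               0b10001111, 0b11000111, 0b11100011, 0b11110001)
AFFINE_CONST = 0b01100011


def sbox(x: int) -> int:
    """S-box entry of a byte: invert in GF(2^8) (0 maps to 0, as the slides
    assume), then apply the affine map; row k yields output bit z_(7-k)."""
    y = gf_inverse(x) if x else 0
    z = 0
    for row in AFFINE_ROWS:
        z = (z << 1) | (bin(row & y).count("1") & 1)  # dot product over Z_2
    return z ^ AFFINE_CONST


if __name__ == "__main__":
    print(format(xtime(0b11001011), "09b"))       # 010001101, as on slide 12
    print(format(gf_inverse(0b11001011), "08b"))  # 00000100 = X^2, Example 2
    print(sbox(0b11001011), sbox(0b10001011))     # 31 61
```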

4 Decryption

Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:

(1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS).

(2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).

(3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix

$$
\begin{pmatrix}
00001110 & 00001011 & 00001101 & 00001001 \\
00001001 & 00001110 & 00001011 & 00001101 \\
00001101 & 00001001 & 00001110 & 00001011 \\
00001011 & 00001101 & 00001001 & 00001110
\end{pmatrix}.
$$

(4) AddRoundKey is its own inverse.

Therefore

Rijndael encryption: ARK; BS, SR, MC, ARK; BS, SR, MC, ARK; ...; BS, SR, ARK.

Rijndael decryption: ARK, ISR, IBS; ARK, IMC, ISR, IBS; ARK, IMC, ISR, IBS; ...; ARK.

We can rewrite the decryption to achieve the same structure as encryption. Clearly, the order of ISR and IBS can be reversed. Applying MC and then ARK to a matrix $(c_{i,j})$ gives

$$(e_{i,j}) = m(c_{i,j}) \oplus (k_{i,j}),$$

where $m$ denotes multiplication by the MixColumn matrix. The inverse is obtained by solving $(c_{i,j}) = m^{-1}\big((e_{i,j}) \oplus (k_{i,j})\big)$. Since

$$m^{-1}\big((e_{i,j}) \oplus (k_{i,j})\big) = m^{-1}(e_{i,j}) \oplus m^{-1}(k_{i,j}),$$

the process is

$$(e_{i,j}) \longrightarrow m^{-1}(e_{i,j}) \longrightarrow m^{-1}(e_{i,j}) \oplus m^{-1}(k_{i,j}) = (c_{i,j}),$$

where the first arrow is IMC. Let InvAddRoundKey (IARK) be XORing with $m^{-1}(k_{i,j})$. We can use "IMC and IARK" to replace "ARK and IMC".

Now, the decryption is given by

Rijndael decryption: ARK; IBS, ISR, IMC, IARK; IBS, ISR, IMC, IARK; ...; IBS, ISR, ARK.

Rijndael Decryption

(1) ARK, using the 10th round key.

(2) Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.

(3) A final round: IBS, ISR, ARK, using the 0th round key.

# To keep the perfect structure, the MC is omitted in the last round of the encryption.
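An added example, not the lecture's or Rijndael's reference code: AES-128 written as the layers and round structure of Sections 2 to 4, with decryption in the rewritten order of slide 28 (IBS, ISR, IMC, IARK, where IARK XORs $m^{-1}$ of the round key). The S-box is generated from the field rather than typed in; the only inputs not on the slides are the FIPS-197 test vectors used to check the result.

```python
# Added example (not from the slides): AES-128 from the layers BS, SR, MC, ARK,
# the key schedule of slide 22 and the slide-28 decryption order.  The 16-byte
# state is stored column by column: the byte in row r, column c is state[4*c + r].

def xtime(a: int) -> int:
    """Multiply by X in GF(2^8), reducing by X^8 + X^4 + X^3 + X + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a: int, b: int) -> int:
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(x: int) -> int:
    """x^254 = x^-1 in GF(2^8); for x = 0 every product is 0, matching the
    slide-23 convention that 00000000 is its own inverse."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gmul(r, x)
        x, e = gmul(x, x), e >> 1
    return r

def affine(y: int) -> int:
    """Slide 23 written as rotations: z = y + rot1(y) + ... + rot4(y) + 01100011."""
    z = 0x63
    for k in range(5):
        z ^= ((y << k) | (y >> (8 - k))) & 0xFF
    return z

SBOX = [affine(gf_inv(x)) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]   # InvByteSub table

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, d=1):  # row r moves left by r (d=1, SR) or right by r (d=-1, ISR)
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, m=(2, 3, 1, 1)):  # m=(14, 11, 13, 9) gives InvMixColumn
    """Multiply each column by the circulant matrix whose first row is m."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(m[(0 - r) % 4], col[0]) ^ gmul(m[(1 - r) % 4], col[1])
                       ^ gmul(m[(2 - r) % 4], col[2]) ^ gmul(m[(3 - r) % 4], col[3]))
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key: bytes) -> list:
    """Slide 22: W(i) = W(i-4) XOR W(i-1), or XOR T(W(i-1)) when 4 | i."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1                                          # r(4) = 00000010^0
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # (a,b,c,d) -> (b,c,d,a) -> (e,f,g,h)
            t[0] ^= rcon                              # e XOR r(i)
            rcon = xtime(rcon)                        # r(i+4) = r(i) * 00000010
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # round key r = W(4r..4r+3)

def encrypt_block(pt: bytes, key: bytes) -> bytes:
    rk = expand_key(key)
    s = add_round_key(list(pt), rk[0])                # ARK with the 0th round key
    for r in range(1, 10):                            # nine rounds: BS, SR, MC, ARK
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))  # last round omits MC

def decrypt_block(ct: bytes, key: bytes) -> bytes:
    rk, inv = expand_key(key), (14, 11, 13, 9)
    s = add_round_key(list(ct), rk[10])               # ARK with the 10th round key
    for r in range(9, 0, -1):                         # nine rounds: IBS, ISR, IMC, IARK
        s = mix_columns(shift_rows(sub_bytes(s, INV_SBOX), -1), inv)
        s = add_round_key(s, mix_columns(rk[r], inv))  # IARK: XOR with m^-1(round key)
    return bytes(add_round_key(shift_rows(sub_bytes(s, INV_SBOX), -1), rk[0]))

if __name__ == "__main__":  # FIPS-197 appendix C.1 test vector
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)  # 69c4e0d86a7b0430d8cdb78070b4c55a True
```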

5 Design Consideration

(1) The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES.

(2) Unlike the Feistel system, all bits are treated uniformly. This has the effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.

(3) The S-box is constructed in an explicit and simple algebraic way so as to avoid the mysteries of trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks.

(4) The SR step is added to resist truncated differentials and the square attack.

(5) The MC causes diffusion among the bytes.

(6) The ARK involves nonlinear mixing of the key bits. The mixing is designed to resist the known-part-key attack. The round constants are used to eliminate symmetries.

(7) The number of rounds was chosen to be 10 because there are attacks that are better than brute force up to seven rounds in 2004. No known attack beats brute force for seven or more rounds. It was felt that three extra rounds provide a large enough margin of safety.

6 Implementation Concerns

We have seen that the Rijndael internal functions are very simple and operate in trivially small algebraic spaces. As a result, implementations of these internal functions can be done with extremely good efficiency. From our descriptions of the Rijndael internal functions, SB/ISB and MC/IMC are worthy of fast implementation considerations.

(1) For SB/ISB, we suggest using the "S-box lookup" method: a small S-box with $2^8 = 256$ pairs of bytes can be built once and used forever (i.e., the table can be "hardwired" into hardware or software implementations). The "S-box lookup" method not only is efficient, but also prevents a timing analysis attack which is based on observing the operation time difference for different data, which may suggest whether an operation is performed on bit 0 or bit 1.

(2) In MC, multiplication between elements in GF($2^8$) can also be realized via a "table lookup" method: $z = xy$ (field multiplication) where $x \in \{01, 10, 11\}$ and $y \in$ GF($2^8$). Further notice that the byte 01 is simply the multiplicative identity in the field, i.e., $01 \cdot y = y$. Thus, implementation (either in software or hardware) of this multiplication table only needs $2 \times 256 = 512$ entries. This small table is not much larger than one which every primary school pupil has to recite. This realization not only is fast, but also decreases the risk of the timing analysis attack.

(3) IMC is not quite as fast as MC. This is because the entries in the $4 \times 4$ matrix for IMC are more complex than those for MC, and decryption is 30% longer than encryption for these processors. However, in some applications, decryption is not needed.

7 Positive Impact of the AES

(1) Multiple encryption, such as triple-DES, will become unnecessary with the AES. Since multiple encryption uses a plural number of keys, the avoidance of using multiple encryption will mean a reduction in the number of cryptographic keys that an application has to manage, and hence will simplify the design of security protocols and systems.

(2) Wide use of the AES will lead to the emergence of new hash functions of compatible security strengths. In several ways, block cipher encryption algorithms are closely related to hash functions. It has been a standard practice that block cipher encryption algorithms are often used to play the role of one-way hash functions. The logging-in authentication protocol of the UNIX operating system is a well-known example. We have seen a typical "one-way transformation" usage of the DES function in the realization of the UNIX password scheme. Another example is to use block cipher encryption algorithms to realize (keyed) one-way hash functions.

(3) Just as the DES's standard position attracted much cryptanalysis attention trying to break the algorithm, and these efforts contributed to the advance of knowledge in block cipher cryptanalysis, the AES as the new block cipher standard will also give rise to a new resurgence of high research interest in block cipher cryptanalysis, which will certainly further advance the knowledge in the area.

8 Modes of Operation

Usually, the long message is divided into a series of sequentially listed message blocks, and the cipher processes these blocks one at a time. A number of different modes of operation have been devised on top of an underlying block cipher algorithm. These modes of operation provide several desirable properties to the ciphertext blocks, such as adding non-determinism (randomness) to a block cipher algorithm, padding plaintext messages to an arbitrary length, control of error propagation, generation of key stream for a stream cipher, etc.

8.1 Electronic Codebook (ECB)

The plaintext is broken into smaller chunks $P = [P_1, P_2, \dots, P_L]$, and the ciphertext is $C = [C_1, C_2, \dots, C_L]$, where $C_j = E_K(P_j)$ is the encryption of $P_j$ using the key $K$.

Properties of the ECB mode of operation:

(1) Identical plaintext blocks (under the same key) result in identical ciphertext.

(2) Chaining dependencies: blocks are enciphered independently of other blocks. Reordering ciphertext blocks results in correspondingly re-ordered plaintext blocks.

(3) Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only.

8.1 Electronic Codebook (ECB) (Continued)

Comment. Since ciphertext blocks are independent, malicious substitution of ECB blocks (e.g., insertion of a frequently occurring block) does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns: identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.

8.2 Cipher Block Chaining (CBC)

The cipher-block chaining (CBC) mode of operation is specified as

$$C_j = E_K(P_j \oplus C_{j-1}), \qquad P_j = C_{j-1} \oplus D_K(C_j),$$

where $C_0$ is some chosen initial value and $D_K$ is the decryption function.

[Figure: CBC encryption chain. $C_0$ is XORed into $P_1$, which passes through $E_K$ to give $C_1$; $C_1$ is XORed into $P_2$, which passes through $E_K$ to give $C_2$; and so on.]

8.2 Cipher Block Chaining (CBC) (Continued)

Properties of the CBC mode of operation:

(1) Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and $C_0$. Changing $C_0$ or the first plaintext block (e.g., using a counter or random field) results in different ciphertext.

(2) Chaining dependencies: the chaining mechanism causes ciphertext $C_j$ to depend on $P_j$ and all preceding plaintext blocks. Consequently, rearranging the order of ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.

(3) Error propagation: a single bit error in ciphertext block $C_j$ affects decipherment of blocks $C_j$ and $C_{j+1}$.

(4) Error recovery: the CBC mode is self-synchronizing or ciphertext autokey in the sense that if an error (including loss of one or more entire blocks) occurs in block $C_j$ but not $C_{j+1}$, $C_{j+2}$ is correctly decrypted to $P_{j+2}$.

8.3 Cipher Feedback (CFB)

The plaintext is broken into 8-bit pieces: $P = [P_1, P_2, P_3, \dots]$, where each $P_j$ has 8 bits, rather than 64 bits. The CFB mode has the following operations.

Encryption Procedure

An initial 64-bit $X_1$ is chosen. Then for $j = 1, 2, 3, \dots$, the following is performed:

$$C_j = P_j \oplus L_8(E_K(X_j)), \qquad X_{j+1} = R_{56}(X_j) \,\|\, C_j,$$

where $L_8(X)$ denotes the 8 leftmost bits of $X$, $R_{56}(X)$ denotes the 56 rightmost bits of $X$, and $\|$ denotes the concatenation.

Decryption Procedure

$$P_j = C_j \oplus L_8(E_K(X_j)), \qquad X_{j+1} = R_{56}(X_j) \,\|\, C_j.$$

# By the end of the 8th round, the initial $X_1$ has disappeared from the 64-bit register and $X_9 = C_1 \,\|\, C_2 \,\|\, \cdots \,\|\, C_8$.

8.3 Cipher Feedback (CFB) (Continued)

Properties of the CFB mode of operation:

(1) Identical plaintexts: changing the $X_1$ results in the same plaintext input being enciphered to a different output. The $X_1$ need not be secret.

(2) Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block $C_j$ to depend on both $P_j$ and preceding plaintext blocks. Consequently, re-ordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding 8 ciphertext blocks to be correct.

(3) Error propagation: one or more bit errors in any single ciphertext block $C_j$ affect the decipherment of that and the next 8 ciphertext blocks.

8.3 Cipher Feedback (CFB) (Continued)

(4) Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires 8 ciphertext blocks (64 bits) to recover.

(5) Throughput: throughput is decreased by a factor of 64/8 (vs. CBC) in that each execution of $E$ yields only 8 bits of ciphertext output.

Comment. Since the encryption function $E$ is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher $E$ is a public-key algorithm; instead, the CBC mode should be used.

9 Message Authentication Code

Definition 1. A message authentication code (MAC) algorithm is a family of functions $h_k$ parameterized by a secret key $k$, with the following properties:

(1) Ease of computation: for a known function $h_k$, given a value $k$ and an input $x$, $h_k(x)$ is easy to compute. This result is called the MAC-value or MAC.

(2) Compression: $h_k$ maps an input $x$ of arbitrary finite bit length to an output $h_k(x)$ of fixed bit length $n$. Furthermore, given a description of the function family $h$, for every fixed allowable value of $k$ (unknown to an adversary), the following property holds:

(3) Computation-resistance: given zero or more text-MAC pairs $(x_i, h_k(x_i))$, it is computationally infeasible to compute any text-MAC pair $(x, h_k(x))$ for any new input $x \neq x_i$ (including possibly for $h_k(x) = h_k(x_i)$ for some $i$).

9.1 Objectives of Adversaries vs. MAC

The goal: without prior knowledge of a key $k$, compute a new text-MAC pair $(x, h_k(x))$ for some text $x \neq x_i$, given one or more pairs $(x_i, h_k(x_i))$.

The potential abilities of the adversaries:

(1) Known-text attack.

(2) Chosen-text attack: one or more text-MAC pairs $(x_i, h_k(x_i))$ are available for $x_i$ chosen by the adversary.

(3) Adaptive chosen-text attack: now allowing successive choices to be based on the results of prior queries.

9.2 Types of Forgery

The severity of the practical consequences may differ depending on the degree of control an adversary has over the value $x$ for which a MAC may be forged.

(1) Selective forgery: attacks whereby an adversary is able to produce a new text-MAC pair for a text of his choice (or perhaps partially under his control).

(2) Existential forgery: attacks whereby an adversary is able to produce a new text-MAC pair, but with no control over the value of that text.

9.3 Case Study: CBC-Based MAC

Let $E$ be a block cipher. The message $M$ is broken into $n$-bit blocks $[M_1, M_2, \dots, M_t]$, where $n$ is the block length of $E$. The CBC-MAC algorithm performs the following steps:

(1) CBC processing. Compute the block $H_t$ as follows:

$$H_1 = E_K(M_1); \qquad H_i = E_K(H_{i-1} \oplus M_i), \quad 2 \le i \le t.$$

(2) Optional process to increase the strength of the MAC. Using a second secret key $K'$, optionally compute:

$$H_t \leftarrow E_K(D_{K'}(H_t)).$$

(3) Completion. The MAC is the $n$-bit block $H_t$.

9.3 Case Study: CBC-Based MAC (Continued)

[Figure: CBC-MAC chain. $M_1$ passes through $E_K$ to give $H_1$; $M_2 \oplus H_1$ passes through $E_K$ to give $H_2$; ...; $M_t \oplus H_{t-1}$ passes through $E_K$ to give $H_t$; optionally $H_t$ then passes through $D_{K'}$ and $E_K$ to give the final $H_t$.]

9.3 Case Study: CBC-Based MAC (Continued)

Comment.

(1) It is obvious that the computation for creating a CBC-MAC involves noninvertible data compression (in essence, a CBC-MAC is a 'short digest' of the whole message), and so a CBC-MAC is a one-way transformation.

(2) The mixing-transformation property of the underlying block cipher adds a hash feature to this one-way transformation (i.e., distributes a MAC over the MAC space as uniformly as the underlying block cipher should do over its ciphertext message space).

(3) We can assume that in order to create a valid CBC-MAC, a principal actually has to be in possession of the key $K$ for the underlying block cipher algorithm. The receiver who shares the key $K$ with the transmitter should recalculate the MAC from the received message and check that it agrees with the version received. If so, the message can be believed to have come from the claimed transmitter.
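An added example (not from the slides) of the ECB, CBC and 8-bit CFB modes of Section 8 and the CBC-MAC of Section 9.3, each written against an abstract 64-bit $E_K$/$D_K$. The block cipher it runs on is a constructed stand-in (a small Feistel network whose round function is SHA-256 from the standard library), not AES, and messages are assumed to be a whole number of 8-byte blocks; `error_spread` and the names below are this example's own.

```python
import hashlib

N = 8  # block length in bytes (64 bits); also the CFB register width of slide 44

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k: bytes, half: bytes, rnd: int) -> bytes:
    """Round function of the stand-in cipher: keyed SHA-256 truncated to 4 bytes."""
    return hashlib.sha256(k + bytes([rnd]) + half).digest()[:4]

def E(k: bytes, block: bytes) -> bytes:
    """Stand-in E_K: a 4-round Feistel network on an 8-byte block (NOT AES)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(k, r, rnd))
    return r + l

def D(k: bytes, block: bytes) -> bytes:
    """Stand-in D_K: the same rounds run backwards."""
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(k, l, rnd)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + N] for i in range(0, len(data), N)]

def ecb(k, data, decrypt=False):  # C_j = E_K(P_j): every block stands alone
    f = D if decrypt else E
    return b"".join(f(k, b) for b in blocks(data))

def cbc_encrypt(k, c0, pt):  # C_j = E_K(P_j XOR C_{j-1})
    out, prev = [], c0
    for p in blocks(pt):
        prev = E(k, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, c0, ct):  # P_j = C_{j-1} XOR D_K(C_j)
    out, prev = [], c0
    for c in blocks(ct):
        out.append(xor(prev, D(k, c)))
        prev = c
    return b"".join(out)

def cfb8(k, x1, data, decrypt=False):  # C_j = P_j XOR L_8(E_K(X_j)); X_{j+1} = R_56(X_j) || C_j
    out, x = [], x1
    for b in data:
        o = b ^ E(k, x)[0]               # only E_K is ever used, in both directions
        out.append(o)
        x = x[1:] + bytes([b if decrypt else o])   # the register always takes the ciphertext byte
    return bytes(out)

def cbc_mac(k, msg, k2=None):  # H_1 = E_K(M_1); H_i = E_K(H_{i-1} XOR M_i); MAC = H_t
    h = bytes(N)
    for m in blocks(msg):
        h = E(k, xor(h, m))
    if k2 is not None:  # optional strengthening step: H_t <- E_K(D_K'(H_t))
        h = E(k, D(k2, h))
    return h

def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    d = bytearray(data)
    d[index] ^= 1 << bit
    return bytes(d)

def error_spread(decrypt, ct, pt, index):
    """Plaintext byte positions that change when bit 0 of ciphertext byte
    `index` is corrupted before decryption (the error-propagation property)."""
    bad = decrypt(flip_bit(ct, index))
    return [i for i in range(len(pt)) if bad[i] != pt[i]]

if __name__ == "__main__":  # constructed demo key, C_0 / X_1 and a 4-block message
    k, c0 = b"constructed-key!", bytes(N)
    pt = b"BLOCK-A!" * 2 + b"BLOCK-B!" + b"BLOCK-C!"
    c = ecb(k, pt)
    print("ECB repeats a repeated block:", c[:N] == c[N:2 * N])
    print("CBC bytes hit:", error_spread(lambda x: cbc_decrypt(k, c0, x), cbc_encrypt(k, c0, pt), pt, N))
    print("CFB-8 bytes hit:", error_spread(lambda x: cfb8(k, c0, x, True), cfb8(k, c0, pt), pt, 3))
```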

Thank You!