1 © Information Security Group, ICU
AES (Rijndael)
Joan Daemen and Vincent Rijmen, "The Design of Rijndael, AES – The Advanced Encryption Standard", Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael: variable block and key sizes; AES: fixed
Slide 2
AES requirements
- Block cipher
- 128-bit blocks
- 128/192/256-bit keys
- Worldwide royalty free
- More secure than Triple DES
- More efficient than Triple DES
Slide 3
AES Calendar
- Jan. 2, 1997: Announcement of intent to develop AES and request for comments
- Sep. 12, 1997: Formal call for candidate algorithms
- Aug. 20-22, 1998: First AES Candidate Conference (AES1) and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
- Mar. 22-23, 1999: Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected
- Apr. 2000: Third AES Candidate Conference (AES3)
- Sep. 2000: Final AES selection (Rijndael!)
Slide 4
AES Round 1 algorithms
15 algorithms were proposed at the AES1 conference.
Slide 5
AES Round 2 Algorithms
After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidate algorithms.
Cipher   | Submitter                | Structure         | Nonlinear Component
MARS     | IBM                      | Feistel structure | S-box, DD-Rotation
RC6      | RSA Lab.                 | Feistel structure | Rotation
Rijndael | Daemen, Rijmen           | SPN structure     | S-box
Serpent  | Anderson, Biham, Knudsen | SPN structure     | S-box
Twofish  | Schneier et al.          | Feistel structure | S-box
Slide 6
Security of AES Candidates
Alg. (Rounds)                        | Structure | Rounds attacked (key size) | Type of Attack   | Texts         | Mem. Bytes | Ops
MARS (16 Core (C) + 16 Mixing (M))   | Feistel   | 11C                        | Amp. Boomerang   | 2^65          | 2^70       | 2^229
                                     |           | 16M, 5C                    | Diff. M-i-M      | 2^50          | 2^197      | 2^247
                                     |           | 16M, 5C                    | Amp. Boomerang   | 2^69          | 2^73       | 2^197
RC6 (20)                             | Feistel   | 14                         | Stat. Disting.   | 2^118         | 2^112      | 2^122
                                     |           | 12                         | Stat. Disting.   | 2^94          | 2^42       | 2^119
                                     |           | 15 (256)                   | Stat. Disting.   | 2^119         | 2^138      | 2^215
Rijndael (10 (128), 12 (192), 14 (256)) | SPN    | 6                          | Truncated Diff.  | 2^32          | 7*2^32     | 2^72
                                     |           | 7                          | Truncated Diff.  | 2^128 ~ 2^119 | 2^61       | 2^120
                                     |           | 8 (256)                    | Truncated Diff.  | 2^128 ~ 2^119 | 2^101      | 2^204
                                     |           | 9 (256)                    | Related Key      | 2^77          | NA         | 2^224
Serpent (32)                         | SPN       | 8 (192,256)                | Amp. Boomerang   | 2^113         | 2^119      | 2^179
                                     |           | 6 (256)                    | Meet-in-Middle   | 512           | 2^246      | 2^247
                                     |           | 6                          | Differential     | 2^71          | 2^75       | 2^103
                                     |           | 7 (256)                    | Differential     | 2^41          | 2^126      | 2^248
                                     |           | 8 (192,256)                | Boomerang        | 2^122         | 2^133      | 2^163
                                     |           | 9 (256)                    | Amp. Boomerang   | 2^110         | 2^212      | 2^252
Twofish (16)                         | Feistel   | 6 (256)                    | Impossible Diff. | NA            | NA         | 2^256
Slide 7
Comparison of AES2 algorithms (I)
[Figure: Encryption speed analysis by NIST]
Slide 8
Comparison of AES2 algorithms (II)
[Figure: Java implementation by A. Sterbenz (Graz Univ.)]
Slide 9
Comparison of AES2 algorithms (III)
[Figure: Smart card implementation by F. Sano (Toshiba)]
*: omits the check for "weak" keys in the key schedule
Slide 10
Comparison of AES2 algorithms (IV)
[Figure: CMOS ASIC implementation by Ichikawa (Mitsubishi)]
Slide 11
Rijndael – Overview
Proposed by Joan Daemen, Vincent Rijmen (Belgium)
Design choices
– Square type
– Three distinct invertible uniform transformations (layers):
  Linear mixing layer: guarantees high diffusion
  Non-linear layer: parallel application of S-boxes
  Key addition layer: XOR the round key to the intermediate state
– Initial key addition, final key addition
Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
– Nb: number of columns of the state (4~8)
– Nk: number of columns of the cipher key (4~8)
– Nb is independent from Nk
Slide 12
Rijndael - States
[Figure: State (Nb=6) and Key (Nk=4) as 4-row byte arrays; Number of rounds (Nr)]
Slide 13
Rijndael - Encryption
Block size: 128 bit; Key size: 128/192/256 bit
Component functions
- ByteSubstitution (BS): S-box, byte-wise substitution
- ShiftRow (SR): circular shift
- MixColumn (MC): linear (branch number: 5)
- AddRoundKey (ARK): bit-wise key addition
Omit MC in the last round.
[Figure: 4x4 byte array input -> input whitening (ARK) -> round transformation (BS, SR, MC, ARK) -> output transformation (BS, SR, ARK) -> output]
Slide 14
Properties
Substitution-Permutation Network (SPN)
- (Invertible) Nonlinear layer: confusion
- (Invertible) Linear layer: diffusion
Branch number: measures the diffusion power of the linear layer
Let F be a linear transformation on n words, and W(a) the number of nonzero words in a.
B(F) = min over a ≠ 0 of { W(a) + W(F(a)) }
Rijndael: branch number = 5
Slide 15
Security Goals
K-secure
- No shortcut attacks (key-recovery attack faster than key-exhaustive search)
- No symmetry property such as complementation in DES
- No non-negligible classes of weak keys as in IDEA
- No related-key attacks
Hermetic
- No weakness found for the majority of block ciphers with the same block and key length
Rijndael is K-secure and hermetic
Slide 16
Component Functions
ByteSubstitution: S(x) = x^(-1) in GF(2^8) with almost maximal nonlinearity (p.105), over m(x) = x^8 + x^4 + x^3 + x + 1
ShiftRow: rows shifted by 0, C1, C2, and C3
  Nb  C1  C2  C3
   4   1   2   3
   6   1   2   3
   8   1   3   4
MixColumn: 4 x 4 matrix multiplication over GF(2^8) (p.107), circulant matrix
  [b0]   [02 03 01 01] [a0]
  [b1] = [01 02 03 01] [a1]
  [b2]   [01 01 02 03] [a2]
  [b3]   [03 01 01 02] [a3]
Slide 17
Rijndael: Pseudo-Code
Round(State, RoundKey) {
  ByteSub(State);
  ShiftRow(State);
  MixColumn(State);
  AddRoundKey(State, RoundKey);
}
FinalRound(State, RoundKey) {
  ByteSub(State);
  ShiftRow(State);
  AddRoundKey(State, RoundKey);
}
Rijndael(State, CipherKey) {
  KeyExpansion(CipherKey, ExpandedKey);   /* p.108 */
  AddRoundKey(State, ExpandedKey);
  for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
  FinalRound(State, ExpandedKey + Nb*Nr);
}
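The component functions of slides 13 and 16 and the pseudo-code above, assembled into a working AES-128 encryption (Nb = Nk = 4, Nr = 10) as an added example; this is not the slides' or the authors' code. It assumes the FIPS-197 affine map after the inversion in the S-box (the slides mention only x^-1) and is checked against the FIPS-197 Appendix C.1 test vector.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """S(x) = affine(x^-1): inversion in GF(2^8) (0 -> 0), then the FIPS-197 affine map (assumed)."""
    sbox = []
    for x in range(256):
        inv = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
        rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]   # rotations by 0..4
        sbox.append(0x63 ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4])
    return sbox

SBOX = build_sbox()

def shift_rows(s):
    """State is 16 bytes column-major (byte r + 4c); row r is rotated left by r (C1, C2, C3 = 1, 2, 3)."""
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def mix_columns(s):
    """Each column multiplied by the circulant matrix with first row 02 03 01 01 over GF(2^8)."""
    return [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3) ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
            for c in range(4) for r in range(4)]

def key_expansion(key):
    """Nk = 4, Nb = 4, Nr = 10: 44 words, grouped into 11 round keys of 16 bytes."""
    w, rcon = [list(key[4*i:4*i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:   # RotWord, SubWord, then XOR the round constant into the first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4*r:4*r + 4], []) for r in range(11)]

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def aes128_encrypt(block, key):
    """Initial key addition, Nr-1 full rounds, final round without MixColumn, as in the pseudo-code."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for i in range(1, 10):
        s = add_round_key(mix_columns(shift_rows([SBOX[x] for x in s])), rk[i])
    return bytes(add_round_key(shift_rows([SBOX[x] for x in s]), rk[10]))
```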
Slide 18
Mode of Operations
Slide 19
Mode of operation (I)
ECB (Electronic CodeBook) mode
i) Encryption: C = EK(P)   ii) Decryption: P = DK(C)   (n-bit blocks in, n-bit blocks out)
If Ci = Cj, then DK(Ci) = DK(Cj): equal ciphertext blocks reveal equal plaintext blocks
Slide 20
Mode of operation (II)
CBC (Cipher Block Chaining)
Ci = EK(Pi ⊕ Ci-1)
Pi = DK(Ci) ⊕ Ci-1
IV: Initialization Vector (C0 = IV)
i) Encryption: P1, P2, ..., Pl chained through E with key K, giving C1, C2, ..., Cl
ii) Decryption: C1, C2, ..., Cl through D with key K, giving P1, P2, ..., Pl
- 2-block error propagation
- self-sync
- If |Pl| ≠ block size, padding req'd
Slide 21
Mode of operation (III)
m-bit OFB (Output FeedBack)
Ci = Pi ⊕ O(EK)
Pi = Ci ⊕ O(EK)
O(EK): the m-bit output of EK, fed back as the next cipher input; the first input is the IV
I) Encryption / II) Decryption: the same m-bit keystream is XORed with Pi (resp. Ci)
- No error propagation
- Req'd external sync
- Stream cipher
- EK or DK (only one direction of the cipher is needed)
Slide 22
Mode of operation (IV)
m-bit CFB (Cipher FeedBack)
Ci = Pi ⊕ EK(Ci-1)
Pi = Ci ⊕ EK(Ci-1)
I) Encryption / II) Decryption: IV loaded into the shift register; m bits of the EK output are XORed with Pi (resp. Ci), and Ci is fed back
- Error propagates till the error disappears from the buffer
- self-sync
- EK or DK (only one direction of the cipher is needed)
Slide 23
Mode of operation (V)
Counter mode
Ci = Pi ⊕ EK(Ti)
Pi = Ci ⊕ EK(Ti)
Ti = ctr + i - 1 mod 2^m
|P| = |ctr| = m; parallel computation
[Figure: i) encryption and ii) decryption; counters ctr, ctr+1, ..., ctr+m-1 each passed through EK and XORed with P1, P2, ..., Pm-1 (resp. C1, C2, ..., Cm-1)]
Slide 24
Mode of Operation (VI)
CCM mode (Counter with CBC-MAC mode): Ctr + CBC
Authenticated encryption by producing a MAC as a part of the encryption process
Slide 25
Mode of operation - summary
Use of mode
- ECB: key management; useless for file encryption
- CBC: file encryption; useful for MAC
- m-bit CFB: self-sync; impossible to use on a channel with low BER
- m-bit OFB: external sync; m = 1, 8 or n
- Ctr: secret ctr; parallel computation
- CCM: authenticated encryption
Performance degradation / cost tradeoff
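As an added example (not from the slides), the five modes of slides 19 to 23 implemented over a stand-in block cipher, with a function that flips one ciphertext bit and reports which plaintext blocks decrypt wrongly; this reproduces the error-propagation claims of slides 20 to 23 and the summary above. The Feistel-over-SHA-256 stand-in, the key and the IV are constructed for the example and are not AES.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, decrypt=False):
    """Stand-in 16-byte block cipher (4-round Feistel on SHA-256), an assumption of this example, not AES."""
    L, R = block[:8], block[8:]
    for r in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([r]) + R).digest()[:8]
        L, R = R, xor(L, f)
    return R + L   # halves are swapped so decryption runs the same loop with reversed rounds

def ecb(key, iv, blocks, decrypt):
    return [feistel(key, b, decrypt) for b in blocks]   # C = EK(P): equal blocks stay equal

def cbc(key, iv, blocks, decrypt):
    out, prev = [], iv
    for b in blocks:   # Ci = EK(Pi xor Ci-1);  Pi = DK(Ci) xor Ci-1, so a bad Ci hits Pi and Pi+1
        out.append(xor(feistel(key, b, True), prev) if decrypt else feistel(key, xor(b, prev)))
        prev = b if decrypt else out[-1]
    return out

def cfb(key, iv, blocks, decrypt):
    out, prev = [], iv
    for b in blocks:   # Ci = Pi xor EK(Ci-1); only EK is used, in both directions
        out.append(xor(b, feistel(key, prev)))
        prev = b if decrypt else out[-1]
    return out

def ofb(key, iv, blocks, decrypt):
    out, o = [], iv
    for b in blocks:   # keystream O = EK(O) depends only on the IV, never on the data
        o = feistel(key, o)
        out.append(xor(b, o))
    return out

def ctr(key, iv, blocks, decrypt):
    n = int.from_bytes(iv, "big")   # Ti = ctr + i - 1 mod 2^128; every block is independent
    return [xor(b, feistel(key, ((n + i) % 2**128).to_bytes(16, "big"))) for i, b in enumerate(blocks)]

MODES = {"ECB": ecb, "CBC": cbc, "CFB": cfb, "OFB": ofb, "CTR": ctr}

def corrupted_blocks(mode, nblocks=4, hit=1):
    """Encrypt, flip one bit of ciphertext block `hit`, decrypt; return the indices of damaged plaintext blocks."""
    key, iv = b"k" * 16, b"\x00" * 16   # constructed sample key and IV
    pt = [bytes([i]) * 16 for i in range(nblocks)]
    ct = MODES[mode](key, iv, pt, False)
    ct[hit] = bytes([ct[hit][0] ^ 0x80]) + ct[hit][1:]
    return [i for i, p in enumerate(MODES[mode](key, iv, ct, True)) if p != pt[i]]
```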