Chapter 06-AC-Dolin - 20241002

Cryptography and Network Security
Eighth Edition, Global Edition
by William Stallings

Copyright © 2023 Pearson Education, Ltd. All Rights Reserved.


Chapter 6
Advanced Encryption Standard



Finite Field Arithmetic
Groups, Rings, and Fields
• In the Advanced Encryption Standard (AES) all operations are performed on 8-bit bytes
• The arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)
• A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
• Division is defined with the following rule: a / b = a · (b^-1), where b^-1 is the multiplicative inverse of b
• An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, ..., p - 1}, where p is a prime number and in which arithmetic is carried out modulo p
Finite Field Arithmetic
• If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field
  • Division requires that each nonzero element have a multiplicative inverse
• For convenience and for implementation efficiency we would like to work with integers that fit exactly into a given number of bits with no wasted bit patterns
  • Integers in the range 0 through 2^n - 1, which fit into an n-bit word
• The set of such integers, Z_{2^n}, using modular arithmetic, is not a field
  • For example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b such that 2b mod 2^n = 1
• A finite field containing 2^n elements is referred to as GF(2^n)
  • Every polynomial in GF(2^n) can be represented by an n-bit number
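The contrast the two slides above draw (Z_{2^n} is not a field, GF(2^n) is) is easy to check by computing the inverses. The following is an added example, not code from the slides or from Stallings: it represents a polynomial over GF(2) as an integer whose bits are the coefficients, implements addition, multiplication, division and the extended Euclidean inverse, and tests the field property for integers modulo 256 against GF(2^8). The default modulus 0x11B is the AES polynomial x^8 + x^4 + x^3 + x + 1; the function names and the choice of any other irreducible modulus (for example 0x13 for GF(2^4)) are this example's own.

```python
# Added example (not from the Stallings slides): arithmetic in GF(2^n) with
# integer-encoded polynomials, and a check of why Z_{2^n} is not a field.
# The default modulus 0x11B is the AES polynomial x^8 + x^4 + x^3 + x + 1;
# any other irreducible polynomial of degree n (the caller's assumption)
# gives a different but equally valid GF(2^n).

def clmul(a, b):
    """Carry-less (polynomial) multiply over GF(2), no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def poly_divmod(a, b):
    """Long division of binary polynomials: returns (quotient, remainder)."""
    q = 0
    while b and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def gf_add(a, b):
    """Addition (and subtraction) is XOR: each coefficient lives in GF(2)."""
    return a ^ b

def gf_mul(a, b, mod=0x11B):
    """Multiply in GF(2^n), where mod is an irreducible polynomial of degree n."""
    return poly_divmod(clmul(a, b), mod)[1]

def gf_inv(a, mod=0x11B):
    """Multiplicative inverse via the extended Euclidean algorithm on polynomials.
    Maintains r_i == t_i * a (mod `mod`) until r_i == 1, so t_i is the inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, t0, t1 = mod, a, 0, 1
    while r1 != 1:
        if r1 == 0:
            raise ValueError("gcd != 1: modulus is not irreducible, no inverse")
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ clmul(q, t1)
    return poly_divmod(t1, mod)[1]

def gf_div(a, b, mod=0x11B):
    """Division as defined on the slide: a / b = a * b^-1."""
    return gf_mul(a, gf_inv(b, mod), mod)

def is_field_mod_int(m):
    """True iff every nonzero integer in Z_m has an inverse, i.e. Z_m is a field."""
    return all(any((a * b) % m == 1 for b in range(1, m)) for a in range(1, m))

def is_field_gf(mod):
    """True iff every nonzero polynomial of degree < deg(mod) has an inverse mod `mod`."""
    n = mod.bit_length() - 1
    try:
        return all(gf_mul(x, gf_inv(x, mod), mod) == 1 for x in range(1, 1 << n))
    except ValueError:
        return False

if __name__ == "__main__":
    print(hex(gf_mul(0x57, 0x83)))                      # FIPS-197 worked example: 0xc1
    print(hex(gf_inv(0x53)))                            # 0xca, since {53} * {ca} = {01}
    print(is_field_mod_int(256), is_field_gf(0x11B))    # False True
```

`is_field_mod_int(256)` fails at a = 2 (and every other even residue), which is the slide's point; `is_field_gf(0x11B)` succeeds for all 255 nonzero bytes. Passing a reducible modulus such as 0x11C makes the Euclidean loop hit a zero remainder before reaching 1, which `gf_inv` reports instead of looping.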


Figure 6.2 AES Data Structures
(a) Input, state array, and output: the 16 input bytes in0 ... in15 fill the 4 x 4 State array column by column, so s_{r,c} = in_{r+4c}; the output is read out the same way, out_{r+4c} = s_{r,c}
(b) Key and expanded key: the 16 key bytes k0 ... k15 fill a 4 x 4 array column by column, and key expansion produces the 44 words w0, w1, w2, ..., w42, w43


Table 6.1 AES Parameters
Detailed Structure
• Processes the entire data block as a single matrix during each round using substitutions and permutation
• The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]
• Four different stages are used:
  • Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
  • ShiftRows – a simple permutation
  • MixColumns – a substitution that makes use of arithmetic over GF(2^8)
  • AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key (the only stage that depends on the key; the other three are fixed, public transformations)
• The cipher begins and ends with an AddRoundKey stage
• Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on
• Each stage is easily reversible
• The decryption algorithm makes use of the expanded key in reverse order; however, the decryption algorithm is not identical to the encryption algorithm
• State is the same for both encryption and decryption
• Final round of both encryption and decryption consists of only three stages


Figure 6.4 AES Encryption Round
State → SubBytes (16 independent S-box lookups S, one per byte of State) → State → ShiftRows → State → MixColumns (4 column mixes M, one per column) → State → AddRoundKey (XOR with the 16 round-key bytes r0 ... r15) → State
Figure 6.5 AES Byte-Level Operations
(a) Substitute byte transformation: each byte s_{r,c} of State is replaced through the S-box by s'_{r,c}, independently of every other byte
(b) Add round key transformation: the four columns of State are XORed with four consecutive words w_i, w_{i+1}, w_{i+2}, w_{i+3} of the expanded key, one word per column, giving s'_{r,c}
Table 6.2 (a) S-box

Table 6.2 (b) Inverse S-box


Figure 6.6 Construction of S-Box and IS-Box

(a) Calculation of byte at row y, column x of S-box: the byte is initialized to yx, replaced by its multiplicative inverse in GF(2^8) (0 maps to 0), converted to a bit column vector (b_0, ..., b_7), passed through the affine transformation below, and converted back to the byte S(yx):

$$
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
=
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix}
$$

(b) Calculation of byte at row y, column x of IS-box: the byte is initialized to yx, converted to a bit column vector, passed through the inverse affine transformation below, converted back to a byte, and replaced by its multiplicative inverse in GF(2^8) to give IS(yx):

$$
\begin{bmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{bmatrix}
=
\begin{bmatrix}
0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 1 & 0
\end{bmatrix}
\begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{bmatrix}
\oplus
\begin{bmatrix} 1 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{bmatrix}
$$

The constant vectors are the bytes 0x63 (for S) and 0x05 (for IS), written with b_0 as the least significant bit.
S-Box Rationale
• The S-box is designed to be resistant to known cryptanalytic attacks
• The Rijndael developers sought a design that has a low correlation between input bits and output bits and the property that the output is not a linear mathematical function of the input
• The nonlinearity is due to the use of the multiplicative inverse; the affine transformation that follows it removes the fixed points (S(x) = x) and opposite fixed points (S(x) = x XOR 0xFF) that the inverse alone would have
Shift Row Rationale
• More substantial than it may first appear
• The State, as well as the cipher input and output, is treated as an array of four 4-byte columns
• On encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on
• The round key is applied to State column by column
• Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes
• Transformation ensures that the 4 bytes of one column are spread out to four different columns
Mix Columns Rationale
• Coefficients of a matrix based on a linear code with maximal distance between code words (an MDS code) ensure a good mixing among the bytes of each column: any change to one input byte of a column changes all four output bytes
• The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits


AddRoundKey Transformation
• The 128 bits of State are bitwise XORed with the 128 bits of the round key
• Operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key
• Can also be viewed as a byte-level operation
Rationale:
• Is as simple as possible and affects every bit of State
• The complexity of the round key expansion plus the complexity of the other stages of AES ensure security


Figure 6.8 Inputs for Single AES Round
Variable input: State matrix at beginning of round → SubBytes → ShiftRows → MixColumns → AddRoundKey → State matrix at end of round
Constant inputs: the S-box (to SubBytes), the MixColumns matrix (to MixColumns), and the round key (to AddRoundKey)

MixColumns matrix:
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02


AES Key Expansion
• Takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes)
• This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher
• Key is copied into the first four words of the expanded key
• The remainder of the expanded key is filled in four words at a time
• Each added word w[i] depends on the immediately preceding word, w[i - 1], and the word four positions back, w[i - 4]
• In three out of four cases a simple XOR is used
• For a word whose position in the w array is a multiple of 4, a more complex function g is used
Figure 6.9 AES Key Expansion
(a) Overall algorithm: the key bytes k0 ... k15 form the first four words w0 w1 w2 w3; each later group w4 w5 w6 w7, ..., w40 w41 w42 w43 is derived from the previous group, with w[i] = w[i - 4] XOR g(w[i - 1]) when i is a multiple of 4 and w[i] = w[i - 4] XOR w[i - 1] otherwise
(b) Function g: the word B0 B1 B2 B3 is rotated one byte to the left to give B1 B2 B3 B0, each byte is passed through the S-box S to give B1' B2' B3' B0', and the result is XORed with the round constant word (RCj, 0, 0, 0) to give w'
Key Expansion Rationale
• The Rijndael developers designed the key expansion algorithm to be resistant to known cryptanalytic attacks
• Inclusion of a round-dependent round constant eliminates the symmetry between the ways in which round keys are generated in different rounds
The specific criteria that were used are:
• Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits
• An invertible transformation
• Speed on a wide range of processors
• Usage of round constants to eliminate symmetries
• Diffusion of cipher key differences into the round keys
• Enough nonlinearity to prohibit the full determination of round key differences from cipher key differences only
• Simplicity of description


Table 6.3 Example Round Key Calculation

Description                                          Value
i (decimal)                                          36
temp = w[i - 1]                                      7F8D292F
RotWord(temp)                                        8D292F7F
SubWord(RotWord(temp))                               5DA515D2
Rcon(9)                                              1B000000
SubWord(RotWord(temp)) ⊕ Rcon(9)                     46A515D2
w[i - 4]                                             EAD27321
w[i] = w[i - 4] ⊕ SubWord(RotWord(temp)) ⊕ Rcon(9)   AC7766F3


Table 6.4 Key Expansion for AES Example

Key Words                         | Auxiliary Function
w0 = 0f 15 71 c9                  | RotWord(w3) = 7f 67 98 af = x1
w1 = 47 d9 e8 59                  | SubWord(x1) = d2 85 46 79 = y1
w2 = 0c b7 ad d6                  | Rcon(1) = 01 00 00 00
w3 = af 7f 67 98                  | y1 ⊕ Rcon(1) = d3 85 46 79 = z1
w4 = w0 ⊕ z1 = dc 90 37 b0        | RotWord(w7) = 81 15 a7 38 = x2
w5 = w4 ⊕ w1 = 9b 49 df e9        | SubWord(x2) = 0c 59 5c 07 = y2
w6 = w5 ⊕ w2 = 97 fe 72 3f        | Rcon(2) = 02 00 00 00
w7 = w6 ⊕ w3 = 38 81 15 a7        | y2 ⊕ Rcon(2) = 0e 59 5c 07 = z2
w8 = w4 ⊕ z2 = d2 c9 6b b7        | RotWord(w11) = ff d3 c6 e6 = x3
w9 = w8 ⊕ w5 = 49 80 b4 5e        | SubWord(x3) = 16 66 b4 8e = y3
w10 = w9 ⊕ w6 = de 7e c6 61       | Rcon(3) = 04 00 00 00
w11 = w10 ⊕ w7 = e6 ff d3 c6      | y3 ⊕ Rcon(3) = 12 66 b4 8e = z3
w12 = w8 ⊕ z3 = c0 af df 39       | RotWord(w15) = ae 7e c0 b1 = x4
w13 = w12 ⊕ w9 = 89 2f 6b 67      | SubWord(x4) = e4 f3 ba c8 = y4
w14 = w13 ⊕ w10 = 57 51 ad 06     | Rcon(4) = 08 00 00 00
w15 = w14 ⊕ w11 = b1 ae 7e c0     | y4 ⊕ Rcon(4) = ec f3 ba c8 = z4
w16 = w12 ⊕ z4 = 2c 5c 65 f1      | RotWord(w19) = 8c dd 50 43 = x5
w17 = w16 ⊕ w13 = a5 73 0e 96     | SubWord(x5) = 64 c1 53 1a = y5
w18 = w17 ⊕ w14 = f2 22 a3 90     | Rcon(5) = 10 00 00 00
w19 = w18 ⊕ w15 = 43 8c dd 50     | y5 ⊕ Rcon(5) = 74 c1 53 1a = z5
w20 = w16 ⊕ z5 = 58 9d 36 eb      | RotWord(w23) = 40 46 bd 4c = x6
w21 = w20 ⊕ w17 = fd ee 38 7d     | SubWord(x6) = 09 5a 7a 29 = y6
w22 = w21 ⊕ w18 = 0f cc 9b ed     | Rcon(6) = 20 00 00 00
w23 = w22 ⊕ w19 = 4c 40 46 bd     | y6 ⊕ Rcon(6) = 29 5a 7a 29 = z6
w24 = w20 ⊕ z6 = 71 c7 4c c2      | RotWord(w27) = a5 a9 ef cf = x7
w25 = w24 ⊕ w21 = 8c 29 74 bf     | SubWord(x7) = 06 d3 df 8a = y7
w26 = w25 ⊕ w22 = 83 e5 ef 52     | Rcon(7) = 40 00 00 00
w27 = w26 ⊕ w23 = cf a5 a9 ef     | y7 ⊕ Rcon(7) = 46 d3 df 8a = z7
w28 = w24 ⊕ z7 = 37 14 93 48      | RotWord(w31) = 7d a1 4a f7 = x8
w29 = w28 ⊕ w25 = bb 3d e7 f7     | SubWord(x8) = ff 32 d6 68 = y8
w30 = w29 ⊕ w26 = 38 d8 08 a5     | Rcon(8) = 80 00 00 00
w31 = w30 ⊕ w27 = f7 7d a1 4a     | y8 ⊕ Rcon(8) = 7f 32 d6 68 = z8
w32 = w28 ⊕ z8 = 48 26 45 20      | RotWord(w35) = be 0b 38 3c = x9
w33 = w32 ⊕ w29 = f3 1b a2 d7     | SubWord(x9) = ae 2b 07 eb = y9
w34 = w33 ⊕ w30 = cb c3 aa 72     | Rcon(9) = 1b 00 00 00
w35 = w34 ⊕ w31 = 3c be 0b 38     | y9 ⊕ Rcon(9) = b5 2b 07 eb = z9
w36 = w32 ⊕ z9 = fd 0d 42 cb      | RotWord(w39) = 6b 41 56 f9 = x10
w37 = w36 ⊕ w33 = 0e 16 e0 1c     | SubWord(x10) = 7f 83 b1 99 = y10
w38 = w37 ⊕ w34 = c5 d5 4a 6e     | Rcon(10) = 36 00 00 00
w39 = w38 ⊕ w35 = f9 6b 41 56     | y10 ⊕ Rcon(10) = 49 83 b1 99 = z10
w40 = w36 ⊕ z10 = b4 8e f3 52     |
w41 = w40 ⊕ w37 = ba 98 13 4e     |
w42 = w41 ⊕ w38 = 7f 4d 59 20     |
w43 = w42 ⊕ w39 = 86 26 18 76     |

Each x_j is RotWord of the last word of the previous group, y_j = SubWord(x_j), and z_j = y_j ⊕ Rcon(j) is the value g produces; w[4j] = w[4j - 4] ⊕ z_j, and the three following words are plain XORs.


Table 6.5 AES Example

Table 6.6 Avalanche Effect in AES: Change in Plaintext


Table 6.7 Avalanche Effect in AES: Change in Key

Round | State (original key / key with one bit changed)                          | Number of bits that differ
0     | 0123456789abcdeffedcba9876543210 / 0123456789abcdeffedcba9876543210      | 0
      | 0e3634aece7225b6f26b174ed92b5588 / 0f3634aece7225b6f26b174ed92b5588      | 1
1     | 657470750fc7ff3fc0e8e8ca4dd02a9c / c5a9ad090ec7ff3fc1e8e8ca4cd02a9c      | 22
2     | 5c7bb49a6b72349b05a2317ff46d1294 / 90905fa9563356d15f3760f3b8259985      | 58
3     | 7115262448dc747e5cdac7227da9bd9c / 18aeb7aa794b3b66629448d575c7cebf      | 67
4     | f867aee8b437a5210c24c1974cffeabc / f81015f993c978a876ae017cb49e7eec      | 63
5     | 721eb200ba06206dcbd4bce704fa654e / 5955c91b4e769f3cb4a94768e98d5267      | 81
6     | 0ad9d85689f9f77bc1c5f71185e5fb14 / dc60a24d137662181e45b8d3726b2920      | 70
7     | db18a8ffa16d30d5f88b08d777ba4eaa / fe8343b8f88bef66cab7e977d005a03c      | 74
8     | f91b4fbfe934c9bf8f2f85812b084989 / da7dad581d1725c5b72fa0f9d9d1366a      | 67
9     | cca104a13e678500ff59025f3bafaa34 / 0ccb4c66bbfd912f4b511d72996345e0      | 59
10    | ff0b844a0853bf7c6934ab4364148fb9 / fc8923ee501a7d207ab670686839996b      | 53

The two lines of round 0 are the plaintext itself and the state after the initial AddRoundKey; the remaining rows are the state at the end of each round.
AES Implementation
• AES decryption cipher is not identical to the encryption cipher
• The sequence of transformations differs although the form of the key schedules is the same
• Has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption
Two separate changes are needed to bring the decryption structure in line with the encryption structure:
• The first two stages of the decryption round need to be interchanged
• The second two stages of the decryption round need to be interchanged


Interchanging InvShiftRows and InvSubBytes
• InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation
• InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation
Thus, these two operations commute and can be interchanged
Interchanging AddRoundKey and InvMixColumns
• The transformations AddRoundKey and InvMixColumns do not alter the sequence of bytes in State
• If we view the key as a sequence of words, then both AddRoundKey and InvMixColumns operate on State one column at a time
• These two operations are linear with respect to the column input
Thus InvMixColumns(State ⊕ RoundKey) = InvMixColumns(State) ⊕ InvMixColumns(RoundKey), and the two stages can be interchanged provided the round key is itself passed through InvMixColumns first


Figure 6.10 Equivalent Inverse Cipher
Ciphertext → Add round key (w[40, 43]) → Round 1: Inverse sub bytes, Inverse shift rows, Inverse mix cols, Add round key (w[36, 39] passed through Inverse mix cols) → ... → Round 9: Inverse sub bytes, Inverse shift rows, Inverse mix cols, Add round key (w[4, 7] passed through Inverse mix cols) → Round 10: Inverse sub bytes, Inverse shift rows, Add round key (w[0, 3]) → Plaintext
The round keys come from Expand key applied to Key; in rounds 1 through 9 the round key is passed through Inverse mix cols before it is added, so that the round has the same stage order as an encryption round.
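The pieces above (the S-box construction of Figure 6.6, the four stages of Figures 6.4 and 6.8, the key expansion of Figure 6.9 with the values of Tables 6.3 and 6.4, the round-by-round avalanche counts of Table 6.7, and the equivalent inverse cipher of Figure 6.10) fit together in under a hundred lines. The following is an added example, not code from the slides, from Stallings or from any AES library: a plain AES-128 that keeps State in the column-major byte order of Figure 6.2 and decrypts with the interchanged stage order of Figure 6.10. The key and plaintext at the bottom are the worked-example values printed in Tables 6.4 and 6.7; the function names and the one-bit key flip are this example's own.

```python
# Added example (not from the Stallings slides): AES-128 written to follow
# Figures 6.4-6.10 directly. State is the column-major 16-byte array of
# Figure 6.2, so state[r + 4*c] is the byte at row r, column c.

def xtime(a):                                  # multiply by x in GF(2^8) mod 0x11B
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):                              # GF(2^8) multiply, shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def make_sbox():
    """Figure 6.6a: S(x) = affine transform of x^-1 in GF(2^8), with inv(0) := 0."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):                   # x^254 == x^-1 for x != 0
            inv = gf_mul(inv, x)
        box.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return box

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def g(word, j):
    """Function g of Figure 6.9b: RotWord, SubWord, then XOR with Rcon(j)."""
    t = [SBOX[b] for b in word[1:] + word[:1]]
    t[0] ^= RCON[j - 1]
    return bytes(t)

def expand_key(key):
    """Figure 6.9a: w[i] = w[i-4] XOR (g(w[i-1]) if i is a multiple of 4 else w[i-1])."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return w

def round_key(w, r): return b"".join(w[4 * r:4 * r + 4])      # words w[4r..4r+3]
def sub_bytes(s, box=SBOX): return [box[b] for b in s]
def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]

def shift_rows(s, inv=False):                  # row r rotates left by r (right if inv)
    d = -1 if inv else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, m=(2, 3, 1, 1)):            # circulant matrix of Figure 6.8
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(m[0], col[r]) ^ gf_mul(m[1], col[(r + 1) % 4])
                       ^ gf_mul(m[2], col[(r + 2) % 4]) ^ gf_mul(m[3], col[(r + 3) % 4]))
    return out

def encrypt_trace(pt, key):
    """Returns 11 states: after the initial AddRoundKey, then after rounds 1..10."""
    w = expand_key(key)
    s = add_round_key(list(pt), round_key(w, 0))
    trace = [bytes(s)]
    for r in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if r < 10:                             # the final round has no MixColumns
            s = mix_columns(s)
        s = add_round_key(s, round_key(w, r))
        trace.append(bytes(s))
    return trace

def encrypt(pt, key): return encrypt_trace(pt, key)[-1]

def decrypt(ct, key):
    """Equivalent inverse cipher (Figure 6.10): encryption's stage order with the
    inverse stages, round keys in reverse, InvMixColumns applied to keys 1..9."""
    w = expand_key(key)
    s = add_round_key(list(ct), round_key(w, 10))
    for r in range(9, -1, -1):
        s = shift_rows(sub_bytes(s, INV_SBOX), inv=True)   # these two stages commute
        rk = list(round_key(w, r))
        if r > 0:
            s = mix_columns(s, (14, 11, 13, 9))
            rk = mix_columns(rk, (14, 11, 13, 9))  # IMC(s ^ k) == IMC(s) ^ IMC(k)
        s = add_round_key(s, rk)
    return bytes(s)

def avalanche(pt1, key1, pt2, key2):
    """Tables 6.6/6.7: bits that differ between the two traces, round by round."""
    t1, t2 = encrypt_trace(pt1, key1), encrypt_trace(pt2, key2)
    return [sum(bin(a ^ b).count("1") for a, b in zip(x, y)) for x, y in zip(t1, t2)]

# Constructed inputs: the key and plaintext of the slides' worked example (Tables 6.4, 6.7).
KEY = bytes.fromhex("0f1571c947d9e8590cb7add6af7f6798")
PT = bytes.fromhex("0123456789abcdeffedcba9876543210")
KEY_FLIPPED = bytes([KEY[0] ^ 0x01]) + KEY[1:]   # Table 6.7: one key bit changed
```

Running `encrypt_trace(PT, KEY)` reproduces the left column of Table 6.7 (0e3634ae... after the initial AddRoundKey, 65747075... after round 1, ff0b844a... after round 10), `avalanche(PT, KEY, PT, KEY_FLIPPED)` reproduces its bit counts, and `g(bytes.fromhex("7f8d292f"), 9)` gives the 46A515D2 of Table 6.3. `decrypt` never calls the textbook order InvShiftRows-then-InvSubBytes or adds an unmixed round key, which is exactly the point of Figure 6.10. This code is for study only: its byte-indexed table lookups are not constant-time.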
Implementation Aspects
• AES can be implemented very efficiently on an 8-bit processor
• AddRoundKey is a bytewise XOR operation
• ShiftRows is a simple byte-shifting operation
• SubBytes operates at the byte level and only requires a table of 256 bytes
• MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes; since the coefficients are only 01, 02 and 03, it reduces to XORs plus a multiply-by-x (one shift and a conditional XOR with 1B)
Implementation Aspects
• Can efficiently implement on a 32-bit processor
• Redefine steps to use 32-bit words
• Can precompute 4 tables of 256 words
• Then each column in each round can be computed using 4 table lookups + 4 XORs
• At a cost of 4 KB (4 x 256 x 4 bytes) to store the tables
• Designers believe this very efficient implementation was a key factor in its selection as the AES cipher
• Caveat: the table index is a key-dependent byte of State, so on a processor with data caches the lookup time leaks information about the key (cache-timing attacks); production code uses constant-time implementations such as hardware AES instructions or bitsliced code


Summary
• Present an overview of the general structure of Advanced Encryption Standard (AES)
• Understand the four transformations used in AES
• Explain the AES key expansion algorithm
• Understand the use of polynomials with coefficients in GF(2^8)