Overview of Modern Cryptography - Chuck Easttom

Nov 21, 2013

Symmetric Cryptography

AES in depth

Replacing DES




Between 1972 and 1974 NIST issued the first public request for an encryption standard. As a result, DES became the accepted encryption standard. Although this algorithm was very popular, it has always been surrounded by controversy, as many cryptographers objected to the “closed-door” design of the algorithm. There was also a suspicion that NSA planted a “back-door” in the algorithm, as NSA modified it before it was standardized, although no one has been able to prove this to date.

Furthermore, the key length of DES became too small for acceptable commercial security, so as an interim solution Triple-DES was used for a while because it provided increased security.

Responding to the desire to replace DES with a stronger and more reliable algorithm, NIST announced another public request for an encryption standard, called the Advanced Encryption Standard (AES), in 1997.


Twofish is one of the candidates that made it to the final round of the
AES program.

NIST General Criteria for AES



A 128-bit symmetric block cipher.


Key lengths of 128 bits, 192 bits, and 256 bits.


No weak keys.


Efficiency, both on the Intel Pentium Pro and other
software and hardware platforms.


Flexible design: e.g., accept additional key lengths;
be implementable on a wide variety of platforms
and applications; and be suitable for a stream
cipher, hash function, and MAC.


Simple design, both to facilitate ease of analysis and
ease of implementation.

AES

Advanced Encryption Standard was ultimately chosen as a replacement for DES. AES is also known as the Rijndael block cipher. It was officially designated as a replacement for DES in 2001 after a 5-year process involving 15 competing algorithms. AES is designated as FIPS 197. Other algorithms that did not win that competition include such well-known algorithms as Twofish.

AES can have three different key sizes: 128, 192, or 256 bits. The three different implementations of AES are referred to as AES 128, AES 192, and AES 256. All three operate on a block size of 128 bits.

This algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. Unlike both DES and 3DES, AES is not based on a Feistel network.


AES Continued


This uses a substitution-permutation matrix rather than a Feistel network.

AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of AES with a larger block size have additional columns in the state).

AES General Overview


1. Key Expansion: round keys are derived from the cipher key using Rijndael's key schedule.

2. Initial Round
   1. AddRoundKey: each byte of the state is combined with the round key using bitwise XOR.

3. Rounds
   1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
   3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. AddRoundKey

4. Final Round (no MixColumns)
   1. SubBytes
   2. ShiftRows
   3. AddRoundKey

AES specifics


In the SubBytes step, each byte in the matrix is substituted for another byte using an 8-bit substitution box, called the Rijndael S-box.

The ShiftRows step operates by shifting the bytes in each row by a certain amount. The first row is left unchanged. The second row is shifted one to the left. The third row by two, etc.

In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. This takes four bytes as input and outputs four bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
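The ShiftRows and MixColumns steps described above, as an added example that is not part of the original slides. The function names are chosen here for illustration, and the MixColumns coefficients (2, 3, 1, 1) are taken from FIPS 197 rather than from this page. `diffusion` measures how far a one-byte difference spreads through these two linear steps alone, with no key and no S-box.

```python
def xtime(a):
    """Multiply a byte by x (that is, by 2) in Rijndael's field, modulus 0x11b."""
    a <<= 1
    return (a ^ 0x11b) if a & 0x100 else a

def to_state(block):
    """16 bytes -> 4 rows, column-major: byte i lands in row i % 4, column i // 4."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state):
    """Row r is rotated r positions to the left; the first row is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_column(col):
    """Combine the four bytes of one column; 3*a is computed as xtime(a) ^ a."""
    a0, a1, a2, a3 = col
    return [
        xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3),
        (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3),
    ]

def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def diffusion(a, b, rounds):
    """Count bytes that differ after `rounds` of ShiftRows followed by MixColumns."""
    sa, sb = to_state(a), to_state(b)
    for _ in range(rounds):
        sa, sb = mix_columns(shift_rows(sa)), mix_columns(shift_rows(sb))
    return sum(x != y for x, y in zip(from_state(sa), from_state(sb)))
```

With two constructed blocks that differ in a single byte, one pass changes a full column (4 bytes) and a second pass changes all 16 bytes.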

Rijndael key schedule

The Steps


Rotate: The rotate operation takes a 32-bit word (in hexadecimal) and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low eight bits of the result.

Rcon: Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified value. Note that this operation is not performed with regular integers, but in Rijndael's finite field. In polynomial form, 2 is 2 = 00000010 = 0 x^7 + 0 x^6 + 0 x^5 + 0 x^4 + 0 x^3 + 0 x^2 + 1 x + 0 = x.

For example, rcon(1) = 1, rcon(2) = 2, rcon(3) = 4, and rcon(9) is the hexadecimal number 0x1b (27 in decimal).

Key schedule inner loop

The input is a 32-bit word and an iteration number i. The output is a 32-bit word.

- Copy the input over to the output.
- Use the above described rotate operation to rotate the output eight bits to the left.
- Apply Rijndael's S-box on all four individual bytes in the output word.
- On just the first (leftmost) byte of the output word, exclusive OR the byte with 2 to the power of (i-1). In other words, perform the rcon operation with i as the input, and exclusive OR the rcon output with the first byte of the output word.


Rijndael key schedule

Some constants


Since the key schedule for 128-bit, 192-bit, and 256-bit encryption are very similar, with only some constants changed, the following keysize constants are defined here:

- n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys
- b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys (with 128-bit blocks as in AES, it is correspondingly larger for variants of Rijndael with larger block sizes).


Rijndael key schedule

The actual key schedule


- The first n bytes of the expanded key are simply the encryption key.
- The rcon iteration value i is set to 1.
- Until we have b bytes of expanded key, we do the following to generate n more bytes of expanded key:
  - We do the following to create 4 bytes of expanded key:
    - We create a 4-byte temporary variable, t
    - We assign the value of the previous four bytes in the expanded key to t
    - We perform the key schedule core (see above) on t, with i as the rcon iteration value
    - We increment i by 1
    - We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
  - We then do the following three times to create the next twelve bytes of expanded key:
    - We assign the value of the previous 4 bytes in the expanded key to t
    - We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
  - If we are processing a 256-bit key, we do the following to generate the next 4 bytes of expanded key:
    - We assign the value of the previous 4 bytes in the expanded key to t
    - We run each of the 4 bytes in t through Rijndael's S-box
    - We exclusive-OR t with the 4-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  - If we are processing a 128-bit key, we do not perform the following steps. If we are processing a 192-bit key, we run the following steps twice. If we are processing a 256-bit key, we run the following steps three times:
    - We assign the value of the previous 4 bytes in the expanded key to t
    - We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key
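The key schedule steps above (rotate, rcon, inner loop, and the expansion loop with the constants n and b), written out as an added example that is not code from the slides or from the Rijndael authors. The function names are chosen here, and the S-box is derived computationally (field inverse plus the affine transform from FIPS 197) instead of being embedded as a 256-entry table, which is an addition the slides do not describe.

```python
def gmul(a, b):  # multiply two bytes in Rijndael's finite field, modulus 0x11b
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def build_sbox():
    """Derive the S-box: field inverse, then the affine transform with constant 0x63."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
        box.append(s ^ 0x63)
    return box
SBOX = build_sbox()

def rcon(i):  # 2 to the power (i - 1) in the finite field, so rcon(9) == 0x1b
    r = 1
    for _ in range(i - 1):
        r = gmul(r, 2)
    return r

def schedule_core(t, i):
    """Inner loop: rotate 8 bits left, S-box every byte, XOR rcon(i) into the first byte."""
    t = [SBOX[x] for x in t[1:] + t[:1]]
    t[0] ^= rcon(i)
    return t

def expand_key(key):
    n = len(key)                          # 16, 24 or 32 bytes; anything else raises KeyError
    b = {16: 176, 24: 208, 32: 240}[n]
    out, i = list(key), 1
    def emit(t):                          # XOR t with the 4-byte block n bytes back
        out.extend([x ^ y for x, y in zip(t, out[-n:][:4])])
    while len(out) < b:
        emit(schedule_core(out[-4:], i))
        i += 1
        for _ in range(3):
            emit(out[-4:])
        if n == 32:                       # extra S-box step for 256-bit keys only
            emit([SBOX[x] for x in out[-4:]])
        for _ in range({16: 0, 24: 2, 32: 3}[n]):
            emit(out[-4:])
    return bytes(out[:b])                 # drop bytes generated past b
```

For 192-bit and 256-bit keys the loop produces more than b bytes on its last pass, so the result is truncated to b. Each consecutive 16-byte slice of the output is one round key.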

