Lecture Outline
• AES
• Other block ciphers

Cost:
• royalty-free, computational efficiency, memory requirement
AES Evaluation
Criteria of the final evaluation:
• general security
• software implementation performance
• hardware implementation (size & performance)
• restricted-space environments
• attacks on implementations
• encryption vs. decryption
• key agility
• other versatility and flexibility
  – parameter flexibility
  – possibility of optimizing cipher elements for particular environments
Rijndael Features
Designed to be efficient in both hardware and software across a variety of platforms. Not a Feistel network. Uses a variable block size B of 128, 192 or 256 bits and a key size K of 128, 192 or 256 bits. Variable number of rounds (10, 12, 14):
• 10 if B = K = 128 bits
• 12 if either B or K is 192 bits and the other is at most 192 bits
• 14 if either B or K is 256 bits
Overview of Rijndael/AES
AES fixes the block size at 128 bits, so the number of rounds (10, 12, 14) depends only on the key size K:
• 10 if K is 128 bits
• 12 if K is 192 bits
• 14 if K is 256 bits
AddRoundKey
State is represented as follows (16 bytes; S_r,c is the byte in row r, column c):
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3

AddRoundKey(State, Key): each byte of State is XORed with the corresponding byte of the round key, and the result becomes the new State.
(figure: Key ⊕ State → State)
SubBytes
Byte substitution using a non-linear S-box (applied independently to each byte). The S-box is represented as a 16×16 array whose rows and columns are indexed by hexadecimal digits; a byte is replaced as follows: its two hexadecimal digits define a row r and a column c, and the byte is replaced by S-box(r, c).
How is the AES S-box different from the DES S-boxes?
• only one S-box
• the S-box is based on modular arithmetic with polynomials and can be defined algebraically; it is not random
• easy to analyze; one can prove that attacks fail
S-Box Table
(row = high hexadecimal digit of the input byte, column = low digit)

     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1   CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2   B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3   04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4   09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5   53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6   D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7   51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8   CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9   60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A   E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B   E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C   BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D   70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E   E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F   8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
ShiftRows
Before ShiftRows:              After ShiftRows:
S0,0 S0,1 S0,2 S0,3            S0,0 S0,1 S0,2 S0,3   (row 0 unchanged)
S1,0 S1,1 S1,2 S1,3            S1,1 S1,2 S1,3 S1,0   (row 1 rotated left by 1)
S2,0 S2,1 S2,2 S2,3            S2,2 S2,3 S2,0 S2,1   (row 2 rotated left by 2)
S3,0 S3,1 S3,2 S3,3            S3,3 S3,0 S3,1 S3,2   (row 3 rotated left by 3)
MixColumns
Interpret each column as a vector of length 4 over GF(2^8) (bytes as polynomials modulo x^8 + x^4 + x^3 + x + 1). Each column of State is replaced by another column obtained by multiplying that column with a fixed 4×4 matrix in this field, the circulant matrix whose first row is (02 03 01 01).
Key Expansion
KeyExpansion(byte key[16], word w[44])
  word temp
  for (i = 0; i < 4; i++)
    w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
  for (i = 4; i < 44; i++)
    temp = w[i-1]
    if (i mod 4 == 0)
      temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4]
    w[i] = w[i-4] ⊕ temp
Key Expansion (continued)
RotWord([byte0, byte1, byte2, byte3]) = [byte1, byte2, byte3, byte0]
SubWord([byte0, byte1, byte2, byte3]) = [Sbox[byte0], Sbox[byte1], Sbox[byte2], Sbox[byte3]]
Rcon[j] = (RC[j], 0, 0, 0)
RC[j] for j = 1..10 (hexadecimal): 01 02 04 08 10 20 40 80 1B 36
(RC[1] = 01 and RC[j] = 02 · RC[j-1], multiplication in GF(2^8))
Summary of Rijndael
Rijndael's strength is in its design simplicity, rich algebraic structure, and efficiency. The algorithm is composed of three layers:
• linear diffusion (ShiftRows, MixColumns)
• non-linear layer (SubBytes)
• key mixing (AddRoundKey)
Decryption
The decryption algorithm is not identical with the encryption algorithm, but it uses the same key schedule. There is also a way of implementing the decryption with an algorithm that has the same structure as the encryption algorithm (each operation replaced with its inverse); however, in this case the key schedule must be changed (the round keys for the inner rounds are passed through InvMixColumns).
Rijndael Cryptanalysis
Resistant to linear and differential cryptanalysis.
Differential trail:
• probability that a given difference pattern a' at the input produces an output difference of b'
• choose the S-box and the multiplication polynomial to minimize the maximum difference probability
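The round functions described above (SubBytes, ShiftRows, MixColumns, AddRoundKey and KeyExpansion) assembled into AES-128, together with the quantity the differential-trail discussion refers to: the largest entry of the S-box's difference distribution table. This is an added example, not code from the lecture; the S-box is generated from its algebraic definition rather than copied from the table, and the only outside reference is the FIPS-197 Appendix C.1 test vector used to check the result.

```python
"""AES-128 from the Rijndael round functions, plus the S-box differential check.

Added example, not the lecture's code. The S-box is built algebraically (GF(2^8)
inverse followed by the affine map) and the cipher is checked against FIPS-197 C.1.
"""

POLY = 0x11B  # Rijndael field polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def build_sbox():
    """S(x) = affine(x^-1) with 0^-1 := 0; the affine map XORs four rotations and 0x63."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def key_expansion(key):
    """KeyExpansion from the slide: 44 words (4-byte lists) from a 16-byte key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 0x01  # RC[1]; later RC values are doublings in GF(2^8): 02 04 ... 80 1B 36
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rc                       # Rcon[i/4] = (RC[i/4], 0, 0, 0)
            rc = gf_mul(rc, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def add_round_key(state, w, rnd):
    for c in range(4):
        for r in range(4):
            state[r][c] ^= w[4 * rnd + c][r]


def sub_bytes(state):
    for row in state:
        row[:] = [SBOX[b] for b in row]


def shift_rows(state):
    for r in range(1, 4):  # row r rotated left by r bytes
        state[r] = state[r][r:] + state[r][:r]


def mix_columns(state):
    # each column times the circulant matrix with first row (02 03 01 01) over GF(2^8)
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        for r in range(4):
            state[r][c] = (gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                           ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])


def aes128_encrypt(key, block):
    """Encrypt one 16-byte block; state[r][c] holds input byte r + 4c (column-major)."""
    w = key_expansion(key)
    state = [[block[r + 4 * c] for c in range(4)] for r in range(4)]
    add_round_key(state, w, 0)
    for rnd in range(1, 11):
        sub_bytes(state)
        shift_rows(state)
        if rnd != 10:  # the final round has no MixColumns
            mix_columns(state)
        add_round_key(state, w, rnd)
    return bytes(state[r][c] for c in range(4) for r in range(4))


def max_differential_count(sbox):
    """Largest entry of the difference distribution table over all a' != 0.
    For the AES S-box it is 4: no input difference a' gives any output difference b'
    with probability above 4/256 = 2^-6, which is what a differential trail pays per S-box."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best


if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 C.1 key 00 01 .. 0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 plaintext
    print(aes128_encrypt(key, pt).hex())                    # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(max_differential_count(SBOX))                     # 4
```

The generated table must match the S-box table above entry for entry; SBOX[0x53] == 0xED is the example FIPS-197 itself uses. Because the S-box is an affine image of field inversion, its differential uniformity is provably 4, which is the property the slide describes as choosing the S-box "to minimize the maximum difference probability".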
Rijndael Cryptanalysis (continued)
Academic break on a weaker version of the cipher (9 rounds, 256-bit key): the related-key attack requires 2^224 work and 2^85 chosen related-key plaintexts. The attack is not practical.
IDEA
Design goals:
• block length: deter statistical analysis
• key length: deter exhaustive search
Features:
• 128-bit key
• 64-bit blocks
• 8 rounds
• operates on 16-bit numbers
IDEA: Encryption
The 64-bit data block is divided into 4 parts: D1 D2 D3 D4. In each of eight rounds of 14 steps the sub-blocks are XORed, added and multiplied with one another and with six 16-bit sub-blocks of key material, and the second and third sub-blocks are swapped. Finally some more key material is combined with the sub-blocks.
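The round structure just described, implemented end to end as an added example (not the lecture's code): the three 16-bit operations, the 52-subkey schedule, the eight rounds with the swap of the middle sub-blocks, the output transformation, and the derivation of the decryption subkeys, which is what lets the same routine decrypt. The key and block values are constructed sample data.

```python
"""IDEA on one 64-bit block (added example, not from the lecture slides).

All operations are on 16-bit words: XOR, addition mod 2^16, and multiplication
mod 2^16 + 1 in which the all-zero word stands for 2^16.  The key schedule and
the inverse key schedule follow the IDEA specification; the key and block used
below are constructed values, and only round-trip behaviour is asserted.
"""

MASK = 0xFFFF


def mul(x, y):
    """Multiplication modulo 2^16 + 1; a zero word represents 2^16."""
    x = x or 0x10000
    y = y or 0x10000
    return (x * y % 0x10001) & MASK


def add(x, y):
    return (x + y) & MASK


def mul_inv(x):
    """Inverse under mul(); mul_inv(0) == 0 because 0 stands for -1 mod 2^16 + 1."""
    return pow(x or 0x10000, 0xFFFF, 0x10001) & MASK


def add_inv(x):
    return (-x) & MASK


def expand_key(key):
    """52 subkeys: take eight words, rotate the 128-bit key left by 25 bits, repeat."""
    k = int.from_bytes(key, "big")
    sub = []
    while len(sub) < 52:
        sub += [(k >> (112 - 16 * j)) & MASK for j in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return sub[:52]


def invert_subkeys(z):
    """Subkeys that make idea_block() decrypt: multiplicative/additive inverses in
    reverse round order; in rounds 2..8 the two additive subkeys change places to
    compensate for the swap of the middle sub-blocks between rounds."""
    d = [0] * 52
    d[0:4] = mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51])
    d[4:6] = z[46], z[47]
    for r in range(1, 8):
        e = 6 * (8 - r)  # first subkey of the encryption round whose key mixing is undone here
        d[6 * r:6 * r + 4] = mul_inv(z[e]), add_inv(z[e + 2]), add_inv(z[e + 1]), mul_inv(z[e + 3])
        d[6 * r + 4:6 * r + 6] = z[e - 2], z[e - 1]  # MA subkeys of the preceding round
    d[48:52] = mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])
    return d


def idea_block(block, sub):
    """Eight rounds (14 steps each) and the output transformation with subkeys `sub`."""
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = sub[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, k1), add(x2, k2), add(x3, k3), mul(x4, k4)
        t0 = mul(x1 ^ x3, k5)                 # MA structure: uses the two remaining subkeys
        t1 = mul(add(t0, x2 ^ x4), k6)
        t0 = add(t0, t1)
        x1 ^= t1
        x4 ^= t0
        x2, x3 = x3 ^ t1, x2 ^ t0             # XOR in, then swap the middle sub-blocks
    k1, k2, k3, k4 = sub[48:52]
    out = mul(x1, k1), add(x3, k2), add(x2, k3), mul(x4, k4)  # undoes the last swap
    return b"".join(v.to_bytes(2, "big") for v in out)


def idea_encrypt(key, block):
    return idea_block(block, expand_key(key))


def idea_decrypt(key, block):
    return idea_block(block, invert_subkeys(expand_key(key)))


if __name__ == "__main__":
    key = bytes(range(1, 17))                 # constructed 128-bit key
    pt = bytes.fromhex("0000000100020003")    # constructed 64-bit block
    ct = idea_encrypt(key, pt)
    print(ct.hex(), idea_decrypt(key, ct) == pt)
```

The MA step is its own inverse (it only XORs values derived from x1 ⊕ x3 and x2 ⊕ x4, which it leaves unchanged), so decryption reuses the round function verbatim and the whole inverse lives in invert_subkeys(). Note the zero-word convention in mul(): a naive `x * y % 65537` would map the word 0 to 0 instead of to 2^16 and break the round trip for any sub-block that becomes zero.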
IDEA Cryptanalysis
Currently there is no known practical attack against IDEA. It appears secure against differential cryptanalysis. The key length protects against exhaustive search. IDEA has weak keys, which are avoided at key generation.
Blowfish
A symmetric block cipher designed by Bruce Schneier in 1993/94. Fast implementation on 32-bit CPUs. Compact: runs in less than 5K of memory. Simple to implement and to analyze its strength. Variable security: can give it larger keys.
Blowfish Cryptanalysis
Key-dependent S-boxes and subkeys, generated using the cipher itself, make analysis very difficult. Changing both halves in each round increases security. Provided the key is large enough, brute-force key search is not practical.
Blowfish Speed
From www.counterpane.com

Algorithm                              Blowfish   RC5           DES          IDEA          Triple-DES
Clock cycles per round                 9          12            18           50            18
# rounds                               16         16            16           8             48
# of clock cycles per byte encrypted   18         23            45           50            108
Notes                                  free       RSA Security  56-bit key   Ascom-Systec
RC5
Proprietary cipher owned by RSA Data Security (designed by Ron Rivest). Very fast; operates on words. Variable key size, block size and number of rounds. Clean and simple design. Low memory requirement. Data-dependent rotations that strengthen the algorithm against cryptanalysis.
RC5 Features
RC5 is a family of ciphers RC5-w/r/b:
• w = word size in bits (16/32/64); a data block is 2w bits
• r = number of rounds (0..255)
• b = number of bytes in the key (0..255)
Nominal version is RC5-32/12/16:
• 32-bit words, so it encrypts 64-bit data blocks
• 12 rounds
• 16-byte (128-bit) secret key
RC5 Encryption
L_0 = A + S[0]
R_0 = B + S[1]
for i = 1 to r do
  L_i = ((L_{i-1} ⊕ R_{i-1}) <<< R_{i-1}) + S[2*i]
  R_i = ((R_{i-1} ⊕ L_i) <<< L_i) + S[2*i+1]
Rotation is the main source of non-linearity:
x <<< y  cyclic rotation of word x left by y bits
x >>> y  cyclic rotation of word x right by y bits
(additions are modulo 2^w, and only the low log2(w) bits of the rotation amount are used)
RC5 Decryption
for i = r down to 1 do
  R_{i-1} = ((R_i - S[2*i+1]) >>> L_i) ⊕ L_i
  L_{i-1} = ((L_i - S[2*i]) >>> R_{i-1}) ⊕ R_{i-1}
B = R_0 - S[1]
A = L_0 - S[0]
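RC5 encryption and decryption as written above, for any of the word sizes in the RC5-w/r/b family, plus the key expansion that the slides do not show. This is an added example, not the lecture's or RSA Data Security's code; the constants P_w and Q_w and the three-pass key-mixing loop are those of Rivest's RC5 specification, and the key and plaintext words are constructed sample values.

```python
"""RC5-w/r/b: encryption, decryption and key expansion (added example).

Not the lecture's code.  P_w, Q_w and the key-mixing loop follow Rivest's RC5
specification; sample key and plaintext are constructed, and the assertions
check round-trip behaviour only.
"""

# "Magic" constants: the odd integers nearest (e - 2) * 2^w and (phi - 1) * 2^w.
P = {16: 0xB7E1, 32: 0xB7E15163, 64: 0xB7E151628AED2A6B}
Q = {16: 0x9E37, 32: 0x9E3779B9, 64: 0x9E3779B97F4A7C15}


def rotl(x, n, w):
    """x <<< n: cyclic left rotation of a w-bit word; only n mod w matters."""
    n %= w
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)


def rotr(x, n, w):
    """x >>> n: cyclic right rotation of a w-bit word."""
    n %= w
    return ((x >> n) | (x << (w - n))) & ((1 << w) - 1)


def rc5_setup(w, r, key):
    """Expand b = len(key) bytes into t = 2(r + 1) round words S[0..t-1]."""
    mask = (1 << w) - 1
    u = w // 8                                    # bytes per word
    c = max(1, -(-len(key) // u))                 # number of key words, at least one
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):         # little-endian load of the key bytes
        L[i // u] = ((L[i // u] << 8) + key[i]) & mask
    t = 2 * (r + 1)
    S = [P[w]]
    for _ in range(1, t):
        S.append((S[-1] + Q[w]) & mask)
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):                # mix the secret key into S
        A = S[i] = rotl((S[i] + A + B) & mask, 3, w)
        B = L[j] = rotl((L[j] + A + B) & mask, A + B, w)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt(w, r, S, A, B):
    """Encrypt the two w-bit words (A, B); the rotation amounts are data-dependent."""
    mask = (1 << w) - 1
    A = (A + S[0]) & mask
    B = (B + S[1]) & mask
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B, w) + S[2 * i]) & mask
        B = (rotl(B ^ A, A, w) + S[2 * i + 1]) & mask
    return A, B


def rc5_decrypt(w, r, S, A, B):
    """Run the rounds backwards: subtract the round word, rotate right, XOR."""
    mask = (1 << w) - 1
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & mask, A, w) ^ A
        A = rotr((A - S[2 * i]) & mask, B, w) ^ B
    return (A - S[0]) & mask, (B - S[1]) & mask


if __name__ == "__main__":
    S = rc5_setup(32, 12, bytes(range(16)))      # nominal RC5-32/12/16 with a constructed key
    ct = rc5_encrypt(32, 12, S, 0x12345678, 0x9ABCDEF0)
    print([hex(v) for v in ct], rc5_decrypt(32, 12, S, *ct) == (0x12345678, 0x9ABCDEF0))
```

The rotation helpers reduce the amount modulo w, which is exactly the "low log2(w) bits" rule: the rotation count in each round is taken from the other half of the block, so the schedule of shifts differs from block to block and is what the slides mean by data-dependent rotations. The decryption loop is the line-by-line inverse of the encryption loop, which is why it must run from i = r down to 1.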
Summary
AES (128-bit block size; key size 128, 192 or 256 bits) is the new encryption standard that replaced DES. No practical attack is known.