
Linear? (slide illustration: Cow, Food -> Milk; 3, 4 -> 12)
Linear: there is a correlation between input and output.
Confusion (or non-linear)? (slide illustration: Cow, Food, Man)
Confusion: there is no correlation between input and output.
Diffusion?
Diffusion: all output bits depend on all input bits.
Is there any way to represent binary in a polynomial equation?


Yes (4.6):

Binary   Polynomial
000      0
001      1
010      x
011      x + 1
100      x^2
101      x^2 + 1
110      x^2 + x
111      x^2 + x + 1

Binary numbers in polynomial expression.
Finite field?

Members in a relation (finite): x^2 + 1, x, 1 (the members).

What is a Galois field?
Galois field: a Galois field, GF(p^n), is a finite field with p^n elements.
Finite field: x^2 + 1, x, 1

Finite Field Arithmetic?
Analogy: marrying a person within our relation, i.e. the members x^2 + 1, x, 1 combine only with members of the same finite set.
x^2 + 1, x, 1 combined to give x^3 + x: NOT THIS (the result has left the set).
4, 3, 2, 1 combined to give 12: NOT THIS (the result has left the set 4, 3, 2, 1).
Whatever happens between members, the result must stay inside the relation (the field), never outside it.
Finite Field Arithmetic Result?
Ordinary Polynomial Arithmetic

POLYNOMIAL DIVISION
Find the result of $(x^5 + x^2 + x) \times (x^7 + x^4 + x^3 + x^2 + x)$ in $GF(2^8)$ with irreducible polynomial $(x^8 + x^4 + x^3 + x + 1)$.

Finite field: coefficients of P1 and P2 combine with XOR:

P1  P2  XOR
0   0   0
0   1   1
1   0   1
1   1   0

Even means ZERO (an even number of equal terms cancels).
Is this inside the finite field?
To find the final result, divide the polynomial of degree 12 by the polynomial of degree 8 (the modulus) and keep only the remainder.
Advanced Encryption Standard (AES)
What is AES?
AES is a 128 bit symmetric block cipher.

Why AES?
Intended to replace DES and 3DES
DES is vulnerable to differential attacks
3DES has slow performance

                       AES-128  AES-192  AES-256
Plaintext size (bits)    128      128      128
Key size (bits)          128      192      256
Number of rounds          10       12       14
What about AES? Rijndael.
AES Round: Input State -> Transformation -> Output State
Transformation:
1. Sub Byte
2. Shift Row
3. Mix Columns
4. Add Round Key

Input State         Output State
50 10 D0 81         53 CA 70 0C
60 20 4A 93         D0 B7 D6 DC
70 30 E1 A1         51 04 F8 32
00 C0 F7 AF         63 BA 68 79
AES Round
Substitute Byte
What is an S-box? A lookup table. The AES S-box, indexed by the left hex digit x (row) and the right hex digit y (column):

x\y  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Where is the S-box used? In substitution.
Why an S-box? To make confusion (non-linearity).
What is substitute byte? A byte is replaced by another byte.
{95} -> {2A}: how?
95: the left 4 bits (9) select the row, the right 4 bits (5) select the column.
(The same 16x16 S-box lookup table as above; row 9, column 5 holds 2a.)
S-box
Is there another method for the above transformation (sub byte)?
YES: by finite field GF(2^8) arithmetic. An input byte b in the state (bits b0..b7, the coefficients of x^0..x^7) is mapped to an output byte b' in the state by the affine transformation b' = A b + c over GF(2):

[b'0]   [1 0 0 0 1 1 1 1] [b0]   [1]
[b'1]   [1 1 0 0 0 1 1 1] [b1]   [1]
[b'2]   [1 1 1 0 0 0 1 1] [b2]   [0]
[b'3] = [1 1 1 1 0 0 0 1] [b3] + [0]
[b'4]   [1 1 1 1 1 0 0 0] [b4]   [0]
[b'5]   [0 1 1 1 1 1 0 0] [b5]   [1]
[b'6]   [0 0 1 1 1 1 1 0] [b6]   [1]
[b'7]   [0 0 0 1 1 1 1 1] [b7]   [0]
Shift Rows

state array before ShiftRows      state array after ShiftRows
s15 s11 s7  s3                    s11 s7  s3  s15   (rotation of 1 byte)
s14 s10 s6  s2                    s6  s2  s14 s10   (rotation of 2 bytes)
s13 s9  s5  s1                    s1  s13 s9  s5    (rotation of 3 bytes)
s12 s8  s4  s0                    s12 s8  s4  s0    (unchanged)

Why Shift Rows?
This step permutes bytes between the columns: four bytes of one column are spread out to four different columns.
Mix Columns

[s'15 s'11 s'7 s'3]     [02 01 01 03]     [s15 s11 s7 s3]
[s'14 s'10 s'6 s'2]  =  [03 02 01 01]  x  [s14 s10 s6 s2]
[s'13 s'9  s'5 s'1]     [01 03 02 01]     [s13 s9  s5 s1]
[s'12 s'8  s'4 s'0]     [01 01 03 02]     [s12 s8  s4 s0]

 state array after      MixColumns          state array
 MixColumns             coefficient matrix

The products are polynomial multiplications in the field GF(2^8).
Combination of Shift Row & Mix Column will produce DIFFUSION.
Add Round Key
AES Key Expansion?
Complex function g: Rot Word, then Sub Word, then XOR with the round constant (Rcon); the figure shows g applied to produce W4.
Key Expansion Rationale
designed to resist known attacks
design criteria included
knowing part key insufficient to find many more
invertible transformation
fast on wide range of CPUs
use round constants to break symmetry
diffuse key bits into round keys
enough non-linearity to hinder analysis
AES Decryption
Rijndael
Can two separate software implementations (one for encryption, one for decryption) be avoided?
Yes: by the inverse cipher.
Implementation Aspects
can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is simple byte shift
add round key works on byte XORs
mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XORs
Implementation Aspects
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can precompute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 4Kb to store tables
designers believe this very efficient implementation was a key factor in its selection as the AES cipher
Example: mod 8 (% 8)
Multiplication and inverses
Multiplicative inverse ($w^{-1}$)
For a given prime, p, the finite field of order p, GF(p), is defined as the set $Z_p$ of integers {0, 1, ..., p - 1}, together with the arithmetic operations modulo p.
For each $w \in Z_p$, $w \neq 0$, there exists a $z \in Z_p$ such that $w \times z \equiv 1 \pmod{p}$.
Because w is relatively prime to p, if we multiply all the elements of $Z_p$ by w, the resulting residues are all of the elements of $Z_p$ permuted. Thus, exactly one of the residues has the value 1.

Ordinary Polynomial Arithmetic

GF(7)
The simplest finite field is GF(2).

Integer                  1  2  3  4   5  6  7
Occurrences in Z_8       4  8  4  12  4  8  4
Occurrences in GF(2^3)   7  7  7  7   7  7  7

In GF(2), addition and multiplication are equivalent to the XOR and the logical AND, respectively. Addition and subtraction are equivalent. Therefore GF(2^n) is of most interest.
Consider the set S of all polynomials of degree n-1 or less over the field $Z_p$. Thus, each polynomial has the form where each $a_i$ takes on a value in the set {0, 1, ..., p-1}. There are a total of $p^n$ different polynomials in S.
For p = 3 and n = 2, the $3^2 = 9$ polynomials in the set are:

0   x       2x
1   x + 1   2x + 1
2   x + 2   2x + 2

For p = 2 and n = 3, the $2^3 = 8$ polynomials in the set are:

0   x + 1     x^2 + x
1   x^2       x^2 + x + 1
x   x^2 + 1

mod 2: 1 + 1 = 1 - 1 = 0; 1 + 0 = 1 - 0 = 1; 0 + 1 = 0 - 1 = 1.

If f(x) has no divisors other than itself and 1, it is said to be an irreducible (or prime) polynomial; an irreducible polynomial forms a field.
$f(x) = x^4 + 1$ over GF(2) is reducible, because $x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1)$.
$f(x) = x^3 + x + 1$ is irreducible (residual 1).

e.g. let $f(x) = x^3 + x^2$ and $g(x) = x^2 + x + 1$
$f(x) + g(x) = x^3 + x + 1$
$f(x) \times g(x) = x^5 + x^2$
Example GF(2^3)

4.2.1 Continued
Example 4.19
Find the result of $(x^5 + x^2 + x) \times (x^7 + x^4 + x^3 + x^2 + x)$ in $GF(2^8)$ with irreducible polynomial $(x^8 + x^4 + x^3 + x + 1)$. Note that we use the symbol to show the multiplication of two polynomials.
Solution
To find the final result, divide the polynomial of degree 12 by the polynomial of degree 8 (the modulus) and keep only the remainder. Figure 4.10 shows the process of division.
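The following Python is an added example, not part of the slides or of the textbooks they quote. It carries out the finite-field facts of this section with generic GF(2)[x] arithmetic: the polynomial division of Example 4.19 (degree-12 product reduced modulo the degree-8 AES polynomial), the reducibility of $x^4 + 1$ versus the irreducibility of $x^3 + x + 1$, the GF(2^3) addition and multiplication example, the occurrence counts that distinguish $Z_8$ from GF(2^3), and the "multiply every residue by w" argument for inverses in GF(p). Polynomials are stored as Python ints with bit i holding the coefficient of $x^i$; every function and constant name is this example's own choice.

```python
# Added example (not from the slides): GF(2)[x] arithmetic and the finite-field
# facts stated on the slides. A polynomial is stored as a Python int whose bit i
# is the coefficient of x^i, so x^8 + x^4 + x^3 + x + 1 is 0b1_0001_1011 = 0x11B.
# All function and constant names here are this example's own choices.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES modulus


def poly_deg(a):
    """Degree of a polynomial; -1 for the zero polynomial."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Product in GF(2)[x]: shift-and-XOR with no carries (the degree-12 intermediate)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, m):
    """Long division over GF(2): returns (quotient, remainder) of a divided by m."""
    q = 0
    dm = poly_deg(m)
    while a and poly_deg(a) >= dm:
        shift = poly_deg(a) - dm
        q ^= 1 << shift      # x^shift goes into the quotient
        a ^= m << shift      # subtract (= XOR) the aligned modulus
    return q, a


def gf_mul(a, b, modulus):
    """Field multiplication: multiply, then keep only the remainder modulo the irreducible polynomial."""
    return poly_divmod(poly_mul(a, b), modulus)[1]


def poly_str(a):
    """Render a polynomial as text, e.g. 0x2F -> 'x^5 + x^3 + x^2 + x + 1'."""
    names = {0: "1", 1: "x"}
    terms = [names.get(i, "x^%d" % i) for i in range(poly_deg(a), -1, -1) if (a >> i) & 1]
    return " + ".join(terms) if terms else "0"


def is_irreducible(m):
    """Trial division by every polynomial of degree 1 .. deg(m)/2, like a primality test."""
    half = poly_deg(m) // 2
    return all(poly_divmod(m, d)[1] != 0 for d in range(2, 1 << (half + 1)))


def inverse_mod_p(w, p):
    """GF(p): multiplying every element of Z_p by w permutes Z_p, so exactly one product is 1."""
    residues = [(w * z) % p for z in range(p)]
    assert sorted(residues) == list(range(p))   # the residues are Z_p permuted
    return residues.index(1)


def occurrence_counts(mul, n):
    """How often each non-zero value appears in the multiplication table of elements 1..n-1."""
    counts = {v: 0 for v in range(1, n)}
    for a in range(1, n):
        for b in range(1, n):
            prod = mul(a, b)
            if prod:
                counts[prod] += 1
    return counts


if __name__ == "__main__":
    a, b = 0b0010_0110, 0b1001_1110        # x^5 + x^2 + x  and  x^7 + x^4 + x^3 + x^2 + x
    print("product before reduction:", poly_str(poly_mul(a, b)))
    print("result in GF(2^8):       ", poly_str(gf_mul(a, b, AES_POLY)))
    print("x^4 + 1 irreducible?    ", is_irreducible(0b10001))
    print("x^3 + x + 1 irreducible?", is_irreducible(0b1011))
    print("occurrences in Z_8:     ", occurrence_counts(lambda x, y: (x * y) % 8, 8))
    print("occurrences in GF(2^3): ", occurrence_counts(lambda x, y: gf_mul(x, y, 0b1011), 8))
    print("inverse of 3 in GF(7):  ", inverse_mod_p(3, 7))
```

The unreduced product of Example 4.19 has only three terms, $x^{12} + x^7 + x^2$, because every other term appears an even number of times and cancels (the "even means zero" rule); the remainder after dividing by the AES polynomial is $x^5 + x^3 + x^2 + x + 1$. In $Z_8$ the products 2x4 and 4x4 are 0 and the value 4 appears twelve times, whereas in GF(2^3) every non-zero value appears exactly seven times, which is why the slides prefer GF(2^n).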
Byte Substitution
a simple substitution of each byte
uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
each byte of state is replaced by byte indexed by row (left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by byte in row 9 column 5 which has value {2A}
S-box constructed using defined transformation of values in GF(2^8)
designed to be resistant to all known attacks
Byte Substitution
Specification (Cont.)
ByteSub
Invertible S-Box
One single S-Box for the complete cipher
High non-linearity
Shift Rows
a circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt inverts using shifts to right
since state is processed by columns, this step permutes bytes between the columns
Shift Rows
Mix Columns
each column is processed separately
each byte is replaced by a value d ependent on all 4 bytes in the column
effectively a matrix multiplication in GF(2^8) using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$
Ordinary Polynomial Arithmetic
add or subtract corresponding coefficients
multiply all terms by each other
eg. let $f(x) = x^3 + x^2 + 2$ and $g(x) = x^2 - x + 1$
$f(x) + g(x) = x^3 + 2x^2 - x + 3$
$f(x) - g(x) = x^3 + x + 1$
$f(x) \times g(x) = x^5 + 3x^2 - 2x + 2$

Mix Columns
can express each col as 4 equations to derive each new byte in col
decryption requires use of inverse matrix with larger coefficients, hence a little harder
have an alternate characterisation: each column a 4-term polynomial with coefficients in GF(2^8), and polynomials multiplied modulo $(x^4 + 1)$

Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a series of byte operations)
inverse for decryption identical since XOR own inverse, with reversed keys
designed to be as simple as possible
a form of Vernam cipher on expanded key
requires other stages for complexity / security
Add Round Key
AES Key Expansion
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values in previous & 4 places back
in 3 of 4 cases just XOR these together
1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR with 4th back
AES Key Expansion
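As an added example (not part of the slides), the Python below ties two of the slides together: it first builds the S-box from GF(2^8) arithmetic, using the affine matrix and constant drawn on the "another method for sub byte" slide, and then runs the key expansion just described for AES-128, generalised to 192- and 256-bit keys. The step the slide does not spell out, that the affine transformation is applied to the multiplicative inverse of the byte, is the FIPS-197 definition and is assumed here; the function names, the RCON list and the FIPS-197 Appendix A test key are this example's own, not the slides'.

```python
# Added example (not from the slides): S-box from GF(2^8) arithmetic, then the
# AES key expansion. Names are this example's own; the inverse-then-affine
# construction of the S-box is the FIPS-197 definition (assumed, not on the slides).

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1: shift left, XOR 0x1B on overflow."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inverse(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a); 0 maps to 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0


# Affine transformation b' = A*b + c over GF(2), rows exactly as drawn on the slide; c = 0x63.
AFFINE_ROWS = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
AFFINE_CONST = [1, 1, 0, 0, 0, 1, 1, 0]   # bits c0..c7 of 0x63


def affine(b):
    """Bit i of the output is the GF(2) dot product of matrix row i with the input bits, plus c_i."""
    out = 0
    for i in range(8):
        bit = AFFINE_CONST[i]
        for j in range(8):
            bit ^= AFFINE_ROWS[i][j] & (b >> j) & 1
        out |= bit << i
    return out


S_BOX = [affine(gf_inverse(v)) for v in range(256)]

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]   # powers of x in GF(2^8)


def rot_word(w):
    return w[1:] + w[:1]


def sub_word(w):
    return [S_BOX[b] for b in w]


def expand_key(key):
    """Expand a 16/24/32-byte key into 44/52/60 four-byte words (Nk = 4/6/8)."""
    nk = len(key) // 4
    rounds = {4: 10, 6: 12, 8: 14}[nk]
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]     # first Nk words are the key itself
    for i in range(nk, 4 * (rounds + 1)):
        temp = w[i - 1]
        if i % nk == 0:                                      # every Nk-th word: g() = rotate, S-box, Rcon
            temp = sub_word(rot_word(temp))
            temp = [temp[0] ^ RCON[i // nk - 1]] + temp[1:]
        elif nk > 6 and i % nk == 4:                         # AES-256 only: an extra SubWord
            temp = sub_word(temp)
        w.append([x ^ y for x, y in zip(w[i - nk], temp)])   # XOR with the word Nk places back
    return w


# FIPS-197 Appendix A.1 test key (the first derived word should be a0fafe17).
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    print("S-box[95] =", hex(S_BOX[0x95]), " S-box[66] =", hex(S_BOX[0x66]))
    for i, word in enumerate(expand_key(TEST_KEY)):
        print("w[%2d] = %s" % (i, bytes(word).hex()))
```

The computed table reproduces the lookups quoted on the slides ({95} -> {2A}, {66} -> {33}, {00} -> {63}) and is a permutation of all 256 byte values, which is what makes the S-box invertible. In the expansion, words 4, 5, 6 and 7 for the test key are a0fafe17, 88542cb1, 23a33939 and 2a6c7605: only the first of each group of four passes through g, the other three are plain XORs of the previous word with the word four back.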
AES Decryption
AES decryption is not identical to encryption since steps done in reverse
but can define an equivalent inverse cipher with steps as for encryption, but using inverses of each step, with a different key schedule
works since result is unchanged when swap byte substitution & shift rows, swap mix columns & add (tweaked) round key
AES Decryption
The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than Feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
Summary
have considered:
the AES selection process
the details of Rijndael the AES cipher
looked at the steps in each round
the key expansion
implementation aspects


Why AES?
Symmetric block cipher, published in 2001
Intended to replace DES and 3DES
DES is vulnerable to differential attacks
3DES has slow performance

The AES Cipher
Single 128 bit block as input
Copied to a State array with Nb columns (Nb = 4)

Input                    State array          Output
in0  in4  in8  in12      S00 S01 S02 S03      o0  o4  o8  o12
in1  in5  in9  in13      S10 S11 S12 S13      o1  o5  o9  o13
in2  in6  in10 in14      S20 S21 S22 S23      o2  o6  o10 o14
in3  in7  in11 in15      S30 S31 S32 S33      o3  o7  o11 o15
19/08/2012 pp. 92 / 23 CHES 2002 Workshop Redwood City (SF Bay), CA, USA
Algorithm Description: Encrypt.
SubBytes: every byte s_i of the state array is replaced through the S-BOX by s'_i (the slide highlights s5 -> s'5):

s15 s11 s7  s3          s'15 s'11 s'7  s'3
s14 s10 s6  s2   S-BOX  s'14 s'10 s'6  s'2
s13 s9  s5  s1   ---->  s'13 s'9  s'5  s'1
s12 s8  s4  s0          s'12 s'8  s'4  s'0

ShiftRows: rotation of one byte, two bytes and three bytes in the three shifted rows of the state array:

s15 s11 s7  s3          s11 s7  s3  s15   (1 byte)
s14 s10 s6  s2   ---->  s6  s2  s14 s10   (2 bytes)
s13 s9  s5  s1          s1  s13 s9  s5    (3 bytes)
s12 s8  s4  s0          s12 s8  s4  s0

SubByte() (2)
Laboratory for Reliable Computing (LaRC)
(The same 16x16 S-box lookup table as above, indexed by row x and column y; row 6, column 6 holds 33.)
Ex: If input {xy} is {66}, output will be {33} from SubByte()
Specification (Cont.)
Round transformation
Rijndael, the Advanced Encryption Standard, is a symmetric block cipher.
It uses the same key between sender and receiver to encrypt and decrypt the message.
Speed and cost make symmetric algorithms the algorithm of choice for encrypting large amounts of data.
Rijndael = Rijmen & Daemen

Mathematics Behind Rijndael
Field
Finite Field
Inverses
AES Algorithm
SubBytes
State:

50 10 D0 81       Sbox(50) Sbox(10) Sbox(D0) Sbox(81)       53 CA 70 0C
60 20 4A 93  ->   Sbox(60) Sbox(20) Sbox(4A) Sbox(93)   =   D0 B7 D6 DC
70 30 E1 A1       Sbox(70) Sbox(30) Sbox(E1) Sbox(A1)       51 04 F8 32
00 C0 F7 AF       Sbox(00) Sbox(C0) Sbox(F7) Sbox(AF)       63 BA 68 79
AES Algorithm - MixColumns
This with shift rows provides diffusion.
The columns are considered polynomials over GF(2^8) and multiplied modulo $x^4 + 1$ with a(x), where $a(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}$. NOTE: $x^4 + 1$ is relatively prime to a(x).
$a'_j = (a_j \cdot a(x)) \bmod (x^4 + 1)$
This can also be written as matrix multiplication.

[a'0]     [02 03 01 01]   [a0]
[a'1]  =  [01 02 03 01]   [a1]
[a'2]     [01 01 02 03]   [a2]
[a'3]     [03 01 01 02]   [a3]

AES Algorithm - MixColumns
$a'_0 = 2a_0 + 3a_1 + a_2 + a_3$
$a'_1 = a_0 + 2a_1 + 3a_2 + a_3$
$a'_2 = a_0 + a_1 + 2a_2 + 3a_3$
$a'_3 = 3a_0 + a_1 + a_2 + 2a_3$
Addition is easy in GF(2^8): addition is just the XOR operation.
Multiplication by 1 is easy in GF(2^8): multiplication by one is the identity.
Multiplication by 2 in GF(2^8) takes some work:
. If the value being multiplied is < 0x80, just shift all the bits left by 1
. If the value being multiplied is >= 0x80, shift left by 1 and XOR with 0x1b
. This prevents overflow and keeps the values within range
To multiply by 3 in GF(2^8): a * 0x03 = a * (0x02 + 0x01) = (a * 0x02) XOR (a * 0x01)
$a'_0 = 2a_0 \oplus 3a_1 \oplus a_2 \oplus a_3$
$a'_1 = a_0 \oplus 2a_1 \oplus 3a_2 \oplus a_3$
$a'_2 = a_0 \oplus a_1 \oplus 2a_2 \oplus 3a_3$
$a'_3 = 3a_0 \oplus a_1 \oplus a_2 \oplus 2a_3$
AES Specification (2)
Using a round function for both its Cipher and Inverse Cipher.
A round function is composed of four different byte-oriented transformations:
Non-linear transformation: byte substitution (SubByte())
Linear transformation: shifting rows of the State array (ShiftRow()), mixing the data within each column (MixColumn()), adding a Round Key to the State (AddRoundKey())

When a(x) is a fixed polynomial, the operation can be written in matrix form as:
Polynomial with coefficients in GF(2^8) (con)
Mathematical Preliminaries (con)
the AES algorithm specifies a fixed four-term polynomial that does have an inverse
12.3.1. What is Steganography?
Study of techniques to send sensitive info and hide the fact that sensitive info is being sent
Ex: All the tools are carefully kept -> Attack
Other Examples: Invisible ink, Hidden in Images
Least significant bit of image pixels
Modifications to image not noticeable by an observer
Recipient can check for modifications to get message

Red       Green     Blue
00000000  00000000  00000000
00000001  00000000  00000001
AES Evaluation Criteria
initial criteria:
security effort for practical cryptanalysis
cost in terms of computational efficiency
algorithm & implementation characteristics
final criteria
general security
ease of software & hardware implementation
implementation attacks
flexibility (in en/decrypt, keying, other factors)
Rijndael
data block of 4 columns of 4 bytes is state
key is expanded to array of words
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box used on every byte)
shift rows (permute bytes between groups/columns)
mix columns (subs using matrix multiply of groups)
add round key (XOR state with key material)
view as alternating XOR key & scramble data bytes
initial XOR key material & incomplete last round
with fast XOR & table lookup implementation
Example: DES (Data Encryption
Standard)
input size: 64
output size: 64
key size: 56
16 rounds
Feistel structure

(Figure: DES structure. 64-bit input X -> Initial Permutation -> 16 rounds of the round function F, each combined by XOR with a 48-bit subkey on 32-bit halves -> inverse Initial Permutation -> 64-bit output Y. The key scheduler derives the subkeys K1, K2, K3, ..., K16 (48 bits each) from the 56-bit key K.)
A.2 Encryption
Block ciphers
Specification (Cont.)
ShiftRow

Specification (Cont.)
MixColumn
$c(x) = 03x^3 + 01x^2 + 01x + 02$
High intra-column diffusion
Interaction with ShiftRow
High diffusion over multiple rounds

Example: the DES round function F
(Figure: 48 single-bit XORs inject the round key, the result feeds the eight substitution boxes S1 S2 S3 S4 S5 S6 S7 S8, and their output passes through the permutation box P.)
Si substitution box (S-box)
P permutation box (P-box)
A.2 Encryption
Block ciphers
Swankoski
MAPLD 2005 / B103
Maintaining High Security
ECB-encrypted image has observable patterns
CTR/CBC/SCBC encryption looks like random noise
AES Shortlist
after testing and evaluation, shortlist in Aug-99:
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin
Serpent (Euro) - slow, clean, v. high security margin
Twofish (USA) - complex, v. fast, high security margin
then subject to further analysis & comment
saw contrast between algorithms with
few complex rounds versus many simple rounds
which refined existing ciphers versus new proposals
Old MixColumns - Cost
(Matrix form: for each column c = 0..3, the output column (s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}) is the MixColumns coefficient matrix, whose rows are rotations of the coefficients 02, 03, 01, 01, times the input column (s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}).)
The cost per column is: a single doubling, 4 additions (XOR) and 3 rotations (all operations work on 32 bits).
For a complete MixColumns transformation 4 doublings, 16 additions (XOR) and 12 rotations are required.
Doubling means 4 multiplications in GF(2^8) of each byte of the 32-bit word.
Algorithm Description: Encrypt.
AddRoundKey: the state array is XORed bit-wise with the round key:

s15 s11 s7  s3       k15 k11 k7  k3       s'15 s'11 s'7  s'3
s14 s10 s6  s2  XOR  k14 k10 k6  k2   =   s'14 s'10 s'6  s'2
s13 s9  s5  s1       k13 k9  k5  k1       s'13 s'9  s'5  s'1
s12 s8  s4  s0       k12 k8  k4  k0       s'12 s'8  s'4  s'0

MixColumns: the state array is multiplied by the MixColumns coefficient matrix (polynomial multiplications in the field GF(2^8)):

s'15 s'11 s'7  s'3       02 01 01 03      s15 s11 s7  s3
s'14 s'10 s'6  s'2   =   03 02 01 01  x   s14 s10 s6  s2
s'13 s'9  s'5  s'1       01 03 02 01      s13 s9  s5  s1
s'12 s'8  s'4  s'0       01 01 03 02      s12 s8  s4  s0
AES Requirements
private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of 20-30 years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions &
unclassified analyses
New MixColumns
The New MixColumns transformation is:
$y_0 = (\{02\} x_0) + (\{03\} x_1) + x_2 + x_3$
$y_1 = x_0 + (\{02\} x_1) + (\{03\} x_2) + x_3$
$y_2 = x_0 + x_1 + (\{02\} x_2) + (\{03\} x_3)$
$y_3 = (\{03\} x_0) + x_1 + x_2 + (\{02\} x_3)$
The symbols $x_i$ and $y_i$ ($0 \le i \le 3$) indicate the 32-bit rows of the state array before and after New MixColumns, respectively.
The 32-bit word $x_i$ accommodates 4 bytes coming from 4 different columns (and similarly for $y_i$).
The operation $\{02\} x_i$, or doubling, consists of 4 multiplications in GF(2^8) of each byte of the 32-bit word.
New MixColumns
The transformation can be executed in three steps. It can be conceived as a sort of double and add algorithm.
Step 1 (sum of the other three rows):
$y_0 = x_1 + x_2 + x_3$
$y_1 = x_0 + x_2 + x_3$
$y_2 = x_0 + x_1 + x_3$
$y_3 = x_0 + x_1 + x_2$
Step 2 (doubling of each row):
$x_0 = \{02\} x_0$
$x_1 = \{02\} x_1$
$x_2 = \{02\} x_2$
$x_3 = \{02\} x_3$
Step 3 (add two doubled rows):
$y_0 \mathrel{+}= x_0 + x_1$
$y_1 \mathrel{+}= x_1 + x_2$
$y_2 \mathrel{+}= x_2 + x_3$
$y_3 \mathrel{+}= x_3 + x_0$
(This equals the column form with coefficient matrix 02 01 01 03 / 03 02 01 01 / 01 03 02 01 / 01 01 03 02.)
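As an added example, not taken from the slides or from the CHES 2002 talk they quote, the Python below implements ShiftRows, the column-wise MixColumns (using the shift-left / XOR-0x1b doubling from the "Multiplication by 2 in GF(2^8)" bullets, with {03}a = {02}a XOR a), and the row-wise three-step New MixColumns above, then checks that both MixColumns forms give the same state. The state is held column-major as 16 bytes in FIPS-197 order rather than the slides' s15..s0 numbering, and the FIPS-197 Appendix B round-1 values used as input are this example's test data; all names are the example's own.

```python
# Added example (not from the slides): ShiftRows and MixColumns two ways.
# State layout is this example's choice: 16 bytes, column-major, so byte r + 4*c
# is row r of column c (FIPS-197 order, not the slides' s15..s0 numbering).

def xtime(b):
    """{02} * b in GF(2^8): shift left; if the old top bit was set, XOR with 0x1B."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def shift_rows(state):
    """Row r (bytes r, r+4, r+8, r+12) rotates left by r positions; row 0 is unchanged."""
    out = list(state)
    for r in range(4):
        row = [state[r + 4 * c] for c in range(4)]
        row = row[r:] + row[:r]
        for c in range(4):
            out[r + 4 * c] = row[c]
    return out


def mix_column(col):
    """Column form: {03}*a is xtime(a) ^ a, {01}*a is a, addition is XOR."""
    a0, a1, a2, a3 = col
    return [
        xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3),
        (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3),
    ]


def mix_columns(state):
    """Apply mix_column to each of the four columns independently."""
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4])
    return out


def rows_from_state(state):
    """Pack each state row into a 32-bit word (the x_i of the slide)."""
    return [int.from_bytes(bytes(state[r + 4 * c] for c in range(4)), "big") for r in range(4)]


def state_from_rows(rows):
    """Inverse of rows_from_state: spread the four row words back into the column-major state."""
    out = [0] * 16
    for r, word in enumerate(rows):
        for c, b in enumerate(word.to_bytes(4, "big")):
            out[r + 4 * c] = b
    return out


def double_word(word):
    """{02} x_i: four independent GF(2^8) doublings, one per byte of the 32-bit word."""
    return int.from_bytes(bytes(xtime(b) for b in word.to_bytes(4, "big")), "big")


def new_mix_columns_rows(x):
    """The three-step double-and-add form on the four 32-bit rows."""
    x0, x1, x2, x3 = x
    y0 = x1 ^ x2 ^ x3          # step 1: sum of the other three rows
    y1 = x0 ^ x2 ^ x3
    y2 = x0 ^ x1 ^ x3
    y3 = x0 ^ x1 ^ x2
    x0, x1, x2, x3 = (double_word(w) for w in (x0, x1, x2, x3))   # step 2: doubling
    y0 ^= x0 ^ x1              # step 3: add two doubled rows
    y1 ^= x1 ^ x2
    y2 ^= x2 ^ x3
    y3 ^= x3 ^ x0
    return [y0, y1, y2, y3]


def mix_columns_via_rows(state):
    """MixColumns computed on row words, converted back to the column-major state."""
    return state_from_rows(new_mix_columns_rows(rows_from_state(state)))


# Test data: FIPS-197 Appendix B, round 1, column-major hex.
AFTER_SUBBYTES = bytes.fromhex("d42711aee0bf98f1b8b45de51e415230")
AFTER_SHIFTROWS = bytes.fromhex("d4bf5d30e0b452aeb84111f11e2798e5")
AFTER_MIXCOLUMNS = bytes.fromhex("046681e5e0cb199a48f8d37a2806264c")

if __name__ == "__main__":
    s = shift_rows(AFTER_SUBBYTES)
    print("ShiftRows matches FIPS-197:", bytes(s) == AFTER_SHIFTROWS)
    print("column form:", bytes(mix_columns(s)).hex())
    print("row form:   ", bytes(mix_columns_via_rows(s)).hex())
```

Both forms produce 04 66 81 e5 for the first column (d4 bf 5d 30) and agree on the whole state. The row form needs one doubling per row word, so the four bytes of a column are never handled one at a time; that is the saving the "Old MixColumns - Cost" slide counts against the per-column version.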
ECB vs CBC
Which mode would you choose?
(Figure: original image; encrypted with ECB; encrypted with CBC.)
Yingjiu Li 2007
Encrypted communication
ENCRYPTION: PLAINTEXT (KNOWN CODE) -> CIPHERTEXT (SECRET CODE)
Two types of cryptosystems

Symmetric key cryptosystems
(Ex: DES, Triple DES, AES)

Asymmetric key (Public key) cryptosystems
(Ex: RSA, Diffie-Hellman, ECC, HECC)
