
This Lecture:

AES Key Expansion
Equivalent Inverse Cipher
Rijndael performance summary

Key Expansion
Takes as input an Nk-word key and produces a linear array of Nb * (Nr+1) words. The expanded key provides an Nb-word round key for the initial AddRoundKey() stage and for each of the Nr rounds of the cipher. The key is first copied into the first Nk words; the remainder of the expanded key is filled Nb words at a time.

Key Expansion Pseudo Code (16-byte key)

    KeyExpansion(byte key[16], word w[44])
    {
        word temp;
        /* copy the 16-byte key into the first four words */
        for (i = 0; i < 4; i++)
            w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
        /* fill the remaining 40 words, one word per iteration */
        for (i = 4; i < 44; i++) {
            temp = w[i-1];
            if (i mod 4 = 0)
                temp = SubWord(RotWord(temp)) XOR Rcon[i/4];
            w[i] = w[i-4] XOR temp;
        }
    }

Key Expansion
RotWord performs a one-byte circular left shift on a word. For example: RotWord([b0,b1,b2,b3]) = [b1,b2,b3,b0]. SubWord performs a byte substitution on each byte of the input word using the S-box. SubWord(RotWord(temp)) is XORed with Rcon[j], the round constant, where j = i/4.

Key Expansion
The round constant - Explained
The round constant is a word in which the three rightmost bytes are zero. It is different for each round and defined as: Rcon[j] = (RC[j],0,0,0) where RC[1] = 1, RC[j] = 2 * RC[j-1]. Multiplication is defined over GF(2^8). Values of RC[j] in hexadecimal are:

    j    RC[j]
    1    01
    2    02
    3    04
    4    08
    5    10
    6    20

Key Expansion
The round constant - Example
Example of expansion of a 128-bit cipher key
Cipher key = 2b7e151628aed2a6abf7158809cf4f3c
w0 = 2b7e1516  w1 = 28aed2a6  w2 = abf71588  w3 = 09cf4f3c

    i   temp       RotWord    SubWord    Rcon[i/4]  XOR        w[i-4]     result (w[i])
    4   09cf4f3c   cf4f3c09   8a84eb01   01000000   8b84eb01   2b7e1516   a0fafe17
    5   a0fafe17   -          -          -          -          28aed2a6   88542cb1
    6   88542cb1   -          -          -          -          abf71588   23a33939
    7   23a33939   -          -          -          -          09cf4f3c   2a6c7605

(For i = 5, 6, 7 the index is not a multiple of 4, so RotWord, SubWord and Rcon are skipped and w[i] = w[i-4] XOR w[i-1].)
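The expansion above, as an added Python example that is not part of the lecture: it builds the S-box arithmetically (multiplicative inverse in GF(2^8) followed by the affine map) instead of typing in the table, runs the key schedule on the lecture's cipher key, and also covers the 192- and 256-bit key lengths (Nk = 6, 8, with the extra SubWord step of the 256-bit schedule) that the 16-byte pseudo code does not. Function and variable names are my own choices.

```python
# Added example: AES key expansion, checked against the lecture's cipher key
# 2b7e151628aed2a6abf7158809cf4f3c (w[4..7] = a0fafe17 88542cb1 23a33939 2a6c7605).

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF


def _make_sbox() -> list:
    """Build the AES S-box: multiplicative inverse, then the affine transformation."""
    sbox = [0] * 256
    for x in range(256):
        # multiplicative inverse (0 maps to 0); brute force is fine for 256 values
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for i in range(5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s
    return sbox


SBOX = _make_sbox()


def rot_word(w: int) -> int:
    """One-byte circular left shift of a 32-bit word: [b0,b1,b2,b3] -> [b1,b2,b3,b0]."""
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)


def sub_word(w: int) -> int:
    """Apply the S-box to each of the four bytes of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def key_expansion(key: bytes) -> list:
    """Return the Nb*(Nr+1) 32-bit round-key words for a 16-, 24- or 32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk = len(key) // 4                # key length in words
    nr = nk + 6                       # 10, 12 or 14 rounds
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rc = 0x01                         # RC[1]; doubled in GF(2^8) after each use
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            # Rcon[i/nk] = (RC, 00, 00, 00): RC sits in the leftmost byte
            temp = sub_word(rot_word(temp)) ^ (rc << 24)
            rc = gf_mul(rc, 0x02)
        elif nk > 6 and i % nk == 4:
            # extra SubWord step that only the 256-bit key schedule has
            temp = sub_word(temp)
        w.append(w[i - nk] ^ temp)
    return w


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for i, word in enumerate(key_expansion(key)):
        print(f"w[{i:2}] = {word:08x}")
```

Running the block prints all 44 words; the first four are the key itself and w[4..7] reproduce the table above, which is a quick way to confirm that RotWord, SubWord and Rcon are applied in the right order.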

Key Expansion
Rationale
Criteria used in the design of the key expansion algorithm:
Simple description.
Non-linearity: prohibits the full determination of round-key differences from cipher-key differences.
Diffusion: each cipher-key bit affects many round-key bits.
Round constants: eliminate symmetry or similarity between the way the round keys are generated.
Knowledge of fewer than Nk consecutive words of either the cipher key or a round key makes it difficult to reconstruct the remaining unknown bits.

Equivalent Inverse Cipher

The Rijndael decryption cipher is not identical to the encryption cipher. Disadvantage: two separate software or hardware modules are required if both encryption and decryption are performed. There is an equivalent version of the decryption algorithm that has the same structure (the same sequence of transformations) as the encryption algorithm.

InvCipher, Scheme

The original sequences are:

Encryption: SubBytes, ShiftRows, MixColumns, AddRoundKey
Decryption: InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns

Thus, to give decryption the structure of encryption, InvShiftRows needs to be interchanged with InvSubBytes and AddRoundKey with InvMixColumns.

Equivalent Inverse Cipher

InvShiftRows affects the sequence of bytes but does not alter byte content and does not depend on byte content to perform its transformation. InvSubBytes affects the content of bytes but does not alter the byte sequence and does not depend on the byte sequence to perform its transformation. Thus InvShiftRows and InvSubBytes can be interchanged: for a given state S,

InvShiftRows(InvSubBytes(S)) = InvSubBytes(InvShiftRows(S))

Equivalent Inverse Cipher

If the round key is viewed as a sequence of words, then both AddRoundKey and InvMixColumns operate on the state one column at a time. These operations are linear with respect to the column input: for state S and round key w,

InvMixColumns(S XOR w) = [InvMixColumns(S)] XOR [InvMixColumns(w)]

Equivalent Inverse Cipher

For one column (y0..y3 of the state, k0..k3 of the round key, matrix entries in hexadecimal over GF(2^8)):

$$
\begin{pmatrix}
\mathtt{0E} & \mathtt{0B} & \mathtt{0D} & \mathtt{09} \\
\mathtt{09} & \mathtt{0E} & \mathtt{0B} & \mathtt{0D} \\
\mathtt{0D} & \mathtt{09} & \mathtt{0E} & \mathtt{0B} \\
\mathtt{0B} & \mathtt{0D} & \mathtt{09} & \mathtt{0E}
\end{pmatrix}
\begin{pmatrix} y_0 \oplus k_0 \\ y_1 \oplus k_1 \\ y_2 \oplus k_2 \\ y_3 \oplus k_3 \end{pmatrix}
=
\begin{pmatrix}
\mathtt{0E} & \mathtt{0B} & \mathtt{0D} & \mathtt{09} \\
\mathtt{09} & \mathtt{0E} & \mathtt{0B} & \mathtt{0D} \\
\mathtt{0D} & \mathtt{09} & \mathtt{0E} & \mathtt{0B} \\
\mathtt{0B} & \mathtt{0D} & \mathtt{09} & \mathtt{0E}
\end{pmatrix}
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \end{pmatrix}
\oplus
\begin{pmatrix}
\mathtt{0E} & \mathtt{0B} & \mathtt{0D} & \mathtt{09} \\
\mathtt{09} & \mathtt{0E} & \mathtt{0B} & \mathtt{0D} \\
\mathtt{0D} & \mathtt{09} & \mathtt{0E} & \mathtt{0B} \\
\mathtt{0B} & \mathtt{0D} & \mathtt{09} & \mathtt{0E}
\end{pmatrix}
\begin{pmatrix} k_0 \\ k_1 \\ k_2 \\ k_3 \end{pmatrix}
$$

Thus InvMixColumns and AddRoundKey can be interchanged, provided the round key is first passed through InvMixColumns.
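Both interchange properties, checked as an added Python example that is not part of the lecture: the state is held as 16 bytes in column-major order (byte r of column c at index r + 4c), the inverse S-box is computed arithmetically, and the sample state and round key are constructed values (the round key is the lecture's cipher key). A MixColumns/InvMixColumns round trip is included as a sanity check that the 0E/0B/0D/09 matrix is the inverse of the 02/03/01/01 one. All names are my own.

```python
# Added example: the two interchange properties behind the equivalent inverse
# cipher, verified on a sample state. Sample inputs are constructed values.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p & 0xFF


def inv_sbox_byte(y: int) -> int:
    """Inverse S-box: undo the affine map, then take the GF(2^8) inverse."""
    b = 0x05
    for i in (1, 3, 6):
        b ^= ((y << i) | (y >> (8 - i))) & 0xFF
    return next((x for x in range(1, 256) if gf_mul(x, b) == 1), 0)


INV_SBOX = [inv_sbox_byte(y) for y in range(256)]


def inv_sub_bytes(s: bytes) -> bytes:
    """Byte-wise substitution; position of a byte plays no role."""
    return bytes(INV_SBOX[b] for b in s)


def inv_shift_rows(s: bytes) -> bytes:
    """Row r is rotated right by r positions; byte values are untouched."""
    out = bytearray(16)
    for r in range(4):
        for c in range(4):
            out[r + 4 * ((c + r) % 4)] = s[r + 4 * c]
    return bytes(out)


def _mul_columns(s: bytes, row0) -> bytes:
    """Multiply every column by the circulant matrix whose first row is row0."""
    out = bytearray(16)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(row0[(k - r) % 4], col[k])   # row r = row0 rotated right by r
            out[4 * c + r] = acc
    return bytes(out)


def mix_columns(s: bytes) -> bytes:
    return _mul_columns(s, (0x02, 0x03, 0x01, 0x01))


def inv_mix_columns(s: bytes) -> bytes:
    return _mul_columns(s, (0x0E, 0x0B, 0x0D, 0x09))


def add_round_key(s: bytes, k: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(s, k))


def check_interchange(state: bytes, round_key: bytes) -> dict:
    """Return which of the equivalent-inverse-cipher identities hold on this input."""
    return {
        "invshiftrows_invsubbytes":
            inv_shift_rows(inv_sub_bytes(state)) == inv_sub_bytes(inv_shift_rows(state)),
        "invmixcolumns_addroundkey":
            inv_mix_columns(add_round_key(state, round_key))
            == add_round_key(inv_mix_columns(state), inv_mix_columns(round_key)),
        "mixcolumns_roundtrip": inv_mix_columns(mix_columns(state)) == state,
    }


# constructed sample state; the round key is the lecture's cipher key
STATE = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
ROUND_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    for name, ok in check_interchange(STATE, ROUND_KEY).items():
        print(f"{name}: {'holds' if ok else 'FAILS'}")
```

The second identity is what makes the equivalent inverse cipher work in practice: the decryption key schedule applies InvMixColumns to round keys 1 through Nr-1 once, up front, and the round function can then keep the encryption ordering.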

Rijndael performance summary

As evaluated by the National Institute for Standards and Technology

General Security: Rijndael has no known security attacks and has an adequate security margin. It received some criticism suggesting that its simple mathematical structure may lead to attacks. On the other hand, the simple structure may have facilitated the security analysis.

Software Implementation: Performs encryption and decryption very well across a variety of platforms (including 8-bit, 32-bit and 64-bit processors). There is a decrease in performance with higher key sizes because of the increased number of rounds. High parallelism facilitates the efficient use of processor resources. Very well suited for restricted-space environments (small amounts of RAM and/or ROM) where either encryption or decryption is performed (but not both).

Hardware Implementation: Has the highest throughput for feedback modes and the second highest for non-feedback modes. Efficiency is generally very good.

Attacks on Implementation:
Timing attacks: attacks on operations that execute in different amounts of time. The general defense is to make encryption and decryption run in the same amount of time.
Power attacks: attacks on operations that use different amounts of power. The general defense is to process the data and its complement (nearly) simultaneously. Boolean operations, table lookups and fixed shifts/rotations are the easiest operations to defend against these attacks. The use of masking (executing the same operation twice to mask power consumption) does not cause significant performance degradation.

Key Agility: Defined as the ability to change keys quickly and with a minimum of resources. Rijndael provides on-the-fly subkey computation (computation of the specific subkey needed for a particular round just prior to its use in the round). The first decryption subkey cannot be generated directly from the original key, and there is a need to step through all the subkeys. This places a slight resource burden on key agility.

Encryption vs. Decryption: Speed does not vary significantly between encryption and decryption, although key setup is slower for decryption.
