(Solution to Odd-Numbered Problems) Number of rounds. rounds

Similar documents
Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Module 2 Advanced Symmetric Ciphers

Symmetric Cryptography

A Five-Round Algebraic Property of the Advanced Encryption Standard

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

arxiv: v1 [cs.cr] 13 Sep 2016

LOOKING INSIDE AES AND BES

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Extended Criterion for Absence of Fixed Points

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

Table Of Contents. ! 1. Introduction to AES

Some integral properties of Rijndael, Grøstl-512 and LANE-256

A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

The Advanced Encryption Standard

Differential Fault Analysis on A.E.S.

Lecture 12: Block ciphers

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Sidechannel Resistant Lightweight ASIC Implementations of DES and AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

An Analytical Approach to S-Box Generation

A Polynomial Description of the Rijndael Advanced Encryption Standard

The Hash Function JH 1

Structural Evaluation by Generalized Integral Property

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Symmetric Crypto Systems

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Symmetric Crypto Systems

A Multiple Bit Parity Fault Detection Scheme for The Advanced Encryption Standard Galois/ Counter Mode

Australian Journal of Basic and Applied Sciences

Applying Grover s algorithm to AES: quantum resource estimates

Affine equivalence in the AES round function

A New Approach for Designing Key-Dependent S-Box Defined over GF (2 4 ) in AES

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Public-key Cryptography: Theory and Practice

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Part (02) Modem Encryption techniques

Subspace Trail Cryptanalysis and its Applications to AES

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

BISON Instantiating the Whitened Swap-Or-Not Construction November 14th, 2018

PARITY BASED FAULT DETECTION TECHNIQUES FOR S-BOX/ INV S-BOX ADVANCED ENCRYPTION SYSTEM

AES side channel attacks protection using random isomorphisms

Lecture 5. Block Diagrams. Modes of Operation of Block Ciphers

High Performance Computing techniques for attacking reduced version of AES using XL and XSL methods

Provably Secure Higher-Order Masking of AES

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

The Rijndael Block Cipher

A New Algorithm to Construct. Secure Keys for AES

Essential Algebraic Structure Within the AES

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

MATH3302 Cryptography Problem Set 2

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Cryptography: Key Issues in Security

MATH 509 Differential Cryptanalysis on DES

Chapter 4 Mathematics of Cryptography

Hardware Design and Analysis of Block Cipher Components

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Block Cipher Cryptanalysis: An Overview

Lecture 4: DES and block ciphers

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

The Hash Function Fugue

720 IEEE TRANSACTIONS ON COMPUTERS, VOL. 55, NO. 6, JUNE 2006

Methods and Tools for Analysis of Symmetric Cryptographic Primitives

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Security of the AES with a Secret S-box

A Block Cipher using an Iterative Method involving a Permutation

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Lecture Notes. Advanced Discrete Structures COT S

Impossible Differential Cryptanalysis of Mini-AES

Introduction to Symmetric Cryptography

A block cipher enciphers each block with the same key.

Product Systems, Substitution-Permutation Networks, and Linear and Differential Analysis

Alternative Approaches: Bounded Storage Model

Differential Cache Trace Attack Against CLEFIA

Solutions to the Midterm Test (March 5, 2011)

Truncated differential cryptanalysis of five rounds of Salsa20

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

ECS 189A Final Cryptography Spring 2011

Block Ciphers and Systems of Quadratic Equations

Elliptic Curve Cryptography and Security of Embedded Devices

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Akelarre. Akelarre 1

Block Ciphers that are Easier to Mask: How Far Can we Go?

Transcription:

CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys and the number of transformation depend on the number of rounds. The following table list the information. Note that there is one transformation for pre-round. Also note that the last round uses only three transformations. Version rounds round keys Transformations AES-28 + 9 4 + 3 = 4 AES-92 2 3 + 4 + 3 = 48 AES-256 4 5 + 3 4 + 3 = 56 5. Before and after each stage, the data block is referred to as a state. States, like blocks, are made of 6 bytes, but they are normally treated as matrices of 4 4 bytes. The following table shows the number of states used in each version. We have used two extra states: one before the pre-round and one after the last round. If you do not consider this, the number of states is reduced by two. Version rounds States AES-28 () + + 9 4 + 3 + () = 42 AES-92 2 () + + 4 + 3 + () = 5 AES-256 4 () + + 3 4 + 3 + () = 58 7. Substitution in DES is done by S-boxes. Each box substitutes a 6-bit value with a 4-bit value. We need eight S-boxes to create a 32-bit half block. Substitution in

2 AES is done through SubBytes transformation that transforms a whole state to another state. However, we can say that SubBytes actually substitutes 6 bytes with new 6 bytes. 9. In DES, the size of the block is 64 bits, but the size of the round key is 48 bits. In AES the size of the block and the round key are both 28 bits (for all versions). Exercises. The disadvantage of using keyed S-boxes is that it makes the design of the cipher more difficult. In particular, it is more difficult to create S-boxes that are inverse of each other in the encryption and decryption cipher. The advantage of using keyed S-boxes is that a keyed S-box is normally non-linear, which protect the cipher against linear cryptanalysis. 3. Having different number of rounds has the advantage that new versions of cipher with more number of rounds can be used, without changing the structure of cipher, if the cipher is attacked by differential and linear cryptanalysis (or other attacks that depend on the number of rounds). For example, we can use AES with rounds as long as it is not secured. If it is attacked, we can move to the version with 2 or 4 rounds without changing the structure of the cipher. 5. A cipher in which the size of the round is the same as the size of the round key is easier to design because we do not have to use expansion (or compression) permutation to match the size of the block to the size of the round key. This enable us to make the non-feistel ciphers. 7. We use two plaintexts that differ only in the first bit: P : ( ) 6 P 2 : (8 ) 6 a. Applying the SubBytes transformation to P and P 2, we get: T : (6363 6363 6363 6363 6363 6363 6363 6363) 6 T 2 : (CD63 6363 6363 6363 6363 6363 6363 6363) 6 T 2 and T differ only in 5 bits. b. Applying the ShiftRows transformation to P and P 2, we get: T : ( ) 6 T 2 : (8 ) 6 T 2 and T differ only in bit.

3 Applying the MixColumn transformation to P and P 2, we get: T : ( ) 6 T 2 : (B8 89B ) 6 T 2 and T differ in 9 bits. c. Applying the AddRoundKey of 28 -bit transformation to P and P 2, we get: T : ( ) 6 T 2 : (8 ) 6 T 2 and T differ only in bit. Note that we have used a round key with 28 s, but the result is the same if we use any key. 9. a. The SubBytes transformation is repeated in each round. So we have N r of this transformation. b. The ShiftRows transformation is repeated in each round. So we have N r of this transformation. c. The MixColumns transformation is repeated in each round except the last round. So we have (N r ) of this transformation. d. The AddRoundKey transformation is repeated in each round. In addition, we have one of this transformation in the pre-round section. So we have (N r + ) of this transformation. e. The total number of transformation is Total number of transformation = N r + N r + (N r ) + (N r + ) = 4 N r 2. a. We can use (x mod prime) and (x 2 mod prime), in which the prime is the the irreducible polynomial (x 8 + x 4 + x 3 + x + ), to find the first terms of RCon[] and RCon[2]. The following shows the constants for AES-92. Round (RCon) Round (RCon) Round (RCon) ( ) 6 5 ( ) 6 9 (B ) 6 2 (2 ) 6 6 (2 ) 6 (36 ) 6 3 (4 ) 6 7 (4 ) 6 (6C ) 6 4 (8 ) 6 8 (8 ) 6 2 (D8 ) 6

4 b. We can use (x 3 mod prime) and (x 4 mod prime), in which the prime is the the irreducible polynomial (x 8 + x 4 + x 3 + x + ), to find the first terms of RCon[3] and RCon[4]. The following shows the constants for AES-256. Round (RCon) Round (RCon) Round (RCon) ( ) 6 6 (2 ) 6 (6C ) 6 2 (2 ) 6 7 (4 ) 6 2 (D8 ) 6 3 (4 ) 6 8 (8 ) 6 3 (AB ) 6 4 (8 ) 6 9 (B ) 6 4 (4D ) 6 5 ( ) 6 (36 ) 6 23. The result is an identity matrix as shown below. Note that the addition and multiplication of elements are in GF(2). X X = X X 25. Most of the code matches, line by line, with the steps in the process. The only section that needs some explanation is the loop. The iterations of the loop gives us c = b b 4 b 5 b 6 b 7 c = b b 4 b 5 b 6 b 7 c = b b 5 b 6 b 7 b c = b b b 5 b 6 b 7 c 2 = b 2 b 6 b 7 b b c 2 = b b b 2 b 6 b 7 c 3 = b 3 b 7 b b b 2 c 3 = b b b 2 b 3 b 7 c 4 = b 4 b b b 2 b 3 c 4 = b b b 2 b 3 b 4 c 5 = b 5 b b 2 b 3 b 4 c 5 = b b 2 b 3 b 4 b 5 c 6 = b 6 b 2 b 3 b 4 b 5 c 6 = b 2 b 3 b 4 b 5 b 6 c 7 = b 7 b 3 b 4 b 5 b 6 c 7 = b 3 b 4 b 5 b 6 b 7 The rearranged code is the result of matrix multiplication c = X b if we ignore the zero terms. After each line is created d = c + y is made.

5 27. InvSubBytes (S[ 3][ 3]) for (r = to 3) for (c = to 3) S[r][c] invsubbyte (S[r][c]) return (S) invsubbyte (byte) d ByteToMatrix (byte) c d ByteToMatrix (x63) b X c a MatrixToByte (b) return (a ) 29. CopyRow (row[ 3], t[ 3]) for (c = to 3) t[c] row [c] 3. The MixColumns algorithm calls the mixcolum routine four times, once for each column of the old state to create the correspond column of the new state. The mixcolumn routine actually performs the following matrix multiplication col = C t, in which col is the new column matrix, t is the old column matrix, and the C is the square constant matrix. We can write the code in the mixcolumn routine as col C t C t C 2 t 2 C 3 t 3 col C t C t C 2 t 2 C 3 t 3 col 2 C 2 t C 2 t C 22 t 2 C 23 t 3 col 3 C 3 t C 3 t C 32 t 2 C 33 t 3

6 33. MixColumns (S[ 3][ 3] for (c = to 3) mixcolumn (S[c]) 35. The algorithm uses a loop that iterates four times, one for each column of the current state. In each iteration, a column of the old state is exclusive-ored with a key word to create a new column. 37. mixcolumn (col [ 3]) For example, in round 5, we have a. CopyColumn (col, t) col[] MultField (x2, t[]) MultField (x3, t[]) t[2] t[3] col[] t[] MultField (x2, t[]) MultField (x3, t[2]) t[3] col[2] t[] t[] MultField (x2, t[2]) MultField (x3, t[3]) col[3] MultField (x3, t[]) t[] t[2] MultField (x2, t[3]) S[c] S[c] W[4 round + c] KeyExpansion (Key[ 23], W[ 5] for (i = to 5) for (i = 6 to 5) S[] S[] W[2] S[] S[] W[2] S[2] S[2] W[22] S[3] S[3] W[23] W[i] Key[4i] Key[4i +] Key[4i +2] Key[4i +3] if (i mod 6 = ) t subword(rotword (W[i ]) Rcon[i /6] W[i] t W[i 6]

7 b. else W[i] W[i ] W[i 6] 39. KeyExpansion (Key[ 3], W[ 59]) for (i = to 7) W[i] Key[4i] Key[4i +] Key[4i +2] Key[4i +3] for (i = 8 to 59) if (i mod 8 = ) t subword(rotword (W[i ]) Rcon[i /8] W[i] t W[i 8] if (i mod 8 = 4) t subword(w[i ]) W[i] t W[i 8] else W[i] W[i ] W[i 8] InvCipher (InBlock[ 6], outblock[ 6], W[ 43] BlockToState (Inblock, S) S AddRoundKey (S, W[4 43]) for (r = to ) // r defines the round S InvShiftRows (S) S InvSubBytes (S) S AddRoundKey (S, W[( r) 4 ( r) 4 + 3) if (r ) S InvMixColumns (S)

8 StateToBlock (S, outblock)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback