7/29/2019 4 AES Rijndael (7-8)
1/55
Lecture 4: The Advanced Encryption Standard (AES)

On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for the AES algorithms was formally made on September 12, 1997.

The requirements of the AES are as follows:
(1) The call stipulated that the AES would specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s).
(2) The algorithm(s) must support (at a minimum) block sizes of 128 bits and key sizes of 128, 192, and 256 bits, and should have a strength at the level of the triple DES, but should be more efficient than the triple DES.
(3) It should work on a variety of different hardware.
(4) The algorithm(s), if selected, must be available royalty-free, worldwide.

On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called the Round 1). The Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.

The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (the Round 2).

In the Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations and implementation issues. On October 2, 2000, NIST announced that it had selected Rijndael to propose for the AES.

Outline
About the Finite Field GF(p^n)
The Basic Algorithm
The Layers
Decryption
Design Consideration
Implementation Concerns
Positive Impact of the AES
Modes of Operation
Message Authentication Code

1 About the Finite Field GF(p^n)
For every power p^n of a prime p, there is exactly one finite field with p^n elements. But the integers modulo p^n (for n > 1) do not form a field, since the congruence p·x ≡ 1 (mod p^n) does not have a solution.

Example 1. Construct GF(2^2).
Solution: Let Z_2[X] be the set of polynomials whose coefficients are integers mod 2, such as 1+X and 1+X+X^2. The constant polynomials 0, 1 are also in Z_2[X]. We can add, subtract, and multiply in this set, as long as we work with the coefficients mod 2, such as (1+X)(1+X) = 1+X^2. We can perform division with remainder, just as with the integers. For example, we divide 1+X+X^2 into 1+X^3+X^4 and get
  1+X^3+X^4 = (1+X^2)(1+X+X^2) + X.
We can write this as 1+X^3+X^4 ≡ X (mod 1+X+X^2). Therefore, we can define Z_2[X] (mod 1+X+X^2) to be the set {0, 1, X, 1+X} of polynomials of degree at most 1. For addition and multiplication mod 1+X+X^2, it is a field with 4 elements.

1.2 Division
The Extended Euclidean Algorithm
Example 2. Consider GF(2^8) = Z_2[X] (mod 1+X+X^3+X^4+X^8); find the inverse of 1+X+X^3+X^6+X^7.
Solution: Calculate gcd(1+X+X^3+X^4+X^8, 1+X+X^3+X^6+X^7). Division with remainder (dividend = (quotient)(divisor) + remainder) is the same as for integers:
  1+X+X^3+X^4+X^8 = (1+X)(1+X+X^3+X^6+X^7) + (X+X^2+X^6)
  1+X+X^3+X^6+X^7 = (1+X)(X+X^2+X^6) + 1.
Therefore (substituting the first remainder into the second line, and using (1+X)^2 = 1+X^2 with coefficients mod 2),
  1 = (1+X)(1+X+X^3+X^4+X^8) + (X^2)(1+X+X^3+X^6+X^7).
Reducing mod 1+X+X^3+X^4+X^8, we obtain:
  (X^2)(1+X+X^3+X^6+X^7) ≡ 1 (mod 1+X+X^3+X^4+X^8),
so the inverse of 1+X+X^3+X^6+X^7 is X^2.

1.3 GF(2^8)
Use GF(2^8) = Z_2[X] (mod 1+X+X^3+X^4+X^8) as an example. Every element can be represented uniquely as a polynomial
  b_7X^7 + b_6X^6 + b_5X^5 + b_4X^4 + b_3X^3 + b_2X^2 + b_1X + b_0,
where each b_i is 0 or 1. The 8 bits b_7b_6b_5b_4b_3b_2b_1b_0 represent a byte. For example, 1+X+X^3+X^6+X^7 becomes 11001011. Addition is the XOR of the bits:
  11001011 XOR 00011001 = 11010010.
Multiplication by X is (1+X+X^3+X^6+X^7)(X) = 11001011 shifted left with a 0 appended, that is 110010110; if the first bit is 1, subtract 100011011 (the polynomial 1+X+X^3+X^4+X^8):
  110010110 XOR 100011011 = 010001101.
In summary, we see that these operations in GF(2^8) are efficient.

2 The Basic Algorithm
For simplicity, we restrict to 128 bits, and first give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key, which is the original 128-bit key. A round starts with an input of 128 bits and produces an output of 128 bits.

There are four basic steps, called layers, that are used to form the rounds:
(1) The ByteSub (SB) Transformation: This non-linear layer is for resistance to differential and linear cryptanalysis attacks.
(2) The ShiftRow (SR) Transformation: This linear mixing step causes diffusion of the bits over multiple rounds.
(3) The MixColumn (MC) Transformation: This layer has a purpose similar to ShiftRow.
(4) AddRoundKey (ARK) Transformation: The round key is XORed with the result of the above layer.

A round is then
  ByteSub → ShiftRow → MixColumn → AddRoundKey
Rijndael Encryption
(1) ARK, using the 0th round key.
(2) Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.
(3) A final round: BS, SR, ARK, using the 10th round key.
# The final round omits the MixColumn layer.

3 The Layers
The 128 input bits are grouped into 16 bytes of 8 bits, call them a_{0,0}, a_{1,0}, a_{2,0}, a_{3,0}, a_{0,1}, a_{1,1}, ..., a_{3,3}, and are arranged (column by column) into a 4×4 matrix
  a_{0,0} a_{0,1} a_{0,2} a_{0,3}
  a_{1,0} a_{1,1} a_{1,2} a_{1,3}
  a_{2,0} a_{2,1} a_{2,2} a_{2,3}
  a_{3,0} a_{3,1} a_{3,2} a_{3,3}
In the following, we'll need to work with the finite field GF(2^8). The model of GF(2^8) depends on a choice of irreducible polynomial of degree 8. The choice for Rijndael is 1+X+X^3+X^4+X^8. The elements of GF(2^8) can be represented by bytes. They can be added by XOR. They can also be multiplied in a certain way. Each element has a multiplicative inverse.

3.1 The ByteSub Transformation
S-Box (16×16): a table of 256 byte values, indexed by the upper four bits of the input byte (row) and the lower four bits (column). The table itself did not survive extraction; the entries used in the examples are 61 (row 9, column 12, both counted from 1) and 31 (row 13, column 12).

3.1 The ByteSub Transformation (Continued)
Write a byte as 8 bits: abcdefgh. Look for the entry in the abcd row and the efgh column (rows and columns are numbered from 1, so 0000 is row 1). For example, if the input byte is 10001011, we look in row 9 and column 12. The entry is 61, which is 111101 in binary, i.e. the output byte 00111101. The output of ByteSub is again a 4×4 matrix of bytes (b_{i,j}), obtained by applying the S-box to each entry of (a_{i,j}).

3.2 The ShiftRow Transformation
The four rows of the matrix (b_{i,j}) are shifted cyclically to the left by offsets of 0, 1, 2, and 3 to obtain (c_{i,j}):
  b_{0,0} b_{0,1} b_{0,2} b_{0,3}        b_{0,0} b_{0,1} b_{0,2} b_{0,3}
  b_{1,0} b_{1,1} b_{1,2} b_{1,3}   →    b_{1,1} b_{1,2} b_{1,3} b_{1,0}
  b_{2,0} b_{2,1} b_{2,2} b_{2,3}        b_{2,2} b_{2,3} b_{2,0} b_{2,1}
  b_{3,0} b_{3,1} b_{3,2} b_{3,3}        b_{3,3} b_{3,0} b_{3,1} b_{3,2}

3.3 The MixColumn Transformation
The output of the ShiftRow step is a 4×4 matrix (c_{i,j}) with entries in GF(2^8). Multiply this by a matrix, again with entries in GF(2^8), to produce the output (d_{i,j}), as follows:
  | 00000010 00000011 00000001 00000001 |   | c_{0,0} c_{0,1} c_{0,2} c_{0,3} |   | d_{0,0} d_{0,1} d_{0,2} d_{0,3} |
  | 00000001 00000010 00000011 00000001 | × | c_{1,0} c_{1,1} c_{1,2} c_{1,3} | = | d_{1,0} d_{1,1} d_{1,2} d_{1,3} |
  | 00000001 00000001 00000010 00000011 |   | c_{2,0} c_{2,1} c_{2,2} c_{2,3} |   | d_{2,0} d_{2,1} d_{2,2} d_{2,3} |
  | 00000011 00000001 00000001 00000010 |   | c_{3,0} c_{3,1} c_{3,2} c_{3,3} |   | d_{3,0} d_{3,1} d_{3,2} d_{3,3} |
(the products are multiplications in GF(2^8) and the sums are XORs).

3.4 The RoundKey Addition
The round key, derived from the original key, consists of 128 bits, which are arranged in a 4×4 matrix (k_{i,j}) consisting of bytes. This is XORed with the output (d_{i,j}) of the MixColumn step:
  (e_{i,j}) = (d_{i,j}) ⊕ (k_{i,j}),   i.e. e_{i,j} = d_{i,j} XOR k_{i,j} for each of the 16 bytes.

3.5 The Key Schedule
The original key consists of 128 bits, which are arranged into a 4×4 matrix of bytes. Label the first four columns W(0), W(1), W(2), W(3). The new columns are generated recursively. If 4 ∤ i, then W(i) = W(i-4) ⊕ W(i-1). If 4 | i, then W(i) = W(i-4) ⊕ T(W(i-1)), where T(W(i-1)) is the transformation of W(i-1) defined as follows. Let W(i-1) = (a, b, c, d)^T, a column of four bytes.
(1) Shift the bytes cyclically: (b, c, d, a)^T.
(2) Replace each byte by its S-box entry: (e, f, g, h)^T.
(3) Compute the round constant r(i) = 00000010^{(i-4)/4} in GF(2^8).
Then T(W(i-1)) = (e ⊕ r(i), f, g, h)^T.
The round key for the ith round consists of the columns W(4i), W(4i+1), W(4i+2), W(4i+3).

3.6 The Construction of the S-Box
The S-box has a simple mathematical description. Write the input byte as x_7x_6x_5x_4x_3x_2x_1x_0. Then the inverse of the byte x_7...x_0 in GF(2^8) can be represented by y_7...y_0. Suppose the inverse of the byte 00000000 is 00000000. The entry of x_7...x_0 in the S-box can be computed by
  | 1 1 1 1 1 0 0 0 |   | y_7 |   | 0 |   | z_7 |
  | 0 1 1 1 1 1 0 0 |   | y_6 |   | 1 |   | z_6 |
  | 0 0 1 1 1 1 1 0 |   | y_5 |   | 1 |   | z_5 |
  | 0 0 0 1 1 1 1 1 | × | y_4 | + | 0 | = | z_4 |
  | 1 0 0 0 1 1 1 1 |   | y_3 |   | 0 |   | z_3 |
  | 1 1 0 0 0 1 1 1 |   | y_2 |   | 0 |   | z_2 |
  | 1 1 1 0 0 0 1 1 |   | y_1 |   | 1 |   | z_1 |
  | 1 1 1 1 0 0 0 1 |   | y_0 |   | 1 |   | z_0 |
with all arithmetic mod 2. The byte z_7...z_0 is the S-box entry.

3.6 The Construction of the S-Box (Continued)
Example 3. The inverse of the byte 11001011 in GF(2^8) is 00000100 (the inverse computed in Example 2). We calculate
  | 1 1 1 1 1 0 0 0 |   | 0 |   | 0 |   | 0 |
  | 0 1 1 1 1 1 0 0 |   | 0 |   | 1 |   | 0 |
  | 0 0 1 1 1 1 1 0 |   | 0 |   | 1 |   | 0 |
  | 0 0 0 1 1 1 1 1 | × | 0 | + | 0 | = | 1 |
  | 1 0 0 0 1 1 1 1 |   | 0 |   | 0 |   | 1 |
  | 1 1 0 0 0 1 1 1 |   | 1 |   | 0 |   | 1 |
  | 1 1 1 0 0 0 1 1 |   | 0 |   | 1 |   | 1 |
  | 1 1 1 1 0 0 0 1 |   | 0 |   | 1 |   | 1 |
This yields the byte 00011111 = 31. We check the row 1100 = 13 and the column 1011 = 12 in the S-box. We also obtain the entry 31.

4 Decryption
Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:
(1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS).
(2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).

(3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix
  | 00001110 00001011 00001101 00001001 |
  | 00001001 00001110 00001011 00001101 |
  | 00001101 00001001 00001110 00001011 |
  | 00001011 00001101 00001001 00001110 |
(4) AddRoundKey is its own inverse.
Therefore, running the encryption steps backwards gives:
  Rijndael encryption: ARK; BS, SR, MC, ARK (nine times); BS, SR, ARK.
  Rijndael decryption: ARK, ISR, IBS; ARK, IMC, ISR, IBS (nine times); ARK.
We can rewrite the decryption to achieve the same structure as the encryption. Clearly, the order of ISR and IBS can be reversed. Applying MC and then ARK to a matrix (c_{i,j}) gives
  (e_{i,j}) = (m_{i,j})(c_{i,j}) ⊕ (k_{i,j}),
where (m_{i,j}) is the MixColumn matrix. The inverse is obtained by solving (c_{i,j}) = (m_{i,j})^{-1}((e_{i,j}) ⊕ (k_{i,j})). Since (m_{i,j})^{-1}((e_{i,j}) ⊕ (k_{i,j})) = (m_{i,j})^{-1}(e_{i,j}) ⊕ (m_{i,j})^{-1}(k_{i,j}), the process is
  (e_{i,j}) → (m_{i,j})^{-1}(e_{i,j}) → (m_{i,j})^{-1}(e_{i,j}) ⊕ (m_{i,j})^{-1}(k_{i,j}) = (c_{i,j}),
where the first arrow is IMC. Let InvAddRoundKey (IARK) be XORing with (m_{i,j})^{-1}(k_{i,j}). We can use "IMC and IARK" to replace "ARK and IMC".

Now, the decryption is given by
  Rijndael decryption: ARK, IBS, ISR; IMC, IARK, IBS, ISR (nine times); ARK.
Rijndael Decryption
(1) ARK, using the 10th round key.
(2) Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.
(3) A final round: IBS, ISR, ARK, using the 0th round key.
# To keep the perfect structure, the MC is omitted in the last round of the encryption.

5 Design Consideration
(1) The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES.
(2) Unlike the Feistel system, all bits are treated uniformly. This has the effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.

(3) The S-box is constructed in an explicit and simple algebraic way so as to avoid the mysteries of trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks.
(4) The SR step is added to resist truncated differentials and the square attack.
(5) The MC causes diffusion among the bytes.

(6) The ARK involves nonlinear mixing of the key bits (the nonlinearity comes from the S-box used in the key schedule). The mixing is designed to resist the known part key attack. The round constants are used to eliminate symmetries.
(7) The number of rounds was chosen to be 10 because there are attacks that are better than brute force up to seven rounds (as of 2004). No known attack beats brute force for seven or more rounds. It was felt that three extra rounds provide a large enough margin of safety.

6 Implementation Concerns
We have seen that the Rijndael internal functions are very simple and operate in trivially small algebraic spaces. As a result, implementations of these internal functions can be done with extremely good efficiency. From our descriptions of the Rijndael internal functions, SB/ISB and MC/IMC are worthy of fast implementation considerations.

(1) For SB/ISB, we suggest using the "S-box lookup" method: a small S-box with 2^8 = 256 pairs of bytes can be built once and used forever (i.e., the table can be "hardwired" into hardware or software implementations). The "S-box lookup" method not only is efficient, but also prevents a timing analysis attack, which is based on observing the operation time difference for different data, which may suggest whether an operation is performed on bit 0 or bit 1. (The lookup is only constant-time if the memory access itself does not leak, e.g. through cache behaviour; constant-time software implementations therefore avoid data-dependent table indexing.)

(2) In MC, multiplication between elements in GF(2^8) can also be realized via a "table lookup" method: z = xy (field multiplication), where x ∈ {01, 10, 11} and y ∈ GF(2^8). Further notice that the byte 01 is simply the multiplicative identity in the field, i.e., 01·y = y. Thus, an implementation (either in software or hardware) of this multiplication table only needs 2×256 = 512 entries. This small table is not much larger than one which every primary school pupil has to recite. This realization not only is fast, but also decreases the risk of the timing analysis attack.

(3) IMC is not quite as fast as MC. This is because the entries in the 4×4 matrix for IMC are more complex than those for MC, and decryption has been measured to run about 30% longer than encryption on the processors considered. However, in some applications, decryption is not needed.

7 Positive Impact of the AES
(1) Multiple encryption, such as triple-DES, will become unnecessary with the AES. Since multiple encryption uses a plural number of keys, the avoidance of using multiple encryption will mean a reduction in the number of cryptographic keys that an application has to manage, and hence will simplify the design of security protocols and systems.

(2) Wide use of the AES will lead to the emergence of new hash functions of compatible security strengths. In several ways, block cipher encryption algorithms are closely related to hash functions. It has been a standard practice that block cipher encryption algorithms are often used to play the role of one-way hash functions. The logging-in authentication protocol of the UNIX operating system is a well-known example. We have seen a typical "one-way transformation" usage of the DES function in the realization of the UNIX password scheme. Another example is to use block cipher encryption algorithms to realize (keyed) one-way hash functions.

(3) Just as the DES's standard position attracted much cryptanalysis attention trying to break the algorithm, and these efforts contributed to the advance of knowledge in block cipher cryptanalysis, the AES as the new block cipher standard will also give rise to a new resurgence of high research interest in block cipher cryptanalysis, which will certainly further advance the knowledge in the area.

8 Modes of Operation
Usually, the long message is divided into a series of sequentially listed message blocks, and the cipher processes these blocks one at a time. A number of different modes of operation have been devised on top of an underlying block cipher algorithm. These modes of operation provide several desirable properties to the ciphertext blocks, such as adding non-determinism (randomness) to a block cipher algorithm, padding plaintext messages to an arbitrary length, control of error propagation, generation of key stream for a stream cipher, etc.

8.1 Electronic Codebook (ECB)
The plaintext is broken into smaller chunks P = [P_1, P_2, ..., P_L], and the ciphertext is C = [C_1, C_2, ..., C_L], where C_j = E_K(P_j) is the encryption of P_j using the key K.
Properties of the ECB mode of operation:
(1) Identical plaintext blocks (under the same key) result in identical ciphertext.
(2) Chaining dependencies: blocks are enciphered independently of other blocks. Reordering ciphertext blocks results in correspondingly re-ordered plaintext blocks.
(3) Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only.

8.1 Electronic Codebook (ECB) (Continued)
Comment. Since ciphertext blocks are independent, malicious substitution of ECB blocks (e.g., insertion of a frequently occurring block) does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns: identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.

8.2 Cipher Block Chaining (CBC)
The cipher-block chaining (CBC) mode of operation is specified as
  C_j = E_K(P_j ⊕ C_{j-1}),   P_j = D_K(C_j) ⊕ C_{j-1},
where C_0 is some chosen initial value and D_K is the decryption function.
[Figure: CBC encryption chain. C_0 is XORed into P_1 and the result passed through E_K to give C_1; C_1 is XORed into P_2 and passed through E_K to give C_2; and so on.]

8.2 Cipher Block Chaining (CBC) (Continued)
Properties of the CBC mode of operation:
(1) Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and C_0. Changing C_0 or the first plaintext block (e.g., using a counter or random field) results in different ciphertext.
(2) Chaining dependencies: the chaining mechanism causes ciphertext C_j to depend on P_j and all preceding plaintext blocks. Consequently, rearranging the order of the ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.
(3) Error propagation: a single bit error in ciphertext block C_j affects decipherment of blocks C_j and C_{j+1}.
(4) Error recovery: the CBC mode is self-synchronizing ciphertext autokey in the sense that if an error (including loss of one or more entire blocks) occurs in block C_j but not C_{j+1}, then C_{j+2} is correctly decrypted to P_{j+2}.

8.3 Cipher Feedback (CFB)
The plaintext is broken into 8-bit pieces P = [P_1, P_2, ..., P_L], where each P_j has 8 bits, rather than 64 bits. The CFB mode has the following operations.
Encryption Procedure
An initial 64-bit X_1 is chosen. Then for j = 1, 2, 3, ..., the following is performed:
  C_j = P_j ⊕ L_8(E_K(X_j)),   X_{j+1} = R_56(X_j) || C_j,
where L_8(X) denotes the leftmost 8 bits of X, R_56(X) denotes the rightmost 56 bits of X, and || denotes concatenation.
Decryption Procedure
  P_j = C_j ⊕ L_8(E_K(X_j)),   X_{j+1} = R_56(X_j) || C_j.
# By the end of the 8th round, the initial X_1 has disappeared from the 64-bit register and X_9 = C_1 || C_2 || ... || C_8.

8.3 Cipher Feedback (CFB) (Continued)
Properties of the CFB mode of operation:
(1) Identical plaintexts: changing X_1 results in the same plaintext input being enciphered to a different output. X_1 need not be secret.
(2) Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block C_j to depend on both P_j and preceding plaintext blocks. Consequently, re-ordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding 8 ciphertext blocks to be correct.
(3) Error propagation: one or more bit errors in any single ciphertext block C_j affect the decipherment of that and the next 8 ciphertext blocks.

8.3 Cipher Feedback (CFB) (Continued)
(4) Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires 8 ciphertext blocks (64 bits) to recover.
(5) Throughput: throughput is decreased by a factor of 64/8 (vs. CBC) in that each execution of E yields only 8 bits of ciphertext output.
Comment. Since the encryption function E is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher E is a public-key algorithm; instead, the CBC mode should be used.

9 Message Authentication Code
Definition 1. A message authentication code (MAC) algorithm is a family of functions h_k parameterized by a secret key k, with the following properties:
(1) Ease of computation: for a known function h_k, given a value k and an input x, h_k(x) is easy to compute. This result is called the MAC-value or MAC.

(2) Compression: h_k maps an input x of arbitrary finite bit length to an output h_k(x) of fixed bit length n. Furthermore, given a description of the function family h, for every fixed allowable value of k (unknown to an adversary), the following property holds:
(3) Computation-resistance: given zero or more text-MAC pairs (x_i, h_k(x_i)), it is computationally infeasible to compute any text-MAC pair (x, h_k(x)) for any new input x ≠ x_i (including possibly for h_k(x) = h_k(x_i) for some i).

9.1 Objectives of Adversaries vs. MAC
The goal: without prior knowledge of a key k, compute a new text-MAC pair (x, h_k(x)) for some text x ≠ x_i, given one or more pairs (x_i, h_k(x_i)).
The potential abilities of the adversaries:
(1) Known-text attack.
(2) Chosen-text attack: one or more text-MAC pairs (x_i, h_k(x_i)) are available for x_i chosen by the adversary.
(3) Adaptive chosen-text attack: now allowing successive choices to be based on the results of prior queries.

9.2 Types of Forgery
The severity of the practical consequences may differ depending on the degree of control an adversary has over the value x for which a MAC may be forged.
(1) Selective forgery: attacks whereby an adversary is able to produce a new text-MAC pair for a text of his choice (or perhaps partially under his control).
(2) Existential forgery: attacks whereby an adversary is able to produce a new text-MAC pair, but with no control over the value of that text.

9.3 Case Study: CBC-Based MAC
Let E be a block cipher. The message M is broken into n-bit blocks [M_1, M_2, ..., M_t], where n is the block length of E. The CBC-MAC algorithm performs the following steps:
(1) CBC processing. Compute the block H_t as follows:
  H_1 = E_K(M_1);   H_i = E_K(H_{i-1} ⊕ M_i), 2 ≤ i ≤ t.
(2) Optional process to increase the strength of the MAC. Using a second secret key K', optionally compute:
  H_t = E_K(D_{K'}(H_t)).
(3) Completion. The MAC is the n-bit block H_t.

9.3 Case Study: CBC-Based MAC (Continued)
[Figure: CBC-MAC chain. M_1 (XORed with 0) → E_K → H_1; H_1 ⊕ M_2 → E_K → H_2; ...; H_{t-1} ⊕ M_t → E_K → H_t; then, optionally, H_t → D_{K'} → E_K → H_t.]

9.3 Case Study: CBC-Based MAC (Continued)
Comment.
(1) It is obvious that the computation for creating a CBC-MAC involves noninvertible data compression (in essence, a CBC-MAC is a 'short digest' of the whole message), and so a CBC-MAC is a one-way transformation.
(2) The mixing-transformation property of the underlying block cipher adds a hash feature to this one-way transformation (i.e., distributes a MAC over the MAC space as uniformly as the underlying block cipher should do over its ciphertext message space).

(3) We can assume that in order to create a valid CBC-MAC, a principal actually has to be in possession of the key K for the underlying block cipher algorithm. The receiver who shares the key K with the transmitter should recalculate the MAC from the received message and check that it agrees with the version received. If so, the message can be believed to have come from the claimed transmitter.

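The ECB, CBC and CFB modes of section 8 and the CBC-MAC of section 9.3, as one added example (not code from the slides). A 64-bit block cipher is needed; since this part of the slides does not fix one, the example constructs a 4-round Feistel stand-in with SHA-256 round functions, which is keyed and invertible but not a secure cipher and is only a placeholder for DES or AES. corrupted_units flips one ciphertext bit and reports which plaintext units then decrypt wrongly, which checks the error-propagation properties listed on slides 40, 43 and 45; cbc_mac and verify_mac implement steps (1)-(3) of 9.3 and the receiver check of slide 54. All function names, keys and sample messages are constructed for this example.

```python
# Added example, not code from the slides: ECB, CBC and 8-bit CFB over a 64-bit block
# cipher, plus CBC-MAC. The block cipher is a constructed Feistel stand-in, NOT secure.
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, as on the CFB slide (8-bit feedback out of a 64-bit register)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Constructed round function: keyed hash of one half-block, truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key, block):
    """Stand-in block cipher: 4-round Feistel. Invertible for any round function."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return r + l

def D(key, block):
    """Inverse of E: undo the final swap, then run the rounds backwards."""
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

def split_blocks(data):
    assert len(data) % BLOCK == 0, "example uses whole blocks; padding is a separate concern"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# 8.1 ECB: C_j = E_K(P_j)
def ecb_encrypt(key, blocks):
    return [E(key, p) for p in blocks]

def ecb_decrypt(key, blocks):
    return [D(key, c) for c in blocks]

# 8.2 CBC: C_j = E_K(P_j xor C_{j-1}),  P_j = D_K(C_j) xor C_{j-1}
def cbc_encrypt(key, c0, blocks):
    out, prev = [], c0
    for p in blocks:
        prev = E(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, c0, blocks):
    out, prev = [], c0
    for c in blocks:
        out.append(xor(D(key, c), prev))
        prev = c
    return out

# 8.3 CFB, 8-bit feedback: C_j = P_j xor L_8(E_K(X_j)),  X_{j+1} = R_56(X_j) || C_j
def cfb8_encrypt(key, x1, pieces):
    out, x = [], x1
    for p in pieces:
        c = p ^ E(key, x)[0]          # L_8: leftmost 8 bits of E_K(X_j)
        out.append(c)
        x = x[1:] + bytes([c])        # R_56(X_j) || C_j
    return out

def cfb8_decrypt(key, x1, pieces):
    out, x = [], x1
    for c in pieces:
        out.append(c ^ E(key, x)[0])  # decryption also uses E_K, never D_K
        x = x[1:] + bytes([c])
    return out

def corrupted_units(mode, key, iv, plaintext, flip_index):
    """Flip one bit of ciphertext unit `flip_index`; return the indices of the plaintext
    units (8-byte blocks for ECB/CBC, single bytes for CFB-8) that then decrypt wrongly."""
    if mode == "cfb8":
        units = list(plaintext)
        ct = cfb8_encrypt(key, iv, units)
        ct[flip_index] ^= 0x01
        pt = cfb8_decrypt(key, iv, ct)
    else:
        units = split_blocks(plaintext)
        ct = ecb_encrypt(key, units) if mode == "ecb" else cbc_encrypt(key, iv, units)
        ct[flip_index] = bytes([ct[flip_index][0] ^ 0x01]) + ct[flip_index][1:]
        pt = ecb_decrypt(key, ct) if mode == "ecb" else cbc_decrypt(key, iv, ct)
    return [i for i, (a, b) in enumerate(zip(units, pt)) if a != b]

# 9.3 CBC-MAC: H_1 = E_K(M_1), H_i = E_K(H_{i-1} xor M_i); optional H_t = E_K(D_K'(H_t))
def cbc_mac(key, message, key2=None):
    h = bytes(BLOCK)                  # the "0" feeding the first block in the slide's figure
    for m in split_blocks(message):
        h = E(key, xor(h, m))
    if key2 is not None:
        h = E(key, D(key2, h))
    return h

def verify_mac(key, message, mac, key2=None):
    """Receiver side (slide 54): recompute the MAC and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, message, key2), mac)

# Constructed sample inputs (not from the slides); MSG has blocks 0 and 2 identical.
KEY, KEY2 = b"k" * 16, b"j" * 16
IV = bytes(range(8))
MSG = b"repeated block! " * 2

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, split_blocks(MSG))
    print("ECB: identical blocks give identical ciphertext:", ecb[0] == ecb[2])
    for mode, idx in (("ecb", 1), ("cbc", 1), ("cfb8", 3)):
        print(mode, "units corrupted after flipping unit", idx, "->", corrupted_units(mode, KEY, IV, MSG, idx))
    tag = cbc_mac(KEY, MSG, KEY2)
    print("MAC verifies:", verify_mac(KEY, MSG, tag, KEY2), "after tampering:", verify_mac(KEY, MSG[:-1] + b"?", tag, KEY2))
```

The three corrupted_units calls are the slides' error-propagation claims made testable: ECB damages only the flipped block, CBC damages that block and the next one, and CFB-8 damages the flipped byte and the eight that follow it while the damaged byte sits in the shift register.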
Thank You !