ICT 6541

Applied Cryptography
Lecture 4
Dr. Hossen Asiful Mustafa
The Advanced
Encryption Standard
(AES)
 Introduction
 In January 1997, US NIST solicited proposals for new
Advanced Encryption Standard (AES) to replace DES
as a federal standard.
 Five algorithms shortlisted.
 Winner: Rijndael (by Joan Rijmen & Vincent Daemen from
Belgium).
 AES is minor variant of Rijndael
 Web Page: csrc.nist.gov/encryption/aes
 US FIPS PUB197, Nov 2001
3
 AES Features
 Resistant to Known Attacks, at least in “full” version
 Very fast.
 Parallel Design.
 Blocksize: 128 bits
Keysizes (Rounds): 128 (10), 192 (12) & 256 (14) bits.
 Simple operations over bytes and 32-bit words.
 Bytes/words -> polynomials
 Implementations for wide range of processors
including smartcards.
4
 Encryption # Decryption
 AES Process
 KeyExpansions
 round keys are derived from the cipher key
 128-bit round key block for each round plus one more.

 InitialRound
 AddRoundKey: each byte of the state is combined with a
block of the round key using bitwise xor.

5
 AES Process
 Rounds
 SubBytes: a non-linear substitution step where each byte is replaced
with another according to a lookup table.
 ShiftRows: a transposition step where the last three rows of the state
are shifted cyclically a certain number of steps.
 MixColumns: a mixing operation which operates on the columns of
the state, combining the four bytes in each column.
 AddRoundKey
 Final Round
 SubBytes
 ShiftRows
 AddRoundKey.
6
 Byte - b7b6b5b4b3b2b1b0
 Bytes represent finite field elements in GF(28), GF
means “Galois Field” and is a field of finite elements
 Correspond to a 8 term polynomial, with 0 or 1
coefficients.
b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0
x6 + x5 + x3 + x2 + 1 polynomial
Example:
{0110 1101} binary

6D hex
7
 Byte Addition in GF(28)
 To add 2 finite fields elements in GF(28), we add
coefficients of corresponding powers modulo 2
 In binary: xor () the bytes
(x6 + x4 + x2 + x + 1) + (x7 + x + 1) = (x7 + x6 + x4 + x2)

{0101 0111}  {1000 0011} = {1101 0100} binary

57  83 = D4 hex

Example:
8
 Byte Multiplication in GF(28)
 To multiply (denoted by  ) 2 finite fields elements in
GF(28), we multiply the polynomials modulo an
irreducible polynomial of degree 8 (to ensure the result
is less than degree 8).
 Irreducible if only divisors are 1 and itself.
 Can find multiplicative inverse using Extended
Euclidean algorithm

9
 Byte Multiplication in GF(28)
 For AES, we use (x8 + x4 + x3 + x + 1) or 0x11B as the
irreducible polynomial, i.e., multiplication is:
c(x) = a(x)  b(x) mod m(x)
where m(x) = (x8 + x4 + x3 + x + 1)

 Multiplication is the basis for non-linear behaviour of AES:

 it’s easy to understand over polynomials, but
 hard to predict as operation on bytes.

10
 Byte Multiplication in GF(28)
- Example
(x7 + x6 + 1)  (x2 + x) = (x9 + x8 + x2) + (x8 + x7 + x)
= x9 + x 7 + x2 + x

x 8 + x4 + x 3 + x + 1 x9 + x7 + x2 + x
x9 + x5 + x 4 + x2 + x
x 7 + x5 + x 4

Result = x7 + x5 + x4

11
 xtime - multiplication by
x(0x02)
 If we multiply a byte by x we have
b7x8 + b6x7 + b5x6 + b4x5 + b3x4 + b3x3 + b1x2 + b0x
 If b7=0, then the result is okay, otherwise we need to subtract m(x).
 This is known as the xtime operation in AES: <<1 is shift left one
xtime (byte p) = (p << 1)  (if p < 80 then 00 else 1B)
 We can use xtime repeatedly to multiply by higher powers

AE  02 = xtime AE = (AE << 1)  1B

= {1010 1110} << 1  {0001 1011} = {0101 1100}  {0001 1011}
= {0100 0111} = 47 i.e. x6 + x2 + x + 1
12
 Word
 Word = 32-bits = 4 bytes.
 Words corresponds to 4 term polynomials, where
coefficients are finite field elements in GF(28), i.e.,
coefficients are bytes
a(x) = a3x3 + a2x2 + a1x + a0
o Addition of two (word) polynomials corresponds to
“adding” the coefficients (i.e., xor-ing the words)
a(x) + b(x) = (a3b3)x3 + (a2b2)x2 + (a1b1)x + (a0b0)

13
 Word Multiplication
 We multiply word-polynomials modulo a polynomial of
degree 4 (i.e. to ensure result is less than degree 4).
 For AES, we use (x4 + 1) as the polynomial.
 Note: this polynomial is not irreducible.
 In AES, we only multiply word-polynomials by the fixed
word polynomial:
a(x) = {03}x3 + {01}x2 + {01}x + {02} which does have
an inverse
a-1(x) = {0B}x3 + {0D}x2 + {09}x + {0E}
14
 Word Multiplication
Modular product d(x) = a(x)  b(x)
= a(x)  b(x) mod (x4 + 1)

d(x) = d3 x3 + d2 x2 + d1 x + d0 where

d0 = (a0  b0)  (a3  b1)  (a2  b2)  (a1  b3)

d1 = (a1  b0)  (a0  b1)  (a3  b2)  (a2  b3)
d2 = (a2  b0)  (a1  b1)  (a0  b2)  (a3  b3)
d3 = (a3  b0)  (a2  b1)  (a1  b2)  (a0  b3)

15
 Encrypt Block (simplified)
encrypt (plaintext, roundkey)
state = plaintext // note plaintext is 1-dim., state 2-dim.
state = AddRoundKey (state, roundkey[0])
for round = 1 to ROUNDS
state = SubBytes (state)
state = ShiftRows (state)
if round < ROUNDS then state = MixColumns (state)
state = AddRoundKey (state, roundkey[round])
end
return state // convert to 1-dim. and return as ciphertext
16
 State
 State is a 4 by 4 array of bytes, initialised (col-by-col)
with the 16-byte plaintext block (see below)
 Final value of state is returned as ciphertext
State 0 1 2 3
0 in[0] in[4] in[8] in[12]
1 in[1] in[5] in[9] in[13]
2 in[2] in[6] in[10] in[14]
3 in[3] in[7] in[11] in[15]
 Bytes of State correspond to finite field elements in GF(28)
 Columns of State correspond to WORDS, i.e., 4-term polynomials
with finite field elements in GF(28), as coefficients. 17
 AddRoundKey
Transformation
 XOR round key with state.
 The cipher key (either 128/192/256 bits) is
“expanded” into round keys
 1 for each round, plus 1 for the initial AddRoundKey
transformation
 Each 128-bit round key treated as a 2-dimentional
byte array.
 The cipher key words occupy the start of these round
key words, the remaining ones are calculated from it.
18
 AddRoundKey Process
 RotWord: performs a one-byte circular left shift on a
word.
 This means that an input word [b0, b1, b2, b3] is transformed
into [b1, b2, b3, b0].
 SubWord: performs a byte substitution on each byte of
its input word, using the S-box.
 The result of steps 1 and 2 is XORed with a round
constant, Rcon[j] = (RC[j], 0, 0, 0)
j 1 2 3 4 5 6 7 8 9 10

RC[j] 01 02 04 08 10 20 40 80 1B 36
19
AddRoundKey Transformation

20
 AddRoundKey Example
 Round 8 Key = EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
W[3] 7F 8D 29 2F
After rotation of W[3] 8D 29 2F 7F
After SubByte 5D A5 15 D2
Rcon(9) 1B 00 00 00
After XOR: G(W[3]) 46 A5 15 D2
W[0] EA D2 73 21
W[4] = W[0] XOR G(W[3]) AC 77 66 F3
W[5] = W[4] XOR W[1] 19 FA DC 21
W[6] = W[5] XOR W[2] CB CB F7 D4
W[7] = W[6] XOR W[3] B4 46 DE FB
Round 9 Key = W[4] W[5] W[6] W[7]
21
 SubBytes Transformation
 Change each byte of State with corresponding byte
from SBOX matrix:
 State [Row, Col] = SBOX [X, Y]
where X = State[Row, Col] div 16,
Y = State [Row, Col] mod 16
 For example if State [3,6]= 4F, we would lookup SBOX[4,F]

 SBOX is 16x16 byte array

 indexed by hex digits 0..F, 0..F

22
SubBytes Transformation

23
SubBytes Transformation

If S(1,0) = 71 => S`(1,0) = ? 24

 ShiftRows Transformation
 Cyclically ROTATE LEFT each row by row number
where row number is 0, 1, 2, 3.

25
 MixColumns Transformation
 Multiply each column by {03}x3 + {01}x2 + {01}x + {02}
mod (x4 + 1)
i.e., columns are word-polynomials
 This is equivalent to replacing the 4 bytes (m, n, p, q)
in a column as follows:

26
 Encrypt Block (Cipher) //
simplified
encrypt (plaintext, roundkey)
state = plaintext // note plaintext is 1-dim., state 2-dim.
state = AddRoundKey (state, roundkey[0])
for round = 1 to ROUNDS
state = SubBytes (state)
state = ShiftRows (state)
if round < ROUNDS then state = MixColumns (state)
state = AddRoundKey (state, roundkey[round])
end
return state // convert to 1-dim. and return as ciphertext
27
 Decrypt Block (Inverse
Cipher)
decrypt (ciphertext, roundkey)
state = ciphertext // note cipher is 1-dim., state 2-dim.
state = AddRoundKey (state, roundkey[ROUNDS])
for round = ROUNDS-1 to 0
state = InvShiftRows (state) // ShiftRows inverse mode
state = InvSubBytes (state) // SubBytes inverse mode
state = AddRoundKey (state, roundkey[round])
if round > 0 then state = InvMixColumns (state)
end
return state // convert to 1D and return as plaintext
28
29
 Inverse Transformations
 InvShiftRows: Rotate Right last 3 rows of state
 InvSubBytes: Inverse SBOX table
 InvMixColumns: Multiply columns by inverse of a(x),
i.e., by
a-1(x) = {0B}x3 + {0D}x2 + {09}x + {0E}

 AddKeyRound: Is its own inverse!

30
 Implementation
 8-bit Processors, e.g., Smartcards (typically 1Kbyte of
code)
 ShiftRows and AddRoundKey -> Straightforward
 SubBytes requires a table of 256 bytes
 Above three transformations combined and executed serially
for each byte
 MixColumns can be simplified to xor and xtime operations.
 InvMixColumns is much slower due to large coefficents of
a-1(x)
 The Round keys can be expanded on-the-fly during each
round.
31
 Implementation
 32-bit Processors
 With straightforward algebraic manipulations, the four
transformations in a round can be combined to produce a
table-lookup implementation
 Requires four table lookups plus four xor’s per column.
 Each table is 256 words.
 Most of the operations of the key expansion can be
implemented by 32-bit xor’s, plus use of the S-box and a
cyclic byte rotation.

32
 Security of AES
 Resistance to Differential and Linear Cryptanalysis
 Each round has three distinct invertible layers of
transformations
 Linear Mixing layer - ShiftRows & MixColumns provide
high diffusion
 Non-Linear layer - Parallel S-Boxes provide optimal
worst-case non-linear properties
 Key addition layer - XOR of round key.

33
 Security of AES
 Attacks aim to have less complexity than Brute Force
 Reduced round attacks:
 7 rounds for AES-128
 8 rounds for AES-192
 9 rounds for AES-256
 Algebraic Attacks
 AES can be expressed in equations - huge number of terms
however.
 Some claim to able to solve such equations with less
complexity than brute force (e.g. XSL attack)
34
 Security of AES
 Side Channel Attacks
 Most successful technique to date.
 Bernstein showed that delays in encryption-time due to cache-
misses could be used to work out the AES key.
 Demonstrated against a remote server running OpenSSL's
AES implementation.
 More recently, Osvik et al. demonstrated memory timing
attacks that can crack AES in milli-seconds! (.. given access
to the encrypting host)

35
AES Reference
“Cryptography and Network Security”, 5/e,
William Stallings,
Chapter 5 –”Advanced Encryption Standard”.

36
 One Way Hash Function
 A one-way hash function, H(M), operates on an
arbitrary-length pre-image message, M.
 It returns a fixed-length hash value, h.
h = H(M), where h is of length m
 Characteristics:
 Given M, it is easy to compute h.
 Given h, it is hard to compute M such that H(M)= h.
 Given M, it is hard to find another message, M’, such that
H(M) = H(M’).
37
 Two Attacks
 Given the hash of message, H(M), an adversary would
like to be able to create another document, M´, such
that H(M) = H(M´).

 The second attack is more subtle: An adversary would

like to find two random messages, M, and M´, such
that H(M) = H(M´). This is called a collision.

38
 Birthday Attacks
 How many people must there be for the chance to be
greater than even that at least two of them will share
the same birthday?

39
 Birthday Attacks
 How many people must there be for the
chance to be greater than even that at least
two of them will share the same birthday?
 The probability of different birthday for a pair:
 P(1) = 1/365
 P(2) = (1/365)2 x 1 x 364/365
 P(3) = (1/365)3 x 1 x 364/365 x 363/365
 P(23) = (1/365)23 x 1 x 364/365 …. x 336/365 =
50.8%
 23 people will have 253 pairs
 So, the answer is 23.
40
 Birthday Attacks
 Finding someone with a specific birthday is analogous
to the first attack;
 Finding two people with the same random birthday is
analogous to the second attack.
 The second attack is commonly known as a birthday
attack.

41
 Choosing Length
 Hash functions of 64 bits are just too small to survive a
birthday attack.
 Most practical one-way hash functions produce 128-bit
hashes.
 NIST, in its Secure Hash Standard (SHS), uses a 160-
bit hash value. This makes the birthday attack even
harder, requiring 280 random hashes.

42
Message Digest 5
(MD5)

43
 MD5
 MD5 is an improved version of MD4
 Although more complex than MD4, it is similar in
design and also produces a 128-bit hash
 Input: 512-bit blocks divided into 16 32-bit sub-blocks
 Output: 4 32-bit blocks concatenated to 128-bit block
 Designed by Ron Rivest

44
 Step 1: Append padding bits
 The input message is "padded" (extended) so that its
length (in bits) equals to 448 mod 512.
 Padding is always performed, even if the length of the
message is already 448 mod 512.
 Padding is performed by adding a single "1" bit to the
message, and then "0" bits are appended so that the
length in bits of the padded message becomes
congruent to 448 mod 512.
 At least one bit and at most 512 bits are appended.

45
 Step 2: Append length
 A 64-bit representation of the length of the message is
appended to the result of step1. If the length of the
message is greater than 264, only the low-order 64 bits
will be used.
 The resulting message (after padding with bits and
with b) has a length that is an exact multiple of 512
bits.
 The input message will have a length that is an exact
multiple of 16 (32-bit) words.
m1, m2, …, m16

46
 Example Message Format

Message 1 0…0 Message length

1 bit 64 bits

Multiple of 512

47
 Step 3: Initialize MD buffer
 A four-word buffer (A, B, C, D) is used to compute the
message digest. Each of A, B, C, D is a 32-bit register.
These registers are initialized to the following values in
hexadecimal, low-order bytes first:
word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10
 Known as chaining variables 48
 Step 4: Process message in
16-word blocks
 Four functions will be defined such that each function
takes an input of three 32-bit words and produces a
32-bit word output.

F (X, Y, Z) = (X and Y) or (not (X) and Z)

G (X, Y, Z) = (X and Z) or (Y and not (Z))
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or (not Z))

49
Main Process with 4 Rounds

50
 4 Operation in 4 Rounds
 Round 1: FF(a,b,c,d,Mj,s,ti) denotes
a = b + ((a + F(b,c,d ) + Mj + ti) <<< s)
 Round 2: GG(a,b,c,d,Mj,s,ti) denotes
a = b + ((a + G(b,c,d ) + Mj + ti) <<< s)
 Round 3: HH(a,b,c,d,Mj,s,ti) denotes
a = b + ((a + H(b,c,d) + Mj + ti) <<< s)
 Round 4: II(a,b,c,d,Mj,s,ti) denotes
a = b + ((a + I(b,c,d ) + Mj + ti) <<< s)

51
 4 Operation in 4 Rounds
 j = 0 – 15
 ti = int(232 * abs(sin(i))), 0<i<65
 s

R 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 7 12 17 22 7 12 17 22 7 12 17 22 7 12 17 22
2 5 9 14 20 5 9 14 20 5 9 14 20 5 9 14 20
3 4 11 16 23 4 11 16 23 4 11 16 23 4 11 16 23
4 6 10 15 21 6 10 15 21 6 10 15 21 6 10 15 21

52
 Example:
 Round 1, Block 1:
FF (a, b, c, d, M0, 7, 0xd76aa478)
 Round 1, Block 2:
FF (d, a, b, c, M1, 12, 0xe8c7b756)
 Round 2, Block 1:
GG (a, b, c, d, M1, 5, 0xf61e2562)
 Round 2, Block 2:
GG (d, a, b, c, M6, 9, 0xc040b340)

53
 MD5 Security
 Each step has a unique additive constant to make is
non-linear
 Each step adds in the result of the previous step.
 This promotes a faster avalanche effect
 The order in which message sub-blocks are accessed
in rounds 2 and 3 makes these patterns less alike.

54
 MD5 Security
 Differential cryptanalysis against MD5 was ineffective
 A more successful attack by den Boer and Bosselaers
produces collisions using the compression function in
MD5.
 It means that one of the basic design principles of MD5—to
design a collision-resistant compression function—has
been violated
 However, there is no practical application yet.

55