![• The Rijndael proposal [DAEM99] provides some suggestions for efficient
implementation on 8- bit processors, typical for current smart cards, and
on 32-bit processors, typical for PCs.
• AES can be implemented very efficiently on an 8-bit processor.
• AddRoundKey is a bytewise XOR operation.
• ShiftRows is a simple byte shifting operation.
• SubBytes operates at the byte level and only requires a lookup of a 256
byte table S.
• MixColumns (matrix multiply) can be implemented as byte XOR’s & table
lookups with a 2nd 256 byte table X2, using the formulae shown in Stallings
equation 5.9.](https://image.slidesharecdn.com/informationandnetworksecurity26aesdecryptionandimplementationalissues-210723160711/85/Information-and-network-security-26-aes-decryption-and-implementational-issues-14-320.jpg)
Information and network security 26 aes decryption and implementational issues
- 1. Information and Network Security:26 AES Decryption and Implementation Issues Prof Neeraj Bhargava Vaibhav Khanna Department of Computer Science School of Engineering and Systems Sciences Maharshi Dayanand Saraswati University Ajmer
- 2. Add Round Key XOR state with 128-bits of the round key again processed by column (though effectively a series of byte operations) inverse for decryption identical since XOR own inverse, with reversed keys designed to be as simple as possible a form of Vernam cipher on expanded key requires other stages for complexity / security
- 3. AES Round Key State Manipulation
- 4. AES Key Expansion takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words start by copying key into first 4 words then loop creating words that depend on values in previous & 4 places back in 3 of 4 cases just XOR these together 1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR 4th back
- 5. • The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of words, providing a 4-word round key for the initial AddRoundKey stage and each of the 10/12/14 rounds of the cipher. • It involves copying the key into the first group of 4 words, and then constructing subsequent groups of 4 based on the values of the previous & 4th back words. • The first word in each group of 4 gets “special treatment” with rotate + S-box + XOR constant on the previous word before XOR’ing the one from 4 back. In the 256-bit key/14 round version, there’s also an extra step on the middle word.
- 7. Key Expansion Rationale • designed to resist known attacks • design criteria included • knowing part key insufficient to find many more • invertible transformation • fast on wide range of CPU’s • use round constants to break symmetry • diffuse key bits into round keys • enough non-linearity to hinder analysis • simplicity of description
- 8. • The Rijndael developers designed the expansion key algorithm to be resistant to known cryptanalytic attacks. • It is designed to be simple to implement, but by using round constants break symmetries, and make it much harder to deduce other key bits if just some are known (but once have as many consecutive bits as are in key, can then easily recreate the full expansion). • The design criteria used are listed above.
- 9. AES Decryption • AES decryption is not identical to encryption since steps done in reverse • but can define an equivalent inverse cipher with steps as for encryption • but using inverses of each step • with a different key schedule • works since result is unchanged when • swap byte substitution & shift rows • swap mix columns & add (tweaked) round key
- 10. • The AES decryption cipher is not identical to the encryption cipher • The sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. • This has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption. • There is, however, an equivalent version of the decryption algorithm that has the same structure as the encryption algorithm, with the same sequence of transformations as the encryption algorithm (with transformations replaced by their inverses). • To achieve this equivalence, a change in key schedule is needed.
- 11. • By constructing an equivalent inverse cipher with steps in same order as for encryption, we can derive a more efficient implementation. • Clearly swapping the byte substitutions and shift rows has no effect, since work just on bytes. • Swapping the mix columns and add round key steps requires the inverse mix columns step be applied to the round keys first – this makes the decryption key schedule a little more complex with this construction, but allows the use of same h/w or s/w for the data en/decrypt computation.
- 12. AES Decryption
- 13. Implementation Aspects • can efficiently implement on 8-bit CPU • byte substitution works on bytes using a table of 256 entries • shift rows is simple byte shift • add round key works on byte XOR’s • mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use table lookups & byte XOR’s
- 14. • The Rijndael proposal [DAEM99] provides some suggestions for efficient implementation on 8- bit processors, typical for current smart cards, and on 32-bit processors, typical for PCs. • AES can be implemented very efficiently on an 8-bit processor. • AddRoundKey is a bytewise XOR operation. • ShiftRows is a simple byte shifting operation. • SubBytes operates at the byte level and only requires a lookup of a 256 byte table S. • MixColumns (matrix multiply) can be implemented as byte XOR’s & table lookups with a 2nd 256 byte table X2, using the formulae shown in Stallings equation 5.9.
- 15. Implementation Aspects can efficiently implement on 32-bit CPU redefine steps to use 32-bit words can precompute 4 tables of 256-words then each column in each round can be computed using 4 table lookups + 4 XORs at a cost of 4Kb to store tables designers believe this very efficient implementation was a key factor in its selection as the AES cipher
- 16. • AES can also be very efficiently implemented on an 32-bit processor, by rewriting the stage transformation to use 4 table lookups & 4 XOR’s per column of state. • These tables can be computed in advance using the formulae shown in the text, and need 4Kb to store. • The developers of Rijndael believe that this compact, efficient implementation was probably one of the most important factors in the selection of Rijndael for AES.
- 17. Assignment • Explain the AES Key Expansion • Explain the AES Decryption