Download CSIS 5857: Encoding and Encryption

AES Background and
Mathematics
CSCI 5857: Encoding and Encryption
Outline
•
•
•
•
•
AES goals and history
Modular multiplicative inverses
Galois Field mathematics
Galois Field inverses
Uses in AES
AES History
• 1997: NIST calls for proposals for DES replacement
– 56-bit DES key not computationally secure
– Triple DES very slow
– DES S-Boxes poorly understood
• 1999: Several algorithms chosen as finalists
– Rijndael (selected)
– Twofish, Serpent, etc. (still used by some systems)
• 2001: Rijndael published by NIST as Advanced
Encryption Standard
Goals of AES
• Security
– Minimum key size: 128 bits
(computationally secure now)
– Expandable to 192 or 256 bits
(will still be computationally secure in future)
– Block size: 128 bits (more possible mappings)
– Designed for resistance to differential and linear
cryptanalysis
• Cost
– Structure optimized for efficiency
Mathematical Goals
• S-Boxes and other transformations should have
mathematical basis
– Can insure useful properties (nonlinearity, etc.)
– Can re-derive as needed for larger keys
– Mapping should appear “random”
(no simple patterns between inputs and outputs)
Modular Multiplication
• a  b mod m = remainder left after (a  b)/m
• Example: multiplication table mod 7
Modular Multiplicative Inverses
• b is inverse of a mod m if ab mod m = 1
(b = a -1 mod m)
• Example: 5 = 3-1 mod 7
since 3 x 5 = 15 = 1 mod 7
a
a -1
0
none
1
1
2
4
3
5
4
2
5
3
6
6
• Creates nonlinear “pseudorandom” mappings
Modular Multiplicative Inverses
• Problem: Only works if m is a prime number
Otherwise, some numbers have no inverse
• Example: modular inverses mod 8
a
a -1
0
none
1
1
2
none
3
3
4
none
5
5
6
none
7
7
Modular Multiplicative Inverses
• Goal: use this idea in cases where m = 2n
(that is, m is the size of a typical block)
• Galois Fields
– Represent byte to transform as a polynomial
– Compute inverse of that polynomial mod some
other “prime” polynomial
– Galois Field with m = 28 used to create S-Boxes for
AES , mapping 256 possible byte inputs to 256
possible byte outputs
Galois Field Mathematics
• Step 1:
Represent binary
numbers with n bits
as polynomial of
degree n
• Example: n = 3
GF(23)
000
001
010
011
100
101
110
111
0x2 + 0x + 0
0
0x2 + 0x + 1
1
0x2 + 1x + 0
x
0x2 + 1x + 1
x+1
1x2 + 0x + 0
x2
1x2 + 0x + 1
x2 + 1
1x2 + 1x + 0
x2 + x
1x2 + 1x + 1
x2 + x + 1
Galois Field Mathematics
• All coefficients are binary (1 or 0)
• Addition/subtraction in mod 2 = XOR function
• Examples:
x2 + x + 1
+
x+1
x2 + 2x + 2
= x2 + 0x + 0 = x2
since 2 mod 2 = 0
x2
-
(x + 1)
x2 - x – 1
= x2 + x + 1
since -1 mod 2 = 1
Galois Field Mathematics
• Step 2:
Find a “prime” polynomial Pn of degree n
– Not a multiple of any two other polynomials
(other than 1 and itself)
• Example for GF(23):
P3 = x3 + x + 1
• Used in AES for GF(28):
P8 = x8 + x4 + x3 + x + 1
Galois Field Mathematics
• Step 3:
Compute multiplication table for all pairs of polynomials
Pi x Pj mod Pn
– Will need to compute mod if order of Pi x Pj is k  n
– Simple (inefficient) way: compute Pi x Pj – xk-nPn
• Example for GF(23):
Galois Field Example
• Example: Multiplying 110 and 101
• 110  x2 + x
011  x + 1
• (x2 + x)(x + 1) = x3 + 2x2 + x
= x3 + x
2 mod 2 = 0
• (x3 + x) mod (x3 + x + 1) =
x3 + x
- x3 + x + 1
-1
= 1 -1 mod 2 = 1
Galois Field Inverses
• Inverse b-1 of a binary number b in GF(2n)
b-1 x b = 1 in GF(2n)
• Example: GF(23)
b
000
001
010
011
100
101
110
111
b-1
none 001
101
110
111
010
011
100
Galois Fields in AES
• AES mathematics based on GF(28)
• Prime polynomial = x8 + x4 + x3 + x + 1
• SubBytes stage
– Basis of S-Boxes
• MixColumns Stage
– Uses matrix multiplication in GF(28)
• Round Key Generation
– Adds extra “random” bits to each round key