1996 NIST initiated program to choose Advanced Encryption Standard to replace


AES: Advanced Encryption Standard
  • 1996: NIST initiated program to choose Advanced Encryption Standard to replace DES
  • Requested algorithm submissions
      • Got 15 of them!
  • Requirements:
      • Secure for next 50–100 years
      • Faster than 3DES
      • Supports variable length keys (at least 128, 192 and 256 bits)
      • Must be a block cipher

AES process
  • Open design
      • DES: design criteria for S-boxes kept secret
      • Open: less chance for subversion
  • Many decent choices
      • DES: only one acceptable algorithm
      • Less likelihood that the algorithm is “fixed”
  • Public cryptanalysis efforts before choice
      • Heavy involvement of academic community
      • Leading public cryptographers tried to break it
  • Very conservative: 4+ year process

AES: Round 1
  • 15 submissions accepted
  • Weak ciphers quickly eliminated
      • Magenta broken at conference!
  • 5 finalists selected
  • Security versus performance is main tradeoff
      • With lots of complexity, anything can be made secure
      • Tougher to make simple ciphers secure…

AES finalists
  • MARS (IBM)
  • RC6 (Rivest, et al.)
  • Rijndael (top Belgian cryptographers)
  • Serpent (Anderson, Biham, Knudsen)
  • Twofish (Schneier, et al.)

Blowfish
  • [Schneier93]
  • 64-bit block cipher
  • Much faster than DES
  • Variable key length: 32-448 bits
  • Many attempted cryptanalyses, none successful yet
  • Widely used: ssh, OpenBSD

Key-dependent S-boxes
  • Differential cryptanalysis depends on analyzing S-box input/output difference probabilities
  • Prevent this by making the S-boxes key-dependent
      • S-boxes differ by key, so no a priori analysis
  • Problem for AES: too much setup time & space
      • Must run algorithm 521 times to set up S-boxes
  • Solution: Twofish
      • Provides options for how many key-dependent S-boxes
      • Trade off security for time-space
      • Does other things
          • Increases block size (128 required by AES)
          • Changes key schedule
          • Other stuff…

Why use π/e/Φ in cryptography?
  • Mathematical constants have good pseudorandom distribution
      • Transcendental, so not predictable
      • Generate as many digits as needed…
  • Since they are public and well-known, little fear that choice is a trap door
      • Still could be there, but just how powerful is the NSA?
  • Used by RC5, RC6, Blowfish, etc. to help generate magic constants

Choosing AES

  Cipher     Speed (32 bits)   Speed (8 bits)   Safety factor   Simplicity (code size)
  Serpent    62                69               3.56            341 KB
  MARS       23                34               1.9             85 KB
  RC6        15                43               1.18            48 KB
  Rijndael   18                20               1.33            98 KB
  Twofish    16                18               2.67            104 KB

  Speed: cycles per byte encrypted

And the winner is…
  • Rijndael chosen as AES algorithm
  • Key characteristics
      • Fast
      • Small
      • Well-understood characteristics
  • Twofish drawbacks
      • Key-dependent S-boxes not well-understood
      • Full implementation was a memory and space hog
      • OK for some applications, but not for smart cards…

  • Central operation: xtime(a)
      • xtime(a) = (a << 1) ⊕ 0x1b
      • This is multiplication by two in a Galois field, GF(2^8)
      • Also represented by
  • Apply repeatedly to perform operations on larger numbers
  • Example: 57 · 13:
      57 · 02 = AE
      57 · 04 = 47
      57 · 08 = 8E
      57 · 10 = 07
      57 · 13 = 57 ⊕ AE ⊕ 07 = FE
  • Typically done by lookup tables or hardware barrel shifters
Three layers
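
The xtime step and the 57 · 13 example above, as an added C example that is not part of the original slides. It assumes the standard AES reduction polynomial 0x11b, so 0x1b is XORed in only when the shift carries a bit out of the byte; the name gf_mul is hypothetical, and the code is branch-free rather than table-driven.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply by 02 in GF(2^8): shift left, and if a bit was carried out of
   the byte, reduce by XORing 0x1b (low byte of the AES polynomial 0x11b). */
static uint8_t xtime(uint8_t a)
{
    /* mask is 0xff when the top bit of a is set, 0x00 otherwise, so the
       reduction is applied without a data-dependent branch. */
    uint8_t mask = (uint8_t)-(a >> 7);
    return (uint8_t)((a << 1) ^ (0x1b & mask));
}

/* General product a * b in GF(2^8) (hypothetical helper name): walk the
   bits of b and XOR in the matching xtime power of a. Always 8 rounds. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t acc = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t mask = (uint8_t)-(b & 1); /* 0xff if this bit of b is set */
        acc ^= a & mask;                  /* addition in GF(2^8) is XOR   */
        a = xtime(a);                     /* next power: a * 2^(i+1)      */
        b >>= 1;
    }
    return acc;
}

int main(void)
{
    /* Reproduce the slide's table: 57 * 02, 04, 08, 10 (hex). */
    uint8_t p = 0x57;
    for (int k = 1; k <= 4; k++) {
        p = xtime(p);
        printf("57 * %02x = %02x\n", 1u << k, (unsigned)p);
    }
    /* 13 = 10 ^ 02 ^ 01, so the product is 07 ^ AE ^ 57. */
    printf("57 * 13 = %02x\n", (unsigned)gf_mul(0x57, 0x13));
    return 0;
}
```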
