Online Cryptography Course
Dan Boneh

Block ciphers
The AES block cipher

The AES process
• 1997: NIST publishes request for proposal
• 1998: 15 submissions. Five claimed attacks
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits
Block size: 128 bits

AES is a Subs-Perm network (not Feistel)
[Figure: substitution-permutation network. input ⨁ k1 → subs layer (S-boxes S1 … S8) → perm layer → ⨁ k2 → ⋯ → ⨁ kn → output. Each layer is invertible, so decryption ("inversion") runs the same layers in reverse.]

AES-128 schematic
[Figure: key (16 bytes) → key expansion: 16 bytes ⟶ 176 bytes (round keys k0 … k10). input ⨁ k0, then 10 rounds; each round is an invertible function (1) ByteSub (2) ShiftRow (3) MixColumn followed by ⨁ k_i; the last round (⨁ k10) omits MixColumn; output.]

The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows: [figure]
• MixColumns: [figure]

Code size/performance tradeoff
                                              Code size   Performance
Pre-compute round functions (24KB or 4KB)     largest     fastest: table lookups and xors
Pre-compute S-box only (256 bytes)            smaller     slower
No pre-computation                            smallest    slowest

Example: Javascript AES
AES in the browser: AES library (6.4KB), no pre-computed tables
Prior to encryption: pre-compute tables
Then encrypt using tables
http://crypto.stanford.edu/sjcl/

AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
  128-bit registers: xmm1=state, xmm2=round key
  aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer

Attacks
Best key recovery attack: four times better than exhaustive search [BKR'11]
Related key attack on AES-256 [BK'09]:
Given 2^99 inp/out pairs from four related keys in AES-256 can recover keys in time ≈ 2^99

End of Segment
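The slides describe AES-128 as a 10-round substitution-permutation network (ByteSub, ShiftRow, MixColumn, round-key xor; key expansion 16 → 176 bytes) and then contrast the "S-box only" and "precomputed round function" implementation strategies. The following is an added example, not code from the course or from any library: a from-scratch AES-128 encryption in pure Python that computes the ByteSub S-box rather than embedding it, implements the round function and key expansion as the slides lay them out, and also builds the 4 KB round-function tables (4 tables × 256 entries × 4 bytes) so a full round becomes 16 lookups and xors. Both paths are checked against the FIPS-197 Appendix C.1 known-answer vector; the function and variable names are this example's own. It is for study only, not a replacement for a vetted, constant-time implementation.

```python
# Added example, not the course's or any library's code: AES-128 encryption written
# from scratch to mirror the slides (computed ByteSub S-box, ShiftRows, MixColumns,
# key expansion 16 -> 176 bytes, 10 rounds) plus the precomputed round-function
# tables (4 x 256 x 4 bytes = 4 KB) from the code-size/performance slide.

def xtime(a):
    """Multiply by x (=2) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """ByteSub table: multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if not inv[a]:
            b = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
            inv[a], inv[b] = b, a
    sbox = []
    for a in range(256):
        x = y = inv[a]
        for _ in range(4):                       # y = x ^ rotl1(x) ^ ... ^ rotl4(x)
            x = ((x << 1) | (x >> 7)) & 0xFF
            y ^= x
        sbox.append(y ^ 0x63)
    return sbox

def expand_key(key, sbox):
    """Key expansion: 16-byte key -> 176 bytes, returned as round keys k0..k10."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [sbox[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

# The 16-byte state is column-major: the byte at (row r, column c) is s[4*c + r].
def sub_bytes(s, sbox):
    return [sbox[b] for b in s]
def shift_rows(s):                               # row r rotates left by r positions
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out
def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def encrypt_block(pt, key, sbox):
    """S-box-only path: ByteSub, ShiftRows and MixColumns computed every round."""
    rk = expand_key(key, sbox)
    s = add_round_key(list(pt), rk[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s, sbox))), rk[r])
    return bytes(add_round_key(shift_rows(sub_bytes(s, sbox)), rk[10]))  # round 10: no MixColumns

def build_t_tables(sbox):
    """Precomputed round function: T_r[x] is the column contribution of S[x] from row r."""
    t0 = [(gf_mul(v, 2), v, v, gf_mul(v, 3)) for v in sbox]
    t1 = [(d, a, b, c) for (a, b, c, d) in t0]
    t2 = [(c, d, a, b) for (a, b, c, d) in t0]
    t3 = [(b, c, d, a) for (a, b, c, d) in t0]
    return (t0, t1, t2, t3)

def t_table_round(s, k, tt):
    """One full round (ByteSub + ShiftRows + MixColumns) as 16 lookups and xors."""
    out = []
    for c in range(4):
        col = (0, 0, 0, 0)
        for r in range(4):
            col = tuple(x ^ y for x, y in zip(col, tt[r][s[4 * ((c + r) % 4) + r]]))
        out += col
    return add_round_key(out, k)

def encrypt_block_ttable(pt, key, sbox, tt):
    """Table path: identical output to encrypt_block with far fewer operations."""
    rk = expand_key(key, sbox)
    s = add_round_key(list(pt), rk[0])
    for r in range(1, 10):
        s = t_table_round(s, rk[r], tt)
    return bytes(add_round_key(shift_rows(sub_bytes(s, sbox)), rk[10]))

# FIPS-197 Appendix C.1 known-answer vector (published test values, not constructed here).
FIPS197_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS197_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
def known_answer_check():
    """True when both code paths reproduce the FIPS-197 ciphertext."""
    sbox = build_sbox()
    tt = build_t_tables(sbox)
    return (encrypt_block(FIPS197_PT, FIPS197_KEY, sbox) == FIPS197_CT and
            encrypt_block_ttable(FIPS197_PT, FIPS197_KEY, sbox, tt) == FIPS197_CT)
if __name__ == "__main__":
    print("FIPS-197 known-answer check:", "pass" if known_answer_check() else "FAIL")
```

The two encryption functions make the tradeoff from the slides concrete: `encrypt_block` needs only the 256-byte S-box and recomputes the GF(2^8) multiplications of MixColumns on every call, whereas `encrypt_block_ttable` pays 4 KB of memory up front and then does one table read and one xor per state byte per round. The same table-driven structure is also why data-dependent table indices are a cache-timing concern for software AES, which is one motivation for the dedicated `aesenc`/`aesenclast` instructions the hardware slide describes.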