Advanced Encryption Standard (AES) Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University

History

It was clear that a replacement for DES was needed
  - Have theoretical attacks that can break it
  - Have demonstrated exhaustive key search attacks
  - Block size small
  - Can use Triple-DES, but slow
US NIST issued call for ciphers in 1997
  - 15 candidates accepted in Jun 98
  - 5 were shortlisted in Aug 99
  - Rijndael was selected as the AES in Oct 2000
  - Issued as FIPS PUB 197 standard in Nov 2001

AES Requirements

Symmetric key block cipher
128-bit data, 128/192/256-bit keys
Stronger & faster than Triple-DES
Active life of 20-30 years (+ archival use)
Provide full specification & design details
Both C & Java implementations
NIST has released all submissions & unclassified analyses

AES Evaluation Criteria

Initial criteria:
  - Security - randomness, soundness, effort for practical cryptanalysis
  - Cost - computational efficiency, no licensing fee, small memory
  - Algorithm & implementation characteristics - flexibility, implementable in both software and hardware, simplicity
Final criteria:
  - General security - NIST relies on the cryptanalysis by crypto researchers
  - Ease of software & hardware implementation
  - Implementation attacks - finding keys based on implementation characteristics
      ● Timing attacks: an encryption or decryption algorithm often takes slightly different amounts of time on different inputs.
      ● Power analysis: the power consumed by a smart card at any particular time during the cryptographic operation is related to the instruction being executed and to the data being processed. For example, multiplication consumes more power than addition, and writing 1s consumes more power than writing 0s.
  - Flexibility (encryption, decryption, keying, and other factors)
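
The two implementation attacks above, modelled in C as an added example (not part of the original slides). It assumes the GF(2^8) doubling step that AES uses internally (xtime in FIPS 197), which these slides do not cover; the step counter is a constructed stand-in for time, and all function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Leaky form: the reduction XOR runs only when the input's top bit is set,
 * so the amount of work depends on a (possibly secret) byte. `steps` is a
 * constructed stand-in for elapsed time, not a real clock. */
static uint8_t xtime_branchy(uint8_t a, unsigned *steps) {
    uint8_t r = (uint8_t)(a << 1);
    (*steps)++;
    if (a & 0x80) { r ^= 0x1b; (*steps)++; }
    return r;
}

/* Hardened form: a mask (0x00 or 0xff) replaces the branch, so every input
 * costs the same two steps. */
static uint8_t xtime_ct(uint8_t a, unsigned *steps) {
    uint8_t mask = (uint8_t)(0 - (a >> 7));
    *steps += 2;
    return (uint8_t)((a << 1) ^ (mask & 0x1b));
}

/* Number of 1 bits in a byte: the simple power model behind "writing 1s
 * consumes more power than writing 0s". */
static unsigned hamming_weight(uint8_t v) {
    unsigned n = 0;
    for (; v; v >>= 1) n += v & 1u;
    return n;
}

/* How many different step counts does f show across all 256 inputs?
 * 1 means the cost reveals nothing about the input. */
static unsigned distinct_costs(uint8_t (*f)(uint8_t, unsigned *)) {
    unsigned seen[4] = {0}, n = 0;
    for (unsigned a = 0; a < 256; a++) {
        unsigned s = 0;
        f((uint8_t)a, &s);
        if (!seen[s]) { seen[s] = 1; n++; }
    }
    return n;
}

int main(void) {
    printf("distinct costs: branchy=%u masked=%u; HW(0xff)=%u\n",
           distinct_costs(xtime_branchy), distinct_costs(xtime_ct),
           hamming_weight(0xff));
    return 0;
}
```

An optimizing compiler may turn either form into the other, so constant-time code should also be checked in the generated assembly.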

AES Shortlist

After testing and evaluation, shortlist in Aug 99:
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - very simple, very fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, very high security margin
  - Twofish (USA) - complex, very fast, high security margin
Then subject to further analysis & comment
Saw contrast between algorithms with
  - Few complex rounds vs. many simple rounds
  - which refined existing ciphers vs. new proposals