03 5 block annotated tủ tài liệu bách khoa
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (808.05 KB, 10 trang )
Online
Cryptography
Course
Dan
Boneh
Block
ciphers
The
AES
block
cipher
Dan
Boneh
The
AES
process
• 1997:
NIST
publishes
request
for
proposal
• 1998:
15
submissions.
Five
claimed
aJacks.
• 1999:
NIST
chooses
5
finalists
• 2000:
NIST
chooses
Rijndael
as
AES
(designed
in
Belgium)
Key
sizes:
128,
192,
256
bits.
Block
size:
128
bits
Dan
Boneh
AES
is
a
Subs-‐Perm
network
(not
Feistel)
S2
S2
S2
S3
S3
S3
⋯
⋯
⋯
S8
S8
S8
subs.
perm.
layer
layer
inversion
output
S1
⨁
S1
S1
kn
⨁
k2
⋯
⨁
input
k1
Dan
Boneh
AES-‐128
schemaZc
key
16
bytes
inverZble
k1
k2
⋯
⨁
(1) ByteSub
(2) Shi\Row
(3) MixColumn
k9
k10
key
expansion:
16
bytes
⟶176
bytes
(1) ByteSub
(2) Shi\Row
⨁
k0
(1) ByteSub
(2) Shi\Row
(3) MixColumn
⨁
4
input
⨁
4
⨁
10
rounds
4
output
4
Dan
Boneh
The
round
funcZon
• ByteSub:
a
1
byte
S-‐box.
256
byte
table
(easily
computable)
• Shi+Rows:
• MixColumns:
Dan
Boneh
Code
size/performance
tradeoff
Code
size
Performance
Pre-‐compute
round
funcZons
(24KB
or
4KB)
largest
fastest:
table
lookups
and
xors
Pre-‐compute
S-‐box
only
(256
bytes)
smaller
slower
No
pre-‐computaZon
smallest
slowest
Dan
Boneh
Example:
Javascript
AES
AES
in
the
browser:
AES
library
(6.4KB)
no
pre-‐computed
tables
Prior
to
encrypZon:
pre-‐compute
tables
Then
encrypt
using
tables
hJp://crypto.stanford.edu/sjcl/
Dan
Boneh
AES
in
hardware
AES
instrucZons
in
Intel
Westmere:
• aesenc,
aesenclast:
do
one
round
of
AES
128-‐bit
registers:
xmm1=state,
xmm2=round
key
aesenc
xmm1,
xmm2
;
puts
result
in
xmm1
• aeskeygenassist:
performs
AES
key
expansion
• Claim
14
x
speed-‐up
over
OpenSSL
on
same
hardware
Similar
instrucZons
on
AMD
Bulldozer
Dan
Boneh
AJacks
Best
key
recovery
aJack:
four
Zmes
beJer
than
ex.
search
[BKR’11]
Related
key
aJack
on
AES-‐256:
[BK’09]
Given
299
inp/out
pairs
from
four
related
keys
in
AES-‐256
can
recover
keys
in
Zme
≈299
Dan
Boneh
End
of
Segment
Dan
Boneh
