Number Theory and Advanced Cryptography
1. Finite Fields and AES
Chih-Hung Wang
Sept. 2011
Part I: Introduction to Number Theory
Part II: Advanced Cryptography
Group
A set of elements or "numbers" obeys:
- (A1) Closure: If a and b belong to G, then a·b is also in G.
- (A2) Associative: (a·b)·c = a·(b·c)
- (A3) Identity element: There is an element e in G such that a·e = e·a = a
- (A4) Inverse element: For each a in G there is an element a' in G such that a·a' = a'·a = e
If the operation is also commutative, (A5) a·b = b·a for all a, b in G, then G forms an abelian group.
Cyclic Group
- Define exponentiation as repeated application of the operator, e.g. a^3 = a·a·a
- Define the identity: e = a^0
- a^(-n) = (a')^n
- A group is cyclic if every element is a power of some fixed element, i.e. b = a^k for some a and every b in group G
- a is said to generate the group G, or to be a generator of G.
Ring
A set of "numbers" with two operations (addition + and multiplication ·) which are:
- An abelian group with respect to the addition operation (A1-A5)
- Multiplication:
  (M1) Closure
  (M2) Associative: a(bc) = (ab)c
  (M3) Distributive law: a(b+c) = ab + ac
- If the multiplication operation is commutative, it forms a commutative ring:
  (M4) Commutativity of multiplication: ab = ba
- If the multiplication operation has an identity and no zero divisors, it forms an integral domain:
  (M5) Multiplicative identity: There is an element 1 in R such that a1 = 1a = a
  (M6) No zero divisors: If a, b in R and ab = 0, then either a = 0 or b = 0.
Field
A set of numbers with two operations:
- Abelian group for addition (A1-A5)
- Abelian group for multiplication, ignoring 0 (M1-M6)
- (M7) Multiplicative inverse: For each a in F, except 0, there is an element a^(-1) in F such that a·a^(-1) = a^(-1)·a = 1.
Group, Ring and Field
Modular Arithmetic
- Define the modulo operator a mod n to be the remainder when a is divided by n
- Use the term congruence for a ≡ b mod n: when divided by n, a and b have the same remainder, e.g. 73 ≡ 4 mod 23
- r is called the residue of a mod n, since with integers we can always write a = qn + r
- Usually have 0 <= b <= n-1, e.g. -12 mod 7 ≡ -5 mod 7 ≡ 2 mod 7 ≡ 9 mod 7
The Relationship
a = qn + r, 0 ≤ r < n
Modulo 7 Example
Each column is one residue class modulo 7 (every integer in a column leaves the same remainder):
-21 -20 -19 -18 -17 -16 -15
-14 -13 -12 -11 -10  -9  -8
 -7  -6  -5  -4  -3  -2  -1
  0   1   2   3   4   5   6
  7   8   9  10  11  12  13
 14  15  16  17  18  19  20
 21  22  23  24  25  26  27
 28  29  30  31  32  33  34
...
Divisors
- Say a non-zero number b divides a if for some m we have a = mb (a, b, m are all integers)
- That is, b divides into a with no remainder
- Denote this b|a
- Also say that b is a divisor of a, e.g. all of 1, 2, 3, 4, 6, 8, 12, 24 divide 24
Modular Arithmetic Operations
- Is "clock arithmetic": uses a finite number of values, and loops back from either end
- Modular arithmetic is when we do addition and multiplication and reduce the answer modulo n
- Can do the reduction at any point, i.e.
  (a + b) mod n = [(a mod n) + (b mod n)] mod n
  (a - b) mod n = [(a mod n) - (b mod n)] mod n
  (a × b) mod n = [(a mod n) × (b mod n)] mod n
Property
- a ≡ b mod n if n | (a - b)
- a ≡ b mod n implies b ≡ a mod n
- a ≡ b mod n and b ≡ c mod n imply a ≡ c mod n
Modular Arithmetic
- Can do modular arithmetic with any group of integers: Zn = {0, 1, ..., n-1}
- These form a commutative ring for addition with a multiplicative identity
- Note some peculiarities:
  if (a + b) ≡ (a + c) mod n then b ≡ c mod n
  but if (ab) ≡ (ac) mod n then b ≡ c mod n only if a is relatively prime to n
Relatively Prime
- Relatively prime: their only common positive integer factor is 1.
- An integer has a multiplicative inverse in Zn if that integer is relatively prime to n.
- Example: 6×3 = 18 ≡ 2 mod 8 and 6×7 = 42 ≡ 2 mod 8, but 3 ≢ 7 mod 8, because 6 and 8 are not relatively prime.
- When a^(-1) exists: (a^(-1)·a)·b ≡ (a^(-1)·a)·c mod n, hence b ≡ c mod n
Residue Class
The residue classes modulo n are [0], [1], [2], ..., [n-1] where [r] = {a : a is an integer, a ≡ r mod n}
Multiples of 6 in Z8:
Z8        0  1  2  3  4  5  6  7
6×        0  6 12 18 24 30 36 42
Residues  0  6  4  2  0  6  4  2
Multiplicative Inverse
- If p is a prime number, then all the elements of Zp are relatively prime to p
- Multiplicative inverse (w^(-1)): for each w ∈ Zp there exists a z such that w × z ≡ 1 mod p
- For each w ∈ Zn with gcd(w, n) = 1, there exists a z such that w × z ≡ 1 mod n
Multiples of 5 in Z8 (every residue appears exactly once):
Z8        0  1  2  3  4  5  6  7
5×        0  5 10 15 20 25 30 35
Residues  0  5  2  7  4  1  6  3
Modulo 8 Example (1)

Modulo 8 Example (2)

Properties of Modular Arithmetic for Integers Zn
Greatest Common Divisor (GCD)
- A common problem in number theory
- GCD(a, b) of a and b is the largest number that divides evenly into both a and b, e.g. GCD(60, 24) = 12
- Often want no common factors (except 1), and hence the numbers are relatively prime, e.g. GCD(8, 15) = 1, hence 8 and 15 are relatively prime
Euclid's GCD Algorithm
- An efficient way to find GCD(a, b) uses the theorem that GCD(a, b) = GCD(b, a mod b)
  gcd(55, 22) = gcd(22, 55 mod 22) = gcd(22, 11) = 11
- Euclid's Algorithm to compute GCD(a, b):
  EUCLID(a, b)
  1. A ← a; B ← b
  2. If B = 0 return A = gcd(a, b)
  3. R = A mod B
  4. A ← B
  5. B ← R
  6. goto 2
Example GCD(1970, 1066)
1970 = 1 × 1066 + 904   gcd(1066, 904)
1066 = 1 × 904 + 162    gcd(904, 162)
904 = 5 × 162 + 94      gcd(162, 94)
162 = 1 × 94 + 68       gcd(94, 68)
94 = 1 × 68 + 26        gcd(68, 26)
68 = 2 × 26 + 16        gcd(26, 16)
26 = 1 × 16 + 10        gcd(16, 10)
16 = 1 × 10 + 6         gcd(10, 6)
10 = 1 × 6 + 4          gcd(6, 4)
6 = 1 × 4 + 2           gcd(4, 2)
4 = 2 × 2 + 0           gcd(2, 0)
Galois Fields
- Finite fields play a key role in cryptography
- Can show the number of elements in a finite field must be a power of a prime, p^n
- Known as Galois fields, denoted GF(p^n)
- In particular, often use the fields GF(p) and GF(2^n)
Galois Fields GF(p)
- GF(p) is the set of integers {0, 1, ..., p-1} with arithmetic operations modulo prime p
- These form a finite field since multiplicative inverses exist
- Hence arithmetic is "well-behaved" and we can do addition, subtraction, multiplication, and division without leaving the field GF(p)
Example GF(7) -- (1)

Example GF(7) -- (2)
Finding Inverses (1)
Can extend Euclid's algorithm:
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^(-1) mod m
4. Q = ⌊A3 / B3⌋
5. (T1, T2, T3) = (A1 - Q·B1, A2 - Q·B2, A3 - Q·B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2
Finding Inverses (2)
The following relations hold at every step of EXTENDED EUCLID(m, b):
m·A1 + b·A2 = A3
m·B1 + b·B2 = B3
m·T1 + b·T2 = T3
When the algorithm stops with B3 = 1:
m·B1 + b·B2 = 1
b·B2 ≡ 1 mod m
b^(-1) mod m = B2
Inverse of 550 in GF(1759)
First steps of EXTENDED EUCLID(1759, 550):
Q = 3: 1759 - 3 × 550 = 1759 - 1650 = 109
Q = 5: 550 - 5 × 109 = 550 - 545 = 5
(the rest of the step table was not preserved)
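The two algorithms above carried through in code, as an added example written for this page and not the lecture's own code: plain EUCLID for GCD(1970, 1066), and EXTENDED EUCLID(m, b) with the (A1, A2, A3)/(B1, B2, B3) bookkeeping, which reproduces the whole 550 in GF(1759) step table and also shows why 6 has no inverse in Z8 while 5 does.

```python
def euclid_gcd(a, b):
    """EUCLID(a, b): gcd(a, b) = gcd(b, a mod b), repeated until the remainder is 0."""
    while b:
        a, b = b, a % b
    return a


def extended_euclid(m, b):
    """EXTENDED EUCLID(m, b) with the slide's triples A = (A1, A2, A3), B = (B1, B2, B3).

    Returns (gcd, inverse, rows): inverse is b^(-1) mod m, or None when gcd > 1,
    and rows lists (Q, A1, A2, A3, B1, B2, B3) for every step, i.e. the step table.
    Invariant kept at every step: m*A1 + b*A2 = A3 and m*B1 + b*B2 = B3.
    """
    A = [1, 0, m]
    B = [0, 1, b]
    rows = []
    while True:
        if B[2] == 0:                 # A3 = gcd(m, b) > 1: no inverse
            return A[2], None, rows
        if B[2] == 1:                 # m*B1 + b*B2 = 1  =>  b*B2 ≡ 1 (mod m)
            return 1, B[1] % m, rows
        Q = A[2] // B[2]
        T = [A[i] - Q * B[i] for i in range(3)]
        rows.append((Q, *A, *B))
        A, B = B, T                   # shift: A <- B, B <- T


def mod_inverse(b, m):
    """b^(-1) mod m via extended_euclid, or None when gcd(b, m) != 1."""
    return extended_euclid(m, b)[1]


if __name__ == "__main__":
    print("gcd(1970, 1066) =", euclid_gcd(1970, 1066))
    gcd, inv, rows = extended_euclid(1759, 550)
    print("     Q    A1    A2    A3    B1    B2    B3")
    for row in rows:
        print("".join(f"{v:6d}" for v in row))
    print("550^-1 mod 1759 =", inv)
    # Z8: 6 shares the factor 2 with 8, so it has no inverse; 5 is coprime to 8.
    print("inverse of 6 mod 8:", mod_inverse(6, 8), " inverse of 5 mod 8:", mod_inverse(5, 8))
```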
Polynomial Arithmetic
Ordinary polynomial arithmetic. A polynomial with degree n:
$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i$
Let $f(x) = \sum_{i=0}^{n} a_i x^i$ and $g(x) = \sum_{i=0}^{m} b_i x^i$ with $n \ge m$. Then
$f(x) + g(x) = \sum_{i=0}^{m} (a_i + b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$
$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i$, where $c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0$
Polynomial Arithmetic with Coefficients in Zp
- Polynomial ring
- Example of GF(2)

Example of GF(2)
Irreducible
- A polynomial f(x) over a field F is called irreducible if and only if f(x) cannot be expressed as a product of two polynomials over F, both of degree lower than that of f(x).
- The polynomial f(x) = x^4 + 1 over GF(2) is reducible because x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1)
- x^3 + x + 1 is irreducible
Finding the GCD
EUCLID Algorithm
Finite Fields of the Form GF(2^n)
- To work with integers that fit exactly into a given number of bits, with no wasted bit patterns (for implementation efficiency)

Arithmetic in GF(2^3): Addition
Arithmetic in GF(2^3): Multiplication

Arithmetic in GF(2^3): Additive and multiplicative inverses
Modular Polynomial Arithmetic
Consider the set S of all polynomials of degree n-1 or less over the field Zp. Thus, each polynomial has the form
$f(x) = \sum_{i=0}^{n-1} a_i x^i$
where each $a_i$ takes on a value in the set {0, 1, ..., p-1}. There are a total of p^n different polynomials in S.
Arithmetic Operations
Arithmetic follows the ordinary rules of polynomial arithmetic using the basic rules of algebra, with the following refinements:
- Arithmetic on the coefficients is performed modulo p. That is, we use the rules of arithmetic for the finite field Zp.
- If multiplication results in a polynomial of degree greater than n-1, then the polynomial is reduced modulo some irreducible polynomial m(x) of degree n. That is, we divide by m(x) and keep the remainder. For a polynomial f(x), the remainder is expressed as r(x) = f(x) mod m(x).
Example of GF(2^8) – in AES (1)

Example of GF(2^8) – in AES (2)

Construction of GF(2^3)
Two irreducible polynomials for constructing GF(2^3): x^3 + x + 1 and x^3 + x^2 + 1
Polynomial Arithmetic Modulo x^3 + x + 1 (1)

Polynomial Arithmetic Modulo x^3 + x + 1 (2)
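An added example (not the lecture's code) that makes the Irreducible slide and the GF(2^3) construction concrete: polynomials over GF(2) are stored as integer bit masks, long division gives the remainder r(x) = f(x) mod m(x), irreducibility is tested by trial division (so x^4 + 1 fails and x^3 + x + 1, x^3 + x^2 + 1 pass), and the multiplication table and inverses of GF(2^3) are built modulo x^3 + x + 1.

```python
# A polynomial over GF(2) is stored as an int: bit i holds the coefficient of x^i.
# x^3 + x + 1 -> 0b1011, x^4 + 1 -> 0b10001.  Adding coefficients mod 2 is XOR.

def deg(p):
    return p.bit_length() - 1

def poly_mul(a, b):
    """Ordinary polynomial product over GF(2) (no reduction), via shift-and-XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, m):
    """Long division of a by m over GF(2): returns (quotient, remainder)."""
    q = 0
    while a and deg(a) >= deg(m):
        shift = deg(a) - deg(m)
        q ^= 1 << shift
        a ^= m << shift          # subtract (= add) m(x) * x^shift
    return q, a

def is_irreducible(f):
    """f is reducible iff some polynomial of degree 1 .. deg(f)//2 divides it."""
    n = deg(f)
    if n < 1:
        return False
    return all(poly_divmod(f, d)[1] != 0 for d in range(2, 1 << (n // 2 + 1)))

def gf_mul_mod(a, b, m):
    """Multiplication in GF(2^n) = GF(2)[x] modulo the irreducible m(x)."""
    return poly_divmod(poly_mul(a, b), m)[1]

def gf_inverse(a, m):
    """Multiplicative inverse in GF(2^n) by exhaustive search (None for a = 0)."""
    for b in range(1, 1 << deg(m)):
        if gf_mul_mod(a, b, m) == 1:
            return b
    return None

def mult_table(m):
    """Full multiplication table of GF(2^deg(m)) modulo m(x)."""
    size = 1 << deg(m)
    return [[gf_mul_mod(a, b, m) for b in range(size)] for a in range(size)]
```

Every non-zero row of `mult_table(0b1011)` is a permutation of the non-zero elements, which is exactly why each non-zero element has an inverse.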
Finding the Multiplicative Inverse

Implementation Considerations (1): Addition

Implementation Considerations (2): Multiplication (1)

Implementation Considerations (3): Multiplication (2)

Implementation Considerations (4): Multiplication (3)
AES (Advanced Encryption Standard)
- Next-generation encryption standard of NIST/FIPS
- It will replace the use of DES for the following 30 years
- The sensitive information protected by AES cannot be revealed within 100 years
- It was selected by competition through an international selection process
Calendar of AES
Announcement                      January 1997
Requirements workshop             April 1997
Final requirements                September 1997
Pre-submission                    April 15, 1998
Submission                        June 15, 1998
AES conference 1 - presentation   August 20-22, 1998
AES conference 2 - analysis       March 22-23, 1999
Selection of 5 finalists          April 15, 1999
AES conference 3                  Beginning of 2000?
Final AES selection               October 2, 2000
AES Requirements
- Block cipher: 128-bit block, 128/192/256-bit keys
- At least equal to Triple DES in security, and more efficient
- Provide descriptions and analysis
- Provide three implementations in two languages (reference and optimized in C, optimized in Java)
- If selected, royalty free worldwide
The 15 Submissions for AES (1)
Cipher      Submitted by                Country
CAST-256    Entrust                     Canada
Crypton     Future                      Korea
Deal        Outerbridge                 Canada
DFC         ENS-CNRS                    France
E2          NTT                         Japan
Frog        TecApro                     Costa Rica
HPC         Schroeppel                  USA
LOKI97      Brown, Pieprzyk, Seberry    Australia

The 15 Submissions for AES (2)
Cipher      Submitted by                Country
Magenta     Deutsche                    Germany
* Mars      IBM                         USA
* RC6       RSA                         USA
* Rijndael  Daemen, Rijmen              Belgium
Safer+      Cylink                      USA
* Serpent   Anderson, Biham, Knudsen    UK, Israel, Norway
* Twofish   Counterpane                 USA
(* = one of the 5 finalists)
Final AES Selection: Rijndael
- Block cipher with block size 128 bits
- Accepts 128-, 192-, 256-bit keys
- Easy to implement in H/W
The Implementation of Crypto Algorithms (W32)
- http://www.cryptosoft.com
  Different platforms: win16, win32, linux, OS/2, ...
  Triple DES, Rijndael, Safer+, Blowfish, Cast-128, ...
- Crypto++: a C++ Class Library of Cryptographic Primitives, Version 3.0, 1/1/1999
  http://www.eskimo.com/~weidai/cryptlib.html
- Microsoft CryptoAPI
More AES Information
- NIST AES Homepage: http://csrc.nist.gov/encryption/aes/
- Rijndael Specification: Those who are interested in the AES specification (i.e., what will be in the standard) should refer to the Draft FIPS for the AES.
- Test Values
- Supporting Documentation
- Rijndael Developers' Contact Information
- Rijndael Code: C/C++/Java/Visual Basic
- Rijndael Homepage: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
The AES Cipher: AES Parameters

The AES Cipher - Rijndael
- Designed by Rijmen and Daemen in Belgium
- 128/192/256-bit keys, 128-bit data
- An iterative rather than Feistel cipher: treats data in 4 groups of 4 bytes, and operates on the entire block in every round
- Designed to be: resistant against known attacks; fast and compact in code on many CPUs; simple in design
Rijndael
- Processes data as 4 groups of 4 bytes (the state)
- Steps:
  byte substitution (uses an S-box to perform a byte-by-byte substitution of the block)
  shift rows (a simple permutation)
  mix columns (substitution using arithmetic over GF(2^8))
  add round key (a simple bitwise XOR of the current block with a portion of the expanded key)
- All operations can be combined into XOR and table lookups, hence very fast and efficient
Rijndael

AES Data Structure

Byte Substitution
- A simple substitution of each byte
- Uses one table of 16×16 bytes containing a permutation of all 256 8-bit values
- Each byte of the state is replaced by the byte in row (left 4 bits) and column (right 4 bits), e.g. byte {95} is replaced by the row 9, column 5 byte, which is the value {2A}
- The S-box is constructed using a defined transformation of the values in GF(2^8)
- Designed to be resistant to all known attacks
Example of the SubBytes

S-box of AES (1)

S-box of AES (2)

AES Byte-Level Operations (1)

AES Byte-Level Operations (2)

Construction of the S-box (1)

Construction of the S-box (2)

Construction of the S-box (3)
{95}^(-1) in GF(2^8) = {8A} = {10001010}
Construction of the S-box (4): Inverse substitute byte transformation

Construction of the S-box (5)

Shift Rows (1)
- A circular byte shift in each row:
  1st row is unchanged
  2nd row does a 1-byte circular shift to the left
  3rd row does a 2-byte circular shift to the left
  4th row does a 3-byte circular shift to the left
- Decryption does the shifts to the right
- Since the state is processed by columns, this step permutes bytes between the columns
Shift Rows (2)

Mix Columns (1)
- Each column is processed separately
- Each byte is replaced by a value dependent on all 4 bytes in the column
- Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
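An added example (not the lecture's or the AES designers' code) covering the GF(2^8) multiplication of the Implementation Considerations slides, the S-box construction ({95}^(-1) = {8A}, then the affine transform, giving {2A}), and one MixColumns column: all arithmetic is modulo m(x) = x^8 + x^4 + x^3 + x + 1, and the inverse is computed as a^254 rather than by extended Euclid. The MixColumns check value in the usage note is the first-round column from the FIPS-197 worked example.

```python
# GF(2^8) as used in AES: a byte is a polynomial over GF(2), reduced modulo
# m(x) = x^8 + x^4 + x^3 + x + 1.  Since x^8 ≡ x^4 + x^3 + x + 1, "times x"
# (xtime) is a left shift followed by XOR with 0x1B when the top bit overflows.

def gf_mul(a, b):
    """Multiply two field elements with shift-and-add, reducing after each doubling."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for nonzero a); AES maps 0 to 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def sbox(x):
    """SubBytes for one byte: field inverse, then the affine map with constant 0x63."""
    s = gf_inv(x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return s ^ rotl(s, 1) ^ rotl(s, 2) ^ rotl(s, 3) ^ rotl(s, 4) ^ 0x63

def build_sbox():
    """The full 16x16 table is just sbox() applied to 0x00..0xFF."""
    return [sbox(i) for i in range(256)]

def mix_column(col):
    """MixColumns on one 4-byte column: multiply by the circulant matrix [2 3 1 1]."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
```

`mix_column([0xD4, 0xBF, 0x5D, 0x30])` gives `[0x04, 0x66, 0x81, 0xE5]`, and `sbox(0x95)` gives `0x2A` as on the Byte Substitution slide.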
Mix Columns (2)

Example of the MixColumns (1)

Example of the MixColumns (2)

Inverse MixColumns (1)

Inverse MixColumns (2)

Add Round Key
- XOR the state with 128 bits of the round key
- Again processed by column (though effectively a series of byte operations)
- The inverse for decryption is identical since XOR is its own inverse, just with the correct round key
- Designed to be as simple as possible
AES Round

Example of Add Round Key

AES Key Expansion
- Takes the 128-bit (16-byte) key and expands it into an array of 44/52/60 32-bit words
- Start by copying the key into the first 4 words
- Then loop, creating words that depend on the values in the previous word and 4 places back
- In 3 of 4 cases just XOR these together
- Every 4th word has S-box + rotate + XOR with a round constant applied to the previous word before the XOR
- Designed to resist known attacks
Algorithm (1)

Algorithm (2)

Example of AES Key Expansion

AES Decryption (1)
- AES decryption is not identical to encryption since the steps are done in reverse
- But can define an equivalent inverse cipher with steps as for encryption, but using the inverse of each step and a different key schedule
- Works since the result is unchanged when we swap byte substitution and shift rows, and swap mix columns and add (tweaked) round key
AES Decryption (2): Equivalent Inverse

Implementation Aspects
Can efficiently implement on an 8-bit CPU:
- byte substitution works on bytes using a table of 256 entries
- shift rows is simple byte shifting
- add round key works on byte XORs
- mix columns requires matrix multiplication in GF(2^8), which works on byte values and can be simplified to use a table lookup

Implementation Aspects
Can efficiently implement on a 32-bit CPU:
- redefine the steps to use 32-bit words
- can precompute 4 tables of 256 words
- then each column in each round can be computed using 4 table lookups + 4 XORs
- at a cost of 4 × (1024 bytes) to store the tables
- Designers believe this very efficient implementation was a key factor in its selection as the AES cipher