
Advanced Encryption Standard

Names: AES, Rijndael-AES, Rijndael
Designers: Joan Daemen, Vincent Rijmen
Created: 1998
Published: 2001
Key size: 128/192/256 bits
Block size: 128 bits
Number of rounds: 10/12/14 (depends on key size)
Type: substitution-permutation network

The Advanced Encryption Standard (AES), also known as Rijndael (pronounced [rɛindaːl]), is a symmetric block cipher (block size 128 bits, key size 128/192/256 bits) adopted as an encryption standard by the US government as the result of the AES competition. The algorithm has been thoroughly analysed and is now widely used, as its predecessor DES was. The National Institute of Standards and Technology (NIST) published the AES specification on 26 November 2001 after a selection process in which 15 candidate algorithms were evaluated. On 26 May 2002 AES became the official standard. As of 2009, AES is one of the most widely used symmetric encryption algorithms.[1][2] Hardware support for AES (and only for AES) has been built into Intel x86 processors starting with the Intel Core i7-980X Extreme Edition and continued in the Sandy Bridge generation.

History of AES

On 2 January 1997 NIST announced[3] a competition for a new encryption algorithm to replace DES, which had been the standard since 1977. On 2 October 2000 NIST announced that Rijndael[4] had won, and the standardisation procedure began. On 28 February 2001 a draft standard was published, and on 26 November 2001 AES was adopted as FIPS 197. The history of the competition is documented on the NIST website[5].

Description of AES

Notation and terms

Block: a sequence of binary bits that makes up the input, output, State and Round Key. The length of a Block is the number of bits it contains; Blocks are also interpreted as arrays of bytes.
Cipher Key: the secret cryptographic key used by the Key Expansion routine to generate a set of Round Keys; it can be pictured as a rectangular array of bytes with four rows and Nk columns.
Ciphertext: the output of the Cipher, or the input of the Inverse Cipher.
Key Expansion: the routine that generates the series of Round Keys from the Cipher Key.
Round Key: a value derived from the Cipher Key by Key Expansion and applied to the State in the Cipher and the Inverse Cipher.
State: the intermediate result of the cipher, pictured as a rectangular array of bytes with four rows and Nb columns.
S-box: a non-linear substitution table used in several byte substitution transformations and in Key Expansion to perform a one-to-one substitution of a byte value. The S-box is invertible.
Nb: the number of columns (32-bit words) in the State. For AES, Nb = 4.
Nk: the number of 32-bit words in the Cipher Key. For AES, Nk = 4, 6 or 8.
Nr: the number of rounds, a function of Nk and Nb. For AES, Nr = 10, 12 or 14.
Rcon[]: the round constant word array; each element is a 32-bit word. Rcon[] is used in Key Expansion.

S-box


Sbox = array(
        0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76,
        0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0,
        0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15,
        0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75,
        0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84,
        0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf,
        0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8,
        0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2,
        0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73,
        0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb,
        0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79,
        0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08,
        0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a,
        0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e,
        0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf,
        0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16
    );

Inverse S-box (used by InvSubBytes())

InvSbox = array(
        0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
        0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
        0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
        0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
        0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
        0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
        0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
        0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
        0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
        0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
        0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
        0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
        0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
        0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
        0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
        0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
        );

Rcon[]


Rcon = array(
        array(0x00, 0x00, 0x00, 0x00),
        array(0x01, 0x00, 0x00, 0x00),
        array(0x02, 0x00, 0x00, 0x00),
        array(0x04, 0x00, 0x00, 0x00),
        array(0x08, 0x00, 0x00, 0x00),
        array(0x10, 0x00, 0x00, 0x00),
        array(0x20, 0x00, 0x00, 0x00),
        array(0x40, 0x00, 0x00, 0x00),
        array(0x80, 0x00, 0x00, 0x00),
        array(0x1b, 0x00, 0x00, 0x00),
        array(0x36, 0x00, 0x00, 0x00)
    );

AddRoundKey(): transformation in the Cipher and Inverse Cipher in which a Round Key is combined with the State by XOR. The length of a Round Key equals the size of the State (for Nb = 4 the Round Key is 128 bits, i.e. 16 bytes).
InvMixColumns(): the inverse of MixColumns().
InvShiftRows(): the inverse of ShiftRows().
InvSubBytes(): the inverse of SubBytes().
MixColumns()[6]: transformation in the Cipher that takes all the columns of the State and mixes their data (each column independently) to produce new columns.
RotWord(): function used in Key Expansion that performs a cyclic permutation of a 4-byte word.
ShiftRows(): transformation in the Cipher that cyclically shifts the rows of the State by different offsets.
SubBytes(): transformation in the Cipher that processes the State with a non-linear byte substitution table (S-box), operating on each byte of the State independently.
SubWord(): function used in Key Expansion that applies the S-box to each of the four bytes of a word.

Algorithm

AES is a variant of Rijndael with a fixed block size. In AES the input block (input) and the State are 128 bits long, while the key K is 128, 192 or 256 bits. Rijndael itself allows block and key lengths from 128 to 256 bits in steps of 32 bits. Since input and State are fixed at 128 bits, Nb = 4 (the number of 32-bit words, or columns, in the input and the State), while Nk = 4, 6 or 8 depending on the length of the Cipher Key.

At the start of the Cipher the input is copied into the State according to s[r,c] = in[r+4c], where 0 \le r < 4 and 0 \le c < Nb. After an initial AddRoundKey() the State is transformed by 10, 12 or 14 rounds (depending on the key length), the final round differing slightly from the others. After the last round the State is copied to the output according to out[r+4c] = s[r,c], 0 \le r < 4 and 0 \le c < Nb.

The transformations SubBytes(), ShiftRows(), MixColumns() and AddRoundKey() operate on the State. The array w[] holds the key schedule.


Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    
    state = in

    AddRoundKey(state, w[0, Nb-1])

    for round = 1 step 1 to Nr-1
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    end for

    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])

    out = state
end

Fig. 1. Cipher

SubBytes()

SubBytes: each byte of the state is replaced by its image under the 8-bit substitution box S; b_{ij} = S(a_{ij}).

SubBytes() is a non-linear byte substitution that acts independently on every byte of the State using a substitution table (S-box). The S-box is invertible and is built from two transformations. First, each byte is replaced by its multiplicative inverse in the finite field GF\left( {2^8 } \right), the element {00} being mapped to itself. Second, the following affine transformation over GF(2) is applied to each bit b_i of the resulting byte b (this is what the S-box table above encodes):

b'_i  = b_i  \oplus b_{\left( {i + 4} \right)\bmod 8}  \oplus b_{\left( {i + 5} \right)\bmod 8}  \oplus b_{\left( {i + 6} \right)\bmod 8}  \oplus b_{\left( {i + 7} \right)\bmod 8}  \oplus c_i

for 0 \le i < 8, where b_i is the i-th bit of b and c_i is the i-th bit of the constant c = 63_{16} = 99_{10} = 01100011_2. Here and below a prime denotes the updated value of a variable. In matrix form the same transformation reads:


\begin{Vmatrix} b^{'}_{0}\\b^{'}_{1}\\b^{'}_{2}\\b^{'}_{3}\\b^{'}_{4}\\b^{'}_{5}\\b^{'}_{6}\\b^{'}_{7} \end{Vmatrix} = 
 \begin{Vmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1\\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1\\
                       1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0\\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0\\
                       0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{Vmatrix} *
 \begin{Vmatrix} b_{0}\\b_{1}\\b_{2}\\b_{3}\\b_{4}\\b_{5}\\b_{6}\\b_{7} \end{Vmatrix} +  \begin{Vmatrix} 0\\1\\1\\0\\0\\0\\1\\1 \end{Vmatrix}

ShiftRows()

ShiftRows: the bytes in each row of the state are cyclically shifted to the left by an offset that depends on the row.

ShiftRows operates on the rows of the State. The bytes of row r are cyclically shifted left by r positions: row r = 0 is left unchanged, row r = 1 is shifted by one byte, and so on. Bytes shifted out at the left re-enter at the right end of the row. ShiftRows therefore moves bytes between the columns of the State. In Rijndael this pattern is the same for 128-bit and 192-bit blocks. For a 256-bit block, however, the 2nd, 3rd and 4th rows are shifted by 1, 3 and 4 bytes respectively, rather than by 1, 2 and 3.

MixColumns()

MixColumns: each column of the state is multiplied by a fixed polynomial c(x).

In MixColumns the four bytes of each column of the State are combined by an invertible linear transformation. MixColumns processes each column independently; together with ShiftRows it provides diffusion in the cipher. Each column is treated as a polynomial over GF(2^8) and multiplied modulo x^4+1 by the fixed polynomial c(x) = 3x^3 + x^2 + x + 2. While ShiftRows moves bytes across columns, MixColumns mixes the bytes within a column.

AddRoundKey()

AddRoundKey: each byte of the state is combined with the corresponding byte of the RoundKey using XOR (⊕).

In AddRoundKey the RoundKey is combined with the State. For every round a RoundKey is derived from the CipherKey by KeyExpansion; each RoundKey has the same size as the State. The RoundKey is applied by XORing each byte of the State with the corresponding byte of the RoundKey.


Key expansion

The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine, KeyExpansion(), to generate the key schedule. The Key Expansion generates a total of Nb*(Nr + 1) words: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The resulting key schedule is a linear array of 4-byte words denoted w \left[ i \right], 0 \le i < Nb*(Nr + 1). The pseudocode of KeyExpansion() is given below.

SubWord() is a function that takes a four-byte input word and applies the S-box to each of the four bytes, producing an output word. The function RotWord() takes the word [a_{0}, a_{1}, a_{2}, a_{3}] and performs a cyclic permutation, returning [a_{1}, a_{2}, a_{3}, a_{0}]. The round constant word array, Rcon\left[ i \right], contains the values given by [x^{i-1}, {00}, {00}, {00}], with x = {02}, where x^{i-1} is a power of x in the field GF \left( 2^8 \right) (i starts at 1).

From the pseudocode it can be seen that the first Nk words of the expanded key are filled with the Cipher Key. Every following word, w[i], is the XOR of the previous word, w[i-1], and the word Nk positions earlier, w\left[ {i - Nk} \right]. For words in positions that are a multiple of Nk, a transformation is applied to w[i-1] before the XOR, followed by an XOR with the round constant Rcon[i]. This transformation consists of a cyclic shift of the bytes of the word (RotWord()), followed by the application of a table lookup to all four bytes of the word (SubWord()), using the same S-box as SubBytes().

Note that the KeyExpansion() routine for 256-bit Cipher Keys differs slightly from the one for 128- and 192-bit keys. If Nk = 8 and i - 4 is a multiple of Nk, SubWord() is applied to w[i-1] before the XOR.

KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)
begin
    word temp
    i = 0;
    
    while ( i < Nk)
        w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
        i = i+1
    end while
    
    i = Nk

    while ( i < Nb * (Nr+1))
        temp = w[i-1]
        if (i mod Nk = 0)
            temp = SubWord(RotWord(temp)) xor Rcon[i/Nk]
        else if (Nk > 6 and i mod Nk = 4)
            temp = SubWord(temp)
        end if
        w[i] = w[i-Nk] xor temp
        i = i + 1
    end while
end
Key Expansion
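As an added example (not code from the original article or from the standard), the following Python implements the pieces described above: the S-box built from the multiplicative inverse in GF(2^8) and the affine transformation of SubBytes(), KeyExpansion() for Nk = 4, 6 and 8 including the extra SubWord() step for 256-bit keys, and the Cipher() round structure with ShiftRows, MixColumns (c(x) = 3x^3 + x^2 + x + 2) and AddRoundKey. Function names are my own; the State is held as a flat 16-byte list indexed s[r + 4c], exactly as the text defines it.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)   # xtime: multiply by x = {02}
        b >>= 1
    return r

def sbox_entry(a):
    """Inverse a^254 (= a^-1, with 0 -> 0), then the page's affine map with c = 0x63."""
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, a)
    rotl = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xff
    return inv ^ rotl(1) ^ rotl(2) ^ rotl(3) ^ rotl(4) ^ 0x63   # b_i ^ b_(i+4..i+7) ^ c_i
SBOX = [sbox_entry(a) for a in range(256)]   # must equal the Sbox table above

def key_expansion(key):
    """KeyExpansion() for Nk = 4, 6 or 8 words (AES-128/192/256): Nb*(Nr+1) words."""
    Nk, Nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4*i:4*i + 4]) for i in range(Nk)]
    rcon = 0x01                       # Rcon[i/Nk] = [x^(i/Nk - 1), 00, 00, 00]
    for i in range(Nk, 4 * (Nr + 1)):
        temp = list(w[i - 1])
        if i % Nk == 0:               # SubWord(RotWord(temp)) xor Rcon[i/Nk]
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]
            temp[0], rcon = temp[0] ^ rcon, gf_mul(rcon, 2)
        elif Nk > 6 and i % Nk == 4:  # extra SubWord, 256-bit keys only
            temp = [SBOX[b] for b in temp]
        w.append([x ^ y for x, y in zip(w[i - Nk], temp)])
    return w

def mix_column(a):   # column times c(x) = {03}x^3 + {01}x^2 + {01}x + {02} mod x^4 + 1
    return [gf_mul(2, a[i]) ^ gf_mul(3, a[(i+1) % 4]) ^ a[(i+2) % 4] ^ a[(i+3) % 4] for i in range(4)]

def encrypt_block(block, key):
    """Cipher(): state held as s[r + 4c]; Nr-1 full rounds, final round without MixColumns."""
    w, Nr = key_expansion(key), len(key) // 4 + 6
    rk = lambda s, rnd: [s[r + 4*c] ^ w[4*rnd + c][r] for c in range(4) for r in range(4)]
    s = rk(list(block), 0)
    for rnd in range(1, Nr + 1):
        s = [SBOX[b] for b in s]                                           # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < Nr:                                                       # MixColumns
            s = sum((mix_column(s[4*c:4*c + 4]) for c in range(4)), [])
        s = rk(s, rnd)                                                     # AddRoundKey
    return bytes(s)
```

A quick sanity check is to compare SBOX with the table above (for instance SBOX[0x53] must be 0xed) and to run encrypt_block on the FIPS 197 Appendix C test vectors.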

Inverse Cipher


InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]
    
    state = in

    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])

    for round = Nr-1 step -1 downto 1
        InvShiftRows(state)
        InvSubBytes(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
        InvMixColumns(state)
    end for

    InvShiftRows(state)
    InvSubBytes(state)
    AddRoundKey(state, w[0, Nb-1])

    out = state
end

Inverse Cipher

Note

Note that in round i AddRoundKey() uses not the single word w \left[ i \right] but the words from w \left[ Nb * i \right] up to (but not including) w \left[ Nb * \left( i + 1 \right) \right].

Variants

Rijndael, on which AES is based, has also served as the basis for other ciphers. Two of them were submitted to the Nessie project: Anubis and Grand Cru.

Security

In 2003 the US National Security Agency determined that AES is sufficiently strong to protect classified information. Information up to the SECRET level may be encrypted with 128-bit keys; TOP SECRET information requires 192- or 256-bit keys[7].

XSL attack

Unlike most other ciphers, AES has a simple mathematical description. This concerned, among others, Niels Ferguson, who noted in his work that the security of the cipher rests on an untested assumption ("The security of Rijndael depends on a new and untested hardness assumption: it is computationally infeasible to solve equations of this type")[8][9] and wrote, together with Bruce Schneier:

AES: . AES, . , , , AES.

Niels Ferguson, Bruce Schneier, Practical Cryptography, 2003, pp. 56–57

In 2002 Nicolas Courtois and Josef Pieprzyk published a paper describing a theoretical attack, which they called the XSL attack (eXtended Sparse Linearization), against AES and Serpent[10][11]. The result was commented on as follows:

, - . . , [] Rijndael. , Rijndael .


However, on the NESSIE discussion forum in 2002 Vincent Rijmen, one of the designers of Rijndael, responded that "The XSL attack is not an attack. It is a dream" (the attack was debated again at the 4th AES Conference in 2004). Courtois replied that it "may also be a very bad dream and turn into a nightmare"[12].

In 2003 Sean Murphy and Matt Robshaw published a paper arguing that, if the XSL approach worked, an attack on AES with complexity 2^100 rather than 2^128 would be possible. At the 4th AES Conference, Ilia Toli and Alberto Zanoni showed that the result of Murphy and Robshaw does not hold[13]. In turn, in 2007 Chu-Wee Lim and Khoongming Khoo showed that the XSL attack does not work as described[14].

Side-channel attacks

Side-channel attacks do not exploit mathematical weaknesses of the cipher; they exploit characteristics of its implementation, such as the execution time of operations or power consumption, that leak information about the key. Several such attacks on AES have been published.

In 2005 Daniel J. Bernstein published a paper describing a cache-timing attack on AES that recovered the key of a server running OpenSSL's AES implementation[15]. The attack required over 200 million chosen plaintexts[16].

Also in 2005 Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper describing several cache-timing attacks on AES. One of them recovers the key after only 800 encryptions. The attack requires the attacker to be able to run code on the same system that performs the encryption[17].

In 2009 a Differential Fault Analysis attack on AES was published that recovers the key with complexity 2^32[18].


References

  1. Intel Core i5 (Clarkdale): AES. THG (2010). Archived 2012. Retrieved 2010.
  2. Biryukov, Alex; Khovratovich, Dmitry. "Related-key Cryptanalysis of the Full AES-192 and AES-256". Advances in Cryptology, ASIACRYPT 2009. Springer Berlin / Heidelberg, 2009. Vol. 5912, pp. 1–18. DOI:10.1007/978-3-642-10366-7_1
  3. http://csrc.nist.gov/CryptoToolkit/aes/pre-round1/aes_9701.txt
  4. NIST Error Page
  5. Bounce to index.html
  6. en:Rijndael mix columns
  7. National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information. Committee on National Security Systems (June 2003). Archived 2012. Retrieved 2010.
  8. James McLaughlin. "The XSL controversy". In: A survey of block cipher cryptanalysis techniques. Preprint. York: University of York, 2009.
  9. Niels Ferguson, Richard Schroeppel, Doug Whiting. "A simple algebraic representation of Rijndael". Selected Areas in Cryptography, Proc. SAC 2001, Lecture Notes in Computer Science 2259. Springer Verlag, 2001. pp. 103–111.
  10. Bruce Schneier. Crypto-Gram Newsletter. Schneier on Security (15 September 2002). Archived 2012. Retrieved 2010.
  11. Nicolas Courtois, Josef Pieprzyk. "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". Advances in Cryptology, ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 1–5, 2002, Proceedings. Lecture Notes in Computer Science 2501. Springer, 2002. pp. 267–287. DOI:10.1007/3-540-36178-2
  12. NESSIE Discussion Forum
  13. Ilia Toli, Alberto Zanoni. "An Algebraic Interpretation of AES-128". Proc. of AES Conference, 2005. pp. 84–97. DOI:10.1007/11506447_8
  14. Chu-Wee Lim, Khoongming Khoo. "An Analysis of XSL Applied to BES". Fast Software Encryption. Heidelberg: Springer Berlin / Heidelberg, 2007. Vol. 4593, pp. 242–253. DOI:10.1007/978-3-540-74619-5_16
  15. Daniel J. Bernstein. Cache-timing attacks on AES. 2004.
  16. Bruce Schneier. AES Timing Attack. Schneier on Security (17 May 2005). Archived 2012. Retrieved 2010.
  17. Dag Arne Osvik, Adi Shamir, Eran Tromer. "Cache Attacks and Countermeasures: the Case of AES". Topics in Cryptology, CT-RSA 2006, The Cryptographers' Track at the RSA Conference. Springer-Verlag, 2005. pp. 1–20.
  18. Dhiman Saha, Debdeep Mukhopadhyay, Dipanwita RoyChowdhury. "A Diagonal Fault Attack on the Advanced Encryption Standard". Cryptology ePrint Archive, 2009.

