Lecture 4

The Advanced Encryption

Standard (AES)
On January 2, 1997, the National Institute of
Standards and Technology (NIST)
announced the initiation of a new
symmetric-key block cipher algorithm as
the new encryption standard to replace the
DES. The new algorithm would be named
the Advanced Encryption Standard (AES).
Unlike the closed design process for the
DES, an open call for the AES algorithms
was formally made on September 12, 1997.
The requirements of AES is as follows:
(1) The call stipulated that the AES would specify
an unclassified, publicly disclosed symmetric-key
encryption algorithm(s).
(2) The algorithm(s) must support (at a minimum)
block sizes of 128-bits, key sizes of 128-, 192-, and
256-bits, and should have a strength at the level of
the triple DES, but should be more efficient then
the triple DES.
(3) It should work on a variety of different
hardware.
(4) The algorithm(s), if selected, must be available
royalty-free, worldwide.
On August 20, 1998, NIST announced a group
of fifteen AES candidate algorithms. These
algorithms had been submitted by members of
the cryptographic community from around the
world. Public comments on the fifteen
candidates were solicited as the initial review
of these algorithms (the period for the initial
public comments was also called the Round 1).
The Round 1 closed on April 15, 1999. Using
the analyses and comments received, NIST
selected five algorithms from the fifteen.
The five AES finalist candidate algorithms
were MARS (from IBM), RC6 (from RSA
Laboratories), Rijndael (from Joan Daemen
and Vincent Rijmen), Serpent (from Ross
Anderson, Eli Biham, and Lars Knudsen),
and Twofish (from Bruce Schneier, John
Kelsey, Doug Whiting, David Wagner, Chris
Hall, and Niels Ferguson). These finalist
algorithms received further analysis during a
second, more in-depth review period (the
Round 2).
In the Round 2, comments and analysis were
sought on any aspect of the candidate
algorithms, including, but not limited to, the
following topics: cryptanalysis, intellectual
property, cross-cutting analyses of all of the
AES finalists, overall recommendations and
implementation issues. On October 2 , 2000,
NIST announced that it has selected Rijndael
to propose for the AES.
Outline
About the Finite Field GF(p
n
)
The Basic Algorithm
The Layers
Decryption
Design Consideration
Implementation Concerns
Positive Impact of the AES
Modes of Operation
Message Authentication Code
1 About the Finite Field GF(p
n
)
solution.
a have not does ) (mod 1 e congrucenc
the since field, a form not does modulo
integer But the elements. with field finite one
exactly is there prime, a of power every For
n
n
n
n
p px
p
p
p

elements. 4 with field a is it , 1 mod

tion multiplica and addition For 1. most at degree of s polynomial of
} 1 , , 1 , 0 {
set the be to ) 1 ](mod [ define can we
Therefore, ). 1 (mod 1 as this can write We
. ) 1 )( 1 ( 1 get , 1 into 1
divide we example, For integers. with the as just remainder, with
division perform can We . 1 ) 1 )( 1 (
as such , 2 mod ts coefficien the work with we as long as set, in this
multiply and subtract, add, can We ]. [ in Z also are 1 , 0 s polynomial
constant The . , 1 as such , 2 mod integers are ts coefficien
whose s polynomial of set the be ] [ Let Z : Solution
. ) GF(2 Construct
2
2
2
2 3 4
2 2 3 4 3 4 2
2 3 4 3
2
6
2
2
+ +
+
+ +
+ + + +
+ + + + = + + + + + +
+ + + = + + +
+ +
X X
X X
X X X Z
X X X X X
X X X X X X X X X X
X X X X X X
X
X X X
X
1 Example
1.1 The Construction of the Finite Field GF(p
n
)
field. same y the essentiall are e that thes show to possible
is It ? degree of both s, polynomial e irreducibl different
for two on constructi same the do we if happens What #
elements. with field
a is ) ( Then . ) ( ]mod [ be ) ( Let (3)
. degree
of mod polynomial e irreducibl an be to ) ( Choose (2)
. mod ts coefficien with s polynomial of set the is ] [ (1)
). ( field finite a ng constructi for procedure general The
n
p
p GF X P X Z p GF
n
p X P
p X Z
p GF
n
n
p
n
p
n
1.2 Division

). 1 (mod 1 ) 1 )( (
: obtain we , 1 mod Reducing
). 1 )( 1 ( ) 1 )( ( 1
Therefore,
. 1 ) )( 1 ( 1
) ( ) 1 )( 1 ( 1
: integers for as same the is
) dividend divisor remainder )( 1
, 1 gcd( Calculate : Solution
. 1 of inverse the find ), 1
](mod [ Z ) GF(2 Consider
Algorithm Euclidean Extended The
3 4 8 3 6 7 2
3 4 8
3 4 8 3 6 7 2
2 6 3 6 7
2 6 3 6 7 3 4 8
3
4 8 3 6 7
3 6 7 3
4 8
2
8
+ + + + + + + +
+ + + +
+ + + + + + + + + + =
+ + + + = + + + +
+ + + + + + + + = + + + +
+ + +
+ + + + +
+ + + + + + +
+ =
X X X X X X X X X
X X X X
X X X X X X X X X X
X X X X X X X X
X X X X X X X X X X X X
ignore X X
X X X X X X
X X X X X X
X X X 2 Example
1.3 GF(2
8
)
y. efficientl is ) 2 ( in operations that the see we summary, In
. 010001101 ) 1 is bit first the if , 1
subtract ( 100011011 110010110 110010110
) 0 a append and left shift ( 11001011 ) ( 1
is tion Multiplica
. 11010010
00011001 11001011 1 1
: bits the of
the is Addition . 11001011 becomes 1 example,
For . byte a represent bits 8 The . 1 or 0 is each where
,
polynomial a as uniquely d represente be can element
Every . example an as ) 1 ](mod [ Z ) GF(2 Use
8
3 4 8
3 6 7
4 6 7
3 4 3 6 7
3 6 7
0 1 2 3 4 5 6 7
0 1
2
2
3
3
4
4
5
5
6
6
7
7
3 4 8
2
8
GF
X
X X X XOR
X X X X X
X X X X
XOR X X X X X X
XOR X X X X
b b b b b b b b b
b X b X b X b X b X b X b X b
X X X X X
i
= +
+ + +
+ + + +
+ + +
= + + + + + + +
+ + + +
+ + + + + + +
+ + + + =


2 The Basic Algorithm
For simplicity, we restrict to 128 bits, and
firstly give a brief outline of the algorithm.
The algorithm consists of 10 rounds. Each
round has a round key, derived from the
original key. There is also a 0th round key
using the original of 128 bits. A round starts
with an input of 128 bits and produces an
output of 128 bits.
There a four basic step, called layers, that are
used to form the rounds:
(1) The ByteSub (SB) Transformation: This
non-linear layer is for resistance to
differential and linear cryptanalysis attacks.
(2) The ShiftRow (SR) Transformation: This
linear mixing step causes diffusion of the
bits over multiple rounds.
(3) The MixColumn (MC) Transformation:
This layer has a purpose similar to ShiftRow.
(4) AddRoundKey (ARK) Transformation:
The round key is XORed with the result of
the above layer.
A round is then
ByteSub ShiftRow MixColumn AddRoundKey
Rijndael Encryption
(1) ARK, using the 0th round key.
(2) Nine rounds of BS, SR, MC, ARK, using round
keys 1 to 9.
(3) A final round: BS, SR, ARK, using the 10th
round key.
# The final round omits Mixcolumn layer.
3 The Layers
inverse.
tive multiplica a has element Each y. certain wa a in multiplied be also
They . by added can They bytes. by d represente be can ) (2 of
elements The . 1 is Rijndeal for choice The 8. degree
of polynomial e irreducibl of choice a on depends ) (2 of model
The ). (2 field finite the work with to need ll we' following, In the
.
matrix 4 4 int arranged are and
, , , , , , , ,
them call each, bits 8 of bytes 16 into grouped are bits input 128 The
8
3 4 8
8
8
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 1 , 1 1 , 0 0 , 3 0 , 2 0 , 1 0 , 0
XOR GF
X X X X
GF
GF
a a a a
a a a a
a a a a
a a a a
a a a a a a a
+ + + +
(
(
(
(
(

3.1 The ByteSub Transformation
22 187 84 176 15 45 153 65 104 66 230 191 13 137 161 140
223 40 85 206 233 135 30 155 148 142 217 105 17 152 248 225
158 29 193 134 185 87 53 97 14 246 3 72 102 181 62 112
138 139 189 75 116 221 232 198 180 166 28 46 37 120 186
8 174 122 101 234 244 86 108 169 78 213 141 109 55 200 231
121 228 149 145 98 172 211 194 92 36 6 73 10 58 50 224
219 11 94 222 20 184 238 70 136 144 42 34 220 79 129 96
115 25 93 100 126 167 196 23 68 151 95 236 19 12 205
210 243 255 16 33 218 182 188 245 56 157 146 143 64 163 81
168 159 69 80 127 2 249 69 133 51 77 67 251 170 239 208
207 88 76 74 57 190 203 106 91 177 252 32 237 0 209 83
132 47 227 41 179 214 59 82 160 90 110 27 26 44 131 9
117 178 39 235 226 128 18 7 154 5 150 24 195 35 199 4
21 49 216 113 241 229 165 52 204 247 63 54 38 147 253 183
192 114 164 156 175 162 212 173 240 71 89 250 125 201 130 202
118 171 215 254 43 103 1 48 197 111 107 242 123 119 124 99
16) (16 Box S
31
61

3.1 The ByteSub Transformation (Continued)
.
bytes. of matrix 4 4 a again is ByteSub of output The
binary. in 111101 is which 61, is entry The 12. column
and 9 row in look we 10001011, is byte input the
if example, For column. and row in the
entry for the Look . : bits 8 as byte a Wirte
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
(
(
(
(
(

(
(
(
(
(

b b b b
b b b b
b b b b
b b b b
a a a a
a a a a
a a a a
a a a a
ef gh abcd
abcdef gh
3.2 The ShiftRow Transformation
.
obtain to 3, and 0,1,2, of offsets by left the to
cyclically shifted are matrix the of rows four The
2 , 3 1 , 3 0 , 3 3 , 3
1 , 2 0 , 2 3 , 2 2 , 2
0 , 1 3 , 1 2 , 1 1 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
(
(
(
(
(

=
(
(
(
(
(

b b b b
b b b b
b b b b
b b b b
c c c c
c c c c
c c c c
c c c c
3.3 The MixColumn Transformation
.

00000010 00000001 00000001 00000011
00000011 00000010 00000001 00000001
00000001 00000011 00000010 00000001
00000001 00000001 00000011 00000010
: follows as ), ( output the produce to ), (2 in entries
again with matrix, a by his Multiply t ). (2 in entries
with ) ( matrix 4 4 a is step ShiftRow the of output The
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
,
8
8
,
(
(
(
(
(

=
(
(
(
(
(

(
(
(
(

d d d d
d d d d
d d d d
d d d d
c c c c
c c c c
c c c c
c c c c
d GF
GF
c
j i
j i
3.4 The RoundKey Addition

.

: step
MixColumn in the ) ( output with the XORed is This bytes. of
consisting ) ( matrix 4 4 a in arranged are which bits, 128
of consists key original the from derived key, round The
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
3 , 3 2 , 3 1 , 3 0 , 3
3 , 2 2 , 2 1 , 2 0 , 2
3 , 1 2 , 1 1 , 1 0 , 1
3 , 0 2 , 0 1 , 0 0 , 0
,
,
(
(
(
(
(

=
(
(
(
(
(

(
(
(
(
(

e e e e
e e e e
e e e e
e e e e
k k k k
k k k k
k k k k
k k k k
d d d d
d d d d
d d d d
d d d d
d
k
j i
j i
3.5 The Key Schedule

3). (4 2), (4 1), (4
), (4 columns the of consists round th for the key round The
)). 1 ( (
) 10 (
. ) 1 ( Let
). 1 ( of ation transform the is )) 1 ( ( where )), 1 ( (
) 4 ( ) ( then , | 4 If ). 1 ( ) 4 ( ) ( then
, | 4 If y. recursivel generated are columns new The (3). (2),
(1), (0), colums four first the Label bytes. of matrix 4 4 a
into generated are which bits, 128 of consists key original The
4 / ) 4 (
+ + +
=
(
(
(
(
(

(
(
(
(

(
(
(
(

(
(
(
(

(
(
(
(

=

= =
/

i W i W i W
i W i
i W T
h
g
f
e
h
g
f
e
a
d
c
b
d
c
b
a
d
c
b
a
i W
i W i W T i W T
i W i W i i W i W i W
i W W
W W
i
box S
3.6 The Construction of the S-Box
.
0
1
1
0
0
0
1
1
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
by compute be can box - S in the of entry
The 0000000. 0 is 0000000 0 byte the of inverse the Suppose .
by d represente be can ) (2 in byte
the of inverse The n. descriptio al mathematic simple a has box - S The
7
6
5
4
3
2
1
0
7
6
5
4
3
2
1
0
0 1 2 3 4 5 6 7
0 1 2
3 4 5 6 7
8
0 1 2 3 4 5 6 7
(
(
(
(
(
(
(
(
(
(
(

=
(
(
(
(
(
(
(
(
(
(
(

+
(
(
(
(
(
(
(
(
(
(
(

(
(
(
(
(
(
(
(
(
(
(

z
z
z
z
z
z
z
z
y
y
y
y
y
y
y
y
x x x x x x x x
y y y
y y y y y GF x x x x x x x x
3.6 The Construction of the S-Box (Continued)
31. entry obtian the also We box. - S in the 12 1 1011 column the and
13 1 100 1 row check the We 31. 00011111 byte the yield This
.
0
0
0
1
1
1
1
1
0
1
1
0
0
0
1
1
0
0
0
0
0
1
0
0
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
calculate We
. 00000100 is ) (2 in 1001011 1 byte the of inverse The
8
= +
= + =
(
(
(
(
(
(
(
(
(
(
(

=
(
(
(
(
(
(
(
(
(
(
(

+
(
(
(
(
(
(
(
(
(
(
(

(
(
(
(
(
(
(
(
(
(
(

GF 3 Example
4 Decryption
Each of the steps ByteSub, ShiftRow,
MixColumn, and AddRoundKey is invertible:
(1) The inverse of ByteSub is another lookup
table, called InvByteSub (IBS).
(2) The inverse of ShiftRow is obtained by
shifting the rows to the right instead of to the
left, yielding InvShiftRow (ISR).
(3) The transformation InvMixColumn (IMC)
is given by multiplication by the matrix





(4) AddRoundKey is its own inverse.
.
00001110 00001001 00001101 00001011
00001011 00001110 00001001 00001101
00001101 00001011 00001110 00001001
00001001 00001101 00001011 00001110
(
(
(
(

IMC". and ARK " replace to IARK" and IMC " use can We ). ( with XORing be
dKey(IARK) InvAddRoun Let IMC. is arrow first The ). ( ) ( ) ( where
), ( ) ( ) ( ) ( ) ( ) (
is process the , ) ( ) ( ) ( ) ( ) ) ( ) ( (
) ( ) ( Since ). ( ) )( ( ) ( solving by obtained is inverse The
). ( ) )( ( ) ( ) )( ( ) (
as gave is ) (
matrix a ARK to then and MC Applying reversed. be can IBS and ISR of oder the
Clearly, . encryption as structure same the achieve to decryption the rewrite can We
ARK.
IBS ISR, IMC, ARK,
IBS ISR, IMC, ARK,
IBS ISR, ARK,

ARK. SR, BS,
ARK MC, SR, BS,
ARK MC, SR, BS,
ARK
decryption Rijndael encryption Rijndael
Therefore,
,
,
1
, ,
, ,
1
, ,
1
, ,
,
1
, ,
1
, , ,
1
, , , , , ,
, , , , , , ,
,
j i
j i j i j i
j i j i j i j i j i j i
j i j i j i j i j i j i
j i j i j i j i j i j i
j i j i j i j i j i j i j i
j i
k
k m k
k e m e m e
k m e m k e
m c k c m e
k c m e c m c
c
'
=
'
'

=
= =
=

ARK.
ISR IBS, IARK, IMC,
ISR IBS, IARK, IMC,
ISR IBS, ARK,
decryption Rijndael
by given is decryption the Now,

Rijndael Decryption
(1) ARK, using the 10th round key.
(2) Nine rounds of IBS, ISR, IMC, IARK, using round
keys 9 to 1.
(3) A final round: IBS, ISR, ARK, using the 0th round
key.
# To keep the perfect structure, the MC is omitted
in the last round of the encryption.
5 Design Consideration
(1) The fact that encryption and decryption
are not identical processes leads to the
expectation that there are no weak keys, in
contrast to DES.
(2) Unlike the Feistel system, all bits are
treat uniformly. This has effect of diffusing
the input bits faster. It can be shown that
two rounds are sufficient to obtain full
diffusion.
(3) The S-box is constructed in an explicit
and simple algebraic way so as to avoid
the mysteries of trapdoors built into the
algorithm. It is excellent at resisting
differential and linear cryptanalysis, as
well as interpolation attacks.
(4) The SR step is added to resist
truncated differentials and square attack.
(5) The MC causes diffusion among the
bytes.
(6) The ARK involves nonlinear mixing of
the key bits. The mixing is designed to
resist the known part key attack. The round
constants are used to eliminate symmetries.
(7) The number of rounds was chosen to be
10 because there are attacks that are better
than brute force up to seven rounds in 2004.
No known attack beats brute force for seven
or more rounds. It was felt that three extra
rounds provide a large enough margin of
safety.
6 Implementation Concerns
We have seen that the Rijndael internal
functions are very simple and operate in
trivially small algebraic spaces. As a result,
implementations of these internal functions
can be done with extremely good efficiency.
From our descriptions of the Rijndael internal
functions, SB/ISB and MC/IMC are worthy of
fast implementation considerations.
(1) For SB/ISB, we suggest to use the "S-box
lookup" method: a small S-box with 2
8
= 256
pairs of bytes can be built once and used
forever (i.e., the table can be "hardwired" into
hardware or software implementations). The "
S-box lookup" method not only is efficient,
but also prevents a timing analysis attack
which is based on observing the operation
time difference for different data which may
suggest whether an operation is performed on
bit 0 or bit 1.
(2) In MC, multiplication between elements in
GF(2
8
) can also be realized via a "table
lookup" method: z = xy (field multiplication)
where x e {01, 10, 11} and yeGF(2
8
). Further
notice that the byte 01 is simply the
multiplicative identity in the field, i.e., 01y = y.
Thus, implementation (either in software or
hardware) of this multiplication table only
needs 2256=512 entries. This small table is
not much larger than one which every primary
school pupil has to recite. This realization not
only is fast, but also decreases the risk of the
timing analysis attack.
(3) IMC is not quite as fast as MC. This is
because the entries in the 44 matrix for
IMC are more complex than those for MC,
and 30% longer than encryption for these
processors. However, in some applications,
decryption is not needed.
7 Positive Impact of the AES
(1) Multiple encryption, such as triple-DES,
will become unnecessary with the AES.
Since multiple encryption uses a plural
number of keys, the avoidance of using
multiple encryption will mean a reduction
on the number of cryptographic keys that
an application has to manage, and hence
will simplify the design of security
protocols and systems.
(2) Wide use of the AES will lead to the
emergence of new hash functions of compatible
security strengths. In several ways, block cipher
encryption algorithms are closely related to hash
functions. It has been a standard practice that
block cipher encryption algorithms are often used
to play the role of one-way hash functions. The
logging-in authentication protocol of the UNIX
operating system is a well-known example. We
have seen a typical "one-way transformation"
usage of the DES function in the realization of the
UNIX password scheme. Another example is to
use block cipher encryption algorithms to realize
(keyed) one-way hash functions.
(3) As in the case that the DES's standard
position had attracted much cryptanalysis
attention trying to break the algorithm, and
that these efforts have contributed to the
advance of knowledge in block cipher
cryptanalysis, the AES as the new block
cipher standard will also give rise to a new
resurgence of high research interest in block
cipher cryptanalysis which will certainly
further advance the knowledge in the area.
8 Modes of Operation
Usually, the long message is divided into a series of
sequentially listed message blocks, and the cipher
processes these blocks one at a time. A number of
different modes of operation have been devised on
top of an underlying block cipher algorithm. These
modes of operation provide several desirable
properties to the ciphertext blocks, such as adding
non-determinism (randomness) to a block cipher
algorithm, padding plaintext messages to an
arbitrary length, control of error propagation,
generation of key stream for a stream cipher, etc.
8.1 Electronic Codebook (ECB)
only. block that of nt decipherme affect block
ciphertext single a in errors bit more or one : n propagatio Error (3)
blocks. plaintext ordered - re
ingly correspond in results blocks ciphertext Reordering blocks. other
of tly independen enciphered are blocks : es dependenci Chaining (2)
. ciphertext
identical in result key) same (under the blocks plaintext Identical (1)
: operation of mode ECB the of Properties
. key the using of encryption the is ) ( where
] , , , [
is ciphertext
the and ] , , , [ chunks smaller into broken is plaintext The
2 1
2 1
K P P E C
C C C C
P P P P P
j j K j
L
L
=
=
=

8.1 Electronic Codebook (ECB) (Continued)

block.
each in bits padding random of inclusion by somewhat
improved be may Security message. block - one single
a than more for reused are keys if or block, one than
longer messages for d recommende not is mode ECB the
reason, For this blocks. plaintext identical imply blocks
ciphertext identical - patterns data hide not do ciphers
block e, Furthermor blocks. adjacent of decryption
affect the not does block) occurring frequently a of
insertion (e.g., blocks ECB of on substituti malicious
t, independen are blocks ciphertext Since Comment.
8.2 Cipher Block Chaining (CBC)
function.
decryption the is where and value initial chosen some is where
, ) ( ), (
as specified operation of mode (CBC) chaining block - cipher The
0
1 1
K
j j K j j j K j
D C
C C D P C P E C

= =
C
0
P
1
E
K
C
1
P
2
E
K
C
2

8.2 Cipher Block Chaining (CBC) (Continued)
. to decrypted correctly is , not but block in occurs blocks)
entire more or one of loss (including error an if that sense in the autokey
ciphertext or ing synchroniz - self is mode CBC the : recovery Error (4)
. and blocks of nt decipherme
affects block ciphertext in error bit single a : n propagatio Error (3)
block. ciphertext
preceding correct a requires block ciphertext correct a of decryption
Proper . decryption affects blocks ciphertext of order the g rearrangin
ly, Consequent blocks. plaintext preceding all and on depend to
ciphertext causes mechanism chaining the : es dependenci Chaining (2)
. ciphertext different in results field) random or counter
a using (e.g., block plaintext first Changing . enciphered is plaintext
same n the result whe blocks ciphertext identical : plaintexts Identical (1)
operation of mode CBC the of Properties
2 1 1
1
j+ j+ j+ j
j+ j
j
j j
P C C C
C C
C
P C
8.3 Cipher Feedback (CFB)
. || || || and register bit - 64
the from d disappeare has initial the round, 8th the of end By the #
. || ) ( )) ( (
Procedure Decryption
ion. concatenat the denotes || and , of bits rightmost 56 the
denotes ) ( , of bits leftmost 8 the denotes ) ( where
, || ) ( )) ( (
: performed is following
the , 1,2,3, for Then chosen. is bit - bit 64 initial An
Procedure Encryption
. operations following the
has mode CFB The bits. 64 n rather tha bits, 8 has each where
], , , , [ : pieces bit - 8 into broken is plaintext The
8 2 1 9
56 1 8
56 8
56 1 8
1
8 2 1
C C C X
C X R X X E L C P
Y X X
X R X X L
C X R X X E L P C
j X
P
P P P P
j j j j K j j
j j j j K j j
j

=
= =
= =
=
=
+
+
8.3 Cipher Feedback (CFB) (Continued)
blocks. ciphertext
8 next the and that of nt decipherme the affects block ciphertext
single any in errors bit more or one : n propagatio Error (3)
correct.
be to blocks ciphertext 8 preceding the requires block ciphertext
correct a of decryption Proper . decryption affects blocks
ciphertext ordering - re ly, Consequent blocks. plaintext preceding
and both on depend to block ciphertext causes mechanism
chaining the , encryption CBC similar to : es dependenci Chaining (2)
secret. be not need
The output. different a to enciphered being input plaintext
same in the results the changing : plaintexts Identical (1)
operation of mode CFB the of Properties
1
1
j
j j
C
P C
X
X
8.3 Cipher Feedback (CFB) (Continued)
used. be should mode CBC the instead,
algorithm; key - public a is cipher block the if used be not
must mode CFB the , decryption and encryption CFB both
for used is function encryption the Since
output. ciphertext of bits
8 only yields of execution each in that CBC) (vs. 64/8
of factor a by decreased is t throughpu : Throughput (5)
recover. to
) bits (64 blocks ciphertext 8 requires but CBC, similar to
ing synchroniz - self is mode CFB the : recovery Error (4)
E
E
E
Comment.
9 Message Authentication Code
Definition 1 A message authentication code
(MAC) algorithm is a family of functions h
k

parameterized by a secret key k, with the
following properties:
(1) Ease of computation: for a known function
h
k
, given a value k and an input x, h
k
(x) is easy
to compute. This result is called the MAC-value
or MAC.
(2) Compression: h
k
maps an input x of arbitrary
finite bit length to an output h
k
(x) of fixed bit
length n. Furthermore, given a description of
the function family h, for every fixed allowable
value of k (unknown to an adversary), the
following property holds:
(3) Computation-resistance: given zero or more
text-MAC pairs (x
i
, h
k
(x
i
)), it is computationally
infeasible to compute any text-MAC pair (x,
h
k
(x)) for any new input x = x
i
(including
possibly for h
k
(x)=h
k
(x
i
) for some i).

9.1 Objectives of Adversaries vs. MAC
The goal: without prior knowledge of a key k,
compute a new text-MAC pair (x, h
k
(x)) for some
text x=x
i
, given one or more pairs (x
i
, h
k
(x
i
)).
The potential abilities of the adversaries:
(1) Known-text attack.
(2) Chosen-text attack: one or more text-MAC
pairs (x
i
, h
k
(x
i
)) are available for x
i
chosen by the
adversary.
(3) Adaptive chosen-text attack: now allowing
successive choices to be based on the results of
prior queries.
9.2 Types of Forgery
The severity of the practical consequences
may differ depending on the degree of control
an adversary has over the value x for which a
MAC may be forged.
(1) Selective forgery: attacks whereby an
adversary is able to produce a new text-MAC
pair for a text of his choice (or perhaps
partially under his control).
(2) Existential forgery: attacks whereby an
adversary is able to produce a new text-MAC
pair, but with no control over the value of that
text.
9.3 Case Study CBC-Based MAC
. block bit - the is MAC The . Completion (3)
). (
, : compute optionally , key secret second a
Using MAC. of strength increase to process Optional (2)
. 2 ), ( ); (
: follows as block the Compute . processing CBC (1)
: steps following
the performs algorithm MAC - CBC The . of length
block the is where ], , , , [ blocks bit -
into broken is message The cipher. block a be Let
1 1 1
2 1
t
t K t
t K t
i i K i K
t
K
t
K
H n
H E H
) (H D H K K
t i M H E H M E H
H
E
n M M M M n
M E
'
=
=
'
=
'
s s = =
=
'

9.3 Case Study CBC-Based MAC (Continued)

M
1
0
E
K
H
1
M
2
E
K
H
2

H
t1

M
t
E
K
H
t
E
K
D
K'
H
t
optional
9.3 Case Study CBC-Based MAC (Continued)
Comment.
(1) It is obvious that the computation for
creating a CBC-MAC involves noninvertible
data compression (in essence, a CBC-MAC is a
'short digest' of the whole message), and so a
CBC-MAC is a one-way transformation.
(2) The mixing-transformation property of the
underlying block cipher adds a hash feature to
this one-way transformation (i.e., distributes a
MAC over the MAC space as uniform as the
underlying block cipher should do over its
ciphertext message space).
(3) We can assume that in order to create a
valid CBC-MAC, a principal actually has
to be in possession of the key K for the
underlying block cipher algorithm. The
receiver who shares the key K with the
transmitter should recalculate the MAC
from the received message and check that
it agrees with the version received. If so,
the message can be believed to have come
from the claimed transmitter.
Thank You !