Lecture 8: Advanced Encryption Standard (AES) by Christof Paar
HTML-код
- Опубликовано: 26 авг 2024
- For slides, a problem set and more on learning cryptography, visit www.crypto-textbook.com.
The AES book chapter for this video is also available at the web site (click Sample Chapter).
Lecture outline: 0:01
History/Intro to AES: 2:00
Structure of AES: 18:10
Internals: Layers 32:25
---- Each layer in detail -----
SubBytes - 52:12
ShiftRows - 1:15:45
MixCol - 1:22:40
Doesn't seem to go into the round key add step in that very much detail, though.
I'm pretty sure the Add Round Key step is just XORing the Round SubKey with the State, nothing too complicated.
The 'Add' doesn't refer to making/generating a new Round Key but adding the round key to the state.
Thank you!
not all heroes wear capes!!
and there is no decryption...
@@fatihsonmez it's just everything in reverse
Your accent makes this 1000000x more entertaining.
Hello, honestly say, your lecture is much, much better than my university two months lecture just about this AES stuffs. You're awesome. Clear. Exact. Specific. Understandable. I like when you said "Please silent to your students." Hopefully, you will get your good work blessed. ;)
Professor Paar,
I would like to thank you for providing this series of fantastic lectures. Your teaching inspired me to purchase the book which has only heightened my interested in the subject.
Lastly, I have to say that after about 2 hours of research and reading many different explanations that I found on-line, I finally figured out the "affine transformation"...that is pretty brutal without any real guidance.
Again, thanks ....you are really good at what you do.
Professors who care about notes making are the best!
This course is really helpfull i own the book, while i'm doing criptography in the Universidad Catolica del Norte, and this videos are extremely helpful, i really hope you can do a video with the key schedule and the decryption for AES, its very easy to understand the way you teach this.
Funny he keeps reminder the class... I would never fall asleep. Every hour with Professor Paar saves at least 10 hours of self-study.
Truly awesome, very deep coverage on AES.
I know absolutely nothing about any encryption, yet I watched the whole lecture. I don't know anymore now then I did before. Lol
What an amazing lecture deleivered by Sir Christof.
I enjoyed the lecture
Really, you are a very good lecturer. your discussion is very interesting , simple and attractive. Thanks.
1:08:51 ,Herr Paar: "yeah this is wrong. this is wrong. this is wrong. this is all wrong..."
Me(having just finished writing everything down): NOOOOOOOO! you have got to be kidding me😭😭😭
Anyways, thank you sooo much for these lectures, absolutely fascinating. It's one of the only truly understandable courses on internet for lower-level students. Incredible, I also bought the book!!!
Professor Paar, s there any chance of you recording the continuation of this course? You are the best teacher I found on crypto!
This video series is fantastic! I'm taking crypto and it's following basically this exact trajectory. Shame about those chatty cathy's in the audience
Vielen Dank für die tollen Vorlesungen! Fantastisch zu schauen :)
Why does it say in other places that the MixColumns multiplication uses modulo x^4+1 rather than what you've said here - modulo x^8+x^4+x^3+x+1 ???
Excellent lecture! I watched your galois field lecture in 2016 or so when I was doing a presentation on error correction codes and had this AES lecture on my watch later list. Finally got around to it and enjoyed it!
Professor Paar, I just love you !
thank you very much "Christof Paar" you are really explained very easy and pro way.
The motivation that you gives me a lot of motivation and also an idea that made me to get involved.
Dear Professor, You have not discuss decryption and key schedule (I mean the way you done for DES) I hope we can see some video too. Thank you so much for such an interesting lecture.
I love these and thank you for sharing them. I will say I disagree about the statement at 17:25 though about AES being generally secure because the agencies use it. What was later found since this time period was that AES has this property where some keys are strong and others are weak. There were certain attacks possible with poorly chosen keys and of course the NSA requires their own use of AES to get keys provided from a central key authority within the NSA. This key authority then only provides strong keys for their internal use and if laymen use AES they lack the knowledge of how to select these extra strong keys. Now that future attacks such as Invariant Subspace were discovered we can see how clever this was.
So the statement at 17:25 I highly disagree with and we learned that this kind of logic fails with new side-channel and mathematical attacks. The simple use of an algorithm by the government means nothing unless you also can use their key selection processes. They are willing to bless subpar implementations and utilize those weaknesses against others while shielding themselves.
Otherwise excellent lecture.
Thank you sir for your explanation! It helps a lot. Can you explain about Key schedule?
It might be a dumb question, but I wonder: If you enter the same plaintext with the same key in an AES, you always get the same cyphertext, right? Then would it be possible to make a block cypher which always give different cyphertexts even if the plaintext and the key stay the same? Would such a cypher be decrypteable by Bob?
Thanks again for the amazing lectures! You're so clear that even a total newbie like me can understand (I think)
+Elitios Excellent comment. What you describe is known as "probabilistic encryption". In many modern security protocols it is recommended to use block ciphers in this way. This can be achieved by using a "mode of operation" that is probabilistic, i.e., which requires as input not only plaintext and the key, but also a random value. The random value is transmitted in clear to Bob so that he can decrypt. Please have a look at my Lecture 9 where I talk about this a bit. regards, christof
You can skip the history bit by going to 18:20
Thank you very much for these lectures, they are making my life much easier
Thank you for this Video Lecture Pr. Christof Paar. Very helpful as a I am a Student in NYC.
that was a better lecture i found than others .. i found it very beneficial and detailed thank you very much
Professor u didn't do the last topic so where can I find the decryption part, it's really important to me Professor, as I am not in any University, your lectures are my only way to learn
addictive course to someone new to cryptography..
Q: Where does all that sexy Extension Field stuff from last lecture come into play?
A: In the S-boxes 59:00
Thank you for the video, but a few questions if you don't mind.
i) How to you find the inverse of a hex number; we were given A = C2 with inv B' = 2F but I should like to know how we work this out.
ii) in the affine mapping we have the matrix constant, reading down the rows of the matrix (in hex) we have 8F, C7, E3, F1 and then each one reversed (so to speak) F8, 7C, 3E and 1F. All I can see here is that each row includes five 1s and three 0s, but what is the thinking behind this choice? Could we move them, or change them, without loss of security?
iii) lastly, a similar question to (ii), what is the reason behind the choice of the vector constant? Could it be any vector constant?
Your answers would be very helpful and much appreciated. I have tried to find the answers online but to no avail...
My thanks in advance...
+7x34hj The first answer is firm, number ii) and iii) less so:
i) You have to compute the multiplicative inverse in the Galois field GF(2^8). Please have a look at Lecture 7 and Table 4.2 of our texbook, Understanding Cryptography. Chapter 4 of the textbook is available on our companion website, www.crypto-textbook.com
ii + iii) Roughly speaking, the affine mapping assures that the S-Box cannot described mathematically as only a Galois field inversion, i.e., we have to combine GF-inversion with some other operation which is NOT defined in Galois fields. I assume it is safer to use a matrix with many 1 entries. The same goes for the additive vector. At the same time, I assume there are other matrices and vectors that would work here. For more information, I recommend the book "Algebraic Aspects of the Advanced Encryption Standard"
regards, christof
+Introduction to Cryptography by Christof Paar Thank you for such a quick reply. I have looked at lecture 7 and I have the book but (forgive me) I am still unaware. I know the inverse of C2 is 2F (from the book) but I want to work it out. I set 194 (i.e. C2 in denary) equal to 1mod283 (the polynomial in denary). My answer after doing the Eu. Alg extended is 124x194 - 85x283 = 1. This seems to work but 124 is NOT 2F when converted back into hex. I have also tried setting A(x)B(x) = 1 modP(x) with A(x) = x^7 + x^6 + x and P(x) = x^8 + x^4 + x^3 + x + 1. Applying the E. Alg is fine (I finish with a remainder of 1) but when I try the extended algorithm to find B(x) things get rather 'messy'. Is there a 'fully worked' example that shows the process of finding the hex inverses in GF(2^8)? My apologies for bothering you again with (perhaps) a daft question, but it is something I should really like to learn. Thank you, once again.
+7x34hj I know where your problem is. ALL ARITHMETIC MUST BE DONE WITH POLNYOMIALS IN THE GALOIS FIELD GF(2^8) (sorry for the caps :)) That means you can NOT do integer arithmetic. Rather, you have to perform the extended Eucl. Alg. with polynomials. The input to the EEA would be x^7 + x^6 + x ("C2") and P(x). The EEA should then compute a gcd of 1 and the inverse as x^5+x^3+x^2+x+^("2F"). Sorry, but we do not show the EEA with polynomials in the book. It works completely the same way as the EEA with integers, though. cheers, christof
Introduction to Cryptography by Christof Paar Thank you. Actually I also tried that but I did not get the inverse. Perhaps I am making a blunder in my calculations; I'll try again!
Wirklich klasse! Mich hätten ein paar mehr Hintergrundinfos zum Design von AES interessiert. Ich weiss nun genau, wie es funktionniert, aber verschiedene Design-Entscheidungen (warum 10 Runden, und nicht 9 oder 11?) erscheinen weiterhin willkürlich. Sehr gut fand ich z.B. den Exkurs über die Diffusion.. Es kann natürlich sein, dass die Hintergründe einfach zu kompliziert für eine 90 minütige Vorlesung sind.
sorry, but i couldn't really catch your last sentence, where would decryption be done? (:
In case it still matters: In the "Übung", the exercise class.
Professor is there any explanation for key expansion for AES available.
I do need the same
thank you good sir, great lecture very helpful.
Great explanation! Great accent! Loving the videos! Thank you!!
-From California :)
still i am having doubt in s-box functionality...
Some silliness...
AES-Variant 1 : Double-AES with a twist ...
*Init :* Let Key2 = SHA1 of (Key1 XORed with previous blocks plaintext)
*Round 1 :* Perform AES with Key1
*Do the twist ...*
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
Rotate both bitfields clockwise 90 degrees
*Round 2 :* Perform AES with Key 2
AES-Variant 2 : AES-512/infested
*Init :* Let Key1 and Key2 be halves of the 512bit key
Then, For block 0...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* _(do nothing, yet)_
*Round 2:* Perform AES-256 with Key2
Use the first 128 bytes of sent plaintext (Block 0) as a random IV ... for both sides to define the positions and states of 16 Langton Ants. 8 in each 8x8 field. These first bytes are sunk by the receiving side, thus never make it out of the decoder. Actual message passing will begin in block 1.
Now, for all subsequent blocks ...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* with 8 ants in each 8x8 bitfield, let them wander 'n' times corrupting the field. (++ see note)
*Round 2:* Perform AES-256 with Key2
Actual messages begin from Block1, once Ants are active
(++ Important Note) In this system, the langtons ants live in the stored bitfield of the previous block, but duplicate their bit-flipping to the bitfield of the current block. This prevents the ants from permutating data in a way that the the recipient cannot know _(thus avoiding a one-way function)._ By using the previous round as the langtons playground, and duplicating their bit-flipping antics in the current bitfield, both sides ants can remain synchronised using data both sides already know.
Neither of these are actual security algorithms, but they're fun : ) I doubt either scheme weakens AES - but then, I'm not a cryptographer... so, y'know... don't trust 'em, they might cause some unknown weakness compared to regular AES. Especially the first one. The second one, though, I have a lot of faith in ; )
But neither of these are serious proposals...
... I'm just a guy who dreams up weird code when he's drunk... oh, and has a peculiar fascination for Langtons Ants : )
Intro to AES 2:00
Structure of AES 18:10
Internals of AES 32:25
Great Lecturer Series,,,, Keep the good work Going
how do you get B' ? Oh, got it. It is the inverse of A^(-1)=B', such
that AxB'=1. And B' to be computed using Euclidean Algoth. Once B' is
found B can be computed, and actually it is on that table from the book,
right?
Great lecture! Got a bit lost around the SBOX explaination part
Thanks for the explanation, Sir. It really helped me to understand the AES concept.
1:14:50 "this is really complicated in a very clear mathematical way" :D
very nice and helpful :) thank you for all ur lectures...they are very enlightening and make the topics so easily understandable compared to the complex chapters in the cryptography books
INDIAn
thank you very much professor... this lecture helped me a lot to complete my project...
Great Lecturer series. thank you
so simple, easy to understand and interesting lectures. one thing that didnt get is that in which university it is recorded it looks like american but the lecturer is talking in german too.
I teach at Ruhr University Bochum, a large university in North-Western Germany. The lecture is in English (as opposed to German) because we always have several foreign exchange students who often speak only English.
I commented after watching the previous video.In this video i can see ruhr university written. Thank you very much for uploading the video it helped me alot.
Awesome explanation, thank you!
Keep up the good work, sir.
Hello Prof Paar
It is my understanding that for any (existing) block cipher or mode that the cipher test key and therefore the round keys are exactly the same for each block that is processed by the block cipher. Is that correct?
Second part of the question: If that is correct what does that say to the relative strengths of block vs stream ciphers where (in stream ciphers) the key is always being expanded by a CSPRNG with an extremely low predictability factor
Thank you for this course
Steve
Awesome! Thanks for sharing this lecture!
Sir. I would like to know about the fixed matrix of affine transformation for S-box construction in AES, What is the logic behind that matrix?
Mix Columns in AES
Would someone please explain how the number of XOR gates are 3 and 11 respectively for the following:
Number of XOR gates needed for constant 02 multiplication in GF(2 power 8) is 3
Number of XOR gates needed for constant 03 multiplication in GF(2 power 8) is 11
Beautiful teaching... there is ans for every "why?"
awesome lecture
Thank you Sir for such an amazing Lecture Series .
Great lecture, thanks a lot.
why is the number of rounds required for aes 128 bit algorithm equal to 10?is there any formula for it?
Well done lecture. Enjoyed it.
What would be the case if the input byte has no inverse, which would be the case if the input byte is the same as the mod polynomial? the remainder would be Zero.
Could you please provide the information regarding the confidentiality and integrity algorithms EEA3 and EIA3 or ZUC?
Can anyone tell me where can I find a book that has to do with C# and encryption
: something like this " Encryption Programming in C# " sorry for my bad english
Waiting for the Decryption part. Although I know it, continuity is the reason I'm asking for it.
Both Key Schedule generation and Decryption are missing. I believe they were covered during the Lab which may not have been recorded unfortunately.
Zach Miller
Sorry, there is not lecture about key schedule and decryption. I always assigned those as homework :) Chapter 4 (AES) of our book can be downloaded for free at www.crypto-textbook.com (click Sample Chapters). I would recommend that you have a look at it there, key schedule and decryption are not that complicated once you've worked through encryption. Cheers, christof
Someguy tell me one time AES 256 is uncrackeable just cant, nobody can crack AES 256 even quantum pc
+jorge cabrera Just for balance, know that implementation matters: hardwear.io/wp-content/uploads/2015/10/got-HW-crypto-slides_hardwear_gunnar-christian.pdf Then there are BlackHat conference results where the key or plaintext data are leaked by just keeping a user session uninterrupted (avoiding ACPI S4 sleep or greater, which would have the user re-authenticate.) Looking forward to drives and drive service updates of 2016.
Much love to you sir! Very clear explanation! Love you!
Please don't talk, but sleep..
Sir In 1.10.50 why the inverse of Ai (1100 0010) is Bi(0010 1111)? Should't be Bi = (0011 1101)? I mean for example a bit 1 in Ai become 0 in Bi?
how to find the a inverse if anyone had got it please explain i am stuck
This course is from 2010 but I'm in 2019 is there anything that has changed in cryptography in the past decade or is this course enough
I'm not seeing discussion of "Key Addition".
Very well explain sir thak you sir
sir ,can u explain me how u caluculated inverse substitution layer
Hello Professor,
I have a question on key length. As per AES, it can be 128, 192 or 256 bits. What would be the deciding factor to choose the key length?
And w.r.t cost i assume 192 and 256 key lengths cost more. Am i right?
AES-128 has 10 rounds, AES-192 has 12 rounds and AES-256 has 14 rounds. The only "cost" that we have is the increased runtime if you choose 192 or 256 bit compared to 128 bits. Please not that AES runs very fast on modern CPUs and it really depends on your application whether the AES performance is a limiting factor.
Also, AES-128 is considered highly secure. The only realistic threat are large-scale quantum computers, which might or might not become available in 10-20 years. AES-256 is believed to be secure against quantum computers too.
cant easily understand substitution layer sir can u explain this more frequently
prof , there are no decryption part of aes!
Question: I might not be understanding this correctly but how does AES ensure that at the end of 14 rounds, it hasnt done enough bit flips that is now the original unencrypted byte?
Also thank you for this video.
It is HIGHLY unlikely that the ciphertext after 14 rounds will be identical to the original plaintext. A strong block cipher can be approximated as a so-called "random permutation". That means for every plaintext, each ciphertext has a probability of roughly 2^128. Thus, the chance that the ciphertext becomes the original plaintext is tiny, tiny, tiny, namely roughly 2^(-128). regards
buy the text book. It makes the lecture easier!
The most commonly used algorithm in the world is simple counter . :D for( x=0;x
I don’t understand how he went from Ai to Ai(x) in the example at 1:03:38
Good question. I try to explain this in the lecture: In the computer, this is a just a vector consisting of 8 bits. But you can also view that as polynomial with binary coefficients. And that's exactly what we do in AES: We view the 8 bits as a polynomial and do computations with it. -- I know it is a bit confusing :)
Thank you.
I'm confused. He says that you simply XOR the MixCol output with the key. This paper says that key addition is more involved than : engineering.purdue.edu/kak/compsec/NewLectures/Lecture8.pdf Does anyone know the reason for the discrepancy?
Never mind, he's just going through the first round.
easy to understand, thanks professor
thank u very much sir
is des hardware implementation actually use look up table?
No, in hardware, the S-boxes are usually implemented as with regular Boolean gates (AND, NAND, ...). There is a rich literature on how to minimize the gate count per S-box.
Sir you are the best
I believe this is the former life of Klaus from American Dad 😁
Thank you for this lecture.
hi sir thank u for the lecture sir it is very helpful..... but I want to know some disadvantage of aes and how can these disadvantages can be overcome but joining some other algorithm with this algorithm... can u respond to my question sir.....
+Meena Charming AES is the best block encryption currently, the key length can go up to 256 bits and this key is soo huge a brute force attack is not currently possible with todays technology. If it even came close, we could make triple AES but this would be very slow
Joshua of X thank u sir...... Currently iam doing my proj on aes algorithm.... Can i use geographical based protocol along wit aes algorithm??? Wil it give best result?????
Meena Charming Hello I am not the lecturer, I am also just a student. sorry I cannot help you with this question
+Joshua of X oh kk.... Anyways thank u joshua......
When does decryption start?
can any help me to ,how we are getting keys k0,k1,.........k14.What is the process involved in that.
These are just from the input that you have provided. eg.. if key is 128 bit like .. 1111000011001100.....(upto 128 bits) , here the first 8 bits 11110000 is your k0 .. and 11001100 is the k1 and so on ...
what about decryption??
Sorry, I don't have a video yet about decryption. However, I might video tape my AES decryption lecture and put it on RUclips.
More concretely: Please have a look at the companion website of our textbook, www.crypto-textbook.com. You'll see a link Sample Chapters where you can find the AES chapter (Chapter 4) of our book for download. The description of the decryption & key schedule should be helpful. cheers, christof
I aware of the fact that AES is more secure and stuff, but I've used DM5 in my school project coz it's simple to implement in java app.
Any thoughts on DM5 algorithm?
i dont really think there is an encryption named dm5.
Great lecture
This is really helpful!
Couldn't understand what he said about decryption at the very end. Is it explained in other video or simply left behind?
Sorry, We do not have a video on decryption. It was done in the "Übung", i.e., an additional help session which the students have every week. Again, I am sorry. But if you a look in our book, decryption is explained quite clearly using the same style as the lecture. regards, christof
Prof. could you please tell us the name of the book. Thanks
We use our textbook Understanding Cryptography, cf. www.cryptotextbook.com
Can any1 pls elaborate how to do matric multiplications of polynomials with example?
In mix columns
59:09: Microsoft: "Macro Warning"
Cyber Security Professor: "Should be fine."
Really good!! Thanks :D
super professor
This is taught in which course? Undergrad or post grad?
This is first-year course for our (popular) program "Bachelor in IT Security". There are between 150 freshman students in the class, plus some B.Sc. and M.Sc. computer science students.