SlideShare a Scribd company logo

4. The Advanced Encryption Standard (AES)

Sam Bowne
Sam Bowne

A lecture for a college course -- CNIT 140: Cryptography for Computer Networks at City College San Francisco Based on "Understanding Cryptography: A Textbook for Students and Practitioners" by Christof Paar, Jan Pelzl, and Bart Preneel, ISBN: 3642041000 Instructor: Sam Bowne More info: https://samsclass.info/141/141_F17.shtml

Education
1 of 31
Download to read offline
Understanding Cryptography by Christof Paar and JanPelzl www.crypto-textbook.com Chapter 4 – The Advanced Encryption Standard (AES) ver. October 28, 2009 These slides were prepared by Daehyun Strobel, Christof Paar and Jan Pelzl Modified by Sam Bowne
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl2 Some legal stuff (sorry): Terms of Use • The slides can used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl. • The title of the accompanying book “Understanding Cryptography” by Springer and the author’s names must remain on eachslide. • If the slides are modified, appropriate credits to the book authorsand the book title must remain within the slides. • It is not permitted to reproduce parts or all of the slides in printedform whatsoever without written consent by the authors.
Chapter 3 of Understanding Cryptography by Christof Paar and Jan Pelzl3 Contents of this Chapter • 4.1 Introduction • 4.2 Overview of the AES Algorithm • 4.3 Galois Fields (SKIP) • 4.4 Internal Structure of AES • 4.5 Decryption (SKIP) • 4.6 Implementation
4.1 Introduction
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl5 •AES is the most widely used symmetric ciphertoday •The algorithm for AES was chosen by the US National Institute of Standards and Technology (NIST) in a multi-year selection process • The requirements for all AES candidate submissions were: •Block cipher with 128-bit block size •Three supported key lengths: 128, 192 and 256 bit •Security relative to other submitted algorithms •Efficiency in software and hardware Some Basic Facts
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl6 •The need for a new block cipher announced by NIST in January, 1997 •15 candidates algorithms accepted in August, 1998 •5 finalists announced in August, 1999: •Mars – IBM Corporation •RC6 – RSA Laboratories •Rijndael – J. Daemen & V. Rijmen •Serpent – Eli Biham et al. •Twofish – B. Schneier etal. •In October 2000, Rijndael was chosen as the AES Chronology of AES Selection
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl7 •AES was formally approved as a US federal standard in November 2001 •In 1993, the NSA allows AES to encrypt classified documents •Up to SECRET for all key lengths •Up to TOP SECRET for 192 and 256-bit keys Chronology of AES Selection
4.2 Overview of the AES Algorithm
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl AES: Overview The number of rounds depends on the chosen key length: Key length (bits) Number of rounds 128 10 192 12 256 14 9
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl AES: Overview •Iterated cipher with 10/12/14 rounds •Each round consists of “Layers” •Unline DES, all 128 bits are encrypted in each round 10
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Three Layer Types •Key Addition Layer •A 128-bit round key (or subkey) •Derived from the main key in the key schedule •XORed to the state •Byte Substitution Layer (S-Box) •Nonlinear transformation using lookup tables •Introduces confusion to the data •(Obscures relationship between key and ciphertext) 11
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Three Layer Types •Diffusion Layer •Two sublayers: ShiftRows and MixColumn •(Makes sure that changing one plaintext bit affects many ciphertext bits) 12
Video: Link Ch 4a
4.4 Internal Structure of AES
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl16 Internal Structure of AES • AES is a byte-oriented cipher • The state A (i.e., the 128-bit data path) can be arranged in a 4x4 matrix: with A0,…, A15 denoting the 16-byte input of AES A0 A4 A8 A12 A1 A5 A9 A13 A2 A6 A10 A14 A3 A7 A11 A15
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Round function for rounds 1,2,…,nr-1: 17 • Note: In the last round, the MixColumn transformation is omitted Diffusion Layer Byte Substution Layer (S-Box) Key Addition Layer
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Byte Substitution Layer • The Byte Substitution layer consists of 16 S-Boxes with the following properties: The S-Boxes are • identical • the only nonlinear elements of AES, i.e., ByteSub(Ai) + ByteSub(Aj) ≠ ByteSub(Ai + Aj), for i,j = 0,…,15 • bijective, i.e., there exists a one-to-one mapping of input and output bytes S-Box can be uniquely reversed • In software implementations, the S-Box is usually realized as a lookup table 18
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl S-Box 19
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Diffusion Layer • provides diffusion over all input state bits • consists of two sublayers: • ShiftRows Sublayer: Permutation of the data on a byte level • MixColumn Sublayer: Matrix operation which combines (“mixes”) blocks of four bytes • performs a linear operation on state matrices A, B,i.e., DIFF(A) + DIFF(B) = DIFF(A + B) 20
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl ShiftRows Sublayer • Rows of the state matrix are shifted cyclically: Output matrix B0 B4 B8 B12 B1 B5 B9 B13 B2 B6 B10 B14 B3 B7 B11 B15 21 B0 B4 B8 B12 B5 B9 B13 B1 B10 B14 B2 B6 B15 B3 B7 B11 no shift ← one position left shift ← two positions left shift ← three positions left shift Input matrix
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl MixColumn Sublayer • Linear transformation which mixes each column of the state matrix • Each 4-byte column is considered as a vector and multiplied by a fixed 4x4 matrix, e.g., 22
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Addition Layer •Inputs: •16-byte state matrix C •16-byte subkey ki •Output: C ⊕ ki •Combined with XOR •The subkeys are generated in the key schedule 23
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 24 Key Schedule • Subkeys are derived recursively from the original 128/192/256-bit input key • Each round has 1 subkey, plus 1 subkey at the beginning ofAES • Key whitening: Subkey is used both at the input and output of AES ⇒ # subkeys = # rounds + 1 • There are different key schedules for the different key sizes Key length (bits) Number of subkeys 128 11 192 13 256 15
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Schedule Example: Key schedule for 128-bit keyAES • Word-oriented: 1 word = 32 bits • 11 subkeys are stored in W[0]…W[3], W[4]… W[7], … , W[40]…W[43] • First subkey W[0]…W[3] is the original AES key 25
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Schedule • Function g rotates its four input bytes and performs a bytewise 
 S-Box substitution ⇒ nonlinearity • The round coefficient RC is only added to the leftmost byte and varies from round to round: RC[1] = x0 = (00000001)2 RC[2] = x1 = (00000010)2 RC[3] = x2 = (00000100)2 ... RC[10] = x9 = (00110110)2 26
4.6 Implementation
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl28 Implementation in Software • One requirement of AES was the possibility of an efficient software implementation • Straightforward implementation is well suited for 8-bit processors (e.g., smart cards), but inefficient on 32-bit or 64-bit processors • A more sophisticated approach: Merge all round functions (except the key addition) into one table look-up • This results in four tables with 256 entries, where each entry is 32 bits wide • One round can be computed with 16 table look-ups • Typical SW speeds are more than 1.6 Gbit/s on modern 64-bit processors
Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl29 Security • Brute-force attack: Due to the key length of 128, 192 or 256 bits, a brute-force attack is not possible • Analytical attacks: There is no analytical attack known that is better than brute-force • Side-channel attacks: • Several side-channel attacks have been published • Note that side-channel attacks do not attack the underlying algorithm but the implementation of it
AES in Python
4. The Advanced Encryption Standard (AES)

Recommended

AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationsarhadisoftengg
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithmSunita Kharayat
 

Recommended

AES-Advanced Encryption Standard
AES-Advanced Encryption StandardAES-Advanced Encryption Standard
AES-Advanced Encryption StandardPrince Rachit
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationsarhadisoftengg
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
PGP S/MIME
PGP S/MIMEPGP S/MIME
PGP S/MIMESou Jana
 
Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithmSunita Kharayat
 
Information and network security 13 playfair cipher
Information and network security 13 playfair cipherInformation and network security 13 playfair cipher
Information and network security 13 playfair cipherVaibhav Khanna
 
Cryptography with caesar Cipher
Cryptography with caesar CipherCryptography with caesar Cipher
Cryptography with caesar CipherDushhyant Kumar
 
Encryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES AlgorithmEncryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES AlgorithmAhmed Raza Shaikh
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5Mohamed El-Serngawy
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Rc4
Rc4Rc4
Rc4Amjad Rehman
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
One Time Pad Encryption Technique
One Time Pad Encryption TechniqueOne Time Pad Encryption Technique
One Time Pad Encryption TechniqueJohn Adams
 
Rsa
RsaRsa
RsaNavneet Sharma
 
Key management
Key managementKey management
Key managementSujata Regoti
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Des lecture
Des lectureDes lecture
Des lectureANIKET UTTAM
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve CryptographyJorgeVillamarin5
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption StandardAdri Jovin
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.pptssuserec53e73
 
3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and AlternativesSam Bowne
 
Information and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aesInformation and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aesVaibhav Khanna
 

More Related Content

What's hot

Information and network security 13 playfair cipher
Information and network security 13 playfair cipherInformation and network security 13 playfair cipher
Information and network security 13 playfair cipherVaibhav Khanna
 
Cryptography with caesar Cipher
Cryptography with caesar CipherCryptography with caesar Cipher
Cryptography with caesar CipherDushhyant Kumar
 
Encryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES AlgorithmEncryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES AlgorithmAhmed Raza Shaikh
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSAMohamed Loey
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And DecryptionNA
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
One Time Pad Encryption Technique
One Time Pad Encryption TechniqueOne Time Pad Encryption Technique
One Time Pad Encryption TechniqueJohn Adams
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve CryptographyJorgeVillamarin5
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption StandardAdri Jovin
 

What's hot (20)

Information and network security 13 playfair cipher
Information and network security 13 playfair cipherInformation and network security 13 playfair cipher
Information and network security 13 playfair cipher
 
Cryptography with caesar Cipher
Cryptography with caesar CipherCryptography with caesar Cipher
Cryptography with caesar Cipher
 
Encryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES AlgorithmEncryption And Decryption Using AES Algorithm
Encryption And Decryption Using AES Algorithm
 
Computer Security Lecture 7: RSA
Computer Security Lecture 7: RSAComputer Security Lecture 7: RSA
Computer Security Lecture 7: RSA
 
Encryption And Decryption
Encryption And DecryptionEncryption And Decryption
Encryption And Decryption
 
RC4&RC5
RC4&RC5RC4&RC5
RC4&RC5
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
 
Rc4
Rc4Rc4
Rc4
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipher
 
One Time Pad Encryption Technique
One Time Pad Encryption TechniqueOne Time Pad Encryption Technique
One Time Pad Encryption Technique
 
Rsa
RsaRsa
Rsa
 
Key management
Key managementKey management
Key management
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
Des lecture
Des lectureDes lecture
Des lecture
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
Data Encryption Standard
Data Encryption StandardData Encryption Standard
Data Encryption Standard
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 

Similar to 4. The Advanced Encryption Standard (AES)

3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and AlternativesSam Bowne
 
Information and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aesInformation and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aesVaibhav Khanna
 
CNIT 141: 11. Hash Functions
CNIT 141: 11. Hash FunctionsCNIT 141: 11. Hash Functions
CNIT 141: 11. Hash FunctionsSam Bowne
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmRifat Tasnim
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Cryptography Symmetric Key Algorithm (CSE)
Cryptography Symmetric Key Algorithm (CSE)Cryptography Symmetric Key Algorithm (CSE)
Cryptography Symmetric Key Algorithm (CSE)SoumyaBhattacharyya14
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
Information and network security 20 data encryption standard des
Information and network security 20 data encryption standard desInformation and network security 20 data encryption standard des
Information and network security 20 data encryption standard desVaibhav Khanna
 
DES-lecture (1).ppt
DES-lecture (1).pptDES-lecture (1).ppt
DES-lecture (1).pptMrsPrabhaBV
 
information security(Feistal Cipher)
information security(Feistal Cipher)information security(Feistal Cipher)
information security(Feistal Cipher)Zara Nawaz
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfMohammedMorhafJaely
 
Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxeschuxuantinh
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxeschutinhha
 
Lecture 05 - 04 Nov 21.pptx
Lecture 05 - 04 Nov 21.pptxLecture 05 - 04 Nov 21.pptx
Lecture 05 - 04 Nov 21.pptxHammadAsghar26
 

Similar to 4. The Advanced Encryption Standard (AES) (20)

3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives3. The Data Encryption Standard (DES) and Alternatives
3. The Data Encryption Standard (DES) and Alternatives
 
Information and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aesInformation and network security 24 advanced encryption standard aes
Information and network security 24 advanced encryption standard aes
 
CNIT 141: 11. Hash Functions
CNIT 141: 11. Hash FunctionsCNIT 141: 11. Hash Functions
CNIT 141: 11. Hash Functions
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption Algorithm
 
section-7.ppt
section-7.pptsection-7.ppt
section-7.ppt
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Cryptography Symmetric Key Algorithm (CSE)
Cryptography Symmetric Key Algorithm (CSE)Cryptography Symmetric Key Algorithm (CSE)
Cryptography Symmetric Key Algorithm (CSE)
 
1 DES.pdf
1 DES.pdf1 DES.pdf
1 DES.pdf
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptography
 
Information and network security 20 data encryption standard des
Information and network security 20 data encryption standard desInformation and network security 20 data encryption standard des
Information and network security 20 data encryption standard des
 
DES-lecture (1).ppt
DES-lecture (1).pptDES-lecture (1).ppt
DES-lecture (1).ppt
 
information security(Feistal Cipher)
information security(Feistal Cipher)information security(Feistal Cipher)
information security(Feistal Cipher)
 
Network Security Lec4
Network Security Lec4Network Security Lec4
Network Security Lec4
 
Ch05
Ch05Ch05
Ch05
 
SymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdfSymmetricCryptography-Part3 - Tagged.pdf
SymmetricCryptography-Part3 - Tagged.pdf
 
Modified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxesModified aes algorithm using multiple s boxes
Modified aes algorithm using multiple s boxes
 
modified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxesmodified aes algorithm using multiple s-boxes
modified aes algorithm using multiple s-boxes
 
Lecture 05 - 04 Nov 21.pptx
Lecture 05 - 04 Nov 21.pptxLecture 05 - 04 Nov 21.pptx
Lecture 05 - 04 Nov 21.pptx
 
Cryptography
CryptographyCryptography
Cryptography
 
Msc 1
Msc 1Msc 1
Msc 1
 

More from Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 

Recently uploaded (20)

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 

4. The Advanced Encryption Standard (AES)

  • 1. Understanding Cryptography by Christof Paar and JanPelzl www.crypto-textbook.com Chapter 4 – The Advanced Encryption Standard (AES) ver. October 28, 2009 These slides were prepared by Daehyun Strobel, Christof Paar and Jan Pelzl Modified by Sam Bowne
  • 2. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl2 Some legal stuff (sorry): Terms of Use • The slides can used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl. • The title of the accompanying book “Understanding Cryptography” by Springer and the author’s names must remain on eachslide. • If the slides are modified, appropriate credits to the book authorsand the book title must remain within the slides. • It is not permitted to reproduce parts or all of the slides in printedform whatsoever without written consent by the authors.
  • 3. Chapter 3 of Understanding Cryptography by Christof Paar and Jan Pelzl3 Contents of this Chapter • 4.1 Introduction • 4.2 Overview of the AES Algorithm • 4.3 Galois Fields (SKIP) • 4.4 Internal Structure of AES • 4.5 Decryption (SKIP) • 4.6 Implementation
  • 5. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl5 •AES is the most widely used symmetric ciphertoday •The algorithm for AES was chosen by the US National Institute of Standards and Technology (NIST) in a multi-year selection process • The requirements for all AES candidate submissions were: •Block cipher with 128-bit block size •Three supported key lengths: 128, 192 and 256 bit •Security relative to other submitted algorithms •Efficiency in software and hardware Some Basic Facts
  • 6. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl6 •The need for a new block cipher announced by NIST in January, 1997 •15 candidates algorithms accepted in August, 1998 •5 finalists announced in August, 1999: •Mars – IBM Corporation •RC6 – RSA Laboratories •Rijndael – J. Daemen & V. Rijmen •Serpent – Eli Biham et al. •Twofish – B. Schneier etal. •In October 2000, Rijndael was chosen as the AES Chronology of AES Selection
  • 7. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl7 •AES was formally approved as a US federal standard in November 2001 •In 1993, the NSA allows AES to encrypt classified documents •Up to SECRET for all key lengths •Up to TOP SECRET for 192 and 256-bit keys Chronology of AES Selection
  • 8. 4.2 Overview of the AES Algorithm
  • 9. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl AES: Overview The number of rounds depends on the chosen key length: Key length (bits) Number of rounds 128 10 192 12 256 14 9
  • 10. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl AES: Overview •Iterated cipher with 10/12/14 rounds •Each round consists of “Layers” •Unline DES, all 128 bits are encrypted in each round 10
  • 11. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Three Layer Types •Key Addition Layer •A 128-bit round key (or subkey) •Derived from the main key in the key schedule •XORed to the state •Byte Substitution Layer (S-Box) •Nonlinear transformation using lookup tables •Introduces confusion to the data •(Obscures relationship between key and ciphertext) 11
  • 12. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Three Layer Types •Diffusion Layer •Two sublayers: ShiftRows and MixColumn •(Makes sure that changing one plaintext bit affects many ciphertext bits) 12
  • 14.
  • 16. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl16 Internal Structure of AES • AES is a byte-oriented cipher • The state A (i.e., the 128-bit data path) can be arranged in a 4x4 matrix: with A0,…, A15 denoting the 16-byte input of AES A0 A4 A8 A12 A1 A5 A9 A13 A2 A6 A10 A14 A3 A7 A11 A15
  • 17. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Round function for rounds 1,2,…,nr-1: 17 • Note: In the last round, the MixColumn transformation is omitted Diffusion Layer Byte Substution Layer (S-Box) Key Addition Layer
  • 18. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Byte Substitution Layer • The Byte Substitution layer consists of 16 S-Boxes with the following properties: The S-Boxes are • identical • the only nonlinear elements of AES, i.e., ByteSub(Ai) + ByteSub(Aj) ≠ ByteSub(Ai + Aj), for i,j = 0,…,15 • bijective, i.e., there exists a one-to-one mapping of input and output bytes S-Box can be uniquely reversed • In software implementations, the S-Box is usually realized as a lookup table 18
  • 19. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl S-Box 19
  • 20. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Diffusion Layer • provides diffusion over all input state bits • consists of two sublayers: • ShiftRows Sublayer: Permutation of the data on a byte level • MixColumn Sublayer: Matrix operation which combines (“mixes”) blocks of four bytes • performs a linear operation on state matrices A, B,i.e., DIFF(A) + DIFF(B) = DIFF(A + B) 20
  • 21. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl ShiftRows Sublayer • Rows of the state matrix are shifted cyclically: Output matrix B0 B4 B8 B12 B1 B5 B9 B13 B2 B6 B10 B14 B3 B7 B11 B15 21 B0 B4 B8 B12 B5 B9 B13 B1 B10 B14 B2 B6 B15 B3 B7 B11 no shift ← one position left shift ← two positions left shift ← three positions left shift Input matrix
  • 22. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl MixColumn Sublayer • Linear transformation which mixes each column of the state matrix • Each 4-byte column is considered as a vector and multiplied by a fixed 4x4 matrix, e.g., 22
  • 23. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Addition Layer •Inputs: •16-byte state matrix C •16-byte subkey ki •Output: C ⊕ ki •Combined with XOR •The subkeys are generated in the key schedule 23
  • 24. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl 24 Key Schedule • Subkeys are derived recursively from the original 128/192/256-bit input key • Each round has 1 subkey, plus 1 subkey at the beginning ofAES • Key whitening: Subkey is used both at the input and output of AES ⇒ # subkeys = # rounds + 1 • There are different key schedules for the different key sizes Key length (bits) Number of subkeys 128 11 192 13 256 15
  • 25. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Schedule Example: Key schedule for 128-bit keyAES • Word-oriented: 1 word = 32 bits • 11 subkeys are stored in W[0]…W[3], W[4]… W[7], … , W[40]…W[43] • First subkey W[0]…W[3] is the original AES key 25
  • 26. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl Key Schedule • Function g rotates its four input bytes and performs a bytewise 
 S-Box substitution ⇒ nonlinearity • The round coefficient RC is only added to the leftmost byte and varies from round to round: RC[1] = x0 = (00000001)2 RC[2] = x1 = (00000010)2 RC[3] = x2 = (00000100)2 ... RC[10] = x9 = (00110110)2 26
  • 28. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl28 Implementation in Software • One requirement of AES was the possibility of an efficient software implementation • Straightforward implementation is well suited for 8-bit processors (e.g., smart cards), but inefficient on 32-bit or 64-bit processors • A more sophisticated approach: Merge all round functions (except the key addition) into one table look-up • This results in four tables with 256 entries, where each entry is 32 bits wide • One round can be computed with 16 table look-ups • Typical SW speeds are more than 1.6 Gbit/s on modern 64-bit processors
  • 29. Chapter 4 of Understanding Cryptography by Christof Paar and Jan Pelzl29 Security • Brute-force attack: Due to the key length of 128, 192 or 256 bits, a brute-force attack is not possible • Analytical attacks: There is no analytical attack known that is better than brute-force • Side-channel attacks: • Several side-channel attacks have been published • Note that side-channel attacks do not attack the underlying algorithm but the implementation of it