Advanced Encryption Standard: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 11:16, 28 June 2025 edit 45.142.190.90 (talk) →The {{mono\|ShiftRows}} step Tag: Reverted ← Previous edit		Latest revision as of 13:04, 21 August 2025 edit undo 2a01:599:c24:3f5a:e451:ada2:edf6:f4b2 (talk) →External links: demo link added
(5 intermediate revisions by 5 users not shown)
Line 16: \| cryptanalysis = Attacks have been published that are computationally faster than a full [[brute-force attack]], though none as of 2023 are computationally feasible.<ref name="aesbc">{{cite web \|url=http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf \|archive-url=https://web.archive.org/web/20160306104007/http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf \|archive-date=March 6, 2016 \|title=Biclique Cryptanalysis of the Full AES \|access-date=May 1, 2019 \|url-status=dead \|df=mdy-all}}</ref> For AES-128, the key can be recovered with a [[computational complexity]] of 2<sup>126.1</sup> using the [[biclique attack]]. For biclique attacks on AES-192 and AES-256, the computational complexities of 2<sup>189.7</sup> and 2<sup>254.4</sup> respectively apply. [[Related-key attack]]s can break AES-~~256~~192 and AES-~~192~~256 with complexities 2<sup>99.5</sup> and 2<sup>176</sup> in both time and data, respectively.<ref name = relkey>Alex Biryukov and Dmitry Khovratovich, ''Related-key Cryptanalysis of the Full AES-192 and AES-256'', {{cite web \|url=https://eprint.iacr.org/2009/317 \|title=Related-key Cryptanalysis of the Full AES-192 and AES-256 \|access-date=2010-02-16 \|url-status=live \|archive-url=https://web.archive.org/web/20090928014006/http://eprint.iacr.org/2009/317 \|archive-date=2009-09-28 \|at=Table 1}}</ref> Another attack was blogged<ref name="Bruce Schneier">{{cite web \|url=http://www.schneier.com/blog/archives/2009/07/another_new_aes.html \|title=Another New AES Attack \|author=Bruce Schneier \|date=2009-07-30 \|work=Schneier on Security, A blog covering security and security technology \|access-date=2010-03-11 \|url-status=live \|archive-url=https://web.archive.org/web/20091005183132/http://www.schneier.com/blog/archives/2009/07/another_new_aes.html \|archive-date=2009-10-05}}</ref> and released as a [[preprint]]<ref>{{cite web \|url=https://eprint.iacr.org/2009/374 \|title=Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds \|author=Alex Biryukov \|author2=Orr Dunkelman \|author3=Nathan Keller \|author4=Dmitry Khovratovich \|author5=Adi Shamir \|date=2009-08-19 \|access-date=2010-03-11 \|archive-url=https://web.archive.org/web/20100128050656/http://eprint.iacr.org/2009/374 \|archive-date=28 January 2010 \|url-status=live}}</ref> in 2009. This attack is against AES-256 that uses only two related keys and 2<sup>39</sup> time to recover the complete 256-bit key of a 9-round version, or 2<sup>45</sup> time for a 10-round version with a stronger type of related subkey attack, or 2<sup>70</sup> time for an 11-round version. Line 83: === The {{mono\|ShiftRows}} step === [[Image:AES-ShiftRows.svg\|right\|320px\|thumbnail\|In the {{mono \| ShiftRows}} step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs incrementally for each row.]] The {{mono \| ShiftRows}} step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain [[Offset (computer science)\|offset]]. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively.<ref group="note">Rijndael variants with a larger block size have slightly different offsets. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row <math>n</math> is shifted left circular by <math>n-1</math> bytes. For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively—this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks.</ref> In this way, each column of the output state of the {{mono \| ShiftRows}} step is composed of bytes from each column of the input state. The importance of this step is to avoid the columns being encrypted independently, in which case AES would degenerate into four independent block ciphers.~~mitra~~ === The {{mono\|MixColumns}} step === Line 185: The Cryptographic Algorithm Validation Program (CAVP)<ref>{{cite web \|url=http://csrc.nist.gov/groups/STM/cavp/index.html \|title=NIST.gov – Computer Security Division – Computer Security Resource Center \|publisher=Csrc.nist.gov \|access-date=2012-12-23 \|url-status=live \|archive-url=https://web.archive.org/web/20130102044410/http://csrc.nist.gov/groups/STM/cavp/index.html \|archive-date=2013-01-02}}</ref> allows for independent validation of the correct implementation of the AES algorithm. Successful validation results in being listed on the NIST validations page.<ref>{{cite web \|url=http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm \|title=Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules \|url-status=dead \|archive-url=https://web.archive.org/web/20141226152243/http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm \|archive-date=2014-12-26 \|access-date=2014-06-26}}</ref> This testing is a pre-requisite for the FIPS 140-2 module validation. However, successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.<ref name="cnss.gov"/> FIPS 140-2 validation is challenging to achieve both technically and fiscally.<ref name="openssl">{{cite web \|author=OpenSSL, openssl@openssl.org \|url=http://openssl.org/docs/fips/fipsnotes.html \|title=OpenSSL's Notes about FIPS certification \|publisher=Openssl.org \|access-date=2012-12-23 \|url-status=dead \|archive-url=https://web.archive.org/web/20130102203126/http://www.openssl.org/docs/fips/fipsnotes.html \|archive-date=2013-01-02}}</ref> There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant (e.g., well over ~~$30,000 US~~{{currency\|30000\|USD}})<ref name="openssl" /> and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change. == Test vectors == Line 225: * [http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf Animation of Rijndael] – AES deeply explained and animated using Flash (by Enrique Zabala / University ORT / Montevideo / Uruguay). This animation (in English, Spanish, and German) is also part of [[CrypTool\|CrypTool 1]] (menu Indiv. Procedures → Visualization of Algorithms → AES). * [https://formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng-html5.html HTML5 Animation of Rijndael] – Same Animation as above made in HTML5. * [https://infsec.de/aes-in-excel-eng/ AES Demo in Excel] - Example implementation and demonstration in Excel (without macros) by Tim Wambach. {{Cryptography navbox \| block}}