Lecture 8: Advanced Encryption Standard (AES) by Christof Paar
Вставка
- Опубліковано 29 січ 2014
- For slides, a problem set and more on learning cryptography, visit www.crypto-textbook.com.
The AES book chapter for this video is also available at the web site (click Sample Chapter).
Lecture outline: 0:01
History/Intro to AES: 2:00
Structure of AES: 18:10
Internals: Layers 32:25
---- Each layer in detail -----
SubBytes - 52:12
ShiftRows - 1:15:45
MixCol - 1:22:40
Doesn't seem to go into the round key add step in that very much detail, though.
I'm pretty sure the Add Round Key step is just XORing the Round SubKey with the State, nothing too complicated.
The 'Add' doesn't refer to making/generating a new Round Key but adding the round key to the state.
Thank you!
not all heroes wear capes!!
and there is no decryption...
@@fatihsonmez it's just everything in reverse
Your accent makes this 1000000x more entertaining.
Professors who care about notes making are the best!
Hello, honestly say, your lecture is much, much better than my university two months lecture just about this AES stuffs. You're awesome. Clear. Exact. Specific. Understandable. I like when you said "Please silent to your students." Hopefully, you will get your good work blessed. ;)
Professor Paar,
I would like to thank you for providing this series of fantastic lectures. Your teaching inspired me to purchase the book which has only heightened my interested in the subject.
Lastly, I have to say that after about 2 hours of research and reading many different explanations that I found on-line, I finally figured out the "affine transformation"...that is pretty brutal without any real guidance.
Again, thanks ....you are really good at what you do.
Truly awesome, very deep coverage on AES.
thank you very much "Christof Paar" you are really explained very easy and pro way.
This course is really helpfull i own the book, while i'm doing criptography in the Universidad Catolica del Norte, and this videos are extremely helpful, i really hope you can do a video with the key schedule and the decryption for AES, its very easy to understand the way you teach this.
Professor Paar, I just love you !
What an amazing lecture deleivered by Sir Christof.
I enjoyed the lecture
Funny he keeps reminder the class... I would never fall asleep. Every hour with Professor Paar saves at least 10 hours of self-study.
The motivation that you gives me a lot of motivation and also an idea that made me to get involved.
Vielen Dank für die tollen Vorlesungen! Fantastisch zu schauen :)
Really, you are a very good lecturer. your discussion is very interesting , simple and attractive. Thanks.
Thank you very much for these lectures, they are making my life much easier
Great explanation! Great accent! Loving the videos! Thank you!!
-From California :)
Excellent lecture! I watched your galois field lecture in 2016 or so when I was doing a presentation on error correction codes and had this AES lecture on my watch later list. Finally got around to it and enjoyed it!
Thank you for this Video Lecture Pr. Christof Paar. Very helpful as a I am a Student in NYC.
Awesome explanation, thank you!
Keep up the good work, sir.
I know absolutely nothing about any encryption, yet I watched the whole lecture. I don't know anymore now then I did before. Lol
Thanks for the explanation, Sir. It really helped me to understand the AES concept.
that was a better lecture i found than others .. i found it very beneficial and detailed thank you very much
Professor Paar, s there any chance of you recording the continuation of this course? You are the best teacher I found on crypto!
Awesome! Thanks for sharing this lecture!
Much love to you sir! Very clear explanation! Love you!
Thank you Sir for such an amazing Lecture Series .
This video series is fantastic! I'm taking crypto and it's following basically this exact trajectory. Shame about those chatty cathy's in the audience
thank you very much professor... this lecture helped me a lot to complete my project...
Great Lecturer Series,,,, Keep the good work Going
Great Lecturer series. thank you
1:08:51 ,Herr Paar: "yeah this is wrong. this is wrong. this is wrong. this is all wrong..."
Me(having just finished writing everything down): NOOOOOOOO! you have got to be kidding me😭😭😭
Anyways, thank you sooo much for these lectures, absolutely fascinating. It's one of the only truly understandable courses on internet for lower-level students. Incredible, I also bought the book!!!
Thank you sir for your explanation! It helps a lot. Can you explain about Key schedule?
Great lecture, thanks a lot.
Beautiful teaching... there is ans for every "why?"
Thank you for this lecture.
easy to understand, thanks professor
You can skip the history bit by going to 18:20
thank you good sir, great lecture very helpful.
Well done lecture. Enjoyed it.
Really good!! Thanks :D
Great lecture! Got a bit lost around the SBOX explaination part
I'm 14 and I could understand this perfectly and also I can encrypt and decrypt in aes, if someone failed this it's because they are not willing to learn.
Dear Professor, You have not discuss decryption and key schedule (I mean the way you done for DES) I hope we can see some video too. Thank you so much for such an interesting lecture.
It might be a dumb question, but I wonder: If you enter the same plaintext with the same key in an AES, you always get the same cyphertext, right? Then would it be possible to make a block cypher which always give different cyphertexts even if the plaintext and the key stay the same? Would such a cypher be decrypteable by Bob?
Thanks again for the amazing lectures! You're so clear that even a total newbie like me can understand (I think)
+Elitios Excellent comment. What you describe is known as "probabilistic encryption". In many modern security protocols it is recommended to use block ciphers in this way. This can be achieved by using a "mode of operation" that is probabilistic, i.e., which requires as input not only plaintext and the key, but also a random value. The random value is transmitted in clear to Bob so that he can decrypt. Please have a look at my Lecture 9 where I talk about this a bit. regards, christof
Q: Where does all that sexy Extension Field stuff from last lecture come into play?
A: In the S-boxes 59:00
awesome lecture
Great lecture
Why does it say in other places that the MixColumns multiplication uses modulo x^4+1 rather than what you've said here - modulo x^8+x^4+x^3+x+1 ???
This is helpful! thank you
This is really helpful!
Hello Prof Paar
It is my understanding that for any (existing) block cipher or mode that the cipher test key and therefore the round keys are exactly the same for each block that is processed by the block cipher. Is that correct?
Second part of the question: If that is correct what does that say to the relative strengths of block vs stream ciphers where (in stream ciphers) the key is always being expanded by a CSPRNG with an extremely low predictability factor
Thank you for this course
Steve
Sir. I would like to know about the fixed matrix of affine transformation for S-box construction in AES, What is the logic behind that matrix?
Man, you rock;-) Thanks a lot!
Wirklich klasse! Mich hätten ein paar mehr Hintergrundinfos zum Design von AES interessiert. Ich weiss nun genau, wie es funktionniert, aber verschiedene Design-Entscheidungen (warum 10 Runden, und nicht 9 oder 11?) erscheinen weiterhin willkürlich. Sehr gut fand ich z.B. den Exkurs über die Diffusion.. Es kann natürlich sein, dass die Hintergründe einfach zu kompliziert für eine 90 minütige Vorlesung sind.
Intro to AES 2:00
Structure of AES 18:10
Internals of AES 32:25
Professor u didn't do the last topic so where can I find the decryption part, it's really important to me Professor, as I am not in any University, your lectures are my only way to learn
Could you please provide the information regarding the confidentiality and integrity algorithms EEA3 and EIA3 or ZUC?
Sir you are the best
I love these and thank you for sharing them. I will say I disagree about the statement at 17:25 though about AES being generally secure because the agencies use it. What was later found since this time period was that AES has this property where some keys are strong and others are weak. There were certain attacks possible with poorly chosen keys and of course the NSA requires their own use of AES to get keys provided from a central key authority within the NSA. This key authority then only provides strong keys for their internal use and if laymen use AES they lack the knowledge of how to select these extra strong keys. Now that future attacks such as Invariant Subspace were discovered we can see how clever this was.
So the statement at 17:25 I highly disagree with and we learned that this kind of logic fails with new side-channel and mathematical attacks. The simple use of an algorithm by the government means nothing unless you also can use their key selection processes. They are willing to bless subpar implementations and utilize those weaknesses against others while shielding themselves.
Otherwise excellent lecture.
Good Job!
Very well explain sir thak you sir
Professor is there any explanation for key expansion for AES available.
I do need the same
sir ,can u explain me how u caluculated inverse substitution layer
how do you get B' ? Oh, got it. It is the inverse of A^(-1)=B', such
that AxB'=1. And B' to be computed using Euclidean Algoth. Once B' is
found B can be computed, and actually it is on that table from the book,
right?
good explanation
addictive course to someone new to cryptography..
Thank you.
Thank you very much
Some silliness...
AES-Variant 1 : Double-AES with a twist ...
*Init :* Let Key2 = SHA1 of (Key1 XORed with previous blocks plaintext)
*Round 1 :* Perform AES with Key1
*Do the twist ...*
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
Rotate both bitfields clockwise 90 degrees
*Round 2 :* Perform AES with Key 2
AES-Variant 2 : AES-512/infested
*Init :* Let Key1 and Key2 be halves of the 512bit key
Then, For block 0...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* _(do nothing, yet)_
*Round 2:* Perform AES-256 with Key2
Use the first 128 bytes of sent plaintext (Block 0) as a random IV ... for both sides to define the positions and states of 16 Langton Ants. 8 in each 8x8 field. These first bytes are sunk by the receiving side, thus never make it out of the decoder. Actual message passing will begin in block 1.
Now, for all subsequent blocks ...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* with 8 ants in each 8x8 bitfield, let them wander 'n' times corrupting the field. (++ see note)
*Round 2:* Perform AES-256 with Key2
Actual messages begin from Block1, once Ants are active
(++ Important Note) In this system, the langtons ants live in the stored bitfield of the previous block, but duplicate their bit-flipping to the bitfield of the current block. This prevents the ants from permutating data in a way that the the recipient cannot know _(thus avoiding a one-way function)._ By using the previous round as the langtons playground, and duplicating their bit-flipping antics in the current bitfield, both sides ants can remain synchronised using data both sides already know.
Neither of these are actual security algorithms, but they're fun : ) I doubt either scheme weakens AES - but then, I'm not a cryptographer... so, y'know... don't trust 'em, they might cause some unknown weakness compared to regular AES. Especially the first one. The second one, though, I have a lot of faith in ; )
But neither of these are serious proposals...
... I'm just a guy who dreams up weird code when he's drunk... oh, and has a peculiar fascination for Langtons Ants : )
super professor
1:14:50 "this is really complicated in a very clear mathematical way" :D
very nice and helpful :) thank you for all ur lectures...they are very enlightening and make the topics so easily understandable compared to the complex chapters in the cryptography books
INDIAn
Very Helpful
Thank you for the video, but a few questions if you don't mind.
i) How to you find the inverse of a hex number; we were given A = C2 with inv B' = 2F but I should like to know how we work this out.
ii) in the affine mapping we have the matrix constant, reading down the rows of the matrix (in hex) we have 8F, C7, E3, F1 and then each one reversed (so to speak) F8, 7C, 3E and 1F. All I can see here is that each row includes five 1s and three 0s, but what is the thinking behind this choice? Could we move them, or change them, without loss of security?
iii) lastly, a similar question to (ii), what is the reason behind the choice of the vector constant? Could it be any vector constant?
Your answers would be very helpful and much appreciated. I have tried to find the answers online but to no avail...
My thanks in advance...
+7x34hj The first answer is firm, number ii) and iii) less so:
i) You have to compute the multiplicative inverse in the Galois field GF(2^8). Please have a look at Lecture 7 and Table 4.2 of our texbook, Understanding Cryptography. Chapter 4 of the textbook is available on our companion website, www.crypto-textbook.com
ii + iii) Roughly speaking, the affine mapping assures that the S-Box cannot described mathematically as only a Galois field inversion, i.e., we have to combine GF-inversion with some other operation which is NOT defined in Galois fields. I assume it is safer to use a matrix with many 1 entries. The same goes for the additive vector. At the same time, I assume there are other matrices and vectors that would work here. For more information, I recommend the book "Algebraic Aspects of the Advanced Encryption Standard"
regards, christof
+Introduction to Cryptography by Christof Paar Thank you for such a quick reply. I have looked at lecture 7 and I have the book but (forgive me) I am still unaware. I know the inverse of C2 is 2F (from the book) but I want to work it out. I set 194 (i.e. C2 in denary) equal to 1mod283 (the polynomial in denary). My answer after doing the Eu. Alg extended is 124x194 - 85x283 = 1. This seems to work but 124 is NOT 2F when converted back into hex. I have also tried setting A(x)B(x) = 1 modP(x) with A(x) = x^7 + x^6 + x and P(x) = x^8 + x^4 + x^3 + x + 1. Applying the E. Alg is fine (I finish with a remainder of 1) but when I try the extended algorithm to find B(x) things get rather 'messy'. Is there a 'fully worked' example that shows the process of finding the hex inverses in GF(2^8)? My apologies for bothering you again with (perhaps) a daft question, but it is something I should really like to learn. Thank you, once again.
+7x34hj I know where your problem is. ALL ARITHMETIC MUST BE DONE WITH POLNYOMIALS IN THE GALOIS FIELD GF(2^8) (sorry for the caps :)) That means you can NOT do integer arithmetic. Rather, you have to perform the extended Eucl. Alg. with polynomials. The input to the EEA would be x^7 + x^6 + x ("C2") and P(x). The EEA should then compute a gcd of 1 and the inverse as x^5+x^3+x^2+x+^("2F"). Sorry, but we do not show the EEA with polynomials in the book. It works completely the same way as the EEA with integers, though. cheers, christof
Introduction to Cryptography by Christof Paar Thank you. Actually I also tried that but I did not get the inverse. Perhaps I am making a blunder in my calculations; I'll try again!
Thank you!!!
This course is from 2010 but I'm in 2019 is there anything that has changed in cryptography in the past decade or is this course enough
why is the number of rounds required for aes 128 bit algorithm equal to 10?is there any formula for it?
thank u very much sir
buy the text book. It makes the lecture easier!
Can anyone tell me where can I find a book that has to do with C# and encryption
: something like this " Encryption Programming in C# " sorry for my bad english
still i am having doubt in s-box functionality...
it is very helpfull
thank you very much sir!!!!!!!!!
What would be the case if the input byte has no inverse, which would be the case if the input byte is the same as the mod polynomial? the remainder would be Zero.
Thanks a lot
I aware of the fact that AES is more secure and stuff, but I've used DM5 in my school project coz it's simple to implement in java app.
Any thoughts on DM5 algorithm?
i dont really think there is an encryption named dm5.
Mix Columns in AES
Would someone please explain how the number of XOR gates are 3 and 11 respectively for the following:
Number of XOR gates needed for constant 02 multiplication in GF(2 power 8) is 3
Number of XOR gates needed for constant 03 multiplication in GF(2 power 8) is 11
Question: I might not be understanding this correctly but how does AES ensure that at the end of 14 rounds, it hasnt done enough bit flips that is now the original unencrypted byte?
Also thank you for this video.
It is HIGHLY unlikely that the ciphertext after 14 rounds will be identical to the original plaintext. A strong block cipher can be approximated as a so-called "random permutation". That means for every plaintext, each ciphertext has a probability of roughly 2^128. Thus, the chance that the ciphertext becomes the original plaintext is tiny, tiny, tiny, namely roughly 2^(-128). regards
so simple, easy to understand and interesting lectures. one thing that didnt get is that in which university it is recorded it looks like american but the lecturer is talking in german too.
I teach at Ruhr University Bochum, a large university in North-Western Germany. The lecture is in English (as opposed to German) because we always have several foreign exchange students who often speak only English.
I commented after watching the previous video.In this video i can see ruhr university written. Thank you very much for uploading the video it helped me alot.
Nice!
Sir In 1.10.50 why the inverse of Ai (1100 0010) is Bi(0010 1111)? Should't be Bi = (0011 1101)? I mean for example a bit 1 in Ai become 0 in Bi?
Waiting for the Decryption part. Although I know it, continuity is the reason I'm asking for it.
Both Key Schedule generation and Decryption are missing. I believe they were covered during the Lab which may not have been recorded unfortunately.
Zach Miller
Sorry, there is not lecture about key schedule and decryption. I always assigned those as homework :) Chapter 4 (AES) of our book can be downloaded for free at www.crypto-textbook.com (click Sample Chapters). I would recommend that you have a look at it there, key schedule and decryption are not that complicated once you've worked through encryption. Cheers, christof
Someguy tell me one time AES 256 is uncrackeable just cant, nobody can crack AES 256 even quantum pc
+jorge cabrera Just for balance, know that implementation matters: hardwear.io/wp-content/uploads/2015/10/got-HW-crypto-slides_hardwear_gunnar-christian.pdf Then there are BlackHat conference results where the key or plaintext data are leaked by just keeping a user session uninterrupted (avoiding ACPI S4 sleep or greater, which would have the user re-authenticate.) Looking forward to drives and drive service updates of 2016.
When does decryption start?
Hello Professor,
I have a question on key length. As per AES, it can be 128, 192 or 256 bits. What would be the deciding factor to choose the key length?
And w.r.t cost i assume 192 and 256 key lengths cost more. Am i right?
AES-128 has 10 rounds, AES-192 has 12 rounds and AES-256 has 14 rounds. The only "cost" that we have is the increased runtime if you choose 192 or 256 bit compared to 128 bits. Please not that AES runs very fast on modern CPUs and it really depends on your application whether the AES performance is a limiting factor.
Also, AES-128 is considered highly secure. The only realistic threat are large-scale quantum computers, which might or might not become available in 10-20 years. AES-256 is believed to be secure against quantum computers too.
how to find the a inverse if anyone had got it please explain i am stuck
cant easily understand substitution layer sir can u explain this more frequently
Please don't talk, but sleep..
sorry, but i couldn't really catch your last sentence, where would decryption be done? (:
In case it still matters: In the "Übung", the exercise class.
prof , there are no decryption part of aes!
hi sir thank u for the lecture sir it is very helpful..... but I want to know some disadvantage of aes and how can these disadvantages can be overcome but joining some other algorithm with this algorithm... can u respond to my question sir.....
+Meena Charming AES is the best block encryption currently, the key length can go up to 256 bits and this key is soo huge a brute force attack is not currently possible with todays technology. If it even came close, we could make triple AES but this would be very slow
Joshua of X thank u sir...... Currently iam doing my proj on aes algorithm.... Can i use geographical based protocol along wit aes algorithm??? Wil it give best result?????
Meena Charming Hello I am not the lecturer, I am also just a student. sorry I cannot help you with this question
+Joshua of X oh kk.... Anyways thank u joshua......