Lecture 8: Advanced Encryption Standard (AES) by Christof Paar
ฝัง
- เผยแพร่เมื่อ 21 ก.ย. 2024
- For slides, a problem set and more on learning cryptography, visit www.crypto-textbook.com.
The AES book chapter for this video is also available at the web site (click Sample Chapter).
![เขามัทรี - เอ็กซ์ ศุภกฤต - จอนนี่มิวสิค [ Official MV ]](http://i.ytimg.com/vi/AS9ufKuQIVs/mqdefault.jpg)
Your accent makes this 1000000x more entertaining.
Lecture outline: 0:01
History/Intro to AES: 2:00
Structure of AES: 18:10
Internals: Layers 32:25
---- Each layer in detail -----
SubBytes - 52:12
ShiftRows - 1:15:45
MixCol - 1:22:40
Doesn't seem to go into the round key add step in that very much detail, though.
I'm pretty sure the Add Round Key step is just XORing the Round SubKey with the State, nothing too complicated.
The 'Add' doesn't refer to making/generating a new Round Key but adding the round key to the state.
Thank you!
not all heroes wear capes!!
and there is no decryption...
@@fatihsonmez it's just everything in reverse
Professors who care about notes making are the best!
Hello, honestly say, your lecture is much, much better than my university two months lecture just about this AES stuffs. You're awesome. Clear. Exact. Specific. Understandable. I like when you said "Please silent to your students." Hopefully, you will get your good work blessed. ;)
Professor Paar,
I would like to thank you for providing this series of fantastic lectures. Your teaching inspired me to purchase the book which has only heightened my interested in the subject.
Lastly, I have to say that after about 2 hours of research and reading many different explanations that I found on-line, I finally figured out the "affine transformation"...that is pretty brutal without any real guidance.
Again, thanks ....you are really good at what you do.
Truly awesome, very deep coverage on AES.
This course is really helpfull i own the book, while i'm doing criptography in the Universidad Catolica del Norte, and this videos are extremely helpful, i really hope you can do a video with the key schedule and the decryption for AES, its very easy to understand the way you teach this.
Funny he keeps reminder the class... I would never fall asleep. Every hour with Professor Paar saves at least 10 hours of self-study.
What an amazing lecture deleivered by Sir Christof.
I enjoyed the lecture
Really, you are a very good lecturer. your discussion is very interesting , simple and attractive. Thanks.
I know absolutely nothing about any encryption, yet I watched the whole lecture. I don't know anymore now then I did before. Lol
This video series is fantastic! I'm taking crypto and it's following basically this exact trajectory. Shame about those chatty cathy's in the audience
Vielen Dank für die tollen Vorlesungen! Fantastisch zu schauen :)
Professor Paar, I just love you !
🥰
thank you very much "Christof Paar" you are really explained very easy and pro way.
1:08:51 ,Herr Paar: "yeah this is wrong. this is wrong. this is wrong. this is all wrong..."
Me(having just finished writing everything down): NOOOOOOOO! you have got to be kidding me😭😭😭
Anyways, thank you sooo much for these lectures, absolutely fascinating. It's one of the only truly understandable courses on internet for lower-level students. Incredible, I also bought the book!!!
Excellent lecture! I watched your galois field lecture in 2016 or so when I was doing a presentation on error correction codes and had this AES lecture on my watch later list. Finally got around to it and enjoyed it!
The motivation that you gives me a lot of motivation and also an idea that made me to get involved.
Thank you very much for these lectures, they are making my life much easier
Professor Paar, s there any chance of you recording the continuation of this course? You are the best teacher I found on crypto!
Thank you for this Video Lecture Pr. Christof Paar. Very helpful as a I am a Student in NYC.
that was a better lecture i found than others .. i found it very beneficial and detailed thank you very much
Great explanation! Great accent! Loving the videos! Thank you!!
-From California :)
Dear Professor, You have not discuss decryption and key schedule (I mean the way you done for DES) I hope we can see some video too. Thank you so much for such an interesting lecture.
Why does it say in other places that the MixColumns multiplication uses modulo x^4+1 rather than what you've said here - modulo x^8+x^4+x^3+x+1 ???
Awesome explanation, thank you!
Keep up the good work, sir.
It might be a dumb question, but I wonder: If you enter the same plaintext with the same key in an AES, you always get the same cyphertext, right? Then would it be possible to make a block cypher which always give different cyphertexts even if the plaintext and the key stay the same? Would such a cypher be decrypteable by Bob?
Thanks again for the amazing lectures! You're so clear that even a total newbie like me can understand (I think)
+Elitios Excellent comment. What you describe is known as "probabilistic encryption". In many modern security protocols it is recommended to use block ciphers in this way. This can be achieved by using a "mode of operation" that is probabilistic, i.e., which requires as input not only plaintext and the key, but also a random value. The random value is transmitted in clear to Bob so that he can decrypt. Please have a look at my Lecture 9 where I talk about this a bit. regards, christof
Thanks for the explanation, Sir. It really helped me to understand the AES concept.
addictive course to someone new to cryptography..
Thank you sir for your explanation! It helps a lot. Can you explain about Key schedule?
thank you good sir, great lecture very helpful.
I love these and thank you for sharing them. I will say I disagree about the statement at 17:25 though about AES being generally secure because the agencies use it. What was later found since this time period was that AES has this property where some keys are strong and others are weak. There were certain attacks possible with poorly chosen keys and of course the NSA requires their own use of AES to get keys provided from a central key authority within the NSA. This key authority then only provides strong keys for their internal use and if laymen use AES they lack the knowledge of how to select these extra strong keys. Now that future attacks such as Invariant Subspace were discovered we can see how clever this was.
So the statement at 17:25 I highly disagree with and we learned that this kind of logic fails with new side-channel and mathematical attacks. The simple use of an algorithm by the government means nothing unless you also can use their key selection processes. They are willing to bless subpar implementations and utilize those weaknesses against others while shielding themselves.
Otherwise excellent lecture.
thank you very much professor... this lecture helped me a lot to complete my project...
Thank you for the video, but a few questions if you don't mind.
i) How to you find the inverse of a hex number; we were given A = C2 with inv B' = 2F but I should like to know how we work this out.
ii) in the affine mapping we have the matrix constant, reading down the rows of the matrix (in hex) we have 8F, C7, E3, F1 and then each one reversed (so to speak) F8, 7C, 3E and 1F. All I can see here is that each row includes five 1s and three 0s, but what is the thinking behind this choice? Could we move them, or change them, without loss of security?
iii) lastly, a similar question to (ii), what is the reason behind the choice of the vector constant? Could it be any vector constant?
Your answers would be very helpful and much appreciated. I have tried to find the answers online but to no avail...
My thanks in advance...
+7x34hj The first answer is firm, number ii) and iii) less so:
i) You have to compute the multiplicative inverse in the Galois field GF(2^8). Please have a look at Lecture 7 and Table 4.2 of our texbook, Understanding Cryptography. Chapter 4 of the textbook is available on our companion website, www.crypto-textbook.com
ii + iii) Roughly speaking, the affine mapping assures that the S-Box cannot described mathematically as only a Galois field inversion, i.e., we have to combine GF-inversion with some other operation which is NOT defined in Galois fields. I assume it is safer to use a matrix with many 1 entries. The same goes for the additive vector. At the same time, I assume there are other matrices and vectors that would work here. For more information, I recommend the book "Algebraic Aspects of the Advanced Encryption Standard"
regards, christof
+Introduction to Cryptography by Christof Paar Thank you for such a quick reply. I have looked at lecture 7 and I have the book but (forgive me) I am still unaware. I know the inverse of C2 is 2F (from the book) but I want to work it out. I set 194 (i.e. C2 in denary) equal to 1mod283 (the polynomial in denary). My answer after doing the Eu. Alg extended is 124x194 - 85x283 = 1. This seems to work but 124 is NOT 2F when converted back into hex. I have also tried setting A(x)B(x) = 1 modP(x) with A(x) = x^7 + x^6 + x and P(x) = x^8 + x^4 + x^3 + x + 1. Applying the E. Alg is fine (I finish with a remainder of 1) but when I try the extended algorithm to find B(x) things get rather 'messy'. Is there a 'fully worked' example that shows the process of finding the hex inverses in GF(2^8)? My apologies for bothering you again with (perhaps) a daft question, but it is something I should really like to learn. Thank you, once again.
+7x34hj I know where your problem is. ALL ARITHMETIC MUST BE DONE WITH POLNYOMIALS IN THE GALOIS FIELD GF(2^8) (sorry for the caps :)) That means you can NOT do integer arithmetic. Rather, you have to perform the extended Eucl. Alg. with polynomials. The input to the EEA would be x^7 + x^6 + x ("C2") and P(x). The EEA should then compute a gcd of 1 and the inverse as x^5+x^3+x^2+x+^("2F"). Sorry, but we do not show the EEA with polynomials in the book. It works completely the same way as the EEA with integers, though. cheers, christof
Introduction to Cryptography by Christof Paar Thank you. Actually I also tried that but I did not get the inverse. Perhaps I am making a blunder in my calculations; I'll try again!
Awesome! Thanks for sharing this lecture!
Professor u didn't do the last topic so where can I find the decryption part, it's really important to me Professor, as I am not in any University, your lectures are my only way to learn
Thank you Sir for such an amazing Lecture Series .
Much love to you sir! Very clear explanation! Love you!
Great Lecturer Series,,,, Keep the good work Going
You can skip the history bit by going to 18:20
Some silliness...
AES-Variant 1 : Double-AES with a twist ...
*Init :* Let Key2 = SHA1 of (Key1 XORed with previous blocks plaintext)
*Round 1 :* Perform AES with Key1
*Do the twist ...*
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
Rotate both bitfields clockwise 90 degrees
*Round 2 :* Perform AES with Key 2
AES-Variant 2 : AES-512/infested
*Init :* Let Key1 and Key2 be halves of the 512bit key
Then, For block 0...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* _(do nothing, yet)_
*Round 2:* Perform AES-256 with Key2
Use the first 128 bytes of sent plaintext (Block 0) as a random IV ... for both sides to define the positions and states of 16 Langton Ants. 8 in each 8x8 field. These first bytes are sunk by the receiving side, thus never make it out of the decoder. Actual message passing will begin in block 1.
Now, for all subsequent blocks ...
*Round 1:* Perform AES-256 with Key1
Take the 128 (8x16) table of bits - to be two separate bitfields of 64 bits (8x8)
*Langtons Ants round :* with 8 ants in each 8x8 bitfield, let them wander 'n' times corrupting the field. (++ see note)
*Round 2:* Perform AES-256 with Key2
Actual messages begin from Block1, once Ants are active
(++ Important Note) In this system, the langtons ants live in the stored bitfield of the previous block, but duplicate their bit-flipping to the bitfield of the current block. This prevents the ants from permutating data in a way that the the recipient cannot know _(thus avoiding a one-way function)._ By using the previous round as the langtons playground, and duplicating their bit-flipping antics in the current bitfield, both sides ants can remain synchronised using data both sides already know.
Neither of these are actual security algorithms, but they're fun : ) I doubt either scheme weakens AES - but then, I'm not a cryptographer... so, y'know... don't trust 'em, they might cause some unknown weakness compared to regular AES. Especially the first one. The second one, though, I have a lot of faith in ; )
But neither of these are serious proposals...
... I'm just a guy who dreams up weird code when he's drunk... oh, and has a peculiar fascination for Langtons Ants : )
very nice and helpful :) thank you for all ur lectures...they are very enlightening and make the topics so easily understandable compared to the complex chapters in the cryptography books
INDIAn
Wirklich klasse! Mich hätten ein paar mehr Hintergrundinfos zum Design von AES interessiert. Ich weiss nun genau, wie es funktionniert, aber verschiedene Design-Entscheidungen (warum 10 Runden, und nicht 9 oder 11?) erscheinen weiterhin willkürlich. Sehr gut fand ich z.B. den Exkurs über die Diffusion.. Es kann natürlich sein, dass die Hintergründe einfach zu kompliziert für eine 90 minütige Vorlesung sind.
Great Lecturer series. thank you
1:14:50 "this is really complicated in a very clear mathematical way" :D
Great lecture! Got a bit lost around the SBOX explaination part
Great lecture, thanks a lot.
awesome lecture
Q: Where does all that sexy Extension Field stuff from last lecture come into play?
A: In the S-boxes 59:00
Very well explain sir thak you sir
Beautiful teaching... there is ans for every "why?"
Intro to AES 2:00
Structure of AES 18:10
Internals of AES 32:25
sorry, but i couldn't really catch your last sentence, where would decryption be done? (:
In case it still matters: In the "Übung", the exercise class.
so simple, easy to understand and interesting lectures. one thing that didnt get is that in which university it is recorded it looks like american but the lecturer is talking in german too.
I teach at Ruhr University Bochum, a large university in North-Western Germany. The lecture is in English (as opposed to German) because we always have several foreign exchange students who often speak only English.
I commented after watching the previous video.In this video i can see ruhr university written. Thank you very much for uploading the video it helped me alot.
how do you get B' ? Oh, got it. It is the inverse of A^(-1)=B', such
that AxB'=1. And B' to be computed using Euclidean Algoth. Once B' is
found B can be computed, and actually it is on that table from the book,
right?
Professor is there any explanation for key expansion for AES available.
I do need the same
Waiting for the Decryption part. Although I know it, continuity is the reason I'm asking for it.
Both Key Schedule generation and Decryption are missing. I believe they were covered during the Lab which may not have been recorded unfortunately.
Zach Miller
Sorry, there is not lecture about key schedule and decryption. I always assigned those as homework :) Chapter 4 (AES) of our book can be downloaded for free at www.crypto-textbook.com (click Sample Chapters). I would recommend that you have a look at it there, key schedule and decryption are not that complicated once you've worked through encryption. Cheers, christof
Someguy tell me one time AES 256 is uncrackeable just cant, nobody can crack AES 256 even quantum pc
+jorge cabrera Just for balance, know that implementation matters: hardwear.io/wp-content/uploads/2015/10/got-HW-crypto-slides_hardwear_gunnar-christian.pdf Then there are BlackHat conference results where the key or plaintext data are leaked by just keeping a user session uninterrupted (avoiding ACPI S4 sleep or greater, which would have the user re-authenticate.) Looking forward to drives and drive service updates of 2016.
Well done lecture. Enjoyed it.
Thank you.
easy to understand, thanks professor
Hello Prof Paar
It is my understanding that for any (existing) block cipher or mode that the cipher test key and therefore the round keys are exactly the same for each block that is processed by the block cipher. Is that correct?
Second part of the question: If that is correct what does that say to the relative strengths of block vs stream ciphers where (in stream ciphers) the key is always being expanded by a CSPRNG with an extremely low predictability factor
Thank you for this course
Steve
Thank you for this lecture.
thank u very much sir
Sir you are the best
Mix Columns in AES
Would someone please explain how the number of XOR gates are 3 and 11 respectively for the following:
Number of XOR gates needed for constant 02 multiplication in GF(2 power 8) is 3
Number of XOR gates needed for constant 03 multiplication in GF(2 power 8) is 11
buy the text book. It makes the lecture easier!
still i am having doubt in s-box functionality...
This is really helpful!
Sir. I would like to know about the fixed matrix of affine transformation for S-box construction in AES, What is the logic behind that matrix?
Hello Professor,
I have a question on key length. As per AES, it can be 128, 192 or 256 bits. What would be the deciding factor to choose the key length?
And w.r.t cost i assume 192 and 256 key lengths cost more. Am i right?
AES-128 has 10 rounds, AES-192 has 12 rounds and AES-256 has 14 rounds. The only "cost" that we have is the increased runtime if you choose 192 or 256 bit compared to 128 bits. Please not that AES runs very fast on modern CPUs and it really depends on your application whether the AES performance is a limiting factor.
Also, AES-128 is considered highly secure. The only realistic threat are large-scale quantum computers, which might or might not become available in 10-20 years. AES-256 is believed to be secure against quantum computers too.
Sir In 1.10.50 why the inverse of Ai (1100 0010) is Bi(0010 1111)? Should't be Bi = (0011 1101)? I mean for example a bit 1 in Ai become 0 in Bi?
Man, you rock;-) Thanks a lot!
Really good!! Thanks :D
This course is from 2010 but I'm in 2019 is there anything that has changed in cryptography in the past decade or is this course enough
Could you please provide the information regarding the confidentiality and integrity algorithms EEA3 and EIA3 or ZUC?
I believe this is the former life of Klaus from American Dad 😁
The most commonly used algorithm in the world is simple counter . :D for( x=0;x
Question: I might not be understanding this correctly but how does AES ensure that at the end of 14 rounds, it hasnt done enough bit flips that is now the original unencrypted byte?
Also thank you for this video.
It is HIGHLY unlikely that the ciphertext after 14 rounds will be identical to the original plaintext. A strong block cipher can be approximated as a so-called "random permutation". That means for every plaintext, each ciphertext has a probability of roughly 2^128. Thus, the chance that the ciphertext becomes the original plaintext is tiny, tiny, tiny, namely roughly 2^(-128). regards
What would be the case if the input byte has no inverse, which would be the case if the input byte is the same as the mod polynomial? the remainder would be Zero.
thank you very much sir!!!!!!!!!
59:09: Microsoft: "Macro Warning"
Cyber Security Professor: "Should be fine."
This is helpful! thank you
why is the number of rounds required for aes 128 bit algorithm equal to 10?is there any formula for it?
Thank you very much
Great lecture
Please don't talk, but sleep..
hi sir thank u for the lecture sir it is very helpful..... but I want to know some disadvantage of aes and how can these disadvantages can be overcome but joining some other algorithm with this algorithm... can u respond to my question sir.....
+Meena Charming AES is the best block encryption currently, the key length can go up to 256 bits and this key is soo huge a brute force attack is not currently possible with todays technology. If it even came close, we could make triple AES but this would be very slow
Joshua of X thank u sir...... Currently iam doing my proj on aes algorithm.... Can i use geographical based protocol along wit aes algorithm??? Wil it give best result?????
Meena Charming Hello I am not the lecturer, I am also just a student. sorry I cannot help you with this question
+Joshua of X oh kk.... Anyways thank u joshua......
Can anyone tell me where can I find a book that has to do with C# and encryption
: something like this " Encryption Programming in C# " sorry for my bad english
super professor
I'm not seeing discussion of "Key Addition".
I aware of the fact that AES is more secure and stuff, but I've used DM5 in my school project coz it's simple to implement in java app.
Any thoughts on DM5 algorithm?
i dont really think there is an encryption named dm5.
I'm confused. He says that you simply XOR the MixCol output with the key. This paper says that key addition is more involved than : engineering.purdue.edu/kak/compsec/NewLectures/Lecture8.pdf Does anyone know the reason for the discrepancy?
Never mind, he's just going through the first round.
Thank you!!!
Thanks a lot
good explanation
Good Job!
Couldn't understand what he said about decryption at the very end. Is it explained in other video or simply left behind?
Sorry, We do not have a video on decryption. It was done in the "Übung", i.e., an additional help session which the students have every week. Again, I am sorry. But if you a look in our book, decryption is explained quite clearly using the same style as the lecture. regards, christof
Prof. could you please tell us the name of the book. Thanks
We use our textbook Understanding Cryptography, cf. www.cryptotextbook.com
I don’t understand how he went from Ai to Ai(x) in the example at 1:03:38
Good question. I try to explain this in the lecture: In the computer, this is a just a vector consisting of 8 bits. But you can also view that as polynomial with binary coefficients. And that's exactly what we do in AES: We view the 8 bits as a polynomial and do computations with it. -- I know it is a bit confusing :)
sir ,can u explain me how u caluculated inverse substitution layer
Very Helpful