ModAES 4096

1

• ModAES 4096
• an Algorithm for Sector Disk Level Encryption
• Klaus Helbig, Zyfer Inc.

2
Scope

• ModAES-4096 Blockstructure
• Function F One Round AES128
• Key Expansion AES Key Expansion
• Permutation P makes the Algorithm to a Feistel
  Network
• Permutation P and RoundKey
• Use of the Sector Number SN
• Number of Rounds and Key Length
• Encryption Mode and Inverse Cipher
• Performance
• Accomplishing the Basic Requirements
• Diffusion Exambles
• Algorithm Properties

3
ModAES-4096 Blockstructure
4
ModAES-4096 Blockstructure

5
Function F One Round AES128
Round Key
6
Key Expansion AES Key Expansion

• Key with 128 bit (Nk4), 192 bit (Nk6) or
  256 bit (Nk8)
• AES key expansion Key(0), , Key(Nk-1) to
  W(0), W(1),,W(4(Nr2)-1)

W(0,0) W(0,1) W(0,2) W(o,3) W(1,0)
.
V(0) V(1) V(2) V(3)
V(4)
RoundKeys
K(0) V(0), V(1), , V(15) K(1) V(1), V(2),
, V(16) K(i) V(i), V(i1), ,
V(i15) K(16(Nr1)15) V(16(Nr1)15), ,
V(16(Nr1)31)
7
Permutation P makes the Algorithm to a Feistel
Network
8
Permutation P and RoundKey
Block (i, j )
K(16 r i 4 j )
F
uses Key element V(16(r1) i 4j k 4l)
9
Use of the Sector Number SN

• Function F (state) F (state .xor. SN )
• pro easy fast
• contra if the algorithm has some weakness and
  the key can be defined, than all sectors can be
  decrypted
• needs more research
• 2. SectorKey AES ( Key, SN )
• pro high secure if the algorithm has some
  weakness than only the SectorKey could be
  defined, the Key is still secure
• contra lower performance, higher complexity
• 3. Other methods needs more research

10
Encryption Mode and Inverse Cipher
The encryption mode is ECB. The algorithm is a
Feistel Network defined by the Permutation P,
therefore work cipher and inverse cipher with the
same algorithm but the inverse cipher with
inverted RoundKey sequences. When the use of
the inverse cipher is the predominant case, then
for the encryption should be used the inverted
RondKey sequence. When the cipher and the
inverse cipher will be used equably, then the
RoundKey sequence should be symmetric ( ! needs
more research ).
11
Number of Rounds and Key Length

• Nr 16 rounds, 18 or 20 rounds are better.
• Key Lenght 128 bits, 192 or 256 bits are
  better.
• The Rijndael developers proposed 10 rounds as a
  conservative margin for AES128. Others think 10
  is to small.
• For AES no shortcut attacks (more efficient than
  exhaustive key search) for more than 9 rounds
  have been found yet.
• After 6 rounds ModAES-4096 provides full
  diffusion Every state bit depends on all state
  bits 6 rounds ago.
• 16 rounds are 6 rounds full diffusion 10
  rounds AES128.
• For up to 7 rounds exist Lambda-sets. After 8
  rounds no Lambda-sets exist any more. Lambda-sets
  can be used for dedicated Square attacks better
  than exhaustive key search for up to 5 more
  rounds what would mean here for up to 7 5 12
  rounds.

12
Performance

• Software
• is faster than 16 x AES256 in ECB mode
• is faster than 32 x AES128 in ECB mod
• Dedicated Hardware
• - 16 parallel One round AES128 Key expansion
• lt 400 K gates, lt 50 clock cycles
• - performance for 100 MHz internal clock
• 100/50 10exp6 512 byte /sec gt 8 Gbit/sec

13
Accomplishing the Basic Requirements

• Confidentiality on the level of AES AES round
  function is used, the results of
  AES128 research can be used but
  needs more research
• Sector encryption 512 byte plaintext Yes
• to 512 ciphertext, needs no additional room
• for any expansion
• Sector encryption with no sector chaining Yes
• Any change in the ciphertext randomizes Yes
• the plaintext
• Dictionary attacks are limited to individual
  Yes
• sectors

14
Example Diffusion after 5 Rounds
Plaintext1 00 00 00 00 ... 00 00 (512
byte) Plaintext2 01 00 00 00 ... 00 00
Cipher Key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88
09 cf 4f 3c (example key from FIPS 197) The
result of the xor of the generated ciphertext1
and ciphertext2 shows the diffusion of the
difference in plaintext1 and plaintext2. After 5
rounds (difference in any block (0, i, j ) )
respective after 6 rounds (difference in any
block (1, i, j) ) the difference in one plaintext
byte generates a difference in all 512 ciphertext
bytes.
15
Example Diffusion after 5 Rounds
16
Example Diffusion after 6 Rounds
17
Algorithm Properties

• The properties of the AES128 in relation to
  differential and linear cryptanalysis supports
  also ModAES-4096. No differential and no linear
  based attack should work.
• Ferguson, Schneier and others wrote about the
  key schedule of the AES, that it does not achieve
  its stated design goals, especially for 192 and
  256 bit keys, and they find them worrisome. (
  Improved Cryptoanalysis of Rijndael, www. ...).
  In relation to ModAES-4096 the key expansion and
  the use of the expanded key is more important and
  needs more research.
• Diffusion A byte difference in one of the 16
  left blocks (0,i,j) generates a difference of gt
  4 bytes after 1 round, gt 4x4 bytes after 2
  rounds, ... , 512 bytes after 5 rounds. A byte
  difference in one of the 16 right blocks (1,i,j)
  generates the same number of differences after
  one round more.
• Square attacks A one byte Lambda-set in the
  plaintext in one of the 16 left blocks (0,i,j)
  generates in the ciphertext after 6 rounds in
  about 190 byte positions the Xor sum 0 over all
  releated ciphertext bytes. Same for a one byte
  Lambda-set in the plaintext in one of the 16
  right blocks (1,i,j) after 7 rounds. After 7
  respective 8 rounds this property does not exists
  any more.