As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.
Extending AES-128 Attacks to AES-256
Many of the tutorials in this wiki discuss attacks on AES-128 encryption. It turns out that its big brother, AES-256, can be attacked by extending the same attacks. This page discusses AES-256 and how to reuse an AES-128 attack to obtain the key.
The AES-256 Algorithm
In AES-128, we used the following steps to encrypt 16 bytes of plaintext:
- Use a 16 byte key to generate a key schedule, which is 176 bytes long (11 words made up of 16 bytes).
- Put the 16 bytes of plaintext into a 4x4 state matrix.
- Combine the first word of the key schedule with the state.
- Apply 10 rounds of transformations to the state, involving the key schedule.
- Retrieve 16 bytes of ciphertext from the state matrix.
The transformations involve several functions which mix together the bytes of the state. These functions are SubBytes(), MixColumns(), and ShiftRows().
AES-256 is not much different from AES-128. The encryption process is:
- Use a 32 byte key to generate a key schedule, which is 240 bytes long (15 words made up of 16 bytes).
- Put the 16 bytes of plaintext into a 4x4 state matrix.
- Combine the first word of the key schedule with the state.
- Apply 14 rounds of transformations to the state, involving the key schedule.
- Retrieve 16 bytes of ciphertext from the state matrix.
Notice that most of this algorithm is the same. Earlier, we could attack a target by examining the output of a substitution box; since AES-256 uses these same S-boxes, we should have no problem finding a sensitive point to attack.
The following code is an example of the AES-256 decryption algorithm, written by Ilya O. Levin:
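    /* Undo the last round: AddRoundKey, then inverse ShiftRows and SubBytes */
    aes_addRoundKey_cpy(buf, ctx->deckey, ctx->key);
    aes_shiftRows_inv(buf);
    aes_subBytes_inv(buf);

    /* Loop body runs for i = 13 down to 1 */
    for (i = 14, rcon = 0x80; --i;)
    {
        if( ( i & 1 ) )
        {
            /* Odd rounds: step the key schedule backwards before using it */
            aes_expandDecKey(ctx->key, &rcon);
            aes_addRoundKey(buf, &ctx->key[16]);
        }
        else aes_addRoundKey(buf, ctx->key);
        aes_mixColumns_inv(buf);
        aes_shiftRows_inv(buf);
        aes_subBytes_inv(buf);
    }
    aes_addRoundKey( buf, ctx->key);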
Note that this implementation chooses to expand the key during the decryption process. This order of events isn't a big deal to us - the subBytes() operation will still be visible in a power trace.
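The 240-byte AES-256 key schedule described above can be computed in either direction, which is what lets an implementation expand the key while it decrypts. The C below is an added example, not code from this wiki or from Levin's library: it fills the schedule forward from the 32-byte key, then refills it backward from only the last 32 bytes (round keys 13 and 14) and checks that both agree. The names `aes256_schedule`, `sched_word` and `roundtrip_ok` are assumptions made for illustration, and the sample key is the FIPS-197 Appendix A.3 example key.

```c
#include <stdint.h>
#include <string.h>
static uint8_t sbox[256];
/* Build the AES S-box at run time: inverse in GF(2^8), then the affine map. */
static void init_sbox(void) {
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0)); /* p = p * 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                                /* q = q / 3 */
        sbox[p] = 0x63;                   /* q is now the inverse of p */
        for (int r = 0; r <= 4; r++) sbox[p] ^= (uint8_t)((q << r) | (q >> (8 - r)));
    } while (p != 1);
    sbox[0] = 0x63;
}
/* Transform of the previous 4-byte word for the word at schedule byte offset i. */
static void sched_word(const uint8_t *prev, int i, uint8_t t[4]) {
    if (!sbox[0]) init_sbox();
    memcpy(t, prev, 4);
    if (i % 32 == 0) {                    /* RotWord, SubWord, Rcon */
        t[0] = sbox[prev[1]] ^ (uint8_t)(1 << (i / 32 - 1));
        t[1] = sbox[prev[2]]; t[2] = sbox[prev[3]]; t[3] = sbox[prev[0]];
    } else if (i % 32 == 16) {            /* extra SubWord, AES-256 only */
        for (int j = 0; j < 4; j++) t[j] = sbox[prev[j]];
    }
}
/* back = 0: fill w from the key in w[0..31]; back = 1: fill w from w[208..239]. */
void aes256_schedule(uint8_t w[240], int back) {
    for (int n = 0; n < 52; n++) {               /* 52 words to derive */
        int i = back ? 236 - 4 * n : 32 + 4 * n; /* byte offset of the later word */
        uint8_t t[4], *known = w + (back ? i : i - 32), *out = w + (back ? i - 32 : i);
        sched_word(w + i - 4, i, t);
        for (int j = 0; j < 4; j++) out[j] = known[j] ^ t[j];
    }
}
/* Constructed sample input: the FIPS-197 Appendix A.3 example key. */
static const uint8_t SAMPLE_KEY[32] = {
    0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,
    0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4 };
/* Returns 1 if the backward schedule reproduces the forward one, key included. */
int roundtrip_ok(void) {
    uint8_t fwd[240], bwd[240] = {0};
    memcpy(fwd, SAMPLE_KEY, 32);
    aes256_schedule(fwd, 0);
    memcpy(bwd + 208, fwd + 208, 32);     /* keep only round keys 13 and 14 */
    aes256_schedule(bwd, 1);
    return memcmp(bwd, fwd, 240) == 0;
}
int main(void) { return roundtrip_ok() ? 0 : 1; }
```

Because the schedule is invertible, any two consecutive 16-byte round keys are equivalent to the full 32-byte key, so they need the same protection as the key itself.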