Professional Documents
Culture Documents
C04 Rijndael
C04 Rijndael
C04 Rijndael
Fundamentals of
of Cryptography
Cryptography
Lecture C-04
Rijndael:
The Advanced Encryption Standard (AES)
1
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 2
Motivation for Replacing DES
Author: W T Penzhorn 3
NIST’s AES Initiative
Author: W T Penzhorn 4
AES specifications
◆ Broad specification:
+ More secure than Triple DES
+ More efficient than Triple DES
◆ Parameter specifications
+ Key sizes: 128, 192, 256 bits
+ Block size: 128 bits (other sizes optional)
◆ Design criteria
+ Secure
+ Fast
+ Scalable (key size)
+ Efficient implementation in both H/W and S/W
+ Flexible for a variety of platforms and operating systems
+ Key agility in a dynamic environment
Author: W T Penzhorn 5
Key Space Comparison: DES vs AES
◆ DES
+ 56-bit = 7.2 × 1016 combinations
◆ AES
+ 128-bit = 3.4 × 1038 combinations
+ 192-bit = 6.2 × 1057 combinations
+ 256-bit = 1.1 × 1077 combinations
◆ DES in 1s = AES-128 in 149,000 billion years
◆ The Universe is 20 billion years old
Author: W T Penzhorn 6
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 7
AES Time Table
Author: W T Penzhorn 8
Evaluation: Round 1
◆ Criteria:
+ Cryptographic strength
+ Efficiency (on various platforms)
+ Flexibility
+ Elegance
+ Absence of trapdoors
Author: W T Penzhorn 9
Results from Round 1
◆ Security problems:
+ DEAL, Frog, HPC, LOKI97, Magenta
◆ Very slow:
+ DEAL, Frog, Magenta, SAFER+
◆ No problems, but not good enough:
+ CAST-256, DFC, E2
Author: W T Penzhorn 10
AES Finalists
◆ MARS IBM
◆ RC6™ RSA Laboratories
◆ Rijndael Daemen & Rijmen Univ. Leuven - Belgium
◆ Serpent Anderson, Biham & Knudsen
◆ Twofish Counterpane Sys & Univ. Berkley (CA)
Author: W T Penzhorn 11
Feistel Ciphers and S-P-Networks
S
S S S S S S S S S
P
S
S
P
Author: W T Penzhorn 12
Generic Block Cipher Structure
Pre-whitening
Key schedule:
•Simple Subkey r iterations of
r+2
•Complex generator a processing
Subkeys
•One-way function
Post-whitening
Ciphertext block
Author: W T Penzhorn 13
Classification of Finalists
Author: W T Penzhorn 14
Block Cipher Design Tradeoff
◆ L. O’Connor:
“Most ciphers are secure after sufficiently many rounds.”
◆ J.L. Massey:
“Most ciphers are too slow after sufficiently many rounds.”
Author: W T Penzhorn 15
Summary of Finalist’s Features
◆ MARS
+ complex, fast, high security margin
◆ RC6
+ very simple, very slow on 8-bit architectures, low security margin
◆ Rijndael
+ clean, fast, good security margin
◆ Serpent
+ slow, clean, very high security margin
◆ Twofish
+ complex, very fast, high security margin
Author: W T Penzhorn 16
Evaluation: Round 2
Author: W T Penzhorn 17
Attacks on Block Ciphers
Author: W T Penzhorn 18
Discussion
Author: W T Penzhorn 19
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 20
Rijndael
◆ Submitted by:
+ Joan Daemen (of Proton World International)
+ Vincent Rijmen (of Katholieke Universiteit Leuven)
◆ Design rationale
+ Resistance against all known attacks
+ Speed and code compactness on a wide range of platforms
+ Design simplicity
Author: W T Penzhorn 21
Rijndael - Parameters
◆ Example: Nb = 6
a0,0 a0,1 a0,2 a0,3 a0,4 a0,5
◆ Example: Nk = 4
Author: W T Penzhorn 24
Number of rounds
Nk=4 10 12 14
Nk=6 12 12 14
Nk=8 14 14 14
Author: W T Penzhorn 25
Rijndael: Algorithm Overview
Key Expansion
Add Round-Key
Transformations:
Repeat -ByteSub
(Nr-1) -ShiftRow
-MixColumn
Times
Add Round-Key
Transformation:
-ByteSub
-ShiftRow
Add Round-Key
Author: W T Penzhorn 26
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 27
Rijndael Round Function (1)
Kn
Author: W T Penzhorn 28
Rijndael Round Function (2)
Author: W T Penzhorn 29
Rijndael Round Function (3)
Author: W T Penzhorn 30
ByteSub Operation
S-box
◆ Transformation is byte-by-byte
◆ Use an invertible S-box
◆ One S-box is used for the whole cipher (simplicity)
Author: W T Penzhorn 31
Rijndael S-box
Author: W T Penzhorn 32
S-box Design (1)
Author: W T Penzhorn 33
S-box Design (2)
Author: W T Penzhorn 34
S-box Design (3)
Author: W T Penzhorn 35
ShiftRow Operation (1)
a b c d No shift a b c d
e f g h Shift by C1 (1) f g h e
i j k l Shift by C2 (2) k l i j
m n o p Shift by C3 (3) p m n o
Author: W T Penzhorn 36
ShiftRow Operation (2)
Nb C1 C2 C3
4 1 2 3
6 1 2 3
8 1 3 4
Author: W T Penzhorn 37
Choice of ShiftRow offsets
Author: W T Penzhorn 38
MixColumn Operation (1)
a0,j b0,j
a0,0 a0,1 a0,2 a0,3 a0,4 a0,5 b0,0 b0,1 a0,2 b0,3 b0,4 b0,5
⊗ c(x)
a1,0 a1,1 aa1,j
1,2 a1,3 a1,4 a1,5
b1,0 b1,1 b
a1,j
1,2 b1,3 b1,4 b1,5
a3,0 a3,1 a3,2 a3,3 a3,4 a3,5 b3,0 b3,1 a3,2 b3,3 b3,4 b3,5
a3,j b3,j
+ Each column is multiplied by a fixed polynomial
+ C(x) = ’03’ × x3 + ’01’ × x2 + ’01’ × x + ’02’
+ This corresponds to matrix multiplication b(x) = c(x) ⊗ a(x):
Author: W T Penzhorn 39
MixColumn Operation (2)
Author: W T Penzhorn 40
Design of MixColumn
Author: W T Penzhorn 41
Round Key Addition
a0,0 a0,1 a0,2 a0,3 k0,0 k0,1 k0,2 k0,3 b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3 k1,0 k1,1 k1,2 k1,3 b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3
⊕ k2,0 k2,1 k2,2 k2,3 = b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3 k3,0 k3,1 k3,2 k3,3 b3,0 b3,1 b3,2 b3,3
Author: W T Penzhorn 42
Illustration of Round Function
Author: W T Penzhorn 43
Author: W T Penzhorn 44
Author: W T Penzhorn 45
Graphical Illustration of the Algorithm
Author: W T Penzhorn 46
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 47
Key Schedule
Author: W T Penzhorn 48
Key Expansion I
Author: W T Penzhorn 49
Key Expansion II
Cipher Key
(128-, 192-, 256-bits)
Author: W T Penzhorn 50
Key Expansion III
Cipher Key W
KE Key Expansion
X r1 r2 r3 Rn-2 Rn-1 rn Y
Encryption Rounds r1 … rn
Author: W T Penzhorn 51
Illustration: Key Expansion and Round Key selection
Author: W T Penzhorn 52
Key Schedule Characteristics
Author: W T Penzhorn 53
Key Expansion Design Criteria
Author: W T Penzhorn 54
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 55
Decryption
Author: W T Penzhorn 56
Decryption: MixColumn Operation
Author: W T Penzhorn 57
Encryption vs. Decryption
Author: W T Penzhorn 58
Rijndael Security Against Known Attacks
Author: W T Penzhorn 59
Outline
1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects
Author: W T Penzhorn 60
Rijndael: Implementations (1)
Author: W T Penzhorn 61
Rijndael: Implementations (2)
Author: W T Penzhorn 62
Encryption Performance (Relative)
Author: W T Penzhorn 63
Computational Efficiencies
Author: W T Penzhorn 64
Key Setup Performace (Relative)
Author: W T Penzhorn 65
Overall Performace (Relative)
Author: W T Penzhorn 66
Code Size and Copyright
Author: W T Penzhorn 67
Summary: Rijndael Characterstics
Author: W T Penzhorn 68