C04 Rijndael


Fundamentals of Cryptography

Lecture C-04
Rijndael:
The Advanced Encryption Standard (AES)

Outline

1. Introduction: AES
2. AES: Round 1 and 2
3. Introducing Rijndael
4. Rijndael round function
5. Rijndael key schedule
6. Decryption
7. Practical aspects

Author: W T Penzhorn 2
Motivation for Replacing DES

◆ DES is 10 years past its original certification period
◆ DES parameters
+ 64-bit block
+ 56-bit keys (much too small)
◆ DES is not secure against brute-force attacks
+ Internet attack (’97)
◆ Various “DES crackers” have been designed/built:
+ Wiener (’93)
+ EFF (’98)
◆ Triple DES (112-bit key) is currently used, but is slow
◆ DES not suitable for modern processors and
NIST’s AES Initiative

◆ NIST initiated a process to develop a new data encryption algorithm, called the Advanced Encryption Standard (AES), to replace DES.
◆ The AES should be:
+ Designed for government and commercial use in the 21st century
+ Publicly defined and evaluated
+ World-wide royalty-free
AES specifications

◆ Broad specification:
+ More secure than Triple DES
+ More efficient than Triple DES
◆ Parameter specifications
+ Key sizes: 128, 192, 256 bits
+ Block size: 128 bits (other sizes optional)
◆ Design criteria
+ Secure
+ Fast
+ Scalable (key size)
+ Efficient implementation in both H/W and S/W
+ Flexible for a variety of platforms and operating systems
+ Key agility in a dynamic environment
Key Space Comparison: DES vs AES

◆ DES
+ 56-bit = 7.2 × 10^16 combinations
◆ AES
+ 128-bit = 3.4 × 10^38 combinations
+ 192-bit = 6.2 × 10^57 combinations
+ 256-bit = 1.1 × 10^77 combinations
◆ A machine that exhausts the DES key space in 1 s needs about 149,000 billion years for AES-128 (the key space is 2^72 times larger)
◆ The Universe is roughly 14 billion years old
2. AES: Round 1 and 2
AES Time Table

◆ 1997 NIST’s international call for algorithms
◆ June 1998 15 submissions received
◆ August 1998 1st AES Conference
◆ August 1998 – April 1999 Review of the 15 submissions
◆ March 1999 2nd AES Conference
◆ April 1999 5 AES finalists selected
◆ April 2000 3rd AES Conference
◆ May 2000 Close of public comments
◆ October 2, 2000 Rijndael announced as AES winner
◆ February 28, 2001 NIST’s Draft FIPS for AES available for public review
Evaluation: Round 1

◆ Criteria:
+ Cryptographic strength
+ Efficiency (on various platforms)
+ Flexibility
+ Elegance
+ Absence of trapdoors

Results from Round 1

◆ Security problems:
+ DEAL, Frog, HPC, LOKI97, Magenta
◆ Very slow:
+ DEAL, Frog, Magenta, SAFER+
◆ No problems, but not good enough:
+ CAST-256, DFC, E2

AES Finalists

◆ MARS IBM
◆ RC6™ RSA Laboratories
◆ Rijndael Daemen & Rijmen, Univ. Leuven (Belgium)
◆ Serpent Anderson, Biham & Knudsen
◆ Twofish Counterpane Systems & Univ. of California, Berkeley
Feistel Ciphers and S-P-Networks

[Figure: a Feistel cipher (left) beside an S-P network (right); the S-P network is drawn as a layer of parallel S-boxes S followed by a permutation P, repeated over several rounds]
Generic Block Cipher Structure

[Figure: plaintext block → pre-whitening → r iterations of a processing round, each fed by a subkey (r+2 subkeys in total, including the whitening keys) → post-whitening → ciphertext block. The key schedule derives the subkeys from the user key and may be a simple subkey generator, a complex generator, or a one-way function]
Classification of Finalists

Cipher     Based on   Type         Rounds
TWOFISH    -          Feistel      16
MARS       -          M-Feistel    32
RC6        RC5        M-Feistel    20
RIJNDAEL   SQUARE     SP-network   10, 12, 14
SERPENT    DES        SP-network   32
Block Cipher Design Tradeoff

◆ L. O’Connor:
“Most ciphers are secure after sufficiently many rounds.”

◆ J.L. Massey:
“Most ciphers are too slow after sufficiently many rounds.”

◆ Basic design tradeoff:
+ Sufficient security for the smallest “cost”
Summary of Finalist’s Features

◆ MARS
+ complex, fast, high security margin
◆ RC6
+ very simple, very slow on 8-bit architectures, low security margin
◆ Rijndael
+ clean, fast, good security margin
◆ Serpent
+ slow, clean, very high security margin
◆ Twofish
+ complex, very fast, high security margin

Evaluation: Round 2

◆ Performance in software and hardware
◆ IP issues
◆ Cross-cutting analysis
Attacks on Block Ciphers

◆ Exhaustive search (brute-force attack)
◆ Attacks based on statistical analysis of (known or chosen) plaintext/ciphertext pairs
+ Differential cryptanalysis (Biham and Shamir)
+ Linear cryptanalysis (Matsui)
◆ Other attacks
+ Interpolation attacks
+ Related-key attacks
Discussion

◆ The AES candidate ciphers reflect the state of block cipher design in the late 1990s
◆ All 5 finalists met the criteria; no security weaknesses were found in any of them
◆ All were implemented in both H/W and S/W for evaluation
◆ User-related aspects had a strong influence on the final choice:
+ flexibility
+ speed on various platforms
+ cost of implementation (code size and IC complexity)
3. Introducing Rijndael
Rijndael

◆ Submitted by:
+ Joan Daemen (of Proton World International)
+ Vincent Rijmen (of Katholieke Universiteit Leuven)
◆ Design rationale
+ Resistance against all known attacks
+ Speed and code compactness on a wide range of platforms
+ Design simplicity

Rijndael - Parameters

◆ Variable block length and variable key length
◆ Block length (Nb × 32):
+ 128, 160, 192, 224 or 256 bits
◆ Key length (Nk × 32):
+ 128, 160, 192, 224 or 256 bits
◆ Number of rounds:
+ 10 / 12 / 14 rounds (depending on Nb and Nk)
◆ Iterated, invertible S-P network
◆ Operations:
+ XOR
+ S-box
+ Arithmetic over GF(2^8)
+ No integer arithmetic (addition / multiplication), hence no carry chains
Definition: State

◆ The transformations in a round operate on the intermediate result, called the State
◆ The State can be pictured as a rectangular array of bytes
◆ The State array has four rows
◆ The number of columns in the State is denoted by Nb
+ Nb = block length ÷ 32
+ The input block fills the array column by column: byte number r + 4c of the block becomes a_r,c
◆ Example: Nb = 6 (192-bit block)

a0,0 a0,1 a0,2 a0,3 a0,4 a0,5
a1,0 a1,1 a1,2 a1,3 a1,4 a1,5
a2,0 a2,1 a2,2 a2,3 a2,4 a2,5
a3,0 a3,1 a3,2 a3,3 a3,4 a3,5
Definition: Cipher Key

◆ The Cipher Key is similarly pictured as a rectangular array with four rows
◆ The number of columns of the Cipher Key is denoted by Nk
+ Nk = key length ÷ 32
◆ Example: Nk = 4 (128-bit key)

k0,0 k0,1 k0,2 k0,3
k1,0 k1,1 k1,2 k1,3
k2,0 k2,1 k2,2 k2,3
k3,0 k3,1 k3,2 k3,3
Number of rounds

◆ Plaintext, ciphertext and key are specified as sequences of 8-bit bytes
◆ Block length: 16, 24, or 32 bytes
◆ Key length: 16, 24, or 32 bytes
◆ The number of rounds, Nr, depends on block length and key length (Nr = max(Nb, Nk) + 6):

Nr     Nb=4   Nb=6   Nb=8
Nk=4   10     12     14
Nk=6   12     12     14
Nk=8   14     14     14
Rijndael: Algorithm Overview

Key Expansion (derive the Nr + 1 Round Keys)

Add Round-Key (Round Key 0)

Repeat (Nr − 1) times the transformations:
- ByteSub
- ShiftRow
- MixColumn
- Add Round-Key

Final round, transformations:
- ByteSub
- ShiftRow
- Add Round-Key
4. Rijndael round function
Rijndael Round Function (1)

[Figure: result from round n-1 → ByteSub → ShiftRow → MixColumn → AddRoundKey (with round key Kn) → passed to round n+1]
Rijndael Round Function (2)

◆ Each round performs four transformations:
+ ByteSub
+ ShiftRow
+ MixColumn
+ AddRoundKey
◆ The transformations are referred to as layers
◆ Every transformation is invertible (needed for decryption)
◆ In the final round the MixColumn step is removed
+ similar to the missing swap in the last round of DES
◆ “Pre-whitening” and “post-whitening” (key additions before the first and after the last round) are included
Rijndael Round Function (3)

◆ Each round consists of three layers:
◆ Non-linear substitution layer (ByteSub):
+ Uses an S-box to introduce non-linearity
+ Operates on each byte independently, so much parallelism is possible
◆ Linear mixing layer (ShiftRow and MixColumn):
+ Guarantees high diffusion over multiple rounds
+ Very small correlation between input bytes and output bytes
◆ Key addition layer (AddRoundKey):
+ Bytes of the input are simply XOR’ed with the round key taken from the expanded key
◆ This gives “full diffusion” after only two rounds
ByteSub Operation

a0,0 a0,1 a0,2 a0,3              b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   → S-box →  b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3              b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3              b3,0 b3,1 b3,2 b3,3

◆ Transformation is byte-by-byte: b_i,j = S-box(a_i,j)
◆ Uses an invertible S-box
◆ One S-box is used for the whole cipher (simplicity)
Rijndael S-box

◆ Each input byte is replaced by its multiplicative inverse in GF(2^8)
◆ The zero element (which has no inverse) is mapped to itself
◆ Then an affine (matrix) transformation over GF(2) is applied
◆ Finally a constant is added: 63H (0110 0011)
S-box Design (1)

◆ Design criteria for the S-box are motivated by:
+ differential and linear cryptanalysis
+ attacks using algebraic manipulations, such as interpolation attacks
◆ Requirements / criteria:
1. Invertibility
2. Minimisation of the correlation between linear combinations of input bits and linear combinations of output bits
3. Minimisation of the largest value in the XOR (difference distribution) table
4. Complexity of the algebraic expression in GF(2^8)
5. Simplicity of description
S-box Design (2)

◆ The basic idea for constructing the S-box is due to K. Nyberg (provable properties)
◆ The S-box is defined by the mapping x ↦ x^(-1) in GF(2^8)
◆ This mapping has a very simple algebraic expression
◆ Need to prevent algebraic manipulations leading to interpolation attacks
◆ Therefore an invertible affine transformation is added
◆ The affine transformation was chosen as follows:
+ It has a very simple description, but a complicated algebraic expression when combined with the ‘inverse’ mapping of the S-box
+ It does not affect S-box criteria 1. – 3.
+ But it allows the S-box to satisfy criterion 4.
S-box Design (3)

◆ The affine mapping corresponds to the following polynomial product, where a(x) is the input byte (after inversion) and b(x) the output byte, both written as polynomials over GF(2) in the Rijndael proposal’s bit ordering:
b(x) = (x^7 + x^6 + x^2 + x) + a(x) · (x^7 + x^6 + x^5 + x^4 + 1) mod (x^8 + 1)
+ In the bit ordering of FIPS-197 the same map reads b(x) = a(x) · (x^4 + x^3 + x^2 + x + 1) + (x^6 + x^5 + x + 1) mod (x^8 + 1), i.e. XOR the byte with its rotations by 1 to 4 bits and add 63H
◆ The modulus x^8 + 1 is the simplest possible choice
◆ The multiplication polynomial was chosen such that:
+ It is coprime with the modulus (so the mapping is invertible)
+ It has the simplest description among the candidates
◆ The constant polynomial was chosen such that:
+ The S-box has no fixed points: S-box(a) ≠ a
+ The S-box has no “opposite fixed points”: S-box(a) ≠ ā (the bitwise complement of a)
ShiftRow Operation (1)

Before          Shift                After
a b c d         no shift (C0 = 0)    a b c d
e f g h         by C1 (1)            f g h e
i j k l         by C2 (2)            k l i j
m n o p         by C3 (3)            p m n o

◆ Each row of the block is cyclically left-shifted
◆ Rows are left-shifted over different offsets
◆ Results in diffusion across the columns
ShiftRow Operation (2)

◆ Depending on the block length Nb, each row of the block is cyclically shifted according to the following table (row 0 is never shifted):

Nb   C1   C2   C3
4    1    2    3
6    1    2    3
8    1    3    4
Choice of ShiftRow offsets

◆ The choice from all possible combinations has been made based on the following criteria:
1. The four offsets are different and C0 = 0
2. Resistance against attacks using truncated differentials
3. Resistance against the Square attack
4. Simplicity
MixColumn Operation (1)

[Figure: each column (a0,j, a1,j, a2,j, a3,j) of the State is multiplied by c(x) to give the column (b0,j, b1,j, b2,j, b3,j); the other columns are unaffected]

+ Each column is multiplied by a fixed polynomial
+ c(x) = ’03’ × x^3 + ’01’ × x^2 + ’01’ × x + ’02’
+ This corresponds to the matrix multiplication b(x) = c(x) ⊗ a(x), written out with the circulant matrix of c(x):

  b0,j     02 03 01 01     a0,j
  b1,j  =  01 02 03 01  ×  a1,j
  b2,j     01 01 02 03     a2,j
  b3,j     03 01 01 02     a3,j
MixColumn Operation (2)

◆ A column is taken as a polynomial over GF(2^8)
◆ Each column is multiplied by a fixed polynomial
c(x) = a3 x^3 + a2 x^2 + a1 x + a0
= ’03’ x^3 + ’01’ x^2 + ’01’ x + ’02’
◆ The coefficients of c(x) are elements of GF(2^8)
◆ MixColumn corresponds to multiplication in the ring modulo x^4 + 1:
b(x) = c(x) ⊗ a(x) modulo (x^4 + 1)
◆ c(x) was selected to have an inverse modulo x^4 + 1 (x^4 + 1 is not irreducible, so not every polynomial is invertible)
Design of MixColumn

◆ The MixColumn operation was chosen from the space of 4-byte to 4-byte linear transformations according to the following criteria:
1. Invertibility
2. Linearity in GF(2)
3. Relevant diffusion power
4. Speed on 8-bit processors
5. Symmetry
6. Simplicity of description
◆ Based on Maximum Distance Separable (MDS) codes
◆ Diffusion properties are provable: any change in one input byte of a column affects all four output bytes
Round Key Addition

a0,0 a0,1 a0,2 a0,3     k0,0 k0,1 k0,2 k0,3     b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3  ⊕  k1,0 k1,1 k1,2 k1,3  =  b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3     k2,0 k2,1 k2,2 k2,3     b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3     k3,0 k3,1 k3,2 k3,3     b3,0 b3,1 b3,2 b3,3

◆ Simple bitwise addition (XOR) of the Round Key to the State
Illustration of Round Function

[Figure only (three slides): the round function illustrated graphically]

Graphical Illustration of the Algorithm

[Figure only]
5. Rijndael key schedule
Key Schedule

◆ The Round Keys are derived from the Cipher Key by means of the Key Schedule
◆ The Key Schedule consists of two components:
+ Key Expansion
+ Round Key Selection
◆ Number of Round Key bits needed = block length × (Nr + 1)
◆ Example:
+ block length = 128 bits
+ Nr = 10 rounds
+ Number of Round Key bits = 128 × 11 = 1408
Key Expansion I

◆ The Expanded Key consists of a linear array of 4-byte words, denoted by W[0] … W[Nb × (Nr + 1) - 1]
◆ The first Nk 32-bit words contain the Cipher Key
◆ The remaining words are obtained recursively in terms of the Cipher Key; for the example Nk = 6:
+ W[i] = W[i-6] ⊕ W[i-1] when i is not a multiple of 6
+ W[6i] = W[6i - 6] ⊕ f(W[6i - 1])
◆ In general W[i] = W[i-Nk] ⊕ W[i-1], with f applied to W[i-1] whenever i is a multiple of Nk
◆ The function f( ) rotates the word by one byte, applies the S-box to each byte and adds a round constant (for Nk = 8 the S-box is additionally applied to W[i-1] when i mod 8 = 4)
Key Expansion II

[Figure: the Cipher Key (128, 192 or 256 bits) enters the Key Expansion function, which outputs block length × (number of rounds + 1) bits, split into Round Key 0, Round Key 1, …, Round Key Nr]

Key Expansion III

[Figure: the Cipher Key is expanded (KE) into the word array W and the Round Keys k1 … kn; the encryption rounds r1 … rn each take one Round Key and map the input X to the output Y]
Illustration: Key Expansion and Round Key selection

W0 W1 W2 W3 W4 W5 | W6 W7 W8 W9 W10 W11 | W12 W13 W14 …
   Round Key 0    |     Round Key 1     |  Round Key 2 …

◆ Key expansion and Round Key selection for:
+ Nb = 6 (block length = 192 bits)
+ Nk = 4 (key length = 128 bits)
◆ Round Key i consists of the words W[Nb·i] … W[Nb·(i+1) - 1], so the round-key boundaries do not coincide with the Nk-word steps of the recursion
Key Schedule Characteristics

◆ The key schedule can be implemented without explicit use of the array W[Nb × (Nr + 1)]
◆ When RAM is scarce:
+ Round Keys can be computed on-the-fly
+ Only a buffer of Nk words is required
Key Expansion Design Criteria

◆ The Key Expansion recursion is invertible:
+ knowledge of any Nk consecutive words of the Expanded Key allows regeneration of the whole table (so a single leaked Round Key is as damaging as the Cipher Key itself)
◆ Simple and efficient on a wide range of processors
◆ The round constants eliminate symmetries
◆ Diffusion of Cipher Key differences into the Round Keys
◆ Knowledge of a part of the Cipher Key or of the Round Key bits does not allow the calculation of “many” other Round Key bits
◆ Enough non-linearity is introduced to prevent the full determination of Round Key differences from Cipher Key differences alone (resistance against related-key attacks)
6. Decryption
Decryption

◆ For decryption the order of operations is reversed
◆ For each operation, an inverse counterpart is required
◆ InvRound:
+ AddRoundKey
+ InvMixColumn
+ InvShiftRow
+ InvByteSub
◆ The first three are linear: AddRoundKey is its own inverse, InvShiftRow shifts the rows right instead of left, InvMixColumn multiplies by the inverse polynomial
◆ The S-box cannot be re-used: an inverse S-box is required
◆ The InvMixColumn operation uses a different polynomial:
+ Decryption is slower
Decryption: MixColumn Operation

◆ For MixColumn, the polynomial c(x) over GF(2^8) is used:
c(x) = ’03’ x^3 + ’01’ x^2 + ’01’ x + ’02’
◆ Multiplication with these coefficients is very efficient (a shift and a conditional XOR)
◆ The inverse of c(x) modulo (x^4 + 1) is:
d(x) = ’0B’ x^3 + ’0D’ x^2 + ’09’ x + ’0E’
◆ The multiplications by the coefficients of d(x) take significantly more time
◆ Decryption is therefore slower than encryption
◆ A considerable speed-up can be obtained by using table lookups, at the cost of additional tables
Encryption vs. Decryption

◆ This asymmetry between encryption and decryption is considered to be of minor importance
◆ In many applications of a block cipher, the inverse cipher operation is not used:
+ Calculation of MACs
+ Cipher used in CFB mode or OFB mode
◆ Important: in dedicated hardware implementations, only part of the hardware can be re-used for decryption
◆ It is possible to reverse the Key Schedule:
+ start with the last Nk words of the Round Keys
+ “roll backwards” to the original Cipher Key
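The pieces from the round-function and key-schedule sections, together with the inverse round and the key-schedule reversal described on this slide, assembled into a working AES-128 (Nb = Nk = 4, Nr = 10). This is an added example written for this page, not code from the lecture or from the Rijndael designers; it assumes the 128-bit block and key only (no other Nb/Nk), uses the FIPS-197 Appendix B vector as its check, and keeps every layer as a separate function so each can be compared with the slide that describes it:

```python
"""AES-128 (Rijndael with Nb = Nk = 4, Nr = 10) assembled from the layers on the
slides. Added example for this page, not the lecture's code. The State is a list
of 16 bytes in column-major order: byte (row r, column c) sits at index r + 4*c."""

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); zero maps to zero as the S-box requires."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def affine(x):
    """Affine part of the S-box: multiply by 1+x+x^2+x^3+x^4 modulo x^8+1 (XOR the
    byte with its rotations by 1..4 bits), then add the constant 0x63."""
    r = x
    for s in (1, 2, 3, 4):
        r ^= ((x << s) | (x >> (8 - s))) & 0xFF
    return r ^ 0x63

SBOX = [affine(gf_inv(a)) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
RCON = [0x01]
for _ in range(9):
    RCON.append(gf_mul(RCON[-1], 2))  # 01 02 04 08 10 20 40 80 1b 36
# First rows of the circulant MixColumn matrices for c(x) = 03x^3+01x^2+01x+02
# and its inverse d(x) = 0Bx^3+0Dx^2+09x+0E (both modulo x^4 + 1).
MIX_ROW = (0x02, 0x03, 0x01, 0x01)
INV_MIX_ROW = (0x0E, 0x0B, 0x0D, 0x09)

def sbox_meets_fixed_point_criteria():
    """Design criteria from the slides: S(a) != a and S(a) != complement(a) for all a."""
    return all(SBOX[a] != a and SBOX[a] != a ^ 0xFF for a in range(256))

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r is rotated left by r bytes (offsets 0,1,2,3 for Nb = 4); right for the inverse."""
    return [s[r + 4 * (((c - r) if inverse else (c + r)) % 4)]
            for c in range(4) for r in range(4)]

def mix_columns(s, row0=MIX_ROW):
    """Multiply each column by the polynomial; matrix row i is row0 rotated right by i."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(row0[(k - r) % 4], col[k])
            out.append(acc)
    return out

def add_round_key(s, rk):
    return [a ^ k for a, k in zip(s, rk)]

def f_word(word, i):
    """The f() of the key schedule: rotate the word, S-box each byte, add the round constant."""
    t = [SBOX[word[1]], SBOX[word[2]], SBOX[word[3]], SBOX[word[0]]]
    t[0] ^= RCON[i // 4 - 1]
    return t

def key_expansion(key):
    """W[i] = W[i-Nk] ^ W[i-1], with f() applied to W[i-1] whenever i is a multiple of Nk."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = f_word(w[i - 1], i) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def recover_key(last_round_key):
    """The recursion is invertible: from the last Nk words (Round Key 10) roll back to
    the Cipher Key, so a leaked round key is as damaging as the key itself."""
    w = [None] * 44
    for j in range(4):
        w[40 + j] = list(last_round_key[4 * j:4 * j + 4])
    for i in range(43, 3, -1):
        t = f_word(w[i - 1], i) if i % 4 == 0 else w[i - 1]
        w[i - 4] = [a ^ b for a, b in zip(w[i], t)]
    return bytes(sum(w[:4], []))

def encrypt_block(pt, key):
    rks = key_expansion(key)
    s = add_round_key(list(pt), rks[0])                    # pre-whitening
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])   # final round: no MixColumn
    return bytes(s)

def decrypt_block(ct, key):
    """Inverse layers in reverse order; InvMixColumn uses d(x), hence the slower decryption."""
    rks = key_expansion(key)
    s = add_round_key(list(ct), rks[10])
    for r in range(9, 0, -1):
        s = sub_bytes(shift_rows(s, inverse=True), INV_SBOX)
        s = mix_columns(add_round_key(s, rks[r]), INV_MIX_ROW)
    s = sub_bytes(shift_rows(s, inverse=True), INV_SBOX)
    return bytes(add_round_key(s, rks[0]))

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix B
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    ct = encrypt_block(pt, key)
    print(ct.hex())   # 3925841d02dc09fbdc118597196a0b32
    assert decrypt_block(ct, key) == pt
    assert recover_key(key_expansion(key)[10]) == key
```

The S-box is generated from the inverse-plus-affine description rather than typed in as a table, so the no-fixed-point and no-opposite-fixed-point criteria can be checked directly; `recover_key` is the “roll backwards” of this slide and is the reason round keys must be protected as carefully as the cipher key. The table-driven `gf_inv` and the per-byte `gf_mul` are written for clarity, not speed, and are not constant-time; a production implementation uses precomputed tables or hardware instructions.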

Rijndael Security Against Known Attacks

◆ No symmetry properties and no weak keys of the DES type
◆ Designed to resist:
+ Differential cryptanalysis (including truncated differentials)
+ Linear cryptanalysis
+ The Square attack
+ Interpolation attacks
+ Weak keys of the IDEA type (none exist)
+ Related-key attacks
+ Known-key attacks
◆ No key-recovery attacks faster than exhaustive search are known
◆ Rijndael is K-secure (in the designers’ terminology)
7. Practical aspects
Rijndael: Implementations (1)

◆ Well suited for software implementations on 8-bit processors (e.g. smart cards)
+ Operations work on bytes, not on 32- or 64-bit integers
+ Only simple operations are used, e.g. XOR, byte shifts
+ No special instructions are required to speed up operation, e.g. barrel rotates
+ Uses a small amount of code and RAM
+ A ROM/performance trade-off is possible
+ Layers such as ByteSub can be efficiently implemented using small tables in ROM (e.g. 256 bytes for the S-box)
Rijndael: Implementations (2)

◆ For 32-bit implementations:
+ An entire round can be implemented via lookup tables
+ No bias towards big- or little-endian processors
+ No delay due to carry propagation
◆ Dedicated hardware / specialised processors:
+ Considerable parallelism exists in the round function
+ Simple operations are easily implemented: e.g. XOR, byte shifts
Encryption Performance (Relative)

[Figure only]
Computational Efficiencies

◆ 200 MHz Pentium Pro; MS Visual C++ ver 6

Algorithm   Rate (Mbit/s)   Key set-up (relative cost)
RC6         98.2            6.5×
MARS        67.6            11.4×
RIJNDAEL    87.7            4.7×
SERPENT     53.5            2.9×
TWOFISH     64.6            41.2×
Key Setup Performance (Relative)

[Figure only]

Overall Performance (Relative)

[Figure only]
Code Size and Copyright

Cipher     Code size      Subkey generator    Public domain
MARS       ≈ 3.5 kbytes   Complex             No
RC6        < 1 kbyte      One-way             No
RIJNDAEL   ≈ 1 kbyte      Fast                Yes
SERPENT    ≈ 1 kbyte      Simple              Yes
TWOFISH    ≈ 2.5 kbytes   Simple (flexible)   Yes
Summary: Rijndael Characteristics

◆ Low key set-up time
◆ Low memory requirement
◆ Flexible configuration (block length and key length)
◆ Very suitable for hash/MAC applications
+ 192- and 256-bit block and key lengths
+ allow block-cipher-based collision-resistant hash constructions with a wide output
◆ Efficient implementation on a wide variety of platforms
◆ No carry delay, since no integer addition or multiplication is used
◆ Round function has a large degree of parallelism
