AES (Rijndael)

Lecture slides, Information Security Group, ICU (25 pages). References: Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2; FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001. Rijndael: variable block and key sizes; AES: fixed sizes.

Posted on 13-Jan-2016

TRANSCRIPT

Page 1: AES (Rijndael)

1 © Information Security Group, ICU

AES (Rijndael)

Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2

FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001

Rijndael: variable block and key sizes; AES: fixed sizes

Page 2: AES (Rijndael)

AES requirements

- Block cipher
- 128-bit blocks
- 128/192/256-bit keys
- Worldwide royalty-free
- More secure than Triple DES
- More efficient than Triple DES

Page 3: AES (Rijndael)

AES Calendar

- Jan. 2, 1997: Announcement of intent to develop AES and request for comments
- Sep. 12, 1997: Formal call for candidate algorithms
- Aug. 20-22, 1998: First AES Candidate Conference (AES1), Rome, Italy, and beginning of Round 1 evaluation (15 algorithms)
- Mar. 22-23, 1999: Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected
- Apr. 2000: Third AES Candidate Conference (AES3)
- Sep. 2000: Final AES selection, winner announced (Rijndael!)

Page 4: AES (Rijndael)

AES Round 1 algorithms

15 algorithms were proposed at the AES1 conference.

Page 5: AES (Rijndael)

AES Round 2 Algorithms

After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidate algorithms.

Cipher     Submitter                  Structure          Nonlinear Component
MARS       IBM                        Feistel structure  S-box, DD-Rotation
RC6        RSA Lab.                   Feistel structure  Rotation
Rijndael   Daemen, Rijmen             SPN structure      S-box
Serpent    Anderson, Biham, Knudsen   SPN structure      S-box
Twofish    Schneier et al.            Feistel structure  S-box

Page 6: AES (Rijndael)

Security of AES Candidates

Attack complexities are given as powers of two (texts, memory in bytes, operations).

Alg. (Rounds)   Structure  Rounds (Key size)  Type of Attack     Texts          Mem. Bytes  Ops
MARS            Feistel    11C                Amp. Boomerang     2^65           2^70        2^229
 16 Core (C)               16M, 5C            Diff. M-i-M        2^50           2^197       2^247
 16 Mixing (M)             16M, 5C            Amp. Boomerang     2^69           2^73        2^197
RC6 (20)        Feistel    14                 Stat. Disting.     2^118          2^112       2^122
                           12                 Stat. Disting.     2^94           2^42        2^119
                           15 (256)           Stat. Disting.     2^119          2^138       2^215
Rijndael        SPN        6                  Truncated Diff.    2^32           7*2^32      2^72
 10 (128)                  7                  Truncated Diff.    2^128 ~ 2^119  2^61        2^120
 12 (192)                  8 (256)            Truncated Diff.    2^128 ~ 2^119  2^101       2^204
 14 (256)                  9 (256)            Related Key        2^77           NA          2^224
Serpent (32)    SPN        8 (192,256)        Amp. Boomerang     2^113          2^119       2^179
                           6 (256)            Meet-in-Middle     512            2^246       2^247
                           6                  Differential       2^71           2^75        2^103
                           7 (256)            Differential       2^41           2^126       2^248
                           8 (192,256)        Boomerang          2^122          2^133       2^163
                           9 (256)            Amp. Boomerang     2^110          2^212       2^252
Twofish (16)    Feistel    6 (256)            Impossible Diff.   NA             NA          2^256

Page 7: AES (Rijndael)

Comparison of AES2 algorithms (I)

Figure: encryption speed analysis by NIST.

Page 8: AES (Rijndael)

Comparison of AES2 algorithms (II)

Figure: Java implementation by A. Sterbenz (Graz Univ.).

Page 9: AES (Rijndael)

Comparison of AES2 algorithms (III)

Figure: smart card implementation by F. Sano (Toshiba).

*: the check for “weak” keys in the key schedule is omitted

Page 10: AES (Rijndael)

Comparison of AES2 algorithms (IV)

Figure: CMOS ASIC implementation by Ichikawa (Mitsubishi).

Page 11: AES (Rijndael)

Rijndael – Overview

Proposed by Joan Daemen and Vincent Rijmen (Belgium)

Design choices
– Square type
– Three distinct invertible uniform transformations (layers):
  Linear mixing layer: guarantees high diffusion
  Non-linear layer: parallel application of S-boxes
  Key addition layer: XOR the round key to the intermediate state
– Initial key addition, final key addition

Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
– Nb: number of columns of the state (4~8)
– Nk: number of columns of the cipher key (4~8)
– Nb is independent of Nk

Page 12: AES (Rijndael)

Rijndael - States

Figure: state array (Nb=6) and key array (Nk=4); table of the number of rounds (Nr).

Page 13: AES (Rijndael)

Rijndael - Encryption

Block size: 128 bit; key size: 128/192/256 bit

Component functions:
- ByteSubstitution (BS): S-box, byte-wise substitution
- ShiftRow (SR): circular shift
- MixColumn (MC): linear (branch number: 5)
- AddRoundKey (ARK): bit-wise key addition

Omit MC in the last round.

Figure: 4x4 byte array input → input whitening (bit-wise key addition) → round transformation (byte-wise substitution (BS), Shift-Row (SR), Mix-Column (MC), bit-wise key addition) → output transformation (BS, SR, ARK) → output.

Page 14: AES (Rijndael)

Properties

Substitution-Permutation Network (SPN)
- (Invertible) Nonlinear layer: confusion
- (Invertible) Linear layer: diffusion

Branch number: a measure of the diffusion power of the linear layer. Let F be a linear transformation on n words and W(a) the number of nonzero words in a. The branch number of F is $\min_{a \neq 0} \{ W(a) + W(F(a)) \}$. Rijndael: branch number = 5.

Page 15: AES (Rijndael)

Security Goals

K-secure
- No shortcut attacks (key-recovery attacks faster than key-exhaustive search)
- No symmetry property such as the complementation property of DES
- No non-negligible classes of weak keys as in IDEA
- No related-key attacks

Hermetic
- No weaknesses beyond those found for the majority of block ciphers with the same block and key length

Rijndael is K-secure and hermetic

Page 16: AES (Rijndael)

Component Functions

ByteSubstitution: S(x) = x^-1 in GF(2^8) (p.105), which has almost maximal nonlinearity; the field is defined over m(x) = x^8 + x^4 + x^3 + x + 1

ShiftRow: the four rows are shifted by 0, C1, C2 and C3 bytes, depending on Nb:

  Nb  C1  C2  C3
   4   1   2   3
   6   1   2   3
   8   1   3   4

MixColumn: 4 x 4 matrix multiplication over GF(2^8) (p.107); the matrix is circulant, each row being the previous one rotated right by one position:

  [b0]   [02 03 01 01] [a0]
  [b1] = [01 02 03 01] [a1]
  [b2]   [01 01 02 03] [a2]
  [b3]   [03 01 01 02] [a3]
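The branch number defined on slide 14, computed for the MixColumn matrix above by exhaustive search; this is an added example, not code from the slides or the book. It assumes the circulant matrix with first row [02 03 01 01] and the field polynomial m(x) given above; the names mix_column, inv_mix_column and branch_number are chosen here.

```python
# Branch number of Rijndael's MixColumn (slides 14 and 16) by exhaustive search.
# Added example, not code from the slides. Bytes are elements of GF(2^8) reduced
# by m(x) = x^8 + x^4 + x^3 + x + 1; a "word" here is one byte of a 4-byte column.
from itertools import product

def xtime(a):  # multiply by x (= 02) in GF(2^8)
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1

MUL2 = [xtime(v) for v in range(256)]       # lookup tables for 02*v and 03*v
MUL3 = [xtime(v) ^ v for v in range(256)]

def mix_column(a):  # b = M a, M circulant with first row [02 03 01 01]
    return tuple(MUL2[a[r]] ^ MUL3[a[(r + 1) % 4]] ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                 for r in range(4))

def inv_mix_column(b):  # c(x)^4 = 1 mod (x^4 + 1), so M^-1 = M^3
    for _ in range(3):
        b = mix_column(b)
    return b

def weight(a):  # W(a): number of nonzero words
    return sum(1 for x in a if x)

def branch_number():
    """min over a != 0 of W(a) + W(M a).

    A weight-1 input gives at most 1 + 4 = 5, so 5 is an upper bound. Any a with
    W(a) >= 3 and W(M a) >= 2 already sums to >= 5, and W(M a) = 0 is impossible
    (M is invertible), so the only cases that could lower the minimum are inputs
    with W(a) <= 2 and outputs with W(M a) = 1; the latter are enumerated as
    weight-1 outputs pushed through M^-1. Because M is circulant, W(M a) is
    unchanged by rotating a, so position 0 suffices for weight 1 and the pairs
    (0, 1) and (0, 2) cover every weight-2 pattern."""
    best = 5
    for v in range(1, 256):
        best = min(best, 1 + weight(mix_column((v, 0, 0, 0))))
        best = min(best, weight(inv_mix_column((v, 0, 0, 0))) + 1)
    for q, (v, w) in product((1, 2), product(range(1, 256), repeat=2)):
        a = [v, 0, 0, 0]
        a[q] = w
        best = min(best, 2 + weight(mix_column(a)))
    return best
```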

Page 17: AES (Rijndael)

Rijndael: Pseudo-Code

Round(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);
}

FinalRound(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
}

Rijndael(State, CipherKey) {
    KeyExpansion(CipherKey, ExpandedKey);   /* p.108 */
    AddRoundKey(State, ExpandedKey);
    For (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}
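An AES-128 encryption written after the pseudo-code above, as an added example that is not code from the slides or from FIPS 197. It assumes Nb = Nk = 4 and Nr = 10, an S-box built from the GF(2^8) inverse of slide 16 followed by the FIPS 197 affine map, and FIPS 197's column-wise byte order; names such as aes128_encrypt and key_expansion are chosen here.

```python
# AES-128 = Rijndael with Nb = Nk = 4, Nr = 10, written after the slide's pseudo-code.
# Added example, not code from the slides or FIPS 197; the 16-byte block and key are
# stored column-wise (byte index = row + 4*column) as in FIPS 197.

def xtime(a):  # multiply by x (= 02) in GF(2^8) mod m(x) = x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
def gmul(a, b):  # general GF(2^8) multiplication, shift-and-add
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r
def sbox_entry(x):  # S(x) = affine(x^-1): inverse in GF(2^8) (0 -> 0), then x ^ rotl(x,1..4) ^ 0x63
    inv = next((y for y in range(256) if gmul(x, y) == 1), 0)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]

def byte_sub(s):  # BS: byte-wise S-box substitution
    return [SBOX[b] for b in s]
def shift_row(s):  # SR: row r rotated left by r positions (C1, C2, C3 = 1, 2, 3 for Nb = 4)
    return [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]
def mix_column(s):  # MC: each column multiplied by the circulant matrix with first row [02 03 01 01]
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(2, a[r]) ^ gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out
def add_round_key(s, rk):  # ARK: bit-wise XOR with the round key
    return [a ^ b for a, b in zip(s, rk)]

def key_expansion(key):  # 16 key bytes -> 11 round keys (176 bytes), Nk = 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, then XOR the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [b for word in w for b in word]

def aes128_encrypt(block, key):
    ek = key_expansion(key)
    s = add_round_key(list(block), ek[:16])  # input whitening
    for i in range(1, 10):  # Round(): BS, SR, MC, ARK
        s = add_round_key(mix_column(shift_row(byte_sub(s))), ek[16 * i:16 * i + 16])
    return bytes(add_round_key(shift_row(byte_sub(s)), ek[160:]))  # FinalRound omits MC
```

The result for the FIPS 197 Appendix C.1 vector (plaintext 00112233445566778899aabbccddeeff, key 000102030405060708090a0b0c0d0e0f) is 69c4e0d86a7b0430d8cdb78070b4c55a.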

Page 18: AES (Rijndael)

Mode of Operations

Page 19: AES (Rijndael)

Mode of operation (I)

ECB (Electronic CodeBook) mode

i) Encryption: C = EK(P), an n-bit plaintext block in, an n-bit ciphertext block out
ii) Decryption: P = DK(C)

If Ci = Cj, then DK(Ci) = DK(Cj): equal ciphertext blocks reveal equal plaintext blocks

Page 20: AES (Rijndael)

Mode of operation (II)

CBC (Cipher Block Chaining)

Figure: encryption chains P1, P2, ..., Pl through E under key K, starting from the IV, to give C1, C2, ..., Cl; decryption runs D under key K on each Ci and XORs the previous ciphertext block.

Ci = EK(Pi ⊕ Ci-1)
Pi = DK(Ci) ⊕ Ci-1

IV: Initialization Vector

- 2-block error propagation
- self-sync
- If |Pl| ≠ |P| (the last block is not a full block), padding is required

Page 21: AES (Rijndael)

Mode of operation (III)

m-bit OFB (Output FeedBack)

Figure: I) encryption and II) decryption: the IV register is encrypted with E under key K, m bits of the output are XORed with Pi (resp. Ci), and the output is fed back into the register for the next block.

Ci = Pi ⊕ O(EK)
Pi = Ci ⊕ O(EK)

- No error propagation
- Requires external sync
- Stream cipher
- EK or DK

Page 22: AES (Rijndael)

Mode of operation (IV)

m-bit CFB (Cipher FeedBack)

Figure: I) encryption and II) decryption: the IV register is encrypted with E under key K, m bits of the output are XORed with Pi (resp. Ci), and the ciphertext is fed back into the register for the next block.

Ci = Pi ⊕ EK(Ci-1)
Pi = Ci ⊕ EK(Ci-1)

- Error propagation until the error disappears from the buffer
- self-sync
- EK or DK

Page 23: AES (Rijndael)

Mode of operation (V)

Counter mode

Ci = Pi ⊕ EK(Ti)
Pi = Ci ⊕ EK(Ti)
Ti = ctr + i - 1 mod 2^m

|P|, |ctr| = m; parallel computation

Figure: encryption and decryption each run E under key K on ctr, ctr+1, ..., ctr+m-1 independently and XOR the outputs with P1, P2, ..., Pm-1 (resp. C1, C2, ..., Cm-1).

Page 24: AES (Rijndael)

Mode of Operation (VI)

CCM mode (Counter with CBC-MAC mode): Ctr + CBC. Authenticated encryption by producing a MAC as a part of the encryption process.

Page 25: AES (Rijndael)

Mode of operation - summary

Use of mode
- ECB: key management, useless for file encryption
- CBC: file encryption, useful for MAC
- m-bit CFB: self-sync, impossible to use on a channel with low BER
- m-bit OFB: external sync, m = 1, 8 or n
- Ctr: secret ctr, parallel computation
- CCM: authenticated encryption

Performance degradation / cost tradeoff
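The ECB, CBC and counter modes from the slides above, as an added example that is not code from the slides; EK and DK are a constructed 4-round Feistel cipher on 16-byte blocks keyed through SHA-256 (a stand-in permutation, not AES), and cbc_bit_flip_damage is a helper named here to show the 2-block error propagation listed for CBC and the block-repetition leak listed for ECB.

```python
# ECB, CBC and counter mode over a block cipher E_K / D_K, showing the properties
# the slides list for each mode. Added example, not code from the slides; E_K is a
# constructed 4-round Feistel cipher on 16-byte blocks keyed through SHA-256,
# used only as a stand-in permutation so the example runs without an AES library.
import hashlib

BLOCK = 16
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def _f(half, key, rnd):  # Feistel round function: keyed hash, truncated to a half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def ek(key, block):  # E_K: 4 Feistel rounds, halves swapped at the end
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(r, key, rnd))
    return r + l
def dk(key, block):  # D_K: the same rounds in reverse order
    r, l = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(l, key, rnd)), l
    return l + r

def ecb_encrypt(key, p):  # C_i = E_K(P_i): equal plaintext blocks give equal ciphertext blocks
    return b"".join(ek(key, pi) for pi in split(p))
def cbc_encrypt(key, iv, p):  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for pi in split(p):
        prev = ek(key, xor(pi, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, c):  # P_i = D_K(C_i) xor C_{i-1}
    blocks = split(c)
    return b"".join(xor(dk(key, ci), prev) for prev, ci in zip([iv] + blocks, blocks))
def ctr_crypt(key, ctr, data):  # C_i = P_i xor E_K(T_i), T_i = ctr + i - 1 mod 2^128; decrypts too
    ts = (((ctr + i) % (1 << 128)).to_bytes(BLOCK, "big") for i in range(len(split(data))))
    return b"".join(xor(d, ek(key, t)) for d, t in zip(split(data), ts))

def cbc_bit_flip_damage(key, iv, p, i):
    """Flip one bit in ciphertext block C_i and return, per plaintext block, how many
    bits of the decryption differ: block i is garbled, block i+1 differs in exactly
    that one bit, and every later block is intact (2-block error propagation)."""
    c = bytearray(cbc_encrypt(key, iv, p))
    c[i * BLOCK] ^= 0x01
    q = cbc_decrypt(key, iv, bytes(c))
    return [sum(bin(x ^ y).count("1") for x, y in zip(pi, qi)) for pi, qi in zip(split(p), split(q))]
```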