AES (Rijndael)
Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael : variable, AES : fixed
AES Requirements
Block cipher
◦ 128-bit blocks
◦ 128/192/256-bit keys
Worldwide royalty-free
More secure than Triple DES
More efficient than Triple DES
◦ Jan. 2, 1997 : Announcement of intent to develop AES and request for comments
◦ Sep. 12, 1997 : Formal call for candidate algorithms
◦ Aug. 20-22, 1998 : First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
◦ Mar. 22-23, 1999 : Second AES Candidate Conference, NY, USA
◦ Sep. 2000 : Final AES selection (Rijndael !)
Jan. 1997: Call for algorithms
Aug. 1998: AES1, 15 algorithms
Mar. 1999: AES2, 5 algorithms selected
Apr. 2000: AES3, announce winner in Sep. 2000
15 algorithms were proposed at the AES1 conference.
After the AES2 conference, NIST selected the following 5 algorithms as the round 2 candidate algorithms.
| Cipher | Submitter | Structure | Nonlinear Component |
|---|---|---|---|
| MARS | IBM | Feistel structure | Sbox, DD-Rotation |
| RC6 | RSA Lab. | Feistel structure | Rotation |
| Rijndael | Daemen, Rijmen | SPN structure | Sbox |
| Serpent | Anderson, Biham, Knudsen | SPN structure | Sbox |
| Twofish | Schneier et al. | Feistel structure | Sbox |
| Alg. (Round) | Structure | Rounds (Key size) | Type of Attack | Texts | Mem. Bytes | Ops |
|---|---|---|---|---|---|---|
| MARS: 16 Core (C), 16 Mixing (M) | Feistel | 11C | Amp. Boomerang | 2^65 | 2^70 | 2^229 |
| | | 16M, 5C | Diff. M-i-M | 2^50 | 2^197 | 2^247 |
| | | 16M, 5C | Amp. Boomerang | 2^69 | 2^73 | 2^197 |
| RC6 (20) | Feistel | 14 | Stat. Disting. | 2^118 | 2^112 | 2^122 |
| | | 12 | Stat. Disting. | 2^94 | 2^42 | 2^119 |
| | | 15 (256) | Stat. Disting. | 2^119 | 2^138 | 2^215 |
| Rijndael: 10 (128), 12 (192), 14 (256) | SPN | 6 | Truncated Diff. | 2^32 | 7*2^32 | 2^72 |
| | | 7 | Truncated Diff. | 2^128 - 2^119 | 2^61 | 2^120 |
| | | 8 (256) | Truncated Diff. | 2^128 - 2^119 | 2^101 | 2^204 |
| | | 9 (256) | Related Key | 2^77 | NA | 2^224 |
| Serpent (32) | SPN | 8 (192,256) | Amp. Boomerang | 2^113 | 2^119 | 2^179 |
| | | 6 (256) | Meet-in-Middle | 512 | 2^246 | 2^247 |
| | | 6 | Differential | 2^71 | 2^75 | 2^103 |
| | | 7 (256) | Differential | 2^41 | 2^126 | 2^248 |
| | | 8 (192,256) | Boomerang | 2^122 | 2^133 | 2^163 |
| | | 9 (256) | Amp. Boomerang | 2^110 | 2^212 | 2^252 |
| Twofish (16) | Feistel | 6 (256) | Impossible Diff. | NA | NA | 2^256 |
Comparison (I): Encryption speed analysis by NIST
Comparison (II): Java implementation by A. Sterbenz (Graz Univ.)
Comparison (III): Smart card implementation by F. Sano (Toshiba)
* : omit to check “weak” in the key schedule
Comparison (IV): CMOS ASIC implementation by Ichikawa (Mitsubishi)
Proposed by Joan Daemen, Vincent Rijmen (Belgium)
Design choices
– Square type
– Three distinct invertible uniform transformations (layers)
  ◦ Linear mixing layer : guarantees high diffusion
  ◦ Non-linear layer : parallel application of S-boxes
  ◦ Key addition layer : XOR the round key to the intermediate state
– Initial key addition, final key addition
Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
Branch Number
◦ Measures the diffusion power of a linear layer
◦ Let $F$ be a linear transformation on $n$ words.
◦ $W(a)$: the number of nonzero words in $a$.
◦ Branch number of $F$ $= \min_{a \neq 0} \{ W(a) + W(F(a)) \}$
◦ Rijndael: branch number = 5
K-secure
◦ No shortcut attacks (key-recovery attacks faster than exhaustive key search)
◦ No symmetry property such as complementation in DES
◦ No non-negligible classes of weak keys as in IDEA
◦ No related-key attacks
Hermetic
◦ No weaknesses other than those found for the majority of block ciphers with the same block and key length
Rijndael is k-secure and hermetic
ByteSubstitution
◦ $S(x) = x^{-1}$ in $GF(2^8)$ with almost maximal nonlinearity, over $m(x) = x^8 + x^4 + x^3 + x + 1$
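
The ByteSubstitution claim above, as an added example (not from the slides or from the Rijndael authors' code): it builds $S(x) = x^{-1}$ over the slide's $m(x)$ and measures its nonlinearity with a Walsh-Hadamard transform. The function names and the convention that 0 maps to 0 are assumptions of this example; the affine map that FIPS 197 applies after inversion is left out because the slide does not mention it.

```python
# Added example: inversion in GF(2^8) modulo m(x) and its nonlinearity.
M = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, taken from the slide

def gf_mul(a, b):
    """Multiply two GF(2^8) elements: carry-less product reduced modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:      # degree reached 8: subtract (XOR) m(x)
            a ^= M
        b >>= 1
    return r

def gf_inv(a):
    """x^-1 computed as x^254 (x^255 = 1 for x != 0); 0 stays 0 (assumed)."""
    r, p, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r

INV = [gf_inv(x) for x in range(256)]  # the table S(x) = x^-1

def walsh_max(bits):
    """Largest absolute Walsh coefficient of a Boolean function on 8 bits."""
    w = [1 - 2 * b for b in bits]       # 0/1 -> +1/-1
    h = 1
    while h < 256:                      # in-place fast Walsh-Hadamard transform
        for i in range(0, 256, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return max(abs(v) for v in w)

def nonlinearity(sbox):
    """Minimum distance from any nonzero output-bit combination to an affine function."""
    parity = lambda v: bin(v).count("1") & 1
    worst = max(walsh_max([parity(m & y) for y in sbox]) for m in range(1, 256))
    return 128 - worst // 2

if __name__ == "__main__":
    print("inversion S-box nonlinearity:", nonlinearity(INV))
    print("identity map nonlinearity:  ", nonlinearity(list(range(256))))
```

For comparison, no 8-bit Boolean function can exceed a nonlinearity of 120, and a linear map such as the identity scores 0.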