AES (Rijndael)
Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael: variable block size; AES: fixed block size
Block cipher
◦ 128-bit blocks
◦ 128/192/256-bit keys
◦ Worldwide royalty free
◦ More secure than Triple DES
◦ More efficient than Triple DES
◦ Jan. 2, 1997: Announcement of intent to develop AES and request for comments
◦ Sep. 12, 1997: Formal call for candidate algorithms
◦ Aug. 20-22, 1998: First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
◦ Mar. 22-23, 1999: Second AES Candidate Conference, NY, USA
◦ Sep. 2000: Final AES selection (Rijndael!)
Figure (timeline): Jan. 1997 call for algorithms → Aug. 1998 AES1 (15 algorithms) → Mar. 1999 AES2 (5 algorithms selected) → Apr. 2000 AES3 → winner announced Sep. 2000.
15 algorithms were proposed at the AES1 conference.
After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.
Cipher   | Submitter                 | Structure         | Nonlinear component
MARS     | IBM                       | Feistel structure | S-box, DD-Rotation (data-dependent rotation)
RC6      | RSA Lab.                  | Feistel structure | Rotation
Rijndael | Daemen, Rijmen            | SPN structure     | S-box
Serpent  | Anderson, Biham, Knudsen  | SPN structure     | S-box
Twofish  | Schneier et al.           | Feistel structure | S-box
Alg. (Rounds)                            | Structure | Rounds (key size) | Type of attack     | Texts           | Mem. bytes | Ops
MARS (16 core (C) + 16 mixing (M))       | Feistel   | 11C               | Amp. Boomerang     | 2^65            | 2^70       | 2^229
                                         |           | 16M, 5C           | Diff. M-i-M        | 2^50            | 2^197      | 2^247
                                         |           | 16M, 5C           | Amp. Boomerang     | 2^69            | 2^73       | 2^197
RC6 (20)                                 | Feistel   | 14                | Stat. Disting.     | 2^118           | 2^112      | 2^122
                                         |           | 12                | Stat. Disting.     | 2^94            | 2^42       | 2^119
                                         |           | 15 (256)          | Stat. Disting.     | 2^119           | 2^138      | 2^215
Rijndael (10 (128), 12 (192), 14 (256))  | SPN       | 6                 | Truncated Diff.    | 2^32            | 7·2^32     | 2^72
                                         |           | 7                 | Truncated Diff.    | 2^128 − 2^119   | 2^61       | 2^120
                                         |           | 8 (256)           | Truncated Diff.    | 2^128 − 2^119   | 2^101      | 2^204
                                         |           | 9 (256)           | Related Key        | 2^77            | NA         | 2^224
Serpent (32)                             | SPN       | 8 (192, 256)      | Amp. Boomerang     | 2^113           | 2^119      | 2^179
                                         |           | 6 (256)           | Meet-in-the-Middle | 512             | 2^246      | 2^247
                                         |           | 6                 | Differential       | 2^71            | 2^75       | 2^103
                                         |           | 7 (256)           | Differential       | 2^41            | 2^126      | 2^248
                                         |           | 8 (192, 256)      | Boomerang          | 2^122           | 2^133      | 2^163
                                         |           | 9 (256)           | Amp. Boomerang     | 2^110           | 2^212      | 2^252
Twofish (16)                             | Feistel   | 6 (256)           | Impossible Diff.   | NA              | NA         | 2^256
Comparison (I): Encryption speed analysis by NIST (figure)
Comparison (II): Java implementation by A. Sterbenz (Graz Univ.) (figure)
Comparison (III): Smart card implementation by F. Sano (Toshiba) (figure)
*: the check for “weak” keys in the key schedule is omitted
Comparison (IV): CMOS ASIC implementation by Ichikawa (Mitsubishi) (figure)
Proposed by Joan Daemen and Vincent Rijmen (Belgium)
Design choices
– Square type
– Three distinct invertible uniform transformations (layers):
  Linear mixing layer: guarantees high diffusion
  Non-linear layer: parallel application of S-boxes
  Key addition layer: XOR of the round key into the intermediate state
– Initial key addition, final key addition
Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
– Nb: number of columns of the state (4~8)
– Nk: number of columns of the cipher key (4~8)
– Nb is independent of Nk
Figure: state (Nb = 6) and key (Nk = 4) as 4-row byte arrays.
Number of rounds (Nr)
Block size: 128 bit; key size: 128/192/256 bit
Component functions
◦ ByteSubstitution (BS): S-box
◦ ShiftRow (SR): circular shift
◦ MixColumn (MC): linear (branch number: 5)
◦ AddRoundKey (ARK): bit-wise (XOR) key addition
Omit MC in the last round.
Figure (round structure): 4×4 byte-array input → input whitening (bit-wise key addition) → round transformation (byte-wise substitution (BS), shift row (SR), mix column (MC), bit-wise key addition) → output transformation (BS, SR, ARK) → output.
Substitution-Permutation Network (SPN)
◦ (Invertible) nonlinear layer: confusion
◦ (Invertible) linear layer: diffusion
Branch number
◦ Measures the diffusion power of a linear layer
◦ Let F be a linear transformation on n words.
◦ W(a): the number of nonzero words in a.
◦ Branch number of F = min over a ≠ 0 of {W(a) + W(F(a))}
◦ Rijndael: branch number = 5
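As an added check (not from the slides), the following Python verifies the branch-number claim for MixColumn's matrix over GF(2^8): it tests the MDS criterion (every square submatrix nonsingular, which is equivalent to branch number 4 + 1 = 5) and confirms min W(a) + W(F(a)) = 5 directly on low-weight inputs. The matrix entries and the polynomial are those of the Rijndael specification; the function names are assumptions of this example.

```python
# Added check (not from the slides): MixColumn's matrix over GF(2^8) is MDS,
# so its branch number is 4 + 1 = 5, as claimed on the slide.
from functools import reduce
from itertools import combinations, product
from operator import xor

AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # circulant (02 03 01 01)

def gf_mul(a, b):  # multiplication in GF(2^8) modulo m(x)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def mat_vec(m, col):  # F(a) = M a over GF(2^8); addition is XOR
    return [reduce(xor, (gf_mul(c, x) for c, x in zip(row, col)), 0) for row in m]

def det(m):  # Laplace expansion; cofactor signs vanish in characteristic 2
    if len(m) == 1:
        return m[0][0]
    minors = (det([r[:j] + r[j + 1:] for r in m[1:]]) for j in range(len(m)))
    return reduce(xor, (gf_mul(m[0][j], d) for j, d in enumerate(minors)), 0)

def is_mds(m):  # branch number n + 1 <=> every square submatrix is nonsingular
    n = len(m)
    return all(det([[m[r][c] for c in cols] for r in rows])
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def weight(v):  # W(a): number of nonzero words in a
    return sum(1 for x in v if x)

def min_weight_sum(m, max_in_weight=1):
    """min of W(a) + W(F(a)) over nonzero a with W(a) <= max_in_weight. This is an
    upper bound on the branch number; it equals it (n + 1) when m is MDS."""
    n, best = len(m), 2 * len(m)
    for k in range(1, max_in_weight + 1):
        for pos in combinations(range(n), k):
            for vals in product(range(1, 256), repeat=k):
                a = [0] * n
                for p, v in zip(pos, vals):
                    a[p] = v
                best = min(best, weight(a) + weight(mat_vec(m, a)))
    return best
```

Calling `is_mds(MIX)` returns True and `min_weight_sum(MIX)` returns 5; the identity matrix, by contrast, fails the MDS test and has branch number 2.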
K-secure
◦ No shortcut attacks: no key-recovery attack faster than exhaustive key search
◦ No symmetry property such as the complementation property of DES
◦ No non-negligible classes of weak keys as in IDEA
◦ No related-key attacks
Hermetic
◦ No weakness that is not also present in the majority of block ciphers with the same block and key length
Rijndael is K-secure and hermetic
ByteSubstitution
◦ S(x) = x^(−1) in GF(2^8), with almost maximal nonlinearity; the field is defined by m(x) = x^8 + x^4 + x^3 + x + 1
Shift Rows
Mixcolumn
AddRoundKey
Rijndael: Pseudo-Code
Round(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);
}

FinalRound(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
}

Rijndael(State, CipherKey) {
    KeyExpansion(CipherKey, ExpandedKey);
    AddRoundKey(State, ExpandedKey);
    for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}
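An added worked implementation (not the slides' or the designers' code) of the pseudo-code above for AES-128 (Nb = Nk = 4, Nr = 10) in Python: the S-box is built from the x^(−1)-plus-affine definition of ByteSub, MixColumn uses the (02 03 01 01) circulant, and the result reproduces the FIPS 197 Appendix C.1 test vector. Function names are this example's own.

```python
# Added example, not the slides' or the designers' code: AES-128, Nb = Nk = 4, Nr = 10.
NB, NK, NR = 4, 4, 10
def xtime(a):  # multiply by x in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
def build_sbox():  # ByteSub table: S(x) = affine(x^-1); inverses via log/antilog tables
    exp, log, v = [0] * 256, [0] * 256, 1
    for i in range(255):           # v runs through 3^i; 3 generates GF(2^8)*
        exp[i], log[v] = v, i
        v ^= xtime(v)              # v *= 3 = x + 1
    sbox = []
    for x in range(256):
        b = s = exp[(255 - log[x]) % 255] if x else 0
        for _ in range(4):         # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)      # the affine constant 0x63
    return sbox

SBOX = build_sbox()
def key_expansion(key):  # Nb*(Nr+1) round-key words, each a 4-byte column
    w = [list(key[4 * i:4 * i + 4]) for i in range(NK)]
    rc = 1
    for i in range(NK, NB * (NR + 1)):
        t = w[i - 1]
        if i % NK == 0:            # RotWord, SubWord, then XOR Rcon into the first byte
            t = [SBOX[t[1]] ^ rc, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - NK], t)])
    return w
def add_round_key(s, w, rnd):      # state is column-major: byte (row r, col c) at s[r + 4*c]
    return [s[4 * c + r] ^ w[NB * rnd + c][r] for c in range(NB) for r in range(4)]
def shift_row(s):                  # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % NB)] for c in range(NB) for r in range(4)]
def mix_column(s):                 # each column times the circulant matrix (02 03 01 01)
    out = []
    for c in range(NB):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out

def rijndael_encrypt(block, key):  # Rijndael(State, CipherKey) from the slide
    w = key_expansion(key)
    s = add_round_key(list(block), w, 0)            # initial key addition
    for i in range(1, NR):                          # Round(): BS, SR, MC, ARK
        s = add_round_key(mix_column(shift_row([SBOX[b] for b in s])), w, i)
    s = add_round_key(shift_row([SBOX[b] for b in s]), w, NR)  # FinalRound: no MC
    return bytes(s)
```

With key 000102…0f and plaintext 00112233445566778899aabbccddeeff the output is 69c4e0d86a7b0430d8cdb78070b4c55a, the FIPS 197 Appendix C.1 vector.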
Modes of Operation
ECB (Electronic CodeBook) mode
Figure: i) Encryption C = E_K(P), ii) Decryption P = D_K(C), each block n bits.
If C_i = C_j, then D_K(C_i) = D_K(C_j) (equal ciphertext blocks reveal equal plaintext blocks).
CBC (Cipher Block Chaining)
Figure: i) Encryption: P_1, P_2, ..., P_l are chained through E_K starting from the IV, giving C_1, C_2, ..., C_l; ii) Decryption: D_K with the same chaining.
C_i = E_K(P_i ⊕ C_{i−1})
P_i = D_K(C_i) ⊕ C_{i−1}
IV: Initialization Vector
- 2-block error propagation
- self-sync
- If the last block P_l is shorter than the block length, padding required
m-bit OFB (Output FeedBack)
Figure: I) Encryption, II) Decryption: IV → E_K; m bits of the output O are XORed with P_i (resp. C_i) and fed back into the input register.
C_i = P_i ⊕ O(E_K), P_i = C_i ⊕ O(E_K)
- No error propagation
- Requires external sync
- Stream cipher
- E_K or D_K
m-bit CFB (Cipher FeedBack)
Figure: I) Encryption, II) Decryption: IV register → E_K; m bits of the output are XORed with P_i (resp. C_i), and C_i is fed back into the register.
C_i = P_i ⊕ E_K(C_{i−1}), P_i = C_i ⊕ E_K(C_{i−1})
- Error propagates until the erroneous bits leave the buffer
- self-sync
- E_K or D_K
Counter mode
C_i = P_i ⊕ E_K(T_i), P_i = C_i ⊕ E_K(T_i), T_i = ctr + i − 1 mod 2^m
|P_i|, |ctr| = m; parallel computation
Figure: encryption and decryption: ctr, ctr+1, ..., ctr+m−1 each go through E_K and the outputs are XORed with P_1, P_2, ..., P_{m−1} (resp. C_1, ..., C_{m−1}).
CCM mode (Counter with CBC-MAC mode): Ctr + CBC. Authenticated encryption, producing a MAC as part of the encryption process.
Use of modes
◦ ECB: key management; useless for file encryption
◦ CBC: file encryption; useful for MAC
◦ m-bit CFB: self-sync; impossible to use over a channel with low BER
◦ m-bit OFB: external sync; m = 1, 8 or n
◦ Ctr: secret ctr, parallel computation
◦ CCM: authenticated encryption
◦ Performance degradation / cost tradeoff
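Added example (not from the slides): a small Python harness that checks the mode properties listed above, namely ECB's equal-block leakage, CBC's two-block error propagation and self-sync, and counter mode confining a ciphertext error to one block. A hash-based toy Feistel permutation stands in for E_K so the code runs offline; it is not a real cipher, and only the mode logic is of interest. Keys, IV and messages are constructed sample values.

```python
# Added example (not from the slides): identical-block leakage and error propagation
# in ECB, CBC and counter mode. E_K is a stand-in 16-byte permutation (a hash-based
# toy Feistel, NOT a real cipher) used in place of AES so the example runs offline.
import hashlib

def _f(key, i, half):  # toy round function: 8 bytes of SHA-256(key, round, half)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def E(key, block, decrypt=False):  # 4-round balanced Feistel; reversed rounds invert it
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, i, r)))
    return r + l

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, pt):  # C_i = E_K(P_i): equal plaintext blocks give equal ciphertext
    return b"".join(E(key, pt[i:i + 16]) for i in range(0, len(pt), 16))

def cbc_encrypt(key, iv, pt):  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for i in range(0, len(pt), 16):
        prev = E(key, xor(pt[i:i + 16], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):  # P_i = D_K(C_i) xor C_{i-1}
    blocks = [ct[i:i + 16] for i in range(0, len(ct), 16)]
    return b"".join(xor(E(key, c, True), p) for p, c in zip([iv] + blocks, blocks))

def ctr_crypt(key, ctr, data):  # C_i = P_i xor E_K(ctr + i - 1 mod 2^128); decrypts too
    out = b""
    for i in range(0, len(data), 16):
        out += xor(data[i:i + 16], E(key, ((ctr + i // 16) % (1 << 128)).to_bytes(16, "big")))
    return out

def flip_bit(data, bit):  # simulate a single-bit transmission error in the ciphertext
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def corrupted_blocks(decrypt, ct, bit):
    """Indices of plaintext blocks that change when ciphertext bit `bit` is flipped."""
    good, bad = decrypt(ct), decrypt(flip_bit(ct, bit))
    return [i // 16 for i in range(0, len(ct), 16) if good[i:i + 16] != bad[i:i + 16]]
```

For a three-block message with a flipped bit in the first ciphertext block, `corrupted_blocks` reports [0, 1] for CBC (the garbled block plus the same bit in the next one) and [0] for counter mode.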