AES (Rijndael)

Date post: 05-Jan-2016
Page 1: AES (Rijndael)

AES (Rijndael)

Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001

Rijndael: variable block size; AES: fixed 128-bit block size

Page 2: AES (Rijndael)

Block cipher
◦ 128-bit blocks
◦ 128/192/256-bit keys

◦ Worldwide royalty-free
◦ More secure than Triple DES
◦ More efficient than Triple DES

Page 3: AES (Rijndael)

◦ Jan. 2, 1997 : Announcement of intent to develop AES and request for comments
◦ Sep. 12, 1997 : Formal call for candidate algorithms
◦ Aug. 20-22, 1998 : First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
◦ Mar. 22-23, 1999 : Second AES Candidate Conference, NY, USA
◦ Sep. 2000 : Final AES selection (Rijndael!)

Timeline figure: Jan. 1997 call for algorithms → Aug. 1998 AES1 (15 algorithms) → Mar. 1999 AES2 (5 algorithms selected) → Apr. 2000 AES3 → winner announced in Sep. 2000

Page 4: AES (Rijndael)

15 algorithms were proposed at the AES1 conference (figure).

Page 5: AES (Rijndael)

After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.

Cipher     Submitter                  Structure          Nonlinear Component
MARS       IBM                        Feistel structure  Sbox, DD-Rotation (data-dependent rotation)
RC6        RSA Lab.                   Feistel structure  Rotation
Rijndael   Daemen, Rijmen             SPN structure      Sbox
Serpent    Anderson, Biham, Knudsen   SPN structure      Sbox
Twofish    Schneier et al.            Feistel structure  Sbox

Page 6: AES (Rijndael)

Alg. (Round)      Structure   Rounds (Key size)   Type of Attack     Texts           Mem. Bytes   Ops
MARS              Feistel     11C                 Amp. Boomerang     2^65            2^70         2^229
(16 Core (C),                 16M, 5C             Diff. M-i-M        2^50            2^197        2^247
 16 Mixing (M))               16M, 5C             Amp. Boomerang     2^69            2^73         2^197
RC6 (20)          Feistel     14                  Stat. Disting.     2^118           2^112        2^122
                              12                  Stat. Disting.     2^94            2^42         2^119
                              15 (256)            Stat. Disting.     2^119           2^138        2^215
Rijndael          SPN         6                   Truncated Diff.    2^32            7*2^32       2^72
(10 (128),                    7                   Truncated Diff.    2^128 - 2^119   2^61         2^120
 12 (192),                    8 (256)             Truncated Diff.    2^128 - 2^119   2^101        2^204
 14 (256))                    9 (256)             Related Key        2^77            NA           2^224
Serpent (32)      SPN         8 (192,256)         Amp. Boomerang     2^113           2^119        2^179
                              6 (256)             Meet-in-Middle     512             2^246        2^247
                              6                   Differential       2^71            2^75         2^103
                              7 (256)             Differential       2^41            2^126        2^248
                              8 (192,256)         Boomerang          2^122           2^133        2^163
                              9 (256)             Amp. Boomerang     2^110           2^212        2^252
Twofish (16)      Feistel     6 (256)             Impossible Diff.   NA              NA           2^256

Page 7: AES (Rijndael)

Comparison (I): Encryption speed analysis by NIST (figure)

Page 8: AES (Rijndael)

Comparison (II): Java implementation by A. Sterbenz (Graz Univ.) (figure)

Page 9: AES (Rijndael)

Comparison (III): Smart card implementation by F. Sano (Toshiba) (figure)
* : omits the check for “weak” keys in the key schedule

Page 10: AES (Rijndael)

Comparison (IV): CMOS ASIC implementation by Ichikawa (Mitsubishi) (figure)

Page 11: AES (Rijndael)

Proposed by Joan Daemen and Vincent Rijmen (Belgium)

Design choices
– Square type
– Three distinct invertible uniform transformations (layers):
  Linear mixing layer : guarantees high diffusion
  Non-linear layer : parallel application of S-boxes
  Key addition layer : XOR the round key into the intermediate state
– Initial key addition, final key addition

Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
– Nb : number of columns of the state (4~8)
– Nk : number of columns of the cipher key (4~8)
– Nb is independent of Nk

Page 12: AES (Rijndael)

Figure: state array with Nb = 6 and key array with Nk = 4; table of the number of rounds (Nr) as a function of Nb and Nk

Page 13: AES (Rijndael)

Block size: 128 bit; key size: 128/192/256 bit

Component functions
◦ ByteSubstitution (BS): S-box
◦ ShiftRow (SR): circular shift
◦ MixColumn (MC): linear (branch number: 5)
◦ AddRoundKey (ARK): bit-wise key addition
Omit MC in the last round.

Figure: 4×4 byte array input → input whitening (bit-wise key addition) → round transformation (byte-wise substitution (BS), Shift-Row (SR), Mix-Column (MC), bit-wise key addition) → output transformation (BS, SR, ARK) → output

Page 14: AES (Rijndael)

Substitution-Permutation Network (SPN)
◦ (Invertible) nonlinear layer: confusion
◦ (Invertible) linear layer: diffusion

Branch number
◦ Measures the diffusion power of the linear layer
◦ Let F be a linear transformation on n words
◦ W(a): the number of nonzero words in a
◦ Branch number of F = min over a ≠ 0 of { W(a) + W(F(a)) }
◦ Rijndael: branch number = 5

Page 15: AES (Rijndael)

K-secure
◦ No shortcut attacks: no key-recovery attack faster than exhaustive key search
◦ No symmetry property such as the complementation property of DES
◦ No non-negligible classes of weak keys, as in IDEA
◦ No related-key attacks

Hermetic
◦ No weakness found that is not also present for the majority of block ciphers with the same block and key length

Rijndael is K-secure and hermetic

Page 16: AES (Rijndael)

ByteSubstitution
◦ S(x) = x^-1 in GF(2^8) over m(x) = x^8 + x^4 + x^3 + x + 1, with almost maximal nonlinearity

Shift Rows (figure)

Page 17: AES (Rijndael)

MixColumn (figure)

AddRoundKey (figure)

Page 18: AES (Rijndael)

Rijndael: Pseudo-Code

Round(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);
}

FinalRound(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
}

Rijndael(State, CipherKey) {
    KeyExpansion(CipherKey, ExpandedKey);
    AddRoundKey(State, ExpandedKey);
    For (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}
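As an added example (not code from the slides or from the Rijndael authors), the following assembles AES-128 from the pieces described on pages 16 to 18: the S-box from inversion in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (FIPS 197 follows the inversion with an affine map, which the slide leaves out), ShiftRow, the branch-number-5 MixColumn, and the Round / FinalRound / KeyExpansion structure of the pseudo-code. It is fixed to Nb = Nk = 4 and Nr = 10 and reproduces the FIPS 197 Appendix C.1 test vector.

```python
NB, NK, NR = 4, 4, 10  # AES-128: Nb = 4 state columns, Nk = 4 key columns, Nr = 10 rounds

def gf_mul(a, b):  # multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r
def sbox_entry(x):  # S(x) = affine(x^-1); x^-1 = x^254 in GF(2^8), and 0 maps to 0
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, x)
    y = inv  # FIPS 197 affine map: y = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63
    for i in range(1, 5):
        y ^= ((inv << i) | (inv >> (8 - i))) & 0xff
    return y ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]
# The state is 16 bytes in column-major order: byte (row r, column c) sits at index r + 4*c.
def sub_bytes(s):
    return [SBOX[b] for b in s]
def shift_rows(s):  # row r is rotated left by r bytes
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s):  # each column times the circulant matrix (02 03 01 01) over GF(2^8)
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3, a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3), gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out
def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def key_expansion(key):  # FIPS 197 Sec. 5.2, written for Nk = 4 (no extra SubWord step of Nk > 6)
    w = [list(key[4 * i:4 * i + 4]) for i in range(NK)]
    rcon = 1
    for i in range(NK, NB * (NR + 1)):
        t = w[i - 1]
        if i % NK == 0:  # RotWord, SubWord, then xor Rcon into the first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - NK], t)])
    return sum(w, [])

def rijndael_encrypt(block, key):  # the deck's pseudo-code: key addition, Nr-1 rounds, FinalRound
    ek = key_expansion(key)
    s = add_round_key(list(block), ek[:16])
    for i in range(1, NR):  # Round(State, ExpandedKey + Nb*i): ByteSub, ShiftRow, MixColumn, ARK
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), ek[16 * i:16 * i + 16])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), ek[16 * NR:]))  # FinalRound: no MixColumn
```

A single nonzero byte entering mix_columns leaves all four bytes of its column active, which is the branch number 5 of page 14 seen on one input.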

Page 19: AES (Rijndael)

Modes of Operation

Page 20: AES (Rijndael)

ECB (Electronic CodeBook) mode

Figure: i) Encryption C = EK(P); ii) Decryption P = DK(C); n-bit blocks in and out
If Ci = Cj then DK(Ci) = DK(Cj): equal ciphertext blocks reveal equal plaintext blocks

Page 21: AES (Rijndael)

CBC (Cipher Block Chaining)

Figure: encryption chains P1, P2, ..., Pl through E under key K starting from IV to give C1, C2, ..., Cl; decryption applies D under key K and XORs the previous ciphertext block
Ci = EK(Pi ⊕ Ci-1)
Pi = DK(Ci) ⊕ Ci-1
IV : Initialization Vector
- 2-block error propagation
- self-sync
- If |Pl| ≠ |P| (the last block is not a full block), padding req’d

Page 22: AES (Rijndael)

m-bit OFB (Output FeedBack)

Figure: I) Encryption: E under key K is iterated starting from IV, m bits of each output are fed back as the next input and XORed with Pi to give Ci; II) Decryption: the same keystream is XORed with Ci to recover Pi
Ci = Pi ⊕ O(EK)
Pi = Ci ⊕ O(EK)
- No error propagation
- Req’d external sync
- Stream cipher
- EK or DK (only one direction of the block cipher is needed)

Page 23: AES (Rijndael)

m-bit CFB (Cipher FeedBack)

Figure: I) Encryption: E under key K is applied to a shift register seeded with IV, m output bits are XORed with Pi to give Ci, and Ci is fed back into the register; II) Decryption: the same with Ci fed back to recover Pi
Ci = Pi ⊕ EK(Ci-1)
Pi = Ci ⊕ EK(Ci-1)
- Error propagation until the error disappears from the buffer
- self-sync
- EK or DK (only one direction of the block cipher is needed)

Page 24: AES (Rijndael)

Counter mode

Ci = Pi ⊕ EK(Ti)
Pi = Ci ⊕ EK(Ti)
Ti = ctr + i - 1 mod 2^m
|P|, |ctr| = m, parallel computation

Figure: encryption of P1, P2, ..., Pm-1 into C1, C2, ..., Cm-1 and decryption back, with EK applied to ctr, ctr+1, ..., ctr+m-1 in parallel

Page 25: AES (Rijndael)

CCM mode (Counter with CBC-MAC mode): Ctr + CBC
Authenticated encryption by producing a MAC as a part of the encryption process

Page 26: AES (Rijndael)

Use of modes
◦ ECB : key management; useless for file encryption
◦ CBC : file encryption; useful for MAC
◦ m-bit CFB : self-sync; impossible to use on a channel with low BER
◦ m-bit OFB : external sync; m = 1, 8 or n
◦ Ctr : secret ctr, parallel computation
◦ CCM : authenticated encryption
◦ Performance degradation / cost tradeoff
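To make the error-propagation and ECB remarks of pages 20 to 26 concrete, the following added example (not from the slides) implements ECB, CBC, full-block CFB, OFB and counter mode over a constructed toy block cipher (a 4-round SHA-256 Feistel network, a hypothetical stand-in for EK/DK, not AES), then flips one bit of a ciphertext block and counts how many decrypted plaintext blocks are damaged. The key, IV and plaintext blocks are constructed sample values.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):  # round function of the constructed Feistel toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def toy_encrypt(key, block):  # stand-in for EK: 4-round Feistel on 16-byte blocks, invertible, NOT AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r
def toy_decrypt(key, block):  # stand-in for DK: the same rounds in reverse order
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def ecb(key, iv, blocks, decrypt=False):  # Ci = EK(Pi): equal Pi give equal Ci
    return [(toy_decrypt if decrypt else toy_encrypt)(key, b) for b in blocks]
def cbc(key, iv, blocks, decrypt=False):  # Ci = EK(Pi xor Ci-1); Pi = DK(Ci) xor Ci-1
    out, prev = [], iv
    for b in blocks:
        out.append(xor(toy_decrypt(key, b), prev) if decrypt else toy_encrypt(key, xor(b, prev)))
        prev = b if decrypt else out[-1]
    return out
def cfb(key, iv, blocks, decrypt=False):  # Ci = Pi xor EK(Ci-1); only EK is needed
    out, prev = [], iv
    for b in blocks:
        out.append(xor(b, toy_encrypt(key, prev)))
        prev = b if decrypt else out[-1]
    return out
def ofb(key, iv, blocks, decrypt=False):  # Oi = EK(Oi-1), Ci = Pi xor Oi; same in both directions
    out, o = [], iv
    for b in blocks:
        o = toy_encrypt(key, o); out.append(xor(b, o))
    return out
def ctr(key, iv, blocks, decrypt=False):  # Ci = Pi xor EK(Ti), Ti = ctr + i; blocks are independent
    return [xor(b, toy_encrypt(key, (int.from_bytes(iv, "big") + i).to_bytes(16, "big"))) for i, b in enumerate(blocks)]

MODES = {"ecb": ecb, "cbc": cbc, "cfb": cfb, "ofb": ofb, "ctr": ctr}
KEY, IV = b"constructed-key!", bytes(range(16))  # constructed sample values, not from the slides
PT = [bytes([v]) * 16 for v in (7, 7, 9, 9)]    # plaintext blocks 1 == 2 and 3 == 4 on purpose

def corrupted_blocks(mode):  # flip one bit of C2, decrypt, count plaintext blocks that differ
    ct = MODES[mode](KEY, IV, PT)
    ct[1] = bytes([ct[1][0] ^ 0x80]) + ct[1][1:]
    return sum(p != q for p, q in zip(PT, MODES[mode](KEY, IV, ct, decrypt=True)))
def equal_ciphertext_pairs(mode):  # equal plaintext pairs that are still equal as ciphertext
    ct = MODES[mode](KEY, IV, PT)
    return int(ct[0] == ct[1]) + int(ct[2] == ct[3])
```

corrupted_blocks returns 1 for ecb, ofb and ctr and 2 for cbc and cfb, matching the "2 block error prop." and "no error prop." notes above, while equal_ciphertext_pairs("ecb") is 2 and every other mode gives 0.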
