Post on 01-Jan-2016
Rijndael Advanced Encryption Standard

Overview
- Definitions
- Who created Rijndael and the reason behind it
- Algorithm breakdown
- Attacks on AES/Rijndael

Definitions
- Block cipher
  - Consists of two paired algorithms, one for encryption, $E$, and another for decryption, $E^{-1}$. Both algorithms accept two inputs: an Nb-bit input block and an Nk-bit key.
- Iterated block cipher
  - Constructed by composing several simpler functions.
  - Each iteration is termed a round, and there are rarely fewer than 4 or more than 64 of them.
- Galois field (GF)
  - A field that contains only finitely many elements.
  - The order of a finite field is always a prime or a power of a prime.

Who created Rijndael and why?
- Designed by Joan Daemen and Vincent Rijmen as a candidate for the Advanced Encryption Standard.
- Joan Daemen and Vincent Rijmen also designed block cipher.
- The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.

Who created Rijndael and why? (cont.)
- 3 design goals
  - Resistance against known attacks
  - Speed and code compactness on a variety of platforms
  - Design simplicity

Algorithm breakdown: Description
- Variable block lengths and key lengths supported: 128, 192, 256
- The number of columns in the state and round key arrays depends on the sizes

Algorithm breakdown: Round transformation
- Step 1: ByteSub Transformation
- Step 2: ShiftRow Transformation
- Step 3: MixColumn Transformation
- Step 4: Round Key Addition
- Final round is a little different because it removes the MixColumns step.

Algorithm breakdown: Step 1: ByteSub Transformation
- Each byte of the block is replaced by its substitute in an S-box.
- Each byte is treated independently
- Single S-box is used for the entire state

Algorithm breakdown: Step 2: ShiftRow Transformation
- Each row of the state is shifted cyclically a certain number of steps.
- No two rows are shifted by the same number of steps.

Algorithm breakdown: Step 3: MixColumn Transformation
- State columns are treated as polynomials over GF($2^8$)
- Each column is multiplied modulo $x^4 + 1$ by a fixed polynomial $c(x) = \texttt{03}\,x^3 + \texttt{01}\,x^2 + \texttt{01}\,x + \texttt{02}$

Algorithm breakdown: Step 4: Round Key Addition
- XOR round key with state
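
The four round steps and the shortened final round, written out as an added Python example (not part of the original slides). It assumes Nb = 4 (a 128-bit block), builds the S-box from its standard construction (inverse in GF(2^8) followed by an affine map), and takes its sample input from the FIPS-197 Appendix C.1 test vector.

```python
# Added example: one Rijndael round for Nb = 4; state = 16 bytes, index = row + 4*column.
def xtime(a):
    """Multiply by `02` in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(x):
    """S-box value: inverse in GF(2^8) (x^254, 0 -> 0), then the affine map."""
    inv = 1
    for _ in range(254):
        inv = gmul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]  # one S-box for the whole state

def byte_sub(s):
    return [SBOX[b] for b in s]  # every byte substituted independently
def shift_row(s):
    # Row r rotates left by r columns: offsets 0, 1, 2, 3, all different.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_column(s):
    # Each column times c(x) = 03 x^3 + 01 x^2 + 01 x + 02, modulo x^4 + 1.
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(2, a[r]) ^ gmul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4]
                ^ a[(r + 3) % 4] for r in range(4)]
    return out
def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def round_transform(s, k, final=False):
    s = shift_row(byte_sub(s))
    if not final:  # the final round leaves MixColumn out
        s = mix_column(s)
    return add_round_key(s, k)

# Sample input: round-1 state and round key of the FIPS-197 Appendix C.1 vector.
STATE = list(bytes.fromhex("00102030405060708090a0b0c0d0e0f0"))
ROUND_KEY_1 = list(bytes.fromhex("d6aa74fdd2af72fadaa678f1d6ab76fe"))
```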

Attacks on AES/Rijndael
- Algebraic attacks
  - People have shown Rijndael can be written as an overdefined system of multivariate quadratic equations.
  - In a paper published at Eurocrypt 2000, Shamir describes an algorithm called XL that can efficiently solve many such systems of equations.
  - However, this fails miserably.
  - For 128-bit Rijndael, the problem of recovering the secret key from one single plaintext can be written as a system of 8000 quadratic equations with 1600 binary unknowns.

Attacks on AES/Rijndael (cont.)
- Nicolas Courtois and Josef Pieprzyk investigate how to improve XL and adapt it to such special systems. They propose a new class of attacks, called XSL attacks.
- Ciphers like Rijndael were referred to as XSL ciphers, because their rounds are composed of the XOR of key material, a nonlinear substitution provided by an S-box, and a linear diffusion stage.

Attacks on AES/Rijndael (cont.)
- Assuming that one could build a machine that could recover a DES key in a second (i.e., try $2^{55}$ keys per second), then it would take that machine approximately 149 trillion years to crack a 128-bit AES key.