Rijndael Rijndael Advanced Encryption StandardAdvanced Encryption Standard

OverviewOverview

DefinitionsDefinitionsWho created Rijndael and the reason Who created Rijndael and the reason

behind itbehind itAlgorithm breakdownAlgorithm breakdownAttacks on AES/RijndaelAttacks on AES/Rijndael

DefinitionsDefinitions Block cipherBlock cipher

Consists of two paired algorithms, one for encryption, Consists of two paired algorithms, one for encryption, EE, and another for decryption, , and another for decryption, E-1E-1. Both algorithms . Both algorithms accept two inputs: an accept two inputs: an NbNb-bit input block and a -bit input block and a NkNk-bit -bit key.key.

Iterated block cipherIterated block cipher Constructed by composing several simpler functions. Constructed by composing several simpler functions.

Each iteration is termed a Each iteration is termed a roundround, and there are rarely , and there are rarely less than 4 or more than 64 of them.less than 4 or more than 64 of them.

The Galois Fields (GF)The Galois Fields (GF) A field that contains only finitely many elements. The A field that contains only finitely many elements. The

order of a finite field is always a prime or a power of a order of a finite field is always a prime or a power of a prime prime

Who created Rijndael and why?Who created Rijndael and why?

Designed by Joan Daemen and Vincent Designed by Joan Daemen and Vincent Rijmen as a candidate for the Advanced Rijmen as a candidate for the Advanced Encryption Standard.Encryption Standard.

Joan Daemen and Vincent Rijmen also Joan Daemen and Vincent Rijmen also designed block cipher.designed block cipher.

The algorithm must implement symmetric The algorithm must implement symmetric key cryptography as a block cipher and (at key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits. and key sizes of 128, 192, and 256 bits.

Who created Rijndael and why?Who created Rijndael and why?(cont.)(cont.)

3 design goals3 design goalsResistance against know attacksResistance against know attacksSpeed and code compactness on a variety of Speed and code compactness on a variety of

platformsplatformsDesign simplicityDesign simplicity

Algorithm breakdownAlgorithm breakdownDescriptionDescription

Variable block lengths and key lengths supportedVariable block lengths and key lengths supported 128, 192, 256128, 192, 256

Number of columns in the state and round key arrays Number of columns in the state and round key arrays depend on the sizesdepend on the sizes

Algorithm breakdownAlgorithm breakdownRound transformationRound transformation

Step 1: ByteSub TransformationStep 1: ByteSub TransformationStep 2: ShiftRow TransformationStep 2: ShiftRow TransformationStep 3: MixColumn TransformationStep 3: MixColumn TransformationStep 4: Round Key AdditionStep 4: Round Key Addition

Final round is a little different because it Final round is a little different because it removes the MixColumns step.removes the MixColumns step.

Algorithm breakdownAlgorithm breakdown

Algorithm breakdownAlgorithm breakdownStep 1: ByteSub TransformationStep 1: ByteSub Transformation

Each byte of the block is replaced by its Each byte of the block is replaced by its substitute in an S-box. substitute in an S-box.

Each byte is treated independentlyEach byte is treated independently Single S-box is used for the entire stateSingle S-box is used for the entire state

Algorithm breakdownAlgorithm breakdownStep 2: ShiftRow TransformationStep 2: ShiftRow Transformation

Each row of the state is shifted cyclically a Each row of the state is shifted cyclically a certain number of steps. certain number of steps. The number a row is shifted can’t be the same.The number a row is shifted can’t be the same.

Algorithm breakdownAlgorithm breakdownStep 3: MixColumn TransformationStep 3: MixColumn Transformation

State columns are treated as polynomials over State columns are treated as polynomials over GF(2GF(288))

Each column is multiplied by modulo xEach column is multiplied by modulo x44 + 1 by a + 1 by a fixed polynomial c(x) = `03` xfixed polynomial c(x) = `03` x33 + `01` x + `01` x22 + `01`x + + `01`x + `02``02`

Algorithm breakdownAlgorithm breakdownStep 4: Round Key AdditionStep 4: Round Key Addition

XOR round key with stateXOR round key with state

Attacks on AES/RijndaelAttacks on AES/Rijndael

Algebraic attacks Algebraic attacks People have shown Rijndael can be written as an People have shown Rijndael can be written as an

over defined system of multivariate quadratic over defined system of multivariate quadratic equations equations

Paper published at Eurocrypt 2000 Shamir describe Paper published at Eurocrypt 2000 Shamir describe an algorithm called XL able to solve efficiently many an algorithm called XL able to solve efficiently many such systems of equations.such systems of equations.

However this fails miserably However this fails miserably 128-bit Rijndael, the problem of recovering the secret 128-bit Rijndael, the problem of recovering the secret

key from one single plaintext can be written as a key from one single plaintext can be written as a system of 8000 quadratic equations with 1600 binary system of 8000 quadratic equations with 1600 binary unknowns. unknowns.

Attacks on AES/RijndaelAttacks on AES/Rijndael(cont.)(cont.)

Nicolas Courtois and Josef Pieprzyk Nicolas Courtois and Josef Pieprzyk investigate how to improve XL and adapt it investigate how to improve XL and adapt it to such special systems. They propose a to such special systems. They propose a new class of attacks, attack, called XSL new class of attacks, attack, called XSL attacks. attacks. Ciphers like Rijndael were referred to as XSL Ciphers like Rijndael were referred to as XSL

ciphers, because their rounds are composed ciphers, because their rounds are composed of the XOR of key material, a nonlinear of the XOR of key material, a nonlinear substitution provided by an S-box, and a substitution provided by an S-box, and a linear diffusion stage. linear diffusion stage.

Attacks on AES/RijndaelAttacks on AES/Rijndael(cont.)(cont.)

Assuming that one could build a machine Assuming that one could build a machine that could recover a DES key in a second that could recover a DES key in a second (i.e., try 2(i.e., try 25555 keys per second), then it would keys per second), then it would take that machine approximately 149 take that machine approximately 149 trillion years to crack a 128-bit AES key. trillion years to crack a 128-bit AES key.