a simple algebraic representation of rijndael
DESCRIPTION
A simple algebraic representation of Rijndael. Niels Ferguson Richard Schroeppel Doug Whiting. I am biased. I’m one of the designers of Twofish, an AES finalist that lost to Rijndael in the AES competition. I spent several month attacking Rijndael. The finite field GF(2 8 ). - PowerPoint PPT PresentationTRANSCRIPT
1
A simple algebraic representation of Rijndael
Niels FergusonRichard Schroeppel
Doug Whiting
2
I am biased
• I’m one of the designers of Twofish, an AES finalist that lost to Rijndael in the AES competition.
• I spent several month attacking Rijndael.
3
The finite field GF(28)
• It is a field: you can add, subtract, multiply, and divide.
• There are 28 = 256 elements.
• Field addition is the XOR operation.
• Multiplication is similar to modular multiplication, without any carries.
4
Squaring in GF(28)
We all know that
(a + b)2 = a2 + ab + ab + b2
but as addition in GF(28) is a XOR we get
(a + b)2 = a2 + b2
This is known as the Freshman’s Dream.
Squaring is a bit-linear operation!
5
The MixColumn operation
Matrix multiplication: each output byte is a linear combination of input bytes.
b0 = 2a0 + 3a1 + a2 + a3
b1 = a0 + 2a1 + 3a2 + a3
b2 = a0 + a1 + 2a2 + 3a3
b3 = 3a0 + a1 + a2 + 2a3
6
S-box has three layers
• Inversion in the field GF(28).
• Bit-linear function (each output bit is the sum of some input bits).
• Addition of a constant.
7
Bit-linear functions in GF(28)
• Any bit-linear function in GF(28) can be written as
ax128+bx64+cx32+dx16+ex8+fx4+gx2+hx
• Squaring is bit-linear, so all polynomials of this form are bit-linear.
• There are 264 polynomials of this form, and 264 bit-linear functions.
8
Rewriting the S-box
• The constant can be moved into the key schedule.
• We can rewrite the S-box as
7
02
7
0
21
)(d
d
dd d
d
x
w
xwxS
9
Combined S-box and MixColumn
• MixColumn:
• Combined:
3
0,
eeeii amb
de e
dei
e d e
deii
d
d
a
w
a
wmb
,2
,,
3
0
7
02,
)(
10
One round
11
1
1111
11
,2
,)0(
,
,,)1(,
)2(,
)(de jeejee
deijiji d
pk
wka
Can be written as:
or
11 ,**
*)2(
, )(deji pK
CKa
11
Four rounds
44
33
22
11
,
,
,
,**
*
**
**
**
)5(,
de
de
de
de
ji
pKC
K
CK
CK
CKa
12
Conclusions
• Rijndael depends on a new complexity assumption:
You cannot solve equations of this form efficiently in GF(28).
• We have no idea how hard this problem is.
13
Which block cipher to choose
• Rijndael/AES: fast, available, and the safe choice (for your career).
• Serpent: built like a tank, but slow
• Twofish: most of the security of Serpent, with most of the speed of Rijndael.