códigos y criptografía francisco rodríguez henríquez the advanced encryption standard (rijndael)

Códigos y Criptografía Francisco Rodríguez Henríquez

The Advanced Encryption Standard (Rijndael)


1. Old standard insecure against brute-force attacks

2. Straightforward fixes lead to inefficientTriple DES

3. implementations4. New trends in fast software encryption

• use of basic instructions of the microprocessor

5. New ways of assessing cipher strength• differential cryptanalysis• linear cryptanalysis

AES: Why a new Standard?


• Speed-up the acceptance of the standard

• Small number of specialists in the open research

• Focus the effort of cryptographic community

• Stimulate the research on methods of constructing

• secure ciphers

• Avoid backdoor theories

AES: Why a Contest?


AES: General Form


Each team submits:

• Detailed cipher description

• Justification of design decisions

• Tentative results of cryptanalysis

• Source code in C

• Source code in Java

• Test vectors

AES: Rules of the Game


Round 1, June 1998: 15 Candidatesfrom USA, Canada, Belgium, France, Germany, Norway,

UK, Isreal, Korea, Japan, Australia, Costa Rica.Security, Software efficiency

Round 2, August 1999:5 final candidatesMars, RC6, Rijndael, Serpent, TwofishSecurity, Hardware efficiency

October 20001 winner: RijndaelBelgium

AES: Candidates


USA: Mars, RC6, Twofish, Safer+, HPCCanada: CAST-256, DealCosta Rica: FrogAustralia: LOKI97Japan: E2Korea: CryptonBelgium: RijndaelFrance: DFCGermany: MagentaIsrael, GB, Norway: Serpent

America (8) Europe (4) Asia (2)Australia (1)

AES: Candidates


Survey filled by 104 participants of theSecond AES Conference in Rome, March 1999Middle-of-the-Road7. CAST-256 -28. Safer+ -49. DFC -5Mild NO 10. Crypton -15Overwhelming NO11. DEAL -7012. HPC -7713. Magenta -8314. Loki97 -8515. Frog -85

AES: Candidates


Survey filled by 104 participants of the

Second AES Conference in Rome, March 1999

Overwhelming YES:

1. Rijndael +76

2. RC6 +73

3. Twofish +61

4. Mars +52

5. Serpent +45

Mild YES

6. E2 +14

AES: Candidates


USA

Mars - IBM

C. Burwick, D. Coppersmith, E. D’Avignon,

R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,

L. O’Connor, M. Peyravian, D. Safford,

N. Zunic

RC6 - RSA Data Security, Inc.

R. Rivest - MIT

M. Robshaw, R. Sidney, Y. L. Yin - RSA

Twofish - Counterpane Systems

B. Schneier, J. Kelsey, C. Hall, N. Ferguson

- Counterpane, D.Whiting - Hi/fn,

D. Wagner - Berkeley

AES: Final 5


Europe

Rijndael - J. Daemen, V. Rijmen

Katholieke Universiteit Leuven

Belgium

Serpent - R. Anderson, Cambridge, England

E. Biham - Technion, Israel

L. Knudsen, University of Bergen, Norway

AES Finalists (2)

AES: Final 5


RC6—The elegant AES choice

Ron Rivest [email protected]

Matt Robshaw [email protected]

Yiqun Lisa Yin [email protected]


RC6 is the right AES choice

• Security• Performance• Ease of implementation• Simplicity• Flexibility


RC6 is simple: only 12 lines

B = B + S[ 0 ]D = D + S[ 1 ]for i = 1 to 20 do { t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A t ) <<< u ) + S[ 2i ] C = ( ( C u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) }A = A + S[ 42 ]C = C + S[ 43 ]


Simplicity

• Facilitates and encourages analysis– allows rapid understanding of security– makes direct analysis straightforward

(contrast with Mars and Twofish)• Enables easy implementation

– allows compilers to produce high-quality code

– obviates complicated optimizations– provides good performance with

minimal effort


RC6 key schedule is rock-solid

• Studied for more than six years• Secure

– thorough mixing – one-way function – no key separation (cf. Twofish)– no related-key attacks (cf. Rijndael)


Original analysis still accurate

• RC6 meets original design criteria• Security estimates from 1998 still

good today; independent analyses supportive.

• Secure, even in theory, even with analysis improvements far beyond those seen for DES during its lifetime

• RC6 provides a solid, well-tuned margin for security


How do we grade candidates?

• Security (corroborated)• Performance (speed+memory)

– 32-bit (30%)– Java (20%)– DSP (15%)– 64-bit (15%)– Hardware (15%)– 8-bit (5%)

• Ease of implementation• Simplicity• FlexibilityOverall: 40/25/15/10/10


Conclusions

• RC6 is a simple yet remarkably strong cipher– good performance on most important platforms– simple to code for good performance – excellent flexibility– the most studied finalist– the best understood finalist

• RC6 is the secure and “elegant” choice for the AES


(The End)


AES: Performance Evaluation


Serpent [2]

Pluses:

• large security margin

• cryptanalytical reputation of authors

• conservative construction

• very fast in hardware

Minuses:

• slow in software

• moderate flexibility

AES: Summary of Final-5 Evaluation


Rijndael [1]

Pluses:

• fastest in hardware

• close to the fastest in software

• security margin

• novel ideas

• very high flexibility

Minuses:

• security margin



Twofish

Pluses:

• good security margin

• fast encryption/decryption in software

• US

• strongly advertized

Minuses:

• moderately fast in hardware

• slow key setup in software

• moderate flexibility



• Designed by Joan Daemen and Vincent Rijmen (from

Leuven Belgium)

• Based upon the Square Cipher

• 3 Design Goals:

1. Resistance against known attacks

2. Speed and code compactness on a variety of

platforms

3. Design simplicity

Rijndael OverView


¥ Rijndael/AES Designed by:

Joan Daemen, Proton World International

Vincent Rijmen, Katholique Universiteit Lueven

Block cypher

Symmetric key

Arithmetic based in the Galois Field GF(28)

Fast and scalable

Resistant to all known cryptanalysis attacks

Rijndael OverView


Dr. Vincent Rijmen


Rijndael

• The block cipher Rijndael is designed to use only

simple whole-byte operations. Also, it provides

extra flexibility over that required of an AES

candidate, in that both the key size and the block

size may be chosen to be any of 128, 192, or 256

bits.


• Rijndael is not a Feistel cipher

3 distinct invertible layers per round

Encryption and decryption algorithms are different

• Rijndael uses the Wide Trail Strategy

1. Non-linear layer (confusion)

2. Linear mixing layer (diffusion)

3. Key addition layer

Rijndael OverView


• State and Round Key representations

• The State is the intermediate cipher result

• Both the State and the Round Key are interpreted as

rectangular arrays of bytes

• Number of columns in the State and Round Key

arrays depend on block and key sizes, respectively

Rijndael OverView


• Rijndael is a block cipher that encrypts and decrypts

128, 192, and 256 bit blocks, using 128, 192, and 256

byte keys in any combination. The block is considered

to be structured as 4, 6, or 8 columns of 4 bytes,

depending on block size.

Rijndael OverView


• During an early stage of the AES process, a draft

version of the requirements would have required

each algorithm to have three versions, with both the

key and block sizes equal to each of 128, 192, and

256 bits. This was later changed to make the three

required versions have those three key sizes, but

only a block size of 128 bits, which is more easily

accommodated by many types of block cipher

design.

Rijndael


• The original description of Rijndael is available at: http://

www.esat.kuleuven.ac.be/~rijmen/rijndael/.

• However, the variations of Rijndael which act on larger

block sizes apparently will not be included in the actual

standard, on the basis that the cryptanalytic study of Rijndael

during the standards process primarily focused on the

version with the 128-bit block size.

• Rijndael is a relatively simple cipher in many respects.

Rijndael


Rijndael: Number of Rounds

• Rijndael has a variable number of rounds. The number of

rounds in Rijndael is:

1. 10 if both the block and the key are 128 bits long.

2. 12 if either the block or the key is 192 bits long, and

neither of them is longer than that.

3. 14 if either the block or the key is 256 bits long.


Each round consists of 4 steps

• Step 1: ByteSub Transformation (Confusion)

• Step 2: ShiftRow Transformation (Diffusion)

• Step 3: MixColumn Transformation (Diffusion)

• Step 4: Round Key Addition

• Final round slightly different from other rounds

Rijndael OverView


The basic operations applied to the block are:

1) ByteSub: Applying an S-box (substituting each

byte with another, based on an equation in GF(2^8));

2) ShiftRow: Shifting the rows in a circular way, the

amount of shift (0, 1, 2, 3, or 4 bytes) depending on the

position from the top and on the block size,

Rijndael OverView


3) MixColumn: Mixing the 4, 6, or 8 columns vertically

by taking invertible linear combinations (in GF(2^8) of

the elements in each column and;

4) Round Key Addition: XORing each byte with a round

key (done before the first round for “whitening,” and

again at the end of each round),

Rijndael OverView


Rijndael: Algorithm

– Rijndael CypherAES(data_block, key)

{in State, RoundKeys

State State xor RoundKey0

for Round = 1 to Nr

SubBytes(State)

ShiftRow (State)

If not(last Round) then MixColumn(State)

State State xor RoundKeyRound

out State }


Rijndael: Sequence of Operations

•The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael is:

ARK BSB, SR, MC, ARK; BSB, SR, MC, ARK; BSB, SR, MC, ARK; .....BSB, SR, MC, ARK; BSB, SR, ARK;

9 of them!!



Where:ARK = Add Round KeyBSB = Byte Sub BlockSR = Shift Row MC = Mix Column


Rijndael


Rijndael: two-Dimensions Scheme


Rijndael: Block Representation

Rijndael considers a 128-bit block grouped into 16 bytes of 8

bits each. Let us call each of these 16 bytes as, b15 b14 b13…

b2 b1 b0. Rijndael deals with this block as bytes arranged into

a 4*4 matrix,

151173

141062

13951

12840

bbbb

bbbb

bbbb

bbbb


Rijndael: Round’s Steps

• In the Byte Sub step each byte of the block is replaced by its substitute in an S-box.

151173

141062

13951

12840

151173

141062

13951

12840

bSbSbSbS

bSbSbSbS

bSbSbSbS

bSbSbSbS

bbbb

bbbb

bbbb

bbbb


S-Box: Look-up Table method

• Write a byte as 8 bits: x7 x6 x5 x4

x3 x2 x1 x0. Look for the entry in

the x7 x6 x5 x4 row and x3 x2 x1 x0

column.


Rijndael: S-Box

99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118 202 130 201 125 250 89 71 240 173 212 162 175 156 164 114 192 183 253 147 38 54 63 247 204 52 165 229 241 113 216 49 21 4 199 35 195 24 150 5 154 7 18 128 226 235 39 178 117 9 131 44 26 27 110 90 160 82 59 214 179 41 227 47 132 83 209 0 237 32 252 177 91 106 203 190 57 74 76 88 207 208 239 170 251 67 77 51 133 69 249 2 127 80 60 159 168 81 163 64 143 146 157 56 245 188 182 218 33 16 255 243 210205 12 19 236 95 151 68 23 196 167 126 61 100 93 25 115 96 129 79 220 34 42 144 136 70 238 184 20 222 94 11 219224 50 58 10 73 6 36 92 194 211 172 98 145 149 228 121231 200 55 109 141 213 78 169 108 86 244 234 101 122 174 8186 120 37 46 28 166 180 198 232 221 116 31 75 189 139 138112 62 181 102 72 3 246 14 97 53 87 185 134 193 29 158225 248 152 17 105 217 142 148 155 30 135 233 206 85 40 223140 161 137 13 191 230 66 104 65 153 45 15 176 84 187 22


Rijndael: Round’s Steps

• The specification for Rijndael only provided an explanation of

how the S-box was calculated: the first step was to replace

each byte with its reciprocal in the same GF(28) as used below

in the Mix Column step, except that 0, which has no

reciprocal, is replaced by itself (since it isn't anything's

reciprocal either, it is the only value not used, so that makes

sense) then a bitwise modulo-two matrix multiply was used,

and finally the hexadecimal number 63 is XORed with the

result.


Rijndael: ByteSub Step

¥ S-Box ArithmeticElements in ¥ G := GF(28, 1++3+4+8 )

nhex nbin (polynomial with nÕs bits for coeffs)Arithmetic in 2 (+/*), then mod by 1++3+4+8

polynomial nbin nhex

ByteSub(x) = A Mx-1 + 63hex

Precompute and use look-up table


The Construction of the S-Box

• Although the S-box is implemented as a lookup

table, it has a simple mathematical description.

• Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where each xi is a

binary bit. Compute its inverse in GF(28). If the byte

is 0, use the same 0 as its inverse.



• The resulting byte y7 y6 y5 y4 y3 y2 y1 y0 represents an 8-

dimensional column vector, with the rightmost bit y0

in the top position. Multiply by a matrix and add the

column vector (1, 1, 0, 0, 1, 1, 0) to obtain a vector z7

z6 z5 z4 z3 z2 z1 z0 as shown in the next slide:



7

6

5

4

3

2

1

0

7

6

5

4

3

2

1

0

0

1

1

0

0

0

1

1

11111000

01111100

00111110

00011111

10001111

11000111

11100011

11110001

z

z

z

z

z

z

z

z

y

y

y

y

y

y

y

y



• For example, start with the byte 11001011 = CB. Its inverse in GF(28) is 00000100 = 04, then:

0

0

0

1

1

1

1

1

0

1

1

0

0

0

1

1

0

0

0

0

0

1

0

0

11111000

01111100

00111110

00011111

10001111

11000111

11100011

11110001



• This yields the byte 00011111 = 1F. Note that the

input vector was 11001011. The 4 MSBs of the input

vector are thus 1100 and this gives us the 13th row in

the S-Box. Similarly, 1011 yields us the 14th column

in the S-Box. By checking the S-box we see that

indeed 31 = 1F is the corresponding entry in the S-

Box as claimed.


Rijndael: Shift Row Step

Next is the Shift Row step. Considering the 128-bit block grouped

into 16 bytes of 8 bits each, call them, b15 b14 b13… b2 b1 b0.

these bytes are arranged into a 4*4 matrix, and shifted as follows:


Rijndael: Shift Row Step

Blocks that are 192 and 256 bits long are shifted like this:

from to

1 5 9 13 17 21 1 5 9 13 17 21

2 6 10 14 18 22 6 10 14 18 22 2

3 7 11 15 19 23 11 15 19 23 3 7

4 8 12 16 20 24 16 20 24 4 8 12

from to

1 5 9 13 17 21 25 29 1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2

3 7 11 15 19 23 27 31 15 19 23 27 31 3 7 11

4 8 12 16 20 24 28 32 20 24 28 32 4 8 12 16


Rijndael: Mix Column step

• Next comes the Mix Column step. Matrix multiplication is

performed: each column, in the arrangement we have seen

above, is multiplied by the matrix:

2 3 1 1

1 2 3 1

1 1 2 3

3 1 1 2

• However, this multiplication is done over GF(28). This means

that the bytes being multiplied are treated as polynomials

rather than numbers.



• GF(28)The Galois Field with 28 elements is the Finite Field

GF(28)=Z2[x]/m(x)

where m is irreducible in Z2[x] and has degree 8.

Rijndael chooses m(x) = 1 + x + x3 + x4 + x8



• If the result has more than 8 bits, the extra bits are not

simply discarded: instead, they're cancelled out by XORing

the binary 9-bit string 100011011 with the result (shifted

right if necessary). This string stands for the generating

polynomial of the particular version of GF(2^8) used by

Rijndael.



For example, multiplying the binary string 11001010 by 3 within this Galois Field works like this:

11001010 11 -------------- 11001010 11001010 --------------- 101011110 (XOR instead of addition) 100011011 (this is XORed, instead of subt. 256)

-------------- 1000101



MixColumn ArithmeticMixColumn is equivalent to

with arithmetic in GF( 28 ).


Rijndael: Add Round Key

The final step is Add Round Key. This simply XORs in the subkey for the current round.


Rijndael: Key Schedule

Round keys extracted from the cipher key in two steps:

1. Initial key expansion

• First bits of the expanded key are set to the bits of the

cipher key

• Remaining bits calculated recursively as a non-linear

function of the previous bits of the expanded key

2. Round key selection from expanded key


• The original key consists of 128 bits, which are arranged

into a 4*4 matrix of bytes. This matrix is expanded by

adjoining 40 more columns, as follows.

• Label the first four columns W(0), W(1), W(2), W(3).

The new columns are generated recursively. Suppose

columns up through W(i-1) have been defined. If i is not

a multiple of 4, then form the new column as,

W(i) = W(i-4)W(i-1).



• If i is a multiple of 4, then

W(i) = W(i-4)T(W(i-1)),

Where T(W(i-1)) is the transformation of W(i-1) as follows.

Let the elements of the columns are w0 w1 w2 w3. Shift

these cyclically to obtain w1 w2 w3 w0. Then replace each of

these bytes with the corresponding element in the S-box

from the ByteSub step, to get 4 bytes y0 y1 y2 y3.




• Finally compute the round constant

In GF(28). Recall that we are in the case where i is a multiple

of 4. Then T(W(i-1)) is the column vector

(y0 r(i), y1 y2 y3)

4

4

00000010

i

ir



• In this way, columns W(4),…,W(43) are

generated from the initial four columns. The

round key for the ith round consists of the

columns:

W(4i), W(4i+1), W(4i+2), W(4i+3.)


•Because it begins and ends with an ARK (Add Round

Key) step, there is no wasted unkeyed step at the

beginning or end. The sequence of operations is important

for facilitating decipherment, as well.

•Although the sequence is not symmetrical, the order of

some of the steps in Rijndael could be changed without

affecting the cipher. The Byte Sub step could just as easily

be done after the Shift Row step as before it.



• For keys 128 and 192 bits in length, the subkey material,

which consists of all the round keys in order, consists of the

original key, followed by stretches, each the length of the

original key, consisting of four-byte words such that each

word is the XOR of the preceding four-byte word and either

the corresponding word in the previous stretch or a function

of it.



• For the first word in a stretch, the word is first

rotated one byte to the left, and then its bytes are

transformed using the S-box from the Byte Sub step,

and then a round-dependent constant is XORed to its

first byte.



• The round constants are:

1 2 4 8 16 32 64 128

27 54 108 216 171 77 154 47

94 188 99 198 151 53 106 212

179 125 250 239 197 145 57 114

228 211 189 97...



Rijndael: Decryption

Inverse Cypher:

• Reverse Steps

• Use Keys in Reverse Order

• ByteSub and ShiftRow Commute

• MixColumn Matrix is Invertible



1. The inverse of ByteSub is another lookup

table, called InvByteSub.

2. The inverse of ShiftRow is obtained by

shifting the rows to the right instead of to

the left, yielding InvShiftRow.



3. The inverse of MixColumn exists because the 4*4 matrix used in

MixColumn is invertible. The transformation InvMixColumn is given

by multiplication by the matrix

EDB

BED

DBE

DBE

9

9

9

9


Rijndael: Sequence of Operations for Encryption

•The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael is:

ARK BSB, SR, MC, ARK; BSB, SR, MC, ARK; BSB, SR, MC, ARK; .....BSB, SR, MC, ARK; BSB, SR, ARK;

9 of them!!



Where:ARK = Add Round KeyBSB = Byte Sub BlockSR = Shift Row MC = Mix Column



4. AddRoundKey is its own inverse.

Hence to decrypt we have to perform the following steps:

ARK, ISR, IBS

ARK, IMC, ISR, IBS;

ARK, IMC, ISR, IBS;

.....

ARK, IMC, ISR, IBS;

ARK;



• However, we would like to rewrite this decryption in

order to make it look more like encryption. We make the

following observations:

I. The order of BS and the SR operations are exchangable

(why??).

II. We also would like to reverse the order of ARK and

IMC but this is not possible.Instead we proceed as

follows:



• Where (mi,j) is the 4*4 matrix in MixColumn and (ki,j)

is the round key matrix. The inverse is obtained by

solving for (ci,j) in terms of

(ei,j), namely,

.,,,,,,, jijijijijijiji kcmecmc

jie ,

.,,,, jijijiji kcme

.,1

,,1

,, jijijijiji kmemc



Therefore the decryption process to follow is:

The first arrow is simply InvMixColumn applied to (ei,j). If

we let InvAddRoundKey be XORing with (k’i,j), then

we have that the inverse of “MC then ARK” is “IMC

then IARK”.

jijiji

jijijijijiji

kmk

kememe

,1

,,

,,1

,,1

,,

Where

,



We now see that decryption is given by:

ARK, IBS, ISR

IMC, IARK, IBS, ISR;


.....


ARK.

Summarizing we have the following procedures to perform

encryption/decryption with Rijndael algorithm:


Rijndael: Encryption

1. ARK using the 0th key.

2. Nine rounds of BS, SR, MC, ARK using round keys 1

to 9.

3. A final round: BS, SR, ARK, using the 10th round key.



1. ARK using the 10th key.

2. Nine rounds of IBS, ISR, IMC, IARK using round

keys 9 to 1.

3. A final round: IBS, ISR, ARK, using the 0th round key.


Rijndael: Why MixColumn is omitted in the last round?

• Suppose MixColumn had been left in. Then the

encryption would start ARK, BS, SR, MC, ARK, …,

and it would end ARK, BS, SR, MC, ARK. Therefore,

the beginning o fthe decryption would be (after the

reorderings) IMC, IARK, IBS, ISR, …. This means the

decryption would have an unnecessary IMC at the

beginning.



• Another way to look at encryption is that there is an

initialARK, then a sequence of alternating half rounds

(BS, SR), (MC, ARK), (BS, SR),…, (MC, ARK), (BS, SR),

followed by a final ARK.

• The decryption is ARK, followed by a sequence of

alternating half rounds:

(IBS, ISR), (IMC, IARK), (IBS, ISR),…, (IMC, IARK), (IBS,

ISR)



• Followed by a final ARK. From this

point of view, we see that a final MC

would not fit naturally into any of the

half rounds, and it results natural to

leave it out.


Rijndael: SOme design consideration comments.

• On 8-bit processors, decryption is not quite as fast as

encryption. This is because the entriesof the 4*4 matrix

for InvMixColumn are more complex than those for

MixColumn, and this is enough to make decryption

take around 30% longer than encryption for those

processors.



• The fact that encryption and decryption are not

identical processes leads to the expectation that there

are no weak keys in Rijndael, in contrast to DES and

several other algorithms.

• In Rijndael all the bits are treated uniformly. This has

the effect of diffusing the input bits faster.



• It can be shown that two rounds are enough to obtain

full difussion, namely, each of the 128 output bits

depends on each of the 128 input bits.

• The Rijndael S-box is highly nonlinear, since it is based

on the mapping x x-1 in GF(28). This means that

Rijndael is excellent resisting differential and linear

cryptoanalysis attacks.



• The ShiftRow step was added to resist two recently

developed attacks, namely truncated differentials and

the Square attack (Square is a predecessor of Rijndael).

• The MixColumn causes diffusion among the bytes. A

change in one input byte in this step always results in all

four output bytes changing. If two input bytes are

changed, at least three output bytes are changed.



• The Key Schedule involves nonlinear mixing of the key

bits, since it uses the S-box. The mixing is designed to

resist attacks where the cryptoanalyst knows part of the

key and tries to deduce the remaining bits.

• The round constants are used to eliminate symmetries in

the encryption process by making each round different.



• The number of rounds was chosen to be 10 because

there are attacks that are better than brute force up to six

rounds.

• No known attack beats brute force for seven or more

rounds.

• It was felt that four extra rounds provide a large enough

margin of safety. Of course, the number of rounds could

easily be increased if needed.

códigos y criptografía francisco rodríguez henríquez the advanced encryption standard (rijndael)

Documents