The Advanced Encryption Standard (Rijndael)
Download
Report
Transcript The Advanced Encryption Standard (Rijndael)
The Advanced Encryption
Standard (Rijndael)
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Why a new Standard?
1. Old standard insecure against brute-force
attacks
2. Straightforward fixes lead to inefficient
Triple DES
3. implementations
4. New trends in fast software encryption
• use of basic instructions of the
microprocessor
5. New ways of assessing cipher strength
• differential cryptanalysis
• linear cryptanalysis
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Why a Contest?
•
Speed-up the acceptance of the standard
•
Small number of specialists in the open research
•
Focus the effort of cryptographic community
•
Stimulate the research on methods of constructing
•
secure ciphers
•
Avoid backdoor theories
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: General Form
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Rules of the Game
Each team submits:
•
Detailed cipher description
•
Justification of design decisions
•
Tentative results of cryptanalysis
•
Source code in C
•
Source code in Java
•
Test vectors
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Candidates
Round 1, June 1998:
15 Candidates
from USA, Canada, Belgium, France, Germany, Norway,
UK, Isreal, Korea, Japan, Australia, Costa Rica.
Security, Software efficiency
Round 2, August 1999:
5 final candidates
Mars, RC6, Rijndael, Serpent, Twofish
Security, Hardware efficiency
October 2000
1 winner: Rijndael
Belgium
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Candidates
USA: Mars, RC6, Twofish, Safer+, HPC
Canada: CAST-256, Deal
Costa Rica: Frog
Australia: LOKI97
Japan: E2
Korea: Crypton
Belgium: Rijndael
France: DFC
Germany: Magenta
Israel, GB, Norway: Serpent
America (8) Europe (4) Asia (2)
Australia (1)
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Middle-of-the-Road
7. CAST-256 -2
8. Safer+ -4
9. DFC -5
Mild NO
10. Crypton -15
Overwhelming NO
11. DEAL -70
12. HPC -77
13. Magenta -83
14. Loki97 -85
15. Frog -85
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Overwhelming YES:
1. Rijndael +76
2. RC6 +73
3. Twofish +61
4. Mars +52
5. Serpent +45
Mild YES
6. E2 +14
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Final 5
USA
Mars - IBM
C. Burwick, D. Coppersmith, E. D’Avignon,
R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
L. O’Connor, M. Peyravian, D. Safford,
N. Zunic
RC6 - RSA Data Security, Inc.
R. Rivest - MIT
M. Robshaw, R. Sidney, Y. L. Yin - RSA
Twofish - Counterpane Systems
B. Schneier, J. Kelsey, C. Hall, N. Ferguson
- Counterpane, D.Whiting - Hi/fn,
D. Wagner - Berkeley
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Final 5
Europe
Rijndael - J. Daemen, V. Rijmen
Katholieke Universiteit Leuven
Belgium
Serpent - R. Anderson, Cambridge, England
E. Biham - Technion, Israel
L. Knudsen, University of Bergen, Norway
AES Finalists (2)
Códigos y Criptografía
Francisco Rodríguez Henríquez
RC6—The elegant AES choice
Ron Rivest
Matt Robshaw
Yiqun Lisa Yin
Códigos y Criptografía
[email protected]
[email protected]
[email protected]
Francisco Rodríguez Henríquez
RC6 is the right AES choice
•
•
•
•
•
Security
Performance
Ease of implementation
Simplicity
Flexibility
Códigos y Criptografía
Francisco Rodríguez Henríquez
RC6 is simple: only 12 lines
B = B + S[ 0 ]
D = D + S[ 1 ]
for i = 1 to 20 do
{
t = ( B x ( 2B + 1 ) ) <<< 5
u = ( D x ( 2D + 1 ) ) <<< 5
A = ( ( A t ) <<< u ) + S[ 2i ]
C = ( ( C u ) <<< t ) + S[ 2i + 1 ]
(A, B, C, D) = (B, C, D, A)
}
A = A + S[ 42 ]
C = C + S[ 43 ]
Códigos y Criptografía
Francisco Rodríguez Henríquez
Simplicity
• Facilitates and encourages analysis
– allows rapid understanding of security
– makes direct analysis straightforward
(contrast with Mars and Twofish)
• Enables easy implementation
– allows compilers to produce high-quality
code
– obviates complicated optimizations
– provides good performance with minimal
effort
Códigos y Criptografía
Francisco Rodríguez Henríquez
RC6 key schedule is rock-solid
• Studied for more than six years
• Secure
–
–
–
–
thorough mixing
one-way function
no key separation (cf. Twofish)
no related-key attacks (cf. Rijndael)
Códigos y Criptografía
Francisco Rodríguez Henríquez
Original analysis still accurate
• RC6 meets original design criteria
• Security estimates from 1998 still
good today; independent analyses
supportive.
• Secure, even in theory, even with
analysis improvements far beyond
those seen for DES during its lifetime
• RC6 provides a solid, well-tuned margin
for security
Códigos y Criptografía
Francisco Rodríguez Henríquez
How do we grade candidates?
• Security (corroborated)
• Performance (speed+memory)
– 32-bit
(30%)
– Java
(20%)
– DSP
(15%)
– 64-bit
(15%)
– Hardware
(15%)
– 8-bit
(5%)
• Ease of implementation
• Simplicity
• Flexibility
Overall:
40/25/15/10/10
Códigos y Criptografía
Francisco Rodríguez Henríquez
Conclusions
• RC6 is a simple yet remarkably strong cipher
–
–
–
–
–
good performance on most important platforms
simple to code for good performance
excellent flexibility
the most studied finalist
the best understood finalist
• RC6 is the secure and “elegant” choice for
the AES
Códigos y Criptografía
Francisco Rodríguez Henríquez
(The End)
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Performance Evaluation
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Summary of Final-5 Evaluation
Serpent [2]
Pluses:
•
large security margin
•
cryptanalytical reputation of authors
•
conservative construction
•
very fast in hardware
Minuses:
•
slow in software
•
moderate flexibility
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Summary of Final-5 Evaluation
Rijndael [1]
Pluses:
•
fastest in hardware
•
close to the fastest in software
•
security margin
•
novel ideas
•
very high flexibility
Minuses:
•
security margin
Códigos y Criptografía
Francisco Rodríguez Henríquez
AES: Summary of Final-5 Evaluation
Twofish
Pluses:
•
good security margin
•
fast encryption/decryption in software
•
US
•
strongly advertized
Minuses:
•
moderately fast in hardware
•
slow key setup in software
•
moderate flexibility
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
•
Designed by Joan Daemen and Vincent Rijmen (from
Leuven Belgium)
•
Based upon the Square Cipher
•
3 Design Goals:
1. Resistance against known attacks
2. Speed and code compactness on a variety of
platforms
3. Design simplicity
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
¥
Rijndael/AES Designed by:
Joan Daemen,
Proton World International
Vincent Rijmen,
Katholique Universiteit Lueven
Block cypher
Symmetric key
Arithmetic based in the Galois Field GF(28)
Fast and scalable
Resistant to all known cryptanalysis attacks
Códigos y Criptografía
Francisco Rodríguez Henríquez
Dr. Vincent Rijmen
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael
• The block cipher Rijndael is designed to use only
simple whole-byte operations. Also, it provides
extra flexibility over that required of an AES
candidate, in that both the key size and the block
size may be chosen to be any of 128, 192, or 256
bits.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
•
Rijndael is not a Feistel cipher
3 distinct invertible layers per round
Encryption and decryption algorithms are different
•
Rijndael uses the Wide Trail Strategy
1.
Non-linear layer (confusion)
2.
Linear mixing layer (diffusion)
3. Key addition layer
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
•
State and Round Key representations
•
The State is the intermediate cipher result
•
Both the State and the Round Key are interpreted as
rectangular arrays of bytes
•
Number of columns in the State and Round Key
arrays depend on block and key sizes, respectively
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
•
Rijndael is a block cipher that encrypts and decrypts
128, 192, and 256 bit blocks, using 128, 192, and 256
byte keys in any combination. The block is considered
to be structured as 4, 6, or 8 columns of 4 bytes,
depending on block size.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael
• During an early stage of the AES process, a draft
version of the requirements would have required
each algorithm to have three versions, with both the
key and block sizes equal to each of 128, 192, and
256 bits. This was later changed to make the three
required versions have those three key sizes, but
only a block size of 128 bits, which is more easily
accommodated by many types of block cipher
design.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael
• The original description of Rijndael is available at:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
• However, the variations of Rijndael which act on larger
block sizes apparently will not be included in the actual
standard, on the basis that the cryptanalytic study of Rijndael
during the standards process primarily focused on the
version with the 128-bit block size.
• Rijndael is a relatively simple cipher in many respects.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Number of Rounds
•
Rijndael has a variable number of rounds. The number of
rounds in Rijndael is:
1. 10 if both the block and the key are 128 bits long.
2. 12 if either the block or the key is 192 bits long, and
neither of them is longer than that.
3. 14 if either the block or the key is 256 bits long.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
Each round consists of 4 steps
•
Step 1: ByteSub Transformation (Confusion)
•
Step 2: ShiftRow Transformation (Diffusion)
•
Step 3: MixColumn Transformation (Diffusion)
•
Step 4: Round Key Addition
•
Final round slightly different from other rounds
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
The basic operations applied to the block are:
1) ByteSub: Applying an S-box (substituting each
byte with another, based on an equation in GF(2^8));
2) ShiftRow: Shifting the rows in a circular way, the
amount of shift (0, 1, 2, 3, or 4 bytes) depending on the
position from the top and on the block size,
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael OverView
3) MixColumn: Mixing the 4, 6, or 8 columns vertically
by taking invertible linear combinations (in GF(2^8) of
the elements in each column and;
4) Round Key Addition: XORing each byte with a round
key (done before the first round for “whitening,” and
again at the end of each round),
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Algorithm
– Rijndael CypherAES(data_block, key)
{in State, RoundKeys
State State xor RoundKey0
for Round = 1 to Nr
SubBytes(State)
ShiftRow (State)
If not(last Round) then MixColumn(State)
State State xor RoundKeyRound
out State }
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Sequence of Operations
•The extra final round omits the Mix Column step, but is
otherwise the same as a regular round. Thus, the sequence of
steps in Rijndael is:
ARK
BSB, SR, MC, ARK;
BSB, SR, MC, ARK;
BSB, SR, MC, ARK;
.....
BSB, SR, MC, ARK;
BSB, SR, ARK;
Códigos y Criptografía
9 of them!!
Francisco Rodríguez Henríquez
Rijndael: Sequence of Operations
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: two-Dimensions Scheme
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Block Representation
Rijndael considers a 128-bit block grouped into 16 bytes of 8
bits each. Let us call each of these 16 bytes as, b15 b14 b13…
b2 b1 b0. Rijndael deals with this block as bytes arranged
into a 4*4 matrix,
b0
b1
b
2
b
3
Códigos y Criptografía
b4
b8
b5
b6
b9
b10
b7
b11
b12
b13
b14
b15
Francisco Rodríguez Henríquez
Rijndael: Round’s Steps
•
In the Byte Sub step each byte of the block is replaced
by its substitute in an S-box.
b0
b1
b
2
b
3
b4
b8
b5
b6
b9
b10
b7
b11
Códigos y Criptografía
b12 S b0
b13 S b1
b14
S b2
b15 S b3
S b4
S b8
S b5 S b9
S b6 S b10
S b7 S b11
S b12
S b13
S b14
S b15
Francisco Rodríguez Henríquez
S-Box: Look-up Table method
• Write a byte as 8 bits: x7 x6 x5 x4
x3 x2 x1 x0. Look for the entry in
the x7 x6 x5 x4 row and x3 x2 x1 x0
column.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: S-Box
99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118
202 130 201 125 250 89 71 240 173 212 162 175 156 164 114 192
183 253 147 38 54 63 247 204 52 165 229 241 113 216 49 21
4 199 35 195 24 150 5 154 7 18 128 226 235 39 178 117
9 131 44 26 27 110 90 160 82 59 214 179 41 227 47 132
83 209 0 237 32 252 177 91 106 203 190 57 74 76 88 207
208 239 170 251 67 77 51 133 69 249 2 127 80 60 159 168
81 163 64 143 146 157 56 245 188 182 218 33 16 255 243 210
205 12 19 236 95 151 68 23 196 167 126 61 100 93 25 115
96 129 79 220 34 42 144 136 70 238 184 20 222 94 11 219
224 50 58 10 73 6 36 92 194 211 172 98 145 149 228 121
231 200 55 109 141 213 78 169 108 86 244 234 101 122 174 8
186 120 37 46 28 166 180 198 232 221 116 31 75 189 139 138
112 62 181 102 72 3 246 14 97 53 87 185 134 193 29 158
225 248 152 17 105 217 142 148 155 30 135 233 206 85 40 223
140 161 137 13 191 230 66 104 65 153 45 15 176 84 187 22
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Round’s Steps
•
The specification for Rijndael only provided an explanation of
how the S-box was calculated: the first step was to replace
each byte with its reciprocal in the same GF(28) as used below
in the Mix Column step, except that 0, which has no
reciprocal, is replaced by itself (since it isn't anything's
reciprocal either, it is the only value not used, so that makes
sense) then a bitwise modulo-two matrix multiply was used,
and finally the hexadecimal number 63 is XORed with the
result.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: ByteSub Step
¥
¥
S-Box ArithmeticElements in
G := GF(28, 1+a+a3+a4+a8 )
nhex nbin (polynomial with nÕs bits for coeffs)
Arithmetic in Z2 (+/*), then mod by 1+a+a3+a4+a8
polynomial nbin nhex
ByteSub(x) = A Mx-1 + 63hex
Precompute and use look-up table
Códigos y Criptografía
Francisco Rodríguez Henríquez
The Construction of the S-Box
•
Although the S-box is implemented as a lookup
table, it has a simple mathematical description.
•
Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where each xi is
a binary bit. Compute its inverse in GF(28). If the
byte is 0, use the same 0 as its inverse.
Códigos y Criptografía
Francisco Rodríguez Henríquez
The Construction of the S-Box
•
The resulting byte y7 y6 y5 y4 y3 y2 y1 y0 represents an
8-dimensional column vector, with the rightmost bit
y0 in the top position. Multiply by a matrix and add
the column vector (1, 1, 0, 0, 1, 1, 0) to obtain a
vector z7 z6 z5 z4 z3 z2 z1 z0 as shown in the next slide:
Códigos y Criptografía
Francisco Rodríguez Henríquez
The Construction of the S-Box
1
1
1
1
1
0
0
0
0 0 0 1 1 1 1 y0 1 z0
1 0 0 0 1 1 1 y1 1 z1
1 1 0 0 0 1 1 y2 0 z2
1 1 1 0 0 0 1 y3 0 z3
y z
1 1 1 1 0 0 0 4 0 4
1 1 1 1 1 0 0 y5 1 z5
0 1 1 1 1 1 0 y6 1 z6
0 0 1 1 1 1 1 y7 0 z7
Códigos y Criptografía
Francisco Rodríguez Henríquez
The Construction of the S-Box
• For example, start with the byte 11001011 = CB. Its inverse
in GF(28) is 00000100 = 04, then:
1
1
1
1
1
0
0
0
0
1
1
1
1
1
0
0
0
0
1
1
1
1
1
0
Códigos y Criptografía
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1 0 1 1
1 0 1 1
1 1 0 1
1 0 0 1
0 0 0 1
0 0 1 0
0 0 1 0
1 0 0 0
Francisco Rodríguez Henríquez
The Construction of the S-Box
• This yields the byte 00011111 = 1F. Note that the
input vector was 11001011. The 4 MSBs of the input
vector are thus 1100 and this gives us the 13th row in
the S-Box. Similarly, 1011 yields us the 14th column
in the S-Box. By checking the S-box we see that
indeed 31 = 1F is the corresponding entry in the SBox as claimed.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Shift Row Step
Next is the Shift Row step. Considering the 128-bit block grouped
into 16 bytes of 8 bits each, call them, b15 b14 b13… b2 b1 b0.
these bytes are arranged into a 4*4 matrix, and shifted as follows:
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Shift Row Step
Blocks that are 192 and 256 bits long are shifted like this:
from
to
1 5 9 13 17 21
1 5 9 13 17 21
2 6 10 14 18 22
6 10 14 18 22 2
3 7 11 15 19 23
11 15 19 23 3 7
4 8 12 16 20 24
16 20 24 4 8 12
from
to
1 5 9 13 17 21 25 29
1 5 9 13 17 21 25 29
2 6 10 14 18 22 26 30
6 10 14 18 22 26 30 2
3 7 11 15 19 23 27 31
15 19 23 27 31 3 7 11
4 8 12 16 20 24 28 32
20 24 28 32 4 8 12 16
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Mix Column step
•
Next comes the Mix Column step. Matrix multiplication is
performed: each column, in the arrangement we have seen
above, is multiplied by the matrix:
2311
1231
1123
3112
•
However, this multiplication is done over GF(28). This means
that the bytes being multiplied are treated as polynomials
rather than numbers.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Mix Column step
•
GF(28)The Galois Field with 28 elements is the Finite Field
GF(28)=Z2[x]/m(x)
where m is irreducible in Z2[x] and has degree 8.
Rijndael chooses m(x) = 1 + x + x3 + x4 + x8
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Mix Column step
•
If the result has more than 8 bits, the extra bits are not
simply discarded: instead, they're cancelled out by XORing
the binary 9-bit string 100011011 with the result (shifted
right if necessary). This string stands for the generating
polynomial of the particular version of GF(2^8) used by
Rijndael.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Mix Column step
For example, multiplying the binary string 11001010 by 3
within this Galois Field works like this:
11001010
11
-------------11001010
11001010
--------------101011110 (XOR instead of addition)
100011011 (this is XORed, instead of subt. 256)
-------------1000101
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Mix Column step
MixColumn ArithmeticMixColumn is equivalent to
with arithmetic in GF( 28 ).
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Add Round Key
The final step is Add Round Key.
This simply XORs in the subkey
for the current round.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
Round keys extracted from the cipher key in two steps:
1. Initial key expansion
•
First bits of the expanded key are set to the bits of the
cipher key
•
Remaining bits calculated recursively as a non-linear
function of the previous bits of the expanded key
2. Round key selection from expanded key
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
• The original key consists of 128 bits, which are arranged
into a 4*4 matrix of bytes. This matrix is expanded by
adjoining 40 more columns, as follows.
• Label the first four columns W(0), W(1), W(2), W(3).
The new columns are generated recursively. Suppose
columns up through W(i-1) have been defined. If i is not
a multiple of 4, then form the new column as,
W(i) = W(i-4)W(i-1).
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
• If i is a multiple of 4, then
W(i) = W(i-4)T(W(i-1)),
Where T(W(i-1)) is the transformation of W(i-1) as follows.
Let the elements of the columns are w0 w1 w2 w3. Shift
these cyclically to obtain w1 w2 w3 w0. Then replace each
of these bytes with the corresponding element in the Sbox from the ByteSub step, to get 4 bytes y0 y1 y2 y3.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
• Finally compute the round constant
i 4
4
r i 00000010
In GF(28). Recall that we are in the case where i is a
multiple of 4. Then T(W(i-1)) is the column vector
(y0 r(i), y1 y2 y3)
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
• In this way, columns W(4),…,W(43) are
generated from the initial four columns. The
round key for the ith round consists of the
columns:
W(4i), W(4i+1), W(4i+2), W(4i+3.)
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
•Because it begins and ends with an ARK (Add Round
Key) step, there is no wasted unkeyed step at the
beginning or end. The sequence of operations is important
for facilitating decipherment, as well.
•Although the sequence is not symmetrical, the order of
some of the steps in Rijndael could be changed without
affecting the cipher. The Byte Sub step could just as easily
be done after the Shift Row step as before it.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
•
For keys 128 and 192 bits in length, the subkey material,
which consists of all the round keys in order, consists of the
original key, followed by stretches, each the length of the
original key, consisting of four-byte words such that each
word is the XOR of the preceding four-byte word and either
the corresponding word in the previous stretch or a function
of it.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
•
For the first word in a stretch, the word is first
rotated one byte to the left, and then its bytes are
transformed using the S-box from the Byte Sub step,
and then a round-dependent constant is XORed to its
first byte.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Key Schedule
•
The round constants are:
1
16
32
216
171
77 154
94 188 99
198
151
53 106 212
179 125 250
239
197 145
27
2
4
8
54 108
64 128
47
57 114
228 211 189 97...
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
Inverse Cypher:
•
Reverse Steps
•
Use Keys in Reverse Order
•
ByteSub and ShiftRow Commute
•
MixColumn Matrix is Invertible
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
1. The inverse of ByteSub is another lookup
table, called InvByteSub.
2. The inverse of ShiftRow is obtained by
shifting the rows to the right instead of to
the left, yielding InvShiftRow.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
3.
The inverse of MixColumn exists because the 4*4 matrix used in
MixColumn is invertible. The transformation InvMixColumn is given
by multiplication by the matrix
E B D 9
9 E B D
D 9 E B
B D 9 E
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Sequence of Operations for
Encryption
•The extra final round omits the Mix Column step, but is
otherwise the same as a regular round. Thus, the sequence of
steps in Rijndael is:
ARK
BSB, SR, MC, ARK;
BSB, SR, MC, ARK;
BSB, SR, MC, ARK;
.....
BSB, SR, MC, ARK;
BSB, SR, ARK;
Códigos y Criptografía
9 of them!!
Francisco Rodríguez Henríquez
Rijndael: Sequence of Operations
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
4.
AddRoundKey is its own inverse.
Hence to decrypt we have to perform the following steps:
ARK, ISR, IBS
ARK, IMC, ISR, IBS;
ARK, IMC, ISR, IBS;
.....
ARK, IMC, ISR, IBS;
ARK;
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
•
However, we would like to rewrite this decryption in order
to make it look more like encryption. We make the
following observations:
I.
The order of BS and the SR operations are exchangable
(why??).
II.
We also would like to reverse the order of ARK and
IMC but this is not possible.Instead we proceed as
follows:
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
c m c e m c k .
i, j
•
i, j
i, j
i, j
i, j
i, j
i, j
Where (mi,j) is the 4*4 matrix in MixColumn and (ki,j)
e
i, j
is the round key matrix. The inverse is obtained by
solving ei, j mi , j ci , j ki, j .
for (ci,j) in terms of
(ei,j), namely,
c m e m k .
1
i, j
Códigos y Criptografía
i, j
1
i, j
i, j
i, j
Francisco Rodríguez Henríquez
Rijndael: Decryption
Therefore the decryption process to follow is:
e m e m e k ,
Wherek m k
1
i, j
i, j
1
i, j
i, j
i, j
i, j
1
i, j
i, j
i, j
The first arrow is simply InvMixColumn applied to (ei,j). If
we let InvAddRoundKey be XORing with (k’i,j), then
we have that the inverse of “MC then ARK” is “IMC
then IARK”.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
We now see that decryption is given by:
ARK, IBS, ISR
IMC, IARK, IBS, ISR;
IMC, IARK, IBS, ISR;
.....
IMC, IARK, IBS, ISR;
ARK.
Summarizing we have the following procedures to perform
encryption/decryption with Rijndael algorithm:
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Encryption
1.
ARK using the 0th key.
2.
Nine rounds of BS, SR, MC, ARK using round keys 1
to 9.
3.
A final round: BS, SR, ARK, using the 10th round key.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Decryption
1.
ARK using the 10th key.
2.
Nine rounds of IBS, ISR, IMC, IARK using round
keys 9 to 1.
3.
A final round: IBS, ISR, ARK, using the 0th round key.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Why MixColumn is omitted
in the last round?
•
Suppose MixColumn had been left in. Then the
encryption would start ARK, BS, SR, MC, ARK, …,
and it would end ARK, BS, SR, MC, ARK. Therefore,
the beginning o fthe decryption would be (after the
reorderings) IMC, IARK, IBS, ISR, …. This means the
decryption would have an unnecessary IMC at the
beginning.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Why MixColumn is omitted
in the last round?
•
Another way to look at encryption is that there is an
initialARK, then a sequence of alternating half rounds
(BS, SR), (MC, ARK), (BS, SR),…, (MC, ARK), (BS, SR),
followed by a final ARK.
•
The decryption is ARK, followed by a sequence of
alternating half rounds:
(IBS, ISR), (IMC, IARK), (IBS, ISR),…, (IMC, IARK), (IBS,
ISR)
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: Why MixColumn is omitted
in the last round?
•
Followed by a final ARK. From this
point of view, we see that a final MC
would not fit naturally into any of the
half rounds, and it results natural to
leave it out.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
On 8-bit processors, decryption is not quite as fast as
encryption. This is because the entriesof the 4*4 matrix
for InvMixColumn are more complex than those for
MixColumn, and this is enough to make decryption
take around 30% longer than encryption for those
processors.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
The fact that encryption and decryption are not
identical processes leads to the expectation that there
are no weak keys in Rijndael, in contrast to DES and
several other algorithms.
•
In Rijndael all the bits are treated uniformly. This has
the effect of diffusing the input bits faster.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
It can be shown that two rounds are enough to obtain
full difussion, namely, each of the 128 output bits
depends on each of the 128 input bits.
•
The Rijndael S-box is highly nonlinear, since it is based
on the mapping x x-1 in GF(28). This means that
Rijndael is excellent resisting differential and linear
cryptoanalysis attacks.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
The ShiftRow step was added to resist two recently
developed attacks, namely truncated differentials and
the Square attack (Square is a predecessor of Rijndael).
•
The MixColumn causes diffusion among the bytes. A
change in one input byte in this step always results in all
four output bytes changing. If two input bytes are
changed, at least three output bytes are changed.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
The Key Schedule involves nonlinear mixing of the key
bits, since it uses the S-box. The mixing is designed to
resist attacks where the cryptoanalyst knows part of the
key and tries to deduce the remaining bits.
•
The round constants are used to eliminate symmetries in
the encryption process by making each round different.
Códigos y Criptografía
Francisco Rodríguez Henríquez
Rijndael: SOme design consideration
comments.
•
The number of rounds was chosen to be 10 because
there are attacks that are better than brute force up to six
rounds.
•
No known attack beats brute force for seven or more
rounds.
•
It was felt that four extra rounds provide a large enough
margin of safety. Of course, the number of rounds could
easily be increased if needed.
Códigos y Criptografía
Francisco Rodríguez Henríquez