AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected.
Download ReportTranscript AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected.
Slide 1
AES Proposal: Rijndael
Joan Daemen
Vincent Rijmen
“Rijndael is expected, for all key and block
lengths defined, to behave as good as can
be expected from a block cipher with the
given block and key lengths.”
Presented by
Jianning TANG
Slide 2
Outline
Introduction
Applications of Rijndael
Design Criteria
Rijndael Encryption
Resistance Against Known Attacks
Security goal
Conclusion
Question
Slide 3
Introduction
AES:
Advanced Encryption Standard published by NIST
Block Cipher:
An encrypting method in which each block of plain text is
converted into a block of cipher text of the same length
Rijndael:
An iterated block cipher with a variable block length and a
variable key length. The block length and the key length can be
independently specified to 128, 192 or 256 bits.
Slide 4
Applications of Rijndael
Rijndael cipher is designed to be implemented efficiently on a wide range of
processors and in dedicated hardware. i.e. Smart Card, ATM, HDTV, B-ISDN,
Voice and Satellite (encryption).
Rijndael can also be used in MAC algorithm, iterated hash function,
synchronous stream cipher, pseudo-random number generator,
self-synchronizing stream cipher.
Slide 5
Design Criteria
• Resistance against all known attacks;
• Speed and code compactness on a wide range of platforms;
• Design simplicity.
Slide 6
Rijndael Encryption
Pseudo code of Rijndael encryption:
Rijndael(State,CipherKey)
{
KeyExpansion(CipherKey,ExpandedKey) ;
AddRoundKey(State,roundKey[0]);
For( i=1 ; i
}
Block Length(bits)
Nr
Key Length(bits) 1 28
1 92
2 56
Nr: number of rounds
1 28
10
12
1 92
12
12
2 56
14
14
14
14
14
Slide 7
Resistance Against Known
Attacks
Attack:
If the computational time of a cryptanalysis method(to find the key) is
less than the computational time of an exhausted key search, the method
is said to be an effective attack.
Plain Text--Cipher Text Pairs:
Known to cryptanalyst.
Keys:
NOT known to cryptanalyst
Slide 8
List of known cryptanalysis methods:
Symmetry properties and weak keys of the DES type
Differential cryptanalysis
Linear cryptanalysis
Truncated differentials
The Square attack
Interpolation attacks
Related-key attacks
No attack has yet been found to be effective
against Rijndael.
Slide 9
Security Goal
1.
K-security:
All possible attack strategies for Rijndael have the same expected work
factor and storage requirements as for the majority of possible block
ciphers with the same dimensions.
2.
Hermetic:
It does not have weaknesses that are not present for the majority of
block ciphers with the same block and key length.
Or:
its internal structure cannot be exploited in any application.
Rijndael is expected to achieve its security goal
Slide 10
Conclusion
In security aspect:
“Rijndael is expected, for all key and block lengths defined,
to behave as good as can be expected from a block cipher
with the given block and key lengths.”
Slide 11
Question
If a block cipher is k-security, do you think it is secure enough?
AES Proposal: Rijndael
Joan Daemen
Vincent Rijmen
“Rijndael is expected, for all key and block
lengths defined, to behave as good as can
be expected from a block cipher with the
given block and key lengths.”
Presented by
Jianning TANG
Slide 2
Outline
Introduction
Applications of Rijndael
Design Criteria
Rijndael Encryption
Resistance Against Known Attacks
Security goal
Conclusion
Question
Slide 3
Introduction
AES:
Advanced Encryption Standard published by NIST
Block Cipher:
An encrypting method in which each block of plain text is
converted into a block of cipher text of the same length
Rijndael:
An iterated block cipher with a variable block length and a
variable key length. The block length and the key length can be
independently specified to 128, 192 or 256 bits.
Slide 4
Applications of Rijndael
Rijndael cipher is designed to be implemented efficiently on a wide range of
processors and in dedicated hardware. i.e. Smart Card, ATM, HDTV, B-ISDN,
Voice and Satellite (encryption).
Rijndael can also be used in MAC algorithm, iterated hash function,
synchronous stream cipher, pseudo-random number generator,
self-synchronizing stream cipher.
Slide 5
Design Criteria
• Resistance against all known attacks;
• Speed and code compactness on a wide range of platforms;
• Design simplicity.
Slide 6
Rijndael Encryption
Pseudo code of Rijndael encryption:
Rijndael(State,CipherKey)
{
KeyExpansion(CipherKey,ExpandedKey) ;
AddRoundKey(State,roundKey[0]);
For( i=1 ; i
}
Block Length(bits)
Nr
Key Length(bits) 1 28
1 92
2 56
Nr: number of rounds
1 28
10
12
1 92
12
12
2 56
14
14
14
14
14
Slide 7
Resistance Against Known
Attacks
Attack:
If the computational time of a cryptanalysis method(to find the key) is
less than the computational time of an exhausted key search, the method
is said to be an effective attack.
Plain Text--Cipher Text Pairs:
Known to cryptanalyst.
Keys:
NOT known to cryptanalyst
Slide 8
List of known cryptanalysis methods:
Symmetry properties and weak keys of the DES type
Differential cryptanalysis
Linear cryptanalysis
Truncated differentials
The Square attack
Interpolation attacks
Related-key attacks
No attack has yet been found to be effective
against Rijndael.
Slide 9
Security Goal
1.
K-security:
All possible attack strategies for Rijndael have the same expected work
factor and storage requirements as for the majority of possible block
ciphers with the same dimensions.
2.
Hermetic:
It does not have weaknesses that are not present for the majority of
block ciphers with the same block and key length.
Or:
its internal structure cannot be exploited in any application.
Rijndael is expected to achieve its security goal
Slide 10
Conclusion
In security aspect:
“Rijndael is expected, for all key and block lengths defined,
to behave as good as can be expected from a block cipher
with the given block and key lengths.”
Slide 11
Question
If a block cipher is k-security, do you think it is secure enough?