AES (Rijndael)
References:
- Joan Daemen and Vincent Rijmen, “The Design of Rijndael: AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2
- FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael: variable block and key sizes; AES: fixed (128-bit block, 128/192/256-bit key)
AES requirements
- Block cipher
- 128-bit blocks
- 128/192/256-bit keys
- Worldwide royalty-free
- More secure than Triple DES
- More efficient than Triple DES
AES Calendar
- Jan. 2, 1997: Announcement of intent to develop AES and request for comments
- Sep. 12, 1997: Formal call for candidate algorithms
- Aug. 20-22, 1998: First AES Candidate Conference (AES1) and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
- Mar. 22-23, 1999: Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected for Round 2
- Apr. 2000: Third AES Candidate Conference (AES3)
- Sep. 2000: Final AES selection, winner announced (Rijndael!)
AES Round 1 algorithms
15 algorithms were proposed at the AES1 conference.
AES Round 2 Algorithms
After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.

Cipher    Submitter                 Structure          Nonlinear component
MARS      IBM                       Feistel structure  S-box, data-dependent rotation
RC6       RSA Lab.                  Feistel structure  Data-dependent rotation
Rijndael  Daemen, Rijmen            SPN structure      S-box
Serpent   Anderson, Biham, Knudsen  SPN structure      S-box
Twofish   Schneier et al.           Feistel structure  S-box
Security of AES Candidates (attacks on reduced-round versions)
Columns: rounds attacked (key size) | type of attack | texts | memory (bytes) | operations

MARS (16 core rounds C, 16 mixing rounds M), Feistel
  11C          Amplified boomerang               2^65          2^70     2^229
  16M, 5C      Differential meet-in-the-middle   2^50          2^69     2^197   (a further entry lists 2^73 and 2^247)

RC6 (20 rounds)
  14           Statistical distinguisher         2^118         2^112    2^122
  12                                             2^94          2^42     2^119
  15 (256)                                       2^119         2^138    2^215

Rijndael (10/12/14 rounds for 128/192/256-bit keys), SPN
  6            Truncated differential            2^32          7·2^32   2^72
  7                                              2^128 − 2^119 2^61     2^120
  8 (256)                                        2^128 − 2^119 2^101    2^204
  9 (256)      Related key                       2^77          NA       2^224

Serpent (32 rounds)
  8 (192, 256)                                   2^113                  2^179
  6 (256), 7 (256): meet-in-the-middle, differential and boomerang attacks; remaining figures on the slide: 512, 2^71, 2^41, 2^110, 2^246, 2^75, 2^126, 2^133, 2^212, 2^103, 2^248, 2^163, 2^252

Twofish (16 rounds)
               Impossible differential                                  2^256
Comparison of AES2 algorithms (I): encryption speed analysis by NIST (chart)
Comparison of AES2 algorithms (II): Java implementation by A. Sterbenz (Graz Univ.) (chart)
Comparison of AES2 algorithms (III): smart card implementation by F. Sano (Toshiba) (chart)
  * : the check for “weak” keys in the key schedule is omitted
Comparison of AES2 algorithms (IV): CMOS ASIC implementation by Ichikawa (Mitsubishi) (chart)
Rijndael – Overview
- Proposed by Joan Daemen and Vincent Rijmen (Belgium)
- Design choices: Square type; three distinct invertible uniform transformations (layers):
  - Linear mixing layer: guarantees high diffusion
  - Non-linear layer: parallel application of S-boxes
  - Key addition layer: XOR of the round key into the intermediate state
  - Initial key addition and final key addition
- Representation of state and key: rectangular array of bytes with 4 rows (square type)
  - Nb: number of columns of the state (4~8)
  - Nk: number of columns of the cipher key (4~8)
  - Nb is independent of Nk
Rijndael - States
(Figure: state array for Nb = 6, cipher key array for Nk = 4, and the number of rounds Nr)
Rijndael - Encryption
- Block size: 128 bits; key size: 128/192/256 bits
- State: 4×4 byte array
- Component functions:
  - ByteSubstitution (BS): S-box, byte-wise substitution
  - ShiftRow (SR): circular shift
  - MixColumn (MC): linear (branch number: 5)
  - AddRoundKey (ARK): bit-wise key addition
- Structure: input → input whitening (ARK) → round transformation (BS, SR, MC, ARK), repeated → last round (BS, SR, ARK; MC is omitted in the last round) → output
Properties
- Substitution-Permutation Network (SPN)
  - Nonlinear layer: confusion (invertible)
  - Linear layer: diffusion (invertible)
- Branch number: a measure of the diffusion power of the linear layer
  - Let F be a linear transformation on n words, and W(a) the number of nonzero words in a.
  - B(F) = min_{a ≠ 0} { W(a) + W(F(a)) }
  - Rijndael: branch number = 5
Security Goals
- K-secure:
  - No shortcut attacks (key-recovery attack faster than exhaustive key search)
  - No symmetry property such as the complementation property of DES
  - No non-negligible classes of weak keys, as in IDEA
  - No related-key attacks
- Hermetic: no weaknesses other than those present for the majority of block ciphers with the same block and key length
- Rijndael is K-secure and hermetic
Component Functions
- ByteSubstitution: S(x) = x^-1 in GF(2^8), with almost maximal nonlinearity (p.105), over m(x) = x^8 + x^4 + x^3 + x + 1
- ShiftRow: rows 0..3 are rotated by 0, C1, C2 and C3 bytes; for Nb = 4: (C1, C2, C3) = (1, 2, 3) (the rows for Nb = 6 and Nb = 8 are not preserved on the slide)
- MixColumn: 4×4 matrix multiplication over GF(2^8) (p.107):
    [b0]   [02 03 01 01] [a0]
    [b1] = [01 02 03 01] [a1]
    [b2]   [01 01 02 03] [a2]
    [b3]   [03 01 01 02] [a3]
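As an added worked example (not from the slides and not the Rijndael authors' code): the S-box built from inversion in GF(2^8) over the slide's m(x), followed by the FIPS 197 affine step that the standard applies after the inversion, the MixColumn matrix together with its inverse, and an exhaustive computation of the branch number B(F) = min W(a) + W(F(a)) from the Properties slide, confirming the value 5 for MixColumn. The function names (gf_mul, sbox, mix_column, branch_number) are this example's own.

```python
# Added example, not from the slides: Rijndael's S-box from inversion in GF(2^8),
# the MixColumn matrix, and an exhaustive check that MixColumn's branch number is 5.
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B           # subtract m(x) once the degree reaches 8
        b >>= 1
    return r

def gf_inv(a):
    """x^-1 in GF(2^8) via x^254 (square-and-multiply); 0 maps to 0 as in FIPS 197."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def sbox(x):
    """S(x): the slide's inversion step followed by the FIPS 197 affine map
    (b_i ^= b_{i+4} ^ b_{i+5} ^ b_{i+6} ^ b_{i+7}, indices mod 8, then XOR 0x63)."""
    y = gf_inv(x)
    out = 0
    for i in range(8):
        bit = (y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8)) \
            ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8))
        out |= (bit & 1) << i
    return out ^ 0x63

# Multiplication tables for the constants that appear in MixColumn and its inverse.
MUL = {c: [gf_mul(c, x) for x in range(256)] for c in (1, 2, 3, 9, 11, 13, 14)}
MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))          # circulant 02 03 01 01
INV_MC = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def _matvec(matrix, col):
    """b = M * a over GF(2^8) for one 4-byte column (XOR is addition in GF(2^8))."""
    return [MUL[m[0]][col[0]] ^ MUL[m[1]][col[1]] ^ MUL[m[2]][col[2]] ^ MUL[m[3]][col[3]]
            for m in matrix]

def mix_column(col):
    return _matvec(MC, col)

def inv_mix_column(col):
    return _matvec(INV_MC, col)

def weight(words):
    """W(a): number of nonzero words (here bytes) in a."""
    return sum(1 for w in words if w)

def branch_number(f, f_inv):
    """B(F) = min over a != 0 of W(a) + W(F(a)) for an invertible map on 4 bytes.
    Enumerating all 2^32 - 1 inputs is unnecessary: weight-1 and weight-2 inputs of F
    are checked directly; an input with W(a) = 3 and W(F(a)) = 1 is the same pair seen
    from the output side as a weight-1 input of F^-1; and W(a) = 4 forces W(F(a)) >= 1
    because F is invertible, so that sum is already >= 5."""
    best = 5                                   # n + 1 is the largest possible value
    for i in range(4):
        for v in range(1, 256):
            a = [0, 0, 0, 0]
            a[i] = v
            best = min(best, 1 + weight(f(a)), 1 + weight(f_inv(a)))
    for i, j in combinations(range(4), 2):
        for v in range(1, 256):
            for w in range(1, 256):
                a = [0, 0, 0, 0]
                a[i], a[j] = v, w
                best = min(best, 2 + weight(f(a)))
    return best

if __name__ == "__main__":
    print("S(0x53) = 0x%02x" % sbox(0x53))
    print("MixColumn(db 13 53 45) =", ["%02x" % b for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("branch number of MixColumn:", branch_number(mix_column, inv_mix_column))
```

The branch-number search takes a few seconds in pure Python because of the 6·255² weight-2 inputs; a result of 5 means every nonzero input column of weight w produces an output column of weight at least 5 − w, which is the diffusion guarantee the Properties slide refers to.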
Rijndael: Pseudo-Code (p.108)

    Rijndael(State, CipherKey) {
        KeyExpansion(CipherKey, ExpandedKey);
        AddRoundKey(State, ExpandedKey);
        for (i = 1; i < Nr; i++)
            Round(State, ExpandedKey + Nb*i);
        FinalRound(State, ExpandedKey + Nb*Nr);
    }

    Round(State, RoundKey) {
        ByteSub(State);
        ShiftRow(State);
        MixColumn(State);
        AddRoundKey(State, RoundKey);
    }

    FinalRound(State, RoundKey) {
        ByteSub(State);
        ShiftRow(State);
        AddRoundKey(State, RoundKey);
    }
Modes of Operation
Mode of operation (I): ECB (Electronic CodeBook) mode
- Encryption: C = E_K(P); decryption: P = D_K(C), on n-bit blocks
- If C_i = C_j then D_K(C_i) = D_K(C_j): equal plaintext blocks produce equal ciphertext blocks
Mode of operation (II): CBC (Cipher Block Chaining) mode
- IV: Initialization Vector (C_0 = IV)
- Encryption: C_i = E_K(P_i ⊕ C_{i-1})
- Decryption: P_i = D_K(C_i) ⊕ C_{i-1}
- 2-block error propagation
- Self-synchronizing
- If the last block P_l is shorter than a full block, padding is required
Mode of operation (III): m-bit OFB (Output FeedBack) mode
- E_K is iterated from the IV and m bits of each output O(E_K) are used as keystream
- Encryption: C_i = P_i ⊕ O(E_K); decryption: P_i = C_i ⊕ O(E_K)
- No error propagation
- Requires external synchronization
- Stream cipher
- E_K (or D_K) is used in both directions
Mode of operation (IV): m-bit CFB (Cipher FeedBack) mode
- Encryption: C_i = P_i ⊕ E_K(C_{i-1}); decryption: P_i = C_i ⊕ E_K(C_{i-1}), with the IV as C_0
- Error propagation until the erroneous bits leave the feedback buffer
- Self-synchronizing
- E_K (or D_K) is used in both directions
Mode of operation (V): Counter mode
- Encryption: C_i = P_i ⊕ E_K(T_i); decryption: P_i = C_i ⊕ E_K(T_i)
- T_i = ctr + i − 1 mod 2^m, with |P_i| = |ctr| = m
- Counter blocks ctr, ctr+1, ..., ctr+m−1 are encrypted independently, so the blocks can be computed in parallel
Mode of operation (VI): CCM mode (Counter with CBC-MAC)
- Ctr + CBC-MAC
- Authenticated encryption: a MAC is produced as a part of the encryption process
Mode of operation - summary
Use of each mode:
- ECB: key management; useless for file encryption
- CBC: file encryption; useful for a MAC
- m-bit CFB: self-synchronizing; impossible to use on a channel with low BER
- m-bit OFB: external synchronization; m = 1, 8 or n
- Ctr: secret ctr; parallel computation
- CCM: authenticated encryption
Tradeoff: performance degradation / cost
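As an added example (not part of the slides, and not AES): the five unauthenticated modes from the preceding slides implemented over a constructed 64-bit toy block cipher, with two experiments a defender cares about: how ECB exposes equal plaintext blocks, and how many plaintext blocks a single flipped ciphertext bit corrupts on decryption in each mode (the error-propagation claims on the CBC, OFB and CFB slides). The toy cipher, key, IV and helper names are this example's own assumptions; CFB and OFB use full-block feedback (m = n).

```python
# Added example, not from the slides: ECB, CBC, CFB, OFB and CTR over a toy 64-bit
# block cipher, plus experiments on block leakage and single-bit error propagation.
import hashlib

BLOCK = 8  # bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key, block):
    """Constructed stand-in for E_K: a 4-round Feistel network with a SHA-256 round
    function. It is an invertible permutation of 64-bit blocks, NOT a real cipher."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return l + r

def toy_decrypt(key, block):
    """D_K: the same Feistel rounds run backwards."""
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:4]), l
    return l + r

def _blocks(data):
    assert len(data) % BLOCK == 0, "example assumes input already padded"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# Each mode follows the C_i / P_i equations on the slides, with m = n.
def ecb_encrypt(key, iv, pt):           # C_i = E_K(P_i); iv unused
    return b"".join(toy_encrypt(key, p) for p in _blocks(pt))

def ecb_decrypt(key, iv, ct):
    return b"".join(toy_decrypt(key, c) for c in _blocks(ct))

def cbc_encrypt(key, iv, pt):           # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in _blocks(pt):
        prev = toy_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):           # P_i = D_K(C_i) xor C_{i-1}
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):           # C_i = P_i xor E_K(C_{i-1})
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, toy_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):           # P_i = C_i xor E_K(C_{i-1}); only E_K is needed
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, toy_encrypt(key, prev)))
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):           # O_i = E_K(O_{i-1}), C_i = P_i xor O_i; same both ways
    out, o = [], iv
    for d in _blocks(data):
        o = toy_encrypt(key, o)
        out.append(_xor(d, o))
    return b"".join(out)

def ctr_crypt(key, ctr, data):          # T_i = ctr + i - 1 mod 2^m, C_i = P_i xor E_K(T_i)
    start = int.from_bytes(ctr, "big")
    out = []
    for i, d in enumerate(_blocks(data)):
        t = ((start + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(_xor(d, toy_encrypt(key, t)))
    return b"".join(out)

MODES = {
    "ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
    "CFB": (cfb_encrypt, cfb_decrypt), "OFB": (ofb_crypt, ofb_crypt),
    "CTR": (ctr_crypt, ctr_crypt),
}

KEY = b"constructed-key!"                      # constructed sample values, not secrets
IV = b"\x00\x01\x02\x03\x04\x05\x06\x07"

def distinct_ciphertext_blocks(mode, pt=b"REPEATED" * 4):
    """Number of distinct ciphertext blocks when every plaintext block is identical."""
    return len(set(_blocks(MODES[mode][0](KEY, IV, pt))))

def corrupted_blocks(mode, flip_block=1, pt=b"block-0:block-1:block-2:block-3:"):
    """Flip one bit in ciphertext block `flip_block`, decrypt, and report which
    plaintext blocks no longer match the original."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, pt))
    ct[flip_block * BLOCK] ^= 0x01
    out = dec(KEY, IV, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_blocks(out), _blocks(pt))) if a != b]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, distinct_ciphertext_blocks(mode), corrupted_blocks(mode))
```

Running it reproduces the slides' claims: ECB maps the four identical plaintext blocks to one repeated ciphertext block while every other mode yields four distinct blocks; a flipped bit in ciphertext block 1 corrupts blocks 1 and 2 under CBC and CFB (2-block propagation, then resynchronization), but only the corresponding single bit of block 1 under OFB and CTR. That last property is why OFB and CTR ciphertext is trivially malleable without a MAC, which is the gap CCM closes with its CBC-MAC.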