AES Proposal: Rijndael. Joan Daemen, Vincent Rijmen.

Presentation transcript:

1 AES Proposal : Rijndael
Joan Daemen, Vincent Rijmen

2 Outline
- Introduction
- Rijndael
- Round Function
- Key Schedule
- Encryption & Decryption
- Rijndael on Modern Processors

3 Introduction
- Advanced Encryption Standard (AES)
  - A crypto algorithm for the twenty-first century
  - The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
  - The AES finalist candidate algorithms are MARS, RC6, Rijndael, Serpent, and Twofish.
  - On October 2, 2000, Rijndael was selected by the National Institute of Standards and Technology (NIST) for the proposed AES.
- Rijndael
  - Rijmen & Daemen

4 Rijndael
- Iterated block cipher
- The block length and the key length can be independently specified as 128, 192 or 256 bits (16, 24, or 32 bytes).
- State : the intermediate cipher result
- State and Key bytes are arranged in a rectangular array
- Nb : # of columns of the array (Nb : 4, 6, 8)
- Nk : # of columns of the Cipher Key (Nk : 4, 6, 8)

5 Rijndael
- Nr : # of rounds
- Nr = Max(Nb,Nk) + 6

6 Round Function
- Round function : uniform, parallel, and composed of 4 steps
- Each step has its own particular function
  - ByteSub : nonlinearity
  - ShiftRow : inter-column diffusion
  - MixColumn : inter-byte diffusion within column
  - Round key addition

7 Round Function
- The final round of the cipher is slightly different.
  - with the MixColumn step removed

8 Round Step 1 : ByteSub
- The ByteSub Transformation is a non-linear byte substitution
- S-box
  - Replace each byte with its reciprocal in the same $GF(2^8)$
  - A bitwise modulo-two matrix multiply is used.
  - The hexadecimal number 63( ) is XORed with the result

9 Round Step 1 : ByteSub

10 Round Step 1 : ByteSub
- S-box

11 Round Step 1 : ByteSub
- Inverse S-box (InvByteSub)

12 Round Step 2 : ShiftRow
- Row 0 is not shifted, Row 1 is shifted over C1 bytes, Row 2 over C2 bytes and Row 3 over C3 bytes.
- The inverse of ShiftRow is a cyclic shift of the 3 bottom rows over (Nb-C1), (Nb-C2), and (Nb-C3) bytes
  - the byte at position j in row i moves to position (j+Nb-Ci) mod Nb
[Figure: rows labelled no shift, cyclic shift by C1 (1), cyclic shift by C2 (2), cyclic shift by C3 (3)]

13 Round Step 3 : MixColumn
- The columns of the State are considered as polynomials over $GF(2^8)$ and multiplied modulo $(x^4+1)$ with a fixed polynomial $c(x)$:
  $c(x) = \text{'03'}x^3 + \text{'01'}x^2 + \text{'01'}x + \text{'02'}$
- Assume we have two polynomials over $GF(2^8)$:
  $a(x) = a_3x^3 + a_2x^2 + a_1x + a_0$ and $b(x) = b_3x^3 + b_2x^2 + b_1x + b_0$
  $c(x) = a(x)b(x)$

14 Round Step 3 : MixColumn
- By reducing $c(x)$ modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4. ($M(x) = x^4+1$)
  $x^i \bmod (x^4+1) = x^{i \bmod 4}$
- $d(x) = a(x) \otimes b(x) = d_3x^3 + d_2x^2 + d_1x + d_0$

15 Round Step 3 : MixColumn
- Bytes in column are linearly combined
- InvMixColumn
  - Every column is transformed by multiplying it with a specific polynomial $d(x)$:
    $d(x) = \text{'0B'}x^3 + \text{'0D'}x^2 + \text{'09'}x + \text{'0E'}$
  - $c(x) \otimes d(x) = \text{'01'} \bmod M(x)$

16 Round Step 4 : Round Key Addition
- The Round Key is derived from the Cipher Key.
- The Round Key length is equal to the block length Nb.
- AddRoundKey is its own inverse.

17 Key Schedule
- The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1.
  - Ex : Nb = 4 (128 bits), Nr = 10 → Round Key bits = 128*11 = 1408 bits
- The Cipher Key is expanded into the Expanded Key
- Round Keys are taken from the Expanded Key
  - the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.
- The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)].
- The key expansion function depends on the value of Nk
  - Nk ≦ 6
  - Nk > 6

18 Key Schedule
- Key Expansion
  - Nk ≦ 6
    - The first Nk words contain the Cipher Key

19 Key Schedule
- RotByte(W[i]) : (a,b,c,d) → (b,c,d,a)
- SubByte(W[i]) : applies the Rijndael S-box to the byte at the corresponding position in the input word
- Round constants
  - Rcon[i] = (RC[i], '00', '00', '00')
  - RC[1] = 1
  - $RC[i] = x \cdot RC[i-1] = x^{i-1}$
  - $RC[i] \in GF(2^8)$

20 Key Schedule
- Nk > 6

21 Key Schedule
- Round Key Selection
  - Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)]
  - Ex : Nb=4
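The key expansion for Nk ≦ 6 described on slides 17 to 21, together with the ByteSub S-box it depends on, as an added Python example (not code from the slides). The function names are assumptions, the S-box is built by walking the powers of the generator '03' so that q is always the reciprocal of p, and the sample key is the AES-128 example key from FIPS-197 Appendix A.1.

```python
def rotl8(b, s):
    return ((b << s) | (b >> (8 - s))) & 0xFF

def make_sbox():
    """ByteSub table: reciprocal in GF(2^8), GF(2) matrix multiply, XOR 0x63."""
    sbox = [0] * 256
    p = q = 1                          # invariant: q is the reciprocal of p
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3
        q ^= q << 1                    # this line to the XOR with 0x09: q = q / 3
        q ^= q << 2
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                     # 0 has no reciprocal; it is treated as 0
    return sbox

SBOX = make_sbox()

def expand_key(key, Nb=4):
    """Expanded Key W[Nb*(Nr+1)] as a list of 4-byte words, for Nk <= 6."""
    Nk = len(key) // 4
    if len(key) % 4 or Nk not in (4, 6):
        raise ValueError("this branch of the key expansion needs Nk = 4 or 6")
    Nr = max(Nb, Nk) + 6
    W = [list(key[4 * i:4 * i + 4]) for i in range(Nk)]  # Cipher Key first
    rc = 1                             # RC[1] = 1
    for i in range(Nk, Nb * (Nr + 1)):
        temp = list(W[i - 1])
        if i % Nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubByte(RotByte)
            temp[0] ^= rc              # Rcon = (RC, '00', '00', '00')
            rc = (rc << 1) ^ (0x11B if rc & 0x80 else 0)   # RC[i] = x * RC[i-1]
        W.append([a ^ b for a, b in zip(W[i - Nk], temp)])
    return W

def round_key(W, i, Nb=4):
    """Round Key i: the Nb words starting at W[Nb*i] (slice end is exclusive)."""
    return bytes(b for word in W[Nb * i:Nb * (i + 1)] for b in word)

# AES-128 example key from FIPS-197 Appendix A.1 (not from the slides)
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
```

For Nb = 4 and Nk = 4 the expansion yields 44 words, which is the 1408 Round Key bits of the slide 17 example.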

22 Encryption

23 Decryption

24 Decryption

25 Decryption
- The ByteSub step and the ShiftRow step can change their order without affecting the cipher.
  - A BSMA BSMA BSMA … BSMA BSA
  - A SBMA SBMA SBMA … SBMA SBA
  - ASB AMSB AMSB … AMSB AMSB A
- $y = [x \otimes c] \oplus k$
- $x' = [y \otimes d] \oplus k'$
- $x' = \{\{[x \otimes c] \oplus k\} \otimes d\} \oplus k' = [x \otimes c \otimes d] \oplus [k \otimes d] \oplus k'$
- if $k' = k \otimes d$, then $x' = x$

26 Rijndael on Modern Processors

27 Rijndael on Modern Processors
- Define tables $T_0$ to $T_3$ :
  - 4 tables with byte
  - total : 4KByte

28 Rijndael on Modern Processors

29 Rijndael in Hardware