1  A clear a replacement for DES was needed have theoretical attacks that can break it have theoretical attacks that can break it have demonstrated exhaustive key search attacks have demonstrated exhaustive key search attacks  US NIST issued call for ciphers in 1997  15 candidates accepted in Jun 98  5 were shortlisted in Aug-99  Rijndael was selected as the AES in Oct-2000  issued as FIPS (Federal Information Processing Standard) PUB 197 standard on 26 Nov-2001 Chapter 5 –Advanced Encryption Standard (AES)

2 AES Requirements  private key symmetric block cipher  128-bit data, 128/192/256-bit keys  stronger & faster than Triple-DES  active life of years (+ archival use)  provide full specification & design details  both C & Java implementations  NIST have released all submissions & unclassified analyses

3 AES Evaluation Criteria  initial criteria: security – effort for practical cryptanalysis security – effort for practical cryptanalysis cost – in terms of computational efficiency cost – in terms of computational efficiency algorithm & implementation characteristics algorithm & implementation characteristics  final criteria general security general security ease of software & hardware implementation ease of software & hardware implementation implementation attacks implementation attacks flexibility (in en/decrypt, keying, other factors) flexibility (in en/decrypt, keying, other factors)

4 AES Shortlist  after testing and evaluation, shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin Rijndael (Belgium) - clean, fast, good security margin Serpent (Euro) - slow, clean, v. high security margin Serpent (Euro) - slow, clean, v. high security margin Twofish (USA) - complex, v. fast, high security margin Twofish (USA) - complex, v. fast, high security margin  then subject to further analysis & comment  saw contrast between algorithms with few complex rounds verses many simple rounds few complex rounds verses many simple rounds which refined existing ciphers verses new proposals which refined existing ciphers verses new proposals

5 The Rijndael Cipher Algorithm

6 designed by Rijmen-Daemen in Belgiumdesigned by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit datahas 128/192/256 bit keys, 128 bit data an iterative rather than feistel cipheran iterative rather than feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round designed to be:designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity

7 Rijndael  data block of 4 columns of 4 bytes is state  key is expanded to array of words  has 9/11/13 rounds in which state undergoes: byte substitution (1 S-box used on every byte) byte substitution (1 S-box used on every byte) shift rows (permute bytes between groups/columns) shift rows (permute bytes between groups/columns) mix columns (subs using matrix multipy of groups) mix columns (subs using matrix multipy of groups) add round key (XOR state with key material) add round key (XOR state with key material) view as alternating XOR key & scramble data bytes view as alternating XOR key & scramble data bytes  initial XOR key material & incomplete last round  with fast XOR & table lookup implementation

8 Mathematical preliminaries  The field GF(2 8 )  Example: (57) 16  x 6 +x 4 +x 2 +x+1  Addition  Multiplication  Multiplication by x  Polynomials with coefficients in GF(2 8 )  Multiplication by x

9 Addition  Sum of two elements: the sum of coefficients with modulus 2  Example: ’57’+’83’=‘D4’  (x 6 +x 4 +x 2 +x+1)+(x 7 +x+1)=x 7 +x 6 +x 4 +x 2

10 Multiplication  Multiplication in GF(2 8 ): multiplication of polynomials modulo x 8 +x 4 +x 3 +x+1 or (11B) 16.  Example: ’57’  ’83’=‘C1’  (x 6 +x 4 +x 2 +x+1)  (x 7 +x+1) = x 13 +x 11 +x 9 +x 8 +x 6 +x 5 +x 4 +x 3 +1  x 13 +x 11 +x 9 +x 8 +x 6 +x 5 +x 4 +x 3 +1 modulo x 8 +x 4 +x 3 +x+1 = x 7 +x 6 +1

11 Some Properties  Multiplication is associative with a neutral element ‘01’.  Inverse: b -1 (x)=a(x) mod m(x) with a(x)  b(x) mod m(x)= 1  a(x)  (b(x)+c(x))=a(x)  b(x)+a(x)  c(x).  The set of 256 possible byte values, with addition and the multiplication defined as above has the structure of the finite field GF(2 8 ).

12 Multiplication by x  Multiply b(x) with the polynomial x: b 7 x 8 +b 6 x 7 +b 5 x 6 +b 4 x 5 +b 3 x 4 +b 2 x 3 +b 1 x 2 +b 0 x  If b7=0, the reduction is identity operation; if b7=1, m(x) must be subtracted (i.e. EXORed).  That is, multiplication by x (‘02’) can be implemented by a left shift and a conditional EXOR with’1B’.

13 Example  ‘57’  ‘13’ =‘FE’ ‘57’  ’02’=xtime(57)=‘AE’ ‘57’  ’02’=xtime(57)=‘AE’ ‘57’  ’04’=xtime(AE)=‘47’ ‘57’  ’08’=xtime(47)=‘8E’ ‘57’  ’10’=xtime(8E)=‘07’ ‘57’  ‘13’ =‘57’  (‘01’  ’02’  ’10’) = ‘57’  ’AE’  ’07’=‘FE’ ‘57’  ‘13’ =‘57’  (‘01’  ’02’  ’10’) = ‘57’  ’AE’  ’07’=‘FE’

14 Polynomials with coefficients in GF(2 8 )  Two polynomials over GF(2 8 ): a(x)=a 3 x 3 +a 2 x 2 +a 1 x+a 0 b(x)=b 3 x 3 +b 2 x 2 +b 1 x+b 0  Their product c(x)=c 6 x 6 +c 5 x 5 +c 4 x 4 +c 3 x 3 +c 2 x 2 +c 1 x+c 0 c 0 =a 0  b 0 c 1 =a 1  b 0  a 0  b 1 c 2 =a 2  b 0  a 1  b 1  a 0  b 2 c 3 =a 3  b 0  a 2  b 1  a 1  b 2 +  a 0  b 3 c 4 =a 3  b 1  a 2  b 2  a 1  b 3 c 5 =a 3  b 2  a 2  b 3 c 6 =a 3  b 3

15 Polynomials with coefficients in GF(2 8 )  By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4.  M(x)=x 4 +1 and x i mod x 4 +1=x i mod 4.

16 Polynomials with coefficients in GF(2 8 )  Product of a( x ) and b( x ): d( x ) = a( x )  b( x )= d 3 x 3 +d 2 x 2 +d 1 x+d 0 d 0 = a   b 0  a   b 1  a   b 2  a   b 3 d 1 = a   b 0  a   b 1  a   b 2  a   b 3 d 2 = a   b 0  a   b 1  a   b 2  a   b 3 d 3 = a   b 0  a   b 1  a   b 2  a   b 3

17 Polynomials with coefficients in GF(2 8 ) circulant matrix:

18 Multiplication by x  Multiply b( x ) by the polynomial x: b 3 x 4 +b 2 x 3 +b 1 x 2 +b 0 x  x  b( x ) modulo 1+x 4 = b 2 x 3 +b 1 x 2 +b 0 x+b 3  It is equivalent to multiplication by a matrix with all a i =‘00’ except a 1 =‘01’. Let c( x ) = x  b( x ). We have:

19 Specification  Variable block length and key length  Block length and the key length can be 128, 192, or 256 bits.  The state: the intermediate cipher result.  The Cipher Key is similarly picture as a rectangular array with four rows.

20 The state and the Cipher Key

21 The rounds  The number of rounds is denoted by Nr and depends on the values Nb and Nk. It is given in Table 1.

22 The cipher  The cipher Rijndael consists of An initial Round Key addition; An initial Round Key addition; Nr-1 Rounds; Nr-1 Rounds; A final round. A final round. In pseudo C code, In pseudo C code,Rijndael(State,CipherKey){ KeyExpansion(CipherKey,ExpandedKey) ; AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); }

23 The cipher  The key expansion can be done on beforehand and Rijndael can be specified in terms of the Expanded Key. Rijndael(State,ExpandedKey){AddRoundKey(State,ExpandedKey); For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i) ; FinalRound(State,ExpandedKey + Nb*Nr); }

24 The round transformation Round(State,RoundKey){ByteSub(State);ShiftRow(State);MixColumn(State);AddRoundKey(State,RoundKey);}

25 The final round FinalRound(State,RoundKey){ ByteSub(State) ; ShiftRow(State) ; AddRoundKey(State,RoundKey);}

26 The ByteSub transformation(1/2) 1. Taking the multiplicative inverse in GF(2 8 ). 2. Applying an affine transformation defined by:

27 The ByteSub transformation(2/2)

28 The ShiftRow transformation(1/2)

29 The ShiftRow transformation(2/2)

30 The MixColumn transformation(1/2)  The columns of the State are considered as polynomials over GF(2 8 ) and multiplied modulo x 4 +1 with a fixed polynomial c(x)= ‘03’x 3 +‘01’x 2 +‘01’x+‘02’.  This can be written as a matrix multiplication. Let b(x) = c(x)  a(x),

31 The MixColumn transformation(2/2)

32 The Round Key addition

33 Key schedule  The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two components: the Key Expansion and the Round Key Selection. The basic principle is the following: The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed). The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed). The Cipher Key is expanded into an Expanded Key. The Cipher Key is expanded into an Expanded Key. Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on. Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.

34 Key expansion  The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)]. The first NK words contain the Cipher Key. All other words are defined recursively in terms of words with smaller indices. For Nk  6, we have: KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) { temp = W[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; W[i] = W[i - Nk] ^ temp;}}

35 Key expansion For Nk > 6, we have: KeyExpansion(byte Key[4*Nk] word W[Nb*(Nr+1)]) { for(i = 0; i < Nk; i++) W[i] = (key[4*i],key[4*i+1],key[4*i+2],key[4*i+3]); for(i = Nk; i < Nb * (Nr + 1); i++) {temp = W[i - 1]; if (i % Nk == 0) temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk]; else if (i % Nk == 4) temp = SubByte(temp); W[i] = W[i - Nk] ^ temp;} }

36 Round Key selection  Round key i is given by the Round Key buffer words W[Nb*i  to W[Nb*(i+1)].

37 Strength against known attacks Symmetry properties and weak keys of the DES type Symmetry properties and weak keys of the DES type  Round constants are different in each round to eliminate symmetry in the cipher.  The cipher and its inverse use different components to eliminates the possibility for weak and semi-weak keys, as existing for DES.  The non-linearity of the key expansion eliminates the possibility of equivalent keys.

38 Strength against known attacks Differential cryptanalysis(DC) Differential cryptanalysis(DC)  First described by Eli Biham and Adi Shamir in  A differential propagation is composed of differential trails(DT), where its prop ratio(PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns.  Necessary condition to be resistant against DC: No DT with predicated PR > 2 1-n, n the block length.  For Rijndael: No 4-round DT with predicated PR above (no 8-round trails with PR above ).

39 Strength against known attacks Linear cryptanalysis(LC) Linear cryptanalysis(LC)  First described by Mitsuru Matsui in  An input-output correlation is composed of linear trails (LT) that have the specified initial and final selection patterns.  Necessary condition to be resistant against LC: No LTs with a correlation coefficients > 2 n/2  For Rijndael: No 4-round LTs with a correlation above (no 8-round trails with a correlation above ).

40 Strength against known attacks  Interpolation attacks  Introduced by Jakobsen and Knudsen in  The attacker constructs polynomials using cipher input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial.  The expression for the S-box is given by 63+8fX 127 +b5X X 223 +f4X X 247 +f9X X X 254

41 Strength against known attacks  Other attacks considered:  Truncated differentials  The Square attack  Related-key attacks  Weak keys as in IDEA

42 Advantages and limitations  Advantages  Implementation aspects Rijndael can be implemented to run at speeds unusually fast on a Pentium (Pro). Trade-off between table size/performance. Rijndael can be implemented to run at speeds unusually fast on a Pentium (Pro). Trade-off between table size/performance. Rijndael can be implemented on a smart card in a small code, using a small amount of RAM and a small number of cycles. Rijndael can be implemented on a smart card in a small code, using a small amount of RAM and a small number of cycles. The round transformation is parallel by design. The round transformation is parallel by design. As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures. As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures.

43 Advantages and limitations  Advantages  Simplicity of design The cipher is fully “self-supporting”. The cipher is fully “self-supporting”. The cipher does not base its security on obscure and not well understood arithmetic operations. The cipher does not base its security on obscure and not well understood arithmetic operations. The tight cipher design does not leave enough room to hide a trapdoor. The tight cipher design does not leave enough room to hide a trapdoor.  Variable block length and extensions Block lengths and key length both range from 128 to 256 in steps of 32 bits. Block lengths and key length both range from 128 to 256 in steps of 32 bits. Round number can be also modified as a parameter. Round number can be also modified as a parameter.

44 Advantages and limitations  Limitations  The inverse cipher is less suited to be implemented on a smart card than the cipher itself: it takes more code and cycles.  In software, the cipher and its inverse make use of different code and/or tables.  In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.