
AES (Rijndael) Joan Daemen and Vincent Rijmen, “ The Design of


1 AES (Rijndael)
References
- Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002 (ISBN not shown)
- FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael: variable block and key sizes; AES: fixed sizes

2 AES requirements
- Block cipher
- 128-bit blocks
- 128/192/256-bit keys
- Worldwide royalty-free
- More secure than Triple DES
- More efficient than Triple DES

3 AES Calendar
- Jan. 2, 1997: Announcement of intent to develop AES and request for comments
- Sep. 12, 1997: Formal call for candidate algorithms
- Aug. 1998: First AES Candidate Conference (AES1) and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
- Mar. 1999: Second AES Candidate Conference (AES2), NY, USA; 5 algorithms selected
- Apr. 2000: Third AES Candidate Conference (AES3)
- Sep. 2000: Final AES selection, winner announced (Rijndael!)
Timeline: Jan. 1997 call for algorithms -> Aug. 1998 AES1, 15 algorithms -> Mar. 1999 AES2, 5 algorithms selected -> Apr. 2000 AES3 -> Sep. 2000 winner announced

4 AES Round 1 algorithms
15 algorithms were proposed at the AES1 conference.

5 AES Round 2 Algorithms
After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.
Cipher   | Submitter                 | Structure         | Nonlinear component
MARS     | IBM                       | Feistel structure | S-box, data-dependent rotation
RC6      | RSA Lab.                  | Feistel structure | Data-dependent rotation
Rijndael | Daemen, Rijmen            | SPN structure     | S-box
Serpent  | Anderson, Biham, Knudsen  | SPN structure     | S-box
Twofish  | Schneier et al.           | Feistel structure | S-box

6 Security of AES Candidates
Columns: Alg. (rounds), Structure, Rounds attacked (key size), Type of attack, Texts, Mem. (bytes), Ops
- MARS (16 core (C) + 16 mixing (M) rounds), Feistel
  11C, Amplified boomerang: 2^65 texts, 2^70 bytes, 2^229 ops
  16M + 5C, Differential meet-in-the-middle: 2^50 texts, 2^69 bytes, 2^197 ops
  16M + 5C, Meet-in-the-middle: 2^73 bytes, 2^247 ops
- RC6 (20 rounds), Feistel
  12 rounds, Statistical distinguisher: 2^94 texts, 2^42 bytes, 2^119 ops
  14 rounds, Statistical distinguisher: 2^118 texts, 2^112 bytes, 2^122 ops
  15 rounds (256-bit key), Statistical distinguisher: 2^119 texts, 2^138 bytes, 2^215 ops
- Rijndael (10 / 12 / 14 rounds for 128 / 192 / 256-bit keys), SPN
  6 rounds, Truncated differential: 2^32 texts, 7·2^32 bytes, 2^72 ops
  7 rounds, Truncated differential: 2^128 - 2^119 texts, 2^61 bytes, 2^120 ops
  8 rounds (256-bit key), Truncated differential: 2^128 - 2^119 texts, 2^101 bytes, 2^204 ops
  9 rounds (256-bit key), Related key: 2^77 texts, NA bytes, 2^224 ops
- Serpent (32 rounds), SPN
  8 rounds (192/256-bit key): 2^113 texts, 2^179 ops
  6 and 7 rounds (256-bit key), meet-in-the-middle / differential / boomerang attacks, with texts, memory and ops figures of 512, 2^71, 2^41, 2^110, 2^246, 2^75, 2^126, 2^133, 2^212, 2^103, 2^248, 2^163, 2^252
- Twofish (16 rounds), Feistel
  Impossible differential: 2^256 ops

7 Comparison of AES2 algorithms (I)
Encryption speed analysis by NIST

8 Comparison of AES2 algorithms (II)
Java Implementation by A. Sterbenz (Graz Univ.)

9 Comparison of AES2 algorithms (III)
Smart card implementation by F. Sano (Toshiba)
* : the check for “weak” keys in the key schedule is omitted

10 Comparison of AES2 algorithms (IV)
CMOS ASIC Implementation by Ichikawa (Mitsubishi)

11 Rijndael – Overview
Proposed by Joan Daemen and Vincent Rijmen (Belgium)
Design choices
- Square type
- Three distinct invertible uniform transformations (layers)
  - Linear mixing layer: guarantees high diffusion
  - Non-linear layer: parallel application of S-boxes
  - Key addition layer: XOR the round key into the intermediate state
- Initial key addition, final key addition
Representation of state and key
- Rectangular array of bytes with 4 rows (square type)
- Nb: number of columns of the state (4~8)
- Nk: number of columns of the cipher key (4~8)
- Nb is independent of Nk

12 Rijndael – States
Figure: State (Nb = 6), Key (Nk = 4), Number of rounds (Nr)

13 Rijndael – Encryption
- Block size: 128 bits
- Key size: 128/192/256 bits
Component functions
- ByteSubstitution (BS): S-box, byte-wise substitution
- ShiftRow (SR): circular shift
- MixColumn (MC): linear (branch number: 5); MC is omitted in the last round
- AddRoundKey (ARK): bit-wise key addition
Figure: Input (4×4 byte array) -> input whitening (ARK) -> round transformation (BS, SR, MC, ARK) -> final round (BS, SR, ARK) -> Output

14 Properties
Substitution-Permutation Network (SPN)
- (Invertible) nonlinear layer: confusion
- (Invertible) linear layer: diffusion
Branch number: a measure of the diffusion power of the linear layer
- Let F be a linear transformation on n words, and W(a) the number of nonzero words in a.
- B(F) = min over a ≠ 0 of { W(a) + W(F(a)) }
- Rijndael: branch number = 5
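The branch number definition above can be checked on Rijndael's own linear layer. The following is an added example, not code from the slides or from the Rijndael authors; it assumes the FIPS-197 MixColumn matrix (entries {02}, {03}, {01}) and the field polynomial x^8 + x^4 + x^3 + x + 1, neither of which the slide spells out. Enumerating all 2^32 column inputs is slow in Python, so it uses the equivalent characterization: an n×n matrix whose square submatrices are all nonsingular is MDS, and an MDS linear map has branch number n + 1. It also samples every single-byte input, which is where the minimum 1 + 4 = 5 is attained, and contrasts with the identity matrix, whose branch number is only 2.

```python
# Added example (not from the slides): branch number B(F) of Rijndael's MixColumn.
# Assumptions: MIX and MOD_POLY are the FIPS-197 values.
from functools import reduce
from itertools import combinations
from operator import xor

MOD_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

# FIPS-197 MixColumns matrix; entries are the field elements {02}, {03}, {01}
MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]
IDENTITY = [[int(r == c) for c in range(4)] for r in range(4)]  # no diffusion, for contrast


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x), one bit of b at a time."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (MOD_POLY if a & 0x80 else 0)
        b >>= 1
    return r


def apply_matrix(matrix, col):
    """F(a) for one 4-byte column: b_r = XOR over k of matrix[r][k] * a_k."""
    return [reduce(xor, (gf_mul(matrix[r][k], col[k]) for k in range(4)))
            for r in range(4)]


def weight(words):
    """W(a): the number of nonzero words (here bytes) in a."""
    return sum(1 for w in words if w)


def gf_det(m):
    """Determinant over GF(2^8) by Laplace expansion (characteristic 2: no signs)."""
    if len(m) == 1:
        return m[0][0]
    return reduce(xor, (gf_mul(m[0][j], gf_det([row[:j] + row[j + 1:] for row in m[1:]]))
                        for j in range(len(m))))


def is_mds(matrix):
    """A square matrix is MDS iff every square submatrix is nonsingular."""
    n = len(matrix)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if gf_det([[matrix[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def branch_number(matrix):
    """B(F) = min_{a != 0} W(a) + W(F(a)); for an n x n MDS matrix this equals n + 1,
    which spares us the 2^32-column brute force."""
    if not is_mds(matrix):
        raise ValueError("matrix is not MDS, so its branch number is below n + 1")
    return len(matrix) + 1


def min_sum_single_byte_inputs(matrix):
    """Upper bound on B(F): W(a) + W(F(a)) over every input with exactly one nonzero byte."""
    best = None
    for pos in range(4):
        for v in range(1, 256):
            a = [0, 0, 0, 0]
            a[pos] = v
            s = weight(a) + weight(apply_matrix(matrix, a))
            best = s if best is None else min(best, s)
    return best
```

`apply_matrix(MIX, [0xDB, 0x13, 0x53, 0x45])` reproduces the FIPS-197 MixColumns worked example `8E 4D A1 BC`, `branch_number(MIX)` is 5, and `min_sum_single_byte_inputs(MIX)` also returns 5, showing the bound is tight: a single changed byte in a column always changes all four output bytes.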

15 Security Goals
K-secure
- No shortcut attacks: no key-recovery attack faster than exhaustive key search
- No symmetry property, such as the complementation property of DES
- No non-negligible classes of weak keys, as in IDEA
- No related-key attacks
Hermetic
- No weakness that is not present for the majority of block ciphers with the same block and key length
Rijndael is K-secure and hermetic

16 Component Functions
- ByteSubstitution: S(x) = x^-1 in GF(2^8), with almost maximal nonlinearity (p.105), computed over m(x) = x^8 + x^4 + x^3 + x + 1
- ShiftRow: rows 0..3 are rotated by 0, C1, C2 and C3 positions
  Nb = 4: C1 = 1, C2 = 2, C3 = 3
  Nb = 6: C1 = 1, C2 = 2, C3 = 3
  Nb = 8: (offsets not shown)
- MixColumn: 4×4 matrix multiplication over GF(2^8) (p.107)
  (b0, b1, b2, b3)^T = M · (a0, a1, a2, a3)^T, with M the fixed 4×4 matrix

17 Rijndael: Pseudo-Code
    Rijndael(State, CipherKey)
    {
        KeyExpansion(CipherKey, ExpandedKey);   /* p.108 */
        AddRoundKey(State, ExpandedKey);
        For (i = 1; i < Nr; i++)
            Round(State, ExpandedKey + Nb*i);
        FinalRound(State, ExpandedKey + Nb*Nr);
    }

    Round(State, RoundKey)
    {
        ByteSub(State);
        ShiftRow(State);
        MixColumn(State);
        AddRoundKey(State, RoundKey);
    }

    FinalRound(State, RoundKey)
    {
        ByteSub(State);
        ShiftRow(State);
        AddRoundKey(State, RoundKey);
    }
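The pseudo-code above, together with the component functions of the previous slide, is enough to build a working AES-128 encryption. The block below is an added example written for this page, not code from the slides or from the Rijndael authors. It builds ByteSub from the slide's S(x) = x^-1 over m(x) = x^8 + x^4 + x^3 + x + 1, and takes from FIPS-197 (not stated on the slides) the affine step that follows the inversion, the round constants, and the MixColumn matrix; it fixes Nb = Nk = 4 and Nr = 10. It is a teaching model, table-driven and not constant-time, and it is checked against the FIPS-197 Appendix C.1 test vector.

```python
# Added example (not from the slides): AES-128 from the Rijndael pseudo-code.
# Assumptions: affine map, RCON and MIX from FIPS-197; Nb = Nk = 4, Nr = 10.
from functools import reduce
from operator import xor

MOD_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (MOD_POLY if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(x):
    """The slide's S(x) = x^-1: computed as x^254 (x^255 = 1), with 0 -> 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


def affine(y):
    """FIPS-197 affine map applied after the inversion: y XOR 4 rotations XOR 0x63."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4) ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]   # SBOX[0x53] == 0xED, as in FIPS-197

# The state is 16 bytes in column-major order: state[r + 4*c] is row r, column c.
def byte_sub(s):
    return [SBOX[b] for b in s]


def shift_row(s):
    """Row r is rotated left by r positions (C1, C2, C3 = 1, 2, 3 for Nb = 4)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_column(s):
    """Every column is multiplied by the fixed MIX matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        out += [reduce(xor, (gf_mul(MIX[r][k], col[k]) for k in range(4))) for r in range(4)]
    return out


def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]


def key_expansion(key):
    """Nk = 4: 16 key bytes -> 44 words = 11 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    flat = [b for word in w for b in word]
    return [flat[16 * r:16 * r + 16] for r in range(11)]


def aes128_encrypt_block(key, block):
    """Rijndael(State, CipherKey) from the slide, specialised to Nb = Nk = 4, Nr = 10."""
    rks = key_expansion(key)
    state = add_round_key(list(block), rks[0])                    # input whitening
    for i in range(1, 10):                                        # Round(): BS, SR, MC, ARK
        state = add_round_key(mix_column(shift_row(byte_sub(state))), rks[i])
    state = add_round_key(shift_row(byte_sub(state)), rks[10])    # FinalRound(): no MixColumn
    return bytes(state)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1: expect 69c4e0d86a7b0430d8cdb78070b4c55a
    print(aes128_encrypt_block(bytes(range(16)),
                               bytes.fromhex("00112233445566778899aabbccddeeff")).hex())
```

Dropping the `mix_column` call from the final round is not an optimisation but part of the definition: with it, the last round's linear layer would cancel trivially against the round key in a chosen-ciphertext setting and the key schedule indexing would no longer match FIPS-197, so the test vector would fail. The same skeleton serves AES-192/256 by changing `key_expansion` to Nk = 6 or 8 and the loop bound to Nr = 12 or 14.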

18 Modes of Operation

19 Mode of operation (I): ECB (Electronic CodeBook) mode
- Encryption: C = E_K(P), n-bit blocks; Decryption: P = D_K(C)
- If Ci = Cj then D_K(Ci) = D_K(Cj): equal ciphertext blocks reveal equal plaintext blocks

20 Mode of operation (II): CBC (Cipher Block Chaining)
- IV: Initialization Vector (C0 = IV)
- Ci = E_K(Pi ⊕ Ci-1)
- Pi = D_K(Ci) ⊕ Ci-1
- 2-block error propagation
- Self-synchronizing
- If the last block Pl is shorter than the block size, padding is required

21 Mode of operation (III): m-bit OFB (Output FeedBack)
- Ci = Pi ⊕ O(E_K), Pi = Ci ⊕ O(E_K), where O(E_K) is the m-bit output fed back from the encryption of the IV register
- No error propagation
- Requires external synchronization
- Stream cipher
- E_K or D_K can be used in the feedback loop
Figure: i) Encryption, ii) Decryption

22 Mode of operation (IV): m-bit CFB (Cipher FeedBack)
- Ci = Pi ⊕ E_K(Ci-1), Pi = Ci ⊕ E_K(Ci-1), with C0 = IV
- Error propagates until the corrupted bits leave the feedback buffer
- Self-synchronizing
- E_K or D_K can be used in the feedback loop
Figure: i) Encryption, ii) Decryption

23 Mode of operation (V): Counter mode
- Ci = Pi ⊕ E_K(Ti), Pi = Ci ⊕ E_K(Ti)
- Ti = ctr + i - 1 mod 2^m, with |P| = |ctr| = m; the counter blocks are ctr, ctr+1, ..., ctr+m-1
- Parallel computation
Figure: i) Encryption (P1..Pm-1 -> C1..Cm-1), ii) Decryption (C1..Cm-1 -> P1..Pm-1)

24 Mode of Operation (VI): CCM mode (Counter with CBC-MAC mode) = Ctr + CBC
Authenticated encryption: a MAC is produced as part of the encryption process

25 Mode of operation – summary
Use of mode
- ECB: key management; useless for file encryption
- CBC: file encryption; useful for MAC
- m-bit CFB: self-sync; impossible to use on a channel with low BER
- m-bit OFB: external sync; m = 1, 8 or n
- Ctr: secret ctr, parallel computation
- CCM: authenticated encryption
Performance degradation / cost tradeoff
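The properties listed on slides 19 to 25 (ECB pattern leakage, 2-block error propagation in CBC and CFB, single-block error in CTR and OFB, parallelisable CTR keystream) can be observed directly by running the modes over any E_K/D_K pair. The block below is an added example, not code from the slides: the block cipher is a constructed stand-in (a 4-round Feistel network with a SHA-256 round function, invertible by construction, not AES), and the key, IV and plaintext are constructed sample values. Each mode is written exactly as the slides define it, and `demo()` returns the observed properties so they can be checked.

```python
# Added example (not from the slides): ECB, CBC, CFB, OFB and Counter modes over a
# stand-in block cipher. E/D below are a toy Feistel cipher, NOT AES; any E_K/D_K
# pair gives the same mode behaviour. Key, IV and plaintext are constructed values.
import hashlib

BLOCK = 16  # bytes, i.e. n = 128 bits as on the slides


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed hash of one 8-byte half, truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def E(key, block):
    """Stand-in E_K: 4 Feistel rounds on a 16-byte block."""
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, _xor(L, _f(key, rnd, R))
    return L + R


def D(key, block):
    """Stand-in D_K: the same rounds undone in reverse order."""
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = _xor(R, _f(key, rnd, L)), L
    return L + R


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: blocks are independent, so equal plaintext blocks give equal ciphertext blocks
def ecb_encrypt(key, pt): return b"".join(E(key, p) for p in blocks(pt))
def ecb_decrypt(key, ct): return b"".join(D(key, c) for c in blocks(ct))


# CBC: C_i = E_K(P_i xor C_{i-1}), C_0 = IV; P_i = D_K(C_i) xor C_{i-1}
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(D(key, c), prev))
        prev = c
    return b"".join(out)


# CFB (full-block): C_i = P_i xor E_K(C_{i-1}); only E_K is used in both directions
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = _xor(p, E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(c, E(key, prev)))
        prev = c
    return b"".join(out)


# OFB: O_i = E_K(O_{i-1}), O_0 = IV; C_i = P_i xor O_i; same function decrypts
def ofb_crypt(key, iv, data):
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o)
        out.append(_xor(d, o))
    return b"".join(out)


# Counter: C_i = P_i xor E_K(T_i), T_i = ctr + i - 1 mod 2^128; same function decrypts.
# Every E_K(T_i) depends only on i, so the keystream can be computed in parallel.
def ctr_crypt(key, ctr, data):
    start = int.from_bytes(ctr, "big")
    ks = [E(key, ((start + i) % (1 << 128)).to_bytes(BLOCK, "big"))
          for i in range(len(blocks(data)))]
    return b"".join(_xor(d, k) for d, k in zip(blocks(data), ks))


def changed_blocks(a, b):
    """Indices of the 16-byte blocks in which a and b differ."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]


def demo():
    key = b"constructed-key!"                              # constructed 16-byte key
    iv = bytes(range(16))                                  # constructed IV / initial ctr
    pt = b"A" * 16 + b"B" * 16 + b"A" * 16 + b"C" * 16    # blocks 0 and 2 are identical

    def flip_bit(ct):                                      # corrupt one bit of block 1
        b = bytearray(ct)
        b[16] ^= 0x01
        return bytes(b)

    ecb, cbc, cfb = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt), cfb_encrypt(key, iv, pt)
    ofb, ctr = ofb_crypt(key, iv, pt), ctr_crypt(key, iv, pt)
    return {
        "roundtrip": ecb_decrypt(key, ecb) == cbc_decrypt(key, iv, cbc) == cfb_decrypt(key, iv, cfb)
                     == ofb_crypt(key, iv, ofb) == ctr_crypt(key, iv, ctr) == pt,
        "ecb_repeats": blocks(ecb)[0] == blocks(ecb)[2],   # True: the pattern leaks
        "cbc_repeats": blocks(cbc)[0] == blocks(cbc)[2],   # False: chaining hides it
        "cbc_error_blocks": changed_blocks(pt, cbc_decrypt(key, iv, flip_bit(cbc))),   # [1, 2]
        "cfb_error_blocks": changed_blocks(pt, cfb_decrypt(key, iv, flip_bit(cfb))),   # [1, 2]
        "ofb_error_blocks": changed_blocks(pt, ofb_crypt(key, iv, flip_bit(ofb))),     # [1]
        "ctr_error_blocks": changed_blocks(pt, ctr_crypt(key, iv, flip_bit(ctr))),     # [1]
    }
```

The error-propagation figures are exactly the slides' claims: in CBC and CFB a corrupted ciphertext block garbles its own plaintext block and flips the same bit in the next one, after which the chain resynchronizes; in OFB and CTR only the corresponding bit is affected, which is also why those two modes give no integrity protection at all and are paired with a MAC (the CCM slide) in practice.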

