Rjindael Presentation
-
Upload
vikas-khandelwal -
Category
Documents
-
view
219 -
download
0
Transcript of Rjindael Presentation
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 1/8
DARPADARPA
AES Finalist Algorithm: AES Finalist Algorithm:
The Rijndael Block Cipher The Rijndael Block Cipher
Mel TsaiMel TsaiUniversity of Californ ia at BerkeleyUniversity of Californ ia at Berkeley
10/18/2000 2
Introduction and History Introduction and History
uuNational Insti tute of Science and Techno logyNational Insti tute of Science and Techno logy
ss DES is an aging standard that no longer addresses today’s needsDES is an aging standard that no longer addresses today’s needs for strongfor strongencryptionencryption
ss TripleTriple--DES: Endorsed by NIST as today’sDES: Endorsed by NIST as today’s defactodefacto standardstandard
uu AES: The Advanced Encryption Standard AES: The Advanced Encryption Standard
ss To be finalized in 2001To be finalized in 2001
ss Goal is to define the Federal Information Processing Standard (FGoal is to define the Federal Information Processing Standard (FIPS) byIPS) by
selecting a new powerful encryption algorithm suitable for encryselecting a new powerful encryption algorithm suitable for encryptingptinggovernment documentsgovernment documents
ss AES candidate algor ithms must be: AES candidate algor ithms must be:
tt SymmetricSymmetric --key ciphers supporting 128, 192, and 256 bit keyskey ciphers supporting 128, 192, and 256 bit keys
tt RoyaltyRoyalty --FreeFree
tt Unclassified (i.e. public domain)Unclassified (i.e. public domain)
tt Available for worldwide export Available for worldwide export
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 2/8
10/18/2000 3
Overview of Secret Key Cryptography Overview of Secret Key Cryptography
uu To transmit data securely over an insecure medium, two parties aTo transmit data securely over an insecure medium, two parties agree on agree on a key key ininwhich to encrypt data.which to encrypt data.
ss This key is usually exchanged through publicThis key is usually exchanged through public --key cryptographic methodskey cryptographic methods
uu User A encrypts a block of dataUser A encrypts a block of data X X with keywith key W W and sends this data to user B.and sends this data to user B.
uu By using the same keyBy using the same key W W , user B decrypts the, user B decrypts the ciphertext ciphertext Y Y back intoback into X X
X Z Insecure MediumY
W
Y Z-1 X
W
A B
Fundamental Concept:Fundamental Concept:Due to algorithm Z, it’s nearly impossible to recover dataDue to algorithm Z, it’s nearly impossible to recover data X X fromfrom ciphertextciphertext
Y Y without keywithout key W W . “Guessing” the key. “Guessing” the key W W through exhaustive search is generally infeasible.through exhaustive search is generally infeasible.
10/18/2000 4
Introduction and History (cont.) Introduction and History (cont.)
uu AES Round AES Round--3 Finalist Algorithms:3 Finalist Algorithms:
ss MARSMARStt Candidate offering f rom IBMCandidate offering f rom IBM
ss RC6RC6
tt Developed by RonDeveloped by Ron RivestRivest of RSA Labs, creator of the widely used RC4of RSA Labs, creator of the widely used RC4algorithmalgorithm
ss
TwofishTwofishtt From Counterpane Internet Security, Inc.From Counterpane Internet Security, Inc.
ss SerpentSerpenttt Designed by Ross Anderson, EliDesigned by Ross Anderson, Eli BihamBiham and Lars Knudsenand Lars Knudsen
ss RijndaelRijndael
tt Designed by JoanDesigned by Joan DaemenDaemen and Vincentand Vincent RijmenRijmen
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 3/8
10/18/2000 5
Rijndael Rijndael
uuThe Winner: RijndaelThe Winner: Rijndaelss JoanJoan DaemenDaemen (of Proton World International)(of Proton World International) and Vincentand Vincent RijmenRijmen (of(of
Katholieke Universiteit LeuvenKatholieke Universiteit Leuven))..
ss (pronounced “ Rhine(pronounced “ Rhine--doll”)doll”)
ss Al lows only 128, 192, and 256 Al lows only 128, 192, and 256--bit key sizesbit key sizes (unlike the other(unlike the othercandidates)candidates)
ss Variable block length of 128, 192, or 256 bits . All n ineVariable block length of 128, 192, or 256 bits . All n inecombinations of key/block length possible.combinations of key/block length possible.tt A block is the smallest data size the algori thm wil l encrypt A block is the smallest data size the algori thm wil l encrypt
ss Vast speed improvement over DES in both hardware andVast speed improvement over DES in both hardware andsoftware implementationssoftware implementations
tt 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)
tt 8.8 Mbytes/sec on a 200MHz Pentium Pro8.8 Mbytes/sec on a 200MHz Pentium Pro
10/18/2000 6
Rijndael Rijndael
X r 1
Key
r 2 Rn-1 r nr 3 YRn-2
k1 k2 Kn-1 knk3 Kn-2
W
KE Key Expansion
Round
Keys
Encryption Rounds r 1 … r n
uu Key is expanded to a set of n r ound keysKey is expanded to a set of n r ound keys
uu Input block X undergoes n rounds of operations (each operation iInput block X undergoes n rounds of operations (each operation is based on value of thes based on value of thenth round key), until it reaches a final round.nth round key), until it reaches a final round.
uu Strength of algorithm relies on the fact that it’s very difficulStrength of algorithm relies on the fact that it’s very difficult to obtain the intermediatet to obtain the intermediateresult (orresult (or state state ) of round n from round n+1 without the round key.) of round n from round n+1 without the round key.
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 4/8
10/18/2000 7
Rijndael Rijndael
Detailed view of round n
uu Each round performs the following operations:Each round performs the following operations:
uuNonNon--linear Layer: No linear relationship between the input and outplinear Layer: No linear relationship between the input and output of aut of aroundround
uuLinear Mixing Layer: Guarantees high diffusion over multip le roLinear Mixing Layer: Guarantees high diffusion over multip le roundsundsuuVery small correlation between bytes of the round input and theVery small correlation between bytes of the round input and the bytes ofbytes of
the outputthe output
uuKey Addition Layer: Bytes of the input are simplyKey Addition Layer: Bytes of the input are simply EXOR’edEXOR’ed with thewith theexpanded round keyexpanded round key
ByteSub ShiftRow MixColumn AddRoundKey
Kn
Result from
round n -1
Pass to
round n+1
10/18/2000 8
Rijndael Rijndael
uuThree layers prov ide strength against known types ofThree layers prov ide strength against known types ofcryptographic attacks: Rijndael provides “ful l diffusion” after cryptographic attacks: Rijndael provides “ful l diffusion” after onlyonlytwo roundstwo rounds
ss Linear and differential cryptanalysisLinear and differential cryptanalysis
ss KnownKnown--key and relatedkey and related--key attackskey attacks
ss Square attackSquare attack
ss Interpolation attacksInterpolation attacks
ss WeakWeak--keyskeys
uuRijndael has been shown to be KRijndael has been shown to be K--secure secure ::
ss No keyNo key--recovery attacks faster than exhaustive search existrecovery attacks faster than exhaustive search exist
ss No known symmetry properties in the round mappingNo known symmetry properties in the round mapping
ss No weak keysNo weak keys
ss No relatedNo related--key attacks: No two keys have a high number of expanded roundkey attacks: No two keys have a high number of expanded roundkeys in commonkeys in common
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 5/8
10/18/2000 9
Rijndael:Rijndael: ByteSub ByteSub
Each byte at the input of a round undergoes a
non-linear byte substitution according to the following transform:
Substitution (“ S”)-box
10/18/2000 10
Rijndael:Rijndael: ShiftRow ShiftRow
Depending on the block length, each “ row” of the
block is cyclically shifted according to the above table
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 6/8
10/18/2000 11
Rijndael:Rijndael: MixColumn MixColumn
Each column is multipl ied by a fixed polynomial
C(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’
This corresponds to matrix multiplication b(x) = c(x)⊗a(x):
10/18/2000 12
Rijndael: Key Expansion and Addition Rijndael: Key Expansion and Addition
Each word is simply EXOR’ed with the expanded round key
KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)])
{
for(i = 0; i < Nk; i++)
EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
for(i = Nk; i < Nb * (Nr + 1); i++)
{
temp = EKey[i - 1];
if (i % Nk == 0)
temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
EKey[i] = EKey[i - Nk] ̂ temp;}
}
Key Expansion algorithm:
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 7/8
10/18/2000 13
Rijndael: Implementations Rijndael: Implementations
uuRijndael is well suited for software implementations on 8Rijndael is well suited for software implementations on 8--bitbitprocessors (important for “Smart Cards” )processors (important for “Smart Cards” )ss Atomic operat ions focus on by tes and nibbles, not 32 or 64 bit i Atomic operat ions focus on by tes and nibbles, not 32 or 64 bit i ntegersntegers
ss Layers such asLayers such as ByteSubByteSub can be efficiently implemented using small tables incan be efficiently implemented using small tables inROM (e.g. < 256 bytes).ROM (e.g. < 256 bytes).
ss No special instructions are required to speed up operation, e.g.No special instructions are required to speed up operation, e.g. barrel rotatesbarrel rotates
uuFor 32For 32--bit implementations:bit implementations:ss An enti re round can be implemented via a fast table lookup routi An enti re round can be implemented via a fast table lookup routine onne on
machines with 32machines with 32--bit or higher word lengthsbit or higher word lengths
ss Considerable parallelism exists in the algorithmConsiderable parallelism exists in the algorithm
tt
Each layer of Rijndael operates in a parallel manner on the byteEach layer of Rijndael operates in a parallel manner on the bytes of the rounds of the roundstate, all four component transforms act on individual parts ofstate, all four component transforms act on individual parts of the blockthe block
tt Al though the Key expansion is compl icated and cannot benefi t muc Although the Key expansion is compl icated and cannot benefi t much fromh fromparallelism, it onl y needs to be performedparallelism, it onl y needs to be performedonce once until the two parties switch keys.until the two parties switch keys.
10/18/2000 14
Rijndael: Implementations Rijndael: Implementations
uuHardware ImplementationsHardware Implementations
ss Rijndael performs very well in software, but there still existsRijndael performs very well in software, but there still exists cases wherecases wheremore performance is required (e.g. server and VPN applications ).more performance is required (e.g. server and VPN applications ).
ss Multiple SMultiple S--Box engines, roundBox engines, round--keykey EXORsEXORs, and byte shifts can all be, and byte shifts can all beimplemented efficientl y in hardware when absolute speed is requiimplemented efficientl y in hardware when absolute speed is requiredred
ss Small amount of hardware can vastly speed up 8Small amount of hardware can vastly speed up 8--bit implementationsbit implementations
uu Inverse Cipher Inverse Cipher ss Except for the nonExcept for the non--linearlinear ByteSubByteSub step, each part of Rijndael has astep, each part of Rijndael has a
straightforward inverse and the operations simply need to be undstraightforward inverse and the operations simply need to be undone in theone in thereverse order.reverse order.
ss However, Rijndael was specially wr itten so that the same code thHowever, Rijndael was specially wr itten so that the same code that encrypts aat encrypts ablock can also decrypt the same block simply by changing certainblock can also decrypt the same block simply by changing certain tables andtables andpolynomials for each layer. The rest of the operation remains ipolynomials for each layer. The rest of the operation remains identical.dentical.
7/24/2019 Rjindael Presentation
http://slidepdf.com/reader/full/rjindael-presentation 8/8
10/18/2000 15
Conclusions and The Future Conclusions and The Future
uuRijndael i s an extremely fast, stateRijndael i s an extremely fast, state--of of --thethe--art, highly secureart, highly securealgorithmalgorithm
uuRijndael has efficient implementations in both hardware andRijndael has efficient implementations in both hardware andsoftware; it requires no special inst ructions to obtain goodsoftware; it requires no special inst ructions to obtain goodperformance on any computing platformperformance on any computing platform
uuDespite being the chosen by NIST as the AES candidate winner,Despite being the chosen by NIST as the AES candidate winner,Rijndael is not yet automatically the new encryption standardRijndael is not yet automatically the new encryption standardss Rijndael will soon be formally announced in the Federal Register Rijndael will soon be formally announced in the Federal Register
ss NIST will then undergo publi c review and comments on the draft FNIST will then undergo publi c review and comments on the draft Federalederal
Information Processing Standard for 90 daysInformation Processing Standard for 90 daysss TripleTriple--DES, still highly secure and supported by NIST, is expected to bDES, still highly secure and supported by NIST, is expected to bee
common for the foreseeable future.common for the foreseeable future.
Sources: Algorit hm Information and most images taken fromThe Rijndael AES Proposal by Daemen & Rijmen, © 1998