Rjindael Presentation

7/24/2019 Rjindael Presentation

http://slidepdf.com/reader/full/rjindael-presentation 1/8

DARPADARPA

AES Finalist Algorithm: AES Finalist Algorithm:

The Rijndael Block Cipher The Rijndael Block Cipher

Mel TsaiMel TsaiUniversity of Californ ia at BerkeleyUniversity of Californ ia at Berkeley

10/18/2000 2

Introduction and History Introduction and History

uuNational Insti tute of Science and Techno logyNational Insti tute of Science and Techno logy

ss DES is an aging standard that no longer addresses today’s needsDES is an aging standard that no longer addresses today’s needs for strongfor strongencryptionencryption

ss TripleTriple--DES: Endorsed by NIST as today’sDES: Endorsed by NIST as today’s defactodefacto standardstandard

uu AES: The Advanced Encryption Standard AES: The Advanced Encryption Standard

ss To be finalized in 2001To be finalized in 2001

ss Goal is to define the Federal Information Processing Standard (FGoal is to define the Federal Information Processing Standard (FIPS) byIPS) by

selecting a new powerful encryption algorithm suitable for encryselecting a new powerful encryption algorithm suitable for encryptingptinggovernment documentsgovernment documents

ss AES candidate algor ithms must be: AES candidate algor ithms must be:

tt SymmetricSymmetric --key ciphers supporting 128, 192, and 256 bit keyskey ciphers supporting 128, 192, and 256 bit keys

tt RoyaltyRoyalty --FreeFree

tt Unclassified (i.e. public domain)Unclassified (i.e. public domain)

tt Available for worldwide export Available for worldwide export



10/18/2000 3

Overview of Secret Key Cryptography Overview of Secret Key Cryptography

uu To transmit data securely over an insecure medium, two parties aTo transmit data securely over an insecure medium, two parties agree on agree on a key key ininwhich to encrypt data.which to encrypt data.

ss This key is usually exchanged through publicThis key is usually exchanged through public --key cryptographic methodskey cryptographic methods

uu User A encrypts a block of dataUser A encrypts a block of data X X with keywith key W W and sends this data to user B.and sends this data to user B.

uu By using the same keyBy using the same key W W , user B decrypts the, user B decrypts the ciphertext ciphertext Y Y back intoback into X X

X Z Insecure MediumY

W

Y Z-1 X

W

A B

Fundamental Concept:Fundamental Concept:Due to algorithm Z, it’s nearly impossible to recover dataDue to algorithm Z, it’s nearly impossible to recover data X X fromfrom ciphertextciphertext

Y Y without keywithout key W W . “Guessing” the key. “Guessing” the key W W through exhaustive search is generally infeasible.through exhaustive search is generally infeasible.

10/18/2000 4

Introduction and History (cont.) Introduction and History (cont.)

uu AES Round AES Round--3 Finalist Algorithms:3 Finalist Algorithms:

ss MARSMARStt Candidate offering f rom IBMCandidate offering f rom IBM

ss RC6RC6

tt Developed by RonDeveloped by Ron RivestRivest of RSA Labs, creator of the widely used RC4of RSA Labs, creator of the widely used RC4algorithmalgorithm

ss

TwofishTwofishtt From Counterpane Internet Security, Inc.From Counterpane Internet Security, Inc.

ss SerpentSerpenttt Designed by Ross Anderson, EliDesigned by Ross Anderson, Eli BihamBiham and Lars Knudsenand Lars Knudsen

ss RijndaelRijndael

tt Designed by JoanDesigned by Joan DaemenDaemen and Vincentand Vincent RijmenRijmen



10/18/2000 5

Rijndael Rijndael

uuThe Winner: RijndaelThe Winner: Rijndaelss JoanJoan DaemenDaemen (of Proton World International)(of Proton World International) and Vincentand Vincent RijmenRijmen (of(of

Katholieke Universiteit LeuvenKatholieke Universiteit Leuven))..

ss (pronounced “ Rhine(pronounced “ Rhine--doll”)doll”)

ss Al lows only 128, 192, and 256 Al lows only 128, 192, and 256--bit key sizesbit key sizes (unlike the other(unlike the othercandidates)candidates)

ss Variable block length of 128, 192, or 256 bits . All n ineVariable block length of 128, 192, or 256 bits . All n inecombinations of key/block length possible.combinations of key/block length possible.tt A block is the smallest data size the algori thm wil l encrypt A block is the smallest data size the algori thm wil l encrypt

ss Vast speed improvement over DES in both hardware andVast speed improvement over DES in both hardware andsoftware implementationssoftware implementations

tt 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)

tt 8.8 Mbytes/sec on a 200MHz Pentium Pro8.8 Mbytes/sec on a 200MHz Pentium Pro

10/18/2000 6

Rijndael Rijndael

X r 1

Key

r 2 Rn-1 r nr 3 YRn-2

k1 k2 Kn-1 knk3 Kn-2

W

KE Key Expansion

Round

Keys

Encryption Rounds r 1 … r n

uu Key is expanded to a set of n r ound keysKey is expanded to a set of n r ound keys

uu Input block X undergoes n rounds of operations (each operation iInput block X undergoes n rounds of operations (each operation is based on value of thes based on value of thenth round key), until it reaches a final round.nth round key), until it reaches a final round.

uu Strength of algorithm relies on the fact that it’s very difficulStrength of algorithm relies on the fact that it’s very difficult to obtain the intermediatet to obtain the intermediateresult (orresult (or state state ) of round n from round n+1 without the round key.) of round n from round n+1 without the round key.



10/18/2000 7

Rijndael Rijndael

Detailed view of round n

uu Each round performs the following operations:Each round performs the following operations:

uuNonNon--linear Layer: No linear relationship between the input and outplinear Layer: No linear relationship between the input and output of aut of aroundround

uuLinear Mixing Layer: Guarantees high diffusion over multip le roLinear Mixing Layer: Guarantees high diffusion over multip le roundsundsuuVery small correlation between bytes of the round input and theVery small correlation between bytes of the round input and the bytes ofbytes of

the outputthe output

uuKey Addition Layer: Bytes of the input are simplyKey Addition Layer: Bytes of the input are simply EXOR’edEXOR’ed with thewith theexpanded round keyexpanded round key

ByteSub ShiftRow MixColumn AddRoundKey

Kn

Result from

round n -1

Pass to

round n+1

10/18/2000 8

Rijndael Rijndael

uuThree layers prov ide strength against known types ofThree layers prov ide strength against known types ofcryptographic attacks: Rijndael provides “ful l diffusion” after cryptographic attacks: Rijndael provides “ful l diffusion” after onlyonlytwo roundstwo rounds

ss Linear and differential cryptanalysisLinear and differential cryptanalysis

ss KnownKnown--key and relatedkey and related--key attackskey attacks

ss Square attackSquare attack

ss Interpolation attacksInterpolation attacks

ss WeakWeak--keyskeys

uuRijndael has been shown to be KRijndael has been shown to be K--secure secure ::

ss No keyNo key--recovery attacks faster than exhaustive search existrecovery attacks faster than exhaustive search exist

ss No known symmetry properties in the round mappingNo known symmetry properties in the round mapping

ss No weak keysNo weak keys

ss No relatedNo related--key attacks: No two keys have a high number of expanded roundkey attacks: No two keys have a high number of expanded roundkeys in commonkeys in common



10/18/2000 9

Rijndael:Rijndael: ByteSub ByteSub

Each byte at the input of a round undergoes a

non-linear byte substitution according to the following transform:

Substitution (“ S”)-box

10/18/2000 10

Rijndael:Rijndael: ShiftRow ShiftRow

Depending on the block length, each “ row” of the

block is cyclically shifted according to the above table



10/18/2000 11

Rijndael:Rijndael: MixColumn MixColumn

Each column is multipl ied by a fixed polynomial

C(x) = ’03’*X3 + ’01’*X2 + ’01’*X + ’02’

This corresponds to matrix multiplication b(x) = c(x)⊗a(x):

10/18/2000 12

Rijndael: Key Expansion and Addition Rijndael: Key Expansion and Addition

Each word is simply EXOR’ed with the expanded round key

KeyExpansion(int* Key[4*Nk], int* EKey[Nb*(Nr+1)])

{

for(i = 0; i < Nk; i++)

EKey[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);

for(i = Nk; i < Nb * (Nr + 1); i++)

{

temp = EKey[i - 1];

if (i % Nk == 0)

temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];

EKey[i] = EKey[i - Nk] ̂ temp;}

}

Key Expansion algorithm:



10/18/2000 13

Rijndael: Implementations Rijndael: Implementations

uuRijndael is well suited for software implementations on 8Rijndael is well suited for software implementations on 8--bitbitprocessors (important for “Smart Cards” )processors (important for “Smart Cards” )ss Atomic operat ions focus on by tes and nibbles, not 32 or 64 bit i Atomic operat ions focus on by tes and nibbles, not 32 or 64 bit i ntegersntegers

ss Layers such asLayers such as ByteSubByteSub can be efficiently implemented using small tables incan be efficiently implemented using small tables inROM (e.g. < 256 bytes).ROM (e.g. < 256 bytes).

ss No special instructions are required to speed up operation, e.g.No special instructions are required to speed up operation, e.g. barrel rotatesbarrel rotates

uuFor 32For 32--bit implementations:bit implementations:ss An enti re round can be implemented via a fast table lookup routi An enti re round can be implemented via a fast table lookup routine onne on

machines with 32machines with 32--bit or higher word lengthsbit or higher word lengths

ss Considerable parallelism exists in the algorithmConsiderable parallelism exists in the algorithm

tt

Each layer of Rijndael operates in a parallel manner on the byteEach layer of Rijndael operates in a parallel manner on the bytes of the rounds of the roundstate, all four component transforms act on individual parts ofstate, all four component transforms act on individual parts of the blockthe block

tt Al though the Key expansion is compl icated and cannot benefi t muc Although the Key expansion is compl icated and cannot benefi t much fromh fromparallelism, it onl y needs to be performedparallelism, it onl y needs to be performedonce once until the two parties switch keys.until the two parties switch keys.

10/18/2000 14

Rijndael: Implementations Rijndael: Implementations

uuHardware ImplementationsHardware Implementations

ss Rijndael performs very well in software, but there still existsRijndael performs very well in software, but there still exists cases wherecases wheremore performance is required (e.g. server and VPN applications ).more performance is required (e.g. server and VPN applications ).

ss Multiple SMultiple S--Box engines, roundBox engines, round--keykey EXORsEXORs, and byte shifts can all be, and byte shifts can all beimplemented efficientl y in hardware when absolute speed is requiimplemented efficientl y in hardware when absolute speed is requiredred

ss Small amount of hardware can vastly speed up 8Small amount of hardware can vastly speed up 8--bit implementationsbit implementations

uu Inverse Cipher Inverse Cipher ss Except for the nonExcept for the non--linearlinear ByteSubByteSub step, each part of Rijndael has astep, each part of Rijndael has a

straightforward inverse and the operations simply need to be undstraightforward inverse and the operations simply need to be undone in theone in thereverse order.reverse order.

ss However, Rijndael was specially wr itten so that the same code thHowever, Rijndael was specially wr itten so that the same code that encrypts aat encrypts ablock can also decrypt the same block simply by changing certainblock can also decrypt the same block simply by changing certain tables andtables andpolynomials for each layer. The rest of the operation remains ipolynomials for each layer. The rest of the operation remains identical.dentical.



10/18/2000 15

Conclusions and The Future Conclusions and The Future

uuRijndael i s an extremely fast, stateRijndael i s an extremely fast, state--of of --thethe--art, highly secureart, highly securealgorithmalgorithm

uuRijndael has efficient implementations in both hardware andRijndael has efficient implementations in both hardware andsoftware; it requires no special inst ructions to obtain goodsoftware; it requires no special inst ructions to obtain goodperformance on any computing platformperformance on any computing platform

uuDespite being the chosen by NIST as the AES candidate winner,Despite being the chosen by NIST as the AES candidate winner,Rijndael is not yet automatically the new encryption standardRijndael is not yet automatically the new encryption standardss Rijndael will soon be formally announced in the Federal Register Rijndael will soon be formally announced in the Federal Register

ss NIST will then undergo publi c review and comments on the draft FNIST will then undergo publi c review and comments on the draft Federalederal

Information Processing Standard for 90 daysInformation Processing Standard for 90 daysss TripleTriple--DES, still highly secure and supported by NIST, is expected to bDES, still highly secure and supported by NIST, is expected to bee

common for the foreseeable future.common for the foreseeable future.

Sources: Algorit hm Information and most images taken fromThe Rijndael AES Proposal by Daemen & Rijmen, © 1998

Rjindael Presentation

Documents

Transcript of Rjindael Presentation