AES (Rijndael)

Slides: 25

References:
- Joan Daemen and Vincent Rijmen, "The Design of Rijndael, AES – The Advanced Encryption Standard", Springer, 2002, ISBN 3-540-42580-2
- FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001

Rijndael: variable block and key sizes; AES: fixed
© Information Security Group, ICU

AES requirements
- Block cipher
  - 128-bit blocks
  - 128/192/256-bit keys
- Worldwide royalty-free
- More secure than Triple DES
- More efficient than Triple DES

AES Calendar
- Jan. 2, 1997: Announcement of intent to develop AES and request for comments
- Sep. 12, 1997: Formal call for candidate algorithms
- Aug. 20-22, 1998: First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
- Mar. 22-23, 1999: Second AES Candidate Conference, NY, USA
- Sep. 2000: Final AES selection (Rijndael!)

Timeline figure: Jan. 1997 call for algorithms; Aug. 1998 AES1 (15 algorithms); Mar. 1999 AES2 (5 algorithms selected); Apr. 2000 AES3; winner announced Sep. 2000

AES Round 1 algorithms
- 15 algorithms were proposed at the AES1 conference (figure listing the candidates)

AES Round 2 Algorithms
- After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 candidates.

Cipher   | Submitter                | Structure         | Nonlinear component
---------|--------------------------|-------------------|---------------------
MARS     | IBM                      | Feistel structure | S-box, DD-rotation
RC6      | RSA Lab.                 | Feistel structure | Rotation
Rijndael | Daemen, Rijmen           | SPN structure     | S-box
Serpent  | Anderson, Biham, Knudsen | SPN structure     | S-box
Twofish  | Schneier et al.          | Feistel structure | S-box

Security of AES Candidates (best known reduced-round attacks: texts / memory bytes / operations)

Alg. (rounds), structure                        | Rounds (key size) | Type of attack         | Texts         | Mem. bytes | Ops
------------------------------------------------|-------------------|------------------------|---------------|------------|-------
MARS (16 core (C) + 16 mixing (M)), Feistel     | 11 C              | Amp. boomerang         | 2^65          | 2^70       | 2^229
                                                | 16 M, 5 C         | Diff. meet-in-middle   | 2^50          | 2^197      | 2^247
                                                | 16 M, 5 C         | Amp. boomerang         | 2^69          | 2^73       | 2^197
RC6 (20), Feistel                               | 12                | Stat. distinguisher    | 2^94          | 2^42       | 2^119
                                                | 14                | Stat. distinguisher    | 2^118         | 2^112      | 2^122
                                                | 15 (256)          | Stat. distinguisher    | 2^119         | 2^138      | 2^215
Rijndael (10 (128) / 12 (192) / 14 (256)), SPN  | 6                 | Truncated diff.        | 2^32          | 7*2^32     | 2^72
                                                | 7                 | Truncated diff.        | 2^128 - 2^119 | 2^61       | 2^120
                                                | 8 (256)           | Truncated diff.        | 2^128 - 2^119 | 2^101      | 2^204
                                                | 9 (256)           | Related key            | 2^77          | NA         | 2^224
Serpent (32), SPN                               | 8 (192, 256)      | Amp. boomerang         | 2^113         | 2^119      | 2^179

Serpent (32), SPN: further entries on the slide for 6 (256), 6, 7 (256), 8 (192, 256) and 9 (256) rounds (meet-in-the-middle, differential, boomerang and amplified-boomerang attacks), with texts 512, 2^71, 2^41, 2^122, 2^110; memory 2^246, 2^75, 2^126, 2^133, 2^212; operations 2^247, 2^103, 2^248, 2^163, 2^252.

Comparison of AES2 algorithms (I)
- Encryption speed analysis by NIST (figure)

Comparison of AES2 algorithms (II)
- Java implementation by A. Sterbenz (Graz Univ.) (figure)

Comparison of AES2 algorithms (III)
- Smart card implementation by F. Sano (Toshiba) (figure)
- *: the check for "weak" keys in the key schedule is omitted

Comparison of AES2 algorithms (IV)
- CMOS ASIC implementation by Ichikawa (Mitsubishi) (figure)

Rijndael - Overview
- Proposed by Joan Daemen and Vincent Rijmen (Belgium)
- Design choices
  - Square type
  - Three distinct invertible uniform transformations (layers)
    - Linear mixing layer: guarantees high diffusion
    - Non-linear layer: parallel application of S-boxes
    - Key addition layer: XOR of the round key into the intermediate state
  - Initial key addition, final key addition
- Representation of state and key
  - Rectangular array of bytes with 4 rows (square type)
  - Nb: number of columns of the state (4~8)
  - Nk: number of columns of the cipher key (4~8)
  - Nb is independent of Nk

Rijndael - States
- Figure: cipher key as a 4 x Nk byte array (Nk = 4), state as a 4 x Nb byte array (Nb = 6), and the number of rounds Nr

Rijndael - Encryption
- Block size: 128 bits
- Key size: 128/192/256 bits
- State: 4 x 4 byte array
- Component functions
  - ByteSubstitution (BS): S-box
  - ShiftRow (SR): circular shift
  - MixColumn (MC): linear (branch number: 5)
  - AddRoundKey (ARK): bit-wise key addition
- MC is omitted in the last round.

Figure: Input -> bit-wise key addition (input whitening) -> round transformation [byte-wise substitution (BS), ShiftRow (SR), MixColumn (MC), bit-wise key addition (ARK)], repeated -> output transformation [BS, SR, ARK] -> Output

Properties
- Substitution-Permutation Network (SPN)
  - (Invertible) nonlinear layer: confusion
  - (Invertible) linear layer: diffusion
- Branch number
  - Measures the diffusion power of the linear layer
  - Let F be a linear transformation on n words
  - W(a): the number of nonzero words in a
  - Branch number of F = min over a ≠ 0 of {W(a) + W(F(a))}
  - Rijndael: branch number = 5

Security Goals
- K-secure
  - No shortcut attacks: no key-recovery attack faster than exhaustive key search
  - No symmetry property such as the complementation property of DES
  - No non-negligible classes of weak keys, as in IDEA
  - No related-key attacks
- Hermetic
  - No weakness that is not also present in the majority of block ciphers with the same block and key length
- Rijndael is K-secure and hermetic

Component Functions
- ByteSubstitution
  - S(x) = x^-1 in GF(2^8), with almost maximal nonlinearity (p. 105), over m(x) = x^8 + x^4 + x^3 + x + 1
- ShiftRow: rows 0..3 are shifted by 0, C1, C2 and C3

  Nb | C1 | C2 | C3
  ---|----|----|---
  4  | 1  | 2  | 3
  6  | 1  | 2  | 3
  8  | 1  | 3  | 4

- MixColumn: 4 x 4 matrix multiplication over GF(2^8) (p. 107)

  [b0]   [02 03 01 01] [a0]
  [b1] = [01 02 03 01] [a1]
  [b2]   [01 01 02 03] [a2]
  [b3]   [03 01 01 02] [a3]
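The branch number defined on the Properties slide and the S-box, ShiftRow and MixColumn definitions above, worked through in code. This is an added example, not code from the slides or from Daemen and Rijmen. It assumes the FIPS 197 affine transformation applied after the field inversion (the slide names only the inversion), the standard InvMixColumn matrix, the reduction polynomial 0x11B, and the slide's C1..C3 table for ShiftRow. The branch-number routine generalises the slide's definition to any invertible linear map on n bytes and shows why a search over all 2^32 input columns is unnecessary.

```python
"""Rijndael component functions plus an exact branch-number computation.
Added example; not the slide author's code. GF(2^8) arithmetic is modulo
m(x) = x^8 + x^4 + x^3 + x + 1; the S-box is the field inverse followed by
the FIPS 197 affine map; ShiftRow offsets follow the slide's Nb table."""
from itertools import combinations, product

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) (0x11B), bit by bit."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B            # reduce by m(x); xor because characteristic 2
        b >>= 1
    return p

def gf_inv(x):
    """x^-1 = x^254 by square-and-multiply; 0 maps to 0 by convention."""
    r = 1
    for _ in range(7):           # accumulates x^(2+4+...+128) = x^254
        x = gf_mul(x, x)
        r = gf_mul(r, x)
    return r

def affine(b):
    """FIPS 197 affine map: b xor rotl(b,1) xor ... xor rotl(b,4) xor 0x63."""
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]        # ByteSubstitution table

SHIFT_OFFSETS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}  # Nb -> (0, C1, C2, C3)

def shift_row(state, nb):
    """state[r] is row r as a list of Nb bytes; row r rotates left by C_r."""
    return [row[c:] + row[:c] for row, c in zip(state, SHIFT_OFFSETS[nb])]

MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def mat_vec(m, col):
    """4x4 matrix times a 4-byte column over GF(2^8)."""
    out = []
    for row in m:
        v = 0
        for coef, a in zip(row, col):
            v ^= gf_mul(coef, a)
        out.append(v)
    return tuple(out)

def mix_column(col):
    return mat_vec(MIX, col)

def inv_mix_column(col):
    return mat_vec(INV_MIX, col)

def weight(packed, n):
    """W(a): number of nonzero bytes of a column packed little-endian in an int."""
    return sum(1 for i in range(n) if (packed >> (8 * i)) & 0xFF)

def branch_number(f, f_inv, n=4):
    """min over a != 0 of W(a) + W(f(a)) for an invertible linear f on n bytes.
    A weight-1 input bounds the result by n+1, so every minimising pair has an
    input or an output of weight <= (n+1)//2.  Enumerating inputs of that weight
    for f and for f_inv (a low-weight output of f is a low-weight input of
    f_inv) is therefore exact; linearity gives the image of a weight-w input
    as the xor of w single-byte images, so f is evaluated only 256*n times."""
    best = n + 1
    for g in (f, f_inv):
        single = [[int.from_bytes(bytes(g(tuple(x if j == i else 0 for j in range(n)))), "little")
                   for x in range(256)] for i in range(n)]
        for w in range(1, (n + 1) // 2 + 1):
            for pos in combinations(range(n), w):
                for vals in product(range(1, 256), repeat=w):
                    out = 0
                    for i, x in zip(pos, vals):
                        out ^= single[i][x]
                    best = min(best, w + weight(out, n))
    return best

if __name__ == "__main__":
    print("S(0x53) = %#04x" % SBOX[0x53])
    print("MixColumn branch number =", branch_number(mix_column, inv_mix_column))
```

The branch-number search XORs about 780,000 packed columns and takes a few seconds in CPython; the identity map gives 2 (the minimum possible), MixColumn gives 5 (the maximum for four bytes), which is the "branch number: 5" the Encryption slide quotes.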

Rijndael: Pseudo-Code (p. 108)

  Rijndael(State, CipherKey)
  {
    KeyExpansion(CipherKey, ExpandedKey);
    AddRoundKey(State, ExpandedKey);
    For (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
  }

  Round(State, RoundKey)
  {
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);
  }

  FinalRound(State, RoundKey)
  {
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
  }

Mode of Operations

Mode of operation (I)
- ECB (Electronic CodeBook) mode
  - Figure: i) encryption, n-bit P -> E (key K) -> n-bit C; ii) decryption, n-bit C -> D (key K) -> n-bit P
  - If Ci = Cj, then DK(Ci) = DK(Cj): equal ciphertext blocks reveal equal plaintext blocks

Mode of operation (II)
- CBC (Cipher Block Chaining)
  - Figure: P1, P2, ..., Pl chained through E (key K) starting from the IV, giving C1, C2, ..., Cl; decryption with D (key K)
  - IV: Initialization Vector
  - Ci = EK(Pi ⊕ Ci-1)
  - Pi = DK(Ci) ⊕ Ci-1
  - 2-block error propagation
  - Self-synchronizing
  - If the last block Pl is shorter than the block length, padding is required

Mode of operation (III)
- m-bit OFB (Output FeedBack)
  - Figure: i) encryption, ii) decryption; a shift register initialized with the IV is encrypted under K, and m bits of the output O(EK) are XORed with the m-bit Pi (or Ci) and fed back into the register
  - Ci = Pi ⊕ O(EK)
  - Pi = Ci ⊕ O(EK)
  - No error propagation
  - External synchronization required
  - Stream cipher
  - Only EK (or only DK) is used, in both directions

Mode of operation (IV)
- m-bit CFB (Cipher FeedBack)
  - Figure: i) encryption, ii) decryption; a shift register initialized with the IV is encrypted under K, and m bits of the output are XORed with the m-bit Pi (or Ci), with the ciphertext fed back into the register
  - Ci = Pi ⊕ EK(Ci-1)
  - Pi = Ci ⊕ EK(Ci-1)
  - Error propagation until the error has left the buffer (shift register)
  - Self-synchronizing
  - Only EK (or only DK) is used, in both directions

Mode of operation (V)
- Counter mode
  - Figure: counters ctr, ctr+1, ..., ctr+m-1 are encrypted under K and XORed with P1, P2, ..., Pm-1 (encryption) or with C1, C2, ..., Cm-1 (decryption)
  - Ci = Pi ⊕ EK(Ti)
  - Pi = Ci ⊕ EK(Ti)
  - Ti = (ctr + i - 1) mod 2^m, where |P| = |ctr| = m
  - Parallel computation

Mode of Operation (VI)
- CCM mode (Counter with CBC-MAC mode)
- Counter mode + CBC-MAC
- Authenticated encryption: a MAC is produced as part of the encryption process

Mode of operation - summary
- Use of modes
  - ECB: key management; useless for file encryption
  - CBC: file encryption; useful for MAC
  - m-bit CFB: self-synchronizing; impossible to use on a channel with low BER
  - m-bit OFB: external synchronization; m = 1, 8 or n
  - Ctr: secret counter, parallel computation
  - CCM: authenticated encryption
  - Performance degradation / cost trade-off
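The five modes of the preceding slides (ECB, CBC, m-bit CFB, m-bit OFB, counter) implemented generically over a block cipher EK, together with a check of the error-propagation claims made for each. This is an added example, not code from the slides. Because the slides contain no cipher implementation, a constructed 4-round Feistel network with a SHA-256 round function stands in for EK: an invertible keyed permutation on 128-bit blocks that is for demonstration only and not a secure cipher. CFB and OFB are instantiated with m = 8 (one-byte segments) and a 128-bit shift register; the key, IV and plaintext are constructed demo values.

```python
"""Modes of operation over a generic block cipher, with an error-propagation
check.  Added example, not code from the slides.  The block cipher is a
constructed 4-round SHA-256 Feistel network standing in for AES (NOT secure)."""
import hashlib

BLOCK = 16                       # 128-bit block, as in AES
KEY = b"constructed-key!"        # constructed 16-byte demo key
IV = bytes(range(BLOCK))         # constructed IV / initial counter value
PT = b"ATTACK AT DAWN! " * 4     # constructed plaintext: 4 identical blocks

def _f(key, half, i):
    """Feistel round function: keyed hash of one half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def _feistel(key, block, rounds):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, i)))
    return r + l                 # final swap: reversed round order inverts it

def toy_encrypt(key, block):
    return _feistel(key, block, range(4))

def toy_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb(E, key, data):
    """ECB: each block on its own, so equal blocks give equal outputs."""
    return b"".join(E(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(E, key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = E(key, xor(pt[i:i + BLOCK], prev))    # Ci = EK(Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(D, key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(D(key, c), prev))             # Pi = DK(Ci) xor Ci-1
        prev = c
    return b"".join(out)

def cfb(E, key, iv, data, s=1, decrypt=False):
    """m-bit CFB with m = 8*s; only EK is used, in both directions."""
    reg, out = iv, []
    for i in range(0, len(data), s):
        seg = data[i:i + s]
        o = xor(seg, E(key, reg)[:s])                # Ci = Pi xor EK(register)
        out.append(o)
        reg = reg[s:] + (seg if decrypt else o)      # ciphertext feeds back
    return b"".join(out)

def ofb(E, key, iv, data, s=1):
    """m-bit OFB: the cipher output feeds back, independent of the data."""
    reg, out = iv, []
    for i in range(0, len(data), s):
        o = E(key, reg)[:s]
        out.append(xor(data[i:i + s], o))
        reg = reg[s:] + o
    return b"".join(out)

def ctr(E, key, counter, data):
    """Counter mode: Ti = ctr + i - 1 mod 2^128; every block is independent."""
    out = []
    for i in range(0, len(data), BLOCK):
        t = (counter + i // BLOCK) % (1 << (8 * BLOCK))
        out.append(xor(data[i:i + BLOCK], E(key, t.to_bytes(BLOCK, "big"))))
    return b"".join(out)

CTR0 = int.from_bytes(IV, "big")
MODES = {   # name -> (encrypt, decrypt) over the toy cipher
    "ECB": (lambda p: ecb(toy_encrypt, KEY, p), lambda c: ecb(toy_decrypt, KEY, c)),
    "CBC": (lambda p: cbc_encrypt(toy_encrypt, KEY, IV, p),
            lambda c: cbc_decrypt(toy_decrypt, KEY, IV, c)),
    "CFB": (lambda p: cfb(toy_encrypt, KEY, IV, p),
            lambda c: cfb(toy_encrypt, KEY, IV, c, decrypt=True)),
    "OFB": (lambda p: ofb(toy_encrypt, KEY, IV, p), lambda c: ofb(toy_encrypt, KEY, IV, c)),
    "CTR": (lambda p: ctr(toy_encrypt, KEY, CTR0, p), lambda c: ctr(toy_encrypt, KEY, CTR0, c)),
}

def error_propagation(mode):
    """Flip one bit of ciphertext byte 0; return indexes of plaintext bytes that change."""
    enc, dec = MODES[mode]
    ct = enc(PT)
    if dec(ct) != PT:
        raise RuntimeError("round trip failed for " + mode)
    damaged = dec(bytes([ct[0] ^ 0x01]) + ct[1:])
    return [i for i in range(len(PT)) if damaged[i] != PT[i]]

if __name__ == "__main__":
    for name in MODES:
        print(name, error_propagation(name))
```

Running it reproduces the slides' claims with concrete byte positions: ECB and CBC turn the damaged block into garbage, CBC additionally flips exactly the same bit in the following block (the "2-block error propagation") and then resynchronizes; 8-bit CFB corrupts the next 16 bytes, i.e. until the bad byte has shifted out of the 128-bit register; OFB and CTR change only the flipped bit. The ECB ciphertext of the repeated plaintext also shows its first two blocks identical, the leak the summary slide refers to when it calls ECB useless for file encryption.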