AES Proposal : Rijndael
Transcript of AES Proposal : Rijndael
Joan Daemen, Vincent Rijmen

Outline
Introduction
Rijndael
Round Function
Key Schedule
Encryption & Decryption
Rijndael on Modern Processors
Introduction
Advanced Encryption Standard (AES)
A crypto algorithm for the twenty-first century: the algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
The AES finalist candidate algorithms are MARS, RC6, Rijndael, Serpent, and Twofish.
On October 2, 2000, Rijndael was selected by the National Institute of Standards and Technology (NIST) for the proposed AES.
Rijndael : Rijmen & Daemen
Rijndael
Rijndael is an iterated block cipher. The block length and the key length can be independently specified to 128, 192 or 256 bits (16, 24, or 32 bytes).
State : the intermediate cipher result. State and Key bytes are arranged in a rectangular array.
Nb : number of columns of the State array (Nb = 4, 6, 8)
Nk : number of columns of the Cipher Key (Nk = 4, 6, 8)
Nr : number of rounds, Nr = max(Nb, Nk) + 6
Round Function
The round function is uniform, parallel, and composed of 4 steps. Each step has its own particular function:
ByteSub : nonlinearity
ShiftRow : inter-column diffusion
MixColumn : inter-byte diffusion within a column
Round Key addition
The final round of the cipher is slightly different, with the MixColumn step removed.
Round Step 1 : ByteSub
The ByteSub transformation is a non-linear byte substitution (S-box). Replace each byte with its multiplicative inverse (reciprocal) in the same GF(2^8), with '00' mapped to itself, then apply an affine transformation: a bitwise modulo-two matrix multiply is used, and the hexadecimal number 63 (01100011) is XORed with the result.
S-box
Inverse S-box (InvByteSub)
Round Step 2 : ShiftRow
Row 0 is not shifted, Row 1 is shifted over C1 bytes, Row 2 over C2 bytes and Row 3 over C3 bytes.
The inverse of ShiftRow is a cyclic shift of the 3 bottom rows over (Nb-C1), (Nb-C2), and (Nb-C3) bytes: the byte at position j in row i moves to position (j+Nb-Ci) mod Nb.
Figure: Row 0 no shift; Row 1 cyclic shift by C1 (1); Row 2 cyclic shift by C2 (2); Row 3 cyclic shift by C3 (3).
Round Step 3 : MixColumn
The columns of the State are considered as polynomials over GF(2^8) and multiplied modulo (x^4+1) with a fixed polynomial c(x):
c(x) = '03' x^3 + '01' x^2 + '01' x + '02'
Assume we have two polynomials over GF(2^8), a(x) = a3 x^3 + a2 x^2 + a1 x + a0 and b(x) = b3 x^3 + b2 x^2 + b1 x + b0, and let c(x) = a(x) b(x) be their ordinary product (in this derivation c(x) denotes that product, not the fixed polynomial above).
By reducing c(x) modulo a polynomial M(x) of degree 4, the result can be reduced to a polynomial of degree below 4. With M(x) = x^4+1, x^i mod (x^4+1) = x^(i mod 4).
d(x) = a(x) ⊗ b(x) = d3 x^3 + d2 x^2 + d1 x + d0
InvMixColumn : the bytes in a column are linearly combined. Every column is transformed by multiplying it with a specific polynomial d(x):
d(x) = '0B' x^3 + '0D' x^2 + '09' x + '0E'
c(x) ⊗ d(x) = '01' mod M(x)
Round Step 4 : Round Key Addition
The Round Key is derived from the Cipher Key. The Round Key length is equal to the block length (Nb words).
AddRoundKey is its own inverse.
Key Schedule
The total number of Round Key bits is equal to the block length multiplied by (the number of rounds plus 1). Ex : Nb = 4 (128 bits), Nr = 10, Round Key bits = 128*11 = 1408 bits.
The Cipher Key is expanded into the Expanded Key; the Round Keys are taken from the Expanded Key: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.
The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)].
The key expansion function depends on the value of Nk: one variant for Nk ≤ 6 and one for Nk > 6.
Key Schedule : Key Expansion, Nk ≤ 6
The first Nk words contain the Cipher Key.
RotByte(W[i]) : (a,b,c,d) → (b,c,d,a)
SubByte(W[i]) : applies the Rijndael S-box to the byte at the corresponding position in the input word
Round constants : Rcon[i] = (RC[i], '00', '00', '00'), with RC[1] = 1 and RC[i] = x · RC[i-1] = x^(i-1), RC[i] ∈ GF(2^8)
Key Schedule : Key Expansion, Nk > 6
Key Schedule : Round Key Selection
Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)]. Ex : Nb = 4
Encryption
Decryption
Decryption
The ByteSub step and the ShiftRow step can change their order without affecting the cipher (A = AddRoundKey, B = ByteSub, S = ShiftRow, M = MixColumn):
Encryption : A BSMA BSMA BSMA ........ BSMA BSA
With ByteSub and ShiftRow swapped : A SBMA SBMA SBMA ........ SBMA SBA
Decryption (inverse steps, in reverse order) : ASB AMSB AMSB ........ AMSB AMSB A
For the MixColumn / AddRoundKey pair, write the encryption step as y = [x ⊗ c] ⊕ k and the decryption step as x' = [y ⊗ d] ⊕ k'. Then
x' = {{[x ⊗ c] ⊕ k} ⊗ d} ⊕ k' = [x ⊗ c ⊗ d] ⊕ [k ⊗ d] ⊕ k'
so if k' = k ⊗ d, then x' = x (since c ⊗ d = '01').
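Added example, not from the original slides: MixColumn and InvMixColumn written as multiplication of column polynomials modulo M(x) = x^4 + 1 over GF(2^8), checking c(x) ⊗ d(x) = '01' and the k' = k ⊗ d round-key transform from the decryption argument above. The column index order (index 0 is the constant term) and the sample column and key bytes are constructed for this example.

```python
# Added example, not from the original slides: MixColumn/InvMixColumn as
# multiplication of 4-byte column polynomials modulo M(x) = x^4 + 1 over
# GF(2^8), plus the k' = k (x) d round-key transform used for decryption.

def xtime(b):
    """Multiply a GF(2^8) element by x, reducing modulo the Rijndael
    field polynomial m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def poly_mul_mod(a, b):
    """a(x) (x) b(x): product of two column polynomials (index 0 is the
    constant term) reduced modulo x^4 + 1 via x^i -> x^(i mod 4)."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d

C = [0x02, 0x01, 0x01, 0x03]  # c(x) = '03'x^3 + '01'x^2 + '01'x + '02'
D = [0x0E, 0x09, 0x0D, 0x0B]  # d(x) = '0B'x^3 + '0D'x^2 + '09'x + '0E'

def mix_column(col):
    return poly_mul_mod(col, C)

def inv_mix_column(col):
    return poly_mul_mod(col, D)

def xor_col(a, b):
    return [p ^ q for p, q in zip(a, b)]

def encrypt_step(x, k):
    """y = [x (x) c] (+) k : MixColumn followed by AddRoundKey."""
    return xor_col(mix_column(x), k)

def decrypt_step(y, k):
    """x' = [y (x) d] (+) k' with k' = k (x) d, which recovers x: the
    InvMixColumn/AddRoundKey order is swapped relative to encryption."""
    return xor_col(inv_mix_column(y), inv_mix_column(k))
```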
Rijndael on Modern Processors
Define tables T0 to T3 : 4 tables with 256 4-byte entries each, 4 KByte in total.
Rijndael in Hardware