The Advanced Encryption Standard (Rijndael)

1 The Advanced Encryption Standard (Rijndael)

2 AES: Why a new Standard? 1. Old standard insecure against brute-force attacks 2. Straightforward fixes lead to inefficient Triple DES 3. implementations 4. New trends in fast software encryption use of basic instructions of the microprocessor 5. New ways of assessing cipher strength differential cryptanalysis linear cryptanalysis

3 AES: Why a Contest? Speed-up the acceptance of the standard Small number of specialists in the open research Focus the effort of cryptographic community Stimulate the research on methods of constructing secure ciphers Avoid backdoor theories

4 AES: General Form

5 AES: Rules of the Game Each team submits: Detailed cipher description Justification of design decisions Tentative results of cryptanalysis Source code in C Source code in Java Test vectors

6 AES: Candidates Round 1, June 1998: 15 Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica. Security, Software efficiency Round 2, August 1999: 5 final candidates Mars, RC6, Rijndael, Serpent, Twofish Security, Hardware efficiency October 2000 winner: Rijndael Belgium

7 AES: Candidates USA: Mars, RC6, Twofish, Safer+, HPC Canada: CAST-256, Deal Costa Rica: Frog Australia: LOKI97 Japan: E2 Korea: Crypton Belgium: Rijndael France: DFC Germany: Magenta Israel, GB, Norway: Serpent America (8) Europe (4) Asia (2) Australia (1)

8 AES: Candidates Survey filled by 4 participants of the Second AES Conference in Rome, March 1999 Middle-of-the-Road 7. CAST Safer DFC -5 Mild NO. Crypton -5 Overwhelming NO. DEAL HPC Magenta Loki Frog -85

9 AES: Candidates Survey filled by 4 participants of the Second AES Conference in Rome, March 1999 Overwhelming YES:. Rijndael RC Twofish Mars Serpent +45 Mild YES 6. E2 +4

10 AES: Final 5 USA Mars - IBM C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O'Connor, M. Peyravian, D. Safford, N. Zunic RC6 - RSA Data Security, Inc. R. Rivest - MIT M. Robshaw, R. Sidney, Y. L. Yin - RSA Twofish - Counterpane Systems B. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane, D. Whiting - Hi/fn, D. Wagner - Berkeley

11 AES: Final 5 Europe Rijndael - J. Daemen, V. Rijmen Katholieke Universiteit Leuven Belgium Serpent - R. Anderson, Cambridge, England E. Biham - Technion, Israel L. Knudsen, University of Bergen, Norway AES Finalists (2)

12 RC6 The elegant AES choice Ron Rivest Matt Robshaw Yiqun Lisa Yin

13 RC6 is the right AES choice Security Performance Ease of implementation Simplicity Flexibility

14 RC6 is simple: only 12 lines
    B = B + S[ 0 ]
    D = D + S[ 1 ]
    for i = 1 to 20 do {
        t = ( B x ( 2B + 1 ) ) <<< 5
        u = ( D x ( 2D + 1 ) ) <<< 5
        A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
        C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
        (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[ 42 ]
    C = C + S[ 43 ]

15 Simplicity Facilitates and encourages analysis allows rapid understanding of security makes direct analysis straightforward (contrast with Mars and Twofish) Enables easy implementation allows compilers to produce high-quality code obviates complicated optimizations provides good performance with minimal effort

16 RC6 key schedule is rock-solid Studied for more than six years Secure thorough mixing one-way function no key separation (cf. Twofish) no related-key attacks (cf. Rijndael)

17 Original analysis still accurate RC6 meets original design criteria Security estimates from 1998 still good today; independent analyses supportive. Secure, even in theory, even with analysis improvements far beyond those seen for DES during its lifetime RC6 provides a solid, well-tuned margin for security

18 How do we grade candidates? Security (corroborated) Performance (speed+memory) 32-bit (3%) Java (2%) DSP (5%) 64-bit (5%) Hardware (5%) 8-bit (5%) Ease of implementation Simplicity Flexibility Overall: 4/25/5//

19 Conclusions RC6 is a simple yet remarkably strong cipher good performance on most important platforms simple to code for good performance excellent flexibility the most studied finalist the best understood finalist RC6 is the secure and elegant choice for the AES

20 (The End)

21 AES: Performance Evaluation

35 AES: Summary of Final-5 Evaluation Serpent [2] Pluses: large security margin cryptanalytical reputation of authors conservative construction very fast in hardware Minuses: slow in software moderate flexibility

36 AES: Summary of Final-5 Evaluation Rijndael [] Pluses: fastest in hardware close to the fastest in software security margin novel ideas very high flexibility Minuses: security margin

37 AES: Summary of Final-5 Evaluation Twofish Pluses: good security margin fast encryption/decryption in software US strongly advertized Minuses: moderately fast in hardware slow key setup in software moderate flexibility

38 Rijndael OverView Designed by Joan Daemen and Vincent Rijmen (from Leuven Belgium) Based upon the Square Cipher 3 Design Goals: 1. Resistance against known attacks 2. Speed and code compactness on a variety of platforms 3. Design simplicity

39 Rijndael OverView Rijndael/AES Designed by: Joan Daemen, Proton World International Vincent Rijmen, Katholieke Universiteit Leuven Block cypher Symmetric key Arithmetic based in the Galois Field GF(2^8) Fast and scalable Resistant to all known cryptanalysis attacks

40 Dr. Vincent Rijmen

41 Rijndael The block cipher Rijndael is designed to use only simple whole-byte operations. Also, it provides extra flexibility over that required of an AES candidate, in that both the key size and the block size may be chosen to be any of 128, 192, or 256 bits.

42 Rijndael OverView Rijndael is not a Feistel cipher 3 distinct invertible layers per round Encryption and decryption algorithms are different Rijndael uses the Wide Trail Strategy 1. Non-linear layer (confusion) 2. Linear mixing layer (diffusion) 3. Key addition layer

43 Rijndael OverView State and Round Key representations The State is the intermediate cipher result Both the State and the Round Key are interpreted as rectangular arrays of bytes Number of columns in the State and Round Key arrays depend on block and key sizes, respectively

44 Rijndael OverView Rijndael is a block cipher that encrypts and decrypts 128-, 192-, and 256-bit blocks, using 128-, 192-, and 256-bit keys in any combination. The block is considered to be structured as 4, 6, or 8 columns of 4 bytes, depending on block size.

45 Rijndael During an early stage of the AES process, a draft version of the requirements would have required each algorithm to have three versions, with both the key and block sizes equal to each of 128, 192, and 256 bits. This was later changed to make the three required versions have those three key sizes, but only a block size of 128 bits, which is more easily accommodated by many types of block cipher design.

46 Rijndael The original description of Rijndael is available at: However, the variations of Rijndael which act on larger block sizes apparently will not be included in the actual standard, on the basis that the cryptanalytic study of Rijndael during the standards process primarily focused on the version with the 128-bit block size. Rijndael is a relatively simple cipher in many respects.

47 Rijndael: Number of Rounds Rijndael has a variable number of rounds. The number of rounds in Rijndael is:. if both the block and the key are 128 bits long if either the block or the key is 192 bits long, and neither of them is longer than that if either the block or the key is 256 bits long.

48 Rijndael OverView Each round consists of 4 steps Step 1: ByteSub Transformation (Confusion) Step 2: ShiftRow Transformation (Diffusion) Step 3: MixColumn Transformation (Diffusion) Step 4: Round Key Addition Final round slightly different from other rounds

49 Rijndael OverView The basic operations applied to the block are: 1) ByteSub: Applying an S-box (substituting each byte with another, based on an equation in GF(2^8)); 2) ShiftRow: Shifting the rows in a circular way, the amount of shift (0, 1, 2, 3, or 4 bytes) depending on the position from the top and on the block size,

50 Rijndael OverView 3) MixColumn: Mixing the 4, 6, or 8 columns vertically by taking invertible linear combinations (in GF(2^8)) of the elements in each column; and 4) Round Key Addition: XORing each byte with a round key (done before the first round for whitening, and again at the end of each round),

51 Rijndael: Algorithm Rijndael
    CypherAES(data_block, key) {
        in State, RoundKeys
        State ← State xor RoundKey[0]
        for Round = 1 to Nr
            SubBytes(State)
            ShiftRow(State)
            If not(last Round) then MixColumn(State)
            State ← State xor RoundKey[Round]
        out State
    }

52 Rijndael: Sequence of Operations The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael is: ARK BSB, SR, MC, ARK; BSB, SR, MC, ARK; BSB, SR, MC, ARK;... BSB, SR, MC, ARK; BSB, SR, ARK; 9 of them

53 Rijndael: Sequence of Operations Where: ARK = Add Round Key BSB = Byte Sub Block SR = Shift Row MC = Mix Column

54 Rijndael

55 Rijndael: two-dimensions Scheme

56 Rijndael: Block Representation Rijndael considers a 128-bit block grouped into 16 bytes of 8 bits each. Let us call each of these 16 bytes as, b 5 b 4 b 3 b 2 b b. Rijndael deals with this block as bytes arranged into a 4*4 matrix. [figure: the 16 bytes arranged as a 4*4 matrix]

57 Rijndael: Round's Steps In the Byte Sub step each byte of the block is replaced by its substitute in an S-box. [figure: the 4*4 matrix of bytes b is mapped entry by entry to the matrix of S(b)]

58 S-Box: Look-up Table method Write a byte as 8 bits: x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0. Look for the entry in the x_7 x_6 x_5 x_4 row and x_3 x_2 x_1 x_0 column.

59 Rijndael: S-Box [figure: S-box look-up table] Códigos y Criptografía, Francisco Rodríguez Henríquez

60 Rijndael: Round's Steps The specification for Rijndael only provided an explanation of how the S-box was calculated: the first step was to replace each byte with its reciprocal in the same GF(2^8) as used below in the Mix Column step, except that 0, which has no reciprocal, is replaced by itself (since it isn't anything's reciprocal either, it is the only value not used, so that makes sense); then a bitwise modulo-two matrix multiply was used, and finally the hexadecimal number 63 is XORed with the result.

61 Rijndael: ByteSub Step S-Box Arithmetic: Elements in G := GF(2^8, 1+a+a^3+a^4+a^8) n_hex ⇒ n_bin ⇒ (polynomial with n's bits for coeffs) Arithmetic in Z_2 (+/*), then mod by 1+a+a^3+a^4+a^8 polynomial ⇒ n_bin ⇒ n_hex ByteSub(x) = A «Mx hex Precompute and use look-up table

62 The Construction of the S-Box Although the S-box is implemented as a lookup table, it has a simple mathematical description. Start with a byte x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0, where each x_i is a binary bit. Compute its inverse in GF(2^8). If the byte is 00000000, use the same as its inverse.

63 The Construction of the S-Box The resulting byte y_7 y_6 y_5 y_4 y_3 y_2 y_1 y_0 represents an 8-dimensional column vector, with the rightmost bit y_0 in the top position. Multiply by a matrix and add the column vector (1, 1, 0, 0, 0, 1, 1, 0) to obtain a vector z_7 z_6 z_5 z_4 z_3 z_2 z_1 z_0 as shown in the next slide:

64 The Construction of the S-Box [matrix equation: (z_0, ..., z_7)^T = (8*8 binary matrix) (y_0, ..., y_7)^T + (column vector)]

65 The Construction of the S-Box For example, start with the byte 11001011 = CB. Its inverse in GF(2^8) is 00000100 = 04, then: [matrix equation: the same matrix multiplication and vector addition applied to this inverse]

66 The Construction of the S-Box This yields the byte 00011111 = 1F. Note that the input vector was 11001011. The 4 MSBs of the input vector are thus 1100 and this gives us the 3 th row in the S-Box. Similarly, 1011 yields us the 4 th column in the S-Box. By checking the S-box we see that indeed 31 = 1F is the corresponding entry in the S-Box as claimed.

67 Rijndael: Shift Row Step Next is the Shift Row step. Considering the 128-bit block grouped into 16 bytes of 8 bits each, call them, b 5 b 4 b 3 b 2 b b. These bytes are arranged into a 4*4 matrix, and shifted as follows:

68 Rijndael: Shift Row Step Blocks that are 192 and 256 bits long are shifted like this: [figure: byte positions before and after the shift]

69 Rijndael: Mix Column step Next comes the Mix Column step. Matrix multiplication is performed: each column, in the arrangement we have seen above, is multiplied by the matrix: However, this multiplication is done over GF(2^8). This means that the bytes being multiplied are treated as polynomials rather than numbers.

70 Rijndael: Mix Column step GF(2^8): The Galois Field with 2^8 elements is the Finite Field GF(2^8) = Z_2[x]/m(x) where m is irreducible in Z_2[x] and has degree 8. Rijndael chooses m(x) = 1 + x + x^3 + x^4 + x^8

71 Rijndael: Mix Column step If the result has more than 8 bits, the extra bits are not simply discarded: instead, they're cancelled out by XORing the binary 9-bit string 100011011 with the result (shifted right if necessary). This string stands for the generating polynomial of the particular version of GF(2^8) used by Rijndael.

72 Rijndael: Mix Column step For example, multiplying the binary string by 3 within this Galois Field works like this: (XOR instead of addition) (this is XORed, instead of subt. 256)

73 Rijndael: Mix Column step MixColumn Arithmetic: MixColumn is equivalent to with arithmetic in GF(2^8).

74 Rijndael: Add Round Key The final step is Add Round Key. This simply XORs in the subkey for the current round.

75 Rijndael: Key Schedule Round keys extracted from the cipher key in two steps: 1. Initial key expansion First bits of the expanded key are set to the bits of the cipher key Remaining bits calculated recursively as a non-linear function of the previous bits of the expanded key 2. Round key selection from expanded key

76 Rijndael: Key Schedule The original key consists of 128 bits, which are arranged into a 4*4 matrix of bytes. This matrix is expanded by adjoining 40 more columns, as follows. Label the first four columns W(0), W(1), W(2), W(3). The new columns are generated recursively. Suppose columns up through W(i-1) have been defined. If i is not a multiple of 4, then form the new column as W(i) = W(i-4) ⊕ W(i-1).

77 Rijndael: Key Schedule If i is a multiple of 4, then W(i) = W(i-4) ⊕ T(W(i-1)), where T(W(i-1)) is the transformation of W(i-1) as follows. Let the elements of the column be w_0 w_1 w_2 w_3. Shift these cyclically to obtain w_1 w_2 w_3 w_0. Then replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes y_0 y_1 y_2 y_3.

78 Rijndael: Key Schedule Finally compute the round constant r(i) = 00000010^((i-4)/4) in GF(2^8). Recall that we are in the case where i is a multiple of 4. Then T(W(i-1)) is the column vector (y_0 ⊕ r(i), y_1, y_2, y_3)

79 Rijndael: Key Schedule In this way, columns W(4), ..., W(43) are generated from the initial four columns. The round key for the ith round consists of the columns: W(4i), W(4i+1), W(4i+2), W(4i+3).

80 Rijndael: Key Schedule Because it begins and ends with an ARK (Add Round Key) step, there is no wasted unkeyed step at the beginning or end. The sequence of operations is important for facilitating decipherment, as well. Although the sequence is not symmetrical, the order of some of the steps in Rijndael could be changed without affecting the cipher. The Byte Sub step could just as easily be done after the Shift Row step as before it.

81 Rijndael: Key Schedule For keys 128 and 192 bits in length, the subkey material, which consists of all the round keys in order, consists of the original key, followed by stretches, each the length of the original key, consisting of four-byte words such that each word is the XOR of the preceding four-byte word and either the corresponding word in the previous stretch or a function of it.

82 Rijndael: Key Schedule For the first word in a stretch, the word is first rotated one byte to the left, and then its bytes are transformed using the S-box from the Byte Sub step, and then a round-dependent constant is XORed to its first byte.

83 Rijndael: Key Schedule The round constants are:

84 Rijndael: Decryption Inverse Cypher: Reverse Steps Use Keys in Reverse Order ByteSub and ShiftRow Commute MixColumn Matrix is Invertible

85 Rijndael: Decryption 1. The inverse of ByteSub is another lookup table, called InvByteSub. 2. The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow.

86 Rijndael: Decryption 3. The inverse of MixColumn exists because the 4*4 matrix used in MixColumn is invertible. The transformation InvMixColumn is given by multiplication by the matrix with rows (0E 0B 0D 09), (09 0E 0B 0D), (0D 09 0E 0B), (0B 0D 09 0E).

87 Rijndael: Sequence of Operations for Encryption The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael is: ARK BSB, SR, MC, ARK; BSB, SR, MC, ARK; BSB, SR, MC, ARK;... BSB, SR, MC, ARK; BSB, SR, ARK; 9 of them

88 Rijndael: Sequence of Operations Where: ARK = Add Round Key BSB = Byte Sub Block SR = Shift Row MC = Mix Column

89 Rijndael: Decryption 4. AddRoundKey is its own inverse. Hence to decrypt we have to perform the following steps: ARK, ISR, IBS ARK, IMC, ISR, IBS; ARK, IMC, ISR, IBS;... ARK, IMC, ISR, IBS; ARK;

90 Rijndael: Decryption However, we would like to rewrite this decryption in order to make it look more like encryption. We make the following observations: I. The order of the BS and the SR operations is exchangeable (why??). II. We also would like to reverse the order of ARK and IMC but this is not possible. Instead we proceed as follows:

91 Rijndael: Decryption (c_{i,j}) → (m_{i,j})(c_{i,j}) → (e_{i,j}) = (m_{i,j})(c_{i,j}) ⊕ (k_{i,j}), where (m_{i,j}) is the 4*4 matrix in MixColumn and (k_{i,j}) is the round key matrix. The inverse is obtained by solving (e_{i,j}) = (m_{i,j})(c_{i,j}) ⊕ (k_{i,j}) for (c_{i,j}) in terms of (e_{i,j}), namely, (c_{i,j}) = (m_{i,j})^{-1}(e_{i,j}) ⊕ (m_{i,j})^{-1}(k_{i,j}).

92 Rijndael: Decryption Therefore the decryption process to follow is: (e_{i,j}) → (m_{i,j})^{-1}(e_{i,j}) → (m_{i,j})^{-1}(e_{i,j}) ⊕ (k'_{i,j}), where (k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j}). The first arrow is simply InvMixColumn applied to (e_{i,j}). If we let InvAddRoundKey be XORing with (k'_{i,j}), then we have that the inverse of MC then ARK is IMC then IARK.

93 Rijndael: Decryption We now see that decryption is given by: ARK, IBS, ISR IMC, IARK, IBS, ISR; IMC, IARK, IBS, ISR;... IMC, IARK, IBS, ISR; ARK. Summarizing we have the following procedures to perform encryption/decryption with Rijndael algorithm:

94 Rijndael: Encryption 1. ARK using the 0th key. 2. Nine rounds of BS, SR, MC, ARK using round keys 1 to 9. 3. A final round: BS, SR, ARK, using the 10th round key.

95 Rijndael: Decryption 1. ARK using the 10th key. 2. Nine rounds of IBS, ISR, IMC, IARK using round keys 9 to 1. 3. A final round: IBS, ISR, ARK, using the 0th round key.
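
The steps from the preceding slides (S-box construction, GF(2^8) arithmetic for MixColumn, the key schedule, and the encryption and rewritten decryption sequences) assembled into a small AES-128 in Python. This is an added example, not code from the slides: the function names are its own, the state is held as 16 bytes in column order, and the values used to check it are the FIPS-197 Appendix B test vector.

```python
# Added teaching example: AES-128 built only from the steps described above.

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) = 1 + x + x^3 + x^4 + x^8."""
    r = 0
    while b:
        if b & 1:
            r ^= a              # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:
            a ^= 0x11B          # cancel the overflow with the 9-bit string 100011011
        b >>= 1
    return r

def ginv(a):
    """Reciprocal in GF(2^8) as a^254; 0 has no reciprocal and maps to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def sbox_entry(x):
    """ByteSub: reciprocal, bitwise matrix multiply mod 2, then XOR with hex 63."""
    y, z = ginv(x), 0
    for i in range(8):
        bit = (y >> i) ^ (y >> (i + 4) % 8) ^ (y >> (i + 5) % 8) \
            ^ (y >> (i + 6) % 8) ^ (y >> (i + 7) % 8)
        z |= (bit & 1) << i
    return z ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [0] * 256
for _i, _s in enumerate(SBOX):
    INV_SBOX[_s] = _i

MIX = [0x02, 0x03, 0x01, 0x01]        # first row of the MixColumn matrix
INV_MIX = [0x0E, 0x0B, 0x0D, 0x09]    # first row of the InvMixColumn matrix

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def shift_rows(s, inverse=False):
    """Byte index = row + 4*col; row r rotates left by r (right when inverse)."""
    return [s[r + 4 * ((c + (-r if inverse else r)) % 4)]
            for c in range(4) for r in range(4)]

def mix_columns(s, row):
    """Multiply every column by the circulant matrix whose first row is `row`."""
    return [gmul(row[(0 - r) % 4], s[4 * c]) ^ gmul(row[(1 - r) % 4], s[4 * c + 1])
            ^ gmul(row[(2 - r) % 4], s[4 * c + 2]) ^ gmul(row[(3 - r) % 4], s[4 * c + 3])
            for c in range(4) for r in range(4)]

def expand_key(key):
    """Columns W(0)..W(43); round key i is W(4i)..W(4i+3) flattened to 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rc = 1                                            # r(4) = 00000010^0
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # cyclic shift, then S-box
            t[0] ^= rc                                # XOR round constant into first byte
            rc = gmul(rc, 2)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(block, key):
    rk = expand_key(key)
    s = xor(block, rk[0])                             # ARK with the 0th key
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])          # BS, SR
        if rnd < 10:
            s = mix_columns(s, MIX)                   # MC, omitted in the final round
        s = xor(s, rk[rnd])                           # ARK
    return bytes(s)

def decrypt_block(block, key):
    rk = expand_key(key)
    s = xor(block, rk[10])                            # ARK with the 10th key
    for rnd in range(9, 0, -1):
        s = shift_rows([INV_SBOX[b] for b in s], inverse=True)   # IBS, ISR
        s = mix_columns(s, INV_MIX)                              # IMC
        s = xor(s, mix_columns(rk[rnd], INV_MIX))                # IARK: XOR with m^-1 k
    s = shift_rows([INV_SBOX[b] for b in s], inverse=True)       # final IBS, ISR
    return bytes(xor(s, rk[0]))                                  # ARK with the 0th key
```

The S-box lookups here are indexed by secret-dependent bytes, so this code is for study only; deployed systems should call a vetted library that uses constant-time or hardware AES.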

96 Rijndael: Why MixColumn is omitted in the last round? Suppose MixColumn had been left in. Then the encryption would start ARK, BS, SR, MC, ARK, ..., and it would end ARK, BS, SR, MC, ARK. Therefore, the beginning of the decryption would be (after the reorderings) IMC, IARK, IBS, ISR, .... This means the decryption would have an unnecessary IMC at the beginning.

97 Rijndael: Why MixColumn is omitted in the last round? Another way to look at encryption is that there is an initial ARK, then a sequence of alternating half rounds (BS, SR), (MC, ARK), (BS, SR), ..., (MC, ARK), (BS, SR), followed by a final ARK. The decryption is ARK, followed by a sequence of alternating half rounds: (IBS, ISR), (IMC, IARK), (IBS, ISR), ..., (IMC, IARK), (IBS, ISR)

98 Rijndael: Why MixColumn is omitted in the last round? Followed by a final ARK. From this point of view, we see that a final MC would not fit naturally into any of the half rounds, and it is natural to leave it out.

99 Rijndael: Some design consideration comments. On 8-bit processors, decryption is not quite as fast as encryption. This is because the entries of the 4*4 matrix for InvMixColumn are more complex than those for MixColumn, and this is enough to make decryption take around 30% longer than encryption for those processors.

100 Rijndael: Some design consideration comments. The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys in Rijndael, in contrast to DES and several other algorithms. In Rijndael all the bits are treated uniformly. This has the effect of diffusing the input bits faster.

101 Rijndael: Some design consideration comments. It can be shown that two rounds are enough to obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits. The Rijndael S-box is highly nonlinear, since it is based on the mapping x → x^-1 in GF(2^8). This means that Rijndael is excellent at resisting differential and linear cryptanalysis attacks.

102 Rijndael: Some design consideration comments. The ShiftRow step was added to resist two recently developed attacks, namely truncated differentials and the Square attack (Square is a predecessor of Rijndael). The MixColumn causes diffusion among the bytes. A change in one input byte in this step always results in all four output bytes changing. If two input bytes are changed, at least three output bytes are changed.

103 Rijndael: Some design consideration comments. The Key Schedule involves nonlinear mixing of the key bits, since it uses the S-box. The mixing is designed to resist attacks where the cryptanalyst knows part of the key and tries to deduce the remaining bits. The round constants are used to eliminate symmetries in the encryption process by making each round different.

104 Rijndael: Some design consideration comments. The number of rounds was chosen to be 10 because there are attacks that are better than brute force up to six rounds. No known attack beats brute force for seven or more rounds. It was felt that four extra rounds provide a large enough margin of safety. Of course, the number of rounds could easily be increased if needed.


More information

Computer and Data Security. Lecture 3 Block cipher and DES

Computer and Data Security. Lecture 3 Block cipher and DES Computer and Data Security Lecture 3 Block cipher and DES Stream Ciphers l Encrypts a digital data stream one bit or one byte at a time l One time pad is example; but practical limitations l Typical approach

More information

Introduction to the new AES Standard: Rijndael

Introduction to the new AES Standard: Rijndael Introduction to the new AES Standard: Rijndael Paul Donis This paper will explain how the Rijndael Cipher Reference Code in C works. Rijndael is a block cipher that encrypts and decrypts 128, 192, and

More information

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key 1/56 CSc 466/566 Computer Security 6 : Cryptography Symmetric Key Version: 2012/02/22 16:14:16 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg

More information

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001

Implementation and Performance analysis of Skipjack & Rijndael Algorithms. by Viswnadham Sanku ECE646 Project Fall-2001 Implementation and Performance analysis of Skipjack & Rijndael Algorithms by Viswnadham Sanku ECE646 Project Fall-2001 TABLE OF CONTENTS TABLE OF CONTENTS 2 1. OBJECTIVE 3 2. SKIPJACK CIPHER 3 2.1 CIPHER

More information

FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM

FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM P. Aatheeswaran 1, Dr.R.Suresh Babu 2 PG Scholar, Department of ECE, Jaya Engineering College, Chennai, Tamilnadu, India 1 Associate

More information

Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures

Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures Design of an Efficient Architecture for Advanced Encryption Standard Algorithm Using Systolic Structures 1 Suresh Sharma, 2 T S B Sudarshan 1 Student, Computer Science & Engineering, IIT, Khragpur 2 Assistant

More information

AES Java Technology Comparisons

AES Java Technology Comparisons February 7, 1999 AES Java Technology Comparisons Alan Folmsbee, Sun Microsystems, Inc. Advanced Encryption Standard candidate algorithm comparisons based on the Java technology implementations. 1.0 Introduction

More information

Few Other Cryptanalytic Techniques

Few Other Cryptanalytic Techniques Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack

More information

Stream Ciphers and Block Ciphers

Stream Ciphers and Block Ciphers Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.

More information

MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants

MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants MARS Attacks! Preliminary Cryptanalysis of Reduced-Round MARS Variants John Kelsey and Bruce Schneier Counterpane Internet Security, Inc., 3031 Tisch Way, San Jose, CA 95128 {kelsey,schneier}@counterpane.com

More information

Stream Ciphers and Block Ciphers

Stream Ciphers and Block Ciphers Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.

More information

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s

More information

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms CSCI 454/554 Computer and Network Security Topic 3.1 Secret Key Cryptography Algorithms Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms? Security by

More information

Chapter 7 Advanced Encryption Standard (AES) 7.1

Chapter 7 Advanced Encryption Standard (AES) 7.1 Chapter 7 Advanced Encryption Standard (AES) 7.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Objectives To review a short history of AES To define

More information

A High-Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm

A High-Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm A High-Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm N. M. Kosaraju, M. Varanasi & Saraju P. Mohanty VLSI Design and CAD Laboratory Homepage: http://www.vdcl.cse.unt.edu

More information

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here Course Business Midterm is on March 1 Allowed to bring one index card (double sided) Final Exam is Monday, May 1 (7 PM) Location: Right here 1 Cryptography CS 555 Topic 18: AES, Differential Cryptanalysis,

More information

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan UNIT - II Traditional Symmetric-Key Ciphers 1 Objectives To define the terms and the concepts of symmetric key ciphers To emphasize the two categories of traditional ciphers: substitution and transposition

More information

Efficient Hardware Design and Implementation of AES Cryptosystem

Efficient Hardware Design and Implementation of AES Cryptosystem Efficient Hardware Design and Implementation of AES Cryptosystem PRAVIN B. GHEWARI 1 MRS. JAYMALA K. PATIL 1 AMIT B. CHOUGULE 2 1 Department of Electronics & Telecommunication 2 Department of Computer

More information

Cryptanalysis of FROG

Cryptanalysis of FROG Cryptanalysis of FROG David Wagner Niels Ferguson Bruce Schneier October 23, 1999 Abstract We examine some attacks on the FROG cipher. First we give a differential attack which uses about 2 58 chosen plaintexts

More information

FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD. G. Bertoni, L. Breveglieri, I. Koren and V. Piuri

FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD. G. Bertoni, L. Breveglieri, I. Koren and V. Piuri FAULT DETECTION IN THE ADVANCED ENCRYPTION STANDARD G. Bertoni, L. Breveglieri, I. Koren and V. Piuri Abstract. The AES (Advanced Encryption Standard) is an emerging private-key cryptographic system. Performance

More information

AIT 682: Network and Systems Security

AIT 682: Network and Systems Security AIT 682: Network and Systems Security Topic 3.1 Secret Key Cryptography Algorithms Instructor: Dr. Kun Sun Outline Introductory Remarks Feistel Cipher DES AES 2 Introduction Secret Keys or Secret Algorithms?

More information

Encryption Details COMP620

Encryption Details COMP620 Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more

More information

CS Network Security. Module 6 Private Key Cryptography

CS Network Security. Module 6 Private Key Cryptography CS 393 - Network Security Module 6 Private ey Cryptography Data Encryption Encryption is the process of encoding a message such that its meaning is not obvious. Decryption is the reverse process, ie, transforming

More information

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a

More information

CENG 520 Lecture Note III

CENG 520 Lecture Note III CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process

More information

Comparing Software Implementations of the Rijndel Cipher

Comparing Software Implementations of the Rijndel Cipher Comparing Software Implementations of the Rijndel Cipher Submitted by: Paul Donis To: Professor Kris Gaj To satisfy requirements for: Course ECE 543/646 at George Mason University, Fall 2000 Rijndael is

More information

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and

More information

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers

Block Ciphers and Stream Ciphers. Block Ciphers. Stream Ciphers. Block Ciphers Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2... M N. Then, each block M i is encrypted to the ciphertext block C i = K (M i ), and

More information

Attacks on Advanced Encryption Standard: Results and Perspectives

Attacks on Advanced Encryption Standard: Results and Perspectives Attacks on Advanced Encryption Standard: Results and Perspectives Dmitry Microsoft Research 29 February 2012 Design Cryptanalysis history Advanced Encryption Standard Design Cryptanalysis history AES 2

More information

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)

Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany

More information

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18) AES Block Cipher Blockciphers are central tool in the design of protocols for shared-key cryptography What is a blockcipher? It is a function E of parameters k and n that maps { 0, 1} k { 0, 1} n { 0,

More information

Linear Cryptanalysis of Reduced Round Serpent

Linear Cryptanalysis of Reduced Round Serpent Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science

More information

FPGA Based Design of AES with Masked S-Box for Enhanced Security

FPGA Based Design of AES with Masked S-Box for Enhanced Security International Journal of Engineering Science Invention ISSN (Online): 2319 6734, ISSN (Print): 2319 6726 Volume 3 Issue 5ǁ May 2014 ǁ PP.01-07 FPGA Based Design of AES with Masked S-Box for Enhanced Security

More information

Symmetric Cryptography CS461/ECE422

Symmetric Cryptography CS461/ECE422 Symmetric Cryptography CS461/ECE422 1 Outline Overview of Cryptosystem design Commercial Symmetric systems DES AES Modes of block and stream ciphers 2 Reading Section 2.4-2.6 and 12.2 in Security in Computing

More information

U-II BLOCK CIPHER ALGORITHMS

U-II BLOCK CIPHER ALGORITHMS U-II BLOCK CIPHER ALGORITHMS IDEA: Idea is block cipher similar to DES Works on 64 bit plaintext block Key is longer and consist of 128 bits Idea is reversible like DES i.e. same algorithm can be used

More information

Design and Implementation of Rijndael Encryption Algorithm Based on FPGA

Design and Implementation of Rijndael Encryption Algorithm Based on FPGA Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 9, September 2013,

More information

On Boolean and Arithmetic Masking against Differential Power Analysis

On Boolean and Arithmetic Masking against Differential Power Analysis On Boolean and Arithmetic Masking against Differential Power Analysis [Published in Ç.K. Koç and C. Paar, Eds., Cryptographic Hardware and Embedded Systems CHES 2000, vol. 1965 of Lecture Notes in Computer

More information

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion Crypto Basics Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion 1 What is a cryptosystem? K = {0,1} l P = {0,1} m C = {0,1} n, C C E: P K C D: C

More information

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty

Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,

More information

CCproc: A custom VLIW cryptography co-processor for symmetric-key ciphers

CCproc: A custom VLIW cryptography co-processor for symmetric-key ciphers CCproc: A custom VLIW cryptography co-processor for symmetric-key ciphers Dimitris Theodoropoulos, Alexandros Siskos, and Dionisis Pnevmatikatos ECE Department, Technical University of Crete, Chania, Greece,

More information

FPGA Can be Implemented Using Advanced Encryption Standard Algorithm

FPGA Can be Implemented Using Advanced Encryption Standard Algorithm FPGA Can be Implemented Using Advanced Encryption Standard Algorithm Shahin Shafei Young Researchers and Elite Club, Mahabad Branch, Islamic Azad University, Mahabad, Iran Email:Shahin_shafei@yahoo.com

More information

The Encryption Standards

The Encryption Standards The Encryption Standards Appendix F Version 1.0 Computer Security: Art and Science, 2 nd Edition Slide F-1 Outline Data Encryption Standard Algorithm Advanced Encryption Standard Background mathematics

More information

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

L3: Basic Cryptography II. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 L3: Basic Cryptography II Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 8/29/2016 CSCI 451 -Fall 2016 1 Acknowledgement Many slides are from or

More information

Piret and Quisquater s DFA on AES Revisited

Piret and Quisquater s DFA on AES Revisited Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université

More information

Lecture 8: AES: The Advanced Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Lecture 8: AES: The Advanced Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak Lecture 8: AES: The Advanced Encryption Standard Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) February 4, 2017 7:16am c 2017 Avinash Kak, Purdue University Goals: To review

More information

CS 392/681 Computer Security. Module 1 Private Key Cryptography

CS 392/681 Computer Security. Module 1 Private Key Cryptography CS 392/681 Computer Security Module 1 Private Key Cryptography Logistics Office hours Thursday 3 to 5 (tentative). Lab 0 due today. Lab 1 assigned. Due next Thursday!! ISIS is still unstable. Will fix

More information

A NOVEL 256-BIT BLOCK CIPHER

A NOVEL 256-BIT BLOCK CIPHER 5 A NOVEL 256-BIT BLOCK CIPHER Mohamed Fahmy Tolba mtolba@geganet.com. Mohamed Saeed Abdel Wahab wahabms@hotmail.com. Ashraf Saad Hussien ahrafh@acm.org. Mohamed Ahmed Abo El-Fotouh midono1@hotmail.com.

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64

More information

Introduction to Modern Symmetric-Key Ciphers

Introduction to Modern Symmetric-Key Ciphers Introduction to Modern Symmetric-Key Ciphers 1 Objectives Review a short history of DES. Define the basic structure of DES. List DES alternatives. Introduce the basic structure of AES. 2 Data Encryption

More information

Comparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput

Comparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput Comparison of Performance of AES Standards Based Upon Encryption /Decryption Time and Throughput Miss Navraj Khatri Mr Jagtar Singh Mr Rajeev dhanda NCCE,Israna,K.U Senior lecturer,ncce,israna,k.u Assistant

More information

Efficient Area and High Speed Advanced Encryption Standard Algorithm

Efficient Area and High Speed Advanced Encryption Standard Algorithm International Journal of Emerging Engineering Research and Technology Volume 3, Issue 7, July 2015, PP 140-146 ISSN 2349-4395 (Print) & ISSN 2349-4409 (Online) Efficient Area and High Speed Advanced Encryption

More information

A Meet-in-the-Middle Attack on 8-Round AES

A Meet-in-the-Middle Attack on 8-Round AES A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent

More information

CSC 474/574 Information Systems Security

CSC 474/574 Information Systems Security CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message

More information

Symmetric Cryptography. CS4264 Fall 2016

Symmetric Cryptography. CS4264 Fall 2016 Symmetric Cryptography CS4264 Fall 2016 Correction: TA Office Hour Stefan Nagy (snagy2@vt.edu) Office hour: Thursday Friday 10-11 AM, 106 McBryde Hall 2 Slides credit to Abdou Illia RECAP AND HIGH-LEVEL

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security CRYPTOGRAPHY AND NETWORK SECURITY PRAKASH C. GUPTA Former Head Department of Information Technology Maharashtra Institute of Technology Pune Delhi-110092 2015 CRYPTOGRAPHY

More information

ENHANCED AES ALGORITHM FOR STRONG ENCRYPTION

ENHANCED AES ALGORITHM FOR STRONG ENCRYPTION ENHANCED AES ALGORITHM FOR STRONG ENCRYPTION V. Sumathy & C. Navaneethan Assistant Professor, Department of CSE, Kingston Engineering College, Vellore, Tamil Nadu, India ABSTRACT In this paper we present

More information

Symmetric Cryptography. Chapter 6

Symmetric Cryptography. Chapter 6 Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream

More information

Elastic Block Ciphers: The Feistel Cipher Case

Elastic Block Ciphers: The Feistel Cipher Case Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical

More information

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010

Goals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010 Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution

More information

Implementation and Performance analysis of Skipjack & Rijndael Algorithms

Implementation and Performance analysis of Skipjack & Rijndael Algorithms Implementation and Performance analysis of Skipjack & Rijndael Algorithms By Viswanadham Sanku 1 Topics Skipjack cipher operations Design principles & cryptanalysis Implementation & optimization Results

More information

An Improved Truncated Differential Cryptanalysis of KLEIN

An Improved Truncated Differential Cryptanalysis of KLEIN An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti

More information

Chap. 3. Symmetric Key Crypto (Block Ciphers)

Chap. 3. Symmetric Key Crypto (Block Ciphers) Introduction to SW Security Chap. 3. Symmetric Key Crypto (Block Ciphers) Spring, 28 Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Many slides taken from Textbook (Its site), and Web sites Textbook M. T.

More information

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher

More information

IMPROVEMENT KEYS OF ADVANCED ENCRYPTION STANDARD (AES) RIJNDAEL_M

IMPROVEMENT KEYS OF ADVANCED ENCRYPTION STANDARD (AES) RIJNDAEL_M IMPROVEMENT KEYS OF ADVANCED ENCRYPTION STANDARD (AES) RIJNDAEL_M 1,2 MOHANAAD SHAKIR, 2 ASMIDAR BIT ABUBAKAR, 2 YOUNUS BIN YOUSOFF, 3 MUSTEFA SHEKER 1 Alburaimi University Collage(BUC), Oman, 2 University

More information

Differential-Linear Cryptanalysis of Serpent

Differential-Linear Cryptanalysis of Serpent Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics

More information