
The Advanced Encryption Standard (Rijndael)

Códigos y Criptografía (Codes and Cryptography)

Francisco Rodríguez Henríquez

AES: Why a new Standard?

1. The old standard (DES, 56-bit key) is insecure against brute-force attacks
2. Straightforward fixes (Triple DES) lead to inefficient implementations
3. New trends in fast software encryption: use of the basic instructions of the microprocessor
4. New ways of assessing cipher strength: differential cryptanalysis, linear cryptanalysis

AES: Why a Contest?

Speed up the acceptance of the standard
Small number of specialists in the open research community
Focus the effort of the cryptographic community
Stimulate research on methods of constructing secure ciphers
Avoid backdoor theories

AES: General Form (figure not reproduced)

AES: Rules of the Game

Each team submits:
  Detailed cipher description
  Justification of design decisions
  Tentative results of cryptanalysis
  Source code in C
  Source code in Java
  Test vectors

AES: Candidates
Round 1, June 1998: 15 candidates
  from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
  Evaluated on security and software efficiency
Round 2, August 1999: 5 final candidates
  Mars, RC6, Rijndael, Serpent, Twofish
  Evaluated on security and hardware efficiency
October 2000: 1 winner, Rijndael (Belgium)

AES: Candidates
USA: Mars, RC6, Twofish, Safer+, HPC
Canada: CAST-256, Deal
Costa Rica: Frog
Australia: LOKI97
Japan: E2
Korea: Crypton
Belgium: Rijndael
France: DFC
Germany: Magenta
Israel, UK, Norway: Serpent
America (8), Europe (4), Asia (2), Australia (1)

AES: Candidates
Survey filled in by 104 participants of the Second AES Conference in Rome, March 1999
Overwhelming YES:
  1. Rijndael +76
  2. RC6 +73
  3. Twofish +61
  4. Mars +52
  5. Serpent +45
Mild YES:
  6. E2 +14
Middle-of-the-road:
  7. CAST-256 -2
  8. Safer+ -4
  9. DFC -5
Mild NO:
  10. Crypton -15
Overwhelming NO:
  11. DEAL -70
  12. HPC -77
  13. Magenta -83
  14. Loki97 -85
  15. Frog -85

AES: Final 5
USA
  Mars - IBM: C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O'Connor, M. Peyravian, D. Safford, N. Zunic
  RC6 - RSA Data Security, Inc.: R. Rivest (MIT); M. Robshaw, R. Sidney, Y. L. Yin (RSA)
  Twofish - Counterpane Systems: B. Schneier, J. Kelsey, C. Hall, N. Ferguson (Counterpane); D. Whiting (Hi/fn); D. Wagner (Berkeley)
Europe
  Rijndael - J. Daemen, V. Rijmen, Katholieke Universiteit Leuven, Belgium
  Serpent - R. Anderson (Cambridge, England), E. Biham (Technion, Israel), L. Knudsen (University of Bergen, Norway)

RC6: The elegant AES choice

Ron Rivest (rivest@mit.edu)
Matt Robshaw (mrobshaw@supanet.com)
Yiqun Lisa Yin (yiqun@nttmcl.com)

RC6 is the right AES choice

Security
Performance
Ease of implementation
Simplicity
Flexibility

RC6 is simple: only 12 lines

(All additions and multiplications are modulo 2^32; x <<< y rotates the 32-bit word x left by the low 5 bits of y; ⊕ is bitwise XOR; S[0..43] is the expanded key.)

B = B + S[0]
D = D + S[1]
for i = 1 to 20 do
{
  t = (B × (2B + 1)) <<< 5
  u = (D × (2D + 1)) <<< 5
  A = ((A ⊕ t) <<< u) + S[2i]
  C = ((C ⊕ u) <<< t) + S[2i + 1]
  (A, B, C, D) = (B, C, D, A)
}
A = A + S[42]
C = C + S[43]

Simplicity
Facilitates and encourages analysis
  allows rapid understanding of security
  makes direct analysis straightforward (contrast with Mars and Twofish)
Enables easy implementation
  allows compilers to produce high-quality code
  obviates complicated optimizations
  provides good performance with minimal effort

RC6 key schedule is rock-solid

Studied for more than six years (it is the RC5 key schedule)
Secure:
  thorough mixing
  one-way function
  no key separation (cf. Twofish)
  no related-key attacks (cf. Rijndael)

Original analysis still accurate

RC6 meets its original design criteria
Security estimates from 1998 are still good today; independent analyses are supportive
Secure, even in theory, even with analysis improvements far beyond those seen for DES during its lifetime
RC6 provides a solid, well-tuned margin of security

How do we grade candidates?

Security (corroborated)
Performance (speed + memory), weighted by platform:
  32-bit: 30%
  Java: 20%
  DSP: 15%
  64-bit: 15%
  Hardware: 15%
  8-bit: 5%
Ease of implementation
Simplicity
Flexibility
Overall weights (security / performance / ease of implementation / simplicity / flexibility): 40 / 25 / 15 / 10 / 10

Conclusions
RC6 is a simple yet remarkably strong cipher
  good performance on the most important platforms
  simple to code for good performance
  excellent flexibility
  the most studied finalist
  the best understood finalist
RC6 is the secure and elegant choice for the AES

(End of the RC6 team's slides)

AES: Performance Evaluation (performance charts not reproduced)

AES: Summary of Final-5 Evaluation

Serpent [2]
Pluses:
  large security margin
  cryptanalytic reputation of the authors
  conservative construction
  very fast in hardware
Minuses:
  slow in software
  moderate flexibility

AES: Summary of Final-5 Evaluation

Rijndael [1]
Pluses:
  fastest in hardware
  close to the fastest in software
  adequate security margin
  novel ideas
  very high flexibility
Minuses:
  security margin smaller than Serpent's

AES: Summary of Final-5 Evaluation

Twofish
Pluses:
  good security margin
  fast encryption/decryption in software
  US origin
  strongly advertised
Minuses:
  moderately fast in hardware
  slow key setup in software
  moderate flexibility

Rijndael Overview

Designed by Joan Daemen and Vincent Rijmen (from Leuven, Belgium)
Based upon the Square cipher
3 design goals:
  1. Resistance against known attacks
  2. Speed and code compactness on a variety of platforms
  3. Design simplicity

Rijndael Overview

Rijndael/AES designed by:
  Joan Daemen, Proton World International
  Vincent Rijmen, Katholieke Universiteit Leuven
Block cipher
Symmetric key
Arithmetic based in the Galois field GF(2^8)
Fast and scalable
Resistant to all cryptanalytic attacks known at the time of its design

Dr. Vincent Rijmen (photograph not reproduced)

Rijndael
The block cipher Rijndael is designed to use only simple whole-byte operations. It also provides extra flexibility over that required of an AES candidate, in that both the key size and the block size may be chosen independently from 128, 192, or 256 bits.

Rijndael Overview

Rijndael is not a Feistel cipher:
  3 distinct invertible layers per round
  Encryption and decryption algorithms are different
Rijndael uses the Wide Trail Strategy:
  1. Non-linear layer (confusion)
  2. Linear mixing layer (diffusion)
  3. Key addition layer

Rijndael Overview

State and Round Key representations
The State is the intermediate cipher result
Both the State and the Round Key are interpreted as rectangular arrays of bytes (4 rows)
The number of columns in the State and Round Key arrays depends on the block and key sizes, respectively

Rijndael Overview

Rijndael is a block cipher that encrypts and decrypts 128-, 192-, and 256-bit blocks, using 128-, 192-, and 256-bit keys in any combination. The block is structured as 4, 6, or 8 columns of 4 bytes, depending on the block size.

Rijndael
During an early stage of the AES process, a draft version of the requirements would have required each algorithm to have three versions, with both the key and block sizes equal to each of 128, 192, and 256 bits. This was later changed to make the three required versions have those three key sizes, but only a block size of 128 bits, which is more easily accommodated by many types of block cipher design.

Rijndael
The original description of Rijndael is available at: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
However, the variants of Rijndael that act on larger block sizes were not included in the actual standard (FIPS-197 fixes the block size at 128 bits), on the basis that the cryptanalytic study of Rijndael during the standards process focused primarily on the version with the 128-bit block size.
Rijndael is a relatively simple cipher in many respects.

Rijndael: Number of Rounds

Rijndael has a variable number of rounds. The number of rounds in Rijndael is:
1. 10 if both the block and the key are 128 bits long.
2. 12 if either the block or the key is 192 bits long, and neither of them is longer than that.
3. 14 if either the block or the key is 256 bits long.

Rijndael Overview
Each round consists of 4 steps:
  Step 1: ByteSub transformation (confusion)
  Step 2: ShiftRow transformation (diffusion)
  Step 3: MixColumn transformation (diffusion)
  Step 4: Round Key addition
The final round is slightly different from the other rounds.

Rijndael Overview
The basic operations applied to the block are:
1) ByteSub: applying an S-box (substituting each byte with another, based on an equation in GF(2^8));
2) ShiftRow: shifting the rows in a circular way, the amount of shift (0, 1, 2, 3, or 4 bytes) depending on the position from the top and on the block size;
3) MixColumn: mixing the 4, 6, or 8 columns vertically by taking invertible linear combinations (in GF(2^8)) of the elements in each column; and
4) Round Key Addition: XORing each byte with a round key (done before the first round for whitening, and again at the end of each round).

Rijndael: Algorithm

RijndaelCipherAES(data_block, key)
{
  in: State, RoundKeys
  State <- State xor RoundKey[0]
  for Round = 1 to Nr
    SubBytes(State)
    ShiftRow(State)
    if not (last Round) then MixColumn(State)
    State <- State xor RoundKey[Round]
  out: State
}

Rijndael: Sequence of Operations

The extra final round omits the Mix Column step, but is otherwise the same as a regular round. Thus, the sequence of steps in Rijndael (128-bit block and key) is:

ARK;
BSB, SR, MC, ARK;
BSB, SR, MC, ARK;
.....                 (9 of them in all)
BSB, SR, MC, ARK;
BSB, SR, ARK.

Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column

Rijndael: two-dimensional scheme (figures not reproduced)

Rijndael: Block Representation

Rijndael considers a 128-bit block grouped into 16 bytes of 8 bits each. Call these 16 bytes b15 b14 b13 ... b2 b1 b0. Rijndael deals with this block as bytes arranged column by column into a 4*4 matrix:

  b0  b4  b8   b12
  b1  b5  b9   b13
  b2  b6  b10  b14
  b3  b7  b11  b15

Rijndael: Round Steps

In the Byte Sub step each byte of the block is replaced by its substitute in an S-box:

  b0  b4  b8   b12         S(b0)  S(b4)  S(b8)   S(b12)
  b1  b5  b9   b13   -->   S(b1)  S(b5)  S(b9)   S(b13)
  b2  b6  b10  b14         S(b2)  S(b6)  S(b10)  S(b14)
  b3  b7  b11  b15         S(b3)  S(b7)  S(b11)  S(b15)

S-Box: Look-up Table method

Write a byte as 8 bits x7 x6 x5 x4 x3 x2 x1 x0. Look for the entry in row x7 x6 x5 x4 and column x3 x2 x1 x0.

Rijndael: S-Box
(entries in hexadecimal; row = high nibble x7 x6 x5 x4, column = low nibble x3 x2 x1 x0; the original slide listed the same entries in decimal, column by column)

      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0 | 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
 1 | ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
 2 | b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
 3 | 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
 4 | 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
 5 | 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
 6 | d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
 7 | 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
 8 | cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
 9 | 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
 a | e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
 b | e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
 c | ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
 d | 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
 e | e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
 f | 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Rijndael: Round Steps

The specification for Rijndael only provided an explanation of how the S-box was calculated: the first step is to replace each byte with its reciprocal in the same GF(2^8) as used below in the Mix Column step, except that 0, which has no reciprocal, is replaced by itself (since it isn't anything's reciprocal either, it is the only value not used, so that makes sense); then a bitwise modulo-two matrix multiplication is applied, and finally the hexadecimal number 63 is XORed with the result.

Rijndael: ByteSub Step

S-box arithmetic: elements live in G := GF(2^8) = GF(2)[x] / (1 + x + x^3 + x^4 + x^8)
  n_hex -> n_bin (a polynomial whose coefficients are the bits of n)
  arithmetic in Z_2 (+ and *), then reduce modulo 1 + x + x^3 + x^4 + x^8
  polynomial -> n_bin -> n_hex
ByteSub(x) = M · x^{-1} ⊕ 63_hex, where M is the 8×8 bit matrix of the affine map shown in the S-box construction
Precompute and use a lookup table

The Construction of the S-Box

Although the S-box is implemented as a lookup table, it has a simple mathematical description.
Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where each xi is a binary bit. Compute its inverse in GF(2^8). If the byte is 0, use the same 0 as its inverse.
The resulting byte y7 y6 y5 y4 y3 y2 y1 y0 represents an 8-dimensional column vector, with the rightmost bit y0 in the top position. Multiply by a matrix and add the column vector (1, 1, 0, 0, 0, 1, 1, 0) (that is, 63 hex with y0 on top) to obtain a vector z7 z6 z5 z4 z3 z2 z1 z0 as shown in the next slide:

The Construction of the S-Box

$$
\begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
\oplus
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

The Construction of the S-Box

For example, start with the byte 11001011 = CB. Its inverse in GF(2^8) is 00000100 = 04, so (y0, ..., y7) = (0, 0, 1, 0, 0, 0, 0, 0), and:

$$
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix}
\oplus
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
=
\begin{pmatrix} 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \end{pmatrix}
\oplus
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
=
\begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}
$$

The Construction of the S-Box

Reading (z7, ..., z0) from the bottom up yields the byte 00011111 = 1F. Note that the input byte was 11001011. Its 4 MSBs are 1100 = C, which selects row C of the S-box (the 13th row, counting row 0 as the first); its 4 LSBs are 1011 = B, which selects column B (the 12th column). Checking the S-box we see that indeed 31 = 1F is the entry at (row C, column B), as claimed.

Rijndael: Shift Row Step

Next is the Shift Row step. Considering the 128-bit block grouped into 16 bytes of 8 bits each, call them b15 b14 b13 ... b2 b1 b0. These bytes are arranged into a 4*4 matrix, and row r is rotated left by r positions (numbering the bytes 1 to 16 column by column):

from                to
1 5  9 13           1  5  9 13
2 6 10 14           6 10 14  2
3 7 11 15          11 15  3  7
4 8 12 16          16  4  8 12

Blocks that are 192 and 256 bits long are shifted like this:

from                      to
1 5  9 13 17 21           1  5  9 13 17 21
2 6 10 14 18 22           6 10 14 18 22  2
3 7 11 15 19 23          11 15 19 23  3  7
4 8 12 16 20 24          16 20 24  4  8 12

from                            to
1 5  9 13 17 21 25 29           1  5  9 13 17 21 25 29
2 6 10 14 18 22 26 30           6 10 14 18 22 26 30  2
3 7 11 15 19 23 27 31          15 19 23 27 31  3  7 11
4 8 12 16 20 24 28 32          20 24 28 32  4  8 12 16

(For the 256-bit block the row offsets are 0, 1, 3, 4 rather than 0, 1, 2, 3.)

Rijndael: Mix Column step

Next comes the Mix Column step. Matrix multiplication is performed: each column, in the arrangement we have seen above, is multiplied by the matrix:

  2 3 1 1
  1 2 3 1
  1 1 2 3
  3 1 1 2

However, this multiplication is done over GF(2^8). This means that the bytes being multiplied are treated as polynomials rather than numbers.

Rijndael: Mix Column step

GF(2^8), the Galois field with 2^8 elements, is the finite field

GF(2^8) = Z_2[x] / (m(x))

where m is irreducible in Z_2[x] and has degree 8.

Rijndael chooses m(x) = 1 + x + x^3 + x^4 + x^8.

Rijndael: Mix Column step

If the result has more than 8 bits, the extra bits are not simply discarded: instead, they are cancelled out by XORing the 9-bit binary string 100011011 with the result (shifted left to line up with the highest overflow bit when the product is longer than 9 bits). This string stands for the generating polynomial of the particular version of GF(2^8) used by Rijndael.

Rijndael: Mix Column step

For example, multiplying the binary string 11001010 by 3 within this Galois field works like this:

    11001010
  ×       11
  ----------
    11001010
   11001010
  ----------
   101011110   (XOR instead of addition)
   100011011   (XORed with the generating polynomial, instead of subtracting 256)
  ----------
   001000101   = 45 hex

Rijndael: Mix Column step

MixColumn arithmetic: MixColumn is equivalent to the matrix multiplication shown above, with all arithmetic carried out in GF(2^8).

Rijndael: Add Round Key

The final step is Add Round Key. This simply XORs in the subkey for the current round.

Rijndael: Key Schedule

Round keys are extracted from the cipher key in two steps:
1. Initial key expansion
   The first bits of the expanded key are set to the bits of the cipher key
   The remaining bits are calculated recursively as a non-linear function of the previous bits of the expanded key
2. Round key selection from the expanded key

Rijndael: Key Schedule

The original key consists of 128 bits, which are arranged into a 4*4 matrix of bytes. This matrix is expanded by adjoining 40 more columns, as follows. Label the first four columns W(0), W(1), W(2), W(3). The new columns are generated recursively. Suppose columns up through W(i-1) have been defined. If i is not a multiple of 4, then form the new column as

W(i) = W(i-4) ⊕ W(i-1).

Rijndael: Key Schedule

If i is a multiple of 4, then

W(i) = W(i-4) ⊕ T(W(i-1)),

where T(W(i-1)) is the transformation of W(i-1) defined as follows. Let the elements of the column be w0 w1 w2 w3. Shift these cyclically to obtain w1 w2 w3 w0. Then replace each of these bytes with the corresponding element of the S-box from the ByteSub step, to get 4 bytes y0 y1 y2 y3.

Rijndael: Key Schedule

Finally compute the round constant

$$ r(i) = (00000010)^{(i-4)/4} \quad \text{in } GF(2^8), $$

i.e. r(4) = 01, r(8) = 02, r(12) = 04, and so on, each constant being the previous one times x. Recall that we are in the case where i is a multiple of 4. Then T(W(i-1)) is the column vector

$$ \bigl( y_0 \oplus r(i),\; y_1,\; y_2,\; y_3 \bigr). $$

Rijndael: Key Schedule

In this way, columns W(4), ..., W(43) are generated from the initial four columns. The round key for the i-th round consists of the columns W(4i), W(4i+1), W(4i+2), W(4i+3).

Rijndael: Remarks on the Sequence of Operations

Because it begins and ends with an ARK (Add Round Key) step, there is no wasted unkeyed step at the beginning or end. The sequence of operations is important for facilitating decipherment as well.
Although the sequence is not symmetrical, the order of some of the steps in Rijndael could be changed without affecting the cipher. The Byte Sub step could just as easily be done after the Shift Row step as before it.

Rijndael: Key Schedule

For keys 128 and 192 bits in length, the subkey material, which consists of all the round keys in order, consists of the original key, followed by stretches, each the length of the original key, consisting of four-byte words such that each word is the XOR of the preceding four-byte word and either the corresponding word in the previous stretch or a function of it.

Rijndael: Key Schedule

For the first word in a stretch, the word is first rotated one byte to the left, then its bytes are transformed using the S-box from the Byte Sub step, and then a round-dependent constant is XORed into its first byte.

Rijndael: Key Schedule

The round constants (successive powers of x = 00000010 in GF(2^8), in decimal) are:

1 2 4 8 16 32 64 128 27 54 108 216 171 77 154 47 94 188 99 198 151 53 106 212 179 125 250 239 197 145 57 114 228 211 189 97 ...

(in hexadecimal: 01 02 04 08 10 20 40 80 1B 36 6C D8 AB 4D 9A 2F 5E BC 63 C6 97 35 6A D4 B3 7D FA EF C5 91 39 72 E4 D3 BD 61 ...; AES-128 uses only the first ten.)

Rijndael: Decryption
Inverse cipher:
  Reverse the steps
  Use the round keys in reverse order
  ByteSub and ShiftRow commute
  The MixColumn matrix is invertible

Rijndael: Decryption
1. The inverse of ByteSub is another lookup table, called InvByteSub.
2. The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow.

Rijndael: Decryption
3.

The inverse of MixColumn exists because the 4*4 matrix used in


MixColumn is invertible. The transformation InvMixColumn is given
bymultiplicationbythematrix

E B D 9

9 E B D
D 9 E B

B D 9 E

Cdigos y Criptografa

Francisco Rodrguez Henrquez


Rijndael: Decryption
4. AddRoundKey is its own inverse.

Hence, to decrypt we have to perform the following steps (reading the encryption sequence backwards):

ARK, ISR, IBS;
ARK, IMC, ISR, IBS;
ARK, IMC, ISR, IBS;
.....
ARK, IMC, ISR, IBS;
ARK.

Rijndael: Decryption

However, we would like to rewrite this decryption in order to make it look more like encryption. We make the following observations:

I. The order of the BS and SR operations is exchangeable. (Why? ByteSub acts on each byte independently of its position, and ShiftRow only moves bytes around, so substituting then moving gives the same result as moving then substituting.)

II. We would also like to reverse the order of ARK and IMC, but this is not possible directly. Instead we proceed as follows:

Rijndael: Decryption

MixColumn followed by AddRoundKey maps the state $(e_{i,j})$ to

$$ (c_{i,j}) = (m_{i,j})\,(e_{i,j}) \oplus (k_{i,j}), $$

where $(m_{i,j})$ is the 4*4 matrix of MixColumn and $(k_{i,j})$ is the round key matrix. The inverse is obtained by solving for $(e_{i,j})$ in terms of $(c_{i,j})$, namely

$$ (e_{i,j}) = (m_{i,j})^{-1}\,(c_{i,j}) \oplus (m_{i,j})^{-1}\,(k_{i,j}). $$

Therefore the decryption process to follow is

$$ (c_{i,j}) \;\longrightarrow\; (m_{i,j})^{-1}(c_{i,j}) \;\longrightarrow\; (m_{i,j})^{-1}(c_{i,j}) \oplus (k'_{i,j}), \qquad \text{where } (k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j}). $$

The first arrow is simply InvMixColumn applied to $(c_{i,j})$. If we let InvAddRoundKey be XORing with $(k'_{i,j})$, then we have that the inverse of "MC then ARK" is "IMC then IARK".

Rijndael: Decryption
We now see that decryption is given by:

ARK, IBS, ISR;
IMC, IARK, IBS, ISR;
IMC, IARK, IBS, ISR;
.....
IMC, IARK, IBS, ISR;
ARK.

Summarizing, we have the following procedures to perform encryption and decryption with the Rijndael algorithm:

Rijndael: Encryption

1. ARK using the 0th round key.
2. Nine rounds of BS, SR, MC, ARK using round keys 1 to 9.
3. A final round: BS, SR, ARK, using the 10th round key.

Rijndael: Decryption

1. ARK using the 10th round key.
2. Nine rounds of IBS, ISR, IMC, IARK using round keys 9 to 1.
3. A final round: IBS, ISR, ARK, using the 0th round key.


Rijndael: Why is MixColumn omitted in the last round?

Suppose MixColumn had been left in. Then the encryption would start ARK, BS, SR, MC, ARK, ... and it would end ARK, BS, SR, MC, ARK. Therefore the beginning of the decryption would be (after the reorderings) IMC, IARK, IBS, ISR, ... This means the decryption would have an unnecessary IMC at the beginning.

Rijndael: Why is MixColumn omitted in the last round?

Another way to look at encryption is that there is an initial ARK, then a sequence of alternating half-rounds

(BS, SR), (MC, ARK), (BS, SR), ..., (MC, ARK), (BS, SR),

followed by a final ARK.

The decryption is ARK, followed by a sequence of alternating half-rounds

(IBS, ISR), (IMC, IARK), (IBS, ISR), ..., (IMC, IARK), (IBS, ISR),

followed by a final ARK. From this point of view, we see that a final MC would not fit naturally into any of the half-rounds, and it is natural to leave it out.

Rijndael: Some design consideration comments

On 8-bit processors, decryption is not quite as fast as encryption. This is because the entries of the 4*4 matrix for InvMixColumn are more complex than those for MixColumn, and this is enough to make decryption take around 30% longer than encryption on those processors.

Rijndael: Some design consideration comments

The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys in Rijndael, in contrast to DES and several other algorithms.

In Rijndael all the bits are treated uniformly. This has the effect of diffusing the input bits faster.

Rijndael: Some design consideration comments

It can be shown that two rounds are enough to obtain full diffusion, namely, each of the 128 output bits depends on each of the 128 input bits.

The Rijndael S-box is highly non-linear, since it is based on the mapping x -> x^{-1} in GF(2^8). This is why Rijndael is excellent at resisting differential and linear cryptanalysis.

Rijndael: Some design consideration comments

The ShiftRow step was added to resist two recently developed attacks, namely truncated differentials and the Square attack (Square is a predecessor of Rijndael).

MixColumn causes diffusion among the bytes. A change in one input byte of this step always results in all four output bytes changing. If two input bytes are changed, at least three output bytes are changed.

Rijndael: Some design consideration comments

The key schedule involves non-linear mixing of the key bits, since it uses the S-box. The mixing is designed to resist attacks where the cryptanalyst knows part of the key and tries to deduce the remaining bits.

The round constants are used to eliminate symmetries in the encryption process by making each round different.

Rijndael: Some design consideration comments

The number of rounds was chosen to be 10 because, at the time of the proposal, there were attacks better than brute force on up to six rounds.

No attack known at that time beat brute force for seven or more rounds (later academic work has reached seven rounds of AES-128 at impractical cost, still well inside the margin).

It was felt that four extra rounds provide a large enough margin of safety. Of course, the number of rounds could easily be increased if needed.
