Advanced Encryption Standard: Rijndael
CS220r: Cryptography
15/10/02
Overview
• What is Rijndael?
• The U.S. Advanced Encryption Standard.
• How Rijndael Works
• Implementations of Rijndael
• Security of Rijndael
• Where To Learn More
What is Rijndael?
• Symmetric key block cipher
• Joan Daemen and Vincent Rijmen
• Winner of the U.S. Advanced Encryption
Standard competition
• Royalty-free, patent-free
U.S. Encryption Standards
• Administered by the National Institute of Standards and Technology (NIST)
– FIPS = “Federal Information Processing Standard”
• Specify government standards for encryption and digital signatures.
• Drive U.S. federal government purchasing.
• Royalty-free, no patent licensing, open.
Data Encryption Standard(DES)
• NIST calls for an encryption standard in 1972
• IBM responds with the “Lucifer” cipher in 1974
• NSA tweaks Lucifer → DES
• Federal standard in 1976
• Secret design criteria (revealed later)
• Short key (56 bits)
• Backdoor? (none ever found)
Birth of AES
• DES obsolete
– EFF keycracking machine 1998
• NIST calls for new encryption in 1997
• Two-round competition
• Intensive effort by cryptographers
– All submissions from public cryptographers
– No tweaks from NSA
• Winner announced October 2000
AES Requirements
• Security
– No good if broken
• Speed
– Both PCs and smart cards
– Future platforms
• Low memory
• “Key agility”
• Block cipher for next 100 years at least…
Rijndael is pronounced AES
• Rijndael wins AES competition in 2000.
• From NIST:
When considered together, Rijndael's combination of security, performance, efficiency, ease
of implementation and flexibility make it an appropriate selection for the AES.
Specifically, Rijndael appears to be consistently a very good performer in both
hardware and software across a wide range of computing environments regardless of its use in
feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good.
Rijndael's very low memory requirements make it very well suited for restricted-space
environments, in which it also demonstrates excellent performance. Rijndael's operations are
among the easiest to defend against power and timing attacks.
Additionally, it appears that some defense can be provided against such attacks
without significantly impacting Rijndael's performance. Rijndael is designed with some
flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in
the number of rounds, although these features would require further study and are not being
considered at this time. Finally, Rijndael's internal round structure appears to have good
potential to benefit from instruction-level parallelism.
Block Ciphers
• DES, all AES candidates “block ciphers.”
• Symmetric – Alice, Bob share key
• Keyed permutation {0,1}^b → {0,1}^b
– Value of b is the “block size.”
– Invertible if and only if you know the key.
– Need “chaining” for messages longer than one block.
• Typically much faster than public key.
Why Block Ciphers?
• Faster than public-key crypto
– Hybrid encryption
• Different security principles
– Factoring may be easy! Rijndael may be hard!
• (or the other way around)
• Give us “pseudo-random permutation”
– Build PRG, message authentication code,
other useful tools…
Inside Rijndael
• 128 bits of key
• 128 bit block size
• Other variants – 192 bit key, 256 bit key
• 9 “rounds” × 4 operations each
Encryption in Rijndael
• “State” of Rijndael cipher
– 128 bits (1 block) in 4x4 matrix of bytes
• Start with plaintext as state
• Each round, “mix” plaintext, key
• Last round: state = ciphertext.
Key Scheduling in Rijndael
• 128 bits of key, 9 rounds
• Need key for each round
• Which key bits go where?
• Stretch 128 bits to 1408 bits of round keys
• Uses Rijndael S-box (more later)
Inside a Rijndael Round
• AddRoundKey(state, RoundKey)
• ByteSub(state)
• ShiftRow(state)
• MatrixMultiply(state) – i.e. MixColumn
• 9 rounds
• 10 total rounds – last has no MatrixMultiply
Add Round Key
• XOR round key with state
• “preps” state for rest of round
• Self-inverse for decryption
ByteSub
• Each byte in state → S-Box(byte)
• “Substitution Box” S-box
• Nonlinear function over GF(2)
• Lookup table → very fast
The Rijndael S-Box
• S-box only nonlinear in round
• S-box properties critical for security
• Composition of 2 functions
– 1) Inverse of element in GF(2^8)
– 2) matrix mult + vector addition in GF(2)
– Two different fields!
The Field GF(2^8)
• Finite field, 256 elements
• Polynomials over GF(2)[x]/f(x)
• f(x) irreducible poly degree 8
• GF(2^8) represented as bytes
– e.g. `03' ↔ x + 1
• Addition just XOR! (Wicked fast)
Multiplication in GF(2^8)
• Multiplication = multiply polynomials
• Take modulo irreducible polynomial
• Many speedup tricks
– See CHES workshops: http://islab.oregonstate.edu/ches/
• Bottom line #1: matrix mult fast
• Bottom line #2: not same as GF(2) !
ShiftRow
• Shift rows of state matrix
• Guarantee “diffusion”
– Small changes in plaintext → large changes in ciphertext
– Next round key `mixes' in state
MixColumn
• Multiply state matrix by special matrix
• Matrix multiplication over GF(2^8)
• Guarantee “diffusion”
• Equivalent to multiplying columns by c(x) = `03' x^3 + `01' x^2 + `01' x + `02'
Decryption in Rijndael
• All operations invertible (if key known!)
– XOR round key → XOR round key
– S-box → inverse lookup table
– ShiftRow → shift back
– MatrixMult → inverse matrix
• 30% slower than encryption
– Inverse matrix more complicated
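The pieces the preceding slides describe (GF(2^8) arithmetic, the S-box as field inversion followed by an affine map over GF(2), ShiftRow, MixColumn by c(x), AddRoundKey, the key schedule, and the inverse steps used for decryption) assembled into a working AES-128, as an added example that is not part of the original slides. The function names are my own; the state layout (column-major, `s[r + 4*c]`), the key-expansion rule and the check values are those of FIPS-197.

```python
# Added example, not from the slides: a from-scratch AES-128 (128-bit key and
# block) assembled from exactly the pieces the slides name. Byte order and the
# test values follow FIPS-197; everything else (names, layout) is my own choice.

AES_POLY_LOW = 0x1B  # low 8 bits of f(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)

def xtime(a):
    """Multiply by x (`02') in GF(2^8): shift left, reduce modulo f(x) if needed."""
    a <<= 1
    return (a ^ AES_POLY_LOW) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two GF(2^8) elements: shift-and-XOR, reducing modulo f(x) each step."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) is 0 by convention."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b):
    """Second half of the S-box, over GF(2): fixed 8x8 bit-matrix multiply, then add 0x63."""
    s = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (0x63 >> i))
        s |= (bit & 1) << i
    return s

SBOX = bytes(affine(gf_inv(a)) for a in range(256))   # ByteSub lookup table
INV_SBOX = bytes(SBOX.index(v) for v in range(256))     # valid because S-box is a permutation

def shift_rows(s, inverse=False):
    """State is 16 bytes, column-major (s[r + 4*c]); row r rotates left by r positions."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, coeffs=(2, 3, 1, 1)):
    """Multiply each column by c(x) = 03 x^3 + 01 x^2 + 01 x + 02 modulo x^4 + 1,
    i.e. by the circulant matrix over GF(2^8) whose first row is coeffs."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for i in range(4):
            acc = 0
            for j in range(4):
                acc ^= gf_mul(coeffs[(j - i) % 4], col[j])
            out.append(acc)
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):
    """Stretch the 16-byte key into 11 round keys (176 bytes = 1408 bits)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord (S-box reused here)
            t[0] ^= rcon
            rcon = xtime(rcon)                      # round constants 01, 02, 04, ..., 1b, 36
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(key, pt):
    rk = expand_key(key)
    s = add_round_key(list(pt), rk[0])
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                    # ByteSub
        s = shift_rows(s)                           # ShiftRow
        if rnd != 10:                               # final round has no MixColumn
            s = mix_columns(s)
        s = add_round_key(s, rk[rnd])
    return bytes(s)

def decrypt_block(key, ct):
    """Apply the inverse of each step in reverse order, with the same round keys."""
    rk = expand_key(key)
    s = add_round_key(list(ct), rk[10])
    for rnd in range(9, -1, -1):
        s = shift_rows(s, inverse=True)
        s = [INV_SBOX[b] for b in s]
        s = add_round_key(s, rk[rnd])
        if rnd != 0:
            s = mix_columns(s, (14, 11, 13, 9))     # inverse matrix: 0e 0b 0d 09
    return bytes(s)

if __name__ == "__main__":
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(key, pt)
    print(ct.hex())          # FIPS-197 C.1: 69c4e0d86a7b0430d8cdb78070b4c55a
    assert decrypt_block(key, ct) == pt
```

Two things worth noticing when reading it against the slides: `gf_inv` and `affine` work in different fields (one is polynomial arithmetic modulo f(x), the other is bit-matrix arithmetic over GF(2)), which is exactly the "two different fields" point, and the only place either appears at run time is in building `SBOX` once, after which ByteSub is a table lookup. Decryption reuses the same round keys in reverse but multiplies by the inverse matrix (0e 0b 0d 09), whose coefficients need more `xtime` steps than 02 and 03, which is where the "inverse matrix more complicated" slowdown comes from.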
Security in Block Ciphers
• Different from public-key world.
• “Smart people couldn’t find an answer.”
• Prove cipher resistant to certain attacks.
• ANY attack better than brute force = break
• “Academic” attacks → real attacks.
• Maybe NSA knows better?
Rijndael Security Rationales
• Key scheduling
– Eliminate related-key attacks, symmetry
• S-box
– Matrix over GF(2) chosen carefully
– “complicated” expression in GF(2^8)
• Linear “mixing layer”
– ShiftRow offsets resist previous attacks
– MixColumn polynomial chosen for diffusion
Recent Work on Rijndael
• Murphy and Robshaw – ‘generalized AES’ over GF(2^8) alone
http://www.isg.rhul.ac.uk/~mrobshaw/rijndael.html
– S-box in Rijndael over GF(2)
– Matrix mult over GF(2^8) – not the same!
– `generalized AES' over one field only → easier analysis?
• Courtois and Pieprzyk – algebraic attack??
http://www.minrank.org/aes/
– Controversial (may not actually work??)
– Requires solving many sparse polynomial equations
• Is there an algebraic geometer in the audience?
Implementing Rijndael
• Byte-oriented operations
• Small S-boxes
• Key schedule space saving tricks
Rijndael Performance
• 200 MHz Pentium Pro: 70.5 Mbit/s
• 8-bit
– 8051: 3744 cycles / 826 bytes code size
– 68HC08: 8390 cycles / 36 bytes RAM
• Java on 200 MHz Pentium: 1100 kbit/s
Where Next for AES?
• Chaining modes
– How to encrypt BIG messages?
– Encrypt in a “non-malleable” way with 1 pass?
– Encrypting streams (not all message known)
• Interoperable implementations
– Test vectors, vendor implementations
– Google for free libraries
• More cryptanalysis!
Where To Learn More
• Rijndael Candidate Submission
http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
• Federal Information Processing Standard
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
• NIST AES Facts
http://csrc.nist.gov/encryption/aes/aesfact.html
• John Savard’s Rijndael Page
http://home.ecn.ab.ca/~jsavard/crypto/co040801.htm
• Rijndael Fan Club
http://www.rijndael.com
Where To Learn More (2)
• Helger Lipmaa’s Block Cipher Links
http://www.tcs.hut.fi/~helger/crypto/link/block/
• Rivest’s Crypto Links
http://theory.lcs.mit.edu/~rivest/crypto-security.html
• IACR eprint archive
http://eprint.iacr.org