Standard (Rijndael)
Códigos y Criptografía
secure ciphers
Source code in C
Test vectors
AES: Candidates
Round 1, June 1998:
15 Candidates
from USA, Canada, Belgium, France, Germany, Norway, UK,
Israel, Korea, Japan, Australia, Costa Rica.
Security, Software efficiency
Round 2, August 1999:
5 final candidates
Mars, RC6, Rijndael, Serpent, Twofish
Security, Hardware efficiency
October 2000
1 winner: Rijndael
Belgium
AES: Candidates
USA: Mars, RC6, Twofish, Safer+, HPC
Canada: CAST-256, Deal
Costa Rica: Frog
Australia: LOKI97
Japan: E2
Korea: Crypton
Belgium: Rijndael
France: DFC
Germany: Magenta
Israel, GB, Norway: Serpent
America (8) Europe (4) Asia (2)
Australia (1)
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Middle-of-the-Road
7. CAST-256 -2
8. Safer+ -4
9. DFC -5
Mild NO
10. Crypton -15
Overwhelming NO
11. DEAL -70
12. HPC -77
13. Magenta -83
14. Loki97 -85
15. Frog -85
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Overwhelming YES:
1. Rijndael +76
2. RC6 +73
3. Twofish +61
4. Mars +52
5. Serpent +45
Mild YES
6. E2 +14
AES: Final 5
USA
Mars - IBM
C. Burwick, D. Coppersmith, E. D'Avignon,
R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
L. O'Connor, M. Peyravian, D. Safford,
N. Zunic
RC6 - RSA Data Security, Inc.
R. Rivest - MIT
M. Robshaw, R. Sidney, Y. L. Yin - RSA
Twofish - Counterpane Systems
B. Schneier, J. Kelsey, C. Hall, N. Ferguson
- Counterpane, D. Whiting - Hi/fn,
D. Wagner - Berkeley
AES: Final 5
Europe
Rijndael - J. Daemen, V. Rijmen
Katholieke Universiteit Leuven
Belgium
Serpent - R. Anderson, Cambridge, England
E. Biham - Technion, Israel
L. Knudsen, University of Bergen, Norway
AES Finalists (2)
Ron Rivest
Matt Robshaw
Yiqun Lisa Yin
rivest@mit.edu
mrobshaw@supanet.com
yiqun@nttmcl.com
Security
Performance
Ease of implementation
Simplicity
Flexibility
Simplicity
Facilitates and encourages analysis
thorough mixing
one-way function
no key separation (cf. Twofish)
no related-key attacks (cf. Rijndael)
Conclusions
RC6 is a simple yet remarkably strong cipher
(The End)
conservative construction
Minuses:
slow in software
moderate flexibility
fastest in hardware
security margin
novel ideas
Minuses:
security margin
US
strongly advertized
Minuses:
moderate flexibility
Rijndael OverView
3 Design Goals:
1. Resistance against known attacks
2. Speed and code compactness on a variety of
platforms
3. Design simplicity
Rijndael OverView
Rijndael/AES Designed by:
Joan Daemen, Proton World International
Vincent Rijmen,
Katholieke Universiteit Leuven
Block cipher
Symmetric key
Arithmetic based in the Galois Field GF(2^8)
Fast and scalable
Resistant to all known cryptanalysis attacks
Rijndael
The block cipher Rijndael is designed to use only
simple whole-byte operations. Also, it provides
extra flexibility over that required of an AES
candidate, in that both the key size and the block
size may be chosen to be any of 128, 192, or 256
bits.
Rijndael
During an early stage of the AES process, a draft
version of the requirements would have required
each algorithm to have three versions, with both the
key and block sizes equal to each of 128, 192, and
256 bits. This was later changed to make the three
required versions have those three key sizes, but
only a block size of 128 bits, which is more easily
accommodated by many types of block cipher
design.
Rijndael
The original description of Rijndael is available at:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
However, the variations of Rijndael which act on larger
block sizes apparently will not be included in the actual
standard, on the basis that the cryptanalytic study of Rijndael
during the standards process primarily focused on the
version with the 128-bit block size.
Rijndael is a relatively simple cipher in many respects.
Rijndael OverView
Each round consists of 4 steps
Rijndael OverView
The basic operations applied to the block are:
1) ByteSub: Applying an S-box (substituting each
byte with another, based on an equation in GF(2^8));
2) ShiftRow: Shifting the rows in a circular way, the
amount of shift (0, 1, 2, 3, or 4 bytes) depending on the
position from the top and on the block size,
Rijndael OverView
3) MixColumn: Mixing the 4, 6, or 8 columns vertically
by taking invertible linear combinations (in GF(2^8)) of
the elements in each column; and
4) Round Key Addition: XORing each byte with a round
key (done before the first round for whitening, and
again at the end of each round).
Rijndael: Algorithm
Rijndael Cypher AES (data_block, key)
{ in → State, RoundKeys
  State ← State xor RoundKey_0
  for Round = 1 to Nr
    SubBytes(State)
    ShiftRow(State)
    If not(lastRound) then MixColumn(State)
    State ← State xor RoundKey_Round
  out ← State }
MC, ARK;
MC, ARK;
MC, ARK;
9 of them!!
MC, ARK;
ARK;
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Rijndael
b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15
Francisco Rodríguez Henríquez
b0 b4 b8  b12
b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15

S(b0) S(b4) S(b8)  S(b12)
S(b1) S(b5) S(b9)  S(b13)
S(b2) S(b6) S(b10) S(b14)
S(b3) S(b7) S(b11) S(b15)
Rijndael: S-Box
 99 124 119 123 242 107 111 197  48   1 103  43 254 215 171 118
202 130 201 125 250  89  71 240 173 212 162 175 156 164 114 192
183 253 147  38  54  63 247 204  52 165 229 241 113 216  49  21
  4 199  35 195  24 150   5 154   7  18 128 226 235  39 178 117
  9 131  44  26  27 110  90 160  82  59 214 179  41 227  47 132
 83 209   0 237  32 252 177  91 106 203 190  57  74  76  88 207
208 239 170 251  67  77  51 133  69 249   2 127  80  60 159 168
 81 163  64 143 146 157  56 245 188 182 218  33  16 255 243 210
205  12  19 236  95 151  68  23 196 167 126  61 100  93  25 115
 96 129  79 220  34  42 144 136  70 238 184  20 222  94  11 219
224  50  58  10  73   6  36  92 194 211 172  98 145 149 228 121
231 200  55 109 141 213  78 169 108  86 244 234 101 122 174   8
186 120  37  46  28 166 180 198 232 221 116  31  75 189 139 138
112  62 181 102  72   3 246  14  97  53  87 185 134 193  29 158
225 248 152  17 105 217 142 148 155  30 135 233 206  85  40 223
140 161 137  13 191 230  66 104  65 153  45  15 176  84 187  22
S-Box Arithmetic: Elements in
G := GF(2^8, 1 + x + x^3 + x^4 + x^8)
n hex → n bin (polynomial with n's bits for coeffs)
Arithmetic in Z_2 (+/*), then mod by 1 + x + x^3 + x^4 + x^8
polynomial → n bin → n hex
ByteSub(x) = AM x^-1 + 63 hex
Precompute and use lookup table
The resulting byte y7 y6 y5 y4 y3 y2 y1 y0 represents an 8-dimensional column vector, with the rightmost bit y0
in the top position. Multiply by a matrix and add the
column vector (1, 1, 0, 0, 0, 1, 1, 0) to obtain a vector z7
z6 z5 z4 z3 z2 z1 z0 as shown in the next slide:
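$$
\begin{pmatrix}
1&0&0&0&1&1&1&1\\
1&1&0&0&0&1&1&1\\
1&1&1&0&0&0&1&1\\
1&1&1&1&0&0&0&1\\
1&1&1&1&1&0&0&0\\
0&1&1&1&1&1&0&0\\
0&0&1&1&1&1&1&0\\
0&0&0&1&1&1&1&1
\end{pmatrix}
\begin{pmatrix} y_0\\ y_1\\ y_2\\ y_3\\ y_4\\ y_5\\ y_6\\ y_7 \end{pmatrix}
+
\begin{pmatrix} 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\\ 0 \end{pmatrix}
=
\begin{pmatrix} z_0\\ z_1\\ z_2\\ z_3\\ z_4\\ z_5\\ z_6\\ z_7 \end{pmatrix}
$$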
1 1 0 0 0 1 1 1   0   1   1
1 1 1 0 0 0 1 1   1   0   1
1 1 1 1 0 0 0 1   0   0   1
1 1 1 1 1 0 0 0   0   0   1
0 1 1 1 1 1 0 0   0   1   0
0 0 1 1 1 1 1 0   0   1   0
0 0 0 1 1 1 1 1   0   0   0
from
1 5 9 13 17 21
2 6 10 14 18 22
3 7 11 15 19 23
4 8 12 16 20 24
to
1 5 9 13 17 21
6 10 14 18 22 2
11 15 19 23 3 7
16 20 24 4 8 12
from
1 5 9 13 17 21 25 29
2 6 10 14 18 22 26 30
3 7 11 15 19 23 27 31
4 8 12 16 20 24 28 32
to
1 5 9 13 17 21 25 29
6 10 14 18 22 26 30 2
15 19 23 27 31 3 7 11
20 24 28 32 4 8 12 16
GF(2^8): The Galois Field with 2^8 elements is the Finite Field
GF(2^8) = Z_2[x]/m(x)
Rijndael chooses m(x) = 1 + x + x^3 + x^4 + x^8
If the result has more than 8 bits, the extra bits are not
simply discarded: instead, they're cancelled out by XORing
the binary 9-bit string 100011011 with the result (shifted
right if necessary). This string stands for the generating
polynomial of the particular version of GF(2^8) used by
Rijndael.
    11001010
          11
   ---------
    11001010
   11001010
   ---------
   101011110 (XOR instead of addition)
   100011011 (this is XORed, instead of subt. 256)
   ---------
     1000101
with arithmetic in GF(2^8).
First bits of the expanded key are set to the bits of the
cipher key
$r(i) = 00000010^{(i-4)/4}$
For keys 128 and 192 bits in length, the subkey material,
which consists of all the round keys in order, consists of the
original key, followed by stretches, each the length of the
original key, consisting of four-byte words such that each
word is the XOR of the preceding four-byte word and either
the corresponding word in the previous stretch or a function
of it.
[Table of round constant values in decimal; the table layout did not survive extraction. Entries present, in extracted order: 16 54 108 216 171 77 154 94 188 99 198 151 53 106 212 239 197 145 27 32 64 128 47 57 114]
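The GF(2^8) multiplication worked above, the ByteSub construction (field inverse followed by the affine map), and the key schedule for 128-bit keys, tied together in one added example. This code is not from the original slides or from the Rijndael authors; the function names are chosen here, and only the 128-bit key case is covered.

```python
def gmul(a, b):
    """Multiply bytes as polynomials over GF(2), reduced by 100011011 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a            # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:
            a ^= 0x11B        # cancel the ninth bit instead of discarding it
        b >>= 1
    return r

def ginv(a):
    """Multiplicative inverse in GF(2^8) by exhaustive search; 0 maps to 0."""
    return next((x for x in range(1, 256) if gmul(a, x) == 1), 0)

def byte_sub(x):
    """ByteSub: invert in GF(2^8), then apply the affine map (matrix, + 63 hex)."""
    y, z = ginv(x), 0
    for i in range(8):        # row i of the matrix selects bits i, i+4, ..., i+7
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (y >> ((i + k) % 8)) & 1
        z |= bit << i
    return z ^ 0x63

SBOX = [byte_sub(x) for x in range(256)]   # the lookup table, recomputed

def round_constant(n):
    """n-th round constant: 00000010^(n-1) in GF(2^8), i.e. 1, 2, 4, ..., 128, 27, 54."""
    r = 1
    for _ in range(n - 1):
        r = gmul(r, 2)
    return r

def expand_key_128(key):
    """Expand a 16-byte key into 44 four-byte words (round keys 0 to 10)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:        # first word of a stretch: rotate, S-box, add constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= round_constant(i // 4)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(x) for x in w]

if __name__ == "__main__":
    print(format(gmul(0b11001010, 0b11), "b"))   # the worked product above
```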
Rijndael: Decryption
Inverse Cypher:
Reverse Steps
Use Keys in Reverse Order
ByteSub and ShiftRow Commute
MixColumn Matrix is Invertible
Rijndael: Decryption
1. The inverse of ByteSub is another lookup
table, called InvByteSub.
2. The inverse of ShiftRow is obtained by
shifting the rows to the right instead of to
the left, yielding InvShiftRow.
Rijndael: Decryption
3.
E B D 9
9 E B D
D 9 E B
B D 9 E
MC, ARK;
MC, ARK;
MC, ARK;
9 of them!!
MC, ARK;
ARK;
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Rijndael: Decryption
4. AddRoundKey is its own inverse.
Hence to decrypt we have to perform the following steps:
ARK, ISR, IBS
ARK, IMC, ISR, IBS;
ARK, IMC, ISR, IBS;
.....
ARK, IMC, ISR, IBS;
ARK;
Rijndael: Decryption
The order of the BS and the SR operations is exchangeable
(why??).
II.
Rijndael: Decryption
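$(c_{i,j}) \rightarrow (m_{i,j})(c_{i,j}) \rightarrow (e_{i,j}) = (m_{i,j})(c_{i,j}) \oplus (k_{i,j}).$
Where $(m_{i,j})$ is the 4*4 matrix in MixColumn and $(k_{i,j})$
solving $(e_{i,j}) = (m_{i,j})(c_{i,j}) \oplus (k_{i,j})$ for $(c_{i,j})$ in terms of $(e_{i,j})$, namely,
$(c_{i,j}) = (m_{i,j})^{-1}(e_{i,j}) \oplus (m_{i,j})^{-1}(k_{i,j}).$
Rijndael: Decryption
Therefore the decryption process to follow is:
$(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \oplus (k'_{i,j}),$
Where $(k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j})$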
Rijndael: Decryption
We now see that decryption is given by:
ARK, IBS, ISR
IMC, IARK, IBS, ISR;
IMC, IARK, IBS, ISR;
.....
IMC, IARK, IBS, ISR;
ARK.
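The three facts that justify this reordered decryption, checked in an added example (not code from the original slides): ByteSub and ShiftRow commute, the E B D 9 matrix undoes MixColumn, and InvMixColumn is linear, so the round key can be replaced by k' = m^-1 k. ShiftRow also takes the 6- and 8-column offsets from the from/to tables earlier. The function names, the stand-in substitution table and the sample state and key are constructed here; the commutation holds for any bytewise table, so the real S-box is not needed.

```python
OFFSETS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}  # row shifts by column count
MIX, INV_MIX = (2, 3, 1, 1), (0x0E, 0x0B, 0x0D, 0x09)          # first rows of the circulants
STAND_IN = [(7 * b + 99) % 256 for b in range(256)]            # constructed byte permutation

def shift_row(state, inverse=False):
    """Rotate row r left by its offset (right for InvShiftRow)."""
    out = []
    for row, off in zip(state, OFFSETS[len(state[0])]):
        off = (-off if inverse else off) % len(row)
        out.append(row[off:] + row[:off])
    return out

def byte_sub(state, table=STAND_IN):
    """Apply one substitution table to every byte independently."""
    return [[table[b] for b in row] for row in state]

def times(a, c):
    """Multiply byte a by a 4-bit constant c, XORing the doublings a, 2a, 4a, 8a."""
    r = 0
    for bit in range(4):
        r ^= a * (c >> bit & 1)
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # double, reducing by 100011011
    return r

def mix_column(state, coef=MIX):
    """Multiply every column by the circulant matrix whose first row is coef."""
    out = [[0] * len(state[0]) for _ in range(4)]
    for r in range(4):
        for j in range(len(state[0])):
            for k in range(4):
                out[r][j] ^= times(state[k][j], coef[(k - r) % 4])
    return out

def add_round_key(state, key):
    return [[a ^ b for a, b in zip(rs, rk)] for rs, rk in zip(state, key)]

def decryption_identities(c, k):
    """Return (BS/SR commute, IMC undoes MC, IMC(e) xor k' == c) for state c, key k."""
    commute = byte_sub(shift_row(c)) == shift_row(byte_sub(c))
    undo = mix_column(mix_column(c), INV_MIX) == c
    e = add_round_key(mix_column(c), k)          # e = m c XOR k  (MC, then ARK)
    k_prime = mix_column(k, INV_MIX)             # k' = m^-1 k
    linear = add_round_key(mix_column(e, INV_MIX), k_prime) == c
    return commute, undo, linear

C = [[(17 * r + 29 * j + 5) % 256 for j in range(4)] for r in range(4)]    # constructed state
K = [[(91 * r + 13 * j + 200) % 256 for j in range(4)] for r in range(4)]  # constructed key
```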
Summarizing, we have the following procedures to perform
encryption/decryption with the Rijndael algorithm:
Rijndael: Encryption
1. ARK using the 0th key.
2. Nine rounds of BS, SR, MC, ARK using round keys 1
to 9.
3. A final round: BS, SR, ARK, using the 10th round key.
Rijndael: Decryption
1. ARK using the 10th key.
2.
3. A final round: IBS, ISR, ARK, using the 0th round key.
(BS, SR), (MC, ARK), (BS, SR), ..., (MC, ARK), (BS, SR),
followed by a final ARK.
In Rijndael all the bits are treated uniformly. This has
the effect of diffusing the input bits faster.
The Rijndael S-box is highly nonlinear, since it is based
on the mapping x → x^-1 in GF(2^8). This means that
Rijndael is excellent at resisting differential and linear
cryptanalysis attacks.
The Key Schedule involves nonlinear mixing of the key
bits, since it uses the S-box. The mixing is designed to
resist attacks where the cryptanalyst knows part of the
key and tries to deduce the remaining bits.
The round constants are used to eliminate symmetries in
the encryption process by making each round different.
It was felt that four extra rounds provide a large enough
margin of safety. Of course, the number of rounds could
easily be increased if needed.