
AES (Rijndael)

Slides based on: Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2, and FIPS PUB 197, Advanced Encryption Standard (AES), December 04, 2001. Rijndael allows variable block and key sizes; AES fixes the block size at 128 bits with keys of 128, 192 or 256 bits. Topics: AES requirements and selection process, the Rijndael block cipher, modes of operation.



Presentation Transcript


  1. AES (Rijndael) Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN 3-540-42580-2. FIPS PUB 197, Advanced Encryption Standard (AES), December 04, 2001. Rijndael: variable block and key sizes (128 to 256 bits, in 32-bit steps); AES: fixed 128-bit block size, keys of 128, 192 or 256 bits.

  2. AES requirements • Block cipher • 128-bit blocks • 128/192/256-bit keys • Worldwide royalty-free • More secure than Triple DES • More efficient than Triple DES

  3. AES Calendar • Jan. 2, 1997: Announcement of intent to develop AES and request for comments • Sep. 12, 1997: Formal call for candidate algorithms • Aug. 20-22, 1998: First AES Candidate Conference (AES1), Ventura, California, USA; beginning of Round 1 evaluation (15 algorithms) • Mar. 22-23, 1999: Second AES Candidate Conference (AES2), Rome, Italy; 5 algorithms selected for Round 2 afterwards • Apr. 13-14, 2000: Third AES Candidate Conference (AES3), New York, USA • Oct. 2, 2000: Final AES selection announced (Rijndael!)

  4. AES Round 1 algorithms • 15 algorithms were submitted and presented at the AES1 conference: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent and Twofish

  5. AES Round 2 Algorithms • After the AES2 conference, NIST selected the following 5 algorithms as the Round 2 (finalist) candidates: MARS, RC6, Rijndael, Serpent and Twofish

  6. Security of AES Candidates

  7. Comparison of AES2 algorithms (I): encryption speed analysis by NIST

  8. Comparison of AES2 algorithms (II): Java implementation by A. Sterbenz (Graz Univ.)

  9. Comparison of AES2 algorithms (III): smart card implementation by F. Sano (Toshiba) * : measured with the weak-key check in the key schedule omitted

  10. Comparison of AES2 algorithms (IV): CMOS ASIC implementation by Ichikawa (Mitsubishi)

  11. Rijndael – Overview • Proposed by Joan Daemen and Vincent Rijmen (Belgium) • Design choices • Square-type design (same structure as the authors' earlier Square cipher) • Three distinct invertible uniform transformations (layers) • Linear mixing layer: guarantees high diffusion • Non-linear layer: parallel application of S-boxes • Key addition layer: XOR of the round key into the intermediate state • Initial key addition and final key addition • Representation of state and key • Rectangular array of bytes with 4 rows (square type) • Nb: number of columns of the state (4 to 8) • Nk: number of columns of the cipher key (4 to 8) • Nb is independent of Nk

  12. Rijndael - States [figure: the cipher key as a 4 × Nk byte array (Nk = 4 shown) and the state as a 4 × Nb byte array (Nb = 6 shown); the number of rounds Nr is determined by Nb and Nk as Nr = max(Nb, Nk) + 6, giving 10, 12 or 14 rounds for AES]

  13. Rijndael - Encryption • Block size: 128 bits (the state is a 4 × 4 byte array) • Key size: 128/192/256 bits • Structure: input whitening (bit-wise key addition), Nr − 1 round transformations (BS, SR, MC, ARK), then an output transformation (BS, SR, ARK) • Component functions • ByteSubstitution (BS): S-box applied to every byte • ShiftRow (SR): circular shift of each row • MixColumn (MC): linear map on each column (branch number 5) • AddRoundKey (ARK): bit-wise XOR with the round key • MC is omitted in the last round

  14. Properties • Substitution-Permutation Network (SPN) • (Invertible) nonlinear layer: confusion • (Invertible) linear layer: diffusion • Branch number • Measures the diffusion power of the linear layer • Let F be a linear transformation on n words (bytes, in the case of MixColumn) • W(a): the number of nonzero words in a • $\mathcal{B}(F) = \min_{a \neq 0}\{W(a) + W(F(a))\}$ • Rijndael: MixColumn has branch number 5, the maximum possible for 4 words (an MDS matrix)

  15. Security Goals • K-secure • No shortcut attacks: no key-recovery attack faster than exhaustive key search • No symmetry property such as the complementation property of DES • No non-negligible classes of weak keys, as in IDEA • No related-key attacks • Hermetic • No weakness that is not also present for the majority of block ciphers with the same block and key length • Rijndael was designed to be K-secure and hermetic

  16. Component Functions • ByteSubstitution: S(x) = A(x^{-1}), the multiplicative inverse in GF(2^8) (with 0 mapped to 0) followed by an affine transformation A over GF(2); the inverse map has almost maximal nonlinearity (p. 105). The field is defined modulo m(x) = x^8 + x^4 + x^3 + x + 1 • ShiftRow: rows 0 to 3 are rotated by 0, C1, C2 and C3 positions (1, 2, 3 for Nb = 4) • MixColumn: 4 × 4 matrix multiplication over GF(2^8) applied to each column (p. 107), with the circulant matrix (entries in hexadecimal)
$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$$

  17. Rijndael: Pseudo-Code (p. 108)
      Rijndael(State, CipherKey) {
          KeyExpansion(CipherKey, ExpandedKey);
          AddRoundKey(State, ExpandedKey);
          for (i = 1; i < Nr; i++) Round(State, ExpandedKey + Nb*i);
          FinalRound(State, ExpandedKey + Nb*Nr);
      }
      Round(State, RoundKey) {
          ByteSub(State); ShiftRow(State); MixColumn(State); AddRoundKey(State, RoundKey);
      }
      FinalRound(State, RoundKey) {
          ByteSub(State); ShiftRow(State); AddRoundKey(State, RoundKey);
      }
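Worked example, added here and not code from the slides or from Daemen and Rijmen: AES-128 (Nb = Nk = 4, Nr = 10) in plain Python, following the layer structure of slides 13, 16 and 17. The S-box is derived from its definition (inverse in GF(2^8), then the affine map) rather than pasted as a table, the key schedule is the FIPS 197 one, and `column_branch_weight` evaluates the branch-number expression of slide 14 for one column. All function and variable names are this example's own; the test vector is FIPS 197 Appendix C.1.

```python
"""AES-128 (Nb = Nk = 4, Nr = 10) assembled from the ByteSub, ShiftRow, MixColumn and
AddRoundKey layers on the slides.  Added example, not code from the slides or the book.
State layout: a flat list of 16 bytes in FIPS 197 column-major order, s[4*c + r] = state[r][c]."""

def xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8) with the AES reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """ByteSub S-box from its definition: multiplicative inverse (0 -> 0), then the
    affine map s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4) ^ 0x63."""
    sbox = [0] * 256
    for x in range(256):
        v = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = v
        for k in range(1, 5):
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x

# MixColumn and its inverse as circulant matrices over GF(2^8) (slide 16).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(s, m=MIX):
    """Multiply every 4-byte column of the state by the matrix m."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(m[r][0], col[0]) ^ gf_mul(m[r][1], col[1])
                       ^ gf_mul(m[r][2], col[2]) ^ gf_mul(m[r][3], col[3]))
    return out

def shift_rows(s, inverse=False):
    """Row r of the state is rotated left by r byte positions (right for the inverse)."""
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def add_round_key(s, rk):
    return [a ^ k for a, k in zip(s, rk)]

def key_expansion(key):
    """FIPS 197 key schedule for a 16-byte key: returns the 11 round keys (16 bytes each)."""
    assert len(key) == 16, "this example implements AES-128 only"
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon                           # round constant x^(i/4 - 1)
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def encrypt_block(key, block):
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])                    # input whitening
    for r in range(1, 10):                                    # Nr - 1 full rounds
        s = add_round_key(mix_columns(shift_rows([SBOX[b] for b in s])), rk[r])
    s = shift_rows([SBOX[b] for b in s])                      # final round omits MixColumn
    return bytes(add_round_key(s, rk[10]))

def decrypt_block(key, block):
    """Straightforward inverse cipher: undo the rounds in reverse order."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[10])
    for r in range(9, 0, -1):
        s = [INV_SBOX[b] for b in shift_rows(s, inverse=True)]
        s = mix_columns(add_round_key(s, rk[r]), INV_MIX)
    s = [INV_SBOX[b] for b in shift_rows(s, inverse=True)]
    return bytes(add_round_key(s, rk[0]))

def column_branch_weight(col):
    """W(a) + W(MixColumn(a)) for one 4-byte column a (slide 14): 5 for a single nonzero byte."""
    a = list(col) + [0] * 12                 # the column inside an otherwise-zero state
    b = mix_columns(a)[:4]
    return sum(1 for x in a[:4] if x) + sum(1 for x in b if x)

if __name__ == "__main__":
    # FIPS 197 Appendix C.1 test vector
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(key, pt)
    print(ct.hex())                          # 69c4e0d86a7b0430d8cdb78070b4c55a
    assert decrypt_block(key, ct) == pt
```

This is a reference implementation for reading, not for deployment: the table lookups and the variable-time GF(2^8) multiplication leak timing and cache information, which is exactly what the slides' ASIC and smart-card comparisons sidestep and what production code avoids with constant-time or hardware (AES-NI) implementations.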

  18. Modes of Operation

  19. Mode of operation (I) • ECB (Electronic CodeBook) mode • Encryption: Ci = EK(Pi); decryption: Pi = DK(Ci), on n-bit blocks • If Ci = Cj then DK(Ci) = DK(Cj): equal plaintext blocks produce equal ciphertext blocks, so ECB leaks the block-level structure of the plaintext [figure: i) encryption with EK, ii) decryption with DK]

  20. Mode of operation (II) • CBC (Cipher Block Chaining) • IV: Initialization Vector (C0 = IV) • Ci = EK(Pi ⊕ Ci−1) • Pi = DK(Ci) ⊕ Ci−1 • An error in one ciphertext block corrupts 2 plaintext blocks: Pi entirely, Pi+1 in the same bit positions • Self-synchronizing • If the last block Pl is shorter than the block size, padding is required [figure: encryption chain with EK and decryption chain with DK over P1, P2, ..., Pl and C1, C2, ..., Cl]

  21. Mode of operation (III) • m-bit OFB (Output FeedBack) • A keystream Oi is generated by EK from a feedback register initialized with the IV, m bits at a time: Ci = Pi ⊕ Oi, Pi = Ci ⊕ Oi • No error propagation: a flipped ciphertext bit flips only the corresponding plaintext bit • Requires external synchronization • Behaves as a stream cipher • Only EK is used, for both encryption and decryption; DK is never needed [figure: I) encryption, II) decryption]

  22. Mode of operation (IV) • m-bit CFB (Cipher FeedBack) • Ci = Pi ⊕ EK(Ci−1), Pi = Ci ⊕ EK(Ci−1), with C0 = IV (full-block case; in the m-bit variant the previous m ciphertext bits are shifted into the feedback register) • Errors propagate until the erroneous bits have shifted out of the feedback register • Self-synchronizing • Only EK is used, for both encryption and decryption [figure: I) encryption, II) decryption]

  23. Mode of operation (V) • Counter mode • Ci = Pi ⊕ EK(Ti), Pi = Ci ⊕ EK(Ti) • Ti = ctr + i − 1 mod 2^m, with |ctr| = m the block size • Blocks are independent, so encryption and decryption can be computed in parallel, and only EK is needed [figure: keystream blocks EK(ctr), EK(ctr+1), ..., EK(ctr+m−1) XORed with P1, P2, ..., Pm−1 to give C1, C2, ..., Cm−1, and the same for decryption]

  24. Mode of Operation (VI) • CCM mode (Counter with CBC-MAC) • CTR mode for confidentiality + CBC-MAC for integrity • Authenticated encryption: a MAC is produced as part of the encryption process and verified on decryption before any plaintext is released

  25. Mode of operation - summary • Use of mode • ECB: key management (single-block values such as keys); unsuitable for file encryption because equal blocks are visible • CBC: file encryption; also the basis of CBC-MAC • m-bit CFB: self-synchronizing; because errors propagate it is unsuitable for channels with a high bit error rate • m-bit OFB: needs external synchronization; m = 1, 8 or n • Ctr: the counter need not be secret but must never repeat under the same key; parallel computation • CCM: authenticated encryption • Performance degradation / cost trade-off • None of ECB, CBC, CFB, OFB or Ctr detects modification of the ciphertext, so authenticated encryption (CCM) should be preferred whenever integrity matters
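Worked example, added here and not code from the slides: the five unauthenticated modes of slides 19 to 23 written over an abstract 16-byte block function, followed by a constructed experiment that flips one bit of ciphertext block C1 and counts, per plaintext block, how many bits change on decryption. That measures the error-propagation claims directly: 2 blocks for CBC (one garbled, one with a single flipped bit), the block itself plus the following block for full-block CFB, exactly one bit for OFB and CTR, one garbled block for ECB. It also shows the ECB equal-block leak of slide 19. The block cipher used is a 4-round Feistel network with SHA-256 as round function, chosen only so the file runs on its own; it is a stand-in, not AES, and `KEY`, `IV` and `PT` are constructed values.

```python
"""Modes of operation from slides 19 to 23 over an abstract 16-byte block function, plus a
constructed experiment that flips one ciphertext bit and counts the damage per plaintext
block.  Added example, not code from the slides.  The block cipher is a 4-round Feistel
network with SHA-256 as round function: a stand-in so the file runs alone, NOT AES."""
import hashlib

B = 16  # block size in bytes

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + B] for i in range(0, len(data), B)]
def _round_f(key, half, rnd): return hashlib.sha256(key + bytes([rnd]) + half).digest()[:B // 2]

def toy_encrypt(key, block):          # E_K: an invertible 128-bit map standing in for AES
    l, r = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _round_f(key, r, rnd))
    return l + r

def toy_decrypt(key, block):          # D_K: the Feistel rounds undone in reverse order
    l, r = block[:B // 2], block[B // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round_f(key, l, rnd)), l
    return l + r

# ECB: C_i = E_K(P_i).  Equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(enc, pt): return b"".join(enc(p) for p in blocks(pt))
def ecb_decrypt(dec, ct): return b"".join(dec(c) for c in blocks(ct))

# CBC: C_i = E_K(P_i xor C_{i-1}) with C_0 = IV;  P_i = D_K(C_i) xor C_{i-1}.
def cbc_encrypt(enc, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = enc(xor(p, prev)); out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec(c), prev)); prev = c
    return b"".join(out)

# Full-block CFB (m = n): C_i = P_i xor E_K(C_{i-1}); decryption also uses only E_K.
def cfb_encrypt(enc, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, enc(prev)); out.append(prev)
    return b"".join(out)

def cfb_decrypt(enc, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, enc(prev))); prev = c
    return b"".join(out)

# Full-block OFB: O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i xor O_i.  The same call decrypts.
def ofb_crypt(enc, iv, data):
    out, o = [], iv
    for d in blocks(data):
        o = enc(o); out.append(xor(d, o))
    return b"".join(out)

# CTR: C_i = P_i xor E_K(T_i), T_i = ctr + i - 1 mod 2^128.  Blocks are independent, so
# this could run in parallel; the same call decrypts.
def ctr_crypt(enc, ctr, data):
    start = int.from_bytes(ctr, "big")
    return b"".join(xor(d, enc(((start + i) % (1 << 128)).to_bytes(B, "big")))
                    for i, d in enumerate(blocks(data)))

# Constructed demo inputs (not from the slides).  Plaintext blocks 0 and 2 are identical.
KEY = b"constructed-key!"
IV = bytes(range(B))
PT = b"A" * B + b"B" * B + b"A" * B + b"C" * B

def ecb_pattern_leak():
    """True when ECB reveals that plaintext blocks 0 and 2 are equal (slide 19)."""
    ct = blocks(ecb_encrypt(lambda b: toy_encrypt(KEY, b), PT))
    return ct[0] == ct[2]

def differing_bits_per_block(decrypt, ct):
    """Flip the lowest bit of ciphertext block 1, decrypt, and count per plaintext block
    the bits that differ from PT: the slides' 'error propagation', measured."""
    bad = bytearray(ct); bad[B] ^= 0x01
    got = decrypt(bytes(bad))
    return [sum(bin(x ^ y).count("1") for x, y in zip(g, p))
            for g, p in zip(blocks(got), blocks(PT))]

def error_propagation_report():
    """{mode: [bits changed in P_0, P_1, P_2, P_3]} after the single-bit flip in C_1."""
    enc = lambda b: toy_encrypt(KEY, b)
    dec = lambda b: toy_decrypt(KEY, b)
    modes = {
        "ECB": (ecb_encrypt(enc, PT), lambda c: ecb_decrypt(dec, c)),
        "CBC": (cbc_encrypt(enc, IV, PT), lambda c: cbc_decrypt(dec, IV, c)),
        "CFB": (cfb_encrypt(enc, IV, PT), lambda c: cfb_decrypt(enc, IV, c)),
        "OFB": (ofb_crypt(enc, IV, PT), lambda c: ofb_crypt(enc, IV, c)),
        "CTR": (ctr_crypt(enc, IV, PT), lambda c: ctr_crypt(enc, IV, c)),
    }
    report = {}
    for name, (ct, decrypt) in modes.items():
        assert decrypt(ct) == PT                 # untampered round trip must succeed
        report[name] = differing_bits_per_block(decrypt, ct)
    return report
```

Read the report the other way round as well: in OFB and CTR a single flipped ciphertext bit flips exactly the same plaintext bit, so an attacker who knows part of the plaintext can rewrite it bit by bit without the key, and in CBC the same trick works on block Pi+1 at the cost of garbling Pi. This malleability is the reason the summary slide ends with CCM: a MAC over the ciphertext is what turns any of these modes into something that rejects tampered input.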
