
AES Proposal : Rijndael


Presentation Transcript


  1. AES Proposal : Rijndael • Joan Daemen, Vincent Rijmen

  2. Outline • Introduction • Rijndael • Round Function • Key Schedule • Encryption & Decryption • Rijndael on Modern Processors

  3. Introduction • Advanced Encryption Standard (AES) • A crypto algorithm for the twenty-first century • The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits. • The AES finalist candidate algorithms are MARS, RC6, Rijndael, Serpent, and Twofish. • On October 2, 2000, Rijndael was selected by the National Institute of Standards and Technology (NIST) for the proposed AES. • Rijndael • Rijmen & Daemen

  4. Rijndael • Iterated block cipher • The block length and the key length can be independently specified to 128, 192 or 256 bits (16, 24, or 32 bytes). • State : the intermediate cipher result • State and Key bytes arranged in rectangular array • Nb : # of columns of the array (Nb : 4,6,8) • Nk : # of the columns of the Cipher Key (Nk : 4,6,8)

  5. Rijndael • Nr : # of rounds • Nr = Max(Nb,Nk) + 6

  6. Round Function • Round function : uniform, parallel, and composed of 4 steps • Each step has its own particular function • ByteSub : nonlinearity • ShiftRow : inter-column diffusion • MixColumn : inter-byte diffusion within each column • Round key addition

  7. Round Function • The final round of the cipher is slightly different. • with the MixColumn step removed

  8. Round Step 1 : ByteSub • The ByteSub Transformation is a non-linear byte substitution • S-box • Replace each byte with its reciprocal in the same $GF(2^8)$ • A bitwise modulo-two matrix multiply is used. • The hexadecimal number 63 (01100011) is XORed with the result

  9. Round Step 1 : ByteSub

  10. Round Step 1 : ByteSub • S-box

  11. Round Step 1 : ByteSub • Inverse S-box (InvByteSub)

  12. Round Step 2 : ShiftRow • [Figure: row 0 no shift; row 1 cyclic shift by C1 (1); row 2 cyclic shift by C2 (2); row 3 cyclic shift by C3 (3)] • Row 0 is not shifted, Row 1 is shifted over C1 bytes, Row 2 over C2 bytes and Row 3 over C3 bytes. • The inverse of ShiftRow is a cyclic shift of the 3 bottom rows over (Nb-C1), (Nb-C2), and (Nb-C3) bytes: the byte at position j in row i moves to position (j+Nb-Ci) mod Nb

  13. Round Step 3 : MixColumn • The columns of the State are considered as polynomials over $GF(2^8)$ and multiplied modulo $x^4+1$ with a fixed polynomial $c(x)$: $c(x) = \texttt{'03'}x^3 + \texttt{'01'}x^2 + \texttt{'01'}x + \texttt{'02'}$ • Assume we have two polynomials over $GF(2^8)$, $a(x) = a_3x^3 + a_2x^2 + a_1x + a_0$ and $b(x) = b_3x^3 + b_2x^2 + b_1x + b_0$, and $c(x) = a(x)\,b(x)$

  14. Round Step 3 : MixColumn • By reducing $c(x)$ modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4 ($M(x) = x^4+1$): $x^i \bmod (x^4+1) = x^{i \bmod 4}$ • $d(x) = a(x) \otimes b(x) = d_3x^3 + d_2x^2 + d_1x + d_0$

  15. Round Step 3 : MixColumn • Bytes in column are linearly combined • InvMixColumn • Every column is transformed by multiplying it with a specific polynomial $d(x)$: $d(x) = \texttt{'0B'}x^3 + \texttt{'0D'}x^2 + \texttt{'09'}x + \texttt{'0E'}$ • $c(x) \otimes d(x) = \texttt{'01'} \bmod M(x)$

  16. Round Step 4 : Round Key Addition • The Round Key is derived from the Cipher Key. • The Round Key length is equal to the block length Nb. • AddRoundKey is its own inverse.

  17. Key Schedule • The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1. • Ex : Nb = 4 (128 bits), Nr = 10, Round Key bits = 128*11 = 1408 bits • The Cipher Key is expanded into the Expanded Key • Round Keys are taken from the Expanded Key • The first Round Key consists of the first Nb words, the second one of the following Nb words, and so on. • The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)]. • The key expansion function depends on the value of Nk • Nk ≦ 6 • Nk > 6

  18. Key Schedule • Key Expansion • Nk ≦ 6 • The first Nk words contain the Cipher Key

  19. Key Schedule • RotByte(W[i]) • (a,b,c,d) → (b,c,d,a) • SubByte(W[i]) • Rijndael S-box to the byte at the corresponding position in the input word • Round constants • Rcon[i] = (RC[i], '00', '00', '00') • $RC[1] = 1$ • $RC[i] = x \cdot RC[i-1] = x^{i-1}$ • $RC[i] \in GF(2^8)$

  20. Key Schedule • Nk > 6

  21. Key Schedule • Round Key Selection • Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)] • Ex : Nb=4

  22. Encryption

  23. Decryption

  24. Decryption

  25. Decryption • The ByteSub step and the ShiftRow step can change their order without affecting the cipher. • A BSMA BSMA BSMA … BSMA BSA • A SBMA SBMA SBMA … SBMA SBA • ASB AMSB AMSB … AMSB AMSB A • $y = [x \otimes c] \oplus k$ • $x' = [y \otimes d] \oplus k'$ • $x' = \{\{[x \otimes c] \oplus k\} \otimes d\} \oplus k' = [x \otimes c \otimes d] \oplus [k \otimes d] \oplus k'$ • if $k' = k \otimes d$ then $x' = x$

  26. Rijndael on Modern Processors

  27. Rijndael on Modern Processors • Define tables T0 to T3 : • 4 tables with 256 4-byte entries, total : 4 KByte

  28. Rijndael on Modern Processors

  29. Rijndael in Hardware
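
The ByteSub construction on slide 8 and the key expansion on slides 17 to 21, worked through as an added Python example (not code from the presentation). The reduction polynomial x^8+x^4+x^3+x+1 (0x11B) and the bit-matrix rows come from the Rijndael specification rather than the slides; the log/antilog tables on generator '03' and all function names are choices made for this example.

```python
def xtime(a):
    """Multiply by x ('02') in GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

# Log/antilog tables on the generator '03' (assumption of this example).
EXP, LOG = [0] * 255, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v ^= xtime(_v)                      # v * '03' = v*x + v

def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def sbox_byte(b):
    """ByteSub: reciprocal ('00' maps to itself), bit matrix, XOR '63'."""
    r = EXP[(255 - LOG[b]) % 255] if b else 0
    return r ^ rotl8(r, 1) ^ rotl8(r, 2) ^ rotl8(r, 3) ^ rotl8(r, 4) ^ 0x63

SBOX = [sbox_byte(b) for b in range(256)]
INV_SBOX = [SBOX.index(b) for b in range(256)]   # InvByteSub table

def sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def expand_key(key, nb=4):
    """Return the Expanded Key W[Nb*(Nr+1)] as a list of 32-bit words."""
    nk = len(key) // 4
    nr = max(nb, nk) + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rc = 1                                # RC[1] = 1
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:                   # RotByte, SubByte, XOR Rcon
            t = sub_word(((t << 8) | (t >> 24)) & 0xFFFFFFFF) ^ (rc << 24)
            rc = xtime(rc)                # RC[i] = x * RC[i-1]
        elif nk > 6 and i % nk == 4:
            t = sub_word(t)               # extra SubByte only when Nk > 6
        w.append(w[i - nk] ^ t)
    return w
```

Round Key i for Nb = 4 is the slice `w[4*i : 4*i + 4]` of the returned list.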
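
The MixColumn arithmetic of slides 13 to 15 and the decryption identity on slide 25, as an added Python example (not code from the presentation): it multiplies 4-term polynomials over GF(2^8) modulo x^4+1, checks that c(x) and d(x) are inverses, and shows why the decryption round key is k' = k ⊗ d. Function names and the low-order-first coefficient layout are assumptions of this example; the reduction polynomial 0x11B comes from the Rijndael specification, not the slides.

```python
def xtime(a):
    """Multiply by x ('02') in GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def polymul(a, b):
    """a(x) (x) b(x) modulo x^4 + 1; coefficients are [a0, a1, a2, a3].

    Since x^i mod (x^4+1) = x^(i mod 4), the product of terms i and j
    is accumulated at index (i + j) % 4.
    """
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gmul(a[i], b[j])
    return d

C = [0x02, 0x01, 0x01, 0x03]   # c(x) = '03'x^3 + '01'x^2 + '01'x + '02'
D = [0x0E, 0x09, 0x0D, 0x0B]   # d(x) = '0B'x^3 + '0D'x^2 + '09'x + '0E'

def mix_column(col):
    return polymul(col, C)

def inv_mix_column(col):
    return polymul(col, D)

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def round_trip(x, k):
    """Slide 25: y = [x (x) c] + k, then x' = [y (x) d] + k', k' = k (x) d."""
    y = xor(mix_column(x), k)
    k_prime = inv_mix_column(k)
    return xor(inv_mix_column(y), k_prime)
```

Because MixColumn is linear over XOR, applying InvMixColumn to the round key lets decryption add the key after the inverse mixing step and still recover x.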
