1 / 21

Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm

Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm. Professor Wayne Patterson Howard University Fall 2009. In the RSA, we studied modular arithmetic systems:  p

kimball
Download Presentation

Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Science 653 --- Lecture 7Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009

  2. In the RSA, we studied modular arithmetic systems: p This system can also be thought of as the integers , /(p), which means in this new system, we collapse all the values which have the same remainder mod p We saw that if p is a prime, the system p has the special property that all non-zero elements have multiplicative inverses Such an algebraic system is called a field In Rijndael, all of the mathematics can be done in a system called a Galois Field GF(p,n) This system can also be thought of as all polynomials Zp[x] in a single variable, then Zp[x]/(q(x)), where q(x) is an irreducible polynomial of degree n Irreducible polynomials are like prime numbers --- they cannot be factored. By analogy, the system where we collapse polynomials with the same remainder mod q(x) also becomes a field, which we call GF(p,n), the Galois field. The Underlying Mathematics: Galois Fields

  3. The Main Result Concerning Galois Fields • It was a result developed by Evariste Galois, in the early nineteenth century, that all algebraic fields with a finite number of elements can be described as a GF(p,n) (including the fields Zp , since they can be thought of as GF(p,1), i.e. dividing by an irreducible polynomial of degree 1 (such as ax+b). • Furthermore, all of the possible choices for a Galois field of type GF(p,n) are equivalent, and their number of elements is pn.

  4. And a Bit About Galois Himself • Lived in the early 19th century in Paris • Developed very important results in algebra while a teenager • Was also a political radical and went to prison • Upon his release, his interest in a young woman led to a duel in which he was killed at age 21 • He didn’t name Galois fields, they were named after him.

  5. Looking at Rijndael • Lucifer or Feistel –type cipher • Simplest version: 128-bit messages, 128-bit keys, 10 rounds • Created by Vincent Rijmen and Joan Daemen • Belgians --- Catholic University of Louvain and Proton Corporation • Adopted as Advanced Encryption Standard • After two-stage competition originally involving 18 proposals from around the world • Five finalists, including several non-US • Winner obviously non-US • Adapted as AES in late 2001

  6. Best Reference • Although there are many papers, books, articles about Rijndael/AES, most thorough reference is: • “The Design of Rijndael,” Joan Daemen and Vincent Rijmen, Springer 2001 • Rijndael is best pronounced “RAIN-DOLL”

  7. Test Vectors • On page 215 and 216 of the handout, Appendix D, are the results of each round of a Rijndael encryption • Assumes 128-bit (or 16-byte) test message and cipher key • Message or plaintext is (in hex bytes): • 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 • Key is: • 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

  8. Outputs at Each Stage • Note that under the column heading “ENCRYPT” on page 216 are partial results, i.e. • R[00].input • R[00].k_sch • R[01].start • R[01].s_box • R[01].s_row • R[01].m_col • R[01].k_sch • R[02].start … and so on

  9. What Does R[xx].xxxx mean? • The R[00] vectors are the inputs, in other words • R[00].input is the message from the previous page • 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 • R[00].k_sch is the “key schedule” for round 0, in other words, the original input key or • 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

  10. R[01].xxxxx • We will compute all the R[01].xxxxx’s • They are the first round computations • Thus the entire encryption takes one to R[10].output • R[01].start is simply the XOR of the plaintext and key • R[01].s_box is a procedure called “ByteSub” using the single S-box used in the method • R[01].s_row is the result of a procedure called “ShiftRow” • R[01].m_col is the result of a procedure called “MixColumn” • R[01].k_sch is the “Key Schedule” or the generated key for the next round • R[02].start is, again, the XOR of the result of round one and the key schedule generated at the end of round one.

  11. Pseudo-C Code for a Round • Round(State, ExpandedKey[i]) • { • SubBytes(State); • ShiftRows(State); • MixColumns(State); • AddRoundKey(State, ExpandedKey[i]); • }

  12. Recall from last week: The Hex XOR Table

  13. Computing R[01].start • We have R[00].input • 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 • To XOR with R[00].k_sch • 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c • Which gives R[01].start • 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08

  14. Computing R[01].s_box • This is the SubBytes or S-box step • Note the S-box table on page 211 (and its inverse on page 212) • The operation is simply to look up the S-box value for each byte in R[01].start • 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08 • R[01].s_box is • d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30

  15. Computing R[01].s_row • This is the “Shift Rows” step • Basically, one writes R[01].s_box into a 4-by-4 array, writing column-wise (that is, fill the first column first, then the second column, …) • Recall R[01].s_box is • d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30 • Writing column-wise Now a circular left-shift • d4 e0 b8 1e d4 e0 b8 1e • 27 bf b4 41 bf b4 41 27 • 11 98 5d 52 5d 52 11 98 • ae f1 e5 30 30 ae f1 e5 • Where the shift is 0, 1, 2, or 3 in the 0, 1, 2, 3 row • Write this out in a single row to get R[01].s_row • d4 bf 5d 30 e0 b4 52 ae b8 41 11 f1 1e 27 98 e5

  16. Computing R[01]m_col • This is the “Mix Columns” step, undoubtedly the trickiest • This is actually a computation in the Galois Field of polynomials over GF(28). • But let’s not worry about that. It can also be expressed as a matrix product of a fixed matrix C with R[01].s_row again written columnwise: • 02 03 01 01 d4 e0 b8 1e • 01 02 03 01 bf b4 41 27 • 01 01 02 03 5d 52 11 98 • 03 01 01 02 30 ae f1 e5

  17. Matrix Multiplication Revisited • The result of this multiplication will be, as you know, another 4x4 matrix. Again, when we string out the column-wise version, we will get R[01].m_col • However, these multiplications are in GF(28), or mod 256 arithmetic, and the handout conveniently supplies “log tables” (pages 221 and 222) to make the computation simpler • Indeed, in the code is a brief function to do the multiplication (mul, p. 223) • Essentially, mul is • Alogtable[(Logtable[a]+Logtable[b]) % (mod) 255]

  18. Showing the Calculation of the First Byte • We will only compute the first byte of the matrix product, which is gotten by the usual method of the first row of the left-hand matrix by the first column of the right-hand matrix, thus • 02 03 01 01 d4 e0 b8 1e • 01 02 03 01 bf b4 41 27 • 01 01 02 03 5d 52 11 98 • 03 01 01 02 30 ae f1 e5 • Yields for the first component • 02 d4  03 bf  01 5d  01 30

  19. Using mul • 02 d4  03 bf  01 5d  01 30 • Using the mul function for the first two terms (the right-hand side will be decimal numbers): • mul(2, d4) = Alogtable[Logtable[2]+Logtable[212]] = Alogtable[25 + 65] = Alogtable[90] = 179 = b3 (hex) • mul(3, bf) = Alogtable[Logtable[3]+Logtable[191]] = Alogtable[1 + 157] = Alogtable[158] = 218 = da (hex) Thus, we need to compute b3  da  5d  30

  20. Maybe easier in bits? Thus, we need to compute b3  da  5d  30 Or, b 1011 3 0011 d 1101 a 1010 5 0101 d 1101 • 0011 0 0000 Or 0000 0100 = 04 Note the first byte in R[01].m_col (maybe we were just lucky!)

  21. Last Step --- Key Schedule In the key schedule, we use the previous key, XOR it with another part of the previous key, run through the S-box, and with a possible counter added This time, I will only calculate the first word, or 4 bytes of the key. Take the first 4 bytes of the former key: 2b 7e 15 16 Left rotate once the last 4 bytes: 09 cf 4f 3c  cf 4f 3c 09 Run this last part through the S-box: SubByte(cf 4f 3c 09) = 8a 84 eb 01 XOR these, with a counter of 1 on the first byte: 2b  8a  01 7e  84 15  eb 16  01 = a0 fa fe 17

More Related