1 / 13

A simple algebraic representation of Rijndael

A simple algebraic representation of Rijndael. Niels Ferguson Richard Schroeppel Doug Whiting. I am biased. I’m one of the designers of Twofish, an AES finalist that lost to Rijndael in the AES competition. I spent several month attacking Rijndael. The finite field GF(2 8 ).

miakoda-young
Download Presentation

A simple algebraic representation of Rijndael

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A simple algebraic representation of Rijndael Niels FergusonRichard SchroeppelDoug Whiting

  2. I am biased • I’m one of the designers of Twofish, an AES finalist that lost to Rijndael in the AES competition. • I spent several month attacking Rijndael.

  3. The finite field GF(28) • It is a field: you can add, subtract, multiply, and divide. • There are 28 = 256 elements. • Field addition is the XOR operation. • Multiplication is similar to modular multiplication, without any carries.

  4. Squaring in GF(28) We all know that (a + b)2 = a2 + ab + ab + b2 but as addition in GF(28) is a XOR we get (a + b)2 = a2 + b2 This is known as the Freshman’s Dream. Squaring is a bit-linear operation!

  5. The MixColumn operation Matrix multiplication: each output byte is a linear combination of input bytes. b0 = 2a0 + 3a1 + a2 + a3 b1 = a0 + 2a1 + 3a2 + a3 b2 = a0 + a1 + 2a2 + 3a3 b3 = 3a0 + a1 + a2 + 2a3

  6. S-box has three layers • Inversion in the field GF(28). • Bit-linear function (each output bit is the sum of some input bits). • Addition of a constant.

  7. Bit-linear functions in GF(28) • Any bit-linear function in GF(28) can be written as ax128+bx64+cx32+dx16+ex8+fx4+gx2+hx • Squaring is bit-linear, so all polynomials of this form are bit-linear. • There are 264 polynomials of this form, and 264 bit-linear functions.

  8. Rewriting the S-box • The constant can be moved into the key schedule. • We can rewrite the S-box as

  9. Combined S-box and MixColumn • MixColumn: • Combined:

  10. One round Can be written as: or

  11. Four rounds

  12. Conclusions • Rijndael depends on a new complexity assumption: You cannot solve equations of this form efficiently in GF(28). • We have no idea how hard this problem is.

  13. Which block cipher to choose • Rijndael/AES: fast, available, and the safe choice (for your career). • Serpent: built like a tank, but slow • Twofish: most of the security of Serpent, with most of the speed of Rijndael.

More Related