
The Advanced Encryption Standard (Rijndael)

The Advanced Encryption Standard (Rijndael). Old standard insecure against brute-force attacks. Straightforward fixes lead to inefficient Triple DES implementations. New trends in fast software encryption: use of basic instructions of the microprocessor. New ways of assessing cipher strength.

risa

Presentation Transcript


  1. The Advanced Encryption Standard (Rijndael)

  2. AES: Why a new Standard?
     • Old standard insecure against brute-force attacks
     • Straightforward fixes lead to inefficient Triple DES implementations
     • New trends in fast software encryption
       • use of basic instructions of the microprocessor
     • New ways of assessing cipher strength
       • differential cryptanalysis
       • linear cryptanalysis

  3. AES: Why a Contest?
     • Speed-up the acceptance of the standard
     • Small number of specialists in the open research
     • Focus the effort of cryptographic community
     • Stimulate the research on methods of constructing secure ciphers
     • Avoid backdoor theories

  4. AES: General Form

  5. AES: Rules of the Game
     Each team submits:
     • Detailed cipher description
     • Justification of design decisions
     • Tentative results of cryptanalysis
     • Source code in C
     • Source code in Java
     • Test vectors

  6. AES: Candidates
     • Round 1, June 1998: 15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
       • Security, Software efficiency
     • Round 2, August 1999: 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish
       • Security, Hardware efficiency
     • October 2000: 1 winner: Rijndael (Belgium)

  7. AES: Candidates
     • USA: Mars, RC6, Twofish, Safer+, HPC
     • Canada: CAST-256, Deal
     • Costa Rica: Frog
     • Australia: LOKI97
     • Japan: E2
     • Korea: Crypton
     • Belgium: Rijndael
     • France: DFC
     • Germany: Magenta
     • Israel, GB, Norway: Serpent
     • America (8), Europe (4), Asia (2), Australia (1)

  8. AES: Candidates
     Survey filled by 104 participants of the Second AES Conference in Rome, March 1999
     • Middle-of-the-Road: 7. CAST-256 -2; 8. Safer+ -4; 9. DFC -5
     • Mild NO: 10. Crypton -15
     • Overwhelming NO: 11. DEAL -70; 12. HPC -77; 13. Magenta -83; 14. Loki97 -85; 15. Frog -85

  9. AES: Candidates
     Survey filled by 104 participants of the Second AES Conference in Rome, March 1999
     • Overwhelming YES: 1. Rijndael +76; 2. RC6 +73; 3. Twofish +61; 4. Mars +52; 5. Serpent +45
     • Mild YES: 6. E2 +14

  10. AES: Final 5
      • USA
        • Mars - IBM: C. Burwick, D. Coppersmith, E. D’Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O’Connor, M. Peyravian, D. Safford, N. Zunic
        • RC6 - RSA Data Security, Inc.: R. Rivest - MIT; M. Robshaw, R. Sidney, Y. L. Yin - RSA
        • Twofish - Counterpane Systems: B. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane; D. Whiting - Hi/fn; D. Wagner - Berkeley

  11. AES: Final 5 (AES Finalists (2))
      • Europe
        • Rijndael - J. Daemen, V. Rijmen, Katholieke Universiteit Leuven, Belgium
        • Serpent - R. Anderson, Cambridge, England; E. Biham - Technion, Israel; L. Knudsen, University of Bergen, Norway

  12. RC6—The elegant AES choice
      • Ron Rivest, rivest@mit.edu
      • Matt Robshaw, mrobshaw@supanet.com
      • Yiqun Lisa Yin, yiqun@nttmcl.com

  13. RC6 is the right AES choice
      • Security
      • Performance
      • Ease of implementation
      • Simplicity
      • Flexibility

  14. RC6 is simple: only 12 lines

          B = B + S[ 0 ]
          D = D + S[ 1 ]
          for i = 1 to 20 do
          {
              t = ( B x ( 2B + 1 ) ) <<< 5
              u = ( D x ( 2D + 1 ) ) <<< 5
              A = ( ( A ⊕ t ) <<< u ) + S[ 2i ]
              C = ( ( C ⊕ u ) <<< t ) + S[ 2i + 1 ]
              ( A, B, C, D ) = ( B, C, D, A )
          }
          A = A + S[ 42 ]
          C = C + S[ 43 ]

  15. Simplicity
      • Facilitates and encourages analysis
        • allows rapid understanding of security
        • makes direct analysis straightforward (contrast with Mars and Twofish)
      • Enables easy implementation
        • allows compilers to produce high-quality code
        • obviates complicated optimizations
        • provides good performance with minimal effort

  16. RC6 key schedule is rock-solid
      • Studied for more than six years
      • Secure
        • thorough mixing
        • one-way function
        • no key separation (cf. Twofish)
        • no related-key attacks (cf. Rijndael)

  17. Original analysis still accurate
      • RC6 meets original design criteria
      • Security estimates from 1998 still good today; independent analyses supportive.
      • Secure, even in theory, even with analysis improvements far beyond those seen for DES during its lifetime
      • RC6 provides a solid, well-tuned margin for security

  18. How do we grade candidates?
      • Security (corroborated)
      • Performance (speed+memory)
        • 32-bit (30%)
        • Java (20%)
        • DSP (15%)
        • 64-bit (15%)
        • Hardware (15%)
        • 8-bit (5%)
      • Ease of implementation
      • Simplicity
      • Flexibility
      • Overall: 40/25/15/10/10

  19. Conclusions
      • RC6 is a simple yet remarkably strong cipher
        • good performance on most important platforms
        • simple to code for good performance
        • excellent flexibility
        • the most studied finalist
        • the best understood finalist
      • RC6 is the secure and “elegant” choice for the AES

  20. (The End)

  21-34. AES: Performance Evaluation (14 slides, title only)

  35. AES: Summary of Final-5 Evaluation: Serpent [2]
      • Pluses:
        • large security margin
        • cryptanalytical reputation of authors
        • conservative construction
        • very fast in hardware
      • Minuses:
        • slow in software
        • moderate flexibility

  36. Rijndael [1] Pluses: fastest in hardware close to the fastest in software security margin novel ideas very high flexibility Minuses: security margin AES: Summary of Final-5 Evaluation

  37. AES: Summary of Final-5 Evaluation: Twofish
      • Pluses:
        • good security margin
        • fast encryption/decryption in software
        • US strongly advertized
      • Minuses:
        • moderately fast in hardware
        • slow key setup in software
        • moderate flexibility

  38. Rijndael Overview
      • Designed by Joan Daemen and Vincent Rijmen (from Leuven, Belgium)
      • Based upon the Square Cipher
      • 3 Design Goals:
        • Resistance against known attacks
        • Speed and code compactness on a variety of platforms
        • Design simplicity

  39. Rijndael Overview: Rijndael/AES
      • Designed by:
        • Joan Daemen, Proton World International
        • Vincent Rijmen, Katholieke Universiteit Leuven
      • Block cipher
      • Symmetric key
      • Arithmetic based in the Galois Field GF(2^8)
      • Fast and scalable
      • Resistant to all known cryptanalysis attacks

  40. Dr. Vincent Rijmen 

  41. Rijndael
      The block cipher Rijndael is designed to use only simple whole-byte operations. Also, it provides extra flexibility over that required of an AES candidate, in that both the key size and the block size may be chosen to be any of 128, 192, or 256 bits.

  42. Rijndael Overview
      • Rijndael is not a Feistel cipher
      • 3 distinct invertible layers per round
      • Encryption and decryption algorithms are different
      • Rijndael uses the Wide Trail Strategy
      • Non-linear layer (confusion)
      • Linear mixing layer (diffusion)
      • Key addition layer

  43. Rijndael Overview: State and Round Key representations
      • The State is the intermediate cipher result
      • Both the State and the Round Key are interpreted as rectangular arrays of bytes
      • The number of columns in the State and Round Key arrays depends on block and key sizes, respectively

  44. Rijndael Overview
      Rijndael is a block cipher that encrypts and decrypts 128, 192, and 256 bit blocks, using 128, 192, and 256 byte keys in any combination. The block is considered to be structured as 4, 6, or 8 columns of 4 bytes, depending on block size.

  45. Rijndael
      During an early stage of the AES process, a draft version of the requirements would have required each algorithm to have three versions, with both the key and block sizes equal to each of 128, 192, and 256 bits. This was later changed to make the three required versions have those three key sizes, but only a block size of 128 bits, which is more easily accommodated by many types of block cipher design.

  46. Rijndael
      The original description of Rijndael is available at: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/. However, the variations of Rijndael which act on larger block sizes apparently will not be included in the actual standard, on the basis that the cryptanalytic study of Rijndael during the standards process primarily focused on the version with the 128-bit block size. Rijndael is a relatively simple cipher in many respects.

  47. Rijndael: Number of Rounds
      Rijndael has a variable number of rounds. The number of rounds in Rijndael is:
      • 10 if both the block and the key are 128 bits long.
      • 12 if either the block or the key is 192 bits long, and neither of them is longer than that.
      • 14 if either the block or the key is 256 bits long.

  48. Rijndael Overview
      • Each round consists of 4 steps
        • Step 1: ByteSub Transformation (Confusion)
        • Step 2: ShiftRow Transformation (Diffusion)
        • Step 3: MixColumn Transformation (Diffusion)
        • Step 4: Round Key Addition
      • Final round slightly different from other rounds

  49. Rijndael Overview
      The basic operations applied to the block are:
      1) ByteSub: Applying an S-box (substituting each byte with another, based on an equation in GF(2^8));
      2) ShiftRow: Shifting the rows in a circular way, the amount of shift (0, 1, 2, 3, or 4 bytes) depending on the position from the top and on the block size,

  50. Rijndael Overview
      3) MixColumn: Mixing the 4, 6, or 8 columns vertically by taking invertible linear combinations (in GF(2^8)) of the elements in each column; and
      4) Round Key Addition: XORing each byte with a round key (done before the first round for “whitening,” and again at the end of each round),
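
The four round steps from slides 48 to 50 and the round-count rule from slide 47, written out for the 128-bit block (the AES case) with 128-, 192- or 256-bit keys, as an added Python example that is not part of the presentation. The key schedule and the S-box affine map come from the Rijndael specification rather than from the slides, all function names are chosen here, and the code is not constant-time, so it is suited to study and test-vector checks only.

```python
# Added example (constructed): Rijndael with a 128-bit block; not constant-time.
def xtime(a):                      # multiply by x modulo x^8+x^4+x^3+x+1
    return ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):                    # product of two bytes in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(x):                 # inverse in GF(2^8) (0 -> 0), then affine map
    b = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = lambda n: ((b << n) | (b >> (8 - n))) & 0xFF
    return b ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]

def byte_sub(s):                   # step 1: S-box on every byte of the State
    return [SBOX[b] for b in s]
def shift_row(s):                  # step 2: row r rotates left by r bytes
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_column(s):                 # step 3: each column times circulant (2 3 1 1)
    return [gmul(2, s[4*c + r]) ^ gmul(3, s[4*c + (r + 1) % 4])
            ^ s[4*c + (r + 2) % 4] ^ s[4*c + (r + 3) % 4]
            for c in range(4) for r in range(4)]
def add_round_key(s, k):           # step 4: XOR the State with the round key
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):               # key schedule, taken from the specification
    nk = len(key) // 4             # key length in 32-bit words: 4, 6 or 8
    rounds = max(nk, 4) + 6        # 10, 12 or 14 rounds for a 128-bit block
    w, rcon = [list(key[4*i:4*i + 4]) for i in range(nk)], 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:            # rotate, substitute, add round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        elif nk > 6 and i % nk == 4:   # extra substitution for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return rounds, [sum(w[4*r:4*r + 4], []) for r in range(rounds + 1)]

def encrypt_block(key, block):     # State is 16 bytes, stored column by column
    rounds, rk = expand_key(key)
    s = add_round_key(list(block), rk[0])          # whitening before round 1
    for r in range(1, rounds + 1):
        s = shift_row(byte_sub(s))                 # final round skips MixColumn
        s = add_round_key(s if r == rounds else mix_column(s), rk[r])
    return bytes(s)
```

With the key 000102...0f and the plaintext 00112233445566778899aabbccddeeff from FIPS-197 Appendix C, `encrypt_block` returns 69c4e0d86a7b0430d8cdb78070b4c55a.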
