10 years of Rijndael Vincent Rijmen
Overview • The AES process (participant’s perspective) • Rijndael • Security of Rijndael/AES • Spreading of AES • Stream ciphers: competitors? • Conclusions
The early years (1997) • Differential and linear attacks on DES (‘91, ‘93) • 3-DES is slow on (then) modern processors • EFF builds “Deep Crack” (‘97) • NIST launches a competition
AES process • 1997: public call for submission of new ciphers • Encrypt blocks of 128 bits • Keys of length 128, 192 or 256 bits • To be available royalty-free • August 1998: first AES conference
Some opinions • “Is there enough time for people to invent strong 128-bit block ciphers? Probably not.” Bruce Schneier, April 15, 1997 • “The theoretical security level of most of the AES candidates will be 2^100 or less if about 5 to 10 man-years are spent in serious cryptanalytic effort” Lars R. Knudsen, April 5, 1999
Public evaluation • Only public comments taken into account • Decisions by NIST, motivated by public reports • Most analysis done by the public • NSA had the right to veto NIST’s decision
Evaluation criteria • Security • Efficiency • Intellectual Property issues • Flexibility • Elegance, ability to prove absence of trapdoors, …
AES decision process Two rounds of one year each: 1. Evaluation round (15 candidates) – Security – Software performance – 7-8 candidates performing well 2. Selection round (5 candidates) – Hardware performance – “Other criteria” September 2000: announcement of winner Rijndael November 2001: AES FIPS becomes active
WIDE TRAIL DESIGN STRATEGY AND RIJNDAEL
Rijndael design history (timeline figure, 1990 to 2000) • PhD Daemen • PhD Rijmen • 1996: Shark • 1997: Square • 1998: BKSQ, Rijndael • AES process
Rijndael evolution • ‘94: BaseKing – Definition of optimal diffusion • ‘96: SHARK – MDS diffusion, S-box x → x^-1 • ‘97: Square, BKSQ – Matrix state – Square attack – Related key concerns • ‘98: Rijndael
Iterative block cipher (figure: plaintext p passes through a sequence of rounds, each round receiving its round key from the key schedule applied to the key; intermediate results sit between rounds; the last round outputs ciphertext c)
Design trade-off • Luke O’Connor (IBM): “Most ciphers are secure after sufficiently many rounds” • James L. Massey (ETH Zürich): “Most ciphers are too slow after sufficiently many rounds” • Design challenge: – security AND performance – provability
General design philosophy 1. Keep it simple – Maximize symmetry • Over rounds • Within round transformation – All operations in 1 algebra • Finite field GF(256) – Small number of building blocks • Only add when necessity demonstrated
General design philosophy 2. Performance is important – On variety of platforms – One security margin is enough 3. Don’t reinvent the wheel – Coding theory – Existing S-boxes
Key-alternating cipher (figure: the iterative cipher diagram, with every round key entering only through an XOR between rounds) • All key dependency is through XOR • Analysis of round security against differential and linear attacks becomes easier
Iterative block cipher (figure: each round is a layer of parallel S-boxes followed by a mixing transformation; round keys come from the key schedule) • Substitution boxes: permutations on GF(2^m) • Mixing transformation: linear over GF(2), GF(2^m) • Key schedule: ignored in basic attacks
Differential Cryptanalysis • Instead of looking at values, look at differences • Addition of an unknown but fixed key doesn’t change a difference: (a + k) – (b + k) = a – b • Linear maps: deterministic propagation • Nonlinear maps: probabilistic propagation • Propagation path = characteristic Q • Security: keep Pr(Q) low
Wide trail design strategy: make the bound on Pr(Q) easy to compute 1. Compute a bound for Pr(Q) over 1 active S-box: d = max_{Q ≠ (0,0)} Pr(Q) 2. Compute a bound on the number of active S-boxes: z = minimum number of active S-boxes Together: Pr(Q) ≤ d^z
Bounding z: 1 round (figure: one S-box layer followed by the mixing transformation) • Min 1 active S-box per round • Independent of mixing transformation
Two rounds (figure: states a0, a1, a2 separated by two S-box layers, each followed by the mixing transformation) • Diffusion criterion for mixing transformation – minimum number of active S-boxes in a0 and a1 together – Branch number B – B ≤ number of inputs plus 1
Optimal Mixing Transformation (figure: x enters the mixing transformation, y = m(x) leaves it) • (x, y) with y = m(x) can be seen as a codeword of an error-correcting code • B corresponds to the minimum distance of this code • Maximum B: take a Maximum Distance Separable (MDS) code
Design the Mixing Transformation • Take a (2n,n,d)-code • Compute the generator matrix in echelon form: G = [I A] • Mixing transformation: y = m(x) = Ax
Shark, Khazad • (16,8,9)-code over GF(256) • Block length n = 8 x 8 = 64 • Optimal 2-round mixing • Slow on software platforms of the 1990’s
Code concatenation (Forney 1966) • Outer code and inner code • C_in: (n,k,d)-code over GF(q) • C_out: (N,K,D)-code over GF(q^k) • Outer code uses as symbols the message words of the inner code • Together: (nN,kK,dD)-code over GF(q)
Concatenated code (figure: S-box layer, then three parallel copies of Mixing 1 forming C_in, S-box layer, then Mixing 2 forming C_out, then S-box layer and three copies of Mixing 1 forming C_in again, S-box layer)
Four-round view (figure: states a0 to a4 with four S-box layers, each followed by the mixing transformation)
Square, AES, Anubis, ... • C_in: (8,4,5)-code over GF(256) • C_out: (8,4,5)-code over GF(256^4) • Together: (64,16,25)-code • Block length 16 x 8 = 128 • Ciphers are still iterative due to special relation between Mixing 1 and Mixing 2
Avalanche of bit flips (figure: the iterative block cipher diagram from before, annotated with the avalanche of a single bit flip through the rounds)
Rijndael • Substitution-Permutation Network with 10/12/14 rounds • Round: composed of 4 steps: – SubBytes: non-linearity – ShiftRows: inter-column diffusion – MixColumns: inter-byte diffusion within columns – AddRoundKey
Message input representation (figure: 4 × 8 array of bytes a_{i,j}, i = 0..3, j = 0..7) • Rectangular array of bytes: – 4 rows – 4, 6, or 8 columns (128-, 192-, 256-bit input) – AES: 4 columns only
Rijndael field • Operations defined over GF(256) – (sometimes: over GF(2)) • Representation: – Polynomials of degree < 8, with binary coefficients – Modulo x^8 + x^4 + x^3 + x + 1 – Shortened to two hex digits • E.g. 12 → x^4 + x
Step 1: Substitute Bytes (figure: each byte a_{i,j} of the 4 × 4 state is replaced by b_{i,j} = S(a_{i,j})) • Bytes are transformed by an invertible S-box. • One S-box (lookup table) for the complete cipher: – High non-linearity – Complex algebraic expression
Rijndael S-box • x → x^-1 – Maximal algebraic degree (of nonlinearity) for an invertible 8-bit map, i.e. 7 – Good (maybe optimal) resistance against differential cryptanalysis • Followed by affine map (over GF(2)) – Destroying regularity – Complicating algebraic attacks (somewhat)
Round step 2: Shift Rows (figure: 4-column state before and after) row 0: m n o p → m n o p (offset 0); row 1: g h i j → h i j g (offset 1); row 2: w x y z → y z w x (offset 2); row 3: b c d e → e b c d (offset 3) • Rows are shifted over 4 different offsets – (Offsets depend on number of columns) • High diffusion over multiple rounds: – Interaction with MixColumns – Any difference activates at least 25 S-boxes per 4 rounds
Step 3: Mix Columns (figure: each column j of the state a is mapped to column j of b) $$\begin{pmatrix} b_{0,j} \\ b_{1,j} \\ b_{2,j} \\ b_{3,j} \end{pmatrix} = \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix} \otimes \begin{pmatrix} a_{0,j} \\ a_{1,j} \\ a_{2,j} \\ a_{3,j} \end{pmatrix}$$ • Columns transformed by a matrix over GF(2^8) • High intra-column diffusion: – based on theory of error-correcting (MDS) codes
Key addition (figure: state a XOR round key k = state b, byte by byte: b_{i,j} = a_{i,j} + k_{i,j}) • Makes round function key-dependent • Round keys derived in a simple way from the master key
Key input representation (figure: 4 × 8 array of bytes k_{i,j}, i = 0..3, j = 0..7) • Rectangular array of bytes: – 4 rows – 4, 6, or 8 columns (128-, 192-, 256-bit key)
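As an added worked example (my code, not from the slides or from the Rijndael reference implementation), the Python below builds the pieces described on the preceding slides from their definitions: GF(256) arithmetic modulo x^8 + x^4 + x^3 + x + 1, the S-box as inversion followed by the affine map, and MixColumns as the 4 × 4 matrix over GF(2^8). It then measures the two wide-trail quantities against them: d from the S-box’s difference distribution table, and the branch number B of MixColumns by exhaustive search over low-weight columns. The affine constant 0x63 and the InvMixColumns matrix are the standard FIPS-197 values, which the slides do not spell out, and are assumed here; the figure of 25 active S-boxes over four rounds is the minimum distance of the (64,16,25) concatenated code from the Square/AES slide. Only the 128-bit block (4 columns) is handled.

```python
# Added example (not part of the slides): Rijndael building blocks from their
# definitions, then the wide-trail numbers d, B and the bound d^z checked against them.
from fractions import Fraction
from itertools import combinations

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial


def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^-1 in GF(256) computed as a^254 (multiplicative group of order 255); 0 -> 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def sbox(x):
    """Rijndael S-box: inversion, then the GF(2)-affine map with constant 0x63 (FIPS-197 value, assumed)."""
    y = gf_inv(x)
    r = 0
    for i in range(8):  # bit i of the affine part: y_i + y_{i+4} + y_{i+5} + y_{i+6} + y_{i+7}
        bit = (y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8)) ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8))
        r |= (bit & 1) << i
    return r ^ 0x63


SBOX = [sbox(x) for x in range(256)]


def max_diff_prob(s):
    """d of the wide-trail bound: largest difference-distribution-table entry divided by 256.
    XOR differences pass through key addition unchanged ((a^k)^(b^k) == a^b), so the
    S-box is the only probabilistic step of a round."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[s[x] ^ s[x ^ din]] += 1
        best = max(best, max(counts))
    return Fraction(best, 256)


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]          # MixColumns (slide)
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]  # FIPS-197 inverse, assumed


def mat_vec(m, col):
    """Apply a 4x4 matrix over GF(256) to one 4-byte column (MixColumns when m is MIX)."""
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= gf_mul(m[i][j], col[j])
        out.append(acc)
    return out


def branch_number(m, m_inv):
    """B = min over nonzero x of wt(x) + wt(m x), with bytes as symbols.
    If that sum is <= 4 then x or m x has weight <= 2, so enumerating every input of
    weight 1 and 2 for m and for its inverse is exhaustive for 4-byte columns."""
    best = 8
    for mat in (m, m_inv):
        # scaled[j][a] = a * (column j of mat), so a weight-2 input costs one XOR
        scaled = [[[gf_mul(a, mat[i][j]) for i in range(4)] for a in range(256)] for j in range(4)]
        for j in range(4):
            for a in range(1, 256):
                best = min(best, 1 + sum(1 for v in scaled[j][a] if v))
        for j, k in combinations(range(4), 2):
            for a in range(1, 256):
                cj = scaled[j][a]
                for b in range(1, 256):
                    ck = scaled[k][b]
                    w = (cj[0] != ck[0]) + (cj[1] != ck[1]) + (cj[2] != ck[2]) + (cj[3] != ck[3])
                    best = min(best, 2 + w)
    return best


def wide_trail_bound(d, active_sboxes):
    """Pr(Q) <= d^z for any differential characteristic Q with z active S-boxes."""
    return d ** active_sboxes
```

For the Rijndael S-box `max_diff_prob(SBOX)` comes out as 1/64 (the DDT maximum is 4), `branch_number(MIX, INV_MIX)` as 5 (the matrix is MDS), and with z = 5 · 5 = 25 the four-round bound `wide_trail_bound(d, 25)` is 2^-150, which is the number behind the slide’s claim that any difference activates at least 25 S-boxes per four rounds. The branch-number search takes a second or two in plain Python; the two matrices are only checked against each other through `mat_vec` round trips, so substituting a non-MDS matrix shows B dropping accordingly.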