The Advanced Encryption Standard (Rijndael) - PowerPoint PPT Presentation

Loading...

PPT – The Advanced Encryption Standard (Rijndael) PowerPoint presentation | free to download - id: 6ceef5-MTBkM



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

The Advanced Encryption Standard (Rijndael)

Description:

The Advanced Encryption Standard (Rijndael) AES: Why a new Standard? Old standard insecure against brute-force attacks Straightforward fixes lead to inefficient ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 105
Provided by: anaro9
Learn more at: http://delta.cs.cinvestav.mx
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: The Advanced Encryption Standard (Rijndael)


1
The Advanced Encryption Standard (Rijndael)
2
AES Why a new Standard?
  • Old standard insecure against brute-force attacks
  • Straightforward fixes lead to inefficientTriple
    DES
  • implementations
  • New trends in fast software encryption
  • use of basic instructions of the microprocessor
  • New ways of assessing cipher strength
  • differential cryptanalysis
  • linear cryptanalysis

3
AES Why a Contest?
  • Speed-up the acceptance of the standard
  • Small number of specialists in the open research
  • Focus the effort of cryptographic community
  • Stimulate the research on methods of constructing
  • secure ciphers
  • Avoid backdoor theories

4
AES General Form
5
AES Rules of the Game
  • Each team submits
  • Detailed cipher description
  • Justification of design decisions
  • Tentative results of cryptanalysis
  • Source code in C
  • Source code in Java
  • Test vectors

6
AES Candidates
  • Round 1, June 1998
  • 15 Candidates
  • from USA, Canada, Belgium, France, Germany,
    Norway, UK, Isreal, Korea, Japan, Australia,
    Costa Rica.
  • Security, Software efficiency
  • Round 2, August 1999
  • 5 final candidates
  • Mars, RC6, Rijndael, Serpent, Twofish
  • Security, Hardware efficiency
  • October 2000
  • 1 winner Rijndael
  • Belgium

7
AES Candidates
  • USA Mars, RC6, Twofish, Safer, HPC
  • Canada CAST-256, Deal
  • Costa Rica Frog
  • Australia LOKI97
  • Japan E2
  • Korea Crypton
  • Belgium Rijndael
  • France DFC
  • Germany Magenta
  • Israel, GB, Norway Serpent
  • America (8) Europe (4) Asia (2)
  • Australia (1)

8
AES Candidates
  • Survey filled by 104 participants of the
  • Second AES Conference in Rome, March 1999
  • Middle-of-the-Road
  • 7. CAST-256 -2
  • 8. Safer -4
  • 9. DFC -5
  • Mild NO
  • 10. Crypton -15
  • Overwhelming NO
  • 11. DEAL -70
  • 12. HPC -77
  • 13. Magenta -83
  • 14. Loki97 -85
  • 15. Frog -85

9
AES Candidates
  • Survey filled by 104 participants of the
  • Second AES Conference in Rome, March 1999
  • Overwhelming YES
  • 1. Rijndael 76
  • 2. RC6 73
  • 3. Twofish 61
  • 4. Mars 52
  • 5. Serpent 45
  • Mild YES
  • 6. E2 14

10
AES Final 5
  • USA
  • Mars - IBM
  • C. Burwick, D. Coppersmith, E. DAvignon,
  • R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
  • L. OConnor, M. Peyravian, D. Safford,
  • N. Zunic
  • RC6 - RSA Data Security, Inc.
  • R. Rivest - MIT
  • M. Robshaw, R. Sidney, Y. L. Yin - RSA
  • Twofish - Counterpane Systems
  • B. Schneier, J. Kelsey, C. Hall, N. Ferguson
  • - Counterpane, D.Whiting - Hi/fn,
  • D. Wagner - Berkeley

11
AES Final 5
  • Europe
  • Rijndael - J. Daemen, V. Rijmen
  • Katholieke Universiteit Leuven
  • Belgium
  • Serpent - R. Anderson, Cambridge, England
  • E. Biham - Technion, Israel
  • L. Knudsen, University of Bergen, Norway
  • AES Finalists (2)

12
RC6The elegant AES choice
  • Ron Rivest rivest_at_mit.edu
  • Matt Robshaw mrobshaw_at_supanet.com
  • Yiqun Lisa Yin yiqun_at_nttmcl.com

13
RC6 is the right AES choice
  • Security
  • Performance
  • Ease of implementation
  • Simplicity
  • Flexibility

14
RC6 is simple only 12 lines
  • B B S 0 D D S 1 for i 1
    to 20 do t ( B x ( 2B 1
    ) ) ltltlt 5 u ( D x ( 2D 1 ) )
    ltltlt 5 A ( ( A ? t ) ltltlt u ) S
    2i C ( ( C ? u ) ltltlt t ) S
    2i 1 (A, B, C, D) (B, C, D, A)
    A A S 42 C C S 43

15
Simplicity
  • Facilitates and encourages analysis
  • allows rapid understanding of security
  • makes direct analysis straightforward (contrast
    with Mars and Twofish)
  • Enables easy implementation
  • allows compilers to produce high-quality code
  • obviates complicated optimizations
  • provides good performance with minimal effort

16
RC6 key schedule is rock-solid
  • Studied for more than six years
  • Secure
  • thorough mixing
  • one-way function
  • no key separation (cf. Twofish)
  • no related-key attacks (cf. Rijndael)

17
Original analysis still accurate
  • RC6 meets original design criteria
  • Security estimates from 1998 still good today
    independent analyses supportive.
  • Secure, even in theory, even with analysis
    improvements far beyond those seen for DES during
    its lifetime
  • RC6 provides a solid, well-tuned margin for
    security

18
How do we grade candidates?
  • Security (corroborated)
  • Performance (speedmemory)
  • 32-bit (30)
  • Java (20)
  • DSP (15)
  • 64-bit (15)
  • Hardware (15)
  • 8-bit (5)
  • Ease of implementation
  • Simplicity
  • Flexibility
  • Overall 40/25/15/10/10

19
Conclusions
  • RC6 is a simple yet remarkably strong cipher
  • good performance on most important platforms
  • simple to code for good performance
  • excellent flexibility
  • the most studied finalist
  • the best understood finalist
  • RC6 is the secure and elegant choice for the AES

20
(The End)

21
AES Performance Evaluation
22
AES Performance Evaluation
23
AES Performance Evaluation
24
AES Performance Evaluation
25
AES Performance Evaluation
26
AES Performance Evaluation
27
AES Performance Evaluation
28
AES Performance Evaluation
29
AES Performance Evaluation
30
AES Performance Evaluation
31
AES Performance Evaluation
32
AES Performance Evaluation
33
AES Performance Evaluation
34
AES Performance Evaluation
35
AES Summary of Final-5 Evaluation
  • Serpent 2
  • Pluses
  • large security margin
  • cryptanalytical reputation of authors
  • conservative construction
  • very fast in hardware
  • Minuses
  • slow in software
  • moderate flexibility

36
AES Summary of Final-5 Evaluation
  • Rijndael 1
  • Pluses
  • fastest in hardware
  • close to the fastest in software
  • security margin
  • novel ideas
  • very high flexibility
  • Minuses
  • security margin

37
AES Summary of Final-5 Evaluation
  • Twofish
  • Pluses
  • good security margin
  • fast encryption/decryption in software
  • US
  • strongly advertized
  • Minuses
  • moderately fast in hardware
  • slow key setup in software
  • moderate flexibility

38
Rijndael OverView
  • Designed by Joan Daemen and Vincent Rijmen (from
    Leuven Belgium)
  • Based upon the Square Cipher
  • 3 Design Goals
  • Resistance against known attacks
  • Speed and code compactness on a variety of
    platforms
  • Design simplicity

39
Rijndael OverView
  • Rijndael/AES Designed by Joan Daemen,
    Proton World International Vincent
    Rijmen, Katholique Universiteit LuevenBlock
    cypherSymmetric keyArithmetic based in the
    Galois Field GF(28)Fast and scalableResistant
    to all known cryptanalysis attacks

40
Dr. Vincent Rijmen 
41
Rijndael
  • The block cipher Rijndael is designed to use only
    simple whole-byte operations. Also, it provides
    extra flexibility over that required of an AES
    candidate, in that both the key size and the
    block size may be chosen to be any of 128, 192,
    or 256 bits.

42
Rijndael OverView
  • Rijndael is not a Feistel cipher
  • 3 distinct invertible layers per round
  • Encryption and decryption algorithms are
    different
  • Rijndael uses the Wide Trail Strategy
  • Non-linear layer (confusion)
  • Linear mixing layer (diffusion)
  • Key addition layer

43
Rijndael OverView
  • State and Round Key representations
  • The State is the intermediate cipher result
  • Both the State and the Round Key are interpreted
    as rectangular arrays of bytes
  • Number of columns in the State and Round Key
    arrays depend on block and key sizes,
    respectively

44
Rijndael OverView
  • Rijndael is a block cipher that encrypts and
    decrypts 128, 192, and 256 bit blocks, using 128,
    192, and 256 byte keys in any combination. The
    block is considered to be structured as 4, 6, or
    8 columns of 4 bytes, depending on block size.

45
Rijndael
  • During an early stage of the AES process, a draft
    version of the requirements would have required
    each algorithm to have three versions, with both
    the key and block sizes equal to each of 128,
    192, and 256 bits. This was later changed to make
    the three required versions have those three key
    sizes, but only a block size of 128 bits, which
    is more easily accommodated by many types of
    block cipher design.

46
Rijndael
  • The original description of Rijndael is available
    at http//www.esat.kuleuven.ac.be/rijmen/rijndae
    l/.
  • However, the variations of Rijndael which act on
    larger block sizes apparently will not be
    included in the actual standard, on the basis
    that the cryptanalytic study of Rijndael during
    the standards process primarily focused on the
    version with the 128-bit block size.
  • Rijndael is a relatively simple cipher in many
    respects.

47
Rijndael Number of Rounds
  • Rijndael has a variable number of rounds. The
    number of rounds in Rijndael is
  • 10 if both the block and the key are 128 bits
    long.
  • 12 if either the block or the key is 192 bits
    long, and neither of them is longer than that.
  • 14 if either the block or the key is 256 bits
    long.

48
Rijndael OverView
  • Each round consists of 4 steps
  • Step 1 ByteSub Transformation (Confusion)
  • Step 2 ShiftRow Transformation (Diffusion)
  • Step 3 MixColumn Transformation (Diffusion)
  • Step 4 Round Key Addition
  • Final round slightly different from other rounds

49
Rijndael OverView
  • The basic operations applied to the block are
  • 1) ByteSub Applying an S-box (substituting each
  • byte with another, based on an equation in
    GF(28))
  • 2) ShiftRow Shifting the rows in a circular way,
    the
  • amount of shift (0, 1, 2, 3, or 4 bytes)
    depending on the
  • position from the top and on the block size,

50
Rijndael OverView
  • 3) MixColumn Mixing the 4, 6, or 8 columns
    vertically
  • by taking invertible linear combinations (in
    GF(28) of
  • the elements in each column and
  • 4) Round Key Addition XORing each byte with a
    round key (done before the first round for
    whitening, and again at the end of each round),

51
Rijndael Algorithm
  • Rijndael CypherAES(data_block, key) in State,
    RoundKeysState  State xor RoundKey0for Round
    1 to Nr SubBytes(State) ShiftRow (State) If
    not(last Round) then MixColumn(State) State Â
    State xor RoundKeyRoundout State

52
Rijndael Sequence of Operations
  • The extra final round omits the Mix Column step,
    but is otherwise the same as a regular round.
    Thus, the sequence of steps in Rijndael is
  •  ARK 
  • BSB, SR, MC, ARK 
  • BSB, SR, MC, ARK 
  • BSB, SR, MC, ARK 
  • .....
  • BSB, SR, MC, ARK 
  • BSB, SR, ARK 

9 of them!!
53
Rijndael Sequence of Operations
Where ARK Add Round Key BSB Byte Sub
Block SR Shift Row MC Mix Column
54
Rijndael
55
Rijndael two-Dimensions Scheme
56
Rijndael Block Representation
  •   Rijndael considers a 128-bit block grouped into
    16 bytes of 8 bits each. Let us call each of
    these 16 bytes as, b15 b14 b13 b2 b1 b0.
    Rijndael deals with this block as bytes arranged
    into a 44 matrix,

57
Rijndael Rounds Steps
  • In the Byte Sub step each byte of the block is
    replaced by its substitute in an S-box.

58
S-Box Look-up Table method
  • Write a byte as 8 bits x7 x6 x5 x4 x3 x2 x1 x0.
    Look for the entry in the x7 x6 x5 x4 row and x3
    x2 x1 x0 column.

59
Rijndael S-Box
  •   99 124 119 123 242 107 111 197 48 1 103
    43 254 215 171 118
  • 202 130 201 125 250 89 71 240 173 212 162
    175 156 164 114 192
  • 183 253 147 38 54 63 247 204 52 165 229
    241 113 216 49 21
  • 4 199 35 195 24 150 5 154 7
    18 128 226 235 39 178 117
  • 9 131 44 26 27 110 90 160 82 59
    214 179 41 227 47 132
  • 83 209 0 237 32 252 177 91 106 203
    190 57 74 76 88 207
  • 208 239 170 251 67 77 51 133 69 249
    2 127 80 60 159 168
  • 81 163 64 143 146 157 56 245 188 182 218
    33 16 255 243 210
  • 205 12 19 236 95 151 68 23 196 167
    126 61 100 93 25 115
  • 96 129 79 220 34 42 144 136 70 238
    184 20 222 94 11 219
  • 224 50 58 10 73 6 36 92 194 211
    172 98 145 149 228 121
  • 231 200 55 109 141 213 78 169 108 86 244
    234 101 122 174 8
  • 186 120 37 46 28 166 180 198 232 221 116
    31 75 189 139 138
  • 112 62 181 102 72 3 246 14 97 53
    87 185 134 193 29 158
  • 225 248 152 17 105 217 142 148 155 30 135
    233 206 85 40 223
  • 140 161 137 13 191 230 66 104 65 153 45
    15 176 84 187 22

60
Rijndael Rounds Steps
  • The specification for Rijndael only provided an
    explanation of how the S-box was calculated the
    first step was to replace each byte with its
    reciprocal in the same GF(28) as used below in
    the Mix Column step, except that 0, which has no
    reciprocal, is replaced by itself (since it isn't
    anything's reciprocal either, it is the only
    value not used, so that makes sense) then a
    bitwise modulo-two matrix multiply was used, and
    finally the hexadecimal number 63 is XORed with
    the result.

61
Rijndael ByteSub Step
  • S-Box ArithmeticElements in
  • G GF(28, 1aa3a4a8 )nhex Þ nbin Þ
    (polynomial with nÕs bits for coeffs)Arithmetic
    in Z2 (/), then mod by 1aa3a4a8polynomial
    Þ nbin Þ nhex ByteSub(x) A Mx-1 63hex
    Precompute and use look-up table

62
The Construction of the S-Box
  •  Although the S-box is implemented as a lookup
    table, it has a simple mathematical description.
  • Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where
    each xi is a binary bit. Compute its inverse in
    GF(28). If the byte is 0, use the same 0 as its
    inverse.

63
The Construction of the S-Box
  •  The resulting byte y7 y6 y5 y4 y3 y2 y1 y0
    represents an 8-dimensional column vector, with
    the rightmost bit y0 in the top position.
    Multiply by a matrix and add the column vector
    (1, 1, 0, 0, 1, 1, 0) to obtain a vector z7 z6 z5
    z4 z3 z2 z1 z0 as shown in the next slide

64
The Construction of the S-Box
65
The Construction of the S-Box
  • For example, start with the byte 11001011 CB.
    Its inverse in GF(28) is 00000100 04, then

66
The Construction of the S-Box
  • This yields the byte 00011111 1F. Note that the
    input vector was 11001011. The 4 MSBs of the
    input vector are thus 1100 and this gives us the
    13th row in the S-Box. Similarly, 1011 yields us
    the 14th column in the S-Box. By checking the
    S-box we see that indeed 31 1F is the
    corresponding entry in the S-Box as claimed.

67
Rijndael Shift Row Step
  •   Next is the Shift Row step. Considering the
    128-bit block grouped into 16 bytes of 8 bits
    each, call them, b15 b14 b13 b2 b1 b0.
  • these bytes are arranged into a 44 matrix, and
    shifted as follows
  •  

68
Rijndael Shift Row Step
  •   Blocks that are 192 and 256 bits long are
    shifted like this
  •  from to
  • 1 5 9 13 17 21 1 5 9 13 17 21
  • 2 6 10 14 18 22 6 10 14 18 22 2
  • 3 7 11 15 19 23 11 15 19 23 3 7
  • 4 8 12 16 20 24 16 20 24 4 8 12 
  • from to
  • 1 5 9 13 17 21 25 29 1 5 9 13 17 21 25
    29
  • 2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2
  • 3 7 11 15 19 23 27 31 15 19 23 27 31 3 7
    11
  • 4 8 12 16 20 24 28 32 20 24 28 32 4 8 12
    16

69
Rijndael Mix Column step
  •   Next comes the Mix Column step. Matrix
    multiplication is performed each column, in the
    arrangement we have seen above, is multiplied by
    the matrix
  •   2 3 1 1
  • 1 2 3 1
  • 1 1 2 3
  • 3 1 1 2
  • However, this multiplication is done over GF(28).
    This means that the bytes being multiplied are
    treated as polynomials rather than numbers.

70
Rijndael Mix Column step
  •   GF(28)The Galois Field with 28 elements is the
    Finite Field GF(28)Z2x/m(x)where m is
    irreducible in Z2x and has degree 8.Rijndael
    chooses m(x) 1 x x3 x4 x8

71
Rijndael Mix Column step
  •   If the result has more than 8 bits, the extra
    bits are not simply discarded instead, they're
    cancelled out by XORing the binary 9-bit string
    100011011 with the result (shifted right if
    necessary). This string stands for the generating
    polynomial of the particular version of GF(28)
    used by Rijndael.

72
Rijndael Mix Column step
  •   For example, multiplying the binary string
    11001010 by 3 within this Galois Field works like
    this
  •   11001010
  • 11
  • --------------
  • 11001010
  • 11001010
  • ---------------
  • 101011110 (XOR instead of addition)
  • 100011011 (this is XORed, instead of
    subt. 256)
  • --------------
  • 1000101

73
Rijndael Mix Column step
  •   MixColumn ArithmeticMixColumn is equivalent
    to
  • with arithmetic in GF( 28 ).

74
Rijndael Add Round Key
  •   The final step is Add Round Key. This simply
    XORs in the subkey for the current round.

75
Rijndael Key Schedule
  • Round keys extracted from the cipher key in two
    steps
  • Initial key expansion
  • First bits of the expanded key are set to the
    bits of the cipher key
  • Remaining bits calculated recursively as a
    non-linear function of the previous bits of the
    expanded key
  • Round key selection from expanded key

76
Rijndael Key Schedule
  • The original key consists of 128 bits, which are
    arranged into a 44 matrix of bytes. This matrix
    is expanded by adjoining 40 more columns, as
    follows.
  • Label the first four columns W(0), W(1), W(2),
    W(3). The new columns are generated recursively.
    Suppose columns up through W(i-1) have been
    defined. If i is not a multiple of 4, then form
    the new column as,
  • W(i) W(i-4)?W(i-1).

77
Rijndael Key Schedule
  • If i is a multiple of 4, then
  • W(i) W(i-4)?T(W(i-1)),
  • Where T(W(i-1)) is the transformation of W(i-1)
    as follows. Let the elements of the columns are
    w0 w1 w2 w3. Shift these cyclically to obtain w1
    w2 w3 w0. Then replace each of these bytes with
    the corresponding element in the S-box from the
    ByteSub step, to get 4 bytes y0 y1 y2 y3.

78
Rijndael Key Schedule
  • Finally compute the round constant
  • In GF(28). Recall that we are in the case where i
    is a multiple of 4. Then T(W(i-1)) is the column
    vector
  • (y0 ?r(i), y1 y2 y3)

79
Rijndael Key Schedule
  • In this way, columns W(4),,W(43) are generated
    from the initial four columns. The round key for
    the ith round consists of the columns
  • W(4i), W(4i1), W(4i2), W(4i3.)

80
Rijndael Key Schedule
  • Because it begins and ends with an ARK (Add Round
    Key) step, there is no wasted unkeyed step at the
    beginning or end. The sequence of operations is
    important for facilitating decipherment, as well.
  • Although the sequence is not symmetrical, the
    order of some of the steps in Rijndael could be
    changed without affecting the cipher. The Byte
    Sub step could just as easily be done after the
    Shift Row step as before it.

81
Rijndael Key Schedule
  • For keys 128 and 192 bits in length, the subkey
    material, which consists of all the round keys in
    order, consists of the original key, followed by
    stretches, each the length of the original key,
    consisting of four-byte words such that each word
    is the XOR of the preceding four-byte word and
    either the corresponding word in the previous
    stretch or a function of it.

82
Rijndael Key Schedule
  • For the first word in a stretch, the word is
    first rotated one byte to the left, and then its
    bytes are transformed using the S-box from the
    Byte Sub step, and then a round-dependent
    constant is XORed to its first byte.

83
Rijndael Key Schedule
  • The round constants are
  •   1 2 4 8 16 32
    64 128
  • 27 54 108 216 171 77 154
    47
  • 94 188 99 198 151 53 106 212
  • 179 125 250 239 197 145 57 114
  • 228 211 189 97...

84
Rijndael Decryption
  • Inverse Cypher
  • Reverse Steps
  • Use Keys in Reverse Order
  • ByteSub and ShiftRow Commute
  • MixColumn Matrix is Invertible

85
Rijndael Decryption
  1. The inverse of ByteSub is another lookup table,
    called InvByteSub.
  2. The inverse of ShiftRow is obtained by shifting
    the rows to the right instead of to the left,
    yielding InvShiftRow.

86
Rijndael Decryption
  1. The inverse of MixColumn exists because the 44
    matrix used in MixColumn is invertible. The
    transformation InvMixColumn is given by
    multiplication by the matrix

87
Rijndael Sequence of Operations for Encryption
  • The extra final round omits the Mix Column step,
    but is otherwise the same as a regular round.
    Thus, the sequence of steps in Rijndael is
  •  ARK 
  • BSB, SR, MC, ARK 
  • BSB, SR, MC, ARK 
  • BSB, SR, MC, ARK 
  • .....
  • BSB, SR, MC, ARK 
  • BSB, SR, ARK 

9 of them!!
88
Rijndael Sequence of Operations
Where ARK Add Round Key BSB Byte Sub
Block SR Shift Row MC Mix Column
89
Rijndael Decryption
  • AddRoundKey is its own inverse.
  • Hence to decrypt we have to perform the following
    steps
  • ARK, ISR, IBS
  • ARK, IMC, ISR, IBS
  • ARK, IMC, ISR, IBS
  •  .....
  • ARK, IMC, ISR, IBS
  • ARK 

90
Rijndael Decryption
  • However, we would like to rewrite this
    decryption in order to make it look more like
    encryption. We make the following observations
  • The order of BS and the SR operations are
    exchangable (why??).
  • We also would like to reverse the order of ARK
    and IMC but this is not possible.Instead we
    proceed as follows

91
Rijndael Decryption
  • Where (mi,j) is the 44 matrix in MixColumn and
    (ki,j) is the round key matrix. The inverse is
    obtained by solving
    for (ci,j) in terms of (ei,j), namely,

92
Rijndael Decryption
  • Therefore the decryption process to follow is
  • The first arrow is simply InvMixColumn applied to
    (ei,j). If we let InvAddRoundKey be XORing with
    (ki,j), then we have that the inverse of MC
    then ARK is IMC then IARK.

93
Rijndael Decryption
  • We now see that decryption is given by
  • ARK, IBS, ISR
  • IMC, IARK, IBS, ISR
  • IMC, IARK, IBS, ISR
  •  .....
  • IMC, IARK, IBS, ISR
  • ARK. 
  • Summarizing we have the following procedures to
    perform encryption/decryption with Rijndael
    algorithm

94
Rijndael Encryption
  1. ARK using the 0th key.
  2. Nine rounds of BS, SR, MC, ARK using round keys 1
    to 9.
  3. A final round BS, SR, ARK, using the 10th round
    key.

95
Rijndael Decryption
  1. ARK using the 10th key.
  2. Nine rounds of IBS, ISR, IMC, IARK using round
    keys 9 to 1.
  3. A final round IBS, ISR, ARK, using the 0th round
    key.

96
Rijndael Why MixColumn is omitted in the last
round?
  • Suppose MixColumn had been left in. Then the
    encryption would start ARK, BS, SR, MC, ARK, ,
    and it would end ARK, BS, SR, MC, ARK. Therefore,
    the beginning o fthe decryption would be (after
    the reorderings) IMC, IARK, IBS, ISR, . This
    means the decryption would have an unnecessary
    IMC at the beginning.

97
Rijndael Why MixColumn is omitted in the last
round?
  • Another way to look at encryption is that there
    is an initialARK, then a sequence of alternating
    half rounds
  • (BS, SR), (MC, ARK), (BS, SR),, (MC, ARK), (BS,
    SR),
  • followed by a final ARK.
  • The decryption is ARK, followed by a sequence of
    alternating half rounds
  • (IBS, ISR), (IMC, IARK), (IBS, ISR),, (IMC,
    IARK), (IBS, ISR)

98
Rijndael Why MixColumn is omitted in the last
round?
  • Followed by a final ARK. From this point of view,
    we see that a final MC would not fit naturally
    into any of the half rounds, and it results
    natural to leave it out.

99
Rijndael SOme design consideration comments.
  • On 8-bit processors, decryption is not quite as
    fast as encryption. This is because the entriesof
    the 44 matrix for InvMixColumn are more complex
    than those for MixColumn, and this is enough to
    make decryption take around 30 longer than
    encryption for those processors.

100
Rijndael SOme design consideration comments.
  • The fact that encryption and decryption are not
    identical processes leads to the expectation that
    there are no weak keys in Rijndael, in contrast
    to DES and several other algorithms.
  • In Rijndael all the bits are treated uniformly.
    This has the effect of diffusing the input bits
    faster.

101
Rijndael SOme design consideration comments.
  • It can be shown that two rounds are enough to
    obtain full difussion, namely, each of the 128
    output bits depends on each of the 128 input
    bits.
  • The Rijndael S-box is highly nonlinear, since it
    is based on the mapping x ? x-1 in GF(28). This
    means that Rijndael is excellent resisting
    differential and linear cryptoanalysis attacks.

102
Rijndael SOme design consideration comments.
  • The ShiftRow step was added to resist two
    recently developed attacks, namely truncated
    differentials and the Square attack (Square is a
    predecessor of Rijndael).
  • The MixColumn causes diffusion among the bytes. A
    change in one input byte in this step always
    results in all four output bytes changing. If two
    input bytes are changed, at least three output
    bytes are changed.

103
Rijndael SOme design consideration comments.
  • The Key Schedule involves nonlinear mixing of the
    key bits, since it uses the S-box. The mixing is
    designed to resist attacks where the
    cryptoanalyst knows part of the key and tries to
    deduce the remaining bits.
  • The round constants are used to eliminate
    symmetries in the encryption process by making
    each round different.

104
Rijndael SOme design consideration comments.
  • The number of rounds was chosen to be 10 because
    there are attacks that are better than brute
    force up to six rounds.
  • No known attack beats brute force for seven or
    more rounds.
  • It was felt that four extra rounds provide a
    large enough margin of safety. Of course, the
    number of rounds could easily be increased if
    needed.
About PowerShow.com