
ON RIJNDAEL CRYPTOGRAPHY USING BASIS CONVERSION

Andry Alamsyah (1), Intan Muchtadi (2)

(1) Department of Informatics Engineering, Indonesian Computer University, Jl. Dipati Ukur No. 112, Bandung, Indonesia, andry.alamsyah@gmail.com
(2) Algebra Research Group, Faculty of Mathematics and Natural Sciences, Institut Teknologi Bandung, Jl. Ganesha No. 10, Bandung 40132, Indonesia, ntan@math.itb.ac.id

Abstract

The Advanced Encryption Standard (AES) is one of the most popular algorithms used in symmetric key cryptography and is available in many different encryption packages. It has been standardised by the National Institute of Standards and Technology of the United States (NIST) and comprises three block ciphers, AES-128, AES-192 and AES-256 (using 128-, 192- and 256-bit keys respectively), adopted from the Rijndael algorithm. An efficient implementation of binary field arithmetic is an important prerequisite for Rijndael, because its operations are performed using arithmetic in the underlying field. Two of the most common bases used in binary fields are the polynomial basis and the normal basis. In a normal basis, squaring is just a cyclic shift of the coordinates and therefore essentially free. One of the steps of the Rijndael algorithm is BytesSub, which consists of an inversion followed by an affine transformation. In this paper we propose algorithms to speed up the encryption/decryption process in Rijndael. More precisely, we propose the use of a storage-efficient basis conversion from polynomial basis to normal basis and vice versa, and the use of an inversion algorithm in normal basis.

Keywords: Rijndael, encryption-decryption, normal basis, basis conversion, inversion

1. Introduction

The Rijndael algorithm consists of BytesSub, ShiftRow, MixColumns and AddRoundKey, which are substitutions and permutations. The different transformations operate on the intermediate result, called the State, which is pictured as a rectangular array of bytes. We are particularly interested in the BytesSub transformation, which consists of an inversion and an affine transformation operating on each of the State bytes independently. The substitution table (or S-box) is invertible and is constructed as the composition of these two transformations (inversion and affine). Many AES architectures attempt compaction of the S-box ([17], [14], [2]) or of the inverse function to improve overall performance.
The S-box is the largest component and in general requires more area than the other operations. Different approaches have been attempted for S-box compaction, varying from the use of subfields [13] to the use of lookup techniques. Recent approaches have used lookup tables for the S-box [11], but this tends to consume large amounts of area. For this reason research into optimisation of the S-box [3] is important in its own right. As bytes represent elements of the finite field GF(2^8), many attempts have been made to obtain efficient software and hardware implementations of the basic arithmetic operations (addition, multiplication and inversion) in GF(2^8). Finite field arithmetic can be further classified according to the choice of basis for representing the field elements: two common choices are the polynomial basis and the normal basis. The normal basis in particular is known to be more efficient for hardware implementation than the polynomial basis, because inversion can be achieved by repeated multiplication, typically using the method of Itoh and Tsujii [7], and squaring can be executed by a single cyclic shift. The mathematical notation of the normal basis may seem overly complex, but its implementation in hardware or software is easy: only AND, XOR and ROTATE operations are needed. The fact that these are the fastest operations available on any microprocessor is what makes the normal basis so attractive [12].

In this paper we propose a storage-efficient basis conversion algorithm, as a modification of [9], together with the inversion algorithm of Itoh and Tsujii [7], to speed up the encryption/decryption process in Rijndael, and especially in AES. More precisely, we propose the use of basis conversion from polynomial basis to normal basis and the use of the normal-basis inversion algorithm in BytesSub. In a normal basis, squaring is just a cyclic shift of the coordinates and therefore essentially free. As the Itoh and Tsujii method of inversion consists essentially of cyclic shifts and a few multiplications, it can speed up the inversion step of BytesSub.

This paper is organised as follows: in section 2 we give the mathematical background. In section 3 we present the basis conversion algorithms. The inversion algorithm is given in section 4 and its use in Rijndael in section 5. In the last section we give conclusions and suggestions for further research.

Proceedings of Regional Conference on Knowledge Integration in ICT 2010

2. Background

Several operations in Rijndael are defined at byte level, with bytes representing elements of the finite field GF(2^8).
A byte b, consisting of bits a7 a6 a5 a4 a3 a2 a1 a0, is considered as a polynomial with coefficients in {0,1}:

$$a_0 + a_1 x + a_2 x^2 + a_3 x^3 + a_4 x^4 + a_5 x^5 + a_6 x^6 + a_7 x^7 .$$

For example, the byte with hexadecimal value 57 (binary 01010111) corresponds to the polynomial 1 + x + x^2 + x^4 + x^6.

2.1 Addition

In the polynomial representation, the sum of two elements is the polynomial whose coefficients are the sums modulo 2 (i.e., 1 + 1 = 0) of the coefficients of the two terms. For example,

$$(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2 .$$

In binary notation: 01010111 + 10000011 = 11010100. Clearly, addition corresponds to a simple bitwise XOR at byte level. As every element is its own additive inverse, subtraction and addition are the same operation.

2.2 Multiplication

In the polynomial representation, multiplication in GF(2^8) corresponds to multiplication of polynomials modulo an irreducible polynomial of degree 8, i.e. a polynomial that has no divisors other than 1 and itself. For Rijndael, this polynomial is

$$m(x) = x^8 + x^4 + x^3 + x + 1 .$$

For example:

$$(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^{13} + x^{11} + x^9 + x^8 + x^7 + x^7 + x^5 + x^3 + x^2 + x + x^6 + x^4 + x^2 + x + 1$$



$$= x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 ,$$

and

$$x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 \bmod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1 .$$

(In byte notation, 57 · 83 = C1.) Clearly, the result is a binary polynomial of degree below 8. Unlike addition, there is no simple byte-level operation for multiplication. For any nonzero binary polynomial b(x) of degree below 8, the extended Euclidean algorithm can be used to compute polynomials a(x), c(x) such that

$$b(x)\,a(x) + m(x)\,c(x) = 1 .$$

Hence a(x) · b(x) mod m(x) = 1, i.e.

$$b^{-1}(x) = a(x) \bmod m(x) .$$

Moreover, a(x) · (b(x) + c(x)) = a(x) · b(x) + a(x) · c(x). It follows that the set of 256 possible byte values, with XOR as addition and the multiplication defined above, has the structure of a finite field.

2.3 Basis

A basis for GF(2^8) is a set of 8 elements v_0, v_1, ..., v_7 in GF(2^8) such that every element of the field can be written uniquely as a linear combination of the basis elements, i.e., given w in GF(2^8), we can write

$$w = \sum_{i=0}^{7} B[i]\, v_i ,$$

where B[0], ..., B[7] in GF(2) are the coefficients. The row vector B = (B[0], ..., B[7]) is called the representation of the element w in the basis v_0, v_1, ..., v_7. Two common choices of basis are the polynomial basis and the normal basis. A polynomial basis of GF(2^8) is a basis of the form {1, x, x^2, ..., x^7}, i.e., v_i = x^i, the powers of the generator x. A normal basis of GF(2^8) is a basis of the form {x, x^2, x^{2^2}, ..., x^{2^7}}, i.e., v_i = x^{2^i}, the conjugates of a normal element x (here x denotes a normal element, which in general is a different field element from the generator x of the polynomial basis). A normal basis exists for every finite field (see [10, Theorem 2.35]). In a normal basis, squaring is just a cyclic shift of the coordinates and therefore essentially free; this is what makes inversion by repeated multiplication and squaring, as in the method of Itoh and Tsujii [7], attractive in a normal basis, as discussed in the introduction. A combination of the normal basis and the polynomial basis can take advantage of the strengths of each for maximum efficiency.



3. Conversion Algorithm

Basis conversion is the computation of the representation of a finite field element in one basis, given its representation in another basis. The general solution is to apply the change-of-basis matrix relating the two bases. Suppose that we are converting from the representation B of w in the basis v_0, v_1, ..., v_7 to another basis. The representation A of w in the second basis can be computed as the matrix product

$$A^{T} = M B^{T} ,$$

where M is the 8 × 8 matrix whose columns are the representations of the v_i in the second basis, and A and B are viewed as row vectors of dimension n = 8. We can convert in the reverse direction by computing

$$B^{T} = M^{-1} A^{T} .$$

When v_0, ..., v_7 is the normal basis and the second basis is the polynomial basis, M is called the transition matrix from normal basis to polynomial basis and M^{-1} the transition matrix from polynomial basis to normal basis. As the matrix M is potentially quite large, we propose here a modification of [9] that converts from one basis to the other without storing the whole matrix or requiring a large number of operations. Using the properties of the normal basis and of the field operations, we obtain the following conversion algorithms.

3.1 Storage efficient algorithm

We will make use of these two lemmas.

Lemma 2. Let B be the normal basis representation of an element w, and let B' be the normal basis representation of the element w^2. Then for all 0 ≤ i ≤ 7,

$$B'[i] = B[(i - 1) \bmod 8] .$$

Lemma 3. Let x be the generator of a polynomial basis, A the polynomial basis representation of an element w and A' the polynomial basis representation of the element w · x^{-1}. Then, provided that A[0] = 0, for all 0 ≤ i ≤ 6,

$$A'[i] = A[i + 1] ,$$

and A'[7] = 0.

Lemma 2 shows that in a normal basis squaring rotates the coefficients up by one position. Lemma 3 shows that in a polynomial basis multiplication by the inverse x^{-1} of the generator x shifts the coefficients down by one position, provided that the coefficient at index 0 is initially 0 (otherwise the constant term would contribute x^{-1} = x^7 + x^3 + x^2 + 1 to the product rather than simply dropping out).
Using only the last row of the matrix M^{-1} together with Lemma 2, we obtain the polynomial-to-normal basis algorithm, and using only the first row of the matrix M together with Lemma 3, we obtain the normal-to-polynomial basis algorithm.

3.2.1. Polynomial Basis to Normal Basis

Input: A = (A[0], ..., A[7]), the representation of an element in polynomial basis.
Output: B = (B[0], ..., B[7]), the representation of the same element in normal basis.

    FOR i = 7 downto 0 DO
        B[i] ← 0
        FOR j = 7 downto 0 DO
            B[i] ← A[j] · M^{-1}[7, j] + B[i]
        ENDFOR
        A ← A^2
    ENDFOR

The inner loop computes the coordinate B[7] of the current element as the product of the last row of M^{-1} with A. Squaring the element then rotates its normal basis coordinates up by one position (Lemma 2), so that in the next iteration the same row yields B[6], and so on down to B[0].

Note: To obtain A^2, notice that if $w = \sum_{i=0}^{7} A[i]\, x^i$, then $w^2 = \sum_{i=0}^{7} A[i]\, x^{2i}$, since all cross terms vanish in characteristic 2. For i = 0, ..., 3 the power x^{2i} is already reduced; the representation of x^{2i} modulo m(x) for i = 4, ..., 7 is the following:

    i    x^{2i}    representation modulo m(x)
    4    x^8       x^4 + x^3 + x + 1
    5    x^10      x^6 + x^5 + x^3 + x^2
    6    x^12      x^7 + x^5 + x^3 + x + 1
    7    x^14      x^7 + x^4 + x^3 + x

3.2.2. Normal Basis to Polynomial Basis

Input: B = (B[0], ..., B[7]), the representation of an element in normal basis.
Output: A = (A[0], ..., A[7]), the representation of the same element in polynomial basis.
Constant: X^{-1}, the representation of x^{-1} in normal basis.

    FOR i = 0 to 7 DO
        A[i] ← 0
        FOR j = 0 to 7 DO
            A[i] ← B[j] · M[0, j] + A[i]
        ENDFOR
        B ← B − (A[i], ..., A[i])
        B ← B · X^{-1}
    ENDFOR

The inner loop computes the constant coefficient A[0] of the current element from the first row of M. Subtracting (A[i], ..., A[i]), which is the normal basis representation of the field element A[i] (the element 1 has the all-ones representation in any normal basis), clears that coefficient, so that the multiplication by x^{-1} shifts the remaining polynomial coefficients down (Lemma 3) and the next iteration yields A[i + 1]. The multiplication by X^{-1} is a normal basis multiplication and is the only non-trivial operation of the algorithm.

4. Inversion Algorithm

Efforts to develop normal basis multiplicative inversion algorithms in the finite fields GF(2^m) have produced only a limited number of choices. Al-Somani and Amin [1] made a survey and comparison of different inversion algorithms in normal basis, such as the methods of Wang et al. [15], Itoh and Tsujii [7], Feng [5], Fenn et al. [6], Jimenez Calvo and Torres [8] and Yen [16]. The exponent-decomposing inversion algorithm of Itoh and Tsujii was found to be the best, requiring only ⌊log2(m − 1)⌋ + w(m − 1) − 1 multiplications, where w denotes the Hamming weight (4 multiplications for m = 8), and hence the most efficient. The algorithm is shown below (taken from [4]):

    Input:  A
    Output: L = A^{-1}
    S := ⌊log2(7)⌋ − 1
    P := A
    for i := S downto 0 do
        R := 7 shifted right by S bits
        Q := P
        Rotate Q to the left by ⌊R/2⌋ bits
        T := P · Q
        if last bit of R = 1 then
            Rotate T to the left by 1 bit
            P := T · A
        else
            P := T
        end if
        S := S − 1
    end for
    Rotate P to the left by 1 bit
    L := P
    return L

The Itoh-Tsujii algorithm achieves inversion by computing the power A^{-1} = A^{2^8 − 2}, using a recursive decomposition of the exponent. With m − 1 = 7 = (111)_2 the loop builds A^{2^k − 1} for k = 1, 3, 7 as

$$A^{3} = A \cdot A^{2},\qquad A^{7} = (A^{3})^{2} \cdot A,\qquad A^{63} = A^{7} \cdot (A^{7})^{2^{3}},\qquad A^{127} = (A^{63})^{2} \cdot A ,$$

and the final rotation gives (A^{127})^2 = A^{254} = A^{2^8 − 2}. The efficiency of the algorithm rests on the free squaring property of the normal basis (every "Rotate to the left" above is a squaring) and on the reduction of the number of required multiplications to O(log m). It must be noted that the shift (left, right) and rotate operations in the algorithm refer to a bit ordering from 7 down to 0.

5. BytesSub using Normal Basis Inversion

The first step of each Rijndael round is BytesSub, which consists of the inversion of each byte of the State array followed by an affine transformation. Given an element A in GF(2^8), one may convert A into its normal basis representation and then find its inverse using the methods of the previous sections:

    PB representation  →  NB representation  →  Inverse in NB representation
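The following is an added worked example written for this edition; it is not code from the paper or its authors. It implements the polynomial basis (PB) arithmetic of section 2.2, the storage-efficient conversions 3.2.1 and 3.2.2, the Itoh-Tsujii listing of section 4 and the BytesSub pipeline of section 5 in Python, and lets the reader cross-check them against the full transition matrices and against the AES S-box. Everything beyond the paper's text is an assumption of the example: the normal element is found by search over GF(2^8) (the paper fixes none), normal basis multiplication uses the standard Massey-Omura λ-matrix construction rather than any multiplier the paper has in mind, the paper's "rotate to the left" is taken as rotation towards the higher coordinate index (the squaring direction of Lemma 2), and all function and constant names are the example's own.

```python
M_POLY = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1, bit i = coefficient of x^i
N = 8            # extension degree m

def parity(v):
    return bin(v).count("1") & 1

def pb_mul(a, b):   # PB multiplication modulo m(x), shift-and-add (section 2.2)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (M_POLY if a & 0x80 else 0), b >> 1   # reduce on overflow
    return r

def pb_pow(a, e):
    r = 1
    while e:
        r, a, e = (pb_mul(r, a) if e & 1 else r), pb_mul(a, a), e >> 1
    return r

def gf2_matvec(rows, v):   # rows[r] = row r of an 8x8 GF(2) matrix, bit j = entry [r, j]
    return sum(parity(rows[r] & v) << r for r in range(N))

def gf2_inverse(rows):   # Gauss-Jordan inverse over GF(2); None if singular
    aug = [rows[i] | 1 << (N + i) for i in range(N)]
    for c in range(N):
        piv = next((r for r in range(c, N) if aug[r] >> c & 1), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(N):
            if r != c and aug[r] >> c & 1:
                aug[r] ^= aug[c]
    return [row >> N for row in aug]

def find_normal_basis():
    """Search for a normal element (assumption: the paper fixes none); return
    the PB representations of v_i = gamma^(2^i), M and M^-1 (section 3)."""
    for gamma in range(2, 256):
        cols = [pb_pow(gamma, 1 << i) for i in range(N)]
        m_rows = [sum((cols[j] >> r & 1) << j for j in range(N)) for r in range(N)]
        m_inv = gf2_inverse(m_rows)
        if m_inv is not None:
            return cols, m_rows, m_inv
    raise AssertionError("a normal basis always exists")

V_COLS, M_ROWS, M_INV_ROWS = find_normal_basis()

def rot_up(v, k):   # rotate coordinates towards higher index: in NB, k squarings (Lemma 2)
    k %= N
    return ((v << k) | (v >> (N - k))) & 0xFF

# lambda-matrix: row i, bit j = NB coordinate 0 of v_i * v_j (obtained through M^-1).
LAMBDA = [sum((gf2_matvec(M_INV_ROWS, pb_mul(V_COLS[i], V_COLS[j])) & 1) << j
              for j in range(N)) for i in range(N)]

def nb_mul(a, b):
    """NB multiplication in Massey-Omura form (assumed, not from the paper):
    coordinate k of a*b is a^T LAMBDA b with both operands rotated down by k."""
    c = 0
    for k in range(N):
        ak, bk = rot_up(a, N - k), rot_up(b, N - k)
        c |= parity(ak & gf2_matvec(LAMBDA, bk)) << k
    return c

def pb_to_nb(a):
    """Algorithm 3.2.1: only the last row of M^-1 plus repeated squaring."""
    last_row, b = M_INV_ROWS[N - 1], 0
    for i in range(N - 1, -1, -1):
        b |= parity(last_row & a) << i   # B[7] of the current element
        a = pb_mul(a, a)                 # w <- w^2 (the paper uses the x^(2i) table)
    return b

X_INV_NB = pb_to_nb(pb_pow(0x02, 254))   # constant X^-1 of algorithm 3.2.2

def nb_to_pb(b):
    """Algorithm 3.2.2: only the first row of M, the constant X^-1 and NB arithmetic."""
    first_row, a = M_ROWS[0], 0
    for i in range(N):
        a_i = parity(first_row & b)      # A[0] of the current element
        a |= a_i << i
        b ^= 0xFF * a_i                  # B <- B - (A[i], ..., A[i]); 1 = all-ones in NB
        b = nb_mul(b, X_INV_NB)          # times x^-1: PB coefficients shift down (Lemma 3)
    return a

def nb_inverse(a):
    """Section 4 listing (Itoh-Tsujii), m = 8: 4 NB multiplications plus free rotations."""
    p = a
    for s in range((N - 1).bit_length() - 2, -1, -1):   # S = floor(log2 7) - 1 downto 0
        r = (N - 1) >> s                 # R = 7 shifted right by S bits: 3, then 7
        t = nb_mul(p, rot_up(p, r // 2)) # T = P * P^(2^floor(R/2))
        p = nb_mul(rot_up(t, 1), a) if r & 1 else t   # P = T^2 * A when R is odd
    return rot_up(p, 1)                  # (A^(2^7-1))^2 = A^(2^8-2) = A^-1

def affine(x):   # AES affine map of BytesSub, acting on a PB byte
    return x ^ rot_up(x, 1) ^ rot_up(x, 2) ^ rot_up(x, 3) ^ rot_up(x, 4) ^ 0x63

def sbox(a):   # section 5: PB -> NB -> inverse in NB -> PB -> affine; AES maps 0 to 0
    return affine(0 if a == 0 else nb_to_pb(nb_inverse(pb_to_nb(a))))
```

With this, pb_mul(0x57, 0x83) returns 0xC1, the product worked out in section 2.2, and sbox(0x53) returns 0xED, the FIPS-197 S-box value, so the whole PB → NB → inverse → PB → affine chain reproduces BytesSub for every byte. The full-matrix conversion gf2_matvec(M_INV_ROWS, a) is kept only as a reference to compare pb_to_nb against; the storage-efficient algorithms themselves touch a single row of each matrix, exactly as section 3 describes.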

The next step (the affine transformation) can be done either by converting back into the polynomial basis representation first, or by performing the remaining steps in the normal basis representation and converting back later.

6. Conclusion

We have described in this paper a combination of several algorithms: basis conversion and inversion in normal basis. These algorithms are theoretically efficient since they involve primarily finite field operations, and they are applicable to AES, in particular to BytesSub, which consists of inversion and affine transformation. For further research, one may try to modify the S-box used in BytesSub by applying the converted basis in the affine transformation as well, and to build an implementation of this combination of algorithms in order to compare Rijndael without and with the normal basis. Another direction is the use of composite fields. As GF(2^8) is isomorphic to

the composite field GF((2^2)^4), one may also try to use composite field algorithms and some modification of the polynomial-normal basis conversion in AES, especially in BytesSub and MixColumns.

References

[1] T. F. Al-Somani and A. Amin, Hardware Implementations of GF(2^m) Arithmetic using Normal Basis, Journal of Applied Sciences 6 (6): 1362-1372, 2006.
[2] F. Burns, J. Murphy, A. Koelmans and A. Yakovlev, Efficient AES LookUp Implementation using Normal Basis, Technical Report Series, School of Electrical, Electronic and Computer Engineering, Merz Court, University of Newcastle Upon Tyne, 2008.
[3] D. Canright, A Very Compact S-box for AES, Proc. 7th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES 2005), LNCS 3659, pp. 441-455, 2005.
[4] J. P. Deschamps, J. L. Imana and G. D. Sutter, Hardware Implementation of Finite-Field Arithmetic, McGraw-Hill, 2009.
[5] G. L. Feng, A VLSI Architecture for Fast Inversion in GF(2^m), IEEE Trans. Computers, 38: 1383-1386, 1989.
[6] S. T. J. Fenn, M. Benaissa and D. Taylor, Fast Normal Basis Inversion in GF(2^m), Electronics Letters, 32: 17, 1996.
[7] T. Itoh and S. Tsujii, A Fast Algorithm for Computing Multiplicative Inverses in GF(2^m) Using Normal Bases, Information and Computation, vol. 78, pp. 171-177, 1988.
[8] I. Jimenez Calvo and M. Torres, Complexity of the Inversion in GF(2^m), Electronics Letters, 1997.
[9] B. Kaliski and Y. L. Yin, Storage-Efficient Finite Field Basis Conversion, in S. Tavares and H. Meijer (Eds.): SAC'98, LNCS 1556, pp. 81-93, 1999.
[10] R. Lidl and H. Niederreiter, Finite Fields, volume 20 of Encyclopedia of Mathematics and Its Applications, Addison-Wesley, 1983.
[11] M. McLoone and J. McCanny, Rijndael FPGA Implementation utilizing Look-Up Tables, Journal of VLSI Signal Processing Systems, Vol. 34, no. 3, Aug. 2003.
[12] M. Rosing, Implementing Elliptic Curve Cryptography, Manning Publications Co., 1999.
[13] S. Tillich, M. Feldhofer and J. Großschädl, Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-box, Proc. Embedded Computer Systems: Architectures, Modeling, and Simulation, LNCS 4017, pp. 457-466, Jul. 2006.
[14] I. Verbauwhede, P. Schaumont and H. Kuo, Design and Performance Testing of a 2.29 Gb/s Rijndael Processor, IEEE Journal of Solid-State Circuits, Vol. 38, no. 3, Mar. 2003.
[15] C. C. Wang, T. K. Truong, H. M. Shao, L. J. Deutsch, J. K. Omura and I. Reed, VLSI Architectures for Computing Multiplications and Inverses in GF(2^m), IEEE Trans. Computers, 34: 709-716, 1985.
[16] S. Yen, Improved Normal Basis Inversion in GF(2^m), Electronics Letters, 33: 196-197, 1997.
[17] N. Yu and H. Heys, Investigation of Compact Hardware Implementation of the Advanced Encryption Standard, Proc. IEEE Conf. CCECE, Saskatoon, Saskatchewan, pp. 1069-1072, May 2005.


