Standard (Rijndael)
Códigos y Criptografía
secure ciphers
Source code in C
Test vectors
AES: Candidates
Round 1, June 1998:
15 Candidates
from USA, Canada, Belgium, France, Germany, Norway,
UK, Israel, Korea, Japan, Australia, Costa Rica.
Security, Software efficiency
Round 2, August 1999:
5 final candidates
Mars, RC6, Rijndael, Serpent, Twofish
Security, Hardware efficiency
October 2000
1 winner: Rijndael
Belgium
AES: Candidates
USA: Mars, RC6, Twofish, Safer+, HPC
Canada: CAST-256, Deal
Costa Rica: Frog
Australia: LOKI97
Japan: E2
Korea: Crypton
Belgium: Rijndael
France: DFC
Germany: Magenta
Israel, GB, Norway: Serpent
America (8) Europe (4) Asia (2)
Australia (1)
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Middle-of-the-Road
7. CAST-256 -2
8. Safer+ -4
9. DFC -5
Mild NO
10. Crypton -15
Overwhelming NO
11. DEAL -70
12. HPC -77
13. Magenta -83
14. Loki97 -85
15. Frog -85
AES: Candidates
Survey filled by 104 participants of the
Second AES Conference in Rome, March 1999
Overwhelming YES:
1. Rijndael +76
2. RC6 +73
3. Twofish +61
4. Mars +52
5. Serpent +45
Mild YES
6. E2 +14
AES: Final 5
USA
Mars - IBM
C. Burwick, D. Coppersmith, E. D'Avignon,
R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
L. O'Connor, M. Peyravian, D. Safford,
N. Zunic
RC6 - RSA Data Security, Inc.
R. Rivest - MIT
M. Robshaw, R. Sidney, Y. L. Yin - RSA
Twofish - Counterpane Systems
B. Schneier, J. Kelsey, C. Hall, N. Ferguson
- Counterpane, D. Whiting - Hi/fn,
D. Wagner - Berkeley
AES: Final 5
Europe
Rijndael - J. Daemen, V. Rijmen
Katholieke Universiteit Leuven
Belgium
Serpent - R. Anderson, Cambridge, England
E. Biham - Technion, Israel
L. Knudsen, University of Bergen, Norway
AES Finalists (2)
Ron Rivest
rivest@mit.edu
Matt Robshaw
mrobshaw@supanet.com
yiqun@nttmcl.com
Simplicity
Facilitates and encourages analysis
allows rapid understanding of security
makes direct analysis straightforward
(contrast with Mars and Twofish)
(30%)
Java
(20%)
DSP
(15%)
64-bit
(15%)
Hardware
(15%)
8-bit
(5%)
Ease of implementation
Simplicity
Flexibility
Overall:
40/25/15/10/10
Conclusions
RC6 is a simple yet remarkably strong cipher
good performance on most important platforms
simple to code for good performance
excellent flexibility
the most studied finalist
the best understood finalist
(The End)
conservative construction
Minuses:
slow in software
moderate flexibility
fastest in hardware
security margin
novel ideas
Minuses:
security margin
US
strongly advertized
Minuses:
moderate flexibility
Rijndael OverView
3 Design Goals:
1. Resistance against known attacks
2. Speed and code compactness on a variety of
platforms
3. Design simplicity
Rijndael OverView
Vincent Rijmen,
Block cypher
Symmetric key
Arithmetic based in the Galois Field GF(2^8)
Fast and scalable
Resistant to all known cryptanalysis attacks
Rijndael
The block cipher Rijndael is designed to use only
simple whole-byte operations. Also, it provides
extra flexibility over that required of an AES
candidate, in that both the key size and the block
size may be chosen to be any of 128, 192, or 256
bits.
Rijndael OverView
2.
3.
Rijndael
During an early stage of the AES process, a draft
version of the requirements would have required
each algorithm to have three versions, with both the
key and block sizes equal to each of 128, 192, and
256 bits. This was later changed to make the three
required versions have those three key sizes, but
only a block size of 128 bits, which is more easily
accommodated by many types of block cipher
design.
Rijndael
The original description of Rijndael is available at:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
However, the variations of Rijndael which act on larger
block sizes apparently will not be included in the actual
standard, on the basis that the cryptanalytic study of
Rijndael during the standards process primarily focused on
the version with the 128-bit block size.
Rijndael is a relatively simple cipher in many respects.
10 if both the block and the key are 128 bits long.
2.
3.
Rijndael OverView
Each round consists of 4 steps
Rijndael OverView
The basic operations applied to the block are:
1) ByteSub: Applying an S-box (substituting each
byte with another, based on an equation in GF(2^8));
2) ShiftRow: Shifting the rows in a circular way, the
amount of shift (0, 1, 2, 3, or 4 bytes) depending on the
position from the top and on the block size,
3) MixColumn: Mixing the 4, 6, or 8 columns vertically
by taking invertible linear combinations (in GF(2^8)) of
the elements in each column; and
4) Round Key Addition: XORing each byte with a round
key (done before the first round for whitening, and
again at the end of each round).
Rijndael: Algorithm
Rijndael CypherAES(data_block, key)
{ in: State, RoundKeys
  State ← State xor RoundKey[0]
  for Round = 1 to Nr
    SubBytes(State)
    ShiftRow(State)
    if not (last Round) then MixColumn(State)
    State ← State xor RoundKey[Round]
  out: State }
9 of them!!
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Rijndael
$$
\begin{pmatrix}
b_0 & b_4 & b_8 & b_{12} \\
b_1 & b_5 & b_9 & b_{13} \\
b_2 & b_6 & b_{10} & b_{14} \\
b_3 & b_7 & b_{11} & b_{15}
\end{pmatrix}
$$
Francisco Rodríguez Henríquez
$$
\begin{pmatrix}
b_0 & b_4 & b_8 & b_{12} \\
b_1 & b_5 & b_9 & b_{13} \\
b_2 & b_6 & b_{10} & b_{14} \\
b_3 & b_7 & b_{11} & b_{15}
\end{pmatrix}
$$
$$
\begin{pmatrix}
S(b_0) & S(b_4) & S(b_8) & S(b_{12}) \\
S(b_1) & S(b_5) & S(b_9) & S(b_{13}) \\
S(b_2) & S(b_6) & S(b_{10}) & S(b_{14}) \\
S(b_3) & S(b_7) & S(b_{11}) & S(b_{15})
\end{pmatrix}
$$
Rijndael: S-Box
99 124 119 123 242 107 111 197 48 1 103 43 254 215 171 118
202 130 201 125 250 89 71 240 173 212 162 175 156 164 114 192
183 253 147 38 54 63 247 204 52 165 229 241 113 216 49 21
4 199 35 195 24 150 5 154 7 18 128 226 235 39 178 117
9 131 44 26 27 110 90 160 82 59 214 179 41 227 47 132
83 209 0 237 32 252 177 91 106 203 190 57 74 76 88 207
208 239 170 251 67 77 51 133 69 249 2 127 80 60 159 168
81 163 64 143 146 157 56 245 188 182 218 33 16 255 243 210
205 12 19 236 95 151 68 23 196 167 126 61 100 93 25 115
96 129 79 220 34 42 144 136 70 238 184 20 222 94 11 219
224 50 58 10 73 6 36 92 194 211 172 98 145 149 228 121
231 200 55 109 141 213 78 169 108 86 244 234 101 122 174 8
186 120 37 46 28 166 180 198 232 221 116 31 75 189 139 138
112 62 181 102 72 3 246 14 97 53 87 185 134 193 29 158
225 248 152 17 105 217 142 148 155 30 135 233 206 85 40 223
140 161 137 13 191 230 66 104 65 153 45 15 176 84 187 22
S-Box Arithmetic
Elements in G := GF(2^8, 1+a+a^3+a^4+a^8)
n_hex → n_bin → (polynomial with n's bits for coeffs)
Arithmetic in Z_2 (+/*), then mod by 1+a+a^3+a^4+a^8
polynomial → n_bin → n_hex
ByteSub(x) = A·x^-1 + 63_hex
Precompute and use look-up table
1
1
1
1
1
0
0
0
0
1
1
1
1
0
0
1
1
1
0
0
0
1
1
1
0
0
0
1
1
1
0
0
0
1
1
1
0
0
from                      to
1 5  9 13 17 21           1  5  9 13 17 21
2 6 10 14 18 22           6 10 14 18 22  2
3 7 11 15 19 23          11 15 19 23  3  7
4 8 12 16 20 24          16 20 24  4  8 12

from                            to
1 5  9 13 17 21 25 29           1  5  9 13 17 21 25 29
2 6 10 14 18 22 26 30           6 10 14 18 22 26 30  2
3 7 11 15 19 23 27 31          15 19 23 27 31  3  7 11
4 8 12 16 20 24 28 32
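The from/to tables above, as an added example that is not part of the original slides: ShiftRow and its inverse for states of 4, 6 or 8 columns. The function names and the `OFFSETS` table layout are this example's own; the per-row offsets are those of the Rijndael proposal, and the numbered state is constructed to match the slide's cell numbering.

```python
# Row offsets (rows 0..3) for each number of columns Nb in the state.
# Nb = 4, 6, 8 corresponds to block sizes of 128, 192 and 256 bits.
OFFSETS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}


def shift_row(state, inverse=False):
    """Rotate each row of a 4 x Nb state; returns a new state.

    Forward direction rotates left by the row's offset, the inverse
    (InvShiftRow) rotates right by the same amount.
    """
    nb = len(state[0])
    if len(state) != 4 or nb not in OFFSETS or any(len(r) != nb for r in state):
        raise ValueError("state must be 4 rows of 4, 6 or 8 columns")
    out = []
    for row, c in zip(state, OFFSETS[nb]):
        if inverse:
            c = nb - c          # right by c is the same as left by Nb - c
        c %= nb
        out.append(row[c:] + row[:c])
    return out


def numbered_state(nb):
    """Constructed sample: cells numbered 1..4*Nb down the columns."""
    return [[4 * col + row + 1 for col in range(nb)] for row in range(4)]


if __name__ == "__main__":
    for nb in (4, 6, 8):
        print(f"Nb = {nb}")
        for before, after in zip(numbered_state(nb), shift_row(numbered_state(nb))):
            print("  ", before, "->", after)
```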
If the result has more than 8 bits, the extra bits are not
simply discarded: instead, they're cancelled out by XORing
the binary 9-bit string 100011011 with the result (shifted
right if necessary). This string stands for the generating
polynomial of the particular version of GF(2^8) used by
Rijndael.
First bits of the expanded key are set to the bits of the
cipher key
r(i) = 00000010^((i-4)/4)
For keys 128 and 192 bits in length, the subkey material,
which consists of all the round keys in order, consists of the
original key, followed by stretches, each the length of the
original key, consisting of four-byte words such that each
word is the XOR of the preceding four-byte word and either
the corresponding word in the previous stretch or a function
of it.
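An added example, not code from the original slides, tying together three passages: reduction by the 9-bit string 100011011, the S-box arithmetic ByteSub(x) = A·x^-1 + 63 hex, and the key schedule for a 128-bit key. Function names are this example's own, and writing A as an XOR of bit rotations is an equivalent form chosen here for brevity.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo 1+a+a^3+a^4+a^8 (100011011)."""
    r = 0
    while b:
        if b & 1:
            r ^= a              # addition of polynomials over Z_2 is XOR
        a <<= 1
        if a & 0x100:           # a 9th bit appeared: cancel it with the modulus
            a ^= 0x11B
        b >>= 1
    return r


def ginv(a):
    """Multiplicative inverse computed as a^254; 0 has none and maps to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def byte_sub(x):
    """ByteSub(x) = A * x^-1 + 63 hex, with A expressed as XORed rotations."""
    i = ginv(x)
    return i ^ rotl8(i, 1) ^ rotl8(i, 2) ^ rotl8(i, 3) ^ rotl8(i, 4) ^ 0x63


SBOX = [byte_sub(x) for x in range(256)]    # the precomputed look-up table


def expand_key_128(key):
    """Return the 11 round keys (16 bytes each) for a 128-bit cipher key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]  # first words = the key
    rcon = 1                                            # r(4) = 00000010^0
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:          # first word of a stretch gets the function
            t = [SBOX[b] for b in t[1:] + t[:1]]        # rotate, then S-box
            t[0] ^= rcon                                # add round constant
            rcon = gmul(rcon, 2)                        # next power of 00000010
        w.append([p ^ q for p, q in zip(w[i - 4], t)])
    return [bytes(b for word in w[4 * r:4 * r + 4] for b in word)
            for r in range(11)]
```

The derived table can be compared entry by entry with the decimal S-box listed earlier on the page.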
16
54 108
216
171
77 154
94 188 99
198
151
53 106 212
239
197 145
27
32
64 128
47
57 114
Rijndael: Decryption
Inverse Cypher:
Reverse Steps
Rijndael: Decryption
1. The inverse of ByteSub is another lookup
table, called InvByteSub.
2. The inverse of ShiftRow is obtained by
shifting the rows to the right instead of to
the left, yielding InvShiftRow.
3.
$$
\begin{pmatrix}
E & B & D & 9 \\
9 & E & B & D \\
D & 9 & E & B \\
B & D & 9 & E
\end{pmatrix}
$$
9 of them!!
Where:
ARK = Add Round Key
BSB = Byte Sub Block
SR = Shift Row
MC = Mix Column
Rijndael: Decryption
4.
Rijndael: Decryption
II.
Rijndael: Decryption
i, j
i, j
i, j
i, j
i, j
i, j
(e_{i,j}), namely,
$$(c_{i,j}) = (m_{i,j})^{-1}(e_{i,j}) \oplus (m_{i,j})^{-1}(k_{i,j}).$$
Rijndael: Decryption
Therefore the decryption process to follow is:
$$(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \rightarrow (m_{i,j})^{-1}(e_{i,j}) \oplus (k'_{i,j}),$$
where $(k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j})$.
Rijndael: Decryption
We now see that decryption is given by:
ARK, IBS, ISR
IMC, IARK, IBS, ISR;
IMC, IARK, IBS, ISR;
.....
IMC, IARK, IBS, ISR;
ARK.
Summarizing we have the following procedures to perform
encryption/decryption with Rijndael algorithm:
Rijndael: Encryption
1.
2.
3.
A final round: BS, SR, ARK, using the 10th round key.
Rijndael: Decryption
1.
2.
3.
A final round: IBS, ISR, ARK, using the 0th round key.
(BS, SR), (MC, ARK), (BS, SR), ..., (MC, ARK), (BS, SR),
followed by a final ARK.
different.