10 years of Rijndael, Vincent Rijmen (PowerPoint PPT presentation)



  1. 10 years of Rijndael Vincent Rijmen

  2. Overview
  • The AES process (participant’s perspective)
  • Rijndael
  • Security of Rijndael/AES
  • Spreading of AES
  • Stream ciphers: competitors?
  • Conclusions

  3. The early years (1997)
  • Differential and linear attacks on DES (‘91, ‘93)
  • 3-DES is slow on (then) modern processors
  • EFF builds “Deep Crack” (‘97)
  • NIST launches a competition

  4. AES process
  • 1997: public call for submission of new ciphers
  • Encrypts blocks of 128 bits
  • Keys of length 128, 192 or 256 bits
  • To be available royalty-free
  • August 1998: first AES conference

  5. Some opinions
  • “Is there enough time for people to invent strong 128-bit block ciphers? Probably not.” (Bruce Schneier, April 15, 1997)
  • “The theoretical security level of most of the AES candidates will be 2^100 or less if about 5 to 10 man-years are spent in serious cryptanalytic effort.” (Lars R. Knudsen, April 5, 1999)

  6. Public evaluation
  • Only public comments taken into account
  • Decisions by NIST, motivated by public reports
  • Most analysis done by the public
  • NSA had the right to veto NIST’s decision

  7. Evaluation criteria
  • Security
  • Efficiency
  • Intellectual Property issues
  • Flexibility
  • Elegance, ability to prove absence of trapdoors, …

  8. AES decision process
  Two rounds of one year each:
  1. Evaluation round (15 candidates)
    – Security
    – Software performance
    – 7-8 candidates performing well
  2. Selection round (5 candidates)
    – Hardware performance
    – “Other criteria”
  September 2000: announcement of winner Rijndael
  November 2001: AES FIPS becomes active

  9. WIDE TRAIL DESIGN STRATEGY AND RIJNDAEL

  10. Rijndael design history (timeline 1990-2000)
  • PhD Daemen
  • PhD Rijmen
  • AES process
  • 1996: Shark
  • 1997: Square
  • 1998: BKSQ, Rijndael

  11. Rijndael evolution
  • ‘94: BaseKing
    – Definition of optimal diffusion
  • ‘96: SHARK
    – MDS diffusion, S-box x → x^-1
  • ‘97: Square, BKSQ
    – Matrix state
    – Square attack
    – Related key concerns
  • ‘98: Rijndael

  12. Iterative block cipher
  (diagram: plaintext p passes through a sequence of rounds, each taking a round key from the key schedule; intermediate results between the rounds; output is ciphertext c)

  13. Design trade-off
  • Luke O’Connor (IBM): “Most ciphers are secure after sufficiently many rounds”
  • James L. Massey (ETH Zuerich): “Most ciphers are too slow after sufficiently many rounds”
  • Design challenge:
    – security AND performance
    – provability

  14. General design philosophy
  1. Keep it simple
    – Maximize symmetry
      • Over rounds
      • Within round transformation
    – All operations in 1 algebra
      • Finite field GF(256)
    – Small number of building blocks
      • Only add when necessity demonstrated

  15. General design philosophy
  2. Performance is important
    – On variety of platforms
    – One security margin is enough
  3. Don’t reinvent the wheel
    – Coding theory
    – Existing S-boxes

  16. Key-alternating cipher
  (diagram: the iterative block cipher of slide 12, with each round key XORed into the state)
  • All key dependency is through XOR
  • Analysis of security against differential and linear attacks becomes easier

  17. Iterative block cipher
  (diagram: each round is a layer of S-boxes followed by a mixing transformation; round keys come from the key schedule)
  • Substitution boxes: permutations on GF(2^m)
  • Mixing transformation: linear over GF(2), GF(2^m)
  • Key schedule: ignored in basic attacks

  18. Differential Cryptanalysis
  • Instead of looking at values, look at differences
  • Addition with an unknown, but fixed, key doesn’t change a difference: (a + k) – (b + k) = a – b
  • Linear maps: deterministic propagation
  • Nonlinear maps: probabilistic propagation
  • Propagation path = characteristic Q
  • Security: keep Pr(Q) low

  19. Wide trail design strategy
  Make the bound on Pr(Q) easy to compute:
  1. Compute a bound for Pr(Q) over 1 active S-box: d = max_{Q ≠ (0,0)} Pr(Q)
  2. Compute a bound on the number of active S-boxes: z = minimum number of active S-boxes
  Together: Pr(Q) ≤ d^z

  20. Bounding z: 1 round
  (diagram: one layer of S-boxes followed by the mixing transformation)
  • Min 1 active S-box per round
  • Independent of mixing transformation

  21. Two rounds
  (diagram: a0 → S-boxes → mixing transformation → a1 → S-boxes → mixing transformation → a2)
  • Diffusion criterion for mixing transformation
    – minimum number of active S-boxes in a0 + a1
    – Branch number B
    – B ≤ number of inputs plus 1

  22. Optimal Mixing Transformation
  (diagram: x → mixing transformation → y)
  • (x, y) with y = m(x) can be seen as an error-correcting code
  • B corresponds to the minimum distance of this code
  • Maximum B: take a Maximum Distance Separable (MDS) code

  23. Design the Mixing Transformation
  • Take a (2n,n,d)-code
  • Compute the generator matrix in echelon form: G = [I A]
  • Mixing transformation: y = m(x) = Ax

  24. Shark, Khazad
  • (16,8,9)-code over GF(256)
  • Block length n = 8 x 8 = 64
  • Optimal 2-round mixing
  • Slow on software platforms of the 1990’s

  25. Code concatenation (Forney 1966)
  • Outer code and inner code
  • C_in: (n,k,d)-code over GF(q)
  • C_out: (N,K,D)-code over GF(q^k)
  • Outer code uses as symbols the message words of the inner code
  • Together: (nN,kK,dD)-code over GF(q)

  26. Concatenated code
  (diagram: four layers of S-boxes; the Mixing 1 layers realise the inner code C_in, the Mixing 2 layer in the middle realises the outer code C_out)

  27. Four-round view
  (diagram: a0 → S-boxes → mixing transformation → a1 → … → a4, four rounds in sequence)

  28. Square, AES, Anubis, ...
  • C_in: (8,4,5)-code over GF(256)
  • C_out: (8,4,5)-code over GF(256^4)
  • Together: (64,16,25)-code
  • Block length 16 x 8 = 128
  • Ciphers are still iterative due to special relation between Mixing 1 and Mixing 2

  29. Avalanche of bit flips
  (diagram: the iterative block cipher of slide 12, plaintext p to ciphertext c through the rounds, with round keys from the key schedule)

  30. Rijndael
  • Substitution-Permutation Network with 10/12/14 rounds
  • Round: composed of 4 steps:
    – SubBytes: non-linearity
    – ShiftRows: inter-column diffusion
    – MixColumns: inter-byte diffusion within columns
    – AddRoundKey

  31. Message input representation
  (diagram: 4 x 8 array of bytes a_{i,j}, i = 0..3, j = 0..7)
  • Rectangular array of bytes:
    – 4 rows
    – 4, 6, or 8 columns (128-, 192-, 256-bit input)
    – AES: 4 columns only

  32. Rijndael field
  • Operations defined over GF(256)
    – (sometimes: over GF(2))
  • Representation:
    – Polynomials of degree < 8, with binary coefficients
    – Modulo x^8 + x^4 + x^3 + x + 1
    – Shortened to two hex numbers
      • E.g. 12 → x^4 + x

  33. Step 1: Substitute Bytes
  (diagram: each byte a_{i,j} of the 4 x 4 state is replaced by b_{i,j} = S(a_{i,j}))
  • Bytes are transformed by invertible S-box.
  • One S-box (lookup table) for complete cipher:
    – High non-linearity
    – Complex algebraic expression

  34. Rijndael S-box
  • x → x^-1
    – Maximal nonlinearity for invertible 8-bit map, i.e. 7
    – Good (maybe optimal) resistance against differential cryptanalysis
  • Followed by affine map (GF(2))
    – Destroying regularity
    – Complicating algebraic attacks (somewhat)

  35. Round step 2: Shift Rows
  (diagram: the four rows of the state before and after the cyclic shift, e.g. g h i j → h i j g and b c d e → e b c d)
  • Rows are shifted over 4 different offsets
    – (Offsets depend on number of columns)
  • High diffusion over multiple rounds:
    – Interaction with MixColumns
    – Bits flip in minimum 25 S-boxes per 4 rounds

  36. Step 3: Mix Columns

    ⎡ b_{0,j} ⎤   ⎡ 2 3 1 1 ⎤   ⎡ a_{0,j} ⎤
    ⎢ b_{1,j} ⎥ = ⎢ 1 2 3 1 ⎥ ⊗ ⎢ a_{1,j} ⎥
    ⎢ b_{2,j} ⎥   ⎢ 1 1 2 3 ⎥   ⎢ a_{2,j} ⎥
    ⎣ b_{3,j} ⎦   ⎣ 3 1 1 2 ⎦   ⎣ a_{3,j} ⎦

  • Columns transformed by matrix over GF(2^8)
  • High intra-column diffusion:
    – based on theory of error-correcting (MDS) codes
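Worked example (added here, not code from the slides or from the Rijndael designers): the building blocks of slides 32, 34 and 36 in Python, with GF(256) arithmetic modulo x^8 + x^4 + x^3 + x + 1, the S-box as inversion followed by the affine map, MixColumns with the matrix above, and a check that the MixColumns matrix A is MDS, i.e. that the code [I A] of slide 23 has minimum distance 5 and hence branch number B = 5 (slides 21-22). The constant 0x63 and the rotation form of the affine map are taken from the AES specification, not from the slides.

```python
from functools import reduce
from itertools import combinations
from operator import xor

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial (slide 32)

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(256); the S-box maps 0 to 0 by convention."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def sbox(a):
    """Rijndael S-box: x -> x^-1, followed by the GF(2)-affine map (slide 34)."""
    x = gf_inv(a)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # slide 36

def mix_column(col):
    """MixColumns on one 4-byte column: y = A x with A = MIX over GF(256)."""
    return [reduce(xor, map(gf_mul, row, col)) for row in MIX]

def gf_det(m):
    """Determinant over GF(256) by Laplace expansion; signs vanish in characteristic 2."""
    if len(m) == 1:
        return m[0][0]
    return reduce(xor, (gf_mul(m[0][j], gf_det([r[:j] + r[j + 1:] for r in m[1:]]))
                        for j in range(len(m))))

def is_mds(a):
    """[I A] is an MDS code, i.e. the mixing map has branch number len(a) + 1
    (slides 21-23), iff every square submatrix of A is nonsingular."""
    n = len(a)
    return all(gf_det([[a[r][c] for c in cols] for r in rows]) != 0
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))
```

Replacing MIX by a matrix with a zero entry or a singular 2x2 minor makes is_mds return False, which is exactly the failure of the branch-number criterion on slide 21.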

  37. Key addition
  (diagram: state a + round key k = state b, byte by byte)
  • Makes round function key-dependent
  • Round keys derived in a simple way from the master key

  38. Key input representation
  (diagram: 4 x 8 array of bytes k_{i,j}, i = 0..3, j = 0..7)
  • Rectangular array of bytes:
    – 4 rows
    – 4, 6, or 8 columns (128-, 192-, 256-bit key)
