10 years of Rijndael Vincent Rijmen Overview The AES process - - PowerPoint PPT Presentation



slide-1
SLIDE 1

10 years of Rijndael

Vincent Rijmen

slide-2
SLIDE 2

Overview

  • The AES process (participant’s perspective)
  • Rijndael
  • Security of Rijndael/AES
  • Spreading of AES
  • Stream ciphers: competitors?
  • Conclusions
slide-3
SLIDE 3

The early years (1997)

  • Differential and linear attacks on DES (‘91, ‘93)
  • 3-DES is slow on (then) modern processors
  • EFF builds “Deep Crack” (‘97)
  • NIST launches a competition
slide-4
SLIDE 4

AES process

  • 1997: public call for submission of new ciphers
  • Encrypt blocks of 128 bits
  • Key of lengths 128, 192, 256
  • To be available royalty-free
  • August 1998: first AES conference
slide-5
SLIDE 5

Some opinions

  • “Is there enough time for people to invent strong 128-bit block ciphers? Probably not.” Bruce Schneier, April 15, 1997

  • “The theoretical security level of most of the AES candidates will be 2^100 or less if about 5 to 10 man-years are spent in serious cryptanalytic effort.” Lars R. Knudsen, April 5, 1999

slide-6
SLIDE 6

Public evaluation

  • Only public comments taken into account
  • Decisions by NIST, motivated by public reports
  • Most analysis done by the public
  • NSA had the right to veto NIST’s decision
slide-7
SLIDE 7

Evaluation criteria

  • Security
  • Efficiency
  • Intellectual Property issues
  • Flexibility
  • Elegance, ability to prove absence of trapdoors,

slide-8
SLIDE 8

AES decision process

Two rounds of one year each:

  • 1. Evaluation round (15 candidates)

– Security
– Software performance
– 7-8 candidates performing well

  • 2. Selection round (5 candidates)

– Hardware performance
– “Other criteria”

September 2000: announcement of winner Rijndael
November 2001: AES FIPS becomes active

slide-9
SLIDE 9

WIDE TRAIL DESIGN STRATEGY AND RIJNDAEL

slide-10
SLIDE 10

Rijndael design history

  • PhD Daemen
  • PhD Rijmen
  • AES process
  • 1996: Shark
  • 1997: Square
  • 1998: BKSQ, Rijndael

[Figure: timeline bar with marks 1990-, 1995-, 2000-]
slide-11
SLIDE 11

Rijndael evolution

  • ‘94: BaseKing

– Definition of optimal diffusion

  • ‘96: SHARK

– MDS diffusion, S-box x → x^-1

  • ‘97: Square, BKSQ

– Matrix state
– Square attack
– Related key concerns

  • ‘98: Rijndael
slide-12
SLIDE 12

Iterative block cipher

[Figure: iterative block cipher. Plaintext p passes through a chain of rounds (round, round, ..., round) to ciphertext c; the key feeds a Key Schedule that supplies each round; intermediate results sit between the rounds.]

slide-13
SLIDE 13

Design trade-off

  • Luke O’Connor (IBM):

“Most ciphers are secure after sufficiently many rounds”

  • James L. Massey (ETH Zürich):

“Most ciphers are too slow after sufficiently many rounds”

  • Design challenge:

– security AND performance
– provability

slide-14
SLIDE 14

General design philosophy

1. Keep it simple

– Maximize symmetry

  • Over rounds
  • Within round transformation

– All operations in 1 algebra

  • Finite field GF(256)

– Small number of building blocks

  • Only add when necessity demonstrated
slide-15
SLIDE 15

General design philosophy

2. Performance is important

– On variety of platforms
– One security margin is enough

3. Don’t reinvent the wheel

– Coding theory
– Existing S-boxes

slide-16
SLIDE 16

Key-alternating cipher

  • All key dependency is through XOR
  • Analysis of security against differential and linear attacks is easier

[Figure: key-alternating cipher: plaintext p → round → round → ... → round → ciphertext c, with the key expanded by the Key Schedule and XORed in between the rounds.]

slide-17
SLIDE 17

Iterative block cipher

[Figure: one round as a layer of S-boxes (S S S ... S) followed by the mixing transformation; the Key Schedule feeds the chain of rounds.]

  • Substitution boxes: permutations on GF(2^m)
  • Mixing transformation: linear over GF(2), GF(2^m)
  • Key schedule: ignored in basic attacks
slide-18
SLIDE 18

Differential Cryptanalysis

  • Instead of looking at values, look at differences
  • Addition with an unknown, but fixed, key doesn’t change a difference: (a + k) – (b + k) = a – b
  • Linear maps: deterministic propagation
  • Nonlinear maps: probabilistic propagation
  • Propagation path = characteristic Q
  • Security: keep Pr(Q) low
slide-19
SLIDE 19

Wide trail design strategy

Make bound on Pr(Q) easy to compute:

1. Compute bound for Pr(Q) over 1 active S-box: d = max_{Q ≠ (0,0)} Pr(Q)
2. Compute bound on number of active S-boxes: z = minimum number of active S-boxes

Together: Pr(Q) ≤ d^z

slide-20
SLIDE 20

Bounding z: 1 round

[Figure: one round: S-boxes S S S S S S S S S feeding the mixing transformation.]

  • Min 1 active S-box per round
  • Independent of mixing transformation
slide-21
SLIDE 21

Two rounds

[Figure: two consecutive rounds, with a0 the input of the first S-box layer, a1 the input of the second (after the mixing transformation) and a2 the output.]

  • Diffusion criterion for mixing transformation

– minimum number of active S-boxes in a0 + a1
– Branch number B
– B ≤ number of inputs plus 1

slide-22
SLIDE 22

Optimal Mixing Transformation

[Figure: mixing transformation mapping input x to output y.]

  • (x,y) with y = m(x) can be seen as an error-correcting code
  • B corresponds to the minimum distance of this code
  • Maximum B: take a Maximum Distance Separable (MDS) code

slide-23
SLIDE 23

Design the Mixing Transformation

  • Take a (2n,n,d)-code
  • Compute the generator matrix in echelon form:

G = [I A]

  • Mixing transformation: y = m(x) = Ax
slide-24
SLIDE 24

Shark, Khazad

  • (16,8,9)-code over GF(256)
  • Block length n = 8 x 8 = 64
  • Optimal 2-round mixing
  • Slow on software platforms of the 1990’s
slide-25
SLIDE 25

Code concatenation

Forney 1966

  • Outer code and inner code
  • Cin: (n,k,d)-code over GF(q)
  • Cout: (N,K,D)-code over GF(q^k)
  • Outer code uses as symbols the message words of the inner code
  • Together: (nN,kK,dD)-code over GF(q)
slide-26
SLIDE 26

Concatenated code

[Figure: concatenated code: six groups of S-boxes, each followed by Mixing 1 (inner code Cin), with Mixing 2 applied across the groups (outer code Cout).]

slide-27
SLIDE 27

Four-round view

[Figure: four consecutive rounds of S-box layers and mixing transformations, with intermediate states a0, a1, a2, a3, a4.]

slide-28
SLIDE 28

Square, AES, Anubis, ...

  • Cin: (8,4,5)-code over GF(256)
  • Cout: (8,4,5)-code over GF(256^4)
  • Together: (64,16,25)-code
  • Block length 16 x 8 = 128
  • Ciphers are still iterative due to special relation between Mixing 1 and Mixing 2

slide-29
SLIDE 29

Avalanche of bit flips

[Figure: avalanche of bit flips spreading through the chain of rounds from plaintext p to ciphertext c; the key feeds the Key Schedule.]

slide-30
SLIDE 30

Rijndael

  • Substitution-Permutation Network with 10/12/14 rounds
  • Round: composed of 4 steps:

– SubBytes: non-linearity
– ShiftRows: inter-column diffusion
– MixColumns: inter-byte diffusion within columns
– AddRoundKey

slide-31
SLIDE 31

Message input representation

[Figure: state array of bytes a_i,j with rows i = 0..3 and columns j = 0..7.]

  • Rectangular array of bytes:

– 4 rows
– 4, 6, or 8 columns (128-, 192-, 256-bit input)
– AES: 4 columns only

slide-32
SLIDE 32

Rijndael field

  • Operations defined over GF(256)

– (sometimes: over GF(2))

  • Representation:

– Polynomials of degree < 8, with binary coefficients
– Modulo x^8 + x^4 + x^3 + x + 1
– Shortened to two hex numbers

  • E.g. 12 → x^4 + x
slide-33
SLIDE 33

Step 1: Substitute Bytes

[Figure: each byte a_i,j of the state is replaced by b_i,j through the same Substitution.]

  • Bytes are transformed by invertible S-box.
  • One S-box (lookup table) for complete cipher:

– High non-linearity
– Complex algebraic expression

slide-34
SLIDE 34

Rijndael S-box

  • x → x^-1

– Maximal nonlinearity for invertible 8-bit map, i.e. 7
– Good (maybe optimal) resistance against differential cryptanalysis

  • Followed by affine map (GF(2))

– Destroying regularity
– Complicating algebraic attacks (somewhat)

slide-35
SLIDE 35

Round step 2: Shift Rows

[Figure: 4x4 state of bytes before and after ShiftRows: one row unchanged, the other three rotated by 1, 2 and 3 positions.]

  • Rows are shifted over 4 different offsets

– (Offsets depend on number of columns)

  • High diffusion over multiple rounds:

– Interaction with MixColumns
– Bits flip in minimum 25 S-boxes per 4 rounds
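
As an added worked example (not code from the slides), the following Python builds the Rijndael S-box from the GF(256) inverse and the affine map of slides 32 and 34, computes the single-S-box differential bound d from the full difference distribution table, and combines it with the z = 25 active S-boxes per 4 rounds of slide 35 into the wide-trail bound Pr(Q) ≤ d^z of slide 19. All function and constant names are my own.

```python
from fractions import Fraction

# Added example, not code from the slides: Rijndael field arithmetic, the
# S-box, and the wide-trail bound d^z. All names here are my own.
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)  # times x, then reduce
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(256); 0 maps to 0 as in the S-box."""
    return next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)

def sbox(x):
    """S-box: x -> x^-1 in GF(256), then the GF(2)-affine map (slide 34)."""
    v = gf_inv(x)
    y = v
    for i in range(1, 5):  # y = v + rotl(v,1) + rotl(v,2) + rotl(v,3) + rotl(v,4)
        y ^= ((v << i) | (v >> (8 - i))) & 0xFF
    return y ^ 0x63  # the affine constant of FIPS-197

SBOX = [sbox(x) for x in range(256)]

def max_diff_prob(s):
    """d = max over (a,b) != (0,0) of Pr[S(x ^ a) ^ S(x) = b] (slide 19)."""
    best = 0
    for a in range(1, 256):  # every nonzero input difference a
        counts = [0] * 256
        for x in range(256):
            counts[s[x ^ a] ^ s[x]] += 1  # tally the output difference b
        best = max(best, max(counts))
    return Fraction(best, 256)

def wide_trail_bound(d, z):
    """Pr(Q) <= d^z for any trail through at least z active S-boxes (slide 19)."""
    return d ** z

if __name__ == "__main__":
    d = max_diff_prob(SBOX)  # 1/64 = 2^-6 for the Rijndael S-box
    print("S[0x53] =", hex(SBOX[0x53]), "d =", d)
    # z = 25 active S-boxes over 4 rounds (slide 35) gives the 2^-150 of slide 47
    print("d^25 == 2^-150:", wide_trail_bound(d, 25) == Fraction(1, 2 ** 150))
```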

slide-36
SLIDE 36

Step 3: Mix Columns

[Figure: each column (a0,j, a1,j, a2,j, a3,j) of the state is mapped to (b0,j, b1,j, b2,j, b3,j).]

    [b0,j]   [2 3 1 1]   [a0,j]
    [b1,j] = [1 2 3 1] . [a1,j]
    [b2,j]   [1 1 2 3]   [a2,j]
    [b3,j]   [3 1 1 2]   [a3,j]

  • Columns transformed by matrix over GF(2^8)
  • High intra-column diffusion:

– based on theory of error-correcting (MDS) codes

slide-37
SLIDE 37

Key addition

[Figure: state bytes a_i,j + round key bytes k_i,j = b_i,j (bytewise XOR).]

  • Makes round function key-dependent
  • Round keys derived in a simple way from the master key

slide-38
SLIDE 38

Key input representation

[Figure: key array of bytes k_i,j with rows i = 0..3 and columns j = 0..7.]

  • Rectangular array of bytes:

– 4 rows
– 4, 6, or 8 columns (128-, 192-, 256-bit key)

slide-39
SLIDE 39

Key schedule

[Figure: the key columns k_i,j are expanded into a (virtual) round key table of 1 + 10/12/14 round keys.]

slide-40
SLIDE 40

Key schedule for 128-bit keys

[Figure: key schedule for 128-bit keys: the last key column is rotated by one byte (k1,3 k2,3 k3,3 k0,3), passed through the Substitution and XORed with the round constant RC; the result is XORed (+) into the following columns one after the other.]

slide-41
SLIDE 41

Key schedule for 192-bit keys

[Figure: key schedule for 192-bit keys: the same construction on 6-column key blocks; the rotated column k1,5 k2,5 k3,5 k0,5 goes through the Substitution and the round constant RC, followed by chained XORs (+) into the next columns.]

slide-42
SLIDE 42

Key schedule for 256-bit keys

[Figure: key schedule for 256-bit keys: 8-column key blocks; the rotated column k1,7 k2,7 k3,7 k0,7 goes through the Substitution and the round constant RC, followed by chained XORs (+) into the next columns, with an additional Substitution step halfway through each block.]

slide-43
SLIDE 43

Benefits

  • Algorithm easy to understand
  • Easy to implement
  • Provable resistance against specific attacks

– Proofs are elegant and easy

slide-44
SLIDE 44

Disadvantages

  • Simplicity as a design rule is contested

– Resistance against unknown attacks
– Risk for catastrophic failure
– ‘Surprising’ properties
– Confusion between ease of analysis and ease of cryptanalysis

slide-45
SLIDE 45

Disadvantages

  • Simplicity depends on your point of view

– Finite fields not supported (yet) by popular scripting languages
– S-box is bottleneck in hardware
– Encryption different from decryption (?)

slide-46
SLIDE 46

Security of AES

  • Goal: practical security
  • Very important attacks:

– Differential cryptanalysis
– Linear cryptanalysis
– Saturation attack
– Implementation attacks
– Algebraic attacks

slide-47
SLIDE 47

Differential & linear cryptanalysis

  • Bounds on trails [Daemen & Rijmen ‘98]: 2^-150, 2^-75
  • Bounds on differentials, hulls [Hong et al., Park et al., Keliher-Sui]: 2^-113, 2^-55

slide-48
SLIDE 48

Impossible differentials

  • No results during AES process
  • Afterwards: 7 rounds
  • Non-AES variants of Rijndael: 8 rounds
slide-49
SLIDE 49

Saturation attack

  • Chosen plaintexts
  • Dedicated attack, exploits that AES is fully byte-oriented
  • E.g. keep 15 bytes constant, vary 1 byte over all possibilities
  • Can break AES reduced to 6 rounds [DR’97, W+’00]

– More rounds if longer key

  • Improvement: 7 rounds [B+’07], [L+’08]
slide-50
SLIDE 50

Algebraic attacks

  • Rijndael S-box has (implicit) quadratic equations:

S[x] = x^-1 → S[x]·x = 1, S[x]·x^2 = x, ...

  • Not “typical” for 8x8 bit S-box
  • Very bad choice [Courtois 2002]
  • XL, XSL, XLS, ... attacks
  • Surprisingly resistant against algebraic attacks [Courtois 2007]

slide-51
SLIDE 51

Algebraic observations

  • (Very) simple description for Rijndael [Murphy & Robshaw, ’00]
  • BES (Embedding in larger map) [Murphy & Robshaw, ’02]

– Rewriting of equations
– No impact on security demonstrated

  • Symmetry in the S-box [Fuller & Millan ‘02]

– No impact on security

slide-52
SLIDE 52

Opinions

  • “Many NESSIE partners have significant concerns that the simple algebraic structure of the AES […] may lead to future breakthroughs in the analysis” NESSIE Project, final decision February 27, 2003

slide-53
SLIDE 53

Local collision attack [2009]

(Biryukov, Khovratovich, Nikolić)

  • Related-key scenario

[Figure: two encryptions E: under key K, plaintext P maps to C; under key K + ∆K, P + ∆P maps to C + ∆C.]

slide-54
SLIDE 54

Reduced avalanche effect

[Figure: reduced avalanche effect: the chain of rounds from plaintext p to ciphertext c, with the key feeding each round.]

slide-55
SLIDE 55

Related-key scenario

slide-56
SLIDE 56

Extended related-key scenario

[Figure: extended related-key scenario: the chain of rounds from plaintext p to ciphertext c with the key input.]

K and K + ∆K → K and f(K)

slide-57
SLIDE 57

“Practical attacks”

  • Oracle access to encryption with keys K and f(K)
  • AES-192: 2^176
  • AES-256: 2^100
  • AES-128 with key schedule of AES-256: 2^40
  • AES-256 with # rounds of AES-128: 2^40
  • RSA with key length of AES-128: 2^20
slide-58
SLIDE 58

Impact

  • AES-128 not affected
  • 2^100 is a large number (= 2000-bit RSA)
  • AES is still a Strong Pseudo-Random Permutation (SPRP)
  • First verifiable result on cryptanalysis of full AES
slide-59
SLIDE 59

Cache-timing attack

  • [Bernstein 2005] and others
  • Implementation attacks with variable level of realism in the assumptions
  • Be careful when using table-based implementations on machines that attackers have access to

slide-60
SLIDE 60

AES USE

slide-61
SLIDE 61

USA

  • Original scope of FIPS: sensitive data
  • CNSS June 2003: AES for classified information, AES-192/256 for secret and top secret
  • 2004: NIST withdraws DES

– 2-key triple DES: until 2009
– 3-key triple DES: until 2030

  • More than 1500 products certified by NIST
slide-62
SLIDE 62

International

  • Included in ISO, IETF, IEEE standards
  • 3GPP MILENAGE algorithm suite
  • Software: ubiquitous (SSL, WPA2)
  • Hardware & smartcards:

– Legacy issues, e.g. EMV v4.2 (2008) still uses DES
– Minimal size issues (due to block length, key length)
– Intel processors: AES instruction

slide-63
SLIDE 63

AES for quality protection

slide-64
SLIDE 64

AES influence on designs

  • AES S-box is used in

– Camellia (e-Govt. Japan)
– SNOW 3G (3GPP)
– CLEFIA (Sony DRM solution)

  • AES-inspired diffusion is used in

– CLEFIA

slide-65
SLIDE 65

AES-based hash functions

  • AES round

– Arirang, ECHO, Lane, Lesamnta, Shamata, Shavite-3, Twister, Vortex

  • AES S-box x → x^-1

– Aurora, Cheetah, Fugue, Grøstl, Sgail, Spectral hash

  • AES-like Diffusion

– Aurora, Cheetah, Grøstl, Luffa, Sarmal, (Whirlpool)

  • AES-inspired diffusion

– Fugue, JH, Sgail

slide-66
SLIDE 66

Competitors: stream ciphers

Goal:

  • More efficient than AES

– Software: faster
– Hardware: using less resources

  • Security

– Equal to AES
– Just enough (80 bit)

slide-67
SLIDE 67

Performance of Focus Phase II software ciphers (128-bit key)

[Chart: cycles/byte of the Focus Phase II software ciphers with 128-bit key (AES, Dragon, HC-256, LEX, Phelix, Py, Salsa20, Sosemanuk) for stream lengths 1500, 576 and 40.]

slide-68
SLIDE 68

Tiny AES (Tina)

  • Features:

– Encryption and decryption, 128-bit key
– Microcontroller interface

  • Specs:

– 0.27 mm^2 in 0.35 µm (4800 gate eq.)
– 3 µA @ 100 kHz, 1.5 V
– 100 encr./s (12.8 kbit/s)

slide-69
SLIDE 69

Chip area in low-energy environment

[Chart: chip area in gate equivalents (GEs), 2000 to 12000, for SHA-256, SHA-1, AES, Trivium and Grain.]

slide-70
SLIDE 70

Conclusions

  • AES is in many standards and products
  • ... But so is 3-DES
  • AES has inspired many designers
  • Interesting advances in cryptanalysis