Chapter 3 Secret Key Cryptography
Instructor: 孫宏民 ([email protected])
Room: EECS 6402, Tel: 03-5742968, Fax: 886-3-572-3694
Conventional Ciphers (1)
• (a) Transposition cipher: reorder the plaintext letters to form the ciphertext (a permutation of the input positions).
Ex. Write the message into a 5×4 matrix by row, read it out by column.
Ex. TSINGHUAUNIVERSITY
T G U E T
S N H A N V R I Y
I U I S
TGUETSNHANVRIYIUIS
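As an added example (not code from the slides), the functions below implement the "write by row, read by column" transposition the bullet describes, together with its inverse. The ragged three-row layout in the slide's own example is a different (zigzag) arrangement, so its ciphertext is not what a rectangular write-out produces; the column count here is a parameter, and the last row may be short, which decryption has to account for.

```python
# Added example (not from the slides): the "write by row, read by column"
# transposition the bullet describes, with its inverse. A transposition only
# permutes positions, so the plaintext's letter counts survive in the ciphertext.
from collections import Counter


def transpose_encrypt(plaintext: str, cols: int) -> str:
    """Write the letters into `cols` columns row by row, read them out column by column."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in range(cols) for row in rows if c < len(row))


def transpose_decrypt(ciphertext: str, cols: int) -> str:
    """Invert transpose_encrypt. The last row may be short, so only the first
    len % cols columns hold one extra letter."""
    full_rows, extra = divmod(len(ciphertext), cols)
    columns, pos = [], 0
    for c in range(cols):
        height = full_rows + (1 if c < extra else 0)
        columns.append(ciphertext[pos:pos + height])
        pos += height
    return "".join(columns[c][r] for r in range(full_rows + 1)
                   for c in range(cols) if r < len(columns[c]))


def letters_preserved(plaintext: str, ciphertext: str) -> bool:
    """True when the ciphertext is a rearrangement of the plaintext letters,
    i.e. the single-letter frequency distribution is untouched."""
    return Counter(plaintext) == Counter(ciphertext)
```

With 5 columns the 18-letter example message reads out as THIISUVTIAEYNURGNS; the letter histogram of the ciphertext is identical to that of the plaintext, which is what makes pure transposition recognisable.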
Conventional Ciphers (2)
• (b) Substitution cipher: each letter m of M is replaced by some letter c = f(m) to form C (a permutation of the alphabet).
– There are four types of substitution ciphers:
• Simple substitution: a single one-to-one mapping from plaintext to ciphertext characters
• Homophonic substitution: the mapping is one-to-many
• Polyalphabetic substitution: multiple one-to-one mappings
• Polygram substitution: arbitrary substitutions for groups of characters
Conventional Ciphers (3)
• (c) Combination of (a) and (b)
Ex. Data Encryption Standard (DES)
(a) (b) (a) (b) .... 16 times each
Simple Substitution Ciphers
• Ex. Keyword mixed alphabet: the cipher alphabet is constructed by first listing the keyword (INFORMATION in this example), omitting duplicates, and then listing the remaining letters of the alphabet in order.
Plaintext:  TSINGHUAUNIVERSITY
Ciphertext: SQBHATUIUHBVRPQBSY
Plaintext:  A B C D E F G H I J K L M
Ciphertext: I N F O R M A T B C D E G
Plaintext:  N O P Q R S T U V W X Y Z
Ciphertext: H J K L P Q S U V W X Y Z
• Ex. f(a) = a·k mod n (k and n are relatively prime). When n = 26 and k = 9:
Plaintext:  TSINGHUAUNIVERSITY
Ciphertext: PGUNCLYAYNUHKXGUPI
Plaintext:  A B C D E F G H I J K L M
Ciphertext: A J S B K T C L U D M V E
Plaintext:  N O P Q R S T U V W X Y Z
Ciphertext: N W F O X G P Y H Q Z I R
• Ciphers may also use nonstandard ciphertext alphabets.
• Ciphertext:
• For English, in principle, it takes at most 27 or 28 letters of ciphertext to break a simple substitution cipher by frequency analysis.
Homophonic Substitution Ciphers
• Map each character a of the plaintext alphabet into a set of ciphertext elements f(a).
M = m1 m2 m3 …
C = c1 c2 c3 …
Each ci is picked at random from the set f(mi).
Homophonic Substitution Ciphers
• Ex. Suppose that the English letters are enciphered as integers between 0 and 99, where the number of integers assigned to a letter is proportional to the relative frequency of the letter, and no integer is assigned to more than one letter.
A 17 19 34 41 56 60 67 83
I 08 22 53 65 88 90
L 03 44 76
N 02 09 15 27 32 40 59
O 01 11 23 28 42 54 70 80
P 33 91
T 05 10 20 29 45 58 64 78 99
Homophonic Substitution Ciphers
• One possible encipherment of PLAINPILOT is:
M = P  L  A  I  N  P  I  L  O  T
C = 91 44 56 65 59 33 08 76 28 78
• This cipher is much more difficult to solve than simple substitution ciphers.
Second-Order Homophonic Cipher
• Given enough ciphertext, most ciphers are breakable: there will be a single key K that deciphers C into meaningful plaintext.
• It is possible to construct ciphers such that a ciphertext will decipher into more than one meaningful message under different keys.
• Ex. Second-order homophonics (row: letter of M, column: letter of X):
    E  I  L  M  S
E  10 22 18 02 11
I  12 01 25 05 20
L  19 06 23 13 07
M  03 16 08 24 15
S  17 09 21 14 04
M = S  M  I  L  E
X = L  I  M  E  S
C = 21 16 05 19 11
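An added example (not code from the slides) covering both the homophonic table of the previous slides and the second-order table above: random choice of a code per letter with a unique inverse map, and a second-order ciphertext that deciphers to M under one key (read by row) and to X under the other (read by column). The `seed` argument exists only to make the random choice repeatable.

```python
# Added example (not code from the slides): the homophonic table of the slides,
# where each plaintext letter owns a set of two-digit codes and a code is drawn
# at random per letter, plus the second-order table whose ciphertext deciphers to
# two different messages under two keys (reading rows vs. reading columns).
import random

# From the slide; only the letters needed for PLAINPILOT are listed.
HOMOPHONES = {
    "A": ["17", "19", "34", "41", "56", "60", "67", "83"],
    "I": ["08", "22", "53", "65", "88", "90"],
    "L": ["03", "44", "76"],
    "N": ["02", "09", "15", "27", "32", "40", "59"],
    "O": ["01", "11", "23", "28", "42", "54", "70", "80"],
    "P": ["33", "91"],
    "T": ["05", "10", "20", "29", "45", "58", "64", "78", "99"],
}
# No code belongs to two letters, so the inverse map is a function and decipherment is unique.
CODE_TO_LETTER = {code: letter for letter, codes in HOMOPHONES.items() for code in codes}
assert len(CODE_TO_LETTER) == sum(len(codes) for codes in HOMOPHONES.values())


def homophonic_encipher(message: str, seed=None) -> list:
    """Pick each ci at random from f(mi); the seed only makes the example repeatable."""
    rng = random.Random(seed)
    return [rng.choice(HOMOPHONES[ch]) for ch in message.upper()]


def homophonic_decipher(codes: list) -> str:
    return "".join(CODE_TO_LETTER[code] for code in codes)


# Second-order table from the slide: row = letter of message M, column = letter of
# message X, entry = ciphertext code.
LETTERS = "EILMS"
SECOND_ORDER = [
    [10, 22, 18, 2, 11],
    [12, 1, 25, 5, 20],
    [19, 6, 23, 13, 7],
    [3, 16, 8, 24, 15],
    [17, 9, 21, 14, 4],
]
BY_ROW = {SECOND_ORDER[r][c]: LETTERS[r] for r in range(5) for c in range(5)}
BY_COL = {SECOND_ORDER[r][c]: LETTERS[c] for r in range(5) for c in range(5)}


def second_order_encipher(m: str, x: str) -> list:
    """Encipher the real message m together with the cover message x."""
    return [SECOND_ORDER[LETTERS.index(a)][LETTERS.index(b)] for a, b in zip(m, x)]


def second_order_decipher(codes: list, key: str) -> str:
    """key 'row' recovers M, key 'column' recovers X, from the same ciphertext."""
    table = {"row": BY_ROW, "column": BY_COL}[key]
    return "".join(table[code] for code in codes)
```

Note what the second-order table buys: a single ciphertext 21 16 05 19 11 is a valid encipherment of both SMILE and LIMES, so "decrypts to meaningful text" no longer identifies the key.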
Polyalphabetic Substitution Ciphers
• For simple substitution ciphers, the single-letter frequency distribution of the plaintext letters is preserved in the ciphertext.
• Homophonic substitutions conceal this distribution by defining multiple ciphertext elements for each plaintext letter.
• Polyalphabetic substitution ciphers conceal it by using multiple substitutions.
• Most polyalphabetic ciphers are periodic substitution ciphers.
Vigenère and Beaufort Ciphers (1)
• Vigenère cipher
Key: K = k1 … kd, fi(a) = (a + ki) mod n
• Ex. Key: BAND
• The Vigenère Tableau facilitates encryption and decryption (see the table on the next page).
M = INFO RMAT ION
K = BAND BAND BAN
C = JNSR SMNW JOA
Vigenère and Beaufort Ciphers (2)
• Beaufort cipher
Key: K = k1 … kd, fi(a) = (ki − a) mod n
• Ex. Key: D
Plaintext:  A B C D E F G H I J K L M
Ciphertext: D C B A Z Y X W V U T S R
Plaintext:  N O P Q R S T U V W X Y Z
Ciphertext: Q P O N M L K J I H G F E
Vigenère Tableau (figure)
Running-Key Ciphers
• The key is as long as the plaintext message.
• One method is to use the text in a book as the key sequence. The key is the title of the book and the starting position (section, paragraph, etc.).
• Ex:
M = T H E T R E A S U R E I S B U R I E D A T T W
K = T H E K E Y I S A S L O N G A S T H E P L A I
C = M O I D V C I K U J P W F H U J B L H P E T E
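The Vigenère, Beaufort and running-key ciphers of the last three slides as one added example (not code from the slides): the same periodic-key loop serves all three, and the frequency helper shows why a polyalphabetic cipher hides single-letter frequencies that a simple substitution preserves. The function names are this example's own.

```python
# Added example (not from the slides): periodic Vigenère and Beaufort
# substitution with a key of period d, and the running-key variant, in which
# the key text is as long as the message. Letters are numbered A=0 ... Z=25.
import string

ALPHABET = string.ascii_uppercase


def _clean(s: str) -> str:
    return "".join(ch for ch in s.upper() if ch.isalpha())


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """fi(a) = (a + ki) mod 26 with the key repeated; decryption subtracts ki."""
    text, key = _clean(text), _clean(key)
    out = []
    for i, ch in enumerate(text):
        a, k = ALPHABET.index(ch), ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(a - k) % 26 if decrypt else (a + k) % 26])
    return "".join(out)


def beaufort(text: str, key: str) -> str:
    """fi(a) = (ki - a) mod 26. Applying it twice gives a back, so the same
    function both enciphers and deciphers."""
    text, key = _clean(text), _clean(key)
    return "".join(
        ALPHABET[(ALPHABET.index(key[i % len(key)]) - ALPHABET.index(ch)) % 26]
        for i, ch in enumerate(text))


def running_key(text: str, key_text: str, decrypt: bool = False) -> str:
    """Vigenère whose key is a passage of text at least as long as the message."""
    text, key_text = _clean(text), _clean(key_text)
    if len(key_text) < len(text):
        raise ValueError("running key must be at least as long as the message")
    return vigenere(text, key_text[:len(text)], decrypt)


def letter_frequencies(text: str) -> dict:
    """Single-letter counts: preserved by a simple substitution, but flattened by
    a polyalphabetic cipher because one plaintext letter maps to several symbols."""
    counts = {}
    for ch in _clean(text):
        counts[ch] = counts.get(ch, 0) + 1
    return counts
```

Enciphering AAAA under key BAND yields BAND: one plaintext letter becomes four different ciphertext letters, which is exactly what defeats single-letter frequency analysis until the period d is recovered.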
Rotor Machine (figure: fast rotor, medium rotor, slow rotor; initial setting)
Rotor Machine
• The machine consists of a set of independently rotating cylinders through which electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins.
• Consider a machine with a single cylinder. After each input key is depressed, the cylinder rotates one position and thus a different substitution cipher is defined. After 26 letters of plaintext, the cylinder will be back to the initial position. The period is 26.
Rotor Machine
• For a machine with three cylinders, the one farthest from the operator rotates one pin position per keystroke. For every complete rotation of the outer cylinder, the inner cylinder rotates one pin position. Thus there are 26^3 = 17576 different substitution alphabets used before the system repeats.
• Rotor machines were used by the Germans during World War II.
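An added example (not code from the slides, and not the wiring of any historical machine) of the three-cylinder model described above: each rotor is a fixed permutation of 26 contacts, its offset changes the substitution, and odometer stepping gives the 26^3 period. The wirings are seeded pseudo-random permutations constructed for the example.

```python
# Added example (not from the slides): a three-rotor machine model. A rotor is a
# fixed wiring (a permutation of 0..25); its rotational offset changes which
# substitution it realises. The fast rotor steps on every keystroke, the medium
# rotor once per full turn of the fast rotor, the slow rotor once per full turn
# of the medium rotor, so the substitution sequence repeats after 26^3 = 17576 keys.
import random

N = 26


def make_rotor(seed: int) -> list:
    """Constructed wiring for the example: a seeded pseudo-random permutation."""
    wiring = list(range(N))
    random.Random(seed).shuffle(wiring)
    return wiring


class RotorMachine:
    def __init__(self, rotors, setting=(0, 0, 0)):
        self.rotors = rotors                                   # [fast, medium, slow]
        self.inverse = [[w.index(i) for i in range(N)] for w in rotors]
        self.offsets = list(setting)                           # the initial setting

    def step(self) -> None:
        """Odometer stepping performed after each key press."""
        self.offsets[0] = (self.offsets[0] + 1) % N
        if self.offsets[0] == 0:
            self.offsets[1] = (self.offsets[1] + 1) % N
            if self.offsets[1] == 0:
                self.offsets[2] = (self.offsets[2] + 1) % N

    def _through(self, x: int, i: int, wiring: list) -> int:
        # A rotor turned by `off` maps contact x to wiring[x + off] - off.
        off = self.offsets[i]
        return (wiring[(x + off) % N] - off) % N

    def encrypt(self, text: str) -> str:
        out = []
        for ch in text.upper():
            x = ord(ch) - 65
            for i in range(3):                                 # fast -> medium -> slow
                x = self._through(x, i, self.rotors[i])
            out.append(chr(x + 65))
            self.step()
        return "".join(out)

    def decrypt(self, text: str) -> str:
        out = []
        for ch in text.upper():
            x = ord(ch) - 65
            for i in (2, 1, 0):                                # back through the inverse wirings
                x = self._through(x, i, self.inverse[i])
            out.append(chr(x + 65))
            self.step()
        return "".join(out)


def offsets_after(keystrokes: int, setting=(0, 0, 0)) -> list:
    """Rotor positions after a number of keystrokes, starting from a setting."""
    m = RotorMachine([make_rotor(1), make_rotor(2), make_rotor(3)], setting)
    for _ in range(keystrokes):
        m.step()
    return m.offsets
```

Decryption requires the receiver to start from the same initial setting; the model also shows that 26 keystrokes advance the medium rotor once and 17576 return all three to the starting position.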
Rotor Machine (figure: fast rotor, medium rotor, slow rotor; setting after one keystroke)
Vernam Cipher and One-Time Pads
• Vernam designed a system (in 1918) which works on binary data rather than letters. To encipher:
ci = mi ⊕ ki
To decipher:
ci ⊕ ki = mi ⊕ ki ⊕ ki = mi
Thus enciphering and deciphering are performed with the same operation.
• Mauborgne suggested using a random key that was as long as the message, and the key tape is used only once. Such a scheme, known as a one-time pad, is unbreakable.
Vernam Cipher and One-Time Pads
• The only drawback of the cipher is that it requires a long key sequence.
• Ex:
Encipher:       Decipher:
M = 11000       C = 01010
K = 10010       K = 10010
C = 01010       M = 11000
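The Vernam operation on the slide's bit strings and on bytes, as an added example (not code from the slides). It also shows in code why Mauborgne's "used only once" condition matters: the XOR of two ciphertexts made with the same pad cancels the key and leaves m1 ⊕ m2.

```python
# Added example (not from the slides): Vernam XOR on bit strings and on bytes.
# Enciphering and deciphering are the same operation, and pad reuse is visible.
import secrets


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as the slide's 11000 and 10010."""
    if len(a) != len(b) or set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be equal-length bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def vernam(data: bytes, key: bytes) -> bytes:
    """c_i = m_i XOR k_i; calling it again with the same key deciphers, since k_i XOR k_i = 0."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def fresh_pad(length: int) -> bytes:
    """Key material from the OS CSPRNG; for a one-time pad it must never be reused."""
    return secrets.token_bytes(length)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a pad used twice gives away: c1 XOR c2 = m1 XOR m2, the key cancels out."""
    return bytes(x ^ y for x, y in zip(c1, c2))
```

The unbreakability claim rests on the key being truly random, as long as the message, and used once; `key_reuse_leak` is the concrete failure when the last condition is violated.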
Polygram Substitution Ciphers
• All of the preceding substitution ciphers encipher a single letter of plaintext at a time.
• By enciphering larger blocks of letters, polygram substitution ciphers make cryptanalysis harder by destroying the significance of single-letter frequencies.
Playfair Cipher
• The key is a 5×5 matrix of 25 letters (J is not used). Each pair of plaintext letters m1m2 is enciphered as follows:
– 1. If m1 and m2 are in the same row, then c1 and c2 are the two characters to the right of m1 and m2, respectively.
– 2. If m1 and m2 are in the same column, then c1 and c2 are the two characters below m1 and m2, respectively.
– 3. If m1 and m2 are in different rows and columns, then c1 and c2 are the other two corners of the rectangle having m1 and m2 as corners, where c1 is in m1's row and c2 is in m2's row.
– 4. If m1 = m2, a null letter (e.g., X) is inserted into the plaintext between m1 and m2.
– 5. If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.
• Ex. Keyword: MONARCHY
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
• The Playfair cipher was invented in 1854 and was used by the British during World War I.
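The five Playfair rules implemented over the MONARCHY square, as an added example (not code from the slides). The square builder merges J into I; rule 4 splits a doubled letter with the null X and rule 5 pads an odd-length message, so the plaintext BALLOON is enciphered as the pairs BA LX LO ON.

```python
# Added example (not from the slides): Playfair digraph substitution with the
# keyword square of the slide. Rows/columns wrap around modulo 5.
import string

ALPHABET = string.ascii_uppercase


def playfair_square(keyword: str) -> list:
    """5x5 key square: keyword letters first (duplicates dropped), then the rest; J is merged into I."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def _positions(square):
    return {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}


def digraphs(text: str, filler: str = "X") -> list:
    """Split into pairs: rule 4 separates a doubled letter with a null, rule 5 pads odd length."""
    text = "".join("I" if ch == "J" else ch for ch in text.upper() if ch.isalpha())
    pairs, i = [], 0
    while i < len(text):
        a = text[i]
        b = text[i + 1] if i + 1 < len(text) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(pair, pos, square, shift):
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                   # rule 1: same row -> letters to the right (left to undo)
        return square[r1][(c1 + shift) % 5] + square[r2][(c2 + shift) % 5]
    if c1 == c2:                                   # rule 2: same column -> letters below (above to undo)
        return square[(r1 + shift) % 5][c1] + square[(r2 + shift) % 5][c2]
    return square[r1][c2] + square[r2][c1]         # rule 3: rectangle corners, each keeps its own row


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    pos = _positions(square)
    return "".join(_transform(p, pos, square, +1) for p in digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    pos = _positions(square)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(p, pos, square, -1) for p in pairs)
```

Decryption returns the padded plaintext (BALXLOON for BALLOON); the nulls have to be removed by the reader, since the cipher cannot tell them from real letters.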
Hill Cipher
• To encipher:
C = KM mod n
• To decipher:
K^-1 C mod n = K^-1 K M mod n = M
• where C, K, and M are d×1, d×d, and d×1 matrices, respectively.
Hill Cipher
• Ex. d = 2
$K = \begin{pmatrix} 3 & 2 \\ 3 & 5 \end{pmatrix}$, $K^{-1} = \begin{pmatrix} 15 & 20 \\ 17 & 9 \end{pmatrix}$ (mod 26)
Suppose M = EG = (4, 6). To encipher (C = YQ):
$\begin{pmatrix} c_1 \\ c_2 \end{pmatrix} = \begin{pmatrix} 3 & 2 \\ 3 & 5 \end{pmatrix} \begin{pmatrix} 4 \\ 6 \end{pmatrix} \bmod 26 = \begin{pmatrix} 24 \\ 16 \end{pmatrix}$
• To decipher:
$\begin{pmatrix} 4 \\ 6 \end{pmatrix} = \begin{pmatrix} 15 & 20 \\ 17 & 9 \end{pmatrix} \begin{pmatrix} 24 \\ 16 \end{pmatrix} \bmod 26$
• Hill cipher is easy to break.
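The d = 2 Hill cipher with the slide's key, as an added example (not code from the slides): modular matrix inverse via the adjugate, block encryption and decryption, and the reason the last bullet calls the cipher easy to break: two known plaintext/ciphertext blocks give C = K M, hence K = C M^-1 whenever M is invertible mod 26. The plaintext HELP used in the check is constructed for this example.

```python
# Added example (not from the slides): Hill cipher for d = 2 over Z_26 with the
# slide's key K = [[3,2],[3,5]], plus known-plaintext key recovery.
import string

ALPHABET = string.ascii_uppercase


def mat_mul_mod(A, B, n=26):
    """(A * B) mod n for matrices given as lists of rows."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % n
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_inv_mod_2x2(K, n=26):
    """Inverse of a 2x2 matrix mod n via the adjugate; fails if det(K) has no inverse mod n."""
    (a, b), (c, d) = K
    det = (a * d - b * c) % n
    det_inv = pow(det, -1, n)                     # ValueError when gcd(det, n) != 1
    return [[(d * det_inv) % n, (-b * det_inv) % n],
            [(-c * det_inv) % n, (a * det_inv) % n]]


def _blocks(text, d=2):
    """Letters -> d x 1 column vectors, padding the last block with X."""
    text = "".join(ch for ch in text.upper() if ch.isalpha())
    text += "X" * (-len(text) % d)
    return [[[ALPHABET.index(ch)] for ch in text[i:i + d]] for i in range(0, len(text), d)]


def hill_encrypt(plaintext, K):
    """C = K M mod 26 for each plaintext block M."""
    return "".join(ALPHABET[row[0]] for M in _blocks(plaintext, len(K))
                   for row in mat_mul_mod(K, M))


def hill_decrypt(ciphertext, K):
    """M = K^-1 C mod 26."""
    K_inv = mat_inv_mod_2x2(K)
    return "".join(ALPHABET[row[0]] for C in _blocks(ciphertext, len(K))
                   for row in mat_mul_mod(K_inv, C))


def recover_key(plaintext, ciphertext):
    """Known-plaintext weakness: two plaintext blocks as the columns of M and the
    matching ciphertext blocks as the columns of C satisfy C = K M, so K = C M^-1."""
    p, c = _blocks(plaintext)[:2], _blocks(ciphertext)[:2]
    M = [[p[0][0][0], p[1][0][0]], [p[0][1][0], p[1][1][0]]]
    C = [[c[0][0][0], c[1][0][0]], [c[0][1][0], c[1][1][0]]]
    return mat_mul_mod(C, mat_inv_mod_2x2(M))
```

Note the constraint the key must satisfy: det(K) must be coprime to 26 (9 here, with inverse 3), otherwise no K^-1 exists and decryption is impossible.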
Data Encryption Standard (DES)
• DES was published in 1977 by the National Bureau of Standards (since renamed to the National Institute of Standards and Technology) for use in commercial and unclassified (hmm…) U.S. Government.
• It was designed by IBM based on their own Lucifer cipher and input from NSA.
• DES enciphers 64-bit blocks of data with a 56-bit key.
• DES has been implemented both in software and in hardware.
• The same algorithm is used both to encipher and to decipher.
• Most widely used cipher ever
• Security based on Shannon's theory:
– Confusion: a piece of information is changed so that the output bits have no obvious relationship to the input bits.
– Diffusion: the effect of one plaintext bit is spread to other bits in the ciphertext.
• Block cipher:
– Block size = 64 bits.
– Key length = 56 bits (the 64-bit key contains bits 8, 16, 24, 32, 40, 48, 56, 64 as odd parity check bits).
• Advantages of DES:
– DES can be implemented in software and hardware, since it uses only simple arithmetic and logical operations.
– High speed
DES
• In: 64 bits, Out: 64 bits, Key: 56 bits
T (64 bits) → IP → L0 (32 bits), R0 (32 bits)
L1 = R0,   R1 = L0 ⊕ f(R0, K1)
L2 = R1,   R2 = L1 ⊕ f(R1, K2)
…
L15 = R14, R15 = L14 ⊕ f(R14, K15)
L16 = R15, R16 = L15 ⊕ f(R15, K16)
(R16, L16) → IP^-1 → output
f takes the 32-bit R(i-1) and the 48-bit Ki and produces 32 bits.
IP (Initial Permutation)
• The table should be read left-to-right, top-to-bottom.
• T = t1 t2 … t64, T0 = IP(T) = t58 t50 … t7 = L0 R0
IP^-1 (Final Permutation)
• IP^-1 is the inverse of IP.
• All tables are fixed.
Function f
f(R(i-1), Ki): R(i-1) (32 bits) → E → 48 bits
48 bits ⊕ Ki (48 bits) → S1 S2 S3 S4 S5 S6 S7 S8 → 32 bits → P → 32 bits = f(R(i-1), Ki)
E (Bit-Selection Table)
• In: 32 bits, Out: 48 bits
P (Permutation)
• In: 32 bits, Out: 32 bits
S-boxes (Selection Functions)
• Each S-box Sj maps a 6-bit block b1b2b3b4b5b6 into a 4-bit block. (In: 6 bits, Out: 4 bits)
• The integer corresponding to b1b6 selects a row and the integer corresponding to b2b3b4b5 selects a column.
• Example: (100001)2 for S-box 1
• Row # = (11)2 = 3 and Column # = (0000)2 = 0; Output = 15 = (1111)2.
Key Calculation
K (64 bits) → PC-1 → C0 (28 bits), D0 (28 bits)
C1 = LS1(C0), D1 = LS1(D0);   PC-2(C1 D1) → K1
C2 = LS2(C1), D2 = LS2(D1);   PC-2(C2 D2) → K2
…
C16 = LS16(C15), D16 = LS16(D15);   PC-2(C16 D16) → K16
K1, K2, …, K16: 48 bits each
PC-1 (Key Permutation)
• In: 64 bits (with 8 parity bits), Out: 56 bits
PC-2 (Key Permutation)
• In: 56 bits, Out: 48 bits
LSi (Left Circular Shift)
Iteration i:            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Number of left shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Deciphering
• Deciphering is performed using the same algorithm, except that K16 is used in the first iteration, K15 in the second iteration, and so on.
• The last round of enciphering: L16 = R15, R16 = L15 ⊕ f(R15, K16); then (R16, L16) → IP^-1 → output.
Deciphering
• The first round of deciphering: IP → L0 R0; L1 = R0, R1 = L0 ⊕ f(R0, K16).
Deciphering
• The last round of enciphering:
LE16 = RE15
RE16 = LE15 ⊕ f(RE15, K16)
• The first round of deciphering:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ f(RD0, K16)
    = RE16 ⊕ f(RE15, K16)
    = (LE15 ⊕ f(RE15, K16)) ⊕ f(RE15, K16)
    = LE15 ⊕ (f(RE15, K16) ⊕ f(RE15, K16))
    = LE15 ⊕ 0
    = LE15
• Thus, the output of the first round of deciphering is the swap of the input to the sixteenth round of the enciphering.
• The order of the subkeys is reversed (K16, K15, …, K1).
– The key shift becomes a right circular shift.
– The number of shift bits in each round is (1, 0), (2, 1), (3, 2), (4, 2), (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1).
Weakness of DES
• Complements: if C = Ek(P), then ¬C = E¬k(¬P), where ¬x is the complement of x.
– This reduces the complexity of finding the key from 2^56 to 2^55.
• Weak keys (4):
– If the left and right halves of the 56-bit key are all 0s or all 1s, then all subkeys are the same.
• Semi-weak keys:
– Encryption using two different keys gives the same result [Ek(P) = Ek'(P)].
Security of DES
• Differential cryptanalysis attacks
– Presented by Biham & Shamir in 1990.
– A chosen-plaintext attack.
– Result: DES with 16 rounds is secure against it.
International Data Encryption Algorithm (IDEA)
• IDEA was originally called IPES (Improved Proposed Encryption Standard).
• IDEA encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext using a 128-bit key.
• IDEA is similar to DES in some ways. Both of them operate in rounds, and both have a complicated mangler function that does not have to be reversible in order for decryption to work.
Basic Structure of IDEA (figure)
Primitive operations
• Bitwise exclusive-or (⊕)
• A slightly modified add (+)
– Addition in IDEA is done by throwing away carries, which is equivalent to saying addition is mod 2^16.
• A slightly modified multiply (⊗)
– Multiplication in IDEA is done by first calculating the 32-bit result, and then taking the remainder when divided by 2^16+1.
– Multiplication mod 2^16+1 is reversible, in the sense that every number x between 1 and 2^16 has an inverse y.
– The number 0, which can be expressed in 16 bits, would not have an inverse. And the number 2^16, which is in the proper range for mod 2^16+1 arithmetic, cannot be expressed in 16 bits. So both problems are solved by treating 0 as an encoding for 2^16.
• The only part of IDEA that isn't necessarily reversible is the mangler function, and it is truly marvelous to note how IDEA's design manages not to require a reversible mangler function.
Key Expansion
• The 128-bit key is expanded into 52 16-bit keys K1, K2, …, K52.
• The 52 encryption keys are generated by writing out the 128-bit key and, starting from the left, chopping off 16 bits at a time. This generates eight 16-bit keys.
• The next eight keys are generated by starting at bit 25, and wrapping around to the beginning when the end is reached.
• The next eight keys are generated by offsetting 25 more bits, and so forth, until 52 keys are generated.
One Round
• IDEA has 17 rounds, where the odd-numbered rounds are different from the even-numbered rounds.
• Each round takes the input, a 64-bit quantity, and treats it as four 16-bit quantities, which we’ll call xa, xb, xc, and xd. Mathematical functions are performed on xa, xb, xc, xd to yield new versions of xa, xb, xc, xd
• The odd rounds use four of the Ki, which we’ll call Ka, Kb, Kc, and Kd . The even rounds use two Ki , which we’ll call Ke, Kf.
Odd round (figure)
• Note that this is easily reversible. To get from the new Xa to the old Xa, we perform ⊗ with the multiplicative inverse of Ka mod 2^16+1. Likewise with Xd. To get the old Xb, given the new Xc, we add the additive inverse of Kb, i.e. we subtract Kb.
Even round (figure)
• The even round is its own inverse! When performing decryption, the same keys are used as when performing encryption (not the mathematical inverses of the keys, as in the odd rounds).
• Ex. For new Xa = Xa ⊕ Yout:
first output = first input ⊕ Yout
first output = (new Xa) ⊕ Yout
first output = (Xa ⊕ Yout) ⊕ Yout = Xa
With an input of new Xa, we get an output of Xa.
Inverse key for decryption
• Since we are working backwards, the first decryption keys should be inverses of the last-used encryption keys. Given that the final keys used are K49, K50, K51, K52, in an odd round, the first four decryption keys will be inverses of the keys K49 to K52. K49 is used in ⊗, so the decryption key K1 will be the multiplicative inverse of K49 mod 2^16+1. And the decryption key K4 is the multiplicative inverse of K52. Decryption keys K2 and K3 are the additive inverses of K50 and K51.
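An added example (not code from the slides) covering the IDEA primitive operations, the 52-subkey expansion with 25-bit offsets, and the odd-round inversion described above (multiplicative inverses for the outer halves, additive inverses for the inner ones). The operand values used in the checks are constructed; the function names are this example's own.

```python
# Added example (not from the slides): IDEA's three primitives with the
# "0 encodes 2^16" convention, its subkey expansion, and an odd round with its
# inverse built from the inverse keys, as the slides describe.
MOD_MUL = (1 << 16) + 1     # 65537, prime: every non-zero residue is invertible
MASK16 = 0xFFFF


def idea_mul(a: int, b: int) -> int:
    """Multiplication mod 2^16+1 where the 16-bit value 0 stands for 2^16."""
    a = a if a else 1 << 16
    b = b if b else 1 << 16
    r = (a * b) % MOD_MUL
    return 0 if r == 1 << 16 else r


def idea_add(a: int, b: int) -> int:
    return (a + b) & MASK16           # carries thrown away: addition mod 2^16


def idea_add_inv(a: int) -> int:
    return (-a) & MASK16


def idea_mul_inv(a: int) -> int:
    """Inverse by Fermat (a^(p-2) mod p); 2^16, encoded as 0, is its own inverse."""
    if a == 0:
        return 0
    return pow(a, MOD_MUL - 2, MOD_MUL)


def idea_subkeys(key: bytes) -> list:
    """52 16-bit encryption keys: eight from the 128-bit key, then eight more
    after rotating it 25 bits to the left (wrapping around), and so on."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 128 bits")
    k = int.from_bytes(key, "big")
    mask128 = (1 << 128) - 1
    subkeys = []
    for i in range(52):
        group, pos = divmod(i, 8)
        rot = (25 * group) % 128
        rotated = ((k << rot) | (k >> (128 - rot))) & mask128
        subkeys.append((rotated >> (128 - 16 * (pos + 1))) & MASK16)
    return subkeys


def odd_round(xa, xb, xc, xd, ka, kb, kc, kd):
    """Odd round: xa*ka, xb+kb, xc+kc, xd*kd, then the middle two halves swap."""
    return idea_mul(xa, ka), idea_add(xc, kc), idea_add(xb, kb), idea_mul(xd, kd)


def odd_round_decrypt_keys(ka, kb, kc, kd):
    """Decryption keys for an odd round are the inverses: multiplicative for the
    outer halves, additive for the inner ones (K49..K52 on the slide)."""
    return idea_mul_inv(ka), idea_add_inv(kb), idea_add_inv(kc), idea_mul_inv(kd)


def odd_round_inverse(ya, yb, yc, yd, ka, kb, kc, kd):
    """Undo odd_round with the inverse keys; the swap undoes itself."""
    ia, ib, ic, id_ = odd_round_decrypt_keys(ka, kb, kc, kd)
    return idea_mul(ya, ia), idea_add(yc, ib), idea_add(yb, ic), idea_mul(yd, id_)
```

The key-space check in the assertions uses a key with only its top bit set, so the rotated positions of that bit (subkey 0 and subkey 14) are easy to verify by hand.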
AES
• On January 2, 1997, NIST announced a contest to select a new encryption standard to be used for protecting sensitive, non-classified, U.S. government information.
• After lots of investigation and discussion in the cryptographic community, NIST chose an algorithm called Rijndael, named after the two Belgian cryptographers who developed and submitted it.
AES
• As of 26 November 2001, AES, a standardization of Rijndael, is a Federal Information Processing Standard.
The Rijndael Cipher Algorithm
Mathematical preliminaries
• The field GF(2^8). Example: (57)16 = x^6 + x^4 + x^2 + x + 1
– Addition
– Multiplication
– Multiplication by x
• Polynomials with coefficients in GF(2^8)
– Multiplication by x
Addition
• Sum of two elements: the sum of the coefficients modulo 2.
• Example: '57' + '83' = 'D4': (x^6+x^4+x^2+x+1) + (x^7+x+1) = x^7+x^6+x^4+x^2
Multiplication
• Multiplication in GF(2^8): multiplication of polynomials modulo x^8+x^4+x^3+x+1, i.e. (11B)16.
• Example: '57' • '83' = 'C1'
(x^6+x^4+x^2+x+1) • (x^7+x+1) = x^13+x^11+x^9+x^8+x^6+x^5+x^4+x^3+1
x^13+x^11+x^9+x^8+x^6+x^5+x^4+x^3+1 modulo x^8+x^4+x^3+x+1 = x^7+x^6+1
Some Properties
• Multiplication is associative with a neutral element '01'.
• Inverse: b^-1(x) = a(x) mod m(x) with a(x) • b(x) mod m(x) = 1
• a(x) • (b(x) + c(x)) = a(x) • b(x) + a(x) • c(x).
• The set of 256 possible byte values, with addition and the multiplication defined as above, has the structure of the finite field GF(2^8).
Multiplication by x
• Multiply b(x) by the polynomial x: b7x^8 + b6x^7 + b5x^6 + b4x^5 + b3x^4 + b2x^3 + b1x^2 + b0x
• If b7 = 0, the reduction is the identity operation; if b7 = 1, m(x) must be subtracted (i.e. EXORed).
• That is, multiplication by x ('02') can be implemented by a left shift and a conditional EXOR with '1B'.
Example
• '57' • '13' = 'FE'
'57' • '02' = xtime(57) = 'AE'
'57' • '04' = xtime(AE) = '47'
'57' • '08' = xtime(47) = '8E'
'57' • '10' = xtime(8E) = '07'
'57' • '13' = '57' • ('01' ⊕ '02' ⊕ '10') = '57' ⊕ 'AE' ⊕ '07' = 'FE'
Polynomials with coefficients in GF(2^8)
• Two polynomials over GF(2^8):
a(x) = a3x^3 + a2x^2 + a1x + a0
b(x) = b3x^3 + b2x^2 + b1x + b0
• Their product c(x) = c6x^6 + c5x^5 + c4x^4 + c3x^3 + c2x^2 + c1x + c0 has
c0 = a0•b0
c1 = a1•b0 ⊕ a0•b1
c2 = a2•b0 ⊕ a1•b1 ⊕ a0•b2
c3 = a3•b0 ⊕ a2•b1 ⊕ a1•b2 ⊕ a0•b3
c4 = a3•b1 ⊕ a2•b2 ⊕ a1•b3
c5 = a3•b2 ⊕ a2•b3
c6 = a3•b3
Polynomials with coefficients in GF(2^8)
• By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4.
• M(x) = x^4 + 1 and x^i mod (x^4 + 1) = x^(i mod 4).
Polynomials with coefficients in GF(2^8)
• Product of a(x) and b(x) modulo x^4 + 1:
d(x) = a(x) ⊗ b(x) = d3x^3 + d2x^2 + d1x + d0
d0 = a0•b0 ⊕ a3•b1 ⊕ a2•b2 ⊕ a1•b3
d1 = a1•b0 ⊕ a0•b1 ⊕ a3•b2 ⊕ a2•b3
d2 = a2•b0 ⊕ a1•b1 ⊕ a0•b2 ⊕ a3•b3
d3 = a3•b0 ⊕ a2•b1 ⊕ a1•b2 ⊕ a0•b3
Polynomials with coefficients in GF(2^8)
• Written as a circulant matrix:
$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} = \begin{pmatrix} a_0 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_3 \\ a_3 & a_2 & a_1 & a_0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$
Multiplication by x
• Multiply b(x) by the polynomial x: b3x^4 + b2x^3 + b1x^2 + b0x
• x • b(x) modulo (1 + x^4) = b2x^3 + b1x^2 + b0x + b3
• It is equivalent to multiplication by a matrix with all ai = '00' except a1 = '01'. Let c(x) = x • b(x). We have:
Specification
• Variable block length and key length
• Block length and key length can be 128, 192, or 256 bits.
• The State: the intermediate cipher result.
• The Cipher Key is similarly pictured as a rectangular array with four rows.
The state and the Cipher Key (figure)
The rounds
• The number of rounds is denoted by Nr and depends on the values Nb and Nk. It is given in Table 1.
The cipher
• The cipher Rijndael consists of:
– An initial Round Key addition;
– Nr-1 Rounds;
– A final round.
• In pseudo C code:
Rijndael(State,CipherKey)
{
  KeyExpansion(CipherKey,ExpandedKey);
  AddRoundKey(State,ExpandedKey);
  For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i);
  FinalRound(State,ExpandedKey + Nb*Nr);
}
The cipher
• The key expansion can be done beforehand, and Rijndael can be specified in terms of the Expanded Key.
Rijndael(State,ExpandedKey)
{
  AddRoundKey(State,ExpandedKey);
  For( i=1 ; i<Nr ; i++ ) Round(State,ExpandedKey + Nb*i);
  FinalRound(State,ExpandedKey + Nb*Nr);
}
The round transformation
Round(State,RoundKey)
{
  ByteSub(State);
  ShiftRow(State);
  MixColumn(State);
  AddRoundKey(State,RoundKey);
}
The final round
FinalRound(State,RoundKey)
{
ByteSub(State) ;
ShiftRow(State) ;
AddRoundKey(State,RoundKey);
}
The ByteSub transformation (1/2)
1. Take the multiplicative inverse in GF(2^8).
2. Apply an affine transformation defined by:
The ByteSub transformation (2/2) (figure)
The ShiftRow transformation (1/2) (figure)
The ShiftRow transformation (2/2) (figure)
The MixColumn transformation (1/2)
• The columns of the State are considered as polynomials over GF(2^8) and multiplied modulo x^4+1 with a fixed polynomial c(x) = '03'x^3 + '01'x^2 + '01'x + '02'.
• This can be written as a matrix multiplication. Let b(x) = c(x) ⊗ a(x):
$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$
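An added example (not code from the slides) that carries the GF(2^8) material of the preceding slides through to MixColumn: byte addition, xtime, multiplication by repeated doubling as in the '57' • '13' example, the product of two 4-term polynomials reduced modulo x^4+1 using the d0..d3 formulas, and MixColumn as that product with c(x). The inverse polynomial coefficients ('0E', '09', '0D', '0B') and the check column are the standard FIPS 197 values, not shown on the slides.

```python
# Added example (not from the slides): GF(2^8) arithmetic as on the slides and
# the MixColumn step as multiplication by c(x) modulo x^4 + 1.


def gf_add(a: int, b: int) -> int:
    """Sum of two bytes as polynomials over GF(2): coefficient-wise XOR."""
    return a ^ b


def xtime(b: int) -> int:
    """Multiply by x ('02'): left shift, then XOR with '1B' if the x^8 term appeared."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1, built from repeated
    xtime exactly as the slides' '57' * '13' example does."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def poly_mul_mod_x4_1(a: list, b: list) -> list:
    """Product of two 4-term polynomials with GF(2^8) coefficients, reduced
    modulo x^4+1 (x^i mod x^4+1 = x^(i mod 4)); a = [a0, a1, a2, a3]."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d


# c(x) = '03' x^3 + '01' x^2 + '01' x + '02' and its inverse (FIPS 197), as c0..c3.
MIXCOL_C = [0x02, 0x01, 0x01, 0x03]
INV_MIXCOL_C = [0x0E, 0x09, 0x0D, 0x0B]


def mix_column(column: list) -> list:
    """One State column [a0, a1, a2, a3] multiplied by c(x) modulo x^4+1."""
    return poly_mul_mod_x4_1(MIXCOL_C, column)


def inv_mix_column(column: list) -> list:
    return poly_mul_mod_x4_1(INV_MIXCOL_C, column)
```

Multiplying by the polynomial x alone ([0, 1, 0, 0]) rotates the coefficients, which is the "multiplication by x" slide in code; c(x) was chosen invertible modulo x^4+1 so that InvMixColumn exists.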
The MixColumn transformation (2/2) (figure)
The Round Key addition (figure)
Key schedule
• The Round Keys are derived from the Cipher Key by means of the key schedule. This consists of two components: the Key Expansion and the Round Key Selection. The basic principle is the following:
• The total number of Round Key bits is equal to the block length multiplied by the number of rounds plus 1 (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed).
• The Cipher Key is expanded into an Expanded Key.
• Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.
Key expansion
• The Expanded Key is a linear array of 4-byte words and is denoted by W[Nb*(Nr+1)]. The first Nk words contain the Cipher Key. All other words are defined recursively in terms of words with smaller indices.
For Nk ≤ 6, we have:
KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)])
{
  for(i = 0; i < Nk; i++)
    W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
  for(i = Nk; i < Nb * (Nr + 1); i++) {
    temp = W[i - 1];
    if (i % Nk == 0)
      temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
    W[i] = W[i - Nk] ^ temp;
  }
}
Key expansion
For Nk > 6, we have:
KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)])
{
  for(i = 0; i < Nk; i++)
    W[i] = (Key[4*i],Key[4*i+1],Key[4*i+2],Key[4*i+3]);
  for(i = Nk; i < Nb * (Nr + 1); i++) {
    temp = W[i - 1];
    if (i % Nk == 0)
      temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
    else if (i % Nk == 4)
      temp = SubByte(temp);
    W[i] = W[i - Nk] ^ temp;
  }
}
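The two key-expansion procedures above, plus the ByteSub table they depend on, as an added example (not code from the slides or from the Rijndael reference implementation). The S-box is computed from its definition on the ByteSub slide (multiplicative inverse in GF(2^8), then the affine transformation), the inverse being taken via log/antilog tables of the generator '03'; the expansion follows the pseudo C for both the Nk ≤ 6 and Nk > 6 branches, with Rcon[i] = '02'^(i-1). The check values (the 128-bit key 2b7e1516...4f3c and its expanded words) are the FIPS 197 Appendix A example, not from the slides; Nb is fixed at 4 as in AES.

```python
# Added example (not from the slides): Rijndael S-box from its definition and the
# key expansion of the slides' pseudo C, for Nk = 4, 6 or 8 with Nb = 4 (AES).
NB = 4


def xtime(b: int) -> int:
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """ByteSub table: (1) multiplicative inverse in GF(2^8), via log/antilog
    tables of the generator '03'; (2) affine map b ^ rotl(b,1..4) ^ '63'."""
    exp, log = [0] * 255, [0] * 256
    e = 1
    for i in range(255):
        exp[i], log[e] = e, i
        e ^= xtime(e)                        # e *= '03'
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else exp[(255 - log[x]) % 255]   # 0 has no inverse; mapped to 0
        s = inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4)
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def sub_word(w: int) -> int:
    """SubByte on each of the four bytes of a word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def rot_word(w: int) -> int:
    """RotByte: cyclic shift of the word by one byte to the left."""
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF


def key_expansion(key: bytes) -> list:
    """W[Nb*(Nr+1)] words from a 16/24/32-byte Cipher Key; the extra SubByte
    branch applies only when Nk > 6, exactly as in the slides' pseudo C."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 128, 192 or 256 bits")
    nr = nk + 6                              # Nr for Nb = 4
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01                              # Rcon[1]; each following Rcon is xtime of the previous
    for i in range(nk, NB * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = sub_word(rot_word(temp)) ^ (rcon << 24)
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = sub_word(temp)
        w.append(w[i - nk] ^ temp)
    return w


def round_key(w: list, i: int) -> list:
    """Round Key i: the Nb words W[Nb*i] .. W[Nb*(i+1)-1] of the Expanded Key."""
    return w[NB * i:NB * (i + 1)]
```

Because every word after the first Nk depends non-linearly (through SubByte) on earlier words, two different Cipher Keys cannot produce the same Expanded Key, which is the "no equivalent keys" point made later in the deck.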
Round Key selection
• Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)].
Strength against known attacks
• Symmetry properties and weak keys of the DES type
– Round constants are different in each round to eliminate symmetry in the cipher.
– The cipher and its inverse use different components, which eliminates the possibility of weak and semi-weak keys as exist for DES.
– The non-linearity of the key expansion eliminates the possibility of equivalent keys.
Strength against known attacks
• Differential cryptanalysis (DC)
– First described by Eli Biham and Adi Shamir in 1991.
– A differential propagation is composed of differential trails (DT); its prop ratio (PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns.
– Necessary condition to be resistant against DC: no DT with predicted PR > 2^(1-n), n the block length.
– For Rijndael: no 4-round DT with predicted PR above 2^-150 (no 8-round trails with PR above 2^-300).
Strength against known attacks
• Linear cryptanalysis (LC)
– First described by Mitsuru Matsui in 1994.
– An input-output correlation is composed of linear trails (LT) that have the specified initial and final selection patterns.
– Necessary condition to be resistant against LC: no LT with a correlation coefficient > 2^(n/2).
– For Rijndael: no 4-round LT with a correlation above 2^-75 (no 8-round trails with a correlation above 2^-150).
Strength against known attacks
• Interpolation attacks
– Introduced by Jakobsen and Knudsen in 1997.
– The attacker constructs polynomials using cipher input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial.
– The expression for the S-box is given by 63 + 8f·X^127 + b5·X^191 + 01·X^223 + f4·X^239 + 25·X^247 + f9·X^251 + 09·X^253 + 05·X^254
Strength against known attacks
• Other attacks considered:
– Truncated differentials
– The Square attack
– Related-key attacks
– Weak keys as in IDEA
Advantages and limitations
• Advantages: implementation aspects
– Rijndael can be implemented to run at unusually fast speeds on a Pentium (Pro). There is a trade-off between table size and performance.
– Rijndael can be implemented on a smart card in a small amount of code, using a small amount of RAM and a small number of cycles.
– The round transformation is parallel by design.
– As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures.
Advantages and limitations
• Advantages: simplicity of design
– The cipher is fully "self-supporting".
– The cipher does not base its security on obscure and not well understood arithmetic operations.
– The tight cipher design does not leave enough room to hide a trapdoor.
• Variable block length and extensions
– Block length and key length both range from 128 to 256 bits in steps of 32 bits.
– The round number can also be modified as a parameter.
Advantages and limitations
• Limitations
– The inverse cipher is less suited to be implemented on a smart card than the cipher itself: it takes more code and cycles.
– In software, the cipher and its inverse make use of different code and/or tables.
– In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.