5 AES Contest
- Vincent Rijmen
- AES Contest: Rijndael selected as the finalist
- Official publication as FIPS PUB 197
- Joan Daemen and Vincent Rijmen, “The Design of Rijndael, AES – The Advanced Encryption Standard”, Springer, 2002, ISBN
6 SPN-Structure Block Cipher
- More constraints on the round function: must be invertible
- Relatively newer architecture than the Feistel structure
- Faster than the Feistel structure
- Parallel computation
- Typically E ≠ D
9 Finite Field
- Every nonzero element has a multiplicative inverse.
- Prime number, $Z_p$
- GCD, Extended Euclidean Algorithm
- Representation of n-bit data
  - Binary
  - Hexadecimal
  - Polynomial
- $GF(p)$, $GF(2^n)$ over irreducible polynomial
- Ex) $GF(2^3) / x^3 + x + 1$
- Addition and multiplication
- AES uses $GF(2^8) / f(x) = x^8 + x^4 + x^3 + x + 1$
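Added example, not part of the original slides: arithmetic in the two fields named on the Finite Field slide, with the inverse computed by the extended Euclidean algorithm the slide mentions. The function and constant names are illustrative assumptions.

```python
# Added example (not from the slides). Names are illustrative assumptions.
# A field element is an int whose bit i is the coefficient of x^i.
AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1 (AES modulus on the slide)
GF8_POLY = 0b1011   # x^3 + x + 1 (the slide's GF(2^3) example)


def gf_add(a, b):
    """Addition in GF(2^n): coefficient-wise XOR, no carries."""
    return a ^ b


def gf_mul(a, b, poly=AES_POLY):
    """Shift-and-add product of a and b, reduced modulo poly."""
    n = poly.bit_length() - 1           # degree of the modulus
    result = 0
    while b:
        if b & 1:
            result ^= a                 # add the current multiple of a
        b >>= 1
        a <<= 1                         # multiply a by x
        if a >> n:                      # degree reached n: subtract poly
            a ^= poly
    return result


def poly_divmod(num, den):
    """Quotient and remainder of division in GF(2)[x]."""
    quo = 0
    while num.bit_length() >= den.bit_length():
        shift = num.bit_length() - den.bit_length()
        quo ^= 1 << shift
        num ^= den << shift
    return quo, num


def gf_inv(a, poly=AES_POLY):
    """Multiplicative inverse by the extended Euclidean algorithm."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1 = poly, a
    t0, t1 = 0, 1                       # invariant: t1 * a == r1 (mod poly)
    while r1 > 1:
        quo, rem = poly_divmod(r0, r1)
        r0, r1 = r1, rem
        t0, t1 = t1, t0 ^ gf_mul(quo, t1, poly)
    if r1 == 0:
        raise ValueError("poly is not irreducible: no inverse exists")
    return t1
```

Because addition is XOR and every reduction is a conditional XOR with the modulus, no integer carries ever occur.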
10 Round Transformation
[Figure: the four round operations on the 4×4 byte state, input bytes a_ij and output bytes b_ij]
- SubBytes: S-box, a_ij → b_ij
- ShiftRows:
  - Row 0, no shift: a00 a01 a02 a03 → a00 a01 a02 a03
  - Row 1, cyclic shift by 1 byte: a10 a11 a12 a13 → a11 a12 a13 a10
  - Row 2, cyclic shift by 2 bytes: a20 a21 a22 a23 → a22 a23 a20 a21
  - Row 3, cyclic shift by 3 bytes: a30 a31 a32 a33 → a33 a30 a31 a32
- MixColumns: c(x), column a0j a1j a2j a3j → b0j b1j b2j b3j
- AddRoundKey: the input block is XOR-ed with the round key
11 AddRoundKey
- The input block is XOR-ed with the round key
12 Best Known Attack
- A related-key attack can break 256-bit AES with a complexity of $2^{119}$, which is faster than brute force but is still infeasible. 192-bit AES can also be defeated in a similar manner, but at a complexity of bit AES is not affected by this attack.
- A chosen-plaintext attack can break 8 rounds of 192- and 256-bit AES, and 7 rounds of 128-bit AES, although the workload is impractical at (Ferguson et al., 2000).
13 Feistel vs. SPN Structures
Feistel structure
- 64-bit block: DES/3DES, BLOWFISH, CAST128, RC5
- 128-bit block: SEED, TWOFISH, CAST256, RC6, MARS
- Fewer constraints on the round function
- More cryptanalytic experience
- Serial in nature
- Typically E = D with round keys in reverse order
SPN structure
- 64-bit block: SAFER, IDEA
- 128-bit block: SAFER+, AES, CRYPTON, SERPENT
- More constraints on the round function: must be invertible
- Less cryptanalytic experience: relatively new architecture
- More parallel computation
- Typically E ≠ D