# Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009.

## Presentation on theme: "Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009."— Presentation transcript:

Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009

2 The Underlying Mathematics: Galois Fields In the RSA, we studied modular arithmetic systems:  p This system can also be thought of as the integers ,  /(p), which means in this new system, we collapse all the values which have the same remainder mod p We saw that if p is a prime, the system  p has the special property that all non-zero elements have multiplicative inverses Such an algebraic system is called a field In Rijndael, all of the mathematics can be done in a system called a Galois Field GF(p,n) This system can also be thought of as all polynomials Z p [x] in a single variable, then Z p [x]/(q(x)), where q(x) is an irreducible polynomial of degree n Irreducible polynomials are like prime numbers --- they cannot be factored. By analogy, the system where we collapse polynomials with the same remainder mod q(x) also becomes a field, which we call GF(p,n), the Galois field.

3 The Main Result Concerning Galois Fields It was a result developed by Evariste Galois, in the early nineteenth century, that all algebraic fields with a finite number of elements can be described as a GF(p,n) (including the fields Z p, since they can be thought of as GF(p,1), i.e. dividing by an irreducible polynomial of degree 1 (such as ax+b). Furthermore, all of the possible choices for a Galois field of type GF(p,n) are equivalent, and their number of elements is p n.

4 And a Bit About Galois Himself Lived in the early 19 th century in Paris Developed very important results in algebra while a teenager Was also a political radical and went to prison Upon his release, his interest in a young woman led to a duel in which he was killed at age 21 He didn’t name Galois fields, they were named after him.

5 Looking at Rijndael Lucifer or Feistel –type cipher Simplest version: 128-bit messages, 128-bit keys, 10 rounds Created by Vincent Rijmen and Joan Daemen Belgians --- Catholic University of Louvain and Proton Corporation Adopted as Advanced Encryption Standard After two-stage competition originally involving 18 proposals from around the world Five finalists, including several non-US Winner obviously non-US Adapted as AES in late 2001

6 Best Reference Although there are many papers, books, articles about Rijndael/AES, most thorough reference is: “The Design of Rijndael,” Joan Daemen and Vincent Rijmen, Springer 2001 Rijndael is best pronounced “RAIN-DOLL”

7 Test Vectors On page 215 and 216 of the handout, Appendix D, are the results of each round of a Rijndael encryption Assumes 128-bit (or 16-byte) test message and cipher key Message or plaintext is (in hex bytes): 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 Key is: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

8 Outputs at Each Stage Note that under the column heading “ENCRYPT” on page 216 are partial results, i.e. R[00].input R[00].k_sch R[01].start R[01].s_box R[01].s_row R[01].m_col R[01].k_sch R[02].start … and so on

9 What Does R[xx].xxxx mean? The R[00] vectors are the inputs, in other words –R[00].input is the message from the previous page –32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 –R[00].k_sch is the “key schedule” for round 0, in other words, the original input key or –2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

10 R[01].xxxxx We will compute all the R[01].xxxxx’s They are the first round computations Thus the entire encryption takes one to R[10].output R[01].start is simply the XOR of the plaintext and key R[01].s_box is a procedure called “ByteSub” using the single S- box used in the method R[01].s_row is the result of a procedure called “ShiftRow” R[01].m_col is the result of a procedure called “MixColumn” R[01].k_sch is the “Key Schedule” or the generated key for the next round R[02].start is, again, the XOR of the result of round one and the key schedule generated at the end of round one.

11 Pseudo-C Code for a Round Round(State, ExpandedKey[i]) { –SubBytes(State); –ShiftRows(State); –MixColumns(State); –AddRoundKey(State, ExpandedKey[i]); }

12 The Hex XOR Table Recall from last week:  0123456789ABCDEF 00123456789ABCDEF 11032547698BADCFE 223016745AB89EFCD 332107654BA98FEDC 445670123CDEF89AB 554761032DCFE98BA 667452301EFCDAB89 776543210FEDCBA98 889ABCDEF01234567 998BADCFE10325476 AAB89EFCD23016745 BBA98FEDC32107654 CCDEF89AB45670123 DDCFE98BA54761032 EEFCDAB8967452301 FFEDCBA9876543210

13 Computing R[01].start We have R[00].input 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 To XOR with R[00].k_sch 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c Which gives R[01].start 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08

14 Computing R[01].s_box This is the SubBytes or S-box step Note the S-box table on page 211 (and its inverse on page 212) The operation is simply to look up the S-box value for each byte in R[01].start 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08 R[01].s_box is d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30

15 Computing R[01].s_row This is the “Shift Rows” step Basically, one writes R[01].s_box into a 4-by-4 array, writing column-wise (that is, fill the first column first, then the second column, …) Recall R[01].s_box is d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30 Writing column-wise Now a circular left-shift –d4 e0 b8 1ed4 e0 b8 1e –27 bf b4 41 bf b4 41 27 –11 98 5d 525d 52 11 98 –ae f1 e5 3030 ae f1 e5 Where the shift is 0, 1, 2, or 3 in the 0, 1, 2, 3 row Write this out in a single row to get R[01].s_row d4 bf 5d 30 e0 b4 52 ae b8 41 11 f1 1e 27 98 e5

16 Computing R[01]m_col This is the “Mix Columns” step, undoubtedly the trickiest This is actually a computation in the Galois Field of polynomials over GF(2 8 ). But let’s not worry about that. It can also be expressed as a matrix product of a fixed matrix C with R[01].s_row again written columnwise: 02 03 01 01 d4 e0 b8 1e 01 02 03 01bf b4 41 27 01 01 02 035d 52 11 98 03 01 01 0230 ae f1 e5

17 Matrix Multiplication Revisited The result of this multiplication will be, as you know, another 4x4 matrix. Again, when we string out the column-wise version, we will get R[01].m_col However, these multiplications are in GF(2 8 ), or mod 256 arithmetic, and the handout conveniently supplies “log tables” (pages 221 and 222) to make the computation simpler Indeed, in the code is a brief function to do the multiplication (mul, p. 223) Essentially, mul is Alogtable[(Logtable[a]+Logtable[b]) % (mod) 255]

18 Showing the Calculation of the First Byte We will only compute the first byte of the matrix product, which is gotten by the usual method of the first row of the left-hand matrix by the first column of the right-hand matrix, thus 02 03 01 01 d4 e0 b8 1e 01 02 03 01bf b4 41 27 01 01 02 035d 52 11 98 03 01 01 0230 ae f1 e5 Yields for the first component 02 d4  03 bf  01 5d  01 30

19 Using mul 02 d4  03 bf  01 5d  01 30 Using the mul function for the first two terms (the right-hand side will be decimal numbers): mul(2, d4) = Alogtable[Logtable[2]+Logtable[212]] = Alogtable[25 + 65] = Alogtable[90] = 179 = b3 (hex) mul(3, bf) = Alogtable[Logtable[3]+Logtable[191]] = Alogtable[1 + 157] = Alogtable[158] = 218 = da (hex) Thus, we need to compute b3  da  5d  30

20 Maybe easier in bits? Thus, we need to compute b3  da  5d  30 Or, b101130011 d1101a1010 50101d1101 3 001100000 Or 0000 0100 = 04 Note the first byte in R[01].m_col (maybe we were just lucky!)

21 Last Step --- Key Schedule In the key schedule, we use the previous key, XOR it with another part of the previous key, run through the S-box, and with a possible counter added This time, I will only calculate the first word, or 4 bytes of the key. Take the first 4 bytes of the former key: 2b 7e 15 16 Left rotate once the last 4 bytes: 09 cf 4f 3c  cf 4f 3c 09 Run this last part through the S-box: SubByte(cf 4f 3c 09) = 8a 84 eb 01 XOR these, with a counter of 1 on the first byte: 2b  8a  01 7e  84 15  eb 16  01 = a0 fa fe 17

Download ppt "Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009."

Similar presentations