Computer Science 653 --- Lecture 7 Rijndael – Advanced Encryption Algorithm Professor Wayne Patterson Howard University Fall 2009.

2 The Underlying Mathematics: Galois Fields In the RSA lectures we studied the modular arithmetic systems Z_p. Such a system can also be thought of as the integers Z modulo p, written Z/(p), which means that in this new system we collapse all the values which have the same remainder mod p. We saw that if p is a prime, the system Z_p has the special property that all non-zero elements have multiplicative inverses. Such an algebraic system is called a field. In Rijndael, all of the mathematics can be done in a system called a Galois field, GF(p,n). This system can also be thought of as all polynomials Z_p[x] in a single variable, then Z_p[x]/(q(x)), where q(x) is an irreducible polynomial of degree n. Irreducible polynomials are like prime numbers: they cannot be factored. By analogy, the system where we collapse polynomials with the same remainder mod q(x) also becomes a field, which we call GF(p,n), the Galois field.

3 The Main Result Concerning Galois Fields It was a result developed by Evariste Galois, in the early nineteenth century, that all algebraic fields with a finite number of elements can be described as a GF(p,n) (including the fields Z_p, since they can be thought of as GF(p,1), i.e. dividing by an irreducible polynomial of degree 1, such as ax+b). Furthermore, all of the possible choices for a Galois field of type GF(p,n) are equivalent, and their number of elements is p^n.

4 And a Bit About Galois Himself Lived in the early 19th century in Paris. Developed very important results in algebra while a teenager. Was also a political radical and went to prison. Upon his release, his interest in a young woman led to a duel in which he was killed at age 21. He didn't name Galois fields; they were named after him.

5 Looking at Rijndael Lucifer- or Feistel-type cipher. Simplest version: 128-bit messages, 128-bit keys, 10 rounds. Created by Vincent Rijmen and Joan Daemen, Belgians (Catholic University of Louvain and Proton Corporation). Adopted as Advanced Encryption Standard after a two-stage competition originally involving 18 proposals from around the world; five finalists, including several non-US; winner obviously non-US. Adopted as AES in late 2001.

6 Best Reference Although there are many papers, books and articles about Rijndael/AES, the most thorough reference is "The Design of Rijndael," Joan Daemen and Vincent Rijmen, Springer 2001. Rijndael is best pronounced "RAIN-DOLL".

7 Test Vectors On pages 215 and 216 of the handout, Appendix D, are the results of each round of a Rijndael encryption. Assumes a 128-bit (or 16-byte) test message and cipher key. Message or plaintext is (in hex bytes): 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34. Key is: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c.

8 Outputs at Each Stage Note that under the column heading "ENCRYPT" on page 216 are partial results, i.e. R[00].input, R[00].k_sch, R[01].start, R[01].s_box, R[01].s_row, R[01].m_col, R[01].k_sch, R[02].start, … and so on.

9 What Does R[xx].xxxx Mean? The R[00] vectors are the inputs; in other words, R[00].input is the message from the previous page, 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34, and R[00].k_sch is the "key schedule" for round 0, in other words the original input key, 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c.

10 R[01].xxxxx We will compute all the R[01].xxxxx's. They are the first-round computations; thus the entire encryption takes one to R[10].output. R[01].start is simply the XOR of the plaintext and key. R[01].s_box is the result of a procedure called "ByteSub", using the single S-box used in the method. R[01].s_row is the result of a procedure called "ShiftRow". R[01].m_col is the result of a procedure called "MixColumn". R[01].k_sch is the "Key Schedule", or the generated key for the next round. R[02].start is, again, the XOR of the result of round one and the key schedule generated at the end of round one.

11 Pseudo-C Code for a Round
Round(State, ExpandedKey[i]) {
    SubBytes(State);
    ShiftRows(State);
    MixColumns(State);
    AddRoundKey(State, ExpandedKey[i]);
}

12 The Hex XOR Table Recall from last week (row digit ⊕ column digit):
⊕  0 1 2 3 4 5 6 7 8 9 A B C D E F
0  0 1 2 3 4 5 6 7 8 9 A B C D E F
1  1 0 3 2 5 4 7 6 9 8 B A D C F E
2  2 3 0 1 6 7 4 5 A B 8 9 E F C D
3  3 2 1 0 7 6 5 4 B A 9 8 F E D C
4  4 5 6 7 0 1 2 3 C D E F 8 9 A B
5  5 4 7 6 1 0 3 2 D C F E 9 8 B A
6  6 7 4 5 2 3 0 1 E F C D A B 8 9
7  7 6 5 4 3 2 1 0 F E D C B A 9 8
8  8 9 A B C D E F 0 1 2 3 4 5 6 7
9  9 8 B A D C F E 1 0 3 2 5 4 7 6
A  A B 8 9 E F C D 2 3 0 1 6 7 4 5
B  B A 9 8 F E D C 3 2 1 0 7 6 5 4
C  C D E F 8 9 A B 4 5 6 7 0 1 2 3
D  D C F E 9 8 B A 5 4 7 6 1 0 3 2
E  E F C D A B 8 9 6 7 4 5 2 3 0 1
F  F E D C B A 9 8 7 6 5 4 3 2 1 0

13 Computing R[01].start We have R[00].input 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34, to XOR with R[00].k_sch 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c, which gives R[01].start 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08.

14 Computing R[01].s_box This is the SubBytes or S-box step. Note the S-box table on page 211 (and its inverse on page 212). The operation is simply to look up the S-box value for each byte in R[01].start, 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08. R[01].s_box is d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30.

15 Computing R[01].s_row This is the "Shift Rows" step. Basically, one writes R[01].s_box into a 4-by-4 array, writing column-wise (that is, fill the first column first, then the second column, …). Recall R[01].s_box is d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30. Writing column-wise:
d4 e0 b8 1e
27 bf b4 41
11 98 5d 52
ae f1 e5 30
Now a circular left shift, where the shift is 0, 1, 2, or 3 in row 0, 1, 2, 3:
d4 e0 b8 1e
bf b4 41 27
5d 52 11 98
30 ae f1 e5
Write this out (column-wise) in a single row to get R[01].s_row: d4 bf 5d 30 e0 b4 52 ae b8 41 11 f1 1e 27 98 e5.

16 Computing R[01].m_col This is the "Mix Columns" step, undoubtedly the trickiest. This is actually a computation in the Galois field of polynomials over GF(2^8). But let's not worry about that. It can also be expressed as a matrix product of a fixed matrix C with R[01].s_row again written column-wise:
C =              R[01].s_row =
02 03 01 01      d4 e0 b8 1e
01 02 03 01      bf b4 41 27
01 01 02 03      5d 52 11 98
03 01 01 02      30 ae f1 e5

17 Matrix Multiplication Revisited The result of this multiplication will be, as you know, another 4x4 matrix. Again, when we string out the column-wise version, we will get R[01].m_col. However, these multiplications are in GF(2^8), or mod 256 arithmetic, and the handout conveniently supplies "log tables" (pages 221 and 222) to make the computation simpler. Indeed, in the code is a brief function to do the multiplication (mul, p. 223). Essentially, mul(a, b) is Alogtable[(Logtable[a] + Logtable[b]) % 255], where % is "mod".

18 Showing the Calculation of the First Byte We will only compute the first byte of the matrix product, which is gotten by the usual method of the first row of the left-hand matrix by the first column of the right-hand matrix, thus
02 03 01 01      d4 e0 b8 1e
01 02 03 01  ×   bf b4 41 27
01 01 02 03      5d 52 11 98
03 01 01 02      30 ae f1 e5
yields for the first component 02·d4 ⊕ 03·bf ⊕ 01·5d ⊕ 01·30.

19 Using mul 02·d4 ⊕ 03·bf ⊕ 01·5d ⊕ 01·30. Using the mul function for the first two terms (the right-hand side will be decimal numbers): mul(2, d4) = Alogtable[Logtable[2] + Logtable[212]] = Alogtable[25 + 65] = Alogtable[90] = 179 = b3 (hex); mul(3, bf) = Alogtable[Logtable[3] + Logtable[191]] = Alogtable[1 + 157] = Alogtable[158] = 218 = da (hex). Thus, we need to compute b3 ⊕ da ⊕ 5d ⊕ 30.

20 Maybe Easier in Bits? Thus, we need to compute b3 ⊕ da ⊕ 5d ⊕ 30, or
b3 = 1011 0011
da = 1101 1010
5d = 0101 1101
30 = 0011 0000
XOR  0000 0100 = 04
Note the first byte in R[01].m_col (maybe we were just lucky!).

21 Last Step --- Key Schedule In the key schedule, we use the previous key, XOR it with another part of the previous key that has been run through the S-box, with a possible counter added. This time, I will only calculate the first word, or 4 bytes, of the key. Take the first 4 bytes of the former key: 2b 7e 15 16. Left-rotate once the last 4 bytes: 09 cf 4f 3c → cf 4f 3c 09. Run this last part through the S-box: SubByte(cf 4f 3c 09) = 8a 84 eb 01. XOR these, with a counter of 1 on the first byte: 2b ⊕ 8a ⊕ 01, 7e ⊕ 84, 15 ⊕ eb, 16 ⊕ 01 = a0 fa fe 17.
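The round-1 walkthrough (slides 13 through 20) and the key-schedule word (slide 21), carried out in code as an added example that is not from the slides or the handout: the log/antilog tables and mul from slide 17, SubBytes, ShiftRows and MixColumns on the slides' test vector, and the first word of R[01].k_sch. The S-box is computed at run time from the GF(2^8) inverse and the affine map instead of copying the handout's table; the function names (round1, key_word0, sbox) are my own.

```c
#include <stdint.h>
#include <string.h>
/* The slides' test vector (handout Appendix D): R[00].input and R[00].k_sch. */
const uint8_t PT[16]  = {0x32,0x43,0xf6,0xa8,0x88,0x5a,0x30,0x8d,0x31,0x31,0x98,0xa2,0xe0,0x37,0x07,0x34};
const uint8_t KEY[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
/* Log/antilog tables over GF(2^8) with generator 03, like the handout's tables; built on first use. */
static uint8_t Logtable[256], Alogtable[256];
static void build_tables(void) {
    uint8_t x = 1;
    for (int i = 0; i < 255; i++) {
        Alogtable[i] = x; Logtable[x] = (uint8_t)i;
        x ^= (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0));   /* x = 3*x, reduced by x^8+x^4+x^3+x+1 */
    }
    Alogtable[255] = 1;
}
uint8_t mul(uint8_t a, uint8_t b) {                 /* slide 17: Alogtable[(Logtable[a]+Logtable[b]) % 255] */
    if (!Alogtable[0]) build_tables();
    return (a && b) ? Alogtable[(Logtable[a] + Logtable[b]) % 255] : 0;
}
uint8_t sbox(uint8_t a) {                           /* S-box entry: GF(2^8) inverse, then the affine map */
    if (!Alogtable[0]) build_tables();
    uint8_t inv = a ? Alogtable[(255 - Logtable[a]) % 255] : 0, r = 0x63;
    for (int i = 0; i < 5; i++) r ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return r;
}
typedef uint8_t state_t[4][4];                      /* state[row][col]; the 16 bytes are filled column-wise */
static void store(state_t s, uint8_t out[16])     { for (int i = 0; i < 16; i++) out[i] = s[i % 4][i / 4]; }
static void sub_bytes(state_t s) { for (int i = 0; i < 16; i++) s[i % 4][i / 4] = sbox(s[i % 4][i / 4]); }
static void shift_rows(state_t s) {                 /* row r is rotated left by r positions */
    for (int r = 1; r < 4; r++) { uint8_t t[4]; for (int c = 0; c < 4; c++) t[c] = s[r][(c + r) % 4]; memcpy(s[r], t, 4); }
}
static void mix_columns(state_t s) {                /* each column times the fixed circulant matrix C = (02 03 01 01) */
    for (int c = 0; c < 4; c++) {
        uint8_t a0 = s[0][c], a1 = s[1][c], a2 = s[2][c], a3 = s[3][c];
        s[0][c] = mul(2, a0) ^ mul(3, a1) ^ a2 ^ a3;   s[1][c] = a0 ^ mul(2, a1) ^ mul(3, a2) ^ a3;
        s[2][c] = a0 ^ a1 ^ mul(2, a2) ^ mul(3, a3);   s[3][c] = mul(3, a0) ^ a1 ^ a2 ^ mul(2, a3);
    }
}
/* Round 1 on (pt, key): writes R[01].start, .s_box, .s_row and .m_col in the slides' byte order. */
void round1(const uint8_t pt[16], const uint8_t key[16], uint8_t start[16], uint8_t sb[16], uint8_t sr[16], uint8_t mc[16]) {
    state_t s; for (int i = 0; i < 16; i++) s[i % 4][i / 4] = pt[i] ^ key[i];   /* AddRoundKey with R[00].k_sch */
    store(s, start); sub_bytes(s); store(s, sb); shift_rows(s); store(s, sr); mix_columns(s); store(s, mc);
}
/* First word of R[01].k_sch: rotate the last key word, S-box it, XOR the counter 01 into byte 0, XOR word 0. */
void key_word0(const uint8_t key[16], uint8_t out[4]) {
    uint8_t t[4] = { sbox(key[13]), sbox(key[14]), sbox(key[15]), sbox(key[12]) };
    t[0] ^= 0x01;
    for (int i = 0; i < 4; i++) out[i] = key[i] ^ t[i];
}
```

Calling round1(PT, KEY, ...) reproduces the slides' values byte for byte, so the same code can be pointed at the remaining columns and rounds that the slides stop short of.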