1 A simple algebraic representation of Rijndael Niels Ferguson Richard Schroeppel Doug Whiting

2 I am biased I’m one of the designers of Twofish, an AES finalist that lost to Rijndael in the AES competition. I spent several month attacking Rijndael.

3 The finite field GF(2 8 ) It is a field: you can add, subtract, multiply, and divide. There are 2 8 = 256 elements. Field addition is the XOR operation. Multiplication is similar to modular multiplication, without any carries.

4 Squaring in GF(2 8 ) We all know that (a + b) 2 = a 2 + ab + ab + b 2 but as addition in GF(2 8 ) is a XOR we get (a + b) 2 = a 2 + b 2 This is known as the Freshman’s Dream. Squaring is a bit-linear operation!

5 The MixColumn operation Matrix multiplication: each output byte is a linear combination of input bytes. b 0 = 2a 0 + 3a 1 + a 2 + a 3 b 1 = a 0 + 2a 1 + 3a 2 + a 3 b 2 = a 0 + a 1 + 2a 2 + 3a 3 b 3 = 3a 0 + a 1 + a 2 + 2a 3

6 S-box has three layers Inversion in the field GF(2 8 ). Bit-linear function (each output bit is the sum of some input bits). Addition of a constant.

7 Bit-linear functions in GF(2 8 ) Any bit-linear function in GF(2 8 ) can be written as ax 128 +bx 64 +cx 32 +dx 16 +ex 8 +fx 4 +gx 2 +hx Squaring is bit-linear, so all polynomials of this form are bit-linear. There are 2 64 polynomials of this form, and 2 64 bit-linear functions.

8 Rewriting the S-box The constant can be moved into the key schedule. We can rewrite the S-box as

9 Combined S-box and MixColumn MixColumn: Combined:

10 One round Can be written as: or

11 Four rounds

12 Conclusions Rijndael depends on a new complexity assumption: You cannot solve equations of this form efficiently in GF(2 8 ). We have no idea how hard this problem is.

13 Which block cipher to choose Rijndael/AES: fast, available, and the safe choice (for your career). Serpent: built like a tank, but slow Twofish: most of the security of Serpent, with most of the speed of Rijndael.