View
215
Download
0
Category
Preview:
Citation preview
1
Block Ciphers
Structures have been found in DES that were undoubtedly inserted tostrengthen the system against certain types of attack. Structures havealso been found that appear to weaken the system.
Lexar Corporation, “An Evalution of the DES”, 1976.
Block Ciphers 2CMPS 122, UC Santa Cruz
Block ciphers
• Stream ciphers◆ Encrypt small (bit or byte) units one at a time◆ Everything we have seen so far◆ Require less buffering
• Block ciphers◆ Encrypt large chunks (64+ bits) at once◆ Must buffer enough to get a block before encrypting
2
Block Ciphers 3CMPS 122, UC Santa Cruz
Block cipher
• 64 bit blocks• 264 possible plaintext blocks, must have at least 264
corresponding ciphertext blocks◆ There are 264! possible mappings
• Why not just create a random mapping?◆ Need a 264 * 64-bit table ≈ 1021 bits◆ At $1/GB (for disk), this costs a million million dollars!◆ Need to distribute new table if compromised
• Approximate ideal random mapping usingcomponents controlled by a key
Block Ciphers 4CMPS 122, UC Santa Cruz
Goals: diffusion and confusion
• Claude Shannon [1945]• Diffusion
◆ Small change in plaintext changes lots of ciphertext◆ Statistical properties of plaintext hidden in ciphertext
• Confusion◆ Statistical relationship between key and ciphertext as
complex as possible⇒ Need to design functions that produce output that is
diffuse and confused
3
Block Ciphers 5CMPS 122, UC Santa Cruz
Feistel cipher structure
Plaintext
L0 R0
⊕ F
K1
Sub
stitu
tion
Per
mut
atio
n
• Encrypt in rounds◆ Input to each round split
L0 = left half of inputR0 = right half of input
◆ For each round:Li = Ri-1Ri = Li-1 ⊕ F(Ri-1, Ki)
• Substitution: S-box• Permutation: P-box• Proceed for n rounds• After final round, undo last
permutationC = Rn || Ln
R1L1
Round
Block Ciphers 6CMPS 122, UC Santa Cruz
One round Feistel
E (L0 || R0):L1 = R0
R1 = L0 ⊕ F (R0, K1))C = R1 || L1 = L0 ⊕ F (R0, K1)) || R0
Li = Ri - 1
Ri = Li - 1 ⊕ F (Ri - 1, Ki )
4
Block Ciphers 7CMPS 122, UC Santa Cruz
Decryption
• Inputs to decryption engine◆ LD0 = left half of ciphertext◆ RD0 = right half of ciphertext
• For each round◆ LDi = RDi - 1◆ RDi = LDi - 1 ⊕ F (RDi - 1,
Kn – i + 1)• Repeat for n rounds• Last round
◆ P = RDn || LDn
Ciphertext
LD0 RD0
⊕ F
Kn
Sub
stitu
tion
Per
mut
atio
n
R1L1
Round
Block Ciphers 8CMPS 122, UC Santa Cruz
Decryption
D (L0 ⊕ F (R0, K1)) || R0)LD0 = L0 ⊕ F (R0, K1) RD0 = R0LD1 = R0RD1 = LD0 ⊕ F (RD0, K1)
= L0 ⊕ F (R0, K1) ⊕ F (RD0, K1))= L0
P = RD1 || LD1 = L0 || R0
LDi = RDi - 1
RDi = LDi - 1 ⊕ F (RDi - 1, Kn – i + 1)
5
Block Ciphers 9CMPS 122, UC Santa Cruz
Multiple Rounds
• The entire round is a function:fK (L || R) = R || L ⊕ F (R, K))swap (L || R) = R || L
• E = swap ° swap ° fKr ° swap ° fKr-1 ° ... ° fK2 ° swap ° fK1
• D = fK1 ° swap ° fK2 ° ... °fKr-1 ° swap ° fKr ° swap ° swap
Block Ciphers 10CMPS 122, UC Santa Cruz
Decryption
swap (fK (swap (fK (L || R))= swap (fK (swap (R || L ⊕ F (R, K))))= swap (fK (L ⊕ F (R, K) || R))= swap (R || (L ⊕ F (R, K)) ⊕ F (R, K))= swap (R || L) = L || R
So swap ° fK is its own inverse!
6
Block Ciphers 11CMPS 122, UC Santa Cruz
Requirements for F
• For decryption to work:◆ F must be deterministic and solely a function of its inputs
(key and block)◆ Could even be a constant function!◆ Certainly could produce identical values for a given K
and more than one block• For security:
◆ Hide patterns in plaintext◆ Hide patterns in key
• Coming up with a good F is hard!
Block Ciphers 12CMPS 122, UC Santa Cruz
DES (Data Encryption Standard)
• NIST (then NBS) sought standard for data security(1973)
• IBM’s Lucifer only reasonable proposal• Modified by NSA
◆ Changed S-Boxes◆ Reduced key from 128 to 56 bits
• Adopted as standard in 1976• More bits have been encrypted using DES than any
other cipher
7
Block Ciphers 13CMPS 122, UC Santa Cruz
DES algorithm
• Feistel cipher with added initial permutation• Complex choice of F• 16 rounds• 56-bit key, shifts and permutations produce 48-bit
subkeys for each round
Block Ciphers 14CMPS 122, UC Santa Cruz
F used for DES
Expand and permute (using E table)
32 bits
48 bits
Kn
Substitute (using S boxes)32 bits
Permutation
The goal is confusion!
8
Block Ciphers 15CMPS 122, UC Santa Cruz
S-Box
6 bits
4 bits
Example: 110011
1001
64 entry lookup table
S-Boxes
• Critical to security• NSA changed choice of S-Boxes• Only non-linear step in DES
◆ E(11) ≠ E(01) + E(10)
Block Ciphers 16CMPS 122, UC Santa Cruz
DES avalanche
Input: ...............................................................* 1Permuted: .......................................*........................ 1Round 1: .......*........................................................ 1Round 2: .*..*...*.....*........................*....................….. 5Round 3: .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18Round 4: ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28Round 5: *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29Round 6: ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26Round 7: *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*Round 8: *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...Round 9: ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*Round 12: *..***....*...*.*.*.***...****....******......*..******....*....Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*Output: ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html
9
Block Ciphers 17CMPS 122, UC Santa Cruz
Generating DES round keys
• Need 16 48-bit keys◆ Best security: just use 16
independent keys◆ Problem: 768 key bits is too
long!• 56-bit key used
◆ Actually use 64 bits,including parity checking
• Produce 48-bit round keysby shifting and permutingKi = PC (Shift (Left (Ki-1)) ||
Shift (Right (Ki-1)))◆ How is decrypting done?◆ Are there weak keys?
Shift(1 or 2 bits)
Shift(1 or 2 bits)
Key (56 bits)
Compress / permute
Kn
28 bits 28 bits
Block Ciphers 18CMPS 122, UC Santa Cruz
Is DES a perfect cipher?
• No!◆ There are more messages than keys
• What about for a 64-bit block?◆ No!◆ 264 messages > 256 keys
10
Block Ciphers 19CMPS 122, UC Santa Cruz
Brute force attacks on DES
• Key is 56 bits◆ 256 = 7.2 * 1016 = 72 quadrillion keys◆ On average, try half the keys to find the right one
• How long will it take?◆ 1 per second => 1.1 billion years◆ 10 million per second => 110 years◆ 10 million per second on each of 10,000 PCs: 4.1 days!
• The latter can be done with a distributed attack◆ Steal/borrow idle cycles on networked PCs
– A large corporation with 25,000 PCs could do this in less than aweek, even assuming the software runs only during off hours….
◆ Increase speed further with more hardware assist
Block Ciphers 20CMPS 122, UC Santa Cruz
Brute Force Attacks
• RSA DES challenges:◆ 1997: 96 days (using 70,000 machines)◆ Feb 1998: 41 days (distributed.net)◆ July 1998: 56 hours (EFF custom hardware)◆ January 1999: 22 hours (EFF + distributed.net)
– 245 Billion keys per second• NSA can probably crack DES routinely (but they
won’t admit it)◆ Hardware is simple to design◆ 10,000 inexpensive PCs cost only $5 million
11
Block Ciphers 21CMPS 122, UC Santa Cruz
Electronic Codebook Mode (ECB)
• Transmitting a long plaintext using DES:◆ P = P1 || P2 || ... || PN
• Electronic Codebook Mode:◆ C = EK (P1) || EK (P2) || ... || EK (PN)
• Problems:◆ Any identical blocks encrypted identically
– 64 bits = 8 ASCII characters– Identical 8 character sequences encrypt to the same thing
◆ Lots of ciphertext encrypted with same K◆ Enemy can easily substitute
– Example: salary is always bytes 24-31 of the message– Replace my salary with Dean Kang’s
– I don’t know what it is, but it’s more than mine…
Block Ciphers 22CMPS 122, UC Santa Cruz
Cipher Block Chaining (CBC)
DES
Initializationvector (IV)
K
⊕
P1
C1
to receiver
DESK
⊕
P2
C2
to receiver
...
12
Block Ciphers 23CMPS 122, UC Santa Cruz
Cipher Feedback Mode (CFB)
DES
IV
K
⊕j bits
P1
C1
to receiver
shift j bits
...DESK
⊕j bits
P2
C2
to receiver
Encrypt in unitsof j < 64 bits
Block Ciphers 24CMPS 122, UC Santa Cruz
Output Feedback Mode (OFB)
DES
IV
K
⊕j bits
P1
C1
to receiver
shift j bits
...DESK
⊕j bits
P2
C2
to receiver
Encrypt in unitsof j < 64 bits
13
Block Ciphers 25CMPS 122, UC Santa Cruz
Cipher/output feedback
• 1-bit transmission error◆ Recoverable in output feedback◆ May not be recoverable in cipher feedback
• Active eavesdropper◆ Can modify stream using XOR◆ May make undetectable changes if parity used for error
correction• Known plaintext attacks work on OFB
◆ Sequence of DES outputs are always the same• Performance
◆ Slower than full DES, but works on smaller chunks of data
Block Ciphers 26CMPS 122, UC Santa Cruz
Multiple encryption
• C = EK2 (EK1 (P))• Does it double the key space?• Monoalphabetic cipher
◆ Ci = K2[K1[Pi]]= K3[Pi] for some K3
• Composition over monoalphabetic encryption is agroup◆ Result of composing two encryptions is another
encryption that’s a member of the group◆ By extension, so is a composition of n encryptions◆ In this case there’s no benefit to multiple encryptions
14
Block Ciphers 27CMPS 122, UC Santa Cruz
Double-Vigenère
C = EK2 (EK1 (P))Vigenère: Ci = (Pi + Ki mod N) mod Z
Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z= (Pi + K1i mod N1 + K2i mod N2 ) mod Z
if N1 = N2:= (Pi + K3i mod N) mod Z (K3 = K1 + K2)
But what if N1 ≠ N2?
Block Ciphers 28CMPS 122, UC Santa Cruz
Double-Vigenère
• K1 = "BOND"• K2 = "JAMES"
BONDBONDBONDBONDBONDBONDBOND+ JAMESJAMESJAMESJAMESJAMESJAM= KOZHTXNPFGWDNSFMBARVKOZHTXNP
• Effective key length: LCM (N1, N2) = 20• Composition over Vignère is a group
◆ This means that the result could be obtained with a 20-letter alphabetic key (though not necessarily a real word)
15
Block Ciphers 29CMPS 122, UC Santa Cruz
Double DES
• C = EK2 (EK1 (P))• Is there a K3 such that C = EK3 (P)?
◆ There are 256 keys, and 264! mappings◆ If DES is good, keys map randomly to mappings
– Probability that a randomly chosen mapping corresponds to aDES key:256 / 264! << 1 / 263!
– Composition over DES is not a group [Campbell 1992]◆ Answer: EK3 (P) ≠ EK2 (EK1 (P)), at least for most K1, K2
• Effective key size of Double DES?= 256 * 256 = 2112
NOT!!!
Block Ciphers 30CMPS 122, UC Santa Cruz
Known plaintext attack
E EP
K1 K2
C
P E
try all possible keys
XK1
XK2
XK256
CD
try all possible keys
YK1
YK2
YK256
One XKi = YKj means K1 = Ki and K2 = Kj
16
Block Ciphers 31CMPS 122, UC Santa Cruz
Meet-in-the-Middle attack
• C = EK2 (EK1 (P))• X = EK1 (P) = DK2 (C)• Brute force attack (given one P/C pair):
◆ Calculate EK1 (P) for all keys (256 work)◆ Calculate DK2 (C) for all keys (256 work)◆ Match gives the keys!
• Total work = 2 * 256 = 257
Block Ciphers 32CMPS 122, UC Santa Cruz
2-Key Triple DES
• C = EK1 (DK2 (EK1 (P)))• Why DK2 not EK2?
◆ Backwards compatibility with DES◆ If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P)
• Actual key size = 56 + 56 bits = 112 bits• Meet-in-the-middle?
X = EK1 (P) = DK1 (EK2 (C))256 need to try 2112
17
Block Ciphers 33CMPS 122, UC Santa Cruz
How secure is Triple-DES?
• Brute force search: 2112 keys◆ Best DES attack: 245 B keys/second◆ ≈ 6.7 * 1014 years (compared to 22 hours)◆ 1011 years = total lifetime of universe (closed universe
theory)• Best known attack - reduces to 2120-log2n
◆ n = number of known P-C pairs◆ n = 264, work is 256
Is this realistic?
Block Ciphers 34CMPS 122, UC Santa Cruz
3-Key Triple DES
• C = EK3 (DK2 (EK1 (P)))• H(K) = 168• Used by PGP, S/MIME• How much work to brute-force?
◆ Meet-in-the-middle:X = DK3 (C) = DK2 (EK1 (P))
256 + 2112
18
Block Ciphers 35CMPS 122, UC Santa Cruz
Attacks on DES and other block ciphers
• Brute force◆ Try all possible keys, and check to see if the resulting
plaintext is reasonable• Differential cryptanalysis
◆ Try inputs (key, ciphertext, plaintext) that differ by only afew bits and see how the output changes
• Power cryptanalysis◆ Analyze power usage◆ More power may indicate something about the key or
plaintext: more power => particular bit is 1?
Block Ciphers 36CMPS 122, UC Santa Cruz
Side channel cryptanalysis
• Regular cryptanalysis is mathematical◆ Attacker sees inputs, outputs
• Side channel cryptanalysis◆ Attacker sees something else
– Power consumption: can measure at 1 GHz!– Encryption/decryption time (longer for 1’s)– Radiation
◆ Example– Current for a left shift depends on leftmost bit: if 1, need to set
rightmost bit afterwards– DES key schedule uses shifts, can tell bits in key!– Current for XOR may depend on number of switches
◆ Can be difficult to prevent!• Depends on implementation of algorithm
19
Block Ciphers 37CMPS 122, UC Santa Cruz
Defenses against side channel attacks
• Reduce signal◆ Physical shielding, microprocessor design (make all shifts
use same power, etc.)• Introduce random noise
◆ Change execution order, do random computation, etc.◆ Design computation to do the same thing regardless of
input, varying only the result– Works best with reduced signal!
• Design cryptosystems with DPA in mind◆ Nonlinear key updates between transactions
Block Ciphers 38CMPS 122, UC Santa Cruz
What’s next after DES?
• 3DES is almost certainly secure◆ 168 bit keys are long enough◆ Many years of experience and testing
• But…◆ NSA might be able to break it◆ 3DES is too slow
– Three sequential applications of DES– Can’t easily parallelize because of data dependencies
◆ 3DES is too inflexible– Can’t change block size– Can’t change key size
20
Block Ciphers 39CMPS 122, UC Santa Cruz
First try: Clipper
• 1993: AT&T markets secure telephony device• Law enforcement has issues
◆ US courts can authorize wire taps◆ “Authorities” must be able to decrypt
• NSA proposes Clipper Chip◆ Secret algorithm (Skipjack)
– No public review– “Take our word for it — it’s secure”
◆ Only implemented in hardware
Block Ciphers 40CMPS 122, UC Santa Cruz
Key escrow
• NSA has copy of special key◆ Authorities can obtain key with a court order
• With each message, sender transmitsE (M, k) || LEAF◆ LEAF = “law enforcement agents’ field”
• Holder of special key can decrypt LEAF to find message key◆ With message key, message can be decrypted
k = message keyu = 80-bit special key (unique to chip)n = 30-bit identifier (unique to chip)a = escrow authenticatorf = 80-bit key (same on all chips)
Known by FBILEAF = E ((E (k, u) || n || a), f)
21
Block Ciphers 41CMPS 122, UC Santa Cruz
How wire taps are supposed to work
• FBI investigating Alice◆ FBI intercepts Clipper-encoded communication
• Uses f to decrypt LEAF:◆ D (E ((E (k, u) || n || a), f)) = E (k, u) || n || a)
• Delivers n and court order to 2 escrow agencies◆ Agencies provide u (2 pieces of split key) to authorities
• Decrypts E (k, u)◆ Obtains message key
• Decrypts message!
Block Ciphers 42CMPS 122, UC Santa Cruz
Why didn’t Clipper succeed?
• Politics◆ Administration backed down
– Secret algorithm– Public relations disaster
– Didn’t involve academic cryptographers early– Proposal was rushed– Hadn’t even figured out who would escrow the keys!
• Crypto strength◆ How do you prevent criminals from transmitting wrong LEAF?
– Use a checksum– But, easy to find LEAF with right checksum with brute-force attack
[Blaze]– Attack could be done in less than a day– Just transmit new LEAF with correct checksum
◆ NSA solution: put it in hardware, inspect all Clipper devices– Still vulnerable to out-of-the box device
◆ Bottom line: people will find ways around hardware security…
22
Blowfish, Rijndael, and Other StrangeCreatures
The algorithm might look haphazard, but we did everything for a reason.Nothing is in Twofish by chance. Anything in the algorithm that we couldn'tjustify, we removed. The result is a lean, mean algorithm that is strong andconceptually simple.
- Bruce Schneier
Block Ciphers 44CMPS 122, UC Santa Cruz
AES: Advanced Encryption Standard
• 1996: NIST initiated program to choose AdvancedEncryption Standard to replace DES
• Requested algorithm submissions◆ Got 15 of them!
• Requirements:◆ Secure for next 50 – 100 years◆ Faster than 3DES◆ Supports variable length keys (at least 128, 192 and 256
bits)◆ Must be a block cipher
23
Block Ciphers 45CMPS 122, UC Santa Cruz
AES process
• Open design◆ DES: design criteria for S-boxes kept secret◆ Open => less chance for subversion
• Many decent choices◆ DES: only one acceptable algorithm◆ Less likelihood that the algorithm is “fixed”
• Public cryptanalysis efforts before choice◆ Heavy involvements of academic community◆ Leading public cryptographers tried to break it
• Very conservative: 4+ year process
Block Ciphers 46CMPS 122, UC Santa Cruz
AES: Round 1
• 15 submissions accepted• Weak ciphers quickly eliminated
◆ Magenta broken at conference!• 5 finalists selected
◆ Security versus performance is main tradeoff◆ Lots of complexity => anything can be made secure◆ Tougher to make simple ciphers secure…
24
Block Ciphers 47CMPS 122, UC Santa Cruz
AES finalists
• MARS (IBM)• RC6 (Rivest, et. al.)• Rijndael (top Belgium cryptographers)• Serpent (Anderson, Biham, Knudsen)• Twofish (Schneier, et. al.)
Block Ciphers 48CMPS 122, UC Santa Cruz
Blowfish
• [Schneier93]• 64-bit block cipher• Much faster than DES• Variable key length:
32-448 bits• Many attempted crytanalyses, none successful yet• Widely used: ssh, OpenBSD, PGPFone
25
Block Ciphers 49CMPS 122, UC Santa Cruz
Key-dependent S-boxes
• Differential cryptanalysis depends on analyzing S-box input/output different probabilities
• Prevent this by making the S-boxes key-dependent◆ S-boxes differ by key, so no a priori analysis
• Problem for AES: too much setup time & space◆ Must run algorithm 521 times to set up S-boxes
• Solution: Twofish◆ Provides options for how many key-dependent S-boxes
– Trade off security for time-space◆ Does other things
– Increases block size (128 required by AES)– Changes key schedule– Other stuff…
Block Ciphers 50CMPS 122, UC Santa Cruz
Why use π/e/Φ in cryptography?
• Mathematical constants have good pseudorandomdistribution◆ Transcendental, so not predictable◆ Generate as many digits as needed…
• Since they are public and well-known, little fear thatchoice is a trap door◆ Still could be there, but just how powerful is the NSA?
• Used by RC5, RC6, Blowfish, etc. to help generatemagic constants
26
Block Ciphers 51CMPS 122, UC Santa Cruz
TwofishF
rom
http
://ww
w.d
dj.co
m/a
rticles
/19
98
/98
12
/98
12
b/9
81
2b
f1.h
tm
Block Ciphers 52CMPS 122, UC Santa Cruz
Choosing AES
Simplicity(code size)
Safetyfactor
Speed(8 bits)
Speed(32 bits)
Cipher
104 KB2.671816Twofish
98 KB1.332018Rijndael
48 KB1.184315RC6
85 KB1.903423MARS
341 KB3.566962Serpent
Cycles perbyte encrypted
27
Block Ciphers 53CMPS 122, UC Santa Cruz
And the winner is…
• Rijndael chosen as AES algorithm• Key characteristics
◆ Fast◆ Small◆ Well-understood characteristics
• Twofish drawbacks◆ Key-dependent S-boxes not well-understood◆ Full implementation was a memory and space hog
– OK for some applications, but not for smart cards…
Block Ciphers 54CMPS 122, UC Santa Cruz
Rijndael details
• Central operation: xtime(a)◆ xtime(a) = (a << 1) ⊕ 0x1b◆ Apply repeatedly to perform operations on larger numbers◆ Example: 57 • 13:
57 • 02 = xtime (57) = AE57 • 04 = xtime (AE) = 4757 • 08 = xtime (47) = 8E57 • 10 = xtime (8E) = 0757 • 13 = 57 ⊕ AE ⊕ 07 = FE
• Three layers◆ Linear mixing◆ Non-linear (application of S-boxes)◆ Key addition (by XOR)
• Rijndael is not a Feistel cipher!
28
Block Ciphers 55CMPS 122, UC Santa Cruz
Rijndael data structures
• Assume block size of 128,key size of 192
• State array is 4 columns(n/32) x 4 rows of bytes
• Key array is 6 columns(k/32) x 4 rows of bytes
• Both packed into lineararrays column by column
a3,3a3,2a3,1a3,0
a2,3a2,2a2,1a2,0
a1,3a1,2a1,1a1,0
a0,3a0,2a0,1a0,0
State array
k3,4
k2,4
k1,4
k0,4
k3,5
k2,5
k1,5
k0,5
k3,3k3,2k3,1k3,0
k2,3k2,2k2,1k2,0
k1,3k1,2k1,1k1,0
k0,3k0,2k0,1k0,0
Key array
k3,5k2,5…k2,0k1,0k0,0
Block Ciphers 56CMPS 122, UC Santa Cruz
Rijndael operationsRound (State, RoundKey){
ByteSub (State);ShiftRow (State);MixColumn (State);AddRoundKey(State,RoundKey);
}
ByteSub (State){ for each byte in State { Map byte using S-box table Replace byte in State }}
ShiftRow (State){ for each row k of State { // Ck depends on block size cyclic shift left by Ck }}
MixColumn (State){ for each row k of State { Invertible transform }}
AddRoundKey (State, RoundKey){ State = State ⊕ RoundKey}
29
Block Ciphers 57CMPS 122, UC Santa Cruz
Running Rijndael
• Generate S-boxes (or use static S-boxes)• Generate round keys from 128 – 256 bit key• Add first round key to block• Run Nr-1 rounds• Run the final round without mixing columns• Output the state array as the ciphertext
• Code available online from Homework #2 page…
Block Ciphers 58CMPS 122, UC Santa Cruz
Advantages of Rijndael
• Uses only simple operations◆ XOR◆ Substitution◆ Cyclic shifts
• Doesn’t depend on natural constants◆ Less chance of choosing a “bad” constant
• Requires very little space and time to run◆ S-boxes can be hard-coded in 256 bytes for 8-bit processor◆ Lots of parallelism within each round
Recommended