Journal of Computer Science and Cybernetics (Tạp chí Tin học và Điều khiển học), Vol. 17, No. 4 (2001), 45-56
DUONG ANH DUC - TRAN MINH TRIET - LUONG HAN CO
Abstract. The Rijndael Block Cipher has been chosen to be the Advanced Encryption Standard (AES) since October 2nd, 2000. The cipher processes blocks and keys having 128, 192, or 256 bits. The Extended Rijndael Block Cipher is proposed to process larger blocks and keys of length 256, 384, or 512 bits.
Summary (Vietnamese abstract, translated). The Rijndael encryption method was officially chosen by the US National Institute of Standards and Technology (NIST) as the AES (Advanced Encryption Standard) on October 2, 2000. In practice, the Rijndael method processes data blocks and keys of length 128, 192 or 256 bits. In this paper we introduce the extended 256/384/512-bit version of this algorithm, which is capable of processing data blocks and keys of length 256, 384 or 512 bits.
1. INTRODUCTION
In this document we describe the 256/384/512-bit extended Rijndael-like Block Cipher. This is the extended version of the Rijndael Block Cipher, proposed by Vincent Rijmen and Joan Daemen, which has been chosen to be the AES by the National Institute of Standards and Technology (NIST). The input, the output and the cipher key for the Extended-Rijndael are 256, 384 or 512 bits in length.
2. NOTATION AND CONVENTIONS
2.1 Extended-Rijndael Inputs and Outputs
The input, the output and the cipher key for Extended-Rijndael are each bit sequences containing 256, 384 or 512 bits, with the constraint that the input and output sequences have the same length.
2.2 Bytes
The basic unit for processing in this algorithm is a byte, a sequence of eight bits treated as a single entity. Each byte b is interpreted as a finite field element which can be represented in binary notation $\{b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0\}$, in hexadecimal notation $\{h_1 h_0\}$, or in polynomial notation
$$\sum_{i=0}^{7} b_i x^i.$$
2.3 The State
All operations are performed on a two-dimensional array of bytes called the State, consisting of eight rows of bytes, each containing Nb bytes, where Nb is the block length divided by 64. An individual byte of the State (denoted by the symbol s) is referred to as either $s_{r,c}$ or $s[r,c]$, where r is its row number in the range $0 \le r < 8$ and c is its column number in the range $0 \le c < Nb$.
At the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme $s[r,c] = in[r + 8c]$ for $0 \le r < 8$ and $0 \le c < Nb$, and at the end of the Cipher and Inverse Cipher the State is copied to the output array out as follows: $out[r + 8c] = s[r,c]$ for $0 \le r < 8$ and $0 \le c < Nb$.
The eight bytes in each column of the State array can be considered either as an array of eight bytes indexed by the row number r, or as a single 64-bit word. The State can hence be considered as a one-dimensional array of words for which the column number c provides the array index.
3. POLYNOMIALS WITH COEFFICIENTS IN GF(2^8)
All bytes in the Extended-Rijndael algorithm are interpreted as finite field elements which can be added and multiplied. For these operations please refer to [2, 10, 15].
Eight-term polynomials can be defined, with coefficients that are finite field elements, as
$$a(x) = \sum_{i=0}^{7} a_i x^i,$$
which will be denoted as a word in the form $[a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7]$. Addition is performed by adding the finite field coefficients of like powers of x:
$$a(x) + b(x) = \sum_{i=0}^{7} (a_i \oplus b_i)\, x^i. \quad (1)$$
Multiplication is achieved in two steps. In the first step, the polynomial product $c(x) = a(x) \bullet b(x)$ is algebraically expanded, and like powers are collected to give:
$$c(x) = \sum_{i=0}^{14} c_i x^i, \quad \text{where } c_i = \bigoplus_{j=0}^{i} a_j \bullet b_{i-j} \quad (\text{with } a_j = b_j = 0 \text{ for } j > 7). \quad (2)$$
The second step of the multiplication is to reduce c(x) modulo a polynomial of degree 8; the result can then be reduced to a polynomial of degree less than 8. This is accomplished with the polynomial $x^8 + 1$, for which $x^i \bmod (x^8 + 1) = x^{i \bmod 8}$. The modular product of a(x) and b(x), denoted by $a(x) \otimes b(x)$, is given by the eight-term polynomial d(x), defined as follows:
$$d(x) = \sum_{i=0}^{7} d_i x^i, \quad \text{where } d_i = \bigoplus_{j=0}^{7} a_j \bullet b_{(i-j) \bmod 8}. \quad (3)$$
Because $x^8 + 1$ is not an irreducible polynomial over GF(2^8), multiplication by a fixed eight-term polynomial is not necessarily invertible. However, the Extended-Rijndael algorithm specifies a fixed eight-term polynomial that does have an inverse: the polynomial a(x) of (9) in Sec. 4.3, whose inverse $a^{-1}(x)$ is given in (13), Sec. 5.3.
4. THE CIPHER
The length (Nb) of the cipher input, the cipher output and the cipher State, and the length (Nk) of the cipher key, measured in multiples of 64 bits (words), is 4, 6 or 8. The number of rounds (Nr) depends on the block length and the key length:
$$Nr = \max(Nb, Nk) + 6.$$
The cipher is described in the following pseudo code, for which the individual transformations and the key schedule are described in the following sections (the array w contains the key schedule, an array of round keys).
Cipher(byte in[8 * Nb], byte out[8 * Nb], word w[Nb * (Nr + 1)])
begin
  byte state[8,Nb]
  state = in
  AddRoundKey(state, w)
  for round = 1 step 1 to Nr - 1
    SubBytes(state)
    ShiftRows(state)
    MixColumns(state)
    AddRoundKey(state, w + round * Nb)
  end for
  SubBytes(state)
  ShiftRows(state)
  AddRoundKey(state, w + Nr * Nb)
  out = state
end
4.1 The SubBytes Transformation
The SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box), as in the original Rijndael algorithm [2, 10, 15].
This S-box, which is invertible, is constructed by composing two transformations:
1. Take the multiplicative inverse in the finite field GF(2^8); the element {00} is mapped to itself.
2. Apply an affine (over GF(2)) transformation defined by:
$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i \quad (7)$$
for $0 \le i < 8$, where $b_i$ is the i-th bit of the byte, and $\{c_7 c_6 c_5 c_4 c_3 c_2 c_1 c_0\} = \{63\} = \{01100011\}$. A prime on a variable (e.g., b') indicates that the variable is to be updated with the value on the right.
SubBytes(byte state[8,Nb])
begin
  for r = 0 step 1 to 7
    for c = 0 step 1 to Nb - 1
      state[r,c] = Sbox[state[r,c]]
    end for
  end for
end
4.2 The ShiftRows Transformation
The ShiftRows transformation operates individually on each row of the State by cyclically shifting the bytes in the row such that:
$$s'_{r,c} = s_{r,(c + shift(r,Nb)) \bmod Nb} \quad (8)$$
for $0 < r < 8$ and $0 \le c < Nb$, where the shift value is $shift(r, Nb) = r \bmod Nb$.
This has the effect of moving bytes to "lower" positions in the row (i.e., lower values of c in a given row), while the "lowest" bytes wrap around into the "top" of the row (i.e., higher values of c in a given row).
ShiftRows(byte state[8,Nb])
begin
  byte t[Nb]
  for r = 1 step 1 to 7
    for c = 0 step 1 to Nb - 1
      t[c] = state[r, (c + shift[r,Nb]) mod Nb]
    end for
    for c = 0 step 1 to Nb - 1
      state[r,c] = t[c]
    end for
  end for
end
4.3 The MixColumns Transformation
The MixColumns transformation operates on the State column-by-column, treating each column as an eight-term polynomial as described in Sec. 3. The columns are considered as polynomials over GF(2^8) and multiplied modulo $x^8 + 1$ with a fixed polynomial a(x), given by:
$$a(x) = \{03\}x^7 + \{05\}x^6 + \{03\}x^5 + \{02\}x^4 + \{02\}x^3 + \{04\}x^2 + \{02\}x + \{02\} \quad (9)$$
The pseudo code for this transformation is as follows, where the function FFmul(x, y) returns the product of two finite field elements x and y.
MixColumns(byte state[8,Nb])
begin
  byte t[8]
  for c = 0 step 1 to Nb - 1
    for r = 0 step 1 to 7
      t[r] = state[r,c]
    end for
    for r = 0 step 1 to 7
      state[r,c] = FFmul(0x02, t[r]) xor FFmul(0x03, t[(r + 1) mod 8]) xor
                   FFmul(0x05, t[(r + 2) mod 8]) xor FFmul(0x03, t[(r + 3) mod 8]) xor
                   FFmul(0x02, t[(r + 4) mod 8]) xor FFmul(0x02, t[(r + 5) mod 8]) xor
                   FFmul(0x04, t[(r + 6) mod 8]) xor FFmul(0x02, t[(r + 7) mod 8])
    end for
  end for
end
4.4 The AddRoundKey Transformation
In the AddRoundKey transformation, a Round Key is added to the State by a simple bitwise XOR operation. Each Round Key consists of Nb words from the key schedule (described in Sec. 4.5). Those Nb words are each added into the columns of the State, such that:
$$[s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}, s'_{4,c}, s'_{5,c}, s'_{6,c}, s'_{7,c}] = [s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}, s_{4,c}, s_{5,c}, s_{6,c}, s_{7,c}] \oplus [w_{round \cdot Nb + c}] \quad (10)$$
for $0 \le c < Nb$, where $[w_i]$ are the key schedule words described in Sec. 4.5, and round is a value in the range $0 \le round \le Nr$.
In the Cipher, the initial Round Key addition occurs when round = 0, prior to the first application of the round function. The application of the AddRoundKey transformation to the Nr rounds of the Cipher occurs when $1 \le round \le Nr$. This transformation is its own inverse, since it only involves an application of the XOR operation.
4.5 Key Expansion
The round keys are derived from the cipher key by means of a key schedule, with each round requiring Nb words of key data, plus an extra initial set, making Nb(Nr + 1) words in total. The key schedule consists of a linear array of 8-byte words denoted by either $w_i$ or w[i], with i in the range $0 \le i < Nb(Nr + 1)$.
The expansion of the input key into the key schedule proceeds according to the following pseudo code, where the function SubWord(x) gives an output word in which the S-box substitution has been individually applied to each of the eight bytes of its input x.
The function RotWord(x) takes a word $[b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7]$ as input and returns the word $[b_1, b_2, b_3, b_4, b_5, b_6, b_7, b_0]$.
The word array Rcon[i] contains the values given by $[x^{i-1}, 0, 0, 0, 0, 0, 0, 0]$, with $x^{i-1}$ being powers of x in the field GF(2^8) (note that i starts at 1, not 0).
KeyExpansion(byte key[8 * Nk], word w[Nb * (Nr + 1)], Nk)
begin
  i = 0
  while (i < Nk)
    w[i] = word[key[8*i], key[8*i+1], key[8*i+2], key[8*i+3], key[8*i+4], key[8*i+5], key[8*i+6], key[8*i+7]]
    i = i + 1
  end while
  i = Nk
  while (i < Nb * (Nr + 1))
    word temp = w[i - 1]
    if (i mod Nk = 0)
      temp = SubWord(RotWord(temp)) xor Rcon[i / Nk]
    else if (Nk > 6 and i mod Nk = 4)
      temp = SubWord(temp)
    end if
    w[i] = w[i - Nk] xor temp
    i = i + 1
  end while
end
The second branch (Nk > 6 and i mod Nk = 4) is the one used by the Rijndael key schedule for long keys [2]; the original text of this branch is not legible in the source.
Note that this key schedule, which is illustrated in Figure 1 for Nk = 4 and Nb = 6, can be generated "on-the-fly" if necessary using a buffer of max(Nb, Nk) words.
Figure 1. The key schedule and round key selection for Nk = 4 and Nb = 6 (round key 0, round key 1, round key 2, ...).
5. INVERSE CIPHER
The inversion of the cipher code presented in Sec. 4 is straightforward and provides the following pseudo code for the inverse cipher.
InvCipher(byte in[8 * Nb], byte out[8 * Nb], word w[Nb * (Nr + 1)])
begin
  byte state[8,Nb]
  state = in
  AddRoundKey(state, w + Nr * Nb)
  for round = Nr - 1 step -1 to 1
    InvShiftRows(state)
    InvSubBytes(state)
    AddRoundKey(state, w + round * Nb)
    InvMixColumns(state)
  end for
  InvShiftRows(state)
  InvSubBytes(state)
  AddRoundKey(state, w)
  out = state
end
5.1 The InvShiftRows Transformation
The InvShiftRows transformation operates individually on each row of the State, cyclically shifting the bytes in the row such that:
$$s'_{r,(c + shift(r,Nb)) \bmod Nb} = s_{r,c} \quad (11)$$
for $0 < r < 8$ and $0 \le c < Nb$, where the cyclic shift values shift(r, Nb) are those of Sec. 4.2.
InvShiftRows(byte state[8,Nb])
begin
  byte t[Nb]
  for r = 1 step 1 to 7
    for c = 0 step 1 to Nb - 1
      t[(c + shift[r,Nb]) mod Nb] = state[r,c]
    end for
    for c = 0 step 1 to Nb - 1
      state[r,c] = t[c]
    end for
  end for
end
5.2 The InvSubBytes Transformation
InvSubBytes is the inverse of the byte substitution transformation, in which the inverse S-box is applied to each byte of the State. This is obtained by applying the inverse of the affine transformation (4.1) followed by taking the multiplicative inverse in GF(2^8).
The inverse of the affine transformation (4.1) being:
$$b'_i = b_{(i+2) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus d_i \quad (12)$$
where byte d = {05}.
InvSubBytes(byte state[8,Nb])
begin
  for r = 0 step 1 to 7
    for c = 0 step 1 to Nb - 1
      state[r,c] = InvSbox[state[r,c]]
    end for
  end for
end
5.3 The InvMixColumns Transformation
The InvMixColumns transformation acts independently on every column of the State and treats each column as an eight-term polynomial as described in Sec. 3. The columns are considered as polynomials over GF(2^8) and multiplied modulo $x^8 + 1$ with a fixed polynomial $a^{-1}(x)$, given by:
$$a^{-1}(x) = \{03\}x^7 + \{04\}x^6 + \{03\}x^5 + \{03\}x^4 + \{02\}x^3 + \{05\}x^2 + \{02\}x + \{03\} \quad (13)$$
(The $x^2$ coefficient is not legible in the source; {05} is the only value for which $a(x) \otimes a^{-1}(x) = \{01\}$ with a(x) as in (9).) The pseudo code for this transformation is as follows, where the function FFmul(x, y) returns the product of two finite field elements x and y.
InvMixColumns(byte state[8,Nb])
begin
  byte t[8]
  for c = 0 step 1 to Nb - 1
    for r = 0 step 1 to 7
      t[r] = state[r,c]
    end for
    for r = 0 step 1 to 7
      state[r,c] = FFmul(0x03, t[r]) xor FFmul(0x03, t[(r + 1) mod 8]) xor
                   FFmul(0x04, t[(r + 2) mod 8]) xor FFmul(0x03, t[(r + 3) mod 8]) xor
                   FFmul(0x03, t[(r + 4) mod 8]) xor FFmul(0x02, t[(r + 5) mod 8]) xor
                   FFmul(0x05, t[(r + 6) mod 8]) xor FFmul(0x02, t[(r + 7) mod 8])
    end for
  end for
end
5.4 Equivalent Inverse Cipher
In the straightforward Inverse Cipher presented above, the sequence of the transformations differs from that of the Cipher, while the form of the key schedules for encryption and decryption remains the same. However, the order of InvSubBytes and InvShiftRows can be reversed. The order of AddRoundKey and InvMixColumns can also be reversed, provided that the columns (words) of the decryption key schedule are transformed using InvMixColumns. This latter operation shall not be performed on the first or the last Nb words in the key schedule, since those do not operate with InvMixColumns. Given these changes, the resulting Equivalent Inverse Cipher offers a more efficient structure than the straightforward Inverse Cipher described above.
In the pseudo code for the Equivalent Inverse Cipher, the word array dw[] contains the modified decryption key schedule.
EqInvCipher(byte in[8 * Nb], byte out[8 * Nb], word dw[Nb * (Nr + 1)])
begin
  byte state[8,Nb]
  state = in
  AddRoundKey(state, dw + Nr * Nb)
  for round = Nr - 1 step -1 to 1
    InvSubBytes(state)
    InvShiftRows(state)
    InvMixColumns(state)
    AddRoundKey(state, dw + round * Nb)
  end for
  InvSubBytes(state)
  InvShiftRows(state)
  AddRoundKey(state, dw)
  out = state
end
The modified key schedule dw[] is obtained from w[] as follows (the Nb words of a round key are treated as the columns of a State when InvMixColumns is applied):
for i = 0 step 1 to (Nr + 1) * Nb - 1
  dw[i] = w[i]
end for
for round = 1 step 1 to Nr - 1
  InvMixColumns(dw + round * Nb)
end for
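The cipher of Secs. 3 to 5.4 as an added worked implementation; this is not the paper's code and the function names (`ffmul`, `modprod`, `make_sbox`, `key_expansion`, `cipher`, `inv_cipher`, `eq_inv_cipher`) are ours. It assumes the key schedule follows Rijndael, including the extra SubWord step when Nk > 6 (that branch is garbled in the source), and it takes the illegible $x^2$ coefficient of (13) as {05}, the only value that makes $a(x) \otimes a^{-1}(x) = \{01\}$. The State is kept as 8 rows of Nb bytes, matching $s[r,c]$ of Sec. 2.3, and a key-schedule word is an 8-byte list in row order so that (10) is a per-column XOR.

```python
# Added example, not the paper's own code: a direct Python rendering of the
# 256/384/512-bit extended Rijndael of Secs. 3-5.4 (State = 8 rows x Nb columns,
# a(x), a^-1(x) from (9), (13)).  ASSUMPTION: the key schedule follows Rijndael,
# including the extra SubWord step for Nk > 6 (that branch is garbled in the paper).
from functools import reduce
from operator import xor

def xtime(b):                           # multiply by x in GF(2^8), modulus x^8+x^4+x^3+x+1
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def ffmul(a, b):                        # FFmul(x, y) of Sec. 4.3: product of two field elements
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def modprod(a, b):                      # a(x) (x) b(x), eq. (3): product reduced modulo x^8 + 1
    return [reduce(xor, (ffmul(a[j], b[(i - j) % 8]) for j in range(8)), 0) for i in range(8)]

def make_sbox():                        # Sec. 4.1: field inverse, then affine map (7) with c = {63}
    box = []
    for x in range(256):
        b, t = 1, x
        for _ in range(7):              # b = x^2 * x^4 * ... * x^128 = x^254 (= 0 for x = 0)
            t = ffmul(t, t)
            b = ffmul(b, t)
        v = 0x63
        for i in range(8):              # b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i
            v ^= (((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
                   ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))) & 1) << i
        box.append(v)
    return box

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
A_POLY = [0x02, 0x02, 0x04, 0x02, 0x02, 0x03, 0x05, 0x03]   # a(x) of (9) as [a_0..a_7]
A_INV = [0x03, 0x02, 0x05, 0x02, 0x03, 0x03, 0x04, 0x03]    # a^-1(x) of (13)

def sub_bytes(s, box):
    return [[box[b] for b in row] for row in s]

def shift_rows(s, d):                   # (8)/(11), shift(r,Nb) = r mod Nb; d = +1 forward, -1 inverse
    nb = len(s[0])
    return [[row[(c + d * (r % nb)) % nb] for c in range(nb)] for r, row in enumerate(s)]

def mix_columns(s, poly):               # each column (coefficient index = row) times poly mod x^8 + 1
    cols = [modprod(poly, [s[r][c] for r in range(8)]) for c in range(len(s[0]))]
    return [[col[r] for col in cols] for r in range(8)]

def add_round_key(s, w, off):           # (10): XOR word w[off + c] (one byte per row) into column c
    return [[s[r][c] ^ w[off + c][r] for c in range(len(s[0]))] for r in range(8)]

def key_expansion(key, nb):             # Sec. 4.5: Nb(Nr+1) 8-byte words, Nr = max(Nb, Nk) + 6
    nk = len(key) // 8
    w = [list(key[8 * i:8 * i + 8]) for i in range(nk)]
    rcon = 0x01                         # Rcon[i/Nk] = [x^(i/Nk - 1), 0, ..., 0]
    for i in range(nk, nb * (max(nb, nk) + 7)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # SubWord(RotWord(temp))
            temp[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:    # assumed: Rijndael's rule for Nk > 6
            temp = [SBOX[b] for b in temp]
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w

def to_state(block, nb):                # s[r,c] = in[r + 8c]
    return [[block[r + 8 * c] for c in range(nb)] for r in range(8)]

def from_state(s):                      # out[r + 8c] = s[r,c]
    return bytes(s[r][c] for c in range(len(s[0])) for r in range(8))

def cipher(block, w, nb):               # Cipher pseudo code of Sec. 4
    nr = len(w) // nb - 1
    s = add_round_key(to_state(block, nb), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s, SBOX), 1), A_POLY), w, rnd * nb)
    return from_state(add_round_key(shift_rows(sub_bytes(s, SBOX), 1), w, nr * nb))

def inv_cipher(block, w, nb):           # straightforward Inverse Cipher of Sec. 5
    nr = len(w) // nb - 1
    s = add_round_key(to_state(block, nb), w, nr * nb)
    for rnd in range(nr - 1, 0, -1):
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), w, rnd * nb), A_INV)
    return from_state(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), w, 0))

def eq_inv_cipher(block, w, nb):        # Sec. 5.4: Cipher's round order, InvMixColumns folded into dw
    nr = len(w) // nb - 1
    dw = [modprod(A_INV, wd) if nb <= i < nr * nb else list(wd) for i, wd in enumerate(w)]
    s = add_round_key(to_state(block, nb), dw, nr * nb)
    for rnd in range(nr - 1, 0, -1):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s, INV_SBOX), -1), A_INV), dw, rnd * nb)
    return from_state(add_round_key(shift_rows(sub_bytes(s, INV_SBOX), -1), dw, 0))
```

For a 384-bit block under a 256-bit key, `w = key_expansion(key, 6)` with a 32-byte key gives Nb(Nr + 1) = 6 x 13 words, and `cipher(pt, w, 6)` processes a 48-byte block; `inv_cipher` and `eq_inv_cipher` both invert it, which checks the key-schedule transformation of Sec. 5.4 against the straightforward inverse. Only round keys 1 to Nr - 1 are passed through InvMixColumns, exactly the words the text excludes at both ends of the schedule.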
MixColumns has been chosen from the space of 8-byte to 8-byte linear transformations using the following criteria:
1. Invertibility;
2. Branch number: (14)
[...] practically eliminates the possibility of equivalent keys.
7.2.1 Differential cryptanalysis (DC)
DC attacks are possible if there are predictable difference propagations over all but a few (typically 2 or 3) rounds that have a prop ratio (the relative amount of all input pairs that for the given input difference give rise to the output difference) significantly larger than $2^{1-n}$ if n is the block length.
For this 256/384/512-bit extended Rijndael-like Block Cipher, we prove that there are no 4-round differential trails with a predicted prop ratio above $2^{-48(Nb+1)}$ (and no 8-round trails with a predicted prop ratio above $2^{-96(Nb+1)}$). For all block lengths of this extended version, this is sufficient. The proof is given in Sec. 7.2.3.
7.2.2 Linear cryptanalysis (LC)
LC attacks [1 ] are possible if there are predictable input-output correlations over all but a few (typically 2 or 3) rounds significantly larger than $2^{-n/2}$. For this extended version, we prove that there are no 4-round linear trails with a correlation above $2^{-24(Nb+1)}$ (and no 8-round trails with a correlation above $2^{-48(Nb+1)}$).
7.2.3 Weight of differential and linear trails
In [9], it is shown that
• the prop ratio of a differential trail can be approximated by the product of the prop ratios of its active S-boxes;
• the correlation of a linear trail can be approximated by the product of the input-output correlations of its active S-boxes.
The wide trail strategy can be summarised as follows:
• Choose an S-box where the maximum prop ratio and the maximum input-output correlation are as small as possible. For the 256/384/512-bit extended Rijndael-like Block Cipher, these are $2^{-6}$ and $2^{-3}$, respectively.
• Construct the diffusion layer in such a way that there are no multiple-round trails with few active S-boxes.
We prove that the minimum number of active S-boxes in any 4-round differential or linear trail is 8(Nb + 1). This gives a maximum prop ratio of $2^{-48(Nb+1)}$ for any 4-round differential trail and a maximum of $2^{-24(Nb+1)}$ for the correlation of any 4-round linear trail. This is independent of the value of the Round Keys.
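As an added worked check, not part of the paper, the bounds quoted in Secs. 7.2.1 and 7.2.2 follow from this minimum weight and the per-S-box maxima, and can be set against the thresholds $2^{1-n}$ and $2^{-n/2}$ with $n = 64\,Nb$ the block length in bits:
$$\text{4 rounds:}\quad \text{prop ratio} \le \left(2^{-6}\right)^{8(Nb+1)} = 2^{-48(Nb+1)}, \qquad \text{correlation} \le \left(2^{-3}\right)^{8(Nb+1)} = 2^{-24(Nb+1)};$$
$$\text{8 rounds (two 4-round trails in series):}\quad \text{prop ratio} \le 2^{-96(Nb+1)}, \qquad \text{correlation} \le 2^{-48(Nb+1)}.$$
For $Nb \in \{4, 6, 8\}$ the exponents compare as $48(Nb+1) = 240, 336, 432$ against $n - 1 = 255, 383, 511$, and $24(Nb+1) = 120, 168, 216$ against $n/2 = 128, 192, 256$; so the 4-round bounds by themselves do not yet fall below the thresholds, while the 8-round bounds, $96(Nb+1) = 480, 672, 864$ and $48(Nb+1) = 240, 336, 432$, fall below them by a wide margin. Every parameter choice has $Nr = \max(Nb, Nk) + 6 \ge 10$ rounds, so an 8-round trail bound applies with rounds to spare.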
7.2.4 Propagation of patterns
For DC, the active S-boxes in a round are determined by the nonzero bytes in the difference of the states at the input of a round. Let the pattern that specifies the positions of the active S-boxes be denoted by the term (difference) activity pattern, and let the (difference) byte weight be the number of active bytes in a pattern.
For LC, the active S-boxes in a round are determined by the nonzero bytes in the selection vectors [9] at the input of a round. Let the pattern that specifies the positions of the active S-boxes be denoted by the term (correlation) activity pattern, and let the (correlation) byte weight W(a) be the number of active bytes in a pattern a.
Moreover, let a column of an activity pattern with at least one active byte be denoted by active column. Let the column weight, denoted by $W_c(a)$, be the number of active columns in a pattern. The byte weight of column j of a, denoted by $W(a)|_j$, is the number of active bytes in it.
The weight of a trail is the sum of the weights of its activity patterns at the input of each round.
Difference and correlation activity patterns can be seen as propagating through the transformations of the different rounds of the block cipher to form linear and differential trails. This is illustrated with an example in Figure 2.
Figure 2. Propagation of activity pattern (in gray) through a single round.
In our description, the activity pattern at the input of round i is denoted by $a_{i-1}$, and the activity pattern after applying ShiftRows of round i is denoted by $b_{i-1}$. The initial round is numbered 1 and the initial difference pattern is denoted by $a_0$. Clearly, $a_i$ and $b_i$ are separated by ShiftRows and have the same byte weight; $b_{i-1}$ and $a_i$ are separated by MixColumns and have the same column weight. The weight of an m-round trail is given by the sum of the weights of $a_0$ to $a_{m-1}$. In the following figures, active bytes are indicated in dark grey, active columns in light grey.
Theorem 1. The weight of a two-round trail with Q active columns at the input of the second round is lower bounded by 8Q.
Proof. The fact that MixColumns has a Branch Number equal to 8 implies that the sum of the byte weights of each column of $b_0$ and the corresponding column of $a_1$ is lower bounded by 8 if that column is active. This gives 8Q as a lower bound for the sum of the byte weights of $b_0$ and $a_1$. As $a_0$ and $b_0$ have the same byte weight, the lower bound is also valid for the sum of the weights of $a_0$ and $a_1$, proving the theorem. QED
Theorem 1 is illustrated in Figure 3.
Figure 3. Illustration of Theorem 1 with Q = 2.
From this it follows that any two-round trail has at least 8 active S-boxes.
Lemma 1. In a two-round trail, the sum of the number of active columns at its input and the number of active columns at its output is lower bounded by Nb + 1.
Proof. ShiftRows moves all bytes in a column of $a_1$ to different columns in $b_1$ and vice versa. It follows that the column weight of $b_1$ is lower bounded by the byte weight of each individual column of $a_1$, up to the number of columns in a state (Nb), and vice versa.
In a trail, at least one column of $a_1$ (or equivalently $b_0$) is active. Let this column be denoted by "column g". Because MixColumns has a branch number of 8, the sum of the byte weights of column g in $b_0$ and column g in $a_1$ is lower bounded by 8. The column weight of $a_0$ is lower bounded by the byte weight of column g of $b_0$ and [...]
Theorem 2. Any trail over four rounds has at least 8(Nb + 1) active bytes.
Proof. By applying Theorem 1 to the first two rounds and to the last two rounds, it follows that the byte weight of the trail is lower bounded by the sum of the column weights of $a_1$ and $a_3$ multiplied by 8. By applying Lemma 1, the sum of the column weights of $a_1$ and $a_3$ is lower bounded by Nb + 1. From this it follows that the byte weight of the trail is lower bounded by 8(Nb + 1). QED
7.3 Truncated Differentials
[...] can be computed independently of the prop ratios of the individual differential trails. Ciphers in which all transformations operate on the state in well-aligned blocks are prone to be susceptible to this type of attack. Since this is the case for the 256/384/512-bit extended Rijndael-like Block Cipher, all transformations operating on bytes rather than individual bits, we investigated its resistance against "truncated differentials". For 6 rounds or more, no attacks faster than exhaustive key search have been found.
Figure 4. Illustration of Lemma 1 with one active column in $a_1$ (patterns $a_0$, $a_1$, $b_1$, $a_2$; $W(a_1)|_g + W(b_0)|_g \ge 8$).
Figure 5. Illustration of Theorem 2 ($W(a_0) + W(a_1) \ge 8\,W_c(a_1)$; $W_c(a_1) + W_c(a_3) \ge Nb + 1$; $W(a_2) + W(a_3) \ge 8\,W_c(a_3)$).
7.4 Interpolation Attacks
In this attack [14], the attacker constructs polynomials using cipher input/output pairs. This attack is feasible if the components in the cipher have a compact algebraic expression and can be combined to give expressions with manageable complexity. The basis of the attack is that if the constructed polynomials (or rational expressions) have a small degree, only few cipher input/output pairs are necessary to solve for the (key-dependent) coefficients of the polynomial. The complicated expression of the S-box in GF(2^8), in combination with the effect of the diffusion layer, prohibits these types of attack for more than a few rounds. The expression for the S-box is given by:
$$S(x) = \{63\} + \{8f\}x^{127} + \{b5\}x^{191} + \{01\}x^{223} + \{f4\}x^{239} + \{25\}x^{247} + \{f9\}x^{251} + \{09\}x^{253} + \{05\}x^{254}$$