Computer Science 653 --- Lecture 7Rijndael – Advanced Encryption Algorithm

Professor Wayne PattersonHoward University

Fall 2009

2

The Underlying Mathematics: Galois Fields• In the RSA, we studied modular

arithmetic systems:

p

• This system can also be thought of as the integers , /(p), which means in this new system, we collapse all the values which have the same remainder mod p

• We saw that if p is a prime, the system p has the special property that all non-zero elements have multiplicative inverses

• Such an algebraic system is called a field

• In Rijndael, all of the mathematics can be done in a system called a Galois Field

• GF(p,n)

• This system can also be thought of as all polynomials Zp[x] in a single variable, then Zp[x]/(q(x)), where q(x) is an irreducible polynomial of degree n

• Irreducible polynomials are like prime numbers --- they cannot be factored. By analogy, the system where we collapse polynomials with the same remainder mod q(x) also becomes a field, which we call GF(p,n), the Galois field.

3

The Main Result Concerning Galois Fields

• It was a result developed by Evariste Galois, in the early nineteenth century, that all algebraic fields with a finite number of elements can be described as a GF(p,n) (including the fields Zp , since they can be thought of as GF(p,1), i.e. dividing by an irreducible polynomial of degree 1 (such as ax+b).

• Furthermore, all of the possible choices for a Galois field of type GF(p,n) are equivalent, and their number of elements is pn.

4

And a Bit About Galois Himself

• Lived in the early 19th century in Paris

• Developed very important results in algebra while a teenager

• Was also a political radical and went to prison

• Upon his release, his interest in a young woman led to a duel in which he was killed at age 21

• He didn’t name Galois fields, they were named after him.

5

Looking at Rijndael

• Lucifer or Feistel –type cipher• Simplest version: 128-bit messages, 128-bit

keys, 10 rounds• Created by Vincent Rijmen and Joan Daemen• Belgians --- Catholic University of Louvain and

Proton Corporation• Adopted as Advanced Encryption Standard • After two-stage competition originally

involving 18 proposals from around the world• Five finalists, including several non-US• Winner obviously non-US• Adapted as AES in late 2001

6

Best Reference

• Although there are many papers, books, articles about Rijndael/AES, most thorough reference is:

• “The Design of Rijndael,” Joan Daemen and Vincent Rijmen, Springer 2001

• Rijndael is best pronounced “RAIN-DOLL”

7

Test Vectors

• On page 215 and 216 of the handout, Appendix D, are the results of each round of a Rijndael encryption

• Assumes 128-bit (or 16-byte) test message and cipher key

• Message or plaintext is (in hex bytes):

• 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

• Key is:

• 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

8

Outputs at Each Stage

• Note that under the column heading “ENCRYPT” on page 216 are partial results, i.e.

• R[00].input• R[00].k_sch• R[01].start• R[01].s_box• R[01].s_row• R[01].m_col• R[01].k_sch• R[02].start … and so on

9

What Does R[xx].xxxx mean?

• The R[00] vectors are the inputs, in other words – R[00].input is the message from the

previous page

– 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

– R[00].k_sch is the “key schedule” for round 0, in other words, the original input key or

– 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

10

R[01].xxxxx

• We will compute all the R[01].xxxxx’s• They are the first round computations• Thus the entire encryption takes one to R[10].output

• R[01].start is simply the XOR of the plaintext and key• R[01].s_box is a procedure called “ByteSub” using the

single S-box used in the method• R[01].s_row is the result of a procedure called “ShiftRow”• R[01].m_col is the result of a procedure called

“MixColumn”• R[01].k_sch is the “Key Schedule” or the generated key

for the next round• R[02].start is, again, the XOR of the result of round one

and the key schedule generated at the end of round one.

11

Pseudo-C Code for a Round

• Round(State, ExpandedKey[i])• {

– SubBytes(State);– ShiftRows(State);– MixColumns(State);– AddRoundKey(State, ExpandedKey[i]);

• }

12

The Hex XOR Table

• Recall from last week:

0 1 2 3 4 5 6 7 8 9 A B C D E F

0 0 1 2 3 4 5 6 7 8 9 A B C D E F

1 1 0 3 2 5 4 7 6 9 8 B A D C F E

2 2 3 0 1 6 7 4 5 A B 8 9 E F C D

3 3 2 1 0 7 6 5 4 B A 9 8 F E D C

4 4 5 6 7 0 1 2 3 C D E F 8 9 A B

5 5 4 7 6 1 0 3 2 D C F E 9 8 B A

6 6 7 4 5 2 3 0 1 E F C D A B 8 9

7 7 6 5 4 3 2 1 0 F E D C B A 9 8

8 8 9 A B C D E F 0 1 2 3 4 5 6 7

9 9 8 B A D C F E 1 0 3 2 5 4 7 6

A A B 8 9 E F C D 2 3 0 1 6 7 4 5

B B A 9 8 F E D C 3 2 1 0 7 6 5 4

C C D E F 8 9 A B 4 5 6 7 0 1 2 3

D D C F E 9 8 B A 5 4 7 6 1 0 3 2

E E F C D A B 8 9 6 7 4 5 2 3 0 1

F F E D C B A 9 8 7 6 5 4 3 2 1 0

13

Computing R[01].start

• We have R[00].input

• 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

• To XOR with R[00].k_sch

• 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

• Which gives R[01].start

• 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08

14

Computing R[01].s_box

• This is the SubBytes or S-box step• Note the S-box table on page 211 (and its

inverse on page 212)• The operation is simply to look up the S-box

value for each byte in R[01].start

• 19 3d e3 be a0 f4 e2 2b 9a c6 8d 2a e9 f8 48 08

• R[01].s_box is

• d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30

15

Computing R[01].s_row• This is the “Shift Rows” step• Basically, one writes R[01].s_box into a 4-by-4

array, writing column-wise (that is, fill the first column first, then the second column, …)

• Recall R[01].s_box is• d4 27 11 ae e0 bf 98 f1 b8 b4 5d e5 1e 41 52 30• Writing column-wise Now a circular left-

shift– d4 e0 b8 1e d4 e0 b8 1e– 27 bf b4 41 bf b4 41 27– 11 98 5d 52 5d 52 11 98– ae f1 e5 30 30 ae f1 e5

• Where the shift is 0, 1, 2, or 3 in the 0, 1, 2, 3 row• Write this out in a single row to get R[01].s_row• d4 bf 5d 30 e0 b4 52 ae b8 41 11 f1 1e 27 98 e5

16

Computing R[01]m_col

• This is the “Mix Columns” step, undoubtedly the trickiest

• This is actually a computation in the Galois Field of polynomials over GF(28).

• But let’s not worry about that. It can also be expressed as a matrix product of a fixed matrix C with R[01].s_row again written columnwise:

• 02 03 01 01 d4 e0 b8 1e• 01 02 03 01 bf b4 41 27• 01 01 02 03 5d 52 11 98• 03 01 01 02 30 ae f1 e5

17

Matrix Multiplication Revisited

• The result of this multiplication will be, as you know, another 4x4 matrix. Again, when we string out the column-wise version, we will get R[01].m_col

• However, these multiplications are in GF(28), or mod 256 arithmetic, and the handout conveniently supplies “log tables” (pages 221 and 222) to make the computation simpler

• Indeed, in the code is a brief function to do the multiplication (mul, p. 223)

• Essentially, mul is • Alogtable[(Logtable[a]+Logtable[b]) % (mod)

255]

18

Showing the Calculation of the First Byte

• We will only compute the first byte of the matrix product, which is gotten by the usual method of the first row of the left-hand matrix by the first column of the right-hand matrix, thus

• 02 03 01 01 d4 e0 b8 1e• 01 02 03 01 bf b4 41 27• 01 01 02 03 5d 52 11 98• 03 01 01 02 30 ae f1 e5

• Yields for the first component

• 02 d4 03 bf 01 5d 01 30

19

Using mul

• 02 d4 03 bf 01 5d 01 30

• Using the mul function for the first two terms (the right-hand side will be decimal numbers):

• mul(2, d4) = Alogtable[Logtable[2]+Logtable[212]]= Alogtable[25 + 65] = Alogtable[90] = 179 = b3 (hex)

• mul(3, bf) = Alogtable[Logtable[3]+Logtable[191]]= Alogtable[1 + 157] = Alogtable[158] =

218 = da (hex)

Thus, we need to compute b3 da 5d 30

20

Maybe easier in bits?

Thus, we need to compute b3 da 5d 30

Or,

b 1011 3 0011d 1101 a 10105 0101 d 11013 0011 0 0000

Or 0000 0100 = 04

Note the first byte in R[01].m_col (maybe we were just lucky!)

21

Last Step --- Key Schedule

In the key schedule, we use the previous key, XOR it with another part of the previous key, run through the S-box, and with a possible counter added

This time, I will only calculate the first word, or 4 bytes of the key.

Take the first 4 bytes of the former key: 2b 7e 15 16

Left rotate once the last 4 bytes: 09 cf 4f 3c cf 4f 3c 09

Run this last part through the S-box: SubByte(cf 4f 3c 09) = 8a 84 eb 01

XOR these, with a counter of 1 on the first byte:

2b 8a 01 7e 84 15 eb 16 01 = a0 fa fe 17