Joan Daemen, Vincent Rijmen

Joan Daemen
Proton World Int.l
Zweefvliegtuigstraat 10
B-1130 Brussel, Belgium
daemen.j@protonworld.com

Vincent Rijmen
Katholieke Universiteit Leuven, ESAT-COSIC
K. Mercierlaan 94
B-3001 Heverlee, Belgium
vincent.rijmen@esat.kuleuven.ac.be

Table of Contents

1. Introduction ........................................ 4
   1.1 Document history ................................ 4
2. Mathematical preliminaries .......................... 4
   2.1 The field GF(2^8) ............................... 4
      2.1.1 Addition ................................... 4
      2.1.2 Multiplication ............................. 5
      2.1.3 Multiplication by x ........................ 6
   2.2 Polynomials with coefficients in GF(2^8) ........ 6
      2.2.1 Multiplication by x ........................ 7
3. Design rationale .................................... 8
4. Specification ....................................... 8
   4.1 The State, the Cipher Key and the number of rounds ... 8
   4.2 The round transformation ........................ 10
      4.2.1 The ByteSub transformation ................. 11
      4.2.2 The ShiftRow transformation ................ 11
      4.2.3 The MixColumn transformation ............... 12
      4.2.4 The Round Key addition ..................... 13
   4.3 Key schedule .................................... 14
      4.3.1 Key expansion .............................. 14
      4.3.2 Round Key selection ........................ 15
   4.4 The cipher ...................................... 16
5. Implementation aspects .............................. 16
   5.1 8-bit processor ................................. 16
   5.2 32-bit processor ................................ 17
      5.2.1 The Round Transformation ................... 17
      5.2.2 Parallelism ................................ 18
      5.2.3 Hardware suitability ....................... 19
   5.3 The inverse cipher .............................. 19
      5.3.1 Inverse of a two-round Rijndael variant .... 19
      5.3.2 Algebraic properties ....................... 20
      5.3.3 The equivalent inverse cipher structure .... 20
      5.3.4 Implementations of the inverse cipher ...... 21
6. Performance figures ................................. 23
   6.1 8-bit processors ................................ 23
      6.1.1 Intel 8051 ................................. 23

AES Proposal
The Rijndael Block Cipher
Document version 2, Date: 03/09/99
Authors: Joan Daemen Vincent Rijmen
Page: 1/45

      6.1.2 Motorola 68HC08 ............................ 23
   6.2 32-bit processors ............................... 24
      6.2.1 Optimised ANSI C ........................... 24
      6.2.2 Java ....................................... 25
7. Motivation for design choices ....................... 25
   7.1 The reduction polynomial m(x) ................... 25
   7.2 The ByteSub S-box ............................... 26
   7.3 The MixColumn transformation .................... 27
      7.3.1 Branch number .............................. 27
   7.4 The ShiftRow offsets ............................ 27
   7.5 The key expansion ............................... 28
   7.6 Number of rounds ................................ 28
8. Strength against known attacks ...................... 30
   8.1 Symmetry properties and weak keys of the DES type ... 30
   8.2 Differential and linear cryptanalysis ........... 30
      8.2.1 Differential cryptanalysis ................. 30
      8.2.2 Linear cryptanalysis ....................... 30
      8.2.3 Weight of differential and linear trails ... 31
      8.2.4 Propagation of patterns .................... 31
   8.3 Truncated differentials ......................... 36
   8.4 The Square attack ............................... 36
      8.4.1 Preliminaries .............................. 36
      8.4.2 The basic attack ........................... 36
      8.4.3 Extension by an additional round at the end ... 37
      8.4.4 Extension by an additional round at the beginning ... 37
      8.4.5 Working factor and memory requirements for the attacks ... 38
   8.5 Interpolation attacks ........................... 38
   8.6 Weak keys as in IDEA ............................ 38
   8.7 Related-key attacks ............................. 39
9. Expected strength ................................... 39
10. Security goals ..................................... 39
   10.1 Definitions of security concepts ............... 39
      10.1.1 The set of possible ciphers for a given block length and key length ... 39
      10.1.2 K-Security ................................ 40
      10.1.3 Hermetic block ciphers .................... 40
   10.2 Goal ........................................... 40
11. Advantages and limitations ......................... 41
   11.1 Advantages ..................................... 41
   11.2 Limitations .................................... 41
12. Extensions ......................................... 42
   12.1 Other block and Cipher Key lengths ............. 42
   12.2 Another primitive based on the same round transformation ... 42
13. Other functionality ................................ 42
   13.1 MAC ............................................ 42
   13.2 Hash function .................................. 43
   13.3 Synchronous stream cipher ...................... 43
   13.4 Pseudorandom number generator .................. 43
   13.5 Self-synchronising stream cipher ............... 43
14. Suitability for ATM, HDTV, B-ISDN, voice and satellite ... 44
15. Acknowledgements ................................... 44
16. References
17. List of Annexes

Table of Figures

Figure 1: Example of State (with Nb = 6) and Cipher Key (with Nk = 4) layout ... 9
Figure 2: ByteSub acts on the individual bytes of the State ... 11
Figure 3: ShiftRow operates on the rows of the State ... 12
Figure 4: MixColumn operates on the columns of the State ... 13
Figure 5: In the key addition the Round Key is bitwise EXORed to the State....