# Cipher

Topics: Cipher, Block cipher, Advanced Encryption Standard Pages: 27 (5854 words) Published: September 2, 2010
AES Proposal: Rijndael
Joan Daemen, Vincent Rijmen
Joan Daemen Proton World Int.l Zweefvliegtuigstraat 10 B-1130 Brussel, Belgium daemen.j@protonworld.com Vincent Rijmen Katholieke Universiteit Leuven, ESAT-COSIC K. Mercierlaan 94 B-3001 Heverlee, Belgium vincent.rijmen@esat.kuleuven.ac.be

1. Introduction
1.1 Document history

2. Mathematical preliminaries
2.1 The field GF(2 ) 2.1.1 Addition 2.1.2 Multiplication 2.1.3 Multiplication by x 8 2.2 Polynomials with coefficients in GF(2 ) 2.2.1 Multiplication by x 8

3. Design rationale 4. Specification
4.1 The State, the Cipher Key and the number of rounds 4.2 The round transformation 4.2.1 The ByteSub transformation 4.2.2 The ShiftRow transformation 4.2.3 The MixColumn transformation 4.2.4 The Round Key addition 4.3 Key schedule 4.3.1 Key expansion 4.3.2 Round Key selection 4.4 The cipher

5. Implementation aspects
5.1 8-bit processor 5.2 32-bit processor 5.2.1 The Round Transformation 5.2.2 Parallelism 5.2.3 Hardware suitability 5.3 The inverse cipher 5.3.1 Inverse of a two-round Rijndael variant 5.3.2 Algebraic properties 5.3.3 The equivalent inverse cipher structure 5.3.4 Implementations of the inverse cipher

6. Performance figures
6.1 8-bit processors 6.1.1 Intel 8051

54 1 :egaP

ODVRSRU3 6(\$
4
4

UHKSL& NFRO% OHDGQML5 HK7

4
4 4 5 6 6 7

8 8
8 10 11 11 12 13 14 14 15 16

16
16 17 17 18 19 19 19 20 20 21

23
23 23
/

6.1.2 Motorola 68HC08 6.2 32-bit processors 6.2.1 Optimised ANSI C 6.2.2 Java

7. Motivation for design choices
7.1 The reduction polynomial m(x ) 7.2 The ByteSub S-box 7.3 The MixColumn transformation 7.3.1 Branch number 7.4 The ShiftRow offsets 7.5 The key expansion 7.6 Number of rounds

8. Strength against known attacks
8.1 Symmetry properties and weak keys of the DES type 8.2 Differential and linear cryptanalysis 8.2.1 Differential cryptanalysis 8.2.2 Linear cryptanalysis 8.2.3 Weight of differential and linear trails 8.2.4 Propagation of patterns 8.3 Truncated differentials 8.4 The Square attack 8.4.1 Preliminaries 8.4.2 The basic attack 8.4.3 Extension by an additional round at the end 8.4.4 Extension by an additional round at the beginning 8.4.5 Working factor and memory requirements for the attacks 8.5 Interpolation attacks 8.6 Weak keys as in IDEA 8.7 Related-key attacks

9. Expected strength 10. Security goals
10.1 Definitions of security concepts 10.1.1 The set of possible ciphers for a given block length and key length 10.1.2 K-Security 10.1.3 Hermetic block ciphers 10.2 Goal

12. Extensions
12.1 Other block and Cipher Key lengths 12.2 Another primitive based on the same round transformation

13. Other functionality
13.1 MAC 13.2 Hash function 13.3 Synchronous stream cipher 13.4 Pseudorandom number generator 13.5 Self-synchronising stream cipher

14. Suitability for ATM, HDTV, B-ISDN, voice and satellite 15. Acknowledgements

54 2 :egaP

ODVRSRU3 6(\$
23 24 24 25

UHKSL& NFRO% OHDGQML5 HK7

25
25 26 27 27 27 28 28

30
30 30 30 30 31 31 36 36 36 36 37 37 38 38 38 39

39 39
39 39 40 40 40

41
41 41

42
42 42

42
42 43 43 43 43

44 44
/

16. References 17. List of Annexes

Table of Figures
Figure 1: Example of State (with Nb = 6) and Cipher Key (with Nk = 4) layout.......................... 9 Figure 2: ByteSub acts on the individual bytes of the State..................................................... 11 Figure 3: ShiftRow operates on the rows of the State. ............................................................ 12 Figure 4: MixColumn operates on the columns of the State. ................................................... 13 Figure 5: In the key addition the Round Key is bitwise EXORed to the State....