A Polynomial Description of the Rijndael Advanced Encryption Standard


arxiv:cs/ v1 [cs.cr] 2 May 2002

Joachim Rosenthal
Department of Mathematics, University of Notre Dame, Notre Dame, Indiana 46556, USA
Rosenthal.1@nd.edu, rosen/

April 30, 2002

Abstract

The paper gives a polynomial description of the Rijndael Advanced Encryption Standard recently adopted by the National Institute of Standards and Technology. Special attention is given to the structure of the S-Box.

Index Terms: Advanced encryption standard, Rijndael algorithm, symmetric-key encryption.

1 Introduction

On November 26, 2001 the National Institute of Standards and Technology (NIST) announced that the Rijndael encryption algorithm becomes the Advanced Encryption Standard. The Rijndael system will be a Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations (and others) to protect sensitive information [1]. Detailed information can be found at the website:

The description [3, 4] supplied by Joan Daemen and Vincent Rijmen, the inventors of the Rijndael encryption algorithm, is very detailed and a reader new to the subject will probably need some time to understand all steps in the algorithm. In this paper we show how the whole algorithm can be quite elegantly described through a sequence of algebraic manipulations in a finite ring. We hope that this description will be helpful in the proliferation of this new important standard.

Supported in part by NSF grant DMS .

We are aware of some attempts (e.g. [5, 9]) where authors tried to explore an algebraic description of the so-called S-Box, the main non-linear part of the Rijndael system. We explain in this paper why the S-Box can be described through a sparse polynomial. There is however no attempt made to explore this description further in order to find any weakness of the system. We also derive the interpolation polynomial of the inverse S-Box and we describe the cycle decomposition of the S-Box.

The most detailed description of Rijndael can be found in the new book [4]. This book gives many details on the design philosophy and implementation aspects, something we do not address in this paper. During the preparation of this paper we found the description of Rijndael as given in [10] useful. We want to thank U. Maurer for pointing us to an algebraic description of Rijndael recently provided by H. W. Lenstra [6].

2 The Rijndael Algorithm

Let $\mathbb{Z}_2 = \{0, 1\}$ be the binary field and consider the irreducible polynomial
$$\mu(z) := z^8 + z^4 + z^3 + z + 1 \in \mathbb{Z}_2[z].$$
Let $F := \mathbb{Z}_2[z]/\langle \mu(z) \rangle = GF(256)$ be the Galois field of $2^8$ elements and consider the ideal
$$I := \langle x^4 + 1,\ y^4 + 1,\ \mu(z) \rangle \subset \mathbb{Z}_2[x, y, z].$$
We will describe the Rijndael algorithm through a sequence of polynomial manipulations inside the finite ring
$$R := \mathbb{Z}_2[x, y, z]/I = F[x, y]/\langle x^4 + 1,\ y^4 + 1 \rangle. \qquad (2.1)$$
The ring $R$ has simultaneously the structure of a finite $\mathbb{Z}_2$-algebra and the structure of a finite $F$-algebra, as the above description makes clear. The monomials $\{\, x^i y^j z^k \mid 0 \le i, j \le 3,\ 0 \le k \le 7 \,\}$ form a $\mathbb{Z}_2$-basis of the ring (algebra) $R$. In particular $\dim_{\mathbb{Z}_2} R = 128$, i.e. $R =$

Computations in the ring $R$ can be done very efficiently. Addition in $R$ is done componentwise and multiplication in $R$ is done through multiplication in $\mathbb{Z}_2[x, y, z]$ followed by reduction modulo the ideal $I$.

Remark 2.1 One readily verifies that $x^4 + 1,\ y^4 + 1,\ \mu(z)$ forms a reduced Gröbner basis of the ideal $I$, which is also a zero-dimensional ideal. As a consequence the reduction modulo $I$ is very easy. More details about finite dimensional algebras and zero dimensional ideals can be found in [2, Chapter 2].

Whenever $r \in R$ is an element we will define elements $r_{i,j} \in F$ and $r_j \in F[x]/\langle x^4 + 1 \rangle$ through:
$$r = \sum_{i,j} r_{i,j}\, x^i y^j = \sum_j \Big( \sum_i r_{i,j}\, x^i \Big) y^j = \sum_j r_j\, y^j. \qquad (2.2)$$

On an abstract level a secret-key crypto-system consists of a message space $M$, a cipher space $C$ and a key space $K$ together with an encryption map and a decryption map
$$\varepsilon : M \times K \to C, \qquad \delta : C \times K \to M$$
such that $\delta(\varepsilon(m, k), k) = m$ for all $m \in M$ and $k \in K$. It should be computationally not feasible to compute the secret key $k \in K$ from a sequence of plain-text/cipher-text pairs $\big( m^{(t)},\ c^{(t)} = \varepsilon(m^{(t)}, k) \big)$, $t = 1, 2, \ldots$.

In the Rijndael AES system one has the possibility to work with secret keys consisting of 128 bits, 192 bits or 256 bits respectively. We will describe the system when $K =$ and will indicate in Section 3 how to adapt the algebraic description to the other situations. For the Rijndael algorithm we define $K = M = C = R$. Crucial for the description will be the following polynomial:

ϕ(u) := ( z ) u ( z ) u ( z 7 + z 6 + z 5 + z 4 + z ) u ( z 5 + z ) u ( z 7 + z 6 + z 5 + z 4 + z 2) u u ( z 7 + z 5 + z 4 + z ) u ( z 7 + z 3 + z 2 + z + 1 ) u (z 6 + z 5 + z + 1) ∈ F[u]. (2.3)

Assume Alice and Bob share a common secret key $k \in R$ and Alice wants to encrypt the message $m \in R$. In a first step both Alice and Bob do a key expansion which will result in 10 elements $k^{(t)} \in R$, $t = 0, \ldots, 9$.

Key expansion: Using the notation introduced in Equation (2.2), both Alice and Bob compute recursively 10 elements $k^{(t)} \in R$, $t = 0, \ldots, 9$ in the following way:
$$k^{(0)} := k,$$
$$k^{(t+1)}_0 := \Big( \sum_{i=0}^{3} \phi\big(k^{(t)}_{i,3}\big)\, x^i \Big)\, x^3 + z^t + k^{(t)}_0 \quad \text{for } t = 0, \ldots, 9,$$
$$k^{(t+1)}_i := k^{(t+1)}_{i-1} + k^{(t)}_i \quad \text{for } t = 0, \ldots, 9,\ i = 1, 2, 3.$$
In order to describe the actual encryption algorithm we define the ring element:
$$\gamma := (z + 1)\, x^3 + x^2 + x + z \in R.$$

Rijndael encryption algorithm: Using the round keys $k^{(t)} \in R$ and starting with the message $m \in R$ Alice computes recursively:
$$m^{(0)} := m + k^{(0)},$$
$$m^{(t+1)} := \gamma \sum_{i,j} \phi\big(m^{(t)}_{i,j}\big)\, x^i y^{3i+j} + k^{(t+1)} \quad \text{for } t = 0, \ldots, 8,$$
$$c := m^{(10)} := \sum_{i,j} \phi\big(m^{(9)}_{i,j}\big)\, x^i y^{3i+j} + k^{(10)}.$$
The cipher to be transmitted by Alice is $c$. Note that in the 10th round no multiplication by $\gamma$ happens. This will make sure that the decryption process follows formally the same algebraic process, as we will show next.

Rijndael decryption algorithm: The polynomial $\phi$ introduced in (2.3) is a permutation polynomial describing a permutation of the elements of $F$. See Sections 3, 4 for more details. There is a unique permutation polynomial $\psi(u) \in F[u]$ of degree at most 255 such that $\phi \circ \psi = \psi \circ \phi = \mathrm{id}_F$ and we will derive this polynomial in Section 4. The element $\gamma \in R$ is invertible with
$$\gamma^{-1} := (z^3 + z + 1)\, x^3 + (z^3 + z^2 + 1)\, x^2 + (z^3 + 1)\, x + (z^3 + z^2 + z) \in R.$$
Using the map $\psi$, the element $\gamma^{-1}$ and the round keys $k^{(t)}$ Bob can decipher the message $m$ of Alice through:
$$c^{(0)} := c + k^{(10)},$$
$$c^{(t+1)} := \gamma^{-1} \sum_{i,j} \psi\big(c^{(t)}_{i,j}\big)\, x^i y^{i+j} + \gamma^{-1} k^{(9-t)} \quad \text{for } t = 0, \ldots, 8,$$
$$c^{(10)} := \sum_{i,j} \psi\big(c^{(9)}_{i,j}\big)\, x^i y^{i+j} + k^{(0)}.$$
One readily verifies that $m = c^{(10)}$. Note that formally both the encryption schedule and the decryption schedule follow the same sequence of transformations: $\phi$ is simply replaced by $\psi$, multiplication by $\gamma$ is substituted with multiplication by $\gamma^{-1}$ and the key schedule is changed, replacing $k^{(t)}$, $t = 0, \ldots, 10$ with $k^{(10)}, \gamma^{-1} k^{(9)}, \ldots, \gamma^{-1} k^{(1)}, k^{(0)}$.

Remark 2.2 Both encryption and decryption can be done very efficiently. In practice the polynomials $\phi$ and $\psi$ are not evaluated and a look-up table describing the permutations $\phi, \psi : F \to F$ is used instead. Substituting exponents $x^i y^j \mapsto x^i y^{3i+j}$ does not require any arithmetic and adding a round key $k^{(t+1)}$ is efficiently done through Boolean XOR operations. Arithmetic computations are required when multiplying by $\gamma$ respectively by $\gamma^{-1}$. Since in general multiplication by $\gamma$ is slightly easier than multiplication by $\gamma^{-1}$ the decryption algorithm takes in general slightly longer than the encryption algorithm.
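The ring description of Section 2, carried out in code. The following is an added example and not the paper's own code: it implements AES-128 encryption and decryption in the paper's notation, with ring elements as 4×4 arrays $r_{i,j}$, the S-box as $\phi_3 \circ L \circ \phi_1$ (the decomposition given in Section 3), ShiftRow as the exponent substitution $x^i y^j \mapsto x^i y^{3i+j}$, MixColumn as multiplication of each column by $\gamma$ in $F[x]/\langle x^4+1\rangle$, the key expansion above, and the decryption schedule with $\psi$, $\gamma^{-1}$ and the reversed keys. Two details are taken from FIPS-197 rather than from this copy of the paper, where they are lost: the modulus $z^8+1$ in the map $L$ and the constant $z^6+z^5+z+1$ (0x63) in $\phi_3$. The function `gamma_checks` verifies by direct multiplication the order-4 property of $\gamma$ and the factorizations (2.4) and (2.5) stated in Remarks 2.3 and 2.4.

```python
# Added example (not the paper's code): AES-128 in the ring R = F[x,y]/<x^4+1, y^4+1>
# of Section 2, F = Z_2[z]/<mu(z)>. A ring element r = sum r_{i,j} x^i y^j is a 4x4
# list r[i][j]. The modulus z^8+1 of L and the constant 0x63 of phi_3 come from FIPS-197.
MU = 0x11B  # mu(z) = z^8 + z^4 + z^3 + z + 1

def f_mul(a, b):
    """Multiplication in F = GF(256) = Z_2[z]/<mu(z)>."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MU
        b >>= 1
    return r

def f_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = f_mul(r, a)
        a, e = f_mul(a, a), e >> 1
    return r

def phi(f):
    """S-box phi = phi_3 o L o phi_1 of (3.1)-(3.3)."""
    f = f_pow(f, 254)                       # phi_1: f -> f^{-1}, with 0 -> 0
    g = 0                                   # L: (z^4+z^3+z^2+z+1) f mod z^8+1;
    for k in range(5):                      #    z^k f mod z^8+1 is a bit rotation by k
        g ^= ((f << k) | (f >> (8 - k))) & 0xFF
    return g ^ 0x63                         # phi_3: add z^6+z^5+z+1

PHI = [phi(f) for f in range(256)]          # look-up tables, as in Remark 2.2
PSI = [PHI.index(f) for f in range(256)]    # psi = phi^{-1}
GAMMA = [0x02, 0x01, 0x01, 0x03]            # gamma = (z+1)x^3 + x^2 + x + z
GAMMA_INV = [0x0E, 0x09, 0x0D, 0x0B]        # (z^3+z+1)x^3 + (z^3+z^2+1)x^2 + (z^3+1)x + z^3+z^2+z

def col_mul(a, b):
    """Multiplication in F[x]/<x^4+1>; a column is the list of its x^i coefficients."""
    c = [0] * 4
    for i in range(4):
        for j in range(4):
            c[(i + j) % 4] ^= f_mul(a[i], b[j])
    return c

def ring_add(a, b):
    return [[a[i][j] ^ b[i][j] for j in range(4)] for i in range(4)]

def ring_mul(r, g):
    """Multiply every column r_j = sum_i r_{i,j} x^i of r by g (MixColumn)."""
    cols = [col_mul([r[i][j] for i in range(4)], g) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]

def subst(r, table, shift):
    """sum table(r_{i,j}) x^i y^{shift*i+j}: S-box followed by (inverse) ShiftRow."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            out[i][(shift * i + j) % 4] = table[r[i][j]]
    return out

def key_expansion(k):
    """Round keys k^(0), ..., k^(10) of Section 2, handled column by column."""
    keys = [k]
    for t in range(10):
        cols = [[keys[t][i][j] for i in range(4)] for j in range(4)]   # k^(t)_j
        # k^(t+1)_0 := (sum_i phi(k^(t)_{i,3}) x^i) x^3 + z^t + k^(t)_0
        c = col_mul([PHI[b] for b in cols[3]], [0, 0, 0, 1])
        c[0] ^= f_pow(0x02, t)
        new = [[c[i] ^ cols[0][i] for i in range(4)]]
        for j in range(1, 4):                # k^(t+1)_j := k^(t+1)_{j-1} + k^(t)_j
            new.append([new[j - 1][i] ^ cols[j][i] for i in range(4)])
        keys.append([[new[j][i] for j in range(4)] for i in range(4)])
    return keys

def encrypt(m, k):
    keys = key_expansion(k)
    s = ring_add(m, keys[0])
    for t in range(9):
        s = ring_add(ring_mul(subst(s, PHI, 3), GAMMA), keys[t + 1])
    return ring_add(subst(s, PHI, 3), keys[10])        # no gamma in the 10th round

def decrypt(c, k):
    """Same schedule with psi, gamma^{-1} and the keys k^(10), gamma^{-1}k^(9), ..., k^(0)."""
    keys = key_expansion(k)
    s = ring_add(c, keys[10])
    for t in range(9):
        s = ring_add(ring_mul(subst(s, PSI, 1), GAMMA_INV), ring_mul(keys[9 - t], GAMMA_INV))
    return ring_add(subst(s, PSI, 1), keys[0])

def to_ring(block):
    """FIPS-197 byte order: byte 4j+i of a 16-byte block is r_{i,j}."""
    return [[block[4 * j + i] for j in range(4)] for i in range(4)]

def from_ring(r):
    return bytes(r[i][j] for j in range(4) for i in range(4))

def gamma_checks():
    """Remarks 2.3/2.4: gamma^2 = z^2 x^2 + z^2 + 1, gamma^4 = 1, gamma^{-1} = gamma^2 gamma, (2.5)."""
    g2 = col_mul(GAMMA, GAMMA)
    return (g2 == [0x05, 0, 0x04, 0] and col_mul(g2, g2) == [1, 0, 0, 0]
            and col_mul(g2, GAMMA) == GAMMA_INV
            and col_mul([0x03, 0, 0, 0x02], [0x04, 0x01, 0x05, 0x01]) == GAMMA_INV)
```

To run it on the FIPS-197 Appendix C.1 vector, call `from_ring(encrypt(to_ring(pt), to_ring(key)))` with `key = bytes(range(16))` and `pt = bytes.fromhex("00112233445566778899aabbccddeeff")`; the hexadecimal result is `69c4e0d86a7b0430d8cdb78070b4c55a`, and `decrypt` returns the plaintext. Note that the decryption round computes $\gamma^{-1}(\cdot) + \gamma^{-1}k^{(9-t)}$ exactly as the paper writes it; since multiplication by $\gamma^{-1}$ is $F$-linear this equals $\gamma^{-1}(\cdot + k^{(9-t)})$, which is how the standard's equivalent inverse cipher orders the steps.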

Remark 2.3 (Compare with [4, page 55] and [6]). $\gamma$ was chosen such that multiplication by $\gamma$ can be done with a minimal branch number and at the same time a good diffusion of $F[x]/\langle x^4 + 1 \rangle$ is guaranteed. We are not convinced that the choice of $\gamma$ was optimal for the latter as it has a very small order in $R$. A direct computation shows that $\gamma$ has order 4. With this we also have an easy expression for $\gamma^{-1}$:
$$\gamma^{-1} = \gamma^3 = \gamma^2 \gamma = (z^2 x^2 + z^2 + 1)\, \gamma. \qquad (2.4)$$
Instead of multiplying by $\gamma^{-1}$ it is therefore possible to multiply three times by $\gamma$, or alternatively one can precede the multiplication by $\gamma$ with a multiplication by $(z^2 x^2 + z^2 + 1)$. This is more efficient than multiplying by the full expression for $\gamma^{-1}$.

Remark 2.4 We made a computer search for interesting factorizations of $\gamma^{-1}$. It seems that the factorization (2.4) is probably the easiest for computation purposes. The following is a related interesting factorization which we found:
$$\gamma^{-1} = (z x^3 + z + 1)\,\big(x^3 + (z^2 + 1) x^2 + x + z^2\big). \qquad (2.5)$$

3 Relation to the Standard Description

In the original description of the Rijndael algorithm the ring $R$ was not used. Instead sets of elements having 128 bits were described by a $4 \times 4$ array, each entry containing one byte, i.e. 8 bits. In order to relate the descriptions assign to each element $r = \sum_{i=0}^{3} \sum_{j=0}^{3} r_{i,j}\, x^i y^j$ the $4 \times 4$ array
$$\begin{pmatrix} r_{0,0} & r_{0,1} & r_{0,2} & r_{0,3} \\ r_{1,0} & r_{1,1} & r_{1,2} & r_{1,3} \\ r_{2,0} & r_{2,1} & r_{2,2} & r_{2,3} \\ r_{3,0} & r_{3,1} & r_{3,2} & r_{3,3} \end{pmatrix}$$
where each element $r_{i,j} \in F$ is viewed as one byte. Using a specific schedule the following operations are applied:

S-Box Transformation: In this operation each element $r_{i,j} \in F$ is changed using a permutation $\phi$ of the symmetric group of 256 elements. The permutation $\phi$ decomposes into three permutations:
$$\phi_1 : F \to F, \quad f \mapsto \begin{cases} f^{-1} & \text{if } f \neq 0, \\ 0 & \text{if } f = 0. \end{cases} \qquad (3.1)$$
$$L : F \to F, \quad f \mapsto (z^4 + z^3 + z^2 + z + 1)\, f \bmod z \qquad (3.2)$$
$$\phi_3 : F \to F, \quad f \mapsto z^6 + z^5 + z + 1 + f. \qquad (3.3)$$
The permutation $\phi$ is defined as $\phi := \phi_3 \circ L \circ \phi_1$. It is possible to describe the permutation $\phi$ using a permutation polynomial. For this note that any permutation of $F$ can also be

described through a unique interpolation polynomial (an element of $F[u]$) having degree at most 255. We will denote this unique polynomial describing the permutation $\phi$ with $\phi(u)$. The context will always make it clear if we view $\phi$ as a permutation or as a polynomial $\phi(u) \in F[u]$. This unique permutation polynomial can be computed in the following way. If $\alpha \neq 0$ then
$$T_\alpha(u) := u \sum_{i=0}^{254} \alpha^i\, u^{254-i}$$
is the unique Lagrange interpolant having the property that
$$T_\alpha(\beta) = \begin{cases} 1 & \text{if } \alpha = \beta, \\ 0 & \text{otherwise.} \end{cases}$$
If $\alpha = 0$ then $T_\alpha(u) = u$ is the unique Lagrange interpolant. The unique polynomial $\phi(u) \in F[u]$ is then readily computed using a symbolic algebra program as
$$\phi(u) = \sum_{\alpha \in F} \phi(\alpha)\, T_\alpha(u).$$
This computation was already done by Daemen and Rijmen in their original proposal and the polynomial $\phi$ can be found in [3, Subsection 8.5].

The ShiftRow Transformation: In this operation the bytes of the $i$th row are cyclically shifted by $i$ positions. Algebraically this operation has a simple interpretation. For this consider an element $r = r(x, y) \in R$ as described in (2.2). The ShiftRow then corresponds simply to the transformation:
$$r = r(x, y) \mapsto r(x y^3, y).$$
In the encryption algorithm this translates into replacing the monomial $x^i y^j$ with the monomial $x^i y^{3i+j}$. The inverse of the ShiftRow transformation is $r = r(x, y) \mapsto r(x y, y)$, which translates into the replacement of $x^i y^j$ with the monomial $x^i y^{i+j}$.

The MixColumn Transformation: In this transformation each column $r_j = \sum_{i=0}^{3} r_{i,j}\, x^i$ is multiplied by the element $\gamma$.

Add Round Key: In this step the $t$-th round key $k^{(t)}$ is added.

The schedule of operation is as follows: In the zero round the round key $k^{(0)}$ is simply added. In rounds 1-9 do the operations S-Box, ShiftRow, MixColumn and Add Round Key. In the 10th round do only S-Box, ShiftRow and Add Round Key. We have given the algebraic description for this schedule.

3.1 AES-192 and AES-256

Until now we described Rijndael when the key size and the message size have 128 bits. This system is referred to as AES-128. In the original description [3] one had the possibility to vary both the size of the message blocks and the size of the secret keys.

In the adopted standard [1] the size of the message blocks is always taken to be 128 bits. In AES-192 and in AES-256 the secret key size consists of 192 respectively 256 bits. In order to run these presumably more secure algorithms it will be necessary to change the key expansion schedule of the last section. In AES elements $k^{(t)} \in R$, $t = 0, \ldots, 12$ are computed from the original 192 bits and the Rijndael algorithm runs over 12 rounds. In AES elements $k^{(t)} \in R$, $t = 0, \ldots, 14$ are computed from the original 192 bits and the Rijndael algorithm runs over 14 rounds. Other than this there seems to be no difference and details can be found in [1, 4].

4 The Structure of the S-Box

Except for the transformation of the S-Box all transformations are $\mathbb{Z}_2$-linear. An understanding of the S-Box is therefore most crucial. Surprisingly the permutation polynomial $\phi(u)$ is very sparse and we explain in this section why this is the case.

The permutation $\phi$ is the composition of the maps $\phi_1$, $L$ and $\phi_3$. We will describe the permutation polynomial for each of them. The permutation polynomial for the map $\phi_1$ is simply given by $\phi_1(u) = u^{254}$. The permutation $L$ is a $\mathbb{Z}_2$-linear map. For this reason there is a unique linearized polynomial (see [8, Chapter 3])
$$L(u) = \sum_{i=0}^{7} \lambda_i\, u^{2^i} \in F[u]$$
such that evaluating the polynomial $L(u)$ at $f$ gives $L(f)$ for all $f \in F$. If $\alpha_1, \ldots, \alpha_8$ is any basis of $F$ over the prime field $\mathbb{Z}_2$ then it is possible to compute the coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ through the linear equations:
$$\sum_{i=0}^{7} \lambda_i\, \alpha_j^{2^i} = L(\alpha_j), \qquad j = 1, \ldots, 8.$$
This system of linear equations can be solved explicitly. For this let $\beta_1, \ldots, \beta_8$ be the dual basis (see e.g. [8, Chapter 3]) of $\alpha_1, \ldots, \alpha_8$ characterized through the requirement:
$$\mathrm{Tr}_{F/\mathbb{Z}_2}(\alpha_i \beta_j) = \begin{cases} 1 & \text{if } i = j, \\ 0 & \text{if } i \neq j. \end{cases}$$
Introduce the matrices:
$$A := \begin{pmatrix} \alpha_1 & \alpha_1^2 & \alpha_1^{2^2} & \cdots & \alpha_1^{2^7} \\ \alpha_2 & \alpha_2^2 & \alpha_2^{2^2} & \cdots & \alpha_2^{2^7} \\ \vdots & \vdots & \vdots & & \vdots \\ \alpha_8 & \alpha_8^2 & \alpha_8^{2^2} & \cdots & \alpha_8^{2^7} \end{pmatrix}, \qquad B := \begin{pmatrix} \beta_1 & \beta_2 & \cdots & \beta_8 \\ \beta_1^2 & \beta_2^2 & \cdots & \beta_8^2 \\ \beta_1^4 & \beta_2^4 & \cdots & \beta_8^4 \\ \vdots & \vdots & & \vdots \\ \beta_1^{2^7} & \beta_2^{2^7} & \cdots & \beta_8^{2^7} \end{pmatrix}.$$
Assuming that $\beta_1, \ldots, \beta_8$ is the dual basis of $\alpha_1, \ldots, \alpha_8$ simply means that $AB = I_8$.

Let $S$ be the change of basis transformation such that
$$\begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix} = S \begin{pmatrix} 1 \\ z \\ \vdots \\ z^7 \end{pmatrix}$$
and consider the matrix $L$ which describes the linear map introduced in (3.2) with respect to the polynomial basis $1, z, z^2, \ldots, z^7$. Then one has:

Lemma 4.1 The coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ of the permutation polynomial $L(u)$ are given as:
$$\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix} = B\, S\, L^t\, S^{-1} \begin{pmatrix} \alpha_1 \\ \alpha_2 \\ \vdots \\ \alpha_8 \end{pmatrix}. \qquad (4.1)$$
Proof: $S L^t S^{-1}$ describes the change of basis of the linear map $L$ with regard to the basis $\alpha_1, \ldots, \alpha_8$.

In order to explicitly compute the coefficients $\lambda_0, \lambda_1, \ldots, \lambda_7$ we can work with the polynomial basis $1, z, z^2, \ldots, z^7$ (in which case $S = I_8$). Alternatively we can work with a normal basis. We explain the computation for a normal basis. Let $\alpha := z \in F$. One verifies e.g. with the computer program Maple that $\alpha$ is a primitive element of $F$ and that $\{\alpha_i := \alpha^{2^{i-1}} \mid i = 1, \ldots, 8\}$ forms a normal basis. Such bases are called primitive normal bases. $\alpha$ is special in the sense that it is the first element of $F$ with respect to lexicographic order which is both a primitive element and the generator of a normal basis.

Remark 4.2 The existence of primitive normal bases has been established by Lenstra and Schoof [7] for every finite extension $GF(q^m)$ of a finite field $GF(q)$. Probably the nicest possible basis a finite field can have is a primitive normal basis which is also self-dual. We verified by computer search that $GF(256)$ does not have a self-dual, primitive normal basis.

The dual basis of $\{\alpha_1, \ldots, \alpha_8\}$ is readily computed using Maple as $\{\beta_j := \beta^{2^{j-1}} \mid j = 1, \ldots, 8\}$, where $\beta = z^5 + z^4 + z$ . It is a well known fact that the dual basis of a normal basis is normal as well. The change of basis transformation is computed in this case as $S =$

With this one readily computes:
$$\begin{pmatrix} \lambda_0 \\ \lambda_1 \\ \vdots \\ \lambda_7 \end{pmatrix} = B\, S\, L^t\, S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix} = \begin{pmatrix} z \\ z \\ z^7 + z^6 + z^5 + z^4 + z \\ z^5 + z \\ z^7 + z^6 + z^5 + z^4 + z^2 \\ 1 \\ z^7 + z^5 + z^4 + z \\ z^7 + z^3 + z^2 + z + 1 \end{pmatrix}. \qquad (4.2)$$
The elements $\lambda_i$ already agree with the non-constant coefficients of $\phi$ introduced in (2.3) up to order. In order to get the exact form we need a polynomial description of the permutation $\phi_3$ introduced in (3.3). Clearly the linear polynomial $\phi_3(u) := u + 1 + z + z^5 + z^6 \in F[u]$ interpolates the affine map $\phi_3$. Concatenating the three polynomial maps we get:
$$\phi(u) = \phi_3 \circ L \circ \phi_1(u) = 1 + z + z^5 + z^6 + L(u^{254}) \bmod u^{256} + u.$$
Note that $L$ has at most 8 nonzero coefficients. Reducing $L(u^{254})$ by the relation $u^{256} = u$ will not change this, and this explains the sparsity of the polynomial $\phi(u)$.

The fact that the permutation polynomial $\phi(u)$ is sparse does not imply that the inverse polynomial $\psi(u)$ is sparse. For this note that
$$\psi(u) = \phi_1^{-1} \circ L^{-1} \circ \phi_3^{-1}(u) \bmod u^{256} + u.$$
As before the coefficients of the polynomial $L^{-1}(u)$ are computed from:
$$B\, S\, (L^{-1})^t\, S^{-1} \begin{pmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^7} \end{pmatrix}. \qquad (4.3)$$

10 Using Maple we find: L 1 (u) = ( z 6 + z 5 + z 3 + z 2 + z ) u ( z 7 + z 6 + z 4 + z 3 + z + 1 ) u 64 + ( z 6 + z 4 + z ) u 32 + ( z 6 + z 5 + z 4 + z 3) u 16 + ( z 6 + z 4 + z 3 + z ) u 8 + ( z 6 + z 5 + z 4 + z 3 + z 2 + z + 1 ) u 4 + ( z 7 + z 6 + z 5 + z 4 + z 3 + z 2 + z ) u 2 + ( z ) u F[u]. (4.4) Combining the result with the map ϕ 1 3 (u) one gets: ρ(u) := L 1 ϕ 1 3 (u) = L 1 (u + ϕ 3 (0)) = L 1 (u) + L 1 (ϕ 3 (0)) = L 1 (u) + z (4.5) A polynomial of the form ρ(u) is sometimes called an affine polynomial [8] reflecting the fact that the map L 1 ϕ 1 3 is affine linear over Z 2. Concatenating ρ(u) with the polynomial ϕ 1 1 (u) = ϕ 1 (u) = u 254 results in a non-sparse polynomial ψ(u) = ρ(u) 254 mod u u. For completeness we provide the result of the Maple computation. The coefficients are expressed in terms of the primitive α = z ψ(u) = α 163 u α 76 u α 195 u α 186 u α 234 u α 194 u α 248 u α 255 u α 196 u α 100 u α 216 u α 212 u α 47 u α 17 u α 85 u α 103 u α 201 u α 184 u α 235 u α 215 u α 170 u α 74 u α 15 u α 2 u α 185 u α 89 u α 26 u α 231 u α 137 u α 110 u α 230 u α 20 u α 126 u α 35 u α 117 u α 48 u α 141 u α 56 u α 29 u α 154 u α 207 u α 175 u α 253 u α 147 u α 5 u α 43 u α 194 u α 242 u α 202 u α 27 u α 15 u α 164 u α 11 u α 233 u α 56 u α 121 u α 163 u α 69 u α 113 u α 235 u α 225 u α 152 u α 227 u α 9 u α 78 u α 234 u α 57 u α 136 u α 115 u α 128 u α 57 u α 223 u α 228 u α 110 u α 249 u α 83 u α 55 u α 55 u α 32 u α 94 u α 71 u α 88 u α 94 u α 45 u α 218 u α 157 u α 73 u α 209 u α 21 u α 122 u α 127 u α 206 u α 19 u α 189 u α 89 u α 177 u α 192 u α 211 u α 99 u α 195 u α 14 u α 172 u α 67 u α 136 u α 6 u α 122 u α 102 u 148 +α 198 u 147 +α 14 u 146 +α 130 u 145 +α 102 u 144 +α 129 u 143 +α 246 u 142 +α 187 u 141 +α 85 u 140 +α 181 u 139 +α 169 u 138 +α 230 u 137 +α 21 u 136 +α 234 u 135 +α 138 u 134 +α 104 u 133 +α 26 u 132 +α 229 u 131 +α 177 u 130 +α 168 u 129 +α 245 u α 13 u α 142 u α 96 u α 240 u α 224 u α 32 u α 228 u α 68 u α 125 u α 147 u 
α 19 u α 78 u α 51 u α 114 u α 87 u α 120 u α 5 u α 209 u α 51 u α 39 u α 47 u α 109 u α 159 u α 203 u α 202 u α 9 u α 238 u α 44 u α 188 u 99 + α 234 u 98 +α 59 u 97 +α 15 u 96 +α 131 u 95 +α 173 u 94 +α 135 u 93 +α 244 u 92 +α 216 u 91 +α 50 u 90 +α 218 u 89 +α 250 u 88 +α 108 u 87 + α 192 u 86 + α 45 u 85 + α 53 u 84 + α 186 u 83 + α 92 u 82 + α 74 u 81 + α 157 u 80 + α 172 u 79 + α 99 u 78 + α 209 u 77 + α 236 u 76 +α 212 u 75 +α 44 u 74 +α 209 u 73 +α 175 u 72 +α 101 u 71 +α 41 u 70 +α 51 u 69 +α 163 u 68 +α 183 u 67 +α 245 u 66 +α 169 u 65 + α 58 u 64 + α 5 u 63 + α 68 u 62 + α 63 u 61 + α 202 u 60 + α 138 u 59 + α 204 u 58 + α 109 u 57 + α 173 u 56 + α 214 u 55 + α 61 u 54 +α 255 u 53 +α 185 u 52 +α 249 u 51 +α 153 u 50 +α 143 u 49 +α 206 u 48 +α 163 u 47 +α 43 u 46 +α 202 u 45 +α 156 u 44 +α 70 u 43 + α 2 u 42 + α 45 u 41 + α 81 u 40 + α 43 u 39 + α 121 u 38 + α 90 u 37 + α 101 u 36 + α 252 u 35 + α 42 u 34 + α 176 u 33 + α 201 u 32 + α 22 u 31 + α 135 u 30 + α 250 u 29 + α 176 u 28 + α 76 u 27 + α 90 u 26 + α 247 u 25 + α 220 u 24 + α 123 u 23 + α 76 u 22 + α u 21 + α 180 u 20 + α 108 u 19 + α 222 u 18 + α 54 u 17 + α 46 u 16 + α 89 u 15 + α 240 u 14 + α 235 u 13 + α 208 u 12 + α 194 u 11 + α 2 u 10 + α 201 u 9 + α 67 u 8 + α 247 u 7 + α 56 u 6 + α 132 u 5 + α 16 u 4 + α 242 u 3 + α 223 u 2 + α 243 u + α 92 10

Other than the fact that $\psi(u) = \rho(u)^{254} \bmod u^{256} + u$ the author did not observe any regularity in the coefficients of $\psi(u)$. The complicated algebraic structure of the inverse S-Box shows that an algebraic attack on Rijndael which tries to recursively solve the decryption equations might be very hard indeed. Since $\phi(u)$ is much more sparse it might be more feasible to derive algebraic expressions of several rounds of the encryption schedule. Ferguson, Schroeppel and Whiting [5] show a way to describe multiple rounds of the Rijndael algorithm using some continued fraction expansion. The derived formulas look very appealing. It is however not clear if there is any way to solve these formulas by algebraic means. Although algebraic expressions for several rounds of Rijndael were derived it is our belief that a compact polynomial description of several rounds of Rijndael will result in an explosion of the number of variables. Further research on this question will be needed.

In the last part of this section we provide the cycle decomposition for the permutation of the S-Box. For this let $\alpha = z$ . We describe the cycles $[\beta, \phi(\beta), \phi(\phi(\beta)), \ldots]$
expressed in terms of the primitive α: [α, α 113, α 139, α 115, α 211, α 233, α 45, α 150, α 25, α 6, α 96, α 133, α 138, α 80, α 184, α 130, α 119, α 116, α 222, α 164, α 79, α 114, α 9, α 165, α 160, α 98, α 81, α 131, α 215, α 181, α 200, α 125, α 143, α 41, α 179, α 202, α 157, α 70, α 146, α 92, 0, α 210, α 232, α 117, α 11, α 192, α 72, α 185, α 212, α 21, α 105, α 163, α 216, α 78, α 48, α 174, α 198, α 209, α 176, α] [α 2, α 112, α 37, α 161, α 242, α 50, α 240, α 26, α 0, α 42, α 245, α 168, α 10, α 228, α 229, α 251, α 29, α 76, α 247, α 223, α 243, α 17, α 49, α 197, α 225, α 3, α 104, α 106, α 55, α 32, α 204, α 203, α 132, α 206, α 19, α 226, α 107, α 84, α 152, α 231, α 142, α 159, α 140, α 110, α 162, α 170, α 248, α 127, α 82, α 148, α 180, α 151, α 31, α 88, α 227, α 237, α 85, α 43, α 95, α 218, α 71, α 177, α 121, α 65, α 188, α 186, α 77, α 23, α 187, α 238, α 167, α 52, α 145, α 136, α 149, α 147, α 123, α 224, α 20, α 134, α 195, α 2 ] [α 4, α 16, α 69, α 7, α 62, α 34, α 183, α 172, α 208, α 129, α 220, α 91, α 230, α 153, α 87, α 102, α 234, α 93, α 51, α 73, α 155, α 196, α 253, α 124, α 101, α 66, α 235, α 252, α 193, α 18, α 94, α 90, α 144, α 83, α 5, α 47, α 194, α 244, α 118, α 173, α 120, α 199, α 250, α 63, α 156, α 109, α 221, α 30, α 86, α 46, α 126, α 56, α 44, α 249, α 33, α 24, α 201, α 205, α 191, α 128, α 67, α 219, α 239, α 15, α 217, α 103, α 141, α 169, α 241, α 214, α 59, α 154, α 207, α 175, α 178, α 36, α 97, α 13, α 28, α 12, α 74, α 182, α 8, α 14, α 58, α 108, α 75, α 4 ] [α 22, α 135, α 64, α 158, α 190, α 189, α 100, α 40, α 60, α 39, α 99, α 61, α 111, α 166, α 213, α 27, α 89, α 246, α 171, α 137, α 122, α 254, α 35, α 57, α 53, α 236, α 68, α 22 ] [α 38, α 54, α 38 ] It follows that ϕ has cycle lengths 59, 81, 87, 27 and 2 and order lcm (59, 81, 87, 27, 2) = 277, 182 confirming the result given by Lenstra [6]. 
We would like to remark that the largest order an element of the symmetric group of 256 elements can have is 451,129,701,092,070. In comparison to this the order of $\phi$ is not very large.
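The computations of this section, as an added example that is not part of the paper: the S-box is built by evaluating the sparse polynomial $\phi(u)$, the interpolants $T_\alpha(u)$ of Section 3 are used to recover $\phi(u)$ from the table and to interpolate the inverse $\psi(u)$ (which comes out dense, as stated above), and the cycle decomposition and order of $\phi$ are computed. The nine coefficients of $\phi(u)$ are the Daemen-Rijmen ones written in hexadecimal byte notation (this copy of the paper has lost the exponents of (2.3)); field arithmetic uses log/antilog tables over the generator $z+1$ rather than the paper's primitive $\alpha$, so the cycle members are not expressed in the paper's exponents and only the cycle lengths and the order are compared with the values given above.

```python
# Added example (not from the paper): the S-box as the sparse polynomial phi(u),
# Lagrange interpolation of its inverse psi(u) with the interpolants of Section 3,
# and the cycle decomposition of Section 4.  Field arithmetic uses log/antilog tables
# over the generator z + 1 (0x03); the nine coefficients of phi(u) are the
# Daemen-Rijmen ones, written as bytes (0x05 = z^2 + 1, ..., 0x63 = z^6 + z^5 + z + 1).
from functools import reduce
from math import gcd

MU = 0x11B                                   # mu(z) = z^8 + z^4 + z^3 + z + 1
EXP, LOG = [0] * 510, [0] * 256
_a = 1
for _i in range(255):
    EXP[_i], LOG[_a] = _a, _i
    _a ^= _a << 1                            # multiply by z + 1
    if _a & 0x100:
        _a ^= MU
EXP[255:] = EXP[:255]                        # so that EXP[LOG[a] + LOG[b]] needs no reduction

def f_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def f_pow(a, e):
    """a^e in F; a^0 = 1 and 0^e = 0 for e >= 1."""
    return 1 if e == 0 else (0 if a == 0 else EXP[(LOG[a] * e) % 255])

PHI_POLY = {254: 0x05, 253: 0x09, 251: 0xF9, 247: 0x25, 239: 0xF4,
            223: 0x01, 191: 0xB5, 127: 0x8F, 0: 0x63}

def evaluate(poly, u):
    """Evaluate a polynomial in F[u], given as {degree: coefficient}, at u."""
    r = 0
    for e, c in poly.items():
        r ^= f_mul(c, f_pow(u, e))
    return r

def interpolate(table):
    """Unique polynomial of degree <= 255 with p(a) = table[a] for all a in F.
    With T_a(u) = u * sum_{i=0}^{254} a^i u^{254-i} for a != 0 and T_0(u) = 1 + u^255,
    the coefficient of u^e collects table[a] a^(255-e) over a != 0."""
    coeffs = [0] * 256
    for a in range(1, 256):
        for e in range(1, 256):
            coeffs[e] ^= f_mul(table[a], f_pow(a, 255 - e))
    coeffs[0] ^= table[0]
    coeffs[255] ^= table[0]
    return {e: c for e, c in enumerate(coeffs) if c}

def cycle_lengths(perm):
    """Sorted lengths of the cycles of a permutation of {0, ..., 255}."""
    seen, lengths = set(), []
    for start in range(256):
        if start not in seen:
            n, v = 0, start
            while v not in seen:
                seen.add(v)
                v, n = perm[v], n + 1
            lengths.append(n)
    return sorted(lengths)

def analyse():
    sbox = [evaluate(PHI_POLY, u) for u in range(256)]
    assert sorted(sbox) == list(range(256))         # phi is a permutation of F
    inv = [sbox.index(v) for v in range(256)]        # the table of psi = phi^{-1}
    lengths = cycle_lengths(sbox)
    return {
        "sbox": sbox,
        "phi": interpolate(sbox),                     # recovers the sparse phi(u)
        "psi": interpolate(inv),                      # dense: psi(u) is not sparse
        "cycles": lengths,
        "order": reduce(lambda a, b: a * b // gcd(a, b), lengths),
    }
```

`analyse()["phi"]` returns exactly `PHI_POLY`, which checks the interpolation formula against a polynomial of known shape; `analyse()["psi"]` has well over two hundred nonzero coefficients, and `analyse()["cycles"]` gives the lengths 2, 27, 59, 81, 87 with `order` 277182, as stated for $\phi$ above.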

5 Conclusion

In this paper we provided a description of the Advanced Encryption Standard Rijndael which involved a series of polynomial transformations in a finite ring $R$. Special attention was given to deriving the permutation polynomials describing the S-Box and the inverse S-Box of the Rijndael system.

References

[1] Federal Information Processing Standards Publication 197, Advanced Encryption Standard, November. Available at pdf.
[2] D. Cox, J. Little, and D. O'Shea. Using Algebraic Geometry. Springer-Verlag, New York.
[3] J. Daemen and V. Rijmen. AES Proposal: Rijndael, September. AES algorithm submission, available at
[4] J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, Berlin Heidelberg.
[5] N. Ferguson, R. Schroeppel, and D. Whiting. A simple algebraic representation of Rijndael. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography, LNCS 2259. Springer-Verlag, Berlin, December.
[6] H. W. Lenstra, Jr. Rijndael for algebraists, April. Preprint: hwl/.
[7] H. W. Lenstra, Jr. and R. J. Schoof. Primitive normal bases for finite fields. Math. Comp., 48(177).
[8] R. Lidl and H. Niederreiter. Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge, London. Revised edition.
[9] S. Murphy and M. Robshaw. New observations on Rijndael, August. Preprint: mrobshaw/rijndael.pdf.
[10] W. Trappe and L. C. Washington. Introduction to Cryptography with Coding Theory. Prentice Hall, Upper Saddle River, New Jersey.


Perfect Diffusion Primitives for Block Ciphers Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch

More information

The Rijndael Block Cipher

The Rijndael Block Cipher The Rijndael Block Cipher Vincent Leith MATH 27.2 May 3, 2 A brief look at the mathematics behind the Rijndael Block Chiper. Introduction The Rijndael Block Chiper was brought about by Joan Daemen and

More information

Hardware Design and Analysis of Block Cipher Components

Hardware Design and Analysis of Block Cipher Components Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.

More information

(Solution to Odd-Numbered Problems) Number of rounds. rounds

(Solution to Odd-Numbered Problems) Number of rounds. rounds CHAPTER 7 AES (Solution to Odd-Numbered Problems) Review Questions. The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation. 3. The number of round keys

More information

arxiv: v1 [cs.cr] 13 Sep 2016

arxiv: v1 [cs.cr] 13 Sep 2016 Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]

More information

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty The XL and XSL attacks on Baby Rijndael by Elizabeth Kleiman A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics

More information

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds Taizo Shirai 1, and Bart Preneel 2 1 Sony Corporation, Tokyo, Japan taizo.shirai@jp.sony.com 2 ESAT/SCD-COSIC, Katholieke Universiteit

More information

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction

More information

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211

More information

Cryptography: Key Issues in Security

Cryptography: Key Issues in Security L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions

More information

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES CS355: Cryptography Lecture 9: Encryption modes. AES Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately.

More information

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

Royal Holloway University of London

Royal Holloway University of London Projective Aspects of the AES Inversion Wen-Ai Jackson and Sean Murphy Technical Report RHUL MA 2006 4 25 November 2005 Royal Holloway University of London Department of Mathematics Royal Holloway, University

More information

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers

More information

Gurgen Khachatrian Martun Karapetyan

Gurgen Khachatrian Martun Karapetyan 34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian

More information

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot 1 and Matthieu Finiasz 2 1 INRIA - LIX UMR 7161 X-CNRS 2 CryptoExperts Abstract. MDS matrices allow to build

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

Attacking AES via SAT

Attacking AES via SAT Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing

More information

Security of the AES with a Secret S-box

Security of the AES with a Secret S-box Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice

More information

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design: Secret Key Systems Encrypting a small block of text (say 64 bits) General considerations

More information

Analysis of cryptographic hash functions

Analysis of cryptographic hash functions Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share

More information

On the invertibility of the XOR of rotations of a binary word

On the invertibility of the XOR of rotations of a binary word On the invertibility of the XOR of rotations of a binary word Ronald L. Rivest November 10, 2009 Abstract We prove the following result regarding operations on a binary word whose length is a power of

More information

Hyper-bent Functions

Hyper-bent Functions Hyper-bent Functions Amr M. Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization University of Waterloo, Waterloo, Ontario N2L3G1, CANADA a2youssef@cacr.math.uwaterloo.ca

More information

} has dimension = k rank A > 0 over F. For any vector b!

} has dimension = k rank A > 0 over F. For any vector b! FINAL EXAM Math 115B, UCSB, Winter 2009 - SOLUTIONS Due in SH6518 or as an email attachment at 12:00pm, March 16, 2009. You are to work on your own, and may only consult your notes, text and the class

More information

Block Ciphers and Systems of Quadratic Equations

Block Ciphers and Systems of Quadratic Equations Block Ciphers and Systems of Quadratic Equations Alex Biryukov and Christophe De Cannière Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Leuven-Heverlee, Belgium

More information

Algebraic Aspects of Symmetric-key Cryptography

Algebraic Aspects of Symmetric-key Cryptography Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Symmetric Crypto Systems

Symmetric Crypto Systems T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2012 Konstantin Beznosov 1 Module Outline! Stream ciphers under the hood Block ciphers under

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

Matrix Power S-Box Construction

Matrix Power S-Box Construction Matrix Power S-Box Construction Eligijus Sakalauskas a and Kestutis Luksys b Department of Applied Mathematics, Kaunas University of Technology, Studentu g. 50, 52368 Kaunas, Lithuania a Eligijus.Sakalauskas@ktu.lt

More information

Dickson Polynomials that are Involutions

Dickson Polynomials that are Involutions Dickson Polynomials that are Involutions Pascale Charpin Sihem Mesnager Sumanta Sarkar May 6, 2015 Abstract Dickson polynomials which are permutations are interesting combinatorial objects and well studied.

More information

Quadratic Equations from APN Power Functions

Quadratic Equations from APN Power Functions IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon

More information

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

New Gröbner Bases for formal verification and cryptography

New Gröbner Bases for formal verification and cryptography New Gröbner Bases for formal verification and cryptography Gert-Martin Greuel Diamant/Eidma Symposium November 29th - November 30th November 29th, 2007 Introduction Focus of this talk New developements

More information

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2 0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod

More information

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen. Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography

More information

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable

More information

Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach

Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach M A Hasan 1 and C Negre 2 1 ECE Department and CACR, University of Waterloo, Ontario, Canada 2 Team

More information

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur Cryptographically Robust Large Boolean Functions Debdeep Mukhopadhyay CSE, IIT Kharagpur Outline of the Talk Importance of Boolean functions in Cryptography Important Cryptographic properties Proposed

More information

Chapter 2 Symmetric Encryption Algorithms

Chapter 2 Symmetric Encryption Algorithms Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,

More information

Exam Security January 19, :30 11:30

Exam Security January 19, :30 11:30 Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in

More information

Module 2 Advanced Symmetric Ciphers

Module 2 Advanced Symmetric Ciphers Module 2 Advanced Symmetric Ciphers Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu Data Encryption Standard (DES) The DES algorithm

More information

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment. CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1

More information

17.1 Binary Codes Normal numbers we use are in base 10, which are called decimal numbers. Each digit can be 10 possible numbers: 0, 1, 2, 9.

17.1 Binary Codes Normal numbers we use are in base 10, which are called decimal numbers. Each digit can be 10 possible numbers: 0, 1, 2, 9. ( c ) E p s t e i n, C a r t e r, B o l l i n g e r, A u r i s p a C h a p t e r 17: I n f o r m a t i o n S c i e n c e P a g e 1 CHAPTER 17: Information Science 17.1 Binary Codes Normal numbers we use

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Some approaches to construct MDS matrices over a finite field

Some approaches to construct MDS matrices over a finite field 2017 6 Å 31 Å 2 ¹ June 2017 Communication on Applied Mathematics and Computation Vol.31 No.2 DOI 10.3969/j.issn.1006-6330.2017.02.001 Some approaches to construct MDS matrices over a finite field BELOV

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function Itai Dinur 1, Pawe l Morawiecki 2,3, Josef Pieprzyk 4 Marian Srebrny 2,3, and Micha l Straus 3 1 Computer Science Department, École

More information

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS Communications in Algebra, 3: 3878 3889, 2008 Copyright Taylor & Francis Group, LLC ISSN: 0092-7872 print/132-12 online DOI: 10.1080/0092787080210883 A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM

More information

Mathematical Foundations of Cryptography

Mathematical Foundations of Cryptography Mathematical Foundations of Cryptography Cryptography is based on mathematics In this chapter we study finite fields, the basis of the Advanced Encryption Standard (AES) and elliptical curve cryptography

More information

Cold Boot Key Recovery by Solving Polynomial Systems with Noise

Cold Boot Key Recovery by Solving Polynomial Systems with Noise Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April

More information

White Box Cryptography: Another Attempt

White Box Cryptography: Another Attempt White Box Cryptography: Another Attempt Julien Bringer 1, Hervé Chabanne 1, and Emmanuelle Dottax 1 Sagem Défense Sécurité Abstract. At CMS 2006 Bringer et al. show how to conceal the algebraic structure

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

Introduction to Modern Cryptography Lecture 4

Introduction to Modern Cryptography Lecture 4 Introduction to Modern Cryptography Lecture 4 November 22, 2016 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

Other Public-Key Cryptosystems

Other Public-Key Cryptosystems Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY Rainer Steinwandt 1,2 Florida Atlantic University, USA (joint work w/ B. Amento, M. Grassl, B. Langenberg 2, M. Roetteler) 1 supported

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest

More information

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October

More information

TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS

TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS DIMA GRIGORIEV AND VLADIMIR SHPILRAIN Abstract We use extensions of tropical algebras as platforms for very efficient public key exchange protocols

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC

More information

Chapter 1 - Linear cryptanalysis.

Chapter 1 - Linear cryptanalysis. Chapter 1 - Linear cryptanalysis. James McLaughlin 1 Introduction. Linear cryptanalysis was first introduced by Mitsuru Matsui in [12]. The cryptanalyst attempts to find a linear equation x 1... x i =

More information

Introduction to finite fields

Introduction to finite fields Chapter 7 Introduction to finite fields This chapter provides an introduction to several kinds of abstract algebraic structures, particularly groups, fields, and polynomials. Our primary interest is in

More information

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption

More information

Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography

Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography P. Sanoop Kumar Department of CSE, Gayatri Vidya Parishad College of Engineering(A), Madhurawada-530048,Visakhapatnam,

More information

Some integral properties of Rijndael, Grøstl-512 and LANE-256

Some integral properties of Rijndael, Grøstl-512 and LANE-256 Some integral properties of Rijndael, Grøstl-512 and LANE-256 Marine Minier 1, Raphael C.-W. Phan 2, and Benjamin Pousse 3 1 Universit de Lyon, INRIA, INSA-Lyon, CITI, 2 Electronic & Electrical Engineering,

More information

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit

More information

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications

More information

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m. Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information