A Polynomial Description of the Rijndael Advanced Encryption Standard

Similar documents
Affine equivalence in the AES round function

A Five-Round Algebraic Property of the Advanced Encryption Standard

Essential Algebraic Structure Within the AES

A New Algorithm to Construct. Secure Keys for AES

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

LOOKING INSIDE AES AND BES

AES side channel attacks protection using random isomorphisms

An Algebraic Framework for Cipher Embeddings

Extended Criterion for Absence of Fixed Points

Computational and Algebraic Aspects of the Advanced Encryption Standard

The Advanced Encryption Standard

A New Algebraic Method to Search Irreducible Polynomials Using Decimal Equivalents of Polynomials over Galois Field GF(p q )

Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Chapter 4 Mathematics of Cryptography

A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES

Table Of Contents. ! 1. Introduction to AES

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

Virtual isomorphisms of ciphers: is AES secure against differential / linear attack?

How Fast can be Algebraic Attacks on Block Ciphers?

Structural Cryptanalysis of SASAS

Secret Key: stream ciphers & block ciphers

Fields in Cryptography. Çetin Kaya Koç Winter / 30

Galois fields/1. (M3) There is an element 1 (not equal to 0) such that a 1 = a for all a.

A New Approach for Designing Key-Dependent S-Box Defined over GF (2 4 ) in AES

Perfect Diffusion Primitives for Block Ciphers

The Rijndael Block Cipher

Hardware Design and Analysis of Block Cipher Components

(Solution to Odd-Numbered Problems) Number of rounds. rounds

arxiv: v1 [cs.cr] 13 Sep 2016

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

Cryptography: Key Issues in Security

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Public-key Cryptography: Theory and Practice

Royal Holloway University of London

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Symmetric Crypto Systems

Gurgen Khachatrian Martun Karapetyan

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Attacking AES via SAT

Security of the AES with a Secret S-box

Classical Cryptography

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Analysis of cryptographic hash functions

On the invertibility of the XOR of rotations of a binary word

Hyper-bent Functions

} has dimension = k rank A > 0 over F. For any vector b!

Block Ciphers and Systems of Quadratic Equations

Algebraic Aspects of Symmetric-key Cryptography

The Hash Function JH 1

Symmetric Crypto Systems

MATH3302 Cryptography Problem Set 2

Matrix Power S-Box Construction

Dickson Polynomials that are Involutions

Quadratic Equations from APN Power Functions

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

ECS 189A Final Cryptography Spring 2011

New Gröbner Bases for formal verification and cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Subquadratic space complexity multiplier for a class of binary fields using Toeplitz matrix approach

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

Chapter 2 Symmetric Encryption Algorithms

Exam Security January 19, :30 11:30

Module 2 Advanced Symmetric Ciphers

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

17.1 Binary Codes Normal numbers we use are in base 10, which are called decimal numbers. Each digit can be 10 possible numbers: 0, 1, 2, 9.

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Some approaches to construct MDS matrices over a finite field

Asymmetric Encryption

Practical Complexity Cube Attacks on Round-Reduced Keccak Sponge Function

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

Mathematical Foundations of Cryptography

Cold Boot Key Recovery by Solving Polynomial Systems with Noise

White Box Cryptography: Another Attempt

Notes 10: Public-key cryptography

Introduction to Modern Cryptography Lecture 4

Other Public-Key Cryptosystems

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS

CPSC 467b: Cryptography and Computer Security

Chapter 1 - Linear cryptanalysis.

Introduction to finite fields

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Image Encryption and Decryption Algorithm Using Two Dimensional Cellular Automata Rules In Cryptography

Some integral properties of Rijndael, Grøstl-512 and LANE-256

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Transcription:

A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556, USA e-mail: Rosenthal.1@nd.edu http://www.nd.edu/ rosen/ April 30, 2002 Abstract The paper gives a polynomial description of the Rijndael Advanced Encryption Standard recently adopted by the National Institute of Standards and Technology. Special attention is given to the structure of the S-Box. Index Terms: Advanced encryption standard, Rijndael algorithm, symmetric-key encryption. 1 Introduction On November 26, 2001 the National Institute of Standards and Technology (NIST) announced that the Rijndael encryption algorithm becomes the Advance Encryption Standard. The Rijndael system will be a Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations (and others) to protect sensitive information [1]. Detailed information can be found at the website: http://csrc.nist.gov/encryption/aes/rijndael/ The description [3, 4] supplied by Joan Daemen and Vincent Rijmen, the inventors of the Rijndael encryption algorithm, is very detailed and a reader new to the subject will probably need some time to understand all steps in the algorithm. In this paper we show how the whole algorithm can be quite elegantly described through a sequence of algebraic manipulations in a finite ring. We hope that this description will be helpful in the proliferation of this new important standard. Supported in part by NSF grant DMS-00-72383.

We are aware of some attempts (e.g. [5, 9]) where authors tried to explore an algebraic description of the so called S-Box, the main non-linear part of the Rijndael system. We are explaining in this paper why the S-Box can be described through a sparse polynomial. There is however no attempt done to explore this description further in order to find any weakness of the system. We also derive the interpolation polynomial of the inverse S-Box and we describe the cycle decomposition of the S-Box. The most detailed description of Rijndael can be found in the new book [4]. This book gives many details on the design philosophy and implementation aspects, something we do not address in this paper. During the preparation of this paper we found the description of Rijndael as given in [10] useful. We want to thank U. Maurer for pointing us to an algebraic description of Rijndael recently provided by H. W. Lenstra [6]. 2 The Rijndael Algorithm Let Z 2 = {0, 1} be the binary field and consider the irreducible polynomial µ(z) := z 8 + z 4 + z 3 + z + 1 Z 2 [z]. Let F := Z 2 [z]/ < µ(z) >= GF(256) be the Galois field of 2 8 elements and consider the ideal: I :=< x 4 + 1, y 4 + 1, µ(z) > Z 2 [x, y, z]. We will describe the Rijndael algorithm through a sequence of polynomial manipulations inside the finite ring R := Z 2 [x, y, z]/i = F[x, y]/ < x 4 + 1, y 4 + 1 >. (2.1) The ring R has simultaneously the structure of a finite Z 2 -algebra and the structure of a finite F-algebra as above description makes it clear. The monomials { x i y j z k 0 i, j 3, 0 k 7 } form a Z 2 -basis of the ring (algebra) R. In particular dim Z2 R = 128, i.e. R = 2 128. Computations in the ring R can be done very efficiently. Addition in R is done componentwise and multiplication in R is done through multiplication in Z 2 [x, y, z] followed by reduction modulo the ideal I. Remark 2.1 One readily verifies that x 4 + 1, y 4 + 1, µ(z) forms a reduced Gröbner basis of the ideal I which is also a zero-dimensional ideal. As a consequence the reduction modulo I is very easy. More details about finite dimensional algebras and zero dimensional ideals can be found in [2, Chapter 2]. Whenever r R is an element we will define elements r i,j F and r j F[x]/ < x 4 + 1 > through: ( r = r i,j x i y j = r i,j x )y i j = r j y j. (2.2) 2

On an abstract level a secret key crypto-system consist of a message space M, a cipher space C and a key space K together with an encryption map and a decryption map ε : M K C δ : C K M such that δ(ε(m, k), k) = m for all m M and k K. It should be computationally not feasible to compute the secret key k K from a sequence of plain-text/cipher-text pairs ( m (t), c (t) = ε(m (t), k) ), t = 1, 2,.... In the Rijndael AES system one has the possibility to work with secret keys consisting of 128 bits, 192 bits or 256 bits respectively. We will describe the system when K = 2 128 and will indicate in Section 3 how to adapt the algebraic description to the other situations. For the Rijndael algorithm we define K = M = C = R. Crucial for the description will be the following polynomial: ϕ(u) := ( z 2 + 1 ) u 254 + ( z 3 + 1 ) u 253 + ( z 7 + z 6 + z 5 + z 4 + z 3 + 1 ) u 251 + ( z 5 + z 2 + 1 ) u 247 + ( z 7 + z 6 + z 5 + z 4 + z 2) u 239 + u 223 + ( z 7 + z 5 + z 4 + z 2 + 1 ) u 191 + ( z 7 + z 3 + z 2 + z + 1 ) u 127 + (z 6 + z 5 + z + 1) F[u]. (2.3) Assume Alice and Bob share a common secret key k R and Alice wants to encrypt the message m R. In a first step both Alice and Bob do a key expansion which will result in 10 elements k (t) R t = 0,..., 9. Key expansion: Using the notation introduced in Equation (2.2), both Alice and Bob compute recursively 10 elements k (t) R, t = 0,..., 9 in the following way: k (0) k (t+1) 0 := k (t+1) i := ( k := k (t+1) i 1 ϕ(k (t) i,3 )xi ) x 3 + z t + k (t) 0 for t = 0,..., 9. + k (t) i for t = 0,..., 9, i = 1, 2, 3. In order to describe the actual encryption algorithm we define the ring element: γ := (z + 1)x 3 + x 2 + x + z R. 3

Rijndael encryption algorithm: Using the round keys k (t) R and starting with the message m R Alice computes recursively: m (0) := m + k (0) := γ m (t+1) c := m (10) := ϕ(m (t) i,j )xi y 3i+j + k (t+1) for t = 0,..., 8. ϕ(m (9) i,j )xi y 3i+j + k (10) The cipher to be transmitted by Alice is c. Note that in the 10th round no multiplication by γ happens. This will make sure that the decryption process follows formally the same algebraic process as we will show next. Rijndael decryption algorithm: The polynomial ϕ introduced in (2.3) is a permutation polynomial describing a permutation of the elements of F. See Sections 3, 4 for more details. There is a unique permutation polynomial ψ(u) F[u] of degree at most 255 such that ϕ ψ = ψ ϕ = id F and we will derive this polynomial in Section 4. The element γ R is invertible with γ 1 := (z 3 + z + 1)x 3 + (z 3 + z 2 + 1)x 2 + (z 3 + 1)x + (z 3 + z 2 + z) R. Using the map ψ, the element γ 1 and the round keys k (t) Bob can decipher the message m of Alice through: c (0) := c + k (10) c (t+1) := γ 1 c (10) := ψ(c (t) i,j )xi y i+j + γ 1 k (9 t) for t = 0,..., 8. ψ(c (9) i,j )xi y i+j + k (0) One readily verifies that m = c (10). Note that formally both the encryption schedule and the decryption schedule follow the same sequence of transformations. ϕ is simply replaced by ψ, multiplication by γ is substituted with multiplication by γ 1 and the key schedule is changed replacing k (t), t = 0,..., 10 with k (10), γ 1 k (9),..., γ 1 k (1), k (0). Remark 2.2 Both encryption and decryption can be done very efficiently. In practice the polynomials ϕ and ψ are not evaluated and a look up table describing the permutations ϕ, ψ : F F is used instead. Substituting exponents x i y j x i y 3i+j does not require any arithmetic and adding a round key k (t+1) is efficiently done through Boolean XOR operations. Arithmetic computations are required when multiplying by γ respectively by γ 1. Since in general multiplication by γ is slightly easier than multiplication by γ 1 the decryption algorithm takes in general slightly longer than the encryption algorithm. 4

Remark 2.3 (Compare with [4, page 55] and [6]). γ was chosen such that multiplication by γ can be done with a minimal branch number and in the same time a good diffusion of F[x]/ < x 4 + 1 > is guaranteed. We are not convinced that the choice of γ was optimal for the latter as it has a very small order in R. A direct computation shows that γ has order 4. With this we also have an easy expression for γ 1 : γ 1 = γ 3 = γ 2 γ = (z 2 x 2 + z 2 + 1)γ. (2.4) Instead of multiplying by γ 1 it is therefore possible to multiply three times by γ or alternatively one can pre-process the multiplication of γ by the multiplication of (z 2 x 2 + z 2 + 1). This is more efficient than multiplying the full expression by γ 1. Remark 2.4 We made a computer search for interesting factorizations of γ 1. It seems that the factorization (2.4) is probably the easiest for computation purposes. The following is a related interesting factorization which we found: γ 1 = (zx 3 + z + 1)(x 3 + (z 2 + 1)x 2 + x + z 2 ) (2.5) 3 Relation to the Standard Description In the original description of the Rijndael algorithm the ring R was not used. Instead sets of elements having 128 bits were described by a 4 4 array each containing one byte, i.e. 8 bits. In order to relate the descriptions assign to each element r = 3 3 r i,jx i y j the 4 4 array r 0,0 r 0,1 r 0,2 r 0,3 r 1,0 r 1,1 r 1,2 r 1,3 r 2,0 r 2,1 r 2,2 r 2,3 r 3,0 r 3,1 r 3,2 r 3,3 where each element r i,j F is viewed as one byte. Using a specific schedule the following operations are applied: S-Box Transformation: In this operation each element r i,j F is changed using a permutation ϕ of the symmetric group of 256 elements. The permutation ϕ decomposes into three permutations: { f 1 if f 0, ϕ 1 : F F, f (3.1) 0 if f = 0. L : F F, f (z 4 + z 3 + z 2 + z + 1)f mod z 8 + 1. (3.2) ϕ 3 : F F, f z 6 + z 5 + z + 1 + f. (3.3) The permutation ϕ is defined as ϕ := ϕ 3 L ϕ 1. It is possible to describe the permutation ϕ using a permutation polynomial. For this note that any permutation of F can also be 5

described through a unique interpolation polynomial (an element of F[u]) having degree at most 255. We will denote this unique polynomial describing the permutation ϕ with ϕ(u). The context will always make it clear if we view ϕ as a permutation or as a polynomial ϕ(u) F[u]. This unique permutation polynomial can be computed in the following way. If α 0 then 254 T α (u) := u α i u 254 i is the unique Lagrange interpolant having the property that { 1 if α = β, T α (β) = 0 otherwise. If α = 0 then T α (u) = u 255 + 1 is the unique Lagrange interpolant. The unique polynomial ϕ(u) F[u] is then readily computed using a symbolic algebra program as ϕ(u) = α F ϕ(α)t α(u). This computation was already done by Daemen and Rijmen in their original proposal and the polynomial ϕ can be found in [3, Subsection 8.5.] The ShiftRow Transformation: In this operation the bytes of the ith row are cyclically shifted by i positions. Algebraically this operation has a simple interpretation. For this consider an element r = r(x, y) R as described in (2.2). The ShiftRow corresponds then simply to the transformation: r = r(x, y) r(xy 3, y). This then translates in the encryption algorithm to replace the monom x i y j with the monom x i y 3i+j. The inverse of the ShiftRow transformation is r = r(x, y) r(xy, y) which translates into the replacement of x i y j with the monom x i y i+j. The MixColumn Transformation: In this transformation each column r j = 3 r i,jx i is multiplied by the element γ. Add Round Key: In this step the t-th round key k (t) is added. The schedule of operation is as follows: In the zero round the round key k (0) is simply added. In rounds 1-9 do the operations S-Box, ShiftRow, MixColumn and Add Round Key. In the 10th round do only S-Box, ShiftRow and Add Round Key. We have given the algebraic description for this schedule. 3.1 AES-192 and AES-256 Until now we described Rijndael when the key size and the message size have 128 bits. This system is referred to as AES-128. In the original description [3] one had the possibility to vary both the size of the message blocks and the size of the secret keys. 6

In the adopted standard [1] the size of the message blocks are always taken to be 128 bits. In AES-192 and in AES-256 the secret key size consists of 192 respectively 256 bits. In order to run these presumably more secure algorithms it will be necessary to change the key expansion schedule of the last section. In AES-192 13 elements k (t) R, t = 0,..., 12 are computed from the original 192 bits and the Rijndael algorithm runs over 12 rounds. In AES-256 15 elements k (t) R, t = 0,..., 14 are computed from the original 192 bits and the Rijndael algorithm runs over 14 rounds. Other than this there seems to be no difference and details can be found in [1, 4]. 4 The Structure of the S-Box Except for the transformation of the S-Box all transformations are Z 2 linear. An understanding of the S-Box is therefore most crucial. Surprisingly the permutation polynomial ϕ(u) is very sparse and we explain in this section why this is the case. The permutation ϕ is the composition of the maps ϕ 1, L and ϕ 3. We will describe the permutation polynomial for each of them. The permutation polynomial for the map ϕ 1 is simply given by ϕ 1 (u) = u 254. The permutation L is a Z 2 linear map. Because of this reason there is a unique linearized polynomial (see [8, Chapter 3]) L(u) = 7 λ iu 2i F[u] such that L(f) = L(f) for all f F. If α 1,..., α 8 is a any basis of F over the prime field Z 2 then it is possible to compute the coefficients λ 0, λ 1,..., λ 7 through the linear equations: L(α j ) = 7 λ i α 2i j = L(α j ), j = 1,..., 8. This system of linear equations can be solved explicitly. For this let β 1,..., β 8 be the dual basis (see e.g. [8, Chapter 3]) of α 1,..., α 8 characterized through the requirement: Tr F/Z2 (α i β j ) = { 1 if i = j, 0 if i j. Introduce the matrices: A := α 1 α1 2 α1 4... α1 27 α 2 α2 2 α2 4... α2 27... α 8 α8 2 α8 4... α8 27 B := β 1 β 2... β 8 β1 2 β2 2... β8 2 β1 4 β2 4... β8 4... β1 27 β2 27... β8 27 Assuming that β 1,..., β 8 is the dual basis of α 1,..., α 8 simply means that AB = I 8. 7

Let S be the change of basis transformation such that α 1 1 α 2 ẓ and consider the matrix L :=. α 8 = S. z 7 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 which describes the linear map introduced in (3.2) with respect to the polynomial basis 1, z, z 2,..., z 7. Then one has: Lemma 4.1 The coefficients λ 0, λ 1,..., λ 7 of the permutation polynomial L(u) are given as: λ 0 α 1 λ 1. = BSLt S 1 α 2.. (4.1) λ 7 Proof: SL t S 1 describes the change of basis of the linear map L with regard to the basis α 1,..., α 8. In order to explicitly compute the coefficients λ 0, λ 1,..., λ 7 we can work with the polynomial basis 1, z, z 2,..., z 7 (in which case S = I 8 ). Alternatively we can work with a normal basis. We explain the computation for a normal basis. Let α := z 5 + 1 F. One verifies e.g. with the computer program Maple that α is a primitive of F and that {α i := α 2i 1 i = 1,..., 8} forms a normal basis. Such bases are called primitive normal bases. α is special in the sense that it is the first element of F with respect to lexicographic order which is both a primitive and the generator of a normal basis. Remark 4.2 The existence of primitive normal bases has been established by Lenstra and Schoof [7] for every finite extension GF(q m ) of a finite field GF(q). Probably the nicest possible basis a finite field can have is a primitive normal basis which is also self-dual. We verified by computer search that GF(256) does not have a self-dual, primitive normal basis. 8 α 8

The dual basis of {α 1,..., α 8 } is readily computed using Maple as {β j := β 2j 1 j = 1,..., 8}, where β = z 5 +z 4 +z 2 +1. It is a well known fact that the dual basis of a normal basis is normal as well. The change of basis transformation is computed in this case as: S = With this one readily computes: λ 0 λ 1. λ 7 = BSLt S 1 1 0 0 0 0 1 0 0 1 0 1 1 0 1 1 0 0 1 1 0 1 0 0 1 1 0 1 0 1 0 0 1 0 0 0 0 1 0 0 1 1 0 0 0 0 0 0 1 1 1 0 1 1 0 0 1 0 0 1 0 0 0 1 1 α α 2. α 27 =. z 2 + 1 z 3 + 1 z 7 + z 6 + z 5 + z 4 + z 3 + 1 z 5 + z 2 + 1 z 7 + z 6 + z 5 + z 4 + z 2 1 z 7 + z 5 + z 4 + z 2 + 1 z 7 + z 3 + z 2 + z + 1. (4.2) The elements λ i already agree with the non-constant coefficients of ϕ introduced in (2.3) up to order. In order to get the exact form we need a polynomial description of the permutation ϕ 3 introduced in (3.3). Clearly the linear polynomial ϕ 3 (u) := u + 1 + z + z 5 + z 6 F[u] interpolates the affine map ϕ 3. Concatenating the three polynomial maps we get: ϕ(u) = ϕ 3 L ϕ 1 (u) = 1 + z + z 5 + z 6 + L(u 254 ) mod u 256 + u. Note that L has at most 8 nonzero coefficients. Reducing L(u 254 ) by the relation u 256 = u will not change this and this explains the sparsity of the polynomial ϕ(u). The fact that the permutation polynomial ϕ(u) is sparse does not imply that the inverse polynomial ψ(u) is sparse. For this note that ψ(u) = ϕ 1 1 L 1 ϕ 1 3 (u) mod u256 + u. As before the coefficients of the polynomial L 1 (u) are computed from: α BS(L 1 ) t S 1 α 2.. (4.3) α 27 9

Using Maple we find: L 1 (u) = ( z 6 + z 5 + z 3 + z 2 + z ) u 128 + ( z 7 + z 6 + z 4 + z 3 + z + 1 ) u 64 + ( z 6 + z 4 + z 3 + 1 ) u 32 + ( z 6 + z 5 + z 4 + z 3) u 16 + ( z 6 + z 4 + z 3 + z ) u 8 + ( z 6 + z 5 + z 4 + z 3 + z 2 + z + 1 ) u 4 + ( z 7 + z 6 + z 5 + z 4 + z 3 + z 2 + z ) u 2 + ( z 2 + 1 ) u F[u]. (4.4) Combining the result with the map ϕ 1 3 (u) one gets: ρ(u) := L 1 ϕ 1 3 (u) = L 1 (u + ϕ 3 (0)) = L 1 (u) + L 1 (ϕ 3 (0)) = L 1 (u) + z 2 + 1. (4.5) A polynomial of the form ρ(u) is sometimes called an affine polynomial [8] reflecting the fact that the map L 1 ϕ 1 3 is affine linear over Z 2. Concatenating ρ(u) with the polynomial ϕ 1 1 (u) = ϕ 1 (u) = u 254 results in a non-sparse polynomial ψ(u) = ρ(u) 254 mod u 256 + u. For completeness we provide the result of the Maple computation. The coefficients are expressed in terms of the primitive α = z 5 + 1. ψ(u) = α 163 u 254 + α 76 u 253 + α 195 u 252 + α 186 u 251 + α 234 u 250 + α 194 u 249 + α 248 u 248 + α 255 u 247 + α 196 u 246 + α 100 u 245 + α 216 u 244 + α 212 u 243 + α 47 u 242 + α 17 u 241 + α 85 u 240 + α 103 u 239 + α 201 u 238 + α 184 u 237 + α 235 u 236 + α 215 u 235 + α 170 u 234 + α 74 u 233 + α 15 u 232 + α 2 u 231 + α 185 u 230 + α 89 u 229 + α 26 u 228 + α 231 u 227 + α 137 u 226 + α 110 u 225 + α 230 u 224 + α 20 u 223 + α 126 u 222 + α 35 u 221 + α 117 u 220 + α 48 u 219 + α 141 u 218 + α 56 u 217 + α 29 u 216 + α 154 u 215 + α 207 u 214 + α 175 u 213 + α 253 u 212 + α 147 u 211 + α 5 u 210 + α 43 u 209 + α 194 u 208 + α 242 u 207 + α 202 u 206 + α 27 u 205 + α 15 u 204 + α 164 u 203 + α 11 u 202 + α 233 u 201 + α 56 u 200 + α 121 u 199 + α 163 u 198 + α 69 u 197 + α 113 u 196 + α 235 u 195 + α 225 u 194 + α 152 u 193 + α 227 u 192 + α 9 u 191 + α 78 u 190 + α 234 u 189 + α 57 u 188 + α 136 u 187 + α 115 u 186 + α 128 u 185 + α 57 u 184 + α 223 u 183 + α 228 u 182 + α 110 u 181 + α 249 u 180 + α 83 u 179 + α 55 u 178 + α 55 u 177 + α 32 u 176 + α 94 u 175 + α 71 u 174 + α 88 u 173 + α 94 u 172 + α 45 u 171 + α 218 u 170 + α 157 u 169 + α 73 u 168 + α 209 u 167 + α 21 u 166 + α 122 u 165 + α 127 u 164 + α 206 u 163 + α 19 u 162 + α 189 u 161 + α 89 u 160 + α 177 u 159 + α 192 u 158 + α 211 u 157 + α 99 u 156 + α 195 u 155 + α 14 u 154 + α 172 u 153 + α 67 u 152 + α 136 u 151 + α 6 u 150 + α 122 u 149 + α 102 u 148 +α 198 u 147 +α 14 u 146 +α 130 u 145 +α 102 u 144 +α 129 u 143 +α 246 u 142 +α 187 u 141 +α 85 u 140 +α 181 u 139 +α 169 u 138 +α 230 u 137 +α 21 u 136 +α 234 u 135 +α 138 u 134 +α 104 u 133 +α 26 u 132 +α 229 u 131 +α 177 u 130 +α 168 u 129 +α 245 u 128 + α 13 u 127 + α 142 u 126 + α 96 u 125 + α 240 u 124 + α 224 u 123 + α 32 u 122 + α 228 u 121 + α 68 u 120 + α 125 u 119 + α 147 u 118 + α 19 u 117 + α 78 u 116 + α 51 u 115 + α 114 u 114 + α 87 u 113 + α 120 u 112 + α 5 u 111 + α 209 u 110 + α 51 u 109 + α 39 u 108 + α 47 u 107 + α 109 u 106 + α 159 u 105 + α 203 u 104 + α 202 u 103 + α 9 u 102 + α 238 u 101 + α 44 u 100 + α 188 u 99 + α 234 u 98 +α 59 u 97 +α 15 u 96 +α 131 u 95 +α 173 u 94 +α 135 u 93 +α 244 u 92 +α 216 u 91 +α 50 u 90 +α 218 u 89 +α 250 u 88 +α 108 u 87 + α 192 u 86 + α 45 u 85 + α 53 u 84 + α 186 u 83 + α 92 u 82 + α 74 u 81 + α 157 u 80 + α 172 u 79 + α 99 u 78 + α 209 u 77 + α 236 u 76 +α 212 u 75 +α 44 u 74 +α 209 u 73 +α 175 u 72 +α 101 u 71 +α 41 u 70 +α 51 u 69 +α 163 u 68 +α 183 u 67 +α 245 u 66 +α 169 u 65 + α 58 u 64 + α 5 u 63 + α 68 u 62 + α 63 u 61 + α 202 u 60 + α 138 u 59 + α 204 u 58 + α 109 u 57 + α 173 u 56 + α 214 u 55 + α 61 u 54 +α 255 u 53 +α 185 u 52 +α 249 u 51 +α 153 u 50 +α 143 u 49 +α 206 u 48 +α 163 u 47 +α 43 u 46 +α 202 u 45 +α 156 u 44 +α 70 u 43 + α 2 u 42 + α 45 u 41 + α 81 u 40 + α 43 u 39 + α 121 u 38 + α 90 u 37 + α 101 u 36 + α 252 u 35 + α 42 u 34 + α 176 u 33 + α 201 u 32 + α 22 u 31 + α 135 u 30 + α 250 u 29 + α 176 u 28 + α 76 u 27 + α 90 u 26 + α 247 u 25 + α 220 u 24 + α 123 u 23 + α 76 u 22 + α u 21 + α 180 u 20 + α 108 u 19 + α 222 u 18 + α 54 u 17 + α 46 u 16 + α 89 u 15 + α 240 u 14 + α 235 u 13 + α 208 u 12 + α 194 u 11 + α 2 u 10 + α 201 u 9 + α 67 u 8 + α 247 u 7 + α 56 u 6 + α 132 u 5 + α 16 u 4 + α 242 u 3 + α 223 u 2 + α 243 u + α 92 10

Other than the fact that ψ(u) = ρ(u) 254 mod u 256 + u the author did not observe some regularity in the coefficients of ψ(u). The complicated algebraic structure of the inverse S-Box shows that an algebraic attack on Rijndael which tries to recursively solve the decryption equations might be very hard indeed. Since ϕ(u) is much more sparse it might be more feasible to derive algebraic expressions of several rounds of the encryption schedule. Ferguson, Schroeppel and Whiting [5] show a way to describe multiple rounds of the Rijndael algorithm using some continued fraction expansion. The derived formulas look very appealing. It is however not clear if there is any way to solve these formulas by algebraic means. Although algebraic expressions for several rounds of Rijndael were derived it is our belief that a compact polynomial description of several rounds of Rijndael will result in an explosion of the variables. Further research on this question will be needed. In the last part of this section we provide the cycle decomposition for the permutation of the S-Box. For this let α = z 5 + 1. We describe the cycles [β, ϕ(β), ϕ(ϕ(β)),...] expressed in terms of the primitive α: [α, α 113, α 139, α 115, α 211, α 233, α 45, α 150, α 25, α 6, α 96, α 133, α 138, α 80, α 184, α 130, α 119, α 116, α 222, α 164, α 79, α 114, α 9, α 165, α 160, α 98, α 81, α 131, α 215, α 181, α 200, α 125, α 143, α 41, α 179, α 202, α 157, α 70, α 146, α 92, 0, α 210, α 232, α 117, α 11, α 192, α 72, α 185, α 212, α 21, α 105, α 163, α 216, α 78, α 48, α 174, α 198, α 209, α 176, α] [α 2, α 112, α 37, α 161, α 242, α 50, α 240, α 26, α 0, α 42, α 245, α 168, α 10, α 228, α 229, α 251, α 29, α 76, α 247, α 223, α 243, α 17, α 49, α 197, α 225, α 3, α 104, α 106, α 55, α 32, α 204, α 203, α 132, α 206, α 19, α 226, α 107, α 84, α 152, α 231, α 142, α 159, α 140, α 110, α 162, α 170, α 248, α 127, α 82, α 148, α 180, α 151, α 31, α 88, α 227, α 237, α 85, α 43, α 95, α 218, α 71, α 177, α 121, α 65, α 188, α 186, α 77, α 23, α 187, α 238, α 167, α 52, α 145, α 136, α 149, α 147, α 123, α 224, α 20, α 134, α 195, α 2 ] [α 4, α 16, α 69, α 7, α 62, α 34, α 183, α 172, α 208, α 129, α 220, α 91, α 230, α 153, α 87, α 102, α 234, α 93, α 51, α 73, α 155, α 196, α 253, α 124, α 101, α 66, α 235, α 252, α 193, α 18, α 94, α 90, α 144, α 83, α 5, α 47, α 194, α 244, α 118, α 173, α 120, α 199, α 250, α 63, α 156, α 109, α 221, α 30, α 86, α 46, α 126, α 56, α 44, α 249, α 33, α 24, α 201, α 205, α 191, α 128, α 67, α 219, α 239, α 15, α 217, α 103, α 141, α 169, α 241, α 214, α 59, α 154, α 207, α 175, α 178, α 36, α 97, α 13, α 28, α 12, α 74, α 182, α 8, α 14, α 58, α 108, α 75, α 4 ] [α 22, α 135, α 64, α 158, α 190, α 189, α 100, α 40, α 60, α 39, α 99, α 61, α 111, α 166, α 213, α 27, α 89, α 246, α 171, α 137, α 122, α 254, α 35, α 57, α 53, α 236, α 68, α 22 ] [α 38, α 54, α 38 ] It follows that ϕ has cycle lengths 59, 81, 87, 27 and 2 and order lcm (59, 81, 87, 27, 2) = 277, 182 confirming the result given by Lenstra [6]. We would like to remark that the largest order an element of the symmetric group of 256 elements can have is 451,129,701,092,070. In comparison to this the order of ϕ is not very large. 11

5 Conclusion In this paper we provided a description of the Advanced Encryption Standard Rijndael which involved a series of polynomial transformations in a finite ring R. Special attention was given to derive the permutation polynomials describing the S-Box and the inverse S-Box of the Rijndael system. References [1] Federal information processing standards publication 197, advanced encryption standard, November 2001. Available at http://csrc.nist.gov/publications/fips/fips197/fips- 197.pdf. [2] D. Cox, J. Little, and D. O Shea. Using Algebraic Geometry. Springer-Verlag, New York, 1998. [3] J. Daemen and V. Rijmen. AES Proposal Rijndael, September 1999. AES algorithm submission, available at http://csrc.nist.gov/encryption/aes/rijndael/. [4] J. Daemen and V. Rijmen. The Design of Rijndael: AES The Advanced Encryption Standard. Springer-Verlag, Berlin Heidelberg, 2002. [5] N. Ferguson, R. Schroeppel, and D. Whiting. A simple algebraic representation of Rijndael. In A.M. Vaudenay, S. Youssef, editor, Selected Areas in Cryptography, LNCS number 2259, pages 103 111. Springer Verlag, Berlin, December 2001. [6] H. W. Lenstra, Jr. Rijndael for algebraists, April 2002. Preprint: http://math.berkeley.edu/ hwl/. [7] H. W. Lenstra, Jr. and R. J. Schoof. Primitive normal bases for finite fields. Math. Comp., 48(177):217 231, 1987. [8] R. Lidl and H. Niederreiter. Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge, London, 1994. Revised edition. [9] S. Murphy and M. Robshaw. New observations on Rijndael, August 2000. Preprint: http://www.isg.rhul.ac.uk/ mrobshaw/rijndael.pdf. [10] W. Trappe and L. C. Washington. Introduction to Cryptography with Coding Theory. Prentice Hall, Upper Saddle River, New Jersey, 2002. 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback