E-Book Overview
This book, by the designers of the block cipher, presents Rijndael from scratch. The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked. Subsequent chapters review all known attacks against the Rijndael structure and deal with implementation and optimization issues. In addition, other ciphers related to Rijndael are presented.
E-Book Content
Joan Daemen · Vincent Rijmen
The Design of Rijndael
AES - The Advanced Encryption Standard
With 48 Figures and 17 Tables
Springer Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo
Foreword
Joan Daemen
Proton World International (PWI)
Zweefvliegtuigstraat 10
1130 Brussels, Belgium

Vincent Rijmen
Cryptomathic NV
Lei Sa
3000 Leuven, Belgium
Library of Congress Cataloging-in-Publication Data
Daemen, Joan, 1965-
The design of Rijndael: AES - The Advanced Encryption Standard / Joan Daemen, Vincent Rijmen. p. cm.
Includes bibliographical references and index.
ISBN 3540425802 (alk. paper)
1. Computer security - Passwords. 2. Data encryption (Computer science) I. Rijmen, Vincent, 1970- II. Title
QA76.9.A25 D32 2001
005.8-dc21
2001049851
ACM Subject Classification (1998): E.3, C.2, D.4.6, K.6.5
ISBN 3-540-42580-2 Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
Springer-Verlag Berlin Heidelberg New York, a member of BertelsmannSpringer Science+Business Media GmbH
http://www.springer.de
© Springer-Verlag Berlin Heidelberg 2002
Printed in Germany
The use of general descriptive names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Typesetting: Camera-ready by the authors
Cover Design: KünkelLopka, Heidelberg
The structure $\langle F[x]|_n, +, \cdot \rangle$ is a commutative ring. For special choices of the reduction polynomial $m(x)$, the structure becomes a field.

Strings of bits are often abbreviated using hexadecimal notation. The polynomial $x^6 + x^4 + x^2 + x + 1$ corresponds to the bit string 01010111, or 57 in hexadecimal notation.
$$a(x) \times b(x) + m(x) \times c(x) = \gcd(a(x), m(x)). \qquad (2.25)$$

Here $\gcd(a(x), m(x))$ denotes the greatest common divisor of the polynomials $a(x)$ and $m(x)$. For every nonzero $a(x)$ of degree less than that of $m(x)$, this gcd is equal to 1 iff $m(x)$ is irreducible; the zero polynomial has no inverse in any case. Applying modular reduction to (2.25), we get:

$$a(x) \times b(x) \equiv 1 \pmod{m(x)}, \qquad (2.26)$$

which means that $b(x)$ is the inverse element of $a(x)$ for the definition of the multiplication '$\cdot$' given in (2.24).

Conclusion. Let $F$ be the field $\mathrm{GF}(p)$. With a suitable choice for the reduction polynomial, the structure $\langle F[x]|_n, +, \cdot \rangle$ is a field with $p^n$ elements, usually denoted by $\mathrm{GF}(p^n)$.
since:

$$(x^6 + x^4 + x^2 + x + 1) \oplus (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2 + (1 \oplus 1)x + (1 \oplus 1)$$
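The following is an added worked example, not code from the book or from the Rijndael reference implementation. It represents polynomials over GF(2) as Python integers (bit $i$ is the coefficient of $x^i$), so the hexadecimal shorthand of the bit-string passage above, addition as XOR, multiplication modulo $m(x)$ and the extended Euclidean derivation of (2.25) and (2.26) can all be run and checked. Two reduction polynomials are assumed for illustration: $x^8 + x^4 + x^3 + x + 1$ (0x11B), which is the irreducible polynomial Rijndael uses, and $x^8 + 1$ (0x101), which is reducible and therefore only gives a ring, not a field. The names `poly_egcd`, `gf_mul`, `gf_inv` and `is_irreducible` are this example's own.

```python
# Added example (not from the book): GF(2^n) arithmetic on polynomials over
# GF(2) stored as Python ints (bit i = coefficient of x^i).  Demonstrates the
# hexadecimal shorthand, addition as XOR, multiplication modulo m(x) and the
# extended Euclidean algorithm behind (2.25)/(2.26), plus the caveat that a
# reducible m(x) leaves some nonzero elements without an inverse.
# The two moduli below are assumptions of this example, not taken from the excerpt.
RIJNDAEL_M = 0x11B    # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial Rijndael uses
REDUCIBLE_M = 0x101   # x^8 + 1 = (x + 1)^8, a deliberately bad choice


def poly_deg(p: int) -> int:
    """Degree of p(x); -1 for the zero polynomial."""
    return p.bit_length() - 1


def poly_str(p: int) -> str:
    """Render a polynomial in the book's notation, e.g. 0x57 -> 'x^6 + x^4 + x^2 + x + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(poly_deg(p), -1, -1):
        if (p >> i) & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms)


def poly_add(a: int, b: int) -> int:
    """Coefficient-wise addition mod 2 is just the XOR of the two bit strings."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Carry-less (GF(2)) multiplication with no reduction; degree may exceed n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int) -> tuple[int, int]:
    """Long division of a(x) by b(x) over GF(2); returns (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a and poly_deg(a) >= poly_deg(b):
        shift = poly_deg(a) - poly_deg(b)
        q ^= 1 << shift
        a ^= b << shift          # clears the leading coefficient of a
    return q, a


def poly_egcd(a: int, m: int) -> tuple[int, int, int]:
    """Extended Euclid: returns (g, b, c) with a*b + m*c = g = gcd(a, m), i.e. equation (2.25)."""
    r0, r1, s0, s1, t0, t1 = a, m, 1, 0, 0, 1    # invariant: r_i = a*s_i + m*t_i
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return r0, s0, t0


def is_irreducible(m: int) -> bool:
    """Brute-force check: m(x) has no divisor of degree 1 .. deg(m)/2 (fine for small n)."""
    for d in range(2, 1 << (poly_deg(m) // 2 + 1)):
        if poly_divmod(m, d)[1] == 0:
            return False
    return True


def gf_mul(a: int, b: int, m: int = RIJNDAEL_M) -> int:
    """The multiplication '.' of (2.24): multiply, then reduce modulo m(x)."""
    return poly_divmod(poly_mul(a, b), m)[1]


def has_inverse(a: int, m: int = RIJNDAEL_M) -> bool:
    """True iff gcd(a(x), m(x)) = 1, the condition under which (2.26) holds."""
    return poly_egcd(a, m)[0] == 1


def gf_inv(a: int, m: int = RIJNDAEL_M) -> int:
    """Inverse via (2.25)/(2.26).  Fails for a = 0, and for some a when m(x) is reducible."""
    g, b, _ = poly_egcd(a, m)
    if g != 1:
        raise ValueError(f"{a:#x} has no inverse modulo {m:#x}: gcd is {g:#x} ({poly_str(g)})")
    return poly_divmod(b, m)[1]     # reduce the Bezout coefficient into the field


if __name__ == "__main__":
    print(f"0x57 = {poly_str(0x57)}")
    print(f"0x57 + 0x83 = {poly_add(0x57, 0x83):#04x}      (XOR of the bit strings)")
    print(f"0x57 * 0x83 = {gf_mul(0x57, 0x83):#04x}      (mod {poly_str(RIJNDAEL_M)})")
    g, b, c = poly_egcd(0x57, RIJNDAEL_M)
    print(f"(2.25): gcd = {g:#x}, b(x) = {poly_str(b)}, c(x) = {poly_str(c)}")
    print(f"inverse of 0x57 = {gf_inv(0x57):#04x}, check: {gf_mul(0x57, gf_inv(0x57)):#x}")
    print(f"0x11B irreducible: {is_irreducible(RIJNDAEL_M)}; 0x101 irreducible: {is_irreducible(REDUCIBLE_M)}")
    print(f"0x03 invertible mod 0x101: {has_inverse(0x03, REDUCIBLE_M)}")
```

The `gf_inv` failure path is the practical content of the "special choices of $m(x)$" remark: with the reducible modulus, $x + 1$ divides both $a(x) = x + 1$ and $m(x)$, so (2.25) yields $\gcd = x + 1$ rather than 1 and no $b(x)$ satisfies (2.26). An implementation that picked such an $m(x)$ would have a non-invertible S-box input, which is exactly what the field structure rules out. `is_irreducible` is a brute-force check that suffices for degree 8; for larger $n$ one would use Rabin's test instead.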