Security of Rijndael
The design of Rijndael practically eliminates the possibility of weak or semi-weak keys, which exist for DES. Moreover, the design of the key schedule virtually eliminates the possibility of equivalent keys. Although the mechanisms of LC and DC can be adjusted to present attacks on Rijndael, it appears that Rijndael's design is sufficient to withstand these cryptanalytic onslaughts, since its S-box is nearly perfect for resistance to DC and the $\mathbb{F}_{2^8}$ equivalent of LC.
A chosen plaintext attack, called the square attack, which is a dedicated attack on the Square cipher, can be used as well, since Rijndael inherited many features from Square. However, for seven or more rounds in Rijndael, no such attack faster than exhaustive key search (see footnote 3.10) has been found. Other attacks, such as Biham's related-key attack, or the interpolation attacks introduced by Jakobsen and Knudsen, have little chance of success against Rijndael due to the diffusion and nonlinearity of Rijndael's key schedule and the complicated construction of the S-box.
The S-box was designed to avoid any suspicions of a trapdoor being built
into the cryptosystem. (Recall that this was a problem with DES; see page 98).
Concluding Comments
Unlike the Feistel structure of the round function, such as in DES, where some of the bits of the intermediate state are simply put into a different position unchanged, the Rijndael round function is comprised of three different invertible transformations, called layers, through which every bit of the state is treated in a similar fashion, called uniformity. The BSB step in each round is a nonlinear mixing layer (confusion). SR is a linear mixing layer (intercolumn diffusion), and MC is also a linear mixing layer (interbyte diffusion within columns). Then there is the key addition layer. These layers ensure that the Rijndael round does not have a Feistel structure. The layers are predominantly based upon the application of what the designers call the Wide Trail Strategy, which is a devised system for providing resistance against LC and DC, discussed in Daemen's doctoral dissertation of March 1995. Essentially this strategy means that MC makes it impossible to find LC and DC attacks that involve “few” active S-boxes.
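The two security claims made on this page, that the S-box is nearly perfect against DC and that MC forces any LC or DC trail to involve many active S-boxes, can both be checked directly. The following Python is an added example, not code from the book: it builds the Rijndael S-box from its algebraic definition (multiplicative inverse in $\mathbb{F}_{2^8}$ followed by an affine map), measures the S-box's differential uniformity (the largest entry of its difference distribution table), and verifies that the MixColumns matrix is MDS, which is exactly the property that gives MC its branch number of 5 and so rules out trails with few active S-boxes. All constants are the published Rijndael ones; the function names are this example's own.

```python
# Added example (not from the book): construct the Rijndael S-box and check
# two properties behind the security claims in the text.
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); Rijndael maps 0 to 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254  # a^254 = a^-1, the group has order 255
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def sbox_entry(x: int) -> int:
    """Rijndael S-box: field inverse, then the affine map over GF(2)."""
    inv = gf_inv(x)
    y = inv
    for s in (1, 2, 3, 4):  # XOR of four left-rotations of the inverse
        y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return y ^ 0x63


SBOX = [sbox_entry(x) for x in range(256)]


def differential_uniformity(sbox) -> int:
    """Largest difference-distribution-table entry over nonzero input
    differences. The optimum for a bijective 8-bit S-box is 2; Rijndael's
    S-box achieves 4, hence 'nearly perfect' resistance to DC."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best


# MixColumns as a circulant matrix over GF(2^8) (entries are field elements).
MIX_COLUMNS = [
    [2, 3, 1, 1],
    [1, 2, 3, 1],
    [1, 1, 2, 3],
    [3, 1, 1, 2],
]


def gf_det(m) -> int:
    """Determinant over GF(2^8) by Laplace expansion; in characteristic 2
    there are no sign alternations, so terms are simply XORed."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total ^= gf_mul(m[0][j], gf_det(minor))
    return total


def is_mds(matrix) -> bool:
    """A square matrix is MDS iff every square submatrix is nonsingular.
    For a 4x4 MDS matrix the branch number is 5: a nonzero input column and
    its output together hold at least five nonzero bytes, so no differential
    or linear trail through MC activates only 'few' S-boxes."""
    n = len(matrix)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[matrix[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return False
    return True
```

Calling `differential_uniformity(SBOX)` returns 4 and `is_mds(MIX_COLUMNS)` returns True; substituting a matrix with a singular 2x2 submatrix (for instance all ones) makes `is_mds` fail, which shows that the branch-number guarantee really depends on the specific MixColumns coefficients rather than on linear mixing in general.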
For further information on Rijndael, such as attacks on reduced rounds and
alternative mathematical methods for describing AES, see [83] and [84]. Also,
for further, relatively recent research on security of AES against LC, see [132].
Rijndael is well tailored to modern processors (Pentium, RISC, and parallel processors). It is also ideally suited for ATM, HDTV, Voice, and Satellite. Uses for Rijndael include MAC by employing it in a CBC-MAC algorithm. It is also possible to use it as a synchronous stream cipher, a pseudorandom number generator, or a self-synchronizing stream cipher (the latter, by using it in CFB mode), and we will learn about all of these concepts in the next section.
3.10 An exhaustive search of the keyspace, or brute force attack, means that all possible keys are tried to see which one is being used by communicating parties.