1996: NIST initiated program to choose Advanced Encryption
Standard to replace DES
❖
Requested algorithm submissions
•
Got 15 of them!
❖
Requirements:
•
Secure for next 50–100 years
•
Faster than 3DES
•
Supports variable length keys (at least 128, 192 and 256 bits)
•
Must be a block cipher
AES: Advanced Encryption Standard
30

❖
Open design
•
DES: design criteria for S-boxes kept secret
•
Open
➠
less chance for subversion
❖
Many decent choices
•
DES: only one acceptable algorithm
•
Less likelihood that the algorithm is “fixed”
❖
Public cryptanalysis efforts before choice
•
Heavy involvements of academic community
•
Leading public cryptographers tried to break it
❖
Very conservative: 4+ year process
AES process
31

❖
15 submissions accepted
❖
Weak ciphers quickly eliminated
•
Magenta broken at conference!
❖
5 finalists selected
•
Security versus performance is main tradeoff
•
Lots of complexity
➠
anything can be made secure
•
Tougher to make simple ciphers secure…
AES: Round 1
32

❖
MARS (IBM)
❖
RC6 (Rivest, et. al.)
❖
Rijndael (top Belgium cryptographers)
❖
Serpent (Anderson, Biham, Knudsen)
❖
Twofish (Schneier, et. al.)
AES finalists
33

❖
[Schneier93]
❖
64-bit block cipher
❖
Much faster than DES
❖
Variable key length: 32-448 bits
❖
Many attempted crytanalyses,
none successful yet
❖
Widely used: ssh, OpenBSD
Blowfish
34

❖
Differential cryptanalysis depends on analyzing S-box input/
output different probabilities
❖
Prevent this by making the S-boxes key-dependent
•
S-boxes differ by key, so no
a priori
analysis
❖
Problem for AES: too much setup time & space
•
Must run algorithm 521 times to set up S-boxes
❖
Solution: Twofish
•
Provides options for how many key-dependent S-boxes
•
Trade off security for time-space
•
Does other things
•
Increases block size (128 required by AES)
•
Changes key schedule
•
Other stuff…
Key-dependent S-boxes
35

❖
Mathematical constants have good pseudorandom distribution
•
Transcendental, so not predictable
•
Generate as many digits as needed…
❖
Since they are public and well-known, little fear that choice is a
trap door
•
Still could be there, but just how powerful is the NSA?
❖
Used by RC5, RC6, Blowfish, etc. to help generate magic
constants
Why use π/e/Φin cryptography?
36

Choosing AES
37
Cipher
Speed
(32 bits)
Speed
(8 bits)
Safety
factor
Simplicity
(code size)
Cycles per
byte encrypted
Serpent
62
69
3.56
341 KB
MARS
23
34
1.9
85 KB
RC6
15
43
1.18
48 KB
Rijndael
18
20
1.33
98 KB
Twofish
16
18
2.67
104 KB

❖
Rijndael chosen as AES algorithm
❖
Key characteristics
•
Fast
•
Small
•
Well-understood characteristics
❖
Twofish drawbacks
•
Key-dependent S-boxes not well-understood
•
Full implementation was a memory and space hog
•
OK for some applications, but not for smart cards…
And the winner is…
38