Polynomials in the Nation's Service: Using Algebra to Design the Advanced Encryption Standard

1. INTRODUCTION. Cryptography, the science of transforming communications so that only the intended recipient can understand them, should be a mathematician's playground. Certain aspects of cryptography are indeed quite mathematical. Public-key cryptography, in which the encryption key is public but only the intended recipient holds the decryption key, is an excellent demonstration of this. Both Diffie-Hellman key exchange and the RSA encryption algorithm rely on elementary number theory, while elliptic curves power more advanced public-key systems [21], [4]. But while public key has captured mathematicians' attention, such cryptography is in fact a show horse, far too slow for most needs. Public key is typically used only for key exchange. Once a key is established, the workhorses of encryption, private- or symmetric-key cryptosystems, take over. While Boolean functions are the mainstay of private-key cryptosystems, until recently most private-key cryptosystems were an odd collection of tricks, lacking an overarching mathematical theory. That changed in 2001, with the U.S. government's choice of Rijndael¹ as the Advanced Encryption Standard. Polynomials provide Rijndael's structure and yield proofs of security. Cryptographic design may not yet fully be a science, but Rijndael's polynomials brought to cryptographic design "more matter, with less art" (Hamlet, act 2, scene 2, 97).

Rijndael is a "block-structured cryptosystem," encrypting 128-bit blocks of data using a 128-, 192-, or 256-bit key. Rijndael variously uses $x^{-1}$, $x^7 + x^6 + x^2 + x$, $x^7 + x^6 + x^5 + x^4 + 1$, $x^4 + 1$, $3x^3 + x^2 + x + 2$, and $x^8 + 1$ to provide cryptographic security. (Of course, $x^{-1}$ is not strictly a polynomial, but in the finite field $GF(2^8)$ we have $x^{-1} = x^{254}$, and so we will consider it one.) In this paper I will show how polynomials came to play a critical role in what may become the most widely-used algorithm of the new century.
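The claim above that $x^{-1} = x^{254}$ in $GF(2^8)$, together with the use of $3x^3 + x^2 + x + 2$ modulo $x^4 + 1$, worked through in Python as an added example (not code from the paper). It assumes the AES field modulus $x^8 + x^4 + x^3 + x + 1$, which this extract does not state, and checks the column step against the MixColumns test vector published in FIPS-197.

```python
# Added example (not code from the paper): GF(2^8) arithmetic behind two of the
# polynomials listed above. Assumes the AES field modulus x^8+x^4+x^3+x+1
# (0x11b, from FIPS-197); the page itself does not state that polynomial.
AES_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements as polynomials over GF(2) mod AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: reduce by the modulus
            a ^= AES_POLY
        b >>= 1
    return result


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a: int) -> int:
    """x^{-1} = x^{254}: every nonzero element has x^255 = 1; AES sends 0 to 0."""
    return gf_pow(a, 254) if a else 0


def brute_force_inv(a: int) -> int:
    """Independent check of gf_inv: search for b with a * b = 1."""
    return next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)


def mix_column(col: list[int]) -> list[int]:
    """Treat the 4 bytes as a(x) = col[3] x^3 + ... + col[0] over GF(2^8) and
    return a(x) * (3x^3 + x^2 + x + 2) mod (x^4 + 1); reducing modulo x^4 + 1
    simply wraps exponents around, because x^4 = 1 there."""
    c = [2, 1, 1, 3]           # coefficients of c(x), lowest degree first
    out = [0, 0, 0, 0]
    for i, a in enumerate(col):
        for j, cj in enumerate(c):
            out[(i + j) % 4] ^= gf_mul(a, cj)
    return out
```

Because $x^{255} = 1$ for every nonzero element, `gf_inv` agrees with the brute-force search on all 255 nonzero inputs, and `mix_column([0xDB, 0x13, 0x53, 0x45])` reproduces the FIPS-197 column `[0x8E, 0x4D, 0xA1, 0xBC]`.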
To set the stage, I will begin with a discussion of a decidedly nonalgebraic algorithm, the 1975 U.S. Data Encryption Standard (DES), which, aside from RC4 in web browsers and relatively insecure cable-TV signal encryption, is the most widely-used cryptosystem in the world.² I will concentrate on attacks on DES, showing how they shaped future ciphers, then explain the reasoning that led to Rijndael and the role that each of Rijndael's polynomials plays. I will end by discussing how the algebraic structure that promises security may also introduce vulnerabilities.

Cryptosystems consist of two pieces: the algorithm, or method, for encryption, and a secret piece of information, called the key. In the nineteenth century, Auguste Kerckhoffs observed that any cryptosystem used by more than a very small group of people will eventually leak the encryption technique. Thus the secrecy of a system must reside in the key.

[1] Kaisa Nyberg et al. Differentially Uniform Mappings for Cryptography, 1994, EUROCRYPT.

[2] Vincent Rijmen et al. The Design of Rijndael: AES - The Advanced Encryption Standard, 2002.

[3] Vincent Rijmen et al. The Cipher SHARK, 1996, FSE.

[4] Wang Nan-gao. On the criminal action, 2003.

[5] Vincent Rijmen et al. The Design of Rijndael, 2002, Information Security and Cryptography.

[6] Joan Daemen et al. Cipher and hash function design strategies based on linear and differential cryptanalysis, 1995.

[7] Matthew Kwan. Reducing the Gate Count of Bitslice DES, 2000, IACR Cryptol. ePrint Arch.

[8] Niels Ferguson et al. A Simple Algebraic Representation of Rijndael, 2001, Selected Areas in Cryptography.

[9] Lars R. Knudsen et al. Attacks on Block Ciphers of Low Algebraic Degree, 2001, Journal of Cryptology.

[10] Eli Biham et al. Differential Cryptanalysis of the Data Encryption Standard, 1993, Springer New York.

[11] Cunsheng Ding et al. On Almost Perfect Nonlinear Permutations, 1994, EUROCRYPT.

[12] D. K. Branstad et al. Data Encryption Standard: past and future, 1988, Proc. IEEE.

[13] Matthew J. B. Robshaw et al. Further Comments on the Structure of Rijndael, 2000.

[14] Matthew J. B. Robshaw et al. Essential Algebraic Structure within the AES, 2002, CRYPTO.

[15] Vincent Rijmen et al. Answer to "new observations on Rijndael", 2000.

[16] Adi Shamir et al. Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations, 2000, EUROCRYPT.

[17] O. Antoine et al. Theory of Error-correcting Codes, 2022.

[18] Claude Carlet. Codes de Reed-Muller, codes de Kerdock et de Preparata, 1990.

[19] S. Landau. Standing the Test of Time: The Data Encryption Standard, 2000.

[20] Willi Meier et al. Nonlinearity Criteria for Cryptographic Functions, 1990, EUROCRYPT.

[21] Lars R. Knudsen et al. Provable security against a differential attack, 1994, Journal of Cryptology.

[22] Don Coppersmith et al. The Data Encryption Standard (DES) and its strength against attacks, 1994, IBM J. Res. Dev.

[23] Adi Shamir et al. On the Security of DES, 1985, CRYPTO.

[24] Bryan Weeks et al. Hardware Performance Simulations of Round 2 Advanced Encryption Standard Algorithms, 2000, AES Candidate Conference.

[25] H. Niederreiter et al. Introduction to finite fields and their applications: Factorization of Polynomials, 1994.

[26] Kaisa Nyberg et al. S-boxes and Round Functions with Controllable Linearity and Differential Uniformity, 1994, FSE.

[27] Neal Koblitz et al. Algebraic aspects of cryptography, 1998, Algorithms and Computation in Mathematics.

[28] Kaisa Nyberg et al. On the Construction of Highly Nonlinear Permutations, 1992, EUROCRYPT.

[29] Vincent Rijmen et al. The Wide Trail Design Strategy, 2001, IMACC.

[30] Sean Murphy. New Observations on Rijndael, 2000.

[31] Jean-Charles Faugère et al. Efficient Computation of Zero-Dimensional Gröbner Bases by Change of Ordering, 1993, J. Symb. Comput.

[32] Vincent Rijmen et al. The Block Cipher Square, 1997, FSE.

[33] Mitsuru Matsui et al. Linear Cryptanalysis Method for DES Cipher, 1994, EUROCRYPT.

[34] Ian F. Blake et al. Elliptic curves in cryptography, 1999.

[35] Neil J. A. Sloane et al. The theory of error-correcting codes (North-Holland), 1977.

[36] James L. Massey et al. A spectral characterization of correlation-immune combining functions, 1988, IEEE Trans. Inf. Theory.