28-01-2013, 02:26 PM
Mini Advanced Encryption Standard (Mini-AES): A Testbed for Cryptanalysis Students
1Mini Advanced Encryption.pdf (Size: 884.77 KB / Downloads: 237)
ABSTRACT:
In this paper, we present a mini version of Rijndael, the symmetric-key block cipher
selected as the Advanced Encryption Standard (AES) recently. Mini-AES has all the
parameters significantly reduced while at the same time preserving its original structure. It is
meant to be a purely educational cipher and is not considered secure for actual applications.
The purpose is such that once undergraduate students and amateur cryptanalysts have grasped
the basic principles behind how Mini-AES works, it will be easy for them to move on to the
real AES. At the same time, an illustration of how the Square attack can be applied to Mini-
AES is presented in the hope that Mini-AES would also serve as a testbed for students to
begin their cryptanalysis efforts.
Introduction
The National Institute of Standards and Technology (NIST) issued in 1997 a call for
proposals for the Advanced Encryption Standard (AES) [7]. Twenty one proposals were
submitted, out of which 15 were accepted. Two years later, after undergoing public review
and analysis, the list was narrowed down to 5 finalists, and more extensive analysis ensued.
In October 2000, Rijndael emerged as the winner and was selected as the Advanced
Encryption Standard [8]. The specifications of the AES are now available as a Federal
Information Processing Standard (FIPS) [9].
The AES has a block size of 128 bits, and supports key sizes of 128, 192 and 256 bits.
The number of rounds is 10, 12 or 14 for the three different key sizes respectively. Just like
the DES, the AES is expected to draw much attention from cryptographers and cryptanalysts
alike within the space of time from now until the next few decades. In order to aid
undergraduate cryptography students and aspiring cryptanalysts in better understanding the
internal workings of the AES, we present a mini version of the AES, with all the parameters
significantly reduced while preserving its original structure. This mini version is purely
educational and hence it is hoped to aid students in grasping the underlying concepts in the
design of Rijndael-like ciphers and also to serve as a testbed for aspiring cryptanalysts to try
out various cryptanalytic attacks.
Addition in GF(24)
When we represent elements of GF(24) as polynomials with coefficients in {0,1}, then
addition of two such elements is simply addition of the coefficients of the two polynomials.
Since the coefficients have values in {0,1}, then the addition of the coefficients is just modulo
2 addition or exclusive-OR denoted by the symbol ⊕. Hence, for the rest of this paper, the
symbols + and ⊕ are used interchangeably to denote addition of two elements in GF(24).
Mini-AES
In order to encrypt messages with Mini-AES, the original input message, called the plaintext
is broken up into blocks of 16 bits each. At any one time, only one plaintext block is
encrypted with Mini-AES into ciphertext, after which the next plaintext block is encrypted
and the process repeats until all of the plaintext blocks have been encrypted. Mini-AES
encryption is done with a secret key of 16 bits. Figure 1 illustrates the process of encrypting
the plaintext message with Mini-AES.
KeyAddition, σKi
KeyAddition causes each bit of the input block, D = (d0, d1, d2, d3) to be exclusived-ORed
with the corresponding bit of the ith round key, Ki = (k0, k1, k2, k3) to obtain the 16-bit output
block E = (e0, e1, e2, e3) as shown in Figure 6. The round key is derived from the secret key,
K by using the key schedule, which will be described in Section 3.6. For each bit, the
exclusive-OR operation causes the output bit to be ‘1’ if the corresponding bits of the input
block and round key are different. Otherwise, the output bit is ‘0’.
The Advanced Encryption Standard (AES)
In this section, we relate Mini-AES to the actual Advanced Encryption Standard (AES).
Instead of having a block of 16 bits, the AES is a 128-bit block cipher, and supports secret
key sizes of 128, 192 or 256 bits. We will describe the details of the AES with reference to a
128-bit key. The other variants are similar in nature.
The 128-bit block of the AES is expressed as a matrix of 4 × 4 bytes, in contrast to
Mini-AES being expressed as a matrix of 2 × 2 nibbles.
The Square Attack
The structure of the AES is derived from its predecessor, the block cipher Square [2]. It is
susceptible to a dedicated attack that was first developed on Square, also called the Square
attack. In order to demonstrate to the student how the attack works on the AES, we will apply
it on Mini-AES.
First, we extend the number of rounds of Mini-AES to 4 so that it is not too trivial to
apply the Square attack on it. Let’s suppose we have a set of 16 plaintexts, Pi (i = 0 to 15)
such that they are equal in all nibbles except in one nibble where they have all the 16 possible
different values. We will call this a delta set. The nibbles that have the same values for all 16
plaintexts in the set are called the passive nibbles whereas the nibble with all 16 possible
values is called the active nibble.
Conclusion
We have presented a mini version of the Advanced Encryption Standard (AES) that is wellsuited
for undergraduate cryptography and cryptanalysis courses. Once the student feels
comfortable with Mini-AES, then he will have no problem in understanding the inner
workings of the real Advanced Encryption Standard. Mini-AES is also intended to be a
testbed for students and aspiring cryptanalysts to experiment with the various cryptanalysis
methods that are currently available in academic literature. As an example, we demonstrated
in detail how the Square attack can be used on Mini-AES. With this, we hope to have
provided the vital stepping stone for the student to advance into the fascinating world of
cryptanalysis research.