Title: A Simple Algebraic Representation of Rijndael
In the Rijndael system the S-box can be written
as an equation of the form
where $w_i$ are constants. Our goal is to
simplify it; if we are fortunate enough, we might
break the system.
First, the constant $w_8$ can be eliminated:
each application of the S-box is followed by a
key addition, so we can absorb $w_8$ by
adding an appropriate constant to the key. Our
formula becomes
Next, we see that in GF(256),
$x^{255} = 1$ for all $x \neq 0$.
If we define
$a/0 = 0$ for all $a$,
then, after checking the cases $x = 0$ or not, we can rewrite
the formula even more simply as
Note that this equation can be explained directly
from the structure of the S-box.
For one thing, the S-box contains an inversion
map, which maps 0 to 0 and every other element to its
inverse in GF(256). That explains the minus sign
in the exponent. For another, the other part of the
S-box is a bit-linear map, which can always be
represented by a polynomial whose exponents are powers
of two. To see why this is true, first note that the
number of bit-linear maps is $256^8$, which is the
same as the number of polynomials whose exponents are powers
of two.
($256^8$: each $w$ has 256 choices, the size of GF(256);
there are 8 constants $w$ to be determined;
GF(256) has dimension 8 over GF(2).)
Then note that the polynomials of this type all
represent different maps from one another. (By
Cramer's rule this is obvious.) Therefore, we see
that the formula does in fact represent a
bit-linear map.
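
Added example (not part of the original slides): the S-box is built from its definition (inversion in GF(256), then the bit-affine map with constant 0x63 from the Rijndael specification) and interpolated as a polynomial over GF(256). The only nonzero exponents it finds are 0 and 255 - 2^d for d = 0..7, and the same nine constants reproduce the S-box in the 1/x form with 1/0 = 0. All function names are chosen for this illustration.

```python
def gmul(a, b):
    """Multiply in GF(256) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gpow(a, n):
    """a**n by square-and-multiply; gpow(0, 0) == 1."""
    r = 1
    while n:
        if n & 1:
            r = gmul(r, a)
        a, n = gmul(a, a), n >> 1
    return r

def sbox(x):
    """S-box from its definition: inversion (x**254, so 0 -> 0), then the affine map."""
    y = gpow(x, 254)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4) ^ 0x63

def interpolate(f):
    """Coefficients c[0..255] with f(x) = sum_k c[k] x^k on all of GF(256).
    In characteristic 2: c[0] = f(0), c[k] = sum_a f(a) a^(255-k) for k >= 1."""
    c = [f(0)] + [0] * 255
    for a in range(256):
        fa, p = f(a), 1          # p runs through a^0, a^1, ..., a^254
        for k in range(255, 0, -1):
            c[k] ^= gmul(fa, p)
            p = gmul(p, a)
    return c

def nonzero_terms():
    """{exponent: coefficient} for the nonzero terms of the S-box polynomial."""
    return {k: v for k, v in enumerate(interpolate(sbox)) if v}

def simplified(x, terms):
    """Evaluate w_8 + sum_d w_d (1/x)^(2^d), reading w_d off exponent 255 - 2^d."""
    y = gpow(x, 254)             # 1/x with the convention 1/0 = 0
    acc = terms[0]
    for d in range(8):
        acc ^= gmul(terms[255 - 2**d], gpow(y, 2**d))
    return acc

if __name__ == "__main__":
    for e, w in sorted(nonzero_terms().items(), reverse=True):
        print(f"x^{e}: 0x{w:02x}")
```
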
ONE ROUND EQUATION
Let
be the byte at position $(i,j)$ of round $r$.
Recall that Rijndael represents state values as a
4 by 4 square of bytes, with coordinates running from
0 to 3. For convenience, we identify
coordinates that are
congruent modulo 4.
In a round, the first step is the ByteSub step.
The next step is the ShiftRow step.
The third step is the MixColumn step.
$\sum_{e_r=0}^{3} v_{i,e_r}\, t^{(r)}_{i,e_r}$
The final step is key addition.
In the last interesting formula, we let
$E = \{0,1,2,3\}$ and $D = \{0,1,2,3,4,5,6,7\}$.
MULTIPLE-ROUND EQUATION
Recall that in a field of characteristic 2,
specifically GF(256),
$(a+b)^2 = a^2 + b^2$
We can simplify the multiple-round equation a
lot. Take the 3-round equation for example.
can be simplified as
Now we simplify the notation in the formula.
Write constants as C, write expanded key bytes
as K, and write plaintext as p. Subscripts
are replaced with . The first-round a's
can be treated as plaintext plus some key. The
formula looks like this.
FULLY EXPANDED EQUATIONS
With the method introduced, the equations are
greatly reduced, and it is easy to write down a
10-round equation if the C, K, and p
notations are used. However, the equations we met
beforehand are written in a very compact way,
and thus look easy. If we write them fully
expanded, that is, without even the summation
notation, the situation is completely
different. For example, the 256-bit Rijndael
cipher has 14 rounds. There will be about $2^{70}$
terms in the fully expanded equations.
OTHER CIPHERS
No serious block cipher has an algebraic
description, even though every cipher can be
represented by equations describing all the Boolean
gates in the cipher; this does nothing for an
attack, since no efficient algorithms are known to
handle such equations. Some ciphers, like DES, have formulae
with too many terms to lead to any attack more
efficient than exhaustive search. Another idea is
to write the formula in summation notation, as
we did before. However, it doesn't help,
either. The problems remain in SAT.
AN ALGEBRAIC ATTACK?
We know that if the formula is a simple
polynomial, it is easy to solve. Therefore, if
there were no 1/x in the formula, it would be
easy.
Note that by the relation
$1/x = x^{254}$
the formula can also be reduced to a polynomial,
but there are too many terms. We feel an algebraic
attack may work, since the formula looks like a
continued fraction. Continued fractions have been studied
a lot, but it is unclear whether they apply. One more
thing: there are only 176 expanded key bytes
overall; maybe an algorithm can take advantage of that.
CONCLUSIONS
We expressed Rijndael in very simple formulae. We
know that other formulae cannot be expressed as
elegantly as Rijndael's. Therefore, the security of
Rijndael relies on the assumption that equations of
this type are computationally infeasible to
solve. Who knows? There might be some good technique
to handle this type of equation that we are just not
aware of. Someone might discover it in the
future. In cryptography, it is best to be cautious.