The Advanced Encryption Standard (Rijndael)

1
The Advanced Encryption Standard (Rijndael)
2
AES Why a new Standard?

• Old standard insecure against brute-force attacks
• Straightforward fixes lead to inefficientTriple
  DES
• implementations
• New trends in fast software encryption
• use of basic instructions of the microprocessor
• New ways of assessing cipher strength
• differential cryptanalysis
• linear cryptanalysis

3
AES Why a Contest?

• Speed-up the acceptance of the standard
• Small number of specialists in the open research
• Focus the effort of cryptographic community
• Stimulate the research on methods of constructing
• secure ciphers
• Avoid backdoor theories

4
AES General Form
5
AES Rules of the Game

• Each team submits
• Detailed cipher description
• Justification of design decisions
• Tentative results of cryptanalysis
• Source code in C
• Source code in Java
• Test vectors

6
AES Candidates

• Round 1, June 1998
• 15 Candidates
• from USA, Canada, Belgium, France, Germany,
  Norway, UK, Isreal, Korea, Japan, Australia,
  Costa Rica.
• Security, Software efficiency
• Round 2, August 1999
• 5 final candidates
• Mars, RC6, Rijndael, Serpent, Twofish
• Security, Hardware efficiency
• October 2000
• 1 winner Rijndael
• Belgium

7
AES Candidates

• USA Mars, RC6, Twofish, Safer, HPC
• Canada CAST-256, Deal
• Costa Rica Frog
• Australia LOKI97
• Japan E2
• Korea Crypton
• Belgium Rijndael
• France DFC
• Germany Magenta
• Israel, GB, Norway Serpent
• America (8) Europe (4) Asia (2)
• Australia (1)

8
AES Candidates

• Survey filled by 104 participants of the
• Second AES Conference in Rome, March 1999
• Middle-of-the-Road
• 7. CAST-256 -2
• 8. Safer -4
• 9. DFC -5
• Mild NO
• 10. Crypton -15
• Overwhelming NO
• 11. DEAL -70
• 12. HPC -77
• 13. Magenta -83
• 14. Loki97 -85
• 15. Frog -85

9
AES Candidates

• Survey filled by 104 participants of the
• Second AES Conference in Rome, March 1999
• Overwhelming YES
• 1. Rijndael 76
• 2. RC6 73
• 3. Twofish 61
• 4. Mars 52
• 5. Serpent 45
• Mild YES
• 6. E2 14

10
AES Final 5

• USA
• Mars - IBM
• C. Burwick, D. Coppersmith, E. DAvignon,
• R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,
• L. OConnor, M. Peyravian, D. Safford,
• N. Zunic
• RC6 - RSA Data Security, Inc.
• R. Rivest - MIT
• M. Robshaw, R. Sidney, Y. L. Yin - RSA
• Twofish - Counterpane Systems
• B. Schneier, J. Kelsey, C. Hall, N. Ferguson
• - Counterpane, D.Whiting - Hi/fn,
• D. Wagner - Berkeley

11
AES Final 5

• Europe
• Rijndael - J. Daemen, V. Rijmen
• Katholieke Universiteit Leuven
• Belgium
• Serpent - R. Anderson, Cambridge, England
• E. Biham - Technion, Israel
• L. Knudsen, University of Bergen, Norway
• AES Finalists (2)

12
RC6The elegant AES choice

• Ron Rivest rivest_at_mit.edu
• Matt Robshaw mrobshaw_at_supanet.com
• Yiqun Lisa Yin yiqun_at_nttmcl.com

13
RC6 is the right AES choice

• Security
• Performance
• Ease of implementation
• Simplicity
• Flexibility

14
RC6 is simple only 12 lines

• B B S 0 D D S 1 for i 1
  to 20 do t ( B x ( 2B 1
  ) ) ltltlt 5 u ( D x ( 2D 1 ) )
  ltltlt 5 A ( ( A ? t ) ltltlt u ) S
  2i C ( ( C ? u ) ltltlt t ) S
  2i 1 (A, B, C, D) (B, C, D, A)
  A A S 42 C C S 43

15
Simplicity

• Facilitates and encourages analysis
• allows rapid understanding of security
• makes direct analysis straightforward (contrast
  with Mars and Twofish)
• Enables easy implementation
• allows compilers to produce high-quality code
• obviates complicated optimizations
• provides good performance with minimal effort

16
RC6 key schedule is rock-solid

• Studied for more than six years
• Secure
• thorough mixing
• one-way function
• no key separation (cf. Twofish)
• no related-key attacks (cf. Rijndael)

17
Original analysis still accurate

• RC6 meets original design criteria
• Security estimates from 1998 still good today
  independent analyses supportive.
• Secure, even in theory, even with analysis
  improvements far beyond those seen for DES during
  its lifetime
• RC6 provides a solid, well-tuned margin for
  security

18
How do we grade candidates?

• Security (corroborated)
• Performance (speedmemory)
• 32-bit (30)
• Java (20)
• DSP (15)
• 64-bit (15)
• Hardware (15)
• 8-bit (5)
• Ease of implementation
• Simplicity
• Flexibility
• Overall 40/25/15/10/10

19
Conclusions

• RC6 is a simple yet remarkably strong cipher
• good performance on most important platforms
• simple to code for good performance
• excellent flexibility
• the most studied finalist
• the best understood finalist
• RC6 is the secure and elegant choice for the AES

20
(The End)

21
AES Performance Evaluation
22
AES Performance Evaluation
23
AES Performance Evaluation
24
AES Performance Evaluation
25
AES Performance Evaluation
26
AES Performance Evaluation
27
AES Performance Evaluation
28
AES Performance Evaluation
29
AES Performance Evaluation
30
AES Performance Evaluation
31
AES Performance Evaluation
32
AES Performance Evaluation
33
AES Performance Evaluation
34
AES Performance Evaluation
35
AES Summary of Final-5 Evaluation

• Serpent 2
• Pluses
• large security margin
• cryptanalytical reputation of authors
• conservative construction
• very fast in hardware
• Minuses
• slow in software
• moderate flexibility

36
AES Summary of Final-5 Evaluation

• Rijndael 1
• Pluses
• fastest in hardware
• close to the fastest in software
• security margin
• novel ideas
• very high flexibility
• Minuses
• security margin

37
AES Summary of Final-5 Evaluation

• Twofish
• Pluses
• good security margin
• fast encryption/decryption in software
• US
• strongly advertized
• Minuses
• moderately fast in hardware
• slow key setup in software
• moderate flexibility

38
Rijndael OverView

• Designed by Joan Daemen and Vincent Rijmen (from
  Leuven Belgium)
• Based upon the Square Cipher
• 3 Design Goals
• Resistance against known attacks
• Speed and code compactness on a variety of
  platforms
• Design simplicity

39
Rijndael OverView

• Rijndael/AES Designed by Joan Daemen,
  Proton World International Vincent
  Rijmen, Katholique Universiteit LuevenBlock
  cypherSymmetric keyArithmetic based in the
  Galois Field GF(28)Fast and scalableResistant
  to all known cryptanalysis attacks

40
Dr. Vincent Rijmen 
41
Rijndael

• The block cipher Rijndael is designed to use only
  simple whole-byte operations. Also, it provides
  extra flexibility over that required of an AES
  candidate, in that both the key size and the
  block size may be chosen to be any of 128, 192,
  or 256 bits.

42
Rijndael OverView

• Rijndael is not a Feistel cipher
• 3 distinct invertible layers per round
• Encryption and decryption algorithms are
  different
• Rijndael uses the Wide Trail Strategy
• Non-linear layer (confusion)
• Linear mixing layer (diffusion)
• Key addition layer

43
Rijndael OverView

• State and Round Key representations
• The State is the intermediate cipher result
• Both the State and the Round Key are interpreted
  as rectangular arrays of bytes
• Number of columns in the State and Round Key
  arrays depend on block and key sizes,
  respectively

44
Rijndael OverView

• Rijndael is a block cipher that encrypts and
  decrypts 128, 192, and 256 bit blocks, using 128,
  192, and 256 byte keys in any combination. The
  block is considered to be structured as 4, 6, or
  8 columns of 4 bytes, depending on block size.

45
Rijndael

• During an early stage of the AES process, a draft
  version of the requirements would have required
  each algorithm to have three versions, with both
  the key and block sizes equal to each of 128,
  192, and 256 bits. This was later changed to make
  the three required versions have those three key
  sizes, but only a block size of 128 bits, which
  is more easily accommodated by many types of
  block cipher design.

46
Rijndael

• The original description of Rijndael is available
  at http//www.esat.kuleuven.ac.be/rijmen/rijndae
  l/.
• However, the variations of Rijndael which act on
  larger block sizes apparently will not be
  included in the actual standard, on the basis
  that the cryptanalytic study of Rijndael during
  the standards process primarily focused on the
  version with the 128-bit block size.
• Rijndael is a relatively simple cipher in many
  respects.

47
Rijndael Number of Rounds

• Rijndael has a variable number of rounds. The
  number of rounds in Rijndael is
• 10 if both the block and the key are 128 bits
  long.
• 12 if either the block or the key is 192 bits
  long, and neither of them is longer than that.
• 14 if either the block or the key is 256 bits
  long.

48
Rijndael OverView

• Each round consists of 4 steps
• Step 1 ByteSub Transformation (Confusion)
• Step 2 ShiftRow Transformation (Diffusion)
• Step 3 MixColumn Transformation (Diffusion)
• Step 4 Round Key Addition
• Final round slightly different from other rounds

49
Rijndael OverView

• The basic operations applied to the block are
• 1) ByteSub Applying an S-box (substituting each
• byte with another, based on an equation in
  GF(28))
• 2) ShiftRow Shifting the rows in a circular way,
  the
• amount of shift (0, 1, 2, 3, or 4 bytes)
  depending on the
• position from the top and on the block size,

50
Rijndael OverView

• 3) MixColumn Mixing the 4, 6, or 8 columns
  vertically
• by taking invertible linear combinations (in
  GF(28) of
• the elements in each column and
• 4) Round Key Addition XORing each byte with a
  round key (done before the first round for
  whitening, and again at the end of each round),

51
Rijndael Algorithm

• Rijndael CypherAES(data_block, key) in State,
  RoundKeysState  State xor RoundKey0for Round
  1 to Nr SubBytes(State) ShiftRow (State) If
  not(last Round) then MixColumn(State) State Â
  State xor RoundKeyRoundout State

52
Rijndael Sequence of Operations

• The extra final round omits the Mix Column step,
  but is otherwise the same as a regular round.
  Thus, the sequence of steps in Rijndael is
•  ARK 
• BSB, SR, MC, ARK 
• BSB, SR, MC, ARK 
• BSB, SR, MC, ARK 
• .....
• BSB, SR, MC, ARK 
• BSB, SR, ARK 

9 of them!!
53
Rijndael Sequence of Operations
Where ARK Add Round Key BSB Byte Sub
Block SR Shift Row MC Mix Column
54
Rijndael
55
Rijndael two-Dimensions Scheme
56
Rijndael Block Representation

•   Rijndael considers a 128-bit block grouped into
  16 bytes of 8 bits each. Let us call each of
  these 16 bytes as, b15 b14 b13 b2 b1 b0.
  Rijndael deals with this block as bytes arranged
  into a 44 matrix,

57
Rijndael Rounds Steps

• In the Byte Sub step each byte of the block is
  replaced by its substitute in an S-box.

58
S-Box Look-up Table method

• Write a byte as 8 bits x7 x6 x5 x4 x3 x2 x1 x0.
  Look for the entry in the x7 x6 x5 x4 row and x3
  x2 x1 x0 column.

59
Rijndael S-Box

•   99 124 119 123 242 107 111 197 48 1 103
  43 254 215 171 118
• 202 130 201 125 250 89 71 240 173 212 162
  175 156 164 114 192
• 183 253 147 38 54 63 247 204 52 165 229
  241 113 216 49 21
• 4 199 35 195 24 150 5 154 7
  18 128 226 235 39 178 117
• 9 131 44 26 27 110 90 160 82 59
  214 179 41 227 47 132
• 83 209 0 237 32 252 177 91 106 203
  190 57 74 76 88 207
• 208 239 170 251 67 77 51 133 69 249
  2 127 80 60 159 168
• 81 163 64 143 146 157 56 245 188 182 218
  33 16 255 243 210
• 205 12 19 236 95 151 68 23 196 167
  126 61 100 93 25 115
• 96 129 79 220 34 42 144 136 70 238
  184 20 222 94 11 219
• 224 50 58 10 73 6 36 92 194 211
  172 98 145 149 228 121
• 231 200 55 109 141 213 78 169 108 86 244
  234 101 122 174 8
• 186 120 37 46 28 166 180 198 232 221 116
  31 75 189 139 138
• 112 62 181 102 72 3 246 14 97 53
  87 185 134 193 29 158
• 225 248 152 17 105 217 142 148 155 30 135
  233 206 85 40 223
• 140 161 137 13 191 230 66 104 65 153 45
  15 176 84 187 22

60
Rijndael Rounds Steps

• The specification for Rijndael only provided an
  explanation of how the S-box was calculated the
  first step was to replace each byte with its
  reciprocal in the same GF(28) as used below in
  the Mix Column step, except that 0, which has no
  reciprocal, is replaced by itself (since it isn't
  anything's reciprocal either, it is the only
  value not used, so that makes sense) then a
  bitwise modulo-two matrix multiply was used, and
  finally the hexadecimal number 63 is XORed with
  the result.

61
Rijndael ByteSub Step

• S-Box ArithmeticElements in
• G GF(28, 1aa3a4a8 )nhex Þ nbin Þ
  (polynomial with nÕs bits for coeffs)Arithmetic
  in Z2 (/), then mod by 1aa3a4a8polynomial
  Þ nbin Þ nhex ByteSub(x) A Mx-1 63hex
  Precompute and use look-up table

62
The Construction of the S-Box

•  Although the S-box is implemented as a lookup
  table, it has a simple mathematical description.
• Start with a byte x7 x6 x5 x4 x3 x2 x1 x0, where
  each xi is a binary bit. Compute its inverse in
  GF(28). If the byte is 0, use the same 0 as its
  inverse.

63
The Construction of the S-Box

•  The resulting byte y7 y6 y5 y4 y3 y2 y1 y0
  represents an 8-dimensional column vector, with
  the rightmost bit y0 in the top position.
  Multiply by a matrix and add the column vector
  (1, 1, 0, 0, 1, 1, 0) to obtain a vector z7 z6 z5
  z4 z3 z2 z1 z0 as shown in the next slide

64
The Construction of the S-Box
65
The Construction of the S-Box

• For example, start with the byte 11001011 CB.
  Its inverse in GF(28) is 00000100 04, then

66
The Construction of the S-Box

• This yields the byte 00011111 1F. Note that the
  input vector was 11001011. The 4 MSBs of the
  input vector are thus 1100 and this gives us the
  13th row in the S-Box. Similarly, 1011 yields us
  the 14th column in the S-Box. By checking the
  S-box we see that indeed 31 1F is the
  corresponding entry in the S-Box as claimed.

67
Rijndael Shift Row Step

•   Next is the Shift Row step. Considering the
  128-bit block grouped into 16 bytes of 8 bits
  each, call them, b15 b14 b13 b2 b1 b0.
• these bytes are arranged into a 44 matrix, and
  shifted as follows
•  

68
Rijndael Shift Row Step

•   Blocks that are 192 and 256 bits long are
  shifted like this
•  from to
• 1 5 9 13 17 21 1 5 9 13 17 21
• 2 6 10 14 18 22 6 10 14 18 22 2
• 3 7 11 15 19 23 11 15 19 23 3 7
• 4 8 12 16 20 24 16 20 24 4 8 12 
• from to
• 1 5 9 13 17 21 25 29 1 5 9 13 17 21 25
  29
• 2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2
  
• 3 7 11 15 19 23 27 31 15 19 23 27 31 3 7
  11
• 4 8 12 16 20 24 28 32 20 24 28 32 4 8 12
  16

69
Rijndael Mix Column step

•   Next comes the Mix Column step. Matrix
  multiplication is performed each column, in the
  arrangement we have seen above, is multiplied by
  the matrix
•   2 3 1 1
• 1 2 3 1
• 1 1 2 3
• 3 1 1 2
• However, this multiplication is done over GF(28).
  This means that the bytes being multiplied are
  treated as polynomials rather than numbers.

70
Rijndael Mix Column step

•   GF(28)The Galois Field with 28 elements is the
  Finite Field GF(28)Z2x/m(x)where m is
  irreducible in Z2x and has degree 8.Rijndael
  chooses m(x) 1 x x3 x4 x8

71
Rijndael Mix Column step

•   If the result has more than 8 bits, the extra
  bits are not simply discarded instead, they're
  cancelled out by XORing the binary 9-bit string
  100011011 with the result (shifted right if
  necessary). This string stands for the generating
  polynomial of the particular version of GF(28)
  used by Rijndael.

72
Rijndael Mix Column step

•   For example, multiplying the binary string
  11001010 by 3 within this Galois Field works like
  this
•   11001010
• 11
• --------------
• 11001010
• 11001010
• ---------------
• 101011110 (XOR instead of addition)
  
• 100011011 (this is XORed, instead of
  subt. 256)
• --------------
• 1000101

73
Rijndael Mix Column step

•   MixColumn ArithmeticMixColumn is equivalent
  to
• with arithmetic in GF( 28 ).

74
Rijndael Add Round Key

•   The final step is Add Round Key. This simply
  XORs in the subkey for the current round.

75
Rijndael Key Schedule

• Round keys extracted from the cipher key in two
  steps
• Initial key expansion
• First bits of the expanded key are set to the
  bits of the cipher key
• Remaining bits calculated recursively as a
  non-linear function of the previous bits of the
  expanded key
• Round key selection from expanded key

76
Rijndael Key Schedule

• The original key consists of 128 bits, which are
  arranged into a 44 matrix of bytes. This matrix
  is expanded by adjoining 40 more columns, as
  follows.
• Label the first four columns W(0), W(1), W(2),
  W(3). The new columns are generated recursively.
  Suppose columns up through W(i-1) have been
  defined. If i is not a multiple of 4, then form
  the new column as,
• W(i) W(i-4)?W(i-1).

77
Rijndael Key Schedule

• If i is a multiple of 4, then
• W(i) W(i-4)?T(W(i-1)),
• Where T(W(i-1)) is the transformation of W(i-1)
  as follows. Let the elements of the columns are
  w0 w1 w2 w3. Shift these cyclically to obtain w1
  w2 w3 w0. Then replace each of these bytes with
  the corresponding element in the S-box from the
  ByteSub step, to get 4 bytes y0 y1 y2 y3.

78
Rijndael Key Schedule

• Finally compute the round constant
• In GF(28). Recall that we are in the case where i
  is a multiple of 4. Then T(W(i-1)) is the column
  vector
• (y0 ?r(i), y1 y2 y3)

79
Rijndael Key Schedule

• In this way, columns W(4),,W(43) are generated
  from the initial four columns. The round key for
  the ith round consists of the columns
• W(4i), W(4i1), W(4i2), W(4i3.)

80
Rijndael Key Schedule

• Because it begins and ends with an ARK (Add Round
  Key) step, there is no wasted unkeyed step at the
  beginning or end. The sequence of operations is
  important for facilitating decipherment, as well.
• Although the sequence is not symmetrical, the
  order of some of the steps in Rijndael could be
  changed without affecting the cipher. The Byte
  Sub step could just as easily be done after the
  Shift Row step as before it.

81
Rijndael Key Schedule

• For keys 128 and 192 bits in length, the subkey
  material, which consists of all the round keys in
  order, consists of the original key, followed by
  stretches, each the length of the original key,
  consisting of four-byte words such that each word
  is the XOR of the preceding four-byte word and
  either the corresponding word in the previous
  stretch or a function of it.

82
Rijndael Key Schedule

• For the first word in a stretch, the word is
  first rotated one byte to the left, and then its
  bytes are transformed using the S-box from the
  Byte Sub step, and then a round-dependent
  constant is XORed to its first byte.

83
Rijndael Key Schedule

• The round constants are
•   1 2 4 8 16 32
  64 128
• 27 54 108 216 171 77 154
  47
• 94 188 99 198 151 53 106 212
  
• 179 125 250 239 197 145 57 114
• 228 211 189 97...

84
Rijndael Decryption

• Inverse Cypher
• Reverse Steps
• Use Keys in Reverse Order
• ByteSub and ShiftRow Commute
• MixColumn Matrix is Invertible

85
Rijndael Decryption

1. The inverse of ByteSub is another lookup table,
   called InvByteSub.
2. The inverse of ShiftRow is obtained by shifting
   the rows to the right instead of to the left,
   yielding InvShiftRow.

86
Rijndael Decryption

1. The inverse of MixColumn exists because the 44
   matrix used in MixColumn is invertible. The
   transformation InvMixColumn is given by
   multiplication by the matrix

87
Rijndael Sequence of Operations for Encryption

• The extra final round omits the Mix Column step,
  but is otherwise the same as a regular round.
  Thus, the sequence of steps in Rijndael is
•  ARK 
• BSB, SR, MC, ARK 
• BSB, SR, MC, ARK 
• BSB, SR, MC, ARK 
• .....
• BSB, SR, MC, ARK 
• BSB, SR, ARK 

9 of them!!
88
Rijndael Sequence of Operations
Where ARK Add Round Key BSB Byte Sub
Block SR Shift Row MC Mix Column
89
Rijndael Decryption

• AddRoundKey is its own inverse.
• Hence to decrypt we have to perform the following
  steps
• ARK, ISR, IBS
• ARK, IMC, ISR, IBS
• ARK, IMC, ISR, IBS
•  .....
• ARK, IMC, ISR, IBS
• ARK 

90
Rijndael Decryption

• However, we would like to rewrite this
  decryption in order to make it look more like
  encryption. We make the following observations
• The order of BS and the SR operations are
  exchangable (why??).
• We also would like to reverse the order of ARK
  and IMC but this is not possible.Instead we
  proceed as follows

91
Rijndael Decryption

• Where (mi,j) is the 44 matrix in MixColumn and
  (ki,j) is the round key matrix. The inverse is
  obtained by solving
  for (ci,j) in terms of (ei,j), namely,

92
Rijndael Decryption

• Therefore the decryption process to follow is
• The first arrow is simply InvMixColumn applied to
  (ei,j). If we let InvAddRoundKey be XORing with
  (ki,j), then we have that the inverse of MC
  then ARK is IMC then IARK.

93
Rijndael Decryption

• We now see that decryption is given by
• ARK, IBS, ISR
• IMC, IARK, IBS, ISR
• IMC, IARK, IBS, ISR
•  .....
• IMC, IARK, IBS, ISR
• ARK. 
• Summarizing we have the following procedures to
  perform encryption/decryption with Rijndael
  algorithm

94
Rijndael Encryption

1. ARK using the 0th key.
2. Nine rounds of BS, SR, MC, ARK using round keys 1
   to 9.
3. A final round BS, SR, ARK, using the 10th round
   key.

95
Rijndael Decryption

1. ARK using the 10th key.
2. Nine rounds of IBS, ISR, IMC, IARK using round
   keys 9 to 1.
3. A final round IBS, ISR, ARK, using the 0th round
   key.

96
Rijndael Why MixColumn is omitted in the last
round?

• Suppose MixColumn had been left in. Then the
  encryption would start ARK, BS, SR, MC, ARK, ,
  and it would end ARK, BS, SR, MC, ARK. Therefore,
  the beginning o fthe decryption would be (after
  the reorderings) IMC, IARK, IBS, ISR, . This
  means the decryption would have an unnecessary
  IMC at the beginning.

97
Rijndael Why MixColumn is omitted in the last
round?

• Another way to look at encryption is that there
  is an initialARK, then a sequence of alternating
  half rounds
• (BS, SR), (MC, ARK), (BS, SR),, (MC, ARK), (BS,
  SR),
• followed by a final ARK.
• The decryption is ARK, followed by a sequence of
  alternating half rounds
• (IBS, ISR), (IMC, IARK), (IBS, ISR),, (IMC,
  IARK), (IBS, ISR)

98
Rijndael Why MixColumn is omitted in the last
round?

• Followed by a final ARK. From this point of view,
  we see that a final MC would not fit naturally
  into any of the half rounds, and it results
  natural to leave it out.

99
Rijndael SOme design consideration comments.

• On 8-bit processors, decryption is not quite as
  fast as encryption. This is because the entriesof
  the 44 matrix for InvMixColumn are more complex
  than those for MixColumn, and this is enough to
  make decryption take around 30 longer than
  encryption for those processors.

100
Rijndael SOme design consideration comments.

• The fact that encryption and decryption are not
  identical processes leads to the expectation that
  there are no weak keys in Rijndael, in contrast
  to DES and several other algorithms.
• In Rijndael all the bits are treated uniformly.
  This has the effect of diffusing the input bits
  faster.

101
Rijndael SOme design consideration comments.

• It can be shown that two rounds are enough to
  obtain full difussion, namely, each of the 128
  output bits depends on each of the 128 input
  bits.
• The Rijndael S-box is highly nonlinear, since it
  is based on the mapping x ? x-1 in GF(28). This
  means that Rijndael is excellent resisting
  differential and linear cryptoanalysis attacks.

102
Rijndael SOme design consideration comments.

• The ShiftRow step was added to resist two
  recently developed attacks, namely truncated
  differentials and the Square attack (Square is a
  predecessor of Rijndael).
• The MixColumn causes diffusion among the bytes. A
  change in one input byte in this step always
  results in all four output bytes changing. If two
  input bytes are changed, at least three output
  bytes are changed.

103
Rijndael SOme design consideration comments.

• The Key Schedule involves nonlinear mixing of the
  key bits, since it uses the S-box. The mixing is
  designed to resist attacks where the
  cryptoanalyst knows part of the key and tries to
  deduce the remaining bits.
• The round constants are used to eliminate
  symmetries in the encryption process by making
  each round different.

104
Rijndael SOme design consideration comments.

• The number of rounds was chosen to be 10 because
  there are attacks that are better than brute
  force up to six rounds.
• No known attack beats brute force for seven or
  more rounds.
• It was felt that four extra rounds provide a
  large enough margin of safety. Of course, the
  number of rounds could easily be increased if
  needed.