Polynomials in the Nation's Service: Using Algebra to Design the Advanced Encryption Standard

Susan Landau
2004 The American mathematical monthly  
INTRODUCTION. Cryptography, the science of transforming communications so that only the intended recipient can understand them, should be a mathematician's playground. Certain aspects of cryptography are indeed quite mathematical. Public-key cryptography, in which the encryption key is public but only the intended recipient holds the decryption key, is an excellent demonstration of this. Both Diffie-Hellman key exchange and the RSA encryption algorithm rely on elementary number theory, while elliptic curves power more advanced public-key systems [21], [4].

But while public key has captured mathematicians' attention, such cryptography is in fact a show horse, far too slow for most needs. Public key is typically used only for key exchange. Once a key is established, the workhorses of encryption, private- or symmetric-key cryptosystems, take over. While Boolean functions are the mainstay of private-key cryptosystems, until recently most private-key cryptosystems were an odd collection of tricks, lacking an overarching mathematical theory. That changed in 2001, with the U.S. government's choice of Rijndael¹ as the Advanced Encryption Standard. Polynomials provide Rijndael's structure and yield proofs of security. Cryptographic design may not yet fully be a science, but Rijndael's polynomials brought to cryptographic design "more matter, with less art" (Hamlet, act 2, scene 2, 97).

Rijndael is a "block-structured cryptosystem," encrypting 128-bit blocks of data using a 128-, 192-, or 256-bit key. Rijndael variously uses $x^{-1}$, $x^7 + x^6 + x^2 + x$, $x^7 + x^6 + x^5 + x^4 + 1$, $x^4 + 1$, $3x^3 + x^2 + x + 2$, and $x^8 + 1$ to provide cryptographic security. (Of course, $x^{-1}$ is not strictly a polynomial, but in the finite field $\mathrm{GF}(2^8)$, $x^{-1} = x^{254}$ and so we will consider it one.)

In this paper I will show how polynomials came to play a critical role in what may become the most widely-used algorithm of the new century. To set the stage, I will begin with a discussion of a decidedly nonalgebraic algorithm, the 1975 U.S. Data Encryption Standard (DES), which, aside from RC4 in web browsers and relatively insecure cable-TV signal encryption, is the most widely-used cryptosystem in the world.² I will concentrate on attacks on DES, showing how they shaped future ciphers, and explain the reasoning that led to Rijndael, and explain the role that each of Rijndael's polynomials plays. I will end by discussing how the algebraic structure that promises security may also introduce vulnerabilities.

Cryptosystems consist of two pieces: the algorithm, or method, for encryption, and a secret piece of information, called the key. In the nineteenth century, Auguste Kerckhoffs observed that any cryptosystem used by more than a very small group of people will eventually leak the encryption technique. Thus the secrecy of a system must reside in the key.

¹ "Rijndael" is pronounced "Rhine Dahl" and is a combination of the names of the algorithm's two designers, Joan (pronounced Jo han) Daemen and Vincent Rijmen.

² Both DES and Rijndael were made into Federal Information Processing Standards, which means that the systems were approved for sale to the Federal government. The government's purchasing power causes many FIPS to become de facto commercial standards.
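
The parenthetical remark above, that the inverse in GF(2^8) equals the polynomial x^254, follows from the 255 nonzero field elements forming a multiplicative group, so a^255 = 1 for every nonzero a. The Python below is an added example, not code from the paper: it checks the identity exhaustively and shows that x^254 also sends 0 to 0, which plain inversion leaves undefined. It assumes the AES reduction polynomial x^8 + x^4 + x^3 + x + 1, which this excerpt does not state, and its function names are illustrative.

```python
# Added example: inversion in GF(2^8) computed as the polynomial x^254.
# Assumption: the field is built with the AES reduction polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B), which the excerpt above does not state.
AES_MODULUS = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced mod AES_MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:            # degree reached 8: reduce by the modulus
            a ^= AES_MODULUS
        b >>= 1
    return result


def gf_pow(a: int, exponent: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    result = 1
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result


def gf_inv(a: int) -> int:
    """Inverse expressed as a polynomial: a^254, which also maps 0 to 0."""
    return gf_pow(a, 254)


def check_inverse_polynomial() -> bool:
    """Verify a * a^254 == 1 for every nonzero byte, and that 0 maps to 0."""
    nonzero_ok = all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, 256))
    return nonzero_ok and gf_inv(0) == 0


if __name__ == "__main__":
    print("x^254 inverts every nonzero element:", check_inverse_polynomial())
    print("inverse of 0x53 = 0x%02X" % gf_inv(0x53))
```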
doi:10.2307/4145212 fatcat:57fabdawj5ad7e2xhxcbef7vsq