Cipher Book Review, Issue E160

The Design of Rijndael: The Advanced Encryption Standard (AES)
by Joan Daemen and Vincent Rijmen

Springer Verlag 2020.
ISBN 978-3-662-60768-8, ISBN 978-3-662-60769-5 (eBook)
300 pages

Reviewed by Sven Dietrich, 3/21/21

This book about the Rijndael cryptographic cipher takes us back to the late 1990s, somewhat in the middle of those crypto wars and in the aftermath of the failed adoption of the Clipper chip and its associated cipher SKIPJACK. Back then the world was looking at a new hope and an open design for a newer encryption standard to replace the aging Data Encryption Standard (DES). I recall the controversy around cryptography then, the worry about export-grade ciphers in Internet browsers, the worry about exporting strong crypto when traveling to another country from the United States with a laptop.

A competition had been announced by the United States National Institute of Standards and Technology (NIST), to be held openly across the world, for a new Advanced Encryption Standard (AES), in a process much different from what had been done with DES in the 1970s, which was all behind closed doors. The winning finalist of this open competition would be the Rijndael cipher, a subset of which we now call AES, adopted as AES in FIPS PUB 197 in November 2001.

This book, "The Design of Rijndael," written by none other than the authors of the cipher, Joan Daemen and Vincent Rijmen, is now in its updated and renewed second edition, almost 20 years after the first edition in 2002. And the world has changed quite a bit since then: AES has been widely adopted, both in the Internet browser world and on our various Internet-connected devices.

The second edition of the book acts as a refreshed version, updating its terminology to the 2020s and adding four chapters of new material, for a total of about 300 pages in 15 chapters, plus two appendices and reference code in the C programming language.

In the first chapter "The Advanced Encryption Standard Process," the authors set the stage for what was going to be a new milestone in open-research cryptography: an international competition by NIST to replace DES with AES. Here the reader finds out the names of the other competitors in this "crypto game," as well as the requirements imposed by NIST at the time, including the hardware context (Ugh, who remembers the first Intel Pentium processors?).

In the second chapter "Preliminaries," the reader is given the proper background, e.g. in abstract algebra and basic cryptography, to be able to understand the terminology in the book. For those not up to speed, it is a reminder to pull out those math books and catch up. And for the others, it just brings back the right terminology into the proper context.

The third chapter "Specification of Rijndael" introduces the reader to the cipher structure of Rijndael, which is simply a block cipher with both a variable block length and a variable key length. AES is a subset of Rijndael's block and key length options: it fixes the block length at 128 bits and allows key lengths of 128, 192 or 256 bits, and that restriction is the only difference between the two ciphers. The chapter describes the main components of the key-iterated block cipher, such as the various rounds, mixing, and shifting, in the setting of implementation on the hardware of the time.

The fourth chapter "Implementation Aspects" then delves deeper into implementing the cipher, since running on 8-bit processors was one of the requirements. While that may seem extremely restrictive, keep in mind that AES is nowadays found even in embedded devices and smartcards. The reader learns about 32-bit processor implementations, the AES-NI instructions in modern processors, as well as specialized hardware.

In the fifth chapter "Design Philosophy" the authors discuss their approach to designing the cipher, focusing on simplicity and symmetry as key aspects for achieving the security goals. They also state their security goals in modern cryptographic terminology, such as pseudorandom permutation (PRP) advantage and strong pseudorandom permutation (SPRP) advantage, and discuss the declared resistance against forms of linear and differential cryptanalysis, the value of the key-alternating cipher structure, and the key schedule.

The sixth chapter reflects on Rijndael's NIST predecessor, DES, and its vulnerability to both linear and differential cryptanalysis, which are both explained here.

In the seventh chapter "Correlation Matrices," the reader learns about more extensive tools for linear cryptanalysis and to what extent they can be applied to ciphers such as DES or Rijndael.

Following this pattern, in the eighth chapter "Difference Propagation," the reader learns about more tools related to differential cryptanalysis and how they apply to DES. The concept of a differential trail as a component for difference propagation for block ciphers is introduced here.

The ninth chapter "The Wide Trail Strategy" explains the strategy for designing a cipher like Rijndael so that it resists both linear and differential cryptanalysis. The "branch number," a diffusion measure (in the sense of Shannon's diffusion concept), is introduced here, still building up the proper tools for understanding and analyzing the inner workings of the cipher. The round structure of Rijndael is explained further here.
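As an added illustration (not code from the book or its reference implementation), the following computes the differential branch number of a byte-linear map over Rijndael's GF(2^8), applied to the MixColumns matrix and, as a constructed contrast case, the identity matrix. The (S, T) enumeration that replaces the 2^32 brute force, and the function names, are my own.

```python
from itertools import combinations

# Rijndael's field: GF(2^8) reduced by x^8 + x^4 + x^3 + x + 1 (0x11b).
def gf_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_rank(rows):
    """Rank over GF(2^8); rows are scaled rather than normalised, so no inverse is needed."""
    m = [row[:] for row in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        p = m[rank][col]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]  # p*row_r + f*row_pivot zeroes column col (char 2)
                m[r] = [gf_mul(p, x) ^ gf_mul(f, y) for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank

def branch_number(M):
    """min over nonzero a of wt(a) + wt(M*a), weights counted in bytes.
    A nonzero a with support S and M*a vanishing on output rows T exists iff
    the |T| x |S| submatrix M[T,S] has rank < |S|; the sum is then |S| + n - |T|."""
    n = len(M)
    best = n + 1  # Singleton bound; reached iff M is MDS
    for k in range(1, n + 1):
        for S in combinations(range(n), k):
            for t in range(k, n + 1):  # t < k cannot beat n + 1
                for T in combinations(range(n), t):
                    sub = [[M[i][j] for j in S] for i in T]
                    if gf_rank(sub) < k:
                        best = min(best, k + n - t)
    return best

MIX_COLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # Rijndael MixColumns
IDENTITY4 = [[int(i == j) for j in range(4)] for i in range(4)]  # constructed: no diffusion
```

MixColumns reaches the maximum branch number 5 for a 4-byte column (it is MDS), while the identity map scores only 2; the gap is exactly the diffusion the wide trail strategy relies on.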

The tenth chapter "Cryptanalysis," after the previous three chapters covered the resistance to linear and differential cryptanalysis (a major concern in the late 1990s), elaborates on other attacks on the cipher, such as truncated differentials and saturation attacks (since such attacks worked on Square, the natural predecessor of Rijndael), most of which work on reduced-round versions of the cipher. The reader also finds out about related-key attacks, interpolation attacks, and biclique attacks, among others, but the list is by no means complete by the authors' own admission. Last but not least, the authors mention implementation attacks, as well as the usual side channels that can be found, such as power analysis and timing attacks.

In the eleventh chapter "The Road to Rijndael," the roadmap for the inception of Rijndael is revealed, as a natural evolution from previous ciphers such as SHARK, Square and BKSQ, with some technical background on each and a direct connection to Rijndael. Those three, as well as Rijndael, are all key-iterated block ciphers. Chapter twelve of the second edition, "Correlation Analysis in GF(2^n)," is a reworking of Appendix A of the first edition together with newer material. Our dear friend Evariste Galois comes to the rescue in a generalized form of Rijndael which the authors call Rijndael-GF, giving a more general approach to correlation analysis.

In chapter thirteen "On the EDP and the ELP of Two and Four Rijndael Rounds," the authors build on earlier results from chapters 7 and 8 and expand on the expected differential probability (EDP) and expected linear potential (ELP). Here the reader must flip back to chapters 7 and 8 to connect the dots.

Chapter fourteen "Two-Round Differential Trail Clustering" goes into more detail on analyses of reduced-round Rijndael, based on material published since the first edition of the book. Back references to chapters 3, 9, and 13 are essential for capturing the material.

In chapter fifteen "Plateau Trails," the authors bring in further material from earlier work to explain plateau trails as a means for looking at the resistance of Rijndael to differential cryptanalysis.

Finally the book wraps up with Appendices on "Substitution Tables" and "Test Vectors." And of course the reader gets to parse the C code as a reference implementation of Rijndael.

Overall the book is a great insight into the design of Rijndael and the Advanced Encryption Standard (aka AES). The reader, whether an undergraduate or graduate student or even a professional, gets to understand what was on the designers' minds when creating this cipher, nowadays known as AES, which has become omnipresent in the context of secure communications in the 2020s. The second edition retrofits the first edition with modern terminology so that one can connect modern cryptography articles to the nomenclature that was in use in the late 1990s, as well as putting Rijndael in the proper light with respect to what has happened in terms of cryptanalysis since.

I enjoyed reading this book, which is now sitting on my new office bookshelves, as it brought back memories of the late 1990s and early 2000s crypto waiting game, going from round to round in the NIST competition. And then there was Rijndael.


Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org