Parts VIII–IX:
AES, RSA & Factoring

Bartosz Naskręcki

Elements of Cryptanalysis • Adam Mickiewicz University

Chapters 22–27

Part VIII

AES and Rijndael — Chapters 22–24

Chapter 22

Finite Field Arithmetic

The Field \(\mathrm{GF}(2^8)\)

Definition — \(\mathrm{GF}(2^8)\)
Elements are polynomials in \(\mathbb{F}_2[x]/(m(x))\) where \[ m(x) = x^8 + x^4 + x^3 + x + 1 \] Addition = XOR of coefficients. Multiplication = polynomial product mod \(m(x)\).
Key Properties
  • Every nonzero element has a multiplicative inverse
  • The multiplicative group \(\mathrm{GF}(2^8)^* \cong \mathbb{Z}_{255}\) is cyclic
  • The xtime operation: multiply by \(x\), reduce mod \(m(x)\) if needed

Chapter 23

AES (Rijndael) Design

AES Round Structure

AES-128: 10 Rounds
Each round applies four operations to the \(4 \times 4\) state matrix:
  1. SubBytes: \(S(a) = A \cdot a^{-1} + c\) in \(\mathrm{GF}(2^8)\) — nonlinear
  2. ShiftRows: cyclic left-shift row \(i\) by \(i\) positions
  3. MixColumns: multiply each column by fixed MDS matrix in \(\mathrm{GF}(2^8)\)
  4. AddRoundKey: XOR with round key
S-Box Properties
Differential uniformity \(\delta = 4\), nonlinearity \(\mathcal{NL} = 112\), algebraic degree 7.
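As an added example (not from the lecture notes), the \(\mathrm{GF}(2^8)\) arithmetic of Chapter 22 and the SubBytes map of Chapter 23 in Python: xtime, multiplication, inversion as \(a^{254}\), the order of an element in the cyclic group \(\mathrm{GF}(2^8)^*\), and the S-box \(S(a) = A \cdot a^{-1} + c\). The constant \(c = \mathtt{0x63}\) and the rotation form of the affine matrix \(A\) are the standard AES (FIPS 197) values, not taken from the slides.

```python
# Added example (not from the lecture): GF(2^8) arithmetic with the AES
# polynomial m(x) = x^8 + x^4 + x^3 + x + 1, and the SubBytes S-box
# S(a) = A * a^{-1} + c built from it (Chapters 22-23).

AES_POLY = 0x11B  # coefficient bits of m(x) = x^8 + x^4 + x^3 + x + 1


def xtime(a: int) -> int:
    """Multiply by x: shift left, reduce mod m(x) when the x^8 term appears."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Field product via repeated xtime; field addition is XOR."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Inverse as a^254 (a^255 = 1 for a != 0); AES maps 0 to 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def mult_order(g: int) -> int:
    """Order of g in GF(2^8)^*; a generator has order 255 (cyclic group)."""
    k, v = 1, g
    while v != 1:
        v, k = gf_mul(v, g), k + 1
    return k


def sbox(a: int) -> int:
    """SubBytes: invert, then the GF(2)-affine map A*b + c with c = 0x63.
    Row i of A gives s_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7),
    i.e. b XORed with its left rotations by 1..4 bits (FIPS 197)."""
    b = gf_inv(a)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63
```

Note that \(x\) itself (0x02) has order 51, so \(m(x)\) is irreducible but not primitive; 0x03 is a generator of the full group of order 255.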

NIST Competition & Key Schedule

Finalist | Block | Structure | Result
Rijndael | 128 | SPN | Winner
Serpent | 128 | SPN (32 rounds) | Runner-up
Twofish | 128 | Feistel | Finalist
RC6 | 128 | Feistel variant | Finalist
MARS | 128 | Heterogeneous | Finalist
Key Schedule
128-bit key → 44 words via: RotWord, SubWord, XOR with Rcon. Variants: AES-128 (10 rounds), AES-192 (12), AES-256 (14).

Chapter 24

AES Security & Wide Trail Strategy

Provable Security Bounds

Wide Trail Strategy
Branch number of a linear transformation \(\theta\): \[ \mathcal{B}(\theta) = \min_{a \neq 0} (\mathrm{wt}(a) + \mathrm{wt}(\theta(a))) \] AES MixColumns: \(\mathcal{B} = 5\). After 4 rounds: \(\geq 25\) active S-boxes.
Security Margins
  • Best differential probability per S-box: \(2^{-6}\)
  • 4-round bound: \(25\) active S-boxes ⇒ \(p \leq (2^{-6})^{25} = 2^{-150}\)
  • Best linear bias per S-box: \(2^{-3}\)
  • Full AES-128: complexity \(\gg 2^{128}\) for both attacks
Attack | Rounds | Complexity
Biclique | 10 | \(2^{126.1}\)
Square | 7 | \(2^{128}\)
Related-key (AES-256) | 14 | \(2^{99.5}\)

Part IX

RSA and Factoring — Chapters 25–27

Chapter 25

The RSA Cryptosystem

RSA: Key Generation & Operations

RSA Key Generation
  1. Choose large primes \(p, q\); compute \(n = pq\)
  2. Compute \(\phi(n) = (p-1)(q-1)\)
  3. Choose \(e\) with \(\gcd(e, \phi(n)) = 1\); compute \(d = e^{-1} \bmod \phi(n)\)
Public key: \((n, e)\). Private key: \(d\).
Encrypt / Decrypt
\[ c = m^e \bmod n, \qquad m = c^d \bmod n \]
Correctness (Euler’s Theorem)
\(m^{ed} = m^{1 + k\phi(n)} = m \cdot (m^{\phi(n)})^k \equiv m \pmod{n}\) for \(\gcd(m, n) = 1\); the remaining case follows by checking the congruence modulo \(p\) and \(q\) separately (CRT).

Chapter 26

Attacks on RSA

Classical RSA Attacks

Wiener’s Attack (small \(d\))
If \(d < \frac{1}{3}n^{1/4}\), the continued fraction expansion of \(e/n\) reveals \(d\). Runs in polynomial time.
Håstad’s Broadcast Attack (small \(e\))
If the same message \(m\) is sent to \(e\) recipients with the same \(e\), CRT gives \(m^e \bmod (n_1 \cdots n_e)\); since \(m < \min n_i\), we have \(m^e < n_1 \cdots n_e\), so \(m = (m^e)^{1/e}\) is an exact integer root over \(\mathbb{Z}\).
Attack | Condition | Complexity
Wiener | \(d < n^{0.25}/3\) | Polynomial
Håstad | \(e\) copies, same \(m\) | Polynomial
Coppersmith | Partial knowledge | Polynomial
Fermat | \(|p-q|\) small | \(O(n^{1/4}/|p-q|)\)

Chapter 27

Integer Factoring Algorithms

The Factoring Landscape

L-notation
\[ L_n[\alpha, c] = \exp\big(c \cdot (\ln n)^\alpha (\ln \ln n)^{1-\alpha}\big) \] \(\alpha = 0\): polynomial. \(\alpha = 1\): exponential. \(0 < \alpha < 1\): sub-exponential.
Algorithm | Complexity | Type
Trial division | \(O(\sqrt{n})\) | Exponential
Pollard \(\rho\) | \(O(n^{1/4})\) | Exponential
Pollard \(p{-}1\) | \(O(B \log n)\) | Special
QS | \(L_n[1/2, 1]\) | Sub-exp
GNFS | \(L_n[1/3, 1.923]\) | Sub-exp

Current record: RSA-250 (829 bits) factored in 2020 using GNFS.

Parts VIII–IX: Summary

Ch | Topic | Key Result
22 | Finite fields | \(\mathrm{GF}(2^8)\) arithmetic, irreducible \(m(x)\)
23 | AES design | SubBytes + ShiftRows + MixColumns + AddRoundKey
24 | AES security | Wide trail: \(\geq 25\) active S-boxes in 4 rounds
25 | RSA | \(c = m^e \bmod n\), security = factoring \(n = pq\)
26 | Attacks on RSA | Wiener, Håstad, Coppersmith, Fermat
27 | Factoring | GNFS: \(L_n[1/3, 1.923]\), sub-exponential

End of Parts VIII–IX