
Cryptographic primitives should have the nothing-up-my-sleeve property to prove that their designers don't have an advantage in using them over the general public.

For example, Blowfish uses the binary representation of the digits of π to initialize its key schedule. The Salsa20 family of ciphers uses the ASCII string "expand 32-byte k" as constants in its block initialization process.

Now, my question is about the widely used AES cipher. I cannot find any references to how its S-boxes were generated. Recently, it was proven that the Grasshopper block cipher's S-boxes were generated using a hidden algorithm and that this made it potentially weaker.

So, does this mean AES doesn't have the nothing-up-my-sleeve property? Can the designers of AES have an advantage in using it?

Paul Miller
    The AES S-box is generated using the multiplicative inverse in GF(2^8) + an affine transformation – hardyrama Jan 31 '20 at 06:45
  • 3
    You should look for the document called "The Design of Rijndael". Everything about AES' design is argued there. – Yuon Jan 31 '20 at 11:06
  • possibly related https://crypto.stackexchange.com/questions/17932/choice-of-multiplication-polynomial-in-rijndael-s-box-affine-mapping – Richie Frame Jan 31 '20 at 21:05
  • might be helpful: https://mailarchive.ietf.org/arch/msg/cfrg/iGeC0IO9K0AGS_AvUHcOLMfd8Dk – hardyrama Feb 01 '20 at 15:37
  • Also helpful https://who.paris.inria.fr/Leo.Perrin/pi.html for more feedback of the original author re:mailarchive. – Paul Miller Feb 03 '20 at 04:36

1 Answer

So, does this mean AES doesn't have the nothing-up-my-sleeve property?

That is correct in a sense: the design of the S-box is formulaic. It is generated using finite field inversion, an affine transform, and XOR with a constant (0x63). It can be described as a simple equation.

The other parts of the round transformation also have a very simple description, the most complex being the MixColumns operation.

The key schedule adds a round constant which is generated simply by consecutive multiplication by 2 in a finite field.

Not using NUMS numbers allows the entire encryption operation to be described as an equation in a much simpler manner, and is easier to analyze. Rationale is given for all choices of constants, although some seem... incorrectly chosen, like the S-box constant, which causes a self-inverse mapping (see my comment on the answer). A limited number of specifically chosen constants also prevents anything from being hidden in the same manner NUMS numbers do.

Richie Frame
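As an added worked example (not code from the answer above or from the AES designers), the following Python rebuilds the S-box exactly as the answer describes it (GF(2^8) inversion, the affine transform, XOR with 0x63) and the key-schedule round constants by repeated multiplication by 2 in GF(2^8). The reduction polynomial and the check values (S[0x53] = 0xED, {57}·{83} = {C1}) are the ones published in FIPS-197.

```python
# Rebuild the AES S-box and round constants from their published formulas.
# Added example; nothing here is taken from the answer's own text or code.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 is mapped to 0 by convention."""
    if a == 0:
        return 0
    # In a field of 256 elements, a^254 == a^-1 (square-and-multiply).
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def affine(b: int) -> int:
    """Rijndael affine map: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def sbox() -> list:
    """The full 256-entry AES S-box, derived rather than copied from a table."""
    return [affine(gf_inv(x)) for x in range(256)]


def rcon(n: int) -> list:
    """First n round constants: 0x01, then repeated doubling in GF(2^8)."""
    out, r = [], 1
    for _ in range(n):
        out.append(r)
        r = gf_mul(r, 2)
    return out
```

Because every entry is recomputed from the formula, the derived table can be compared byte for byte against any S-box an implementation ships, which is the practical way to confirm there is no hidden table in the design.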