
Cryptographic primitives should have the nothing-up-my-sleeve property to prove their designers don't have an advantage in using them versus the general public.

For example, Blowfish uses the binary representation of the digits of π to initialize its key schedule. The Salsa20 family of ciphers uses the ASCII string "expand 32-byte k" as constants in its block initialization process.

Now, my question is about the widely used AES cipher. I cannot find any references to how its S-boxes were generated. Recently, it was proven that the Grasshopper block cipher's S-boxes were generated using a hidden algorithm and that this made it potentially weaker.

So, does this mean AES doesn't have the nothing-up-my-sleeve property? Can the designers of AES have an advantage in using it?

Paul Miller

1 Answer


So, does this mean AES doesn't have the nothing-up-my-sleeve property?

That is correct in a sense: the design of the s-box is formulaic. It is generated using finite field inversion, an affine transform, and XOR with a constant (0x63). It can be described as a simple equation.

The other parts of the round transformation also have a very simple description, the most complex being the MixColumns operation.

The key schedule adds a round constant which is generated simply by consecutive multiplication by 2 in a finite field.

Not using NUMS numbers allows the entire encryption operation to be described as an equation in a much simpler manner, and is easier to analyze. Rationale is given for all choices of constants, although some seem... incorrectly chosen, like the s-box constant, which causes a self-inverse mapping (see my comment on answer). A limited number of specifically chosen constants also prevents anything from being hidden in the same manner NUMS numbers do.

Richie Frame
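As an added example (not code from the question or the answer), the construction the answer describes, rebuilt in Python from the algebraic definition: GF(2^8) inversion, the affine map, XOR with 0x63, and the key-schedule round constants by repeated doubling. It also lists the byte pairs the resulting S-box maps onto each other, which is one concrete way to see the "self-inverse" behaviour the answer mentions; the published S-box values and the FIPS-197 inversion example {53} -> {CA} serve as the checks.

```python
# Added example (not the answer's own code): rebuild the AES S-box from
# GF(2^8) inversion + affine transform + 0x63, and the key-schedule rcon.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # subtract the modulus (0x11B) once the x^8 term appears
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254  # a^254 == a^-1 in a group of order 255
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def affine(b: int) -> int:
    """The fixed affine map: XOR of b with its four left rotations, then 0x63."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

def sbox() -> list:
    """The full AES S-box, generated rather than copied from a table."""
    return [affine(gf_inv(x)) for x in range(256)]

def rcon(n: int) -> list:
    """First n round constants: 1, then repeated doubling in GF(2^8)."""
    out, r = [], 1
    for _ in range(n):
        out.append(r)
        r = gf_mul(r, 2)
    return out

def two_cycles() -> list:
    """Pairs (x, y) with S(x) = y and S(y) = x, i.e. bytes the S-box swaps."""
    s = sbox()
    return [(x, s[x]) for x in range(256) if x < s[x] and s[s[x]] == x]
```

Every value here is derived, so the only way to hide a structure in the S-box would be in the choice of polynomial, affine map and constant, each of which AES states explicitly.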