
Lec-5 AES

Uploaded by

charvipm
Copyright © All Rights Reserved

Lecture 5-AES

Cryptography
Advanced Encryption Standard
Origins
▪ A replacement for DES was needed
▪ Key size is too small
▪ Can use Triple-DES – but slow, small block
▪ US NIST issued call for ciphers in 1997
▪ 15 candidates accepted in Jun 98
▪ 5 were shortlisted in Aug 99

AES Evaluation Criteria
▪ The criteria defined by NIST for selecting AES fall into three areas: security, cost, and implementation.
• Security: The main emphasis was on security. Because NIST explicitly demanded a 128-bit key, this criterion focused on resistance to cryptanalysis attacks other than brute-force attack.
• Cost: The second criterion was cost, which covers the computational efficiency and storage requirement for different implementations such as hardware, software, or smart cards.
• Implementation: This criterion included the requirement that the algorithm must have flexibility and simplicity.

The AES Cipher - Rijndael
▪ Rijndael was selected as the AES in Oct-2000
▪ Designed by Vincent Rijmen and Joan Daemen in Belgium
▪ Issued as FIPS PUB 197 standard in Nov-2001
▪ An iterative rather than Feistel cipher
▪ Processes data as block of 4 columns of 4 bytes (128 bits)
▪ Operates on entire data block in every round
▪ Rijndael design:
▪ simplicity
▪ has 128/192/256-bit keys, 128-bit blocks
▪ resistant against known attacks
▪ speed and code compactness on many CPUs

AES Conceptual Scheme
Figure: Plaintext (128 bits), AES Key (128/192/256 bits), Ciphertext (128 bits)

Multiple rounds
▪ Rounds are (almost) identical
▪ First and last round are a little different
▪ AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys are always 128 bits.
▪ AES uses a substitution-permutation network. DES uses a Feistel network.

Description
▪ Key Expansion
• Round keys are derived from the cipher key using Rijndael's key schedule
▪ Initial Round
• AddRoundKey: each byte of the state is combined with the round key using bitwise XOR
▪ Rounds
• SubBytes: non-linear substitution step
• ShiftRows: transposition step
• MixColumns: mixing operation of each column
• AddRoundKey
▪ Final Round (no MixColumns)
• SubBytes
• ShiftRows
• AddRoundKey

Overall Structure
128-bit (16-byte) values of plaintext
▪ A block in AES is a group of 128 bits. However, a block can be represented as a row matrix of 16 bytes
▪ Data block viewed as 4-by-4 table of bytes
▪ Represented as 4 by 4 matrix of 8-bit bytes.
▪ Key is expanded to array of 32-bit words

The AES state representation
▪ AES uses several rounds in which each round is made of several stages. Input block is transformed from one stage to another. At the beginning and end of the cipher, AES uses the term Input block; before and after each stage, the Input block is referred to as a state.
▪ 16 bytes (128 bits) are arranged in a 4 x 4 array

Details of Each Round
SubBytes: Byte Substitution
▪ A simple substitution of each byte
▪ Provides confusion
▪ AES, like DES, uses substitution. However, the mechanism is different.
• First, the substitution is done for each byte.
• Second, only one table is used for the transformation of every byte, which means that if two bytes are the same, the transformation is also the same.
▪ Each byte of state is replaced by byte indexed by row (left 4 bits) & column (right 4 bits)
▪ e.g. byte {95} is replaced by byte in row 9 column 5, which has value {2A}
SubBytes Table
▪ Implement by table lookup
InvSubBytes Table
Sample SubByte Transformation
▪ The SubBytes and InvSubBytes transformations are inverses of each other.

ShiftRows
▪ Shifting, which permutes the bytes.
▪ A circular byte shift in each row
▪ 1st row is unchanged
▪ 2nd row does 1 byte circular shift to left
▪ 3rd row does 2 byte circular shift to left
▪ 4th row does 3 byte circular shift to left
▪ In the encryption, the transformation is called ShiftRows
▪ In the decryption, the transformation is called InvShiftRows and the shifting is to the right
ShiftRows Scheme
ShiftRows and InvShiftRows
MixColumns
▪ ShiftRows and MixColumns provide diffusion to the cipher
▪ Each column is processed separately
▪ Each byte is replaced by a value dependent on all 4 bytes in the column
MixColumns Scheme
The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
MixColumn and InvMixColumn
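An added example (not from the original slides) of how ShiftRows and MixColumns together spread a one-byte difference across the state. It assumes the FIPS 197 state layout and MixColumns matrix (rows are rotations of 02 03 01 01), which the slides show only as figures; all names are this example's own.

```python
# Added example, not from the slides. The state is a flat list of 16 bytes in
# FIPS 197 order: index r + 4*c holds row r, column c. Names are this example's own.

def xtime(a):                        # multiply by {02} in GF(2^8), modulus 0x11B
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def shift_rows(s):                   # row r rotates left by r bytes
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def inv_shift_rows(s):               # row r rotates right by r bytes
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def mix_column(col):                 # rows of the matrix are rotations of 02 03 01 01
    out = []
    for r in range(4):
        a, b, c, d = (col[(r + k) % 4] for k in range(4))
        out.append(xtime(a) ^ (xtime(b) ^ b) ^ c ^ d)   # 02*a + 03*b + c + d
    return out

def mix_columns(s):                  # each column is processed separately
    return [x for c in range(4) for x in mix_column(s[4 * c:4 * c + 4])]

def inv_mix_columns(s):              # the matrix has order 4, so its inverse is its cube
    for _ in range(3):
        s = mix_columns(s)
    return s

def diffusion(rounds, flipped_index=0):
    """Bytes that differ after `rounds` of ShiftRows + MixColumns when two
    states start out differing in one byte (SubBytes/AddRoundKey left out)."""
    a = list(range(16))              # constructed sample state
    b = list(a)
    b[flipped_index] ^= 0x01
    for _ in range(rounds):
        a, b = mix_columns(shift_rows(a)), mix_columns(shift_rows(b))
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    print([diffusion(n) for n in range(3)])
```

With the constructed state, the number of differing bytes goes from 1 to 4 to 16 over zero, one and two rounds: MixColumns fills one column, ShiftRows then moves those four bytes into four different columns.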
RoundKey
▪ A round key is organized as words of 32 bits, each of which can be treated as a single entity, a row matrix of four bytes, or a column matrix of four bytes.
AddRoundKey
▪ XOR state with 128 bits of the round key
▪ AddRoundKey proceeds one column at a time.
▪ adds a round key word with each state column matrix
▪ the operation is matrix addition
▪ Inverse for decryption is identical, since XOR is its own inverse, with reversed keys
▪ Designed to be as simple as possible
AddRoundKey Scheme
AES Key Scheduling
▪ Takes 128-bit (16-byte) key and expands into array of 44 32-bit words
Key Expansion Scheme
▪ The process is as follows:
• The first four words ($w_0$, $w_1$, $w_2$, $w_3$) are made from the cipher key. The cipher key is thought of as an array of 16 bytes ($k_0$ to $k_{15}$). The first four bytes ($k_0$ to $k_3$) become $w_0$; the next four bytes ($k_4$ to $k_7$) become $w_1$; and so on.
• In other words, the concatenation of the words in this group replicates the cipher key.
• The rest of the words ($w_i$ for $i$ = 4 to 43) are made as follows:
a. If $(i \bmod 4) \neq 0$, $w_i = w_{i-1} \oplus w_{i-4}$. Referring to the figure, this means each word is made from the one at the left and the one at the top.
b. If $(i \bmod 4) = 0$, $w_i = t \oplus w_{i-4}$. Here $t$, a temporary word, is the result of applying two routines, SubWord and RotWord, on $w_{i-1}$ and XORing the result with a round constant, RCon.
Key Expansion submodule
▪ RotWord performs a one byte circular left shift on a word. Similar to ShiftRows, but it is applied on only one row. For example:

RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0]

▪ SubWord performs a byte substitution on each byte of input word using the S-box. The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only to four bytes.
▪ SubWord(RotWord(temp)) is XORed with RCon[j] – the round constant
Round Constant (RCon)
▪ RCon is a word in which the three rightmost bytes are zero
▪ It is different for each round and defined as:
RCon[j] = (RCon[j],0,0,0)
where RCon[1] = 1, RCon[j] = 2 * RCon[j-1]
▪ Multiplication is defined over GF(2^8) but can be implemented by table lookup
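The SubBytes table lookup and the key expansion steps above, as an added example that is not part of the original slides. The S-box is built from its FIPS 197 definition (multiplicative inverse in GF(2^8) followed by an affine transform, a construction the slides do not cover) and then used by SubWord in the AES-128 key schedule. Function names are this example's own, RCON holds only the non-zero leading byte of each round constant, and the key is the example key from FIPS 197 Appendix A.1.

```python
# Added example, not from the slides; all function names are this example's own.
def xtime(a):                      # multiply by {02} in GF(2^8), modulus 0x11B
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):                    # shift-and-add multiplication in GF(2^8)
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox():                  # affine transform of the GF(2^8) inverse
    sbox = []
    for a in range(256):
        inv = 1
        for _ in range(254):       # a^254 = a^-1; 0 stays 0
            inv = gmul(inv, a)
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]   # table for InvSubBytes
RCON = [0x01]                      # RCon[1] = 1, RCon[j] = 2 * RCon[j-1]
while len(RCON) < 10:
    RCON.append(xtime(RCON[-1]))

def rot_word(w):                   # [b0,b1,b2,b3] -> [b1,b2,b3,b0]
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def sub_word(w):                   # S-box applied to each of the four bytes
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def expand_key_128(key):           # 16-byte cipher key -> words w0..w43
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:             # t = SubWord(RotWord(w[i-1])) xor RCon
            t = sub_word(rot_word(t)) ^ (RCON[i // 4 - 1] << 24)
        w.append(t ^ w[i - 4])
    return w

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS 197 App. A.1 example key
if __name__ == "__main__":
    print(hex(SBOX[0x95]), [f"{x:08x}" for x in expand_key_128(KEY)[4:8]])
```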
AES Encryption & Decryption
▪ In AES, the transformations in the reverse cipher are rearranged to make the order of transformations the same in the cipher and reverse cipher.
AES Security
▪ AES was designed after DES.
▪ Most of the known attacks on DES were already tested on AES.
▪ Brute-Force Attack
▪ AES is definitely more secure than DES due to the larger-size key.
▪ Statistical Attacks
▪ Numerous tests have failed to do statistical analysis of the ciphertext.
Implementation Aspects
▪ The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
▪ Very efficient
▪ Implementation was a key factor in its selection as the AES cipher
