14-Apr-20

Advanced Encryption
Standard (AES)

Dr. Arshad Aziz

Math Behind AES

1
 14-Apr-20

Introduction
• will now introduce finite fields
• of increasing importance in cryptography
– AES, Elliptic Curve, IDEA, Public Key
• concern operations on “numbers”
– where what constitutes a “number” and the
type of operations varies considerably
• start with concepts of groups, rings, fields
from abstract algebra

Modular Arithmetic
• define modulo operator “a mod n” to be
remainder when a is divided by n
• use the term congruence for: a = b mod n
– when divided by n, a & b have same remainder
– eg. 100 = 34 mod 11
• b is called a residue of a mod n
– since with integers can always write: a = qn + b
– usually chose smallest positive remainder as residue
• ie. 0 <= b <= n-1
– process is known as modulo reduction
• eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7

2
 14-Apr-20

Modular Arithmetic Operations

• is 'clock arithmetic'
• uses a finite number of values, and loops
back from either end
• modular arithmetic is when do addition &
multiplication and modulo reduce answer
• can do reduction at any point, ie
– a+b mod n = [a mod n + b mod n] mod n

Galois Fields
• finite fields play a key role in cryptography
• can show number of elements in a finite
field must be a power of a prime pn
• known as Galois fields
• denoted GF(pn)
• in particular often use the fields:
– GF(p)
– GF(2n)

3
 14-Apr-20

Galois Fields GF(p)

• GF(p) is the set of integers {0,1, … , p-1}
with arithmetic operations modulo prime p
• these form a finite field
– since have multiplicative inverses
• hence arithmetic is “well-behaved” and
can do addition, subtraction, multiplication,
and division without leaving the field GF(p)

Modulo 8 Addition Example

+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6

4
 14-Apr-20

GF(7) Multiplication Example

 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1

Polynomial Arithmetic
• can compute using polynomials
f(x) = anxn + an-1xn-1 + … + a1x + a0 = ∑ aixi
• nb. not interested in any specific value of x
• which is known as the indeterminate
• several alternatives available
– ordinary polynomial arithmetic
– poly arithmetic with coords mod p
– poly arithmetic with coords mod p and
polynomials mod m(x)

5
 14-Apr-20

Byte - b7b6b5b4b3b2b1b0
• Bytes represent finite field elements in GF(28), GF means “Galois Field”
• Correspond to a 8 term polynomial, with 0 or 1 coefficients.

b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0

Example:

x6 + x5 + x3 + x2 + 1 polynomial

{0110 1101} binary

6D hex

Byte Addition in GF(28)

• To add 2 finite fields elements in GF(28) we add coefficients of
corresponding powers modulo 2
• In binary: xor () the bytes

Example:

(x6 + x4 + x2 + x + 1) + (x7 + x + 1) = (x7 + x6 + x4 + x2)

{0101 0111}  {1000 0011} = {1101 0100} binary

57  83 = D4 hex

6
 14-Apr-20

Byte Multiplication in GF(28)

• To multiply (denoted by  ) 2 finite fields elements in GF(28) we multiply the
polynomials modulo an irreducible polynomial of degree 8 (i.e. ensures
result is less than degree 8).
• Irreducible if only divisors are 1 and itself. Can find multiplicative inverse
using Extended Euclidean algorithm (with works for any “integral domains”,
certain kinds of rings).
• For AES we use (x8 + x4 + x3 + x + 1) as the irreducible polynomial, i.e.
multiplication is:

c(x) = a(x)  b(x) mod m(x)

where m(x) = (x8 + x4 + x3 + x + 1)

Multiplication  is the basis for non-linear behaviour of AES: it’s easy to understand
over polynomials, but hard to predict as operation on bytes.

Byte Multiplication in GF(28) -

Example
(x7 + x6 + 1)  (x2 + x) = (x9 + x8 + x2) + (x8 + x7 + x)
= x9 + x7 + x2 + x

x
x8 + x4 + x3 + x + 1 x9 + x7 + x2 + x
x9 + x5 + x4 + x2 + x
x7 + x5 + x4

Result = x7 + x5 + x4

7
 14-Apr-20

Finite Field Arithmetic

• In the Advanced Encryption Standard (AES) all
operations are performed on 8-bit bytes
• The arithmetic operations of addition,
multiplication, and division are performed over the
finite field GF(28)
• A field is a set in which we can do addition,
subtraction, multiplication, and division without
leaving the set
• Division is defined with the following rule:
• a /b = a (b-1 )

• An example of a finite field (one with a finite number of

elements) is the set Zp consisting of all the integers
{0, 1, . . . . , p - 1}, where p is a prime number and in
which arithmetic is carried out modulo p

Finite Field Arithmetic

If one of the operations For convenience and for
used in the algorithm is implementation efficiency
division, then we need to we would like to work with
work in arithmetic integers that fit exactly
defined over a field into a given number of
• Division requires that each bits with no wasted bit
nonzero element have a patterns
multiplicative inverse
• Integers in the range 0 through
2n – 1, which fit into an n-bit word

The set of such integers, A finite field containing

Z2n, using modular 2n elements is referred
arithmetic, is not a field to as GF(2n)
• For example, the integer 2 has • Every polynomial in GF(2n) can
no multiplicative inverse in Z2n, be represented by an n-bit
that is, there is no integer b, number
such that 2b mod 2n = 1

8
 14-Apr-20

Origins
• clear a replacement for DES was needed
– have theoretical attacks that can break it
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions &
unclassified analyses

9
 14-Apr-20

AES Evaluation Criteria

• initial criteria:
– security – effort for practical cryptanalysis
– cost – in terms of computational efficiency
– algorithm & implementation characteristics
• final criteria
– general security
– ease of software & hardware implementation
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)

AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - v. simple, v. fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - slow, clean, v. high security margin
– Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
– few complex rounds verses many simple rounds
– which refined existing ciphers verses new proposals

10
 14-Apr-20

The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than feistel cipher
– processes data as block of 4 columns of 4 bytes
– operates on entire data block in every round
• designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– design simplicity

Rijndael/AES
• data block of 4 columns of 4 bytes is state
• key is expanded to array of words
• has 9/11/13 rounds in which state undergoes:
– byte substitution (1 S-box used on every byte)
– shift rows (permute bytes between groups/columns)
– mix columns (subs using matrix multipy of groups)
– add round key (XOR state with key material)
– view as alternating XOR key & scramble data bytes
• initial XOR key material & incomplete last round
• with fast XOR & table lookup implementation

11
 14-Apr-20

Rijndael

© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

12
 14-Apr-20

Detailed Structure
• Processes the entire data block as a single matrix during each round using substitutions and
permutation
• The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]

Four different stages are used:

• Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows – a simple permutation
• MixColumns – a substitution that makes use of arithmetic over GF(28)
• AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key
• The cipher begins and ends with an AddRoundKey stage
• Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block,
followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on
• Each stage is easily reversible
• The decryption algorithm makes use of the expanded key in reverse order, however the decryption
algorithm is not identical to the encryption algorithm
• State is the same for both encryption and decryption
• Final round of both encryption and decryption consists of only three stages

AES ENCRYPTION ALGORITHM

FLOW

USER KEY SUB KEY SUB KEY

IN OUT
ARK BS ARK BS SR ARK

(ROUND-1..9)
SR MC

BS: Byte Substitution

SR: Shift Rows
MC: Mix Column
ARK: Add Round Key
26

13
 14-Apr-20

State
• State is a 4 by 4 array of bytes, initialised (col-by-col) with the 16-
byte plaintext block (see below)
• Final value of state is returned as ciphertext

State 0 1 2 3
0 in[0] in[4] in[8] in[12]
1 in[1] in[5] in[9] in[13]
2 in[2] in[6] in[10] in[14]
3 in[3] in[7] in[11] in[15]

• Bytes of State correspond to finite field elements in GF(28)

• Columns of State correspond to WORDS, i.e. 4-term polynomials with finite
field elements in GF(28), as coefficients.

Convert to State Array

Input block:

0 4 8 12 S0,0 S0,1 S0,2 S0,3

0 1
1
2
3
2
5 9 13
3 4 5
6 10 14
7 11 15
6
= 7 8
S S1,1 S1,2 S1,3
9 1,0
10 11 12 13 14 15
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3

28

14
 14-Apr-20

Byte Substitution
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
• each byte of state is replaced by byte indexed by
row (left 4-bits) & column (right 4-bits)
– eg. byte {95} is replaced by byte in row 9 column 5
– which has value {2A}
• S-box constructed using defined transformation
of values in GF(28)
• designed to be resistant to all known attacks

Table 6.2

(a) S-box
(Table can be found on page 155 in textbook)

15
 14-Apr-20

Table 6.2

(b) Inverse S-box

(Table can be found on page 155 in textbook)

Byte Substitution

16
 14-Apr-20

Shift Rows
• a circular byte shift in each each
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step
permutes bytes between the columns

Shift Rows

17
 14-Apr-20

MixColumn
• Apply MixColumn transformation to each
column s   02 03 01 01   s 
'
0 ,c 0 ,c
'
 s1,c   01 02 03 01   s 1 , c 
 '   
s
 2 ,c  01 01 02 03   s 2 , c 
s'    
 3 ,c   03 01 01 02   s 3 , c 
MixColumns()
S0,1 S’0,1
S’0,c
S0,0 S0,1 S0,2 = ({02}  S0,c)  ({03}  S1,c)  SS’
S0,3 S
2,c0,0 S’3,c S’ S’
0,1 0,2 0,3
S
S1,0 S1,1
1,1 S S S’ S’
S’
1,1 S’
= S0,c  ({02}  S1,c)  ({03}  S2,c)1,0
S’1,c1,3
1,2  S3,c1,1 1,2 S’1,3

S2,0 S
S2,1 S2,2 S2,3 S’ S’ S’2,1 S’2,2 S’2,3
2,1 S’2,c = S0,c  S1,c  ({02}  S2,c )  ({03}2,0
 S3,c
2,1)
S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3
S3,1 S’3,c = ({03}  S0,c)  S1,c  S2,c  ({02}  S’ S3,c
3,1

35

ShiftRows Transformation
• Cyclically rotate LEFT last 3 ROWS of state matrix by 1, 2 and 3 bytes resp.

a b c d a b c d
e f g h Rotate left 1 Byte f g h e
i j k l Rotate left 2 Bytes k l i j
m n o p Rotate left 3 Bytes p m n o

18
 14-Apr-20

ShiftRow
• Last three rows are cyclically shifted

S0,0 S0,1 S0,2 S0,3

S1,0 S1,0 S1,1 S1,2 S1,3

S2,0 S2,1 S2,0 S2,1 S2,2 S2,3

S3,0 S3,1 S3,2 S3,0 S3,1 S3,2 S3,3

37

Mix Columns
• each column is processed separately
• each byte is replaced by a value
dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(28)
using prime poly m(x) =x8+x4+x3+x+1

19
 14-Apr-20

Mix Columns

MixColumns Transformation
• Multiply each column by {03}x3 + {01}x2 + {01}x + {02}
mod (x4 + 1)
i.e. columns are word-polynomials
• This is equivalent to replacing the 4 bytes (m,n,p,q) in a
column as follows:

m {02}m  {03}n  p  q
n m  {02}n  {03}p  q
p m  n  {02}p  {03}q
q {03}m  n  p  {02}q

20
 14-Apr-20

Mix Columns
• can express each col as 4 equations
– to derive each new byte in col
• decryption requires use of inverse matrix
– with larger coefficients, hence a little harder
• have an alternate characterisation
– each column a 4-term polynomial
– with coefficients in GF(28)
– and polynomials multiplied modulo (x4+1)

Add Round Key

• XOR state with 128-bits of the round key
• again processed by column (though
effectively a series of byte operations)
• inverse for decryption identical
– since XOR own inverse, with reversed keys
• designed to be as simple as possible
– a form of Vernam cipher on expanded key
– requires other stages for complexity / security

21
 14-Apr-20

MixColumn
• Apply MixColumn transformation to each
column s   02 03 01 01   s 
'
0 ,c 0 ,c
'
 s1,c   01 02 03 01   s 1 , c 
 '   
s
 2 ,c  01 01 02 03   s 2 , c 
s'    
 3 ,c   03 01 01 02   s 3 , c 
MixColumns()
S0,1 S’0,1
S’0,c
S0,0 S0,1 S0,2 = ({02}  S0,c)  ({03}  S1,c)  SS’
S0,3 S
2,c0,0 S’3,c S’ S’
0,1 0,2 0,3
S
S1,0 S1,1
1,1 S S S’ S’
S’
1,1 S’
= S0,c  ({02}  S1,c)  ({03}  S2,c)1,0
S’1,c1,3
1,2  S3,c1,1 1,2 S’1,3

S2,0 S
S2,1 S2,2 S2,3 S’ S’ S’2,1 S’2,2 S’2,3
2,1 S’2,c = S0,c  S1,c  ({02}  S2,c )  ({03}2,0
 S3,c
2,1)
S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3
S3,1 S’3,c = ({03}  S0,c)  S1,c  S2,c  ({02}  S’ S3,c
3,1

43

Add Round Key

22
 14-Apr-20

AddRoundKey
• XOR each byte of the round key with its
corresponding byte in the state array

XOR
S0,1
S0,0 S0,1 S0,2 S0,3
S1,1 S S
S1,0 S1,1 1,2 1,3 S’0,1
R0,1
S2,0 S S2,2 S2,3 S’0,0 S’0,1 S’0,2 S’0,3
S2,1
2,1 R0,0 R0,1 R0,2 R0,3
S3,0 S3,1 S3,2 S3,3 R1,1 R R S’ S’
1,0 S’1,1 S’ S’
1,1 1,2 1,3
R R
1,0 1,1 1,2 1,3
S3,1 S’2,0S’
S’2,1 S’2,2 S’2,3
R2,0 R2,1 R2,2 R2,3 2,1
R2,1 S’3,0 S’3,1 S’3,2 S’3,3
R3,0 R3,1 R3,2 R3,3
S’3,1
R3,1 45

AddRoundKey Transformation
• The 128 bits of State
are bitwise XORed with
the 128 bits of the Rationale:
round key
• Operation is viewed as Is as simple as possible
and affects every bit of
a columnwise operation State
between the 4 bytes of
a State column and one The complexity of the round
key expansion plus the
word of the round key complexity of the other
stages of AES ensure
• Can also be viewed as a security
byte-level operation

23
 14-Apr-20

State matrix
at beginning
of round

SubBytes

S-box

ShiftRows


02 03 01 01 
 
01
 02 03 01 
MixColumns

01 01 02 03 
 
03
 01 01 02 
MixColumns matrix
Round
key

AddRoundKey

State matrix
at end
of round
Constant inputs Variable input

Figure 6.8 Inputs for Single AES Round

AES Key Expansion

• Takes as input a four-word (16 byte) key and
produces a linear array of 44 words (176) bytes
• This is sufficient to provide a four-word round key for
the initial AddRoundKey stage and each of the 10
rounds of the cipher
• Key is copied into the first four words of the
expanded key
• The remainder of the expanded key is filled in four
words at a time
• Each added word w[i] depends on the
immediately preceding word, w[i – 1], and the
word four positions back, w[i – 4]
• In three out of four cases a simple XOR is used
• For a word whose position in the w array is a multiple
of 4, a more complex function is used

24
 14-Apr-20

k0 k4 k8 k12
w
k1 k5 k9 k13

k2 k6 k10 k14 g
k3 k7 k11 k15 B0 B1 B2 B3

w0 w1 w2 w3 g
B1 B2 B3 B0

S S S S

B1' B2' B3' B0'

w4 w 5 w6 w 7
RCj 0 0 0

w'

(b) Function g
w40 w41 w42 w43

(a) Overall algorithm

Figure 6.9 AES Key Expansion

Key Expansion Rationale

The specific criteria that were used
• The Rijndael are:
developers designed • Knowledge of a part of the cipher key
the expansion key or round key does not enable
algorithm to be calculation of many other round-key
resistant to known bits
cryptanalytic attacks • An invertible transformation
• Speed on a wide range of processors
• Inclusion of a round- • Usage of round constants to eliminate
dependent round symmetries
constant eliminates • Diffusion of cipher key differences into
the symmetry the round keys
between the ways in • Enough nonlinearity to prohibit the full
which round keys are determination of round key
differences from cipher key
generated in different differences only
rounds • Simplicity of description

25
 14-Apr-20

Table 6.3 Example Round Key Calculation

Description Value
i (decimal) 36
temp = w[i - 1] 7F8D292F
RotWord (temp) 8D292F7F

SubWord (RotWord (temp)) 5DA515D2

Rcon (9) 1B000000
SubWord (RotWord (temp))  Rcon (9) 46A515D2
w[i – 4] EAD27321
w[i] = w[i – 4]  SubWord (RotWord (temp))  Rcon (9) AC7766F3

(Table is located on page 166 in the textbook)

Key Words Auxiliary Function

w0 = 0f 15 71 c9 RotWord(w3)= 7f 67 98 af = x 1
w1 = 47 d9 e8 59 SubWord(x1)= d2 85 46 79 = y 1
w2 = 0c b7 ad d6 Rcon(1)= 01 00 00 00
w3 = af 7f 67 98 y1  Rcon(1)= d3 85 46 79 = z 1
w4 = w0  z1 = dc 90 37 b0 RotWord(w7)= 81 15 a7 38 = x 2
SubWord(x4)= 0c 59 5c 07 = y 2
w5 = w4  w1 = 9b 49 df e9 Rcon(2)= 02 00 00 00
w6 = w5  w2 = 97 fe 72 3f
y2  Rcon(2)= 0e 59 5c 07 = z 2
w7 = w6  w3 = 38 81 15 a7
w8 = w4  z2 = d2 c9 6b b7 RotWord(w11)= ff d3 c6 e6 = x 3
SubWord(x2)= 16 66 b4 8e = y 3

Table 6.4
w9 = w8  w5 = 49 80 b4 5e
Rcon(3)= 04 00 00 00
w10 = w9  w6 = de 7e c6 61 y3  Rcon(3)= 12 66 b4 8e = z 3
w11 = w10  w7 = e6 ff d3 c6
w12 = w8  z3 = c0 af df 39 RotWord(w15)= ae 7e c0 b1 = x 4
SubWord(x3)= e4 f3 ba c8 = y 4
w13 = w12  w9 = 89 2f 6b 67 Rcon(4)= 08 00 00 00
w14 = w13  w10 = 57 51 ad 06
Key Expansion w15 = w14  w11 = b1 ae 7e c0
y4  Rcon(4)= ec f3 ba c8 = 4
RotWord(w19)= 8c dd 50 43 = x 5
w16 = w12  z4 = 2c 5c 65 f1
w17 = w16  w13 = a5 73 0e 96 SubWord(x4)= 64 c1 53 1a = y 5
Rcon(5)= 10 00 00 00
w18 = w17  w14 = f2 22 a3 90
y5  Rcon(5)= 74 c1 53 1a = z 5
for w19 = w18  w15 = 43 8c dd 50
w20 = w16  z5 = 58 9d 36 eb RotWord(w23)= 40 46 bd 4c = x 6
SubWord(x5)= 09 5a 7a 29 = y 6
w21 = w20  w17 = fd ee 38 7d Rcon(6)= 20 00 00 00
w22 = w21  w18 = 0f cc 9b ed y6  Rcon(6)= 29 5a 7a 29 = z 6
w23 = w22  w19 = 4c 40 46 bd
AES Example w24 = w20  z6 = 71 c7 4c c2 RotWord(w27)= a5 a9 ef cf = x 7
SubWord(x6)= 06 d3 df 8a = y 7
w25 = w24  w21 = 8c 29 74 bf
Rcon(7)= 40 00 00 00
w26 = w25  w22 = 83 e5 ef 52
y7  Rcon(7)= 46 d3 df 8a = z 7
w27 = w26  w23 = cf a5 a9 ef
w28 = w24  z7 = 37 14 93 48 RotWord(w31)= 7d a1 4a f7 = x 8
SubWord(x7)= ff 32 d6 68 = y 8
w29 = w28  w25 = bb 3d e7 f7 Rcon(8)= 80 00 00 00
w30 = w29  w26 = 38 d8 08 a5 y8  Rcon(8)= 7f 32 d6 68 = z 8
w31 = w30  w27 = f7 7d a1 4a
w32 = w28  z8 = 48 26 45 20 RotWord(w35)= be 0b 38 3c = x 9
w33 = w32  w29 = f3 1b a2 d7 SubWord(x8)= ae 2b 07 eb = y 9
Rcon(9)= 1B 00 00 00
w34 = w33  w30 = cb c3 aa 72
y9  Rcon(9)= b5 2b 07 eb = z 9
w35 = w34  w32 = 3c be 0b 38
w36 = w32  z9 = fd 0d 42 cb RotWord(w39)= 6b 41 56 f9 = x 10
SubWord(x9)= 7f 83 b1 99 = y 10
w37 = w36  w33 = 0e 16 e0 1c Rcon(10)= 36 00 00 00
w38 = w37  w34 = c5 d5 4a 6e y10  Rcon(10)= 49 83 b1 99 = z 10
w39 = w38  w35 = f9 6b 41 56
w40 = w36  z10 = b4 8e f3 52
w41 = w40  w37 = ba 98 13 4e
w42 = w41  w38 = 7f 4d 59 20
w43 = w42  w39 = 86 26 18 76

(Table is located on page 167-168 in the textbook)

26
 14-Apr-20

Table 6.5

AES
EXAMPLE

(Table is located on page 169

in textbook)

Table 6.6

Avalanche
Effect
in AES:
Change
in Plaintext
(Table is located on page 170
in textbook)

27
 14-Apr-20

Round Number of Bits

that Differ
0123456789abcdeffedcba9876543210
0
0123456789abcdeffedcba9876543210
Table 6.7 0
0e3634aece7225b6f26b174ed92b5588
1
0f3634aece7225b6f26b174ed92b5588
657470750fc7ff3fc0e8e8ca 4dd02a9c
1 22
c5a9ad090ec7ff3fc1e8e8ca4cd02a9c
Avalanche 2
5c7bb49a6b72349b05a2317ff46d1294
58
90905fa9563356d15f3760f3b8259985
Effect 3
7115262448dc747e5cdac7227da9bd9c
67
18aeb7aa794b3b66629448d575c7cebf
in 4
f867aee8b437a5210c24c1974cffeabc
f81015f993c978a876ae017cb49e7ee c
63

AES: 5
721eb200ba06206dcbd4bce704fa654e
5955c91b4e769f3cb4a94768e98d5267
81

0ad9d85689f9f77bc1c5f71185e5fb14
Change in 6
dc60a24d137662181e45b8d3726b2920
70

db18a8ffa16d30d5f88b08d777ba4eaa
Key 7
fe8343b8f88bef66cab7e977d005a03c
74

f91b4fbfe934c9bf8f2f85812b084989
8 67
da7dad581d1725c5b72fa0f9d9d1366a
cca104a13e678500ff59025f3bafaa34
9 59
0ccb4c66bbfd912f4b511d72996345e0
(Table is located on page 171
in textbook) ff0b844a0853bf7c6934ab4364148fb9
10 53
fc8923ee501a7d207ab670686839996b

AES Implementation
• AES decryption cipher
is not identical to the Two separate changes are
needed to bring the
encryption cipher decryption structure in line
• The sequence of with the encryption structure
transformations differs
although the form of
the key schedules is
The first two stages of the
the same decryption round need to be
• Has the disadvantage interchanged
that two separate
software or firmware
modules are needed
for applications that The second two stages of the
require both encryption decryption round need to be
and decryption interchanged

28
 14-Apr-20

AES Round

AES Key Expansion

• takes 128-bit (16-byte) key and expands
into array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on
values in previous & 4 places back
– in 3 of 4 cases just XOR these together
– 1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back

29
 14-Apr-20

AES Key Expansion

Key Expansion Rationale

• designed to resist known attacks
• design criteria included
– knowing part key insufficient to find many more
– invertible transformation
– fast on wide range of CPU’s
– use round constants to break symmetry
– diffuse key bits into round keys
– enough non-linearity to hinder analysis
– simplicity of description

30
 14-Apr-20

AES Decryption
• AES decryption is not identical to
encryption since steps done in reverse
• but can define an equivalent inverse
cipher with steps as for encryption
– but using inverses of each step
– with a different key schedule
• works since result is unchanged when
– swap byte substitution & shift rows
– swap mix columns & add (tweaked) round key

AES Decryption

31
 14-Apr-20

The AES Cipher

plaintext

Add round key

Substitute bytes Substitute bytes

Substitute bytes

Shift rows
Round 1
Shift rows

Round 9
Shift rows

Mix columns Mix columns Add round key

Add Round key Add round key Cipher text

W[4,7] W[36,39] W[40,43]

key

The AES Inverse Cipher

ciphertext

Add round key

Inv. Shift rows Inv. Shift rows

Inv. Shift rows

Inv. Sub bytes

Round 1

Inv. Sub bytes

Round 9

Inv. Sub bytes

Add round key Add round key Add round key

Inv. Mix Columns Inv. Mix columns plaintext

W[36,39] W[4,7] W[0,3]

key

32
 14-Apr-20

Key Expansion

• AES-192 and AES-256

– Same as AES-128 except that
– In AES-192, the words are generated in groups
of six instead of 4
– In AES-256, the words are generated in groups
of eight instead of 4

Ciphers
• Ciphers and inverse ciphers in AES

33
 14-Apr-20

Ciphers
• Ciphers and inverse ciphers in AES
– Invertibility of SubBytes and ShiftRows
combinations

Ciphers
• Ciphers and inverse ciphers in AES
– Invertibility of MixColumns and AddRoundKey
combination

34
 14-Apr-20

Ciphers
• Alternative design of ciphers and inverse
ciphers

1.69

Analysis of AES
• Security of AES
– AES is definitely more secure than DES due to
the larger-size key
– Numerous tests have failed to do statistical
analysis of the ciphertext
– There are no differential and linear attacks on
AES as yet

1.70

35
 14-Apr-20

Analysis of AES
• Implementation of AES
– AES can be implemented in software,
hardware, and firmware
– The algorithms used in AES are so simple that
they can be easily implemented using cheap
processors and a minimum amount of memory

1.71

Implementation Aspects
• can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table
of 256 entries
– shift rows is simple byte shift
– add round key works on byte XOR’s
– mix columns requires matrix multiply in GF(28)
which works on byte values, can be simplified
to use table lookups & byte XOR’s

36
 14-Apr-20

Implementation Aspects
• can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256-words
– then each column in each round can be
computed using 4 table lookups + 4 XORs
– at a cost of 4Kb to store tables
• designers believe this very efficient
implementation was a key factor in its
selection as the AES cipher

Summary
• have considered:
– the AES selection process
– the details of Rijndael – the AES cipher
– looked at the steps in each round
– the key expansion
– implementation aspects

37