2. Origins of AES
replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES – but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
3. AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
– DES 168 bit key (56*3)
– Slow in software 16* 3 rounds + key expansion!
– Designed for 70’s hardware
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions &
unclassified analyses
4. AES Evaluation Criteria
• initial criteria:
– security – effort for practical cryptanalysis
– cost – in terms of computational efficiency
– algorithm & implementation characteristics
• final criteria
– general security
– ease of software & hardware implementation
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)
5. AES Shortlist
• After testing and evaluation, shortlist in August 1999:
1. MARS (IBM) - complex, fast, high security margin
2. RC6 (USA) - very simple, very fast, low security
margin
3. Rijndael (Belgium) - clean, fast, good security margin
4. Serpent (Euro) - slow, clean, very high security
margin
5. Twofish (USA) - complex, very fast, high security
margin
6. • Then subject to further analysis and comment.
• Saw contrast between algorithms with
few complex rounds verses many simple rounds
which refined existing ciphers verses new proposals
AES Shortlist
7. AES Shortlist
• The finalists and their scores were as follows:
1. Rijndael (from Joan Daemen and Vincent Rijmen, 86
votes).
2. Serpent (from Ross Anderson, Eli Biham, and Lars
Knudsen, 59 votes).
3. Twofish (from a team headed by Bruce Schneier, 31 votes).
4. RC6 (from RSA Laboratories, 23 votes).
5. MARS (from IBM, 13 votes).
8. The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
9. AES is a non-Feistel cipher that encrypts and decrypts a
data block of 128 bits. It uses 10, 12, or 14 rounds. The
key size, which can be 128, 192, or 256 bits, depends on
the number of rounds.
AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or
256), but the round keys are always 128 bits.
Rounds
11. The AES Cipher - Rijndael
• Processes data as 4 groups of 4 bytes (state)
• Has 9/11/13 rounds in which state undergoes:
Byte substitution (1 S-box used on every byte)
Shift rows (permute bytes between groups/columns)
Mix columns (subs using matrix multiply of groups)
Add round key (XOR state with key material)
• Initial XOR key material and incomplete last round.
• All operations can be combined into XOR and table
lookups - hence very fast and efficient.
16. Changing plaintext to state
Plain text: AESUSESAMATRIX
A E S U S E S A M A T R I X Z Z
41 45 53 55 53 45 53 41 4D 41 54 52 49 58 5A 5A
PLAIN TEXT (CHARACTER )
PLAIN TEXT (HEXADECIMAL )
A
A
D
5
52
41
55
5
54
53
53
58
41
45
45
49
4
53
41
STATE
19. Substitution
AES, like DES, uses substitution. AES uses two
invertible transformations.
1. SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.
The SubBytes operation involves 16 independent
byte-to-byte transformations.
20. Byte Substitution
• A simple substitution of each byte.
• Uses one table of 16x16 bytes containing a permutation
of all 256 8-bit values.
• Each byte of state is replaced by byte in row (left 4-bits)
and column (right 4-bits).
e.g., byte {95} is replaced by row 9 col 5 byte, which
is the value {2A}.
• S-box is constructed using a defined transformation of
the values in GF(28).
• Designed to be resistant to all known attacks.
25. Example
Fig. shows how a state is transformed using the SubBytes
transformation. The figure also shows that the InvSubBytes
transformation creates the original one. Note that if the two bytes
have the same values, their transformation is also the same.
SubBytes transformation for Example
26. Permutation
Another transformation found in a round is shifting, which
permutes the bytes.
2. ShiftRows
In the encryption, the transformation is called ShiftRows.
ShiftRows transformation
28. Shift Rows
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16
1 5 9 13
6 10 14 2
11 15 3 7
16 4 8 12
1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
Shift left 0 (No shift)
Shift left 1
Shift left 2
Shift left 3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Assume we have 16 byte block from 1 to 16
Convert the 16-byte block to a two-dimensional 4x4 matrix by filling column by column
Convert the two-dimensional 4x4 matrix to a 16-byte block by reading column by column
29. 1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Example
43 51 4D 50 55 54 45 52 20 53 43 49 45 4E 43 45
Plaintext
(Hexadecimal)
C O M P U T E R S C I E N C E
Plaintext
(Character)
1A D1 E3 53 FC 20 6E 00 B7 ED 1A 3B 6E 2F 1A 6E
After Substitution
(Hexadecimal)
1A 20 1A 6E FC ED 1A 53 B7 2F E3 00 6E D1 6E 3B
After Shifting
(Hexadecimal)
30. 3.Mix Columns
• Each column is processed separately.
• Each byte is replaced by a value dependent on all 4
bytes in the column.
• Effectively a matrix multiplication in GF(28) using prime
poly m(x) = x8 + x4 + x3 + x + 1.
33. Mixing
We need an interbyte transformation that changes the
bits inside a byte, based on the bits inside the
neighboring bytes. We need to mix bytes to provide
diffusion at the bit level.
Mixing bytes using matrix multiplication
36. Figure shows how a state is transformed using the MixColumns
transformation. The figure also shows that the InvMixColumns
transformation creates the original one.
The MixColumns transformation in Example 7.5
37. 1st column of the result is obtained by:
{02){87}+{03}{6E}+{46}+{A6} = {47}
{87}+{02}{6E}+{03}{46}+{A6} = {37}
{87}+{6E}+{02}{46}+{03}{A6} = {94}
{03}{87}+{6E}+{46}+{02}{A6} = {ED}
For the 1st equation, we have {02}{87}=(0000 0010)(1000 0111)=
1
)
1
mod(
)
(
)
1
( 2
4
3
4
8
2
3
8
2
7
x
x
x
x
x
x
x
x
x
x
x
x
x
x
= (0001 0101)={15}
Example of MixColumns
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
=
MixColumns
Constant matrices
State Result
38. {03}{6E}=(0000 0011)(0110 1110)=
x
x
x
x
x
x
x
x
x
x
4
5
7
2
3
5
6
)
)(
1
(
=
(1011 0010) = {B2}
{02){87}+{03}{6E}+{46}+{A6}={15}+{B2}+{46}+{A6}=
(0001 0101)+
(1011 0010)+
(0100 0110)+
(1010 0110)=
(0100 0111)={47}
NOTE :
MULTIPLICATION A VALUE X BY {02} CAN BE
IMPLEMENTED AS 1-BIT LEFT SHIFT FOLLOWED BY
A CONDITIONAL BITWISE XOR WITH (0001 1011) (1B )
IF THE LEFT MOST BIT OF THE ORIGINAL VALUE (
PRIORE TO SHIFT IS 1)
39.
40. 4. AddRoundKey Transformation
The 128 bit of the state are bitwise XORed with the 128 bit
of round key. As sown in Fig. below , the operation is
viewed as columnwise operation between the 4 bytes of the
state column and one word of the round key.
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A
EB 59 8B 1B
40 2E A1 C3
F2 38 13 42
1E 84 E7 D6
State Key State ♁Key
47= 0100 0111
AC= 1010 1100
-----------------------
EB = 1110 1011
♁
37= 0011 0111
40 = 0111 0111
-----------------------
40= 0100 0000
♁ ♁ 94= 1001 0100
66= 0110 0110
-----------------------
F2= 1111 0010
42. AES Key Expansion
• Takes 128-bit (16-byte) key and expands into array of 44/52/60
32-bit words.
• Start by copying key into first 4 words.
• Then loop creating words that depend on values in previous
and 4 places back.
In 3 of 4 cases just XOR these together.
Every 4th has S-box + rotate + XOR constant of previous
before XOR together.
• Designed to resist known attacks.
44. Steps for computing g function
1. RotWord perform one-byte circular left shift on word , this means that an
input word [B0,B1,B2,B3] is transformed into [ B1,B2,B3,B0]
2. Subword perform a Byte substitution on each byte of its input word , using
the S-Box
3. The result in step (2) is XORed with a round constant. Rcon[j], the round
constant is a word in which the three rightmost bytes are always (0) , and is
defined as Rcon[j]=(RC[j],0,0,0), and the values of RC[j] in hexadecimal are
Rcon[1]=1
Rcon[j]=2.Recon[j-1]
45. Table below shows how the keys for each round are calculated
assuming that the 128-bit cipher key agreed upon by Alice and
Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)16.
Example:
48. AES Decryption
AES decryption is not identical to encryption
since steps done in reverse
but can define an equivalent inverse cipher
with steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications. The AES cipher (& other candidates) form the latest generation of block ciphers, and now we see a significant increase in the block size - from the old standard of 64-bits up to 128-bits; and keys from 128 to 256-bits. In part this has been driven by the public demonstrations of exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in s/w. In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of 2001. NIST selected Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr.Vincent Rijmen.
In fact, two set of criteria evolved. When NIST issued its original request for candidate algorithm nominations in 1997, the request stated that candidate algorithms would be compared based on the factors shown in Stallings Table5.1, which were used to evaluate field of 15 candidates to select shortlist of 5. These had categories of security, cost, and algorithm & implementation characteristics.
The final criteria evolved during the evaluation process, and were used to select Rijndael from that short-list, and more details are given in Stallings Table 5.2, with categories of: general security, ease of software & hardware implementation, implementation attacks, & flexibility (in en/decrypt, keying, other factors).
The shortlist is as shown. Note mix of commercial (MARS, RC6, Twofish) verses academic (Rijndael, Serpent) proposals, sourced from various countries.
All were thought to be good – came down to best balance of attributes to meet criteria.
The AES shortlist of 5 ciphers was as shown. Note mix of commercial (MARS, RC6, Twofish) verses academic (Rijndael, Serpent) proposals, sourced from various countries.
All were thought to be good – it came down to the best balance of attributes to meet criteria, in particular the balance between speed, security & flexibility.
The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128,192,or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. Rijndael is an academic submission, based on the earlier Square cipher, from Belgium academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative cipher (operates on entire data block in every round) rather than feistel (operate on halves at a time), and was designed to have characteristics of: Resistance against all known attacks, Speed and code compactness on a wide range of platforms, & Design simplicity.
There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all 256 8-bit values, constructed using a transformation which treats the values as polynomials in GF(28) – however it is fixed, so really only need to know the table when implementing. Decryption requires the inverse of the table.
This step is also a substitution, but one involving ALL values in a column. Designed as a matrix multiplication where each byte is treated as a polynomial in GF(28). The inverse used for decryption involves a different set of constants.
The constants used are based on a linear code with maximal distance between code words – this gives good mixing of the bytes within each column. Combined with the “shift rows” step provides good avalanche, so that within a few rounds, all output bits depend on all input bits.