AES

1. Advanced Encryption Standard (AES)
Information and Network Security
Dr. Hadi AL Saadi

2. Origins of AES
 replacement for DES was needed
 have theoretical attacks that can break it
 have demonstrated exhaustive key search attacks
 can use Triple-DES – but slow, has small blocks
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001

3. AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
– DES 168 bit key (56*3)
– Slow in software 16* 3 rounds + key expansion!
– Designed for 70’s hardware
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions &
unclassified analyses

4. AES Evaluation Criteria
• initial criteria:
– security – effort for practical cryptanalysis
– cost – in terms of computational efficiency
– algorithm & implementation characteristics
• final criteria
– general security
– ease of software & hardware implementation
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)

5. AES Shortlist
• After testing and evaluation, shortlist in August 1999:
1. MARS (IBM) - complex, fast, high security margin
2. RC6 (USA) - very simple, very fast, low security
margin
3. Rijndael (Belgium) - clean, fast, good security margin
4. Serpent (Euro) - slow, clean, very high security
margin
5. Twofish (USA) - complex, very fast, high security
margin

6. • Then subject to further analysis and comment.
• Saw contrast between algorithms with
 few complex rounds verses many simple rounds
 which refined existing ciphers verses new proposals
AES Shortlist

7. AES Shortlist
• The finalists and their scores were as follows:
1. Rijndael (from Joan Daemen and Vincent Rijmen, 86
votes).
2. Serpent (from Ross Anderson, Eli Biham, and Lars
Knudsen, 59 votes).
3. Twofish (from a team headed by Bruce Schneier, 31 votes).
4. RC6 (from RSA Laboratories, 23 votes).
5. MARS (from IBM, 13 votes).

8. The AES Cipher - Rijndael
 designed by Rijmen-Daemen in Belgium
 has 128/192/256 bit keys, 128 bit data
 an iterative rather than feistel cipher
 processes data as block of 4 columns of 4 bytes
 operates on entire data block in every round
 designed to be:
 resistant against known attacks
 speed and code compactness on many CPUs
 design simplicity

9. AES is a non-Feistel cipher that encrypts and decrypts a
data block of 128 bits. It uses 10, 12, or 14 rounds. The
key size, which can be 128, 192, or 256 bits, depends on
the number of rounds.
AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or
256), but the round keys are always 128 bits.
Rounds

10. General design of AES encryption cipher

11. The AES Cipher - Rijndael
• Processes data as 4 groups of 4 bytes (state)
• Has 9/11/13 rounds in which state undergoes:
 Byte substitution (1 S-box used on every byte)
 Shift rows (permute bytes between groups/columns)
 Mix columns (subs using matrix multiply of groups)
 Add round key (XOR state with key material)
• Initial XOR key material and incomplete last round.
• All operations can be combined into XOR and table
lookups - hence very fast and efficient.

12. AES
Encryption
Process

13. AES Parameters

14. Data units used in AES

15. Block-to-state and state-to-block transformation

16. Changing plaintext to state
Plain text: AESUSESAMATRIX
A E S U S E S A M A T R I X Z Z
41 45 53 55 53 45 53 41 4D 41 54 52 49 58 5A 5A
PLAIN TEXT (CHARACTER )
PLAIN TEXT (HEXADECIMAL )












A
A
D
5
52
41
55
5
54
53
53
58
41
45
45
49
4
53
41
STATE

17. Structure of each round at the encryption site

18. Transformation
To provide security, AES uses four types of
transformations: substitution, permutation, mixing, and
key-adding.

19. Substitution
AES, like DES, uses substitution. AES uses two
invertible transformations.
1. SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.
The SubBytes operation involves 16 independent
byte-to-byte transformations.

20. Byte Substitution
• A simple substitution of each byte.
• Uses one table of 16x16 bytes containing a permutation
of all 256 8-bit values.
• Each byte of state is replaced by byte in row (left 4-bits)
and column (right 4-bits).
 e.g., byte {95} is replaced by row 9 col 5 byte, which
is the value {2A}.
• S-box is constructed using a defined transformation of
the values in GF(28).
• Designed to be resistant to all known attacks.

21. Byte Substitution
• Substitute byte transformation
 Forward substitute byte transformation (SubBytes)
 Inverse substitute byte transformation (InvSubBytes)

22. Byte Substitution

23. AES S-Boxes
(a) S-box

24. AES S-Boxes
(b) Inverse S-box

25. Example
Fig. shows how a state is transformed using the SubBytes
transformation. The figure also shows that the InvSubBytes
transformation creates the original one. Note that if the two bytes
have the same values, their transformation is also the same.
SubBytes transformation for Example

26. Permutation
Another transformation found in a round is shifting, which
permutes the bytes.
2. ShiftRows
In the encryption, the transformation is called ShiftRows.
ShiftRows transformation

27. 87 F2 4D 97
EC 6E 4C 90
4A C3 46 E7
8C D8 95 A6
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95

28. Shift Rows
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 5 9 13
2 6 10 14
3 7 11 15
4 8 12 16
1 5 9 13
6 10 14 2
11 15 3 7
16 4 8 12
1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
Shift left 0 (No shift)
Shift left 1
Shift left 2
Shift left 3
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Assume we have 16 byte block from 1 to 16
Convert the 16-byte block to a two-dimensional 4x4 matrix by filling column by column
Convert the two-dimensional 4x4 matrix to a 16-byte block by reading column by column

29. 1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Example
43 51 4D 50 55 54 45 52 20 53 43 49 45 4E 43 45
Plaintext
(Hexadecimal)
C O M P U T E R S C I E N C E
Plaintext
(Character)
1A D1 E3 53 FC 20 6E 00 B7 ED 1A 3B 6E 2F 1A 6E
After Substitution
(Hexadecimal)
1A 20 1A 6E FC ED 1A 53 B7 2F E3 00 6E D1 6E 3B
After Shifting
(Hexadecimal)

30. 3.Mix Columns
• Each column is processed separately.
• Each byte is replaced by a value dependent on all 4
bytes in the column.
• Effectively a matrix multiplication in GF(28) using prime
poly m(x) = x8 + x4 + x3 + x + 1.

31. Mix Columns
M00 = [ {02}·{S00}  {03}·{S10}  {01}·{S20}  {01}·{S30} ] mod GF(28)
M01 = [ {02}·{S01}  {03}·{S11}  {01}·{S21}  {01}·{S31} ] mod GF(28)
M02 = [ {02}·{S02}  {03}·{S12}  {01}·{S22}  {01}·{S32} ] mod GF(28)
M03 = [ {02}·{S03}  {03}·{S13}  {01}·{S23}  {01}·{S33} ] mod GF(28)
M10 = [ {01}·{S00}  {02}·{S10}  {03}·{S20}  {01}·{S30} ] mod GF(28)
M11 = [ {01}·{S01}  {02}·{S11}  {03}·{S21}  {01}·{S31} ] mod GF(28)
M12 = [ {01}·{S02}  {02}·{S12}  {03}·{S22}  {01}·{S32} ] mod GF(28)
M13 = [ {01}·{S03}  {02}·{S13}  {03}·{S23}  {01}·{S33} ] mod GF(28)

32. Mix Columns
M20 = [ {01}·{S00}  {01}·{S10}  {02}·{S20}  {03}·{S30} ] mod GF(28)
M21 = [ {01}·{S01}  {01}·{S11}  {02}·{S21}  {03}·{S31} ] mod GF(28)
M22 = [ {01}·{S02}  {01}·{S12}  {02}·{S22}  {03}·{S32} ] mod GF(28)
M23 = [ {01}·{S03}  {01}·{S13}  {02}·{S23}  {03}·{S33} ] mod GF(28)
M30 = [ {03}·{S00}  {01}·{S10}  {01}·{S20}  {02}·{S30} ] mod GF(28)
M31 = [ {03}·{S01}  {01}·{S11}  {01}·{S21}  {02}·{S31} ] mod GF(28)
M32 = [ {03}·{S02}  {01}·{S12}  {01}·{S22}  {02}·{S32} ] mod GF(28)
M33 = [ {03}·{S03}  {01}·{S13}  {01}·{S23}  {02}·{S33} ] mod GF(28)

33. Mixing
We need an interbyte transformation that changes the
bits inside a byte, based on the bits inside the
neighboring bytes. We need to mix bytes to provide
diffusion at the bit level.
Mixing bytes using matrix multiplication

34. Constant matrices used by MixColumns and InvMixColumns
Mix Columns

35. MixColumns
The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.
MixColumns transformation

36. Figure shows how a state is transformed using the MixColumns
transformation. The figure also shows that the InvMixColumns
transformation creates the original one.
The MixColumns transformation in Example 7.5

37. 1st column of the result is obtained by:
{02){87}+{03}{6E}+{46}+{A6} = {47}
{87}+{02}{6E}+{03}{46}+{A6} = {37}
{87}+{6E}+{02}{46}+{03}{A6} = {94}
{03}{87}+{6E}+{46}+{02}{A6} = {ED}
For the 1st equation, we have {02}{87}=(0000 0010)(1000 0111)=
1
)
1
mod(
)
(
)
1
( 2
4
3
4
8
2
3
8
2
7













 x
x
x
x
x
x
x
x
x
x
x
x
x
x
= (0001 0101)={15}
Example of MixColumns
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
=

MixColumns
Constant matrices
State Result

38. {03}{6E}=(0000 0011)(0110 1110)=
x
x
x
x
x
x
x
x
x
x 







 4
5
7
2
3
5
6
)
)(
1
(
=
(1011 0010) = {B2}
{02){87}+{03}{6E}+{46}+{A6}={15}+{B2}+{46}+{A6}=
(0001 0101)+
(1011 0010)+
(0100 0110)+
(1010 0110)=
(0100 0111)={47}
NOTE :
MULTIPLICATION A VALUE X BY {02} CAN BE
IMPLEMENTED AS 1-BIT LEFT SHIFT FOLLOWED BY
A CONDITIONAL BITWISE XOR WITH (0001 1011) (1B )
IF THE LEFT MOST BIT OF THE ORIGINAL VALUE (
PRIORE TO SHIFT IS 1)

40. 4. AddRoundKey Transformation
The 128 bit of the state are bitwise XORed with the 128 bit
of round key. As sown in Fig. below , the operation is
viewed as columnwise operation between the 4 bytes of the
state column and one word of the round key.
47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A
EB 59 8B 1B
40 2E A1 C3
F2 38 13 42
1E 84 E7 D6
State Key State ♁Key
47= 0100 0111
AC= 1010 1100
-----------------------
EB = 1110 1011
♁
37= 0011 0111
40 = 0111 0111
-----------------------
40= 0100 0000
♁ ♁ 94= 1001 0100
66= 0110 0110
-----------------------
F2= 1111 0010

41. AES Round

42. AES Key Expansion
• Takes 128-bit (16-byte) key and expands into array of 44/52/60
32-bit words.
• Start by copying key into first 4 words.
• Then loop creating words that depend on values in previous
and 4 places back.
 In 3 of 4 cases just XOR these together.
 Every 4th has S-box + rotate + XOR constant of previous
before XOR together.
• Designed to resist known attacks.

43. AES Key Expansion

44. Steps for computing g function
1. RotWord perform one-byte circular left shift on word , this means that an
input word [B0,B1,B2,B3] is transformed into [ B1,B2,B3,B0]
2. Subword perform a Byte substitution on each byte of its input word , using
the S-Box
3. The result in step (2) is XORed with a round constant. Rcon[j], the round
constant is a word in which the three rightmost bytes are always (0) , and is
defined as Rcon[j]=(RC[j],0,0,0), and the values of RC[j] in hexadecimal are
Rcon[1]=1
Rcon[j]=2.Recon[j-1]

45. Table below shows how the keys for each round are calculated
assuming that the 128-bit cipher key agreed upon by Alice and
Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)16.
Example:

46. AES example of key
expansion

47. AES Example
Encryption

48. AES Decryption
 AES decryption is not identical to encryption
since steps done in reverse
 but can define an equivalent inverse cipher
with steps as for encryption
 but using inverses of each step
 with a different key schedule
 works since result is unchanged when
 swap byte substitution & shift rows
 swap mix columns & add (tweaked) round key

49. Ciphers and inverse ciphers of the AES

50. Useful Website
http://www.cs.utsa.edu/~wagner/laws/AESEncryptJava.html
http://www.example-code.com/java/crypt2_aes.asp
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
http://www.movable-type.co.uk/scripts/aes.html
http://islab.oregonstate.edu/koc/ece575/02Project/Sha/
http://www.angelfire.com/biz7/atleast/mix_columns.pdf
http://en.wikipedia.org/wiki/Rijndael_Galois_field#Rijndael.27s_finite_field
http://www.samiam.org/key-schedule.html
http://cegt201.bradley.edu/projects/proj2005/aes128/Expo_Document2.pdf