The document discusses the development and characteristics of the Advanced Encryption Standard (AES), which was selected as the successor to the Data Encryption Standard (DES) due to vulnerabilities found in DES and the need for a more secure encryption algorithm. AES emphasizes security, cost, and implementation flexibility and operates on 128-bit blocks using multiple transformation rounds, including substitutions, permutations, and mixing operations. AES is highly secure against known attacks and is designed for efficient implementation across various platforms.

1. AES-Advanced Encryption
Standard

2. Why AES?
• In 1990’s the cracking of DES algorithm became possible.
• clear a replacement for DES was needed
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• Can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• Issued as FIPS PUB 197 standard in Nov-2001
• The modern symmetric-key block cipher

3. Criteria for Selecting AES
• The criteria defined by NIST for selecting AES fall into three areas:
• Security: The main emphasis was on security. Because NIST explicitly
demanded a 128-bit key, this criterion focused on resistance to
cryptanalysis attacks other than brute-force attack.
• Cost: The second criterion was cost, which covers the computational
efficiency and storage requirement for different implementations such
as hardware, software, or smart cards.
• Implementation: This criterion included the requirement that the
algorithm must have flexibility (be implementable on any platform)
and simplicity.

4. AES Shortlist
•After testing and evaluation, shortlist in Aug-99
•MARS (IBM) - complex, fast, high security margin
•RC6 (USA) - v. simple, v. fast, low security margin
•Rijndael (Belgium) - clean, fast, good security margin
•Serpent (Euro) - slow, clean, v. high security margin
•Twofish (USA) - complex, v. fast, high security margin

5. AES Conceptual Scheme
5
AES
Plaintext (128 bits)
Ciphertext (128 bits)
Key (128-256 bits)

6. Multiple rounds
6
• Rounds are (almost) identical
• First and last round are a little different

8. • Round keys are derived from the cipher key
using Rijndael's key schedule
Key Expansion
• AddRoundKey : Each byte of the state is combined
with the round key using bitwise xor
Initial Round
• SubBytes : non-linear substitution step
• ShiftRows : transposition step
• MixColumns : mixing operation of each column.
• AddRoundKey
Rounds
• SubBytes
• ShiftRows
• AddRoundKey
Final Round No MixColumns

9. Data Units
AES uses five units of measurement to refer to data: bits, bytes,
words, blocks, and state.
• Bit: In AES, a bit is a binary digit with a value of 0 or 1.
• Byte: A byte is a group of eight bits.
• Word: A word is a group of 32 bits or 4 byte.
• Block: A block in AES is a group of 128 bits.
• State: States, like blocks, are made of 16 bytes, but normally are
treated as matrices of 4 × 4 bytes.

10. 128-bit values
10
• Data block viewed as 4-by-4 table of bytes
• Represented as 4 by 4 matrix of 8-bit bytes.
• Key is expanded to array of 32 bits words
1 byte

11. Data Unit

12. Changing Plaintext to State

13. Details of Each Round

14. SubBytes Operation
• The SubBytes operation involves 16 independent byte-to-byte
transformations.
• Interpret the byte as two hexadecimal
digits xy
• SW implementation, use row (x) and
column (y) as lookup pointer
S1,1 = xy16
x’y’16

15. SubBytes Table
• Implement by Table Lookup

16. InvSubBytes Table

17. Sample SubByte Transformation
• The SubBytes and InvSubBytes transformations are
inverses of each other.

18. ShiftRows
• Shifting, which permutes the bytes.
• A circular byte shift in each each
• 1st
row is unchanged
• 2nd
row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• In the encryption, the transformation is called
ShiftRows
• In the decryption, the transformation is called
InvShiftRows and the shifting is to the right

19. ShiftRows Scheme

20. ShiftRows and InvShiftRows

21. MixColumns
• ShiftRows and MixColumns provide diffusion to the
cipher
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4
bytes in the column
• Effectively a matrix multiplication in GF(28
) using
prime poly m(x) =x8
+x4
+x3
+x+1

22. Mix Columns operation

23. MixColumn and InvMixColumn

24. Example of Mix column
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
63 C9 FE 30
F2 63 26 F2
7D D4 C9 C9
D4 FA 63 82
State
63
F2
7D
D4
¿

25. {02 63}
⊗ ⨁ {03 ⊗ F2 } ⨁ { 01 ⊗ 7D } ⨁ { 01 ⊗ D4}
02= 00000010 =
63=01100011=+++1
02 63 =
⊗ +++1) =+++
=11000110
=C6
03=00000011=+1
F2=11110010=++++
03 F2=
⊗ +1)(++++)
=++++++++
=++

26. Irreducible polynomial=x8
+x4
+x3
+x+1
Now,
++ is reduced as
1
x8
+x4
+x3
+x+1 ++
x8
+x4
+x3
+x1
+1
=00001101
=0D
03 F2=0D
⊗

27. 01 ⊗ 7D = 7D
01 ⊗ D4= D4
Now,
{02 63}
⊗ ⨁ {03 ⊗ F2 } ⨁ { 01 ⊗ 7D } ⨁ { 01 ⊗ D4}
=C6 ⨁ 0D ⨁7D ⨁ D4
= 62
C6 1 1 0 0 0 1 1 0
0D 0 0 0 0 1 1 0 1
C6 ⨁ 0D 1 1 0 0 1 0 1 1
7D 0 1 1 1 1 1 0 1
C6 ⨁ 0D ⨁7D 1 0 1 1 0 1 1 0
D4 1 1 0 1 0 1 0 0
C6 ⨁ 0D ⨁7D ⨁
D4
0 1 1 0 0 0 1 0
6 2

28. Example of Mix column
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
63 C9 FE 30
F2 63 26 F2
7D D4 C9 C9
D4 FA 63 82
State
63
F2
7D
D4
¿
62
C
F
0
C

29. AddRoundKey
• XOR state with 128-bits of the round key
• AddRoundKey proceeds one column at a time.
• adds a round key word with each state column matrix
• the operation is matrix addition
• Inverse for decryption identical
• since XOR own inverse, with reversed keys
• Designed to be as simple as possible

30. AddRoundKey Scheme

31. AES Round

32. AES Key Scheduling
• takes 128-bits (16-bytes) key and expands into array
of 44 32-bit words

33. Key Expansion Scheme

34. Key Expansion sub-module
• RotWord performs a one byte circular left shift on a word For
example:
RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0]
• SubWord performs a byte substitution on each byte of input
word using the S-box
• Round Constant Each round constant, RCon, is a 4-byte value
in which the rightmost three bytes are always zero

35. Round Constant (RCon)
• RCON is a word in which the three rightmost bytes are zero
• It is different for each round and defined as:
RCon[j] = (RCon[j],0,0,0)
where RCon[1] =1 , RCon[j] = 2 * RCon[j-1]
• Multiplication is defined over GF(2^8) but can be implement in Table
Lookup

36. AES
Example
Key
Expansion

37. AES
Example
Encryption

38. AES Decryption
 AES decryption is not identical to
encryption since steps done in reverse
 but can define an equivalent inverse
cipher with steps as for encryption

but using inverses of each step

with a different key schedule
 works since result is unchanged when

swap byte substitution & shift rows

swap mix columns & add (tweaked) round key

39. AES Decryption

40. AES Security
• AES was designed after DES.
• Most of the known attacks on DES were already tested on AES.
• Brute-Force Attack
• AES is definitely more secure than DES due to the larger-size key.
• Statistical Attacks
• Numerous tests have failed to do statistical analysis of the
ciphertext
• Differential and Linear Attacks
• There are no differential and linear attacks on AES as yet.

41. Implementation Aspects
• The algorithms used in AES are so simple that they
can be easily implemented using cheap processors
and a minimum amount of memory.
• Very efficient
• Implementation was a key factor in its selection as the
AES cipher