AES AES AES

1. Advanced Encryption Standard

2. Origins
•NIST issued a new version of DES in 1999 (FIPS PUB 46-3)
•DES should only be used in legacy systems
•3DES will be used
•3DES has 2 attractions
o 168-bit key length
 Removes vulnerability to brute force attack
o The underlying algorithm in 3DES is same as in DES
 Easy to understand
 Nothing new-it does not need to further evaluate
 Resistant to cryptanalytic attack now
•Therefore 3DES was considered an appropriate choice for standardized algorithm for decades to come
•But DES suffers some drawbacks
o DES was not efficient algorithm in software and 3DES involves three DES rounds, hence 3 times slower
o Both DES and 3DES use a 64-bit block size
•Because of these drawbacks, 3DES is not a reasonable candidate for long term-NIST issued therefore a new call for the selection
of new standard-called as Advanced Encryption Standard

3. Origins
•NIST issued a call for new Advanced Encryption Standard in 1997, for an
algorithm:
o Security strength equal or better than 3DES
o Improved efficiency as compared to 3DES
• In addition to this general criteria, NIST specified that
o AES must be a symmetric cipher
o Block length of 128-bits
o Support for key length of 128, 192 and 256 bits
• Finally on 2 October 2000, NIST officially announced Rijndael as new AES

4. The AES Cipher- Rijndael
•Designed by Vincent Rijmen & Joan Daemen in Belgium
•Can support variable block & key length sizes of of 128, 192, 256 bits
•NIST limits the block length to 128 bits, so when it is said AES, by default we are talking about
128-bits block and key lengths
•Number of Rounds be 10/12/14 depending on the key and block sizes
•It is not a Feistel cipher but an iterated cipher
o Processes data as block of 4 columns of 4 bytes
o Operates on entire data block in every round
•Designed to be:
o Resistance against all known attacks
o Speed and code compactness on a wide range of platforms
o Design simplicity
Plaintet 16 byte (128 bits)

5. AES

6. The cipher takes a
plaintext block size of 128
bits, or 16 bytes. The key
length can be 16, 24, or 32
bytes (128, 192, or 256
bits). The algorithm is
referred to as AES-128,
AES-192, or AES-256,
depending on the key
length.

8. Detailed Structure
•It is not a Feistel structure.
o In the classic Feistel structure, half of the data block
is used to modify the other half of the data block,
and then the halves are swapped.
•The key that is provided as input is expanded into an array
of forty-four 32-bit words, w[i]. Four distinct words (128
bits) serve as a round key for each round

10. Detailed Structure
•Four different stages are used, one of permutation and three of
substitution:
o Substitute bytes: Uses an S-box to perform a byte-by-byte
substitution of the block
o ShiftRows: A simple permutation
o MixColumns: A substitution that makes use of arithmetic over
(Galois Field) GF(28
).
o AddRoundKey: A simple bitwise XOR of the current block with a
portion of the expanded key

11. AES

12. Byte Substitution
•Simple substitution on each byte of state independently
•Use an S-box of 16x16 bytes containing a permutation of all 256 8-bit values
•Each byte of state is replaced by a new byte indexed by row (left 4-bits) & column (right 4-bits) eg. byte {95}
is replaced by {2A} in row 9 column 5

13. Byte Substitution

14. Shift Rows
•A circular byte shift in each
o 1st
row is unchanged
o 2nd
row does 1 byte circular shift to left
o 3rd row does 2 byte circular shift to left
o 4th row does 3 byte circular shift to left
•Since state is processed by columns, this step permutes bytes between the columns

15. Mix Columns
• Each column of the state matrix is multiplied by the fixed matrix given by
• Each byte of the column is multiplied by the constant byte using
irreducible polynomial m(x) = x8
+ x4
+ x3
+ x + 1 in GF(28
)

16. Mix Columns

17. Mix Columns (Multiplication)
• Following are the steps to follow in order to use L and E lookup table for GF multiplication
– The result of the multiplication is simply the result of a lookup of the L table, followed
by the addition of the results in base 16, followed by a lookup to the E table.
– If the result of addition is greater then FF then simply subtract FF from result.
– use the first digit in the number on the vertical index and the second number on the
horizontal index.
– If the value being multiplied is composed of only one digit then use 0 on the vertical
index.
• Two exceptions are that:
– Any number multiplied by one is equal to its self and does not need to go through
the above procedure. For example: FF * 1 = FF
– Any number multiplied by zero equals zero

18. Mix Columns (Multiplication)

19. Mix Columns (Multiplication)

20. Mix Columns (Multiplication)
• Example: AF * 8
L(AF)=B7
L (08)=4B
B7+4B=102>FF so
102
-
FF =03
E(03)=0F
So AF*08=0F

21. Add Round Key
• Added (XOR) each key byte to each byte of
the state matrix

23. AES Decryption

24. Inverse Byte Substitution
•S-box has its inverse-inverse S-box
•Like encryption, each byte is substituted independently
•Inverse S-box like encrytion s-box contains all 256 values of 8-bit each
•Each byte of state is replaced by a new byte indexed by row (left 4-bits) & column (right 4-bits)
eg. byte {11} is replaced by {e3} in row 1 column 1

25. Inverse S-Box

26. Inverse Shift Rows
•Inverse shift row rotates bytes to the right instead of left as
in case of encryption
•Therefore a circular byte shift in each
o 1st row is unchanged
o 2nd row does 1 byte circular shift to right
o 3rd row does 2 byte circular shift to right
o 4th row does 3 byte circular shift to right

27. Inverse Mix Columns
•Each column of the state matrix is multiplied by given matrix
•Each byte of the column is multiplied by the constant byte
using irreducible polynomial m(x) = x8
+ x4
+ x3
+ x + 1 in GF(28
)

28. Inverse Add Round Key
•Inverse Add round key is essentially the same
as Add round key as it just adds (XOR) each key
byte to each byte of the state matrix

30. AES: Key Expansion

31. AES Key Expansion
•Takes 128-bit (16-byte; 4-word) key and expands into array of
44 , 32-bit words.
•Start by copying key into first 4 words
•Then loop creating words that depend on values in previous
& 4 places back
o In 3 of 4 cases just XOR these together
o 1st word in 4 has rotate + S-box + XOR round constant on
previous, before XOR 4th back

32. •Each added word w[i] depends on the
immediately preceding word, w[i- 1],
and the word four positions back, w[i-4].
•In three out of four cases, a simple XOR
is used.
• For a word whose position in the w
array is a multiple of 4, a more complex
function g is used

33. The function g consists of the following
substitution:
1.RotWord performs a one-byte circular left
shift on a word. This means that an input
word [b0,b1,b2,b3] is transformed into
[b1,b2,b3, b0]
2.SubWord performs a byte substitution on
each byte of its input word using the S-box
3.The result of step 1 & Step 2 is XORed
with a round constant, Rcon[j]

34. Round Constant
•The round constant is a word in which the three rightmost bytes are
always 0.
•Thus, the effect of an XOR of a word with Rcon is to only perform an
XOR on the leftmost byte of the word.
•The round constant is different for each round, the values of RC[j] in
hexadecimal are:

35. Key Expansion Rationale
•The Rijndael developers designed the expansion key algorithm to be resistant to
known cryptanalytic attacks.
•Design criteria included:
oThe inclusion of round constant eliminates the symmetry, or similarity,
between the ways in which round keys are generated in different rounds.
oKnowledge of a part of the cipher key or round key does not enable
calculation of many other round-key bits.
oFast on wide range of CPU’s
oSimplicity of description

36. Reading
“Cryptography and Network Security Principles and Practices”, Fourth Edition by William
Stallings
Chapter 5