
Chapter 4

The document describes the Advanced Encryption Standard (AES) cipher. AES uses a block cipher called Rijndael that operates on 128-bit blocks using keys of 128, 192, or 256 bits. It is an iterative cipher that performs encryption in a series of rounds, with each round consisting of four transformations: byte substitution, shift rows, mix columns, and add round key. The number of rounds depends on the key size. AES was designed to resist known attacks while being compact and fast to implement on many CPUs.

Uploaded by

Salman AlQahtani

Chapter 4

Advanced Encryption Standards (AES) Cipher

Prepared By:
Dr. Mohamed Abd-Eldayem
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
• treats data in 4 groups of 4 bytes
• operates on an entire block in every round
• based on the finite field $GF(2^8)$
The AES Cipher - Rijndael
• designed to be:
  - resistant against known attacks
  - fast and compact in code on many CPUs
  - simple in design
Rijndael
• processes data as 4 groups of 4 bytes (state)
• has 9/11/13 rounds in which state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (subs using matrix multiply of groups)
  - add round key (XOR state with key material)
• initial XOR key material & incomplete last round
• all operations can be combined into XOR and table lookups - hence very fast & efficient
Finite Field
Field F
• A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary operations, called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed:
  - F is an integral domain; that is, F satisfies axioms A1 through A5 and M1 through M6, and F also satisfies axiom M7.
  - (M7) Multiplicative inverse: For each a in F, except 0, there is an element $a^{-1}$ in F such that $a a^{-1} = (a^{-1}) a = 1$.
• In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set. Division is defined with the following rule: $a/b = a(b^{-1})$.
AES Mathematics
• All byte values in the AES algorithm will be presented as the concatenation of its individual bit values (0 or 1) between braces in the order $\{b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0\}$. These bytes are interpreted as finite field elements using a polynomial representation:
  $b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0$   (5.1)
• For example, {01100011} identifies the specific finite field element $x^6 + x^5 + x + 1$.
• effectively a matrix multiplication in $GF(2^8)$ using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$
AES Mathematics
• It is also convenient to denote byte values using hexadecimal notation with each of two groups of four bits being denoted by a single character.
• Hence the element {01100011} can be represented as {63}, where the character denoting the four-bit group containing the higher numbered bits is again to the left.
Addition
• The addition of two elements in a finite field is achieved by "adding" the coefficients for the corresponding powers in the polynomials for the two elements.
• The addition is performed with the XOR operation (denoted by $\oplus$) - i.e., modulo 2 - so that $1 \oplus 1 = 0$, $1 \oplus 0 = 1$, and $0 \oplus 0 = 0$.
• Consequently, subtraction of polynomials is identical to addition of polynomials.
Multiplication
• In the polynomial representation, multiplication in $GF(2^8)$ (denoted by $\bullet$) corresponds with the multiplication of polynomials modulo an irreducible polynomial of degree 8.
• A polynomial is irreducible if its only divisors are one and itself.
• For the AES algorithm, this irreducible polynomial is $m(x) = x^8 + x^4 + x^3 + x + 1$, or {01}{1b} in hexadecimal notation.
Example: $\{57\} \bullet \{83\} = \{c1\}$
• The modular reduction by m(x) ensures that the result will be a binary polynomial of degree less than 8, and thus can be represented by a byte.
• Unlike addition, there is no simple operation at the byte level that corresponds to this multiplication.
Multiplication by x
• Multiplying the binary polynomial (5.1) with the polynomial x results in

• The result x · b(x) is obtained by reducing the above result modulo m(x).
• If $b_7 = 0$, the result is already in reduced form. If $b_7 = 1$, the reduction is accomplished by subtracting (i.e., XORing) the polynomial m(x).
• It follows that multiplication by x (i.e., {00000010} or {02}) can be implemented at the byte level as a left shift and a subsequent conditional bitwise XOR with {1b}.
Example
• $F(x) = x^6 + x^4 + x^2 + x + 1$ and $G(x) = x^7 + x + 1$, then $F(x) \times G(x) = (x^6 + x^4 + x^2 + x + 1) \times (x^7 + x + 1) = x^7 + x^6 + 1$
• Now we will see the solution in binary. We need to find the result of (01010111) × (10000011). First we determine the results of multiplication by powers of x:
  (01010111) $\bullet$ (00000010) = (10101110)
  (01010111) $\bullet$ (00000100) = (01011100) $\oplus$ (00011011) = (01000111)
  (01010111) $\bullet$ (00001000) = (10001110)
  (01010111) $\bullet$ (00010000) = (00011100) $\oplus$ (00011011) = (00000111)
  (01010111) $\bullet$ (00100000) = (00001110)
  (01010111) $\bullet$ (01000000) = (00011100)
  (01010111) $\bullet$ (10000000) = (00111000)
• So (01010111) $\bullet$ (10000011)
  = (01010111) $\bullet$ [(00000001) $\oplus$ (00000010) $\oplus$ (10000000)]
  = (01010111) $\oplus$ (10101110) $\oplus$ (00111000)
  = (11000001), which is equivalent to $x^7 + x^6 + 1$
Rijndael
Byte Substitution
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits)
  - eg. byte {95} is replaced by row 9 col 5 byte
  - which is the value {2A}
• S-box is constructed using a defined transformation of the values in $GF(2^8)$
• designed to be resistant to all known attacks
Byte Substitution
Shift Rows
• a circular byte shift in each round
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step permutes bytes between the columns
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in $GF(2^8)$ using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$
Add Round Key
• XOR state with 128-bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical since XOR is own inverse, just with correct round key
• designed to be as simple as possible
AES Key Expansion
• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in previous & 4 places back
  - in 3 of 4 cases just XOR these together
  - every 4th has rotate + S-box + XOR constant of previous before XOR together
• designed to resist known attacks
Figure 5.6 AES Key Expansion
• The round constant Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j - 1] and with multiplication defined over the field $GF(2^8)$. The values of RC[j] in hexadecimal are:
j 1 2 3 4 5 6 7 8 9 10

RC[j] 01 02 04 08 10 02 04 08 1B 36

• For example, suppose that the round key for round 8 is
  EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
• Then the first 4 bytes (first column) of the round key for round 9 are calculated as follows:

  i (decimal)                       36
  temp                              7F8D292F
  After RotWord                     8D292F7F
  After SubWord                     5DA515D2
  Rcon (9)                          1B000000
  After XOR with Rcon               46A515D2
  w[i - 4]                          EAD27321
  w[i] = temp $\oplus$ w[i - 4]     AC7766F3
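The key expansion step worked above, together with the S-box construction mentioned under Byte Substitution, as an added Python example (not part of the original slides). The S-box recipe (inverse in GF(2^8), affine map, XOR {63}) is taken from FIPS PUB 197; the function names are chosen here, and `next_round_key` assumes a 128-bit key.

```python
def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox():
    """AES S-box per FIPS 197: inverse in GF(2^8), affine map, XOR {63}."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks every non-zero element as successive powers of {03}
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        # dividing q by {03} each step keeps q equal to the inverse of p
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # {00} has no inverse and maps to {63}
    return sbox

SBOX = build_sbox()

def rc(j):
    """RC[1] = 1, RC[j] = 2 * RC[j-1] over GF(2^8)."""
    value = 1
    for _ in range(j - 1):
        value = ((value << 1) ^ 0x11B) if value & 0x80 else (value << 1)
    return value

def g(word, j):
    """RotWord, SubWord, then XOR with Rcon[j] = (RC[j], 0, 0, 0)."""
    substituted = [SBOX[b] for b in word[1:] + word[:1]]
    return [substituted[0] ^ rc(j)] + substituted[1:]

def next_round_key(prev, j):
    """AES-128: derive the 16-byte key for round j from the key for round j-1."""
    out = g(list(prev[12:16]), j)
    for i in range(16):
        out.append(prev[i] ^ out[i])  # w[i] = w[i-4] XOR the previous word
    return out[4:]

# Round key for round 8, copied from the worked example on this page.
ROUND8_KEY = bytes.fromhex("EAD27321B58DBAD2312BF5607F8D292F")

if __name__ == "__main__":
    print("w[36] =", bytes(next_round_key(ROUND8_KEY, 9)[:4]).hex().upper())
```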


AES Decryption
• AES decryption is not identical to encryption since steps are done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  - but using inverses of each step
  - with a different key schedule
• works since result is unchanged when
  - swap byte substitution & shift rows
  - swap mix columns & add (tweaked) round key
Inverse Mix Columns
AES Single Round Example
The 128-bit input block of data to a single round of the AES algorithm is

EA 04 65 85
83 45 5D 96
5C 33 98 B0
F0 2D AD C5

and a round key input to this round is

AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A

Find the output block of data from this round.


Answer:
After Substitute Bytes Transformation

87 F2 4D 97
EC 6E 4C 90
4A C3 46 E7
8C D8 95 A6

After Shift Row Transformation

87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95

After Mix Column Transformation

• To find the first byte after Mix Column, we do matrix multiplication over $GF(2^8)$ as follows:

(02 * 87) $\oplus$ (03 * 6E) $\oplus$ 46 $\oplus$ A6 = 47

We have 02 * 87 = (0000 0010) * (1000 0111) = (0000 1110) $\oplus$ (0001 1011) = (0001 0101)

and (03 * 6E) = (0000 0011) * (0110 1110) = (0000 0001) * (0110 1110) $\oplus$ (0000 0010) * (0110 1110) = (0110 1110) $\oplus$ (1101 1100) = (1011 0010)

and (46) = (0100 0110)

and (A6) = (1010 0110)

Then the first byte = (0001 0101) $\oplus$ (1011 0010) $\oplus$ (0100 0110) $\oplus$ (1010 0110) = (0100 0111) = (47)

After Add Round Key Transformation

State after Mix Column:

47 40 A3 4C
37 D4 70 9F
94 E4 3A 42
ED A5 A6 BC

$\oplus$ round key:

AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A

= state after Add Round Key:

EB 59 8B 1B
40 2E A1 C3
F2 38 13 42
1E 84 E7 D2

The value of the first byte after Add Round Key = (47) $\oplus$ (AC)

(47) $\oplus$ (AC) = (0100 0111) $\oplus$ (1010 1100) = (1110 1011) = (EB)
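
The multiplication-by-x rule and the Mix Column step worked above, as an added Python example (not part of the original slides). The page shows only the first matrix row (02 03 01 01); the other three rows are the rotations given in FIPS PUB 197, and the function names are chosen here.

```python
def xtime(b):
    """Multiply by x ({02}): shift left, then XOR {1b} if b7 was set."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def gf_mul(a, b):
    """Multiply in GF(2^8): XOR together a * x^i for every set bit i of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def mix_column(col):
    """Multiply one state column by the fixed MixColumns matrix."""
    c0, c1, c2, c3 = col
    return [
        gf_mul(2, c0) ^ gf_mul(3, c1) ^ c2 ^ c3,  # row 02 03 01 01
        c0 ^ gf_mul(2, c1) ^ gf_mul(3, c2) ^ c3,  # row 01 02 03 01
        c0 ^ c1 ^ gf_mul(2, c2) ^ gf_mul(3, c3),  # row 01 01 02 03
        gf_mul(3, c0) ^ c1 ^ c2 ^ gf_mul(2, c3),  # row 03 01 01 02
    ]

def mix_columns(rows):
    """Apply mix_column to each column of a 4x4 state given as four rows."""
    cols = [mix_column([row[j] for row in rows]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]

# State after Shift Rows, copied from the worked example on this page.
AFTER_SHIFT_ROWS = [
    [0x87, 0xF2, 0x4D, 0x97],
    [0x6E, 0x4C, 0x90, 0xEC],
    [0x46, 0xE7, 0x4A, 0xC3],
    [0xA6, 0x8C, 0xD8, 0x95],
]

if __name__ == "__main__":
    print("{57} * {83} = {%02x}" % gf_mul(0x57, 0x83))
    for row in mix_columns(AFTER_SHIFT_ROWS):
        print(" ".join("%02X" % b for b in row))
```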
References:
• Cryptography and Network Security by William Stallings, Chapter 5, and lecture slides by Lawrie Brown
• Advanced Encryption Standard (AES) (FIPS PUB 197)
