University of Salahaddin - Erbil

College of Engineering
Department of Software Engineering

Data Security
Academic year 2018-2019
4th Year Material
Chapter Four

Advanced Encryption Standard (AES)

Prepared By: Mr. Zana Farhad Doghramachi, M.Tech(CSE)

[email protected]
1
Advanced Encryption Standard
 The Advanced Encryption Standard (AES) is a symmetric-key block
cipher published by the National Institute of Standards and
Technology (NIST) in December 2000.

 The criteria defined by NIST for selecting AES fall into three areas:
i. Security: The main emphasis was on security, NIST explicitly
demanded a 128 bit key, this criterion focused on resistance to
cryptanalysis attacks other than brute force attack.

ii. Cost: which covers the computational efficiency and storage

requirement for different implementations such as hardware,
software, or smart card.

iii. Implementation: the algorithm must have flexibility and simplicity.

2
Rounds
 AES is a non-Feistel cipher that encrypts and decrypts a data block of
128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128,
192, or 256 bits, depends on the number of rounds.

 The encryption algorithm and decryption algorithm are similar but the
round keys are applied in the reverse order.

 The figure in the next page, shows the relationship between the
number of rounds and the key size, which means that we can have
three different AES versions; they are referred as AES-128, AES-192,
and AES-256. However, the round keys, which are created by the key-
expansion algorithm are always 128 bits, the same size as the plaintext
or ciphertext block.

3
Rounds
 The number of round keys generated by the key expansion algorithm
is always one more than the number of round. In other words, we have
number of round keys = number of round (Nr)+ 1
We refer to the round keys as K0, K1, K2,……..,KNr .

4
General Design of AES encryption cipher

5
Data Units
 AES uses five units of measurement to refer to data: bits, bytes, words,
blocks, and state. The bit is the smallest and atomic unit.

 A bit is a binary digit with a value 0 or 1.

 A byte is a group of eight bits that can be treated as a single entity. A

row matrix (1x8) of eight bits, or a column matrix (8x1) of eight bits.
When treated as a row matrix, the bits are inserted to the matrix from
left to right; when treated as a column matrix, the bits are inserted into
the matrix from top to bottom.

 A word is a group of 32 bits that can be treated as a single entity, a

row matrix of four bytes, or a column of four bytes. When treated as a
row matrix, the bits are inserted to the matrix from left to right; when
treated as a column matrix, the bits are inserted into the matrix from
top to bottom.
6
Data Units
 A block in AES is a group of 128 bits. However, a block can be
represented as a row matrix of 16 bytes.

 State is made of 16 bytes, but normally is treated as matrices of 4x4

bytes. Each element of a state is referred to as sr,c , where r (0 to 3)
defines the row and the c (0 to 3) defines the column. Occasionally, a
state is treated as a row matrix (1x4) of words

7
Data units used in AES

8
Block to state and state to block transformation

9
Homework
 Q1 Change the plaintext to state, if you’re using AES encryption and
the plaintext is “AES uses a matrix”.

10
Structure of Each Round
 Each round, except the last, uses four transformations that are
invertible. The last round has only three transformations.

 AES transformations are: substitution(Sub Bytes), permutation(Shift

Rows), mixing (Mix Columns), and key adding (Add Round Key).

 Each transformation takes a state and creates another state to be used

for the next transformation or the next round. The pre-round section
uses only one transformation (Add round Key); the last round uses
only three transformation (Mix columns transformation is missing).

 At the decryption site, the inverse transformations are used.

11
Structure of each round at the encryption site

12
Sub Bytes
 To substitute a byte, we interpret the byte as two hexadecimal digits.
The left digit defines the row and the right digit defines the column of
the substitution table. The two hexadecimal digits at the junction of the
row and the column are the new byte.

 In the SubBytes transformation, the state is treated as a 4x4 matrix of

bytes. Transformation is done one byte at a time. The contents of each
byte is changed, but the arrangement of the bytes in the matrix remains
the same. In the process, each byte is transformed independently.
There are sixteen distinct byte to byte transformation.

13
Sub Bytes transformations

14
Sub Byte transformation table

15
InvSub Byte transformation table

16
Homework
 Q1 Transform the state bye using the Sub Bytes transformation?

17
Shift Rows
 In the encryption, the shifting is to the left and the number of shifts
depends on the row number (0, 1, 2 or 3) of the state matrix. This
means the row 0 is not shifted at all and the last row is shifted three
bytes.

 In the decryption, the shifting is to the right. The number is the same
the row number (0, 1, 2, and 3) of the state matrix

18
Mix Columns
 The mixing transformation changes the contents of each byte by taking
four bytes at a time and combining them to recreate four new bytes. To
guarantee that each new byte is different (even if all four bytes are the
same), the combination process first multiples each byte with a
different constant and then mixes them.

 The mixing can be provided by matrix multiplication. When we

multiply a square matrix by a column matrix, the result is a new
column. Each element in the new matrix depends on all four elements
of the old matrix after they are multiplied by row values in the
constant matrix

19
Mixing bytes using matrix multiplication

20
Add Round Key
 Proceeds one column at a time, Add Round Key adds a round key
word with each state column matrix, so the operation in add round key
is matrix addition.

21
Key Expansion
 To create round keys for each round, AES uses a key expansion
process. If the number of rounds is Nr , the key-expansion routine
creates Nr + 1 128 bit round keys from one single 128-bit cipher key.
The first round key is used for pre-round transformation; the
remaining round keys are used for the last transformation at the end of
each round.

 The key expansion routine creates round keys word by word, where a
word is an array for four bytes. The routine creates 4 x (Nr + 1) words
that are called w0, w1, w2, ……, w4 (Nr + 1) – 1

22
Key Expansion
 The 44 words key are made from the original key, the processes for the
other two versions are the same with some slight changes.

23
Key Expansion
The process is as follows:
1. The first four words (w0, w1, w2, w3) are made from the cipher key.
The cipher key is thought of as an array of 16 bytes (k0 to k15). The
first four bytes (k0 to k3) become w0; the next four bytes (k4 to k7)
become w1; and son on.

2. The rest of words (wi for i=4 to 43) are made as follow:
a) If (i mod 4) 0, wi= wi-1 wi-4. This means each word is made from
the one at the left and the one at the top.
b) If (i mod 4) = 0, wi=t wi-4. Here t, a temporary word, is the result
of applying two routines SubWord and Rotword on wi-1 and XORing
the result with a round constant, Rcon. In other words we have,
t = SubWord (RotWord (wi-1)) Rconi/4

24
Key Expansion
 The RotWord (rotate word) routine is similar to the shift rows
transformation, but it is applied to only one row. The routine takes a
word as an array of four bytes and shifts each byte to the left with
wrapping.

 The SubWord (substitute word) routine is similar to the Sub Bytes

transformation, but it is applied only to four bytes, The routine takes
each byte in the word and substitutes another byte for it.

 Each round constant, RCon, is a 4 byte value in which the rightmost

three bytes are always zero.

25
Rcon constants AES-128 Version

26
Homework
 Q1 Explain key expansion in AES 192 and AES 256?

27
Analysis of AES
AES was designed after DES. Most of the known attacks on DES were
already tested on AES.

 Brute force attacks

AES is definitely more secure than DES due to the larger size key (128,
192 and 256 bits), we need 2128 tests to find the key.

 Statistical attacks
Numerous tests have failed to do statistical analysis of the ciphertext.
Because strong diffusion and confusion provided by the combination of
the Sub Byte, Shift Rows and Mix Columns transformations remove any
frequency pattern in the plaintext.

 Differential and Linear attacks

There are no differential and linear attacks on AES as yet.
28