
InfoSec Lect 5

The document discusses the Advanced Encryption Standard (AES). It describes the origins of AES as a replacement for DES. Rijndael, submitted by researchers from Belgium, was selected as the AES standard in 2001. The AES requirements, evaluation criteria, shortlist of candidates, and key attributes that made Rijndael stand out are summarized. The basic structure and operations of the Rijndael cipher, including its rounds, transformations, and key expansion process are outlined at a high level.

Uploaded by

Taha Ahmed

Information Security

Advanced Encryption Standard (AES)


Origins
• a replacement for DES was needed
  • have theoretical attacks that can break it
  • have demonstrated exhaustive key search attacks
• can use 3-DES – but slow with small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as standard in Nov-2001

AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions & unclassified analyses

AES Evaluation Criteria
• initial criteria:
  • security – effort to practically cryptanalyse
  • cost – computational
  • algorithm & implementation characteristics
• final criteria
  • general security
  • software & hardware implementation ease
  • implementation attacks
  • flexibility (in en/decrypt, keying, other factors)

AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
  • MARS (IBM) - complex, fast, high security margin
  • RC6 (USA) - v. simple, v. fast, low security margin
  • Rijndael (Belgium) - clean, fast, good security margin
  • Serpent (Euro) - slow, clean, v. high security margin
  • Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
  • few complex rounds versus many simple rounds
  • which refined existing ciphers versus new proposals

What makes Rijndael stand out?
• The symmetric and parallel structure
  • gives implementers a lot of flexibility
  • does not allow effective cryptanalytic attacks
• Well adapted to modern processors
  • Pentium
  • RISC and parallel processors
• Suited for Smart Cards
• Flexible in dedicated hardware

The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
  • treats data in 4 groups of 4 bytes
  • operates on an entire block in every round
• designed to be:
  • resistant against known attacks
  • speed and code compactness on many CPUs
  • design simplicity

Working of Algorithm

                                          AES-128    AES-192    AES-256
Key size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext block size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of rounds                          10         12         14
Round key size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded key size (words/bytes)           44/176     52/208     60/240


Basic Operation
• The Rijndael Algorithm is a block cipher that encrypts blocks of 128 bits.
• Uses symmetric keys of 128, 192 or 256 bits.
• The first 9/11/13 rounds are similar and they consist of 4 transformations, called
  • ByteSub (Substitution Bytes)
  • ShiftRow (Shift Rows)
  • MixColumn (multiply columns)
  • AddRoundKey (XOR by key)
• The last round has only the transformations
  • ByteSub, ShiftRow, AddRoundKey

General Design
[Figure: AES encryption and decryption side by side. Encryption: Plaintext, Add round key w[0,3], Rounds 1 to 9 (Substitute Bytes, Shift Rows, Mix Columns, Add round key, using w[4,7] in Round 1 through w[36,39] in Round 9), Round 10 (Substitute Bytes, Shift Rows, Add Round Key w[40,43]), Ciphertext. Decryption: Ciphertext to Plaintext using Inverse sub bytes, Inverse shift rows, Inverse mix cols and Add round key. Round keys come from Expand Key.]

[Figure: Data Units in AES]

[Figure: AES Rounds]

[Figure: AES Round]

Byte Substitution
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits)
  • eg. byte {95} is replaced by row 9 col 5 byte which is the value {2A}
• designed to be resistant to all known attacks

[Figure: Byte Substitution]

Shift Rows
• a circular byte shift in each row
  • 1st row is unchanged
  • 2nd row does 1 byte circular shift to left
  • 3rd row does 2 byte circular shift to left
  • 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step permutes bytes between the columns

Mix Columns
• The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.

Add Round Key
• XOR state with 128-bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical since XOR is its own inverse, just with correct round key
• designed to be as simple as possible

[Figure: AES Round]

Some Comments on AES
• an iterative rather than Feistel cipher
• key expanded into array of 32-bit words
  • four words form round key in each round
• 4 different stages are used as shown
• has a simple structure
• only AddRoundKey uses key
• each stage is easily reversible
• decryption uses keys in reverse order
• final round has only 3 stages

AES Key Expansion
• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in previous & 4 places back
  • in 3 of 4 cases just XOR these together
  • every 4th has S-box + rotate + XOR constant of previous before XOR together
• designed to resist known attacks

[Figure: Key Expansion in AES-128]

AES Decryption
• AES decryption cipher is not identical to the encryption cipher
• The sequence of transformations differs although the form of the key schedules is the same
• Has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption

[Figure: AES Example Key Expansion]

[Figure: AES Example Encryption]

Avalanche Effect in AES: Change in Plaintext
Shows the result when the eighth bit of the plaintext is changed. The second column shows the value of the State matrix at the end of each round for the two plaintexts.
K: 0f1571c947d9e859 0cb7add6af7f6798

Avalanche Effect in AES: Change in Key
Shows the change in State matrix values when the same plaintext is used and the two keys differ in only one bit (at the eighth position).
Key1: 0f1571c947d9e859 0cb7add6af7f6798
Key2: 0e1571c947d9e859 0cb7add6af7f6798

Implementation Aspects
• Can efficiently implement on an 8-bit processor
  • AddRoundKey is a bytewise XOR operation
  • ShiftRows is a simple byte-shifting operation
  • SubBytes operates at the byte level and only requires a table of 256 bytes
  • MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes

Implementation Aspects
• Can efficiently implement on a 32-bit processor
  • Redefine steps to use 32-bit words
  • Can precompute 4 tables of 256-words
  • Then each column in each round can be computed using 4 table lookups + 4 XORs
  • At a cost of 4Kb to store tables
• Designers believe this very efficient implementation was a key factor in its selection as the AES cipher

Summary
• The AES selection process
• The details of Rijndael – the AES cipher
• Implementation aspects
