Lecture 5 Advanced Encryption Standard

The document provides an introduction and overview of the Advanced Encryption Standard (AES). It discusses how AES was selected as the replacement for the Data Encryption Standard (DES) in 2001. The AES algorithm uses the Rijndael block cipher that was designed by two Belgian cryptographers. The AES cipher operates on 128-bit blocks using 128, 192, or 256-bit keys but the AES standard only specifies 128-bit blocks. The overview describes the key steps of AES including key addition, byte substitution using S-boxes, diffusion layers of shift rows and mix columns, and generating round keys from the main key.

Uploaded by

kenronoh
9/21/2022

Lecture 5: Advanced Encryption Standard

Introduction

• In 1999 the US National Institute of Standards and Technology (NIST) indicated
that DES should only be used for legacy systems and instead triple DES (3DES)
should be used.
• Even though 3DES resists brute-force attacks with today’s technology, there are
several problems with it.
• First, it is not very efficient with regard to software implementations. DES is
already not particularly well suited for software and 3DES is three times slower
than DES.
• Secondly, if one is worried about attacks with quantum computers, which might
become reality in a few decades, key lengths on the order of 256 bits are
desirable.
• All these considerations led NIST to the conclusion that an entirely new block
cipher was needed as a replacement for DES.

Introduction

• In 1997 NIST called for proposals for a new Advanced Encryption Standard (AES).
• Unlike the DES development, the selection of the algorithm for AES was an open
process administered by NIST.
• In three subsequent AES evaluation rounds, NIST and the international scientific
community discussed the advantages and disadvantages of the submitted ciphers
and narrowed down the number of potential candidates.
• In 2001, NIST declared the block cipher Rijndael as the new AES and published it
as a final standard.
• Rijndael was designed by two young Belgian cryptographers.

Rijndael: pronounced “Rain-Dahl”

Introduction - AES Shortlist

• After testing and evaluation, shortlist in Aug-99
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security margin
• Rijndael (Belgium) - clean, fast, good security margin
• Serpent (Euro) - slow, clean, v. high security margin
• Twofish (USA) - complex, v. fast, high security margin
• Found contrast between algorithms with
• Few complex rounds versus many simple rounds
• Refined versions of existing ciphers versus new proposals


Introduction - The AES Cipher - Rijndael

• Rijndael was selected as the AES in Oct-2000
• Designed by Vincent Rijmen and Joan Daemen in Belgium
• Issued as FIPS PUB 197 standard in Nov-2001
• An iterative rather than Feistel cipher
• Processes data as block of 4 columns of 4 bytes (128 bits)
• Operates on entire data block in every round
• Rijndael design:
• Simplicity
• Has 128/192/256 bit keys, 128 bits data
• Resistant against known attacks
• Speed and code compactness on many CPUs

Overview of AES Algorithm

• The Rijndael block and key size vary between 128, 192 and 256 bits.
• However, the AES standard only calls for a block size of 128 bits.
• Hence, only Rijndael with a block length of 128 bits is known as the AES
algorithm.
• We will only discuss the standard version of Rijndael with a block length of 128
bits

Overview of AES Algorithm


• In contrast to DES, AES does not have a Feistel structure.
• Feistel networks do not encrypt an entire block per iteration, e.g., in DES, 64/2 =
32 bits are encrypted in one round.
• AES, on the other hand, encrypts all 128 bits in one iteration.
• This is one reason why it has a comparably small number of rounds.


• Key Addition layer: A 128-bit round key, or subkey, which has been derived from
the main key in the key schedule, is XORed to the state.
• Byte Substitution layer (S-Box):
• Each element of the state is nonlinearly transformed using lookup tables
• This introduces confusion to the data, i.e., it assures that changes in individual state bits
propagate quickly across the data path.
• Diffusion layer: It provides diffusion over all state bits. It consists of two
sublayers, both of which perform linear operations:
• The ShiftRows layer permutes the data on a byte level.
• The MixColumn layer is a matrix operation which combines (mixes) blocks of four bytes.

• Similar to DES, the key schedule computes round keys, or subkeys,
(k0,k1,...,knr) from the original AES key.

Mathematics: Galois Fields

• Slides
• Calculations done on board in class

Finite Field


• Finite Fields, also known as Galois Fields, are cornerstones for understanding any
cryptography.
• A field can be defined as a set of numbers that we can add, subtract, multiply and
divide together and only ever end up with a result that exists in our set of
numbers.
• To have a finite field you need the following properties (the dot symbol · denotes
the remainder after multiplying/adding two elements):
• Closed — any operation performed with elements from the set returns an element contained
in the original set.
• Associative — if you have (a· b) ·c, it’s the same as a ·(b ·c)
• Identity — there exists a neutral element (usually 1) such that a · 1 = a
• Inverse — within the set there’s another element such that a · (a)^-1= 1
• Commutative — the order of operations doesn’t matter: a · b = b · a

Prime Field Arithmetic

Extension Field

Internal Structure of AES


• The 16-byte input A0,...,A15 is fed byte-wise into the S-Box.
• The 16-byte output B0,...,B15 is permuted byte-wise in the ShiftRows layer and
mixed by the MixColumn transformation c(x).
• Finally, the 128-bit subkey ki is XORed with the intermediate result.
• Take note that AES is a byte-oriented cipher.
• This is in contrast to DES, which makes heavy use of bit permutation and can thus
be considered to have a bit-oriented structure.
• In order to understand how the data moves through AES, we first imagine that
the state A (i.e., the 128-bit data path) consisting of 16 bytes A0,A1,...,A15 is
arranged in a four-by-four byte matrix:

Byte Substitution Layer

• The Byte Substitution layer can be viewed as a row of 16 parallel S-Boxes, each
with 8 input and output bits.
• Note that all 16 S-Boxes are identical, unlike DES where eight different S-Boxes
are used.
• In the layer, each state byte Ai is replaced, i.e., substituted, by another byte Bi
• The S-Box is the only nonlinear element of AES, i.e., it holds that ByteSub(A) +
ByteSub(B) ≠ ByteSub(A + B) for two states A and B.
• The S-Box substitution is a bijective mapping, i.e., each of the 2^8 = 256 possible
input elements is one-to-one mapped to one output element.
• This allows us to uniquely reverse the S-Box, which is needed for decryption.
• In software implementations the S-Box is usually realized as a 256-by-8 bit lookup
table with fixed entries.

Diffusion Layer

• In AES, the Diffusion layer consists of two sublayers, the ShiftRows transformation
and the MixColumn transformation.
• We recall that diffusion is the spreading of the influence of individual bits over
the entire state.
• Unlike the nonlinear S-Box, the diffusion layer performs a linear operation on
state matrices A,B, i.e., DIFF(A)+DIFF(B) = DIFF(A+B)

Diffusion Layer – Shift Rows Sub Layer

Diffusion Layer – MixColumn Sublayer


• The MixColumn step is a linear transformation which mixes each column of the
state matrix.
• Since every input byte influences four output bytes, the MixColumn operation is
the major diffusion element in AES.
• The combination of the ShiftRows and MixColumn layer makes it possible that
after only three rounds every byte of the state matrix depends on all 16 plaintext
bytes.

Key Addition Layer


• The two inputs to the Key Addition layer are the current 16-byte state matrix and
a subkey which also consists of 16 bytes (128 bits).
• The two inputs are combined through a bitwise XOR operation.
• Note that the XOR operation is equal to addition in the Galois field GF(2).
• The subkeys are derived in the key schedule that is discussed next.

Key Schedule

• The key schedule takes the original input key (of length 128, 192 or 256 bit) and
derives the subkeys used in AES.
• Note that an XOR addition of a subkey is used both at the input and output of
AES.
• The number of subkeys is equal to the number of rounds plus one, due to the key
needed for the first key addition layer.
• Thus, for the key length of 128 bits, the number of rounds is nr = 10, and there
are 11 subkeys, each of 128 bits.
• The AES with a 192-bit key requires 13 subkeys of length 128 bits, and AES with a
256-bit key has 15 subkeys.
• The AES subkeys are computed recursively, i.e., in order to derive subkey ki,
subkey ki-1 must be known, etc
• The AES key schedule is word-oriented, where 1 word = 32 bits.
• Subkeys are stored in a key expansion array W that consists of words.
• There are different key schedules for the three different AES key sizes of 128, 192
and 256 bit.
• We will look at key schedule for AES key size of 128

Key Schedule for 128-Bit Key AES

• The first subkey k0 is the original AES key, i.e., the key is
copied into the first four elements of the key array W.
• The leftmost word of a subkey W[4i], where i = 1,...,10,
is computed as:

• Here g() is a nonlinear function with a four-byte input
and output.
• The remaining three words of a subkey are computed
recursively as:

• where i = 1,...,10 and j = 1,2,3.
• The function g() rotates its four input bytes, performs
a byte-wise S-Box substitution, and adds a round
coefficient RC to it.
• The round coefficient is an element of the Galois
field GF(2^8), i.e., an 8-bit value.
• It is only added to the leftmost byte in the function
g().
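
The AES-128 key schedule described above, as an added example that is not part of the original slides. The word recursions and the S-Box construction (GF(2^8) inverse followed by an affine mapping) are taken from FIPS 197, since the slide equations are not reproduced here; the function names are this example's own and the sample key is the one from FIPS 197 Appendix A.1.

```python
def xtime(a):
    """Multiply by x in GF(2^8), reducing modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def rotl8(b, s):
    return ((b << s) | (b >> (8 - s))) & 0xFF

def build_sbox():
    """S-Box entry = GF(2^8) inverse of the input, then the AES affine mapping."""
    exp, x = [], 1
    for _ in range(255):              # successive powers of the generator 0x03
        exp.append(x)
        x ^= xtime(x)                 # x*3 = x*2 + x
    log = {v: i for i, v in enumerate(exp)}
    sbox = []
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0    # 0 has no inverse, maps to 0
        sbox.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                    ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()

def g(word, rc):
    """Rotate the four bytes, S-Box each one, add RC to the leftmost byte only."""
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= rc
    return out

def expand_key_128(key):
    """Return the 11 subkeys k0..k10 (16 bytes each) for a 16-byte AES key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]     # k0 is the key itself
    rc = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                # leftmost word of a new subkey: W[4i]
            t, rc = g(t, rc), xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

# Key from FIPS 197 Appendix A.1, used here as sample input
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SUBKEYS = expand_key_128(KEY)
```

Decryption uses the same list in reverse order, i.e. `SUBKEYS[::-1]`.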

Decryption

• Because AES is not based on a Feistel network, all layers must actually be
inverted, i.e., the Byte Substitution layer becomes the Inv Byte Substitution layer,
the ShiftRows layer becomes the Inv ShiftRows layer, and the MixColumn layer
becomes Inv MixColumn layer.
• Inverse layer operations are fairly similar to the layer operations used for
encryption.
• In addition, the order of the subkeys is reversed, i.e., we need a reversed key
schedule.
• Since the last encryption round does not perform the MixColumn operation, the
first decryption round also does not contain the corresponding inverse layer.
• All other decryption rounds, however, contain all AES layers.
• Since the XOR operation is its own inverse, the key addition layer in the
decryption mode is the same as in the encryption mode: it consists of a row of
plain XOR gates

Decryption - A Decryption Round

Inverse ShiftRows Sublayer

• In order to reverse the ShiftRows operation of the encryption algorithm, we must
shift the rows of the state matrix in the opposite direction.
• The first row is not changed by the inverse ShiftRows transformation.

Inverse MixColumn Sublayer

• After the addition of the subkey, the inverse MixColumn step is applied to the state (again,
the exception is the first decryption round).
• In order to reverse the MixColumn operation, the inverse of its matrix must be used.
• The input is a 4-byte column of the State C which is multiplied by the inverse 4×4 matrix.
• The matrix contains constant entries.
• Multiplication and addition of the coefficients is done in GF(2^8).
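
MixColumn and its inverse applied to a single state column, as an added example that is not part of the original slides. The matrix constants come from FIPS 197 (they are not reproduced on this page), the function names are this example's own, and the sample columns are constructed test input.

```python
def xtime(a):
    """Multiply by x in GF(2^8), reducing modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

MIX = (0x02, 0x03, 0x01, 0x01)        # first row of the MixColumn matrix
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)    # first row of the inverse matrix

def apply_circulant(first_row, col):
    """Multiply a 4-byte column by the circulant 4x4 matrix with this first row."""
    out = []
    for r in range(4):
        acc = 0
        for c in range(4):
            acc ^= gf_mul(first_row[(c - r) % 4], col[c])   # addition is XOR
        out.append(acc)
    return out

def mix_column(col):
    return apply_circulant(MIX, col)

def inv_mix_column(col):
    return apply_circulant(INV_MIX, col)

def affected_outputs(col, index, delta):
    """Count output bytes that change when one input byte is XORed with delta."""
    changed = list(col)
    changed[index] ^= delta
    return sum(x != y for x, y in zip(mix_column(col), mix_column(changed)))

# Constructed sample columns
A = [0xDB, 0x13, 0x53, 0x45]
B = [0x01, 0x23, 0x45, 0x67]
MIXED = mix_column(A)                 # [0x8E, 0x4D, 0xA1, 0xBC]
```

Because the operation is linear, `mix_column(A)` XOR `mix_column(B)` equals `mix_column` of `A` XOR `B`, which is the DIFF(A)+DIFF(B) = DIFF(A+B) property stated for the diffusion layer.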

Inverse Byte Substitution Layer


• The inverse S-Box is used when decrypting a ciphertext.

• where Ai and Bi are elements of the state matrix.


• The entries of the inverse S-Box are given in Table below.

Decryption Key Schedule


• Since decryption round one needs the last subkey, the second decryption round
needs the second-to-last subkey and so on, we need the subkey in reversed order
as shown in the figure for encryption key schedule.
