Week 5
1 AES
The block diagram for AES-128 can be represented as below:
[Figure: AES-128 block diagram. Key scheduling derives the round keys K1, K2, K3, ..., K10, K11 from the key; the 10th round applies the round function f10 with K10, and the final addition of K11 gives the ciphertext C.]
So there are 10 round functions and 11 round keys in AES-128. As there are only 10 rounds, one round key is applied before the start of round 1. So, in general, the total number of round keys is (number of rounds + 1).
Here, to compute all the round functions except the last one, we follow these 3 steps:
To compute the last round function, we follow these 2 steps:
[Figure: round function f1, mapping a 128-bit input to a 128-bit output.]
4 Subbytes
$\mathrm{SubBytes}: \{0,1\}^{128} \to \{0,1\}^{128}$
$X = x_0\, x_1\, x_2\, x_3 \ldots x_{15}$
where X is 128 bits and each $x_i$ is 8 bits, so we can arrange X as a $4 \times 4$ matrix (filled column by column) in which each element is 8 bits:
\[
\begin{pmatrix}
x_0 & x_4 & x_8 & x_{12} \\
x_1 & x_5 & x_9 & x_{13} \\
x_2 & x_6 & x_{10} & x_{14} \\
x_3 & x_7 & x_{11} & x_{15}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{10} & s_{11} & s_{12} & s_{13} \\
s_{20} & s_{21} & s_{22} & s_{23} \\
s_{30} & s_{31} & s_{32} & s_{33}
\end{pmatrix}
= (s_{ij})_{4 \times 4}
\]
(i) $(c_7\, c_6\, c_5\, c_4\, c_3\, c_2\, c_1\, c_0) = (01100011)$ (in binary) $= 63$ (in hexadecimal)
After applying all the operations, we get the SubBytes output of every element, as represented in the following matrix:
\[
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{10} & s_{11} & s_{12} & s_{13} \\
s_{20} & s_{21} & s_{22} & s_{23} \\
s_{30} & s_{31} & s_{32} & s_{33}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
s'_{00} & s'_{01} & s'_{02} & s'_{03} \\
s'_{10} & s'_{11} & s'_{12} & s'_{13} \\
s'_{20} & s'_{21} & s'_{22} & s'_{23} \\
s'_{30} & s'_{31} & s'_{32} & s'_{33}
\end{pmatrix}
= (s'_{ij})_{4 \times 4}
\]
Here, as $S(0) = 0$, all the $a_i$ are 0, so the value of each $b_i$ equals the corresponding $c_i$; thus $b = c = (01100011) = 63$, and so $\mathrm{SubByte}(0) = (01100011) = 63$.
$S(X) = Y$
where
$X = (a_7\, a_6\, a_5\, a_4\, a_3\, a_2\, a_1\, a_0)$
where $a_7$ is the most significant bit (MSB) and $a_0$ is the least significant bit (LSB).
$p(x)\,q(x) = 1 + h(x)\,(x^8 + x^4 + x^3 + x + 1)$
$1 = p(x)\,q(x) + h_1(x)\,(x^8 + x^4 + x^3 + x + 1)$
where $h_1(x) = -h(x)$
Here, we can say that $(x^8 + x^4 + x^3 + x + 1)$ must divide $(p(x)\,q(x) - 1)$. Also, we can say that
$S(01010011) \to$
$01010011 \to x^6 + x^4 + x + 1$
$g(x) = x^8 + x^4 + x^3 + x + 1$
$p(x)\,q(x) \equiv 1 \pmod{g(x)}$
$x^8 + x^4 + x^3 + x + 1 = (x^6 + x^4 + x + 1)(x^2 + 1) + (x^2)$
$x^6 + x^4 + x + 1 = (x^2)(x^4 + x^2) + (x + 1)$
$x^2 = (x + 1)(x + 1) + (1)$
$1 = (x^2) + (x + 1)(x + 1)$
$1 = x^2 + [(x^6 + x^4 + x + 1) + (x^2)(x^4 + x^2)](x + 1)$
$1 = (x^6 + x^4 + x + 1)(x + 1) + (1 + (x^4 + x^2)(x + 1))(x^2)$
$1 = (x + 1)(x^6 + x^4 + x + 1) + (1 + x^2 + x^3 + x^4 + x^5)[(x^8 + x^4 + x^3 + x + 1) + (x^6 + x^4 + x + 1)(x^2 + 1)]$
$1 = (1 + x^2 + x^3 + x^4 + x^5)(x^8 + x^4 + x^3 + x + 1) + [x + 1 + (x^2 + 1)(1 + x^2 + x^3 + x^4 + x^5)](x^6 + x^4 + x + 1)$
$1 = (1 + x^2 + x^3 + x^4 + x^5)\,g(x) + (x^7 + x^6 + x^3 + x)\,p(x)$
So,
$q(x) = x^7 + x^6 + x^3 + x$
$h(x) = 1 + x^2 + x^3 + x^4 + x^5$
So, $(x^7 + x^6 + x^3 + x)$ is the inverse of $(x^6 + x^4 + x + 1)$ modulo $x^8 + x^4 + x^3 + x + 1$.
5 Shift Rows
$\mathrm{ShiftRows}: \{0,1\}^{128} \to \{0,1\}^{128}$
The shift rows operation is a left circular shift of each row of the SubBytes matrix by i positions, where i is the row number.
\[
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{10} & s_{11} & s_{12} & s_{13} \\
s_{20} & s_{21} & s_{22} & s_{23} \\
s_{30} & s_{31} & s_{32} & s_{33}
\end{pmatrix}
\longrightarrow
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{11} & s_{12} & s_{13} & s_{10} \\
s_{22} & s_{23} & s_{20} & s_{21} \\
s_{33} & s_{30} & s_{31} & s_{32}
\end{pmatrix}
\]
Here, we can see that it is a constant time operation.
6 Mix Columns
The mix columns operation can be stated as:
$\mathrm{MixColumns}: \{0,1\}^{128} \to \{0,1\}^{128}$
\[
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{10} & s_{11} & s_{12} & s_{13} \\
s_{20} & s_{21} & s_{22} & s_{23} \\
s_{30} & s_{31} & s_{32} & s_{33}
\end{pmatrix}
\longrightarrow
(s'_{ij})_{4 \times 4}
\]
Here, we can represent
$s'_{00} = [x \cdot s_{00} + (x + 1) \cdot s_{10} + 1 \cdot s_{20} + 1 \cdot s_{30}] \bmod (x^8 + x^4 + x^3 + x + 1)$
So, to perform mix columns on column j and calculate $s'_{ij}$, we multiply the elements of column j by x, x+1, 1 and 1 in circular fashion, starting from the element in the ith row.
Now, for all columns $c \in \{0, 1, 2, 3\}$:
    For i = 0 to 3
        $t_i = \mathrm{binarytopoly}(s_{i,c})$
    $u_0 = (x \cdot t_0 + (x + 1) \cdot t_1 + t_2 + 1 \cdot t_3) \bmod (x^8 + x^4 + x^3 + x + 1)$
    $u_1 = (x \cdot t_1 + (x + 1) \cdot t_2 + t_3 + t_0) \bmod (x^8 + x^4 + x^3 + x + 1)$
    $u_2 = (x \cdot t_2 + (x + 1) \cdot t_3 + t_0 + t_1) \bmod (x^8 + x^4 + x^3 + x + 1)$
    $u_3 = (x \cdot t_3 + (x + 1) \cdot t_0 + t_1 + t_2) \bmod (x^8 + x^4 + x^3 + x + 1)$
    For i = 0 to 3
        $s'_{i,c} = \mathrm{polynomialtobinary}(u_i)$
\[
s' =
\begin{pmatrix}
x & x+1 & 1 & 1 \\
1 & x & x+1 & 1 \\
1 & 1 & x & x+1 \\
x+1 & 1 & 1 & x
\end{pmatrix}
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{11} & s_{12} & s_{13} & s_{10} \\
s_{22} & s_{23} & s_{20} & s_{21} \\
s_{33} & s_{30} & s_{31} & s_{32}
\end{pmatrix}
\bmod (x^8 + x^4 + x^3 + x + 1)
\]
We can also represent x as 2, x+1 as 3 and 1 as 1, so the matrix can also be represented as:
\[
s' =
\begin{pmatrix}
2 & 3 & 1 & 1 \\
1 & 2 & 3 & 1 \\
1 & 1 & 2 & 3 \\
3 & 1 & 1 & 2
\end{pmatrix}
\begin{pmatrix}
s_{00} & s_{01} & s_{02} & s_{03} \\
s_{11} & s_{12} & s_{13} & s_{10} \\
s_{22} & s_{23} & s_{20} & s_{21} \\
s_{33} & s_{30} & s_{31} & s_{32}
\end{pmatrix}
\bmod (x^8 + x^4 + x^3 + x + 1)
\]
$s_{00} = 95 = 10010101 = x^7 + x^4 + x^2 + 1$
$s_{10} = 65 = 01100101 = x^6 + x^5 + x^2 + 1$
$s_{20} = FD = 11111101 = x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1$
$s_{30} = F3 = 11110011 = x^7 + x^6 + x^5 + x^4 + x + 1$
So, $s'_{00} = [x \cdot s_{00} + (x + 1) \cdot s_{10} + s_{20} + 1 \cdot s_{30}] \bmod (x^8 + x^4 + x^3 + x + 1)$
$x \cdot s_{00} = x \cdot (x^7 + x^4 + x^2 + 1) = x^8 + x^5 + x^3 + x = (x^4 + x^3 + x + 1) + x^5 + x^3 + x = x^5 + x^4 + 1$
$(x + 1) \cdot s_{10} = (x + 1)(x^6 + x^5 + x^2 + 1) = x^7 + x^6 + x^3 + x + x^6 + x^5 + x^2 + 1 = x^7 + x^5 + x^3 + x^2 + x + 1$
$1 \cdot s_{20} = 1 \cdot (x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1) = x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + 1$
$1 \cdot s_{30} = 1 \cdot (x^7 + x^6 + x^5 + x^4 + x + 1) = x^7 + x^6 + x^5 + x^4 + x + 1$
So, after adding the above four terms under modulo 2 we get:
$s'_{00} = x^7 + x^4$
$s'_{00} = 10010000 = 90$
Similarly, by following these steps we get the remaining terms of the column, which are $s'_{10}$, $s'_{20}$ and $s'_{30}$.
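The ShiftRows and MixColumns steps above, as an added Python example that is not part of the lecture notes. It works on a row-major 4x4 state (state[i][j] is row i, column j), uses the 2/3/1/1 circulant from the notes, and takes the column (95, 65, FD, F3) from the worked example as its sample input; xtime is the multiply-by-x step with the reduction by x^8 + x^4 + x^3 + x + 1 written out.

```python
# Added example (not from the lecture notes): ShiftRows and MixColumns on a
# 4x4 AES state, with the column (95, 65, FD, F3) from the notes as sample input.


def xtime(b: int) -> int:
    """Multiply a byte by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    if b & 0x100:          # x^8 appeared: replace it by x^4 + x^3 + x + 1 (0x1B)
        b ^= 0x11B
    return b


def mul3(v: int) -> int:
    """(x + 1) * v = x*v + v."""
    return xtime(v) ^ v


def mix_column(col):
    """Apply the circulant [2 3 1 1 / 1 2 3 1 / 1 1 2 3 / 3 1 1 2] to one column."""
    t0, t1, t2, t3 = col
    return [
        xtime(t0) ^ mul3(t1) ^ t2 ^ t3,        # u0
        t0 ^ xtime(t1) ^ mul3(t2) ^ t3,        # u1
        t0 ^ t1 ^ xtime(t2) ^ mul3(t3),        # u2
        mul3(t0) ^ t1 ^ t2 ^ xtime(t3),        # u3
    ]


def shift_rows(state):
    """Row i is rotated left by i positions (row 0 is unchanged)."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]


def inv_shift_rows(state):
    """Row i rotated right by i positions: a right shift by i is a left shift by (4 - i) mod 4."""
    return [row[(4 - i) % 4:] + row[:(4 - i) % 4] for i, row in enumerate(state)]


def mix_columns(state):
    """Apply mix_column to each of the four columns of a row-major 4x4 state."""
    cols = [mix_column([state[i][j] for i in range(4)]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]


# Constructed sample input: the column from the notes' worked example.
SAMPLE_COLUMN = [0x95, 0x65, 0xFD, 0xF3]

if __name__ == "__main__":
    print([f"{v:02X}" for v in mix_column(SAMPLE_COLUMN)])  # first entry is 90, as in the notes
```

The first output byte reproduces the notes' value 0x90 for s'00; the other three entries are what the same circulant gives for s'10, s'20 and s'30. Note that a full AES round applies shift_rows before mix_columns, which is why the state matrix in the notes' MixColumns equation already has its rows rotated.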
7 Key Scheduling algorithm for AES-128 bit
We need to use the key K of 128 bits to generate 11 round keys $(k_1, k_2, \ldots, k_{11})$, each of length 128 bits.
So, the key K can be represented as K = (Key[0] Key[1] Key[2] ... Key[15]), where the length of each Key[i] is 8 bits. So, we are just breaking the key K into 16 groups of 8 bits each.
    For i = 0 to 3
        w[i] = Key[4i] || Key[4i+1] || Key[4i+2] || Key[4i+3]
    For i = 4 to 43
        temp = w[i-1]
        if i ≡ 0 (mod 4)
            then temp = SUBWORD(ROTWORD(temp)) ⊕ RCon[i/4]
        w[i] = w[i-4] ⊕ temp
    Return (w[0], w[1], ..., w[43])
Here, we have a key K of 128 bits, divided into 16 blocks of 8 bits each, represented by Key[i]; the w[i] we generate are 32 bits each. In the above function we create 44 w[i] in total, each of 32 bits, so we can form 11 round keys of 128 bits each from them, as (44 × 32) bits = (4 × 11 × 32) bits = (11 × 128) bits.
So, we now obtain all the round keys, which can be stated as follows:
K1 = w[0]||w[1]||w[2]||w[3]
K2 = w[4]||w[5]||w[6]||w[7]
...
K11 = w[40]||w[41]||w[42]||w[43]
where || represents concatenation.
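An added Python example, not part of the lecture notes, that ties the SubBytes section (the extended Euclid inverse in GF(2^8) and the affine map with constant 63) to the key scheduling pseudocode above. It builds the S-box from the inverse plus the affine map, then runs the key expansion exactly as the pseudocode states it. The RCON table, the FIPS-197 test key 2b7e1516... and the word values checked in the test are standard AES reference values and are not on this page; RCON is 0-indexed here, so the notes' RCon[i/4] becomes RCON[i//4 - 1].

```python
# Added example (not from the lecture notes): AES S-box from the GF(2^8) inverse
# (extended Euclid over GF(2)[x], as in the notes' 0x53 example) plus the affine
# map with constant 0x63, and the AES-128 key expansion from the notes' pseudocode.

G = 0x11B  # g(x) = x^8 + x^4 + x^3 + x + 1


def gf_deg(a: int) -> int:
    return a.bit_length() - 1


def gf_divmod(a: int, b: int):
    """Polynomial long division over GF(2): returns (quotient, remainder)."""
    q = 0
    while b and gf_deg(a) >= gf_deg(b):
        shift = gf_deg(a) - gf_deg(b)
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a: int, b: int) -> int:
    """Multiply two polynomials over GF(2) without reduction (degrees stay small here)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_inverse(p: int) -> int:
    """Extended Euclid: find q with p*q = 1 mod g(x). The inverse of 0 is defined as 0."""
    if p == 0:
        return 0
    r0, r1 = G, p      # remainders, as in the notes' division chain
    s0, s1 = 0, 1      # coefficients of p such that r_k = s_k * p (mod g)
    while r1 != 1:
        q, r = gf_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ gf_mul(q, s1)
    return s1


def affine(a: int) -> int:
    """b_i = a_i + a_(i+4) + a_(i+5) + a_(i+6) + a_(i+7) + c_i (indices mod 8), c = 0x63."""
    bit = lambda v, i: (v >> (i % 8)) & 1
    b = 0
    for i in range(8):
        bi = bit(a, i) ^ bit(a, i + 4) ^ bit(a, i + 5) ^ bit(a, i + 6) ^ bit(a, i + 7) ^ bit(0x63, i)
        b |= bi << i
    return b


def sbox(x: int) -> int:
    return affine(gf_inverse(x))


SBOX = [sbox(x) for x in range(256)]

# Round constants RCon[1..10], stored 0-indexed.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def sub_word(w):
    return [SBOX[b] for b in w]


def rot_word(w):
    return w[1:] + w[:1]


def key_expansion(key: bytes):
    """AES-128 key schedule: 16-byte key -> words w[0..43], each a list of 4 bytes."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_word(rot_word(temp))
            temp = [temp[0] ^ RCON[i // 4 - 1]] + temp[1:]   # RCon[i/4] in the notes
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w


def round_keys(key: bytes):
    """K1..K11 as 16-byte values, K_r = w[4(r-1)] || ... || w[4(r-1)+3]."""
    w = key_expansion(key)
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]


# Constructed sample: the key from FIPS-197 Appendix A.1 (a standard reference value).
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    print(hex(gf_inverse(0x53)), hex(sbox(0x53)))
    for r, k in enumerate(round_keys(SAMPLE_KEY), start=1):
        print(f"K{r} = {k.hex()}")
```

The Euclid loop reproduces the notes' chain for 0x53 (quotients x^2+1, x^4+x^2, x+1) and returns 0xCA; the affine map then gives the S-box entry. Generating SBOX this way makes the table's origin visible, whereas production code ships it as a fixed constant table.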
8 Decryption of AES
We can say that the whole AES process is decryptable, as all the functions we have performed are invertible. So, we start from the last step, where we perform $C_{10} \oplus K_{11}$ to get C; it can be inverted to get $C_{10}$ as $C \oplus K_{11}$.
We can also see that shift rows is invertible, as we can perform a right circular shift instead of a left circular shift.
Also, subbytes is invertible, as we can locate the element in the table/matrix and then easily get the row number and column number of that element.
Also, the inverse of the mix columns operation can be easily calculated, as the matrix is invertible under mod $(x^8 + x^4 + x^3 + x + 1)$.
Using all these inverses of the functions, we XOR with the round keys and get the original text easily.
9 Modes of Operation
There are many modes of operation, such as ECB (the elementary mode of operation), CBC (the most used and a very important mode of operation), CFB, OFB, IGE, and many more.
10 ECB (Electronic Code Book)
Input: Key K, n-bit plaintext
[Figure: encryption of the blocks $x_1, x_2, x_3$ into $C_1, C_2, C_3$ with Enc under key K, with an iv.]
(ii) Decryption: $C_0 = iv$
$x_j = \mathrm{Dec}(c_j, K) \oplus C_{j-1}$ where $1 \le j \le t$
[Figure: decryption of $C_1, C_2, C_3$ into $x_1, x_2, x_3$ with Dec under key K, with the iv.]
12 Stream Cipher
We have earlier discussed various types of block ciphers, such as AES and DES, and various modes of operation. So, now we move on to discuss stream ciphers.
A stream cipher is a cipher which encrypts the message bitwise. So, firstly we take the message (plaintext) as follows:
$M = M_0 \ldots M_t;\ M_i \in \{0, 1\}$
The encryption would be done as:
Encryption: $C_i = m_i \oplus K_i$
Decryption: $M = C \oplus K$ or $m_i = C_i \oplus K_i$
We can say that it is the most efficient algorithm when certain conditions are applied, which we will see in further discussions. We say that an algorithm is perfectly secure if we do not receive any information about the plaintext from the ciphertext. This is Shannon's notion of perfect secrecy.
$\Pr[M = M_1 \mid C = Ch_1] = \Pr[M = M_1]$
We can see that knowing the ciphertext has no effect on predicting the plaintext, that is, there is no extra advantage from being given $C = Ch_1$.
$\Pr[M = 0] = p$
$\Pr[M = 1] = 1 - p$
$\Pr[K = 0] = 1/2$
$\Pr[K = 1] = 1/2$
$C = \mathrm{Enc}(M, K) = M \oplus K$
$C \in \{0, 1\}$
$\Pr[c = 0] = \Pr[\{m = 0, k = 0\} \cup \{m = 1, k = 1\}]$
$= \Pr[\{m = 0, k = 0\}] + \Pr[\{m = 1, k = 1\}]$
$= (\Pr[m = 0] \times \Pr[k = 0]) + (\Pr[m = 1] \times \Pr[k = 1])$
$= (p \times 1/2) + ((1 - p) \times 1/2)$
$= 1/2$
Here, the key K is randomly generated.
$\Pr[c = 1] = 1/2$
$C = Ch_1 \mid M = M_1$
$Ch_1 = M_1 \oplus K$
$K = Ch_1 \oplus M_1$
$\Pr[M = M_1 \mid C = Ch_1]$
$= \Pr[M = M_1, C = Ch_1] / \Pr[C = Ch_1]$
$= (\Pr[C = Ch_1 \mid M = M_1] \times \Pr[M = M_1]) / (1/2)$
$= (\Pr[K = Ch_1 \oplus M_1] \times \Pr[M = M_1]) / (1/2)$
$= ((1/2) \times \Pr[M = M_1]) / (1/2)$
$= \Pr[M = M_1]$
Hence, we can conclude that this is a perfectly secure algorithm, as we have proved the above statement. For this algorithm to provide perfect secrecy, the following two conditions must be satisfied:
1. We should not reuse the key, as if we reuse the key it becomes relatively easier for someone to guess the message, which can be seen as below:
$C = M \oplus K$
$C_1 = M_1 \oplus K$
$C_2 = M_2 \oplus K$
$C_1 \oplus C_2 = (M_1 \oplus K) \oplus (M_2 \oplus K) = M_1 \oplus M_2$
So, we can see that the significance of K has gone and we are only left with the XOR of the two messages.
If $C_1 \oplus C_2 = 0$, then we get to know that $M_1 = M_2$. So, it reveals major information, and so the key must be randomly generated and must not be the same, in order to maintain the perfect secrecy of this algorithm.
2. The length of the key should not be less than the length of the plaintext, as if it is less then the key starts to repeat itself from the beginning, and the effect can be seen as below:
$K = k_0\, k_1 \ldots k_l$
$M = m_0\, m_1 \ldots m_n$
where $n > l$ and we define $r = n - l$
$K_1 = K \,\|\, k_0 \,\|\, \ldots \,\|\, k_{r-1}$
$C_1 = C_0 \ldots C_l\, C_{l+1} \ldots C_n$
So, if we select $C_0$ and $C_{l+1}$ from the ciphertext $C_1$ and XOR them, we get:
$C_0 \oplus C_{l+1} = m_0 \oplus k_0 \oplus m_{l+1} \oplus k_0 = m_0 \oplus m_{l+1}$
So, we can see that the significance of the key decreases and we can directly get the XOR of these 2 bits, and so it is not effective. So, we need to ensure that the length of the key is not less than that of the plaintext.
So, to summarize, we cannot use the same key to encrypt 2 different messages, and we also cannot use a key of smaller length than the plaintext.
So, if we ensure that these two conditions are met, we say that the cipher is an OTP (One Time Pad).
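The one-time pad and its two conditions, as an added Python example that is not part of the lecture notes. It works on bytes rather than single bits (XOR is applied bitwise within each byte), draws the key from the operating system's random source, enforces the key-length condition at encryption time, and checks the two identities from the notes: with a reused key, $C_1 \oplus C_2 = M_1 \oplus M_2$, and with a key repeated to cover a longer message, $C_0 \oplus C_{l+1} = m_0 \oplus m_{l+1}$. The message strings are constructed sample values.

```python
# Added example (not from the lecture notes): a byte-wise one-time pad, with checks of
# the two conditions the notes give for perfect secrecy (fresh key, key at least as
# long as the message).
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (C_i = m_i xor K_i for every bit)."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_key(n: int) -> bytes:
    """A new uniformly random key of n bytes from the OS random source."""
    return secrets.token_bytes(n)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """C = M xor K. Condition 2: the key must be at least as long as the message."""
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(message, key[:len(message)])


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """M = C xor K."""
    return xor_bytes(ciphertext, key[:len(ciphertext)])


def key_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """Condition 1 violated: with the same K, C1 xor C2 = M1 xor M2 (K cancels).
    A zero byte means the two messages agree at that position."""
    return xor_bytes(c1, c2)


def repeated_key(key: bytes, n: int) -> bytes:
    """K_1 = K || k_0 || ... || k_(r-1): a short key stretched by repeating it from the start."""
    return (key * (n // len(key) + 1))[:n]


def short_key_residue(message: bytes, key: bytes) -> bytes:
    """Condition 2 violated: encrypt with the repeated key and XOR C_0 with C_(l+1);
    the key byte k_0 is used in both positions and cancels, leaving m_0 xor m_(l+1)."""
    c = xor_bytes(message, repeated_key(key, len(message)))
    return bytes([c[0] ^ c[len(key)]])


# Constructed sample messages.
M1 = b"attack at dawn"
M2 = b"attack at dusk"

if __name__ == "__main__":
    k = fresh_key(len(M1))
    c1, c2 = otp_encrypt(M1, k), otp_encrypt(M2, k)
    print(otp_decrypt(c1, k))
    print(key_reuse_residue(c1, c2).hex())   # leading zero bytes where M1 and M2 agree
```

The residue functions are included only so that the two identities from the notes can be checked mechanically; a correct deployment never calls them, because it never reuses or repeats a key.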