[CS304] Introduction to Cryptography and Network Security

Course Instructor: Dr. Dibyendu Roy Winter 2023-2024

Scribed by: Shah Vedant Rupeshkumar (202151143) Lecture (Week 5)

1 AES
The block diagram for AES-128 can be represented as below:

128-bit Secret Key

Key Scheduling

K1 K2 K3

f1 f2 f3 ... Continues for 10 rounds

Plaintext
128-bits C1 C2

10th Round

K10 K11

f 10 C
C1 Ciphertext
So, there are 10 round functions and 11 round keys in AES-128. As there are only 10 rounds,
one round key is applied before the start of round 1. So, in general total no. of round keys would
be number of rounds + 1.

2 Round Function of AES

All round functions have to be invertible as if they are invertible, then only decryption will be
possible. Also, we can say that for AES 128, f1 to f9 will be same and f10 will be different. For
AES-192, f1 to f11 will be same and f12 will be different. For AES-256, f1 to f13 will be same and
f14 will be different. Here, the last round function is different to identify the end point.

3 Round Function of AES-128

Here, f1 = f2 = ... = f9

1
 Here, to compute all the round functions except the last one we will follow the following 3 steps:

(i) Sub Bytes

(ii) Shift Rows

(iii) Mix Columns

All three operations will work as:

{0, 1}128 → {0, 1}128

To compute the last round function we will follow the following 2 steps:

(i) Sub Bytes

(ii) Shift Rows

f1
128 bits 128 bits

Subbytes Shift Rows Mix Columns

128 bits 128 bits 128 bits
128 bits

Subbytes Shift Rows

128 bits 128 bits
128 bits

4 Subbytes
Subbytes : {0, 1}128 → {0, 1}128

X = x0 x1 x2 x3 ...x15
where X will be of 128 bits and size of each xi will be 8 bits and so, we can construct a 4x4 matrix
where each element is of 8 bits.
   
x0 x4 x8 x12 s00 s01 s02 s03
x1 x5 x9 x13  s10 s11 s12 s13 
x2 x6 x10 x14  −→ (sij )4×4
   
s20 s21 s22 s23 
x3 x7 x11 x15 s30 s31 s32 s33

S : {0, 1}8 → {0, 1}8

The property states that S(0) = 0. The following steps should be followed to obtain subbytes
of a given text:

2
 (i) (C7 C6 C5 C4 C3 C2 C1 C0 ) = (01100011) (in binary) = 63 (in hexadecimal)

(ii) S(sij ) = (a7 a6 a5 a4 a3 a2 a1 a0 )

(iii) For i=0 to i=7

bi = (ai + a(i4 )%8 + a(i+5)%8 + a(i+6)%8 + a(i+7)%8 + Ci ) mod 2
We can observe that they are calculated in circular fashion.Also, here + under mod 2 will
represent XOR operation
′
(iv) Output: Sij = (b7 b6 b5 b4 b3 b2 b1 b0 )

After applying all the operations, we can get the subbytes of every elements as represented in
following matrix:
 ′
s′ 01 s′ 02 s′ 03
  
s00 s01 s02 s03 s 00
s10 s11 s12 s13  s′ 10 s′ 11 s′ 12 s′ 13
−→ s′ 20 (s′ ij)4 × 4
s′ 21 s′ 22 s′ 23
   
s20 s21 s22 s23 
s30 s31 s32 s33 s′ 30 s′ 31 s′ 32 s′ 33
Here, as S(0) = 0, we can say that all ai s are 0 and so, we can say that value of each bi will
correspond to that Ci and so, b = C = (01100011) = 63 and so we can say that subbyte(0) =
(01100011) = 63.

Now, Substitution box S can be defined as:

{0, 1}8 → {0, 1}8

S(X) = Y
where
X = (a7 a6 a5 a4 a3 a2 a1 a0 )
where, a7 is the most significant bit(MSB) whereas a0 is the least significant bit(LSB).

P (x) = a0 + a1 .x + a2 .x2 + a3 .x3 + ... + a7 .x7

So, we can see that the degree of P(x) will be atmost 7. All this polynomials will represent a
field which can be denoted as
F2 [x]|(X 8 + x4 + x3 + x + 1)
where + will be addition under (X 8 + x4 + x3 + x + 1) and * will be multipication under (X 8 +
x4 + x3 + x + 1). Also, by the property of field we can say that multiplicative inverse will exist for
all the values of polynomial except its additive inverse i.e. 0.

Now, we will try to find multiplicative inverse of P(x) under modulo x8 + x4 + x3 + x + 1

P (x).q(x) = 1(mod(x8 + x4 + x3 + x + 1))

Here, it is written as 1 should be the remainder for multiplicative inverse. According to the
field defination, we can also say that every non zero polynomial of this form will have multiplicative
inverse.

P (x).q(x) = 1 + h(x).(x8 + x4 + x3 + x + 1)

3
 1 = P (x).q(x) + h1 (x).(x8 + x4 + x3 + x + 1)
where h1 (x) = −h(x)
Here, we can say that (p(x).q(x) - 1) must divide (x8 + x4 + x3 + x + 1). Also, we can say that

gcd(p(x), (x8 + x4 + x3 + x + 1)) = 1

Using this property, we need to find q(x) and h1 (x) using extended euclidean algorithm where
q(x) will be the multiplicative inverse of p(x).

S(01010011) →
01010011 → x6 + x4 + x + 1
g(x) = x8 + x4 + x3 + x + 1
p(x).q(x) ≡ 1(modg(x))
x + x + x + x + 1 = (x6 + x4 + x + 1)(x2 + 1) + (x2 )
8 4 3

x6 + x4 + x + 1 = (x2 )(x4 + x2 ) + (x + 1)
x2 = (x + 1)(x + 1) + (1)

1 = (x2 ) + (x + 1)(x + 1)
1 = x2 + [(x6 + x4 + x + 1) + (x2 )(x4 + x2 )](x + 1)
1 = (x6 + x4 + x + 1)(x + 1) + (1 + (x4 + x2 )(x + 1))(x2 )
1 = (x + 1)(x6 + x4 + x + 1) + (1 + x2 + x3 + x4 + x5 )[(x8 + x4 + x3 + x + 1) + (x6 + x4 + x + 1)(x2 + 1)]
1 = (1+x2 +x3 +x4 +x5 )(x8 +x4 +x3 +x+1)+[x+1+(x2 +1)(1+x2 +x3 +x4 +x5 )](x6 +x4 +x+1)
1 = (1 + x2 + x3 + x4 + x5 ).g(x) + (x7 + x6 + x3 + x).p(x)
So,
q(x) = (x7 + x6 + x3 + x)
h(x) = (1 + x2 + x3 + x4 + x5 )
So, (x7 + x6 + x3 + x) is the inverse of (x6 + x4 + x + 1) under modulo x8 + x4 + x3 + x + 1.

S(01010011) = (11001010) = (a7 a6 a5 a4 a3 a2 a1 a0 )

b0 = (a0 + a4 + a5 + a6 + a7 + C0 ) mod 2 = (0 + 0 + 0 + 1 + 1 + 1) mod 2 = 1

Similarly,

(b7 b6 b5 b4 b3 b2 b1 b0 ) = (11101101) in binary = ED (in hexadecimal)

So,
Subbytes(01010011) = Subbytes(53) = 11101101(in binary) = ED(in hexadecimal)
So, we can say that it can also be calculated from a 16 x 16 table which is used to directly
compute the value without doing this tedious computations. So, the row number of the table could
be found from the 4 most significant bits(MSBs) and column no. could be found from the 4 least
significant bits(LSBs). So, in the above example the answer for 01010011 could be found from the
table at row no. 5 and column no. 3. The table is as follows:

4
5 Shift Rows
Shif tRows : {0, 1}128 → {0, 1}128
The shift rows operation can be stated as left circular shift of each row of subbytes matrix i
times where i represents the row numbers.
   
s00 s01 s02 s03 s00 s01 s02 s03
s10 s11 s12 s13  s11 s12 s13 s10 
s20 s21 s22 s23  −→ s22
   
s23 s20 s21 
s30 s31 s32 s33 s33 s30 s31 s32
Here, we can see that it is constant time operation.

6 Mix Columns
The mix columns operation can be stated as:
M ixcolumns : {0, 1}128 → {0, 1}128

 
s00 s01 s02 s03
s10 s11 s12 s13 
s′ij (4 × 4)



s20
 −→
s21 s22 s23 
s30 s31 s32 s33
Here, we can represent
′
s00 = [x.s00 + (x + 1).s10 + 1.s20 + 1.s30 ] mod (x8 + x4 + x3 + x + 1)
So, we can say we will multiply x,x+1,1 and 1 in circular fasion to the elements of column j
starting from the element in ith row in order to perform mix columns operation on column j and
′
to calculate sij

5
 Now, for all columns c ∈ 0,1,2,3

For i=0 to 3
ti = binarytopoly(si,c )
u0 = (x.t0 + (x + 1).t1 + t2 + 1.t3 ) mod (x8 + x4 + x3 + x + 1)
u1 = (x.t1 + (x + 1).t2 + t3 + t0 ) mod (x8 + x4 + x3 + x + 1)
u2 = (x.t2 + (x + 1).t3 + t0 + t1 ) mod (x8 + x4 + x3 + x + 1)
u3 = (x.t3 + (x + 1).t0 + t1 + t2 ) mod (x8 + x4 + x3 + x + 1)

For i=0 to 3
′
si,c = polynomialtobinary(ui )

So, we can say create a mix column matrix as follows:

  
x x+1 1 1 s00 s01 s02 s03
 1 x x+1 1  s11 s12 s13 s10 
s′  mod (x8 + x4 + x3 + x + 1)
 
= 
 1 1 x x + 1 s22 s23 s20 s21 
x+1 1 1 x s33 s30 s31 s32
We can also represent x as 2 and x+1 as 3 and 1 as 1 and so, the matrix can also be represented
as:
  
2 3 1 1 s00 s01 s02 s03
1 2 3 1 s11 s12 s13 s10 
s′ = 
1
  mod (x8 + x4 + x3 + x + 1)
1 2 3 s22 s23 s20 s21 
3 1 1 2 s33 s30 s31 s32

6.1 Example of Mix columns

Here, we are given that s00 = 95, s10 = 65,s20 = FD and s30 = F3 in hexadecimal format.

s00 = 95 = 10010101 = x7 + x4 + x2 + 1
s10 = 65 = 01100101 = x6 + x5 + x2 + 1
s20 = F D = 11111101 = x7 + x6 + x5 + x4 + x3 + x2 + 1
s30 = F 3 = 11110011 = x7 + x6 + x5 + x4 + x + 1
So, s′00 = x.s00 + (x + 1).s10 + s20 + 1.s30 mod (x8 + x4 + x2 + x + 1)
x.s00 = x.(x7 + x4 + x2 + 1) = (x8 + x5 + x3 + x) = (x4 + x3 + x + 1) + x5 + x3 + x = x5 + x4 + 1
(x + 1).s10 = (x + 1).(x6 + x5 + x2 + 1) = x7 + x6 + x3 + x + x6 + x5 + x2 + 1 = x7 + x5 + x3 + x2 + x + 1
1.s20 = 1.(x7 + x6 + x5 + x4 + x3 + x2 + 1) = x7 + x6 + x5 + x4 + x3 + x2 + 1
1.s30 = 1.(x7 + x6 + x5 + x4 + x + 1) = x7 + x6 + x5 + x4 + x + 1
So, after adding the above four terms under modulo 2 operation we get:
′
s00 = x7 + x4
′
s00 = 10010000 = 90
′ ′
Similarly, by following this steps we can get all the terms of the column which are s10 ,s20 and
′
s30 .

6
7 Key Scheduling algorithm for AES-128 bit
We need to use the key K of 128 bit to generate 11 round keys (k1 , k2 , ..., k11 ) each of which is of
length 128 bits.

So, the key K can be represented as K = (Key[0] Key[1] Key[2] ... Key[15]) where length of
each Key[i] = 8bits.So, we are just breaking the key K into 16 groups of 8 bits each.

The steps followed to generate the round keys are as follows:

(i) ROT W ORD(B0 , B1 , B2 , B3 ) = (B1 , B2 B3 B0 ) where length of each Bi is 8 bits and it is

obtained by performing left circular shift on the original word. The ROTWORD function
takes in input of 32 bits, divides it into 4 blocks of 8 bits each and performs the above
operation to produce a 32 bit output.
′ ′ ′ ′ ′
(ii) SU BW ORD(B0 , B1 , B2 , B3 ) = (B0 , B1 B2 B3 ) where Bi = subbytes(Bi ).It also takes an input
of 32 bits, divides it into 4 blocks of 8 bits each and performs the above operation to produce
a 32 bit output.
The process for obtaining the round keys is as follows:
Firstly we will set 10 constants which are predefined for AES:
RCon[1] = 01000000
RCon[2] = 02000000
RCon[3] = 04000000
RCon[4] = 08000000
RCon[5] = 10000000
RCon[6] = 20000000
RCon[7] = 40000000
RCon[8] = 80000000
RCon[9] = 1B000000
RCon[10] = 36000000

For i=0 to 3
w[i] = (Key[4.i] + Key[4.i+1] + Key[4.i+2] + Key[4.i+3])

For i=4 to 43
temp = w[i-1]
if i=0(mod 4) L
then temp = L SUBWORD(ROTWORD(temp)) RCon[i/4]
w[i] = w[i-4] temp

Return (w[0],w[1],...,w[43])

Here, We will basically have a Key K of 128 bits which will be divided into 16 blocks of 8 bits
each which are represented by key[i] and the w[i] which we generate are of 32 bits each.Also,
in above function we can see that we are creating in total 44 w[i]s and each is of 32 bits so,

7
 in total we can create 11 round keys each of 128 bits from them as (44 x 32)bits = (4 x 11 x
32)bits = (11 x 128) bits

So, we will now obtain all the round keys which can be stated as follows:

K1 = w[0]||w[1]||w[2]||w[3]
K2 = w[4]||w[5]||w[6]||w[7]
.
.
.
K11 = w[40]||w[41]||w[42]||w[43]
where || represents concatenation.

8 Decryption of AES
We can say that the whole process of AES is decyptable as all the functions
L we have performed are
invertible. So, we will start
L from the last step where we perform C 10 K 11 to get C and it can be
inverted to get C10 as C K11 .

We can also see that shift row is also invertible where we can perform right circular shift instead
of left circular shift.

Also, subbytes is invertible as we can locate element in table/matrix and then we can easily get
row number and column number of that element.

Also, the mix column operation can be easily calculated as the matrix is invertible under mod
(x8 + x4 + x2 + x + 1).

Using all this inverses of all the functions we can XOR it with round keys and can get the
original text easily.

9 Modes of Operation
There are many modes of operations such as ECB(Elementary mode of operation), CBC(most used
and a very important mode of operation), CFB, OFB, IGE, and many more...

It is a way of encryption/implementing block cipher in case of very large messages.

8
10 ECB(Electronic Code Book)
Input: Key K, n-bit plaintext

(i) Encryption : Enc(xi , Ki ) = Ci where 1 ≤ i ≤ t

(ii) Decryption : Dec(Ci , Ki ) = xi where 1 ≤ i ≤ t

x c

11 Cipher Block Chaining(CBC)

Input: key K , n-bit plain text which is written as x1 , x2 , ..., xt
We also define a public parameter initial permutation abbreviated as iv.

(i) Encryption : C0L = iv

Cj = Enc(Cj−1 xj , K) where 1 ≤ j ≤ t
C = C0 , C1 , ..., Ct

x1 x2 x3
iv

K K Enc K Enc
Enc

C1 C2 C3

(ii) Decryption : C0 L
= iv
xj = Dec(cj , K) Cj−1 where 1 ≤ j ≤ t
C2 C3
C1
K K
K
Dec Dec
Dec

iv —

x2 x3
x1

12 Stream Cipher
We have earlier discussed various types of block ciphers such as AES,DES and various modes of
operations. So, now we will move forward to discuss stream ciphers.

9
 Stream cipher is such a cipher which performs the encryption of the message bitwise.So, firstly
we will take the message(plain text) as follows:

M = M0 ...Mt ; Mi ∈ {0, 1}
The encryption would be done as:

Enc(M, k) = e(M0 , z0 )e(M1 , z1 )...e(Ml , zl )

Let us take a key as
KeyK = K0 K1...kt
Ciphertext C would be defined as
M M M M
C=M K = (m0 K0 )(m1 K1 )...(mt Kt

M
Encryption : Ci = mi Ki
M M
Decryption : M = C K or mi = Ci Ki
We can say that it is the most efficient algorithm when certain conditions are applied which we
will see in further discussions. We can say that an algorithm is perfectly secure if we do not receive
any information about plaintext from the ciphertext.This is Shannon’s notion of perfect secrecy.

Pr (M = M1 |C = Ch1 ) = Pr [M = M1 ]
We can see that there is no effect of knowing ciphertext in predicting the plaintext that is no
extra advantage of given C = Ch1.

Pr [M = 0] = p
Pr [M = 1] = 1 − p
Pr [K = 0] = 1/2
Pr [K = 1] = 1/2
M
C = Enc(M, K) = M K
C ∈ {0, 1}
Pr [c = 0] = Pr [{m = 0, k = 0} ∪ {m = 1, k = 1}]
= Pr [{m = 0, k = 0}] + Pr [{m = 1, k = 1}]
= (Pr [m = 0] × Pr [k = 0]) + (Pr [m = 1] × Pr [k = 1])
= (p × 1/2) + ((1 − p) × 1/2)
= 1/2
Here,the key K is randomly generated.

So, we can say that

Pr [c = 0] = 1/2

10
 Pr [c = 1] = 1/2
C = Ch1 |M = M1
M
Ch1 = M1 K
M
K = Ch1 M1
Pr [M = M1 |C = Ch1 ]
= Pr [M = M1 , C = Ch1 ]/Pr [C = Ch1 ]
= (Pr [C = Ch1 |M = M1 ]) × Pr [M = M1 ])/(1/2)
M
= (Pr [K = Ch1 M1 ] × Pr [M = M1 ])/(1/2)
= (1/2) × Pr [M = M1 ])/(1/2)
= Pr [M = M1 ]
Hence, we can conclude that this is a perfectly secure algorithm as we have proved the above
statement. For this algorithm to provide perfect secracy following two conditions must be satisfied:

1. We should not reuse the key as if we reuse the key it becomes relatively easier for someone
to guess the message which can be seen as belows:
M
C=M K
M
C 1 = M1 K
M
C 2 = M2 K
M M M M M
C1 C2 = (M1 K) (M2 K) = M1 M2

So, we can see that the significance of K has gone and we are only left with XOR value of the
two messages.

L
If C1 C2 = 0, then we get to know that M1 = M2 .So, it reveals a major information and
so, we can say that the key must be randomly generated and should not be same in order to
maintain perfect secracy of this algorithm.

2. The length of the key should not be less than the length of the plaintext as if it is less then
the key starts to repeat itself from starting and the effect can be seen as below:

K = k0 k1 ...kl

M = m0 m1 ...mn
where n > l and we define r = n-l

K1 = K||k0 ||...||kr−1

Now, this K1 will be used for the encryption process:

M
C=M K1

11
 C1 = C0 ...Cl Cl+1 ...Cn
So, we can say that the if we select C0 and Cl+1 from the ciphertext C1 and perform XOR
we get as follows:
M M M M M
C0 Cl+1 = m0 k0 ml+1 k0 = m0 ml+1

So, we can see that the significance of the key decreases and we can directly get XOR values
of this 2 bits and so, it is not effective. So, we need to ensure that the length of the key is
not less than that of the plaintext.

So, to summarize we can say that we cannot use the same key to encrypt 2 different messages
and we can also not use a key which is of smaller length as compared to plaintext.

So, if we ensure that this two conditions are met, we say that the cipher is OTP(One Time
Padding).

12