Lab Number 8

Date: 29/12/2024

Network Security and Cryptography

Advanced Encryption Standard (AES)

The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found at least
six time faster than triple DES.
A replacement for DES was needed as its key size was too small. With increasing
computing power, it was considered vulnerable against exhaustive key search attack.
Triple DES was designed to overcome this drawback but it was found slow.
The features of AES are as follows −

 Symmetric key symmetric block cipher

 128-bit data, 128/192/256-bit keys
 Stronger and faster than Triple-DES
 Provide full specification and design details
 Software implementable in C and Java
How Does AES Encryption Work?

AES encryption is known for speed and security.

Speed comes from the fact that AES is a symmetric-key cipher and requires less
computational power as compared to an asymmetric one.

Security is the direct result of a sophisticated block cipher algorithm. Data is encrypted on
a per-block basis, which is measured in bits. For instance, 128 bits of plain text will
produce 128 bits of cipher text.

The cipher involves substitution and permutation, meaning replacing inputs with specific
outputs and then shuffling those outputs, aka rounds. These rounds make up the
difference between the various key lengths. AES uses 10 rounds for 128-bit keys, 12
rounds for 192-bit keys and 14 rounds for 256-bit keys.

Key Expansion is carried out before each round. The initial key is used to derive a series
of ‘new round keys’ to ensure the same keys are not used in each round.

Each round of AES involves:

 Byte Substitution
 Shift Rows
 Mix Column
 Add Round Key
Operation of AES
AES is an iterative rather than Feistel cipher. It is based on ‘substitution–permutation
network’. It comprises of a series of linked operations, some of which involve replacing
inputs by specific outputs (substitutions) and others involve shuffling bits around
(permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES
treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four
columns and four rows for processing as a matrix −
Unlike DES, the number of rounds in AES is variable and depends on the length of the
key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for
256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated
from the original AES key.
The schematic of AES structure is given in the following illustration −

Encryption Process
Here, we restrict to description of a typical round of AES encryption. Each round comprise
of four sub-processes. The first round process is depicted below −
The input to the encryption and decryption algorithms is a single 128-bit block.
In FIPS PUB 197, this block is depicted as a 4 * 4 square matrix of bytes. This block
is copied into the State array, which is modified at each stage of encryption or decryp-
tion. After the final stage, State is copied to an output matrix. Similarly, the key is depicted
as a square matrix of bytes. This key is then expanded into an array of key schedule
words. Each word is four bytes, and the total key schedule is 44 words for the 128-
bit key. Note that the ordering of bytes within a matrix is by col-
umn. So, for example, the first four bytes of a 128-bit plaintext input to the encryption
cipher occupy the first column of the in matrix, the second four bytes occupy the
second column, and so on. Similarly, the first four bytes of the expanded key, which
form a word, occupy the first column of the w matrix.
The cipher consists of N rounds, where the number of rounds depends on the
key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a
32-byte key. The first N - 1 rounds consist of four distinct trans-
formation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are
described subsequently. The final round contains only three transformations, and there is
a initial single transformation (AddRoundKey) before the first round,
which can be considered Round 0. Each transformation takes one or more 4 * 4
matrices as input and produces a 4 * 4 matrix as output. Figure 5.1 shows that the
output of each round is a 4 * 4 matrix, with the output of the final round being the
ciphertext. Also, the key expansion function generates N + 1 round keys, each of
which is a distinct 4 * 4 matrix. Each round key serve as one of the inputs to the
AddRoundKey transformation in each round.
Detailed Structure
Figure 5.3 shows the AES cipher in more detail, indicating the sequence of transfor-
mations in each round and showing the corresponding decryption function. As was
done in Chapter 3, we show encryption proceeding down the page and decryption
proceeding up the page.
Before delving into details, we can make several comments about the overall AES
structure.

1. One noteworthy feature of this structure is that it is not a Feistel

structure. Recall that, in the classic Feistel structure, half of the data block is used to
modify the other half of the data block and then the halves are swapped. AES instead
processes the entire data block as a single matrix during each round using
substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-
four 32-
bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round;
these are indicated in Figure 5.3.
3. Four different stages are used, one of permutation and three of substit
ution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of
the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over GF(28)
• AddRoundKey: A simple bitwise XOR of the current block with a portion of
the expanded key
4. The structure is quite simple. For both encryption and decryption, the
cipher begins with an AddRoundKey stage, followed by nine rounds that each includes
all four stages, followed by a tenth round of three stages. Figure 5.4 depicts the
structure of a full encryption round.
5. Only the AddRoundKey stage makes use of the key. For this reason, t
he cipher begins and ends with an AddRoundKey stage. Any other stage, applied at th
e beginning or end, is reversible without knowledge of the key and so would add no se
curity.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and
by itself would not be formidable. The other three stages together provide
confusion, diffusion, and nonlinearity, but by themselves would provide no security be
cause they do not use the key.We can view the cipher as alternating operations of XOR

encryption (AddRoundKey) of a block, followed by scrambling of the block (the

other three stages), followed by XOR encryption, and so on. This scheme is both
efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte,
ShiftRows,
and MixColumns stages, an inverse function is used in the decryption algorithm. For th
e AddRoundKey stage, the inverse is achieved by XORing the same round key to
the block, using the result that A Ⓧ B Ⓧ B = A.
8. As with most block ciphers, the decryption algorithm
makes use of the expanded key in reverse order. However, the decryption
algorithm is not

identical to the encryption algorithm. This is a consequence of the particular structure

of AES.
9. Once it is established that all four stages are reversible, it is
easy to verify that decryption does recover the plaintext. Figure
5.3 lays out encryption and decryption going in opposite vertical directions. At each
horizontal point (e.g., the dashed line in the figure), State is the same for both encryp
tion and decryption.
10. The final round of both encryption and decryption
consists of only three stages. Again, this is a consequence of the particular structure
of AES and is required to make the cipher reversible.

Byte Substitution (SubBytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The
result is in a matrix of four rows and four columns.

Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-
inserted on the right side of row. Shift is carried out as follows −
 First row is not shifted.
 Second row is shifted one (byte) position to the left.
 Third row is shifted two positions to the left.
 Fourth row is shifted three positions to the left.
 The result is a new matrix consisting of the same 16 bytes but shifted with respect
to each other.

MixColumns
Each column of four bytes is now transformed using a special mathematical function. This
function takes as input the four bytes of one column and outputs four completely new
bytes, which replace the original column. The result is another new matrix consisting of
16 new bytes. It should be noted that this step is not performed in the last round.

Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits
of the round key. If this is the last round then the output is the ciphertext. Otherwise, the
resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the
reverse order. Each round consists of the four processes conducted in the reverse order
−

 Add round key

  Mix columns
 Shift rows
 Byte substitution
Since sub-processes in each round are in reverse manner, unlike for a Feistel Cipher, the
encryption and decryption algorithms needs to be separately implemented, although they
are very closely related.

AES Analysis
In present day cryptography, AES is widely adopted and supported in both hardware and
software. Till date, no practical cryptanalytic attacks against AES has been discovered.
Additionally, AES has built-in flexibility of key length, which allows a degree of ‘future-
proofing’ against progress in the ability to perform exhaustive key searches.
However, just as for DES, the AES security is assured only if it is correctly implemented
and good key management is employed.

‘
We now turn to a discussion of each of the four transformations used
in AES. For each stage, we describe the forward (encryption) algorithm, th
e inverse (decryption) algorithm, and the rationale for the stage.
Substitute Bytes Transformation
FORWARD AND INVERSE TRANSFORMATIONS The forward substitute byte transformation,
called Sub Bytes, is a simple table lookup (Figure 5.5a). AES defines a 16 * 16 matrix of byte
values, called an S-box (Table 5.2a), that contains a permutation of all possible 256 8-bit values.
Each individual byte of State is mapped into a new byte in the following
way: The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as
a column value. These row and column values serve as indexes into the S-box to select a unique 8-
bit output value. For example, the hexadecimal value3 {95} references row 9, column 5
of the S-box, which contains the value {2A}. Accordingly, the value {95} is mapped
into the value {2A}.
Here is an example of the SubBytes transformation:

The S-box is constructed in the following fashion

(Figure 5.6a).
1. Initialize the S-box with the byte values in ascending sequence row
by row.
The first row contains {00}, {01}, {02}, ... , {0F}; the second row contains
{10}, {11}, etc.; and so on. Thus, the value of the byte at row y, column x is {yx}.
2. Map each byte in the S-box to its multiplicative inverse in the finite
field GF(28); the value {00} is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6,
b5, b4, b3, b2, b1, b0). Apply the following transformation to each bit of each byte in th
e S-box:

where ci is the ith bit of byte c with the value {63};

that is, (c7c6c5c4c3c2c1c0)
= (01100011). The prime (¿) indicates that the variable is to be updated b
y the value on the right. The AES standard depicts this
transformation in matrix form as follows.

Equation (5.2) has to be interpreted carefully. In ordinary matrix multiplica-

tion,4 each element in the product matrix is the sum of products of the elements of
one row and one column. In this case, each element in the product matrix
is the bitwise XOR of products of elements of one row and one column. Furthermore,
the final addition shown in Equation (5.2) is a bitwise XOR. Recall from Section 4.7
that the bitwise XOR is addition in GF(28).
As an example, consider the input value {95}. The multiplicative inverse in GF(2 8) is
{95} - 1 = {8A}, which is 10001010 in binary. Using Equation (5.2),
The result is {2A}, which should appear in row {09} column {05} of the S-box.
This is verified by checking Table 5.2a.
The inverse substitute byte transformation, called InvSubBytes, makes use of
the inverse S-box shown in Table 5.2b. Note, for
example, that the input {2A} produces the output {95}, and the input {95} to the S-
box produces {2A}. The inverse S-box is constructed (Figure 5.6b) by applying the
inverse of the transfor- mation in Equation (5.1) followed by taking the multiplicativ
e inverse in GF(28).
The inverse transformation is
bi¿ = b(i + 2) mod 8 Ⓧ b(i + 5) mod 8 Ⓧ b(i + 7) mod 8 Ⓧ di
where byte d = {05}, or 00000101. We can depict this transformation as follows.

To see that InvSubBytes is the inverse of SubBytes, label the matrices in SubBytes
and InvSubBytes as X and B, respectively, and the vector versions of con- stants c
and d as C and D, respectively. For some 8-bit vector B, Equation (5.2) becomes
B¿ = XB Ⓧ C. We need to show that Y(XB Ⓧ C) Ⓧ D = B. To multiply out, we
must show YXB Ⓧ YC Ⓧ D = B. This becomes
We have demonstrated that YX equals the identity matrix, and the YC = D, so that
YC Ⓧ D equals the null vector.

RATIONALE The S-box is designed to be resistant to known cryptanalytic attacks.

Specifically, the Rijndael developers sought a design that has a
low correlation between input bits and output bits and the property that the output is
not a linear mathematical function of the input [DAEM01]. The nonlinearity is due
to the use
of the multiplicative inverse. In addition, the constant in Equation (5.1) was chos
en so that the S-box has no fixed points [S-box(a) = a] and no “opposite fixed
points” [S-box(a) = Bar a], where Bar a is the bitwise complement of a.
Of course, the S-box must be invertible, that is, IS-box[S-box(a)] = a.
However, the S-box does not self-inverse in the sense that it is not true that
S-box(a) = IS-box(a). For example, S-box({95}) = {2A}, but IS-box({95}) =
{AD}.

ShiftRows Transformation
FORWARD AND INVERSE TRANSFORMATIONS The forward shift row transformation,
called ShiftRows, is depicted in Figure 5.7a. The first row of State is not altered. For
the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is
performed. The following is an example of ShiftRows.

The inverse shift row transformation, called InvShiftRows, performs the circu- lar
shifts in the opposite direction for each of the last three rows, with a 1-
byte circular right shift for the second row, and so on.
RATIONALE The shift row transformation is more substantial than it may first
appear. This is because the State, as well as the cipher input and output, is treated as
an array of four 4-byte columns. Thus, on encryption, the first 4 bytes of the plaintext
are copied to the first column of State, and so on. Furthermore, as will be seen, the
round key is applied to State column by column. Thus, a row shift moves an
individual byte from one column to another, which is a linear
distance of a multiple of 4 bytes. Also note that the transformation ensures that the 4
bytes of one column are spread out to four different columns. Figure 5.4 illustrates
the effect.

MixColumns Transformation
FORWARD AND INVERSE TRANSFORMATIONS The forward mix column transformation
, called MixColumns, operates on each column individually. Each byte of a column is
mapped into a new value that is a function of all four bytes in that column.
The transformation can be defined by the following matrix
multiplication on State (Figure 5.7b):
Each element in the product matrix is the sum of products of elements of one row and
one column. In this case, the individual additions and multiplications5 are performed
in GF(28). The MixColumns transformation on a single column of State can
be expressed as

Let us verify the first column of this example. Recall from Section 4.7 that, in
GF(28), addition is the bitwise XOR operation and that multiplication can be per-
formed according to the rule established in Equation (4.14). In particular, multipli-
cation of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift followed
by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original
value (prior to the shift) is 1. Thus, to verify the MixColumns transformation on the
first column, we need to show that
The other equations can be similarly verified.
The inverse mix column transformation, called InvMixColumns, is defined by the
following matrix multiplication:

It is not immediately clear that Equation (5.5) is the inverse of Equation (5.3).
We need to show
That is, the inverse transformation matrix times the forward transformation matrix
equals the identity matrix. To verify the first column of Equation (5.6), we need to
show

For the first equation, we have {0E} . {02} = 00011100 and {09} . {03}
= {09} Ⓧ ({09} # {02}) = 00001001 Ⓧ 00010010 = 00011011. Then

The other equations can be similarly verified.

The AES document describes another way of characterizing the MixColumns transfo
rmation, which is in terms of polynomial
arithmetic. In the standard, MixColumns is defined by considering each column of S
tate to be a four-term poly- nomial with coefficients in GF(28). Each column is
multiplied modulo (x4 + 1) by the fixed polynomial a(x), given by
a(x) = {03}x3 + {01}x2 + {01}x + {02} (5.7)
Appendix 5A demonstrates that multiplication of each column of State by a(x) can
be written as the matrix multiplication of Equation (5.3). Similarly, it can be seen that
the transformation in Equation (5.5) corresponds to treating each column as a four-
term polynomial and multiplying each column by b(x), given by
b(x) = {0B}x3 + {0D}x2 + {09}x + {0E} (5.8)
It readily can be shown that b(x) = a - 1(x) mod (x4 + 1).
RATIONALE The coefficients of the matrix in Equation (5.3) are based on a
linear code with maximal distance between code words, which
ensures a good mixing among the bytes of each column. The mix column transforma
tion combined with the shift row transformation ensures that after a few rounds all
output bits depend on all input bits. See [DAEM99] for a discussion.
In addition, the choice of coefficients in MixColumns, which are all {01}, { 02}, or
{ 03}, was influenced by implementation considerations. As was discussed, multi-
plication by these coefficients involves at most a shift and an XOR. The coefficients
in InvMixColumns are more formidable to implement. However, encryption was
deemed more important than decryption for two reasons:

1. For the CFB and OFB cipher modes (Figures 6.5 and 6.6; described in
Chapter 6), only encryption is used.
2. As with any block cipher, AES can be used to construct a message a
uthentica- tion code (Chapter 12), and for this, only encryption is used.

AddRoundKey Transformation
FORWARD AND INVERSE TRANSFORMATIONS In the forward add round
key transfor- mation, called AddRoundKey, the 128 bits of State are bitwise
XORed with the 128 bits of the round key. As shown in Figure 5.5b, the operation is
viewed as a columnwise operation between the 4 bytes of a State column and one
word of the round key; it can also be viewed as a byte-level
operation. The following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add round
key transformation, because the XOR operation is its own inverse.

RATIONALE The add round key transformation is as simple as possible and affects
every bit of State. The complexity of the round key expansion, plus the complexity
of the other stages of AES, ensure security.
Figure 5.8 is another view of a single round of AES, emphasizing the mecha- nisms
and inputs of each transformation.