Master of Science in Cybercrimes and Digital Evidences Analysis, PTUK

Applied Cryptography
Advanced Encryption Standards
Algorithm (AES)

Lecture slides by
Dr. Eman Daraghmi

Associate Prof
PTUK
2021
Eman Yaser Daraghmi, Ph.D
1
[email protected]
 Topics To be Covered ….

v AES Origin
v AES Encryption/Decryption
v Key Expansion Algorithm
v AES security

2
Part I : AES Origin

3
 Origins

v clear a replacement for DES was needed

ü have theoretical attacks that can break it
ü have demonstrated exhaustive key search attacks
v can use Triple-DES – but slow with small blocks

4
 Origins

v US NIST issued call for ciphers in 1997

v AES requirements
ü private key symmetric cipher
ü block cipher
ü 128-bit data, 128/192/256-bit keys
ü stronger & faster than Triple-DES

5
 Origins

v 21 Total proposal were submitted

v initial criteria:
ü security – effort to practically cryptanalyze
ü cost – computational
ü algorithm & implementation characteristics
v 15 candidates accepted in Jun 98

6
 Origins

v final criteria
ü general security
ü software & hardware implementation ease
ü implementation attacks
ü flexibility (in en/decrypt, keying, other factors)
v 5 were shortlisted in Aug-99
ü MARS (IBM) - complex, fast, high security margin
ü RC6 (USA) - v. simple, v. fast, low security margin
ü Rijndael (Belgium) - clean, fast, good security margin
ü Serpent (Euro) - slow, clean, v. high security margin
ü Twofish (USA) complex, v. fast, high security margin
v then subject to further analysis & comment 7
 Origins

v Rijndael was selected as the AES in Oct-2000

v issued as FIPS PUB 197 standard in Nov-2001

8
Part II: The AES Cipher

9
 The Rijndael Structure
v designed by Rijmen-Daemen in Belgium
v has 128/192/256 bit keys, 128 bit data
v an iterative rather than feistel cipher
ü operates on entire data block in every round
v data block of 4 columns of 4 bytes is state
v key is expanded to array of words
v has 9/11/13 rounds in which state undergoes:
ü byte substitution
ü shift rows
ü mix columns
ü add round key (XOR state with the round key)
v initial XOR key material & incomplete last round
v with fast XOR & table lookup implementation
v Chosen by the National Institute of Science and
Technology (NIST) as AES 10
AES- Rijndael
Structure

11
Data Units

12
 Advanced Encryption Algorithm (AES)

• The input to the encryption and

decryption algorithms is a single
128-bit block.

• This block is depicted (column by

column) as a square matrix of
bytes, namely State

• The State array will be modified at

each stage of encryption or
decryption.

• After the final stage, State is

copied to an output matrix.

13
 Advanced Encryption Algorithm (AES)
v The 128-bit key is depicted as a square
matrix of bytes. The ordering of bytes
within a matrix is by column.

v The first four bytes of a 128-bit plaintext

input to the encryption cipher occupy
the first column of the in matrix, the
second four bytes occupy the second
column, and so on.

v The first four bytes of the key, which

form a word, occupy the first column of
the w matrix.

v This key is then expanded into an array

of key schedule words ( each word is
four bytes and the total key schedule is
44 words for the 128-bit key)

14
 AES in Details: THE FOUR STEPS IN EACH
ROUND OF PROCESSING
v Four different stages are
used:
ü Substitute bytes: Uses an S-box
to perform a byte-by-byte
substitution of the block
ü ShiftRows: A simple
permutation
ü MixColumns: A substitution
that makes use of GF(2^8)
ü AddRoundKey: A simple XOR of
the current block with a portion
of the expanded key (with the
round key)
v Note: The different steps that
are carried out in each round
except the last one.
15
 Stage 1: Byte Substitution Transformation
v STEP 1:
ü SubBytes for byte-by-byte substitution during the forward
process (Encryption)
ü InvSubBytes for byte-by-byte substitution during the
inverse transformation (Decryption)
• This step consists of using a 16 × 16 lookup table, called S-box
to find a replacement byte for a given byte in the input state
array.

16
 Stage 1: Byte Substitution Transformation
v Each individual byte of State is mapped into a new byte in the
following way:
ü The leftmost 4 bits of the byte are used as a row value and the rightmost
4 bits are used as a column value.
v These row and column values serve as indexes into the S-box to
select a unique 8-bit output value.

17
 Stage 1: Byte Substitution Transformation
v Here is an example of the SubBytes transformation:
ü For example, the hexadecimal value {0C} is referenced to row 0, column C
of the S-box, which contains the value {FE}.

18
 Implementation of Byte Substitution

• The SubBytes transformation

repeats a routine, called subyte, 16
times.
• The InvSubBytes repeats a routine
called invsubbyte.
• Each iteration transforms one byte.
• AES defines the transformation
algebraically using the GF(2^8)
field with the irreducible
polynomials:
(x8 + x4 + x3+ x + 1)
• S-box was defined by:
• the multiplicative inverse in GF(2^8)
• Matrix multplication
• Xoring
19
 Transformation Using the GF(2^8 ) Field
- A finite field or Galois field is
a set that contains a finite number
of elements.

- GF(2) contains only 2 elements 0,1

- GF(2^3) has 8 elements 0,1,2,3,….7
- GF(28) = GF(256) is {0,1,2,3,4,5, …. 255}

- The operations: multiplication,

addition, subtraction and division
are defined in GF.
- The elements of the GF(2^8) field is
generated with the irreducible
polynomials:
(x8 + x4 + x3+ x + 1)
20
 Polynomial and Binary Representation
• A binary can be presented as a Polynomial and a
polynomial can be presented as a binary as well
As our calculation is based on GF(2^8) = {0, …, 255} =
{00000000, ….,11111111}, a polynomial of 7 degrees is used
for representation (max power is 7)
𝑎𝑥 # + 𝑎𝑥 % + 𝑎𝑥 & + 𝑎𝑥 ' +𝑎𝑥 ( +𝑎𝑥 ) + 𝑎𝑥 * +𝑎𝑥 +
Example: Convert 1100 0111 to polynomial

1 1 0 0 0 1 1 1

X^7 X^6 X^5 X^4 X^3 X^2 X^1 X^0

X^7 X^6 0 0 0 X^2 X^1 1

x^7 + x^6 + x^2 + x +1

21
 Polynomial and Binary Representation
• A binary can be presented as a Polynomial and a
polynomial can be presented as a binary as well
As our calculation is based on GF(2^8) = {0, …, 255} =
{00000000, ….,11111111}, a polynomial of 7 degrees is used
for representation (max power is 7)
𝑎𝑥 # + 𝑎𝑥 % + 𝑎𝑥 & + 𝑎𝑥 ' +𝑎𝑥 ( +𝑎𝑥 ) + 𝑎𝑥 * +𝑎𝑥 +
Example: Convert 1100 0111 to polynomial

1 1 0 0 0 1 1 1

X^7 X^6 X^5 X^4 X^3 X^2 X^1 X^0

X^7 X^6 0 0 0 X^2 X^1 1

x^7 + x^6 + x^2 + x +1

22
 Polynomial and Binary Representation

• Example:

• Convert the following binary into polynomial

• 1011 0011

1 0 1 1 0 0 1 1

X^7 X^6 X^5 X^4 X^3 X^2 X^1 X^0

X^7 0 X^5 X^4 0 0 X^1 1

x^7 + x^5 + x^4 + x +1

23
 Polynomial and Binary Representation
• Example:

• Convert the following polynomial into binary

X^6 + x^4 + x^1 + 1

X^6 X^4 X^1 X^0

0 1 0 1 0 0 1 1

0101 0011

24
 Addition and Multiplication in GF(2^8)

2(87) 2(87) = x(x^7+ x^2 +x+1) =

x^8+ x^3 +x^2+x =
01000 0111 x^4 + x^3 +x + 1+ x^3 +x^2+x =
10 *
x^4 + x^3 +x + 1+ x^3 +x^2+x =
----------------
000000000
Xor
100001110 If the result has x^8 it will
---------------- substituted with x^8+ x^4 +x^3+ x
100001110 +1 à x^8 = x^4 +x^3+ x +1
100011011
----------------
000010101
(15 in decimal)

If results consist of bits >8 then xor the result with the
binary representation of the irreducible polynomial
x8 + x4 + x3+ x + 1 = 1 0001 1011 25
 Implementation of Byte Substitution

Let us show how the byte 0C is transformed to FE by subbyte

routine

26
Implementation of Byte Substitution

27
 Multiplicative Inverse in GF(2^8) via
Euclidian Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that
(0C X = 1)
q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + X^3 + x^2 X^2+x+1 0 1 X^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x x 1 0 X^6 + x^5 + x^4 + X^7+x^5+x^4 0

x^3 + x +1

**** 1 0 *** X^7+x^5+x^4 0 ***

28
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^8 + x^4 + X^3 + x^2 0 1

x^3 +x +1

29
30
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + X^3 + x^2 X^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

31
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + X^3 + x^2 X^2+x+1 0 1 X^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

X^3 + x^2 X^2+x+1 1 X^5+x^4+x^3+x^

2+1

32
33
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

34
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X^2+x+1 x X^5+x^4+x^3+x^ X^6 + x^5 + x^4 +

2+1 x^3 + x +1

35
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

36
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x 1 X^6 + x^5 + x^4 + X^7+x^5+x^4

x^3 + x +1

37
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x x 1 0 X^6 + x^5 + x^4 + X^7+x^5+x^4 X^7+x^6+x^3+x+1

x^3 + x +1

38
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x x 1 0 X^6 + x^5 + x^4 + X^7+x^5+x^4 0

x^3 + x +1

1 0 X^7+x^5+x^4 0

39
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x x 1 0 X^6 + x^5 + x^4 + X^7+x^5+x^4 0

x^3 + x +1

**** 1 0 *** X^7+x^5+x^4 0 ***

40
 Multiplicative Inverse in GF(2^8) via Euclidian
Algorithm
- Multiplicative Inverse means find a number in GF(2^8) such that (0C X = 1)

q r1 r2 r t1 t2 t=t1-(q*t2)

x^5+x^4+x^3+ x^8 + x^4 + x^3 + x^2 x^2+x+1 0 1 x^5+x^4+x^3+x^2

x^2+1 x^3 +x +1 +1

x X^3 + x^2 x^2+x+1 x 1 x^5+x^4+x^3+x^ x^6 + x^5 + x^4 +

2+1 x^3 + x +1

X+1 X^2+x+1 x 1 X^5+x^4+x^3+x^ X^6 + x^5 + x^4 + X^7+x^5+x^4

2+1 x^3 + x +1

x x 1 0 X^6 + x^5 + x^4 + X^7+x^5+x^4 0

x^3 + x +1

**** 1 0 *** X^7+x^5+x^4 0 ***

41
This is the number we are looking for = 10110000 = B0
Implementation of Byte Substitution

42
 AES Stages – Stage 2: Shift Rows
v STEP 2:
ü ShiftRows for shifting the rows of the state array during
the forward process
ü InvShiftRows for Inverse ShiftRow Transformation

v The goal of this transformation is to scramble the byte

order inside each 128-bit block.

43
 AES Stages – Stage 2: Shift Rows
v This operation on the state array can be represented by

Encryption
Left Shift 44
 AES Stages – Stage 2: Shift Rows
v For decryption, the corresponding step shifts the rows in
exactly the opposite fashion.
v The first row is left unchanged, the second row is shifted
to the right by one byte, the third row to the right by two
bytes, and the last row to the right by three bytes, all
shifts being circular.

Decryption
Right shift

45
AES Stages – Stage 2: Shift Rows

46
 MIX COLUMNS
v STEP 3:
ü called MixColumns for mixing up of the bytes in each column
separately during the forward process
ü InvMixColumns for inverse mix column transformation.
v The goal is here is to further scramble up the 128-bit input block.
v The shift-rows step along with the mix-column step causes strong
avalanche effect.
ü In DES, one bit of plaintext affected roughly 31 bits of ciphertext.
ü In AES, each bit of the plaintext to affect every bit position of the
ciphertext block of 128 bits.

47
AES Stages – THE MIX COLUMNS STEP 3:
MixColumns and InvMixColumns

48
THE MIX COLUMNS

49
Example: MixColumn

50
 InvMixColumns

v The corresponding transformation during

decryption is given by

51
 STEP 4: AddRoundKey
v STEP 4:
ü called AddRoundKey for adding the round key to the
output of the previous step during the forward process
ü InvAddRoundKey for inverse add round key
transformation
v XOR state with 128-bits of the round key
v again processed by column (though effectively a series of
byte operations)

52
 AES-
Decryption

53
THE KEY EXPANSION ALGORITHM

54
THE KEY EXPANSION ALGORITHM

• Each round has its own round key

that is derived from the original
128-bit encryption key.

• One of the four steps of each

round, for both encryption and
decryption, involves XORing of the
round key with the state array.

55
 THE KEY EXPANSION ALGORITHM

• The 128 bits forms the first

initial words w0 … w3 and
initially will be used before
processing the AES algorithm
• The remaining 40 words of the
key schedule are used four
words at a time in each of the
10 rounds.
• In decryption
• we reverse the order of the words in
the key schedule.
• The last four words of the key
schedule are XOR’ed with the 128-bit
ciphertext block before any round-
based processing begins.

56
 THE KEY EXPANSION ALGORITHM

• The four words in a round is defined as wi wi+1 wi+2 wi+3, where

i=(round # *4)
• In the first round i=1, the words will be : w4, w5, w6, w7
• In the fifth round i=5, the words will be: w20,w21 w22 w23
• Now we need to determine, how to obtain the words
wi wi+1 wi+2 wi+3
w5 = w4 ⊗ w1
wi+6 = w5 ⊗ w2
wi+7 = w6 ⊗ wi3

Note that except for the first word in a

new 4-word grouping, each word is an
XOR of the previous word and the
corresponding word in the previous 4-
word grouping

57
 THE KEY EXPANSION ALGORITHM
v The beginning word of each round key is obtained by:
w4 = w0 ⊗ g(w3)
ü G function includes:
- SubWord: Perform a one-byte left circular shift.
– Perform a byte substitution for each byte of the word returned by the
previous step by using the same 16 × 16 lookup table as used in the SubBytes
– XOR the bytes obtained from the previous step with a round constant.
The round constant is a word whose three rightmost bytes are always zero.
Therefore, XOR’ing with the round constant amounts to XOR’ing with just its
leftmost byte.

58
 The constant round key generator
x^8 + x^4+x^3 +x+1 ....
g Round # polynomial binary Decimal Hexadecimal

g^0 1 1 0000 0001 1 1

g^1 2 x 0000 0010 2 2

g^2 3 x^2 0000 0100 4 4

g^3 4 x^3 0000 1000 8 8

g^4 5 x^4 0001 0000 16 10

g^5 6 x^5 0010 0000 32 20

g^6 7 x^6 0100 0000 64 40

g^7 8 x^7 1000 0000 128 80

g^8 = 9 x^4+x^3 +x+1 0001 1011 27 1b

g^9 =g g^8 10 (x^4+x^3 +x+1)x = x^5 +x^4 + x^2 + x 0011 0110 54 36

59
Key Expansion Algorithm Example

60
 Security
AES was designed after DES. Most of the known attacks
on DES were already tested on AES.

• Brute-Force Attack
AES is definitely more secure than DES due to the
larger-size key.

• Differential and Linear Attacks

There are no differential and linear attacks on AES as
yet.

7.61
 Summary

v have considered:
ü the AES selection process

ü the key expansion

62