The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST)

in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of
applications.

Finite Field Arithmetic

In AES, all operations are performed on 8-bit bytes. In particular, the arithmetic operations of addition, multiplication,
and division are performed over the finite field GF(28). An example of a finite field (one with a finite number of
elements) is the set Zp consisting of all the integers {0, 1, ..., p - 1}, where p is a prime number and in which arithmetic
is carried out modulo p.
AES uses arithmetic in the finite field GF(28) with the irreducible polynomial m(x) = x8 + x4 + x3 + x + 1. AES operates
on 8-bit bytes. Addition of two bytes is defined as the bitwise XOR operation. Multiplication of two bytes is defined as
multiplication in the finite field GF(28), with the irreducible polynomial m(x) = x8 + x4 + x3 + x + 1.

AES Structure
General Structure
The figure shows the overall structure of the AES encryption process. The cipher takes a plaintext block size of 128
bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-
128, AES-192, or AES-256, depending on the key
length.
The input to the encryption and decryption
algorithms is a single 128-bit block. In FIPS PUB
197, this block is depicted as a 4 * 4 square matrix
of bytes. This block is copied into the State array,
which is modified at each stage of encryption or
decryption. After the final stage, State is copied to
an output matrix. Similarly, the key is depicted as a
square matrix of bytes. This key is then expanded
into an array of key schedule words. Each word is
four bytes, and the total key schedule is 44 words
for the 128-bit key. Note that the ordering of bytes
within a matrix is by column. So, for example, the
first four bytes of a 128-bit plaintext input to the
encryption cipher occupy the first column of the in
matrix, the second four bytes occupy the second
column, and so on. Similarly, the first four bytes of
the expanded key, which form a word, occupy the
first column of the w matrix.
The cipher consists of N rounds, where the number
of rounds depends on the key length: 10 rounds for
a 16-byte key, 12 rounds for a 24-byte key, and 14
rounds for a 32-byte key. The first N - 1 rounds
consist of four distinct transformation functions:
SubBytes, ShiftRows, MixColumns, and
AddRoundKey, which are described subsequently.
The final round contains only three
transformations, and there is a initial single
transformation (AddRoundKey) before the first
round, which can be considered Round 0. Each
transformation takes one or more 4 * 4 matrices as
input and produces a 4 * 4 matrix as output. The output of each round is a 4 * 4 matrix, with the output of the final
round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 *
4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
Detailed Structure
Figure below shows the AES cipher in more detail, indicating the sequence of transformations in each round and
showing the corresponding decryption function. Following are important points to be remembered.
1. One noteworthy feature of this structure
is that it is not a Feistel structure. Recall
that, in the classic Feistel structure, half
of the data block is used to modify the
other half of the data block and then the
halves are swapped. AES instead
processes the entire data block as a single
matrix during each round using
substitutions and permutation.
2. The key that is provided as input is
expanded into an array of forty-four 32-
bit words, w[i]. Four distinct words (128
bits) serve as a round key for each round;
these are indicated.
3. Four different stages are used, one of
permutation and three of substitution:
Substitute bytes: Uses an S-box to
perform a byte-by-byte substitution of
the block.
ShiftRows: Permutation of rows
MixColumns: A substitution that makes
use of arithmetic over GF(28)
AddRoundKey: A simple bitwise XOR
of the current block with a portion of the
expanded key
4. The structure is quite simple. For both
encryption and decryption, the cipher
begins with an AddRoundKey stage,
followed by nine rounds that each includes all four stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an
AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the
key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be formidable. The
other three stages together provide confusion, diffusion, and nonlinearity, but by themselves would provide no
security because they do not use the key. We can view the cipher as alternating operations of XOR encryption
(AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR
encryption, and so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse
function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing
the same round key to the block, using the result that A xor B xor B = A.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order.
However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the
particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the
plaintext. The figure lays out encryption and decryption going in opposite vertical directions. At each
horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of
the particular structure of AES and is required to make the cipher reversible.

AES Transformation Functions

Substitute Bytes Transformation

Forward and Inverse Transformations The forward substitute byte transformation, called SubBytes, is a
simple table lookup. AES defines a 16 * 16 matrix of byte values, called an S-box, that contains a permutation of
all possible 256 8-bit values. Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row
and column values serve as indexes into the S-box to select a unique 8-bit output value. For example, the
hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}. Accordingly,
the value {95} is mapped into the value {2A}. The inverse substitute byte transformation, called InvSubBytes,
makes use of the inverse S-box shown in Table 5.2b. Note, for example, that the input {2A} produces the output
{95}, and the input {95} to the S-box produces {2A}.

Rationale – The S-box is designed to be resistant to known cryptanalytic attacks. Specifically, the Rijndael
developers sought a design that has a low correlation between input bits and output bits and the property that the
output is not a linear mathematical function of the input. The S-box must be invertible, that is, IS-box[S-box(a)] =
a. However, the S-box does not self-inverse in the sense that it is not true that S-box(a) = IS-box(a). For example,
S-box({95}) = {2A}, but IS-box({95}) = {AD}.

ShiftRows Transformation
Forward and Inverse Transformations The forward shift row transformation, called ShiftRows. The first row
of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte
circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The following is an
example of ShiftRows. The inverse shift row transformation, called InvShiftRows, performs the circular shifts
in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so
on.
Rationale The shift row transformation is more substantial than it
may first appear. This is because the State, as well as the cipher
input and output, is treated as an array of four 4-byte columns.
Thus, on encryption, the first 4 bytes of the plaintext are copied to
the first column of State, and so on. Furthermore, as will be seen,
the round key is applied to State column by column. Thus, a row shift moves an individual byte from one column
to another, which is a linear distance of a multiple of 4 bytes. Also note that the transformation ensures that the 4
bytes of one column are spread out to four different columns.

MixColumns Transformation
Forward and Inverse Transformations The forward mix column transformation, called MixColumns, operates
on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes
in that column.
Rationale The coefficients of the matrix are based on a linear code with maximal distance between code words,
which ensures a good mixing among the bytes of each column. The mix column transformation combined with
the shift row transformation ensures that after a few rounds all output bits depend on all input bits.

AddRoundKey Transformation
Forward and Inverse Transformations In the forward add round key transformation, called AddRoundKey,
the 128 bits of State are bitwise XORed with the 128 bits of the round key. The operation is viewed as a column
wise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a
byte-level operation.

Rationale The add round key transformation is as simple as possible and affects every bit of State. The
complexity of the round key expansion, plus the complexity of the other stages of AES, ensure security.
AES Key Expansion
The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words
(176 bytes). This is sufficient to provide a four word round key for the initial AddRoundKey stage and each of the 10
rounds of the cipher. The key is copied into the first four words of the expanded key. The remainder of the expanded
key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i - 1], and
the word four positions back, w[i - 4]. In three out of four cases, a simple XOR is used. For a word whose position in
the w array is a multiple of 4, a more complex function, g is used.
The function g consists of the following subfunctions.
1. RotWord performs a one-byte circular left shift on a
word. This means that an input word [B0, B1, B2, B3]
is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte
of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round
constant, Rcon[j].
The round constant is a word in which the three rightmost
bytes are always 0. Thus, the effect of an XOR of a word
with Rcon is to only perform an XOR on the leftmost byte of
the word. The round constant is different for each round and
is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j]
= 2.RC[j-1] and with multiplication defined over the field
GF(28).

Rationale
The Rijndael developers designed the expansion key
algorithm to be resistant to known cryptanalytic attacks. The
inclusion of a round-dependent round constant eliminates the
symmetry, or similarity, between the ways in which round
keys are generated in different rounds.