3.

THE ADVANCED ENCRYPTION STANDARD

The overall structure of AES can be seen in fig 3.1. The input is a single 128 bit block both for
decryption and encryption and is known as the in matrix. This block is copied into a state array
which is modified at each stage of the algorithm and then copied to an output matrix. Both the
plaintext and key are depicted as a 128 bit square matrix of bytes. The algorithm begins with an
Add round key stage followed by 9 rounds of four stages and a tenth round of three stages. This
applies for both encryption and decryption with the exception that each stage of a round the
decryption algorithm is the inverse of its counterpart in the encryption algorithm.
The four major steps of AES are as follows:
i. Substitute Bytes (Applying Confusion)
ii. Shift Rows (Applying Diffusion, part I)
iii. Mix columns (Applying Diffusion, part II)
iv. Add Round Key

Fig 3.1 AES Encryption and Decryption Block Diagram

4
3.1 Substitute Byte Step

The first layer in each round is the Byte Substitution layer. This step consists of using a 16 × 16
lookup table also called S-box to find a replacement byte for a given byte in the input state array.

In the layer, each state byte Ai is replaced, i.e. substituted, by another byte Bi:
S(Ai)=Bi

Table3.1 AES S-Box

Fig3.2. Substitute Byte Transformation

5
We can consider S-Box as a lookup table. The designers of Rijndael showed how this was done
unlike s-boxes in DES for which no rationale was given. The Matrix that gets operated upon
throughout the encryption is known as state. In substitute round, each byte is mapped into a new
byte in the following way: the leftmost nibble of the byte is used to specify a particular row of the
s-box and the rightmost nibble specifies a column. For example, the byte {95} (curly brackets
represent hex values) selects row 9 column 5 which turns out to contain the value {2A}. This is
then used to update the state matrix. Fig3.3 depicts this idea.

3.2 Shift Rows

The ShiftRows transformation cyclically shifts the second row of the state matrix by three bytes to the right,
the third row by two bytes to the right and the fourth row by one byte to the right. The first row is not
changed by the ShiftRows transformation. The purpose of the ShiftRows transformation is to increase the
diffusion properties of AES. This operation on the state matrix can be represented by:

No Shift

One position left Shift

Two positions left Shift

Three positions left Shift

Fig 3.3 Shift row operation

3.3 Mix columns

The MixColumn step is a linear transformation which mixes each column of the state matrix. Since
every input byte influences four output bytes, the MixColumn operation is the major diffusion
element in AES. The combination of the ShiftRows and MixColumn layer makes it possible that
after only three rounds every byte of the state matrix depends on all 16 plaintext bytes [9]. Now,
each 4-byte column is considered as a vector and multiplied by a fixed 4×4 matrix. The matrix
contains constant entries. Multiplication and addition of the Coefficients is done in GF(28).

6
 02 03 01 01
[ 01 02 03 01 ]X[ ]=[ ]
01 01 02 03
03 01 01 02

S0,0 S0,1 S0,2 S0,3 S’0,0 S’0,1 S’0,2 S’0,3

S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3

S2,0 S2,1 S2,2 S2,3 S’2,0 S’2,1 S’2,2 S’2,3

S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3

Fig3.4. Mix Columns Stage

Now, each 4-byte column is considered as a vector and multiplied by a fixed 4×4 matrix. The
matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(28).
This can be written as:
S’(x) = a(x) ⊗ S(x)
𝑆′0,𝑐 02 03 01 01 𝑆0,𝑐
𝑆′1,𝑐 01 ] 𝑆1,𝑐
=[ 01 02 03
𝑆′2,𝑐 01 01 02 03 𝑆2,𝑐
[𝑆′3,𝑐 ] 03 01 01 02 [𝑆3,𝑐 ]

As a result of this multiplication, the four bytes in a column are replaced by the following:

𝑆′0,𝑐 = ({02} • 𝑆0,𝑐 ) ⊕ ({03} • 𝑆1,𝑐 ) ⊕ 𝑆2,𝑐 ⊕ 𝑆3,𝑐

𝑆 ′1,𝑐 = 𝑆0,𝑐 ⊕ ({02} • 𝑆1,𝑐 ) ⊕ ({03} • 𝑆2,𝑐 ) ⊕ 𝑆3,𝑐

𝑆 ′ 2,𝑐 = 𝑆0,𝑐 ⊕ 𝑆1,𝑐 ⊕ ({02} • 𝑆2,𝑐 ) ⊕ ({03} • 𝑆3,𝑐 )

𝑆′3,𝑐 = ({03} • 𝑆0,𝑐 ) ⊕ 𝑆1,𝑐 ⊕ 𝑆2,𝑐 ⊕ ({02} • 𝑆3,𝑐 )

7
3.4 Add Round Key

The two inputs to the Key Addition layer are the current 16-byte state matrix and a subkey which
also consists of 16 bytes (128 bits). The two inputs are combined through a bitwise XOR operation.
Here, XOR operation is equal to addition in the Galois field GF(2). The subkeys are derived in the
key schedule.

Key Schedule

The key schedule takes the original input key (of length 128, 192 or 256 bit) and derives the
subkeys used in AES. This process is sometimes referred to as key whitening. The number of
subkeys is equal to the number of rounds plus one, due to the key needed for key whitening in the
first key addition layer. Thus, for the key length of 128 bits, the number of rounds is nr = 10, and
there are 11 subkeys, each of 128 bits. The AES with a 192-bit key requires 13 subkeys of length
128 bits, and AES with a 256-bit key has 15 subkeys. The AES subkeys are computed recursively,
i.e., in order to derive subkey ki, subkey ki−1 must be known, etc. The AES key schedule is word-
oriented, where 1 word = 32 bits. Subkeys are stored in a key expansion array W that consists of
words. There are different key schedules for the three different AES key sizes of 128, 192 and 256
bit, which are all fairly similar.

Key Schedule for 128-Bit Key AES

The ll subkeys are stored in a key expansion array with the elements W[0], . . . ,W[43].
The subkeys are computed as depicted in Fig. 4.5. The elements K0, . . . ,K15 denote the bytes of the
original AES key.
The first subkey k0 is the original AES key. i.e., the key is copied into the first four elements of the
key array W. The other array elements are computed as follows.
As can be seen in the figure, the leftmost word of a subkey W[4i], where i = 1, . . . , 10, is computed
as:
W[4i] =W[4(i−1)]+g(W[4i−1]).
The remaining three words of a subkey are computed recursively as:
W[4i+ j ] =W[4i+ j−1]+W[4(i−1)+ j ],
Here g() is a nonlinear function with a four-byte input and output. It includes following 3
processes:

8
 Fig 3.5 AES key expansion
a. Rotate Words (RotWords)
1 byte left circular shift i.e [𝑏0 𝑏1 𝑏2 𝑏3 ] => [𝑏1 𝑏2 𝑏3 𝑏0 ]
b. Substitute Words
Use the S- box table
[𝑆(𝑏1 ) 𝑆(𝑏2 ) 𝑆(𝑏3 ) 𝑆(𝑏0 )]
c. XOR with Round Constant
The result of step 1 and step 2 is XORed with a round constant, RC[i].

9
The round coefficient is an element of the Galois field GF(28), i.e, an 8-bit value. It is only added
to the leftmost byte in the function g(). The round coefficients vary from round to round according
to the following rule:
RC[1] = x0 = (00000001)2
RC[1] = x1 = (00000010)2

. . .

RC[10] = x10 = (00110110)2

The function g() has two purposes. First, it adds nonlinearity to the key schedule. Second, it
removes symmetry in AES. Both properties are necessary to thwart certain block cipher attacks.
The overall encryption stages of AES can be illustrated by following figure:

State

Sub bytes

State

Shift
Rows

State

Mix
Columns

State

Add Round
Key

State

Fig 3.6 AES encryption round.

10