
Lecture 5 Block Ciphers AES

Uploaded by

safarinyakundi21

LECTURE 5: BLOCK CIPHERS: ADVANCED ENCRYPTION STANDARDS

INTRODUCTION
The Advanced Encryption Standard (AES) was published by the National Institute of Standards
and Technology (NIST) in 2001. AES is a symmetric block cipher that is intended to replace
DES as the approved standard for a wide range of applications.
AES STRUCTURE
The General Structure
Figure 5.1 shows the overall structure of the AES encryption process. The cipher takes a
plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128, 192,
or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the
key length.
The input to the encryption and decryption algorithms is a single 128-bit block. This block is
depicted as a square matrix of bytes. This block is copied into the State array, which is modified
at each stage of encryption or decryption. After the final stage, State is copied to an output
matrix. These operations are depicted in Figure 5.2a. Similarly, the key is depicted as a square
matrix of bytes. This key is then expanded into an array of key schedule words. Figure 5.2b
shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is
44 words for the 128-bit key.
The cipher consists of rounds, where the number of rounds depends on the key length: 10 rounds
for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 5.1). Every
round except the last consists of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently. The final round contains
only three transformations, and there is an initial single transformation (AddRoundKey) before
the first round, which can be considered Round 0.
Detailed Structure
Figure 5.3 shows the AES cipher in more detail, indicating the sequence of transformations in
each round and showing the corresponding decryption function. As was done in Lecture 4, we
show encryption proceeding down the page and decryption proceeding up the page.
Before delving into details, we can make several comments about the overall AES structure.
1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall that, in
the classic Feistel structure, half of the data block is used to modify the other half of the
data block and then the halves are swapped. AES instead processes the entire data block
as a single matrix during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words,
w[i]. Four distinct words (128 bits) serve as a round key for each round; these are
indicated in Figure 5.3.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over
• AddRoundKey: A simple bitwise XOR of the current block with a portion of the
expanded key
4. The structure is quite simple. For both encryption and decryption, the cipher begins with
an AddRoundKey stage, followed by nine rounds that each includes all four stages,
followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins
and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end,
is reversible without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and
nonlinearity, but by themselves would provide no security because they do not use the
key. We can view the cipher as alternating operations of XOR encryption
(AddRoundKey) of a block, followed by scrambling of the block (the other three stages),
followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the
result that.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in
reverse order. However, the decryption algorithm is not identical to the encryption
algorithm. This is a consequence of the particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext.
10. The final round of both encryption and decryption consists of only three stages. Again,
this is a consequence of the particular structure of AES and is required to make the cipher
reversible.
AES TRANSFORMATION FUNCTION
We now turn to a discussion of each of the four transformations used in AES. For each stage, we
describe the forward (encryption) algorithm, the inverse (decryption) algorithm, and the rationale
for the stage.
Substitute Byte Transformation
Forward and Inverse Transformations
The forward substitute byte transformation, called SubBytes, is a simple table lookup (Figure
5.5a). AES defines a matrix of byte values, called an S-box (Table 5.2a), that contains a
permutation of all possible 256 8-bit values. Each individual byte of State is mapped into a new
byte in the following way: The leftmost 4 bits of the byte are used as a row value and the
rightmost 4 bits are used as a column value. These row and column values serve as indexes into
the S-box to select a unique 8-bit output value. For example, the hexadecimal value {95}
references row 9, column 5 of the S-box, which contains the value {2A}. Accordingly, the value
{95} is mapped into the value {2A}.
Class exercise
Transform the following matrix using the given S-box matrix

The Inverse Substitute Byte Transformation


The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box
shown in Table 5.2b. Note, for example, that the input {2A} produces the output {95}, and the
input {95} to the S-box produces {2A}.
Rationale
The S-box is designed to be resistant to known cryptanalytic attacks.
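The row/column lookup and its inverse can be checked in code. The following is an added example, not part of the original lecture: it goes beyond the table lookup by generating the S-box from its FIPS 197 definition (inverse in GF(2^8) followed by an affine step), which the lecture does not cover; all function names and the sample State are constructed for illustration.

```python
# Added example: build the AES S-box from its FIPS 197 definition, then
# index it by high/low nibble exactly as the lecture describes.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result

def gf_inv(a):
    """Multiplicative inverse as a^254; {00} has no inverse and maps to {00}."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

def affine(b):
    """Affine step applied after inversion (bit rotations XORed with {63})."""
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

FLAT = [affine(gf_inv(x)) for x in range(256)]
INV_FLAT = [0] * 256
for plain, substituted in enumerate(FLAT):
    INV_FLAT[substituted] = plain

# 16x16 layout matching the printed tables: TABLE[row][column].
SBOX = [FLAT[16 * r:16 * r + 16] for r in range(16)]
INV_SBOX = [INV_FLAT[16 * r:16 * r + 16] for r in range(16)]

def lookup(table, byte):
    """Leftmost 4 bits select the row, rightmost 4 bits select the column."""
    return table[byte >> 4][byte & 0x0F]

def sub_bytes(state):
    return [[lookup(SBOX, b) for b in row] for row in state]

def inv_sub_bytes(state):
    return [[lookup(INV_SBOX, b) for b in row] for row in state]

# Constructed sample State (rows of a 4x4 byte matrix), not the class exercise.
SAMPLE = [[0x95, 0x00, 0x53, 0x2A], [0x10, 0x20, 0x30, 0x40],
          [0xFF, 0xEE, 0xDD, 0xCC], [0x01, 0x02, 0x03, 0x04]]
assert lookup(SBOX, 0x95) == 0x2A and inv_sub_bytes(sub_bytes(SAMPLE)) == SAMPLE
```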
ShiftRows Transformation
Forward and Inverse Transformation
Forward Transformation
The forward shift row transformation, called ShiftRows, is depicted in Figure 5.7a. The first row
of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third
row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is
performed. The following is an example of ShiftRows.

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows, with a 1-byte circular right shift for the second
row, and so on.

AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits of State are
bitwise XORed with the 128 bits of the round key. As shown in Figure 5.5b, the operation is
viewed as a columnwise operation between the 4 bytes of a State column and one word of the
round key; it can also be viewed as a byte-level operation. The following is an example of
AddRoundKey.
The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.

Rationale
The add round key transformation is as simple as possible and affects every bit of State. The
complexity of the round key expansion, plus the complexity of the other stages of AES, ensure
security.
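The ShiftRows and AddRoundKey transformations described above, with their inverses, as an added example that is not part of the original lecture. It assumes the column-by-column copy of the input block into State defined in FIPS 197 (the lecture only refers to a figure for this); the function names, sample block, and round key are constructed for illustration.

```python
# Added example: ShiftRows / AddRoundKey and their inverses on a 4x4 State.

def bytes_to_state(block):
    """Copy a 16-byte block into State column by column (FIPS 197 order):
    input byte i lands in row i % 4, column i // 4."""
    if len(block) != 16:
        raise ValueError("AES processes exactly one 16-byte block")
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def state_to_bytes(state):
    """Read State back out column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state):
    """Row r is rotated left by r bytes, so row 0 is not altered."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    """Row r is rotated right by r bytes, undoing shift_rows without any key."""
    return [row[4 - r:] + row[:4 - r] for r, row in enumerate(state)]

def add_round_key(state, round_key):
    """XOR every State byte with the round-key byte in the same position.
    Applying it twice with the same key restores State (XOR is self-inverse)."""
    return [[s ^ k for s, k in zip(state_row, key_row)]
            for state_row, key_row in zip(state, round_key)]

# Constructed sample data, not a test vector from the lecture.
STATE = bytes_to_state(bytes(range(16)))
ROUND_KEY = bytes_to_state(bytes.fromhex("0f0e0d0c0b0a09080706050403020100"))

if __name__ == "__main__":
    print("after ShiftRows  :", state_to_bytes(shift_rows(STATE)).hex())
    print("after AddRoundKey:", state_to_bytes(add_round_key(STATE, ROUND_KEY)).hex())
    restored = add_round_key(add_round_key(STATE, ROUND_KEY), ROUND_KEY)
    print("XOR twice restores State:", restored == STATE)
```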
