Advanced Encryption Standard

(AES)
AES Algorithm

• AES is cryptographic algorithm published by NIST (National Institute of Standards and

Technology).
• The algorithm was proposed by Rijndael, it is also known as Rijndael algorithm.
• AES works on block cipher technique. Size of plaintext and ciphertext is same.
• The AES states that the algorithm can only accept a block size of 128 bits and a choice of three
keys - 128, 192, 256 bits.
• Depending on which version is used, the name of the standard is modified to AES-128, AES-192
or AES- 256 respectively.
• In the following figure, Nr defines the number of rounds. The figure also shows the relationship
between the number of rounds and the key size.
• However, the rounds keys, which are created by the key-expansion algorithm are always 128-
bits, the same size as the plaintext or ciphertext block.

Figure 2.11 General design of AES encryption cipher.

• The number of keys generated by the key-expansion algorithm is always one more than the
number of rounds. In other words, we have
Number of round keys = number of rounds + 1
We refer round keys as K0, K1, K2, ……., KNr
Plaintext transform in matrix form
• Take 128-bit block of plaintext that means 16-bytes and label them as b0 to b15 and convert
into a 4 X 4 matrix of bytes; call it as state array.
 • The first four bytes occupy first column and next four bytes occupy second column and so on.

So, AES operates 4 x 4 column-major order matrix of bytes called as state array.

DEC HEX
A 00 00
B 01 01
: : :
: : :
Z 25 19

Overall structure of AES encryption process

• Overall structure of AES encryption process is shown in figure 2.12.

• For encryption, each round consists of the following steps:
1) SubBytes
2) ShiftRows
3) MixColumns
4) AddRoundKey
Above steps also called AES transformation function
Figure 2.12 Overall structure of AES encryption and decryption process

1. SubBytes / Substitution Bytes

• AES defines a 16 X 16 matrix of byte values, called an S-box that contains a permutation of all
possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the following way:
 The left most 4 bits of the byte are used as a row value and the right most 4 bits used as a
column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output
value.
• For example, the hexadecimal value 00 references row 0, column 0 of S-box which contains the
value {63}, accordingly the value {12} is mapped into {C9}.

Figure 2.13 SubBytes transformation

 Table 2.7: SubBytes transformation table

• Table 2.8 is the inverse S-Box, it will be using during decryption process.

Table 2.8 InvSubBytes transformation table.

 2. ShiftRows transformation

• The shift rows transformation is called ShiftRows.

• Rules of shifting rows,
 Row 1 → now shifting
 Row 2 → 1 byte left shift
 Row 3 → 2 byte left shift
 Row 4 → 3 byte left shift

• The inverse shift row transformation is called InverseShiftRows, performs the circular shift in
the opposite direction for each of the last three rows, which a one-byte circular right shift for
the second row and so on.

3. Mix Columns

• The mix column transformation is called MixColumns, operates on each column individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in that
column.
Example calculation is given below.

4. AddRoundKey

• In the forward add round key transformation, AddRoundKey, the 128-bits of State are bitwise
XORed with the 128-bits of the round key.
• As shown in figure, the operation is viewed as a column wise operation between 4 bytes of a
state column and one word of the round key; it can also be viewed as a byte-level XOR
operation.

Figure: AddRoundKey transformation

Example:

AES decryption process is shown in figure 2.14.

This is the inverse of encryption process. Ciphertext is input for the AddRoundKey and the output
is given to the next round and in the same way it will go through Nr-1 rounds and in the last round
MixColumn part is missing same as the last round of encryption process and finally produces the
plaintext.
 Figure 2.14 Overall structure of AES encryption and decryption process

AES Key Expansion

• The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes). This is sufficient to provide a 4-word round key for the initial
AddRoundKey stage and each of the 10 rounds of the cipher.
• The figure 2.16 describes the generation of the expanded key, using the symbol g to represent
that complex function.
• The first 4 words (W0, W1, W2, W3) are made from the cipher key. The cipher key is thought of
as an array of 16 bytes (k0 to K15). The first four bytes (K0 to K3) become W0; the next four bytes
(k4 to k7) become W1; and so on. In other words, the concatenation of the words in this group
replicates the cipher key.
• Words of each round are as follows

Figure 2.15 Words of each round

• The function g consists of the following sub functions.
 This function performs the one-byte circular left shift.
 Using SubBytes transformation table (S box) each sub word performs a byte substitution.
 Finally, the result is XORed with the round constant called as Rcon[j].
 The round constant is a word in which the three rightmost bytes are always 0.
 The table below shows the values for AES-128 version (with 10 rounds).

Figure 2.16 AES Key Expansion

Table 2.9 Rcon Constants

Algorithm
Algorithm 2.1 is a simple algorithm for the key-expansion routine (version AES-128).
Algorithm 2.1 Pseudocode for Key expansion in AES-128