Advanced

Encryption Standard
(AES)
Origins
• A replacement for DES was needed
• Key size is too small

• Can use Triple-DES – but slow, small block

• US NIST issued call for ciphers in 1997

• 15 candidates accepted in Jun 98

• 5 were shortlisted in Aug 99

AES Competition Requirements
• Private key symmetric block cipher

• 128-bit data, 128/192/256-bit keys

• Stronger & faster than Triple-DES

• Provide full specification & design details

• Both C & Java implementations

AES Evaluation Criteria
• initial criteria:
• security – effort for practical cryptanalysis
• cost – in terms of computational efficiency
• algorithm & implementation characteristics

• final criteria
• general security
• ease of software & hardware implementation
• implementation attacks
• flexibility (in en/decrypt, keying, other factors)
AES Shortlist
• After testing and evaluation, shortlist in Aug-99
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security margin
• Rijndael (Belgium) - clean, fast, good security margin
• Serpent (Euro) - slow, clean, v. high security margin
• Twofish (USA) - complex, v. fast, high security margin

• Found contrast between algorithms with

• few complex rounds versus many simple rounds
• Refined versions of existing ciphers versus new proposals

Rijndae: pronounce “Rain-Dahl”

The AES Cipher - Rijndael
• Rijndael was selected as the AES in Oct-2000
• Designed by Vincent Rijmen and Joan Daemen in Belgium
• Issued as FIPS PUB 197 standard in Nov-2001

• An iterative rather than Feistel cipher

• processes data as block of 4 columns of 4 bytes (128 bits) V. Rijmen
• operates on entire data block in every round

• Rijndael design:
• simplicity
• has 128/192/256 bit keys, 128 bits data
• resistant against known attacks
• speed and code compactness on many CPUs J. Daemen
Applications
 Rounds.

AES is a non-Feistel cipher that encrypts and decrypts a

data block of 128 bits. It uses 10, 12, or 14 rounds. The
key size, which can be 128, 192, or 256 bits, depends on
the number of rounds.

Note

AES has defined three versions, with 10, 12,

and 14 rounds.
Each version uses a different cipher key size
(128, 192, or 256), but the round keys are
always 128 bits.
AES Parameters
AES Conceptual Scheme
Plaintext (128 bits)

AES Key (128-256 bits)

Ciphertext (128 bits)

11
Multiple rounds
• Rounds are (almost) identical
• First and last round are a little different

12
 AES Block Cipher
The AES Algorithm:
 AES operates on a 4 × 4 column-wise order array of bytes, called the state. For
instance, if there are 16 bytes, these bytes are represented as this two-dimensional
array:

 The key size used for an AES cipher specifies the number of transformation rounds that
convert the plaintext into the ciphertext . The number of rounds are as follows:
10 rounds for 128-bit keys.
12 rounds for 192-bit keys.
14 rounds for 256-bit keys.
 Each round consists of several processing steps, including one that depends on the
encryption key itself. A set of reverse rounds are applied to transform ciphertext back
into the original plaintext using the same encryption key. 13
High Level Description
• Round keys are derived from the cipher key
Key Expansion using Rijndael's key schedule

• AddRoundKey : Each byte of the state is combined

Initial Round with the round key using bitwise xor

• SubBytes : non-linear substitution step

• ShiftRows : transposition step
Rounds • MixColumns : mixing operation of each column.
• AddRoundKey

• SubBytes
Final Round • ShiftRows No MixColumns
• AddRoundKey
General design of AES encryption cipher
• Process the entire data block in parallel during each round using
substitutions and permutation.
• The key that is provided as input is expanded into an array of forty-
four 32-bit words, w[i]. Four distinct words (128 bits) serve as a
round key for each round;
AES Key Expansion
• The key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in four words at a
time.
• Each added word w[i] depends on the immediately preceding
word, w[i -1], and the word four positions back,w[i-4].
• The function g consists of the following subfunctions:
• RotWord performs a one-byte circular left shift on a word. This
means that an input word [b0, b1, b2, b3] is transformed into
[b1, b2, b3, b0].
• SubWord performs a byte substitution on each byte of its
input word, using the S-box
• The result of steps 1 and 2 is XORed with a round constant,
Rcon[j].
• The round constant is a word in which the three rightmost
bytes are always 0.
• Thus the effect of an XOR of a word with Rcon is to only
perform an XOR on the leftmost byte of the word.
• The round constant is different for each round and is defined
as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j - 1]
Key Matrix
Key is expanded in words of 4 bytes (32
bits) w1,w2,w3,w4
State array (4x4 matrix)
Structure of Each Round
Structure of each round at the encryption site

7.37
TRANSFORMATIONS

To provide security, AES uses four types of

transformations: substitution, permutation, mixing, and
key-adding.

Topics discussed in this section:

• Substitution
• Permutation
• Mixing 7.38
• Key Adding
Four different stages are used, one of permutation and three of
substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte
substitution of the block
• ShiftRows: A simple permutation
• MixColumns: A substitution that makes use of arithmetic over
GF(28)
• AddRoundKey: A simple bitwise XOR of the current block with
a portion of the expanded key
• For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each includes all four
stages, followed by a tenth round of three stages.
• Only the AddRoundKey stage makes use of the key. For this reason, the
cipher begins and ends with an AddRoundKey stage.
• Each stage is easily reversible. For the Substitute Byte,
ShiftRows, and MixColumns stages, an inverse function is used
in the decryption algorithm.
Substitute Bytes
Transformation
• AES defines a 16 x 16 matrix of byte values, called an S-box , that
contains a permutation of all possible 256 8-bit values.
• Each individual byte of State is mapped into a new byte in the
following way: The leftmost 4 bits of the byte are used as a row
value and the rightmost 4 bits are used as a column value.
• These row and column values serve as indexes into the S-box to
select a unique 8-bit output value.
• For example, the hexadecimal value {95} references row 9,
column 5 of the S-box, which contains the value {2A}.
Accordingly, the value {95} is mapped into the value {2A}.
ShiftRows Transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
MixColumns Transformation
• Each byte of a column is mapped into a new value that is a
function of all four bytes in that column. The transformation
can be defined by the following matrix multiplication on State
• Each byte of a column is mapped into a new value that is a
function of all four bytes in the column.
AddRoundKey Transformation

• the 128 bits of State are bitwise XORed with the 128 bits of
the round key.
Example continued:

From Slide 35
Result of Add Round Key
Mix Coumns

State array
 Security

AES was designed after DES. Most of the known attacks

on DES were already tested on AES.
Brute-Force Attack
AES is definitely more secure than DES due to the
larger-size key.
Statistical Attacks
Numerous tests have failed to do statistical analysis of
the ciphertext.

Differential and Linear Attacks

There are no differential and linear attacks on AES as 7.73
yet.