
File 08. PMIT-6204 - Cryptography & Steganography - Advanced Encryption Standard (AES)


Prepared by: K M Akkas Ali, Professor, IIT, JU

PMIT-6204: Cryptography & Steganography
for 3rd Semester of PMIT Program

Lecture File: 08
Advanced Encryption Standard (AES)

Prepared by:
Professor K M Akkas Ali
Institute of Information Technology (IIT)
Jahangirnagar University, Dhaka-1342

Topics to be Discussed
• What is AES?
• To review a short history of AES
• The features of AES that make it a unique algorithm
• Basic structure of each AES round at the encryption site
• How does AES work?
• Types of transformations used by AES
• Key expansion process in AES-128
• Applications of AES
• Differences between AES and DES
• To discuss different implementations

What is AES (Advanced Encryption Standard):

The AES algorithm (also known as the Rijndael algorithm) is a symmetric block cipher that takes a block of 128 bits and converts it into ciphertext using keys of 128, 192, and 256 bits.

History of AES (Advanced Encryption Standard):

• Until 2000, DES (Data Encryption Standard) had been used as a standard method of encryption, but with the increase in computer speed and its shorter key length, it is no longer considered secure, as a cryptanalyst can break the code by exhaustively searching all the keys using a fast computer. From 2001, DES has been replaced by a new standard known as the Advanced Encryption Standard (AES), which is published by the National Institute of Standards and Technology (NIST).
• In 1997, NIST started looking for a replacement for DES, which would be called the Advanced Encryption Standard or AES.
• The NIST specifications required a block size of 128 bits and three different key sizes of 128, 192, and 256 bits.
• The specifications also required that AES be an open algorithm, available to the public worldwide. The announcement was made internationally to solicit responses from all over the world.
• After the First AES Candidate Conference, NIST announced that 15 out of 21 received algorithms had met the requirements and been selected as the first candidates (August 1998).
• Algorithms were submitted from a number of countries; the variety of these proposals demonstrated the openness of the process and worldwide participation.
• After the Second AES Candidate Conference, which was held in Rome, NIST announced that 5 out of 15 candidates (MARS, RC6, Rijndael, Serpent, and Twofish) were selected as the finalists (August 1999).
• After the Third AES Candidate Conference, NIST announced that Rijndael, designed by Belgian researchers Joan Daemen and Vincent Rijmen, was selected as the Advanced Encryption Standard (October 2000).
• In February 2001, NIST announced that a draft of the Federal Information Processing Standard (FIPS) was available for public review and comment.
• Finally, AES was published as FIPS 197 in the Federal Register in December 2001.

Features of AES:

• The features that make AES a unique algorithm are:
1. It uses substitution and permutation, also called an SP network.
2. A single key is expanded to be used in multiple rounds.
3. AES operates on bytes instead of bits.
4. The number of rounds depends on the key length.
5. Three different key lengths:
   • 128-bit key length uses 10 rounds
   • 192-bit key length uses 12 rounds
   • 256-bit key length uses 14 rounds

Criteria Defined by NIST for AES:

• The criteria defined by NIST for selecting AES fall into three areas:
1. Security:
   • The main emphasis was on security. Because NIST explicitly demanded a 128-bit key, this criterion focused on resistance to cryptanalysis attacks other than brute-force attack.
2. Cost:
   • The second criterion was cost, which covers the computational efficiency and storage requirement for different implementations such as hardware, software, or smart cards.
3. Implementation:
   • The third criterion was implementation. This criterion included the requirement that the algorithm must have flexibility (be implementable on any platform) and simplicity. It also required that AES be an open algorithm, available to the public worldwide.

• At the end, Rijndael was judged the best at meeting the combination of these criteria.

Parameters for Three Versions of AES:

• AES is a non-Feistel cipher (i.e., it uses only invertible components).
• In AES, there is no need to divide the plaintext into two halves as we saw in the Feistel ciphers like DES.
• AES is a block cipher that encrypts and decrypts data as a block of 128 bits.
• It uses 10, 12, or 14 rounds.
• Three different key sizes of 128, 192, and 256 bits can be used; the number of rounds depends on the key size.
• AES has defined three versions with 10, 12, and 14 rounds. The versions are referred to as AES-128, AES-192, and AES-256.
• Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys (which are created by the key-expansion algorithm) are always 128 bits, which is the same size as the plaintext or ciphertext block.

Common Parameters about AES:

Manner of Storing Input Data: Block-to-State Conversion

Let us see how data is stored during the process of AES encryption.
• The plaintext block to be encrypted is just a sequence of 128 bits.
• AES works with byte quantities. So at first, we convert the 128 bits into 16 bytes.
• These 16 bytes of plaintext data are arranged in a 4 x 4 matrix format which is known as the state array.
• Each round takes the state array as input and gives a corresponding 4 x 4 matrix as output.
• At the start of the encryption, the 16 bytes of data, numbered are loaded into the array as shown in Table where each cell corresponds to one byte.
• 4 bytes (i.e., 32 bits) make one word, so each state array has 4 words.

Example:
• Let us see how a 16-character block can be shown as a 4 x 4 matrix.
• Assume that the text block is “AES uses a matrix”.
• We add two bogus characters at the end to get “AESUSESAMATRIXZZ”.
• Now we replace each character with a decimal integer between 00 and 25.
• We then show each byte as an integer with two hexadecimal digits. For example, the character “S” is first changed to 18 and then written as 12 in hexadecimal. The state matrix is then filled up, column by column, as shown in the figure below.

Figure: Changing plaintext to state

Steps in AES Encryption Process

The AES encryption process uses a set of specially derived keys called round keys. Along with other operations, these round keys are applied to an array of data that holds exactly one block of the data to be encrypted.
The steps in the AES encryption of a 128-bit block are listed below:

1) Derive the set of round keys from the cipher key.
2) Initialize the state array with the block data (plaintext).
3) Add the initial round key to the starting state array.
4) Perform nine rounds of state manipulation.
5) Perform the tenth and final round of state manipulation.

Note:
The rounds are listed as "nine followed by a final tenth round" because the tenth round involves a slightly different manipulation from the others.

Simplified Block Diagram of AES

Four operations are required in each round.

Figure: Simplified block diagram of AES

Pre-round Operations in AES

• In the very beginning, the plaintext state array is XORed with the initial round key K0.
• The output is passed to a byte substitution process.

Example:

54 XOR 54 = 00:  01010100 XOR 01010100 = 00000000
77 XOR 68 = 1F:  01110111 XOR 01101000 = 00011111

Round Operations in AES

The following four operations are performed in round 1 to round 9:
1. SubBytes
2. ShiftRows
3. MixColumns
4. XorRoundKey

In the final round (10th round), the following three operations are performed:
1. SubBytes
2. ShiftRows
3. XorRoundKey

1. SubBytes Operation

Figure: State matrix before and after the SubBytes operation

2. ShiftRows Operation

Row 0: Rotate each byte from right to left over 0 bytes
Row 1: Rotate each byte from right to left over 1 byte
Row 2: Rotate each byte from right to left over 2 bytes
Row 3: Rotate each byte from right to left over 3 bytes

Figure: State matrix before and after the ShiftRows operation

3. MixColumn Operation:

Figure: State matrix before and after the MixColumn operation

4. AddRoundKey Operation:

Figure: State matrix before and after the AddRoundKey operation

AES Key Expansion

• To create a round key for each round, AES uses a key-expansion process.
• The cipher key is expanded into n + 1 round keys, with n being the number of rounds.
• The first round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are used for the last transformation (AddRoundKey) at the end of each round.
• There are 4 words in each round key.
• Each key is used for a single round. The first key is used as the initial round key before any round begins.

Key Schedule Algorithm in AES-128:

Figures: Key schedule algorithm in AES-128 (labels: Rcon = a constant table; Substitute these values by the S-box; After rotation; After substitution)

General Design of AES Encryption Cipher:

• The figure below shows the general design for the encryption algorithm (called the cipher). Nr defines the number of rounds. The figure also shows the relationship between the number of rounds and the key size.
• The decryption algorithm (called the inverse cipher) is similar, but the round keys are applied in the reverse order.
• The number of round keys generated by the key-expansion algorithm is always one more than the number of rounds.
• In other words, we have: Number of round keys = Nr + 1
• We refer to the round keys as K0, K1, K2, ..., KNr.

Figure: General design of AES encryption cipher

Data Units in AES:

• AES uses five units of measurement to refer to data:
1. Bit:
   • In AES, a bit is a binary digit with a value of 0 or 1. We use a lowercase letter b to refer to a bit.
2. Byte:
   • A byte is a group of eight bits that can be treated as a single entity: a row matrix (1 x 8) of eight bits, or a column matrix (8 x 1) of eight bits.
   • When treated as a row matrix, the bits are inserted into the matrix from left to right; when treated as a column matrix, the bits are inserted into the matrix from top to bottom. We use a lowercase bold letter b to refer to a byte.
3. Word:
   • A word is a group of 32 bits (4 bytes) that can be treated as a single entity, a row matrix of four bytes, or a column matrix of four bytes.
   • When it is treated as a row matrix, the bytes are inserted into the matrix from left to right; when it is considered as a column matrix, the bytes are inserted into the matrix from top to bottom. We use the lowercase bold letter w to show a word.
4. Block:
   • AES encrypts and decrypts data as blocks. A block in AES is a group of 128 bits (4 words or 16 bytes). However, a block can be represented as a row matrix of 16 bytes.
5. State:
   • AES uses several rounds in which each round is made of several stages.
   • The data block is transformed from one stage to another.
   • At the beginning and end of the cipher, AES uses the term data block; before and after each stage, the data block is referred to as a state.
   • We use an uppercase bold letter S to refer to a state.
   • Although the states in different stages are normally called S, we occasionally use the letter T to refer to a temporary state.
   • States, like blocks, are made of 16 bytes, but normally are treated as matrices of 4 x 4 bytes. In this case, each element of a state is referred to as Sr,c, where r (0 to 3) defines the row and c (0 to 3) defines the column.

• Among the five units of measurement of data in AES, the bit is the atomic unit and the remaining units are called non-atomic, as shown in the figure below.

Figure: Data units used in AES

Structure of Each Round at the Encryption Site:

• The figure below shows the structure of each round at the encryption side.
• Each round, except the last, uses four transformations that are invertible:
1. SubBytes
2. ShiftRows
3. MixColumns
4. AddRoundKey
• The last round has only three transformations (all except the third transformation).
• Each transformation takes a state and creates another state to be used for the next transformation or the next round.
• The pre-round section uses only one transformation (AddRoundKey); the last round uses only three transformations (the MixColumns transformation is missing).

Figure: Structure of each round at the encryption site

Transformations in AES:

• To provide security, AES uses four types of transformations:
1. Substitution
2. Permutation
3. Mixing
4. Key-adding
• Each round of AES, except the last, uses the four transformations. The last round uses only three of the four transformations (the Mixing transformation is missing).

1) Substitution:
• AES, like DES, uses substitution. However, the mechanism is different.
• First, the substitution is done for each byte.
• Second, only one table is used for transformation of every byte, which means that if two bytes are the same, the transformation is also the same.
• Third, the transformation is defined by either a table lookup process or mathematical calculation in the GF(2^8) field.
• AES uses two invertible transformations, SubBytes and InvSubBytes, which are inverses of each other.

2) Permutation:
• The second transformation in a round is shifting, which permutes the bytes.
• Unlike DES, in which permutation is done at the bit level, the shifting transformation in AES is done at the byte level; the order of the bits in the byte is not changed.
• In the encryption, the transformation is called ShiftRows. In the decryption, the transformation is called InvShiftRows. The ShiftRows and InvShiftRows transformations are inverses of each other.
• In ShiftRows, the shifting is to the left. The number of shifts depends on the row number (0, 1, 2, or 3) of the state matrix. This means that row 0 is not shifted at all and the last row is shifted three bytes. The figure below shows the shifting transformation.

Figure: ShiftRows transformation

3) Mixing:
• The mixing transformation changes the contents of each byte by taking four bytes at a time and combining them to recreate four new bytes.
• AES defines two mixing transformations, MixColumns and InvMixColumns, to be used in the encryption and decryption.
• MixColumns multiplies the state matrix by a constant square matrix; InvMixColumns does the same using the inverse constant matrix.
• The MixColumns and InvMixColumns transformations are inverses of each other.

4) Key-adding:
• The transformation that performs whitening is called AddRoundKey.
• The previous state is added (matrix addition) to the round key matrix to create the new state.
• Addition of individual elements in the two matrices is done in GF(2^8), which means that 8-bit words are XORed.
• The AddRoundKey transformation is the inverse of itself.

Figure: AddRoundKey transformation

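The page's “AESUSESAMATRIXZZ” block laid out as a state, then run through ShiftRows and AddRoundKey with their inverses, as an added Python example that is not part of the original slides. The function names and the round key are constructed for this illustration.

```python
def text_to_state(text):
    """Slide encoding: A..Z -> 00..25, padded with Z, filled column by column."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    letters += ["Z"] * (16 - len(letters))        # bogus characters complete the block
    if len(letters) != 16:
        raise ValueError("text must fit in one 16-byte block")
    values = [ord(ch) - ord("A") for ch in letters]
    # state[r][c] is byte number r + 4*c of the block
    return [[values[r + 4 * c] for c in range(4)] for r in range(4)]

def shift_rows(state):
    """Row r is rotated left by r bytes; the bytes themselves are unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    """Row r is rotated right by r bytes, undoing shift_rows."""
    return [row[4 - r:] + row[:4 - r] for r, row in enumerate(state)]

def add_round_key(state, round_key):
    """Byte-wise XOR of two 4 x 4 matrices; applying it twice restores the state."""
    return [[a ^ k for a, k in zip(srow, krow)]
            for srow, krow in zip(state, round_key)]

def show(state):
    """Rows of the state as two-digit hexadecimal strings."""
    return [" ".join(f"{b:02X}" for b in row) for row in state]

# Constructed round key, for illustration only (not taken from the slides).
DEMO_KEY = [[0x54, 0x73, 0x20, 0x67], [0x68, 0x20, 0x4B, 0x20],
            [0x61, 0x6D, 0x75, 0x46], [0x74, 0x79, 0x6E, 0x75]]

if __name__ == "__main__":
    st = text_to_state("AES uses a matrix")
    print("state     ", show(st))
    print("ShiftRows ", show(shift_rows(st)))
    print("round trip", inv_shift_rows(shift_rows(st)) == st)
    print("XOR twice ", add_round_key(add_round_key(st, DEMO_KEY), DEMO_KEY) == st)
```

The letter-to-number coding is the slide's teaching device; real AES input is the raw 16 bytes of the block.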
Key Expansion in AES:

• To create a round key for each round, AES uses a key-expansion process.
• If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.
• The first round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are used for the last transformation (AddRoundKey) at the end of each round.
• The key-expansion routine creates round keys word by word, where a word is an array of four bytes. The routine creates 4 x (Nr + 1) words that are called: w[0], w[1], w[2], ..., w[4(Nr+1)-1]
• In other words, in the AES-128 version (10 rounds), there are 44 words; in the AES-192 version (12 rounds), there are 52 words; and in the AES-256 version (with 14 rounds), there are 60 words.
• Each round key is made of four words. Table shows the relationship between rounds and words.

Key Expansion in AES-128:

• Let us show the creation of words for the AES-128 version; the processes for the other two versions are the same with some slight changes.
• The figure below shows how 44 words are made from the original key.

Figure: Key expansion in AES

• The process is as follows:
1. The first four words (w[0], w[1], w[2], w[3]) are made from the cipher key. The cipher key is thought of as an array of 16 bytes (k0 to k15). The first four bytes (k0 to k3) become w[0]; the next four bytes (k4 to k7) become w[1], and so on.
2. The rest of the words (w[i] for i = 4 to 43) are made as follows:
   • If (i mod 4) ≠ 0, w[i] = w[i-1] XOR w[i-4]. Referring to the above figure, this means each word is made from the one at the left and the one at the top.
   • If (i mod 4) = 0, w[i] = t XOR w[i-4]. Here t, a temporary word, is the result of applying two routines, SubWord and RotWord, on w[i-1] and XORing the result with a round constant, RCon. In other words, we have t = SubWord(RotWord(w[i-1])) XOR RCon[i/4].

RotWord:
• The RotWord (rotate word) routine is similar to the ShiftRows transformation, but it is applied to only one row. The routine takes a word as an array of four bytes and shifts each byte to the left with wrapping.

SubWord:
• The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only to four bytes. The routine takes each byte in the word and substitutes another byte for it.

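The five encryption steps and the AES-128 key schedule described above, put together as an added Python example that is not part of the original slides. The S-box is computed in GF(2^8) instead of being copied as a table, the function names are this example's own, and the sample key and plaintext are the ones published in FIPS 197.

```python
# Added teaching example: AES-128 on one block. State s = 16 bytes in column order, s[4*c + r].
def xtime(a):                      # multiply by 02 in GF(2^8), modulus x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):                    # GF(2^8) multiplication by shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(x):                 # SubBytes by calculation instead of table lookup
    inv = 1
    for _ in range(254):           # x^254 is the inverse of x; 0 maps to 0
        inv = gmul(inv, x)
    out = inv
    for s in range(1, 5):          # affine map: XOR with four left rotations, then 0x63
        out ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return out ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]

def expand_key(key):               # 16-byte cipher key -> words w[0..43], 4 bytes each
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # SubWord(RotWord(w[i-1]))
            t[0] ^= rcon                            # XOR with RCon[i/4]
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def add_round_key(s, w, rnd):      # round key rnd is words w[4*rnd .. 4*rnd + 3]
    round_key = [b for word in w[4 * rnd:4 * rnd + 4] for b in word]
    return [a ^ k for a, k in zip(s, round_key)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):                 # row r rotates left by r bytes
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):                # each column times the matrix with rows 02 03 01 01 (rotated)
    return [gmul(2, s[4 * c + r]) ^ gmul(3, s[4 * c + (r + 1) % 4])
            ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4]
            for c in range(4) for r in range(4)]

def encrypt_block(plaintext, key):
    if len(plaintext) != 16 or len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte block and a 16-byte key")
    w = expand_key(key)                                   # step 1
    s = add_round_key(list(plaintext), w, 0)              # steps 2 and 3
    for rnd in range(1, 10):                              # step 4
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, 10)    # step 5: no MixColumns
    return bytes(s)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS 197 Appendix B
    print(encrypt_block(bytes.fromhex("3243f6a8885a308d313198a2e0370734"), key).hex())
```

It encrypts a single block with no mode of operation and is not constant-time, so it is for studying the round structure; production code should call a vetted library.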
Discussion Points

• To review a short history of AES
• Basic structure of AES
• Types of transformations used by AES
• Key expansion process in AES-128
• Structure of each round at the encryption site
• To discuss different implementations

Thank you…
Have a question?