Advanced Encryption Standard

(AES)
Cryptology (UCT723)
Lecture 16-17
International Data Encryption Algorithm
(IDEA)
• Introduced in 1990, by Xuejia Lai and James Massey of ETH Zurich,
under the name Proposed Encryption Standard (PES)
• The algorithm was subjected to cryptanalysis, and some shortcomings
were identified. The authors published a strengthened algorithm called
Improved Proposed Encryption Standard (IPES) in 1991.
• In 1992, they renamed it International Data Encryption Algorithm
(IDEA)
• IDEA is part of PGP (Pretty Good Privacy)

2
International Data Encryption Algorithm
(IDEA)
• IDEA is similar to DES in some ways:
– Both have rounds
– Both have a complicated "mangler" function which does not have to
be reversible for decryption to work.
• With DES, the same keys are used in reverse for decryption
• With IDEA, the encryption and decryption keys are related in a
more complex manner.
• IDEA is a block cipher with a:
– Block size of 64 bits
– Key size of 128 bits

3
International Data Encryption Algorithm
(IDEA)
• IDEA is patented by the Swiss company Ascom, but they have been
generous in allowing free non-commercial use of their algorithm.
• IDEA avoids the use of any lookup tables or S-boxes (no bit-level
permutations)
• Each primitive operation in IDEA maps two 16-bit quantities into a
16-bit quantity
– By comparison, each DES S-box maps a 6-bit quantity into a 4-bit
quantity
• The primitive operations in IDEA are efficient in computers -- even
in 16-bit processors

4
International Data Encryption Algorithm
(IDEA)
• IDEA uses 3 operations to create a mapping:
 - bitwise exclusive OR
 - slightly modified ADD
 - slightly modified MULTIPLY

– The addition is done mod 216

5
 International Data Encryption Algorithm
(IDEA)
• The multiplication is done by first calculating the 32-bit result
from the two 16-bit inputs, and then taking the remainder mod
(216 + 1)
– Multiplication mod (216 + 1) is reversible, in that every number
between 1 and 216 has an inverse in the range 1 to 216 because 216 + 1
(65,537) is prime
– 0 would not have a multiplicative inverse, and 216 (a valid remainder
in mod 216 + 1 arithmetic) cannot be expressed in 16 bits, so in
IDEA a 16-bit number containing all zeros is treated as an encoding
for 216
– Note that:
• (24 + 1 = 17) and (28 + 1 = 257) are both prime, but
• (232 + 1) is not prime, so IDEA cannot easily be extended to a 128-bit
block size

6
 International Data Encryption Algorithm
(IDEA)
• The 64-bit plaintext block is divided into 4 16-bit sub-blocks, Xa, Xb, Xc, Xd,
which become the inputs to the first round.
• The 128-bit key is expanded into 52 16-bit subkeys, Ki
• There are 17 rounds, even and odd:
– Odd rounds use four of the keys, Ka, Kb, Kc, Kd
• For example, round 1 uses K1, K2, K3, K4
– Even rounds use two keys, Ke and Kf
• For example, round 2 uses K5 and K6

(Some explanations talk about 8 rounds, where each of those rounds

combines the work of two of the above rounds. It can get confusing if you
mix different explanations!)

7
 IDEA Rounds
• Odd round: X  K  X
a a a

X b  Kb  X c
X c  Kc  X b
X d  Kd  X d
• Even round:
Mangler function : f (Yin , Z in , K e , K f )
X a  X b  Yin , X c  X d  Z in
(( K e  Yin )  Z in )  K f  Yout
( K e  Yin )  Yout  Z out
X a  Yout  X a , X b  Yout  X b
X c  Z out  X c , X d  Z out  X d

8
 IDEA Rounds
• For decryption:
– For odd rounds, we perform the multiplications with the inverses of
the Ki keys, mod 216 + 1
– An even round is its own inverse -- use the same keys
• Key schedule for decryption:
KD(1) = KE-1(49) , KD(2) = -KE(50) , KD(3) = -KE(51) , KD(4) = KE-1(52)

KD(5) = KE(47) , KD(6) = KE(48)

etc ... Multiplicative Inverse

Additive Inverse

Same value
9
 International Data Encryption Algorithm
(IDEA)
• IDEA has been thoroughly cryptanalyzed, and is considered
to be a secure cipher -- much better than DES

• However, it has not caught on as much as did DES, and

perhaps it is now overshadowed by...

10
The Advanced Encryption Standard (AES)

• In January, 1997, NIST announced a contest to select a new

encryption standard to be used for protecting sensitive, non-
classified, U.S. government information.
– Proposals were accepted from anyone, anywhere in the world
– 5 finalists were chosen from 15 submissions:
• MARS, RC6, Rijndael, Serpent, and Twofish

11
The Advanced Encryption Standard (AES)
• Proposals had to meet a number of specific evaluation criteria.
The initial criteria were:
– Security:
• High effort required to cryptanalyze the algorithm
– Cost:
• Practical in a wide range of applications
– Algorithm and Implementation Characteristics:
• Flexibility, suitability for a variety of hardware and software
implementations, simplicity (to make the analysis of security easier)

12
The Advanced Encryption Standard (AES)
• The final criteria used to pick from the 5 finalists were:
– General Security: Public worldwide security analyses were
published
– Software Implementations
– Restricted-Space Implementations
– Hardware Implementations
– Attacks on Implementations
– Encryption vs Decryption
– Key Agility
– Other Versatility and Flexibility
– Potential for Instruction-level Parallelism

13
The Advanced Encryption Standard (AES)
• The DES selection process:
– Was done in relative secrecy
– The details and motivation for the algorithm was secret
– Led to lots of suspicion about the role of NSA and whether DES was truly
secure
• In contrast, the AES selection process:
– Was open
– NSA was specifically excluded from proposing, although they could
provide advice
– A detailed explanation and analysis of the algorithms was part of the
process.
– This resulted in more confidence about AES

14
 The Advanced Encryption Standard
(AES) "Rijndael"
• NIST chose a submission called "Rijndael" by two Belgian
cryptographers -- Joan Daemen & Vincent Rijmen
• In 2001, they published this as the new Advanced
Encryption Standard (AES)*, ultimately replacing DES.

15
 The Advanced Encryption Standard
(AES) "Rijndael"
1) How is that pronounced ?
If you're Dutch, Flemish, Indonesian, Surinamer or South-African, it's pronounced
like you think it should be. Otherwise, you could pronounce it like "Reign Dahl",
"Rain Doll", "Rhine Dahl". We're not picky. As long as you make it sound
different from "Region Deal".
2) Why did you choose this name ?
Because we were both fed up with people mutilating the pronunciation of the
names "Daemen" and "Rijmen". (There are two messages in this answer.)
3) Can't you give it another name ? (Propose it as a tweak !)
Dutch is a wonderful language. Currently we are debating about the names
"Herfstvrucht", "Angstschreeuw" and "Koeieuier". Other suggestions are welcome
of course. Derek Brown, Toronto, Ontario, Canada, proposes "bob".

16
 The Mathematics of Rijndael
• Rijndael uses arithmetic in the Galois Field GF(28), a.k.a.
GF(256) (the finite field of order 256)
– Recall that:
• It can be shown that the order of a finite field (number of elements in the
field) must be a power of a prime, pn, where n is a positive integer.
– A nice property of GF(28) is that each element of the field can be
represented by an octet.

17
 The Mathematics of Rijndael
• The bits in the octet are the coefficients of a polynomial
over Z2 modulo the irreducible* Z2 polynomial:
m(x) = x8 + x4 + x3 + x + 1

*A polynomial is called irreducible if its only divisors are one and itself.
By analogy to integers, an irreducible polynomial is also called a prime
polynomial.

18
 The Mathematics of Rijndael
• Byte values are represented as polynomials with the least significant bit
being the the coefficient of x0, and the most significant bit the coefficient
of x7.
– For example, {01100011} identifies the specific field element:
x6 + x5 + x + 1
• Some finite field operations involve one additional bit to the left of an 8-
bit byte. When this extra bit is present, it appears as {01} to the left of the
other 8 bits:
{01} {00011011}

19
 The Mathematics of Rijndael
• Addition in a finite field is achieved by "adding" the
coefficients for the corresponding powers in the polynomials
for the two elements.
• Addition is s performed using an XOR operation, denoted by 
(recall that addition modulo 2 is equivalent to XOR)
• Subtraction of polynomials is identical to addition of
polynomials (recall that, too?)

20
 The Mathematics of Rijndael
• For example:
( x 6  x 4  x 2  x  1)  ( x 7  x  1)  x 7  x 6  x 4  x 2  0
(polynomial notation)
{01010111}  {10000011} {11010100} (binary notation)
{57}  {83} {d 4} (hexadecimal notation)

are all equivalent.

21
 The Mathematics of Rijndael
• Multiplication in Rijndael is the • For example:
multiplication of polynomials
modulo the irreducible
polynomial:
m(x) = x8 + x4 + x3 + x + 1
or {01}{1b} in hexadecimal
notation.
{57}  {83} {c1} , because :
(x 6  x 4  x 2  x  1)(x 7  x  1) 
x13  x11  x 9  x 8  x 7 
7 5 3
x  x  x  x2  x 
x 6  x 4  x 2  x 1
 x13  x11  x 9  x 8  x 6  x 5  x 4  x 3  1
and :
x13  x11  x 9  x 8  x 6  x 5  x4  x 3  1
modulo ( x 8  x 4  x 3  x  1)
x 7  x 6 1
22
 The Mathematics of Rijndael
• The modular reduction by m(x) ensures that the result will be a binary
polynomial of degree less than 8, and thus can be represented in a byte.
• This multiplication is associative
• The element {01} is the multiplicative identity.
• For any non-zero binary polynomial b(x) of degree less than 8, the
multiplicative inverse of b(x), denoted by b-1(x) can be found using the
Extended Euclidean algorithm. This computes polynomials a(x) and
c(x) such that:
b( x)a ( x)  m( x)c( x) 1,
hence a ( x)  b( x) mod m( x) 1,
or b  1 ( x) a ( x) mod m( x)

23
 The Mathematics of Rijndael
• It follows from the above that the set of 256 possible byte
values, with XOR used as addition, and the multiplication
defined as above, has the structure of the finite field GF(2 8)

24
 The Mathematics of Rijndael
• Rijndael also uses polynomials over GF(28), taken modulo the
GF(28) non-irreducible polynomial x4 + 1.
– These polynomials are represented as 4-vectors of octets, with the
coefficient of 1 being the first octet in the 4-vector.
– With this representation, multiplication is simply a rotation.

• Finally, for one of its operations composing its "S-box", Rijndael

treats octets as polynomials over Z2 modulo the non-irreducible
polynomial x8 + 1

25
 The Advanced Encryption Standard
(AES) "Rijndael"
• Originally, Rijndael defined a symmetric block cipher in which the
block length and the key length can be independently specified to be
128, 192, or 256 bits
• The accepted AES allows key sizes of 128, 192, or 256 bits, but
restricts the block size to 128 bits
• AES is not a Feistel cipher.

26
 The Advanced Encryption Standard
(AES) "Rijndael"
• The basic structure provides flexibility with the use of 3 parameters:
– Nb , the block size (the number of 32-bit words, or 4-octet columns, in a
plaintext block). For AES, Nb = 4, since the block size is 128 bits
– Nk , the key size (the number of 32-bit words in an encryption key)
• 128 bits => Nk = 4; 192 bits => Nk = 6; 256 bits => Nk = 8
– Nr , the number of rounds
• Needs to be larger for longer keys
• Needs to be larger for larger block sizes
• Rijndael specifies Nr = 6 + max(Nb, Nk)
– 128-bit key => 10 rounds
– 192-bit key => 12 rounds
– 256-bit key => 14 rounds

27
 The Basic Rijndael Structure
• Internally, the algorithm's operations
are performed on a 2-dimensional
array of bytes called the State.
• The State consists of 4 rows of bytes,
each containing Nb bytes, where Nb is
the block length/32.
– In AES, Nb = 128/32 = 4 so the State is a
4x4 array of bytes.

28
 The Rijndael State
• At the start of the cipher and inverse cipher, the array of input
bytes (plaintext) is copied into the State array.
• The cipher or inverse cipher operations are then conducted on
this State array.
• Finally, the State's final value is copied to the output array.

29
The Rijndael Cipher Algorithm

30
 The Rijndael Cipher Algorithm
• AddRoundKey()
– A Round Key is added to the state
using XOR
• SubBytes()
– uses S-box to perform a non-linear
byte-by-byte substitution of State
• ShiftRows()
– processes the State by cyclically
shifting the last three rows of the State
by different offsets
• MixColumns()
– takes all the columns of the State and
mixes their data, independently of one
another, making use of arithmetic over
GF(28)

31
 The Rijndael Cipher Algorithm
• Only AddRoundKey() makes use of the key
• The other three functions are used to produce diffusion and
confusion
• The final round omits MixColumns transformation.

32
 SubBytes()
• The SubBytes() transformation is a non-linear substitution that
operates independently on each byte of the State using a
substitution table ("S-box").
• The S-box is invertible

33
 ShiftRows()
• ShiftRows() cyclically shifts the last three rows in the State

34
 MixColumns()
• MixColumns() operates on the State column-by-column

35
 AddRoundKey()
• AddRoundKey() XORS each column of the State with a word from the
key schedule.

36
Inverse Cipher Algorithm

37
 The AES Inverse Cipher
• Decryption algorithm uses the
expanded key in reverse order
• All the functions are easily
reversible and their inverse form is
used in decryption
• The decryption algorithm is not
identical to the encryption algorithm
• The final round again omits a stage.

38
Rijndael Key Expansion

39
 Rijndael Key Expansion
• Starts with the key arranged as
Nk 4-octet columns and
iteratively generates the next Nk
columns of the expanded key.
• SubWord() takes a 4-byte input
and applies the S-box to each of
the 4 bytes to produce an output
word.
• RotWord() takes a word
[a0a1a2a3] as input and performs
a cyclic permutation on it,
returning [a1a2a3a0]

40
 Some Other Symmetric Block Ciphers
• Serpent
– An AES finalist – conservative; slower than Rijndael
• Blowfish
– Designed by Bruce Schneier; unpatented algorithm; C code in the
public domain; fast; compact; simple; variable key length up to 448
bits.
• Twofish
– AES finalist; Designed by Bruce Schneier et. al. from Counterpane
Systems; 128-bit block; 128-, 192-, or 256-bit key; 16 rounds
• RC5
– Designed by Ron Rivest (of RSA fame); variable block size,
variable key size, and variable number of rounds

41