Debre Makos Univesity

Department of Computer
Science
Computer Security
Chapter Three
Continued...
Advanced Encryption Standards
(AES)
 Advanced Encryption Standards (AES)

• The crucial problem with DES is that the key length of 56 bits is susceptible to an exhaustive
key search.
• Special-purpose DES crackers have been built that can recover DES keys in a matter of hours,
and distributed attacks using volunteer computers on the Internet have succeeded in finding
DES keys.
• The Advanced Encryption Standard (AES) was published by the National Institute of
Standards and Technology (NIST) in 2001.
• Originally called Rijndael (pronounced as “rain doll”), the cipher was developed by two
Belgian cryptographers, Dr. Joan Daemen and Dr. Vincent Rijmen.
• Similarly to DES, AES encrypts plaintext in a series of rounds, involves the use of a key and
block sizes, and leverages substitution and permutation boxes. It differs from DES in the
following respects:
 It supports 128-bit block sizes.
 The key schedule is based on the S-box.
 It is not based on a Feistel cipher.
 It is extremely complex

• It is currently one of the most popular of encryption standards and, for people involved in any
security work.
• AES is a symmetric block cipher that is intended to supersede/replace DES.
• Since AES algorithm is not a Feistel cipher, in order to decrypt, the AES operations must be
invertible.
• Also unlike DES, the AES algorithm has a highly mathematical structure.
 Overview of the Algorithm
• AES encrypts and decrypts a data block size of 128 bits. Key lengths can be 128 bits, 192 bits,
or 256 bits;
• The algorithm is referred to as AES-128, AES-192, or AES-256, depending on the key length.
• AES-128 uses 10 rounds, AES-192 uses 12 rounds, and AES-256 uses 14 rounds.
• However, the round key, which are generated by the key expansion algorithm are always 128
bits, the same size as plaintext or cipher text blocks.
• The input to encryption and decryption algorithms is 128-bit block.
• This block is depicted as a square matrix of bytes. This block is copied into the State array,
which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix.
• These operations are shown in AES’s data structure figure (a).
• Similarly, the key is depicted as a square matrix of bytes. This key is then expanded into an
array of key schedule words. Figure (b) shows the expansion for the 128-bit key. Each word is
four bytes, and the total key schedule is 44 words for the 128-bit key.
• Note that the ordering of bytes within a matrix is by column. So, for example, the first four
bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in
matrix, the second four bytes occupy the second column, and so on.
• Similarly, the first four bytes of the expanded key, which form a word, occupy the first column
of the w matrix.
• The cipher consists of rounds, where the number of rounds depends on the key length:
 10 rounds for a 16-byte key,
 12 rounds for a 24-byte key, and
 14 rounds for a 32-byte key.
• The first n-1 rounds consist of four distinct transformation functions:
• SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
• The final round, nth round, contains only three transformations, and there is a initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0.
• Each transformation takes one or more 4x4 matrices as input and produces a 4x4 matrix as
output.
• Also, the key expansion function generates N+1 round keys, each of which is a distinct 4x4
matrix.
• Each round key serve as one of the inputs to the AddRoundKey transformation in each round.
 A
E
S

E
n
c
F r
i y
g p
u ti
r o
e n

P
r
o
c
es
s
Figure: AES Data structure

Table: AES Parameters

• The number of round keys generated by the key expansion algorithm is always one more than
the number of rounds. Thus,
Number of round keys= Nr + 1

• We refer to the round keys as N1, N2, …, Nr.

Data Units in AES
• AES uses 5 units of measurements to refer to data:
i. Bits: Bit is a binary digit having a value of 0 or 1.
ii. Bytes: The basic unit for processing in AES algorithm is a byte, a sequence of 8 bits
treated as a single entity, a row matrix (1×8) or a column matrix (8×1) of 8 bits.
• The input, output & Cipher Key bit sequences are processed as arrays of bytes.
• For an input, output or Cipher Key denoted by a, the bytes in the resulting array will be
referenced using one of the two forms, an or a[n], where n will be in one of the following
ranges:
Key length = 128 bits, 0 ≤ n < 16
Key length = 192 bits, 0 ≤ n < 24;
Key length = 256 bits, 0 ≤ n < 32.

• All byte values in the AES algorithm will be presented as the concatenation of its individual bit
values (0 or 1) between braces in the order {b7, b6, b5, b4, b3, b2, b1, b0}.
• These bytes are interpreted as finite field elements using a polynomial representation:
b7 x7 + b6 x6 + b5 x5 + b4 x4 + b3x3 + b2 x2 + b1x1 + b0
• For example, {01100011} identifies the specific finite field element
x6 + x5 + x +1.
• Byte values can also be represented using hexadecimal notation with each of two groups of
four bits being denoted by a single character as in the following:
Bit pattern Character
0000 0 0100 4 1000 8 1100 c
0001 1 0101 5 1001 9 1101 d
0010 2 0110 6 1010 a 1110 e
0011 3 0111 7 1011 b 1111 f
Hence the element {0110 0011} can be represented as {63}.
 Arrays of Bytes: Arrays of bytes will be represented in the following form: a0 a1 a2 ...a15.
 The bytes and the bit ordering within bytes are derived from the 128-bit input sequence:
input0 input1 input2 … input126 input127
as follows: a0 = {input0, input1, …, input7};
a1 = {input8, input9, …, input15};
…
a15 = {input120, input121, …, input127}.
 iii. Words:

• A word is a group of 32 bits that can be treated as a single entity, a row matrix of 4 bytes, or a
column matrix of 4 bytes.
iv. Blocks:
• AES encrypts and decrypts data blocks. A block in AES is a group of 128 bits.
• However, a block can be represented as a row matrix of 16 bytes.
v. States:
• AES uses the term data block at the beginning and end of the cipher; before and after each
stage, the data block is referred to as state.
• AES algorithm’s operations are performed on a two-dimensional array of bytes called the
State.
• The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length
 The State as an Array of Bytes
• In the State array denoted by the symbol s, each individual byte has two indices, with its row
number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb.

• This allows an individual byte of the State to be referred to as either sr,c or s[r,c].

• For this standard, Nb=4, i.e., 0 ≤ c < 4.

• At the start of the Cipher and Inverse Cipher, the input, the array of bytes in0, in1, … in15, is
copied into the State array as illustrated in the following:
input bytes State array output bytes
in0 in4 in8 in12 s0,0 s0,1 s0,2 s0,3 out0 out4 out8 out12

in1 in5 in9 in13 -> s1,0 s1,1 s1,2 s1,3 -> out1 out5 out9 out13

in2 in6 in10 in14 s2,0 s2,1 s2,2 s2,3 out2 out6 out10 out14
• Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the
State array according to the scheme:
s[r, c] = in[r + 4c]
for 0 ≤ r < 4 and 0 ≤ c < Nb,
and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as
follows:
out[r + 4c] = s[r, c]
for 0 ≤ r < 4 and 0 ≤ c < Nb.
• On encryption, the first 4 bytes of plaintext are copied to the first column of State, & so on.
• The four bytes in each column of the State array form 32-bit words, where the row number r
provides an index for the four bytes within each word.
• The state can hence be interpreted as a one-dimensional array of 32 bit words (columns),
w0,...,w3, where the column number c provides an index into this array.
• Hence, for the following example, the State can be considered as an array of four words, as
follows:
w0 = s0,0 s1,0 s2,0 s3,0 w2 = s0,2 s1,2 s2,2 s3,2

w1 = s0,1 s1,1 s2,1 s3,1 w3 = s0,3 s1,3 s2,3 s3,3

  Algorithm Specification
• For the AES algorithm, the length of the input block, the output block and the State is 128 bits.
• This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns)
in the State.
• For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits.
• The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words
(number of columns) in the Cipher Key.
• For the AES algorithm, the number of rounds to be performed during the execution of the
algorithm is dependent on the key size. The number of rounds is represented by Nr, where

Nr = 10 when Nk = 4,

Nr = 12 when Nk = 6, and
• The only Key-Block-Round combinations that conform to this standard are given in the
following:
Key Length (Nk words) Block Size (Nb words) Number of Rounds (Nr).
AES-128 4 4 10
AES-192 6 4 12
AES-256 8 4 14
 Detailed Structure of AES

• The following figure shows the AES cipher in more detail, indicating the sequence of
transformations in each round and showing the corresponding decryption function.
• The encryption proceeds down the page and decryption proceeding up the page. Before delving
into details, we can make several comments about the overall AES structure:
1) One remarkable feature of this structure is that it is not a Feistel structure.
In Feistel structure, half of the data block is used to modify the other half of the data block
and then the halves are swapped.
• AES instead processes the entire data block as a single matrix during each round using
substitutions and permutation.
2) The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i].
• Four distinct words (128 bits) serve as a round key for each round; these are indicated in
the following figure too.
3) Four different stages are used, one of permutation and three of substitution:
 Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
 Shift Rows: A simple permutation that is performed by row by row
 Mix Columns: A substitution that alters each byte in a column as a function of all of the
bytes in the column.
 Add Round Key: A bitwise XOR of the current block with a portion of expanded key
A A
E E
S S

E D
N E
C C
R R
Y Y
P P
T T
I I
O O
N N
4) The structure is quite simple. For both encryption and decryption, the cipher begins with an
Add Round Key stage, followed by nine rounds that each includes all four stages, followed by a
tenth round of three stages.
5) Only the Add Round Key stage makes use of the key. For this reason, the cipher begins and
ends with an Add Round Key stage.
6) The Add Round Key stage by itself would not be formidable. The other three stages together
provide confusion, diffusion, and nonlinearity, but by themselves would provide no security
because they do not use the key.
We can view the cipher as alternating operations of XOR encryption (Add Round Key) of a
block, followed by scrambling of the block (the other three stages), followed by XOR
encryption, and so on. This scheme is both efficient and highly secure.
7) Each stage is easily reversible. For the Substitute Byte, Shift Rows, and Mix Columns stages,
an inverse function is used in the decryption algorithm.
For the Add Round Key stage, the inverse is achieved by XORing the same round key to the
block.

Figure: AES Encryption round

8) As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse

order.

9) Once it is established that all four stages are reversible, it is easy to verify that decryption does

recover the plaintext.

10) The final round of both encryption and decryption consists of only three stages.
 AES TRANSFORMATION FUNCTIONS
• For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is
composed of four different byte-oriented transformations:
1) byte substitution using a substitution table (S-box),
2) shifting rows of the State array by different offsets,
3) mixing the data within each column of the State array, and
4) adding a Round Key to the State.
• We now turn to a discussion of each of the four transformations used in AES. For each stage,
we describe the forward (encryption) algorithm, and the inverse (decryption) algorithm for the
stage.
 AES TRANSFORMATION FUNCTIONS: Substitute Bytes
• The forward substitute byte transformation, called SubBytes, is a simple table lookup. AES
defines a matrix of byte values, called an S-box, that contains a permutation of all possible
256 8-bit values.
• The SubBytes() transformation is a non-linear byte substitution that operates independently on
each byte of the State using a substitution table (S-box).
• Each individual byte of State is mapped into a new byte in the following way:
 The leftmost 4 bits of the byte are used as a row value and
 The rightmost 4 bits are used as a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output
value.
• The following Figure illustrates the effect of the SubBytes()transformation on the State:

• In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup
table, S; bij = S(aij) The S-box used in the SubBytes()transformation is presented in
hexadecimal form in the following table.
• For example, if a1,1 = {53}, then the substitution value would be determined by the intersection

of the row with index ‘5’ and the column with index ‘3’. This would result in b11 having a
value of {ED}.
• The hexadecimal value {95} references row 9, column 5 of the S-box, which contains the
 T
a
b
l
e
:
A
E
S

S
-
B
o
x

Here is an example of the

SubBytes transformation
• The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box
shown in the following table. Note, for example, that the input {2A} produces the output
{95} , and the input {95} to the S-box produces {2A}.

Table: AES
Inverse S-Box
 AES TRANSFORMATION FUNCTIONS: ShiftRows
• The forward shift row transformation, called ShiftRows, is depicted in the following figure.
The ShiftRow operation is a simple cyclic shift of the bytes in each row of the 4 × 4 byte array.
• The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row
by a certain offset.

♥ This operation is given by

 The first row of State is not altered.
 For the second row, a 1-byte circular left shift is performed.
 For the third row, a 2-byte circular left shift is performed.
 For the fourth row, a 3-byte circular left shift is performed.
• The following is an example of ShiftRows.

• For blocks of sizes 128 and 192 bits, the shifting pattern is the same. Row n is shifted left
circular by n-1 bytes.
• In this way, each column of the output state of the ShiftRows step is composed of bytes from
each column of the input state.
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows.
 First row is not affected
 a 1-byte circular right shift for the second row,
 a 2-byte circular right shift for the third row and
 a 3-byte circular right shift for the fourth row.
 AES TRANSFORMATION FUNCTIONS: MixColumns

• The forward mix column transformation, called MixColumns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four
bytes in that column.
• In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).
• In the MixColumns step, the four bytes of each column of the state are combined using an
invertible linear transformation.
• During this operation, each column is multiplied by the known matrix, the matrix for the 128-
bit key is
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
The transformation can be defined by the following matrix multiplication on State:
• Each element in the product matrix is the sum of products of elements of one row and one
column. In this case, the individual additions and multiplications are performed in GF(2 8). The
MixColumns transformation on a single column of State can be expressed as

♥The multiplication operation is defined as:

 multiplication by 1 means no change,
 multiplication by 2 means shifting to the left, and
 multiplication by 3 means shifting to the left and then performing XOR with the initial
unshifted value.
♥The following is an example of MixColumns:

• Let us verify the first column of this example. In GF(2 8), addition is the bitwise XOR operation
and that multiplication can be performed according to the previous rule. In particular,
multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift followed
by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value (prior to
the shift) is 1.
• Thus, to verify the MixColumns transformation on the first column, we need to show that
({02}.{87}) ⊕ ({03}.{6E}) ⊕ {46} ⊕ {A6} ={47}
{87} ⊕ ({02}.{6E}) ⊕ ({03}.{46}) ⊕ {A6} ={37}
{87} ⊕ {6E} ⊕ ({02}.{46}) ⊕ ({03}.{A6}) ={94}
({03}.{87}) ⊕ {6E} ⊕ {46} ⊕ ({02}.{A6}) ={ED}
♥For the first equation, we have
{02}.{87} =(0001 0101)
({03}.{6E} = (1011 0010)
Then
{02}.{87} = 0001 0101
{03}.{6E} = 1011 0010
{46} = 0100 0110
{A6} = 1010 0110
0100 0111 = {47}
The other equations can be similarly verified.
• The inverse mix column transformation, called InvMixColumns, is defined by the following
matrix multiplication:

We need to show

which is equivalent to showing

• That is, the inverse transformation matrix times the forward transformation matrix equals the
identity matrix. To verify the first column of the above equation, we need to show
({0E}.{02}) ⊕ {0B} ⊕ {0D} ⊕ ({09}.{03}) ={01}
({09}.{02}) ⊕ {0E} ⊕ {0B} ⊕ ({0D}.{03}) ={00}
({0D}.{02}) ⊕ {09} ⊕ {0E} ⊕ ({0B}.{03}) ={00}
({0B}.{02}) ⊕ {0D} ⊕ {09} ⊕ ({0E}.{03}) ={00}

For the first equation, we have

{0E}.{02} = 0001 1100
{09}.{03} = {09} ⊕ ({09}.{02}) =00001001 ⊕ 00010010 = 0001 1011

Then {0E}.{02} = 0001 1100

{0B} = 0000 1011
{0D} = 0000 1101
{09}.{03} = 0001 1011
0000 0001

The other equations can be similarly verified.

 AES TRANSFORMATION FUNCTIONS: AddRoundKey
• In the forward add round key transformation, called AddRoundKey, the 128 bits of State are
bitwise XORed with the 128 bits of the round key.

• In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey
using the XOR operation, i.e, the subkey is combined with the state.
• For each round, a subkey is derived from the main key using Rijndael's key schedule; each
subkey is the same size as the state.
• The following is an example of AddRoundKey:

• The first matrix is State, and the second matrix is the round key.
• The inverse add round key transformation is identical to the forward add round key
transformation, because the XOR operation is its own inverse.
 k s!
ha n
ny T
Ma