DEBRE MARKOS UNIVERSITY

BURIE CAMPUS
DEPARTMENT OF COMPUTER SCIENCE
Computer Security
By:
Amare W.

1
 2

Chapter 3: continued

Advanced Encryption Standards (AES)

♥ The crucial problem with DES is that the key length of 56 bits
is susceptible to an exhaustive key search.
♥ Special-purpose DES crackers have been built that can recover
DES keys in a matter of hours, and distributed attacks using
volunteer computers on the Internet have succeeded in finding
DES keys.
♥ The Advanced Encryption Standard (AES) was published by
the National Institute of Standards and Technology (NIST) in
2001.
 3 01/27/2025

♥ Originally called Rijndael (pronounced as “rain doll”), the cipher

was developed by two Belgian cryptographers, Dr. Joan Daemen
and Dr. Vincent Rijmen.
♥ Similarly to DES, AES encrypts plaintext in a series of rounds,
involves the use of a key and block sizes, and leverages
substitution and permutation boxes. It differs from DES in the
following respects:
 It supports 128-bit block sizes.
 The key schedule is based on the S-box.
 It is not based on a Feistel cipher. 3/2/2018

 It is extremely complex
 4 01/27/2025

♥ It is currently one of the most popular of encryption standards

and, for people involved in any security work.
♥ AES is a symmetric block cipher that is intended to
supersede/replace DES.
♥ Since AES algorithm is not a Feistel cipher, in order to decrypt,
the AES operations must be invertible.
♥ Also unlike DES, the AES algorithm has a highly mathematical
structure.
3/2/2018
 5 01/27/2025

Overview of the Algorithm

♥ AES encrypts and decrypts a data block size of 128 bits. Key
lengths can be 128 bits, 192 bits, or 256 bits;
♥ The algorithm is referred to as AES-128, AES-192, or AES-
256, depending on the key length.
♥ AES-128 uses 10 rounds, AES-192 uses 12 rounds, and AES-
256 uses 14 rounds.
♥ However, the round key, which are generated by the key
expansion algorithm are always 128 bits, the same size as
3/2/2018

plaintext or cipher text blocks.

 6 01/27/2025

♥ The input to encryption and decryption algorithms is 128-bit block.

♥ This block is depicted as a square matrix of bytes. This block is
copied into the State array, which is modified at each stage of
encryption or decryption.
♥ After the final stage, State is copied to an output matrix. These
operations are shown in AES’s data structure figure (a).
♥ Similarly, the key is depicted as a square matrix of bytes. This key is
then expanded into an array of key schedule words. Figure (b) shows
the expansion for the 128-bit key. Each word is four bytes, and the
3/2/2018
total key schedule is 44 words for the 128-bit key.
 7 01/27/2025

♥ Note that the ordering of bytes within a matrix is by column. So,

for example, the first four bytes of a 128-bit plaintext input to the
encryption cipher occupy the first column of the in matrix, the
second four bytes occupy the second column, and so on.
♥ Similarly, the first four bytes of the expanded key, which form a
word, occupy the first column of the w matrix.
♥ The cipher consists of rounds, where the number of rounds
depends on the key length:
 10 rounds for a 16-byte key,
 12 rounds for a 24-byte key, and 3/2/2018

 14 rounds for a 32-byte key.

 8 01/27/2025

♥ The first n-1 rounds consist of four distinct transformation functions:

SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are
described subsequently.
♥ The final round, nth round, contains only three transformations, and there is
a initial single transformation (AddRoundKey) before the first round,
which can be considered Round 0.
♥ Each transformation takes one or more 4x4 matrices as input and produces
a 4x4 matrix as output.
♥ Also, the key expansion function generates N+1 round keys, each of
3/2/2018
which is a distinct 4x4 matrix. Each round key serve as one of the inputs to
the AddRoundKey transformation in each round.
 9 01/27/2025
A
E
S

E
n
F c
i r
g y
u p
r t
e i
o
n

P
r
o
c
3/2/2018
e
s
s
 10 01/27/2025

Figure: AES Data structure

3/2/2018

Table: AES Parameters

 11 01/27/2025

♥ The number of round keys generated by the key expansion

algorithm is always one more than the number of rounds.
Thus,
Number of round keys= Nr + 1
• We refer to the round keys as N1, N2, …, Nr.
Data Units in AES
• AES uses 5 units of measurements to refer to data:

i. Bits: Bit is a binary digit having a value of 0 or 1.

ii. Bytes: The basic unit for processing in AES algorithm is a
byte, a sequence of 8 bits treated as a single entity, a row matrix
3/2/2018
(1×8) or a column matrix (8×1) of 8 bits.
 12 01/27/2025

♥ The input, output & Cipher Key bit sequences are

processed as arrays of bytes.
♥ For an input, output or Cipher Key denoted by a, the
bytes in the resulting array will be referenced using
one of the two forms, an or a[n], where n will be in one
of the following ranges:
Key length = 128 bits, 0 ≤ n < 16
Key length = 192 bits, 0 ≤ n < 24; 3/2/2018

Key length = 256 bits, 0 ≤ n < 32.

 13 01/27/2025

♥ All byte values in the AES algorithm will be presented as the

concatenation of its individual bit values (0 or 1) between braces in
the order {b7, b6, b5, b4, b3, b2, b1, b0}.

♥ These bytes are interpreted as finite field elements using a polynomial

representation:
b7 x7 + b6 x6 + b5 x5 + b4 x4 + b3x3 + b2 x2 + b1x1 + b0

♥ For example, {01100011} identifies the specific finite field element

x6 + x5 + x +1.
♥ Byte values can also be represented using hexadecimal notation with
3/2/2018
each of two groups of four bits being denoted by a single character as
in the following:
 14 01/27/2025

Bit pattern Character

0000 0 0100 41000 81100 c
0001 1 0101 51001 91101 d
0010 2 0110 61010 a 1110 e
0011 3 0111 71011 b1111 f
Hence the element {0110 0011} can be represented as {63}.

Arrays of Bytes: Arrays of bytes will be represented in the following form: a0 a1 a2

...a15. The bytes and the bit ordering within bytes are derived from the 128-bit input
sequence:
input0 input1 input2 … input126 input127
as follows: a0 = {input0, input1, …, input7};
a1 = {input8, input9, …, input15};
3/2/2018
…
a15 = {input120, input121, …, input127}.
 15 01/27/2025

iii. Words:
♥ A word is a group of 32 bits that can be treated as a single entity, a row
matrix of 4 bytes, or a column matrix of 4 bytes.
iv. Blocks:
♥ AES encrypts and decrypts data blocks. A block in AES is a group of 128
bits. However, a block can be represented as a row matrix of 16 bytes.
v. States:
♥ AES uses the term data block at the beginning and end of the cipher; before
and after each stage, the data block is referred to as state.
♥ AES algorithm’s operations are performed on a two-dimensional array of
bytes called the State.
3/2/2018
♥ The State consists of four rows of bytes, each containing Nb bytes, where Nb
is the block length divided by 32.
 16 01/27/2025

The State as an Array of Bytes

♥ In the State array denoted by the symbol s, each individual byte has two indices, with
its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb.

♥ This allows an individual byte of the State to be referred to as either sr,c or s[r,c]. For

this standard, Nb=4, i.e., 0 ≤ c < 4.

♥ At the start of the Cipher and Inverse Cipher, the input, the array of bytes in0, in1, …

in15, is copied into the State array as illustrated in the following:

input bytes State array output bytes
in0 in4 in8 in12 s0,0 s0,1 s0,2 s0,3 out0 out4 out8 out12
in1 in5 in9 in13 -> s1,0 s1,1 s1,2 s1,3 -> out1 out5 out9 out13
in2 in6 in10 in14 s2,0 s2,1 s2,2 s2,3 out2 out6 out10 out14
in3 in7 in11 in15 s3,0 s3,1 s3,2 s3,3 out3 out7 out11 out15

3/2/2018
 17 01/27/2025

♥ Hence, at the beginning of the Cipher or Inverse Cipher, the input

array, in, is copied to the State array according to the scheme:
s[r, c] = in[r + 4c]
for 0 ≤ r < 4 and 0 ≤ c < Nb,

and at the end of the Cipher and Inverse Cipher, the State is copied
to the output array out as follows:

out[r + 4c] = s[r, c]

for 0 ≤ r < 4 and 0 ≤ c < Nb.

♥ On encryption, the first 4 bytes of plaintext are copied to the first

3/2/2018
column of State, & so on.
 18 01/27/2025

♥ The four bytes in each column of the State array form 32-bit
words, where the row number r provides an index for the four
bytes within each word.
♥ The state can hence be interpreted as a one-dimensional array of
32 bit words (columns), w0,...,w3, where the column number c
provides an index into this array.
♥ Hence, for the following example, the State can be considered as
an array of four words, as follows:
w0 = s0,0 s1,0 s2,0 s3,0 w2 = s0,2 s1,2 s2,2 s3,2 3/2/2018

w1 = s0,1 s1,1 s2,1 s3,1 w3 = s0,3 s1,3 s2,3 s3,3

 19 01/27/2025

….cont’d
 Algorithm Specification
♥ For the AES algorithm, the length of the input block, the output
block and the State is 128 bits.

♥ This is represented by Nb = 4, which reflects the number of 32-bit

words (number of columns) in the State. For the AES algorithm,
the length of the Cipher Key, K, is 128, 192, or 256 bits.

♥ The key length is represented by Nk = 4, 6, or 8, which reflects

the number of 32-bit words (number of columns) in the Cipher
Key. 3/2/2018
 20 01/27/2025

♥ For the AES algorithm, the number of rounds to be performed

during the execution of the algorithm is dependent on the key size.
The number of rounds is represented by Nr, where
Nr = 10 when Nk = 4,
Nr = 12 when Nk = 6, and
Nr = 14 when Nk = 8.

♥ The only Key-Block-Round combinations that conform to this

standard are given in the following:

Key Length (Nk words) Block Size (Nb words) Number of Rounds (Nr)
AES-128 4 4 10 3/2/2018
AES-192 6 4 12
 21 01/27/2025

Detailed Structure of AES

♥ The following figure shows the AES cipher in more detail,

indicating the sequence of transformations in each round and
showing the corresponding decryption function.
♥ The encryption proceeds down the page and decryption
proceeding up the page. Before delving into details, we can
make several comments about the overall AES structure:
1) One remarkable feature of this structure is that it is not a
Feistel structure. In Feistel structure, half of the data block is
3/2/2018
used to modify the other half of the data block and then the
halves are swapped.
 22 01/27/2025

♥ AES instead processes the entire data block as a single matrix

during each round using substitutions and permutation.
♥ 2) The key that is provided as input is expanded into an array
of forty-four 32-bit words, w[i].
♥ Four distinct words (128 bits) serve as a round key for each
round; these are indicated in the following figure too.

3/2/2018
 23 01/27/2025

3) Four different stages are used, one of permutation and three of

substitution:
 Substitute bytes: Uses an S-box to perform a byte-by-byte
substitution of the block
 Shift Rows: A simple permutation that is performed by row by
row
 Mix Columns: A substitution that alters each byte in a column
as a function of all of the bytes in the column.
 Add Round Key: A bitwise XOR of the current block with a
portion of expanded key
3/2/2018
 24 01/27/2025

A
A
E
E
S
S

E
D
N
E
C
C
R
R
Y
Y
P
P
T
T
I
I
O
O
N
N
3/2/2018
 25 01/27/2025

4) The structure is quite simple. For both encryption and decryption,

the cipher begins with an Add Round Key stage, followed by nine
rounds that each includes all four stages, followed by a tenth round of
three stages.

5) Only the Add Round Key stage makes use of the key. For this
reason, the cipher begins and ends with an Add Round Key stage.

6) The Add Round Key stage by itself would not be formidable. The
other three stages together provide confusion, diffusion, and
nonlinearity, but by themselves would provide no security because
3/2/2018

they do not use the key.

 26 01/27/2025

We can view the cipher as alternating operations of XOR

encryption (Add Round Key) of a block, followed by scrambling of
the block (the other three stages), followed by XOR encryption, and
so on. This scheme is both efficient and highly secure.

7) Each stage is easily reversible. For the Substitute Byte, Shift

Rows, and Mix Columns stages, an inverse function is used in the
decryption algorithm.

For the Add Round Key stage, the inverse is achieved by XORing
the same round key to the block. 3/2/2018
 27 01/27/2025

3/2/2018

Figure: AES Encryption round

 28 01/27/2025

8) As with most block ciphers, the decryption algorithm makes

use of the expanded key in reverse order.

9) Once it is established that all four stages are reversible, it is

easy to verify that decryption does recover the plaintext.

10) The final round of both encryption and decryption consists of

only three stages.

3/2/2018
 29 01/27/2025

AES TRANSFORMATION FUNCTIONS

♥ For both its Cipher and Inverse Cipher, the AES algorithm uses a
round function that is composed of four different byte-oriented
transformations:
1) byte substitution using a substitution table (S-box),
2) shifting rows of the State array by different offsets,
3) mixing the data within each column of the State array, and
4) adding a Round Key to the State.
♥ We now turn to a discussion of each of the four transformations
used in AES. For each stage, we describe the forward
(encryption) algorithm, and the inverse (decryption) algorithm
3/2/2018

for the stage.

 30 01/27/2025

AES TRANSFORMATION FUNCTIONS: Substitute Bytes

♥ The forward substitute byte transformation, called SubBytes, is a simple table

lookup. AES defines a matrix of byte values, called an S-box, that contains a
permutation of all possible 256 8-bit values.
♥ The SubBytes() transformation is a non-linear byte substitution that operates
independently on each byte of the State using a substitution table (S-box).
♥ Each individual byte of State is mapped into a new byte in the following
way:
 The leftmost 4 bits of the byte are used as a row value and
 The rightmost 4 bits are used as a column value.

♥ These row and column values serve as indexes into the S-box to select a
unique 8-bit output value. 3/2/2018
 31 01/27/2025

♥ The following Figure illustrates the effect of the SubBytes()transformation on the State:

♥ In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit
lookup table, S; bij = S(aij) The S-box used in the SubBytes()transformation is presented
in hexadecimal form in the following table.
♥ For example, if a1,1 = {53}, then the substitution value would be determined by the
intersection of the row with index ‘5’ and the column with index ‘3’. This would result
in b11 having a value of {ED}.
3/2/2018
♥ The hexadecimal value {95} references row 9, column 5 of the S-box, which contains
the value. Accordingly, the value {95} is mapped into the value {2A}.
 32 01/27/2025

T
a
b
l
e
:
A
E
S

S
-
B
o
x

Here is an example of the 3/2/2018

SubBytes transformation
 33 01/27/2025

♥ The inverse substitute byte transformation, called InvSubBytes,

makes use of the inverse S-box shown in the following table. Note,
for example, that the input {2A} produces the output {95} , and the
input {95} to the S-box produces {2A}.

Table: AES
Inverse S-Box

3/2/2018
 34 01/27/2025

AES TRANSFORMATION FUNCTIONS: ShiftRows

♥ The forward shift row transformation, called ShiftRows, is depicted in the

following figure. The ShiftRow operation is a simple cyclic shift of the bytes in
each row of the 4 × 4 byte array.
♥ The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes
in each row by a certain offset.

♥ This operation is given by

 The first row of State is not altered.
 For the second row, a 1-byte circular left shift is performed.
3/2/2018
 For the third row, a 2-byte circular left shift is performed.
 For the fourth row, a 3-byte circular left shift is performed.
 35 01/27/2025

♥ The following is an example of ShiftRows.

♥ For blocks of sizes 128 and 192 bits, the shifting pattern is the same. Row n is
shifted left circular by n-1 bytes.
♥ In this way, each column of the output state of the ShiftRows step is composed of
bytes from each column of the input state.
♥ The inverse shift row transformation, called InvShiftRows, performs the circular
shifts in the opposite direction for each of the last three rows.
 First row is not affected
 a 1-byte circular right shift for the second row,
3/2/2018
 a 2-byte circular right shift for the third row and
 a 3-byte circular right shift for the fourth row.
 36 01/27/2025

AES TRANSFORMATION FUNCTIONS: MixColumns

♥ The forward mix column transformation, called MixColumns,

operates on each column individually. Each byte of a column is
mapped into a new value that is a function of all four bytes in that
column.
♥ In the MixColumns step, each column of the state is multiplied with a
fixed polynomial c(x).
♥ In the MixColumns step, the four bytes of each column of the state are
combined using an invertible linear transformation.

3/2/2018
 37 01/27/2025

♥ During this operation, each column is multiplied by the known

matrix, the matrix for the 128-bit key is
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
The transformation can be defined by the following matrix
multiplication on State:

3/2/2018
 38

♥ Each element in the product matrix is the sum of products of

elements of one row and one column. In this case, the individual
additions and multiplications are performed in GF(2 8). The
MixColumns transformation on a single column of State can be
expressed as

♥ The multiplication operation is defined as:

 multiplication by 1 means no change,
 multiplication by 2 means shifting to the left, and
 multiplication by 3 means shifting to the left 3/2/2018
and then
performing XOR with the initial unshifted value.
 39 01/27/2025

♥ The following is an example of MixColumns:

♥ Let us verify the first column of this example. In GF(28), addition is the bitwise
XOR operation and that multiplication can be performed according to the
previous rule. In particular, multiplication of a value by x (i.e., by {02}) can be
implemented as a 1-bit left shift followed by a conditional bitwise XOR with
(0001 1011) if the leftmost bit of the original value (prior to the shift) is 1.
♥ Thus, to verify the MixColumns transformation on the first column, we need to
show that
({02}.{87}) ⊕ ({03}.{6E}) ⊕ {46} ⊕ {A6} ={47}
{87} ⊕ ({02}.{6E}) ⊕ ({03}.{46}) ⊕ {A6} ={37}
3/2/2018
{87} ⊕ {6E} ⊕ ({02}.{46}) ⊕ ({03}.{A6}) ={94}
({03}.{87}) ⊕ {6E} ⊕ {46} ⊕ ({02}.{A6}) ={ED}
 40 01/27/2025

♥ For the first equation, we have

{02}.{87} =(0001 0101)
({03}.{6E} = (1011 0010)
 Then
{02}.{87} = 0001 0101
{03}.{6E} = 1011 0010
{46} = 0100 0110
{A6} = 1010 0110
0100 0111 = {47}
 The other equations can be similarly 3/2/2018

verified.
 41 01/27/2025

♥ The inverse mix column transformation, called InvMixColumns, is

defined by the following matrix multiplication:

We need to show

which is equivalent to showing

3/2/2018
 42 01/27/2025

♥ That is, the inverse transformation matrix times the forward transformation matrix
equals the identity matrix. To verify the first column of the above equation, we
need to show
({0E}.{02}) ⊕ {0B} ⊕ {0D} ⊕ ({09}.{03}) ={01}
({09}.{02}) ⊕ {0E} ⊕ {0B} ⊕ ({0D}.{03}) ={00}
({0D}.{02}) ⊕ {09} ⊕ {0E} ⊕ ({0B}.{03}) ={00}
({0B}.{02}) ⊕ {0D} ⊕ {09} ⊕ ({0E}.{03}) ={00}
For the first equation, we have
{0E}.{02} = 0001 1100
{09}.{03} = {09} ⊕ ({09}.{02}) =00001001 ⊕ 00010010 = 0001 1011
Then {0E}.{02} = 0001 1100
{0B} = 0000 1011
{0D} = 0000 1101
{09}.{03} = 0001 1011 3/2/2018

0000 0001
The other equations can be similarly verified.
 43 01/27/2025

AES TRANSFORMATION FUNCTIONS: AddRoundKey

♥ In the forward add round key transformation, called AddRoundKey,

the 128 bits of State are bitwise XORed with the 128 bits of the
round key.

♥ In the AddRoundKey step, each byte of the state is combined with a

byte of the round subkey using the XOR operation, i.e, the subkey is
combined with the state.
♥ For each round, a subkey is derived from the main 3/2/2018
key using
Rijndael's key schedule; each subkey is the same size as the state.
 44 01/27/2025

♥ The following is an example of AddRoundKey:

♥ The first matrix is State, and the second matrix is the round key.
♥ The inverse add round key transformation is identical to the
forward add round key transformation, because the XOR
3/2/2018
operation is its own inverse.
 45

Thank you