Advanced Encryption Standard

(AES)
 INTRODUCTION

The Advanced Encryption Standard (AES) is a

symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST) in
December 2001.
AES Shortlist
after testing and evaluation, shortlist in Aug-99:
 MARS (IBM) - complex, fast, high security margin

 RC6 (USA) - v. simple, v. fast, low security margin

 Rijndael (Belgium) - clean, fast, good security margin

 Serpent (Euro) - slow, clean, v. high security margin

 Twofish (USA) - complex, v. fast, high security margin

then subject to further analysis & comment

saw contrast between algorithms with

 few complex rounds verses many simple rounds

 which refined existing ciphers verses new proposals

AES Requirements
 private key symmetric block cipher
 128-bit data, 128/192/256-bit keys
 stronger & faster than Triple-DES
 active life of 20-30 years (+ archival use)
 provide full specification & design details
 both C & Java implementations
 NIST have released all submissions & unclassified
analyses
 Criteria

Initial criteria:
security – effort for practical cryptanalysis
cost – in terms of computational efficiency
algorithm & implementation characteristics
Final criteria
general security
ease of software & hardware implementation
implementation attacks
flexibility (in encrpt/decrypt, keying, other factors)
Rijndael
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words has 9/11/13 rounds in
which state undergoes:
 byte substitution (1 S-box used on every byte)

 shift rows (permute bytes between groups/columns)

 mix columns (subs using matrix multipy of groups)

 add round key (XOR state with key material)

 view as alternating XOR key & scramble data bytes

 initial XOR key material & incomplete last round

 with fast XOR & table lookup implementation
 Rounds.

AES is a non-Feistel cipher that encrypts and decrypts

a data block of 128 bits. It uses 10, 12, or 14 rounds.
The key size, which can be 128, 192, or 256 bits,
depends on the number of rounds.

Note

AES has defined three versions, with 10, 12,

and 14 rounds.
Each version uses a different cipher key size
(128, 192, or 256), but the round keys are
always 128 bits.
General design of AES encryption cipher
Data Units
Data units used in AES
Block-to-state and state-to-block transformation
Example

Changing plaintext to state

Structure of Each Round
Structure of each round at the encryption site
AES Round
TRANSFORMATIONS

To provide security, AES uses four types of

transformations: substitution, permutation, mixing,
and key-adding.

 Substitution
 Permutation
 Mixing
 Key Adding
 Substitution

AES, like DES, uses substitution. AES uses two

invertible transformations.

SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.

Note

The SubBytes operation involves 16

independent byte-to-byte transformations.
Byte Substitution (SubBytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in
design. The result is in a matrix of four rows and four columns.

Shiftrows

Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall
off’ are re-inserted on the right side of row. Shift is carried out as follows

•First row is not shifted.

•Second row is shifted one (byte) position to the left.
•Third row is shifted two positions to the left.
•Fourth row is shifted three positions to the left.
•The result is a new matrix consisting of the same 16 bytes but shifted with
respect to each other
SubBytes transformation
SubBytes
InvSubBytes
InvSubBytes
 Example

Figure shows how a state is transformed using the SubBytes

transformation. The figure also shows that the InvSubBytes
transformation creates the original one. Note that if the two
bytes have the same values, their transformation is also the
same.

SubBytes transformation for Example

SubBytes and InvSubBytes processes
 Permutation

Another transformation found in a round is shifting,

which permutes the bytes.
ShiftRows
In the encryption, the transformation is called ShiftRows.

ShiftRows transformation
 Example

Figure shows how a state is transformed using ShiftRows

transformation. The figure also shows that InvShiftRows
transformation creates the original state.

ShiftRows transformation in Example

MixColumns
The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.

MixColumns transformation
InvMixColumns
The InvMixColumns transformation is basically the same
as the MixColumns transformation.

Each column of four bytes is now transformed using a special mathematical

function. This function takes as input the four bytes of one column and outputs
four completely new bytes, which replace the original column. The result is
another new matrix consisting of 16 new bytes. It should be noted that this step
is not performed in the last round.
 Example

Figure shows how a state is transformed using the

MixColumns transformation. The figure also shows that the
InvMixColumns transformation creates the original one.

Figure The MixColumns transformation in Example

 Key Adding

AddRoundKey
AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word with each state
column matrix; the operation in AddRoundKey is matrix
addition.

The 16 bytes of the matrix are now considered as 128 bits and are XORed to
the 128 bits of the round key. If this is the last round then the output is the
ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we
begin another similar round.
AddRoundKey transformation
KEY EXPANSION

To create round keys for each round, AES uses a key-

expansion process. If the number of rounds is N r , the
key-expansion routine creates Nr + 1 128-bit round
keys from one single 128-bit cipher key.
Words
Key Expansion in AES-128
Key expansion in AES
The key-expansion routine can either use the above
table when calculating the words or use the GF(2 8)
field to calculate the leftmost byte dynamically, as
shown below (prime is the irreducible polynomial):
CIPHERS

AES uses four types of transformations for encryption

and decryption. In the standard, the encryption
algorithm is referred to as the cipher and the
decryption algorithm as the inverse cipher.
Original Design
Ciphers and inverse ciphers of the original design
 7.6.1 Security

AES was designed after DES. Most of the known

attacks on DES were already tested on AES.
Brute-Force Attack
AES is definitely more secure than DES due to the
larger-size key.
Statistical Attacks
Numerous tests have failed to do statistical analysis of
the ciphertext.

Differential and Linear Attacks

There are no differential and linear attacks on AES as
yet.
 Implementation

AES can be implemented in software, hardware, and

firmware. The implementation can use table lookup
process or routines that use a well-defined algebraic
structure.