The Advanced Encryption Standard

- see Susan Landaus paper: Communications security for the

twenty-first century: the advanced encryption standard.
In 1997, the NIST (the National Institute of Standards and
Technology, formerly the NBS) began the process of choosing
a replacement for DES, to be called the Advanced Encryption
Standard (AES).
At that time, triple-DES had become popular, but it was too
slow and the 64-bit block length was too small. (Aside: recall
that double-DES is not much harder to break by brute-force
than DES using a meet-in-the-middle attack.)
AES Requirements
The NIST solicited proposals from the international
community.
The requirements for the algorithms were as follows:
The algorithm must implement private-key cryptography.
The algorithm must be a block cipher.
The algorithm must work on 128-bit blocks and support 3
keys sizes: 128, 192, and 256 bits.
If selected, the algorithm should be available world-wide on
a royalty-free basis.
AES Requirements
Evaluation criteria would be: security, cost, and algorithm and
implementation characteristics.
Submissions were due on June 15, 1998. Of the 21 submissions,
15 fulfilled the AES criteria.
In August 1999, the NIST chose the following 5 finalists:
MARS, RC6, Rijndael, Serpent, and Twofish.
All finalists were felt to be secure. On October 2, 2000,
Rijndael was selected as the AES. You can find short
descriptions of the 5 finalists in Landaus paper, and judge for
yourself
Description of AES
Recall that AES has block length 128, and three allowable key
lengths: 128 bits, 192 bits, and 256 bits.
AES is an iterated cipher. The number of rounds (N) depends
on the key length: N = 10 for 128-bit keys, N = 12 for 192-
bit keys, and N = 14 for 256-bit keys.
Here is a high-level description of AES:
1. Perform operation AddRoundKey, which XORs the round key with the
state.
2. For each of the N rounds:
- perform operation ByteSub (a substitution using an S-box)
- perform operation ShiftRow (a permutation)
- perform operation MixColumn (unless it is the last round)
- perform AddRoundKey.
State
All operations in AES are byte-based.
The state consists of 128 bits = 16 bytes, viewed as a 4x4
array of bytes.
Initially, the 16 bytes of plaintext x
0
, , x
15
are arranged as
follows:
x
15
x
11
x
7
x
3
x
14
x
10
x
6
x
2
x
13
x
9
x
5
x
1
x
12
x
8
x
4
x
0
ByteSub
- operation performs a substitution on each byte
- uses one S-box
S
that maps bytes to bytes (see page 155)
- represented as a 16 x 16 array: for hexadecimal digits X and
Y,
S
(XY) is at position (row X, column Y)
In contrast to the DES S-boxes, the AES S-box can be
defined algebraically. It was designed for resistance against
linear and differential cryptanalysis and it is invertible.
The AES box incorporates operations in the finite field with
2
8
elements:
GF(2
8
) = Z
2
[X] (mod X
8
+X
4
+X
3
+X+1).
What ???
A field is a set containing elements 0 and 1, where 0 1, with
two operations: multiplication and addition. Both operations
are closed, commutative, and associative, and the distributive
law holds. 0 is the additive identity, and 1 is the multiplicative
identity. Every element has an additive inverse.
Every non-zero element has a multiplicative inverse.
Example fields ?
For every prime power p
k
, there is exactly one field with p
k
elements. This field is called GF(p
k
) (Galois field).
We will now see how to construct these fields.
Polynomials
Z
2
[X] is the set of all polynomials with coefficients in Z
2
.
Examples:
Can we add/subtract/multiply elements of Z
2
[X] ?
Is there an additive identity ?
Is there a multiplicative identity ?
Can we divide with remainder ?
Divide X
4
+X
3
+1 by X
2
+X+1,
get quotient: and remainder:
Polynomials
Z
2
[X] is the set of all polynomials with coefficients in Z
2
.
Since X
4
+X
3
+1 divided by X
2
+X+1 equals X
2
+1 with remainder X,
we can write
X
4
+X
3
+1 X (mod X
2
+X+1).
It turns out that Z
2
[X] (mod X
2
+X+1) is the finite field GF(4).
The elements of the field are 0, 1,X, and X+1, and the
operations are addition and multiplication modulo X
2
+X+1.
Irreducible Polynomials
You cannot just use any polynomial to get a field; you must use
an irreducible polynomial.
A polynomial F(X) in Z
2
[X] is irreducible if it doesnt factor
into two polynomials of lower degree.
Z
2
[X] (mod F(X)) is a field if and only if F(X) is irreducible.
Back to AES
Recall ;-)
GF(2
8
) = Z
2
[X] (mod X
8
+X
4
+X
3
+X+1).
Every byte corresponds to a field element and vice versa.
More about the S-box
As mentioned previously, although the S-box is implemented as
a lookup table (see Table 5.1), it has a simple mathematical
description.
View a byte as an element of GF(2
8
). For example, view the
byte 01010011 as the field element X
6
+X
4
+X+1.
Now take the inverse of this field element in GF(2
8
). In our
example, this is X
7
+X
6
+X
3
+X.
How would you compute the inverse?
More about the S-box
Computing the inverse of X
6
+X
4
+X+1 mod X
8
+X
4
+X
3
+X+1:
More about the S-box
S-box mapping of 01010011:
- Compute the inverse of X
6
+X
4
+X+1, get X
7
+X
6
+X^3+X.
- View this element as a bit vector, with the right-most bit in
the top position. In our example, we get the vector
(0,1,0,1,0,0,1,1).
- Multiply this vector by the matrix on page 157, and add
vector (1,1,0,0,0,1,1,0).
- View the resulting vector as a byte (taking the top bit to be
the rightmost bit).
This is the output of the S-box.
In our example, the output is 11101101, which we can verify
with the S-box table.
ShiftRow, MixColumn, Key Schedule
The operation ShiftRow cyclically shifts the elements of the
i-th row i elements to the left.
The operation MixColumn replaces each column of the state by
a new column. This operation uses polynomials over GF(2
8
).
Key Schedule
The book describes the key schedule for 10-round AES, which
used a 128-bit key. We need 11 round keys, each of which
consists of 16 bytes. The key schedule is word oriented. The
concatenation of the 11 round keys is called the expanded key,
and consists of 44 words.
You can find the exact algorithm on page 156/157.