Advanced Encryption Standard

Tennov Simanjuntak
 Origins
• clear a replacement for DES was needed
– have theoretical attacks that can break it
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001

2
 AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions &
unclassified analyses

3
 AES Evaluation Criteria
• initial criteria:
– security – effort for practical cryptanalysis
– cost – in terms of computational efficiency
– algorithm & implementation characteristics
• final criteria
– general security
– ease of software & hardware implementation
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)

4
 AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - v. simple, v. fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - slow, clean, v. high security margin
– Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
– few complex rounds verses many simple rounds
– which refined existing ciphers verses new proposals

5
 The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• Number of rounds can be specified to be 10, 12, or 14
depend on the key length.
• an iterative rather than feistel cipher
– processes data as block of 4 columns of 4 bytes
– operates on entire data block in every round
• designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– design simplicity

6
AES encryption and decryption

7
 AES encryption and decryption
• data block of depicted in 4 x 4 matrix. This
block is copied into state array which is
modified each round of
encryption/decryption.
• The key is expanded into an array of 44 words.
4 distinct words (128 bits) serve as round key
for each round

8
AES data structure

9
 AES encryption and decryption
• 4 different stages are uses, 1 permutation and 3
substitution:
– Substitute byte: use an S-box to perform byte-by-byte
substitution of the block.
– shift rows: simple permutation
– mix columns: substitution that makes use of arithmetic
over GF(28)
– add round key: a simple bitwise XOR of the current block
with round key (a portion of the expanded key).

10
 Byte Substitution
• a simple substitution of each byte
• uses 1 S-Box which is a 16x16 matrix of byte values
containing a permutation of all 256 8-bit values.
• each byte of state is replaced by byte indexed by row
(left 4-bits) & column (right 4-bits)
– eg. byte {95} is replaced by byte in row 9 column 5
– which has value {2A}

11
Byte Substitution

12
S-box

13
Substitute byte

14
 S-box construction (1)
• S-box initialization: initial byte values
according to row and column in ascending
order. E.g 1st row : {00},{01}...{0F}
2nd row: {10},{11}...{1F}
• Map initial byte value to its multiplicative
inverse in GF(28). E.g. {00} map to {00}-1= {00}
{95} map to {95}-1= {8A}
{83} map to {83}-1= {80}
15
 S-box construction (2)
• Consider each byte in S-box labeled (x7, x6 x5 x4 x3 x2 x1
x0). Calculate (y7, y6 y5 y4 y3 y2 y1 y0) using the
following equation:

16
The inverse substitution bytes

17
 Shift rows (1)
• Forward shift rows transformation (forward means
for encryption), called shift rows is shown by figure
below:

18
 Shift rows (2)
• a circular byte shift in each each
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step
permutes bytes between the columns

19
 Shift rows (3)
• The inverse shift row transformation (inverse
means for decryption), called inverse shift
rows, performs the circular shift in the
opposite direction for each of the last three
rows.
– 2nd row does 1 byte circular shift to right.
– 3rd row does 2 byte circular shift to right
– 4th row does 3 byte circular shift to right

20
 Mix Columns
• The forward mix column transformation,
called mix columns, operates on each column
individually.
• Each byte of column is mapped into a new
value that is a function of all four bytes in the
column.
• effectively a matrix multiplication in

21
 Mix columns
• The transformation can be defined by the
following matrix multiplication on state:

• The product matrix operation is done in GF(28)

using irreducible (prime) poly m(x)
=x8+x4+x3+x+1
22
Mix Columns

23
Forward mix columns: example (1)

24
 GF(28) multiplication: revisited (1)
• AES prime poly:
• The technique is based on the observation:

• Now, consider a polynomial in GF(28), which

has the form:

• If we multiply f(x) by x, we have:

25
 GF(2 ) multiplication: revisited (2)
8

• If b7 = 0, then the result is a polynomial of degree <8,

which is already in reduced form (member of set of
polys in GF(28)).
• If b7 = 1, then reduction module m(x) is achieved
using the following equation:

• It follows that multiplication by x (00000010) can be

implemented as a 1-bit left shift followed by bitwise
XOR with (00011011) which represent m(x).
26
 GF(28) multiplication: revisited (3)
• To summarize:

• Multiplication of higher power of x can be achiever

by repeated application of the above equation:

................................
................................

27
 GF(28) multiplication: revisited (4)
• Example:

1. Determine the result of multiplication by powers of x

28
 GF(2 ) multiplication: revisited (5)
8

2. Solve it

29
Forward mix columns: example (2)

30
Forward mix columns: example (3)
• For the first equation:

31
 Mix columns
• decryption requires use of inverse matrix
– with larger coefficients, hence a little harder
• have an alternate characterisation
– each column a 4-term polynomial
– with coefficients in GF(28)
– and polynomials multiplied modulo (x4+1)

32
Inverse mix columns

33
Add Round Key Transformation (1)
• In the forward add round key transformation,
called AddRoundKey, the 128 bits of state is
XORed with 128-bits of the round key
• Operation is viewed as a columnwise operation
between 4 bytes of a state and 1 word of the
round key.
• The inverse add round key transformation is
identical to the forward add round key
transformation because XOR operation is its own
inverse.
34
Add Round Key Transformation (2)

35
Add Round Key Transformation (3)
• Example:

36
 AES Key Expansion (1)
• Takes 128-bit or 16-bytes or 4 words key and expands
into array of 44/52/60 words
• Start by copying key into first 4 words (w0,w1,w2,w3).
• Next, loop for creating w4 – w43 that depends on
immediately preceding word and the word of four
positions back.
• In 3 of 4 cases, a simple XOR is used (words position is
not a multiple of 4).
• If word position is a multiple of 4, more complex
function (g function) is used that comprises:
rotation + S-box + XOR round constant.
37
 AES Key Expansion (2)
• Pseudocode:

38
AES Key Expansion (3)

39
 AES Key Expansion (4)
• The function g:
– RotWord: performs 1 byte circular left-sift. E.g.:
w[b0,b1,b2,b3] w’[b1,b2,b3,b0]
– SubWord performs a byte substitution on each
byte of its input word using S-box
– The result of steps 1 and 2 is XORed with a round
constant, Rcon[j].
• Round constant is a word in which the three
rightmost bytes are always 0.

40
 AES Key Expansion (5)
• Round constant is different for each round and is
defined as:
– Rcon[j]=(RC[j],0,0,0), with RC(1)=01,
RC[j]=2 x RC[j-1] with multiplication defined over
GF(28).

41
 AES Key Expansion (6)
• Example: suppose that the round key for round 8 is:
EAD27321B58DBAD2312BF5607F8D292F
• Then the 1st 4 bytes of the round key for round 9 are
calculate as follow:

42
 Key Expansion Rationale
• designed to resist known attacks
• design criteria included
– knowing part key insufficient to find many more
– invertible transformation
– fast on wide range of CPU’s
– use round constants to break symmetry
– diffuse key bits into round keys
– enough non-linearity to hinder analysis
– simplicity of description

43
AES Round

44
 AES Decryption
• AES decryption is not identical to encryption
since steps done in reverse
• but can define an equivalent inverse cipher
with steps as for encryption
– but using inverses of each step
– with a different key schedule
• works since result is unchanged when
– swap byte substitution & shift rows
– swap mix columns & add (tweaked) round key

45
AES Decryption

46
 Implementation Aspects
• can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of
256 entries
– shift rows is simple byte shift
– add round key works on byte XOR’s
– mix columns requires matrix multiply in GF(28)
which works on byte values, can be simplified to
use table lookups & byte XOR’s

47
 Implementation Aspects
• can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256-words
– then each column in each round can be computed
using 4 table lookups + 4 XORs
– at a cost of 4Kb to store tables
• designers believe this very efficient
implementation was a key factor in its
selection as the AES cipher

48
 Summary
• have considered:
– the AES selection process
– the details of Rijndael – the AES cipher
– looked at the steps in each round
– the key expansion
– implementation aspects

49