Advanced Encryption Standard (AES)
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 7
Objectives
❏ To review a short history of AES
❏ To define the basic structure of AES
❏ To define the transformations used by AES
❏ To define the key expansion process
❏ To discuss different implementations
7-1 INTRODUCTION
The Advanced Encryption Standard (AES) is a
symmetric-key block cipher published by the National
Institute of Standards and Technology (NIST) in
December 2001.
Topics discussed in this section:
7.1.1 History
7.1.2 Criteria
7.1.3 Rounds
7.1.4 Data Units
7.1.5 Structure of Each Round
7.1.1 History
In February 2001, NIST announced that a draft of the
Federal Information Processing Standard (FIPS) was
available for public review and comment. Finally, AES
was published as FIPS 197 in the Federal Register in
December 2001.
7.1.2 Criteria
The criteria defined by NIST for selecting AES fall
into three areas:
1. Security
2. Cost
3. Implementation
7.1.3 Rounds
AES is a non-Feistel cipher that encrypts and decrypts
a data block of 128 bits. It uses 10, 12, or 14 rounds.
The key size, which can be 128, 192, or 256 bits,
depends on the number of rounds.
Note
AES has defined three versions, with 10, 12,
and 14 rounds.
Each version uses a different cipher key size
(128, 192, or 256), but the round keys are
always 128 bits.
Figure 7.1 General design of AES encryption cipher
7.1.4 Data Units
Figure 7.2 Data units used in AES
Figure 7.3 Block-to-state and state-to-block transformation
Example 7.1 (continued)
Figure 7.4 Changing plaintext to state
7.1.5 Structure of Each Round
Figure 7.5 Structure of each round at the encryption site
7-2 TRANSFORMATIONS
To provide security, AES uses four types of
transformations: substitution, permutation, mixing,
and key-adding.
Topics discussed in this section:
7.2.1 Substitution
7.2.2 Permutation
7.2.3 Mixing
7.2.4 Key Adding
7.2.1 Substitution
AES, like DES, uses substitution. AES uses two
invertible transformations.
SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.
Note
The SubBytes operation involves 16
independent byte-to-byte transformations.
Figure 7.6 SubBytes transformation
InvSubBytes
Example 7.2
Figure 7.7 shows how a state is transformed using the
SubBytes transformation. The figure also shows that the
InvSubBytes transformation creates the original one. Note
that if the two bytes have the same values, their
transformation is also the same.
Figure 7.7 SubBytes transformation for Example 7.2
Transformation Using the GF(2^8) Field
AES also defines the transformation algebraically using
the GF(2^8) field with the irreducible polynomial
(x^8 + x^4 + x^3 + x + 1), as shown in Figure 7.8.
Note
The SubBytes and InvSubBytes
transformations are inverses of each other.
A polynomial is irreducible if it cannot be factored into the product of two or more
non-trivial polynomials whose coefficients are of a specified type.
Figure 7.8 SubBytes and InvSubBytes processes
Example 7.3
Let us show how the byte 0C is transformed to FE by the subbyte
routine and transformed back to 0C by the invsubbyte
routine.
7.2.2 Permutation
Another transformation found in a round is shifting,
which permutes the bytes.
ShiftRows
In the encryption, the transformation is called ShiftRows.
Figure 7.9 ShiftRows transformation
InvShiftRows
In the decryption, the transformation is called
InvShiftRows and the shifting is to the right.
Example 7.4
Figure 7.10 shows how a state is transformed using the ShiftRows
transformation. The figure also shows that the InvShiftRows
transformation creates the original state.
Figure 7.10 ShiftRows transformation in Example 7.4
7.2.3 Mixing
We need an interbyte transformation that changes the
bits inside a byte, based on the bits inside the
neighboring bytes. We need to mix bytes to provide
diffusion at the bit level.
Figure 7.11 Mixing bytes using matrix multiplication
Figure 7.12 Constant matrices used by MixColumns and InvMixColumns
MixColumns
The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.
Figure 7.13 MixColumns transformation
InvMixColumns
The InvMixColumns transformation is basically the same
as the MixColumns transformation.
Note
The MixColumns and InvMixColumns
transformations are inverses of each other.
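MixColumns and InvMixColumns applied to single columns, as an added example that is not part of the original slides. The matrix constants (first rows 02 03 01 01 and 0E 0B 0D 09) are the standard FIPS 197 values, since Figure 7.12 is not reproduced here; the sample columns are constructed, and computing InvMixColumns as a pre-step followed by MixColumns is a known implementation identity, not the slides' own method.

```python
# Added example: MixColumns / InvMixColumns on columns of a state (not from the slides).
def xtime(b):
    """Multiply a byte by x (0x02) in GF(2^8), modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def mix_column(col):
    """MixColumns: multiply one column by the circulant matrix with first row 02 03 01 01."""
    a0, a1, a2, a3 = col
    return [
        xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3,   # 02*a0 + 03*a1 + a2 + a3
        a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3,   # a0 + 02*a1 + 03*a2 + a3
        a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3),   # a0 + a1 + 02*a2 + 03*a3
        (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3),   # 03*a0 + a1 + a2 + 02*a3
    ]

def inv_mix_column(col):
    """InvMixColumns (first row 0E 0B 0D 09), computed as a pre-step plus MixColumns."""
    a0, a1, a2, a3 = col
    u = xtime(xtime(a0 ^ a2))                     # 04 * (a0 + a2)
    v = xtime(xtime(a1 ^ a3))                     # 04 * (a1 + a3)
    return mix_column([a0 ^ u, a1 ^ v, a2 ^ u, a3 ^ v])

def changed_bytes(col, index, flip=0x01):
    """Count output bytes that change when one input byte has bits flipped."""
    other = list(col)
    other[index] ^= flip
    return sum(x != y for x, y in zip(mix_column(col), mix_column(other)))

# Constructed sample columns (not taken from the slides' figures).
SAMPLES = [[0xDB, 0x13, 0x53, 0x45], [0xD4, 0xD4, 0xD4, 0xD5], [0x01, 0x01, 0x01, 0x01]]

if __name__ == "__main__":
    for col in SAMPLES:
        mixed = mix_column(col)
        assert inv_mix_column(mixed) == col        # the two steps are inverses
        print(bytes(col).hex(), "->", bytes(mixed).hex(), "changed:", changed_bytes(col, 0))
```

A change in one input byte always alters all four output bytes of the column, which is the diffusion property the mixing step is there to provide.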
Example 7.5
Figure 7.14 shows how a state is transformed using the
MixColumns transformation. The figure also shows that the
InvMixColumns transformation creates the original one.
Figure 7.14 The MixColumns transformation in Example 7.5
7.2.4 Key Adding
AddRoundKey
AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word with each state
column matrix; the operation in AddRoundKey is matrix
addition.
Note
The AddRoundKey transformation is the
inverse of itself.
Figure 7.15 AddRoundKey transformation
7-3 KEY EXPANSION
To create round keys for each round, AES uses a key-expansion
process. If the number of rounds is Nr, the
key-expansion routine creates Nr + 1 128-bit round
keys from one single 128-bit cipher key.
Topics discussed in this section:
7.3.1 Key Expansion in AES-128
7.3.2 Key Expansion in AES-192 and AES-256
7.3.3 Key-Expansion Analysis
7.3.1 Key Expansion in AES-128
Figure 7.16 Key expansion in AES
The key-expansion routine can either use the above
table when calculating the words or use the GF(2^8)
field to calculate the leftmost byte dynamically, as
shown below (prime is the irreducible polynomial):
Example 7.6
Table 7.5 shows how the keys for each round are calculated
assuming that the 128-bit cipher key agreed upon by Alice
and Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)₁₆.
Example 7.7
Each round key in AES depends on the previous round key.
The dependency, however, is nonlinear because of the SubWord
transformation. The addition of the round constants also
guarantees that each round key will be different from the
previous one.
Example 7.8
The two sets of round keys can be created from two cipher
keys that are different only in one bit.
Example 7.9
The concept of weak keys, as we discussed for DES in the last
lecture, does not apply to AES. Assume that all bits in the
cipher key are 0s. The following shows the words for some
rounds:
The words in the pre-round and the first round are all the
same. In the second round, the first word matches with the
third; the second word matches with the fourth. However,
after the second round the pattern disappears; every word is
different.
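SubBytes computed algebraically in GF(2^8) (Example 7.3) and the AES-128 key expansion with the round constant calculated dynamically (Section 7.3.1 and Example 7.9), as an added example that is not code from the original slides. The affine-map constants and the RotWord/SubWord/round-constant schedule are the standard FIPS 197 ones, since the slides' figures and tables are not reproduced here; all function names are this example's own.

```python
# Added example (not from the slides): S-box bytes and AES-128 key words from GF(2^8) arithmetic.
PRIME = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial given above

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo PRIME."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (PRIME if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse computed as a^254; 0 has no inverse and maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF   # rotate a byte left by n bits

def sub_byte(b):
    """SubBytes on one byte: invert in GF(2^8), then apply the affine map."""
    x = gf_inv(b)
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63

def inv_sub_byte(s):
    """InvSubBytes on one byte: undo the affine map, then invert in GF(2^8)."""
    return gf_inv(rotl8(s, 1) ^ rotl8(s, 3) ^ rotl8(s, 6) ^ 0x05)

SBOX = [sub_byte(b) for b in range(256)]

def expand_key_128(key):
    """Return words w[0..43] (as hex strings) for a 16-byte cipher key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon                          # round constant in leftmost byte
            rcon = gf_mul(rcon, 2)                # next constant, computed in GF(2^8)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [bytes(x).hex() for x in w]

if __name__ == "__main__":
    print(f"{sub_byte(0x0C):02X} {inv_sub_byte(0xFE):02X}")  # Example 7.3 bytes
    words = expand_key_128(bytes(16))                         # all-zero cipher key
    print(words[0:4], words[4:8], words[8:12], words[12:16])
```

With the all-zero key, the printed words show the pre-round and first-round repetition and the first/third, second/fourth match in the second round, with four distinct words from the third round on.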
7.3.2 Key Expansion in AES-192 and AES-256
Key-expansion algorithms in the AES-192 and AES-256
versions are very similar to the key expansion algorithm in
AES-128, with the following differences:
7.3.3 Key-Expansion Analysis
The key-expansion mechanism in AES has been
designed to provide several features that thwart the
cryptanalyst.
7-4 CIPHERS
AES uses four types of transformations for encryption
and decryption. In the standard, the encryption
algorithm is referred to as the cipher and the
decryption algorithm as the inverse cipher.
Topics discussed in this section:
7.4.1 Original Design
7.4.2 Alternative Design
7.4.1 Original Design
Figure 7.17 Ciphers and inverse ciphers of the original design
Algorithm
The code for the AES-128 version of this design is shown
in Algorithm 7.6.
7.4.2 Alternative Design
Figure 7.18 Invertibility of SubBytes and ShiftRows combinations
Figure 7.19 Invertibility of MixColumns and AddRoundKey combination
Figure 7.20 Cipher and reverse cipher in alternate design
Changing Key-Expansion Algorithm
Instead of using InvRoundKey transformation in the
reverse cipher, the key-expansion algorithm can be
changed to create a different set of round keys for the
inverse cipher.
7-5 Examples
In this section, some examples of encryption/decryption
and key generation are given to emphasize
some points discussed in the two previous sections.
Example 7.10
The following shows the ciphertext block created from a
plaintext block using a randomly selected cipher key.
Example 7.11
Figure 7.21 shows the state entries in one round, round 7, in
Example 7.10.
Figure 7.21 States in a single round
Example 7.12
One may be curious to see the result of encryption when the
plaintext is made of all 0s. Using the cipher key in Example
7.10 yields the ciphertext.
Example 7.13
Let us check the avalanche effect that we discussed in the last
lecture. Let us change only one bit in the plaintext and
compare the results. We changed only one bit in the last byte.
The result clearly shows the effect of diffusion and confusion.
Changing a single bit in the plaintext has affected many bits
in the ciphertext.
Example 7.14
The following shows the effect of using a cipher key in which
all bits are 0s.
7-6 ANALYSIS OF AES
This section is a brief review of the three
characteristics of AES.
Topics discussed in this section:
7.6.1 Security
7.6.2 Implementation
7.6.3 Simplicity and Cost
7.6.1 Security
AES was designed after DES. Most of the known
attacks on DES were already tested on AES.
Brute-Force Attack
AES is definitely more secure than DES due to the
larger-size key.
Statistical Attacks
Numerous tests have failed to do statistical analysis of
the ciphertext.
Differential and Linear Attacks
There are no differential and linear attacks on AES as
yet.
7.6.2 Implementation
AES can be implemented in software, hardware, and
firmware. The implementation can use table lookup
process or routines that use a well-defined algebraic
structure.
7.6.3 Simplicity and Cost
The algorithms used in AES are so simple that they
can be easily implemented using cheap processors and
a minimum amount of memory.
Comparison of AES with DES
                          AES                                DES
Block size (in bits)      128                                64
Key size (in bits)        128, 192, 256                      56
Speed                     High                               Low
Encryption primitives     Substitution, shift, bit mixing    Substitution, permutation
Cryptographic primitives  Confusion, Diffusion               Confusion, Diffusion

Comparison with Triple-DES
                          AES                                Triple DES
Type of algorithm         Symmetric, block cipher            Symmetric, Feistel cipher
Key size (in bits)        128, 192, 256                      112 or 168
Speed                     High                               Low
Time to crack             149 trillion years                 4.6 billion years
Resource consumption      Low                                Medium