1. Advanced Encryption Standard (AES)
Information and Network Security
Dr. Hadi AL Saadi

2. Origins of AES replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES – but slow, has small blocks
US NIST issued call for ciphers in 1997
15 candidates accepted in Jun 98
5 were shortlisted in Aug-99
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications. The AES cipher (& other candidates) form the latest generation of block ciphers, and now we see a significant increase in the block size - from the old standard of 64-bits up to 128-bits; and keys from 128 to 256-bits. In part this has been driven by the public demonstrations of exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in s/w. In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of NIST selected Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr.Vincent Rijmen.

3. AES Requirements private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
DES 168 bit key (56*3)
Slow in software 16* 3 rounds + key expansion!
Designed for 70’s hardware
provide full specification & design details
both C & Java implementations
NIST have released all submissions & unclassified analyses

4. AES Evaluation Criteria
initial criteria:
security – effort for practical cryptanalysis
cost – in terms of computational efficiency
algorithm & implementation characteristics
final criteria
general security
ease of software & hardware implementation
implementation attacks
flexibility (in en/decrypt, keying, other factors)
In fact, two set of criteria evolved. When NIST issued its original request for candidate algorithm nominations in 1997, the request stated that candidate algorithms would be compared based on the factors shown in Stallings Table5.1, which were used to evaluate field of 15 candidates to select shortlist of 5. These had categories of security, cost, and algorithm & implementation characteristics.
The final criteria evolved during the evaluation process, and were used to select Rijndael from that short-list, and more details are given in Stallings Table 5.2, with categories of: general security, ease of software & hardware implementation, implementation attacks, & flexibility (in en/decrypt, keying, other factors).

5. AES Shortlist
After testing and evaluation, shortlist in August 1999:
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - very simple, very fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin
Serpent (Euro) - slow, clean, very high security margin
Twofish (USA) - complex, very fast, high security margin

6. Then subject to further analysis and comment.
AES Shortlist
Then subject to further analysis and comment.
Saw contrast between algorithms with
few complex rounds verses many simple rounds
which refined existing ciphers verses new proposals
The shortlist is as shown. Note mix of commercial (MARS, RC6, Twofish) verses academic (Rijndael, Serpent) proposals, sourced from various countries.
All were thought to be good – came down to best balance of attributes to meet criteria.

7. AES Shortlist The finalists and their scores were as follows:
Rijndael (from Joan Daemen and Vincent Rijmen, 86 votes).
Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen, 59 votes).
Twofish (from a team headed by Bruce Schneier, 31 votes).
RC6 (from RSA Laboratories, 23 votes).
MARS (from IBM, 13 votes).
The AES shortlist of 5 ciphers was as shown. Note mix of commercial (MARS, RC6, Twofish) verses academic (Rijndael, Serpent) proposals, sourced from various countries.
All were thought to be good – it came down to the best balance of attributes to meet criteria, in particular the balance between speed, security & flexibility.

8. The AES Cipher - Rijndael
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
processes data as block of 4 columns of 4 bytes
operates on entire data block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity

9. Rounds
AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or 256), but the round keys are always 128 bits.

10. General design of AES encryption cipher

11. The AES Cipher - Rijndael
Processes data as 4 groups of 4 bytes (state)
Has 9/11/13 rounds in which state undergoes:
Byte substitution (1 S-box used on every byte)
Shift rows (permute bytes between groups/columns)
Mix columns (subs using matrix multiply of groups)
Add round key (XOR state with key material)
Initial XOR key material and incomplete last round.
All operations can be combined into XOR and table lookups - hence very fast and efficient.
The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128,192,or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. Rijndael is an academic submission, based on the earlier Square cipher, from Belgium academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative cipher (operates on entire data block in every round) rather than feistel (operate on halves at a time), and was designed to have characteristics of: Resistance against all known attacks, Speed and code compactness on a wide range of platforms, & Design simplicity.

12. AES
Encryption
Process

13. AES Parameters

14. Data units used in AES

15. Block-to-state and state-to-block transformation

16. Changing plaintext to state
Plain text: AESUSESAMATRIX
PLAIN TEXT (CHARACTER ) A E S U M T R I X Z
PLAIN TEXT (HEXADECIMAL ) 41 45 53 55 4D 54 52 49 58 5A
STATE

17. Structure of each round at the encryption site

18. Transformation
To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.

19. Substitution
AES, like DES, uses substitution. AES uses two invertible transformations.
1. SubBytes
The first transformation, SubBytes, is used at the encryption site. To substitute a byte, we interpret the byte as two hexadecimal digits.
The SubBytes operation involves 16 independent byte-to-byte transformations.

20. A simple substitution of each byte.
Byte Substitution
A simple substitution of each byte.
Uses one table of 16x16 bytes containing a permutation of all bit values.
Each byte of state is replaced by byte in row (left 4-bits) and column (right 4-bits).
e.g., byte {95} is replaced by row 9 col 5 byte, which is the value {2A}.
S-box is constructed using a defined transformation of the values in GF(28).
Designed to be resistant to all known attacks.
There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all bit values, constructed using a transformation which treats the values as polynomials in GF(28) – however it is fixed, so really only need to know the table when implementing. Decryption requires the inverse of the table.

21. Byte Substitution
Substitute byte transformation
Forward substitute byte transformation (SubBytes)
Inverse substitute byte transformation (InvSubBytes)

22. Byte Substitution

23. AES S-Boxes
(a) S-box

24. AES S-Boxes
(b) Inverse S-box

25. Example
Fig. shows how a state is transformed using the SubBytes transformation. The figure also shows that the InvSubBytes transformation creates the original one. Note that if the two bytes have the same values, their transformation is also the same.
SubBytes transformation for Example

26. Permutation
Another transformation found in a round is shifting, which permutes the bytes.
2. ShiftRows
In the encryption, the transformation is called ShiftRows.
ShiftRows transformation

27. 87 F2 4D 97 EC 6E 4C 90 4A C3 46 E7 8C D8 95 A6 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95

28. Assume we have 16 byte block from 1 to 16
Shift Rows
Assume we have 16 byte block from 1 to 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Convert the 16-byte block to a two-dimensional 4x4 matrix by filling column by column 1 5 9 13 1 5 9 13
Shift left 0 (No shift) 2 6 10 14 6 10 14 2
Shift left 1 3 7 11 15 11 15 3 7
Shift left 2 4 8 12 16 16 4 8 12
Shift left 3
Convert the two-dimensional 4x4 matrix to a 16-byte block by reading column by column 1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12

29. Example Plaintext (Character) C O M P U T E R S I N
Plaintext (Hexadecimal) 43 51 4D 50 55 54 45 52 20 53 49 4E 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
After Substitution (Hexadecimal) 1A D1 E3 53 FC 20 6E 00 B7 ED 3B 2F 1 6 11 16 5 10 15 4 9 14 3 8 13 2 7 12
After Shifting (Hexadecimal) 1A 20 6E FC ED 53 B7 2F E3 00 D1 3B

30. 3.Mix Columns Each column is processed separately.
Each byte is replaced by a value dependent on all 4 bytes in the column.
Effectively a matrix multiplication in GF(28) using prime poly m(x) = x8 + x4 + x3 + x + 1.
This step is also a substitution, but one involving ALL values in a column. Designed as a matrix multiplication where each byte is treated as a polynomial in GF(28). The inverse used for decryption involves a different set of constants.
The constants used are based on a linear code with maximal distance between code words – this gives good mixing of the bytes within each column. Combined with the “shift rows” step provides good avalanche, so that within a few rounds, all output bits depend on all input bits.

31. Mix Columns
M00 = [ {02}·{S00}  {03}·{S10}  {01}·{S20}  {01}·{S30} ] mod GF(28)
M01 = [ {02}·{S01}  {03}·{S11}  {01}·{S21}  {01}·{S31} ] mod GF(28)
M02 = [ {02}·{S02}  {03}·{S12}  {01}·{S22}  {01}·{S32} ] mod GF(28)
M03 = [ {02}·{S03}  {03}·{S13}  {01}·{S23}  {01}·{S33} ] mod GF(28)
M10 = [ {01}·{S00}  {02}·{S10}  {03}·{S20}  {01}·{S30} ] mod GF(28)
M11 = [ {01}·{S01}  {02}·{S11}  {03}·{S21}  {01}·{S31} ] mod GF(28)
M12 = [ {01}·{S02}  {02}·{S12}  {03}·{S22}  {01}·{S32} ] mod GF(28)
M13 = [ {01}·{S03}  {02}·{S13}  {03}·{S23}  {01}·{S33} ] mod GF(28)

32. Mix Columns
M20 = [ {01}·{S00}  {01}·{S10}  {02}·{S20}  {03}·{S30} ] mod GF(28)
M21 = [ {01}·{S01}  {01}·{S11}  {02}·{S21}  {03}·{S31} ] mod GF(28)
M22 = [ {01}·{S02}  {01}·{S12}  {02}·{S22}  {03}·{S32} ] mod GF(28)
M23 = [ {01}·{S03}  {01}·{S13}  {02}·{S23}  {03}·{S33} ] mod GF(28)
M30 = [ {03}·{S00}  {01}·{S10}  {01}·{S20}  {02}·{S30} ] mod GF(28)
M31 = [ {03}·{S01}  {01}·{S11}  {01}·{S21}  {02}·{S31} ] mod GF(28)
M32 = [ {03}·{S02}  {01}·{S12}  {01}·{S22}  {02}·{S32} ] mod GF(28)
M33 = [ {03}·{S03}  {01}·{S13}  {01}·{S23}  {02}·{S33} ] mod GF(28)

33. Mixing
We need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.
Mixing bytes using matrix multiplication

34. Mix Columns
Constant matrices used by MixColumns and InvMixColumns

35. MixColumns
The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
MixColumns transformation

36. Figure shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation creates the original one.
The MixColumns transformation in Example 7.5

37. =  Example of MixColumns 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8
MixColumns Constant matrices
Result
State 02 03 01 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 47 40 A3 4C 37 D4 70 9F 94 E4 3A 42 ED A5 A6 BC = 
1st column of the result is obtained by:
{02){87}+{03}{6E}+{46}+{A6} = {47}
{87}+{02}{6E}+{03}{46}+{A6} = {37}
{87}+{6E}+{02}{46}+{03}{A6} = {94}
{03}{87}+{6E}+{46}+{02}{A6} = {ED}
For the 1st equation, we have {02}{87}=( )( )=
= ( )={15}

38. {03}{6E}=( )( )= =
( ) = {B2}
{02){87}+{03}{6E}+{46}+{A6}={15}+{B2}+{46}+{A6}=
( )+
( )+
( )+
( )=
( )={47}
NOTE :
MULTIPLICATION A VALUE X BY {02} CAN BE IMPLEMENTED AS 1-BIT LEFT SHIFT FOLLOWED BY A CONDITIONAL BITWISE XOR WITH ( ) (1B ) IF THE LEFT MOST BIT OF THE ORIGINAL VALUE ( PRIORE TO SHIFT IS 1)

40. 4. AddRoundKey Transformation
The 128 bit of the state are bitwise XORed with the 128 bit of round key. As sown in Fig. below , the operation is viewed as columnwise operation between the 4 bytes of the state column and one word of the round key.
State
Key
State ♁Key 47 40 A3 4C 37 D4 70 9F 94 E4 3A 42 ED A5 A6 BC AC 19 28 57 77 FA D1 5C 66 DC 29 00 F3 21 41 6A EB 59 8B 1B 40 2E A1 C3 F2 38 13 42 1E 84 E7 D6
47=
AC=
EB =
37=
40 =
40=
94=
66=
F2= ♁ ♁ ♁

41. AES Round

42. AES Key Expansion
Takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words.
Start by copying key into first 4 words.
Then loop creating words that depend on values in previous and 4 places back.
In 3 of 4 cases just XOR these together.
Every 4th has S-box + rotate + XOR constant of previous before XOR together.
Designed to resist known attacks.

43. AES Key Expansion

44. Steps for computing g function
RotWord perform one-byte circular left shift on word , this means that an input word [B0,B1,B2,B3] is transformed into [ B1,B2,B3,B0]
Subword perform a Byte substitution on each byte of its input word , using the S-Box
The result in step (2) is XORed with a round constant. Rcon[j], the round constant is a word in which the three rightmost bytes are always (0) , and is defined as Rcon[j]=(RC[j],0,0,0), and the values of RC[j] in hexadecimal are
Rcon[1]=1
Rcon[j]=2.Recon[j-1]

45. Example:
Table below shows how the keys for each round are calculated assuming that the 128-bit cipher key agreed upon by Alice and Bob is (24 75 A2 B E AA 54 87)16.

46. AES example of key expansion

47. AES Example Encryption

48. AES Decryption
AES decryption is not identical to encryption since steps done in reverse
but can define an equivalent inverse cipher with steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key

49. Ciphers and inverse ciphers of the AES

50. Useful Website