1. Cryptography and Network Security
Advanced Encryption Standard
By William Stallings
Modified by M. Sakalli

2. Origins clear a replacement for DES was needed
have theoretical attacks that can break it
have demonstrated exhaustive key search attacks
can use Triple-DES – but slow with small blocks
US NIST issued call for ciphers in 1997
5 were short-listed in Aug-99
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Rijndael (Belgium) - clean, fast, good security margin
Serpent (Euro) - slow, clean, v. high security margin
Twofish (USA) - complex, v. fast, high security margin
Rijndael was selected as the AES in Oct-2000
issued as FIPS PUB 197 standard in Nov-2001
The AES candidates are the latest generation of block ciphers, and now we see a significant increase in the block size - from the old standard of 64-bits up to 128-bits; and keys from 128 to 256-bits. In part this has been driven by the public demonstrations of exhaustive key searches of DES. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in s/w.

3. AES Requirements private key symmetric block cipher
128-bit data, 128/192/256-bit keys
stronger & faster than Triple-DES
active life of years (+ archival use)
provide full specification & design details
both C & Java implementations
NIST have released all submissions & unclassified analyses
Evaluation criteria of submitted ones
General security – effort to practically cryptanalyse
algorithm & implementation characteristics
cost – computational, software & hardware implementation ease, minimize implementation attacks
flexibility (in en/decrypt, keying, other factors)

4. processes data as 4 groups of 4 bytes (state)
Rijndael
processes data as 4 groups of 4 bytes (state)
has 9/11/13 rounds in which state undergoes:
byte substitution (1 S-box; byte to byte substitution)
shift rows (permutation of bytes)
mix columns (subs using gf28)
Add Round Key (XOR state with a portion of expended K)
initial XOR key material & incomplete last round
all operations can be combined into XOR and table lookups - hence very fast & efficient
The AES Cipher
designed by Rijmen-Daemen in Belgium
has 128/192/256 bit keys, 128 bit data
an iterative rather than feistel cipher
treats data in 4 groups of 4 bytes
operates an entire block in every round
designed to be:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
Data is written into the state matrix by columns; this matrix is manipulated at stage of the en/decryption process, and is then finally copied to the output.
The key is expanded into 44/52/60 lots of 32-bit words (see later), with 4 used in each round.
The data computation then consists of an “add round key” step, then 9/11/13 rounds with all 4 steps, and a final 10th/12th/14th step of byte subs + mix cols + add round key. All steps are easily reversed.
Note only the “add round key” step makes use of the key and obscures the result, hence MUST be used at start and end of each round, since otherwise could undo effect of other steps. But the other steps provide confusion/diffusion/non-linearity. ie can look at cipher as a series of XOR with key then scramble/permute block repeated. This is efficient and highly secure it is believed.

5. Stallings Fig 5-1.

6. AddRoundKey
Each round uses four different words from the expanded key array.
Each column in the state matrix is XORed with a different word.
The heart of the encryption. All other functions’ properties are permanent and known to all.
InvAddRoundKey
(A  B)  B = A
Key is used in reverse order

7. Substitution Byte (Subbyte)
It is a bytewise lookup process that returns a 4-byte word in which each byte is the result of applying the Rijndael S-box. Designed to be resistant to all known attacks
Simple substitution of each byte using one table of 16x16 bytes containing a permutation of all bit values
each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits)
eg. byte {95} is replaced by row 9 col 5 byte
which is the value {2A}
S-box is constructed using a transformation of the values in GF(28)
There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all bit values, constructed using a transformation which treats the values as polynomials in GF(28) – however it is fixed, so really only need to know the table when implementing. Decryption requires the inverse of the table.

8. Shift Rows a circular byte shift in each row
1st row is unchanged
2nd row does 1 byte circular shift to left
3rd row does 2 byte circular shift to left
4th row does 3 byte circular shift to left
decrypt does shifts to right
since state is processed by columns, this step permutes bytes between the columns
This step provides “permutation” of the data, whereas the other steps involve substitutions.

9. each column is processed separately
Mix Columns
each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(28) using prime poly m(x) =x8+x4+x3+x+1
Add Round Key
XOR state with 128-bits of the round key
again processed by column (though effectively a series of byte operations)
inverse for decryption is identical since XOR is own inverse, just with correct round key
designed to be simple
This step is also a substitution, but one involving ALL values in a column. Designed as a matrix multiplication where each byte is treated as a polynomial in GF(28). The inverse used for decryption involves a different set of constants.
The constants used are based on a linear code with maximal distance between code words – this gives good mixing of the bytes within each column. Combined with the “shift rows” step provides good avalanche, so that within a few rounds, all output bits depend on all input bits.

10. AES Round
Stallings Fig 5-3.

11. Mathematical Review
Performing arithmetic operations on bytes requires to work in a finite field and treat each byte as an element.
GF(28) - Finite field containing 256 elements.
Each element is a polynomial of degree 7 over Z2, hence an element is defined by 8 binary values – a byte.
Addition – polynomial addition, over Z2, implemented using XOR.
Multiplication – polynomial multiplication , over Z2, modulo irreducible polynomial X8 + X4 + X3 + X + 1
Implemented using repetitive left shifts and XOR.
SubBytes - 16 X 16 table
Each byte is considered as an element in GF(28)
Called S-BoxA. 16 X 16 table contains all possible 256 elements.
Row Column Indices: Left and Right halves of the byte.
Each byte B in the state matrix is substituted with f(B).

12. SubBytes, S-Box computation
Computing S-Box cells in three stages:
-The cells are numbered in ascending order.
-Each cell’s number is substituted with its multiplicative inverse over GF(28).
- The cell’s bits go through the following transformation:
bi’ = bi  b(i+4)mod(8)  b(i+5)mod(8)  b(i+6)mod(8)  b(i+7)mod(8)  ci
bi’ = new bit value, ci = the i’th bit of 63={ } irreducible polynomial

13. S-Box eg. byte {95} is replaced by row 9 col 5 byte which is the value {2A}

14. InvSubBytes Same routine as SubBytes, but uses the inverse S-Box.
Inverse S-box is computed by applying the inverse affine transformation and then substituting with the multiplicative inverse, of the cell’s value in the S-Box.
The Inverse transformation:
bi’ = b(i+2)mod8  b(i+5)mod8  b(i+7)mod8  di
bi’ = new bit value, di = the i’th bit of 05={ }.

16. SubBytes, crypto properties
S-Box design makes it resistant to cryptanalitic attacks.
Conditions:
No fixed points S(a)  a, no opposite fixed points IS(a)  a complement.
Invertible s box, IS[S(a)] = a;
but not self invertible, which means
S(a)  IS(a), ie. S({95}) = {2A}, but IS({95}) = {AD} think S({2A})=?{95}
To see that InvSubBytes is the inverse of SubBytes,
label the matrices in SubBytes and InvSubBytes as X and Y, respectively, and the vector versions of constants c and d as C and D, respectively.
For some 8-bit vector B  B' = XB  C.
To show that Y(XB  C)  D = B.
Must show YXB  YC  D = B.
B’=XBC; (Y(XBC)D) = [YX][B][YC][D] = B
Which means …

17. ShiftRows
Rows 2-4 in the state matrix are left shifted by different offsets of 1-3 bytes respectively.
Strong diffusion effect. Separation of each four, originally consecutive, bytes.

18. A transformation which operates on individual columns – 32 bits/4 bytes.
Each column is treated as a 3 degree polynomial over GF(23)
Multiplied by the fixed polynomial:
a(x)=({03}X3 + {01}X2 + {01}X + {02})mod(x4+1)
a(x) was chosen so the multiplication/transformation is invertible.
Generally, multiplication in the above group mod(x4+1) doesn’t provide inverse for each element.
*coefficients multiplication is the GF(28) multiplication mentioned earlier.

19. MixColumn, props - The transformation is a linear code with a maximal distance between code words. - Combined with ShiftRows, after several rounds all output bits depend on all input bits.

20. In GF(28), irreducible polynomial mod(x4+x3+x+1)
({02} · {87})  ({03} · {6E})  {46}  {A6} = {47}
{87}  ({02} · {6E})  ({03}· {46})  {A6} = {37}
{87}  {6E}  ({02} · {46}  ({03} · {A6}) = {94}
({03} · {87})  {6E}  {46}  ({02} · {A6} = {ED}
For the first equation,
{02} · {87} = x*(x7 + x2+x+1) = ( ) l because of the most left 1,
( )  ( ) = ( );
and
{03} · {6E} = (x+1)*(x6 +x5 + x3+ x2+x)
= (x6 +x5 + x3+ x2+x)  (x)*(x6 +x5 + x3+ x2+x), the same statement for the second side.
= {6E}  ({02} · {6E}) = ( )  ( )
= ( ).
{02} · {87} =   
{03} · {6E} =   
{46} =   
{A6} =    
Total = {47}

21. InvMixColumn
Same routine as MixColumn, only instead of a(x) the inverse of a(x) is used:
a-1(x)={0B}x3{0D}x2{09}x{0E}

22. AES Key Expansion
takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
start by copying key into first 4 words
then loop creating words that depend on values in previous & 4 places back
in 3 of 4 cases just XOR these together
every 4th has S-box + rotate + XOR constant of previous before XOR together
designed to resist known attacks
Key expansion is designed to be simple to implement, but by using round constants break symmetries, and make it much harder to deduce other key bits if just some are known (but once have as many consecutive bits as are in key, can then easily recreate the full expansion).

23. AES Decryption
AES decryption is not identical to encryption since steps done in reverse
but can define an equivalent inverse cipher with steps as for encryption
but using inverses of each step
with a different key schedule
works since result is unchanged when
swap byte substitution & shift rows
swap mix columns & add (tweaked) round key
By constructing an equivalent inverse cipher with steps in same order as for encryption, can derive a more efficient implementation. Clearly swapping the byte substitutions and shift rows has no effect, since work just on bytes. Swapping the mix columns and add round key steps requires the inverse mix columns step be applied to the round keys first – this makes the decryption schedule a little more complex with this construction.

24. Implementation Aspects
can efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entries
shift rows is simple byte shifting
add round key works on byte XORs
mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use a table lookup
can efficiently implement on 32-bit CPU
redefine steps to use 32-bit words
can pre-compute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 16Kb to store tables
designers believe this very efficient implementation was a key factor in its selection as the AES cipher

25. Summary have considered: the AES selection process
the details of Rijndael – the AES cipher
looked at the steps in each round
the key expansion
implementation aspects