Advanced Encryption Standard
Advanced Encryption Standard
AES is a symmetric block cipher that is intended to replace
AES is a symmetric block cipher that is intended to replace DES as the approved standardDES as the approved standard for a wide range of applications. The drawbacks of 3DES being it is very
for a wide range of applications. The drawbacks of 3DES being it is very slow and also it uses 64-slow and also it uses 64-bit block size same as DES. For reasons of both efficiency and security, a larger key size is bit block size same as DES. For reasons of both efficiency and security, a larger key size is desirable. So, NIST (National Institute of Standards and Technology) has called for proposals for desirable. So, NIST (National Institute of Standards and Technology) has called for proposals for a new AES, which should have security strength equal to or better than 3DES and significantly, a new AES, which should have security strength equal to or better than 3DES and significantly, improved efficiency. NIST specified that AES must be a symmetric block cipher with a block improved efficiency. NIST specified that AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits.
length of 128 bits and support for key lengths of 128, 192, and 256 bits.
Out of all the algorithms that were submitted, five were shortlisted and upon final Out of all the algorithms that were submitted, five were shortlisted and upon final evaluation, NIST selected
evaluation, NIST selected RijndaelRijndael as the proposed AES algorithm. The two researchers whoas the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan developed and submitted Rijndael for the AES are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
Daemen and Dr. Vincent Rijmen.
AES Evaluation:
AES Evaluation:
There are three main categories of criteria used by NIST to evaluate potential There are three main categories of criteria used by NIST to evaluate potential candidates.
candidates.
Security:Security: Resistance to cryptanalysis, soundness of math, randomness of output, etcResistance to cryptanalysis, soundness of math, randomness of output, etc
Cost:Cost: Computational efficiency (speed), Memory requirementsComputational efficiency (speed), Memory requirements
Algorithm/Impleme Algorithm/Implementation ntation Characteristics:Characteristics: Flexibility, hardware and Flexibility, hardware and software suitability,software suitability, algorithm simplicity
algorithm simplicity
Simplified AES
Simplified AES
The encryption algorithm takes a 16-bit block of plaintext as input and a 16-bit key and The encryption algorithm takes a 16-bit block of plaintext as input and a 16-bit key and produces a 16-bit block of ciphertext as output. The S-AES decryption algorithm takes a 16-bit produces a 16-bit block of ciphertext as output. The S-AES decryption algorithm takes a 16-bit block of ciphertext and the same 16-bit key used to produce that ciphertext as input and block of ciphertext and the same 16-bit key used to produce that ciphertext as input and produces the original 16-bit block of plaintext as output.
produces the original 16-bit block of plaintext as output. The encryption algorithm involves theThe encryption algorithm involves the use of four different functions, or transformations: add key (A
use of four different functions, or transformations: add key (AKK) nibble substitution (NS), shift row) nibble substitution (NS), shift row
(SR), and mix column (MC). (SR), and mix column (MC).
The encryption algorithm can be expressed as: The encryption algorithm can be expressed as:
,
, so so that that AAK0K0is applied first.is applied first.
The encryption algorithm is organized into three rounds. Round 0 is simply an add key The encryption algorithm is organized into three rounds. Round 0 is simply an add key round; round 1 is a full round of four functions; and round 2 contains only 3 functions. Each round; round 1 is a full round of four functions; and round 2 contains only 3 functions. Each round includes the add key function, which makes use of 16 bits of key. The initial 16-bit key is round includes the add key function, which makes use of 16 bits of key. The initial 16-bit key is expanded to 48 bits, so that each round uses a distinct 16-bit round key. S- AES encryption and expanded to 48 bits, so that each round uses a distinct 16-bit round key. S- AES encryption and decryption scheme is shown below.
Each function operates on a 16-bit state, treated as a 2 x 2 matrix of nibbles, where one Each function operates on a 16-bit state, treated as a 2 x 2 matrix of nibbles, where one nibble equals 4 bits. The
nibble equals 4 bits. The initial value of the state matrix is the initial value of the state matrix is the 16-bit plaintext; the state matrix is16-bit plaintext; the state matrix is modified by each subsequent function in the encryption process, producing after the last modified by each subsequent function in the encryption process, producing after the last function the 16-bit ciphertext. The following figure shows the ordering of nibbles within the function the 16-bit ciphertext. The following figure shows the ordering of nibbles within the matrix is by column. So, for example, the first eight bits of a 16-bit plaintext input to the matrix is by column. So, for example, the first eight bits of a 16-bit plaintext input to the encryption cipher occupy the first column of the matrix, and the second eight bits occupy the encryption cipher occupy the first column of the matrix, and the second eight bits occupy the second column. The 16-bit key is similarly organized, but it is somewhat more convenient to second column. The 16-bit key is similarly organized, but it is somewhat more convenient to view the key as two bytes rather than four nibbles The expanded key of 48 bits is treated as view the key as two bytes rather than four nibbles The expanded key of 48 bits is treated as three round keys, whose bits are labelled as follows: K
The following figure shows the essential elements of a full round of S-AES. The decryption as The following figure shows the essential elements of a full round of S-AES. The decryption as shown above can be given as:
shown above can be given as:
in which three of the functions have a corresponding inverse function: inverse nibble in which three of the functions have a corresponding inverse function: inverse nibble substitution (INS), inverse shift row (ISR), and inverse mix column (IMC).
substitution (INS), inverse shift row (ISR), and inverse mix column (IMC).
S-AES Encryption and Decryption
S-AES Encryption and Decryption
The individual functions that are
The individual functions that are part of the part of the encryption algorithm are given below.encryption algorithm are given below. Add Key
Add Key
The add key function consists of the bitwise XOR of the 16-bit state matrix and the 16-bit round key. The add key function consists of the bitwise XOR of the 16-bit state matrix and the 16-bit round key. As shown in the above example, it can also be
As shown in the above example, it can also be viewed as a nibble-wise or bitwise operationviewed as a nibble-wise or bitwise operation.. TheThe inverse of the add key function is identical
inverse of the add key function is identical to the add key function, because the XOR operation isto the add key function, because the XOR operation is its own inverse.
its own inverse.
Nibble Substitution
Nibble Substitution
The nibble substitution function is a simple table lookup. AES defines a 4 x 4 matrix of nibble values, The nibble substitution function is a simple table lookup. AES defines a 4 x 4 matrix of nibble values, called an S-box that contains a permutation of all possible 4-bit values. Each individual nibble of the called an S-box that contains a permutation of all possible 4-bit values. Each individual nibble of the state matrix is mapped into a new nibble in the following way: The leftmost 2 bits of the nibble are state matrix is mapped into a new nibble in the following way: The leftmost 2 bits of the nibble are used as a row value and the rightmost 2 bits are used as a column value. These row and column used as a row value and the rightmost 2 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 4-bit output value. For example, the values serve as indexes into the S-box to select a unique 4-bit output value. For example, the hexadecimal value A references row 2, column 2 of the S-box, which contains the value 0. hexadecimal value A references row 2, column 2 of the S-box, which contains the value 0. Accordingly, the value A is mapped into the value 0.
For the example, after nibble substitution, the output For the example, after nibble substitution, the output isis
Shift Row
Shift Row
The shift row function performs a one-nibble circular shift of the second row of the state matrix; The shift row function performs a one-nibble circular shift of the second row of the state matrix; the first row is not altered. Our example is shown below:
the first row is not altered. Our example is shown below:
The inverse shift row function is identical to the shift row function, because it shifts the second The inverse shift row function is identical to the shift row function, because it shifts the second row back to i
row back to its original position.ts original position. Mix Column
Mix Column
The mix column function operates on each column individually. Each nibble of a column is The mix column function operates on each column individually. Each nibble of a column is mapped into a new value that is a function of both nibbles in that column. The transformation mapped into a new value that is a function of both nibbles in that column. The transformation can be defined by
can be defined by the following matrix multiplicatthe following matrix multiplication on the state matrix.ion on the state matrix.
Where arithmetic is performed in GF(2
Where arithmetic is performed in GF(244), and the ), and the symbol · refers to multiplication in GF(2symbol · refers to multiplication in GF(244). The). The example is shown below:
example is shown below:
The inverse mix column function is
The inverse mix column function is defined as follows:defined as follows:
Key Expansion
Key Expansion
For key expansion, the 16 bits of the initial key are grouped into a row of two 8-bit words. The For key expansion, the 16 bits of the initial key are grouped into a row of two 8-bit words. The following figure shows the expansion into 6 words, by the calculation of 4 new words from the initial following figure shows the expansion into 6 words, by the calculation of 4 new words from the initial 2 words. The algorithm is as follows:
RCON is a round constant, defined as follows: RC[i] = x
RCON is a round constant, defined as follows: RC[i] = xi i + + 22, so that RC[1]=x, so that RC[1]=x33=1000 and=1000 and RC[2]=x
RC[2]=x44mod (xmod (x44 + x + 1) = x + 1 = 0011. RC[i] forms the leftmost nibble of a byte, with the+ x + 1) = x + 1 = 0011. RC[i] forms the leftmost nibble of a byte, with the rightmost nibble being all zeros. Thus, RCON(1) = 10000000 and RCON(2) = 00110000.
rightmost nibble being all zeros. Thus, RCON(1) = 10000000 and RCON(2) = 00110000. For example, suppose the key is
The S-Box
The S-Box
The S-box is constructed as follows: The S-box is constructed as follows:
1.
1. Initialize the S-box with the nibble values in ascending sequence row by row. The firstInitialize the S-box with the nibble values in ascending sequence row by row. The first row contains the hexadecimal values 0, 1, 2, 3; the second row contains 4, 5, 6, 7; and so row contains the hexadecimal values 0, 1, 2, 3; the second row contains 4, 5, 6, 7; and so on. Thus, the value of the nibble at row i, column j is 4i + j.
on. Thus, the value of the nibble at row i, column j is 4i + j. 2.
2. Treat each nibble as an element of the finite field GF(2Treat each nibble as an element of the finite field GF(244) modulo x) modulo x44 +x + 1. Each nibble+x + 1. Each nibble a
a00aa11aa22aa33represents a polynomial of degree 3.represents a polynomial of degree 3.
3.
3. Map each byte in the S-box to its multiplicative inverse in the finite field GF(2Map each byte in the S-box to its multiplicative inverse in the finite field GF(244) modulo) modulo xx44+ x + 1; the value 0 is mapped to itself.+ x + 1; the value 0 is mapped to itself.
4.
4. Consider that each byte in the S-box consists of 4 bits labeled (bConsider that each byte in the S-box consists of 4 bits labeled (b00, , bb11, b, b22, , bb33). Apply the). Apply the
following transformation to each bit of each byte in the S-box: The AES standard depicts following transformation to each bit of each byte in the S-box: The AES standard depicts this transformation in matrix form as follows:
this transformation in matrix form as follows:
The prime (') indicates that the variable is to be updated by the value on the right. The prime (') indicates that the variable is to be updated by the value on the right. Remember that addition and multiplication are being calculated modulo 2.
The AES Cipher
The AES Cipher
The Rijndael proposal for AES defined a cipher in which the block length and the key length can The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256 bits. The AES specification uses the same be independently specified to be 128, 192, or 256 bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. The number of rounds is three key size alternatives but limits the block length to 128 bits. The number of rounds is dependent on the key size i.e. for key sizes of
dependent on the key size i.e. for key sizes of 128/192/256 bits,128/192/256 bits, the number of rounds arethe number of rounds are 10/12/14
10/12/14.. AES is an AES is an iterated cipher (rather than Feistel cipher) as it processes data as block of iterated cipher (rather than Feistel cipher) as it processes data as block of 44 columns of 4 bytes and operates on entire data block in every round.
columns of 4 bytes and operates on entire data block in every round. Rijndael was designed to have the following
Rijndael was designed to have the following characteristics:characteristics:
•
• Resistance against all known attacksResistance against all known attacks •
• Speed and code compactness on a Speed and code compactness on a wide range of platformswide range of platforms •
• Design simplicityDesign simplicity
AES Encryption and Decryption AES Encryption and Decryption
The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a square matrix of bytes. This block is copied into the State array, which is block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. In the same way, the 128-bit key is depicted as a square matrix of bytes. This key is then matrix. In the same way, the 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words; each word is four bytes and the total key schedule is expanded into an array of key schedule words; each word is four bytes and the total key schedule is 44 words for the 128-bit key.
44 words for the 128-bit key.
AES Data Structures AES Data Structures
1.
1. The key that is provided as input is expanded into an array of forty-four 32-bit words,The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round; these are w[i]. Four distinct words (128 bits) serve as a round key for each round; these are indicated in above figure.
indicated in above figure. 2.
2. Four different stages are used, one of permutation and three of substitution:Four different stages are used, one of permutation and three of substitution: o
o Substitute bytes:Substitute bytes:
o o
Uses an S-box to perform a byte-by-byte substitution of the Uses an S-box to perform a byte-by-byte substitution of the block block ShiftRows: ShiftRows: o o A simple permutation A simple permutation MixColumns MixColumns o o
: A substitution that makes use of arithmetic over GF(2 : A substitution that makes use of arithmetic over GF(288)) AddRoundKey:
AddRoundKey:
3.
3. The structure is quite simple. For both The structure is quite simple. For both encryption and decryption, the cipher begins withencryption and decryption, the cipher begins with an AddRoundKey stage, followed by nine rounds that each includes all four stages, an AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a tenth round of three stages. The following figure depicts the structure of a followed by a tenth round of three stages. The following figure depicts the structure of a full encryption round.
full encryption round.
A simple bitwise XOR of the current block with a portion of A simple bitwise XOR of the current block with a portion of the expanded key
the expanded key
4.
4. Only the AddRoundKey stage makes use of the key. For this reason, the cipher beginsOnly the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends with an
and ends with an AddRoundKey stage. Any other stage, applied at the beginning or AddRoundKey stage. Any other stage, applied at the beginning or end,end, is reversible without knowledg
is reversible without knowledge of the key and e of the key and so would add no security.so would add no security. 5.
5. The AddRoundKey stage is, in effect, a form of Vernam cipher and by The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not beitself would not be formidable. The other three stages together provide confusion, diffusion, and formidable. The other three stages together provide confusion, diffusion, and
of a block, followed by scrambling of the block (the other three stages), followed by XOR of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
encryption, and so on. This scheme is both efficient and highly secure. AES Encryption Round
AES Encryption Round
6.
6. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumnsEach stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stages, an inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is achieved by XORing the same round key to the block, using the stage, the inverse is achieved by XORing the same round key to the block, using the result that
result that 7.
Substitute Bytes
Substitute Bytes TransformatiTransformationon::
•
• The forward substitute byte transformation, calledThe forward substitute byte transformation, calledsubBytessubBytesis a simple table look up.is a simple table look up. •
• Simple substitution on each byte of Simple substitution on each byte of state independentlystate independently •
• Uses an S-box of 16x16 bytes containing a permutation of all 256 8-bit valuesUses an S-box of 16x16 bytes containing a permutation of all 256 8-bit values
•
• The leftmost 4 bits of the byte The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a row value and the rightmost 4 bits are used asare used as
a column value. a column value.
•
• S-box constructed using defined transformation of values in GF(2S-box constructed using defined transformation of values in GF(288) and is designed to be) and is designed to be resistant to all known attacks
resistant to all known attacks •
• The inverse substitute byte transformation calledThe inverse substitute byte transformation called invSubBytesinvSubBytesmakes use of inverse S-makes use of inverse S-box
box
ShiftRows Transformation: ShiftRows Transformation:
The forward shift row transformation, called ShiftRows, is depicted below. The first row of The forward shift row transformation, called ShiftRows, is depicted below. The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is p
2-byte circular left shift is performed. For the fourth row, a erformed. For the fourth row, a 3-byte circular left shift is 3-byte circular left shift is performed.performed.
The inverse shift row transformation, called
The inverse shift row transformation, calledInvShiftRowsInvShiftRows, performs the circular shifts in the, performs the circular shifts in the opposite direction for each of the last three rows, with a one-byte circular right shift for the second opposite direction for each of the last three rows, with a one-byte circular right shift for the second
The
The forward mix column transformation forward mix column transformation, called MixColumns, operates on each column individually., called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. The transformation can be defined by the following
The transformation can be defined by the following matrix multiplication on State.matrix multiplication on State.
Each element in the product matrix is the sum of products of elements of one row and one column. Each element in the product matrix is the sum of products of elements of one row and one column. In this case, the individual additions and multiplications
In this case, the individual additions and multiplications are performed in GF(2are performed in GF(288) ) using irreducible) ) using irreducible polynomial m(x) = x
polynomial m(x) = x88+ x+ x44+ x+ x33+ x + 1. The inverse mix column transformation, called+ x + 1. The inverse mix column transformation, called InvMixColumnsInvMixColumns,, is defined by the following matrix
AddRoundKey Transformation AddRoundKey Transformation
In the
In the forward add round key transformation forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key. As shown below, the operation is viewed as a columnwise XORed with the 128 bits of the round key. As shown below, the operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key; it can also be operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
viewed as a byte-level operation.
The inverse add round key transformation is identical to the forward add round key transformation, The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its
because the XOR operation is its own inverse.own inverse.
AES Key Expansion AES Key Expansion
The AES key expansion algorithm takes as input a
The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces4-word (16-byte) key and produces a linear array of 44 words (176 bytes).
a linear array of 44 words (176 bytes). This is sufficient to provide a 4-word round key for theThis is sufficient to provide a 4-word round key for the initial AddRoundKey stage and each of the 10 rounds initial AddRoundKey stage and each of the 10 rounds of the cipher. The key is copied into the first four of the cipher. The key is copied into the first four words of the expanded key. The remainder of the words of the expanded key. The remainder of the expanded key is filled in four words at a time. Each expanded key is filled in four words at a time. Each added word w[i] depends on the immediately added word w[i] depends on the immediately preceding word, w[i 1], and the word four positions preceding word, w[i 1], and the word four positions back,w[i 4]. In three out of four cases, a simple XOR is back,w[i 4]. In three out of four cases, a simple XOR is used. For a word whose position in the w array is a used. For a word whose position in the w array is a multiple of 4, a more complex function
multiple of 4, a more complex function gg is used. Theis used. The function g consists of the following
function g consists of the following subfunctionssubfunctions
RotWord RotWord performs a one-byte circular left shiftperforms a one-byte circular left shift on a word. This means that an input word [b0, b1, b2, on a word. This means that an input word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
b3] is transformed into [b1, b2, b3, b0].
SubWord SubWord performs a byte substitution on eachperforms a byte substitution on each byte of its input word, using the S-box
byte of its input word, using the S-box
The result of steps 1 and 2 is XORed with aThe result of steps 1 and 2 is XORed with a round constant,
round constant,Rcon[j Rcon[j ].].
The round constant is a word in which theThe round constant is a word in which the three rightmost bytes are always 0.
three rightmost bytes are always 0.
The effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of The effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word.
the word.
The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0 , 0), with, 0), with RC[1] = 1, RC[j] = 2 · RC[j - 1] and with multiplication defined over the field GF(2
•
• Designed to resist known attacksDesigned to resist known attacks •
• Design criteria includesDesign criteria includes
Knowing part key insufficient to find many moreKnowing part key insufficient to find many more
Invertible transformationInvertible transformation
Fast on wide range of CPU’sFast on wide range of CPU’s
Use round constants to break symmetryUse round constants to break symmetry
Diffuse key bits into round keysDiffuse key bits into round keys
Enough non-linearity to hinder analysisEnough non-linearity to hinder analysis
Simplicity of descriptionSimplicity of description
AES Decryption AES Decryption
1. AES decryption is not 1. AES decryption is not identical to encryption since identical to encryption since steps done in reverse
steps done in reverse
2. But can define an equivalent 2. But can define an equivalent inverse cipher with steps as for inverse cipher with steps as for encryption
encryption
3. But using inverses of each 3. But using inverses of each step
step
4. With a different key schedule 4. With a different key schedule
5. Works since result is 5. Works since result is unchanged when
unchanged when
6. Swap byte substitution & 6. Swap byte substitution & shift rows
shift rows
7. Swap mix columns & add 7. Swap mix columns & add (tweaked) round key
Implementation Aspects Implementation Aspects
Can efficiently implement on 8-bit CPUCan efficiently implement on 8-bit CPU
byte substitution works on bytes using a table of 256 entriesbyte substitution works on bytes using a table of 256 entries
shift rows is simple byte shiftshift rows is simple byte shift
add round key works on byte XOR’sadd round key works on byte XOR’s
mix columns requires matrix multiply in GF(2mix columns requires matrix multiply in GF(288) which works on byte values, can be) which works on byte values, can be simplified to use table lookups & byte XOR’s
simplified to use table lookups & byte XOR’s
Can efficiently implement on 32-bit CPUCan efficiently implement on 32-bit CPU
redefine steps to use 32-bit wordsredefine steps to use 32-bit words
can precompute 4 tables of 256-wordscan precompute 4 tables of 256-words
then each column in each round can be computed using 4 table lookups + 4 XORsthen each column in each round can be computed using 4 table lookups + 4 XORs
at a cost of 4Kb to store tablesat a cost of 4Kb to store tables
Designers believe this very efficient implementation was a key factor in its selectionDesigners believe this very efficient implementation was a key factor in its selection as the AES cipher
