Cryptography and Network Security

Spring 2006
http://www.abo.fi/~ipetre/crypto/

Lecture 5: Advanced Encryption Standard (AES)

Ion Petre
Academy of Finland and
Department of IT, Åbo Akademi University

March 30, 2006 1

 Origin of AES
„ 1999: NIST indicates that DES should be replaced as a standard
‰ have theoretical attacks that can break it
‰ have demonstrated exhaustive key search attacks
„ Triple-DES should be used before a new standard is approved
‰ 3DES has 168-bit key: brute-force attack is infeasible
‰ Same engine as for DES is running – software/hardware can be reused
‰ Confident that no effective attack exists: DES has been around for a long time
‰ As far as security is concerned, 3DES is ideal to replace DES
„ Drawbacks of 3DES
‰ Relatively slow software implementations – DES was designed for 1970’s hardware
‰ DES and 3DES use 64-bit blocks: for efficiency and security, larger blocks should be used
„ US NIST issued call for ciphers in 1997
‰ 15 candidates accepted in Jun 98
‰ 5 were shortlisted in Aug-99
‰ Rijndael was selected as the AES in Oct-2000
‰ issued as FIPS PUB 197 standard in Nov-2001

March 30, 2006 2

Requirements for the new standard

„ Private key symmetric block cipher

„ 128-bit data, 128/192/256-bit keys
„ Stronger and faster than 3DES
„ Active life of 20-30 years (+ archival use)
„ Provide full specification and design details
„ Both C and Java implementations
„ NIST have released all submissions & unclassified analyses

March 30, 2006 3

AES Evaluation Criteria

„ Initial criteria:
‰ security – effort to practically cryptanalyze
‰ cost – computational efficiency, so as to be used in high-speed applications, such as
broadband links
‰ algorithm and implementation characteristics: should be suitable for a variety of
soft/hard implementations, simple enough to make analysis straightforward
„ Final criteria
‰ general security: this was conducted by the public (academic) cryptographic
community: people published various attacks and weaknesses of the candidates
‰ software and hardware implementation ease: execution speed, performance on
various platforms, variation of speed with key size
‰ Attacks on implementation: timing attacks and power analysis
„ Multiplication consumes more power and takes more time than addition
„ Writing 1s consumes more power and takes more time than writing 0s
‰ Flexibility (in encryption/decryption, key change, other factors)

March 30, 2006 4

AES Shortlist

„ After testing and evaluation, shortlist in Aug-99:

‰ MARS (IBM) - complex, fast, high security margin
‰ RC6 (USA) - v. simple, v. fast, low security margin
‰ Rijndael (Belgium) - clean, fast, good security margin
‰ Serpent (Euro) - slow, clean, v. high security margin
‰ Twofish (USA) - complex, v. fast, high security margin
„ Then subject to further analysis & comment
„ Analysed contrast between algorithms with
‰ few complex rounds vs. many simple rounds
‰ which refined existing ciphers vs. new proposals

March 30, 2006 5

The AES Cipher – Rijndael

„ Designed by Rijmen-Daemen in Belgium

„ 128/192/256-bit keys, 128 bit data
„ Does not have the structure of a classical feistel cipher
‰ treats data in 4 groups of 4 bytes
‰ operates an entire block in every round
„ Designed to be:
‰ resistant against known attacks
‰ speed and code compactness on many platforms
‰ design simplicity
„ Decryption algorithm different than the encryption

March 30, 2006 6

Rijndael

„ Processes data as 4 groups of 4 bytes – 128-bit block

„ Input block copied into State array, modified at each stage of encryption
or decryption and copied to the output matrix after the final round
„ has 9/11/13 rounds (depending on which variant is used) in which State
undergoes:
‰ byte substitution (one S-box used on every byte)
‰ shift rows: a simple permutation
‰ mix columns: substitution using arithmetic in GF(28)
‰ add round key (XOR State with the round key)
„ initial XOR of the plaintext with a round key
„ There is an incomplete last round (the 10th/12th/14th)
„ Note: all operations can be combined into XOR and table lookups - hence
very fast and efficient

March 30, 2006 7

 Implementation: one AES Round

March 30, 2006 8

Rijndael – the structure

„ Discuss each of the four stages in each round

„ For each stage, describe the encryption and decryption algorithms
„ Describe the rationale of each stage
„ Describe key expansion
„ Each stage operates on the 128-bit State, i.e., 16 bytes – these will be
treated as a 4x4 matrix of bytes
‰ The first four bytes are on the first column, the following 4 on the second
column, etc.
„ In this description we assume key length of 128
‰ Details are only slightly different for longer keys
‰ The 128-bit key is also shown as a matrix of 4x4 bytes (each byte is a
number from 0 to 255): first 4 bytes on the first column, following 4 on the
2nd columns, etc.
‰ The key is expanded in an array of 44 words – each word has 4 bytes;
these key words are used throughout the rounds: in each XOR are involved
4 words

March 30, 2006 9

 Rijndael data structures

March 30, 2006 10

 Rijndael

March 30, 2006 11

 Substitute bytes transformation

„ Note: we will denote hexadecimal numbers in parenthesis: {45}, {A6},

{CF}
„ SubBytes is a simple table lookup (see next slide)
‰ table of 16x16 bytes containing a permutation of all 256 8-bit values
„ Each byte of state is replaced by a byte in the table
‰ The row is given by the leftmost 4-bits of the byte
‰ The column is given by the rightmost 4-bits of the byte
‰ Example: byte {95} (in hexa) is replaced by the byte on row 9, column 5:
{2A} (see next slide)
„ For decryption, use the inverse S-box

March 30, 2006 12

The S-box transformation

March 30, 2006 13

AES S-boxes

March 30, 2006 14

How is the S-box constructed?

„ S-box is constructed using a certain transformation of the values in GF(28)

„ Designed to be resistant to all known attacks

1. Initialize the S-box with the byte values in ascending order row by row: first row
contains {00}, {01}, {02}, …,{0F}, second row contains {10}, {11}, {12},…,{1F},
etc.
2. Map each nonzero byte in the S-box to its multiplicative inverse in GF(28), {00} is
mapped to itself
3. Each byte in the S-box is a sequence of 8 bits (b7,b6,…,b1,b0). Apply the
following transformation to each bit of each byte:
bi’=bi⊕b(i+4)mod 8⊕b(i+5)mod 8⊕b(i+6)mod 8⊕b(i+7)mod 8⊕ci
where ci is the ith bit of {63}: (c7,c6,c5,c4,c3,c2,c1,c0)=(01100011)

March 30, 2006 15

 How are the S-boxes constructed?

Note that the Step 3 in producing the S-box is the transformation shown
bellow – in there, the addition is XOR and the multiplication is the
normal multiplication of 0 and 1

March 30, 2006 16

How are the S-boxes constructed?

„ The inverse S-box (used in the decryption) is computed as follows:

1. Apply to the S-box the inverse of the transformation in Step 3 (multiply

with the inverse of the matrix shown on the previous slide):
bi’=bi ⊕ b(i+2)mod 8 ⊕ b(i+5)mod 8 ⊕ b(i+7)mod 8 ⊕ di
where byte d={05}, i.e., d=(00000101)
2. Replace each byte of the table with its multiplicative inverse in GF(28)

March 30, 2006 17

Why are the S-boxes constructed in this way?

„ The S-box should be resistant to known cryptanalytical attacks

‰ Low correlation between input bits and output bits
‰ Output cannot be described as a simple math function of the input
‰ The transformation was chosen so that the S-box has no fixed point (S-
box(a)=a) and no opposite fixed points (S-box(a)=a’, where a’ is the
bitwise complement of a)
‰ S-box should be invertible
‰ S-box should not be self-inverse (avoid S-box(a)=IS-box(a))

March 30, 2006 18

 Rijndael

March 30, 2006 19

Shift Row Transformations

„ For encryption, circular byte shift in each row

‰ 1st row is unchanged
‰ 2nd row does 1 byte circular shift to left
‰ 3rd row does 2 byte circular shift to left
‰ 4th row does 3 byte circular shift to left
„ For decryption, all shifts are done to right
„ Why this particular shift?
‰ Since state is processed by columns, this step permutes bytes between the
columns
‰ The 4 bytes of one column are spread out to 4 different columns
„ This step provides “permutation” of the data, whereas the other steps
provide substitutions (recall Shannon’s S-P networks)

March 30, 2006 20

 Shift Row
Transformations

Mix Column
Transformations

March 30, 2006 21

 Rijndael

March 30, 2006 22

Mix Columns

„ MixColumns operates on each column independently

„ Each byte is replaced by a value dependent on all 4 bytes in its
column, where all operations are done in GF(28), with m(x)=
x8+x4+x3+x+1
s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
for all 0≤j ≤3.

March 30, 2006 23

Mix Columns

„ MixColumns is in fact a matrix multiplication in GF(28) using prime

polynomial m(x) =x8+x4+x3+x+1

„ Why those constants in the matrix?

‰ Equivalent definition: take each column as a polynomial of degree at most 3 and
multiply it with {03}x3+{01}x2+{01}x+{02} mod x4+1
‰ Multiplication with {00},{01},{02},{03} is easy to implement: at most one shift and
XOR
‰ Gives good mixing of the bytes within each column
‰ Combined with the “shift rows” step, it provides good avalanche, so that within a
few rounds, all output bits depend on all input bits.

March 30, 2006 24

 Example on how to do computations in GF(28)

„ An element of GF(28) is a byte (b7,b6,…,b1,b0) or, equivalently, a polynomial of

degree at most 7 with coefficients 0 and 1:
f(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
„ Doing computations with polynomials in GF(28) can be implemented easily as
operations with bytes
„ Addition u⊕v is simply bitwise XOR of the two bytes
„ Multiplication u●v more complicated: a series of is shift & XOR – example bellow for
GF(28) with m(x)= x8+x4+x3+x+1 (as in AES)

‰ x8 mod m(x) = (m(x)- x8) = x4+x3+x+1

‰ Consider a byte v, i.e., polynomial in GF(28), v(x)=b7x7+b6x6+b5x5+b4x4+b3x3+b2x2+b1x+b0
‰ Multiplying by x we have xv(x)=b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x
‰ If b7=0, then the result is in GF(28). If b7=1, then we need to reduce x8 mod m(x):
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + (x4+x3+x+1)
‰ Thus, multiplication by x is in fact a 1-bit left shift potentially followed by a XOR with
(00011011)
‰ Multiplication by higher powers of x implies an iteration of the above procedure

March 30, 2006 25

 Example on applying MixColumns
87 F2 4D 97 47 40 A3 4C s’0,j=(2•s0,j) ⊕ (3•s1,j) ⊕ s2,j ⊕ s3,j
37 D4 70 9F s’1,j=s0,j ⊕ (2•s1,j) ⊕ (3•s2,j) ⊕ s3,j
6E 4C 90 EC
s’2,j=s0,j ⊕ s1,j ⊕ (2•s2,j) ⊕ (3•s3,j)
46 E7 4A C3 94 E4 3A 42
s’3,j=(3•s0,j) ⊕ s1,j ⊕ s2,j ⊕ (2•s3,j)
A6 8C D8 9 ED A5 A6 BC

• Consider the computation of the value on the top left corner:

({02}•{87}) ⊕ ({03}•{6E}) ⊕ {46} ⊕ {A6}
• {02}•{87}: {02}=(0000 0010) , i.e., polynomial X: we have here multiplication with X:
xv(x) = (b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x) + b7(x4+x3+x+1)
• Since v(X)={87}=(1000 0111), i.e., b7=1, we get
{02}•{87}=(0000 1110) ⊕ (0001 1011)=(0001 0101)
• Similarly, {03}•{6E}=(1011 0010)
• The top-left value should be:
(0001 0101) ⊕
(1011 0010) ⊕
(0100 0110) ⊕
(1010 0110) =
(0100 0111) =
{47}

March 30, 2006 26

Inverse Mix Columns

„ The inverse mix column transformation InvMixColumns is defined by

the following matrix multiplication in GF(28)

0E 0B 0D 09 S0,0 S0,1 S0,3 S0,4 S’0,0 S’0,1 S’0,2 S’0,3

09 0E 0B 0D S1,0 S1,1 S1,2 S1,3 S’1,0 S’1,1 S’1,2 S’1,3

OD 09 0E 0B S2,0 S2,1 S2,2 S2,3 = S’2,0 S’2,1 S’2,2 S’2,3

0B 0D 09 0E S3,0 S3,1 S3,2 S3,3 S’3,0 S’3,1 S’3,2 S’3,3

March 30, 2006 27

 Why these mix column transformations?

„ MixColumns can be described also in other terms:

‰ Each column describes a polynomial of degree 3
‰ MixColumns is simply the multiplication of each column/polynomial with a(x)
modulo (x4+1), where a(x)={03}x3+{01}x2+{01}x+{02}
„ InvMixColumns is the multiplication of each column/polynomial with
b(x)={0B}x3+{0D}x2+{09}x+{0E}, where b(x)=a-1(x) mod (x4+1)

March 30, 2006 28

 Rijndael

March 30, 2006 29

Add Round Key

„ XOR state with 128-bits of the round key

„ Same in the decryption – use the round keys in reverse order

March 30, 2006 30

 AES Key Expansion

„ Takes 128-bit (16-byte) key and expands into an array of 44 32-bit words
(each word has 4 bytes)
‰ KeyExpansion(byte key[16], word w[44])
{
Word temp;
For (i=0;i<4; i++) // key is copied into the first 4 words
w[i]=(key[4*i], key[4*i+1],key[4*i+2],key[4*i+3])
For (i=4;i<44;i++) // the rest of the words are produced here
{
temp=w[i-1];
if (i mod 4 == 0)
temp=SubWord( RotWord(temp) ) ⊕ Rcon[i/4];
w[i]=w[i-4] ⊕ temp; // Most of the words are just XOR of two earlier values
}
}

March 30, 2006 31

AES key expansion

„ Key is copied first into the first 4 words of the expanded key
„ Each added word depends on the previous word and on the one 4 positions
earlier
„ In 3 cases out of 4 a simple XOR is used
„ For every fourth word a more complex function is used
‰ RotWord performs one-byte circular left-shift on a word: [b0,b1,b2,b3] is
transformed into [b1,b2,b3,b0]
‰ SubWord performs a byte substitution on each byte of the input word, using the
S-box of AES
‰ Results of step 1 and 2 are XORED with a round constant Rcon[j] (a geometric
progression with rate 2 computed in GF(28):

J 1 2 3 4 5 6 7 8 9 10
Rcon[J] {01} {02} {04} {08} {10} {20} {40} {80} {1B} {36}

March 30, 2006 32

AES Decryption

„ AES decryption is not identical to encryption since steps must be

performed in reverse
‰ This is a disadvantage because different software is needed for encryption
and decryption
‰ Encryption is an interation of SubBytes, ShiftRows, MixColumns,
AddRoundKey
‰ Decryption is an interation of InvShiftRows, InvSubBytes, AddRoundKey,
InvMixColumns
„ Decryption can be modified to use the encryption software (switch the
order of the first two operations and the order of the last two operations
in each round), provided we operate a small change in the key
expansion
‰ Before we apply AddRoundKey in each round, we apply InvMixColumns to
the matrix formed by the 4 words participating in the current round

March 30, 2006 33

 Implementation aspects: AES Round with State seen as an
array with 16 bytes rather than as a 4x4 matrix

March 30, 2006 34

Implementation Aspects

„ Can efficiently implement on 8-bit CPU

‰ byte substitution works on bytes using a table of 256 entries
‰ shift rows is simple byte shifting
‰ add round key works on byte XORs
‰ mix columns requires matrix multiply in GF(28) which works on byte
values, can be simplified to use a table lookup

March 30, 2006 35

Implementation Aspects

„ Can efficiently implement on 32-bit CPU

‰ redefine steps to use 32-bit words
‰ can precompute 4 tables of 256-words
‰ then each column in each round can be computed using 4 table lookups
+ 4 XORs
‰ at a cost of 16Kb to store tables
„ Designers believe this very efficient implementation was a key factor
in its selection as the AES cipher

March 30, 2006 36