AES - Advanced Encryption Standard
Why AES?
• In the 1990s, cracking the DES algorithm became possible.
• Clearly a replacement for DES was needed:
• DES has theoretical attacks that can break it
• and demonstrated exhaustive key-search attacks
• Can use Triple-DES, but it is slow and has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• Issued as FIPS PUB 197 standard in Nov-2001
• The modern symmetric-key block cipher
Criteria for Selecting AES
• The criteria defined by NIST for selecting AES fall into three areas:
• Security: The main emphasis was on security. Because NIST explicitly
demanded a 128-bit key, this criterion focused on resistance to
cryptanalysis attacks other than brute-force attack.
• Cost: The second criterion was cost, which covers the computational
efficiency and storage requirement for different implementations such
as hardware, software, or smart cards.
• Implementation: This criterion included the requirement that the
algorithm must have flexibility (be implementable on any platform)
and simplicity.
AES Shortlist
• After testing and evaluation, shortlist in Aug-99
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security margin
• Rijndael (Belgium) - clean, fast, good security margin
• Serpent (Euro) - slow, clean, v. high security margin
• Twofish (USA) - complex, v. fast, high security margin
AES Conceptual Scheme
Figure: Plaintext (128 bits) → AES → Ciphertext (128 bits), with Key (128-256 bits)
Multiple rounds
• Rounds are (almost) identical
• First and last round are a little different
Advance Encryption Standard-AES Cryptosystem
Key Expansion
• Round keys are derived from the cipher key using Rijndael's key schedule
Initial Round
• AddRoundKey: each byte of the state is combined with the round key using bitwise XOR
Rounds
• SubBytes: non-linear substitution step
• ShiftRows: transposition step
• MixColumns: mixing operation on each column
• AddRoundKey
Final Round (no MixColumns)
• SubBytes
• ShiftRows
• AddRoundKey
Data Units
AES uses five units of measurement to refer to data: bits, bytes,
words, blocks, and state.
• Bit: In AES, a bit is a binary digit with a value of 0 or 1.
• Byte: A byte is a group of eight bits.
• Word: A word is a group of 32 bits or 4 bytes.
• Block: A block in AES is a group of 128 bits.
• State: States, like blocks, are made of 16 bytes, but normally are
treated as matrices of 4 × 4 bytes.
128-bit values
• Data block viewed as 4-by-4 table of bytes
• Represented as 4 by 4 matrix of 8-bit bytes.
• Key is expanded to array of 32-bit words
Figure: Data Unit (each cell is 1 byte)
Changing Plaintext to State
Details of Each Round
SubBytes Operation
• The SubBytes operation involves 16 independent byte-to-byte transformations.
• Interpret the byte as two hexadecimal digits xy
• SW implementation: use row (x) and column (y) as lookup pointer
Figure: S1,1 = xy (hex) is replaced by the table entry x'y' (hex)
SubBytes Table
• Implement by Table Lookup
InvSubBytes Table
Sample SubByte Transformation
• The SubBytes and InvSubBytes transformations are
inverses of each other.
ShiftRows
• Shifting, which permutes the bytes.
• A circular byte shift in each row:
• 1st row is unchanged
• 2nd row does 1 byte circular shift to left
• 3rd row does 2 byte circular shift to left
• 4th row does 3 byte circular shift to left
• In the encryption, the transformation is called ShiftRows
• In the decryption, the transformation is called InvShiftRows and the shifting is to the right
ShiftRows Scheme
ShiftRows and InvShiftRows
MixColumns
• ShiftRows and MixColumns provide diffusion to the cipher
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
Mix Columns operation
MixColumn and InvMixColumn
Example of Mix column
Multiply the MixColumns matrix by the state; the first column of the state is (63, F2, 7D, D4):

  02 03 01 01       63 C9 FE 30
  01 02 03 01   x   F2 63 26 F2
  01 01 02 03       7D D4 C9 C9
  03 01 01 02       D4 FA 63 82
  (MixColumns)      (State)

First output byte of the first column:
  {02 ⊗ 63} ⨁ {03 ⊗ F2} ⨁ {01 ⊗ 7D} ⨁ {01 ⊗ D4}

02 = 00000010 = x
63 = 01100011 = x^6 + x^5 + x + 1
02 ⊗ 63 = x · (x^6 + x^5 + x + 1)
        = x^7 + x^6 + x^2 + x
        = 11000110
        = C6

03 = 00000011 = x + 1
F2 = 11110010 = x^7 + x^6 + x^5 + x^4 + x
03 ⊗ F2 = (x + 1)(x^7 + x^6 + x^5 + x^4 + x)
        = x^8 + x^7 + x^6 + x^5 + x^2 + x^7 + x^6 + x^5 + x^4 + x
        = x^8 + x^4 + x^2 + x

Irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
Now, x^8 + x^4 + x^2 + x is reduced modulo m(x). Since x^8 ≡ x^4 + x^3 + x + 1 (mod m(x)):
        x^8 + x^4 + x^2 + x = (x^4 + x^3 + x + 1) + x^4 + x^2 + x
        = x^3 + x^2 + 1
        = 00001101
        = 0D
03 ⊗ F2 = 0D

01 ⊗ 7D = 7D
01 ⊗ D4 = D4

Now,
{02 ⊗ 63} ⨁ {03 ⊗ F2} ⨁ {01 ⊗ 7D} ⨁ {01 ⊗ D4}
= C6 ⨁ 0D ⨁ 7D ⨁ D4
= 62

Bit by bit:
  C6                    1 1 0 0 0 1 1 0
  0D                    0 0 0 0 1 1 0 1
  C6 ⨁ 0D               1 1 0 0 1 0 1 1
  7D                    0 1 1 1 1 1 0 1
  C6 ⨁ 0D ⨁ 7D          1 0 1 1 0 1 1 0
  D4                    1 1 0 1 0 1 0 0
  C6 ⨁ 0D ⨁ 7D ⨁ D4     0 1 1 0 0 0 1 0  = 62

Example of Mix column (result)
Applying the same matrix multiplication to every byte of the first column (63, F2, 7D, D4) gives the new column, which begins 62, CF, 0C.
AddRoundKey
• XOR state with 128 bits of the round key
• AddRoundKey proceeds one column at a time.
• adds a round-key word to each column of the state matrix
• the operation is matrix addition
• Inverse for decryption identical
• since XOR is its own inverse, with reversed keys
• Designed to be as simple as possible
AddRoundKey Scheme
AES Round
AES Key Scheduling
• takes a 128-bit (16-byte) key and expands it into an array of 44 32-bit words
Key Expansion Scheme
Key Expansion sub-module
• RotWord performs a one-byte circular left shift on a word. For example:
RotWord[b0,b1,b2,b3] = [b1,b2,b3,b0]
• SubWord performs a byte substitution on each byte of the input word using the S-box
• Round Constant: each round constant, RCon, is a 4-byte value in which the rightmost three bytes are always zero
Round Constant (RCon)
• RCon is a word in which the three rightmost bytes are zero
• It is different for each round and defined as:
RCon[j] = (RC[j],0,0,0)
where RC[1] = 1, RC[j] = 2 * RC[j-1]
• Multiplication is defined over GF(2^8) but can be implemented by table lookup
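The GF(2^8) multiplication and MixColumns arithmetic worked by hand on the Example of Mix column slides, together with the RotWord, SubWord and RCon sub-steps just described, as an added Python example (not code from the slides). It assumes the AES-128 schedule (44 words) and computes the S-box from GF(2^8) inverses plus the AES affine map instead of storing the table.

```python
# Added example (not from the slides). The AES irreducible polynomial is
# m(x) = x^8 + x^4 + x^3 + x + 1; reducing an overflowed x^8 term by m(x) is the
# XOR with 0x1B below, the same step used on the "03 (x) F2 = 0D" slide.

def xtime(a):
    """Multiply a byte by 02 (= x) in GF(2^8): shift, reduce if bit 8 was set."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by repeated xtime (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))

def mix_column(col, matrix=MIX):
    """MixColumns on one 4-byte column; pass INV_MIX to get InvMixColumns."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out

def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def sbox_entry(a):
    """S-box value: multiplicative inverse in GF(2^8), then the AES affine map."""
    inv = next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0) if a else 0
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]  # the SubBytes lookup table

def rot_word(w):
    """RotWord: one-byte circular left shift, [b0,b1,b2,b3] -> [b1,b2,b3,b0]."""
    return w[1:] + w[:1]

def sub_word(w):
    """SubWord: S-box applied to each byte of the word."""
    return [SBOX[b] for b in w]

def rcon(j):
    """RCon[j] = (RC[j], 0, 0, 0) with RC[1] = 01 and RC[j] = 02 * RC[j-1]."""
    rc = 1
    for _ in range(j - 1):
        rc = xtime(rc)
    return [rc, 0, 0, 0]

def key_expansion(key):
    """AES-128 key schedule: 16-byte key -> 44 words (11 round keys of 4 words)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:  # first word of each group gets RotWord + SubWord + RCon
            temp = [a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // 4))]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

if __name__ == "__main__":
    col = [0x63, 0xF2, 0x7D, 0xD4]  # first state column from the slide
    print([f"{b:02X}" for b in mix_column(col)])  # ['62', 'CF', '0C', '99']
```

Running key_expansion on the FIPS 197 Appendix A key reproduces its expanded words, and mix_column followed by the INV_MIX matrix returns the original column.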
AES Example: Key Expansion
AES Example: Encryption
AES Decryption
• AES decryption is not identical to encryption since steps are done in reverse
• but can define an equivalent inverse cipher with steps as for encryption
  - but using inverses of each step
  - with a different key schedule
• works since result is unchanged when
  - swap byte substitution & shift rows
  - swap mix columns & add (tweaked) round key
AES Decryption
AES Security
• AES was designed after DES.
• Most of the known attacks on DES were already tested on AES.
• Brute-Force Attack
• AES is definitely more secure than DES due to the larger-size key.
• Statistical Attacks
• Numerous attempts at statistical analysis of the ciphertext have failed
• Differential and Linear Attacks
• There are no differential and linear attacks on AES as yet.
Implementation Aspects
• The algorithms used in AES are so simple that they
can be easily implemented using cheap processors
and a minimum amount of memory.
• Very efficient
• Implementation was a key factor in its selection as the
AES cipher


Editor's Notes

  • #6: The input to the AES encryption and decryption algorithms is a single 128-bit block, depicted in FIPS PUB 197 as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output. The key is expanded into 44/52/60 lots of 32-bit words (see later), with 4 used in each round. The data computation then consists of an “add round key” step, then 9/11/13 rounds with all 4 steps, and a final 10th/12th/14th step of byte subs + shift rows + add round key. This can be viewed as alternating XOR key & scramble data bytes operations. All of the steps are easily reversed, and can be efficiently implemented using XORs & table lookups.
  • #18: The ShiftRows stage provides a simple “permutation” of the data, whereas the other steps involve substitutions. Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns. It performs a circular rotate on each row of 0, 1, 2 & 3 places for respective rows. When decrypting it performs the circular shifts in the opposite direction for each row. This row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns.
  • #19: Stallings Figure 5.5a illustrates the Shift Rows permutation.
  • #21: The MixColumns stage is a substitution that makes use of arithmetic over GF(2^8). Each byte of a column is mapped into a new value that is a function of all four bytes in that column. It is designed as a matrix multiplication where each byte is treated as a polynomial in GF(28). The inverse used for decryption involves a different set of constants. The constants used are based on a linear code with maximal distance between code words – this gives good mixing of the bytes within each column. Combined with the “shift rows” step provides good avalanche, so that within a few rounds, all output bits depend on all input bits.
  • #29: Lastly is the Add Round Key stage, which is a simple bitwise XOR of the current block with a portion of the expanded key. Note this is the only step which makes use of the key and obscures the result, hence it MUST be used at the start and end of each round, since otherwise the effect of the other steps could be undone. The other steps provide confusion/diffusion/non-linearity. That is, you can look at the cipher as a series of XOR-with-key then scramble/permute-block operations, repeated. This is believed to be efficient and highly secure.
  • #30: Stallings Figure 5.4b illustrates the Add Round Key stage, which like Byte Substitution, operates on each byte of state independently.
  • #31: Can thus now view all the internal details of the AES round, showing how each byte of the state is manipulated, as shown in Stallings Figure 5.3.
  • #32: The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of words, providing a 4-word round key for the initial AddRoundKey stage and each of the 10/12/14 rounds of the cipher. It involves copying the key into the first group of 4 words, and then constructing subsequent groups of 4 based on the values of the previous & 4th back words. The first word in each group of 4 gets “special treatment” with rotate + S-box + XOR constant on the previous word before XOR’ing the one from 4 back. In the 256-bit key/14 round version, there’s also an extra step on the middle word.
  • #41: AES can also be very efficiently implemented on a 32-bit processor, by rewriting the stage transformation to use 4 table lookups & 4 XORs per column of state. These tables can be computed in advance using the formulae shown in the text, and need 4Kb to store. The developers of Rijndael believe that this compact, efficient implementation was probably one of the most important factors in the selection of Rijndael for AES.