Department of Information Science and Engineering
Cryptography and Network Security
Subject Code: 21IST44
Module 3: Advanced Encryption Standard
By
Dr Mohan D N
Assistant Professor
Introduction
There is a high level of confidence that 3DES is very resistant to cryptanalysis. If security were the
only consideration, then 3DES would be an appropriate choice for a standardized encryption
algorithm for decades to come.
The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The original
DES was designed for mid-1970s hardware implementation and does not produce efficient software
code. 3DES, which has three times as many rounds as DES, is correspondingly slower. A secondary
drawback is that both DES and 3DES use a 64-bit block size. For reasons of both efficiency and
security, a larger block size is desirable.
Because of these drawbacks, 3DES is not a reasonable candidate for long-term use. As a replacement,
NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which
should have a security strength equal to or better than 3DES and significantly improved efficiency. In
addition to these general requirements, NIST specified that AES must be a symmetric block cipher
with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits.
The two researchers who developed and submitted Rijndael for the AES are both cryptographers from
Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
AES replaced DES encryption
• The Data Encryption Standard, also known as DES, is no longer considered secure. While
there are no known severe weaknesses in its internals, it is inherently flawed because its 56-bit
key is too short. A German court recently declared DES to be “out-of-date and not secure
enough,” and held a bank accountable for utilizing it.
• One of the primary objectives for the DES replacement algorithm from the National Institute
of Standards and Technology (NIST) was that it be efficient in both software and hardware
implementations. (Originally, DES was only practical in hardware implementations.)
Performance analysis of the algorithms was carried out using Java and C reference
implementations. AES was chosen in an open competition that included 15 candidates from as
many research teams around the world, and the overall amount of resources dedicated to the
process was enormous.
• Finally, in October 2000, the National Institute of Standards and Technology (NIST)
announced Rijndael as the proposed Advanced Encryption Standard (AES).
Difference between 3DES and AES encryption
• Both AES and 3DES, often known as triple DES, are symmetric block ciphers, and both are current
data encryption standards, though the use of 3DES has become increasingly unpopular in recent years.
Both have the same goals and objectives, and there are many similarities between them.
AES Evaluation
It is worth examining the criteria used by NIST to evaluate potential candidates. When NIST
issued its original request for candidate algorithm nominations in 1997 [NIST97], the request
stated that candidate algorithms would be compared on the basis of three categories of criteria:
i. Security: This refers to the effort required to cryptanalyze an algorithm. The emphasis in
the evaluation was on the practicality of the attack. Because the minimum key size for AES
is 128 bits, brute-force attacks with current and projected technology were considered
impractical. Therefore, the emphasis, with respect to this point, is on cryptanalysis other than a
brute-force attack.
ii. Cost: NIST intends AES to be practical in a wide range of applications. Accordingly, AES
must have high computational efficiency, so as to be usable in high-speed applications, such
as broadband links.
iii. Algorithm and implementation characteristics: This category includes a variety of
considerations, including flexibility; suitability for a variety of hardware and software
implementations; and simplicity, which will make an analysis of security more
straightforward.
Operations of AES
AES is an iterative rather than a Feistel cipher. It is based on a substitution–permutation network. It
comprises a series of linked operations, some of which involve replacing inputs by specific outputs
(substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits
of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for
processing as a matrix.
Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10
rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these
rounds uses a different 128-bit round key, which is calculated from the original AES key.
The Triple Data Encryption Algorithm (TDEA or 3DES) is being officially decommissioned, according
to draft guidelines provided by NIST on July 19, 2018. According to the guidelines, 3DES will be
deprecated for all new applications following a period of public deliberation, and its use will be
prohibited after 2023.
The AES Cipher
AES Encryption Process
• The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a
16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 6.1).
• The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently.
• The final round contains only three transformations, and there is an initial single transformation
(AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one
or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output.
• The figure shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the
ciphertext.
• Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix.
• Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
AES Key Expansion
• takes a 128-bit (16-byte) key and expands it into an array of 44 32-bit words
• starts by copying the key into the first 4 words
• then loops, creating each new word from the previous word and the word 4 places back
  • in 3 of 4 cases, these are simply XORed together
  • the 1st word in every 4 has rotate + S-box + XOR round constant applied to the previous word,
before the XOR with the word 4 back
Figure 6.2 AES Data Structures
The AES Detailed Structure
1. AES structure is not a Feistel structure. In the classic Feistel structure, half of the data block is used
to modify the other half of the data block and then the halves are swapped. AES instead processes
the entire data block as a single matrix during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four
distinct words (128 bits) serve as a round key for each round; these are indicated in the figure.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.
• ShiftRows: A simple permutation.
• MixColumns: A substitution that makes use of arithmetic over GF(2^8) (finite field arithmetic).
• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.
The AES Detailed Structure Contd..
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a
tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends
with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible
without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but
by themselves would provide no security because they do not use the key. We can view the
cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by
scrambling of the block (the other three stages), followed by XOR encryption, and so on. This
scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages, an
inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is
achieved by XORing the same round key to the block, using the result that A ⊕ B ⊕ B = A.
The AES Detailed Structure Contd..
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse
order. However, the decryption algorithm is not identical to the encryption algorithm. This is a
consequence of the particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does
recover the plaintext. At each horizontal point (e.g., the dashed line in the figure), State is the
same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a
consequence of the particular structure of AES and is required to make the cipher reversible.
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
   • four words form round key in each round
3. 4 different stages are used in each round
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
AES TRANSFORMATION FUNCTIONS
1. SUBSTITUTE BYTES
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
  • e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
• S-box constructed using a defined transformation of values in GF(2^8)
• designed to be resistant to all known cryptanalytic attacks
Substitute Bytes
S-Box
Substitute Bytes Example
2. SHIFT ROWS
• a circular byte shift in each row
  • Row 0: 0 bytes circular shift to left
  • Row 1: 1 byte circular shift to left
  • Row 2: 2 bytes circular shift to left
  • Row 3: 3 bytes circular shift to left
• decrypt inverts using shifts to the right
• since state is processed by columns, this step permutes bytes between the columns
Shift Rows
3. MIX COLUMNS
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8)
Mix Columns
Mix Columns Example
Addition and Multiplication in GF(28)
• In GF(2^8), addition is the bitwise XOR operation and multiplication can be performed as follows:
• Multiplication of a value by {02} can be implemented as a 1-bit left shift followed by a conditional
bitwise XOR with (0001 1011) if the leftmost bit of the original value (prior to the shift) is 1.
Mix Columns Example
4. ADD ROUND KEY
• XOR state with the 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical
  • since XOR is its own inverse, just with reversed keys
• designed to be as simple as possible
  • a form of Vernam cipher on the expanded key
  • requires the other stages for complexity / security
Add Round Key
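The following is an added example, not code from the slides or the textbook: a compact AES-128 encryptor in Python that assembles the pieces described above (multiplication by {02} in GF(2^8), the S-box derived from the GF(2^8) inverse and affine transform instead of a stored table, the 44-word key expansion, SubBytes, ShiftRows, MixColumns and AddRoundKey, ten rounds with a three-stage final round) and checks itself against the FIPS-197 known-answer vector. Function names are my own; the general gmul and S-box construction go a little beyond what the slides show.

```python
# Added example (not from the slides): AES-128 encryption assembled from the
# stages the lecture describes. Educational only: no mode of operation, not constant-time.

def xtime(b):
    """Multiply by {02} in GF(2^8): 1-bit left shift, then XOR with 0x1B (0001 1011)
    if the leftmost bit of the original value was 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """General GF(2^8) multiplication via repeated xtime (shift-and-add)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p

def ginv(x):
    """Multiplicative inverse x^254 (since x^255 == 1 for x != 0); maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gmul(r, x)
    return r

def _build_sbox():
    """S-box entry = affine transform of the GF(2^8) inverse (FIPS-197 section 5.1.1)."""
    table = []
    for x in range(256):
        inv = ginv(x)
        s = inv
        for i in range(1, 5):                              # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

# State and round keys are 16-byte lists in column-major order:
# index r + 4*c holds row r, column c (the order bytes arrive in the block).

def key_expansion(key):
    """Expand a 16-byte key into 44 words; every 4th word gets RotWord, SubWord
    and the round constant applied to the previous word before the XOR 4 back."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # first 4 words = key
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]                     # RotWord
            temp = [SBOX[b] for b in temp]                 # SubWord
            temp[0] ^= RCON[i // 4 - 1]                    # round constant
        w.append([w[i - 4][j] ^ temp[j] for j in range(4)])
    return w

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by r bytes, moving bytes between columns."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Each column is multiplied by the fixed circulant matrix with rows (2 3 1 1)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3,
                a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3,
                xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3)]
    return out

def add_round_key(s, rk):
    """Bitwise XOR with a 16-byte round key; XOR is its own inverse."""
    return [x ^ k for x, k in zip(s, rk)]

def aes128_encrypt_block(key, block):
    """Round 0: AddRoundKey; rounds 1-9: all four stages; round 10: no MixColumns."""
    w = key_expansion(key)
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # N + 1 = 11 round keys
    s = add_round_key(list(block), rk[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])
    return bytes(s)

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 known-answer vector
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())   # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Decryption is the same pipeline with the inverse S-box, right rotations, the inverse MixColumns constants and the round keys in reverse order; it is left out here to keep the block short.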

CNS Module 3_AES. in cryptography and network security


Editor's Notes

  • #9: Freedom from risk or danger; safety means taking appropriate measures for prevention of attacks. having systems in place beforehand which prevent attacks before they begin. Related to the first definition, having peace of mind knowing that your systems are safe and protected. This includes contingency plans for what to do when attackers strike, keeping up with the latest CERT advisories, hiring network security consultants to find insecurities in your network, etc.
  • #10: The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of words, providing a 4-word round key for the initial AddRoundKey stage and each of the 10/12/14 rounds of the cipher. It involves copying the key into the first group of 4 words, and then constructing subsequent groups of 4 based on the values of the previous & 4th back words. The first word in each group of 4 gets “special treatment” with rotate + S-box + XOR constant on the previous word before XOR’ing the one from 4 back. In the 256-bit key/14 round version, there’s also an extra step on the middle word. The text includes in section 5.4 pseudocode that describes the key expansion.
  • #11: The first block of the AES Key Expansion is shown here in Stallings Figure 5.9a. It shows each group of 4 bytes in the key being assigned to the first 4 words, then the calculation of the next 4 words based on the values of the previous 4 words, which is repeated enough times to create all the necessary subkey information.
  • #13: Stallings Figure 5.3 shows the structure of AES in more detail. The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key; 12 rounds for a 24-byte key; and 14 rounds for a 32-byte key. The first N – 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently. The final round contains only three transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
  • #17: Before delving into details, can make several comments about the overall AES structure. See text for details.
  • #19: We now turn to a discussion of each of the four transformations used in AES. For each stage, we mention the forward (encryption) algorithm, the inverse (decryption) algorithm, and the rationale for the design of that stage. The Substitute bytes stage uses an S-box to perform a byte-by-byte substitution of the block. There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all 256 8-bit values, constructed using a transformation which treats the values as polynomials in GF(28) – however it is fixed, so really only need to know the table when implementing. Decryption requires the inverse of the table. These tables are given in Stallings Table 5.2. The table was designed to be resistant to known cryptanalytic attacks. Specifically, the Rijndael developers sought a design that has a low correlation between input bits and output bits, with the property that the output cannot be described as a simple mathematical function of the input, with no fixed points and no “opposite fixed points”.
  • #20: As this diagram from Stallings Fig 5.5a shows, the Byte Substitution operates on each byte of state independently, with the input byte used to index a row/col in the table to retrieve the substituted value.
  • #22: Show an example of the SubBytes transformation from the text.
  • #23: The ShiftRows stage provides a simple “permutation” of the data, whereas the other steps involve substitutions. Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns. It performs a circular rotate on each row of 0, 1, 2 & 3 places for respective rows. When decrypting it performs the circular shifts in the opposite direction for each row. This row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns.
  • #24: Stallings Figure 5.7a illustrates the Shift Rows permutation. Then show an example of ShiftRows from the text.
  • #25: The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. It is a substitution that makes use of arithmetic over GF(2^8). It is designed as a matrix multiplication where each byte is treated as a polynomial in GF(2^8). The inverse used for decryption involves a different set of constants. The constants used are based on a linear code with maximal distance between code words – this gives good mixing of the bytes within each column. Combined with the “shift rows” step this provides good avalanche, so that within a few rounds, all output bits depend on all input bits.
  • #26: Stallings Figure 5.5b illustrates the Mix Columns transformation.
  • #27: Show an example of the MixColumns transformation from the text, along with verification of the first column of this example.
  • #30: Lastly is the Add Round Key stage, which is a simple bitwise XOR of the current block with a portion of the expanded key. Note this is the only step which makes use of the key and obscures the result, hence it MUST be used at the start and end of each round, since otherwise one could undo the effect of the other steps. But the other steps provide confusion/diffusion/non-linearity. That is, you can look at the cipher as a series of XOR with key then scramble/permute block, repeated. This is believed to be efficient and highly secure.
  • #31: Stallings Figure 5.5b illustrates the Add Round Key stage, which like Byte Substitution, operates on each byte of state independently.