
AES – Advanced Encryption Standard

Assoc. Prof. Do Trong Tuan


22/4/2020

Contents
1. Introduction to AES cipher
2. Transformations
3. Key Expansion
4. Ciphers
5. Examples
6. Analysis of AES

1 Introduction to AES cipher

[Figure: 128-bit plaintext → AES → 128-bit ciphertext; key: 128-bit/192-bit/256-bit]

The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in December 2001.

❖ History
In February 2001, NIST announced that a draft of the Federal Information
Processing Standard (FIPS) was available for public review and comment. Finally,
AES was published as FIPS 197 in the Federal Register in December 2001.


❖ Criteria

The criteria defined by NIST for selecting AES fall into three areas:

▪ Security
▪ Cost
▪ Implementation


❖ Rounds

AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or
14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.

AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher key size (128, 192, or 256), but the round keys are always 128 bits.

No.  AES Cipher  Round Nr
1    AES-128     10
2    AES-192     12
3    AES-256     14

[Figure: General design of AES encryption cipher. The 128-bit plaintext goes through a pre-round transformation (round key K0), then Round 1 (K1), Round 2 (K2), ..., Round Nr (slightly different, KNr), producing the 128-bit ciphertext. Key expansion derives the round keys (128 bits each) from the cipher key (128-bit, 192-bit or 256-bit).]

Relationship between number of rounds and cipher key size:

Nr  Key size
10  128
12  192
14  256


❖ Data Units

[Figure: data units used in AES. A byte b is 8 bits (b0 to b7); a word w is 4 bytes (b0 to b3); a block is 16 bytes (b0 to b15).]

State: a 4 × 4 matrix of bytes S whose columns are the words w0 to w3:

s0,0  s0,1  s0,2  s0,3
s1,0  s1,1  s1,2  s1,3
s2,0  s2,1  s2,2  s2,3
s3,0  s3,1  s3,2  s3,3

Block-to-state and state-to-block transformation

Block: b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15

Insertion (block to state): $s_{i \bmod 4,\ \lfloor i/4 \rfloor} \leftarrow block_i$

State:
s0,0 = b0   s0,1 = b4   s0,2 = b8    s0,3 = b12
s1,0 = b1   s1,1 = b5   s1,2 = b9    s1,3 = b13
s2,0 = b2   s2,1 = b6   s2,2 = b10   s2,3 = b14
s3,0 = b3   s3,1 = b7   s3,2 = b11   s3,3 = b15

Extraction (state to block): $block_{i+4j} \leftarrow s_{i,j}$


❖ Structure of Each Round

[Figure: structure of each round at the encryption site: State → SubBytes → ShiftRows → MixColumns → AddRoundKey (with the round key) → State]

▪ One AddRoundKey is applied before the first round.
▪ The third transformation is missing in the last round.

2 Transformation

To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.

❖ Substitution
AES, like DES, uses substitution. AES uses two invertible transformations.

▪ SubBytes
The first transformation, SubBytes, is used at the encryption site. To substitute a
byte, we interpret the byte as two hexadecimal digits.

The SubBytes operation involves 16 independent byte-to-byte transformations.

[Figure: SubBytes transformation. Each state byte (ab)16 is read as the two hexadecimal digits (a)16 and (b)16, which are looked up in the SubBytes table; the table entry (cd)16 replaces the byte in the new state.]

SubBytes Table

The values in the state are substituted by other values according to a lookup table called the SubBytes Table.

Example: the byte 14 (row 1, column 4) is replaced by FA.


▪ InvSubBytes

InvSubBytes Table

Example: the byte FA (row F, column A) is replaced by 14.

Example: This figure shows how a state is transformed using the SubBytes transformation.
The figure also shows that the InvSubBytes transformation creates the original one. Note
that if the two bytes have the same values, their transformation is also the same.

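State before SubByte      State after SubByte
00 12 0C 08               63 C9 FE 30
04 04 00 23               F2 F2 63 26
12 12 13 19               C9 C9 7D D4
14 00 11 19               FA 63 82 D4

(SubByte maps the left state to the right one; InvSubByte maps the right state back to the left one.)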

▪ Transformation Using the $GF(2^8)$ Field

AES also defines the transformation algebraically using the $GF(2^8)$ field with the irreducible polynomial $(x^8 + x^4 + x^3 + x + 1)$.

SubByte: $d = X\,(s_{r,c})^{-1} \oplus y$

InvSubByte: $[X^{-1}(d \oplus y)]^{-1} = [X^{-1}(X\,(s_{r,c})^{-1} \oplus y \oplus y)]^{-1} = [(s_{r,c})^{-1}]^{-1} = s_{r,c}$

where $y = (01100011)_2 = x^6 + x^5 + x + 1$

▪ Note
The SubBytes and InvSubBytes transformations are inverses of each other.
[Figure: SubBytes and InvSubBytes processes. SubByte is repeated 16 times, once per state byte s_{r,c}: inverse (a), ByteToMatrix (b), multiplication by X (c), addition of y (d), MatrixToByte. InvSubByte is repeated 16 times: ByteToMatrix (d), addition of y (c), multiplication by X^-1 (b), MatrixToByte (a), inverse.]

Example: Let us show how the byte 0C is transformed to FE by the SubByte routine and transformed back to 0C by the InvSubByte routine.

1. SubByte:
• The multiplicative inverse of 0C in the $GF(2^8)$ field is B0, which means b is (1011 0000).
• Multiplying matrix X by this matrix results in c = (1001 1101).
• The result of the XOR operation is d = (1111 1110), which is FE in hexadecimal.
2. InvSubByte:
• The result of the XOR operation is c = (1001 1101).
• The result of multiplying by matrix $X^{-1}$ is (1011 0000) or B0.
• The multiplicative inverse of B0 is 0C.

SubBytes (S)
{
    for (r = 0 to 3)
        for (c = 0 to 3)
            S[r][c] = SubByte(S[r][c])
}

SubByte (byte)
{
    a ← byte^-1              // multiplicative inverse in GF(2^8), with the inverse of 00 taken to be 00
    ByteToMatrix(a, b)       // b[0..7] are the bits of a
    for (i = 0 to 7)
    {
        c[i] ← b[i] ⊕ b[(i+4) mod 8] ⊕ b[(i+5) mod 8] ⊕ b[(i+6) mod 8] ⊕ b[(i+7) mod 8]
        d[i] ← c[i] ⊕ ByteToMatrix(0x63)[i]
    }
    MatrixToByte(d, d)
    byte ← d
}

❖ Permutation
▪ ShiftRows

In the encryption, the transformation is called ShiftRows and the shifting is to the left.

Row 0: no shift
Row 1: 1-byte shift
Row 2: 2-byte shift
Row 3: 3-byte shift

▪ InvShiftRows

In the decryption, the transformation is called InvShiftRows and the shifting is to the right.

ShiftRows (S)
{
    for (r = 1 to 3)
        ShiftRow(S[r], r)            // S[r] is the r-th row
}

ShiftRow (row, n)                    // n is the number of bytes to be shifted
{
    CopyRow(row, t)                  // t is a temporary row
    for (c = 0 to 3)
        row[(c − n) mod 4] ← t[c]
}


Example: This figure shows how a state is transformed using ShiftRows transformation.
The figure also shows that InvShiftRows transformation creates the original state.

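State before ShiftRow     State after ShiftRow
63 C9 FE 30               63 C9 FE 30
F2 F2 63 26               F2 63 26 F2
C9 C9 7D D4               7D D4 C9 C9
FA 63 82 D4               D4 FA 63 82

(ShiftRow maps the left state to the right one; InvShiftRow maps the right state back to the left one.)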

❖ Mixing

We need an interbyte transformation that changes the bits inside a byte, based on the bits
inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.

$$\begin{bmatrix} ax + by + cz + dt \\ ex + fy + gz + ht \\ ix + jy + kz + lt \\ mx + ny + oz + pt \end{bmatrix} = \begin{bmatrix} a & b & c & d \\ e & f & g & h \\ i & j & k & l \\ m & n & o & p \end{bmatrix} \times \begin{bmatrix} x \\ y \\ z \\ t \end{bmatrix}$$

New matrix = Constant matrix × Old matrix

Constant matrices used by MixColumns and InvMixColumns:

C                  C^-1 (inverse)
02 03 01 01        0E 0B 0D 09
01 02 03 01        09 0E 0B 0D
01 01 02 03        0D 09 0E 0B
03 01 01 02        0B 0D 09 0E

▪ MixColumns

The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.

[Figure: MixColumns transformation: new column = constant matrix × old column, applied to each column of the state.]

▪ InvMixColumns

The InvMixColumns transformation is basically the same as the MixColumns transformation.

NOTE: The MixColumns and InvMixColumns transformations are inverses of each other.

MixColumns (S)
{
    for (c = 0 to 3)
        mixcolumn(s[c])              // s[c] is the c-th column of the state
}

mixcolumn (col)
{
    CopyColumn(col, t)               // t is a temporary column
    col0 ← (0x02) ∗ t0 ⊕ (0x03) ∗ t1 ⊕ t2 ⊕ t3
    col1 ← t0 ⊕ (0x02) ∗ t1 ⊕ (0x03) ∗ t2 ⊕ t3
    col2 ← t0 ⊕ t1 ⊕ (0x02) ∗ t2 ⊕ (0x03) ∗ t3
    col3 ← (0x03) ∗ t0 ⊕ t1 ⊕ t2 ⊕ (0x02) ∗ t3
}


Example: The figure below shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation creates the original one.

The MixColumns transformation example

State before MixColumn    State after MixColumn
63 C9 FE 30               63 02 27 26
F2 63 26 F2               CF 92 91 0D
7D D4 C9 C9               0C 0C F4 D6
D4 FA 63 82               99 18 30 74

(MixColumn maps the left state to the right one; InvMixColumn maps the right state back to the left one.)
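
The mixcolumn routine and the constant matrices C and C^-1 above, as an added Python example that is not part of the original slides: each state column is multiplied by the constant matrix with GF(2^8) products and XOR sums. The function names are assumptions of this example; the sample column C9 63 D4 FA is the second column of the state in the example above.

```python
# Added example, not from the slides: MixColumns / InvMixColumns over GF(2^8).

def gf_mul(a, b):
    """Multiply a by b in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:
            a ^= 0x11B           # reduce as soon as the degree reaches 8
        b >>= 1
    return result

# Constant matrices C and C^-1 as listed on the slide.
C = [[0x02, 0x03, 0x01, 0x01],
     [0x01, 0x02, 0x03, 0x01],
     [0x01, 0x01, 0x02, 0x03],
     [0x03, 0x01, 0x01, 0x02]]
C_INV = [[0x0E, 0x0B, 0x0D, 0x09],
         [0x09, 0x0E, 0x0B, 0x0D],
         [0x0D, 0x09, 0x0E, 0x0B],
         [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col, matrix=C):
    """Return matrix x col: products are taken in GF(2^8), sums are XOR."""
    out = []
    for row in matrix:
        acc = 0
        for k, t in zip(row, col):
            acc ^= gf_mul(k, t)
        out.append(acc)
    return out

def mix_columns(state, matrix=C):
    """Transform every column of a state given as 4 rows of 4 bytes."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def inv_mix_columns(state):
    """InvMixColumns is the same routine with the inverse constant matrix."""
    return mix_columns(state, C_INV)

# Second column of the state before MixColumns in the example above.
SAMPLE_COLUMN = [0xC9, 0x63, 0xD4, 0xFA]

if __name__ == "__main__":
    mixed = mix_column(SAMPLE_COLUMN)
    print("MixColumn   :", " ".join(f"{b:02X}" for b in mixed))
    print("InvMixColumn:", " ".join(f"{b:02X}" for b in mix_column(mixed, C_INV)))
    # C x C^-1 is the identity matrix, which is why the two routines undo each other.
    print("C x C^-1    :", mix_columns(C_INV, C))
```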

❖ Key Adding
▪ AddRoundKey

AddRoundKey proceeds one column at a time. AddRoundKey adds a round key word to each state column matrix; the operation in AddRoundKey is matrix addition.

NOTE: The AddRoundKey transformation is the inverse of itself.

[Figure: AddRoundKey transformation: new state column = old state column + round key word, for each column of the state.]

AddRoundKey (S)
{
    for (c = 0 to 3)
        s[c] ← s[c] ⊕ w[4 × round + c]    // column c of the state XOR word c of this round's key
}

3 Key Expansion

▪ To create round keys for each round, AES uses a key-expansion process.
▪ If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.

• Key Expansion in AES-128
• Key Expansion in AES-192 and AES-256
• Key-Expansion Analysis

The key-expansion mechanism in AES has been designed to provide several features that thwart the cryptanalyst.

Words for each round:

Round      Words
Pre-round  W0     W1       W2       W3
1          W4     W5       W6       W7
2          W8     W9       W10      W11
…          …      …        …        …
Nr         W4Nr   W4Nr+1   W4Nr+2   W4Nr+3

❖ Key Expansion in AES-128

[Figure: AES-128 with a 128-bit (4-word) cipher key, 128-bit plaintext and 128-bit ciphertext.]

[Figure: the cipher key bytes k0 to k15 form w0 to w3. Each following group of four words (w4 to w7, w8 to w11, ..., w40 to w43) is built from the previous group with the help of a temporary word (t4, t8, ..., t40). Making of ti (temporary) words, i = 4Nr: wi-1 → RotWord → SubWord → ⊕ Rcon[i/4] → ti.]

The process is as follows:
1. The first 4 words (w0, w1, w2, w3) are made from the cipher key. The cipher key is thought of as an array of 16 bytes (k0 to k15). The first 4 bytes (k0 to k3) become w0; the next 4 bytes (k4 to k7) become w1; and so on. In other words, the concatenation of the words in this group replicates the cipher key.
2. The rest of the words (wi for i = 4 to 43) are made as follows:
a. If (i mod 4) ≠ 0, wi = wi-1 ⊕ wi-4. This means each word is made from the one at the left and the one at the top.
b. If (i mod 4) = 0, wi = t ⊕ wi-4. Here t, a temporary word, is the result of applying 2 routines, SubWord and RotWord, on wi-1 and XORing the result with a round constant, Rcon. In other words, we have:
t = SubWord(RotWord(wi-1)) ⊕ RCONi/4

RotWord:
The RotWord (rotate word) routine is similar to the ShiftRows transformation, but it is applied to only one row. The routine takes a word as an array of 4 bytes and shifts each byte to the left with wrapping.

SubWord:
The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only to 4 bytes. The routine takes each byte in the word and substitutes another byte for it.

RCON constants (hexadecimal), one 4-byte column per round:

Round 1  Round 2  Round 3  Round 4  Round 5  Round 6  Round 7  Round 8  Round 9  Round 10
RCON0    RCON1    RCON2    RCON3    RCON4    RCON5    RCON6    RCON7    RCON8    RCON9
01       02       04       08       10       20       40       80       1B       36
00       00       00       00       00       00       00       00       00       00
00       00       00       00       00       00       00       00       00       00
00       00       00       00       00       00       00       00       00       00

Each round constant, Rcon, is a 4-byte value in which the rightmost three bytes are always zero.

▪ Finding W4 (the cipher key bytes b0 to b15 form the 128-bit key, 4 words W0 to W3)

W4 = SubWord(RotWord(W3)) ⊕ RCON0 ⊕ W0

[Figure: W3 = (b12, b13, b14, b15) → RotWord → (b13, b14, b15, b12) → SubWord (SubBytes table) → ⊕ RCON0 → t; t ⊕ W0 = (b0, b1, b2, b3) gives W4 = (b16, b17, b18, b19).]

▪ Finding W5, W6

W5 = W4 ⊕ W1
W6 = W5 ⊕ W2

➢ Generalization

▪ Wi = ? (for i = 0:43), where i = 0 ÷ (4Nround + 3)
• If (i mod 4 == 0): t = SubWord(RotWord(Wi-1)) ⊕ RCONi/4, Wi = t ⊕ Wi-4
• else: Wi = Wi-1 ⊕ Wi-4

The key-expansion routine can either use the above table when calculating the words or use the $GF(2^8)$ field to calculate the leftmost byte dynamically, as shown below (prime is the irreducible polynomial, $prime = x^8 + x^4 + x^3 + x + 1$):

RC1  → $x^{1-1} = x^0 \bmod prime = 1$ → 0000 0001 → $(01)_{16}$
RC2  → $x^{2-1} = x^1 \bmod prime = x$ → 0000 0010 → $(02)_{16}$
RC3  → $x^{3-1} = x^2 \bmod prime = x^2$ → 0000 0100 → $(04)_{16}$
RC4  → $x^{4-1} = x^3 \bmod prime = x^3$ → 0000 1000 → $(08)_{16}$
RC5  → $x^{5-1} = x^4 \bmod prime = x^4$ → 0001 0000 → $(10)_{16}$
RC6  → $x^{6-1} = x^5 \bmod prime = x^5$ → 0010 0000 → $(20)_{16}$
RC7  → $x^{7-1} = x^6 \bmod prime = x^6$ → 0100 0000 → $(40)_{16}$
RC8  → $x^{8-1} = x^7 \bmod prime = x^7$ → 1000 0000 → $(80)_{16}$
RC9  → $x^{9-1} = x^8 \bmod prime = x^4 + x^3 + x + 1$ → 0001 1011 → $(1B)_{16}$
RC10 → $x^{10-1} = x^9 \bmod prime = x^5 + x^4 + x^2 + x$ → 0011 0110 → $(36)_{16}$

KeyExpansion ([key0 to key15], [w0 to w43])
{
    for (i = 0 to 3)
        w[i] ← key[4i] ‖ key[4i+1] ‖ key[4i+2] ‖ key[4i+3]    // concatenate 4 key bytes into one word
    for (i = 4 to 43)
    {
        if (i mod 4 ≠ 0)
            w[i] ← w[i−1] ⊕ w[i−4]
        else
        {
            t ← SubWord(RotWord(w[i−1])) ⊕ RCon[i/4]          // t is a temporary word
            w[i] ← t ⊕ w[i−4]
        }
    }
}


Each round key in AES depends on the previous round key. The dependency,
however, is nonlinear because of SubWord transformation. The addition of the
round constants also guarantees that each round key will be different from the
previous one.


This table shows how the keys for each round are calculated assuming that the 128-bit cipher
key agreed upon by Alice and Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)16.


The concept of weak keys, as we discussed for DES in Chapter 3, does not apply to AES.
Assume that all bits in the cipher key are 0s. The following shows the words for some rounds:

The words in the pre-round and the first round are all the same. In the second round, the
first word matches with the third; the second word matches with the fourth. However, after
the second round the pattern disappears; every word is different.


▪ Key-expansion algorithms in the AES-192 and AES-256 versions are very similar to the key-expansion algorithm in AES-128, with the following differences:

1. AES-192: The words are generated in groups of six instead of four:
a. The cipher key creates the first six words (w0 to w5).
b. If i mod 6 ≠ 0, wi ← wi-1 ⊕ wi-6; otherwise, wi ← t ⊕ wi-6.
2. AES-256: The words are generated in groups of eight instead of four:
a. The cipher key creates the first eight words (w0 to w7).
b. If i mod 8 ≠ 0, wi ← wi-1 ⊕ wi-8; otherwise, wi ← t ⊕ wi-8.
c. If i mod 4 = 0, but i mod 8 ≠ 0, then wi = SubWord(wi-1) ⊕ wi-8.
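
The SubByte routine from the Transformation section and the key-expansion rules of this section, for all three key sizes, as one added Python example that is not part of the original slides: the S-box is built algebraically (inverse, matrix X, XOR with 0x63) and then used by SubWord during key expansion. The function names and the log-table method of inversion are assumptions of this example; PAGE_KEY is the cipher key quoted above, and the all-zero keys are constructed inputs.

```python
# Added example, not from the slides: S-box by GF(2^8) algebra, then key expansion.

def xtime(a):
    """Multiply by x (0x02) modulo prime = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

# Antilog/log tables for the generator 0x03 (an assumed way to compute inverses).
EXP, LOG = [0] * 255, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v ^= xtime(_v)                      # multiply by 0x03 = x + 1

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); the inverse of 00 is taken to be 00."""
    return EXP[(255 - LOG[a]) % 255] if a else 0

def sub_byte_steps(s):
    """Return (b, c, d): b = s^-1, c = X * b, d = c XOR y with y = 0x63."""
    b = gf_inv(s)
    c = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):        # b[i], b[i+4], ..., b[i+7], indices mod 8
            bit ^= (b >> ((i + k) % 8)) & 1
        c |= bit << i
    return b, c, c ^ 0x63

SBOX = [sub_byte_steps(s)[2] for s in range(256)]

def key_expansion(key):
    """Expand a 16-, 24- or 32-byte cipher key into 4*(Nr+1) words (hex strings)."""
    if len(key) not in (16, 24, 32):
        raise ValueError("cipher key must be 128, 192 or 256 bits")
    nk = len(key) // 4                   # words per group: 4, 6 or 8
    nr = nk + 6                          # 10, 12 or 14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rc = 0x01                            # leftmost byte of the round constant
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]   # SubWord(RotWord(w[i-1]))
            t[0] ^= rc
            rc = xtime(rc)               # next constant: 01, 02, ..., 80, 1B, 36
        elif nk == 8 and i % 4 == 0:
            t = [SBOX[x] for x in t]     # AES-256 only: SubWord without RotWord
        w.append([p ^ q for p, q in zip(w[i - nk], t)])
    return [bytes(x).hex() for x in w]

# Cipher key quoted in the text above.
PAGE_KEY = bytes.fromhex("2475A2B33475568831E2120013AA5487")

if __name__ == "__main__":
    print("0C -> b, c, d:", " ".join(f"{v:02X}" for v in sub_byte_steps(0x0C)))
    print("round 1 words for the quoted key:", key_expansion(PAGE_KEY)[4:8])
    zero = key_expansion(bytes(16))      # constructed input: all-zero 128-bit key
    for r in range(4):
        print("zero key, round", r, zero[4 * r:4 * r + 4])
```

With the all-zero key the output shows the pattern described above: identical words in the pre-round and round 1, alternating words in round 2, and no repetition from round 3 on.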

❖ Key Expansion in AES-192

[Figure: AES-192 with a 192-bit (6-word) cipher key, 128-bit plaintext and 128-bit ciphertext.]

➢ Finding W6 (the cipher key bytes b0 to b23 form the 192-bit key, 6 words W0 to W5)

W6 = SubWord(RotWord(W5)) ⊕ RCON0 ⊕ W0

➢ Finding W7, W8

W7 = W6 ⊕ W1
W8 = W7 ⊕ W2

➢ Generality

▪ Wi = ? (for i = 0:51)
• If (i mod 6 == 0): t = SubWord(RotWord(Wi-1)) ⊕ RCONi/6, Wi = t ⊕ Wi-6
• else: Wi = Wi-1 ⊕ Wi-6

Words for each round (the 192-bit cipher key fills W0 to W5; the last words generated are W46 to W51):

Round      Words
Pre-round  W0    W1    W2    W3
1          W4    W5    W6    W7
2          W8    W9    W10   W11
…          …     …     …     …
12         W48   W49   W50   W51

❖ Key Expansion in AES-256

[Figure: AES-256 with a 256-bit (8-word) cipher key, 128-bit plaintext and 128-bit ciphertext.]

➢ Finding W8 (the cipher key forms the 256-bit key, 8 words W0 to W7)

W8 = SubWord(RotWord(W7)) ⊕ RCON0 ⊕ W0

➢ Finding W9, W10

W9 = W8 ⊕ W1
W10 = W9 ⊕ W2

➢ Finding W12

W12 = SubWord(W11) ⊕ W4

➢ Generality

▪ Wi = ? (for i = 0:59)
• If (i mod 8 == 0): t = SubWord(RotWord(Wi-1)) ⊕ RCONi/8, Wi = t ⊕ Wi-8
• elseif (i mod 4 == 0) && (i mod 8 ~= 0): Wi = SubWord(Wi-1) ⊕ Wi-8
• else: Wi = Wi-1 ⊕ Wi-8

Words for each round (the 256-bit cipher key fills W0 to W7; the last words generated are W54 to W59):

Round      Words
Pre-round  W0    W1    W2    W3
1          W4    W5    W6    W7
2          W8    W9    W10   W11
…          …     …     …     …
14         W56   W57   W58   W59

4 Ciphers

▪ AES uses four types of transformations for encryption and decryption.


▪ In the standard, the encryption algorithm is referred to as the cipher and the
decryption algorithm as the inverse cipher.

▪ Topics discussed in this section:

• Original Design
• Alternative Design

❖ Original Design

[Figure: Ciphers and inverse ciphers of the original design. Cipher: plaintext → AddRoundKey (W0 – W3) → rounds 1 to 9 (SubBytes, ShiftRows, MixColumns, AddRoundKey) → round 10 (SubBytes, ShiftRows, AddRoundKey with W40 – W43) → ciphertext. The inverse cipher is built from AddRoundKey, InvShiftRows and InvSubBytes stages that are the inverses of the corresponding cipher stages; both sides take their round keys (W0 – W3, W4 – W7, ..., W36 – W39, W40 – W43) from key expansion of the cipher key.]

❖ Alternative Design

▪ In this version, the transformations in the reverse cipher are rearranged to make the order of transformations the same in the cipher and reverse cipher.
▪ In this design, invertibility is provided for a pair of transformations, not for each single transformation.

[Figure: pairs of transformations that are inverses of each other: (SubBytes, ShiftRows) and (InvShiftRows, InvSubBytes); (MixColumns, AddRoundKey with the round key) and (AddRoundKey with the round key, InvMixColumns).]

[Figure: Cipher and reverse cipher in alternate design. Cipher: plaintext → AddRoundKey (W0 – W3) → rounds 1 to 9 (SubBytes, ShiftRows, MixColumns, AddRoundKey) → round 10 (SubBytes, ShiftRows, AddRoundKey with W40 – W43) → ciphertext. Reverse cipher: the same order of stages using InvSubBytes, InvShiftRows, InvMixColumns and AddRoundKey; both sides take their round keys (W0 – W3, W4 – W7, ..., W36 – W39, W40 – W43) from key expansion of the cipher key.]


5 Examples

In this section, some examples of encryption/decryption and key generation are given to emphasize some points discussed in the two previous sections.

Example 5.1: The following shows the ciphertext block created from a plaintext
block using a randomly selected cipher key.

Example 5.2: This Figure shows the state entries in one round, round 7, in Example 5.1

States in a single round

Example 5.3: One may be curious to see the result of encryption when the plaintext is
made of all 0s. Using the cipher key in Example 5.1 yields the ciphertext.

The avalanche effect


Example 5.4: The following shows the effect of using a cipher key in which all bits are 0s.

6 Analysis of AES

AES was designed after DES. Most of the known attacks on DES were already tested on AES.

▪ Brute-Force Attack
AES is definitely more secure than DES due to the larger-size key.
▪ Statistical Attacks
Numerous tests have failed to do statistical analysis of the ciphertext.
▪ Differential and Linear Attacks
There are no differential and linear attacks on AES as yet.
