AES Ex
AES – Advanced Encryption Standard
22/4/2020 29
Contents
1. Introduction to AES cipher
2. Transformations
3. Key Expansion
4. Ciphers
5. Examples
6. Analysis of AES
1 Introduction to AES cipher
Key: 128-bit/192-bit/256-bit
❖ History
In February 2001, NIST announced that a draft of the Federal Information
Processing Standard (FIPS) was available for public review and comment. Finally,
AES was published as FIPS 197 in the Federal Register in December 2001.
❖ Criteria
The criteria defined by NIST for selecting AES fall into three areas:
▪ Security
▪ Cost
▪ Implementation
❖ Rounds
AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or
14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher
key size (128, 192, or 256), but the round keys are always 128 bits.
No.  AES Cipher  Rounds (Nr)
1    AES-128     10
2    AES-192     12
3    AES-256     14
[Figure: General design of AES encryption cipher. The 128-bit plaintext goes through a pre-round transformation (round key K0) and then Round 1 to Round Nr (round keys K1 to KNr; the last round is slightly different), giving the 128-bit ciphertext. Key expansion produces the 128-bit round keys from the cipher key (128-bit, 192-bit or 256-bit).]
Relationship between number of rounds and cipher key size:
Nr   Key size
10   128
12   192
14   256
❖ Data Units
[Figure: AES data units: byte (bits b0 to b7), word (bytes b0 to b3), block, and state.]
Block-to-state and state-to-block transformation
Insertion (block to state): $s_{i \bmod 4,\ \lfloor i/4 \rfloor} \leftarrow block_i$
Extraction (state to block): $block_{i+4j} \leftarrow s_{i,j}$
State:
s0,0 = b0   s0,1 = b4   s0,2 = b8    s0,3 = b12
s1,0 = b1   s1,1 = b5   s1,2 = b9    s1,3 = b13
s2,0 = b2   s2,1 = b6   s2,2 = b10   s2,3 = b14
s3,0 = b3   s3,1 = b7   s3,2 = b11   s3,3 = b15
❖ Structure of Each Round
▪ The third transformation (MixColumns) is missing in the last round.
2 Transformation
❖ Substitution
AES, like DES, uses substitution. AES uses two invertible transformations.
▪ SubBytes
The first transformation, SubBytes, is used at the encryption site. To substitute a
byte, we interpret the byte as two hexadecimal digits.
[Figure: SubBytes transformation. A state byte (ab)16 selects row (a)16 and column (b)16 of the SubBytes table and is replaced by the entry (cd)16.]
▪ SubBytes table, example: byte 14 (row 1, column 4) is replaced by FA.
▪ InvSubBytes table, example: byte FA (row F, column A) is replaced by 14.
Example: This figure shows how a state is transformed using the SubBytes transformation.
The figure also shows that the InvSubBytes transformation restores the original state. Note
that if two bytes have the same value, their transformations are also the same.
State before SubBytes      State after SubBytes
00 12 0C 08                63 C9 FE 30
04 04 00 23                F2 F2 63 26
12 12 13 19                C9 C9 7D D4
14 00 11 19                FA 63 82 D4
(InvSubBytes maps the right-hand state back to the left-hand one.)
▪ Transformation Using the GF(2^8) Field
AES also defines the transformation algebraically using the GF(2^8) field with the
irreducible polynomial (x^8 + x^4 + x^3 + x + 1).
SubByte: $d = X\,(s_{r,c})^{-1} \oplus y$
InvSubByte: $[X^{-1}(d \oplus y)]^{-1} = [X^{-1}(X\,(s_{r,c})^{-1} \oplus y \oplus y)]^{-1} = [(s_{r,c})^{-1}]^{-1} = s_{r,c}$
Where: $y = (01100011)_2 = x^6 + x^5 + x + 1$
▪ Note
The SubBytes and InvSubBytes transformations are inverses of each other.
[Figure: SubBytes and InvSubBytes processes. SubBytes: byte a, inverse, ByteToMatrix (b), multiplication by X (c), XOR with y (d), MatrixToByte. InvSubBytes: ByteToMatrix (d), XOR with y (c), multiplication by X^-1 (b), MatrixToByte, inverse (a).]
Example for the byte 0C:
1. SubByte:
• The multiplicative inverse of 0C in the GF(2^8) field is B0, which means b is (1011 0000).
• Multiplying matrix X by this matrix results in c = (1001 1101).
• The result of the XOR operation is d = (1111 1110), which is FE in hexadecimal.
2. InvSubByte:
• The result of the XOR operation is c = (1001 1101).
• The result of multiplying by matrix X^-1 is (1011 0000) or B0.
• The multiplicative inverse of B0 is 0C.
SubBytes (S)
{
    for (r = 0 to 3)
        for (c = 0 to 3)
            s[r,c] ← subbyte(s[r,c])
}
subbyte (byte)
{
    a ← byte^-1          // multiplicative inverse in GF(2^8), with the inverse of 00 taken to be 00
    ByteToMatrix(a, b)   // b[0] ... b[7] are the bits of a
    for (i = 0 to 7)
    {
        c[i] ← b[i] ⊕ b[(i+4) mod 8] ⊕ b[(i+5) mod 8] ⊕ b[(i+6) mod 8] ⊕ b[(i+7) mod 8]
        d[i] ← c[i] ⊕ ByteToMatrix(0x63)[i]
    }
    MatrixToByte(d, byte)   // byte ← d
}
❖ Permutation
▪ ShiftRows
In the encryption, the transformation is called ShiftRows and the shifting is to the left.
Row 0: no shift
Row 1: 1-byte shift
Row 2: 2-byte shift
Row 3: 3-byte shift
▪ InvShiftRows
In the decryption, the transformation is called InvShiftRows and the shifting is to the right.
ShiftRows (S)
{
    for (r = 1 to 3)
        ShiftRow(s_r, r)    // s_r is the r-th row
}
Example: This figure shows how a state is transformed using the ShiftRows transformation.
The figure also shows that the InvShiftRows transformation restores the original state.
State before ShiftRows     State after ShiftRows
63 C9 FE 30                63 C9 FE 30
F2 F2 63 26                F2 63 26 F2
C9 C9 7D D4                7D D4 C9 C9
FA 63 82 D4                D4 FA 63 82
(InvShiftRows maps the right-hand state back to the left-hand one.)
❖ Mixing
We need an interbyte transformation that changes the bits inside a byte, based on the bits
inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.
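$$\begin{bmatrix} ax + by + cz + dt \\ ex + fy + gz + ht \\ ix + jy + kz + lt \\ mx + ny + oz + pt \end{bmatrix} = \begin{bmatrix} a & b & c & d \\ e & f & g & h \\ i & j & k & l \\ m & n & o & p \end{bmatrix} \times \begin{bmatrix} x \\ y \\ z \\ t \end{bmatrix}$$
Constant matrices used by MixColumns and InvMixColumns (each is the inverse of the other):
$$C = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \qquad C^{-1} = \begin{bmatrix} 0E & 0B & 0D & 09 \\ 09 & 0E & 0B & 0D \\ 0D & 09 & 0E & 0B \\ 0B & 0D & 09 & 0E \end{bmatrix}$$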
▪ MixColumns
The MixColumns transformation operates at the column level; it transforms each column
of the state to a new column.
[Figure: MixColumns transformation: each new column = constant matrix × old column.]
▪ InvMixColumns
MixColumns (S)
{
    for (c = 0 to 3)
        mixcolumn(s_c)    // s_c is the c-th column
}
mixcolumn (col)
{
    CopyColumn(col, t)    // t is a temporary column
    // * is multiplication in GF(2^8)
    col0 ← (0x02 * t0) ⊕ (0x03 * t1) ⊕ t2 ⊕ t3
    col1 ← t0 ⊕ (0x02 * t1) ⊕ (0x03 * t2) ⊕ t3
    col2 ← t0 ⊕ t1 ⊕ (0x02 * t2) ⊕ (0x03 * t3)
    col3 ← (0x03 * t0) ⊕ t1 ⊕ t2 ⊕ (0x02 * t3)
}
Example: The figure below shows how a state is transformed using the MixColumns transformation.
The figure also shows that the InvMixColumns transformation restores the original state.
State before MixColumns    State after MixColumns
63 C9 FE 30                62 02 27 26
F2 63 26 F2                CF 92 91 0D
7D D4 C9 C9                0C 0C F4 D6
D4 FA 63 82                99 18 30 74
(InvMixColumns maps the right-hand state back to the left-hand one.)
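The ShiftRows and MixColumns examples above can be replayed in Python. This is an added example, not code from the original slides: the names STATE, gmul, shift_rows, mix_columns and hex_rows are chosen here, and STATE is the post-SubBytes state copied from the slides.

```python
# Post-SubBytes state from the slides, stored as four rows.
STATE = [[0x63, 0xC9, 0xFE, 0x30],
         [0xF2, 0xF2, 0x63, 0x26],
         [0xC9, 0xC9, 0x7D, 0xD4],
         [0xFA, 0x63, 0x82, 0xD4]]
C = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
C_INV = [[0x0E, 0x0B, 0x0D, 0x09], [0x09, 0x0E, 0x0B, 0x0D],
         [0x0D, 0x09, 0x0E, 0x0B], [0x0B, 0x0D, 0x09, 0x0E]]

def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # reduce when bit 7 overflows
        b >>= 1
    return r

def shift_rows(s, inverse=False):
    """Rotate row r left by r bytes (right by r bytes for InvShiftRows)."""
    out = []
    for r, row in enumerate(s):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out

def mix_columns(s, m=C):
    """Left-multiply every column of the state by the constant matrix m."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gmul(m[r][k], s[k][c])
    return out

def hex_rows(s):
    """Format a state as four strings of hex bytes, one per row."""
    return [" ".join(f"{b:02X}" for b in row) for row in s]

if __name__ == "__main__":
    shifted = shift_rows(STATE)
    mixed = mix_columns(shifted)
    print("\n".join(hex_rows(mixed)))
    # Round trip: InvMixColumns then InvShiftRows restores the input state.
    assert shift_rows(mix_columns(mixed, C_INV), inverse=True) == STATE
```

The top-left output byte is 02*63 ⊕ 03*F2 ⊕ 7D ⊕ D4 = 62.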
❖ Key Adding
▪ AddRoundKey
[Figure: AddRoundKey transformation: each state column is combined (⊕) with one word of the round key.]
AddRoundKey (S)
{
    for (c = 0 to 3)
        s_c ← s_c ⊕ w_(4·round + c)    // word c of this round's key, e.g. W4 to W7 in round 1
}
3 Key Expansion
▪ To create round keys for each round, AES uses a key-expansion process.
▪ If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit
round keys from one single 128-bit cipher key.
❖ Key Expansion in AES-128
[Figure: Key expansion in AES-128 (4 words per group). The cipher key bytes k0 to k15 form the first four words; each later row of four words is built from the previous row and a temporary word t.]
Cipher key: k0 k1 k2 k3 k4 k5 k6 k7 k8 k9 k10 k11 k12 k13 k14 k15
       w0   w1   w2   w3
t4     w4   w5   w6   w7
t8     w8   w9   w10  w11
...
t40    w40  w41  w42  w43
Making of ti (temporary) words, i = 4Nr: uses Rcon[i/4].
RotWord:
The RotWord (rotate word) routine is similar to the ShiftRows transformation, but it is applied to only
one row. The routine takes a word as an array of 4 bytes and shifts each byte to the left with wrapping.
SubWord:
The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only
to 4 bytes. The routine takes each byte in the word and substitutes another byte for it.
RCON constants (hexadecimal); each column is one 4-byte round constant:
Round     1      2      3      4      5      6      7      8      9      10
Constant  RCON0  RCON1  RCON2  RCON3  RCON4  RCON5  RCON6  RCON7  RCON8  RCON9
          01     02     04     08     10     20     40     80     1B     36
          00     00     00     00     00     00     00     00     00     00
          00     00     00     00     00     00     00     00     00     00
          00     00     00     00     00     00     00     00     00     00
Each round constant, Rcon, is a 4-byte value in which the rightmost three bytes are always zero.
Words for each round:
Round      Words
Pre-round  W0   W1   W2   W3
1          W4   W5   W6   W7
2          W8   W9   W10  W11
…          …    …    …    …
10         W40  W41  W42  W43
Cipher key, 128-bit (4 words), one word per column:
W0  W1  W2   W3
b0  b4  b8   b12
b1  b5  b9   b13
b2  b6  b10  b14
b3  b7  b11  b15
▪ Finding W4
t = SubWord(RotWord(W3)) ⊕ RCON0
W4 = t ⊕ W0
(SubWord uses the SubBytes table.)
▪ Finding W5, W6
W5 = W4 ⊕ W1
W6 = W5 ⊕ W2
➢ Generalization
▪ Wi = ? (for i = 0:43)
• If (i mod 4 == 0): Wi = t ⊕ Wi-4, where t is made from Wi-1 as for W4
• else: Wi = Wi-1 ⊕ Wi-4
The key-expansion routine can either use the above table when calculating the words or use
the GF(2^8) field to calculate the leftmost byte dynamically, as shown below (prime is the
irreducible polynomial, prime = x^8 + x^4 + x^3 + x + 1)
Each round key in AES depends on the previous round key. The dependency,
however, is nonlinear because of SubWord transformation. The addition of the
round constants also guarantees that each round key will be different from the
previous one.
This table shows how the keys for each round are calculated assuming that the 128-bit cipher
key agreed upon by Alice and Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 54 87)16.
The concept of weak keys, as we discussed for DES in Chapter 3, does not apply to AES.
Assume that all bits in the cipher key are 0s. The following shows the words for some rounds:
The words in the pre-round and the first round are all the same. In the second round, the
first word matches with the third; the second word matches with the fourth. However, after
the second round the pattern disappears; every word is different.
▪ Key-expansion algorithms in the AES-192 and AES-256 versions are very similar
to the key-expansion algorithm in AES-128, with the following differences:
1. AES-192: The words are generated in groups of six instead of four:
   a. The cipher key creates the first six words (w0 to w5).
   b. If i mod 6 ≠ 0, wi ← wi-1 + wi-6; otherwise, wi ← t + wi-6.
2. AES-256: The words are generated in groups of eight instead of four:
   a. The cipher key creates the first eight words (w0 to w7).
   b. If i mod 8 ≠ 0, wi ← wi-1 + wi-8; otherwise, wi ← t + wi-8.
   c. If i mod 4 = 0, but i mod 8 ≠ 0, then wi = SubWord(wi-1) + wi-8.
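The algebraic SubBytes definition and the key-expansion rules for all three key sizes, as an added Python example that is not part of the original slides: it builds the S-box from the GF(2^8) inverse and the matrix step (returning b, c and d, as in the 0C example) and then expands 128-, 192- and 256-bit keys. All function and table names are chosen here, and computing the inverse through log/antilog tables over the generator 03 is an assumption of this example, not something the slides prescribe.

```python
# Added example: algebraic S-box plus AES-128/192/256 key expansion.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

# Log/antilog tables over the generator 03 (assumption of this example,
# not from the slides): a^-1 = 03^(255 - log a).
EXP, LOG = [0] * 255, [0] * 256
x = 1
for i in range(255):
    EXP[i], LOG[x] = x, i
    x ^= xtime(x)                        # x * 03 = x XOR (x * 02)

def sub_byte_steps(s):
    """Return (b, c, d): inverse of s, X*b, and c XOR 0x63."""
    b = EXP[(255 - LOG[s]) % 255] if s else 0        # inverse of 00 is 00
    bit = [(b >> i) & 1 for i in range(8)]           # bit[0] is the LSB
    c = sum((bit[i] ^ bit[(i + 4) % 8] ^ bit[(i + 5) % 8]
             ^ bit[(i + 6) % 8] ^ bit[(i + 7) % 8]) << i for i in range(8))
    return b, c, c ^ 0x63

SBOX = [sub_byte_steps(s)[2] for s in range(256)]

def expand_key(key):
    """Return the 4*(Nr+1) words (4-byte lists) for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("cipher key must be 128, 192 or 256 bits")
    nk = len(key) // 4                   # words per group: 4, 6 or 8
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):    # Nr = nk + 6 rounds
        t = w[i - 1]
        if i % nk == 0:                  # t = SubWord(RotWord(w[i-1])) XOR Rcon
            t = [SBOX[v] for v in t[1:] + t[:1]]
            t[0] ^= RCON[i // nk - 1]
        elif nk == 8 and i % 8 == 4:     # AES-256 only: extra SubWord
            t = [SBOX[v] for v in t]
        w.append([p ^ q for p, q in zip(w[i - nk], t)])
    return w

def words_hex(key_hex, first, last):
    """Words w[first..last] of the schedule for a hex key, as hex strings."""
    w = expand_key(bytes.fromhex(key_hex))
    return [bytes(v).hex().upper() for v in w[first:last + 1]]
```

Calling `words_hex("00" * 16, 4, 11)` shows the all-zero-key pattern described above: four equal words in round 1, then the first word matching the third and the second matching the fourth in round 2.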
❖ Key Expansion in AES-192
[Figure: Key expansion in AES-192 (6 words per group). The 192-bit cipher key supplies the words W0 to W5; the expansion continues up to W51, the last group of six being W46 to W51.]
➢ Finding W7, W8
W7 = W6 ⊕ W1
W8 = W7 ⊕ W2
➢ Generality
▪ Wi = ? (for i = 0:51)
• If (i mod 6 == 0): Wi = t ⊕ Wi-6 (for example, W6 = t ⊕ W0, where t is made from W5)
• else: Wi = Wi-1 ⊕ Wi-6
Words for each round:
Round      Words
Pre-round  W0   W1   W2   W3
1          W4   W5   W6   W7
2          W8   W9   W10  W11
…          …    …    …    …
❖ Key Expansion in AES-256
[Figure: Key expansion in AES-256 (8 words per group). The 256-bit cipher key supplies the words W0 to W7; the expansion continues up to W59.]
Words for each round:
Round      Words
Pre-round  W0   W1   W2   W3
1          W4   W5   W6   W7
2          W8   W9   W10  W11
…          …    …    …    …
14         W56  W57  W58  W59
➢ Finding W8
W8 = t ⊕ W0, where t is made from W7
➢ Finding W9, W10
W9 = W8 ⊕ W1
W10 = W9 ⊕ W2
➢ Finding W12
W12 = SubWord(W11) ⊕ W4
➢ Generality
▪ Wi = ? (for i = 0:59)
• If (i mod 8 == 0): Wi = t ⊕ Wi-8, where t is made from Wi-1
• If (i mod 4 == 0, but i mod 8 ≠ 0): Wi = SubWord(Wi-1) ⊕ Wi-8
• else: Wi = Wi-1 ⊕ Wi-8
4 Ciphers
• Original Design
• Alternative Design
❖ Original Design
[Figure: Ciphers and inverse ciphers of the original design. Cipher: the plaintext goes through AddRoundKey with W0–W3; rounds 1 to 9 apply SubBytes, ShiftRows, MixColumns and AddRoundKey (W4–W7 up to W36–W39); round 10 applies SubBytes, ShiftRows and AddRoundKey with W40–W43 to give the ciphertext. Inverse cipher: the rounds apply the inverse transformations (InvShiftRows, InvSubBytes and so on) with the same round keys from the key expansion, used in the opposite order.]
❖ Alternative Design
▪ In this version, the transformations in the reverse cipher are rearranged to make
the order of transformations the same in the cipher and reverse cipher.
▪ In this design, invertibility is provided for a pair of transformations, not for each
single transformation.
[Figure: Invertibility of pairs of transformations: SubBytes and ShiftRows are paired with InvShiftRows and InvSubBytes; MixColumns and AddRoundKey are paired with AddRoundKey and InvMixColumns.]
[Figure: Cipher and reverse cipher in the alternate design. Both sides use the round keys W0–W3 to W40–W43 from the key expansion; the cipher rounds apply SubBytes, ShiftRows, MixColumns and AddRoundKey, and the reverse cipher rounds apply InvSubBytes, InvShiftRows, InvMixColumns and AddRoundKey.]
5 Examples
In this section, some examples of encryption/decryption and key generation are
given to emphasize some points discussed in the two previous sections.
Example 5.1: The following shows the ciphertext block created from a plaintext
block using a randomly selected cipher key.
Example 5.2: This figure shows the state entries in one round, round 7, in Example 5.1.
Example 5.3: One may be curious to see the result of encryption when the plaintext is
made of all 0s. Using the cipher key in Example 5.1 yields the ciphertext.
Example 5.4: The following shows the effect of using a cipher key in which all bits are 0s.
6 Analysis of AES
AES was designed after DES. Most of the known attacks on DES were already tested on AES.
▪ Brute-Force Attack
AES is definitely more secure than DES due to the larger-size key.
▪ Statistical Attacks
Numerous tests have failed to do statistical analysis of the ciphertext.
▪ Differential and Linear Attacks
There are no differential and linear attacks on AES as yet.