Cryptography and

Network Security
Chapter 5
Fifth Edition
by William Stallings

Lecture slides by Lawrie Brown

Lecture slides modified and presented by Tennov
1
Simanjuntak
Chapter 5 –Advanced Encryption
Standard

"It seems very simple."

"It is very simple. But if you don't know what
the key is it's virtually indecipherable."
—Talking to Strange Men, Ruth Rendell

2
 AES Origins
 clear a replacement for DES was needed
 have theoretical attacks that can break it
 have demonstrated exhaustive key search attacks
 can use Triple-DES – but slow, has small blocks
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001

3
 AES Requirements
 private key symmetric block cipher
 128-bit data, 128/192/256-bit keys
 stronger & faster than Triple-DES
 active life of 20-30 years (+ archival use)
 provide full specification & design details
 both C & Java implementations
 NIST have released all submissions &
unclassified analyses

4
 AES Evaluation Criteria
 initial criteria:
• security – effort for practical cryptanalysis
• cost – in terms of computational efficiency
• algorithm & implementation characteristics
 final criteria
• general security
• ease of software & hardware implementation
• implementation attacks
• flexibility (in en/decrypt, keying, other factors)
5
 AES Shortlist
 after testing and evaluation, shortlist in Aug-99:
• MARS (IBM) - complex, fast, high security margin
• RC6 (USA) - v. simple, v. fast, low security margin
• Rijndael (Belgium) - clean, fast, good security margin
• Serpent (Euro) - slow, clean, v. high security margin
• Twofish (USA) - complex, v. fast, high security margin
 then subject to further analysis & comment saw
contrast between algorithms with
• few complex rounds verses many simple rounds
• which refined existing ciphers verses new proposals

6
 The AES Cipher - Rijndael
 designed by Rijmen-Daemen in Belgium
 has 128/192/256 bit keys, 128 bit data
 an iterative rather than Feistel cipher
 processes data as block of 4 columns of 4 bytes
 operates on entire data block in every round
 designed to have:
 resistance against known attacks
 speed and code compactness on many CPUs
 design simplicity

7
 AES
Encryption
Process

8
 AES Structure
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words
 has 10/12/14 rounds in which state undergoes:
 byte substitution (1 S-box used on every byte)
 shift rows (permute bytes between groups/columns)
 mix columns (subs using matrix multiply of groups)
 add round key (XOR state with key material)
 view as alternating XOR key & scramble data bytes
 initial XOR key material & incomplete last round
 with fast XOR & table lookup implementation
9
AES Structure

10
 Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
1. four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages 11
AES Data Structures

12
 AES Encryption and Decryption

4 different stages are uses, 1 permutation and 3

substitution:
• Substitute byte: use an S-box to perform byte-by-
byte substitution of the block.
• shift rows: simple permutation
• mix columns: substitution that makes use of
arithmetic over GF(28)
• add round key: a simple bitwise XOR of the current
block with round key (a portion of the expanded key).

13
 Substitute Bytes
 a simple substitution of each byte
 uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
 each byte of state is replaced by byte indexed by
row (left 4-bits) & column (right 4-bits)
 eg. byte {95} is replaced by byte in row 9 column 5
 which has value {2A}
 S-box constructed using defined transformation
of values in GF(28)
 designed to be resistant to all known attacks

14
Substitute Bytes

15
AES S-Box

16
Substitute Bytes Example

17
 AES S-Box Construction
1. S-box initialization: initial byte values according
to row and column in ascending order.
E.g 1st row : {00},{01}...{0F}
2nd row: {10},{11}...{1F}
2. Map initial byte value to its multiplicative
inverse in GF(28). E.g. {00} map to {00}-1= {00}
{95} map to {95}-1= {8A}
{83} map to {83}-1= {80}

18
 AES S-Box Construction
3. Consider each byte in S-box labeled (x7, x6 x5 x4 x3 x2 x1
x0). Calculate (y7, y6 y5 y4 y3 y2 y1 y0) using the following
equation:

19
AES Inverse S-Box

20
 Shift Rows
 a circular byte shift in each each
 1st row is unchanged
 2nd row does 1 byte circular shift to left
 3rd row does 2 byte circular shift to left
 4th row does 3 byte circular shift to left
 decrypt inverts using shifts to right
 since state is processed by columns, this step
permutes bytes between the columns

21
Shift Rows

22
 Mix Columns
 each column is processed separately
 each byte is replaced by a value
dependent on all 4 bytes in the column
 effectively a matrix multiplication in GF(28)
using prime poly m(x) =x8+x4+x3+x+1

23
Mix Columns

24
Mix Columns Example

25
 AES Arithmetic
 uses arithmetic in the finite field GF(28)
 with irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
which is (100011011) or {11b}
 e.g.
{02} • {87} mod {11b} = (1 0000 1110) mod {11b}
= (1 0000 1110) xor (1 0001 1011) = (0001 0101)

26
 GF(2 ) Multiplication
8

• AES prime poly:

• The technique is based on the observation:

• Now, consider a polynomial in GF(28), which

has the form:

• If we multiply f(x) by x, we have:

27
 GF(2 ) Multiplication
8

• If b7 = 0, then the result is a polynomial of degree <8,

which is already in reduced form (member of set of
polys in GF(28)).
• If b7 = 1, then reduction module m(x) is achieved using
the following equation:

• It follows that multiplication by x (00000010) can be

implemented as a 1-bit left shift followed by bitwise XOR
with (00011011) which represent m(x).

28
 GF(2 ) Multiplication
8

• To summarize:

• Multiplication of higher power of x can be achiever by

repeated application of the above equation:

29
 GF(2 ) Multiplication
8

• Example:

1. Determine the result of multiplication by powers of x

30
 GF(2 ) Multiplication
8

2. Solve it

Thus

31
 Mix Columns
 can express each col as 4 equations
 to derive each new byte in col
 decryption requires use of inverse matrix
 with larger coefficients, hence a little harder
 have an alternate characterisation
 each column a 4-term polynomial
 with coefficients in GF(28)
 and polynomials multiplied modulo (x4+1)
 coefficients based on linear code with
maximal distance between codewords
32
Inverse Mix Column

33
 Add Round Key
 XOR state with 128-bits of the round key
 again processed by column (though
effectively a series of byte operations)
 inverse for decryption identical
 since XOR own inverse, with reversed keys
 designed to be as simple as possible
 a form of Vernam cipher on expanded key
 requires other stages for complexity / security
34
 Add Round Key

• Example

35
AES Round

36
 AES Key Expansion
 takes 128-bit (16-byte) key and expands into array of
44/52/60 32-bit words
 start by copying key into first 4 words:(w
words: 0,w1,w2,w3)
 Next, loop for creating w4 – w43 that depends on
immediately preceding word and the word of four
positions back.
 in 3 of 4 cases just XOR these together (words

position is not a multiple of 4).

 If word position is a multiple of 4, more complex

function (g function) is used that comprises:

rotation + S-box + XOR round constant.
37
 AES Key Expansion
• Pseudocode

38
AES Key Expansion

39
 AES Key Expansion
• The function g:
• RotWord: performs 1 byte circular left-sift. E.g.:
w[b0,b1,b2,b3]  w’ [b1,b2,b3,b0]
• SubWord performs a byte substitution on each byte
of its input word using S-box
• The result of steps 1 and 2 is XORed with a round
constant, Rcon[j].
• Round constant is a word in which the three rightmost
bytes are always 0.

40
 AES Key Expansion
• Round constant is different for each round and is
defined as:
• Rcon[j] = (RC[j],0,0,0), with RC(1)=01,
RC[j] = 2 x RC[j-1] with multiplication defined over
GF(28).

41
 AES Key Expansion
• For example, suppose that the round key for round 8 is:
EAD2 7321 B58D BAD2 312B F560 7F8D 292F
• Then the 1st 4 bytes of the round key for round 9 are
calculate as follow:

42
 Key Expansion Rationale
 designed to resist known attacks
 design criteria included
 knowing part key insufficient to find many more
 invertible transformation
 fast on wide range of CPU’s
 use round constants to break symmetry
 diffuse key bits into round keys
 enough non-linearity to hinder analysis
 simplicity of description
43
 AES
Example
Key
Expansion

44
 AES
Example
Encryption

45
 AES
Example
Avalanche

46
 AES Decryption
 AES decryption is not identical to
encryption since steps done in reverse
 but can define an equivalent inverse
cipher with steps as for encryption
 but using inverses of each step
 with a different key schedule
 works since result is unchanged when
 swap byte substitution & shift rows
 swap mix columns & add (tweaked) round key
47
AES Decryption

48
 Implementation Aspects
 can efficiently implement on 8-bit CPU
 byte substitution works on bytes using a table
of 256 entries
 shift rows is simple byte shift
 add round key works on byte XOR’s
 mix columns requires matrix multiply in GF(28)
which works on byte values, can be simplified
to use table lookups & byte XOR’s

49
 Implementation Aspects
 can efficiently implement on 32-bit CPU
 redefine steps to use 32-bit words
 can precompute 4 tables of 256-words
 then each column in each round can be
computed using 4 table lookups + 4 XORs
 at a cost of 4Kb to store tables
 designers believe this very efficient
implementation was a key factor in its
selection as the AES cipher

50
 Summary
 have considered:
 the AES selection process
 the details of Rijndael – the AES cipher
 looked at the steps in each round
 the key expansion
 implementation aspects

51