ADVANCED ENCRYPTION STANDARD (AES) · The Advanced Encryption Standard (AES) is a symmetric-key block cipher published in 2000. AES was given to improve DES weaknesses as well as

ADVANCED ENCRYPTION STANDARD

(AES)

Tran Song Dat Phuc

Department of Computer Science and Engineering

Seoul National University of Science and Technology

2013-2014

Outline

AES History

AES Operations

Advanced Encryption Standard (AES)

AES Implementation

Security of AES

Summary

AES

History:

- A replacement of DES was needed

-> key size to small

- Triple-DES is a solution, but slow and small block

- AES Competition started in 1997 by NIST:

. Single block cipher

. Available royalty-free worldwide

. Have a public and flexible design

. 128-bits block data

. 128/192/256-bits key (based on round numbers)

AES

- Rijndael design was selected as AES Cipher in 2000

. Design by Vincent Rijmen and Joan Daemen

. Issued as FIPS PUB 197 standard in 2001

. Simplicity

. Support 128-bits block, 128/192/256-bits key

. Resistant against known attack

. Speed and code compactness on many CPU’s

AES Operations

In AES, all operations are performed on 8-bit bytes,

so it operates on the finite field GF(28), which can

be presented as a polynomial b(x) with binary

coefficient b {0,1}:

b7x7 + b6x

6 + b5x5 + b4x

4 + b3x3 + b2x

2 + b1x + b0

Addition of two bytes in AES is defined as the

bitwise XOR operation.

AES Operations

Multiplication in AES is defined as multiplication

in the finite field GF(28) of with the irreducible

polynomial of degree 8.

AES irreducible polynomial:

m(x) = x8 + x4 + x3 + x + 1

AES (Advance Encryption Standard)

AES is a symmetric block cipher.

- The same key is used to encrypt and decrypt

the message (128/192/256-bits key)

- The plaintext and cipher-text are the same size

(128-bits block)

AES Block AES has a block size of 128-bits(16bytes) called state

AES Key

AES Key

AES Multiple Rounds

First and last round are different

AES Round Stage

AES Structure

AES Encryption With 128-bits (16bytes), AES views data block as

4-by-4 table of bytes.

AddRoundKey Transformation At each round, the state array is combined with a

similarly sized array of subkey material.

AddRoundKey Transformation

Key Expansion

Use to create round key for each round.

If the number of round is , the key-expansion creates

Nr +1 128-bit round keys from one single 128-bit

cipher key.

The key expansion creates round keys word by word,

where a word is an array of four bytes (4 x Nr +1)

w0, w1, w2, … , w4(Nr +1) - 1

with 128-bits key (10 rounds, 44 words, ), 192-bits key

(12 rounds, 52 words) and 256-bits key (14 rounds, 60

words).

Key Expansion

Round Words

Pre-round w0 w1 w2 w3

1 w4 w5 w6 w7

2 w8 w9 w10 w11

… …

Nr w4Nr w4Nr+1 w4Nr+2 w4Nr+3

Key Expansion

Key Expansion

Key Expansion

Round Constant ( RCon )

1 (01 00 00 00)16

2 (02 00 00 00)16

3 (04 00 00 00)16

4 (08 00 00 00)16

5 (10 00 00 00)16

6 (20 00 00 00)16

7 (40 00 00 00)16

8 (80 00 00 00)16

9 (1B 00 00 00)16

10 (36 00 00 00)16

RCon Constants

Key Expansion

Key Expansion

Round Value of t First word Second word Third word Fourth word

__ W00 = 2475A2B3 W01 = 34755688 W02 = 31E21200 W03 = 13AA5487

1 AD20177D W04 = 8955B5CE W05 = BD20E346

W06 = 8CC2F146

W07 = 9F68A5C1

2 470678DB W08 = CE53CD15 W09 = 73732E53 W10 = FFB1DF15 W11 = 60D97AD4

… … … … … …

9 0A5E4F61 W36 = E43FE3BF W37 = 0EC1FCF4 W38 = 21A35A12 W39 = F940C780

10 3FC6CD99 W40 = DBF92E26 W041 = D538D2D2 W42 = F49B88C0 W43 = 0DDB4F40

Key Expansion

SubBytes Transformation Each byte of the array transformed by the S-box, provide

confusion for cipher.

This takes 8-bits input and returns 8-bits output.

Only one S-box(16x16 bytes) is used throughout AES

cipher, contains a permutation of all 256 8-bits values.

SubBytes Transformation

SubBytes Transformation

SubBytes Transformation using the S-Boxes Table :

State AddRoundKey

SubBytes Transformation

SubBytes Transformation using the GF(28) Field :

- AES defines the transformation algebraically using the

GF(28) field with the irreducible polynomials :

(x8 + x4 + x3 + x + 1) as the modulus.

- The multiplicative inverse of byte (as an 8-bit binary

string) is found in GF(28).

- The inverted byte is interpreted as a column matrix

with the least bit at the top and the most bit at the

bottom.

- This column matrix is multiplied by a constant square

matrix, X, and the result is added with a constant

column matrix, Y, to give a new byte.

SubBytes Transformation

SubBytes Process

SubBytes Transformation Ex: with byte 53 is transformed by SubBytes routine

- 53 in binary is 0101 0011, can be denoted in the finite field

GF(28) as polynomial : x6 + x4 + x + 1

- Multiplicative inverse of a byte in GF(28) with polynomial :

x8 + x4 + x3 + x + 1 as modulus

- Multiplicative inverse algorithm:

remainder[1] := f(x) auxiliary[1] := 0

remainder[2] := a(x) auxiliary[2] := 1

i := 2

while remainder[i] > 1

i := i + 1 remainder[i] := remainder(remainder[i-2] / remainder[i-1])

quotient[i] := quotient(remainder[i-2] / remainder[i-1])

auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2]

inverse := auxiliary[i]

SubBytes Transformation

- The multiplicative inverse of byte 53 is CA.

x7 + x6 + x3 + x = 1100 1010 (CA in Hex)

i Remainder[i] Quotient[i] Auxiliary[i]

1 x8 + x4 + x3 + x + 1 0

2 x6 + x4 + x + 1 1

3 x2 x2 + 1 x2 + 1

4 x + 1 x4 + x2 x6 + x4 + x4 + x2 + 1

5 1 x + 1 x7 + x6 + x3 + x2 + x2 + x + 1 + 1

6 0 x + 1

SubBytes Transformation

- Multiply the inverted byte with the matrix X.

- An easier way to view the matrix multiplication is as

polynomial multiplication.

Row 1 = 1000 1111 = N0 + N4 + N5 + N6 + N7 0 + 0 + 0 + 1 + 1 = 0

Row 2 = 1100 0111 = N0 + N1 + N5 + N6 + N7 0 + 1 + 0 + 1 + 1 = 1

Row 3 = 1110 0011 = N0 + N1 + N2 + N6 + N7 0 + 1 + 0 + 1 + 1 = 1

Row 4 = 1111 0001 = N0 + N1 + N2 + N3 + N7 0 + 1 + 0 + 1 + 1 = 1

Row 5 = 1111 1000 = N0 + N1 + N2 + N3 + N4 0 + 1 + 0 + 1 + 0 = 0

Row 6 = 0111 1100 = N1 + N2 + N3 + N4 + N5 1 + 0 + 1 + 0 + 0 = 0

Row 7 = 0011 1110 = N2 + N3 + N4 + N5 + N6 0 + 1 + 0 + 0 + 1 = 0

Row 8 = 0001 1111 = N3 + N4 + N5 + N6 + N7 1 + 0 + 0 + 1 + 1 = 1

- The result of multiplication is the vector : 0111 0001.

SubBytes Transformation

ShiftRows Transformation

ShiftRows Transformation

Before After

MixColumns Transformation

ShiftRows and MixColumns provide confusion for cipher.

Each column of the array is mixed together.

Each byte is replaced by a value dependent on all 4 bytes

of column.

MixColumns Transformation

MixColumns Transformation

MixColumns Transformation

MixColumns Transformation

MixColumns Transformation

. {02 . 63} :

02 = 0000 0010 (in Binary), be denoted in GF(28) as the

polynomial : x

63 = 0110 0011 (in Binary), in GF(28) as the polynomial :

x6 + x5 + x + 1

{02 . 63} = x(x6 + x5 + x + 1) = x7 + x6 + x2 + x

. {03 . F2} :

03 = 0000 0011 = x + 1

F2 = 1111 0010 = x7 + x6 + x5 + x4 + x

{03 . F2} = (x + 1)(x7 + x6 + x5 + x4 + x)

= x8 + x7 + x6 + x5 + x2 + x7 + x6 + x5 + x4 + x

= (x8 + x4 + x2 + x) mod (x8 + x4 + x3 + x + 1)

MixColumns Transformation

x8 + x4 + x2 + x x8 + x4 + x3 + x + 1

x8 + x4 + x3 + x + 1 1

x3 + x2 + 1

{03 . F2} = x3 + x2 + 1

. {01 . 7D} = x6 + x5 + x4 + x3 + x2 + 1

. {01 . D4} = x7 + x6 + x4 + x2

. P0 = {02 . 63} + {03 . F2} + {01 . 7D} + {01 . D4}

= x7 + x6 + x2 + x + x3 + x2 + 1

+ x6 + x5 + x4 + x3 + x2 + 1 + x7 + x6 + x4 + x2

= x6 + x5 + x = 0110 0010 = 62 (in Hex)

MixColumns Transformation

MixColumns Transformation

MixColumns Transformation

MixColumns Transformation

Decryption with AES Decryption do operations similar to encryption process, in

reverse order.

Use InvSubBytes, InvShiftRows, InvMixColumns replace to

SubBytes, ShiftRows and MixColumns.

Decryption with AES S-box S-1[.] of InvSubBytes.

Decryption with AES

InvSubBytes Process

Decryption with AES

Matrix M-1 of InvMixColumns.

M-1 =

0E 0B 0D 0909 0E 0B 0D0D 09 0E 0B0B 0D 09 0E

AES Implementation

AES Implementation

AES Implementation

The Avalanche Effect:

- A change in one bit of either the plaintext or the

key should produce a change in many bits of the

ciphertext.

AES Implementation

AES Implementation

AES Security AES was designed after DES. Most of the known

attacks on DES were already tested on AES.

Brute-Force Attack:

- AES is definitely more secure than DES due to the

larger-size key.

Statistical Attacks:

- Numerous tests have failed to do statistical analysis

of the cipher-text.

Differential and Linear Attacks:

- There are no differential and linear attacks on AES as

yet.

AES Security

Differential Cryptanalysis:

- Study of how differences in input affect differences in

output.

- Can greatly reduced due to high number of rounds.

Linear Cryptanalysis:

- Study of correlations between input and output.

- S-Box and MixColumns are designed to frustrate

Linear Analysis.

Summary

The Advanced Encryption Standard (AES) is a

symmetric-key block cipher published in 2000.

AES was given to improve DES weaknesses as

well as create stronger block cipher design.

AES uses 128-bits length as input, with 128, 192,

256-bits key size to produce 128-bits output.

AES showed its advantage to secure against most

known attacks (brute-force, statistical, differential

and linear cryptanalysis).