Nhập môn mật mã - mã hóa Nguyễn Như Huân

Advanced Encryption Standard

-------------------------------------------
InputBlockLength 128 bits
OutputBlockLength 128 bits
StateLength 128 bits ⟶ 𝑁𝑏 = 4 (blocks 32-bits)
CipherKeyLength 128/192/256 bits ⟶ 𝑁𝑘 = 4/6/8 (blocks 32-bits)
NumberOfRound 10/12/14 ⟶ 𝑁𝑟 = 10/12/14 (depend on 𝑁𝑘)
-------------------------------------------

1. Encryption

The AES algorithm’s operations are on a matrix of bytes called the State. The State has 4 rows
and 𝑁𝑏 columns.
Input bytes State array Output bytes
𝑖𝑛0 𝑖𝑛4 𝑖𝑛8 𝑖𝑛12 𝑠0,0 𝑠0,1 𝑠0,2 𝑠0,3 𝑜𝑢𝑡0 𝑜𝑢𝑡4 𝑜𝑢𝑡8 𝑜𝑢𝑡12
𝑖𝑛1 𝑖𝑛5 𝑖𝑛9 𝑖𝑛13 𝑠1,0 𝑠1,1 𝑠1,2 𝑠1,3 𝑜𝑢𝑡1 𝑜𝑢𝑡5 𝑜𝑢𝑡9 𝑜𝑢𝑡13
𝑖𝑛2 𝑖𝑛6 𝑖𝑛10 𝑖𝑛14 𝑠2,0 𝑠2,1 𝑠2,2 𝑠2,3 𝑜𝑢𝑡2 𝑜𝑢𝑡6 𝑜𝑢𝑡10 𝑜𝑢𝑡14
𝑖𝑛3 𝑖𝑛7 𝑖𝑛11 𝑖𝑛15 𝑠3,0 𝑠3,1 𝑠3,2 𝑠3,3 𝑜𝑢𝑡3 𝑜𝑢𝑡7 𝑜𝑢𝑡11 𝑜𝑢𝑡15

First, the Input is copied to State.

After an initial Round Key addition, the State is transformed by Round Function 𝑁𝑟 times.
The final State is copied to Output.

SubBytes
The SubBytes transformation is a non-linear byte substitution using S-box. The S-box is
constructed as the following:
- Let {𝑎0 𝑏0 } be the input byte. We compute {𝑎1 𝑏1 } which is the inverse in 𝐺𝐹(28 ):
{𝑎0 𝑏0 }−1 ≡ {𝑎1 𝑏1 } mod (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)
- Let 𝛼 = {𝑎1 𝑏1 } Applying the following affine transformation over 𝐺𝐹(2):
𝛽𝑖 = 𝛼𝑖 ⨁𝛼(𝑖+4) mod 8 ⨁𝛼(𝑖+5) mod 8 ⨁𝛼(𝑖+6) mod 8 ⨁𝛼(𝑖+7) mod 8 ⨁𝑐𝑖
Nhập môn mật mã - mã hóa Nguyễn Như Huân

where 𝑐 is a byte with the value {63}. To express this transformation in the matrix form:
𝛽0 1 0 0 0 1 1 1 1 𝛼0 1
𝛽1 1 1 0 0 0 1 1 1 𝛼1 1
𝛽2 1 1 1 0 0 0 1 1 𝛼 2 0
𝛽3 1 1 1 1 0 0 0 1 𝛼3 0
= ∙ 𝛼 +
𝛽4 1 1 1 1 1 0 0 0 4 0
𝛽5 0 1 1 1 1 1 0 0 𝛼5 1
𝛽6 0 0 1 1 1 1 1 0 𝛼 6 1
[𝛽7 ] [ 0 0 0 1 1 1 1 1] [𝛼7 ] [0]
{𝑥𝑦} = [𝛽7 𝛽6 𝛽5 𝛽4 𝛽3 𝛽2 𝛽1 𝛽0 ] is the output of S-box.

Example: Input = {07}. Output = {𝑐5}

We have {𝑎0 𝑏0 } = [00000111] ⟶ {𝑎1 𝑏1 } ≡ {𝑎0 𝑏0 }−1 (mod 𝑚(𝑥)) = {𝑑1} = [11010001]

Compute {𝑥𝑦} by the transformation above: {𝑥𝑦} = [11000101] = {𝑐5}

S-box table
Nhập môn mật mã - mã hóa Nguyễn Như Huân

ShiftRows
Now the State will be transformed by cyclically shifting row 𝑖 in 𝑖 times.

Illustrations of Shifting rows

MixColumns
This treats each column of the State as a four-term polynomial. As mentioned, the AES
algorithm considers the columns as polynomials over 𝐺𝐹(28 ) and multiplied modulo 𝑥 4 + 1 with
a fixed polynomials 𝑎(𝑥) = {03}𝑥 3 + {01}𝑥 2 + {01}𝑥 + {02}.
We compute 𝑠 ′ (𝑥) = 𝑎(𝑥)⨂𝑠(𝑥)
′
𝑠0,𝑐 02 03 01 01 𝑠0,𝑐
′
𝑠1,𝑐 01 02 03 01 𝑠1,𝑐
′ =[ ] ∙ [𝑠 ] 0 ≤ 𝑐 < 𝑁𝑏
𝑠2,𝑐 01 01 02 03 2,𝑐
′ 03 01 01 02 𝑠3,𝑐
[𝑠3,𝑐 ]

AddRoundKey
In this step, the State is XOR with a Round Key. Each Round Key consists of 𝑁𝑏 4-byte words
from the Key Schedule.
′ ′ ′ ′
[𝑠0,𝑐 𝑠1,𝑐 𝑠2,𝑐 𝑠3,𝑐 ] = [𝑠0,𝑐 𝑠1,𝑐 𝑠2,𝑐 𝑠3,𝑐 ]⨁[𝑤round×𝑁𝑏+𝑐 ]

where 0 ≤ 𝑐 < 𝑁𝑏 ; 0 ≤ round < 𝑁𝑟

In the Encryption, the initial Round Key addition occurs when round = 0, and the
AddRoundKey transformation is applied when 1 ≤ round < 𝑁𝑟.
Nhập môn mật mã - mã hóa Nguyễn Như Huân

Illustration of AddRoundKey

2. Key Expansion
We need RoundKey to perform AddRoundKey transformation, and the Key Expansion is to
generate that Key Schedule. This routine generates a total of 𝑁𝑏. (𝑁𝑟 + 1) 4-byte words: an initial
RoundKey 𝑁𝑏 words, 𝑁𝑟 other rounds with RoundKey 𝑁𝑏 words each.
First, we get array of 𝑁𝑘 words 𝒘. We keep the value of first 𝑁𝑘 elements of 𝒘.
We generate 𝒘[𝒊] with the following pseudo codes:

for (int i = Nk; i < Nb*(Nr+1); ++i) {

t = w[i-1];
if (i % Nk == 0)
t = SubWord(RotWord(temp)) ^ Rcon[i/Nk];
else if (Nk == 8 && i % k == 4)
t = SubWord(t);
w[i] = w[i - Nk] ^ t;
}

Pseudo code: Key Expansion

SubWord is a function that takes a 4-byte word as input, applies S-box to each byte to
produce an output 4-byte word.
RotWord is a function that inputs a word [𝑎0 , 𝑎1 , 𝑎2 , 𝑎3 ], performs a permutation and outputs
the word [𝑎1 , 𝑎2 , 𝑎3 , 𝑎0 ].

Rcon is an array of round constant word. Rcon[i] = [{02}𝑖−1 , {00}, {00}, {00}] over 𝐺𝐹(28 ).
Nhập môn mật mã - mã hóa Nguyễn Như Huân

We review the Encryption algorithm through the following pseudo code:

Encryption (byte input[4,Nb], byte output[4,Nb], byte key[4*Nk])

{
word w[Nb*(Nr+1)] = KeyExpansion(key, Nk);
byte state[4,Nb] = input;
AddRoundKey(state, w[0, Nb-1]); // initial Round Key addition

for (int round = 1; i < Nr; ++round) {

SubBytes(state);
ShiftRows(state);
MixColumns(state);
AddRoundKey(state, w[(round*Nb)..(round*Nb + Nb-1)]);
}
// MixColumns is performed except the final round.

SubBytes(state);
ShiftRows(state);
AddRoundKey(state, w[(Nr*Nb)..(Nr*Nb + Nb-1)]);
output = state;
}

Pseudo code: The AES Algorithm – Encryption

3. Decryption

The Encryption uses transformations which can be inverted.

InvShiftRows
This is so simple, just cyclically shifting in the reverse direction.
Nhập môn mật mã - mã hóa Nguyễn Như Huân

Illustration of InvShiftRows

InvSubBytes
This is also simple, because S-box is constructed on reverse-ability transformation and
operation. We have the S-box table to look up, then we can use it to create an Inverse S-box.

Inverse S-box table

InvMixColumns
Because of the special fixed polynomial 𝑎(𝑥), the matrix is reverse.
𝑎−1 (𝑥) = {0𝑏}𝑥 3 + {0𝑑}𝑥 2 + {09}𝑥 + {0𝑒}.
We compute 𝑠 ′ (𝑥) = 𝑎−1 (𝑥)⨂𝑠(𝑥)
Nhập môn mật mã - mã hóa Nguyễn Như Huân

′
𝑠0,𝑐 0𝑒 0𝑏 0𝑑 09 𝑠0,𝑐
′
𝑠1,𝑐 09 0𝑒 0𝑏 0𝑑 𝑠1,𝑐
′ =[ ] ∙ [𝑠 ] 0 ≤ 𝑐 < 𝑁𝑏
𝑠2,𝑐 0𝑑 09 0𝑒 0𝑏 2,𝑐
′ 0𝑏 0𝑑 09 0𝑒 𝑠3,𝑐
[𝑠3,𝑐 ]

AddRoundKey
Because there is only XOR operation, and 𝒘 can be generated the same by Key Expansion
algorithm, AddRoundKey is also InvAddRoundKey transformation.

Decryption (byte input[4,Nb], byte output[4,Nb], byte key[4*Nk])

{
word w[Nb*(Nr+1)] = KeyExpansion(key, Nk);
byte state[4,Nb] = input;
AddRoundKey(state, w[Nr*Nb, Nr*Nb + Nb-1]);
for (int round = Nr - 1; i >= 1; --round) {
InvShiftRows(state);
InvSubBytes(state);
MixColumns(state);
AddRoundKey(state, w[(round*Nb)..(round*Nb + Nb-1)]);
}
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(state, w[0.. Nb-1]);
output = state;
}

Pseudo code: The AES Algorithm – Decryption

REFERENCE:
[1] Announcing the Advanced Encryption Standard (AES)