
BIRLA INSTITUTE OF TECHNOLOGY & SCIENCE, PILANI

WORK INTEGRATED LEARNING PROGRAMMES

Network Security
Advanced Encryption Standard (AES)

Session : 10

2
Advanced Encryption Standard (AES)
• Published by the National Institute of Standards and Technology (NIST) in 2001
• AES is a symmetric block cipher intended to replace DES
• Key requirements
  • Security: 128 bit key to resist cryptanalysis and brute-force attacks
  • Cost: Good computational efficiency and storage requirements for different implementations in hardware, software and smart cards
  • Implementation: Algorithm must have flexibility and simplicity to be implemented on any platform
• AES uses a variant of the Rijndael algorithm

3
AES Basics
• Encrypts and decrypts using a 128 bit data block
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
• Relationship between rounds and key size
  • 10 rounds: 128 bit
  • 12 rounds: 192 bit
  • 14 rounds: 256 bit
• Round keys are always 128 bits

4
AES Outline
• Encrypts and decrypts using a 128 bit data block
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
• Pre-round and last round are different in structure
• The remaining rounds have the same structure (steps)

5
AES Data units
• Bit: Binary digit with a value of 0 or 1
• Byte: Group of 8 bits which can be treated as a single entity i.e. a row matrix (1x8) or a column matrix (8x1)
• Word: Group of 32 bits or 4 bytes which can be treated as a single entity i.e. a row/column matrix of 4 bytes
• Block: Group of 128 bits i.e. row matrix of 16 bytes

6
AES State
• State is constructed column wise (top to bottom, left to right) using bits of the block (left to right)
• Block is constructed using bits from the state column wise (top to bottom, left to right)

7
Structure of a round
• Encrypts and decrypts using a 128 bit data block
• Uses 10, 12 or 14 rounds
• Uses a 128, 192 or 256 bit key
• Pre-round has only the AddRoundKey step
• Last round doesn’t have the MixColumns step

8
SubByte transformation
• A byte is interpreted as a hexadecimal digit
• Each SubByte transformation of the state involves 16 independent byte-to-byte transformations

9
Sub Byte transformation table
• A byte is interpreted as a hexadecimal digit
• Each SubByte transformation of the state involves 16 independent byte-to-byte transformations

10
InvSub Byte transformation table
• A byte is interpreted as a hexadecimal digit
• Each InvSubByte transformation of the state involves 16 independent byte-to-byte transformations

11
Sub Byte transformation example

• If two bytes have the same value, their transformations have the same value
• InvSubByte results in the original text

12
Permutation – Shift rows

• Shift left operation performed with circular rotation

13
Permutation – Shift rows - example

14
Mix columns

• Mixing provides interbyte transformation that changes the bits inside a byte using bits from neighbouring bytes
• Bytes are mixed to provide diffusion at bit level
• Mix columns transformation operates at column level
• Each column of the state is transformed to a new column using a constant matrix

15
Mix columns
• Mixing provides interbyte transformation that changes the bits inside a byte using bits from neighbouring bytes
• Bytes are mixed to provide diffusion at bit level
• Mix columns transformation operates at column level
• Each column of the state is transformed to a new column using a constant matrix

[Figures: Mixing bytes using matrix multiplication; Constant matrix used for mixing]

16
Mix columns - example

• Mixing provides interbyte transformation that changes the bits inside a byte using bits from neighbouring bytes in the column
• Bytes are mixed to provide diffusion at bit level
• Mix columns transformation operates at column level
• Each column of the state is transformed to a new column using a constant matrix

17
Add round key transformation

• AddRoundKey processes one column at a time
• AddRoundKey adds a round key word with each state column matrix
• The operation in AddRoundKey is matrix addition

18
Key expansion – AES128
• The first 4 words are from the cipher key, four bytes for each word
• Rest of the words (w_i for i = 4 to 43):
  • If (i mod 4) ≠ 0, w_i = w_{i-1} ⊕ w_{i-4}
  • If (i mod 4) = 0, w_i = t_i ⊕ w_{i-4}
• t_i is a temporary word derived by applying two functions, RotWord and SubWord, on w_{i-1} and XORing the result with a round constant Rcon

19
Key expansion – temporary word
• RotWord (rotate word): Circularly shifts the bytes in a word to the left by 1
• SubWord (substitute word): similar to the SubByte transformation; take each byte from the word and substitute it using the same S-box
• Round Constant: A 4 byte value in which the rightmost 3 bytes are always zero. The values for AES128 are as under:
  • Round 1: 01 00 00 00
  • Round 2: 02 00 00 00
  • Round 3: 04 00 00 00
  • Round 4: 08 00 00 00
  • Round 5: 10 00 00 00
  • Round 6: 20 00 00 00
  • Round 7: 40 00 00 00
  • Round 8: 80 00 00 00
  • Round 9: 1B 00 00 00
  • Round 10: 36 00 00 00

t_i = SubWord(RotWord(w_{i-1})) ⊕ Rcon_{i/4}

20
Key expansion – AES192 & AES256
The algorithm is similar except for the following differences
• AES192: The words are generated in groups of 6 instead of 4
  • Cipher key creates the first 6 words (w_0 to w_5)
  • If (i mod 6) ≠ 0, w_i = w_{i-1} ⊕ w_{i-6}; otherwise w_i = t_i ⊕ w_{i-6}
• AES256: The words are generated in groups of 8 instead of 4
  • Cipher key creates the first 8 words (w_0 to w_7)
  • If (i mod 8) ≠ 0, w_i = w_{i-1} ⊕ w_{i-8}; otherwise w_i = t_i ⊕ w_{i-8}
  • If i mod 4 = 0 but i mod 8 ≠ 0 then w_i = SubWord(w_{i-1}) ⊕ w_{i-8}

21
AES Structure
• Block of 128 bits or 16 bytes of plaintext encrypted
• Key can be 128, 192, 256 bits (16, 24, 32 bytes): AES128, AES192, AES256 algorithm
• Input block of 128 bits converted into a 4x4 matrix of bytes and copied into a State array
• State array modified at each stage of encryption using the key
• After the final stage, the State array is copied into an output matrix of 4x4
• Keys expanded into key schedule words. Each word is 4 bytes and there are 44 words in a key schedule for a 128 bit key
• Bytes are ordered column wise in a matrix i.e. first 4 bytes will be in column 1, next 4 in column 2 and so on

No. of rounds    Key length (bytes)
10               16
12               24
14               32

[Figure 5.1 AES Encryption Process: plaintext (16 bytes) and key (M bytes); initial transformation with the round 0 key; rounds 1 to N – 1 (4 transformations each); round N (3 transformations); ciphertext (16 bytes). Key expansion supplies a 16-byte round key to every round.]

22
as input and produces a 4 × 4 matrix as output. Figure 5.1 shows that the output of each round is a 4 × 4 matrix, with the output of the final round being the ciphertext.

Input, State Array, Output & Key Expansion

in0  in4  in8   in12      s0,0 s0,1 s0,2 s0,3      s0,0 s0,1 s0,2 s0,3      out0 out4 out8  out12
in1  in5  in9   in13  →   s1,0 s1,1 s1,2 s1,3  →   s1,0 s1,1 s1,2 s1,3  →   out1 out5 out9  out13
in2  in6  in10  in14      s2,0 s2,1 s2,2 s2,3      s2,0 s2,1 s2,2 s2,3      out2 out6 out10 out14
in3  in7  in11  in15      s3,0 s3,1 s3,2 s3,3      s3,0 s3,1 s3,2 s3,3      out3 out7 out11 out15

(a) Input, state array, and output

k0  k4  k8   k12
k1  k5  k9   k13  →   w0 w1 w2 … w42 w43
k2  k6  k10  k14
k3  k7  k11  k15

(b) Key and expanded key

Figure 5.2 AES Data Structures

Table 5.1 AES Parameters
Key Size (words/bytes/bits)                4/16/128    6/24/192    8/32/256
Plaintext Block Size (words/bytes/bits)    4/16/128    4/16/128    4/16/128
Number of Rounds                           10          12          14
Round Key Size (words/bytes/bits)          4/16/128    4/16/128    4/16/128
Expanded Key Size (words/bytes)            44/176      52/208      60/240

Detailed Structure

Figure 5.3 shows the AES cipher in more detail, indicating the sequence of transformations in each round and showing the corresponding decryption function. As was

23
AES Detailed Structure
• Each round has 4 different stages – one permutation and 3 substitutions
  • Substitute Bytes: Uses an S-box to perform byte-by-byte substitution of a block
  • Shift Rows: A simple permutation
  • Mix Columns: A substitution making use of arithmetic over GF(2^8)
  • Add Round Key: A bitwise XOR of the current block with a portion of the expanded key
• Encryption starts with Add Round Key followed by 9 rounds that include all 4 stages.
• Add Round Key stage makes use of the key. Add Round Key is a Vernam cipher. The other 3 stages don’t use the key
• In both encryption and decryption the final round uses only 3 stages – Substitute Byte, Shift Rows and Add Round Key.

[Figure 5.3 AES Encryption and Decryption: (a) Encryption, (b) Decryption. Key (16 bytes) is expanded; Add round key uses w[0, 3] before round 1, w[4, 7] in round 1, w[36, 39] in round 9 and w[40, 43] in round 10. Encryption rounds: Substitute bytes, Shift rows, Mix columns, Add round key. Decryption rounds: Inverse shift rows, Inverse sub bytes, Add round key, Inverse mix cols.]

24
of the block (the other three stages), followed by XOR encryption, and so on.
This scheme is both efficient and highly secure.
is mapped into the value {2A}.

Substitute Byte Transformation

• Uses a 16x16 table defined for AES (S-Box). Table contains a permutation of all possible 256 8-bit values.
• Each byte of state is mapped to the table as under: leftmost 4 bits are used as row value and rightmost 4 bits are used as column value. The row and column intersection on the S-Box is the 8-bit output value.
• Example:

Here is an example of the SubBytes transformation:

EA 04 65 85      87 F2 4D 97
83 45 5D 96  →   EC 6E 4C 90
5C 33 98 B0      4A C3 46 E7
F0 2D AD C5      8C D8 95 A6

[Figure 5.5 AES Byte-Level Operations: (a) Substitute byte transformation, (b) Add round key transformation]

Table 5.2 AES S-Boxes

x\y  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0    63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1    CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2    B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3    04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4    09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5    53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6    D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7    51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8    CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9    60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A    E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B    E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C    BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D    70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E    E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F    8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
(a) S-box

The S-box is constructed in the following fashion (Figure 5.6a).

[Figure 5.6a: byte at row y, column x initialized to yx; inverse in GF(2^8); byte to bit column vector]

x\y  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0    52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB

25
ShiftRows, is depicted in Figure 5.7a. The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows.

87 F2 4D 97      87 F2 4D 97
EC 6E 4C 90  →   6E 4C 90 EC
4A C3 46 E7      46 E7 4A C3
8C D8 95 A6      A6 8C D8 95

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.

RATIONALE The shift row transformation is more substantial than it may first appear. This is because the State, as well as the cipher input and output, is treated as an array of four 4-byte columns. Thus, on encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on. Furthermore, as will be seen, the round key is applied to State column by column. Thus, a row shift moves an individual byte from one column to another, which is a linear

Shift Row Transformation
• First row not altered
• Second row: 1 byte circular left shift performed
• Third row: 2 byte circular left shift performed
• Fourth row: 3 byte circular left shift performed
• This ensures that the 4 bytes of the original column are distributed to four columns

26
transformation can be defined by the following matrix multiplication on State (Figure 5.7b):

$$
\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix}
\begin{bmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\ s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\ s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3} \end{bmatrix}
=
\begin{bmatrix} s'_{0,0} & s'_{0,1} & s'_{0,2} & s'_{0,3} \\ s'_{1,0} & s'_{1,1} & s'_{1,2} & s'_{1,3} \\ s'_{2,0} & s'_{2,1} & s'_{2,2} & s'_{2,3} \\ s'_{3,0} & s'_{3,1} & s'_{3,2} & s'_{3,3} \end{bmatrix}
\qquad (5.3)
$$

Each element in the product matrix is the sum of products of elements of one row and one column. In this case, the individual additions and multiplications are

finite field GF(2^8) and ⊕ to indicate bitwise XOR, which corresponds to addition in GF(2^8).

Mix Column Transformation
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column
• The transformation uses the matrix multiplication defined above

27
plication by these coefficients involves at most a shift and an XOR. The coefficients in InvMixColumns are more formidable to implement. However, encryption was deemed more important than decryption for two reasons:
1. For the CFB and OFB cipher modes (Figures 6.5 and 6.6; described in Chapter 6), only encryption is used.
2. As with any block cipher, AES can be used to construct a message authentication code (Chapter 12), and for this, only encryption is used.

Add Round Key Transformation
• 128 bits of state are XORed with 128 bits of round key
• Column wise operation between 4 bytes of state and one word of the round key

[Figure 5.5 AES Byte-Level Operations: (a) Substitute byte transformation, (b) Add round key transformation]

AddRoundKey Transformation

FORWARD AND INVERSE TRANSFORMATIONS In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key. As shown in Figure 5.5b, the operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation. The following is an example of AddRoundKey:

47 40 A3 4C      AC 19 28 57      EB 59 8B 1B
37 D4 70 9F  ⊕   77 FA D1 5C  =   40 2E A1 C3
94 E4 3A 42      66 DC 29 00      F2 38 13 42
ED A5 A6 BC      F3 21 41 6A      1E 84 E7 D6

The first matrix is State, and the second matrix is the round key.
The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.

RATIONALE The add round key transformation is as simple as possible and affects every bit of State. The complexity of the round key expansion, plus the complexity of the other stages of AES, ensure security.

28
Inputs for Single Round of AES

[Figure 5.8 Inputs for Single AES Round: State matrix at beginning of round → SubBytes → ShiftRows → MixColumns → AddRoundKey → State matrix at end of round. Constant inputs: S-box (SubBytes) and the MixColumns matrix with rows 02 03 01 01 / 01 02 03 01 / 01 01 02 03 / 03 01 01 02. Variable input: round key (AddRoundKey).]
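The ShiftRows, MixColumns and AddRoundKey examples on the preceding slides are consecutive steps of one round, which the following sketch reproduces from the SubBytes output onward. It is an added example, not code from the slides or the textbook pages behind them; the function names are this example's own, and the matrices are the ones printed above.

```python
def to_state(block):
    """16-byte block -> 4x4 state, filled column by column: s[r][c] = in[r + 4c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def rows(text):
    """Parse a matrix written row by row, as printed on the slides."""
    return [[int(b, 16) for b in line.split()] for line in text.strip().splitlines()]

def shift_rows(s):
    # Row r is rotated left by r bytes; row 0 is untouched.
    return [row[r:] + row[:r] for r, row in enumerate(s)]

def xtime(a):
    # Multiply by {02} in GF(2^8): shift left, then reduce by 0x11B on overflow.
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(coeff, a):
    # Encryption only needs the MixColumns coefficients 01, 02 and 03.
    return {1: a, 2: xtime(a), 3: xtime(a) ^ a}[coeff]

# Constant MixColumns matrix from equation (5.3).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_columns(s):
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):              # each column is transformed independently
        for r in range(4):
            for k in range(4):      # row r of MIX times column c; addition is XOR
                out[r][c] ^= gmul(MIX[r][k], s[k][c])
    return out

def add_round_key(s, k):
    return [[a ^ b for a, b in zip(sr, kr)] for sr, kr in zip(s, k)]

# State after SubBytes (input of the page's ShiftRows example).
AFTER_SUBBYTES = rows("""87 F2 4D 97
EC 6E 4C 90
4A C3 46 E7
8C D8 95 A6""")
# Round key from the page's AddRoundKey example.
ROUND_KEY = rows("""AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6A""")

def finish_round(state, round_key):
    """ShiftRows, MixColumns, AddRoundKey: a full round minus SubBytes."""
    return add_round_key(mix_columns(shift_rows(state)), round_key)

if __name__ == "__main__":
    for row in finish_round(AFTER_SUBBYTES, ROUND_KEY):
        print(" ".join(f"{b:02X}" for b in row))
```

The MixColumns output is exactly the State matrix that opens the AddRoundKey example, and the final result is that example's right-hand matrix.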

29
AES Key Expansion
• Takes input of four word (16 byte, 128 bits) key and produces linear array of 44 words
• This provides 4 word round key for initial Add Round Key stage and 10 rounds of cipher
• In the expanded key, the first 4 words are copied from the given key. Remainder of the expanded key is filled 4 words at a time.
• Each added word W(i) depends on immediate previous word W(i-1) and word four positions back W(i-4)
• For 3 out of four words a simple XOR is used
• For a word whose position is multiple of 4, a complex function is used
  • RotWord: Perform a one byte circular left shift on the word
  • SubWord: byte substitution on each byte of word using S-Box
  • Result of RotWord and SubWord is XORed with a round constant (a word with three rightmost bytes as 0) – only perform XOR on left most byte
• Round constant is different for each round
• Rcon[j] = (RC[j], 0, 0, 0)
• RC[1] = 1, RC[j] = 2 · RC[j-1] with multiplication defined over field GF(2^8)

1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box (Table 5.2a).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].

The round constant is a word in which the three rightmost bytes are always 0. Thus, the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j-1] and with multiplication defined over the field GF(2^8). The values of RC[j] in hexadecimal are

j       1   2   3   4   5   6   7   8   9   10
RC[j]   01  02  04  08  10  20  40  80  1B  36

For example, suppose that the round key for round 8 is

EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
Implementation of AES
• AES encryption and decryption are not similar
• Sequence of transformations for decryption differs from that of encryption
• Encryption has SubByte, ShiftRows, MixColumns and AddRoundKey
• Decryption has InvShiftRows, InvSubByte, InvAddRoundKey, InvMixColumns
• For decryption the order of the first two transformations needs to be interchanged and the order of the last two transformations needs to be interchanged

31
THANK YOU

32
