• Based on Rijndael algorithm, created by Joan Daemen & Vincent Rijmen
• Published by National Institute of Standards & Technology in 2001
• Standard became effective May 26, 2002
• Symmetric key block cipher
• Created to replace DES
• Doesn’t use Feistel structure; cipher function is run on each whole block
• Uses 128 bit block size
• Key size of either 128, 192, or 256 bits
• Has 10, 12, or 14 rounds depending on key size used
• Finite field GF(2^8) is used for mathematics involved
• We’ll look at the algorithm using 10 rounds and 16 byte key size
• Expansion function for key expansion
• Cipher function has four transformations:
◦ Substitute bytes
◦ Shift rows
◦ Mix columns
◦ Add round key
• Transformations include S-box substitution and matrix transforms
• Finite field is defined over polynomials
• Irreducible polynomial is: x^8 + x^4 + x^3 + x + 1
• Addition is done modulo 2
• Multiplication is done regularly, then reduced via the irreducible polynomial if the highest degree is more than x^7
• We’ve done this in class, anyone need clarification?
• Bit rep. would be (hex): 80 * 02 = 1B
• We begin with 16 byte key (4 words)
• This is expanded to 176 bytes (44 words)
• Input key is used as the first key, then a key is generated for each of the next 10 rounds
• Each word of a key is the XOR of the previous word and the fourth previous word (except the first key)
• So, w[i] = w[i-1] (+) w[i-4], i >= 4
• Also, if i mod 4 = 0, then we run a function g on w[i-1] before the XOR operation
• The function g takes a word and does a cyclical left byte shift on the data,
• Then the word is run through an S-box (byte level),
• And finally the S-box output is XOR’d with a round constant
• Round constant is four bytes, the right three are zero
• Left byte of round constant begins at (hex) 01
• Each round the constant is multiplied by 2, with respect to our finite field
• SubBytes does a simple replacement of each byte of the block data using an S-box
• Left four bits determine row, right four bits determine the column
• S-box defined by affine transformation over our finite field
• Both multiplication by matrix and addition by a constant vector
• Byte is inverted with respect to the finite field before the transformation
• Addition of vector constant removes fixed points from the mapping
• S: b’ = Xb (+) C
• IS: b = Yb’ (+) D
• So we need:
◦ YX = I -> Y^-1 = X
◦ YC = D
• b = Y(Xb (+) C) (+) D
= YXb (+) YC (+) D
= b (+) YC (+) D
= b (+) D (+) D
= b
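The key expansion and S-box construction described above, as an added example that is not part of the original slides. Function names (xtime, gmul, sbox_byte, g, expand_key) are chosen here for illustration, and only the 16-byte key case the slides walk through is covered.

```python
# Added example (not from the slides): AES-128 key schedule from first principles.

def xtime(a):
    """Multiply by 02 in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):
    """Field multiplication by shift-and-add; addition is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox_byte(b):
    """Invert b in the field (0 maps to 0), then apply the affine map Xb (+) C."""
    inv = 0
    if b:
        inv = 1
        for _ in range(254):          # b^254 is the inverse of b in GF(2^8)
            inv = gmul(inv, b)
    out = 0x63                        # constant vector C
    for shift in range(5):            # X: XOR of inv rotated left by 0..4 bits
        out ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
    return out

SBOX = [sbox_byte(b) for b in range(256)]

def g(word, rcon):
    """Rotate left one byte, S-box each byte, XOR rcon into the left byte."""
    rotated = word[1:] + word[:1]
    subbed = [SBOX[x] for x in rotated]
    return [subbed[0] ^ rcon] + subbed[1:]

def expand_key(key):
    """Expand a 16-byte key into 44 four-byte words (11 round keys)."""
    if len(key) != 16:
        raise ValueError("only the 16-byte key case is covered here")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = g(temp, rcon)
            rcon = xtime(rcon)        # constant doubles in the field each round
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w
```

Building the S-box from the field inverse and the affine map, rather than pasting a 256-entry table, shows that the table lookup in SubBytes and in g is exactly the construction the slides describe.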
• In our representation block data is arranged down columns of our matrix
• ShiftRows simply byte shifts the rows
◦ First row: no change
◦ Second row: one byte cyclical left shift
◦ Third row: two byte cyclical left shift
◦ Fourth row: three byte cyclical left shift
• THE AES IS VERY COOL
• ShiftRows is run after SubBytes, so we wouldn’t have the plaintext as input
• MixColumns runs on each column individually
• Each byte is mapped to a new value which depends on the value of all four of the bytes in the column
• This is a matrix transformation; its coefficients are chosen to mix bytes the most
• As well as to favor encryption speed over decryption speed
• The round key is XOR’d with the block of data
• The complexity of all other stages ensures security of the overall algorithm,
• And cuts down on complexity needed for this stage
• Simple example to show steps
• Values used are as given:
• Key expansion example with given values
• First four words are the first key, which is given
• The rest of the keys are generated
• First few rounds of encryption
• Look at all these bytes! Awwww yeahhh!!!
• Key expansion again
• Difference of one bit gives ‘avalanche’ effect
• Same ‘avalanche’ effect is seen with bit difference in plaintext