Published by National Institute of Standards & Technology in 2001
Standard became effective May 26, 2002
Symmetric key block cipher
Created to replace DES
Doesn’t use Feistel structure; cipher function is run on each whole block
Uses 128-bit block size
Key size of either 128, 192, or 256 bits
Has 10, 12, or 14 rounds depending on key size used
Finite field GF(2^8) is used for the mathematics involved
We’ll look at the algorithm using 10 rounds and a 16-byte key size

Expansion function for key expansion
Cipher function has four transformations:
◦ Substitute bytes
◦ Shift rows
◦ Mix columns
◦ Add round key
Transformations include S-box substitution and matrix transforms

Finite field is defined over polynomials
Irreducible polynomial is: x^8 + x^4 + x^3 + x + 1
Addition is done modulo 2
Multiplication is done as ordinary polynomial multiplication, then reduced via the irreducible polynomial if the highest degree is more than x^7
We’ve done this in class, anyone need clarification?
Bit rep. would be (hex): 80 * 02 = 1B
We begin with a 16-byte key (4 words)
This is expanded to 176 bytes (44 words)
Input key is used as the first key, then a key is generated for each of the next 10 rounds
Each word of a key is the XOR of the previous word and the fourth previous word (except the first key)
So, w[i] = w[i-1] (+) w[i-4], i >= 4
Also, if i mod 4 = 0, then we run a function g on w[i-1] before the XOR operation

The function g takes a word and does a left byte shift on the data,
then the word is run through an S-box (byte level),
and finally the S-box output is XOR’d with a round constant
Round constant is four bytes; the right three are zero
Left byte of round constant begins at (hex) 01
Each round the constant is multiplied by 2, with respect to our finite field

SubBytes does a simple replacement of each byte of the block data using an S-box
Left four bits determine the row, right four bits determine the column

S-box is defined by an affine transformation over our finite field
Both multiplication by a matrix and addition of a constant vector
Byte is inverted with respect to the finite field before the transformation
Addition of the vector constant removes fixed points from the mapping

S: b’ = Xb (+) C
IS: b = Yb’ (+) D
So we need:
◦ YX = I -> Y^-1 = X
◦ YC = D
b = Y(Xb (+) C) (+) D = YXb (+) YC (+) D = b (+) YC (+) D = b (+) D (+) D = b

In our representation block data is arranged down the columns of our matrix
ShiftRows simply byte shifts the rows
◦ First row: no change
◦ Second row: one byte cyclical left shift
◦ Third row: two byte cyclical left shift
◦ Fourth row: three byte cyclical left shift
THE AES IS VERY COOL
ShiftRows is run after SubBytes, so we wouldn’t have the plaintext as input

MixColumns runs on each column individually
Each byte is mapped to a new value which depends on the value of all four of the bytes in the column
This is a matrix transformation; its coefficients were chosen to mix bytes the most,
as well as to favor encryption speed over decryption speed

The round key is XOR’d with the block of data
The complexity of all other stages ensures the security of the overall algorithm,
and cuts down on the complexity needed for this stage

Simple example to show steps
Values used are as given:

Key expansion example with given values
First four words are the first key, which is given
The rest of the keys are generated

First few rounds of encryption
Look at all these bytes! Awwww yeahhh!!!

Key expansion again
Difference of one bit gives ‘avalanche’ effect
Same ‘avalanche’ effect is seen with bit difference in plaintext

1. Stallings, William. Cryptography and Network Security: Principles and Practices. 5th ed. Prentice Hall, 2006/2011.
2. Mao, Wenbo. Modern Cryptography: Theory and Practice. Prentice Hall, 2003.
3. Federal Information Processing Standards Publication 197, Announcing the Advanced Encryption Standard (AES), November 2001.
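
The key expansion described above (w[i] = w[i-1] (+) w[i-4], with g applied when i mod 4 = 0), as an added Python example that is not part of the original slides. It derives the S-box from the field inverse and affine transformation instead of a lookup table; the constant 0x63, the rotation form of the matrix multiply, and the sample key are taken from FIPS 197, not from the slides.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing by the irreducible polynomial."""
    product = 0
    while b:
        if b & 1:
            product ^= a        # field addition is XOR
        a <<= 1
        if a & 0x100:           # degree reached x^8: reduce
            a ^= AES_POLY
        b >>= 1
    return product

def sbox(byte):
    """S-box entry: field inverse (0 maps to 0), then the affine transformation."""
    inv = 1
    for _ in range(254):        # a^254 = a^-1 because a^255 = 1 for a != 0
        inv = gf_mul(inv, byte)
    out = inv
    for shift in range(1, 5):   # matrix multiply expressed as XOR of bit rotations
        out ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
    return out ^ 0x63           # constant vector C (value from FIPS 197)

SBOX = [sbox(b) for b in range(256)]

def g(word, rcon):
    """Left byte shift, S-box each byte, XOR round constant into the left byte."""
    rotated = word[1:] + word[:1]
    return bytes([SBOX[rotated[0]] ^ rcon] + [SBOX[b] for b in rotated[1:]])

def expand_key(key):
    """Expand a 16-byte key into 44 four-byte words (11 round keys)."""
    if len(key) != 16:
        raise ValueError("this example handles 128-bit keys only")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = g(temp, rcon)
            rcon = gf_mul(rcon, 0x02)   # constant doubles in the field each round
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], temp)))
    return w

if __name__ == "__main__":
    # Sample key: the AES-128 key from FIPS 197 Appendix A.1.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for i, word in enumerate(expand_key(key)):
        print(f"w[{i:2d}] = {word.hex()}")
```

Words 0 to 3 are the input key itself; each following group of four words is the round key for one of the 10 rounds.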