Modern Symmetric Block Ciphers

Uploaded by

Tris

Stream Cipher and Block Cipher
Differences between Stream and Block Ciphers
Stream | Block
One bit or byte is processed (encrypted or decrypted) at a time | A fixed-size block is processed at a time (64 bits, 128 bits, etc.)
Usually variable key size | A given algorithm will have a fixed key size
Padding is not required | Most probably requires padding
Processing is faster | Processing is slower
Error propagation is limited | Error propagation could be significant and can produce a completely different output
Examples:- RC4, Rabbit, ChaCha, etc. | Examples:- AES, DES, Triple DES, Serpent, etc.
Used for real-time data stream encryptions and decryptions, where minimum latency is expected. | Used for applications which can handle large data chunks.
MOTIVATION FOR FEISTEL CIPHER STRUCTURE
n-bit to n-bit Block Substitution
• Block Cipher (n-bit PT block → n-bit CT block, and vice-versa)
• Number of PT blocks possible = 2^n.
• Decryption is possible when each PT block can produce a unique CT block (Reversible or Non-Singular Transformation).

• Reversible set of Transformations when n = 2:-


PT Block CT Block
00 11
01 10
10 00
11 01
n-bit to n-bit Block Substitution (Contd..)
• Irreversible set of Transformations when n = 2:-

PT Block CT Block
00 11
01 10
10 01
11 01

• Number of Reversible sets of transformations = (2^n)!
4-bit to 4-bit Block Substitution Example
n-bit to n-bit Block Substitutions (Contd..)

• We noticed with n=2, and n=4, that the corresponding tables define
straightforward mappings between PT blocks and CT blocks.

• Feistel called these types of mappings as an ideal block cipher.

• Increasing the block size makes the block cipher more resistant to
cryptanalysis.
• The mappings can be defined by a key whose length is n*2^n bits.

• However, when n is huge, Key-Management becomes cumbersome.


BLOCK CIPHER DESIGN PRINCIPLES
Principles of designing a Block Cipher
1) Confusion
2) Diffusion
3) Avalanche Effect
4) Feistel Structure
5) Round Functions
6) Key Size and Block Size
7) Bit Independence Criterion (BIC)
8) Key Schedule Algorithm
Confusion

• Term was introduced by Claude Shannon.


• The property makes the relationship between the CT and the key as
complex as possible.
• Achieved through Complex Key-Schedule and Substitution.
• Each bit of the CT depends on several bits of the key.
Diffusion

• The term was introduced by Claude Shannon.


• The property makes the relationship between the CT and PT
complex.
• Achieved through mixing operations and Permutation.
• One bit change in the PT will result in significant change in the bits
of CT.
Avalanche Effect

• Property which ensures that a small change in any of the Inputs results in a significant and unpredictable change in the Output.
• Achieved through Confusion and Diffusion.
Feistel Structure

• Used to achieve Confusion and Diffusion in an organized manner.


• Involves division of each block, operations through multiple rounds,
and swapping operations.
Round Functions

• Internal functions used for each round of a Cipher.


• The functions are complex and are the foundation of the Avalanche Effect.
• Involves Substitutions, Permutations, and Mixing Operations.
Key Size and Block Size

• Plays a crucial role in security.


• The larger the key, the more resistant the Cipher is to brute-force attacks (BFA).
• The larger the PT block, the more resistant the Cipher is to Statistical and Pattern attacks.
BIC

• More associated with cryptographic hash functions and PRNGs.


• However, applicable to Block Cipher design as well.
• Provides statistically random output.
• Provides negligible or 0 predictable relationships between the
current and the neighboring bits.
Key Schedule Algorithm

• Round keys are derived from a Master Key.


• Crucial Component in many block ciphers like DES, AES, etc.
• A good algorithm should generate unique and random round keys.
• Generated using different operations like Substitutions,
Permutations, Mixing, Bit shifting operations, etc.
FEISTEL CIPHER
Feistel Cipher
• Key Length = k bits

• Number of sets of Transformations = 2^k

• Alternates Substitution and Permutation operations.

• Can have any number of rounds with same structure.


Design Features to be considered in Feistel Cipher
• Block size

• Ease of Analysis

• Key Size

• Sub-Keys generation Function

• Number of Rounds

• Round Function

• Fast software encryption/decryption


Encryption
Decryption
Observations in Encryption and Decryption
• Assume that n is the number of rounds.
• During Encryption, LE_i = RE_{i-1}
• During Encryption, RE_i = LE_{i-1} ⊕ F(RE_{i-1}, K_i)
• During Decryption, LD_i = RD_{i-1}
• During Decryption, RD_i = LD_{i-1} ⊕ F(RD_{i-1}, K_{n-i+1})
• LD_i = RE_{n-i}
• RD_i = LE_{n-i}
Generation of Round Keys from Master Key
• The round keys (sub-keys) K_i are derived from the master key K (the process is called Key-Expansion).

• Each Round uses a unique round-key.

• The Key-Expansion uses operations like Permutations, Substitutions, and other transformations.
Example 1
• Assume that the PT = 0x3C; K1 = 0xF, K2 = 0xA. F(x,y) =
Bitwise Logical AND of x and y. What are the outputs of the
first 2 rounds of Feistel Cipher encryption?

Solution:-
• PT = 0x3C
• LE0 = (0011)2
• RE0 = (1100)2
Example 1 (Contd..)
Round 1:-
• LE1 = (1100)2
• RE1 = LE0 ⊕ F(RE0, K1)
• RE1 = (0011)2 ⊕ F((1100)2,(1111)2)
• RE1 = (0011)2 ⊕ (1100)2
• RE1 = (1111)2
• Therefore, Round 1 Output = 0xCF
Example 1 (Contd..)
Round 2:-
• LE2 = (1111)2
• RE2 = LE1 ⊕ F(RE1, K2)
• RE2 = (1100)2 ⊕ F((1111)2,(1010)2)
• RE2 = (1100)2 ⊕ (1010)2
• RE2 = (0110)2
• Therefore, Round 2 Output = 0xF6.
Example 2
• Assume that Feistel Cipher uses 16 rounds. The output of the
14th Round is 0x8D; K15 = 0x7, K16 = 0xC. F(x,y) = Logical
OR of x and y. Calculate CT.

Solution:-
• LE14 = (1000)2
• RE14 = (1101)2
Example 2 (Contd..)
Round 15:-
• LE15 = RE14 = (1101)2
• RE15 = LE14 ⊕ F(RE14, K15)
• RE15 = (1000)2 ⊕ F((1101)2, (0111)2)
• RE15 = (1000)2 ⊕ (1111)2
• RE15 = (0111)2
Example 2 (Contd..)
Round 16:-
• LE16 = RE15 = (0111)2
• RE16 = LE15 ⊕ F(RE15, K16)
• RE16 = (1101)2 ⊕ F((0111)2, (1100)2)
• RE16 = (1101)2 ⊕ (1111)2
• RE16 = (0010)2
• Output of Round 16 = 0x72

• Therefore, CT = 0x27
Example 3
• Assume that Feistel Cipher uses 16 rounds. The CT is 0xAB, K16 =
0x7. The Round Function F(x,y) = bitwise XOR (1-bit right rotation of
x, 1-bit right rotation of y). What’s the output of the first round during
decryption?
Solution:-
• LD0 = (1010)2
• RD0 = (1011)2
Example 3 (Contd..)
• LD1 = RD0 = (1011)2
• RD1 = LD0 ⊕ F(RD0, K16)
• RD1 = (1010)2 ⊕ F((1011)2, (0111)2)
• RD1 = (1010)2 ⊕ ((1101)2 ⊕ (1011)2)
• RD1 = (1010)2 ⊕ (0110)2
• RD1 = (1100)2

• Therefore, Output of First Round of decryption is 0xBC.


Example 4
• Assume that Feistel Cipher uses 16 rounds. The output of 15th Round
of decryption is 0xABCD, K1 = 0xE9. The Round Function F(x,y) =
bitwise XOR (bitwise NOT of x, bitwise NOT of y). What’s the
deciphered text?
Solution:-
• LD15 = 0xAB = (10101011)2
• RD15 = 0xCD = (11001101)2
• K1 = (11101001)2
Example 4 (Contd..)
• LD16 = RD15 = (11001101)2
• RD16 = LD15 ⊕ F(RD15, K1)
• RD16 = (10101011)2 ⊕ F[(11001101)2, (11101001)2]
• RD16 = (10101011)2 ⊕ [(00110010)2 ⊕ (00010110)2]
• RD16 = (10101011)2 ⊕ (00100100)2
• RD16 = (10001111)2 = 0x8F

• Therefore, the Deciphered text is 0x8FCD
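
The round equations and Examples 1 to 4 above, as an added Python example that is not part of the original slides: a generic Feistel network driven by the four round functions the examples use. All function names, and the key list used for the round-trip check, are assumptions made here.

```python
def feistel_rounds(block, half_bits, round_keys, f):
    """Apply one Feistel round per key; return (L_i, R_i) after each round."""
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    states = []
    for key in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ (f(right, key, half_bits) & mask)
        states.append((left, right))
    return states


def join_halves(left, right, half_bits):
    return (left << half_bits) | right


def encrypt(block, half_bits, round_keys, f):
    """All rounds, then the final swap of the two halves."""
    left, right = feistel_rounds(block, half_bits, round_keys, f)[-1]
    return join_halves(right, left, half_bits)


def decrypt(block, half_bits, round_keys, f):
    """Same structure as encryption, round keys in reverse order."""
    return encrypt(block, half_bits, round_keys[::-1], f)


# Round functions from the slides. None of them is invertible in x,
# yet decryption still works: F is only ever XORed in, never undone.
def f_and(x, k, n):                      # Example 1
    return x & k

def f_or(x, k, n):                       # Example 2
    return x | k

def rotr1(v, n):
    return (v >> 1) | ((v & 1) << (n - 1))

def f_rot(x, k, n):                      # Example 3
    return rotr1(x, n) ^ rotr1(k, n)

def f_not(x, k, n):                      # Example 4
    mask = (1 << n) - 1
    return (~x & mask) ^ (~k & mask)


def observations_hold(pt, half_bits, round_keys, f):
    """Check LD_i = RE_{n-i} and RD_i = LE_{n-i} for every i, and the round trip."""
    mask = (1 << half_bits) - 1
    n = len(round_keys)
    enc = [(pt >> half_bits, pt & mask)] + feistel_rounds(pt, half_bits, round_keys, f)
    ct = encrypt(pt, half_bits, round_keys, f)
    dec = [(ct >> half_bits, ct & mask)] + feistel_rounds(ct, half_bits, round_keys[::-1], f)
    mirrored = all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))
    return mirrored and decrypt(ct, half_bits, round_keys, f) == pt


if __name__ == "__main__":
    ex1 = feistel_rounds(0x3C, 4, [0xF, 0xA], f_and)
    print("Example 1 rounds:", [hex(join_halves(l, r, 4)) for l, r in ex1])
    print("Example 2 CT:", hex(encrypt(0x8D, 4, [0x7, 0xC], f_or)))
    print("Example 3 round 1:", hex(join_halves(*feistel_rounds(0xAB, 4, [0x7], f_rot)[0], 4)))
    print("Example 4 text:", hex(encrypt(0xABCD, 8, [0xE9], f_not)))
    keys = [0xF, 0xA, 0x7, 0xC]          # constructed key list for the check
    print("observations hold:",
          all(observations_hold(pt, 4, keys, f)
              for f in (f_and, f_or, f_rot, f_not) for pt in range(256)))
```
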


S-BOXES AND P-BOXES
S-Boxes

• Uses Non-Linear Transformation to generate Outputs from Inputs.


• Mapping between inputs and corresponding outputs are defined by
a table or a matrix.
• It should be such that it's not easily invertible by an attacker.
• Two main categories of S-Boxes:- Static S-Box and Dynamic S-Box
P-Boxes

• The primary goal is to increase diffusion for a cipher, by permuting the input
bits.
• Permutation of the bits makes the cryptanalysis more challenging.
• Types of P-Boxes: Straight P-Box, Compression P-Box, and Expansion P-Box.
Straight P-Box
Expansion P-Box
Compression P-Box
Data Encryption Standard (DES)
DES
• Developed by IBM.
• Adopted as a federal standard by NIST in 1977.
• Input = 64-bit block
• Output = 64-bit block
• Original Key Length = 64 bits
• Effective Key Length = 56 bits
• Round Key = 48 bits
• Consists of 16 rounds.
• Each Round consists of different operations like Substitution, Permutation, Key-Mixing, and Expansion.
DES Encryption
DES Decryption
One Round of DES
Example 1

• PT 1 = 0x46868bd449786458
• Key 1 = 0x144573e006467894
• CT 1 = 0xae8180eb706729d3

• Key 2 = 0x144573e016467894
• CT 2 = 0xa14a01e6c590db61
Example 2

• PT 1 = 0xfedcba9876543210
• Key 1 = 0x0123456789abcdef
• CT 1 = 0x12c626af058b433b

• PT 2 = 0xfedcba9876543211
• CT 2 = 0x7b129948ca8d29d6
Strength of DES
• Number of possible keys = 7.2057 * 10^16.
• Maximum time required for a PC to execute a successful DES decryption at 10^9 decryptions/second = (7.2057 * 10^16)/(10^9/second) = 7.2057 * 10^7 seconds ≈ 2 years and 3 months.
• Cryptanalysis is possible by exploiting the characteristics of DES.
• DES is moderately resistant to a successful timing attack.
Advanced Encryption Standard (AES)
Overview of AES
• Published by NIST in 2001.
• Input Block = 128 bits
• Output Block = 128 bits
• Variants of AES:- AES-128, AES-192, and AES-256.
• AES-128 (10 rounds, 128 bits key)
• AES-192 (12 rounds, 192 bits key)
• AES-256 (14 rounds, 256 bits key)
• Round Key size = 128 bits
Galois Field for AES
• All the operations are performed in GF(2^8).
• The irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1.
• In GF(2^n), any polynomial can be represented as an n-bit value.
• For example, the binary value corresponding to the polynomial x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x^1 + 1 in GF(2^8) = (11111111)2 = 0xFF.
• x^6 + x^5 + x^3 + x^2 + x = 0x6E.
General Structure of AES Encryption
General Structure of AES Decryption
CT Block (128 bits)
Initial Transformation, with Round N Key (128 bits)
Round 1 (4 Transformations), with Round N-1 Key (128 bits)
………
Round N-1 (4 Transformations), with Round 1 Key (128 bits)
Round N (3 Transformations), with Round 0 Key (128 bits)
PT Block (128 bits)
(Round keys are produced by Key Expansion.)
General Structure of AES
• Input State Array:-
• Output State Array:-
AES Parameters
Structure of AES-128
S Box
Steps to Construct S Box
1) Initialize the S Box row-wise for 16 rows and 16 columns (Row and
Column Indices are 0 to F), in ascending order.

2) Map each of the 256 values in Output of Step 1 with its multiplicative inverse over GF(2^8).

3) Convert each element of Output of Step 2 into its binary equivalent (b7b6b5b4b3b2b1b0).

4) Now calculate (b’7b’6b’5b’4b’3b’2b’1b’0) for each element of Output of Step 3 using the affine transformation:-
Steps to Construct S Box (Contd..)
Steps to Construct S Box (Contd..)
5) Convert each element of Output of Step 4 into its Hexadecimal Equivalent.
Inverse S Box
Steps to Construct Inverse S Box
1) Initialize the Inverse S Box row-wise for 16 rows and 16 columns (Row
and Column Indices are 0 to F), in ascending order.

2) Convert each element of Output of Step 1 into its binary equivalent (b7b6b5b4b3b2b1b0).

3) Now calculate (b’7b’6b’5b’4b’3b’2b’1b’0) for each element of Output of Step 2 using the affine transformation:-
Steps to Construct Inverse S Box (Contd..)
Steps to Construct Inverse S Box (Contd..)
4) Calculate the Multiplicative Inverse of each element of Output of Step 3, over GF(2^8).

5) Convert each element of Output of Step 4 into its 8-bit binary equivalent, and eventually into Hexadecimal equivalent.
Proof for Inverse Affine Transformation
• The Affine Transformation in S Box construction is B’ = X*B ⊕ C.
• The Affine Transformation in Inverse S Box construction is B = Y*B’ ⊕ D.
• Now we have to prove that LHS = RHS for Inverse S Box construction
• RHS = Y*B’ ⊕ D
• RHS = Y*(X*B ⊕ C) ⊕ D
• RHS = Y*X*B ⊕ Y*C ⊕ D
• RHS =
Proof for Inverse Affine Transformation (Contd..)
Proof for Inverse Affine Transformation (Contd..)
• RHS =

• Therefore, RHS = B
Numerical 1
• If Input to S Box is 0x1D, what’s the corresponding output?
Solution:-

Step 1:-
0x1D = (00011101)2 = x^4 + x^3 + x^2 + 1

Step 2:-
Iteration 1:-
a(x) = x^8 + x^4 + x^3 + x + 1; b(x) = x^4 + x^3 + x^2 + 1;
q(x) = x^4 + x^3 + x + 1; r(x) = x^2;
v1(x) = 0; v2(x) = 1; v(x) = x^4 + x^3 + x + 1
Numerical 1 (Contd..)
Iteration 2:-
a(x) = x^4 + x^3 + x^2 + 1; b(x) = x^2; q(x) = x^2 + x + 1; r(x) = 1;
v1(x) = 1; v2(x) = x^4 + x^3 + x + 1; v(x) = x^6

Iteration 3:-
a(x) = x^2; b(x) = 1; q(x) = x^2; r(x) = 0;
v1(x) = x^4 + x^3 + x + 1; v2(x) = x^6; v(x) = 0;

Iteration 4:-
a(x) = 1; b(x) = 0; v1(x) = x^6; v2(x) = 0;
Numerical 1 (Contd..)
MI(x^4 + x^3 + x^2 + 1) mod (x^8 + x^4 + x^3 + x + 1) = x^6

Step 3:-
(b7b6b5b4b3b2b1b0) = (01000000)2

Step 4:-
Numerical 1 (Contd..)
Numerical 1 (Contd..)
•=

• Output = 0xA4
Numerical 2
• If Input to S Box is 0x7D, what’s the corresponding output?
Solution:-

Step 1:-
0x7D = (01111101)2 = (x^6 + x^5 + x^4 + x^3 + x^2 + 1)

Step 2:-
Iteration 1:-
a(x) = x^8 + x^4 + x^3 + x + 1; b(x) = x^6 + x^5 + x^4 + x^3 + x^2 + 1; q(x) = x^2 + x;
r(x) = x^4 + x^2 + 1; v1(x) = 0; v2(x) = 1; v(x) = x^2 + x
Numerical 2 (Contd..)
Iteration 2:-
a(x) = x^6 + x^5 + x^4 + x^3 + x^2 + 1; b(x) = x^4 + x^2 + 1; q(x) = x^2 + x; r(x) = x + 1;
v1(x) = 1; v2(x) = x^2 + x; v(x) = x^4 + x^2 + 1

Iteration 3:-
a(x) = x^4 + x^2 + 1; b(x) = x + 1; q(x) = x^3 + x^2; r(x) = 1;
v1(x) = x^2 + x; v2(x) = x^4 + x^2 + 1; v(x) = x^7 + x^6 + x^5 + x^4 + x^3 + x

Iteration 4:-
a(x) = x + 1; b(x) = 1; q(x) = x + 1; r(x) = 0;
v1(x) = x^4 + x^2 + 1; v2(x) = x^7 + x^6 + x^5 + x^4 + x^3 + x; v(x) = 0
Numerical 2 (Contd..)
Iteration 5:-
a(x) = 1; b(x) = 0; v1(x) = x^7 + x^6 + x^5 + x^4 + x^3 + x; v2(x) = 0

MI(x^6 + x^5 + x^4 + x^3 + x^2 + 1) mod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + x^5 + x^4 + x^3 + x

Step 3:-
(b7b6b5b4b3b2b1b0) = (11111010)2

Step 4:-
Numerical 2 (Contd..)
Numerical 2 (Contd..)
=

• Output = 0xFF
Numerical 3
• If Input to Inverse S Box is 0xA4, what’s the corresponding output?

Solution:-

Step 1:-
(b7b6b5b4b3b2b1b0) = (10100100)2

Step 2:-
Numerical 3 (Contd..)
Numerical 3 (Contd..)

• (01000000)2 = x^6
Numerical 3 (Contd..)
Step 3:-
Iteration 1:-
a(x) = x^8 + x^4 + x^3 + x + 1; b(x) = x^6; q(x) = x^2; r(x) = x^4 + x^3 + x + 1;
v1(x) = 0; v2(x) = 1; v(x) = x^2

Iteration 2:-
a(x) = x^6; b(x) = x^4 + x^3 + x + 1; q(x) = x^2 + x + 1; r(x) = 1;
v1(x) = 1; v2(x) = x^2; v(x) = x^4 + x^3 + x^2 + 1
Numerical 3 (Contd..)
Iteration 3:-
a(x) = x^4 + x^3 + x + 1; b(x) = 1; q(x) = x^4 + x^3 + x + 1; r(x) = 0;
v1(x) = x^2; v2(x) = x^4 + x^3 + x^2 + 1; v(x) = 0

Iteration 4:-
a(x) = 1; b(x) = 0; v1(x) = x^4 + x^3 + x^2 + 1

Step 4:-
• Output = (00011101)2 = 0x1D
Numerical 4
• If Input to Inverse S Box is 0x55, what’s the corresponding output?

Solution:-

Step 1:-
(b7b6b5b4b3b2b1b0) = (01010101)2

Step 2:-
Numerical 4 (Contd..)
Numerical 4 (Contd..)

• (01010000)2 = x^6 + x^4
Numerical 4 (Contd..)
Step 3:-
Iteration 1:-
a(x) = x^8 + x^4 + x^3 + x + 1; b(x) = x^6 + x^4; q(x) = x^2 + 1; r(x) = x^3 + x + 1;
v1(x) = 0; v2(x) = 1; v(x) = x^2 + 1

Iteration 2:-
a(x) = x^6 + x^4; b(x) = x^3 + x + 1; q(x) = x^3 + 1; r(x) = x + 1;
v1(x) = 1; v2(x) = x^2 + 1; v(x) = x^5 + x^3 + x^2
Numerical 4 (Contd..)
Iteration 3:-
a(x) = x^3 + x + 1; b(x) = x + 1; q(x) = x^2 + x; r(x) = 1;
v1(x) = x^2 + 1; v2(x) = x^5 + x^3 + x^2; v(x) = x^7 + x^6 + x^5 + x^3 + x^2 + 1

Iteration 4:-
a(x) = x + 1; b(x) = 1; q(x) = x + 1; r(x) = 0;
v1(x) = x^5 + x^3 + x^2; v2(x) = x^7 + x^6 + x^5 + x^3 + x^2 + 1; v(x) = 0

Iteration 5:-
a(x) = 1; b(x) = 0; v1(x) = x^7 + x^6 + x^5 + x^3 + x^2 + 1

Step 4:-
Output = (11101101)2 = 0xED
Substitute Bytes Operation
Substitute Bytes Operation (Example 1)

0x00 0x01 0x02 0x03  →  0x63 0x7C 0x77 0x7B
0x10 0x11 0x12 0x13  →  0xCA 0x82 0xC9 0x7D
0x20 0x21 0x22 0x23  →  0xB7 0xFD 0x93 0x26
0x30 0x31 0x32 0x33  →  0x04 0xC7 0x23 0xC3

Inverse Substitute Bytes Operation
• Operation is similar to Substitute Bytes Operation, but here Inverse S box is used instead.
• Example:-

0x00 0x01 0x02 0x03  →  0x52 0x09 0x6A 0xD5
0x10 0x11 0x12 0x13  →  0x7C 0xE3 0x39 0x82
0x20 0x21 0x22 0x23  →  0x54 0x7B 0x94 0x32
0x30 0x31 0x32 0x33  →  0x08 0x2E 0xA1 0x66
Rationale of Substitute Bytes Operation
• Rijndael developers targeted to provide low correlation between input and
output bits.

• Non-Linearity of S Box is provided by Multiplicative Inverse calculations.

• Invertible property of S Box.

• S Box has non-homomorphic nature.

• Enhances Confusion
Key Expansion in AES-128
g-Function for Key Expansion in AES-128
Round Constant for Key Expansion in AES-128
• Rcon[j] = (RC[j],0,0,0)

• RC[j] = 2*RC[j-1] over GF(2^8)


Observations on Key Expansion in AES-128
• w_{4j} = w_{4(j-1)} ⊕ g(w_{4j-1})

• w_{4j+1} = w_{4j-3} ⊕ w_{4j}

• w_{4j+2} = w_{4j-2} ⊕ w_{4j+1}

• w_{4j+3} = w_{4j-1} ⊕ w_{4j+2}


Numerical 5
• If Key = 0x0F1571C947D9E8590CB7ADD6AF7F6798, calculate w4 during
Round Keys generation in AES-128?

Solution:-

Step 1:-

w0 = 0 x 0F 15 71 C9
w1 = 0 x 47 D9 E8 59
w2 = 0 x 0C B7 AD D6
w3 = 0 x AF 7F 67 98
Numerical 5 (Contd..)
Step 2:-
x = RotWord(w3) = 0 x 7F 67 98 AF
y = SubWord(x) = 0 x D2 85 46 79
Rcon(1) = 0 x 01 00 00 00
z = y ⊕ Rcon(1) = (0 x D2 85 46 79) ⊕ (0 x 01 00 00 00)
z = 0 x D3 85 46 79

Step 3:-
w4 = w0 ⊕ z = (0 x 0F 15 71 C9) ⊕ (0 x D3 85 46 79)
w4 = 0 x DC 90 37 B0
Numerical 6
• During Key Expansion in AES-128, the output array of Round 6 is as given in
the array below. Generate the Output array of Round 7 for key expansion.

71 8C 83 CF
C7 29 E5 A5
4C 74 EF A9
C2 EF 52 EF
Numerical 6 (Contd..)
Solution:-

71 8C 83 CF
C7 29 E5 A5
4C 74 EF A9
C2 EF 52 EF

w24 w25 w26 w27


Numerical 6 (Contd..)
• x = RotWord(w27) = 0 x A5 A9 EF CF
• y = SubWord(x) = 0 x 06 D3 DF 8A
• Rcon(7) = 0 x 40 00 00 00
• z = y ⊕ Rcon(7) = 0 x 46 D3 DF 8A

• w28 = w24 ⊕ z = 0 x 37 14 93 48
• w29 = w28 ⊕ w25 = 0 x BB 3D E7 A7
• w30 = w29 ⊕ w26 = 0 x 38 D8 08 F5
• w31 = w30 ⊕ w27 = 0 x F7 7D A1 1A
Numerical 6 (Contd..)
• Output array for 7th Round:-
37 BB 38 F7
14 3D D8 7D
93 E7 08 A1
48 F7 A5 4A
Rationale of Key Expansion in AES
• Knowledge of a part of the cipher key or round key does not enable calculation
of many other round-key bits.
• An invertible transformation
• Speed on a wide range of processors.
• Usage of round constants to eliminate symmetries.
• Impact of cipher key differences on the round keys.
• Enough nonlinearity to prohibit the full determination of round key differences
from cipher key differences only.
• Simplicity of description.
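
The S Box construction steps (Numericals 1 to 4) and the key-expansion recurrence (Numericals 5 and 6) above, as an added Python example that is not part of the original slides: the S Box is built from the extended-Euclid inverse plus the affine step, then used by the g-function. The affine matrices did not survive on this page, so the code assumes the standard FIPS-197 ones (constants 0x63 and 0x05) written as byte rotations; all function names are chosen here.

```python
M = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, one bit per coefficient


def poly_divmod(a, b):
    """Quotient q(x) and remainder r(x) of a(x) / b(x) over GF(2)."""
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def poly_mul(a, b):
    """Carry-less product a(x) * b(x), not reduced."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_inverse(x):
    """Extended Euclid with the a, b, q, r, v1, v2 of the Numericals; 0 maps to 0."""
    if x == 0:
        return 0
    a, b, v1, v2 = M, x, 0, 1
    while b:
        q, r = poly_divmod(a, b)
        a, b, v1, v2 = b, r, v2, v1 ^ poly_mul(q, v2)
    return v1  # a(x) is 1 here, v1(x) is the multiplicative inverse


def rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF


def affine(b):
    """S Box step 4: assumed FIPS-197 affine transformation, constant 0x63."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def inv_affine(b):
    """Inverse S Box step 3: assumed FIPS-197 inverse affine, constant 0x05."""
    return rotl8(b, 1) ^ rotl8(b, 3) ^ rotl8(b, 6) ^ 0x05


SBOX = [affine(gf_inverse(i)) for i in range(256)]
INV_SBOX = [gf_inverse(inv_affine(i)) for i in range(256)]


def round_constants(count=10):
    """RC[1] = 1, RC[j] = 2 * RC[j-1] over GF(2^8)."""
    rcs, rc = [], 1
    for _ in range(count):
        rcs.append(rc)
        rc = poly_divmod(rc << 1, M)[1]
    return rcs


def g(word, rc):
    """g-function: RotWord, SubWord, then XOR with Rcon = (RC, 0, 0, 0)."""
    rotated = word[1:] + word[:1]
    substituted = [SBOX[b] for b in rotated]
    return [substituted[0] ^ rc] + substituted[1:]


def xor_words(a, b):
    return [x ^ y for x, y in zip(a, b)]


def next_round_key(prev, rc):
    """prev holds the 4 words of the previous round; returns the next 4 words."""
    words = [xor_words(prev[0], g(prev[3], rc))]
    for i in range(1, 4):
        words.append(xor_words(prev[i], words[i - 1]))
    return words


def expand_key(key):
    """AES-128 key expansion: 16 key bytes -> 44 words w0..w43."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for rc in round_constants():
        words += next_round_key(words[-4:], rc)
    return words


if __name__ == "__main__":
    print(hex(SBOX[0x1D]), hex(SBOX[0x7D]), hex(INV_SBOX[0xA4]), hex(INV_SBOX[0x55]))
    key = bytes.fromhex("0F1571C947D9E8590CB7ADD6AF7F6798")  # key of Numerical 5
    print("w4 =", bytes(expand_key(key)[4]).hex().upper())
```
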
Add Round Key Transformation in AES-128
Input State Block (16 Bytes) ⊕ Round Key (16 Bytes) = State after Initial Transformation (16 Bytes)

• Rationale:- Simple operation which affects every bit of the state.


Numerical 7
• PT = 0x0123456789ABCDEFFEDCBA9876543210
• Key = 0x0F1571C947D9E8590CB7ADD6AF7F6798
• State Array after Initial Transformation in AES-128 = ?

Solution:-
• State Array after Initial Transformation = PT ⊕ Key =
Numerical 7 (Contd..)
01 89 FE 76     0F 47 0C AF
23 AB DC 54  ⊕  15 D9 B7 7F
45 CD BA 32     71 E8 AD 67
67 EF 98 10     C9 59 D6 98

=

0E CE F2 D9
36 72 6B 2B
34 25 17 55
AE B6 4E 88
Shift Rows Transformation in AES-128
x11 x12 x13 x14  →  x11 x12 x13 x14
x21 x22 x23 x24  →  x22 x23 x24 x21
x31 x32 x33 x34  →  x33 x34 x31 x32
x41 x42 x43 x44  →  x44 x41 x42 x43
Inverse Shift Rows Transformation in AES-128
x11 x12 x13 x14  →  x11 x12 x13 x14
x21 x22 x23 x24  →  x24 x21 x22 x23
x31 x32 x33 x34  →  x33 x34 x31 x32
x41 x42 x43 x44  →  x42 x43 x44 x41
Numerical 8
• When the array (as shown below) is the input to Shift Rows Transformation in AES-128, what’s the output array just after the transformation?

0x4A 0x7F 0x6B 0xBF
0x21 0x40 0x3A 0x3C
0x8D 0x18 0xC7 0xC9
0xB8 0x14 0xD2 0x22

Solution:-
0x4A 0x7F 0x6B 0xBF
0x40 0x3A 0x3C 0x21
0xC7 0xC9 0x8D 0x18
0x22 0xB8 0x14 0xD2


Numerical 9
• When the array (as shown below) is the input to Inverse Shift Rows Transformation in AES-128, what’s the output array just after the transformation?

0x40 0xF4 0x1F 0xF2
0x6F 0x48 0x2D 0x72
0x65 0x4D 0x37 0xB7
0x2F 0x63 0x3C 0x94

Solution:-
0x40 0xF4 0x1F 0xF2
0x72 0x6F 0x48 0x2D
0x37 0xB7 0x65 0x4D
0x63 0x3C 0x94 0x2F


Rationale of Shift Rows Transformation

• Enhances Diffusion

• Scatters Bytes across various parts of the output.


Mix Columns Transformation in AES-128
Mix Columns Transformation in AES-128 (Contd..)

• All the operations are performed in GF(2^8).


Inverse Mix Columns Transformation in AES-128
Proof that Mix Column Operation is Invertible

• We are supposed to prove that:-


• Y=
Proof that Mix Column Operation is Invertible

Assume that X =
Proof that Mix Column Operation is Invertible (Contd..)

• Xr1c1 = (0x0E)*(0x02) ⊕ (0x0B) ⊕ (0x0D) ⊕ (0x09)*(0x03)
• Xr1c1 = (x^3 + x^2 + x)*(x) ⊕ (x^3 + x + 1) ⊕ (x^3 + x^2 + 1) ⊕ (x^3 + 1)*(x + 1)
• Xr1c1 = (11100)2 ⊕ (1011)2 ⊕ (1101)2 ⊕ (11011)2 = 0x01

• Xr2c1 = (0x09)*(0x02) ⊕ (0x0E) ⊕ (0x0B) ⊕ (0x0D)*(0x03)
• Xr2c1 = (x^3 + 1)*(x) ⊕ (x^3 + x^2 + x) ⊕ (x^3 + x + 1) ⊕ (x^3 + x^2 + 1)*(x + 1)
• Xr2c1 = (10010)2 ⊕ (1110)2 ⊕ (01011)2 ⊕ (10111)2 = 0x00

• Xr3c1 = (0x0D)*(0x02) ⊕ (0x09) ⊕ (0x0E) ⊕ (0x0B)*(0x03)
• Xr3c1 = (x^3 + x^2 + 1)*(x) ⊕ (x^3 + 1) ⊕ (x^3 + x^2 + x) ⊕ (x^3 + x + 1)*(x + 1)
• Xr3c1 = (11010)2 ⊕ (1001)2 ⊕ (1110)2 ⊕ (11101)2 = 0x00
Proof that Mix Column Operation is Invertible (Contd..)

• Xr4c1 = (0x0B)*(0x02) ⊕ (0x0D) ⊕ (0x09) ⊕ (0x0E)*(0x03)
• Xr4c1 = (x^3 + x + 1)*(x) ⊕ (x^3 + x^2 + 1) ⊕ (x^3 + 1) ⊕ (x^3 + x^2 + x)*(x + 1)
• Xr4c1 = (10110)2 ⊕ (1101)2 ⊕ (1001)2 ⊕ (10010)2 = 0x00

• Similarly, we can obtain other values of Y.


• Y=

*
Rationale of Mix Column Transformation

• Though a Linear Transformation, the operations enhance the overall security.

• Enhances Diffusion
Numerical 10
• If the input to Mix Column Transformation in AES-128 is as shown in the array below, then what’s the output of the transformation in the 1st row, 1st column?
0x87 0xF2 0x4D 0x97
0x6E 0x4C 0x90 0xEC
0x46 0xE7 0x4A 0xC3
0xA6 0x8C 0xD8 0x95
Solution:-
• m(x) = x^8 + x^4 + x^3 + x + 1
• Output = (0x02) * (0x87) ⊕ (0x03) * (0x6E) ⊕ (0x46) ⊕ (0xA6)
Numerical 10 (Contd..)
• (0x02) * (0x87) = x * (x^7 + x^2 + x + 1) mod m(x)
• (0x02) * (0x87) = (x^8 + x^3 + x^2 + x) mod m(x)
• (0x02) * (0x87) = (x^4 + x^2 + 1) = (00010101)2

• (0x03) * (0x6E) = (x + 1) (x^6 + x^5 + x^3 + x^2 + x) mod m(x)
• (0x03) * (0x6E) = (x^7 + x^5 + x^4 + x) = (10110010)2

• Output = (00010101)2 ⊕ (10110010)2 ⊕ (01000110)2 ⊕ (10100110)2


• Output = (01000111)2 = 0x47
Numerical 11
• If the input to Mix Column Transformation in AES-128 is as shown in the array below, then what’s the output of the transformation in the 4th row, 4th column?
0x87 0xF2 0x4D 0x97
0x6E 0x4C 0x90 0xEC
0x46 0xE7 0x4A 0xC3
0xA6 0x8C 0xD8 0x95
Solution:-
• m(x) = x^8 + x^4 + x^3 + x + 1
• Output = (0x03)*(0x97) ⊕ (0xEC) ⊕ (0xC3) ⊕ (0x02) * (0x95)
Numerical 11 (Contd..)
• (0x03) * (0x97) = (x + 1) * (x^7 + x^4 + x^2 + x + 1) mod m(x)
• (0x03) * (0x97) = (x^8 + x^7 + x^5 + x^4 + x^3 + 1) mod m(x)
• (0x03) * (0x97) = (x^7 + x^5 + x) = (10100010)2

• (0x02) * (0x95) = x * (x^7 + x^4 + x^2 + 1) mod m(x)
• (0x02) * (0x95) = (x^8 + x^5 + x^3 + x) mod m(x)
• (0x02) * (0x95) = (x^5 + x^4 + 1) = (00110001)2

• Output = (10100010)2 ⊕ (11101100)2 ⊕ (11000011)2 ⊕ (00110001)2


• Output = (10111100)2 = 0xBC
Numerical 12
• If the input to Inverse Mix Column Transformation in AES-128 is as shown in the array below, then what’s the output of the transformation in the 1st row, 1st column?
0x47 0x40 0xA3 0x4C
0x37 0xD4 0x70 0x9F
0x94 0xE4 0x3A 0x42
0xED 0xA5 0xA6 0xBC

Solution:-
• m(x) = x^8 + x^4 + x^3 + x + 1
Numerical 12 (Contd..)
• Output = (0x0E) * (0x47) ⊕ (0x0B) * (0x37) ⊕ (0x0D) * (0x94) ⊕ (0x09) * (0xED)

• (0x0E) * (0x47) = (x^3 + x^2 + x) (x^6 + x^2 + x + 1) mod m(x)
• (0x0E) * (0x47) = (x^9 + x^8 + x^7 + x^5 + x^3 + x) mod m(x)
• (0x0E) * (0x47) = (x^7 + x^2 + x + 1) = (10000111)2

• (0x0B) * (0x37) = (x^3 + x + 1) * (x^5 + x^4 + x^2 + x + 1) mod m(x)
• (0x0B) * (0x37) = (x^8 + x^7 + x^6 + x^5 + 1) mod m(x)
• (0x0B) * (0x37) = (x^7 + x^6 + x^5 + x^4 + x^3 + x) mod m(x) = (11111010)2
Numerical 12 (Contd..)
• (0x0D) * (0x94) = (x^3 + x^2 + 1) (x^7 + x^4 + x^2) mod m(x)
• (0x0D) * (0x94) = (x^10 + x^9 + x^6 + x^5 + x^2) mod m(x)
• (0x0D) * (0x94) = (x^5 + x^4 + x^3 + x^2 + x) = (00111110)2

• (0x09) * (0xED) = (x^3 + 1) (x^7 + x^6 + x^5 + x^3 + x^2 + 1) mod m(x)
• (0x09) * (0xED) = (x^10 + x^9 + x^8 + x^7 + x^2 + 1) mod m(x)
• (0x09) * (0xED) = (x^7 + x^6 + x^2) = (11000100)2

• Output = (10000111)2 ⊕ (11111010)2 ⊕ (00111110)2 ⊕ (11000100)2
• Output = (10000111)2 = 0x87
Numerical 13
• If the input to Inverse Mix Column Transformation in AES-128 is as shown in the array below, then what’s the output of the transformation in the 1st row, 1st column?
0xB9 0x94 0x57 0x75
0xE4 0x8E 0x16 0x51
0x47 0x20 0x9A 0x3F
0xC5 0xD6 0xF5 0x3B

Solution:-
• m(x) = x^8 + x^4 + x^3 + x + 1
Numerical 13 (Contd..)
• Output = (0x0E) * (0xB9) ⊕ (0x0B) * (0xE4) ⊕ (0x0D) * (0x47) ⊕ (0x09) * (0xC5)

• (0x0E) * (0xB9) = (x^3 + x^2 + x) (x^7 + x^5 + x^4 + x^3 + 1) mod m(x)
• (0x0E) * (0xB9) = (x^10 + x^9 + x^6 + x^4 + x^3 + x^2 + x) mod m(x)
• (0x0E) * (0xB9) = x^2 = (00000100)2

• (0x0B) * (0xE4) = (x^3 + x + 1) * (x^7 + x^6 + x^5 + x^2) mod m(x)
• (0x0B) * (0xE4) = (x^10 + x^9 + x^3 + x^2) mod m(x)
• (0x0B) * (0xE4) = (x^6 + x^4 + x^2 + x) mod m(x) = (01010110)2
Numerical 13 (Contd..)
• (0x0D) * (0x47) = (x^3 + x^2 + 1) (x^6 + x^2 + x + 1) mod m(x)
• (0x0D) * (0x47) = (x^9 + x^8 + x^6 + x^5 + x + 1) mod m(x)
• (0x0D) * (0x47) = (x^6 + x^3 + x^2 + x) = (01001110)2

• (0x09) * (0xC5) = (x^3 + 1) (x^7 + x^6 + x^2 + 1) mod m(x)
• (0x09) * (0xC5) = (x^10 + x^9 + x^7 + x^6 + x^5 + x^3 + x^2 + 1) mod m(x)
• (0x09) * (0xC5) = (x^7 + x^5 + x^4 + x^2 + x + 1) = (10110111)2

• Output = (00000100)2 ⊕ (01010110)2 ⊕ (01001110)2 ⊕ (10110111)2
• Output = (10101011)2 = 0xAB
Equivalent Inverse Cipher in AES
• When AES encryption and decryption algorithms are used, 2 separate software
or firmware modules are required for the applications.

• It’s necessary to make 2 separate changes to make the decryption algorithm align with the encryption algorithm.

• The Inverse Shift Rows and Inverse Sub Bytes can be interchanged.

• The Add Round Key and Inverse Mix Columns can be interchanged.
Equivalent Inverse Cipher in AES (Contd..)
Interchanging Inverse Shift Rows and Inverse Sub Bytes

• Inverse Shift Rows transformation affects the sequence of Bytes in State array,
without altering the Bytes contents.

• Inverse Sub Bytes affects the Bytes contents in State array, without altering the
sequence of Bytes.

• Inverse Shift Rows [Inverse Sub Bytes (Si)] = Inverse Sub Bytes [Inverse Shift
Rows (Si)]
Interchanging Add Round Key and Inverse Mix Columns

• The transformations do not alter the sequence of Bytes.

• The transformations are linear with respect to column input.

• Inverse Mix Columns (Si ⊕ Ri) = Inverse Mix Columns (Si) ⊕ Inverse Mix
Columns(Ri)
AES Implementation aspects on 8-bit Processors
• Can be implemented very efficiently on an 8-bit processor.
• (0x03)*x = (0x02)*x ⊕ x
AES Implementation aspects on 8-bit Processors (Contd..)
• Byte Multiplication by 0x02 may be vulnerable to timing attack.
• The multiplication can be replaced by a lookup table to counter timing attack,
and to reduce the computation time.
• X2[i] = (0x02) * i
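
Numericals 10 to 13, the invertibility proof, the linearity of Inverse Mix Columns and the X2 lookup table described above, as an added Python example that is not part of the original slides. The function names are chosen here, and the two matrices are the standard AES Mix Columns and Inverse Mix Columns matrices whose coefficients appear in the proof and the Numericals.

```python
def xtime(b):
    """(0x02) * b in GF(2^8): shift left, XOR 0x1B when bit 7 was set.
    Written without a data-dependent branch (Python itself gives no
    timing guarantee; this only mirrors the form used on small CPUs)."""
    return ((b << 1) ^ (0x1B & -(b >> 7))) & 0xFF


X2 = [xtime(i) for i in range(256)]    # X2[i] = (0x02) * i
X3 = [X2[i] ^ i for i in range(256)]   # (0x03) * x = (0x02) * x XOR x


def gf_mul(a, b):
    """General GF(2^8) product, built from repeated doubling via X2."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = X2[a]
        b >>= 1
    return result


MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]


def mul_matrix_column(matrix, column):
    """Matrix times one state column, all arithmetic in GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gf_mul(byte, coeff)
        out.append(acc)
    return out


def mix_column(col):
    """Mix Columns on one column using only the X2/X3 tables and XOR."""
    a0, a1, a2, a3 = col
    return [X2[a0] ^ X3[a1] ^ a2 ^ a3,
            a0 ^ X2[a1] ^ X3[a2] ^ a3,
            a0 ^ a1 ^ X2[a2] ^ X3[a3],
            X3[a0] ^ a1 ^ a2 ^ X2[a3]]


def inv_mix_column(col):
    return mul_matrix_column(INV_MIX, col)


def inverse_times_mix_is_identity():
    """The proof's claim: INV_MIX * MIX is the identity matrix."""
    mix_columns = [list(c) for c in zip(*MIX)]
    return all(mul_matrix_column(INV_MIX, mix_columns[k])
               == [1 if r == k else 0 for r in range(4)] for k in range(4))


# State array of Numericals 10 and 11, stored row by row.
STATE = [[0x87, 0xF2, 0x4D, 0x97],
         [0x6E, 0x4C, 0x90, 0xEC],
         [0x46, 0xE7, 0x4A, 0xC3],
         [0xA6, 0x8C, 0xD8, 0x95]]
STATE_COLUMNS = [list(c) for c in zip(*STATE)]

if __name__ == "__main__":
    print(hex(mix_column(STATE_COLUMNS[0])[0]), hex(mix_column(STATE_COLUMNS[3])[3]))
    print(hex(inv_mix_column([0x47, 0x37, 0x94, 0xED])[0]),
          hex(inv_mix_column([0xB9, 0xE4, 0x47, 0xC5])[0]))
    print("INV_MIX * MIX = I:", inverse_times_mix_is_identity())
```
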
AES Implementation aspects on 32-bit Processors
• Operations can be defined on 32-bit words.
• The 4 transformations of a round can be expressed in algebraic form:-
AES Implementation aspects on 32-bit Processors (Contd..)
• All the expressions of the 4 transformations can be expressed as a single equation:-
AES Implementation aspects on 32-bit Processors (Contd..)
• Four 256-word tables:-

• We can now define a Round Function operating on each column as:-
