4 - Module 2 - Symmetric-Key Ciphers 2023-Part 3


ICT 3172: INFORMATION SECURITY [3 0 0 3]

Advanced Encryption Standard (AES)

AES is a symmetric-key block cipher.

Published by the National Institute of Standards and Technology (NIST) as FIPS 197 in November 2001.
History

In 1997, NIST started looking for a replacement for DES.

The NIST specifications required a block size of 128 bits and three different key sizes of 128, 192, and 256 bits.

The specifications also required that AES be an open algorithm, available to the public worldwide.

The announcement was made internationally to solicit responses from all over the world.
Rounds

• AES is a non-Feistel cipher (a substitution-permutation network): every transformation must be invertible, and decryption applies the inverse transformations in reverse order.

• Encrypts and decrypts a data block of 128 bits.

• It uses 10, 12, or 14 rounds.

• The number of rounds depends on the key size: a 128-bit key uses 10 rounds, a 192-bit key 12 rounds, and a 256-bit key 14 rounds.

• Nr defines the number of rounds.

• 3 different AES versions: AES-128, AES-192, and AES-256.

• Round keys created by the key-expansion algorithm are always 128 bits.

AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher key size (128, 192, or 256 bits), but the round keys are always 128 bits.

The number of round keys generated by the key-expansion algorithm is always one more than the number of rounds: one for the pre-round AddRoundKey plus one for each round. In other words, Number of round keys = Nr + 1.

We refer to the round keys as K0, K1, K2, …, KNr.
Data Units

• AES uses 5 units of measurement to refer to data: bits, bytes, words, blocks, and state.

• Bit is the smallest unit; other units can be expressed in terms of smaller ones.

Bit
• A bit is a binary digit with a value of 0 or 1. A lowercase letter refers to a bit.

Byte
• A byte is a group of eight bits that can be treated as a single entity, a row matrix (1 × 8) of eight bits, or a column matrix (8 × 1) of eight bits.
• When treated as a row matrix, the bits are inserted into the matrix from left to right; when treated as a column matrix, the bits are inserted into the matrix from top to bottom.
• A lowercase bold letter refers to a byte.

Word
• A word is a group of 32 bits that can be treated as a single entity, a row matrix of four bytes, or a column matrix of four bytes.
• When it is treated as a row matrix, the bytes are inserted into the matrix from left to right; when it is considered as a column matrix, the bytes are inserted into the matrix from top to bottom.
• A lowercase bold letter is also used to show a word.

Block
• AES encrypts and decrypts data blocks.
• A block in AES is a group of 128 bits (16 bytes, or four words).
State

AES uses several rounds in which each round is made of several stages. The data block is transformed from one stage to another.

At the beginning and end of the cipher, AES uses the term data block; before and after each stage, the data block is referred to as a state.

We use an uppercase bold letter to refer to a state. Although the states in different stages are normally called S, the letter T refers to a temporary state.

States, like blocks, are made of 16 bytes, but normally are treated as matrices of 4 × 4 bytes.

In this case, each element of a state is referred to as s_{r,c}, where r (0 to 3) defines the row and c (0 to 3) defines the column. The 16 bytes of a block fill the state column by column (column-major order): byte number i of the block becomes s_{i mod 4, i div 4}, so the first four bytes form column 0, not row 0.
Example 7.1
The text block is “AES uses a matrix”. We add two bogus characters at the end to get “AESUSESAMATRIXZZ”.

Replace each character with an integer between 00 and 25 (A = 00, B = 01, …, Z = 25). Then show each byte as an integer with two hexadecimal digits: 00 04 12 14 12 04 12 00 0C 00 13 11 08 17 19 19.
Structure of Each Round

Figure: structure of each round at the encryption side.

Each round, except the last, uses four transformations that are invertible: SubBytes, ShiftRows, MixColumns, and AddRoundKey. The last round has only three transformations.

Each transformation takes a state and creates another state to be used for the next transformation or the next round.

The pre-round section uses only one transformation (AddRoundKey); the last round uses only three transformations (MixColumns is missing).

At the decryption side, the inverse transformations are used: InvSubBytes, InvShiftRows, InvMixColumns, and AddRoundKey (this one is self-invertible).
7.2 TRANSFORMATIONS

To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.

Substitution

The substitution is done for each byte.

Only one table is used for the transformation of every byte.

The transformation is defined by either a table lookup process or a mathematical calculation in the GF(2^8) field.

AES defines two invertible substitution transformations, SubBytes and InvSubBytes, which are inverses of each other.
SubBytes

The first transformation is SubBytes.

Here we interpret the byte as two hexadecimal digits. The left digit defines the row and the right digit defines the column of the substitution table. The two hexadecimal digits at the junction of the row and the column are the new byte.

Table 7.1 shows the substitution table (S-box) for the SubBytes transformation. The transformation definitely provides a confusion effect; it is the only non-linear step in AES.

For example, two bytes, 5A16 and 5B16, which differ only in one bit (the rightmost bit), are transformed to BE16 and 3916, which differ in four bits.

InvSubBytes
InvSubBytes is the inverse of SubBytes. The transformation is done using Table 7.2 (the inverse S-box).
.
Transformation Using the GF(2^8) Field

Although we can use Table 7.1 or Table 7.2 to find the substitution for each byte, AES also defines the transformation algebraically using the GF(2^8) field with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1), as shown in Figure 7.8.

The SubBytes transformation repeats a routine, called subbyte, 16 times. The InvSubBytes transformation repeats a routine called invsubbyte. Each iteration transforms one byte.
In the subbyte routine, the multiplicative inverse of the byte is found in GF(2^8) with the irreducible polynomial (x^8 + x^4 + x^3 + x + 1) as the modulus.

If the byte is 0016, which has no multiplicative inverse, it is mapped to itself.

The inverted byte is then interpreted as a column matrix.

This column matrix is multiplied by a constant square matrix, X, and the result is added to a constant column matrix, y, to give the new byte.

Multiplication and addition of bits are done in GF(2).

The invsubbyte routine does the same thing in reverse order.

In the encryption, the multiplicative inverse is taken first, then the multiplication by X, and finally the addition of y; in the decryption, y is subtracted first, then the result is multiplied by the inverse matrix X^−1, and finally the multiplicative inverse is taken.

The two transformations are inverses of each other because addition or subtraction in GF(2) is actually the XOR operation, and X is invertible over GF(2).
Example 7.3: How the byte 0C is transformed to FE by the subbyte routine and transformed back to 0C by the invsubbyte routine.

1. subbyte:
a. The multiplicative inverse of 0C in the GF(2^8) field is B0, which means b is (10110000).
b. Multiplying matrix X by this column matrix results in c = (10011101).
c. The result of the XOR operation with y = (01100011) is d = (11111110), which is FE in hexadecimal.

2. invsubbyte:
a. The result of the XOR operation of FE with y is c = (10011101).
b. The result of multiplying by matrix X^−1 is (10110000), or B0.
c. The multiplicative inverse of B0 is 0C.
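The subbyte and invsubbyte routines written out from the algebra above, as an added example that is not part of the original slides. It computes the inverse in GF(2^8) and the affine map explicitly (no S-box table is typed in), so Example 7.3 and the 5A/5B confusion example can be reproduced; the affine map is expressed as XORs of rotated copies of the byte, which is the same X matrix written compactly.

```python
# Added example (not from the slides): subbyte / invsubbyte of Section 7.2
# computed from GF(2^8) arithmetic, checked against Example 7.3.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced mod AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) the modulus
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 00 has none and is mapped to itself.
    The non-zero bytes form a group of order 255, so a^-1 = a^254."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def affine(b: int) -> int:
    """c = X*b + y over GF(2).  X is circulant with first row 1 0 0 0 1 1 1 1,
    so X*b is the XOR of b with four left rotations of b; y = 0x63."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def inv_affine(c: int) -> int:
    """b = X^-1 * (c - y).  X^-1 is also circulant, and X^-1 * y = 0x05, so
    the subtraction of y folds into a single constant."""
    return rotl8(c, 1) ^ rotl8(c, 3) ^ rotl8(c, 6) ^ 0x05


def subbyte(b: int) -> int:
    """SubBytes for one byte: multiplicative inverse, then the affine map."""
    return affine(gf_inv(b))


def invsubbyte(c: int) -> int:
    """InvSubBytes for one byte: undo the affine map, then invert again."""
    return gf_inv(inv_affine(c))


SBOX = bytes(subbyte(b) for b in range(256))         # Table 7.1, computed
INV_SBOX = bytes(invsubbyte(c) for c in range(256))  # Table 7.2, computed


def hamming_distance(x: int, y: int) -> int:
    return bin(x ^ y).count("1")


if __name__ == "__main__":
    # Example 7.3: 0C -> inverse B0 -> affine -> FE, and back again.
    print(f"inv(0C) = {gf_inv(0x0C):02X}, subbyte(0C) = {subbyte(0x0C):02X}, "
          f"invsubbyte(FE) = {invsubbyte(0xFE):02X}")
    # Confusion: 5A and 5B differ in one bit, their images differ in four.
    print(f"subbyte(5A) = {subbyte(0x5A):02X}, subbyte(5B) = {subbyte(0x5B):02X}, "
          f"bits changed: {hamming_distance(subbyte(0x5A), subbyte(0x5B))}")
```

Every entry of the generated SBOX matches Table 7.1; the check worth keeping in a real implementation is that invsubbyte(subbyte(b)) == b for all 256 bytes, which catches a wrong modulus or a mistyped affine constant immediately.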
Algorithm
• The algorithm does not need general matrix multiplication and addition: all elements of the constant square matrix X are 0 or 1 (they live in GF(2)), and each row of X is a rotation of the previous one, so X·b reduces to XORing the byte with four rotated copies of itself.
• The value of the constant column matrix y is 0x63.
• Algorithm 7.1 calls the subbyte routine 16 times, once for each byte in the state.

The ByteToMatrix routine transforms a byte to an 8 × 1 column matrix. The MatrixToByte routine transforms an 8 × 1 column matrix to a byte. The expansion of these routines and the algorithm for InvSubBytes are left as exercises.
Permutation
Another transformation found in a round is shifting, which permutes the bytes. The shifting transformation in AES is done at the byte level; the bits inside a byte are not changed.

ShiftRows
• In the encryption, the transformation is called ShiftRows and the shifting is to the left, with wrapping.
• The number of shifts depends on the row number (0, 1, 2, or 3) of the state matrix.
• This means row 0 is not shifted at all, row 1 is shifted one byte, row 2 two bytes, and the last row three bytes.
• The ShiftRows transformation operates one row at a time.

InvShiftRows
In the decryption, the transformation is called InvShiftRows and the shifting is to the right. The number of shifts is the same as the row number (0, 1, 2, and 3) of the state matrix.

The ShiftRows and InvShiftRows transformations are inverses of each other.

Algorithm
The transformation is done one row at a time by a routine called shiftrow that shifts the bytes in a single row. ShiftRows calls this routine three times, once for each of rows 1, 2, and 3.
The shiftrow routine first copies the row into a temporary row matrix, t. It then shifts the row.
Mixing

SubBytes is an intrabyte transformation.

ShiftRows is a byte-exchange transformation.

We also need an interbyte transformation that changes the bits inside a byte based on the bits inside the neighboring bytes, that is, a transformation that mixes bytes to provide diffusion at the bit level.

The mixing transformation changes the contents of each byte by taking four bytes at a time (one column of the state) and combining them to create four new bytes.

So that every input byte influences every output byte of the column, the combination process multiplies each byte by a different constant before adding them. This does not guarantee that equal input bytes become different: each row of the constant matrix sums to 01, so a column of four identical bytes is left unchanged by MixColumns.

• AES defines a transformation, called MixColumns, to achieve this goal.

• There is also an inverse transformation, called InvMixColumns.

• Figure shows the constant matrices used for these transformations.

• These two matrices are inverses of each other when the elements are interpreted as bytes, i.e., polynomials of degree at most 7 with coefficients in GF(2), multiplied and added in GF(2^8).
MixColumns

The transformation is actually the matrix multiplication of a state column by a constant square matrix.

The bytes in the state column and in the constant matrix are interpreted as 8-bit words (or polynomials) with coefficients in GF(2).

Multiplication of bytes is done in GF(2^8) with modulus (100011011) or (x^8 + x^4 + x^3 + x + 1). In practice, multiplication by 02 is a left shift by one bit followed by an XOR with 1B if the bit shifted out was 1, and multiplication by 03 is multiplication by 02 XORed with the byte itself.

Addition is the same as XORing 8-bit words.

InvMixColumns
The InvMixColumns transformation is basically the same as the MixColumns transformation, using the inverse constant matrix (entries 0E, 0B, 0D, and 09).
If the two constant matrices are inverses of each other, it is easy to prove that the two transformations are inverses of each other.

The MixColumns and InvMixColumns transformations are inverses of each other.
Algorithm 7.3 shows the code for the MixColumns transformation.

The algorithms for MixColumns and InvMixColumns involve multiplication and addition in the GF(2^8) field.
The routine mixcolumn simply multiplies the rows of the constant matrix by a column in the state.
The operator (•) used in the mixcolumn routine is multiplication in the GF(2^8) field. It can be replaced with a simple routine as discussed in Chapter 4.

Example 7.5
Figure 7.14 shows how a state is transformed using the MixColumns transformation. The figure also shows that the InvMixColumns transformation recreates the original one.

Note that equal bytes in the old state are not necessarily equal any more in the new state. For example, the two bytes F2 in the second row are changed to CF and 0D.
Key Adding
The most important transformation is the one that includes the cipher key.

If the cipher key is not added to the state at each round, it is very easy for the adversary to find the plaintext, given the ciphertext: all the other transformations are fixed, public, and invertible.

Each round key is 128 bits long. It is treated as four 32-bit words. Each word is considered as a column matrix.

AddRoundKey
AddRoundKey adds a round key word to each state column matrix.

The operation in AddRoundKey is matrix addition in GF(2), i.e., bitwise XOR.

Since addition and subtraction in this field are the same, the AddRoundKey transformation is the inverse of itself.

Algorithm
The AddRoundKey transformation can be thought of as XORing each column of the state with the corresponding key word: s_c ← s_c ⊕ w_{4·round + c} for c = 0, 1, 2, 3.

Note that s_c and w_{4·round + c} are 4 × 1 column matrices.

The ⊕ operator here means XORing two column matrices, each of 4 bytes.
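The state layout of Example 7.1 together with the ShiftRows, MixColumns (Example 7.5) and AddRoundKey transformations and their inverses, as an added example that is not part of the original slides. The GF(2^8) multiplication is the "simple routine" built from repeated xtime that the slides mention; the MixColumns check values (db 13 53 45 and the all-c6 column) are constructed inputs chosen to show both a normal column and the fixed-point case noted above.

```python
# Added example (not from the slides): a 4 x 4 AES state and the round
# transformations that act on it.  Bytes fill the state column by column,
# s[r][c] = block[r + 4*c], which is the detail most often got wrong.

State = list  # 4 rows x 4 columns of ints, indexed state[r][c]


def block_to_state(block: bytes) -> State:
    assert len(block) == 16
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_block(state: State) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state: State) -> State:
    # Row r is rotated left by r bytes; row 0 is untouched.
    return [state[r][r:] + state[r][:r] for r in range(4)]


def inv_shift_rows(state: State) -> State:
    # Rotate right by r bytes, which undoes the left rotation.
    return [state[r][-r:] + state[r][:-r] if r else state[r][:] for r in range(4)]


def xtime(b: int) -> int:
    """Multiply by 02 in GF(2^8): shift left, reduce by x^8+x^4+x^3+x+1 (0x1B)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, k: int) -> int:
    """Multiply byte a by constant k as a sum of xtime() powers."""
    result = 0
    while k:
        if k & 1:
            result ^= a
        a = xtime(a)
        k >>= 1
    return result


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col: list, matrix: list = MIX) -> list:
    """One column times the constant matrix: GF(2^8) multiply, XOR to add."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, col):
            acc ^= gf_mul(byte, coeff)
        out.append(acc)
    return out


def mix_columns(state: State, matrix: list = MIX) -> State:
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def inv_mix_columns(state: State) -> State:
    return mix_columns(state, INV_MIX)


def add_round_key(state: State, round_key: bytes) -> State:
    """Column c of the state is XORed with word c of the 16-byte round key.
    XOR is its own inverse, so the same function is used for decryption."""
    key = block_to_state(round_key)
    return [[state[r][c] ^ key[r][c] for c in range(4)] for r in range(4)]


# Example 7.1: "AESUSESAMATRIXZZ" with A = 00 ... Z = 25, one byte per letter.
EXAMPLE_7_1 = bytes(ord(ch) - ord("A") for ch in "AESUSESAMATRIXZZ")

if __name__ == "__main__":
    s = block_to_state(EXAMPLE_7_1)
    print("state rows:", [[f"{b:02X}" for b in row] for row in s])
    print("after ShiftRows:", [[f"{b:02X}" for b in row] for row in shift_rows(s)])
    print("MixColumns(db 13 53 45):", [f"{b:02X}" for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("MixColumns(c6 c6 c6 c6):", [f"{b:02X}" for b in mix_column([0xC6] * 4)])
```

Chaining shift_rows, mix_columns and add_round_key in that order (after SubBytes) gives one encryption round; the inverses applied in reverse order undo it, which the test below checks column by column.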
7.3 KEY EXPANSION
The key-expansion process creates a round key for each round.

If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys.

The first round key is used for the pre-round transformation (AddRoundKey); the remaining round keys are used for the last transformation (AddRoundKey) at the end of each round.

The key-expansion routine creates round keys word by word, where a word is an array of 4 bytes.

The routine creates 4 × (Nr + 1) words.

• In the AES-128 version (10 rounds), there are 44 words;
• In the AES-192 version (12 rounds), there are 52 words;
• In the AES-256 version (14 rounds), there are 60 words.
• Each round key is made of four words.

Relationship between rounds and words: round key K_i consists of the words w_{4i}, w_{4i+1}, w_{4i+2}, w_{4i+3}.

Key Expansion in AES-128

Creation of words for the AES-128 version; the processes for the other two versions are the same with some slight changes. Figure shows how 44 words are made from the original key.
The process is as follows:
1. The first four words (w0, w1, w2, w3) are made from the cipher key. The cipher key is thought of as an array of 16 bytes (k0 to k15); w0 = k0 k1 k2 k3, w1 = k4 k5 k6 k7, and so on.

2. The rest of the words (wi for i = 4 to 43) are made as follows:

a. If (i mod 4) ≠ 0, wi = wi−1 ⊕ wi−4. This means each word is made from the one at the left and the one at the top in the figure.

b. If (i mod 4) = 0, wi = t ⊕ wi−4. Here t, a temporary word, is the result of applying two routines, RotWord and then SubWord, on wi−1 and XORing the result with a round constant, RCon. In other words, t = SubWord(RotWord(wi−1)) ⊕ RCon_{i/4}.
RotWord
• The routine takes a word as an array of four bytes and shifts each byte one position to the left with wrapping.
• Ex: the input word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].

SubWord
• The SubWord (substitute word) routine is similar to the SubBytes transformation, but it is applied only to four bytes.
• The routine takes each byte in the word and substitutes another byte for it using the S-box (Table 7.1).

Round Constants
Each round constant, RCon, is a 4-byte value in which the rightmost three bytes are always zero. The leftmost byte of RCon_j is x^(j−1) computed in GF(2^8), which gives the sequence 01, 02, 04, 08, 10, 20, 40, 80, 1B, 36.
Table 7.4 shows the values for the AES-128 version (with 10 rounds).
Key expansion in AES-192 and AES-256

In AES-192 words are generated in groups of 6 instead of 4: w0 to w5 come directly from the 24-byte key, and the RotWord/SubWord/RCon step is applied when i mod 6 = 0.

In AES-256 words are generated in groups of 8 instead of 4: w0 to w7 come directly from the 32-byte key, the RotWord/SubWord/RCon step is applied when i mod 8 = 0, and an extra SubWord (without RotWord or RCon) is applied when i mod 8 = 4.
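The key-expansion routine for all three key sizes, as an added example that is not part of the original slides, checked against the expanded key listed in FIPS 197 Appendix A.1 (cipher key 2b7e1516 28aed2a6 abf71588 09cf4f3c). Rather than typing in Table 7.1, the S-box is generated with the standard trick of walking the multiplicative group of GF(2^8) with the generator 03 (p = 3^k and its inverse q = 3^−k are updated in lockstep) and then applying the affine map with constant 0x63; this is equivalent to the inverse-then-affine definition in Section 7.2.

```python
# Added example (not from the slides): AES key expansion (Section 7.3) for
# 128-, 192- and 256-bit keys, with the S-box generated at import time.

def _rotl8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def make_sbox() -> bytes:
    """p runs through 3^k, q through 3^-k, so (p, q) is always a byte and its
    inverse; affine(q) is then the S-box entry for p.  00 is handled apart."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p = p * 03
        q = (q ^ (q << 1)) & 0xFF                               # q = q * F6
        q = (q ^ (q << 2)) & 0xFF                               # (F6 = 1/03)
        q = (q ^ (q << 4)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:          # back at the start: every non-zero byte is done
            break
    sbox[0] = 0x63
    return bytes(sbox)


SBOX = make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # x^(j-1)


def rot_word(w: bytes) -> bytes:
    return w[1:] + w[:1]


def sub_word(w: bytes) -> bytes:
    return bytes(SBOX[b] for b in w)


def xor_words(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_expansion(key: bytes) -> list:
    """Return the 4*(Nr+1) words w[0..] for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4                        # 4, 6 or 8 words of key material
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES key must be 128, 192 or 256 bits")
    nr = nk + 6                               # 10, 12 or 14 rounds
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            rcon = bytes([RCON[i // nk - 1], 0, 0, 0])
            t = xor_words(sub_word(rot_word(t)), rcon)
        elif nk == 8 and i % nk == 4:         # AES-256 only: extra SubWord
            t = sub_word(t)
        w.append(xor_words(t, w[i - nk]))
    return w


def round_keys(key: bytes) -> list:
    """Group the words four at a time: K0 for the pre-round, K1..KNr after."""
    w = key_expansion(key)
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(len(w) // 4)]


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS 197 A.1
    for i, word in enumerate(key_expansion(key)):
        print(f"w{i:<2} = {word.hex()}")
```

Because the schedule is invertible, leaking any single 128-bit round key of AES-128 is equivalent to leaking the cipher key; round keys must be protected exactly as carefully as the key itself.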
8.1 USE OF MODERN BLOCK CIPHERS

The two modern block ciphers, namely DES and AES, are designed to encipher and decipher a block of text of fixed size.

DES encrypts and decrypts a block of 64 bits; AES encrypts and decrypts a block of 128 bits.

In real-life applications, the text to be enciphered is of variable size and normally much larger than 64 or 128 bits.

Modes of operation have been devised to encipher text of any size employing either DES or AES.

Figure shows the 5 modes of operation: ECB, CBC, CFB, OFB, and CTR.
Electronic Codebook (ECB) Mode

The simplest mode of operation.

The plaintext is divided into N blocks. The block size is n bits.

If the plaintext size is not a multiple of the block size, the text is padded to make the last block the same size as the other blocks.

The same key is used to encrypt and decrypt each block, and each block is processed independently of the others.

Because identical plaintext blocks always produce identical ciphertext blocks under the same key, ECB leaks patterns in the plaintext, and an attacker can reorder, duplicate, or delete ciphertext blocks without detection. It should not be used for messages longer than one block.
Cipher Block Chaining (CBC) Mode

In CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block before being encrypted.

When a block is enciphered, the block is sent, but a copy of it is kept in memory to be used in the encryption of the next block.

The reader may wonder about the initial block. There is no ciphertext block before the first block. In this case, a phony block called the initialization vector (IV) is used.

The sender and receiver must both know the IV. It need not be secret, but it must be unpredictable to the attacker and fresh for every message: a fixed, predetermined IV reveals whenever two messages begin with the same blocks. In practice the IV is generated randomly for each message and sent along with the ciphertext.

Figure 8.3 shows CBC mode. At the sender side, exclusive-oring is done before encryption; at the receiver side, decryption is done before exclusive-oring.

The relation between plaintext and ciphertext blocks is shown in the figure.
Cipher Feedback (CFB) Mode

In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes need to be smaller.

For example, to encrypt and decrypt ASCII 8-bit characters one at a time, you would not want to use one of the traditional character-oriented ciphers because they are insecure.

The solution is to use DES or AES in cipher feedback (CFB) mode.

In this mode the size of the block used in DES or AES is n, but the size of the plaintext or ciphertext block is r, where r ≤ n.

In CFB mode, encipherment and decipherment both use the encryption function of the underlying block cipher: the cipher encrypts a shift register seeded with the IV, r bits of the output are XORed with the plaintext unit, and the resulting ciphertext unit is shifted back into the register for the next unit.

The relation between plaintext and ciphertext blocks is shown in the figure.
Output Feedback (OFB) Mode

OFB is like CFB, except that the value fed back into the shift register is the output of the encryption function itself rather than the ciphertext unit. The keystream therefore does not depend on the plaintext or the ciphertext, and a bit error in one ciphertext unit affects only the corresponding plaintext bit.
Counter (CTR) Mode

In the counter (CTR) mode, there is no feedback.

An n-bit counter is initialized to a pre-determined value (IV) and incremented based on a predefined rule for each block.

Each counter value is encrypted with the key and the result is XORed with the plaintext block. Decryption is the same operation, so only the encryption function of the block cipher is needed, and blocks can be processed in parallel or in any order.

To provide better randomness, the increment value can depend on the number of the block being encrypted; what matters is that the counter value for block i is a fixed function of the IV and i that both sides compute identically.

A (key, counter value) pair must never be reused: two blocks encrypted under the same keystream block reveal the XOR of their plaintexts.

The relation between plaintext and ciphertext blocks is shown in the figure.
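The five modes of Section 8.1 written against a generic 16-byte block cipher, as an added example that is not part of the original slides, with the failure modes noted above (ECB pattern leakage, CBC with a fixed IV, CTR counter reuse) made checkable. The block cipher here is a stand-in, not DES or AES: a 4-round Feistel network whose round function is HMAC-SHA256, chosen only because it is invertible and available in the Python standard library. The mode logic is independent of which cipher is plugged in; the message text and the fixed key are constructed sample values.

```python
# Added example (not from the slides): ECB, CBC, CFB, OFB and CTR over an
# interchangeable 16-byte block cipher.  block_encrypt/block_decrypt are a
# stand-in Feistel permutation, NOT AES or DES.
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed permutation (4-round Feistel, hence invertible)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7: append 1..16 bytes, each equal to the number appended."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Every block is encrypted independently with the same key.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv                                 # the IV plays C_0
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))       # XOR, then encrypt
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))  # decrypt, then XOR
        prev = c
    return unpad(b"".join(out))


def cfb_encrypt(key, iv, plaintext):
    # Full-block CFB (r = n): the ciphertext unit is what gets fed back, and
    # only the block cipher's encryption function is ever called.
    out, reg = [], iv
    for b in _blocks(plaintext):
        reg = _xor(b, block_encrypt(key, reg))         # truncates to len(b)
        out.append(reg)
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext):
    out, reg = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(c, block_encrypt(key, reg)))
        reg = c
    return b"".join(out)


def _stream_xor(keystream, data):
    return b"".join(_xor(b, ks) for b, ks in zip(_blocks(data), keystream))


def ofb_crypt(key, iv, data):
    # Feedback is the cipher output itself, so the keystream ignores the data.
    def keystream():
        reg = iv
        while True:
            reg = block_encrypt(key, reg)
            yield reg
    return _stream_xor(keystream(), data)


def ctr_crypt(key, nonce, data):
    # No feedback: counter block = 12-byte nonce || 32-bit block number.
    ks = (block_encrypt(key, nonce + i.to_bytes(4, "big")) for i in range(len(_blocks(data))))
    return _stream_xor(ks, data)


def ecb_leaks_equal_blocks(key, plaintext) -> bool:
    """Identical plaintext blocks show up as identical ciphertext blocks."""
    blocks = _blocks(ecb_encrypt(key, plaintext))
    return len(set(blocks)) < len(blocks)


def cbc_fixed_iv_leak(key, iv, p1, p2) -> bool:
    """With a reused IV, messages sharing a first block share a ciphertext block."""
    return cbc_encrypt(key, iv, p1)[:BLOCK] == cbc_encrypt(key, iv, p2)[:BLOCK]


def ctr_nonce_reuse_leak(key, nonce, p1, p2) -> bool:
    """Reusing (key, nonce) exposes p1 XOR p2 from the two ciphertexts alone."""
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)


if __name__ == "__main__":
    key, iv, nonce = bytes(range(16)), bytes(16), bytes(12)   # constructed
    msg = b"ATTACK AT DAWN!!" * 3 + b"tail"                    # constructed
    print("ECB repeats blocks  :", ecb_leaks_equal_blocks(key, msg))
    print("CBC fixed-IV leak   :", cbc_fixed_iv_leak(key, iv, msg, msg[:16] + b"..."))
    print("CTR nonce-reuse leak:", ctr_nonce_reuse_leak(key, nonce, msg, bytes(len(msg))))
```

None of these modes authenticates the ciphertext; a practitioner would add a MAC (or use an authenticated mode such as GCM) before trusting decrypted data, and would reject a bad-padding error without revealing it to the sender.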
END
