AES Encryption Standard Explained

Advanced Encryption Standard (AES)
AES was published by NIST (National Institute of

Standard and Technology) in 2001.
AES is a block cipher intended to replace DES as
approved standard for a wide range of applications.
It uses a 128-bit block size and a key size of 128, 192,
or 256 bits.
AES does not use a Feistel structure. Instead, each full
round consists of four separate functions:
byte substitution
Permutation
arithmetic operations over a finite field, and
XOR with a key.
In 1997 the US, NIST started a public competition to select an
algorithm to replace DES.
The algorithm was required to be a block cipher supporting
cipherkey lengths of 128, 192, and 256 and to be free of any
patents.
The selection process consisted of several rounds where
candidate algorithms were evaluated.
At the end of the first round in August 1998, 15 algorithms were
accepted as candidates.
In the next round in August 1999, the candidates were reduced to
five finalist algorithms (MARS, Blowfish, RC6, Rijndael, Serpent).
Finally, in October 2000 the Rijndael algorithm was selected as
the winner and NIIST officially announced that Rijndael has been
chosen as Advanced Encryption Standard (AES) in November
2001.
Initial Evaluation Criteria for AES
Security
Resistance to cryptanalysis, soundness of math,
randomness of output, etc.
Cost
Computational efficiency (speed)
Memory requirements
Algorithm / Implementation Characteristics
Flexibility, hardware and software suitability,
algorithm simplicity
AES - Rijndael
Rijndael cipher invented by two Belgian cryptographers
Joan Daemen and Vincent Rijmen
AES allows for three different key lengths: 128, 192, or
256 bits(16, 24, or 32 bytes ).
The cipher takes a plaintext block size of 128 bits, or 16
bytes.
The algorithm is referred to as AES-128, AES-192, or
AES-256, depending on the key length.
Salient Features of AES
AES is a block cipher with a block length of 128 bits.
AES allows for three different key lengths: 128, 192,
or 256 bits. Most commonly used key length is 128
bits.
Except for the last round in each case, all other
rounds are identical.
Each round of processing includes one single-byte
based substitution step, a row-wise permutation
step, a column-wise mixing step, and the addition of
the round key.
The order in which these four steps are executed is
different for encryption and decryption.
7.7
Data units used in AES
To appreciate the processing steps used in a single round, it is
best to think of a 128-bit block plaintext arranged as 44
matrix of bytes.
Therefore, the first four bytes of a 128-bit input block occupy
the first column in the 4 4 matrix of bytes. The next four
bytes occupy the second column, and so on.
The 4 4 matrix of bytes is referred to as the state array,
which is modified at each stage of encryption or decryption.
After the final stage, State is copied to an output matrix.
These operations are depicted in Figure a.
Similarly, the key is depicted as a square matrix of bytes. This
key is then expanded into an array of key schedule words.
Figure b shows the expansion for the 128-bit key.
Each word is four bytes, and the total key schedule is 44
words for the 128-bit key.
Note that the ordering of bytes within a matrix is by column.
So, for example, the first four bytes of a 128-bit plaintext
(expanded key) input to the encryption cipher occupy the first
column of the in (w) matrix, the second four bytes occupy the
second column, and so on.
The cipher consists of 10 rounds.
The first 9 rounds consist of four distinct
transformation functions:
Substitute Bytes
Shift Rows
Mix Columns
Add Round Key
The final round contains only three
transformations, and there is a initial single
transformation (Add Round Key) before the
first round which can be considered Round 0.
Each transformation takes 4x4 matrix as
input and produces a 4x4 matrix as output.
Key expansion function generates 11 round
keys, each of which is a distinct 4x4 matrix.
Each round key serve as one of the inputs to
the Add Round Key transformation in each
round.
Encryption Decryption
AES operates on 8-bit bytes.
Addition of two bytes is
defined as the bitwise XOR
operation.
Multiplication of two bytes is
defined as multiplication in
the finite field GF(2
8
) with the
irreducible polynomial
=
+ +
This is the first one of the 30
possible irreducible
polynomials of degree 8
STEP 1: Substitute Bytes
This step consists of using a 16 16 lookup table to
find a replacement byte for a given byte in the input
state array.
The entries in the lookup table are created by using
the notions of multiplicative inverses in GF(2
8
)
STEP 2: Shift Rows
The goal of this transformation is to scramble the
byte order inside each 128-bit block.
STEP 3: Mix Columns
The goal is here is to further scramble up the 128-bit
input block.
The shift-rows step along with the mix-column step
causes each bit of the ciphertext to depend on every
bit of the plaintext after 10 rounds of processing.
But now we want each bit of the plaintext to affect
every bit of the ciphertext in a block of 128 bits.
STEP 4: Add Round Key
A simple bitwise XOR of the current block with a
portion of the expanded key.
Block-to-state and state-to-block
transformation
Changing plaintext to state array:
M A N I P A L I N S T I T U T E
M P N T
A A S U
N L T T
I I I E
Plaintext Matrix
State array using ASCII code
S
0,0
=4D S
0,1
= 50
S
1,1
= 41
S
2,1
= 4C
S
3,1
= 49
S
0,2
= 4E
S
1,2
= 53
S
2,2
= 54
S
3,2
= 49
S
0,3
= 54
S
1,3
= 55
S
2,3
= 54
S
3,3
= 45
S
1,0
= 41
S
2,0
= 4E
S
3,0
= 49
Let the Key be:
A D V A N C E D E N C R Y P T I
A N E Y
D C N P
V E C T
A D R I
41 4E 45 59
44 43 4E 50
56 45 43 54
41 44 52 49
Key Matrix
Key Matrix using ASCII
codes
W
0
W
1
W
2
W
3 Key words
Add round key transformation
41 4E 45 59
44 43 4E 50
56 45 43 54
41 44 52 49
4D 50 4E 54
41 41 53 55
4E 4C 54 54
49 49 49 45
0C 1E 0B 0D
05 02 1D 05
18 09 17 00
08 0D 1B 0C
=
The 128-bits of State array are bitwise XORed with the 128-
bits of the round key.
As shown in table, the operation is viewed as a columnwise
operation between the 4 bytes of a State column and one
word of the round key;
It can also be viewed as a byte-level operation. The following
is an example of AddRoundKey:
State array round key State array
Constructing S-Box
1. Initialize the cells in the 16x16 with the byte values
in ascending sequence row by row.
The first row contains ; {00} {01} {02} . {0F}
the second row contains; {10} {11} {12} . {1F}
last row contains; {F0} {F1} {F3} .. {FF}
Thus, the value of the byte at row x , column y is [xy].
S-Box Initialization
Y
0 1 2 3 4 5 6 7 8 9 A B C D E F
X
0 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
1 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
2 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
3 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
4 40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F
5 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F
6 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
7 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F
8 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F
9 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F
A A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF
B B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF
C C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF
D D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF
E E0 E1 E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF
F F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF
2. Map each byte in the cell to its multiplicative
inverse in the finite field GF(2
8
) ;
The value 00 is replaced by itself since this element
has no multiplicative inverse.
For example, the byte stored in the cell (9, 5) of the
table is the multiplicative inverse of 0x95, which is
0x8A.
Constructing S-Box
Multiplicative inverse of each element
Y
0 1 2 3 4 5 6 7 8 9 A B C D E F
X
0 00 01 8D F6 CB 52 7B D1 E8 4F 29 C0 B0 E1 E5 C7
1 74 B4 AA 4B 99 2B 60 5F 58 3F FD CC FF 40 EE B2
2 3A 6E 5A F1 55 4D A8 C9 C1 0A 98 15 30 44 A2 C2
3 2C 45 92 6C F3 39 66 42 F2 35 20 6F 77 BB 59 19
4 1D FE 37 67 2D 31 F5 69 A7 64 AB 13 54 25 E9 09
5 ED 5C 05 CA 4C 24 87 BF 18 3E 22 F0 51 EC 61 17
6 16 5E AF D3 49 A6 36 43 F4 47 91 DF 33 93 21 3B
7 79 B7 97 85 10 B5 BA 3C B6 70 D0 06 A1 FA 81 82
8 83 7E 7F 80 96 73 BE 56 9B 9E 95 D9 F7 02 B9 A4
9 DE 6A 32 6D D8 8A 84 72 2A 14 9F 88 F9 DC 89 9A
A FB 7C 2E C3 8F B8 65 48 26 C8 12 4A CE E7 D2 62
B 0C E0 1F EF 11 75 78 71 A5 8E 76 3D BD BC 86 57
C 0B 28 2F A3 DA D4 E4 0F A9 27 53 04 1B FC AC E6
D 7A 07 AE 63 C5 DB E2 EA 94 8B C4 D5 9D F8 90 6B
E B1 0D D6 EB C6 0E CF AD 08 4E D7 E3 5D 50 1E B3
F 5B 23 38 34 68 46 03 8C DD 9C 7D A0 CD 1A 41 1C
Finding the S-box elements
3. Consider that each byte in the cell consists of 8 bits
labeled (b
7,
b
6
, b
5
, b
4
, b
3
, b
2
, b
1
, b
0
). Apply the following
transformation to each bit of each byte in the S-box:
c
i
is the i
th
bit of byte c with value 0x63, i.e
The above bit-mangling step can be better visualized as
the following vector-matrix operation. Note that all of
the additions in the product of the matrix and the vector
are actually XOR operations.
Finding the S-box elements
Using affine transformation: Y= Ax + C
Example:
Input value = 0x95.
Multiplicative inverse = 0x8A
Value in S-box = 2A
Tips to remember A matrix: Start with 0x8F, next row is obtained
by rotating 1-bit to right, and so on
Complete S-box
SB
Inverse S-box construction
1. Initialize the cells in 16x16 table with the byte
values in ascending sequence row by row.
The first row contains ; {00} {01} {02} . {0F}
the second row contains; {10} {11} {12} . {1F}
and so on.
2. Apply the following transformation to each bit of
each byte in the S-box:
where d
i
is the i
th
bit of a specially designated byte d
whose hex value is 0x05.
( d
7
d
6
d
5
d
4
d
3
d
2
d
1
d
0
= 00000101 )
3. Finally, you replace the byte in the cell by its
multiplicative inverse in GF(2
8
).
The above bit-mangling step can be better isualized
as the following vector-matrix operation.
Tips to remember A
1
matrix: Start the top row
with 0x25, next row is obtained by rotating 1-bit
to right, and so on.
Inverse S-box construction
Complete Inverse S-box
ISB
Step1: Substitute Byte transformation
This is a byte-by-byte substitution and the substitution
byte for each input byte is found by using the same
lookup table.
The size of the lookup table is 16 16 matrix of byte
value, called an S-box.
S-box contains a permutation of all possible 256 8-bit
values.
Each individual byte of state array is mapped into a new
byte in the following way:
The leftmost 4-bits of the byte are used as a row
value and the rightmost 4-bits are used as a column
value.
These row and column values serve as indexes into
the S-box to select a unique 8-bit output value.
Step1: Forward Substitute Byte transformation
0C 1E 0B 0D
05 02 1D 05
18 09 17 00
08 0D 1B 0C
FE 72 2B D7
6B 77 A4 6B
AD 01 F0 63
30 D7 AF FE
I/p to Substitute transformation O/P of Substitute transformation
Step1: Inverse Substitute Byte transformation
Inverse substitute byte transformation
Makes use of the inverse S-box
shown in Table.
Example:
Input oxA4
Inverse S-box produces output ox1D.
Step2: Forward Shift Row Transformation
The Shift Rows transformation consists of:
I. Not shifting the first row of the state array at all.
II. Circularly shifting the second row by one byte to
the left.
III. Circularly shifting the third row by two bytes to
the left, and
IV. Circularly shifting the last row by three bytes to
the left.
Step2: Forward Shift Row Transformation
FE 72 2B D7
6B 77 A4 6B
AD 01 F0 63
30 D7 AF FE
I/P to ShiftRowtransformation
FE 72 2B D7
77 A4 6B 6B
F0 63 AD 01
FE 30 D7 AF
O/P to ShiftRowtransformation
The first 4 bytes of the plaintext are copied to the
first column of State array, and so on.
The round key is applied to State column by
column.
Shift row transformation ensures that the 4 bytes of
one column are spread out to four different
columns.
Performs the circular shifts in the opposite direction
for each of the last three rows
I. Not shifting the first row of the state array at all.
II. Circularly shifting the second row by one byte to
the right.
III. Circularly shifting the third row by two bytes to
the right, and
IV. Circularly shifting the last row by three bytes to
the right.
Step2: Inverse Shift Row Transformation
Step3: Forward Mix Column Transformation
Operates on each column individually.
Each byte of a column is mapped into a new value
that is a function of all four bytes in that column.
The transformation can be defined by the following
matrix multiplication on State array
Each byte in a column is replaced by two times that
byte, plus three times the the next byte, plus the
byte that comes next, plus the byte that follows.
next and follow refer to bytes in the same
column, and their meaning is circular.
The Mix Columns transformation on a single
column of State can be expressed as:
More compactly, the column transformation can be
defined by the following matrix multiplication on
State array.
Each element in the product matrix is the sum of
products of elements of one row and one column.
Individual additions and multiplications are
performed in GF(2
8
).
=
Example:
Step3: Inverse Mix Column Transformation
Inverse Mix Columns, is defined by the following matrix
multiplication:
The inverse transformation matrix times the forward
transformation matrix equals the identity matrix.
AES Key Expansion algorithm
It is used to derive the 128-bit round key from the
original 128-bit encryption key.
The algorithm first arranges the 16 bytes of the
encryption key in the form of a 4 4 array of bytes:
The first four bytes of the encryption key constitute the word
w
0
, the next four bytes the word w
1
, and so on.
W
0
W
1
W
2
W
3
Lets say that we have the four words
of the round key for the (i/4)
th
round:
w
i
w
i+1
w
i+2
w
i+3
i must be a multiple of 4.
For example, w
4
, w
5
, w
6
, w
7
is the
round key for round 1, the sequence
of words w
8
, w
9
, w
10
, w
11
the round
key for round 2, and so on.
Now we need to determine the words
w
i+4
w
i+5
w
i+6
w
i+7
from the words
w
i
w
i+1
w
i+2
w
i+3
From Figure , we write
w
i+4
= w
i
g(w
i+3
)
w
i+5
= w
i+4
w
i+1
w
i+6
= w
i+5
w
i+2
w
i+7
= w
i+6
w
i+3
Note that except for the first word
in a new 4-word grouping, each
word is an XOR of the previous
word and the corresponding word
in the previous 4-word grouping.
The function g() consists of the
following three steps:
1. Perform a one-byte left circular
rotation on the argument 4-byte
word.
2. Perform a byte substitution for
each byte of its input word using
the S-box
3. XOR the bytes obtained from the
previous step with what is
known as a round constant
RCON[j].
Round constant: It is a word whose three rightmost
bytes are always zero.
i.e RCON[j] = (RC[j], 0, 0, 0) where RC[j] is defined by
the table:
The only non-zero byte in the round constants, RC[i],
obeys the following recursion:
RC[1] = 1
RC[j] = 2 RC[j 1]
EA B5 31 7F
D2 8D 2B 8D
73 BA F5 29
21 D2 60 2F
W
32
W
33
W
34
W
35
W
35
7F 8D 29 2F
STEP1: One byte circular left shift
STEP2: After Substitute byte
operation
STEP3: Round constant for round 9 is:
RC[9]=1B
i.e RCON[9]= 1B 00 00 00
XOR with RCON :
5D A5 15 D2
1B 00 00 00
o/p g: 46 A5 15 D2
8D 29 2F 7F
5D A5 15 D2
For example, suppose
that the round key for
round 8 is:
36
=
32

37
=
33

36
38
=
34

37
39
=
35

38
W
36
= EA D2 73 21 46 A5 15 D2 = AC 77 66 F3
W
37
= B5 8D BA D2 AC7766F3 = 19 FA DC 21
W
38
= 31 2B F5 60 19 FA DC 21 = 28 D1 29 41
W
39
= 7F 8D 29 2F 28 D1 29 41 = 57 5C 00 6E

AES Encryption Standard Explained

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

AES Encryption Standard Explained

Enviado por

Direitos autorais:

Formatos disponíveis

Advanced Encryption Standard (AES)

AES was published by NIST (National Institute of

Você também pode gostar