Professional Documents
Culture Documents
Computer Security
Lecture – 7
• NIST put out a public call for a replacement of the symmetric encryption
1.6 The Advanced Encryption Standard (AES)
algorithm DES in 1997
In 1997, the U.S. National Institute for Standards and Technology (NIST)
• Five finalists: Rijndael
put out (“Rhine
a public call fordoll”),
a replacementdesigned by Joan
of the symmetric encryption algo- Daemen and Vincent
Key
128, 192 or 256 bits
Cryptography
P X0
• The 128-bit version of the AES encryption
algorithm proceeds in ten rounds K Round 1
X1
X10 C
provide some structure to the 128-bit blocks it operates on, the AES al-
AES
rithm views each such block,
16 bytes of 8 bits each,
Matrixstarting with the 128-bit block of plaintext,
Representation
To provide some structure to the 128-bit blocks it operates on, the AES al-
gorithm views each such block, starting with the 128-bit block of plaintext,
• To
provideassome structure
16 bytes to the 128-bit blocks it operates on, the
of 8 bits each, AES
algorithm
( a0,0 , a1,0 , a2,0 views
, a3,0 , a0,1 , a1,1 , a2,1 , aeach such block, starting with the 128-bit block of
3,1 , a0,2 , a1,2 , a2,2 , a3,2 , a0,3 , a1,3 , a2,3 , a3,3 ),
plaintext, as 16 bytes of 8 bits each
( a , a , a , a , a , a , a , a , a , a1,2 , a2,2 , a3,2 , a0,3 , a1,3 , a2,3 , a3,3 ),
0,0 1,0 2,0 3,0 0,1 1,1 2,1 3,1 0,2
anged in column-major order into a 4 ⇥ 4 matrix as follows:
• This is arranged in column-major order into a 4 × 4 matrix as follows:
arranged in column-major order into a 4 ⇥ 4 matrix as follows:
2 3
a0,0 a0,1 a0,2 a0,3
6 a1,0 a1,1 a1,2 a1,3 72 3
6 7 . a0,0 a0,1 a0,2 a0,3
4 a2,0 a2,1 a2,2 a2,3 56 a a a a 7
6 1,0 1,1 1,2 1,3 7.
a3,0 a3,1 a3,2 a3,3 4 a2,0 a2,1 a2,2 a2,3 5
a3,0 a3,1 a3,2 a3,3
• AES also has the notion of a word consisting of four bytes, that is 32 bits
• Therefore, each column of the state array is a word, as is each row
• Each round of processing works on the input state array and produces an
output state array
AES – Key Expansion
• Assuming a 128-bit key, the key is also arranged
in the form of an array of 4 × 4 bytes
• As with the input block, the first word from the key
fills the first column of the array, and so on
• The four column words of the key array are
expanded into a schedule of 44 words
• Each round consumes four words from the key
schedule
• The figure depicts the arrangement of the
encryption key in the form of 4-byte words and
the expansion of the key into a key schedule
consisting of 44 4-byte words
• Of these, the first four words are used for
adding to the input state array before any
round-based processing can begin, and the
remaining 40 words used for the ten rounds of
processing that are required for the case a 128-
bit encryption key.
AES – Overall Encryption and Decryption
AES
• Each round is built from four basic
steps:
1. SubBytes step: an S-box
substitution step
2. ShiftRows step: a permutation step
3. MixColumns step: a matrix
multiplication step
4. AddRoundKey step: an XOR step
with a round key derived from the
128-bit encryption key
• For encryption and decryption, the
sequence of these steps change
according to the side figure
AES – SubBytes Step Cryptography
SubBytes Step
• In the SubBytes step, each byte in the matrix is substituted with a
replacement
In thebyte according
SubBytes to the
step, each byte in thesubstitution boxwith
matrix is substituted known as S-box
a replace-
shown ment byte according to the S-box shown in Figure 14, resulting in the
following transformation:
• This results in the following transformation:
2 3 2 3
a0,0 a0,1 a0,2 a0,3 b0,0 b0,1 b0,2 b0,3
6 a1,0 a1,1 a1,2 a1,3 7 6 b1,3 7
6 7 ! 6 b1,0 b1,1 b1,2 7.
4 a2,0 a2,1 a2,2 a2,3 5 4 b2,0 b2,1 b2,2 b2,3 5
a3,0 a3,1 a3,2 a3,3 b3,0 b3,1 b3,2 b3,3
0 1 2 3 4 5 6 7 8 9 a b c d e f
0 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Figure 14: The S-box used in the SubBytes step of AES. Each byte is shown
AES – ShiftRows Step
• The ShiftRows step is a simple permutation, which has the effect of
mixing up the bytes in each row of the 4 × 4 matrix output from the
Cryptography
2 3 2 3
00000010 00000011 00000001 00000001 c0,0 c0,1 c0,2 c0,3
6 00000001 00000010 00000011 00000001 7 6 c1,3 7
6 7 · 6 c1,0 c1,1 c1,2 7
4 00000001 00000001 00000010 00000011 5 4 c2,0 c2,1 c2,2 c2,3 5
00000011 00000001 00000001 00000010 c3,0 c3,1 c3,2 c3,3
2 3
d0,0 d0,1 d0,2 d0,3
6 d1,0 d1,1 d1,2 d1,3 7
= 6 4 d2,0
7.
d2,1 d2,2 d2,3 5
d3,0 d3,1 d3,2 d3,3
For decryption,
As in the Hillthe following
cipher, matrix
this operation is multiplied
is invertible with
in the GF (28 )the 4 x 4 matrix
number
system. In fact, the inverse matrix to be used during the reverse Mix-
Columns step for decryption is as follows:
2 3
00001110 00001011 00001101 00001001
6 00001001 00001110 00001011 00001101 7
6 7.
4 5
AES – AddRoundKey Step
Cryptography
• In the AddRoundKey step, we exclusive-or the result from previous
AddRoundKey Step
steps with a set of keys derived from the 128-bit secret key
In the AddRoundKey step, we exclusive-or the result from previous steps
with a set of keys derived from the 128-bit secret key. The operation of the
• The operationAddRoundKey
of the AddRoundKey step,
step, therefore, can be expressed therefore, can be expressed
as follows:
as follows: 2
d d0,0 d0,1 d 0,2
3
0,3
2
k k0,0 k k
0,1
3
0,2 0,3
6 d1,0 d1,1 d1,2 d1,3 7 6 k1,0 k1,1 k1,2 k1,3 7
6 7 6 7
4 d2,0 d2,1 d2,2 d2,3 5 4 k2,0 k2,1 k2,2 k2,3 5
d3,0 d3,1 d3,2 d3,3 k3,0 k3,1 k3,2 k3,3
2 3
e0,0 e0,1 e0,2 e0,3
6 e1,0 e1,1 e1,2 e1,3 7
= 6
4 e2,0
7.
e2,1 e2,2 e2,3 5
e3,0 e3,1 e3,2 e3,3
• The critical part of performing this step is determining how the matrix
Of course, the critical part of performing this step is determining how
the matrix of keys, k i,j , for this round, are derived from the single 128-bit
of keys, ki,j, for this round, are derived from the single 128-bit secret
secret key, K.