Lectures #5

Advanced Encryption Standard (AES)

CYS535 Network Security

Prepared By: Dr. Ihab ELAFF
 Chapter 5
Advanced Encryption Standard
(AES)
Origins
• clear a replacement for DES was needed
▫ have theoretical attacks that can break it
▫ have demonstrated exhaustive key search attacks
• can use Triple-DES – pretty safe
▫ but slow, small blocks
• issued call for ciphers in `97
• 15 candidates accepted in Jun 98
• 5 were short-listed in Aug-99
• AES selected in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• The National Institute of Standards and Technology
(NIST) have released all submissions & unclassified
analyses
AES Evaluation Criteria
• initial criteria (15 to 5):
▫ security – effort to practically cryptanalyse
▫ cost – computational, high-speed applications
▫ algorithm & implementation characteristics
 Flexibility, simplicity, maintainability
• final criteria
▫ general security
▫ software & hardware implementation ease
▫ implementation attacks
▫ flexibility (in changing en/decrypt, keying, #rounds, other factors)
AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
▫ MARS (IBM) - complex, fast, high security margin
▫ RC6 (USA) - v. simple, v. fast, low security margin
▫ Rijndael (Belgium) - clean, fast, good security margin
▫ Serpent (Euro) - slow, clean, v. high security margin
▫ Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• All were thought to be good – came down to best
balance of attributes to meet criteria.
• Note mix of commercial (MARS, RC6, Twofish) verses
academic (Rijndael, Serpent) proposals
The AES Cipher
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
▫ treats data in 4 groups of 4 bytes
▫ operates an entire block in every round
▫ rather than Feistel (operate on halves at a time)
• designed to be:
▫ resistant against known attacks
▫ speed and code compactness on many CPUs
▫ design simplicity
AES Algorithm
• processes data as 4 groups of 4 bytes (state)
• has 10 (128-bit keys)/12 (192-bit keys)/14 (256-bit keys) rounds in
which state undergoes:
▫ byte substitution (1 S-box used on every byte)
▫ shift rows (permute bytes between groups/columns)
▫ mix columns (subs using matrix multiply of groups) [except for the last
round]
▫ add round key (XOR state with key material)
• initial XOR key material & incomplete last round
• all operations can be combined into XOR and table lookups - hence
very fast & efficient
AES Algorithm
AES Algorithm
AES Algorithm - Encryption
 Round0: Add Round Key (XOR)
 Round 1 to N-1:
◦ 1- Byte Substitution
◦ 2- Shift Rows
◦ 3- Mix Columns (AES S-Box)
◦ 4- Add Round Key (XOR)
 Round N:
◦ 1- Byte Substitution
◦ 2- Shift Rows
◦ 3- Add Round Key (XOR)
AES Round
AES Algorithm - Decryption
 Round 0: Add Round Key (XOR)
 Round 1 to N-1:
◦ 1- Inverse Shift Rows
◦ 2- Inverse Byte Substitution
◦ 3- Inverse Mix Columns (AES S-Box)
◦ 4-Add Round Key (XOR)
 Round N:
◦ 1- Inverse Shift Rows
◦ 2- Inverse Byte Substitution
◦ 3- Add Round Key (XOR)
Byte Substitution
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
• each byte of state is replaced by byte in row (left 4-
bits) & column (right 4-bits)
▫ eg. byte {95} is replaced by row 9 col 5 byte
▫ which is the value {2A}
Byte Substitution
• In AES, S-Box is generated by using GF(28) (Galois Field) and
irreducible polynomial x8 +x4 +x3 +x+1.
• AES S-Box is a matrix of (16 x 16 = 256) elements in which
rows and columns are having values ranging from 0 to 15 (0 to
f in hexadecimal).
Byte Substitution
Inverse Byte Substitution
Shift Rows
• a circular byte shift in each row
▫ 1st row is unchanged
▫ 2nd row does 1 byte circular shift to left
▫ 3rd row does 2 byte circular shift to left
▫ 4th row does 3 byte circular shift to left
• decrypt does shifts to right
• since state is processed by columns, this step permutes
bytes between the columns
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4
bytes in the column
• Bytes are treated as a polynomials rather than
numbers.
Add Round Key (XOR)
• XOR state with 128-bits of the round key
• again processed by column (though effectively a
series of byte operations)
• inverse for decryption is identical since XOR is own
inverse, just with correct round key
• designed to be as simple as possible
AES Key Expansion
• takes 128-bit (16-byte) key and expands into array of
44/52/60 32-bit words
• start by copying key into first 4 words
• then loop creating words that depend on values in
previous & 4 places back
▫ in 3 of 4 cases just XOR these together
▫ every 4th has S-box + rotate + XOR constant of previous
before XOR together
• designed to resist known attacks
AES Decryption
• AES decryption is not identical to encryption since steps
done in reverse
• but can define an equivalent inverse cipher with steps as
for encryption
▫ but using inverses of each step
▫ with a different key schedule
• works since result is unchanged when
▫ swap byte substitution & shift rows
▫ swap mix columns & add (tweaked) round key
Implementation Aspects
• can efficiently implement on 8-bit CPU
▫ byte substitution works on bytes using a table of 256
entries
▫ shift rows is simple byte shifting
▫ add round key works on byte XORs
▫ mix columns requires matrix multiply in GF(28) which
works on byte values, can be simplified to use a table
lookup
Implementation Aspects
• can efficiently implement on 32-bit CPU
▫ redefine steps to use 32-bit words
▫ can pre-compute 4 tables of 256-words
▫ then each column in each round can be computed
using 4 table lookups + 4 XORs
▫ at a cost of 16Kb to store tables
• designers believe this very efficient implementation
was a key factor in its selection as the AES cipher
AES Example
 ASCII Character Table
ASCII Character Table (0-127)
ASCII Character Table (0-255)
AES Example
Ex: Encrypt the following plain text using AES 128-bit key.
• Plaintext: “Two One Nine Two” (16 byte = 128 bits)
• Key: “Thats my Kung Fu” (16 byte = 128 bits)
Sol:
Step1: Convert Plaintext (Message) to ASCII
T w o O n e N i n e T w o
54 77 6F 20 4F 6E 65 20 4E 69 6E 65 20 54 77 6F
Step2: Convert Key to ASCII
T h a t s m y K u n g F u
54 68 61 74 73 20 6D 79 20 4B 75 6E 67 20 46 75
AES Example
T h a t s m y K u n g F u
54 68 61 74 73 20 6D 79 20 4B 75 6E 67 20 46 75

Round 0 Key
54 73 20 67
68 20 4B 20
61 6D 75 46
74 79 6E 75
 AES Example
• Step 3: Generate Rounds Keys
Round0 Key = 54 68 61 74 73 20 6D 79 20 4B 75 6E 67 20 46 75
To find Round1 Key:
w[0] = (54; 68; 61; 74)
w[1] = (73; 20; 6D; 79)
w[2] = (20; 4B; 75; 6E)
w[3] = (67; 20; 46; 75)
• g(w[3]):
▫ circular byte left shift of w[3]: (20; 46; 75; 67)
▫ Byte Substitution (S-Box): (B7; 5A; 9D; 85)
▫ Adding round constant (01; 00; 00; 00) gives:
g(w[3]) = (B6; 5A; 9D; 85)
Byte Substitution
 AES Example
• w[4] = w[0] ⊕ g(w[3]) = (E2; 32; FC; F1)
• w[5] = w[4] ⊕ w[1] = (91; 12; 91; 88)
• w[6] = w[5] ⊕ w[2] = (B1; 59;E4;E6)
• w[7] = w[6] ⊕ w[3] = (D6; 79;A2; 93)
Round1 key= E2 32 FC F1 91 12 91 88 B1 59 E4 E6 D6 79 A2 93
E2 91 B1 D6
32 12 59 79
FC 91 E4 A2
F1 88 E6 93
 AES Example
Round1 Key = E2 32 FC F1 91 12 91 88 B1 59 E4 E6 D6 79 A2 93

To find Round1 Key:

w[0] = (E2; 32; FC; F1)
w[1] = (91; 12; 91; 88 )
w[2] = (B1; 59; E4; E6 )
w[3] = (D6; 79; A2; 93)
• g(w[3]):
▫ circular byte left shift of w[3]: (79; A2; 93; D6)
▫ Byte Substitution (S-Box): (B6; 3A; DC; F6)
▫ Adding round constant (02; 00; 00; 00) gives:
g(w[3]) = (B4; 3A; DC; F6)
 AES Example
• w[4] = w[0] ⊕ g(w[3]) = (56; 08; 20; 07)
• w[5] = w[4] ⊕ w[1] = (C7; 1A; B1; 8F)
• w[6] = w[5] ⊕ w[2] = (76; 43; 55; 69)
• w[7] = w[6] ⊕ w[3] = (A0; 3A; F7; FA)
Round2 key= 56 08 20 07 C7 1A B1 8F 76 43 55 69 A0 3A F7 FA
56 08 20 07
C7 1A B1 8F
76 43 55 69
A0 3A F7 FA
AES Example
• Step4: Round 0:
Message Round0 Key
54 4F 4E 20 54 73 20 67
77 6E 69 54 68 20 4B 20
6F 65 6E 77 61 6D 75 46
20 20 65 6F 74 79 6E 75

AES output after Round 0= State Matrix ⊕ Round0 Key

00 3C 6E 47
1F 4E 22 74
0E 08 1B 31
54 59 0B 1A
AES Example
• Step5: Round1
00 3C 6E 47 63 EB 9F A0
S-Box
1F 4E 22 74 C0 2F 93 92
1) 0E 08 1B 31  AB 30 AF C7
54 59 0B 1A 20 CB 2B A2
AES Example
• Step6: Round1
63 EB 9F A0 63 EB 9F A0
Shift Rows
C0 2F 93 92 2F 93 92 C0
2) AB 30 AF C7  AF C7 AB 30
20 CB 2B A2 Circulate left A2 20 CB 2B
by 0,1,2,3
bytes
AES Example
• Step7: Round 1
02 03 01 01 63 EB 9F A0
01 02 03 01 2F 93 92 C0
3) 01 01 02 03 x AF C7 AB 30 =
03 01 01 02 A2 20 CB 2B

BA 84 E8 1B
75 A4 8D 40
F4 8D 06 7D
7A 32 0E 5D

02x63 ⊕ 03x2F ⊕ 01xAF ⊕ 01xA2 = BA

 AES Example
02x63 ⊕ 03x2F ⊕ 01xAF ⊕ 01xA2 = BA
• Bytes are treated as a polynomials rather
than numbers.
02 = 0000 0010 = X
63 = 0110 0011 = X6+X5+X+1
02x63 = X7+X6+X2+X = 1100 0110
~~~~~~~~~~~~~~~~~~~~~~~~~~
03x2F = X6+X5+X4+1 = 0111 0001
01xAF = X7+X5+X3+X2+X+1 = 1010 1111
01xA2 = X7+X5+X = 1010 0010
 AES Example
02x63 = 1100 0110
03x2F = 0111 0001
01xAF = 1010 1111
01xA2 = 1010 0010
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ XOR
= 1011 1010 = BA
 AES Example
• Step8: Round 1
State Matrix Round1 Key
BA 84 E8 1B E2 91 B1 D6
75 A4 8D 40 32 12 59 79
F4 8D 06 7D FC 91 E4 A2
7A 32 0E 5D F1 88 E6 93

AES output after Round 1= State Matrix ⊕ Round1 Key

58 15 59 CD
47 B6 D4 39
08 1C E2 DF
8B BA E8 CE
 AES Example
43 0E 09 3D
C6 57 08 F8
AES output after Round 2 A9 C0 EB 7F
62 C8 FE 37

09 A2 F0 7B
66 D1 FC 3B
8B 9A E6 30
AES output after Round 9
78 65 C4 89
 AES Example
Last Steps: Round 10
09 A2 F0 7B 01 3A 8C 21
66 D1 FC 3B 33 3E B0 E2
8B 9A E6 30  3D B8 8E 04
78 65 C4 89 BC 4D 1C A7
 AES Example
Last Steps: Round 10
01 3A 8C 21 01 3A 8C 21
33 3E B0 E2 3E B0 E2 33
3D B8 8E 04  8E 04 3D B8
BC 4D 1C A7 A7 BC 4D 1C
 AES Example
Last Steps: Round 10
Round10 Key
01 3A 8C 21 28 FD DE F8
3E B0 E2 33 6D A4 24 4A
8E 04 3D B8 ⊕ CC C0 A4 FE
A7 BC 4D 1C 3B 31 6F 26

Ciphertext Matrix (Final)

29 57 40 1A
C3 14 22 02
50 20 99 D7
5F F6 B3 3A
 AES Example
Last Steps: Round 10
Ciphertext Matrix (Final)
29 57 40 1A
C3 14 22 02
50 20 99 D7
5F F6 B3 3A

Ciphertext: 29 C3 50 5F 57 14 20 F6 40 22 99 B3 1A 02 D7 3A
End.