
Highly Secure Systems

Advanced Encryption Standard – AES

Diagrams are taken from textbook "Understanding Cryptography" by Christof Paar and Jan Pelzl 1/25
Polynomial Arithmetic – Motivation
• AES encryption uses multiplication and addition operations
on 8-bit data, i.e. numbers ∈ {0, ..., 255}
• The set {0, ..., 255} mod 256 is an additive group, but not
a multiplicative group.
• Fields are multiplicative and additive, so we need to find a field
whose elements are 8 bits wide.
• A finite field is GF(p) = {0, 1, ..., p − 1} where p is prime.
• It has an extension field GF(p^m) where the elements are
represented as polynomials with coefficients a_i ∈ {0, ..., p − 1}:
A(x) = a_{m−1} x^{m−1} + a_{m−2} x^{m−2} + ... + a_2 x^2 + a_1 x + a_0
There are p^m such polynomials.
• Using p = 2, m = 8, GF(2^8) has 2^8 = 256 elements.
• Given a byte, represent each bit by a coefficient
a_i ∈ {0, 1}, e.g. 1011 0111 becomes
A(x) = x^7 + x^5 + x^4 + x^2 + x + 1
Arithmetic in AES
• Need to multiply, divide (inverse), add, subtract (inverse)
on 8-bit data (bytes).
• Data must be elements of a field.
• Not all integers in {0, 1, 2, ..., 255} have multiplicative
inverses under arithmetic mod 256 (e.g. the even numbers have none).
• Instead, use GF(2^8), where every element except zero has a
multiplicative inverse; AES data bytes are elements of this field.
• Elements of GF(2^8) are:
A(x) = a_7 x^7 + a_6 x^6 + a_5 x^5 + a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0
where a_i ∈ GF(2) = {0, 1}
• Hence elements can be represented and stored as
A(x) = (a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0),
e.g. if A(x) = x^7 + x^5 + x^2 + x + 1, represent it as
A = 10100111 for operations and storage.

Finite Fields

• GF(p^m) – finite field of order (number of elements) p^m,
where p is prime and m is a positive integer.
• If m = 1, then GF(p) = {0, 1, ..., p − 1} (mod p)
• Has 2 operations: + and × (modulo p), such that:
• Has closure
• Is associative
• Has neutral/identity elements: 0 (+); 1 (×)
• Elements have inverses: for +, all elements; for ×, all except zero.
• Extension field GF(p^m), where m > 1
• Elements in GF(p^m) are polynomials of degree at most m − 1:
A(x) = a_{m−1} x^{m−1} + ... + a_1 x + a_0, with a_i ∈ GF(p);
the zero element is excluded in multiplicative operations (it has no inverse).

Examples of Extension fields
• If p = 2, m = 1, the elements of GF(2^1) are
A(x) = a_0 x^0 = a_0, with a_0 ∈ GF(2), i.e. a_0 ∈ {0, 1};
i.e. the elements are {0, 1}
• If p = 2, m = 2, the elements of GF(2^2) are
A(x) = a_1 x + a_0, with a_i ∈ GF(2), i.e. a_i ∈ {0, 1};
i.e. the elements are
{0x + 0, 0x + 1, 1x + 0, 1x + 1} = {0, 1, x, x + 1}
• If p = 2, m = 3, the elements of GF(2^3) are
A(x) = a_2 x^2 + a_1 x + a_0, with a_i ∈ GF(2), i.e. a_i ∈ {0, 1};
i.e. the possible elements are
{0x^2 + 0x + 0, 0x^2 + 0x + 1, 0x^2 + 1x + 0, 0x^2 + 1x + 1, ...} =
{0, 1, x, x + 1, ...}
• In binary representation:
000 001 010 011 100 101 110 111

Extension Field GF(2^8)
• If p = 2, m = 8, then the elements in GF(2^8) are
A(x) = a_7 x^7 + ... + a_1 x + a_0, a_i ∈ GF(2) = {0, 1}
• Elements include:
{0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1, ...}
Each can be represented as an 8-bit vector
(a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0),
stored as a byte, e.g.
{(0000 0000), (0000 0001), (0000 0010), (0000 0011), ...}
i.e. there are 2^8 = 256 elements

Polynomial arithmetic

• Addition and subtraction in GF(2^m)
• Given A(x) and B(x) ∈ GF(2^m),
C(x) = A(x) + B(x) = Σ_{i=0}^{m−1} c_i x^i, where c_i ≡ a_i + b_i mod 2
• Example: Find A(x) + B(x) given
A(x) = x^7 + x^5 + x^2 + x + 1, i.e. A = 1 0 1 0 0 1 1 1
B(x) = x^7 + x^6 + x^3 + x, i.e. B = 1 1 0 0 1 0 1 0
C(x) = x^6 + x^5 + x^3 + x^2 + 1, i.e. C = 0 1 1 0 1 1 0 1
• Subtraction: since −1 ≡ 1 mod 2 and −0 ≡ 0 mod 2,
A(x) − B(x) = C(x) where c_i = a_i − b_i ≡ a_i + b_i mod 2
• Addition and subtraction are equivalent mod 2; both are a bitwise
XOR of the coefficient vectors.

Polynomial multiplication in GF(2^m)

• Let P(x) be an irreducible polynomial of degree m:
C(x) ≡ A(x) · B(x) mod P(x)
• E.g. using GF(2^4), the irreducible polynomial is
P(x) = x^4 + x + 1
• Given A(x) = x^3 + x^2 + 1, B(x) = x^2 + x,
find C(x) = A(x) · B(x)
• First find C′(x) = A(x) · B(x) = x^5 + x^3 + x^2 + x
• Now divide C′(x) by P(x) and take the remainder, i.e.
C′(x) = x · (x^4 + x + 1) + r = x · (x^4 + x + 1) + x^3
• Hence C(x) = A(x) · B(x) ≡ x^3 mod (x^4 + x + 1)
• i.e. given A = (1101), B = (0110), then C = A · B = (1000)
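The polynomial arithmetic of the last two slides carried out in code, as an added example that is not from the slides or the textbook. Polynomials over GF(2) are stored as integers (bit i holds a_i, matching the slides' bit-vector notation), addition is XOR, multiplication is a carry-less product followed by long division by P(x), and the multiplicative inverse is obtained by exponentiation (a^(2^m − 2)), which goes beyond the slides' GF(2^4) product to show that every nonzero byte in AES's GF(2^8) has an inverse. The function names, the P_GF16/P_AES constants and the poly_str helper are this example's own.

```python
# Added example (not from the slides): polynomial arithmetic in GF(2^m).
# A polynomial A(x) = a_{m-1} x^{m-1} + ... + a_1 x + a_0 over GF(2) is stored
# as an integer whose bit i is the coefficient a_i, so (1101) = x^3 + x^2 + 1.

def poly_str(a: int) -> str:
    """Render an integer-coded polynomial the way the slides write it, e.g. 'x^3 + x^2 + 1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(a.bit_length() - 1, -1, -1):
        if a >> i & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

def gf2_add(a: int, b: int) -> int:
    """A(x) + B(x): coefficients added mod 2, i.e. bitwise XOR.
    Subtraction is the same operation because -1 = 1 mod 2."""
    return a ^ b

def gf2_mul_raw(a: int, b: int) -> int:
    """C'(x) = A(x) * B(x) in GF(2)[x] before reduction (carry-less multiply)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result

def gf2_mod(c: int, p: int) -> int:
    """Remainder of C'(x) divided by P(x): polynomial long division over GF(2).
    Each step cancels the leading term of c with a shifted copy of p."""
    deg_p = p.bit_length() - 1
    while c and c.bit_length() - 1 >= deg_p:
        c ^= p << (c.bit_length() - 1 - deg_p)
    return c

def gf2m_mul(a: int, b: int, p: int) -> int:
    """C(x) = A(x) * B(x) mod P(x), i.e. multiplication in GF(2^m).
    p is the irreducible polynomial of degree m, including its x^m term."""
    return gf2_mod(gf2_mul_raw(a, b), p)

def gf2m_inverse(a: int, p: int) -> int:
    """Multiplicative inverse in GF(2^m) by exponentiation: a^(2^m - 2) = a^(-1),
    because every nonzero a satisfies a^(2^m - 1) = 1. Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse in GF(2^m)")
    m = p.bit_length() - 1
    exponent = (1 << m) - 2
    result, base = 1, a
    while exponent:                      # square-and-multiply
        if exponent & 1:
            result = gf2m_mul(result, base, p)
        base = gf2m_mul(base, base, p)
        exponent >>= 1
    return result

# Irreducible polynomials used on the slides (names are this example's own).
P_GF16 = 0b1_0011       # x^4 + x + 1, for GF(2^4)
P_AES = 0b1_0001_1011   # x^8 + x^4 + x^3 + x + 1, for AES's GF(2^8)

if __name__ == "__main__":
    # Slide example in GF(2^4): (1101) * (0110) = (1000)
    a, b = 0b1101, 0b0110
    print(f"C'(x) = {poly_str(gf2_mul_raw(a, b))}")        # x^5 + x^3 + x^2 + x
    print(f"C(x)  = {poly_str(gf2m_mul(a, b, P_GF16))}")    # x^3
    # GF(2^8): every nonzero byte has an inverse, unlike integers mod 256
    print(f"inverse of C2 = {gf2m_inverse(0xC2, P_AES):02X}")  # 2F
```

gf2_mod is generic long division, so the same code reduces modulo any irreducible polynomial; the only thing that makes the field "AES's" GF(2^8) is the choice of P_AES. Passing the polynomial without its leading x^m term (0x1B instead of 0x11B) is a common mistake and yields wrong remainders, so the constants above include it.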

AES operation

• Key addition layer
Key schedule – derives subkeys from the original input key
• AES round
• Byte substitution using S-boxes
• Diffusion Layer – ShiftRows and MixColumn
• Last round – no MixColumn
• Key sizes & rounds:
128-bit key – 10 rounds
192-bit key – 12 rounds
256-bit key – 14 rounds
Key Addition layer and key schedule

• For a 128-bit key, generate 11 subkeys key_0, ..., key_10
• Adds non-linearity, removes symmetry in AES.
• RC are round coefficients, e.g. RC[1] = (00000001)_2
• Key addition layer – key_i is XORed with the state matrix C_i at each round.
AES round

AES Byte substitution: S-box computation

• In AES, the 128-bit data block is divided into 16 1-byte blocks:
• Byte inversion in GF(2^8) mod P(x) = x^8 + x^4 + x^3 + x + 1
• Often use a lookup table (Table 4.2 in text). It includes a
special entry for 0, which has no inverse but is mapped to 0.
• Example: From Table 4.2, find the inverse of (11000010)_2
A_i^{-1} = B_i′ = (2F)_hex = (00101111)_2
Byte substitution: S-box computation

Byte substitution: S-box computation
• Affine mapping
• E.g. Given input A_i = (11000010)_2, what is the S-box output?
From inverse Table 4.2:
A_i^{-1} = B_i′ = (2F)_hex = (00101111)_2
Then, from the above affine mapping,
B_i = (00100101)_2 = (25)_hex
• Byte substitution can be done without computation using the
S-box (lookup table) in Table 4.3
Byte Substitution using S-box

• AES S-Box is non-linear, i.e. S(A) + S(B) ≠ S(A + B)
• For each input, there is one unique output

AES – Diffusion layer

• 16-byte input A_0, ..., A_15 as matrix A, output B

AES – Diffusion layer
• Has 2 sublayers
1. ShiftRows – to increase the diffusion properties:
2. MixColumn – by multiplying each column of B with a fixed matrix.

Note: Multiplication is in GF(2^8) mod the irreducible polynomial P(x).

AES – Diffusion layer MixColumn

• E.g. Input state to MixColumn is B = (25, 25, 25, ..., 25)_hex;
only need these two products:

02 · 25 = x · (x^5 + x^2 + 1) = x^6 + x^3 + x
03 · 25 = (x + 1) · (x^5 + x^2 + 1) = x^6 + x^5 + x^3 + x^2 + x + 1

For any row, C_i is the sum (XOR) of the four products:

01 · 25 =       x^5       + x^2       + 1
01 · 25 =       x^5       + x^2       + 1
02 · 25 = x^6       + x^3       + x
03 · 25 = x^6 + x^5 + x^3 + x^2 + x + 1
C_i     =       x^5       + x^2       + 1
Hence state C = (25, 25, ..., 25)_hex
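The MixColumn computation above carried out in code for a whole 4-byte column, as an added example that is not from the slides or the textbook. It builds every constant from xtime (multiplication by 02 = x, with the reduction by P(x) = x^8 + x^4 + x^3 + x + 1 whenever an x^8 term appears) and also applies the inverse matrix used for decryption. The two matrices are the standard AES ones; the function names are this example's own, and the second column in the usage section is a constructed input.

```python
# Added example (not from the slides): the MixColumn sublayer and its inverse
# applied to one 4-byte column. Multiplication is in GF(2^8) mod
# P(x) = x^8 + x^4 + x^3 + x + 1; every constant is built from xtime.

def xtime(a: int) -> int:
    """Multiply by 02 = x: shift left, then subtract P(x) (XOR 0x11B)
    if an x^8 term appeared, which keeps the result inside GF(2^8)."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a

def mul_const(a: int, c: int) -> int:
    """Multiply byte a by a small constant c by summing xtime powers,
    e.g. 03 · a = x·a + a and 0E · a = x^3·a + x^2·a + x·a."""
    result, power = 0, a
    while c:
        if c & 1:
            result ^= power
        power = xtime(power)
        c >>= 1
    return result

# Fixed matrices of the MixColumn and Inverse MixColumn sublayers (standard AES).
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col, matrix=MIX):
    """C_i = matrix[i][0]·B_0 + ... + matrix[i][3]·B_3, the sum being XOR."""
    return [
        mul_const(col[0], row[0]) ^ mul_const(col[1], row[1])
        ^ mul_const(col[2], row[2]) ^ mul_const(col[3], row[3])
        for row in matrix
    ]

def inv_mix_column(col):
    """Decryption direction: multiply by the precomputed inverse matrix."""
    return mix_column(col, INV_MIX)

if __name__ == "__main__":
    # Slide example: a column of all 25 maps to itself
    print([f"{c:02X}" for c in mix_column([0x25] * 4)])   # ['25', '25', '25', '25']
    # Constructed column and its round trip through both sublayers
    col = [0xDB, 0x13, 0x53, 0x45]
    mixed = mix_column(col)
    print([f"{c:02X}" for c in mixed])                     # ['8E', '4D', 'A1', 'BC']
    print(inv_mix_column(mixed) == col)                    # True
```

The all-25 column is a poor test on its own, because any circulant matrix whose row sums to 01 maps a constant column to itself; the second column exercises the reduction step in xtime (inputs with the top bit set) and checks that the inverse matrix really undoes the forward one.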

AES decryption

• The key schedule order is reversed
• Each round operates in reverse of encryption:
1 Key addition
2 Inverse MixColumn (except 1st round)
3 Inverse ShiftRows
4 Inverse Byte Substitution

Inverse Diffusion

• Inverse MixColumns: use the precomputed inverse matrix;
multiplication is in GF(2^8) mod P(x), as in encryption.
• Inverse ShiftRows

Inverse Byte substitution using S-box

• Compute A_i = S^{-1}(B_i)

Inverse Byte substitution by calculation

• Compute the inverse of the affine transformation, giving B_i′
• Compute A_i = (B_i′)^{-1} ∈ GF(2^8), i.e. use the inverse GF(2^8)
Table 4.2 again.
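Both directions of byte substitution by calculation, the forward S-box from the earlier slide (inverse in GF(2^8), then the affine mapping) and the inverse S-box described here (inverse affine mapping, then inverse in GF(2^8)), as an added example that is not from the slides or the textbook. It builds the inverse table (the role of Table 4.2) by search using a byte-oriented multiply, and applies each affine mapping as an 8×8 matrix over GF(2). The forward matrix row 0xF1 with constant 0x63 and the inverse matrix row 0xA4 with constant 0x05 are the standard AES values; the function and constant names are this example's own.

```python
# Added example (not from the slides): AES byte substitution and its inverse
# computed from the two steps on the slides, multiplicative inverse in GF(2^8)
# followed by the affine mapping, plus the reverse steps for decryption.
# Bytes are polynomials over GF(2): bit i of the byte is coefficient a_i.

AES_POLY = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1

def gf256_mul(a: int, b: int) -> int:
    """Byte-oriented multiply in GF(2^8): add a shifted copy of a for every
    set bit of b, reducing by P(x) whenever the running copy reaches degree 8."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result

# Inverse table (the role of the textbook's Table 4.2), built by search:
# inv[a] is the unique b with a * b = 1. Zero has no inverse and is mapped to 0.
GF256_INV = [0] * 256
for _a in range(1, 256):
    GF256_INV[_a] = next(_b for _b in range(1, 256) if gf256_mul(_a, _b) == 1)

def affine(b: int, row0: int, const: int) -> int:
    """Apply y = M * b + const over GF(2), where row i of M is row0 rotated
    left by i bits (both AES affine matrices are circulant) and + is XOR."""
    y = 0
    for i in range(8):
        row = ((row0 << i) | (row0 >> (8 - i))) & 0xFF
        bit = bin(row & b).count("1") & 1    # dot product of row and b, mod 2
        y |= bit << i
    return y ^ const

# Standard AES constants: the forward map uses row 11110001 and constant 63,
# the inverse map uses row 10100100 and constant 05.
FWD_ROW, FWD_CONST = 0xF1, 0x63
INV_ROW, INV_CONST = 0xA4, 0x05

def sbox(a: int) -> int:
    """S(A_i): invert in GF(2^8), then apply the affine mapping."""
    return affine(GF256_INV[a], FWD_ROW, FWD_CONST)

def inv_sbox(b: int) -> int:
    """S^-1(B_i): undo the affine mapping to recover B_i', then invert in GF(2^8)."""
    return GF256_INV[affine(b, INV_ROW, INV_CONST)]

def is_nonlinear_witness(a: int, b: int) -> bool:
    """True when S(a) + S(b) != S(a + b), i.e. the pair shows the S-box is not linear."""
    return (sbox(a) ^ sbox(b)) != sbox(a ^ b)

if __name__ == "__main__":
    print(f"inverse of C2 = {GF256_INV[0xC2]:02X}")   # 2F
    print(f"S(C2) = {sbox(0xC2):02X}")                # 25
    print(f"S^-1(25) = {inv_sbox(0x25):02X}")         # C2
```

Computing the inverse by search (or by exponentiation) is fine for building a table once, but it is data-dependent in time and would be a side-channel risk if done per byte during encryption; real implementations precompute the 256-entry S-box exactly as Table 4.3 does, and constant-time designs avoid even that table lookup.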

Summary - AES

• Efficient in software and hardware
• Commercial ASIC or FPGA implementations
• Currently no known analytical attack
• Widely used in modern systems – WPA2, IPsec, TLS, etc.

Rules about making and using cryptography

• Never make your own crypto algorithm unless there is a
team of cryptanalysts checking your design.
• Only use well proven standard algorithms which have
undergone extensive analysis and tests.
• Use long encryption keys – 64 bits for short term, 128 bits
for several decades, 256 bits for decades and against
quantum computers.
• Change the key often
• Security by obscurity is no security

Conclusion

• Symmetric key crypto – the same shared key is used to
encrypt and decrypt
• Works in stream or block mode
• Fast, easy to implement, efficient
• Can be implemented in hardware or software
• Used for bulk encryption of data
• Protects confidentiality
• Problem: How to share the secret key?
