Module 2

Symmetric and Asymmetric key

Cryptography and key
Management

No. of Hours: 12 Marks: 25

 Contends

• Part 1- Symmetric Key Cryptography :

➢ Block cipher principles
➢ block cipher modes of operation,
➢ DES, Double DES, Triple DES,
➢ Advanced Encryptions Standard (AES)
➢ Stream Ciphers: RC5 algorithm.
• Part 2- Public key cryptography:
➢ Principles of public key cryptosystems
➢ The RSA algorithm,
➢ The knapsack algorithm,
➢ ElGamal Algorithm.
• Part 3- Key Management Techniques:
➢ Using Symmetric and Asymmetric Algorithms
➢ Trusted Third Party
➢ Diffie Hellman Key Exchange Algorithm.

5/18/2021 CSS Module 2 Rohini Bhosale 2

 Stream and Block Ciphers

• On the basis of what size of plain text should be encrypted

in each step of algorithm the symmetric ciphers are
classified into two broad categories:
1. Stream Ciphers
2. Block Ciphers
• Although the definitions are normally applied to modern
ciphers, this categorization also applies to traditional
ciphers

5/18/2021 CSS Module 2 Rohini Bhosale 3

 Stream Cipher

• A stream cipher is one that encrypts a digital data stream

one bit or one byte at a time.
• Examples of classical stream ciphers are the autokeyed
Vigenère cipher and the Vernam cipher.

5/18/2021 CSS Module 2 Rohini Bhosale 4

 Stream Ciphers

• Let plaintext stream P, the ciphertext stream C, and the

key stream K.

Stream cipher

5/18/2021 CSS Module 2 Rohini Bhosale 5

 Block Cipher…

• A block cipher is one in which a block of plaintext is

treated as a whole and used to produce a ciphertext block
of equal length.
• Each block is of equal size and has fixed no of bits.
• The generated ciphertext has blocks equal to the number
of blocks in plaintext
• same key is used for en/decryption.
• Typically, a block size of 64 or 128 bits
• many current ciphers are block ciphers

Fig. Block Cipher

5/18/2021 CSS Module 2 Rohini Bhosale 6

 Block Cipher

Many block ciphers have a Feistel structure.

5/18/2021 CSS Module 2 Rohini Bhosale 7

Difference between Block Cipher and Stream
Cipher …….
Sr. Block Cipher Stream Cipher
No
1 Block Cipher Converts the plain Stream Cipher Converts the plain
text into cipher text by taking text into cipher text by taking 1
plain text’s block at a time. byte of plain text at a time.
2 Block cipher uses either 64 bits
While stream cipher uses 8 bits.
or more than 64 bits.
3 The complexity of block cipher While stream cipher is more
is simple. complex.
4 Block cipher Uses confusion as While stream cipher uses only
well as diffusion. confusion.

8
5/18/2021 CSS Module 2 Rohini Bhosale
Difference between Block Cipher and Stream
Cipher
Sr. No Block Cipher Stream Cipher

5 In block cipher, reverse While in stream cipher, reverse

encrypted text is hard. encrypted text is easy.
6 The algorithm modes which
The algorithm modes which are
are used in block cipher are:
used in stream cipher are: CFB
ECB (Electronic Code Book)
(Cipher Feedback) and OFB
and CBC (Cipher Block
(Output Feedback).
Chaining).
7 Block cipher is slow as While stream cipher is fast in
compared to stream cipher. comparison to block cipher.

5/18/2021 CSS Module 2 Rohini Bhosale 9

 Block Cipher Principles

• A block cipher is designed by considering its three critical

aspects :
1. Number of Rounds
2. Design of Function F
3. Key Schedule Algorithm
• Most symmetric block ciphers are based on a Feistel
Cipher Structure

5/18/2021 CSS Module 2 Rohini Bhosale 11

 Number of Rounds

 The greater the number of rounds, the more difficult it is to perform

cryptanalysis, even for a relatively weak F.

 In general, the criterion should be that the number of rounds is chosen

so that known cryptanalytic efforts require greater effort than a simple
brute-force key search attack. This criterion was certainly used in the
design of DES.

5/18/2021 CSS Module 2 Rohini Bhosale 12

 Design of Function F

 The heart of a Feistel block cipher is the function F, which

provides the element of confusion in a Feistel cipher. Thus,
it must be difficult to “unscramble” the substitution
performed by F.
 F must be nonlinear. The more nonlinear F, the more
difficult any type of cryptanalysis will be.

5/18/2021 CSS Module 2 Rohini Bhosale 13

 Key Schedule Algorithm

 With any Feistel block cipher, the key is used to generate

one subkey for each round.
 In general, we would like to select subkey to
maximize the difficulty of deducing individual subkeys and
the difficulty of working back to the main key.

5/18/2021 CSS Module 2 Rohini Bhosale 14

 Block Cipher Modes of Operation

A block cipher algorithm is a basic building block for providing

data security. To apply a block cipher in a variety of applications,
different "modes of operation" have been defined by NIST.
 In essence, a mode of operation is a technique for enhancing the
effect of a cryptographic algorithm or adapting the algorithm for
an application, such as applying a block cipher to a sequence of
data blocks or a data stream.
 The modes are intended to cover virtually all the possible
applications of encryption for which a block cipher could be
used.

5/18/2021 CSS Module 2 Rohini Bhosale 15

 Electronic Codebook Mode

 The simplest mode is the electronic codebook (ECB) mode, in which

plaintext is handled one block at a time and each block of plaintext is
encrypted using the same key (Figure a & b).
 The term codebook is used because, for a given key, there is a unique
ciphertext for every b-bit block of plaintext.
 For a message longer than b bits, the procedure is simply to break the
message into b-bit blocks, padding the last block if necessary.
 Decryption is performed one block at a time, always using the same key.
In Figure, the plaintext (padded as necessary) consists of a sequence of
b-bit blocks, P1, P2,..., PN; the corresponding sequence of ciphertext
blocks is C1, C2,..., CN.

5/18/2021 CSS Module 2 Rohini Bhosale 16

 Electronic Codebook Mode

Figure . Electronic Codebook (ECB) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 17

 Electronic Codebook Mode

 The ECB method is ideal for a short amount of data, such as an encryption key.
Thus, if you want to transmit a DES key securely, ECB is the appropriate mode to use.
 The most significant characteristic of ECB is that the same b-bit block of plaintext, if
it appears more than once in the message, always produces the same ciphertext.

 For lengthy messages, the ECB mode may not be secure.

 If the message is highly structured, it may be possible for a cryptanalyst to exploit
these regularities. For example, if it is known that the message always starts out with
certain predefined fields, then the cryptanalyst may have a number of known
plaintext-ciphertext pairs to work with. If the message has repetitive elements, with
a period of repetition a multiple of b bits, then these elements can be identified by
the analyst. This may help in the analysis or may provide an opportunity for
substituting or rearranging blocks.

5/18/2021 CSS Module 2 Rohini Bhosale 18

 Cipher Block Chaining Mode

 To overcome the security deficiencies of ECB, we would like a technique

in which the same plaintext block, if repeated, produces different
ciphertext blocks.
 A simple way to satisfy this requirement is the cipher block chaining
(CBC) mode.
 In this scheme, the input to the encryption algorithm is the XOR of the
current plaintext block and the preceding ciphertext block; the
same key is used for each block.
 In effect, we have chained together the processing of the sequence of
plaintext blocks.
 The input to the encryption function for each plaintext block bears no
fixed relationship to the plaintext block. Therefore, repeating patterns
of b bits are not exposed.

5/18/2021 CSS Module 2 Rohini Bhosale 19

 CBC Mode Diagram

Figure : Cipher Block Chaining (CBC) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 20

 Details of CBC

 For decryption, each cipher block is passed through the decryption algorithm. The
result is XORed with the preceding ciphertext block to produce the plaintext block.
 To produce the first block of ciphertext, an initialization vector (IV)(no special
meaning , it is randomly generated) is XORed with the first block of plaintext.
 On decryption, the IV is XORed with the output of the decryption algorithm to
recover the first block of plaintext. The IV is a data block that is that same size as
the cipher block.
 The IV must be known to both the sender and receiver but be unpredictable by
a third party.
 For maximum security, the IV should be protected against unauthorized changes.
This could be done by sending the IV using ECB encryption.
 Because of the chaining mechanism of CBC, it is an appropriate mode for encrypting
messages of length greater than b bits.
 CBC mode can be used for authentication.

5/18/2021 CSS Module 2 Rohini Bhosale 21

 Cipher Feedback Mode

 The DES scheme is essentially a block cipher technique that uses b-bit
blocks.
 However, it is possible to convert DES into a stream cipher, using either
the cipher feedback (CFB) or the output feedback mode.

 Figure depicts the CFB scheme. In the figure, it is assumed that the unit
of transmission is s bits; a common value is s = 8. As with CBC, the
units of plaintext are chained together, so that the ciphertext of any
plaintext unit is a function of all the preceding plaintext. In this case,
rather than units of b bits, the plaintext is divided into segments of s
bits.

5/18/2021 CSS Module 2 Rohini Bhosale 22

 CFB

First, consider encryption.

 The input to the encryption function is a b-bit shift register that is
initially set to some initialization vector (IV).

 The leftmost (most significant) s bits of the output of the encryption

function are XORed with the first segment of plaintext P1 to produce
the first unit of ciphertext C, which is then transmitted.

 In addition, the contents of the shift register are shifted left by s bits
and C is placed in the rightmost (least significant) s bits of the shift
register.

 This process continues until all plaintext units have been encrypted.

5/18/2021 CSS Module 2 Rohini Bhosale 23

 Diagram of CFB (Encryption)

Figure. s-bit Cipher Feedback (CFB) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 24

 Diagram of CFB (Decryption)

Figure. s-bit Cipher Feedback (CFB) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 25

 Output Feedback Mode

 The output feedback (OFB) mode is similar in structure to that of CFB, as

illustrated in
• Figure. As can be seen, it is the output of the encryption function that is
fed back to the shift register in OFB, whereas in CFB the ciphertext unit is
fed back to the shift register.

 One advantage of the OFB method is that bit errors in transmission do not
propagate. For example, if a bit error occurs in C1 only the recovered value
of is P1 affected; subsequent plaintext units are not corrupted. With CFB, C1
also serves as input to the shift register and therefore causes additional
corruption downstream.

 The disadvantage of OFB is that it is more vulnerable to a message stream

modification attack than is CFB.

5/18/2021 CSS Module 2 Rohini Bhosale 27

 Diagram of OFB (Encryption)

Figure. s-bit Output Feedback (OFB) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 28

 Diagram of OFB (Encryption)

Figure. s-bit Output Feedback (OFB) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 29

 Counter Mode

 In CTR mode a counter, equal to the plaintext block size is

used.
 The only requirement is that the counter value must be
different for each plaintext block that is encrypted.
 The counter is initialized to some value and then incremented by
1 for each subsequent block. For encryption, the counter is
encrypted and then XORed with the plaintext block to produce
the ciphertext block; there is no chaining.
 For decryption, the same sequence of counter values is used,
with each encrypted counter XORed with a ciphertext block to
recover the corresponding plaintext block.

5/18/2021 CSS Module 2 Rohini Bhosale 30

 CTR Encryption

Figure. Counter (CTR) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 31

 CTR Decryption

Figure. Counter (CTR) Mode

5/18/2021 CSS Module 2 Rohini Bhosale 32

 Applications of Modes of Operation
Mode Description Typical Application

(ECB) Each block of 64 plaintext bits is encoded Secure transmission of single

independently using the same key values (e.g., an encryption
key)
(CBC) The input to the encryption algorithm is the XOR of General-purpose block-
thenext 64 bits of plaintext and the preceding 64 bits oriented transmission
of ciphertext Authentication
(CFB) Input is processed j bits at a time. Preceding General-purpose stream-
ciphertext is used as input to the encryption oriented transmission
algorithm to produce pseudorandom output, which Authentication
is XORed with plaintext to produce next unit of
ciphertext
(OFB) Similar to CFB, except that the input to the Stream-oriented transmission
encryption algorithm is the preceding DES output. overnoisy channel (e.g.,
satellite communication)
(CTR) Each block of plaintext is XORed with an encrypted General-purpose block-
counter. The counter is incremented for each oriented transmission
subsequent block Useful for high-speed
requirements

5/18/2021 CSS Module 2 Rohini Bhosale 33

 Feistel Cipher Structure

 Feistel proposed that we can approximate the ideal block cipher

by utilizing the concept of a product cipher, which is the
execution of two or more simple ciphers in sequence in such a
way that the final result or product is cryptographically stronger
than any of the component ciphers.

 The essence of the approach is to develop a block cipher with a

key length of k bits and a block length of n bits, allowing a total of
2k possible transformations, rather than the 2n! transformations
available with the ideal block cipher.

5/18/2021 CSS Module 2 Rohini Bhosale 34

 Feistel Cipher Design Elements
➢ block size
➢ key size
➢ number of rounds
➢ subkey generation
algorithm
➢ round function
➢ fast software
en/decryption
➢ ease of analysis

5/18/2021 CSS Module 2 Rohini Bhosale 35

 Feistel Cipher Structure

5/18/2021 CSS Module 2 Rohini Bhosale 38

 Data Encryption Standard

 It is a block cipher
 The most widely used encryption scheme is based on the
Data Encryption Standard (DES) adopted in 1977 by the
National Institute of Standards and Technology (NIST).
 The algorithm itself is referred to as the Data Encryption
Algorithm (DEA).
 For DES, data are encrypted in 64-bit blocks using a 56-bit
key. The algorithm transforms 64-bit input in a series of
steps into a 64-bit output. The same steps, with the same
key, are used to reverse the encryption.

5/18/2021 CSS Module 2 Rohini Bhosale 46

 Feistel Structure of DES

➢ block size ---64 bits

➢ key size ---64 bits
➢ number of rounds ---16
➢ number of rounds subkeys -- 16
➢ Size of subkeys – 56 bits
➢ Size of cipher block– 64 bits

5/18/2021 CSS Module 2 Rohini Bhosale 47

 Phases of DES

1. First, the 64-bit plaintext passes through an initial

permutation (IP) that rearranges the bits to produce the
permuted input.
2. Sixteen rounds of the same function, which involves both
permutation and substitution functions.
3. The output of the last round consists of 64 bits that are a
function of the input plaintext and the key. The left and
right halves of the output are swapped to produce the
pre-output.
4. The pre-output is passed through a permutation that is
the inverse of the initial permutation function, to
produce the 64-bit cipher text.

5/18/2021 CSS Module 2 Rohini Bhosale 48

General depiction of DES Encryption Algorithm

5/18/2021 CSS Module 2 Rohini Bhosale 50

 Initial Permutation
• The input to a table consists of 64
bits numbered from 1 to 64.
• The 64 entries in the permutation
table contain a permutation of the
numbers from 1 to 64.
• Each entry in the permutation table
indicates the position of a numbered
input bit in the output, which also
consists of 64 bits.
• From this the initial permutation and
its inverse are defined.
➢ example:

IP(675a6967 5e5a6b5a) =
(ffb2194d 004df6fb)

5/18/2021 CSS Module 2 Rohini Bhosale 52

 DES Round Structure

• uses two 32-bit L & R halves

• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit subkey:
➢ expands R to 48-bits using perm E
➢ adds to subkey using XOR
➢ passes through 8 S-boxes to get 32-bit result
➢ finally permutes using 32-bit perm P
 Rounds in DES

5/18/2021 CSS Module 2 Rohini Bhosale 54

 Expansion Permutation (E)
and Permutation Function (P)

Expansion Permutation (E) Permutation Function (P)

5/18/2021 CSS Module 2 Rohini Bhosale 55

 Substitution Boxes S

➢ have eight S-boxes which map 6 to 4 bits

➢ each S-box is actually 4 little 4 bit boxes
⚫ outer bits 1 & 6 (row bits) select one row of 4
⚫ inner bits 2-5 (col bits) are substituted
⚫ result is 8 lots of 4 bits, or 32 bits
➢ row selection depends on both data & key
⚫ feature known as autoclaving (autokeying)
➢ example:
⚫ S(18 09 12 3d 11 17 38 39) = 5fd25e03
 S-Box

5/18/2021 CSS Module 2 Rohini Bhosale 57

 Example of S-box working

5/18/2021 CSS Module 2 Rohini Bhosale 58

 S-box in DES

5/18/2021 CSS Module 2 Rohini Bhosale 59

 Inverse Initial Permutation (IP-1)

Inverse Initial Permutation (IP-1)

5/18/2021 CSS Module 2 Rohini Bhosale 60

 Subkey Generation in DES

5/18/2021 CSS Module 2 Rohini Bhosale 61

 DES Key Schedule

➢ forms subkeys used in each round

⚫ initial permutation of the key (PC1) which selects 56-bits in two
28-bit halves
⚫ 16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on
the key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2 for
use in round function F
➢ note practical use issues in h/w vs s/w
5/18/2021 CSS Module 2 Rohini Bhosale 63
5/18/2021 CSS Module 2 Rohini Bhosale 64
 DES Decryption

• decrypt must unwind steps of data computation

• with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
➢ IP undoes final FP step of encryption
➢ 1st round with SK16 undoes 16th encrypt round
➢ ….
➢ 16th round with SK1 undoes 1st encrypt round
➢ then final FP undoes initial encryption IP
➢ thus recovering original data value
 DES Decryption

5/18/2021 CSS Module 2 Rohini Bhosale 66

DES Example
 Avalanche Effect

• key desirable property of encryption alg

• where a change of one input or key bit results in changing
approx half output bits
• making attempts to “home-in” by guessing keys
impossible
• DES exhibits strong avalanche
Avalanche in DES
 The Strength of DES

The Use of 56-Bit Keys

 With a key length of 56 bits, there are 256 possible keys, which is
approximately 7.2 x 1016.

 A brute-force attack appears impractical.

 Assuming that, on average, half the key space has to be searched, a single
machine performing one DES encryption per microsecond would take
more than a thousand years to break the cipher.

 Diffie and Hellman postulated that the technology existed to build a

parallel machine with 1 million encryption devices, each of which could
perform one encryption per microsecond. This would bring the average
search time down to about 10 hours.

5/18/2021 CSS Module 2 Rohini Bhosale 70

 The Nature of the DES Algorithm

1. Possibilities of cryptanalysis is done by finding the characteristics of

DES algorithm.

2. Learning of S-Box logic is complex.

3. Weakness of the S-boxes not been discovered.

5/18/2021 CSS Module 2 Rohini Bhosale 71

 Variants of DES

• The speed of exhaustive key searches against DES after

1990 began to cause discomfort amongst users of DES.
• There are two variants of
1. Double DES
2. Triple DES
i. Triple DES known as 3-key Triple DES (3TDES)
ii. 2-key Triple DES (2TDES)

5/18/2021 CSS Module 2 Rohini Bhosale 72

 Double DES

5/18/2021 CSS Module 2 Rohini Bhosale 73

 3-KEY Triple DES

5/18/2021 CSS Module 2 Rohini Bhosale 74

 2-key Triple DES (2TDES)

5/18/2021 CSS Module 2 Rohini Bhosale 75

 Origins of Advanced Encryption Standards

• clear a replacement for DES was needed

➢ have theoretical attacks that can break it
➢ have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
 AES Requirements

• private key symmetric block cipher

• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions & unclassified
analyses
 AES Evaluation Criteria

• initial criteria:
➢ security – effort for practical cryptanalysis
➢ cost – in terms of computational efficiency
➢ algorithm & implementation characteristics
• final criteria
➢ general security
➢ ease of software & hardware implementation
➢ implementation attacks
➢ flexibility (in en/decrypt, keying, other factors)
 AES Shortlist

• after testing and evaluation, shortlist in Aug-99:

➢ MARS (IBM) - complex, fast, high security margin
➢ RC6 (USA) - v. simple, v. fast, low security margin
➢ Rijndael (Belgium) - clean, fast, good security margin
➢ Serpent (Euro) - slow, clean, v. high security margin
➢ Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
➢ few complex rounds verses many simple rounds
➢ which refined existing ciphers verses new proposals
 Specifications of AES

➢ block size ---128 bits

➢ key size ---128 bits
➢ number of rounds ---10
➢ number of subkeys -- 44
➢ Size of subkeys – 32 bits
➢ No of subkeys used in each round ---4 subkeys
➢ Pre-count calculation –4 subkeys
➢ Size of cipher block– 128 bits

• 1 word=32 bits =4 bytes

5/18/2021 CSS Module 2 Rohini Bhosale 80

 The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium

• has 128/192/256 bit keys, 128 bit data
• an iterative rather than feistel cipher
➢ processes data as block of 4 columns of 4 bytes
➢ operates on entire data block in every round
• designed to be:
➢ resistant against known attacks
➢ speed and code compactness on many CPUs
➢ design simplicity
 Rijndael

• data block of 4 columns of 4 bytes is state

• key is expanded to array of words
• has 9/11/13 rounds in which state undergoes:
➢ byte substitution (1 S-box used on every byte)
➢ shift rows (permute bytes between groups/columns)
➢ mix columns (subs using matrix multipy of groups)
➢ add round key (XOR state with key material)
➢ view as alternating XOR key & scramble data bytes
• initial XOR key material & incomplete last round
• with fast XOR & table lookup implementation
Rijndael
 State Array Input and Output

5/18/2021 CSS Module 2 Rohini Bhosale 84

 AES Data Processing

5/18/2021 CSS Module 2 Rohini Bhosale 85

 Byte Substitution

• a simple substitution of each byte

• uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
• each byte of state is replaced by byte indexed by
row (left 4-bits) & column (right 4-bits)
➢ eg. byte {95} is replaced by byte in row 9 column 5
➢ which has value {2A}
• S-box constructed using defined transformation
of values in GF(28)
• designed to be resistant to all known attacks
Byte Substitution
 S-Box lookup table for SubByte

5/18/2021 CSS Module 2 Rohini Bhosale 88

 Substitute Bytes Example

5/18/2021 CSS Module 2 Rohini Bhosale 89

 Shift Rows

• a circular byte shift in each

➢ 1st row is unchanged
➢ 2nd row does 1 byte circular shift to left
➢ 3rd row does 2 byte circular shift to left
➢ 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
 Mix Columns

• each column is processed separately

• each byte is replaced by a value dependent on all 4 bytes
in the column
• effectively a matrix multiplication in GF(28) using prime
poly m(x) =x8+x4+x3+x+1
Mix Columns
 Mix Columns

• can express each col as 4 equations

➢ to derive each new byte in col
• decryption requires use of inverse matrix
➢ with larger coefficients, hence a little harder
• have an alternate characterisation
➢ each column a 4-term polynomial
➢ with coefficients in GF(28)
➢ and polynomials multiplied modulo (x4+1)
 Add Round Key

• XOR state with 128-bits of the round key

• again processed by column (though effectively a series of
byte operations)
• inverse for decryption identical
➢ since XOR own inverse, with reversed keys
• designed to be as simple as possible
➢ a form of Vernam cipher on expanded key
➢ requires other stages for complexity / security
Add Round Key
AES Round
 AES Decryption

• AES decryption is not identical to encryption since steps

done in reverse
• but can define an equivalent inverse cipher with steps as
for encryption
➢ but using inverses of each step
➢ with a different key schedule
• works since result is unchanged when
➢ swap byte substitution & shift rows
➢ swap mix columns & add (tweaked) round key
AES Decryption