
Advanced Encryption Standard

(Rijndael Algorithm)
AES Selection Process

• September 12, 1997: NIST publicly calls for nominees for the new AES
• 1st AES conference, August 20-23, 1998
– (15 algorithms are candidates for becoming AES)
• Public review of the algorithms
• 2nd AES conference, March 22-23, 1999
– (presentation, analysis and testing)
• August 9, 1999: the 5 finalists are announced
– (MARS, RC6, RIJNDAEL, SERPENT, TWOFISH)
• Public review
• 3rd AES conference, April 13-14, 2000
– (presentation, analysis and testing)
AES selection process (Contd.)
• October 2, 2000: the winner is chosen: RIJNDAEL
• February 28, 2001: publication of a draft Federal Information Processing Standard (FIPS)
• Public review of 90 days
• Proposal to the Secretary of Commerce for approval
• Publication in the Federal Register, December 6, 2001
– Effective starting from May 26, 2002
AES-128

[Figure: AES-128 with a 128-bit block and 128-bit key. The input is XORed with round key K0 and then passes through 10 rounds, each consisting of (1) SubBytes, (2) ShiftRow, (3) MixColumn and XOR with the round key (K1 ... K9); the last round omits MixColumn and ends with XOR of K10 to give the output.]
AES round function

(1) SubBytes
(2) ShiftRow
(3) MixColumn
AES is a Subs-Perm network (not Feistel)
[Figure: substitution-permutation network. In each round the input is XORed with a round key (k1, k2, ..., kn), passed through a substitution layer of S-boxes S1 ... S8 and then a permutation layer; every layer is invertible, so decryption runs the layers in reverse from output to input.]
AES-128 chart

[Figure: the 4 × 4 byte input is XORed with k0 and then goes through 10 rounds of (1) ByteSub, (2) ShiftRow, (3) MixColumn (omitted in the last round) and XOR with the round keys k1 ... k10; every step is invertible. Key expansion: the 16-byte key is expanded to 176 bytes (11 round keys of 16 bytes). The result is the 4 × 4 byte output.]
The Notable Features of AES
• AES is a block cipher with a block length of 128 bits.
• AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion will assume that the key length is 128 bits.
• Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
• Except for the last round in each case, all other rounds are identical.
• Each round of processing includes: one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key. The order in which these four steps are executed is different for encryption and decryption.

• Notice that the first four bytes of a 128-bit input block occupy the first column in the 4 × 4 array of bytes.
• The next four bytes occupy the second column, and so on.
The input to encryption and decryption is a single 128-bit block, depicted as a 4 × 4 square matrix of bytes.

This block is copied into the State array, which is modified at each stage of encryption or decryption.

The key is also depicted as a square matrix of bytes (M bytes), which is then expanded into an array of key schedule words.

Each word is 4 bytes, and the total key schedule is 44 words for a 128-bit key.

The ordering of bytes within a matrix is by column: the first four bytes of the 128-bit input to the cipher occupy the first column of the matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.
The Detailed Structure

Four different stages are used, one of permutation and three of substitution:

■ Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block.

■ ShiftRows: a simple permutation.

■ MixColumns: a substitution that makes use of arithmetic over GF(2^8).

■ AddRoundKey: a simple bitwise XOR of the current block with a portion of the expanded key.

Only the AddRoundKey stage makes use of the key.


AES Encryption Round
AES Transformation Functions: State
• Internally, the AES algorithm's operations are performed on a two-dimensional array of bytes called the State.
– 4 rows, each containing Nb bytes
– Nb columns, each constituted by a 32-bit word
– S_{r,c} denotes the byte in row r and column c
AES Transformation Functions: Add-Round Key

• The forward add round key transformation, called Add-Round-Key: the 128 bits of State are bitwise XORed with the 128 bits of the round key.

The first matrix is State, and the second matrix is the round key. The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.

• As the figure shows, the operation can be viewed as a column-wise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
AES Transformation Functions: Substitute Bytes Transformation
• The forward substitute byte transformation is called Sub-Bytes.
• Each individual byte of State is mapped into a new byte in the following way:
(1) The leftmost 4 bits of the byte are used as a row value.
(2) The rightmost 4 bits are used as a column value.
(3) These row and column values serve as indexes into the S-box to select a unique output value.
Contd., S-box Table

Example: hex 53 is replaced with hex ED.

The first 4 bits of the byte (the first hexadecimal digit) indicate the row; the last 4 bits (the second hexadecimal digit) indicate the column.
AES Transformation Functions: Shift-Rows Transformation
• The forward shift row transformation is called Shift-Rows.
(1) The first row of State is not altered.
(2) For the second row, a 1-byte circular left shift is performed.
(3) For the third row, a 2-byte circular left shift is performed.
(4) For the fourth row, a 3-byte circular left shift is performed.
• The following is an example of Shift-Rows.
AES Transformation Functions: mix column transformation
• The forward mix column transformation is called MixColumns.
(1) Operates on each column individually.
(2) Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
(3) The transformation can be defined by the following matrix multiplication on State
Contd., mix column transformation

Each element in the product matrix is the sum of the products of the elements of one row and one column, where addition is XOR and multiplication is carried out in GF(2^8).
Contd., mix column transformation
• Thus, to verify the MixColumns transformation on the first column, the calculation is shown below.

The other equations can be verified in the same way.
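The four round transformations described in the SubBytes, ShiftRows, MixColumns and AddRoundKey sections above, as an added Python example that is not part of the original slides. The S-box is computed from its GF(2^8) definition (multiplicative inverse followed by the affine map) rather than copied from the table, so sbox(0x53) reproduces the 0xED of the S-box example; mix_columns performs the column verification on a sample column (db 13 53 45) constructed here, and all function names are my own.

```python
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); by convention 0 maps to 0."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def sbox(a):
    """S-box entry for byte a: GF(2^8) inverse, then the affine map b = A.x + 0x63."""
    x = gf_inv(a)
    y = 0x63
    for i in range(5):  # x XOR its left rotations by 1, 2, 3 and 4 bits
        y ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return y

def bytes_to_state(block):
    """16 input bytes fill the State column by column: byte i -> row i % 4, column i // 4."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [[sbox(b) for b in row] for row in state]

def shift_rows(state):
    """Row r is circularly shifted left by r bytes; row 0 is unchanged."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_columns(state):
    """Each column is multiplied by the fixed MIX matrix; '+' is XOR, '*' is gf_mul."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gf_mul(MIX[r][k], state[k][c])
    return out

def add_round_key(state, round_key):
    """Bitwise XOR of State with the round key; the inverse is the same operation."""
    return [[s ^ k for s, k in zip(sr, kr)] for sr, kr in zip(state, round_key)]
```

For the constructed column db 13 53 45, mix_columns yields 8e 4d a1 bc; a column of identical bytes is left unchanged because the four matrix coefficients 2, 3, 1, 1 XOR to 1.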


Decrypt Block (Inverse Cipher)
Attacking block ciphers
Attacks on block ciphers
• Brute force attacks: search through every possible key in the key space
– Generic: works for all block ciphers
– Not practical for large key spaces

• Advanced attacks: try to exploit the concrete details of the block cipher
– Differential cryptanalysis (published in 1990, but known to the designers of DES and the NSA since the mid-1970s)
– Linear cryptanalysis (1992)
– AES was designed to resist both

• Implementation attacks: vulnerabilities due to implementation characteristics
– Power analysis
– Timing
– Cache misses
Summary

• Block ciphers are very important primitives (building blocks) – but they are not encryption
schemes!

• Correct abstraction: block ciphers = PRPs

• Right security notion for PRFs/PRPs: indistinguishability from random function/permutation

• Concrete block cipher designs: DES and AES


The Big (Partial) Picture

Second-level protocols (can do proofs): SSH, SSL/TLS, IPSec; electronic cash, electronic voting

First-level protocols (can do proofs): symmetric encryption schemes, MACs, asymmetric encryption, digital signatures

Primitives (no one knows how to prove security; make assumptions): block ciphers, stream ciphers, hash functions, hard problems


Contd., Block chaining modes

• The modes of operation of block ciphers allow ciphers to work with large data streams without compromising the security they provide.

• Using one deterministic algorithm with the same secret key to encrypt identical plaintext parts is not recommended: identical input data results in identical ciphertext blocks.

• Checkpoint: an intruder is able to obtain a lot of information just by knowing the distribution of identical message parts, even if he is not able to break the cipher and discover the original messages.

• Solution: luckily, there exist ways to blur the cipher output.

The idea: mix the plaintext blocks (which are known) with the ciphertext blocks (which have just been created), and use the result as the cipher input for the next blocks.

As a result, the user avoids creating identical ciphertext blocks from identical plaintext data.

These modifications are called the block cipher modes of operation.


Modes of Operation
Electronic Codebook (ECB) Mode
It is the simplest mode of operation: each plaintext block is encrypted separately, and thus each ciphertext block is decrypted separately.
Contd.,
• Problem 1: It can be proved that each plaintext block at Alice's site is exactly recovered at Bob's site, because encryption and decryption are inverses of each other.

• Problem 2: This mode is called electronic codebook because one can precompile 2^K codebooks (one for each key) in which each codebook has 2^n entries in two columns; each entry lists a plaintext block and the corresponding ciphertext block. However, if K and n are large, the codebook would be far too large to precompile and maintain.

• Problem 3: Assume that Eve works in a company a few hours per month (her monthly payment is very low). She knows that the company uses several blocks of information for each employee, in which the seventh block is the amount of money to be deposited in the employee's account. Eve can intercept the ciphertext sent to the bank at the end of the month and replace the block with the information about her payment with a copy of the block with the information about the payment of a full-time colleague. Each month Eve can receive more money than she deserves.
Contd.,
• Security issues
– 1. Patterns at the block level are preserved.
– 2. The block independence creates opportunities for Eve to exchange some ciphertext blocks without knowing the key.

• Error propagation

A single bit error in transmission can create errors in several bits of the corresponding block. However, the error does not have any effect on the other blocks.

Applications of ECB:

• The ECB mode is not recommended for encryption of messages longer than one block.
• One area where the independence of the ciphertext blocks is useful is where records need to be encrypted before they are stored in a database, or decrypted when they are retrieved; access to the database can be random.
• Another advantage of this mode is that parallel processing can be used if a very large encrypted database needs to be created.
Cipher Block Chaining (CBC) Mode
• In CBC mode, each plaintext block is XORed with the previous ciphertext block before being encrypted.

The first plaintext block is XORed with a random initialization vector (IV) of the same size as a plaintext block.
IV: a binary vector used as input to initialize the algorithm for the encryption of a plaintext block sequence, in order to increase security.
Contd.,

It can be proved that each plaintext block at Alice's site is recovered exactly at Bob's site, because encryption and decryption are inverses of each other.

Initialization Vector (IV)


The initialization vector (IV) should be known by the sender and the receiver.
Contd.,
• Security issues
– Patterns at the block level are not preserved. However, if the first M blocks in two different messages are equal, they are enciphered into equal blocks unless different IVs are used. Hence the use of a timestamp as an IV is recommended.
– Eve can add some ciphertext blocks to the end of the ciphertext stream.

• Error propagation
In CBC mode, a single bit error in ciphertext block Cj during transmission may create errors in most bits of plaintext block Pj during decryption.

• Applications
– Parallel processing is not possible.
– CBC mode is not used to encrypt and decrypt random-access file records because of the need to access the previous records.
– CBC mode is used for authentication.
CFB (Cipher Feedback) Mode
• The CFB mode is similar to CBC mode; the main difference is that the ciphertext of the previous round (not the plaintext block) is encrypted, and the output is then added (XORed) to the plaintext bits.

This does not affect the security of the cipher, but the same encryption function of the block cipher must be used during the decryption process as well.
Contd.,
• Advantages
This mode does not need padding, because the size of the block, r, is normally chosen to fit the data unit to be encrypted (a character, for example).

The system does not have to wait until it has received a large block of data (64 or 128 bits) before starting the encryption.

• Disadvantages
CFB is less efficient than CBC and ECB because it needs to apply the encryption function for each small block of size r.
Contd.,
• Security issues
– The patterns are not preserved.
– The IV should be changed for each message.
– Eve can add some ciphertext blocks to the end of the ciphertext stream.

• Error propagation
– A single bit error in ciphertext block Ci during transmission creates a single bit error in plaintext block Pi.
– However, most of the bits in the following plaintext blocks are in error.

• Application
– This mode can be used to encipher blocks of small size, such as characters, or one bit at a time.
OFB (Output Feedback) Mode
• Algorithms that work in the OFB mode create keystream bits that are used for encrypting the subsequent data blocks.
Contd.,

• Security Issues
The patterns are not preserved.

• Error Propagation
A single bit error in the ciphertext affects only the corresponding bit in the plaintext.
Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The pseudo-randomness in the key stream is achieved using a counter.

A counter equal to the plaintext block size is used. The counter value must be different for each plaintext block that is encrypted.

Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size).
Contd., Notes

• CTR creates n-bit blocks that are independent from each other; they depend only on the value of the counter.
• CTR, like ECB mode, cannot be used for real-time processing.
• CTR, like ECB mode, can be used to encrypt and decrypt random access files as long as the value of the counter can be related to the record number in the file.
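The ECB, CBC and CTR constructions from the mode sections above, written generically over any 16-byte block cipher, as an added Python example that is not part of the original slides. Since the standard library has no AES, a constructed 4-round Feistel cipher built from SHA-256 (toy_enc/toy_dec, names of my own) stands in for the block cipher; the modes themselves do not depend on which cipher is used, and the CBC IV is assumed to be a fresh random value per message as the CBC section states.

```python
import hashlib
BS = 16  # block size in bytes, as for AES

def _f(key, r, half):
    """Round function of the toy cipher (constructed stand-in, not AES)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_enc(key, block):
    """4-round Feistel network over a 16-byte block; invertible like any block cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return r + l

def toy_dec(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = r, xor(l, _f(key, i, r))
    return r + l

def ecb_encrypt(key, pt):  # ECB: each block encrypted independently (len(pt) % BS == 0)
    return b"".join(toy_enc(key, pt[i:i + BS]) for i in range(0, len(pt), BS))

def cbc_encrypt(key, iv, pt):
    """CBC: C_j = E(P_j xor C_{j-1}), with C_{-1} = IV (fresh random value per message)."""
    out, prev = [], iv
    for i in range(0, len(pt), BS):
        prev = toy_enc(key, xor(pt[i:i + BS], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BS):
        c = ct[i:i + BS]
        out.append(xor(toy_dec(key, c), prev))  # P_j = D(C_j) xor C_{j-1}: only C_j, C_{j-1} matter
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR: keystream block j = E(nonce + j mod 2^128); no feedback, so the same call decrypts."""
    out = []
    for j, i in enumerate(range(0, len(data), BS)):
        ctr = (int.from_bytes(nonce, "big") + j) % (1 << 128)
        out.append(xor(data[i:i + BS], toy_enc(key, ctr.to_bytes(BS, "big"))))
    return b"".join(out)
```

With three identical plaintext blocks, ecb_encrypt returns three identical ciphertext blocks while cbc_encrypt does not; flipping one bit of a CBC ciphertext block garbles that block's plaintext and flips exactly the same bit in the next block, whereas in CTR it flips only that one plaintext bit.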
