AES (Advanced

Encryption Standard)

By-
Sharmistha Roy
M.Tech, CSE 1st semester
NIT, Agartala
 Introduction:
 After DES, the need for coming up with a new algorithm was
actually because of the perceived weakness in DES. The 56-bit
keys of DES were no longer considered safe against attacks
based on exhaustive key searches and the 64-bit blocks were
also considered as weak.
 AES was to be based on 128-bit blocks, with 128-bit keys or
192-bit or 256-bit keys.
 In general, two versions of AES are used: 128-bit plain text
block combined with 128-bit key block and 128-bit plain text
block combined with 256-bit key block.
 Many proposals of AES were submitted and after a lot of
debate, an algorithm called as Rijndael was accepted. It was
developed by Joan Daemen and Vincent Rijmen.
 Introduction:
 According to its designers, the main features of AES are:
a. Symmetric and parallel structure: This gives the implementers of the
algorithm a lot of flexibility. It also stands up well against cryptanalysis
attacks.
b. Adapted to modern processors: The algorithm works well with modern
processors (Pentium, RISC, parallel)
c. Suited to smart cards: The algorithm can work well with smart cards.
 Since 128-bits give a possible key range of 2^128 or 3*10^38 keys, so
AES is very much secure and faster than Triple-DES.
 Rijndael has a variable number of rounds.
i. 10 if both the block and the key are 128 bits long.
ii. 12 if either the block or the key is 192 bits long, and neither of them is
longer than that.
iii. 14 if either the block or the key is 256 bits long.
 One key differentiator between DES and Rijndael is that all the
Rijndael operation involve entire byte and not individual bits of a byte.
Operation of STATE

each round
Sub bytes  One AddRoundKey
is applied before the
STATE first round.
 The Mix column
Shiftrows is missing at last round.

STATE

Mixcolumns

STATE

AddRoundKey

STATE Structure of each round

 AES Process:
 Block:
A block in AES is a group of 128 bits which is represented as a
row matrix of 16 bytes.
 State:
The data block in AES are treated as State.
For example
Let us take a text block “AES USES A MATRIX”.
 To make it 16 bytes add Z at the end.
 Now assign values to the characters from 0 to 25.
 Form state matrix with their equivalent two hexadecimal
digits.
 AES Encryption Procedure
State Processing:
Text: A E S U S E S A M A T R I X Z Z
Hex : 00 04 12 14 12 04 12 00 0C 00 13 11 08 23 19 19

 Step-1: Hence the resulting State Matrix is as follows:

00 12 0C 08
04 04 00 23
12 12 13 19
14 00 11 19 (4 X 4) matrix

 Step-2: Pre-round operation

Here in this step the state matrix is added with the cipher key i.e.
(the key matrix containing W[0] to W[3]). Addition means
performing XOR operation.
 Pre-round Operation:
6A 6D 73 6A 00 12 0C 08
75 65 74 75 04 04 00 23
73 6A 6D 73  12 12 13 19
74 75 65 74 14 00 11 19
Cipher Key State matrix
 Hence the resulting State Matrix after pre-round is as follows:
6A 7F 7F 62
71 61 74 56
61 78 7E 6A
60 75 74 6D

 Step-3: Sub-byte Transformation

Next step is the sub-byte transformation, which requires S-box.
Byte by byte substitution is done to replace the contents of the state
array with the respective entries in the S-box.
AES S-Box Lookup Table
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 2 3 C3 18 9 6 05 9A 0 7 12 8 0 E 2 E B 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9 E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
 Sub-byte:
The sub-byte transformation of the above example is:
02 D2 D2 AA
A3 EF 92 B1
EF BC F3 02
D0 9D 92 3C
Shift rows Transformation:

Row 0 : 0 byte Lshift

Row 1 : 1 byte Lshift
Row 2: 2 byte Lshift
Row 3: 3 byte Lshift
 Shift row Transformation:
 Step-4: Shift-row Transformation
Shift-row transformation involves byte-wise left shift. The shift-
row transformation of the above example is:
02 D2 D2 AA
EF 92 B1 A3
F3 02 EF BC
3C D0 9D 92
Mix- column Transformation:
 Step-5: Mix-column Transformation
The mix column transformation operates at the column level. It
transform each column of the state to a new column. This
transformation is actually a matrix multiplication of state
column by a constant square matrix.
 The constant matrix is as: 02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
 Mix column overview

X =

Mix column constant

state
state
 Mix column overview
b1 b5 b9 b13
2 3 1 1 B1 B5 B9 B13
b2 b6 b10 b14 1 2 3 1 B2 B6 B10 B14
b3 b7 b11 b15 B3 B7 B11 B15
b4 b8 b12 b16
1 1 2 3 B4 B8 B12 b16
3 1 1 2
16 byte state array Mix-column array
Constant matrix

• B1=(b1*2) (b2*3) (b3*1) (b4*1)

• B2=(b1*1) (b2*2) (b3*3) (b4*1)
• B3=(b1*1) (b2*1) (b3*2) (b4*3)
• B4=(b1*3) (b2*1) (b3*1) (b4*2)
• B5=(b5*2) (b6*3) (b7*1) (b8*1)
• B6=(b5*1) (b6*2) (b7*3) (b8*1)
• B7=(b5*1) (b6*1) (b7*2) (b8*3)
• B8=(b5*3) (b6*1) (b7*1) (b8*2)
 Mix column operation:
In this example mix-column operation is as:
B1=02*2 EF*3 F3*1 3C*1 02 2 3 1 1
02*2=(00000010)(00000010) EF 1 2 3 1
X
=(x)(x) F3 1 1 2 3
= x^2 3C 3 1 1 2
= 00000100
EF*3=(11101111)(00000011)
= (x^7 + x^6 + x^5 + x^3+x^2+x+1)(x+1)
=x^8+x^7+x^6+x^4+x^3+x^2+x+x^7+x^6+x^5+x^3+x^2+x+1
= x^8+x^5+x^4+1 (mod x^8+x^4+x^3+x+1)
= x^5+x^3+x
= 00101010
F3*1=F3=11110011
3C*1=3C=00111100
 Mix column operation:
B1=00000100  00101010  11110011 00111100
=11100001 = E1
 This matrix multiplication can be done with the help of another
method known as Galois Field Multiplication, which involves
the use of L-Table & E-table.
 All numbers being multiplied using the Mix Column function
converted to HEX will form a maximum of 2 digit Hex number.
We use the first digit in the number on the vertical index and the
second number on the horizontal index. If the value being
multiplied is composed of only one digit we use 0 on the vertical
index.
 Multiplication in GF(28) consists of multiplying two polynomials
modulo an irreducible polynomial of degree 8.
– AES uses the following irreducible polynomial
m(x) = x8 + x4 + x3 + x + 1
 L-Table
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 00 19 01 32 02 1A C6 4B C7 1B 68 33 EE DF 03
1 64 04 E0 0E 34 8D 81 EF 4C 71 08 C8 F8 69 1C C1
2 7D C2 1D B5 F9 B9 27 6A 4D E4 A6 72 9A C9 09 78
3 65 2F 8A 05 21 0F E1 24 12 F0 82 45 35 93 DA 8E
4 96 8F DB BD 36 D0 CE 94 13 5C D2 F1 40 46 83 38
5 66 DD FD 30 BF 06 8B 62 B3 25 E2 98 22 88 91 10
6 7E 6E 48 C3 A3 B6 1E 42 3A 6B 28 54 FA 85 3D BA
7 2B 79 0A 15 9B 9F 5E CA 4E D4 AC E5 F3 73 A7 57
8 AF 58 A8 50 F4 EA D6 74 4F AE E9 D5 E7 E6 AD E8
9 2C D7 75 7A EB 16 0B F5 59 CB 5F B0 9C A9 51 A0
A 7F 0C F6 6F 17 C4 49 EC D8 43 1F 2D A4 76 7B B7
B CC BB 3E 5A FB 60 B1 86 3B 52 A1 6C AA 55 29 9D
C 97 B2 87 90 61 BE DC FC BC 95 CF CD 37 3F 5B D1
D 53 39 84 3C 41 A2 6D 47 14 2A 9E 5D 56 F2 D3 AB
E 44 11 92 D9 23 20 2E 89 B4 7C B8 26 77 99 E3 A5
F 67 4A ED DE C5 31 FE 18 0D 63 8C 80 C0 F7 70 07
 E-Table
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 01 03 05 0F 11 33 55 FF 1A 2E 72 96 A1 F8 13 35
1 5F E1 38 48 D8 73 95 A4 F7 02 06 0A 1E 22 66 AA
2 E5 34 5C E4 37 59 EB 26 6A BE D9 70 90 AB E6 31
3 53 F5 04 0C 14 3C 44 CC 4F D1 68 B8 D3 6E B2 CD
4 4C D4 67 A9 E0 3B 4D D7 62 A6 F1 08 18 28 78 88
5 83 9E B9 D0 6B BD DC 7F 81 98 B3 CE 49 DB 76 9A
6 B5 C4 57 F9 10 30 50 F0 0B 1D 27 69 BB D6 61 A3
7 FE 19 2B 7D 87 92 AD EC 2F 71 93 AE E9 20 60 A0
8 FB 16 3A 4E D2 6D B7 C2 5D E7 32 56 FA 15 3F 41
9 C3 5E E2 3D 47 C9 40 C0 5B ED 2C 74 9C BF DA 75
A 9F BA D5 64 AC EF 2A 7E 82 9D BC DF 7A 8E 89 80
B 9B B6 C1 58 E8 23 65 AF EA 25 6F B1 C8 43 C5 54
C FC 1F 21 63 A5 F4 07 09 1B 2D 77 99 B0 CB 46 CA
D 45 CF 4A DE 79 8B 86 91 A8 E3 3E 42 C6 51 F3 0E
E 12 36 5A EE 29 7B 8D 8C 8F 8A 85 94 A7 F2 0D 17
F 39 4B DD 7C 84 97 A2 FD 1C 24 6C B4 C7 52 F6 01
 Galois Field Operation
 For example if the two Hex values being multiplied are AF * 8
we first lookup L (AF) index which returns B7 and then
lookup L (08) which returns 4B. Once the L table lookup is
complete we can then simply add the numbers together.
 The only trick being that if the addition result is greater then
FF we subtract FF from the addition result. For example
AF+B7= 166. Because 166 > FF, we perform: 166-FF which
gives us 67.
 The last step is to look up the addition result on the E table.
Again we take the first digit to look up the vertical index and
the second digit to look up the horizontal index. For example
E (67)=F0.
 There fore the result of multiplying AF * 8 over a Galois Field
is F0
Note: In the last round i.e. round 10 we omit the mix-column
operation
 Key Adding
 Step-6: Add round Key
The most important transformation is to include cipher key. If
cipher is not added with the state at each round it is very easy
to find the plain text from cipher text. The cipher key is only
secret between sender and receiver.
 Each round key is 128 bits long and its form 4X4 matrix for
each step.
 Add round key also proceeds one column at a time. Add round
key adds a round key with each state column matrix. The
operation in add round key is matrix addition. (addition means
XOR operation)
 So in 1st round the add round key uses the round key from
w[4] to w[7] and in the last i.e. 10th round the add round key
uses the round key from w[40] to w[43].
Key Processing:
 To create round key for each round AES uses a key expansion
processes.
 The first round key is used for pre-round transformation i.e. (W0 to
W3).
 The remaining round keys are used for Add round Key i.e. the last
transformation of each round.
 Key expansion routine creates keys word by word where a word is
an array of 4 bytes.

Round Words
Pre-round W0 W1 W2 W3
1 W4 W5 W6 W7
2 W8 W9 W10 W11

10 W40 W41 W42 W43

Key Expansion:
 The first words ( w0,w1,w2,w3 ) are made from the cipher
key. The cipher key is thought of as an array of 16 (k0…k15)
bytes. The first four bytes (k0..k3) become w0, next 4 bytes
become w1 and so on.
 The rest of the words w4 to w43 are made as follows:
a) if (i mod 4) ≠0 wi=w(i-1) w(i-4)
b) if (i mod 4) = =0 wi=t w(i-4)
where t is a temporary word, result of applying two routines
subword and rotword on wi-1 and X-ORing the result with a
round constant
t = subword(rotword(w(i-1))) constant [i /4]
Key Expansion:
 Rotword:
similar to shiftrows
 Subword:
similar to subbyte operation in earlier cases
 Roundconstant:
The round constant matrix is as:

round 1 2 3 4 5 6 7 8 9 10
Const 01 02 04 08 10 20 40 80 1B 36
 Key Processing
 Let us take one key matrix
6A 6D 73 6A F6 9B E8 82
75 65 74 75 FA 9F EB 9E
73 6A 6D 73 E1 8B E6 95
74 75 65 74 76 03 66 12

W[0] W[1] W[2] W[3] W[4] W[5] W[6] W[7]

Next we have to find out W[4], W[5], W[6], W[7]

For W[4], since i mod 4 =0 so,
W[4]= t XOR W[i-4]
= t XOR W[0]
Here t= subword(rotword(w[i-1])) XOR constant [i /4]
= subword(rotword(W[3])) XOR constant [0]
For W[5], since I mod 4 = 0 so,
W[5] = W[i-1] XOR W[i-4]
= W[4] XOR W[1]
In this way keys are created from W[4] to W[43].
 Key Processing
Finding W[4]:
W[3]= 6A 75 73 74
Rotword W[3]= 75 73 74 6A
Subword(Rotword W[3])= subword(75 73 74 6A)= 9D 8F 92 02
Subword(Rotword W[3]) XOR constant [0]
= 9D 8F 92 02 XOR 01 00 00 00= 9C 8F 92 02
Therefore W[4]= t XOR W[0]
= 9C 8F 92 02 XOR 6A 75 73 74 = F6 FA E1 76
Finding W[5]:
W[5]= W[4] XOR W[1]
= F6 FA E1 76 XOR 6D 65 6A 75
= 9B 9F 8B 03
 AES Decryption Procedure
 Decryption algorithm uses the expanded key in
reverse order.
 All functions are easily reversible and their inverse
form is used in decryption.
 Decryption algorithm is not identical to the
encryption algorithm.
 In the beginning there is a pre-round operation using
the cipher text as the state matrix and the last round
key as the key matrix(i.e. W[40] to W[43]).
 Again, final round consists of only three stages. Mix-
column operation is omitted here.
Conclusion of AES