AN HARDWARE IMPLEMENTATION OF THE

ADVANCED ENCRYPTION STANDARD CORE

CONTENTS
 Why AES?
 The AES Cipher
 AES Functions and Inverse Functions
 AES Key Expansion
 Implementation Aspects
 AES Security and Strength
WHY AES?
 Symmetric block cipher, published in 2001
 Intended to replace DES and 3DES
DES is vulnerable to differential attacks
3DES has slow performances
NIST CRITERIA TO EVALUATE
POTENTIAL CANDIDATES
 Security: The effort to crypt analyze an algorithm.
 Cost: The algorithm should be practical in a wide range
of applications.
 Algorithm and Implementation Characteristics :
Flexibility, simplicity etc.
NIST CRITERIA – CONT.
 General Security
 Software Implementations
 Hardware Implementations
 Restricted-Space Environments
 Attacks on Implementations
 Encryption vs. Decryption
 Key Agility
 Potential for Instruction-Level Parallelism
 Other versatility and Flexibility
NIST selected Rijndael as the proposed AES algorithm
THE AES CIPHER
 Block length is limited to 128 bit
 The key size can be independently specified to 128, 192
or 256 bits

Key size (words/bytes/bits) 4/16/128 6/24/192 8/32/256

Number of rounds 10 12 14

Expanded key size (words/byte) 44/176 52/208 60/240

THE AES CIPHER
 Key received as input array of 4 rows and Nk columns
 Nk = 4,6, or 8, parameter which depends key size
 Input key is expanded into an array of 44/52/60 words of
32 bits each
 4 different words serve as a key for each round

k0 k4 k8 k12
k1 k5 k9 k13 w0 w1 w2 …… w42 w43
k2 k6 k10 k14
k3 k7 k11 k15
THE AES CIPHER

 Single128 bit block as input

 Copied to a State array with Nb columns (Nb=4)

Input State array Output

in0 in4 in8 in12 S00 S01 S02 S03 o0 o4 o8 o12
in1 in5 in9 in13 S10 S11 S12 S13 o1 o5 o9 o13
in2 in6 in10 in14 S20 S21 S22 S23 o2 o6 o10 o14
in3 in7 in11 in15 S30 S31 S32 S33 o3 o7 o11 o15
THE AES CIPHER
 Number of rounds, Nr, depends on key size
 Each round is a repetition of functions that perform a
transformation over State array
 Consists of 4 main functions: one permutation and three
substitutions
Substitute bytes, Shift rows, Mix columns, Add round
key
THE AES CIPHER
 AddRoundKey() – round key is added to the
State using XOR operation
 MixColumns() – takes all the columns of the
State and mixes their data, independently of one
another, making use of arithmetic over GF(2^8)
 ShiftRows() – processes the State by cyclically
shifting the last three rows of the State by
different offsets
 SubBytes() – uses S-box to perform a byte-by-
byte substitution of State
 THE AES CIPHER
plaintext

Add round key

Substitute bytes Substitute bytes

Substitute bytes
Shift rows Shift rows
Round 1

Shift rows
Round 9

Mix columns Mix columns Add round key

Add Round key Add round key Cipher
text
W[4,7] W[36,39] W[40,43]
key
THE AES CIPHER
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
Begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])

for round=1 to Nr-1

SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, w[round*Nb, round+1)*Nb-1])
end for

SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1)

Out = state
end
THE AES CIPHER
 Only Add round key makes use of the key
 Other three functions are used for diffusion and
confusion
 Final round consists of only three stages
AES METHODS
 Convert to state array
 Transformations (and their inverses)
 AddRoundKey
 SubBytes

 ShiftRows

 MixColumns

 Key Expansion
CONVERT TO STATE ARRAY

Input block:

0 4 8 12 S0,0 S0,1 S0,2 S0,3

1
2
3
5 9 13
6 10 14
7 11 15
= S1,0 S1,1 S1,2 S1,3
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
 ADDROUNDKEY
 XOR each byte of the round key with its corresponding
byte in the state array

XOR
S0,1
S0,0 S0,1 S0,2 S0,3
S
S1,0 S1,1
1,1 S1,2 S1,3 S’0,1
R0,1 S’0,0 S’0,1 S’0,2 S’0,3
S2,0 S
S2,1 S2,2 S2,3
R0,0 R0,1 R0,2 R0,3
S’1,0S’
2,1
S’1,1
1,1 S’1,2 S’1,3
R1,0 R
S3,0 S3,1 S3,2 S3,3
R1,1
1,1 R
1,2 R1,3
S3,1 S’2,0S’
S’2,1 S’2,2 S’2,3
R2,0 R
R2,1 R2,2 R2,3 2,1
2,1 S’3,0 S’3,1 S’3,2 S’3,3
R3,0 R3,1 R3,2 R3,3 S’3,1
R3,1
SUBBYTES
 Replace each byte in the state array with its
corresponding value from the S-Box

00 44 88 CC
11 55
55 99 DD
22 66 AA EE
33 77 BB FF
SHIFTROWS
 Last three rows are cyclically shifted

S0,0 S0,1 S0,2 S0,3

S1,0 S1,0 S1,1 S1,2 S1,3

S2,0 S2,1 S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,0 S3,1 S3,2 S3,3
MIXCOLUMNS
 Apply MixColumn transformation to each column

S’0,c = ({02}  S0,c)  ({03}  S1,c)  S2,c  S3,c

MixColumns()
S’1,c = S0,c  ({02}  S1,c)  ({03}  S2,c)  S3,c
S0,1 S’0,1
S0,0 S0,1 S0,2 S0,3 S’0,0 S’0,1 S’0,2 S’0,3
S’SS2,c1,1=SS0,cS 
S1,0 S1,c  ({02}  S2,c )  S’ S’1,1S’S3,cS’)
S’
({03}
1,1 1,2 1,3 1,0 1,1 1,2 1,3

S2,0 S
S2,1 S2,2 S2,3 S’2,0S’
S’2,1 S’2,2 S’2,3
S’ 2,1
S3,c
= ({03}
S3,0 3,1 S3,2 S3,3
 S0,c)  S1,c  S 2,c  ({02} 2,1
 S S’
S’3,0 S’3,1 S’3,23,c 3,3
S3,1 S’3,1
 The AES Inverse Cipher
ciphertext

Add round key

Inv. Shift rows Inv. Shift rows

Inv. Shift rows
Inv. Sub bytes Inv. Sub bytes
Round 1

Inv. Sub bytes

Round 9

Add round key Add round key Add round key

Inv. Mix Columns Inv. Mix columns plaintext

W[36,39] W[4,7] W[0,3]

key
THE AES INVERSE CIPHER
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
Begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1)

for round=1 to Nr-1

InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, w[round*Nb, round+1)*Nb-1])
InvMixColumns(state)
end for

InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, w[0, Nb-1])

Out = state
end
THE AES INVERSE CIPHER
 Decryption algorithm uses the expanded key in reverse
order
 All functions are easily reversible and their inverse form
is used in decryption
 Decryption algorithm is not identical to the encryption
algorithm
 Again, final round consists of only three stages