Lect 5: Information Security

Advanced Encryption Standard (AES)

DES Weaknesses
 Weaknesses in S-boxes
 Two specifically chosen inputs to an S-box can create same output
 Weaknesses in P-boxes
 initial and final permutations have no security benefits
 the first and fourth bits of every 4-bit series are repeated
 Weaknesses in Key
 Weak keys create same 16 round keys
 Semi-weak keys create 2 different round keys
 Possible weak keys create 4 distinct round keys
 Key complement
 There are four weak keys.
 After parity drop operation, a key consists either of all 0s, all 1s, or
half 0s and half 1s.
 Weak keys create same 16 round keys.
Advanced Encryption Standard (AES)
 The Advanced Encryption Standard (AES) is a symmetric block
cipher that is intended to replace DES as the approved standard
for a wide range of applications.
 National Institute of Standards and Technology (NIST)
 September 12, 1997: the NIST publicly calls for nominees for
the new AES
 1st AES conference,August 20-23, 1998
 (15 algorithms are candidates for becoming AES)
 Public Review of the algorithms
 2nd AES conference, March 22-23, 1999
 (presentation, analysis and testing)
 August 9, 1999: the 5 finalists are announced
 (MARS, RC6, RINJDAEL, SERPENT,TWOFISH)
Advanced Encryption Standard (AES)
 Evaluation Criteria
 Security
 Resistance to cryptanalysis
 Mathematical foundation
 Randomness of output bits
 Relative security compared to competitors
 Cost
Royalty and intellectual property

 Platform dependence (8 bit to 256 bit architectures)
 Speed
 Efficiency
 Memory requirements
 Algorithm and implementation characteristics
 Flexibility to handle key sizes beyond the minimum specifications
 Implementation in a variety of environments
 Additional services
 Algorithm simplicity
Candidates
 MARS  Rijndael (Rhinedoll)
 Proposed by IBM  Proposed by John Daemen and

 Extended Feistel architecture Vincent Rijmen

 Fast key set up
 Needed modification for
smart cards  Low memory requirements

 RC-6  Parallel execution possible

 Proposed by RSA Labs  Fastest in Java

 Algorithm fits in 1K of ROM for
 Feistel architecture
Smartcards
 Simple algorithm
 Fast!
 Selected for AES

MARS RC6 Rijndael Serpent Twofish

General Security 3 2 2 3 3
Implementation of Security 1 1 3 3 2
Software Performance 2 2 3 1 1
Smart Card Performance 1 1 3 3 2
Hardware Performance 1 2 3 3 2
5
Design Features 2 1 2 1 3
Rijndael Block Cipher
 Variables block size and key size
 Number of rounds determined by block and key size
 Does not use Feistel structure
 Instead, each round uses a state and 4 operations
 Non-linear layer, uses optimized S-boxes, for confusion
 16x16 S-box with all byte values, and a separate inverse S-box
 Linear mixing layer for diffusion
 Row shifts on the state matrix
 Column mixes on the state matrix
 Key addition layer, using a simple XOR
 Parameters
 Key size: Nk in 32-bit words
 128, 192, or 256 bit
 Example: 128 bit key => Four 32-bit words => Nk = 4
 Block size: Nb in 32 bit words
 128 bit
 Number of rounds: Nr
 Rijndael specifies Nr = 6 + max(Nk, Nb)
 10, 12 o 14
Layers for encryption in AES
 Confusion Layer
 A byte substitution layer
creates the confusion
block
 It is non-linear to prevent Substitution
easy analysis Layer in an SPN
 Diffusion Layer
 There are two layers that
introduce diffusion
Permutation
 Shift rows (ShiftRow)
Layer in an SPN
 Multiply columns
(MixColumn)
 Key Addition Layer Linear Transformation
Layer in an SPN

7
AES methods
 Convert to state array
 Transformations (and their inverses)
 AddRoundKey
 SubBytes
 ShiftRows
 MixColumns
 Key Expansion
 Each round (except the last one) is a uniform and parallel
composition of 4 steps
 SubBytes (byte-by-byte substitution using an S-box)
 ShiftRows (a permutation, which cyclically shifts the last three
rows in the State)
 MixColumns (substitution that uses Galois Fields, corps de Galois,
GF(28) arithmetic)
 AddRound key (bit-by- bit XOR with an expanded key)
AES Encryption
Process
Data Units Data units used in AES

7.10
Block-to-state and state-to-block transformation

Text=N e t w o r k S e c u r I t y
Hex=4e 65 74 77 6f 72 6b 20 53 65 63 75 72 69 74 79

4e 6f 53 72
65 72 65 69
State 74 6b 63 74
77 20 75 79
 State
 Internally, the AES algorithm’s operations
S0,0 S0,1 S0,2 S0,3
are performed on a two-dimensional array
S1,0 S1,1 S1,2 S1,3
of bytes called the State S2,0 S2,1 S2,2 S2,3
 4 rows, each containing Nb bytes S3,0 S3,1 S3,2 S3,3

 Nb columns, constituted by 32-bit words

 Sr,c denotes the byte in row r and column c
 The array of bytes in input is copied in the
State matrix
 At the end, the State matrix is copied in the
output matrix

12
 The “Stuff” behind AES: The State
 The input word is usually
written as a matrix of bytes
 This is the “state” in the SPN
 For example, if the input is
A0 A4 A8 A12
128 bits:
 We break it into 128/8 = 16 bytes
 A = A0 A1 A2 A3 A4 A5 A6 A7 A8 A9
A10 A11 A12 A13 A14 A15 A1 A5 A9 A13
 We write it in the following array
(columnwise)
 Note that a byte has 8 bits
 It is an element of the Galois Field A2 A6 A10 A14
GF(?)

A3 A7 A11 A15

13
Convert to State Array

Input block:

0 4 8 12 S0,0 S0,1 S0,2 S0,3

0
1 9 13
1 2 3 4 5
5
2 6 10 14
3 7 11 15
=
6 7 8
S S1,1 S1,2 S1,3
9 1,0
10 11 12 13 14 15
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
Block Diagram of AES Encryption
x
128

Add Round Key Byte Byte

Substitution Substitution
128
Shift Rows Shift Rows
Round 1
Mix Columns Add Round Key

Add Round Key 128

128
y
Round Nr-1
Last round does
not have the
MixColumns
layer
15
Structure of each round at the encryption site

FOUR STEPS IN EACH ROUND

1. SubByte
2. ShiftRows
3. MixColumns
4. Key Adding
SubByte (Substitute Bytes)
 SubByte is the Byte Substitution Layer
 This step consists of using a 16 × 16 lookup table to
find a replacement byte for a given byte in the
input state array.
 The S-Box in AES
 The Substitute bytes stage uses an S-box to
perform a byte-by-byte substitution of the block.
 each byte of state is replaced by byte indexed by row
(left 4-bits) & column (right 4-bits)
 eg. byte {95} is replaced by byte in row 9 column 5
 which has value {2A}

17
Substitute Bytes
SubByte Table Source: NIST FIPS-197

19
SubBytes
 Replace each byte in the state array with its
corresponding value from the S-Box

00 44 88 CC
11 55
55 99 DD
22 66 AA EE
33 77 BB FF
Substitute Bytes Example
ShiftRows

 The ShiftRows stage provides a simple “permutation” of

the data, whereas the other steps involve substitutions.
 the state is treated as a block of columns,
 it is this step which provides for diffusion of values
between columns.
 It performs a circular rotate on each row of 0, 1, 2 & 3
places for respective rows.
 This row shift moves an individual byte from one column
to another, which is a linear distance of a multiple of 4
bytes, and ensures that the 4 bytes of one column are
spread out to four different columns.
22
Diffusion: ShiftRows Sub Layer
 Linear operation
 ShiftRow  Left cyclic shift of rows
 Also can be considered as a right cyclic shift
 Easy to invert for decryption
 Shifting is nothing but multiplication by some polynomial
modulo some other polynomial 
 Significant because the output is read in columns

A0 A4 A8 A12 0 positions A0 A4 A8 A12

A1 A5 A9 A13 1 positions A5 A9 A13 A1

A2 A6 A10 A14 2 positions A10 A14 A2 A6

A3 A7 A11 A15 3 position A15 A3 A7 A11

23
ShiftRows
 Last three rows are cyclically shifted

S0,0 S0,1 S0,2 S0,3

S1,0 S1,0 S1,1 S1,2 S1,3

S2,0 S2,1 S2,0 S2,1 S2,2 S2,3

S3,0 S3,1 S3,2 S3,0 S3,1 S3,2 S3,3

Shift Rows
MixColumns
 We need an interbyte transformation that changes the bits
inside a byte, based on the bits inside the neighboring bytes.
 We need to mix bytes to provide diffusion at the bit level.

Mixing bytes using matrix multiplication

7.26
 7.2.3 Continue

MixColumns

The MixColumns transformation operates at the column

level; it transforms each column of the state to a new
column.

MixColumns transformation

7.27
Mix Columns
 each column is processed separately
 each byte is replaced by a value dependent on all 4 bytes
in the column
 effectively a matrix multiplication in GF(28) using prime
poly m(x) =x8+x4+x3+x+1
 7.2.3 Continue
MixColumns

Constant matrices used by MixColumns and InvMixColumns

7.29
Mix Columns
Mix Columns Example
Add Round Key
 Add Round Key stage is a simple bitwise XOR of the current
block with a portion of the expanded key.
 Note this is the only step which makes use of the key and obscures
the result,
 MUST be used at start and end of each round,
 XOR state with 128-bits of the round key
 again processed by column (though effectively a series of byte
operations)
 inverse for decryption identical
 since XOR own inverse, with reversed keys
 designed to be as simple as possible
 a form of Vernam cipher on expanded key
 requires other stages for complexity / security
Add Round Key
 AddRoundKey
 XOR each byte of the round key with its corresponding
byte in the state array

XOR
S0,1
S0,0 S0,1 S0,2 S0,3
S1,0 SS1,1
1,1 S1,2 S1,3 S’0,1
R0,1
S2,0 SS 2,1 S2,2 S2,3 S’0,0 S’0,1 S’0,2 S’0,3
2,1 R0,0 R0,1 R0,2 R0,3
S3,0 S3,1 S3,2 S3,3 R1,1 R R S’ S’
1,0 S’1,1 S’ S’
1,1 1,2 1,3
R R
S3,1 1,0 1,1 1,2 1,3
S’2,0S’
S’2,1 S’2,2 S’2,3
R2,0 R
R2,1 R2,2 R2,3
2,1
2,1 S’3,0 S’3,1 S’3,2 S’3,3
R3,0 R3,1 R3,2 R3,3
S’3,1
R3,1
35
Key Expansion
 Each round has its own round key that is derived from the
original 128-bit encryption key in the manner described in this
section.
 One of the four steps of each round, for both encryption and
decryption, involves XORing of the round key with the state
array.
 To create round keys for each round, AES uses a key-expansion
process. If the number of rounds is Nr , the key-expansion
routine creates Nr + 1 128-bit round keys from one single 128-
bit cipher key.
 Generates Nb(Nr+1) words
Key expansion in AES

7.37
 Key Expansion
 Let the key K be 128 bits
long 1 byte
Initial key K: 128 bits
 Denote it as a set of
16 bytes k0 to k15 k0 k1 k2 k3 k4 k5 k6 k7 k8 k9 k10 k11 k12 k13 k14 k15
 From this we create a
set of 44 words w0 to
w43 of length 32 bits each w0 k0 k1 k2 k3 Initialize the first 4 words as
 Use two operations follows:
 ROTWORD
w1 k4 k5 k6 k7 For i = 0 to 3
 Rotate word
 SUBWORD
w2 k8 k9 k10 k11 wi = [k4i k4i+1 k4i+2 k4i+3]

Substitute word

w3 k12 k13 k14 k15

ROTWORD b0 b1 b2 b3 b1 b2 b3 b0

Cyclic shift of the four bytes in a word

38
Key Expansion

 If 4|j or j mod 4 = 0, do a SUBWORD

special operation for wj SUBWORD takes the word as
 RCon[j] is a round b0 b1 b2 b3 input
constant that is 32 bits
long and is defined for j = It sends each byte in the word
1, 2, …,10 S S S S through the S-box
 Otherwise, compute wj as Compute inverse in GF(28), do
follows: u0 u1 u2 u3
matrix multiplication
 wj = wj-4  wj-1

If j mod 4 = 0 (e.g., j = 4,8,12, …

temp = ROTWORD(wj-1)
temp = SUBWORD(temp)  RCon[j/4]
wj = wj-4  temp

Note j is divisible by 4
39
AES Key Expansion
Key expansion in AES

41
Key: 0f1571c947d9e8590cb7add6af7f6798

AES Example
Key Expansion
Where does the key come in?
 Key Addition Layer
 Simply XOR with the sub-key
 Sub-keys are generated by a non-linear key schedule
 First, the key is filled up in an array similar to the input (in columns of 4
bytes each)
 4 bytes of the key is called a word
 One column of 4 bytes = one word
 Subkeys depend on the block length and key length
 Total number of columns of keys = Nb (Nr + 1)
 For a 128 bit block with 10 rounds, you need 11 round keys
 Example: Nb = 4 (128 bits), Nr = 10, number of columns = 4 x 11 = 44
 The other keys are created in sets of 4 words (128 bits)

43
Encryption
byte state[4,Nb]

state = in

AddRoundKey(state, keySchedule[0, Nb-1])

for round = 1 step 1 to Nr–1 {

SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, keySchedule[round*Nb, (round+1)*Nb-1])
}

SubBytes(state)
ShiftRows(state)
AddRoundKey(state, keySchedule[Nr*Nb, (Nr+1)*Nb-1])

out = state
Decryption
byte state[4,Nb]

state = in

AddRoundKey(state, keySchedule[Nr*Nb, (Nr+1)*Nb-1])

for round = Nr-1 step -1 downto 1 {

InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, keySchedule[round*Nb, (round+1)*Nb-1])
InvMixColumns(state)
}

InvShiftRows(state)
InvSubBytes(state)
AddRoundKey(state, keySchedule[0, Nb-1])

out = state
Encrypt and Decrypt

Encryption Decryption

AddRoundKey AddRoundKey

SubBytes InvShiftRows
ShiftRows InvSubBytes
MixColumns AddRoundKey
AddRoundKey InvMixColumns

SubBytes InvShiftRows
ShiftRows InvSubBytes
AddRoundKey AddRoundKey
 Feistel Structure and SPN Structure

State
wi-1 Li-1e Ri-1e w0,i-1 w1,i-1 w2,i-1 w3,i-1 w4,i-1

S1,i
P S1 S2 S3 S4 S5
S2,i Substitution
Permutation
S-box S
P
Permutation
P
wi L ie Rie w0,i w1,i w2,i w3,i w4,i
State
There is a key that comes into the picture somewhere in the operations
47
Strength/Implementation of AES
 AES is fast
 Table look-up and XOR operations
 Can combine byte substitution and mix column operations in table
lookup
 Parallel computations are possible
 900 Mbps in Altera PLD
 Strength
 No complementation property
 Square Attack
 A modified byte in the plaintext leads to 4 modified bytes after one round,
sixteen after two rounds etc.
 Can be used to attack 5 to 7 rounds of AES
 No other known shortcut attacks

48