AES Guest Lecturer

AES
Advanced
Encryption
Standard
CSC 7002 Computer Security
William Roche
http://ouray.cudenver.edu/~wrroche/Security/Presentation.html

Advanced Encryption Standard
• Adopted by National Institute of Standards
and Technology (NIST) on May 26, 2002.
• AES is a simple design, a high speed
algorithm, with low memory costs.
• AES is a symmetric block cipher.
– The same key is used to encrypt and decrypt
the message.
– The plain text and the cipher text are the
same size.

AES Block
• AES has a fixed block size of 128 bits called a
state
ABCDEFGHIJKLMNOP
A E I M 41 45 49 4D
B F J N
C G K O
(ASCII)
42 46 4A 4E
43 47 4B 4F
D H L P 44 48 4C 50

AES Key
• AES key is either 128 bits, 192 bits or
256 bits
128 bits (4 words):
11223344556677889900AABBCCDDEEFF
11 22 33 44
55 66 77 88
99 00 AA BB
CC DD EE FF

AES Key
or 192 bits (6 words)
1122334455667788
9900AABBCCDDEEFF
1122334455667788
11 22 33 44
55 66 77 88
99 00 AA BB
CC DD EE FF
11 22 33 44
55 66 77 88
or 256 bits (8 words)
1122334455667788
9900AABBCCDDEEFF
1122334455667788
9900AABBCCDDEEFF
11 22 33 44
55 66 77 88
99 00 AA BB
CC DD EE FF
11 22 33 44
55 66 77 88
99 00 AA BB
CC DD EE FF

Comparisons
Key Length
(N k words)
Expanded
Key Length
(words)
Block Size
(N b words)
Number of
Rounds N r
AES-128 4 44 4 10
AES-192 6 52 4 12
AES-256 8 60 4 14
4 10
Rijndael - 128 4 44 6 12
8 14
4 12
Rijndael - 192 6 52 6 12
8 14
4 14
Rijndael - 256 8 60 6 14
8 14
DES 2 * 256 2 16
* of 64 bits, only 56 are used

Security
• The key security feature is the size of the
key.
Assuming that one could build a machine that
could recover a DES key in a second (i.e., try
2 55 keys per second), then it would take that
machine approximately 149 thousand-billion
(149 trillion) years to crack a 128-bit AES key.
To put that into perspective, the universe is
believed to be less than 20 billion years old.
• Accepting Moore's Law, doubling processor
speed every 18 months, AES-128 will be
secure for another 109.5 years.

AES Operations
b 7 x 7 + b 6 x 6 + b 5 x 5 + b 4 x 4 + b 3 x 3 + b 2 x 2 + b 1 x + b 0
• Multiplication in GF(2 8 ) consists of
multiplying two polynomials modulo an
irreducible polynomial of degree 8.
– AES uses the following irreducible polynomial
m(x) = x 8 + x 4 + x 3 + x + 1

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

– Sample Key:
AES Algorithm
Key Expansion
11223344556677889900AABBCCDDEEFF
• The first 4 (N k ) words are set equal to the key
w[0] 11 22 33 44
w[1] 55 66 77 88
w[2] 99 00 AA BB
w[3] CC DD EE FF

AES Algorithm
Key Expansion
For words 4 through 43
i = N k // N k = 4
while (i < N b *(N r +1)) { // N b *(N r +1)= 4*(10+1)= 44
temp = w[ i – 1 ]
If ( i%N k == 0 )
rotate word left 1 byte
process each byte through sbox
XOR with RCON[i/N k -1] // just first byte of w[i]
w[ i ] = w[ i-4 ] XOR temp
i++}

AES Algorithm
Key Expansion
w[0] 11 22 33 44
w[1] 55 66 77 88
w[2] 99 00 AA BB
w[3] CC DD EE FF
i = N k // N k = 4
while (i < N b *(N r +1)) { // N b *(N r +1)= 4*(10+1)= 44
temp = w[ i - 1 ]
i = 4
temp = w[3] = CC DD EE FF

AES Algorithm
Key Expansion
If ( i%N k == 0 )
rotate word left 1 byte
process each byte through sbox
temp = CC DD EE FF
temp = DD EE FF CC
temp = sbox[DD] sbox[EE] sbox[FF] sbox[CC]
= C1 28 16 4B
XOR with RCON[i/N k -1] RCON[0] = 01
temp = (C1 ⨁ 01) 28 16 4B
temp = C0 28 16 4B

Con – round
Constants
Powers of x = 0x02
i 0 1 2 3 4 5 6 7
x i 0x01 0x02 0x04 0x08 0x10 0x20 0x40 0x80
Powers of x = 0x02
i 8 9 A B C D E
x i 0x1b 0x36 0x6c 0xd8 0xab 0x4d 0x9a
• rCon can be implemented with a look-up-table
• 2 i in GF(2 8 )
• Removes symmetry and linearity from key expansion.

AES Algorithm
Key Expansion
For words 4 through 43
i = N k // N k = 4
while (i < N b *(N r +1)) {// N b *(N r +1)= 4*(10+1)= 44
temp = W[i-1]
If (i%N k == 0)
i = 4
rotate word left 1 byte
process each byte through sbox
XOR with RCON[i]
w[i] = w[i-4] XOR ⨁ temp temp
i++}
temp // just = first C0 element 28 16 of w4B

AES Algorithm
Key Expansion
w[0] 11 22 33 44
w[1] 55 66 77 88
w[2] 99 00 AA BB
w[3] CC DD EE FF
w[4] D1 0A 25 0F
w[4] = D1 0A 25 0F

AES Algorithm
Key Expansion
For words 4 through 43
i = N k // Nk = 4 i = 5
while (i < N b *(N r +1)) { // N b *(N r +1)= 4*(10+1)= 44
temp = w[i-1]
temp = w[4] = D1 0A 25 0F
If (i%N k == 0)
rotate word left 1 byte
process each byte through sbox
XOR with RCON[i/N k -1] // just first element of W
w[i] = w[i-4] ⨁ temp
i++}

AES Algorithm
Key Expansion
w[0] 11 22 33 44
w[1] 55 66 77 88
w[2] 99 00 AA BB
w[3] CC DD EE FF
w[4] D1 0A 25 0F
i = 5
temp = D1 0A 25 0F
w[i] = w[i-4] ⨁ temp
w[5] = (55 ⨁ D1) (66 ⨁ 0A) (77 ⨁ 25) (88 ⨁ 0F)
w[5] = 84 C6 52 87

Beginning Key Expansion for:
11 22 33 44 55 66 77 88 99 00 AA BB CC DD EE FF
i subword rCon w[i-4]XORtemp
w[i]
0 11 22 33 44
1 55 66 77 88
2 99 00 AA BB
3 CC DD EE FF
4 C1 28 16 4B C0 28 16 4B D1 0A 25 0F
5 84 6C 52 87
6 1D 6C F8 3C
7 D1 B1 16 C3
8 C8 47 2E 3E CA 47 2E 3E 1B 4D 0B 31
9 9F 21 59 B6
10 82 4D A1 8A
11 53 FC B7 49
12 B0 A9 3B ED B4 A9 3B ED AF E4 30 DC
13 30 C5 69 6A
14 B2 88 C8 E0
15 E1 74 7F A9
16 92 D2 D3 F8 9A D2 D3 F8 35 36 E3 24
17 05 F3 8A 4E
18 B7 7B 42 AE
19 56 0F 3D 07
20 76 27 C5 B1 66 27 C5 B1 53 11 26 95
21 56 E2 AC DB
22 E1 99 EE 75
23 B7 96 D3 72
24 90 66 40 A9 B0 66 40 A9 E3 77 66 3C
25 B5 95 CA E7
26 54 0C 24 92
27 E3 9A F7 E0
28 B8 68 E1 11 F8 68 E1 11 1B 1F 87 2D
29 AE 8A 4D CA
30 FA 86 69 58
31 19 1C 9E B8
32 9C 0B 6C D4 1C 0B 6C D4 07 14 EB F9
33 A9 9E A6 33
34 53 18 CF 6B
35 4A 04 51 D3
36 F2 D1 66 D6 E9 D1 66 D6 EE C5 8D 2F
37 47 5B 2B 1C
38 14 43 E4 77
39 5E 47 B5 A4
40 A0 D5 49 58 96 D5 49 58 78 10 C4 77
41 3F 4B EF 6B
42 2B 08 0B 1C
43 75 4F BE B8

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

AES Algorithm
AddRoundKey
• The state is XORed into the expanded key Nr +
1 times.
• This is the same as adding the expanded key to
the state Nr+1 times in GF(2 8 )
– in GF(2 8 ) adding two numbers together is the same
as XORing them.
void AddRoundKey(byte[][] state) {
for (int c = 0; c < Nb; c++)
for (int r = 0; r < 4; r++)
state[r][c] = state[r][c] ˆ w[wCount++];}
global counter

AES Algorithm
AddRoundKey
State
41 45 49 4D
42 46 4A 4E
43 47 4B 4F
44 48 4C 50
41 ⨁ 11 45 ⨁ 55 49 ⨁ 99 4D ⨁ CC
42 ⨁ 22 46 ⨁ 66 4A ⨁ 00 4E ⨁ DD
43 ⨁ 33 47 ⨁ 77 4B ⨁ AA 4F ⨁ EE
44 ⨁ 44 48 ⨁ 88 4C ⨁ BB 50 ⨁ FF
Expanded Key
w[0] w[4]
11 22 33 44
55 66 77 88
99 00 AA BB
CC DD EE FF
After
AddRoundKey
50 10 D0 81
60 20 4A 93
70 30 E1 A1
00 C0 F7 AF

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

AES Algorithm
SubBytes
• SubBytes is the SBOX for AES
• This make AES a non-linear cryptographic system.
• For every value of b there is a unique value for b’
– It is faster to use a substitution table (and easier).
b' 0
b' 1
b' 2
b' 3
b' 4
b' 5
b' 6
b' 7
=
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
x 0
x 1
x 2
x 3
x 4
+
x 5
x 6
x 7
1
1
0
0
0
1
1
0
x is the inverse value of the byte b

AES Algorithm
InvSubBytes
b' 0
-1
1 0 0 0 1 1 1 1
b' 1
1 1 0 0 0 1 1 1
b' 2 1 1 1 0 0 0 1 1
b' 3 = 1 1 1 1 0 0 0 1
b' 0 0 1 1 1 1 1 0
6
b' 0 0 0 1 1 1 1 1
7
b' 4 1 1 1 1 1 0 0 0
b' 5
0 1 1 1 1 1 0 0
b' 0
0 1 0 1 0 0 1 0
b' 1 0 0 1 0 1 0 0 1
b' 2 1 0 0 1 0 1 0 0
b' 3 = 0 1 0 0 1 0 1 0
b' 4 0 0 1 0 0 1 0 1
b' 5 1 0 0 1 0 0 1 0
b' 6 0 1 0 0 1 0 0 1
1 0 1 0 0 1 0 0
x is the inverse value of the byte b
x 0
x 1
x 2
x 3
x 4
x 0
x 1
x 2
x 3
x 4
+
x 5
x 6
x 6
x 7
+
x 5
x 6
x 7
1
1
0
0
0
1
1
0
1
1
0
0
0
1
1
0

AES Algorithm
SubBytes
X
Y
0 1 2 3 4 5 6 7 8 9 a b c d e f
0 63 7c 77 7b f2 6b 6f c5 30 1 67 2b fe d7 ab 76
1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3 4 c7 23 c3 18 96 5 9a 7 12 80 e2 eb 27 b2 75
4 9 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5 53 d1 0 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6 d0 ef aa fb 43 4d 33 85 45 f9 2 7f 50 3c 9f a8
7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a e0 32 3a 0a 49 6 24 5c c2 d3 ac 62 91 95 e4 79
b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 8
c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d 70 3e b5 66 48 3 f6 0e 61 35 57 b9 86 c1 1d 9e
e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

AES Algorithm
InvSubBytes
X
Y
0 1 2 3 4 5 6 7 8 9 a b c d e f
0 52 9 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
1 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
2 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
3 8 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
4 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
5 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
6 90 d8 ab 0 8c bc d3 0a f7 e4 58 5 b8 b3 45 6
7 d0 2c 1e 8f ca 3f 0f 2 c1 af bd 3 1 13 8a 6b
8 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
9 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
b fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
c 1f dd a8 33 88 7 c7 31 b1 12 10 59 27 80 ec 5f
d 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
f 17 2b 4 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

AES Algorithm
SubBytes
State
50 10 D0 81
60 20 4A 93
70 30 E1 A1
00 C0 F7 AF
Sbox( 50 ) Sbox( 10 ) Sbox( D0 ) Sbox( 81 )
Sbox( 60 ) Sbox( 20 ) Sbox( 4A ) Sbox( 93 )
Sbox( 70 ) Sbox( 30 ) Sbox( E1 ) Sbox( A1 )
Sbox( 00 ) Sbox( C0 ) Sbox( F7 ) Sbox( AF )
After SubBytes
53 CA 70 0C
D0 B7 D6 DC
51 04 F8 32
63 BA 68 79

AES Algorithm
KeyExpansion(byte key[4*Nk],word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

AES Algorithm
ShiftRows
• Simple routine which performs a left shift rows 1,
2 and 3 by 1, 2 and 3 bytes respectively
Before Shift Rows
53 CA 70 0C
D0 B7 D6 DC
51 04 F8 32
63 BA 68 79
After Shift Rows
53 CA 70 0C
B7 D6 DC D0
F8 32 51 04
79 63 BA 68

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

AES Algorithm - MixColumns
• This with shift rows provides diffusion
• The columns are considered polynomials over
GF(2 8 ) and multiplied modulo x 4 +1 with a(x)
where a(x) = {03}x 3 + {01}x 2 + {01}x + {02}
NOTE: x 4 +1 is relatively prime to a(x)
a ’ j (a j *a(x))mod(x 4 +1)
• This can also be written as matrix multiplication.
a ’ 0
02 03 01 01
a 0
a ’ 1
a ’ 2
=
01 02 03 01
01 01 02 03
a 1
a 2
a ’ 3
03 01 01 02
a 3

AES Algorithm - MixColumns
a ’ 0
a ’ 1
a ’ 2
=
02 03 01 01
01 02 03 01
01 01 02 03
a 0
a 1
a 2
a ’ 0 = 2a 0 ⨁ 3a 1 ⨁ a 2 ⨁ a 3
a ’ 1 = a 0 ⨁ 2a 1 ⨁3a 2 ⨁a 3
a ’ 2 = a 0 ⨁ a 1 ⨁ 2a 2 ⨁ 3a 3
a ’ 3
03 01 01 02
a 3
a ’ 3 = 3a 0 ⨁a 1 ⨁ a 2 ⨁ 2a 3
Addition is easy in GF(2 8 ) : Addition is just the XOR operation
Multiplication by 1 is easy in GF(2 8 ) : Multiplication by one is the identity
Multiplication by 2 in GF(2 8 ) takes some work:
. If multiplying by a value < 0x80 just shift all the bits left by 1
. If multiplying by a value ≥ 0x80 shift left by 1 and XOR with 0x1b
. This prevents overflow and keeps the values within range
To Multiply by 3 in GF(2 8 ) : a * 03 = a * (02 + 01) = (a * 02) ⨁ (a * 01)

AES Algorithm - InvMixColumns
a ’ 0
a ’ 1
a ’ 2
a ’ 3
=
0e 0b 0d 09
09 0e 0b 0d
0d 09 0e 0b
a 0
a 1
a 2
a 3
0b 0d 09 0e a 3
To Multiply in GF(2 8 ) :
a * 09 = a * (08 ⨁ 01)
= (a * 02 * 02 * 02) ⨁ (a * 01)
a * 0b = a * (08 ⨁ 02 ⨁ 01)
= (a * 02 * 02 * 02) ⨁ (a * 02) ⨁ (a * 01)
a * 0e = a * (08 ⨁ 04 ⨁ 02)
= (a * 02 * 02 * 02) ⨁ (a * 02 * 02) ⨁ (a * 02)

AES Algorithm
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)],Nk)
Cipher(byte in[4*Nb],byte out[4*Nb],word w[Nb*(Nr+1)])
begin
byte state[4,Nb]
state = in
AddRoundKey(state, w[0, Nb-1])
for round = 1 step 1 to Nr–1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state,w[round*Nb,(round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end

Sample Conversions
Input String Key Output String (HEX)
ABCDEFGHIJKLMNOP 11223344556677889900AABBCCDDEEFF BC4784A37D6F46452656B993D53393F5
ABCDEFGHIJKLMNOP 01223344556677889900AABBCCDDEEFF 855866490543FDF6504FC84088FEDCA0
ABCDEFFHIJKLMNOP 11223344556677889900AABBCCDDEEFF 372CCA446C0D391C4381392344630EE1
Input String(HEX) Key Output String (HEX)
00000000000000000000000000000000 00000000000000000000000000000000 66E94BD4EF8A2C3B884CFA59CA342B2E
00000000000000000000000000000000 00000000000000000000000000000001 0545AAD56DA2A97C3663D1432A3D1C84
00000000000000000000000000000001 00000000000000000000000000000001 A17E9F69E4F25A8B8620B4AF78EEFD6F

AES Algorithm
Encryption
PlainText
Decryption
Cipher Text
RoundKey
AddRoundKey
1 st Round
RoundKey *
AddRoundKey
1 st Round
SubBytes
InvShiftRows
RoundKey
ShiftRows
MixColumns
AddRoundKey
Repeat
N r -1
Round
RoundKey *
InvSubBytes
AddRoundKey
InvMixColumns
Repeat
N r -1
Round
RoundKey
SubBytes
ShiftRows
AddRoundKey
Last
Round
RoundKey *
InvShiftRows
InvSubBytes
AddRoundKey
Last
Round
CipherText
Plain Text
*
RoundKey Added in reverse order

Larger Plain Texts
Encryption
• How to encrypt texts larger than 16 bytes
• Answer: Encrypt one block at a time
Electronic CodeBook Mode
But this can be subject to frequency analysis

Larger Plain Texts
Encryption
• How to avoid frequency analysis
• Answer: Cipher Block Chaining
The original image
An image
encrypted
without any
form of Cipher
Block
Chainging
An image
encrypted
with cipher
block
chainging

Larger Plain Texts
Encryption
Cipher Block Chaining

Larger Plain Texts
Decryption

Padding
• If plaintext messages are not divisible by
16 bytes. Padding may be a solution.
• An easy method is to add a single 1 bit at
the end of the message followed by
enough 0’s to fill the block.
– If the block is filled, encode one more block
with a 1 followed by 0’s.

Attacks on AES
• Differential Cryptanalysis – Study of how
differences in input affect differences in
output.
– Greatly reduced due to high number of rounds.
• Linear Cryptanalysis – Study of correlations
between input and output.
– SBOX & Mix Columns are designed to frustrate
Linear Analysis

Attacks on AES
• XSL Cryptanalysis – A new attack method
developed in 2002, Analyses ciphers
internal workings and generates a system
on nonlinear simultaneous equations.
– AES analyses to 8000 equations and 1600
unknowns.
– It is arguable if this can be solved any faster
than a brute force attack.

Attacks on AES
• Side Channel Attacks – Attacks based on
studying and measuring the actual
implementation of the code.
– For some implementations of AES the key has
been obtained in under 100 minutes.
• Computer running AES was 850MHz, Pentium III
running FreeBSD 4.8

Types of Side Channel Attacks
• Timing Attacks – Watches movement of
data in and out of the CPU or memory.
– It is difficult to retrieve an array element in a
time that is not dependent on the index value.
• Power Attacks – Watches power
consumption by CPU or memory.
– Changing one bit requires considerably less
power than changing all bits in a byte.

Attack Precautions
• Avoid use of arrays. Compute values in
SBOX and rCon.
• Design algorithms and devices to work
with constant time intervals. (independent
of key and plaintext.)
– Hidden CPU timing data is a threat.
• Use same memory throughout, Cache is
faster than DRAM
• Compute Key Expansion on the fly.
• Utilize pipelining to stabilize CPU power
consumption.

Joan Daemen & Vincent Rijmen’s
AES Selling Points
• Extremely fast compared to other block
ciphers. (tradeoff between size and speed)
• The round transformation is parallel by
design. Important in dedicated hardware.
• Amenable to pipelining
• The cipher does not use arithmetic
operations so has no bias towards big or
little endian architectures.

Joan Daemen & Vincent Rijmen’s
AES Selling Points

Joan Daemen & Vincent Rijmen’s
AES Limitations
• The inverse cipher is less suited to smart
cards, as it takes more codes and cycles.
• The cipher and inverse cipher make use of
different codes and/or tables.
• In hardware, The inverse cipher can only
partially re-use circuitry which implements
the cipher.

References
About AES
AES Proposal : Rijndael
Joan Daemen, Vincent Rijmen,
2nd version of document to NIST
Polynomials in the Nations Service: Using Algebra to Design the
Advanced Encryption Standard Susan Landau
The Mathmatical Association of America,
Monthly 111 Feb 2004 Page(s):89-117
Selecting the Advanced Encryption Standard Burr, W.E.;
Security & Privacy Magazine, IEEE
Volume 1, Issue 2, Mar-Apr 2003 Page(s):43 - 52
Title: Introduction to Cryptography
Author: Johannes A Buchman
Publisher: Springer; 2 edition (July 13, 2004)

References
Security and Attacking AES
Power-analysis attack on an ASIC AES implementation
Ors, S.B.; Gurkaynak, F.; Oswald, E.; Preneel, B.;Information Technology:
Coding and Computing, 2004. Proceedings. ITCC 2004. International
Conference onVolume 2, 2004 Page(s):546 - 552 Vol.2
Algebraic attacks on cipher systems
Penzhorn, W.T.;
AFRICON, 2004. 7th AFRICON Conference in Africa
Volume 2, 2004 Page(s):969 - 974 Vol.2
Cache-Timing attacks on AES Daniel J Bernstein
Preliminary version of report to National Science Foundation, grant CCR-
9983950

Applications / Implementations: AES
References
A high throughput low cost AES processor
Chih-Pin Su; Tsung-Fu Lin; Chih-Tsiun Huang; Cheng-Wen Wu;
Communications Magazine, IEEE
Volume 41, Issue 12, Dec. 2003 Page(s):86 - 91
An efficient FPGA implementation of advanced encryption standard
algorithm
Shuenn-Shyang Wang; Wan-Sheng Ni;
Circuits and Systems, 2004. ISCAS '04.
Volume 2, 23-26 May 2004 Page(s):II - 597-600 Vol.2
High-speed VLSI architectures for the AES algorithm
Xinmiao Zhang; Parhi, K.K.;
Very Large Scale Integration (VLSI) Systems
Volume 12, Issue 9, Sept. 2004 Page(s):957 – 967
Fast implementation of AES cryptographic algorithms in smart cards
Chi-Feng Lu; Yan-Shun Kao; Hsia-Ling Chiang; Chung-Huang Yang;
Security Technology, 2003.
14-16 Oct. 2003 Page(s):573 - 579

References
Applications / Implementations : AES
A new VLSI implementation of the AES algorithm
Liang Deng; Hongyi Chen;
Communications, Circuits and Systems and West Sino Expositions, IEEE
2002 International Conference on
Volume 2, 29 June-1 July 2002 Page(s):1500 - 1504 vol.2