Chapter 7 Advanced Encryption Standard (AES)

Chapter 7Advanced Encryption Standard(AES)7.1Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

7-1 INTRODUCTIONThe Advanced Encryption Standard (AES) is asymmetric-key block cipher published by the NationalInstitute of Standards and Technology (NIST) inDecember 2001.Topics discussed in this section:7.1.1 History7.1.2 Criteria7.1.3 Rounds7.1.4 Data Units7.1.5 Structure of Each Round7.3

7.1.1 History.In February 2001, NIST announced that a draft of theFederal Information Processing Standard (FIPS) wasavailable for public review and comment. Finally, AESwas published as FIPS 197 in the Federal Register inDecember 2001.7.4

7.1.2 CriteriaThe criteria defined by NIST for selecting AES fallinto three areas:1. Security2. Cost3. Implementation.7.5

7.1.4 Data Units.Figure 7.2 Data units used in AES7.8

7.1.4 ContinueFigure 7.3 Block-to-state and state-to-block transformation7.9

7.1.4 ContinueExample 7.1ContinueFigure 7.4 Changing plaintext to state7.10

7.1.5 Structure of Each RoundFigure 7.5 Structure of each round at the encryption site7.11

7-2 TRANSFORMATIONSTo provide security, AES uses four types oftransformations: substitution, permutation, mixing,and key-adding.Topics discussed in this section:7.2.1 Substitution7.2.2 Permutation7.2.3 Mixing7.2.4 Key Adding7.12

7.2.1 SubstitutionAES, like DES, uses substitution. AES uses twoinvertible transformations.SubBytesThe first transformation, SubBytes, is used at theencryption site. To substitute a byte, we interpret the byteas two hexadecimal digits.NoteThe SubBytes operation involves 16independent byte-to-byte transformations.7.13

7.2.1 ContinueFigure 7.6 SubBytes transformation7.14

7.157.2.1 Continue

7.167.2.1 Continue

7.2.1 ContinueInvSubBytes7.17

7.2.1 ContinueInvSubBytes (Continued)7.18

7.2.1 ContinueExample 7.2Figure 7.7 shows how a state is transformed using theSubBytes transformation. The figure also shows that theInvSubBytes transformation creates the original one. Notethat if the two bytes have the same values, theirtransformation is also the same.Figure 7.7 SubBytes transformation for Example 7.27.19

7.2.1 ContinueTransformation Using the GF(2 8 ) FieldAES also defines the transformation algebraically usingthe GF(28) field with the irreducible polynomials(x 8 + x 4 + x 3 + x + 1), as shown in Figure 7.8.NoteThe SubBytes and InvSubBytestransformations are inverses of each other.7.20

7.2.1 ContinueFigure 7.8 SubBytes and InvSubBytes processes7.21

7.2.1 ContinueExample 7.3Let us show how the byte 0C is transformed to FE by subbyteroutine and transformed back to 0C by the invsubbyteroutine.7.22

7.237.2.1 Continue

7.2.2 PermutationAnother transformation found in a round is shifting,which permutes the bytes.ShiftRowsIn the encryption, the transformation is called ShiftRows.Figure 7.9 ShiftRows transformation7.24

7.2.2 ContinueInvShiftRowsIn the decryption, the transformation is calledInvShiftRows and the shifting is to the right.7.25

7.2.2 ContinueExample 7.4Figure 7.10 shows how a state is transformed using ShiftRowstransformation. The figure also shows that InvShiftRowstransformation creates the original state.Figure 7.10 ShiftRows transformation in Example 7.47.26

7.2.3 MixingWe need an interbyte transformation that changes thebits inside a byte, based on the bits inside theneighboring bytes. We need to mix bytes to providediffusion at the bit level.Figure 7.11 Mixing bytes using matrix multiplication7.27

7.2.3 ContinueFigure 7.12 Constant matrices used by MixColumns and InvMixColumns7.28

7.2.3 ContinueMixColumnsThe MixColumns transformation operates at the columnlevel; it transforms each column of the state to a newcolumn.Figure 7.13 MixColumns transformation7.29

7.2.3 ContinueInvMixColumnsThe InvMixColumns transformation is basically the sameas the MixColumns transformation.NoteThe MixColumns and InvMixColumnstransformations are inverses of each other.7.30

7.317.2.3 Continue

7.2.3 ContinueExample 7.5Figure 7.14 shows how a state is transformed using theMixColumns transformation. The figure also shows that theInvMixColumns transformation creates the original one.Figure 7.14 The MixColumns transformation in Example 7.57.32

7.2.4 Key AddingAddRoundKeyAddRoundKey proceeds one column at a time.AddRoundKey adds a round key word with each statecolumn matrix; the operation in AddRoundKey is matrixaddition.NoteThe AddRoundKey transformation is theinverse of itself.7.33

7.2.4 ContinueFigure 7.15 AddRoundKey transformation7.34

7-3 KEY EXPANSIONTo create round keys for each round, AES uses a keyexpansionprocess. If the number of rounds is N r , thekey-expansion routine creates N r + 1 128-bit roundkeys from one single 128-bit cipher key.Topics discussed in this section:7.3.1 Key Expansion in AES-1287.3.2 Key Expansion in AES-192 and AES-2567.3.3 Key-Expansion Analysis7.35

7.367-3 Continued

7.3.1 Key Expansion in AES-128Figure 7.16 Key expansion in AES7.37

7.387.3.1 Continue

7.3.1 ContinueThe key-expansion routine can either use the abovetable when calculating the words or use the GF(2 8 )field to calculate the leftmost byte dynamically, asshown below (prime is the irreducible polynomial):7.39

7.407.3.1 Continue

7.417.3.1 ContinueExample 7.6Table 7.5 shows how the keys for each round are calculatedassuming that the 128-bit cipher key agreed upon by Aliceand Bob is (24 75 A2 B3 34 75 56 88 31 E2 12 00 13 AA 5487) 16 .

7.3.1 ContinueExample 7.7Each round key in AES depends on the previous round key.The dependency, however, is nonlinear because of SubWordtransformation. The addition of the round constants alsoguarantees that each round key will be different from theprevious one.Example 7.8The two sets of round keys can be created from two cipherkeys that are different only in one bit.7.42

7.437.3.1 ContinueExample 7.8 Continue

7.3.1 ContinueExample 7.9The concept of weak keys, as we discussed for DES inChapter 6, does not apply to AES. Assume that all bits in thecipher key are 0s. The following shows the words for somerounds:7.44The words in the pre-round and the first round are all thesame. In the second round, the first word matches with thethird; the second word matches with the fourth. However,after the second round the pattern disappears; every word isdifferent.

7.3.2 Key Expansion in AES-192 and AES-256Key-expansion algorithms in the AES-192 and AES-256versions are very similar to the key expansion algorithm inAES-128, with the following differences:7.45

7.3.3 Key-Expansion AnalysisThe key-expansion mechanism in AES has beendesigned to provide several features that thwart thecryptanalyst.7.46

7-4 CIPHERSAES uses four types of transformations for encryptionand decryption. In the standard, the encryptionalgorithm is referred to as the cipher and thedecryption algorithm as the inverse cipher.Topics discussed in this section:7.4.1 Original Design7.4.2 Alternative Design7.47

7.4.1 Original DesignFigure 7.17 Ciphers and inverse ciphers of the original design7.48

7.4.1 ContinueAlgorithmThe code for the AES-128 version of this design is shownin Algorithm 7.6.7.49

7.4.2 Alternative DesignFigure 7.18 Invertibility of SubBytes and ShiftRows combinations7.50

7.4.2 ContinueFigure 7.19 Invertibility of MixColumns and AddRoundKey combination7.51

7.4.2 ContinueFigure 7.20 Cipher and reverse cipher in alternate design7.52

7.4.2 ContinueChanging Key-Expansion AlgorithmInstead of using InvRoundKey transformation in thereverse cipher, the key-expansion algorithm can bechanged to create a different set of round keys for theinverse cipher.7.53

7-5 ExamplesIn this section, some examples of encryption/decryption and key generation are given to emphasizesome points discussed in the two previous sections.Example 7.10The following shows the ciphertext block created from aplaintext block using a randomly selected cipher key.7.54

7-5 ContinuedExample 7.10Continued7.55

7-5 ContinuedExample 7.10Continued7.56

7-5 ContinuedExample 7.10Continued7.57

7-5 ContinuedExample 7.11Figure 7.21 shows the state entries in one round, round 7, inExample 7.10.Figure 7.21 States in a single round7.58

7-5 ContinuedExample 7.12One may be curious to see the result of encryption when theplaintext is made of all 0s. Using the cipher key in Example7.10 yields the ciphertext.7.59

7-5 ContinuedExample 7.13Let us check the avalanche effect that we discussed inChapter 6. Let us change only one bit in the plaintext andcompare the results. We changed only one bit in the last byte.The result clearly shows the effect of diffusion and confusion.Changing a single bit in the plaintext has affected many bitsin the ciphertext.7.60

7-5 ContinuedExample 7.14The following shows the effect of using a cipher key in whichall bits are 0s.7.61

7-6 ANALYSIS OF AESThis section is a brief review of the threecharacteristics of AES.Topics discussed in this section:7.6.1 Security7.6.2 Implementation7.6.3 Simplicity and Cost7.62

7.6.1 Security7.63AES was designed after DES. Most of the knownattacks on DES were already tested on AES.Brute-Force AttackAES is definitely more secure than DES due to thelarger-size key.Statistical AttacksNumerous tests have failed to do statistical analysis ofthe ciphertext.Differential and Linear AttacksThere are no differential and linear attacks on AES asyet.

7.6.1 ContinueStatistical AttacksNumerous tests have failed to do statistical analysis ofthe ciphertext.Differential and Linear AttacksThere are no differential and linear attacks on AES asyet.7.64

7.6.2 ImplementationAES can be implemented in software, hardware, andfirmware. The implementation can use table lookupprocess or routines that use a well-defined algebraicstructure.7.65

7.6.3 Simplicity and CostThe algorithms used in AES are so simple that theycan be easily implemented using cheap processors anda minimum amount of memory.7.66