
Ch06 Crypto7e


Cryptography and Network Security
Seventh Edition, Global Edition
by William Stallings

© 2017 Pearson Education, Ltd., All rights reserved.


Chapter 6
Advanced Encryption Standard



Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) in 2001.
• AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications.
• Compared to public-key ciphers such as RSA, the structure of AES and most

Finite Field Arithmetic
• In the Advanced Encryption Standard (AES) all operations are performed on 8-bit bytes.
• The arithmetic operations of addition, multiplication, and division are performed over the finite field GF(2^8)
• A field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
• Division is defined with the following rule:
• a/b = a(b^-1)
• An example of a finite field (one with a finite number of elements) is the set Z_p consisting of all the integers {0, 1, ..., p - 1}, where p is a prime number and in which arithmetic is carried out modulo p.
• What will be Z_5, Z_7, Z_11?

Finite Field Arithmetic
If one of the operations used in the algorithm is division, then we need to work in arithmetic defined over a field
• Division requires that each nonzero element have a multiplicative inverse
For convenience and for implementation efficiency we would like to work with integers that fit exactly into a given number of bits with no wasted bit patterns
• Integers in the range 0 through 2^n – 1, which fit into an n-bit word
The set of such integers, Z_{2^n}, using modular arithmetic, is not a field
• For example, the integer 2 has no multiplicative inverse in Z_{2^n}, that is, there is no integer b, such that 2b mod 2^n = 1
A finite field containing 2^n elements is referred to as GF(2^n)
• Every polynomial in GF(2^n) can be represented by an n-bit number


AES Structure – I
• Figure 6.1 on the next slide shows the overall structure of the AES encryption process.
• The cipher takes a plaintext block size of 128 bits, or 16 bytes.
• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits).
• The algorithm is referred to as AES-128, AES-192, or AES-256, depending

AES Structure – II
• The input to the encryption and decryption algorithms is a single 128-bit block.
• In FIPS PUB 197, this block is depicted as a 4 × 4 square matrix of bytes.
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix. These operations are depicted in Figure 6.2a.
• Similarly, the key is depicted as a square matrix of bytes

AES Structure – III
• This key is then expanded into an array of key schedule words.
• Figure 6.2b shows the expansion for the 128-bit key. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key.
• Note that the ordering of bytes within a matrix is by column.
• So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on.
• Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.

Table 6.1
AES Parameters



AES Structure – IV
• The cipher consists of N rounds, where the number of rounds depends on the key length:
• 10 rounds for a 16-byte key,
• 12 rounds for a 24-byte key, and
• 14 rounds for a 32-byte key.
• The first N - 1 rounds consist of four distinct transformation functions:
• SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently.
• The final round contains only three transformations.
• There is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0.

AES Structure – V
• Each transformation takes one or more 4 × 4 matrices as input and produces a 4 × 4 matrix as output.
• Figure 6.1 shows that the output of each round is a 4 × 4 matrix, with the output of the final round being the ciphertext.
• Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 × 4 matrix.
• Each round key serves as one of the inputs to the AddRoundKey transformation in each round.

Detailed Structure
• Processes the entire data block as a single matrix during each round using substitutions and permutation
• The key that is provided as input is expanded into an array of forty-four 32-bit words (11 rounds, each one is 128 bits), w[i]
• Four different stages are used:
• Substitute bytes – uses an S-box to perform a byte-by-byte substitution of the block
• ShiftRows – a simple permutation
• MixColumns – a substitution that makes use of arithmetic over GF(2^8)
• AddRoundKey – a simple bitwise XOR of the current block with a portion of the expanded key
• The cipher begins and ends with an AddRoundKey stage
• Can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on
• Each stage is easily reversible
• The decryption algorithm makes use of the expanded key in reverse order, however the decryption algorithm is not identical to the encryption algorithm
• State is the same for both encryption and decryption
• Final round of both encryption and decryption consists of only three stages

AES Transformation Functions

Substitute Bytes Transformation – I
• The forward substitute byte transformation, called SubBytes, is a simple table lookup.
• AES defines a 16 × 16 matrix of byte values, called an S-box (Table 6.2a), that contains a permutation of all possible 256 8-bit values.

Table 6.2 (a) S-box
(Table can be found on page 163 in textbook)
Table 6.2 (b) Inverse S-box
(Table can be found on page 163 in textbook)


Substitute Bytes Transformation – II
• Each individual byte of State is mapped into a new byte in the following way:
• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value.
• These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}.
• Accordingly, the value {95} is mapped into the value {2A}.

S-Box Rationale
• The S-box is designed to be resistant to known cryptanalytic attacks
• The Rijndael developers sought a design that has a low correlation between input bits and output bits and the property that the output is not a linear mathematical function of the input
• The nonlinearity is due to the use of the multiplicative inverse

S-Box Rationale
• Initialize the S-box with the byte values in ascending sequence row by row.
• The first row contains {00}, {01}, {02}, ..., {0F}; the second row contains {10}, {11}, etc.; and so on.
• Thus, the value of the byte at row y, column x is {yx}.
• Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
• Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0).
• Apply the following transformation to each bit of each byte in the S-box:

Shift Row Transformation
• The forward shift row transformation, called ShiftRows:
• The first row of State is not altered.
• For the second row, a 1-byte circular left shift is performed.
• For the third row, a 2-byte circular left shift is performed.
• For the fourth row, a 3-byte circular left shift is performed.
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction
• For each of the last three rows, with a 1-byte

Shift Row Rationale
• More substantial than it may first appear
• The State, as well as the cipher input and output, is treated as an array of four 4-byte columns
• On encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on
• The round key is applied to State column by column
• Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes
• Transformation ensures that the 4 bytes of one column are spread out to four different columns

Shift Row Transformation

Mix Column Transformation
• The forward mix column transformation, called MixColumns, operates on each column individually.
• Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
• Each element in the product matrix is the sum of products of elements of one row and one column.

Mix Column Transformation

Mix Columns Rationale
• Coefficients of a matrix based on a linear code with maximal distance between code words ensure a good mixing among the bytes of each column
• The mix column transformation combined with the shift row transformation ensures that after a few rounds all output bits depend on all input bits

MixColumns

AddRoundKey Transformation
• The 128 bits of State are bitwise XORed with the 128 bits of the round key
• Operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key
• Can also be viewed as a byte-level operation
Rationale:
• Is as simple as possible and affects every bit of State
• The complexity of the round key expansion plus the complexity of the other stages of AES ensure security

AES Key Expansion
• Takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes)
• This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher
• Key is copied into the first four words of the expanded key
• The remainder of the expanded key is filled in four words at a time
• Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4]
• In three out of four cases a simple XOR is used
• For a word whose position in the w array is a multiple of 4, a more complex function is used

Key Expansion Rationale
• The Rijndael developers designed the expansion key algorithm to be resistant to known cryptanalytic attacks
• Inclusion of a round-dependent round constant eliminates the symmetry between the ways in which round keys are generated in different rounds
The specific criteria that were used are:
• Knowledge of a part of the cipher key or round key does not enable calculation of many other round-key bits
• An invertible transformation
• Speed on a wide range of processors
• Usage of round constants to eliminate symmetries
• Diffusion of cipher key differences into the round keys
• Enough nonlinearity to prohibit the full determination of round key differences from cipher key differences only
• Simplicity of description

AES Example

AES Example – I
• For this example, the plaintext is a hexadecimal palindrome.
• The plaintext, key, and resulting ciphertext are
• Plaintext: 0123456789abcdeffedcba9876543210
• Key: 0f1571c947d9e8590cb7add6af7f6798
• Ciphertext: ff0b844a0853bf7c6934ab4364148fb9

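The S-box construction, the key expansion and the round structure from the slides above can be checked against this example's plaintext, key and ciphertext. The Python below is an added example, not code from the textbook or the slides: the function names are chosen here, the reduction polynomial 0x11B, affine constant 0x63, round constants and MixColumns coefficients are those of FIPS PUB 197, and it is teaching code that is not constant-time.

```python
# AES-128 encryption assembled from the stages on the slides (added teaching example).
def gmul(a, b):  # multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def ginv(a):  # multiplicative inverse computed as a^254; {00} stays {00}
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def build_sbox():  # inverse in GF(2^8), then the FIPS PUB 197 affine step (constant 0x63)
    box = []
    for x in range(256):
        b, y = ginv(x), 0x63
        for k in range(5):  # XOR in b rotated left by 0, 1, 2, 3 and 4 bits
            y ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(y)
    return box

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):  # 16-byte key -> 44 four-byte words w[0..43]
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # the "more complex function": RotWord, SubWord, XOR round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def shift_rows(s):  # State is column-major, s[4*c + r]; row r rotates left by r bytes
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):  # each column times the matrix whose first row is 02 03 01 01
    return [gmul(2, s[c + r]) ^ gmul(3, s[c + (r + 1) % 4]) ^
            s[c + (r + 2) % 4] ^ s[c + (r + 3) % 4]
            for c in range(0, 16, 4) for r in range(4)]

def aes128_encrypt(block, key):
    w = expand_key(key)
    rk = lambda n: [b for word in w[4 * n:4 * n + 4] for b in word]
    s = [a ^ b for a, b in zip(block, rk(0))]  # Round 0: AddRoundKey only
    for n in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])   # SubBytes, then ShiftRows
        if n < 10:                             # the final round has no MixColumns
            s = mix_columns(s)
        s = [a ^ b for a, b in zip(s, rk(n))]  # AddRoundKey
    return bytes(s)

# Values from the "AES Example – I" slide.
PT = bytes.fromhex("0123456789abcdeffedcba9876543210")
KEY = bytes.fromhex("0f1571c947d9e8590cb7add6af7f6798")
```

`aes128_encrypt(PT, KEY).hex()` reproduces the slide's ciphertext, and `SBOX[0x95]` is the {2A} quoted for SubBytes.
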
AES Example – II
• Table 6.3 shows the expansion of the 16-byte key into 10 round keys.
• As previously explained, this process is performed word by word, with each four-byte word occupying one column of the word round-key matrix.
• The left-hand column shows the four round-key words generated for each round.
• The right-hand column shows the steps used to generate the auxiliary word used in key expansion.

Table 6.3 AES Example Key Expansion
(Table is located on page 175 in textbook)


AES Example – III
• Table 6.4 shows the progression of State through the AES encryption process.
• The first column shows the value of State at the start of a round.
• For the first row, State is just the matrix arrangement of the plaintext.
• The second, third, and fourth columns show the value of State for that round after the SubBytes, ShiftRows, and MixColumns transformations, respectively.
• The fifth column shows the round key. You can verify that these round keys equate with those shown in Table 6.3.
• The first column shows the value of State resulting from the bitwise XOR of State after the preceding MixColumns with the round key for the

Table 6.4 AES Example
(Table is located on page 177 in textbook)


AES Example: Avalanche Effect
• If a small change in the key or plaintext were to produce a corresponding small change in the ciphertext, this might be used to effectively reduce the size of the plaintext (or key) space to be searched.
• What is desired is the avalanche effect, in which a small change in plaintext or key produces a large change in the ciphertext.

Table 6.5 Avalanche Effect in AES: Change in Plaintext
(Table is located on page 178 in textbook)


Table 6.6 Avalanche Effect in AES: Change in Key
(Table is located on page 179 in textbook)


Equivalent Inverse Cipher
• AES decryption cipher is not identical to the encryption cipher
• The sequence of transformations differs although the form of the key schedules is the same
• Has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption
Two separate changes are needed to bring the decryption structure in line with the encryption structure
• The first two stages of the decryption round need to be interchanged
• The second two stages of the decryption round need to be interchanged


Interchanging InvShiftRows and InvSubBytes
• InvShiftRows affects the sequence of bytes in State but does not alter byte contents and does not depend on byte contents to perform its transformation
• InvSubBytes affects the contents of bytes in State but does not alter byte sequence and does not depend on byte sequence to perform its transformation
Thus, these two operations commute and can be interchanged

Interchanging AddRoundKey and InvMixColumns
• If we view the key as a sequence of words, then both AddRoundKey and InvMixColumns operate on State one column at a time
• The transformations AddRoundKey and InvMixColumns do not alter the sequence of bytes in State
• These two operations are linear with respect to the column input

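Both interchanges can be checked numerically. This is an added example, not code from the textbook or the slides: the function names and sample inputs are constructed here, the InvMixColumns coefficients 0E 0B 0D 09 are those of FIPS PUB 197, and it goes slightly beyond the slide by using an arbitrary byte permutation in place of the inverse S-box, since the first swap holds for any byte-wise substitution.

```python
def xtime(a):  # multiply a byte by {02} in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, k):  # a times the constant k, built from repeated xtime and XOR
    p = 0
    while k:
        if k & 1:
            p ^= a
        a, k = xtime(a), k >> 1
    return p

def add_round_key(s, k):  # State and key are 16 bytes, column-major: s[4*c + r]
    return [a ^ b for a, b in zip(s, k)]

def inv_shift_rows(s):  # row r rotates right by r bytes
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]

def inv_mix_columns(s):  # each column times the matrix whose first row is 0E 0B 0D 09
    return [gmul(s[c + r], 0x0E) ^ gmul(s[c + (r + 1) % 4], 0x0B) ^
            gmul(s[c + (r + 2) % 4], 0x0D) ^ gmul(s[c + (r + 3) % 4], 0x09)
            for c in range(0, 16, 4) for r in range(4)]

def byte_sub(s, table):  # any byte-wise substitution, for example InvSubBytes
    return [table[b] for b in s]

# Constructed inputs: an arbitrary State, the key from the AES Example slide used as a
# round key, and an arbitrary byte permutation standing in for the inverse S-box.
STATE = [(37 * i + 11) % 256 for i in range(16)]
ROUND_KEY = list(bytes.fromhex("0f1571c947d9e8590cb7add6af7f6798"))
TABLE = [(167 * b + 99) % 256 for b in range(256)]  # 167 is odd, so this is a permutation

def first_swap_holds():
    # InvShiftRows moves bytes, the substitution changes them: the order does not matter.
    return (inv_shift_rows(byte_sub(STATE, TABLE)) ==
            byte_sub(inv_shift_rows(STATE), TABLE))

def second_swap_holds():
    # Linearity: InvMixColumns(State XOR key) = InvMixColumns(State) XOR InvMixColumns(key).
    return (inv_mix_columns(add_round_key(STATE, ROUND_KEY)) ==
            add_round_key(inv_mix_columns(STATE), inv_mix_columns(ROUND_KEY)))

def second_swap_with_unchanged_key():
    # Swapping the two stages while keeping the same round key gives a different State.
    return (inv_mix_columns(add_round_key(STATE, ROUND_KEY)) ==
            add_round_key(inv_mix_columns(STATE), ROUND_KEY))
```

The last function returns False: the second interchange is valid only when the round key is also passed through InvMixColumns, which is the linearity property the slide states.
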
Implementation Aspects
• AES can be implemented very efficiently on an 8-bit processor
• AddRoundKey is a bytewise XOR operation
• ShiftRows is a simple byte-shifting operation
• SubBytes operates at the byte level and only requires a table of 256 bytes
• MixColumns requires matrix multiplication in the field GF(2^8), which means that all operations are carried out on bytes

Implementation Aspects
• Can efficiently implement on a 32-bit processor
• Redefine steps to use 32-bit words
• Can precompute 4 tables of 256-words
• Then each column in each round can be computed using 4 table lookups + 4 XORs
• At a cost of 4Kb to store tables
• Designers believe this very efficient implementation was a key factor in its selection as the AES cipher


Summary
• Finite field arithmetic
• AES structure
• General structure
• Detailed structure
• AES key expansion
• Key expansion algorithm
• Rationale
• AES transformation functions
• Substitute bytes
• ShiftRows
• MixColumns
• AddRoundKey
• AES implementation
• Equivalent inverse cipher
• Implementation aspects
