Department of Information Science and Engineering
Cryptography and Network Security
Subject Code: 21IST44
Module 3: Advanced Encryption Standard
By
Dr Mohan D N
Assistant Professor
Introduction
There is a high level of confidence that 3DES is very resistant to cryptanalysis. If security were the
only consideration, then 3DES would be an appropriate choice for a standardized encryption
algorithm for decades to come.
The principal drawback of 3DES is that the algorithm is relatively sluggish in software. The original
DES was designed for mid-1970s hardware implementation and does not produce efficient software
code. 3DES, which has three times as many rounds as DES, is correspondingly slower. A secondary
drawback is that both DES and 3DES use a 64-bit block size. For reasons of both efficiency and
security, a larger block size is desirable.
Because of these drawbacks, 3DES is not a reasonable candidate for long-term use. As a replacement,
NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which
should have a security strength equal to or better than 3DES and significantly improved efficiency. In
addition to these general requirements, NIST specified that AES must be a symmetric block cipher
with a block length of 128 bits and support for key lengths of 128, 192, and 256 bits.
The two researchers who developed and submitted Rijndael for the AES are both cryptographers from
Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.
AES replaced DES encryption
• The Data Encryption Standard, also known as DES, is no longer considered secure. While
there are no known severe weaknesses in its internals, it is inherently flawed because its 56-bit
key is too short. A German court recently declared DES to be “out-of-date and not secure
enough,” and held a bank accountable for utilizing it.
• One of the primary objectives for the DES replacement algorithm from the National Institute
of Standards and Technology (NIST) was that it be efficient in both software and hardware
implementations. (Originally, DES was only practical in hardware implementations.)
Performance analysis of the algorithms was carried out using Java and C reference
implementations. AES was chosen in an open competition that included 15 candidate algorithms
submitted by research teams from around the world, and the overall amount of resources
dedicated to the process was enormous.
• Finally, in October 2000, the National Institute of Standards and Technology (NIST)
announced Rijndael as the proposed Advanced Encryption Standard (AES).
Difference between 3DES and AES encryption
• Both AES and 3DES, often known as triple DES, are symmetric block ciphers that have served as
standardized data encryption algorithms, though the use of 3DES has become increasingly unpopular in recent
years. Both have the same goals and objectives, yet they differ in important ways: 3DES keeps the 64-bit
DES block and is slow in software, while AES uses a 128-bit block, supports 128-, 192- and 256-bit keys,
and was designed to be efficient in both hardware and software.
AES Evaluation
It is worth examining the criteria used by NIST to evaluate potential candidates. When NIST
issued its original request for candidate algorithm nominations in 1997 [NIST97], the request
stated that candidate algorithms would be compared on the following three categories of criteria:
i. Security: This refers to the effort required to cryptanalyze an algorithm. The emphasis in
the evaluation was on the practicality of the attack. Because the minimum key size for AES
is 128 bits, brute-force attacks with current and projected technology were considered
impractical. Therefore, the emphasis, with respect to this point, is on cryptanalysis other than
brute-force attack.
ii. Cost: NIST intends AES to be practical in a wide range of applications. Accordingly, AES
must have high computational efficiency, so as to be usable in high-speed applications, such
as broadband links.
iii. Algorithm and implementation characteristics: This category includes a variety of
considerations, including flexibility; suitability for a variety of hardware and software
implementations; and simplicity, which will make an analysis of security more
straightforward.
Operations of AES
AES is an iterative rather than Feistel cipher. It is based on a substitution–permutation network. It
comprises a series of linked operations, some of which involve replacing inputs by specific outputs
(substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits
of a plaintext block as 16 bytes. These 16 bytes are arranged in four rows and four columns for
processing as a matrix, filled column by column: byte i of the block goes to row i mod 4, column i div 4.
Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10
rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these
rounds uses a different 128-bit round key, which is calculated from the original AES key.
The Triple Data Encryption Algorithm (TDEA or 3DES) is being officially decommissioned, according
to draft guidelines published by NIST on July 19, 2018. According to the guidelines, 3DES will be
deprecated for all new applications following a period of public comment, and its use will be
disallowed after 2023.
The AES Cipher (figure)
AES Encryption Process
• The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a
16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key (Table 6.1).
• The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently.
• The final round contains only three transformations (it omits MixColumns), and there is an initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation
takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output.
• The figure shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the
ciphertext.
• Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix.
• Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
AES Key Expansion
• takes a 128-bit (16-byte) key and expands it into an array of 44 32-bit words
• starts by copying the key into the first 4 words
• then loops, creating words that depend on the values of the previous word and the word 4 places
back
  - in 3 of 4 cases these are just XORed together
  - the 1st word in each group of 4 has rotate + S-box + XOR round constant applied to the previous word,
before XORing with the word 4 back
Figure 6.2 AES Data Structures
The AES Detailed Structure
1. AES structure is not a Feistel structure. In the classic Feistel structure, half of the data block is used
to modify the other half of the data block and then the halves are swapped. AES instead processes
the entire data block as a single matrix during each round using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four
distinct words (128 bits) serve as a round key for each round; these are indicated in the figure.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.
• ShiftRows: A simple permutation.
• MixColumns: A substitution that makes use of arithmetic over GF(2^8) (finite field arithmetic).
• AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.
The AES Detailed Structure Contd..
4. The structure is quite simple. For both encryption and decryption, the cipher begins with an
AddRoundKey stage, followed by nine rounds that each include all four stages, followed by a
tenth round of three stages (for a 128-bit key; 192- and 256-bit keys use 12 and 14 rounds).
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and ends
with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible
without knowledge of the key and so would add no security.
6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be
formidable. The other three stages together provide confusion, diffusion, and nonlinearity, but
by themselves would provide no security because they do not use the key. We can view the
cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by
scrambling of the block (the other three stages), followed by XOR encryption, and so on. This
scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the SubBytes, ShiftRows, and MixColumns stages, an
inverse function is used in the decryption algorithm. For the AddRoundKey stage, the inverse is
achieved by XORing the same round key to the block, using the result that A ⊕ B ⊕ B = A.
The AES Detailed Structure Contd..
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse
order. However, the decryption algorithm is not identical to the encryption algorithm. This is a
consequence of the particular structure of AES.
9. Once it is established that all four stages are reversible, it is easy to verify that decryption does
recover the plaintext. At each horizontal point (e.g., the dashed line in the figure), State is the
same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a
consequence of the particular structure of AES and is required to make the cipher reversible.
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
   • four words form round key in each round
3. 4 different stages are used in each round
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
AES TRANSFORMATION FUNCTIONS
1. SUBSTITUTE BYTES
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits)
  - e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}
• S-box constructed using a defined transformation of values in GF(2^8)
• designed to be resistant to all known cryptanalytic attacks
Substitute Bytes (figure)
S-Box (table)
Substitute Bytes Example (figure)
2. SHIFT ROWS
• a circular byte shift in each row
  - Row 0: 0 bytes circular shift to left
  - Row 1: 1 byte circular shift to left
  - Row 2: 2 bytes circular shift to left
  - Row 3: 3 bytes circular shift to left
• decryption inverts this using shifts to the right
• since the state is processed by columns, this step permutes bytes between the columns
Shift Rows (figure)
3. MIX COLUMNS
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8)
Mix Columns (figure)
Mix Columns Example (figure)
Addition and Multiplication in GF(2^8)
• In GF(2^8), addition is the bitwise XOR operation and multiplication can be performed as follows:
• Multiplication of a value by x (i.e. by {02}) can be implemented as a 1-bit left shift followed by a
conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value (prior to the shift) is 1.
The constant (0001 1011) = {1B} is the low byte of the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
• Multiplication by {03} is then ({02} · b) ⊕ b, so every MixColumns coefficient reduces to shifts and XORs.
Mix Columns Example (figure)
4. ADD ROUND KEY
• XOR state with the 128 bits of the round key
• again processed by column (though effectively a series of byte operations)
• inverse for decryption is identical, since XOR is its own inverse, with the round keys in reverse order
• designed to be as simple as possible
  - a form of Vernam cipher on the expanded key
  - requires the other stages for complexity / security
Add Round Key (figure)
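The whole cipher as these slides describe it, as an added example in pure Python (it is not code from the lecture, from FIPS 197 or from any library, and the function names are this example's own): the S-box is built from the GF(2^8) inverse and affine map rather than copied from the table, the key expansion covers 128-, 192- and 256-bit keys (including the extra SubWord step for 256-bit keys mentioned in the notes), MixColumns uses the xtime shift-and-XOR trick from the previous slide, and the inverse cipher applies the inverse stages with the round keys in reverse order. It assumes nothing beyond the Python standard library.

```python
# AES (FIPS 197) from scratch: S-box construction, key expansion, the four
# round stages, the cipher and the inverse cipher. Added example, not the
# lecture's own code. Illustrative only: table lookups and data-dependent
# loops are not constant-time, so use a vetted library for real traffic.
# State = flat list of 16 bytes, column-major: state[r + 4*c] is row r, col c.
from functools import reduce
from operator import xor

def xtime(b):
    """Multiply by {02} in GF(2^8): shift left, XOR 0x1b if a bit shifted out."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add on top of xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box = inverse in GF(2^8) then the affine map (FIPS 197, Sec. 5.1.1)."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for x in range(256):
        b, s = inv[x], 0x63            # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
        for i in range(5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s)
    inv_sbox = [0] * 256
    for x, s in enumerate(sbox):
        inv_sbox[s] = x
    return sbox, inv_sbox

SBOX, INV_SBOX = _build_sbox()

def expand_key(key):
    """Key expansion (FIPS 197, Sec. 5.2) for 16/24/32-byte keys: 4*(Nr+1) words.
    Every Nk-th word gets RotWord + SubWord + Rcon; AES-256 also SubWords the
    word four places after that."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("key must be 16, 24 or 32 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nk + 7)):           # Nr = Nk + 6
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[x] for x in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

def add_round_key(s, w, rnd):
    """XOR the state with round key rnd; key word c is state column c."""
    return [s[i] ^ w[4 * rnd + i // 4][i % 4] for i in range(16)]

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Rotate row r left by r bytes (right when inverting)."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, inverse=False):
    """Multiply each column by the circulant matrix over GF(2^8)."""
    m = (0x0E, 0x0B, 0x0D, 0x09) if inverse else (0x02, 0x03, 0x01, 0x01)
    return [reduce(xor, (gf_mul(m[(j - r) % 4], s[4 * c + j]) for j in range(4)))
            for c in range(4) for r in range(4)]

def encrypt_block(key, block):
    """Cipher (Sec. 5.1): AddRoundKey, Nr-1 full rounds, last round w/o MixColumns."""
    w = expand_key(key)
    nr = len(w) // 4 - 1
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, nr))

def decrypt_block(key, block):
    """Inverse cipher (Sec. 5.3): round keys in reverse, each stage inverted."""
    w = expand_key(key)
    nr = len(w) // 4 - 1
    s = add_round_key(list(block), w, nr)
    for rnd in range(nr - 1, 0, -1):
        s = sub_bytes(shift_rows(s, True), INV_SBOX)
        s = mix_columns(add_round_key(s, w, rnd), True)
    return bytes(add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), w, 0))
```

Calling `encrypt_block(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"), bytes.fromhex("3243f6a8885a308d313198a2e0370734")).hex()` returns the FIPS 197 Appendix B result 3925841d02dc09fbdc118597196a0b32, and `decrypt_block` on that ciphertext gives the plaintext back; `SBOX[0x95]` is 0x2A as on the SubBytes slide. Two caveats a practitioner should keep in mind: this is the raw 16-byte block primitive, so real data still needs a mode of operation with authentication, and the table lookups here leak timing information, which is why production AES uses hardware instructions or bitsliced code rather than this layout.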

Editor's Notes

  • #9: Freedom from risk or danger; safety means taking appropriate measures for prevention of attacks. having systems in place beforehand which prevent attacks before they begin. Related to the first definition, having peace of mind knowing that your systems are safe and protected. This includes contingency plans for what to do when attackers strike, keeping up with the latest CERT advisories, hiring network security consultants to find insecurities in your network, etc.
  • #10: The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of words, providing a 4-word round key for the initial AddRoundKey stage and each of the 10/12/14 rounds of the cipher. It involves copying the key into the first group of 4 words, and then constructing subsequent groups of 4 based on the values of the previous & 4th back words. The first word in each group of 4 gets “special treatment” with rotate + S-box + XOR constant on the previous word before XOR’ing the one from 4 back. In the 256-bit key/14 round version, there’s also an extra step on the middle word. The text includes in section 5.4 pseudocode that describes the key expansion.
  • #11: The first block of the AES Key Expansion is shown here in Stallings Figure 5.9a. It shows each group of 4 bytes in the key being assigned to the first 4 words, then the calculation of the next 4 words based on the values of the previous 4 words, which is repeated enough times to create all the necessary subkey information.
  • #13: Stallings Figure 5.3 shows the structure of AES in more detail. The cipher consists of N rounds, where the number of rounds depends on the key length: 10 rounds for a 16-byte key; 12 rounds for a 24-byte key; and 14 rounds for a 32-byte key. The first N – 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described subsequently. The final round contains only 3 transformations, and there is an initial single transformation (AddRoundKey) before the first round, which can be considered Round 0. Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the final round being the ciphertext. Also, the key expansion function generates N + 1 round keys, each of which is a distinct 4 x 4 matrix. Each round key serves as one of the inputs to the AddRoundKey transformation in each round.
  • #17: Before delving into details, can make several comments about the overall AES structure. See text for details.
  • #19: We now turn to a discussion of each of the four transformations used in AES. For each stage, we mention the forward (encryption) algorithm, the inverse (decryption) algorithm, and the rationale for the design of that stage. The Substitute bytes stage uses an S-box to perform a byte-by-byte substitution of the block. There is a single 8-bit wide S-box used on every byte. This S-box is a permutation of all 256 8-bit values, constructed using a transformation which treats the values as polynomials in GF(2^8); however it is fixed, so you really only need to know the table when implementing. Decryption requires the inverse of the table. These tables are given in Stallings Table 5.2. The table was designed to be resistant to known cryptanalytic attacks. Specifically, the Rijndael developers sought a design that has a low correlation between input bits and output bits, with the property that the output cannot be described as a simple mathematical function of the input, with no fixed points and no “opposite fixed points”.
  • #20: As this diagram from Stallings Fig 5.5a shows, the Byte Substitution operates on each byte of state independently, with the input byte used to index a row/col in the table to retrieve the substituted value.
  • #22: Show an example of the SubBytes transformation from the text.
  • #23: The ShiftRows stage provides a simple “permutation” of the data, whereas the other steps involve substitutions. Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns. It performs a circular rotate on each row of 0, 1, 2 & 3 places for respective rows. When decrypting it performs the circular shifts in the opposite direction for each row. This row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns.
  • #24: Stalling Figure 5.7a illustrates the Shift Rows permutation. Then show an example of ShiftRows from the text.
  • #25: The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. It is a substitution that makes use of arithmetic over GF(2^8), designed as a matrix multiplication where each byte is treated as a polynomial in GF(2^8). The inverse used for decryption involves a different set of constants. The constants used are based on a linear code with maximal distance between code words, which gives good mixing of the bytes within each column. Combined with the “shift rows” step this provides good avalanche, so that within a few rounds, all output bits depend on all input bits.
  • #26: Stalling Figure 5.5b illustrates the Mix Columns transformation.
  • #27: Show an example of the MixColumns transformation from the text, along with verification of the first column of this example.
  • #30: Lastly is the Add Round Key stage, which is a simple bitwise XOR of the current block with a portion of the expanded key. Note this is the only step which makes use of the key and obscures the result, hence it MUST be used at the start and end of the cipher, since otherwise the effect of the other steps could be undone without the key. The other steps provide confusion/diffusion/non-linearity. That is, you can look at the cipher as a series of XOR-with-key then scramble/permute-block operations, repeated. This is believed to be both efficient and highly secure.
  • #31: Stallings Figure 5.5b illustrates the Add Round Key stage, which like Byte Substitution, operates on each byte of state independently.