Symmetric Cryptography
AES in depth
Replacing DES
• Between 1972 and 1974 NIST issued the first public request for an encryption standard. As a result, DES became the accepted encryption standard. Although this algorithm was very popular, it has always been surrounded by controversy, as many cryptographers objected to the “closed-door” design of the algorithm. There was also a suspicion that NSA planted a “back-door” in the algorithm, as NSA modified it before it was standardized, although no one has been able to prove this to date.
• Furthermore, the key length of DES became too small for acceptable commercial security, so as an interim solution Triple-DES was used for a while because it provided increased security.
• Responding to the desire to replace DES with a stronger and more reliable algorithm, NIST announced another public request for an encryption standard, called the Advanced Encryption Standard (AES), in 1997.
• Twofish is one of the candidates that made it to the final round of the AES program.
NIST General Criteria for AES
• A 128-bit symmetric block cipher.
• Key lengths of 128 bits, 192 bits, and 256 bits.
• No weak keys.
• Efficiency, both on the Intel Pentium Pro and other software and hardware platforms.
• Flexible design: e.g., accept additional key lengths; be implementable on a wide variety of platforms and applications; and be suitable for a stream cipher, hash function, and MAC.
• Simple design, both to facilitate ease of analysis and ease of implementation.
AES
The Advanced Encryption Standard was ultimately chosen as a replacement for DES. AES is also known as the Rijndael block cipher. It was officially designated as a replacement for DES in 2001 after a 5-year process involving 15 competing algorithms. AES is designated as FIPS 197. Other algorithms that did not win that competition include such well-known algorithms as Twofish.
AES can have three different key sizes: 128, 192, or 256 bits. The three different implementations of AES are referred to as AES 128, AES 192, and AES 256. All three operate on a block size of 128 bits.
This algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
Unlike both DES and 3DES, AES is not based on a Feistel network.
AES Continued
• This uses a substitution-permutation matrix rather than a Feistel network.
• AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of AES with a larger block size have additional columns in the state).
AES General Overview
• 1. Key Expansion: round keys are derived from the cipher key using Rijndael's key schedule.
• 2. Initial Round
  • 1. AddRoundKey: each byte of the state is combined with the round key using bitwise xor.
• 3. Rounds
  • 1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
  • 2. ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
  • 3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
  • 4. AddRoundKey
• 4. Final Round (no MixColumns)
  • 1. SubBytes
  • 2. ShiftRows
  • 3. AddRoundKey
AES specifics
• In the SubBytes step, each byte in the matrix is substituted for another byte using an 8-bit substitution box, called the Rijndael S-box.
• The ShiftRows step operates by shifting the bytes in each row by a certain amount. The first row is left unchanged. The second row is shifted one to the left. The third row by two, etc.
• In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. This takes four bytes as input and outputs four bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
Rijndael key schedule
The Steps
• Rotate: The rotate operation takes a 32-bit word (in hexadecimal) and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low eight bits of the result.
• Rcon: Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified value. Note that this operation is not performed with regular integers, but in Rijndael's finite field. In polynomial form, 2 is 2 = 00000010 = 0 x^7 + 0 x^6 + 0 x^5 + 0 x^4 + 0 x^3 + 0 x^2 + 1 x + 0 = x.
• For example, rcon(1) = 1, rcon(2) = 2, rcon(3) = 4, and rcon(9) is the hexadecimal number 0x1b (27 in decimal).
• Key schedule inner loop
  • The input is a 32-bit word and an iteration number i. The output is a 32-bit word.
  • Copy the input over to the output.
  • Use the above described rotate operation to rotate the output eight bits to the left.
  • Apply Rijndael's S-box on all four individual bytes in the output word.
  • On just the first (leftmost) byte of the output word, exclusive OR the byte with 2 to the power of (i - 1). In other words, perform the rcon operation with i as the input, and exclusive OR the rcon output with the first byte of the output word.
Rijndael key schedule
Some constants
• Since the key schedule for 128-bit, 192-bit, and 256-bit encryption are very similar, with only some constants changed, the following keysize constants are defined here:
  • n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys.
  • b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys (with 128-bit blocks as in AES, it is correspondingly larger for variants of Rijndael with larger block sizes).
Rijndael key schedule
The actual key schedule
• The first n bytes of the expanded key are simply the encryption key.
• The rcon iteration value i is set to 1.
• Until we have b bytes of expanded key, we do the following to generate n more bytes of expanded key:
  • We do the following to create 4 bytes of expanded key:
    • We create a 4-byte temporary variable, t.
    • We assign the value of the previous four bytes in the expanded key to t.
    • We perform the key schedule core (see above) on t, with i as the rcon iteration value.
    • We increment i by 1.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • We then do the following three times to create the next twelve bytes of expanded key:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • If we are processing a 256-bit key, we do the following to generate the next 4 bytes of expanded key:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We run each of the 4 bytes in t through Rijndael's S-box.
    • We exclusive-OR t with the 4-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
  • If we are processing a 128-bit key, we do not perform the following steps. If we are processing a 192-bit key, we run the following steps twice. If we are processing a 256-bit key, we run the following steps three times:
    • We assign the value of the previous 4 bytes in the expanded key to t.
    • We exclusive-OR t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.
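An added example (not code from the original slides) implementing the rotate, rcon, inner-loop and key-schedule steps above for all three key sizes. It uses the equivalent one-word-at-a-time form so that the 192-bit and 256-bit schedules stop exactly at b bytes, and it builds the S-box from its definition instead of a lookup table; the function names are illustrative.

```python
# Added example: Rijndael key schedule for 128-, 192- and 256-bit keys.

def xtime(a):                           # multiply by x (0x02) in GF(2^8)
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def rotl8(x, k):                        # rotate one byte left by k bits
    return ((x << k) | (x >> (8 - k))) & 0xFF

def build_sbox():
    """Rijndael S-box: multiplicative inverse, then the affine transform."""
    exp, e = [], 1
    for _ in range(255):                # powers of 3 hit every non-zero byte
        exp.append(e)
        e ^= xtime(e)                   # e *= 3
    inv = [0] * 256                     # 0 has no inverse and maps to 0
    for k, v in enumerate(exp):
        inv[v] = exp[-k % 255]          # (3**k)**-1 == 3**(255 - k)
    return [v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63
            for v in inv]

SBOX = build_sbox()

def rcon(i):
    """2 to the power (i - 1) in Rijndael's finite field."""
    r = 1
    for _ in range(i - 1):
        r = xtime(r)
    return r

def schedule_core(t, i):
    """Rotate t left 8 bits, S-box all four bytes, XOR rcon(i) into byte 0."""
    t = [SBOX[x] for x in t[1:] + t[:1]]
    t[0] ^= rcon(i)
    return t

def expand_key(key):
    n = len(key)                                # 16, 24 or 32 key bytes
    b = {16: 176, 24: 208, 32: 240}[n]          # expanded size in bytes
    out, i = list(key), 1
    while len(out) < b:
        t = out[-4:]                            # previous four bytes
        if len(out) % n == 0:                   # start of an n-byte group
            t, i = schedule_core(t, i), i + 1
        elif n == 32 and len(out) % n == 16:    # extra S-box step, 256-bit only
            t = [SBOX[x] for x in t]
        out += [x ^ y for x, y in zip(t, out[-n:-n + 4])]
    return bytes(out)
```

Calling `expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))` with the sample key from FIPS 197 Appendix A.1 returns 176 bytes, the last 16 of which form the final round key.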