AES

1
AES
2
Advanced Encryption Standard

• Since DES was becoming less reliable as new
  cryptanalysis techniques were developed, the
  National Institute of Standards and Technology
  (NIST) put out a notice in early 1999 requesting
  submissions for a new encryption standard. The
  requirements were
• A symmetric block cipher with a variable length
  key (128, 192, or 256 bits) and a 128-bit block
• It must be more secure than TripleDES
• It must be in the public domain royalty free
  world wide
• It should remain secure for at least 30 years
• Fifteen algorithms were submitted from ten
  different countries.

3
Submitted Algorithms
Australia LOKI97 Belgium RIJNDAEL Canada
CAST-256 DEAL Costa Rica FROG France DFC
Germany MAGENTA
Japan E2 Korea CRYPTON USA HPC MARS
RC6 SAFER TWOFISH UK, Israel, Norway
SERPENT
4
Selection Process

• NIST relied on public participation
• algorithm proposals
• cryptanalysis
• efficiency testing
• AES Timetable
• Round 1 Aug. 20 - April 15, 1999
• Submit papers for 2nd AES conference Feb 1, 1999
• Second AES conference March 22-23, 1999
• Announcement of (about) five finalists
• Round 2 analysis of finalists 6-9 months
• Third AES Conference
• Selection of AES Algorithm

5
AES Finalists

• MARS (IBM)
• RC6 (Rivest, et. al.)
• Rijndael (top Belgium cryptographers)
• Serpent (Anderson, Biham, Knudsen)
• Twofish (Schneier, et. al.)

And the winner was . . .
6
Introduction to Rijndael

• One of the fastest and strongest algorithms
• Variable block length 128, 192, 256 bits
• Variable key length 128, 192, 256 bits
• Variable number of rounds (iterations) 10, 12,
  14
• Number of rounds depend on key/block length

7
Rijndael Structure

• The general structure of Rijndael is shown below
  
• Rather than using just a substitution and a
  permutation at each stage like DES, Rijndael
  consists of multiple cycles of Substitution,
  Shifting, Column mixing and a KeyAdd operation.

KeyAdd
KeyAdd
8
Initial Step

• The process begins by grouping the plaintext bits
  into a column array by bytes.
• The first four bytes form the first column the
  second four bytes form the second column, and so
  on.
• If the block size is 128 bits then this becomes a
  4x4 array. For larger block sizes the array has
  additional columns.
• The key is also grouped into an array using the
  same process.

9
Substitution

• The substitution layer uses a single S-box
  (rather than the 8 Sboxes used in DES). The
  Rijndael S-box is a 16 x 16 array
• Each element in the current column array serves
  as an address into the S-box where the first four
  bits identify the S-box row and the last 4 bits
  identify the S-box column.
• The S-box element at that location replaces the
  current column array element.

b1,2
a1,2
10
Row Shift Operation

• A row shift operation is applied to the output of
  the S-box in which the four rows of the column
  array are cyclically shifted to the left.
• The first row is shifted by 0, the second by 1,
  the third by 2, and the fourth by 3

11
Matrix Multiply

• Column mixing is accomplished by a matrix
  multiplication operation.
• The shifted column array is multiplied by a fixed
  matrix

12
Key Add

• The final operation adds a subkey derived from
  the original key to the column array
• This completes one round of AES

This is repeated 9 more times
13
Key Schedule

• The key is grouped into a column array and then
  expanded by adding 40 new columns.
• If the first four columns (given by the key) are
  C(0), C(1), C(2) and C(3) then the new columns
  are generated in a recursive manner.
• If i is not a multiple of 4 then column i is
  determined by C(i) C(i-4)
  XOR C(i-1)
• If i is a multiple of 4 then column i is
  determined by C(i) C(i-4)
  XOR T(C(i-1))
• Where T(C(i-1)) is a transformation of C(i-1)
  implemented as 1. Cyclically shift the
  elements of C(i-1) by one byte 2. Use each
  of these 4 bytes as input into the S-box to
  create four new bytes e,f,g,h.
  3. Calculate a round constant r(i) 2(i-4)/4
  4. Create the transformed column as (e XOR
  r(i), f, g, h)
• The round key for the ith round consists of the
  columns C(4i), C(4i1), C(4i2), C(4i3).

14
Key Generation Flow

• For whats worth