CSCI 5857: Encoding and Encryption

AES Structure
Outline
• Overall AES Structure
• Individual round structure
– Substitution
– Word rotation
– Matrix multiplication
• Round key generation
• Analysis
AES Bytes and Words
Blocks represented as arrays of smaller groups of bits
• Byte: 8 bits
• Word: 32 bits
(4 bytes in word)
AES States
• Each word (each 4 bytes) corresponds to column in state
– Used to add confusion
Hexadecimal AES States
• Example: the byte 0001 0111 is written as the hexadecimal byte 17
Note that a byte can be represented by a 2-digit hexadecimal (base 16) number
AES Structure
AES Round Structure
• SubBytes: Each byte transformed by an S-Box
• ShiftRows: Permutation that moves bytes between columns of the state
• MixColumns: Matrix multiplication in GF(2^8) that mixes the 4 bytes of each column
• AddRoundKey: XOR result with current round key
• Notes:
– Extra AddRoundKey before first round
– No MixColumns in last round
SubBytes Stage
• Each 8-bit byte run through S-Box
• Each byte transformed by same S-Box
• S-Box structure: 2 dimensional 16 x 16 table
– First 4 bits of input determine row
– Last 4 bits of input determine column
• Example: 1101 0101 → row 13, column 5
– Often represented in hexadecimal:
1101 0101 = d5 → row d, column 5
– Result (see table next slide): 03 = 0000 0011
AES S-Box
S-Box Basis
• Inverse of each byte computed in GF(2^8) using the
polynomial x^8 + x^4 + x^3 + x + 1 (0 is mapped to 0)
• Additional diffusion created by matrix multiplication
and addition
– Multiplication/addition in mod 2
– Resulting byte with bits b0 – b7
multiplied by 8 x 8 matrix X
• Each output bit cj is effectively xor of
different bi’s
– Resulting byte with bits c0 – c7
added to 8 x 1 matrix d
• Has effect of inverting bits 0, 1, 5, and 6
Inverse S-Box
• Subtract matrix d
• Multiply by inverse of matrix X
• Invert in GF(28)
ShiftRows Stage
• Goal: Swap bytes around within a state
– State = bytes arranged in columns
• Shift rows around within this 2 dimensional structure
to add diffusion
ShiftRows Stage
• Circular shift used on each row
• Each row shifted by different number of bytes
• Inverse just reverses shift
ShiftRows Stage
• State after ShiftRows (b0 … b15 are the input bytes, filled column by column):
row 0 (no shift):       b0   b4   b8   b12
row 1 (shift 1 left):   b5   b9   b13  b1
row 2 (shift 2 left):   b10  b14  b2   b6
row 3 (shift 3 left):   b15  b3   b7   b11
ShiftRows Example
• Input: 63F2C9FAC9F2C963FE637D823026D4D4
(read down the columns: column 0 = 63 F2 C9 FA, column 1 = C9 F2 C9 63, …)
row 0, shift 0:  63 C9 FE 30 → 63 C9 FE 30
row 1, shift 1:  F2 F2 63 26 → F2 63 26 F2
row 2, shift 2:  C9 C9 7D D4 → 7D D4 C9 C9
row 3, shift 3:  FA 63 82 D4 → D4 FA 63 82
• Output: 63F27DD4C963D4FAFE26C96330F2C982
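The ShiftRows example above, carried out in code. This is an added example and is not code from the slides; the state is stored as state[row][col] and filled column by column exactly as the slide's input/output strings are read, and the input block is the one from the example.

```python
# Added example (not from the slides): ShiftRows and its inverse on a 16-byte
# AES state. Input byte i lands in row i % 4, column i // 4 (column-major).

def hex_to_state(hex_str):
    """Parse a 32-hex-digit block into a 4x4 state indexed state[row][col]."""
    data = bytes.fromhex(hex_str)
    assert len(data) == 16, "AES block must be 16 bytes"
    return [[data[4 * col + row] for col in range(4)] for row in range(4)]

def state_to_hex(state):
    """Serialise a 4x4 state back to hex, reading down each column in turn."""
    return bytes(state[row][col] for col in range(4) for row in range(4)).hex().upper()

def shift_rows(state):
    """Rotate row r circularly left by r bytes (row 0 is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def inv_shift_rows(state):
    """Inverse: rotate row r circularly right by r bytes."""
    out = []
    for r, row in enumerate(state):
        n = (4 - r) % 4          # right rotation by r == left rotation by 4 - r
        out.append(row[n:] + row[:n])
    return out

def shift_rows_hex(hex_str):
    """ShiftRows on a hex block, returning the hex output block."""
    return state_to_hex(shift_rows(hex_to_state(hex_str)))

# Constructed input: the block from the slides' ShiftRows example.
EXAMPLE_INPUT = "63F2C9FAC9F2C963FE637D823026D4D4"

if __name__ == "__main__":
    before = hex_to_state(EXAMPLE_INPUT)
    after = shift_rows(before)
    for r in range(4):
        print(f"row {r}: {[f'{b:02X}' for b in before[r]]} -> {[f'{b:02X}' for b in after[r]]}")
    print("output:", state_to_hex(after))
    assert state_to_hex(inv_shift_rows(after)) == EXAMPLE_INPUT
```

Running it prints each row before and after the rotation and the output block 63F27DD4C963D4FAFE26C96330F2C982; the final assertion checks that the inverse rotation restores the input, which is all decryption needs for this stage.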
MixColumns Stage
• Goal: mix the 4 bytes within each 4-byte word
(column of state) so that each output byte depends on all 4 input bytes
• Matrix multiplication with 4x4 byte constant matrix
– Multiplication in GF(2^8), mod x^8 + x^4 + x^3 + x + 1
MixColumns Stage
• Idea: Matrix multiplication makes each output byte depend
on every byte in the word (diffusion)
MixColumns Stage
• Matrices used (hexadecimal bytes, each a polynomial in GF(2^8)):
Encryption:          Decryption (inverse):
02 03 01 01          0E 0B 0D 09
01 02 03 01          09 0E 0B 0D
01 01 02 03          0D 09 0E 0B
03 01 01 02          0B 0D 09 0E
• Example: 0E → 0000 1110 → x^3 + x^2 + x
– Computed to maximize diffusion
– Decryption uses inverse of encryption matrix
MixColumns Example
• Example: column 1, row 1 of the ShiftRows output (column = 63 F2 7D D4)
63*02 + F2*03 + 7D*01 + D4*01 =
01100011*10 + 11110010*11 + 01111101*01 + 11010100*01
63*02 = 11000110 (shift left 1 bit; no reduction needed)
F2*03 = 111100100 + 11110010 = 100010110 (shift plus original; 9 bits, reduced below)
7D*01 = 01111101
D4*01 = 11010100
Sum (addition = XOR):
011000110 + 100010110 + 001111101 + 011010100 = 101111001
Reduce mod x^8 + x^4 + x^3 + x + 1 (subtraction = XOR):
101111001 - 100011011 = 001100010
= 62
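The same computation in code, extended to the whole column and to the inverse matrix used for decryption. This is an added example, not code from the slides; the GF(2^8) multiplication follows the shift-and-reduce procedure of the worked example, and the input column (63 F2 7D D4) is the first column of the slides' ShiftRows output.

```python
# Added example (not from the slides): MixColumns and InvMixColumns over GF(2^8).
# A column is a list of 4 bytes [row0, row1, row2, row3]; a state is a list of
# 4 such columns, matching the column-major layout of the AES state.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod AES_POLY.
    Addition is XOR; multiplying by x (02) is a left shift followed by a
    reduction whenever the degree reaches 8, exactly as in the slide's example."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:          # degree 8 term appeared: subtract (XOR) the modulus
            a ^= AES_POLY
    return result

# Constant matrices from FIPS-197; entries are bytes of GF(2^8).
MIX_MATRIX = [[0x02, 0x03, 0x01, 0x01],
              [0x01, 0x02, 0x03, 0x01],
              [0x01, 0x01, 0x02, 0x03],
              [0x03, 0x01, 0x01, 0x02]]
INV_MIX_MATRIX = [[0x0E, 0x0B, 0x0D, 0x09],
                  [0x09, 0x0E, 0x0B, 0x0D],
                  [0x0D, 0x09, 0x0E, 0x0B],
                  [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col, matrix=MIX_MATRIX):
    """out[r] = matrix[r][0]*col[0] + ... + matrix[r][3]*col[3], with + as XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out

def mix_columns(columns):
    return [mix_column(c) for c in columns]

def inv_mix_columns(columns):
    return [mix_column(c, INV_MIX_MATRIX) for c in columns]

def hex_to_columns(hex_str):
    """Split a 32-hex-digit block into 4 columns of 4 bytes."""
    data = bytes.fromhex(hex_str)
    assert len(data) == 16, "AES block must be 16 bytes"
    return [list(data[4 * c:4 * c + 4]) for c in range(4)]

def columns_to_hex(columns):
    return bytes(b for col in columns for b in col).hex().upper()

# Constructed input: the ShiftRows output from the slides; column 0 is 63 F2 7D D4.
SHIFTED_STATE = "63F27DD4C963D4FAFE26C96330F2C982"

if __name__ == "__main__":
    cols = hex_to_columns(SHIFTED_STATE)
    print("column 0 in: ", [f"{b:02X}" for b in cols[0]])
    print("column 0 out:", [f"{b:02X}" for b in mix_column(cols[0])])  # starts with 62
    mixed = mix_columns(cols)
    print("state after MixColumns:", columns_to_hex(mixed))
    assert inv_mix_columns(mixed) == cols   # decryption matrix undoes encryption
```

The first output byte of column 0 is 62, matching the slide; the remaining three bytes of that column come out as CF, 0C and 99 by the same rule. The round trip through INV_MIX_MATRIX is a useful self-check when writing your own implementation: if the reduction polynomial is wrong, the inverse will not restore the input.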
AddRoundKey Stage
• Round Key: 128 bits
– Broken into 4 round key words (32 bits each)
– Round key words combined with columns using XOR
Overall AES Structure
Round Key Expansion
• Generates rounds + 1 round keys of size 128 bits (11 round keys for the 10-round AES-128)
– First used at beginning of cipher
– Rest used at end of each round
Round Key Expansion
• Keys broken down into 4 4-byte words
• Initial round key = cipher key
• Each subsequent key word wn is a function of:
– Previous word (wn-1)
– Corresponding word in previous round key (wn-4)
Round Key Expansion
• For n not a multiple of 4: Wn = Wn-1 ⊕ Wn-4
– Difficult to work back from final ciphertext to key
• For n a multiple of 4: Wn = tn ⊕ Wn-4
tn = SubWord(RotWord(Wn-1)) ⊕ RCon[n/4], a more complex function of Wn-1 (defined on the next slides)
– Adds confusion to relationship between key and ciphertext
Round Key Expansion
• RotWord:
Circular left shift of the word by one byte (like ShiftRows)
– B1 B2 B3 B4 → B2 B3 B4 B1
• SubWord
Use S-Box to transform each of the 4 bytes (like
SubBytes)
– Adds more nonlinearity
Round Key Expansion
• RCon: Round constant (only the first byte of the word is nonzero)
– Recursive function: RCon[1] = 01, RCon[i] = 02 x RCon[i-1] over GF(2^8)
– The reduction mod x^8 + x^4 + x^3 + x + 1 is what produces 1B and 36 in rounds 9 and 10
round   RCon
1       01 00 00 00
2       02 00 00 00
3       04 00 00 00
4       08 00 00 00
5       10 00 00 00
6       20 00 00 00
7       40 00 00 00
8       80 00 00 00
9       1B 00 00 00
10      36 00 00 00
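An added example, not code from the slides, that ties the S-Box Basis and Inverse S-Box slides to the Round Key Expansion slides: it builds the S-box from its algebraic definition (inverse in GF(2^8), then the affine map X*b + d), builds the inverse S-box the way the Inverse S-Box slide describes (subtract d, multiply by the inverse of X, invert in GF(2^8)), and uses the S-box in RotWord/SubWord/RCon to expand an AES-128 key. The affine map is written here as XORs of byte rotations, which is the same 8x8 matrix X in a compact form; the example key is the one from FIPS-197 Appendix A.

```python
# Added example (not from the slides): AES S-box from its definition, its inverse,
# and the AES-128 key expansion (RotWord, SubWord, RCon).

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial (shift-and-reduce)."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
    return result

def gf_inv(a):
    """Multiplicative inverse as a^254 (the nonzero elements form a group of
    order 255). 0 has no inverse and is mapped to 0, as the S-box requires."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0

def rotl8(x, n):
    """Rotate a byte left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine(b):
    """c = X*b + d over GF(2): each output bit is the XOR of five input bits,
    then d = 0x63 flips bits 0, 1, 5 and 6."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

def inv_affine(c):
    """Subtract d, then multiply by X^-1. As rotations X^-1 is r1 + r3 + r6,
    and X^-1 applied to d gives the constant 0x05."""
    return rotl8(c, 1) ^ rotl8(c, 3) ^ rotl8(c, 6) ^ 0x05

def sbox(b):
    return affine(gf_inv(b))

def inv_sbox(c):
    return gf_inv(inv_affine(c))

SBOX = [sbox(b) for b in range(256)]   # the 16 x 16 table, indexed by the byte

def rot_word(w):
    """Circular left shift by one byte: B1 B2 B3 B4 -> B2 B3 B4 B1."""
    return w[1:] + w[:1]

def sub_word(w):
    """Apply the S-box to each of the 4 bytes."""
    return [SBOX[b] for b in w]

def rcon(i):
    """RCon[i] = x^(i-1) in GF(2^8) as the first byte; RCon[1] = 01."""
    c = 1
    for _ in range(i - 1):
        c = gf_mul(c, 0x02)
    return [c, 0, 0, 0]

def expand_key_128(key):
    """AES-128 key schedule: 16-byte key -> 44 words (11 round keys of 4 words)."""
    assert len(key) == 16, "AES-128 key must be 16 bytes"
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # round key 0 = cipher key
    for n in range(4, 44):
        t = w[n - 1]
        if n % 4 == 0:   # t_n = SubWord(RotWord(w_{n-1})) XOR RCon[n/4]
            t = [a ^ b for a, b in zip(sub_word(rot_word(t)), rcon(n // 4))]
        w.append([a ^ b for a, b in zip(w[n - 4], t)])    # w_n = w_{n-4} XOR t
    return w

def round_key_hex(w, r):
    """Round key r as 32 hex digits (words 4r .. 4r+3)."""
    return bytes(b for word in w[4 * r:4 * r + 4] for b in word).hex()

if __name__ == "__main__":
    # Constructed input: the AES-128 example key from FIPS-197 Appendix A.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    print(f"S-box[d5] = {SBOX[0xD5]:02x}")           # 03, as on the SubBytes slide
    w = expand_key_128(key)
    for r in range(11):
        print(f"round key {r:2}: {round_key_hex(w, r)}")
```

Building the S-box this way rather than typing the table makes the two slides' claims checkable: S-box[d5] comes out as 03, the inverse S-box undoes the S-box for all 256 inputs, and RCon reaches 1B and 36 in rounds 9 and 10 only because of the reduction polynomial. Round key 1 of the FIPS-197 example key begins a0fafe17, which is SubWord(RotWord(09cf4f3c)) XOR 01000000 XOR 2b7e1516.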
AES Analysis
• Security
– Key size prevents exhaustive key search
– Designed to be resistant to cryptanalysis
• Substitution (SubBytes) and permutation
(ShiftRows/MixColumns) prevent statistical
analysis
• S-Box design resists linear cryptanalysis
AES Analysis
• Efficiency
– Operations done at byte level for 8-bit devices
• SubBytes: byte-wise substitution
• ShiftRows: moves bytes
• MixColumns: multiplies bytes
– Operations can be done one word at a time
for maximum speed on 32-bit processors
• All 4 bytes in word can be processed
simultaneously in each operation