Textbook: Introduction to Cryptography 2nd ed.
By J.A. Buchmann
Chap 6 Advanced Encryption Standard (AES)
Department of Computer Science and Information Engineering,
Chaoyang University of Technology
朝陽科技大學資工系
Speaker: Fuw-Yi Yang 楊伏夷
伏夷非征番,
道德經 察政章(Chapter 58) 伏者潛藏也
道紀章(Chapter 14) 道無形象, 視之不可見者曰夷
Fuw-Yi Yang
1
Contents
Notation
Ciphers
Identification of bytes with the elements of GF(28)
SubBytes
ShiftRows
MixColumns
KeyExpansion
An example
Fuw-Yi Yang
2
6.1 Notation
In 1997 the National Institute of Standards and Technology (NIST)
initiated the selection process for the successor of DES. One of the
submissions was Rijndael cipher. It is named after its inventors
Rijmen and Daemen.
On November 16, 2001 this encryption scheme has been standardized
as the Advanced Encryption Standard (AES).
AES is a block cipher with alphabet Z2. It is a special case of the
Rijndael cipher.
Fuw-Yi Yang
3
6.1 Notation
In the description of the Rijndael cipher we use the following notation.
Nb The plaintext and ciphertext blocks consists of Nb 32-bit words,
4  Nb 8. For AES we have Nb = 4.
Nk The key consists of Nk 32-bit words, 4  Nk 8. For AES we have
Nk = 4, 6, 8. So the AES key space is Z2128, Z2192, Z2256.
Nr Number of rounds. For AES we have Nr = 10 for Nk = 4,
Nr = 12 for Nk = 6,
Nr = 14 for Nk = 8.
Fuw-Yi Yang
4
6.1 Notation
In the following description the data types byte and word are used. A
byte is a bit-vector of length 8. A word is a bit-vector of length 32.
Plaintext and ciphertext are represented as two-dimensional arrays.
Those arrays have four rows and Nb columns.
So in the AES algorithm a plaintext and a ciphertext look like this:
 s0 , 0

 s1, 0
 s2 , 0
s
 3, 0
s0,1
s1,1
s2,1
s3,1
s0 , 2
s1, 2
s2 , 2
s3, 2
s0 , 3 

s1,3 
s2 , 3 
s3,3 
Fuw-Yi Yang
5
6.2 Cipher
-------- The AES function Cipher
Cipher(byte in[4, Nb], byte out[4, Nb], word w[Nb*(Nr + 1])
{ byte state[4, Nb] = in
AddRoundKey(state, w[0, Nb - 1])
for round = 1 step 1 to Nr - 1
SubBytes(state)
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, w[round * Nb, (round + 1) * Nb - 1])
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr * Nb, (Nr + 1) * Nb - 1])
out = state }
Fuw-Yi Yang
6
6.2 Cipher
6.2.1 Identification of bytes with elements of GF(28)
In the Rijndael cipher, bytes are identified with elements of the finite
field GF(28). As generating polynomial the irreducible polynomial
m(X) = X8 + X4 + X3 + X + 1  GF(2)[X] is used.
The byte (b7, b6, b5, b4, b3, b2, b1, b0) corresponds to the element
(b7 X7 + b6 X6 + b5 X5 + b4 X4 + b3 X3 + b2 X2 + b1 X1 + b0) of GF(28).
If a byte is different from zero, it can be inverted. For the inverse of a
byte b we write b-1 (we set 0-1 = 0).
Fuw-Yi Yang
7
6.2 Cipher
6.2.2 SubBytes—non-linear transformation
SubByte(state) is a non-linear function.
It transforms the individual bytes of state. The transformation is called
S-Box. Each byte of state is mapped to
b  A b-1  c with
1
1
1
1
A  1
0
0
0

0
1
1
1
1
1
0
0
0
0
1
1
1
1
1
0
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
1
1 , c   0 .
0
0
1
0
1
0
0

1
 
Fuw-Yi Yang
8
6.2 Cipher
6.2.2 SubBytes
Since there are only 28 possible arguments, the S-Box can be tabulated.
Then SubBytes can be implemented by table lookups.
Example 6.2.3 We determine the value of the S-Box when applied to
b = (b7, b6, b5, b4, b3, b2, b1, b0) = (0, 0, 0, 0, 0, 0, 1, 1).
b(X) = X + 1 mod (X8 + X4 + X3 + X + 1).
X8 + X4 + X3 + X + 1= (X7 + X6 + X5 + X4 + X2 + X)(X + 1) + 1
(X7 + X6 + X5 + X4 + X2 + X)(X + 1) = (X8 + X4 + X3 + X + 1) + 1
(X7 + X6 + X5 + X4 + X2 + X)(X + 1) = 1 mod (X8 + X4 + X3 + X + 1)
b-1 = X7 + X6 + X5 + X4 + X2 + X = (1, 1, 1, 1, 0, 1, 1, 0)
A b-1= (0, 0, 0 , 1, 1, 0, 0, 0)
A b-1  c = (0, 1, 1 , 1, 1, 0, 1, 1) (lookup table 7B)
Fuw-Yi Yang
9
6.2 Cipher
6.2.2 SubBytes
1
1
1
1
1
0
0
0

0
1
1
1
1
1
0
0
0
0
1
1
1
1
1
0
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1
1
1
1
0
0
0
1
1
1  0   1   0   1   1 
1  1   1   0   1   1 
1  1   0   0   0   0 
1  0    0    1    0    1 .
0  1   0   1   0   1 
0  1   1   0   1   1 
0  1   1   0   1   1 
1  1   0   0   0   0 
Fuw-Yi Yang
10
6.2 Cipher
6.2.3 ShiftRows—to achieve high diffusion when applied in
several rounds
Let s be a state, that is, a plaintext that has been subject to a few
transformations of AES. Write s as a matrix. The entries are bytes.
That is
 s0 , 0

 s1, 0
 s2 , 0
s
 3, 0
s0,1
s1,1
s2,1
s3,1
s0 , 2
s1, 2
s2 , 2
s3, 2
s0 , 3 

s1,3 
s2 , 3  .
s3,3 
The function ShiftRows applies cyclic left-shifts to the rows of this
matrix.  s0, 0 s0,1 s0, 2 s0,3 
 s0, 0 s0,1 s0, 2 s0,3 
I.e.

 s1, 0
 s2 , 0
s
 3, 0
s1,1
s2,1
s3,1
s1, 2
s2 , 2
s3, 2

s1,3 
s2 , 3  
s3,3 
Fuw-Yi Yang

 s1,1
 s2 , 2
s
 3, 3
s1, 2
s2 , 3
s3, 0
s1,3
s2 , 0
s3,1

s1, 0 
s2,1  .
s3, 2 
11
6.2 Cipher
6.2.4 MixColumns—to achieve diffusion within the
columns of state
This can be viewed as a linear transformation in GF(28)4.
For 0  j  Nb the column sj = (s0,j, s1,j, s2,j, s3,j) of state s is identified
with the polynomial s0,j + s1,j X + s2,j X2 + s3,j X3  GF(28)[X].
The transformation MixColumns is
sj  sj * a(X) mod X4 + 1, 0  j  Nb, where
a(X) = {03} * X3 + {01} * X2 + {01} * X1 + {02}.
Fuw-Yi Yang
12
6.2 Cipher
6.2.4 MixColumns—to achieve diffusion within the
columns of state
sj * a(X) = (s0,j + s1,j X + s2,j X2 + s3,j X3) *
({03} * X3 + {01} * X2 + {01} * X1 + {02})
= ({02}* s0,j + {03} * s1,j + {01} * s2,j + {01} * s3,j ) X0 +
({01}* s0,j + {02} * s1,j + {03} * s2,j + {01} * s3,j ) X1 +
({03}* s0,j + {01} * s1,j + {02} * s2,j + {03} * s3,j ) X2 +
({03}* s0,j + {01} * s1,j + {01} * s2,j + {02} * s3,j ) X3 mod X4 + 1,
0  j  Nb.
Or
{02}
 {01}
sj  
 {01}
 {03}
{03}
{02}
{01}
{01}
{01}
{03}
{02}
{01}
{01}   s0, j 
{01}   s1, j 
*
,
{03}   s2, j  0  j  Nb.
{0,2}  s3, j 


Fuw-Yi Yang
13
6.2 Cipher
6.2.5 AddRoundKey—make each round key-dependent
Let s0, s1, …, sNb-1 be columns of state, l the current round, the
expanded key word w[Nb * (Nr + 1)].
The function AddRoundKey(state, w[l * Nb, (l + 1) * Nb -1]) is
sj = sj  w[l * Nb + j], 0  j < Nb.
So the words of the round key are added mod 2 to the columns of state.
This is a very simple transformation which makes each round keydependent.
Fuw-Yi Yang
14
6.3 KeyExpansion
The algorithm KeyExpansion expands a Rijndael key key, which is a
byte-array of length 4*Nk (for AES Nk = 4, 16 bytes), an expanded
key w, which is a word-array of length Nb * (Nr + 1) (for AES Nk =
4, 44 words).
Initially, the first Nk words of the expanded key w are filled with the
bytes of key.
Fuw-Yi Yang
15
6.3 KeyExpansion
KeyExpansion(byte key[4 * Nk], word w[Nb * (Nr + 1), Nk)
{ word temp
for (i = 0; i < Nk; i = i + 1)
w[i] = word(key[4*i], key[4*i + 1], key[4*i + 2], key[4*i + 3])
while (i < Nb * (Nr + 1)) //(now i = Nk )
temp = w[i-1]
if (i mod Nk == 0)
temp = SubWord(RotWord(temp))  Rcon[i/Nk]
else if (Nk > 6 and i mod Nk == 4)
temp = SubWord(temp)
end if
w[i] = w[i - Nk]  temp; i = i + 1
end while }
Fuw-Yi Yang
16
6.3 KeyExpansion
The input to SubWord is a word. The word can be written as a
sequence (b0, b1, b2, b3) of bytes. To each byte the function SubBytes
is applied, that is
(b0, b1, b2, b3)  Ab0-1  c, Ab1-1  c, Ab2-1  c, Ab3-1  c.
The input to RotWord is also a word (b0, b1, b2, b3). The output is
(b0, b1, b2, b3)  (b1, b2, b3, b0).
Finally, we have
Rcon[n] = ({02}n-1, {00}, {00}, {00})
Note that {02}n = xn  GF(28)[x]
Fuw-Yi Yang
17