Ccs Unit II Notes

The document discusses symmetric key ciphers and provides details about: 1) Symmetric key ciphers like DES use the same key to encrypt and decrypt data. DES encrypts 64-bit blocks using a 56-bit key. 2) The DES algorithm transforms plaintext into ciphertext in 3 phases - an initial permutation, 16 rounds of encryption, and a final permutation. 3) The 56-bit key is initially permuted and then used to generate subkeys for each of the 16 rounds through circular shifts and permutations.

Uploaded by

Vasantha Kumar V

UNIT II SYMMETRIC CIPHERS

Syllabus
Number theory – Algebraic Structures – Modular Arithmetic – Euclid's algorithm – Congruence
and matrices – Groups, Rings, Fields, Finite Fields. SYMMETRIC KEY CIPHERS: SDES –
Block Ciphers – DES, Strength of DES – Differential and linear cryptanalysis – Block cipher
design principles – Block cipher modes of operation – Evaluation criteria for AES –
Pseudorandom Number Generators – RC4 – Key distribution.

Algebraic structures:
Cryptography requires sets of integers and specific operations that are defined for those sets. The
combination of the set and the operations that are applied to the elements of the set is called an
algebraic structure. In this chapter, we will define three common algebraic structures:
groups, rings and fields.


Groups, rings, and fields are the fundamental elements of a branch of mathematics known
as abstract algebra, or modern algebra.
Groups
A group G, sometimes denoted by {G, *}, is a set of elements with a binary operation
denoted by * that associates to each ordered pair (a, b) of elements in G an element (a * b) in G, such
that the following axioms are obeyed:

(A1) Closure: If a and b belong to G, then a * b is also in G.
(A2) Associative: a * (b * c) = (a * b) * c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a * e = e * a = a for all a in G.
(A4) Inverse element: For each a in G, there is an element a' in G such that
a * a' = a' * a = e.
If a group has a finite number of elements, it is referred to as a finite group, and the
order of the group is equal to the number of elements in the group. Otherwise, the group is an
infinite group.
A group is said to be abelian if it satisfies the following additional condition:
(A5) Commutative: a * b = b * a for all a, b in G.
CYCLIC GROUP: A group G is cyclic if every element of G is a power a^k (k an integer) of a
fixed element a in G, where a^k means a * a * ... * a with k factors (and a^(-k) is the power of
the inverse a'). The element a is said to generate the group G, or to be a generator of G.
A cyclic group is always abelian and may be finite or infinite.
Rings
A ring R, sometimes denoted by {R, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the following axioms
are obeyed:
A ring is said to be commutative if it satisfies the following additional condition:

Next, we define an integral domain, which is a commutative ring that obeys the following
axioms:

Fields
A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in F the following axioms
are obeyed:
MODULAR ARITHMETIC
If a is an integer and n is a positive integer, we define a mod n to be the remainder when a
is divided by n. The integer n is called the modulus. Thus, for any integer a, we can write
a = qn + (a mod n) for some integer q, with 0 <= (a mod n) < n.

Properties of Congruences
Two integers a and b are said to be congruent modulo n, written a ≡ b (mod n), if
a mod n = b mod n. Congruences have the following properties:

Modular Arithmetic Operations

Modular arithmetic is a kind of integer arithmetic that reduces all numbers to one of a fixed set
[0 ... n-1] for some number n. Any integer outside this range is reduced to one in this range by
taking the remainder after division by n.
Modular arithmetic exhibits the following properties:
Euclid's algorithm
One of the basic techniques of number theory is the Euclidean algorithm, which is a
simple procedure for determining the greatest common divisor of two positive integers. First, we
need a simple definition: Two integers are relatively prime if their only common positive integer
factor is 1.

Greatest Common Divisor


Recall that nonzero b is defined to be a divisor of a if a = mb for some m, where a, b, and
m are integers. We will use the notation gcd(a, b) to mean the greatest common divisor of a and
b. The greatest common divisor of a and b is the largest integer that divides both a and b. We
also define gcd(0, 0) = 0.
More formally, the positive integer c is said to be the greatest common divisor of a and
b if
1. c is a divisor of a and of b.
2. Any divisor of a and b is a divisor of c.
An equivalent definition is the following: gcd(a, b) is the largest k such that k divides both a and b.
The algorithm itself rests on the fact that gcd(a, b) = gcd(b, a mod b) for b > 0: the pair (a, b)
is replaced by (b, a mod b) repeatedly until the second number becomes 0, at which point the
first number is the gcd.
FINITE FIELDS OF THE FORM GF(p)

The finite field of order p is generally written GF(p); GF stands for Galois field, in honor of the
mathematician who first studied finite fields.
Finite Fields of Order p
For a given prime p, we define the finite field of order p, GF(p), as the set of integers
{0, 1, ..., p-1} together with the arithmetic operations modulo p.

Finding the Multiplicative Inverse in GF(p)
It is easy to find the multiplicative inverse of an element in GF(p) for small values of p. You
simply construct a multiplication table, such as shown in Table 4.5b, and the desired result can
be read directly. However, for large values of p, this approach is not practical; instead the
extended Euclidean algorithm is used, which returns integers x and y with ax + py = gcd(a, p) = 1,
so that x mod p is the inverse of a.
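The following is an added example, not part of the original notes: Euclid's algorithm, its extended form, and the two ways of finding an inverse in GF(p) described above (scanning the multiplication table versus extended Euclid). The numeric inputs are constructed test values; the pair gcd(1970, 1066) = 2 and the inverse of 550 modulo 1759 are standard textbook checks.

```python
# Added example (not from the notes): Euclid, extended Euclid, and inverses in GF(p).

def gcd(a, b):
    """Euclid's algorithm: replace (a, b) by (b, a mod b) until b == 0."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a                       # gcd(0, 0) == 0 falls out of the loop as well


def egcd(a, b):
    """Extended Euclid: returns (d, x, y) with d = gcd(a, b) and a*x + b*y = d."""
    x0, x1, y0, y1 = 1, 0, 0, 1    # Bezout coefficients carried alongside the remainders
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, p):
    """Inverse of a modulo p via extended Euclid; only needs gcd(a, p) == 1, so it
    also works in Z_n for composite n when a is relatively prime to n."""
    d, x, _ = egcd(a % p, p)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {p}: gcd is {d}")
    return x % p


def modinv_by_table(a, p):
    """The 'read it off the multiplication table' method: an O(p) scan of the row
    for a. Fine for GF(7); hopeless for a 2048-bit prime."""
    for x in range(1, p):
        if (a * x) % p == 1:
            return x
    raise ValueError(f"{a} has no inverse mod {p}")


def gf_p_inverse_table(p):
    """Inverse of every nonzero element of GF(p); every element has one iff p is prime."""
    return {a: modinv_by_table(a, p) for a in range(1, p)}


if __name__ == "__main__":
    print("gcd(1970, 1066) =", gcd(1970, 1066))
    print("550^-1 mod 1759 =", modinv(550, 1759))
    print("inverses in GF(7):", gf_p_inverse_table(7))
```

`modinv` mirrors Python's own `pow(a, -1, p)`; the table scan is kept only to show why the notes call it impractical for large p.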
POLYNOMIAL ARITHMETIC
We are concerned with polynomials in a single variable, and we can distinguish three
classes of polynomial arithmetic.
• Ordinary polynomial arithmetic, using the basic rules of algebra.
• Polynomial arithmetic in which the arithmetic on the coefficients is performed
modulo p; that is, the coefficients are in Z_p.
• Polynomial arithmetic in which the coefficients are in Z_p, and the polynomials are defined
modulo a polynomial whose highest power is some integer n.
Ordinary Polynomial Arithmetic
A polynomial of degree n (n a nonnegative integer) is an expression of the form

Addition and subtraction are performed by adding or subtracting corresponding coefficients.


Thus, if
Polynomial Arithmetic with Coefficients in Z_p
Let us now consider polynomials in which the coefficients are elements of some field F;
we refer to this as a polynomial over the field F. In that case, it is easy to show that the set of
such polynomials is a ring, referred to as a polynomial ring. That is, if we consider each distinct
polynomial to be an element of the set, then that set is a ring. When polynomial arithmetic is
performed on polynomials over a field, then division is possible. Note that this does not mean
that exact division is possible. Let us clarify this distinction. Within a field, given two elements
a and b, the quotient a/b is also an element of the field. However, given a ring R that is not a
field, division of a by b in general produces a quotient and a remainder, and the quotient a/b
need not be an element of R. Division of polynomials over a field likewise produces a quotient
and a remainder, which is exactly what makes reduction modulo a polynomial possible.
A polynomial over a field is called irreducible if and only if it cannot be expressed as a
product of two polynomials, both over the same field, and both of degree lower than its own. By
analogy to integers, an irreducible polynomial is also called a prime polynomial.
DATA ENCRYPTION STANDARD
The most widely used encryption scheme is based on the Data Encryption Standard
(DES) adopted in 1977. The algorithm itself is referred to as the Data Encryption Algorithm
(DEA).
For DES, data are encrypted in 64-bit blocks using a 56-bit key. The algorithm
transforms 64-bit input in a series of steps into a 64-bit output.
DES Encryption
The overall scheme for DES encryption is illustrated in the Figure 2.1. There are two
inputs to the encryption function: the plaintext to be encrypted and the key. The plaintext must
be 64 bits in length and the key is 56 bits in length.
General Depiction of DES Encryption Algorithm

Phase 1
Looking at the left-hand side of the figure, we can see that the processing of the plaintext
proceeds in three phases.
First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the
bits to produce the permuted input.

Phase 2:
This is followed by a phase consisting of 16 rounds of the same function, which involves
both permutation and substitution functions.
The output of the last (sixteenth) round consists of 64 bits that are a function of the input
plaintext and the key. The left and right halves of the output are swapped to produce the
preoutput.

Phase 3:
Finally, the preoutput is passed through a permutation (IP-1) that is the inverse of the
initial permutation function, to produce the 64-bit ciphertext.
The right-hand portion of Figure 2.1 shows the way in which the 56-bit key is used.

Operation on key:
Initially, the key is passed through a permutation function. Then, for each of the 16
rounds, a subkey (Ki) is produced by the combination of a left circular shift and a permutation.
The permutation function is the same for each round, but a different subkey is produced because
of the repeated shifts of the key bits.

Initial Permutation
The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the
permutation table contain a permutation of the numbers from 1 to 64. Each entry in the
permutation table indicates the position of a numbered input bit in the output, which also consists
of 64 bits.

Permutation Tables for DES

(a) Initial Permutation (IP)


58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
(b) Inverse Initial Permutation (IP-1)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
(c) Expansion Permutation (E)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

(d) Permutation Function (P)


16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25

Consider the following 64-bit input M:

M1 M2 M3 M4 M5 M6 M7 M8
M9 M10 M11 M12 M13 M14 M15 M16
M17 M18 M19 M20 M21 M22 M23 M24
M25 M26 M27 M28 M29 M30 M31 M32
M33 M34 M35 M36 M37 M38 M39 M40
M41 M42 M43 M44 M45 M46 M47 M48
M49 M50 M51 M52 M53 M54 M55 M56
M57 M58 M59 M60 M61 M62 M63 M64

whereMi is a binary digit. Then the permutation X = IP(M) is as follows:


M58 M50 M42 M34 M26 M18 M10 M2
M60 M52 M44 M36 M28 M20 M12 M4
M62 M54 M46 M38 M30 M22 M14 M6
M64 M56 M48 M40 M32 M24 M16 M8
M57 M49 M41 M33 M25 M17 M9 M1
M59 M51 M43 M35 M27 M19 M11 M3
M61 M53 M45 M37 M29 M21 M13 M5
M63 M55 M47 M39 M31 M23 M15 M7

Applying the inverse permutation, Y = IP-1(X) = IP-1(IP(M)) = M; the original ordering of
the bits is restored.
Details of Single Round

The below figure 2.2 shows the internal structure of a single round. The left and right halves of
each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R
(right). The overall processing at each round can be summarized in the following formulas:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by
using a table (the expansion permutation E) that defines a permutation plus an expansion that
involves duplication of 16 of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit
result passes through a substitution function (the eight S-boxes) that produces a 32-bit output,
which is then permuted by P.

Definition of S-Boxes

The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input
and produces 4 bits as output. The first and last bits of the input to box Si form a 2-bit binary
number to select one of four substitutions defined by the four rows in the table for Si. The middle
four bits select one of the sixteen columns as shown in figure 5.3.
The decimal value in the cell selected by the row and column is then converted to its 4-bit
representation to produce the output.
For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100
(column 12). The value in row 1, column 12 is 9, so the output is 1001.

Key Generation
The 64-bit key is used as input to the algorithm. The bits of the key are numbered from 1
through 64; every eighth bit is ignored. The key is first subjected to a permutation governed by a
table labeled Permuted Choice One. The resulting 56-bit key is then treated as two 28-bit
quantities, labeled C0 and D0.
At each round, Ci-1 and Di-1 are separately subjected to a circular left shift, or rotation,
of 1 or 2 bits. These shifted values serve as input to the next round. They also serve as input to
Permuted Choice 2, which produces a 48-bit output that serves as input to the function F(Ri-1,
Ki).
DES Key Schedule Calculation
(a) Input Key
1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64
(b) Permuted Choice One (PC-1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
(c) Permuted Choice Two (PC-2)
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
(d) Schedule of Left Shifts
Round number: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Bits rotated:  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1

DES Decryption:

As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the
application of the subkeys is reversed: the ciphertext passes through IP, the 16 rounds are run
with K16 first and K1 last, and the result passes through IP-1. The initial permutation IP applied
at the start of decryption undoes the IP-1 applied at the end of encryption, so the two permutations
need no change of their own.
The Strength of DES

The strength of DES depends on two factors: key size and the nature of the algorithm.

1. The Use of 56-Bit Keys

With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 x 10^16.
When DES was adopted, this made a brute-force attack appear impractical. It no longer is: a
purpose-built machine (the EFF DES Cracker) recovered a DES key by exhaustive search in 1998 in
under three days, and a 56-bit key search is now within reach of commodity hardware. This is the
principal reason DES has been withdrawn in favour of AES.

2. The Nature of the DES Algorithm


In the DES algorithm, eight substitution boxes called S-boxes are used in each iteration.
Because the design criteria for these boxes, and indeed for the entire algorithm, were not made
public, there was a suspicion that the boxes were constructed in such a way that cryptanalysis is
possible for an opponent who knows the weaknesses in the S-boxes. Despite this, no one has so
far succeeded in discovering the supposed fatal weaknesses in the S-boxes.

3. Timing Attacks
A timing attack is one in which information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform decryptions on various cipher
texts. A timing attack exploits the fact that an encryption or decryption algorithm often takes
slightly different amounts of time on different inputs.

Differential Cryptanalysis
Differential cryptanalysis is the first published attack that is capable of breaking DES with
less than 2^55 complexity. The need to strengthen DES against attacks using differential
cryptanalysis played a large part in the design of the S-boxes and the permutation P.
 One of the most significant recent (public) advances in cryptanalysis
 Powerful method to analyze block ciphers
 Used to analyze most current block ciphers with varying degrees of success
Differential Cryptanalysis Attack:

The differential cryptanalysis attack is complex. The rationale behind differential
cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the
cipher, instead of observing the evolution of a single text block.
Consider the original plaintext block m to consist of two halves m0, m1. Each round of
DES maps the right-hand input into the left-hand output and sets the right-hand output to be a
function of the left-hand input and the subkey for this round.
So, at each round, only one new 32-bit block is created. If we label each new block m_i
(2 ≤ i ≤ 17), then the intermediate message halves are related as follows:

m_(i+1) = m_(i-1) ⊕ f(m_i, K_i),   i = 1, 2, ..., 16

In differential cryptanalysis, we start with two messages, m and m', with a known XOR
difference Δm = m ⊕ m', and consider the difference between the intermediate message halves,
Δm_i = m_i ⊕ m_i'. Then we have:

Δm_(i+1) = m_(i+1) ⊕ m'_(i+1)
         = [m_(i-1) ⊕ f(m_i, K_i)] ⊕ [m'_(i-1) ⊕ f(m'_i, K_i)]
         = Δm_(i-1) ⊕ [f(m_i, K_i) ⊕ f(m'_i, K_i)]

Now suppose that many pairs of inputs to f with the same difference yield the same output
difference if the same subkey is used; that is, an input XOR X "causes" an output XOR Y with
probability p if a fraction p of the input pairs whose XOR is X produce output XOR Y.
Therefore, if we know Δm_(i-1) and Δm_i with high probability, then we know Δm_(i+1) with high
probability. Furthermore, if a number of such differences are determined, it is feasible to
determine the subkey used in the function f.

Linear Cryptanalysis

This attack is based on the fact that linear equations can be framed to approximate the
transformations of the cipher.
The principle of linear cryptanalysis is as follows:
Length of ciphertext and plaintext = n bits; key = m bits.
Block of plaintext is P[1]P[2]...P[n]; block of ciphertext is C[1]C[2]...C[n];
block of key is K[1]K[2]...K[m].
Define A[i, j, ..., k] = A[i] ⊕ A[j] ⊕ ... ⊕ A[k].

 The goal is to find linear approximations of the form
   P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc],
 where ia, jb, kc are fixed bit locations in P, C and K, that hold with probability p ≠ 1/2.
 The further p is from 1/2, the fewer known plaintext/ciphertext pairs are needed to determine
 the key bits on the right-hand side.
 Can attack DES with 2^47 known plaintexts, which is still infeasible in practice.
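Both attacks above start from per-S-box statistics. The following is an added example, not part of the original notes, that computes them for DES S-box S1: the difference distribution table used by differential cryptanalysis (how often an input XOR "causes" each output XOR, in the sense defined above) and the linear approximation table used by linear cryptanalysis (the bias of each input-mask/output-mask relation away from probability 1/2). S1 is the FIPS 46-3 table; the notes quote only its row 1, column 12 entry. The one-bit-difference check at the end is the published DES S-box design criterion that the notes allude to.

```python
# Added example (not from the notes): DDT and LAT of DES S-box S1.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """6-bit input: outer bits pick the row, middle four bits the column (as in the notes)."""
    row = ((x >> 5) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def ddt(sbox, in_bits=6, out_bits=4):
    """ddt[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy.
    Probability that dx causes dy is ddt[dx][dy] / 2**in_bits."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    table = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table

def best_differential(table):
    """Most probable (dx, dy, count) with a nonzero input difference."""
    return max(((dx, dy, c) for dx, row in enumerate(table) if dx
                for dy, c in enumerate(row)), key=lambda t: t[2])

def parity(v):
    return bin(v).count("1") & 1

def lat(sbox, in_bits=6, out_bits=4):
    """lat[a][b] = #{x : a.x == b.S(x)} - 2**(in_bits-1), i.e. the bias of the linear
    approximation 'parity of input bits a equals parity of output bits b'. 0 = no bias."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    table = [[-(n_in // 2)] * n_out for _ in range(n_in)]
    for a in range(n_in):
        for b in range(n_out):
            for x in range(n_in):
                if parity(a & x) == parity(b & sbox(x)):
                    table[a][b] += 1
    return table

def best_linear(table):
    """Largest-|bias| (a, b, bias) with nonzero masks: the approximation Matsui's attack would use."""
    return max(((a, b, v) for a, row in enumerate(table) if a
                for b, v in enumerate(row) if b), key=lambda t: abs(t[2]))

def one_bit_change_spreads(sbox, in_bits=6):
    """DES design criterion: inputs differing in exactly one bit give outputs differing in >= 2 bits."""
    return all(bin(sbox(x) ^ sbox(x ^ (1 << i))).count("1") >= 2
               for x in range(1 << in_bits) for i in range(in_bits))

if __name__ == "__main__":
    dx, dy, c = best_differential(ddt(s1))
    print(f"S1: input XOR {dx:02x} -> output XOR {dy:x} with probability {c}/64")
    a, b, bias = best_linear(lat(s1))
    print(f"S1: masks a={a:02x}, b={b:x} hold with probability {32 + bias}/64")
```

For S1 the best differential is the well-known input XOR 34 (hex) causing output XOR 2 with probability 16/64; that is the kind of high-probability characteristic that, chained across rounds through the Δm recurrence above, lets the attacker predict Δm_(i+1). The row of the LAT for input mask 0 is identically zero because every S-box row is a permutation of 0..15, so no output mask is biased on its own.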

BLOCK CIPHER PRINCIPLES


There are three critical aspects of block cipher design:
1. Number of rounds
2. Design of the function F
3. Key scheduling

Number of Rounds
 The greater the number of rounds, the more difficult it is to perform cryptanalysis,
even for a relatively weak F.
 The number of rounds is chosen so that known cryptanalytic efforts require greater
effort than a simple brute-force key search attack.
 With 16 rounds in DES, a differential cryptanalysis attack is slightly less efficient than
brute force: the differential cryptanalysis attack requires about 2^55 operations.
 This criterion makes it easy to judge the strength of an algorithm and to compare different
algorithms.

Design of Function F

This is the most important function: F is the only source of nonlinearity (confusion) in a
Feistel cipher.

Criteria needed for F:

 It must be difficult to "unscramble" the substitution performed by F.
 The function should satisfy the strict avalanche criterion (SAC), which states that any
output bit j of an S-box should change with probability 1/2 when any single input bit i is
inverted, for all i, j.
 The function should satisfy the bit independence criterion (BIC), which states that output
bits j and k should change independently when any single input bit i is inverted, for all i, j,
and k.

Key Schedule Algorithm

 The key is used to generate one subkey for each round.
 The subkeys should be chosen to maximize the difficulty of deducing individual subkeys and the
difficulty of working back from a subkey to the main key.

BLOCK CIPHER MODES OF OPERATION

 A block cipher is the basic building block for providing data security, but on its own it
encrypts only a single fixed-size block.
 To apply a block cipher to messages of arbitrary length in various applications, NIST has
defined five modes of operation: ECB, CBC, CFB, OFB and CTR. A mode is a technique for using
the block cipher on a sequence of blocks; it does not change the cipher itself.
MODE 1: Electronic Code Book
 The simplest mode is the electronic codebook (ECB) mode shown in figure 5.6. Here
plaintext is handled one block at a time and each block of plaintext is encrypted using the
same key.
 The term codebook is used because, for a given key, there is a unique ciphertext for
every b-bit block of plaintext.
 When the message is longer than b bits, it is broken into b-bit blocks. If the last block
has fewer than b bits, it is padded as necessary.
 Decryption is performed one block at a time, always using the same key.

Uses: The ECB method is suitable only for a short amount of data, such as a single encryption
key; it should not be used for general-purpose encryption of messages.

Disadvantage:
 When a b-bit block of plaintext appears more than once in the message, it always
produces the same ciphertext output.
 For lengthy messages, the ECB mode may not be secure. If the message is highly
structured, it may be possible for a cryptanalyst to exploit these regularities.
 If the message has repetitive elements with a period of repetition a multiple of b bits, then
these elements can be identified by the analyst.
 This may help in the analysis or may provide an opportunity for substituting or
rearranging blocks.

MODE 2: Cipher Block Chaining Mode

This method overcomes the disadvantage of ECB: when a plaintext block is repeated, CBC
produces different ciphertext blocks, because each plaintext block is XORed with the preceding
ciphertext block before it is encrypted.
The input to the encryption function for each plaintext block bears no fixed relationship
to the plaintext block. Therefore, repeating patterns of b bits are not exposed.
For decryption, each cipher block is passed through the decryption algorithm. The result
is XORed with the preceding ciphertext block to produce the plaintext block, as shown in
figure 2.8.
Then

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the
first block of plaintext.
On decryption, the IV is XORed with the output of the decryption algorithm to recover
the first block of plaintext.
Size of IV = size of a data block.
We can define CBC mode as

For maximum security, the IV should be protected against unauthorized changes. This
could be done by sending the IV using ECB encryption. The IV need not be secret, but it must
never be reused with the same key and, for CBC, it must be unpredictable to an attacker who can
choose plaintexts: a predictable IV lets such an attacker test guesses about the first block.
MODE 3: Cipher Feedback Mode:
We know that DES is a block cipher. It is possible to convert a block cipher into a stream cipher
using CFB mode.
The advantages of CFB are that

 it eliminates the need to pad a message,
 it can operate in real time, and
 the length of the ciphertext equals the length of the plaintext.
Figure 2.9 depicts the CFB scheme. In the figure, it is assumed that the unit
of transmission is s bits; a common value is s = 8.
The units of plaintext are chained together, so that the ciphertext of any unit is a function of all
preceding plaintext. Here the plaintext is divided into segments of s bits.
Encryption:
The input to the encryption function is a b-bit shift register that is initially set to some
initialization vector (IV).
The leftmost (most significant) s bits of the output of the encryption function are XORed
with the first segment of plaintext P1 to produce the first unit of ciphertext C1.
The contents of the shift register are shifted left by s bits, and C1 is placed in the
rightmost (least significant) s bits of the shift register.
This process continues until all plaintext units have been encrypted.
Decryption:
The same scheme is used, except that the received ciphertext unit is XORed with the
output of the encryption function to produce the plaintext unit. Note that the encryption
function of the block cipher is used in both directions; its decryption function is never needed.
Let MSBs(X) be defined as the most significant s bits of X. Then

Therefore, by rearranging terms:

The same reasoning holds for subsequent steps in the process.


Fig 2.8 s-bit Cipher Feedback (CFB) mode
We can define CFB mode as follows

Output Feedback Mode

The output feedback (OFB) mode is similar in structure to that of CFB.
The output of the encryption function is fed back to become the input for encrypting the
next block of plaintext, as shown in figure 5.10.
Comparison between OFB and CFB
In CFB, the output of the XOR unit (the ciphertext) is fed back to become the input for
encrypting the next block; in OFB, the output of the encryption function itself is fed back, so
the keystream does not depend on the plaintext or the ciphertext.
The other difference is that the OFB mode operates on full blocks of plaintext and
ciphertext, whereas CFB operates on an s-bit subset.
OFB encryption can be expressed as

Where

we can rewrite the encryption expression as:


By rearranging terms, we can demonstrate that decryption works.

We can define OFB mode as follows.

Let the size of a block be b. If the last block of plaintext contains u bits (indicated by *), with
u < b, the most significant u bits of the last output block O_N are used for the XOR operation.
The remaining b - u bits of the last output block are discarded.

Fig 2.9 Output Feedback Mode


Advantage:
Bit errors in transmission do not propagate: when bit errors occur in Ci, only the corresponding
bits of Pi are affected.
Disadvantage:
Vulnerable to a message stream modification attack: because Ci = Pi ⊕ Oi, flipping a bit of Ci
flips the same bit of the recovered Pi, so an attacker can make controlled changes to the plaintext
without knowing the key. The same applies to CTR mode; integrity therefore requires a separate
authentication mechanism such as a MAC.
Counter Mode
Interest in counter (CTR) mode has increased recently, with applications to ATM (asynchronous
transfer mode) network security and IPsec (IP security).
A counter equal to the plaintext block size is used. The counter value must be different
for each plaintext block, as shown in figure 2.10.
The counter is initialized to some value and then incremented by 1 for each subsequent
block (modulo 2^b, where b is the block size). For encryption, the counter is encrypted and then
XORed with the plaintext block to produce the ciphertext block.
For decryption, the same sequence of counter values is used, with each encrypted counter
XORed with a ciphertext block to recover the corresponding plaintext block.
A counter value must never be used twice under the same key: two messages encrypted with
the same counter sequence have ciphertexts whose XOR equals the XOR of the plaintexts, which
leaks both.
Advantage:
1. Hardware efficiency
 Unlike the chaining modes, the encryption (or decryption) of one block does not depend on any
other block, so CTR can be done in parallel.
2. Software efficiency
 The same independence lets CTR exploit pipelining, SIMD instructions and multiple cores.
3. Preprocessing
 The encryption of the counter values does not depend on the plaintext, so the keystream can be
computed in advance.
4. Simplicity
 Only the encryption algorithm of the block cipher is needed, never the decryption algorithm.
Fig 2.10 Counter Mode
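The five modes described above, written out over an abstract block cipher, as an added example that is not part of the original notes. The block cipher used is a toy 4-round Feistel network with a SHA-256 round function and an 8-byte block, constructed for this example only; it is neither DES nor secure, and any 8-byte block cipher could be substituted. The key, IV, and messages are constructed sample values. Besides the five modes, the block includes the check that exposes ECB's repeated-block leak and shows how a reused CTR counter leaks the XOR of two plaintexts.

```python
# Added example, not from the notes: ECB, CBC, CFB, OFB and CTR over a toy block cipher.
import hashlib

BLOCK = 8   # bytes; same block size as DES

def _xor(a, b):
    """XOR two byte strings, truncating to the shorter (the OFB/CTR last-block rule)."""
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    """Toy 4-round Feistel cipher constructed for this example (not DES, not secure)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l                                   # final swap, as in DES

def toy_decrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):                 # same network, round order reversed
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def pad(data):                                     # PKCS#7; needed by ECB and CBC only
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def chunks(data, size=BLOCK):
    return [data[i:i + size] for i in range(0, len(data), size)]

def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt_block(key, b) for b in chunks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt_block(key, b) for b in chunks(ct)))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in chunks(pad(pt)):
        prev = toy_encrypt_block(key, _xor(b, prev))        # C_i = E(K, P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in chunks(ct):
        out.append(_xor(toy_decrypt_block(key, b), prev))   # P_i = D(K, C_i) xor C_{i-1}
        prev = b
    return unpad(b"".join(out))

def cfb_encrypt(key, iv, pt, s=1):
    """s-byte CFB: the shift register holds the most recent BLOCK bytes of ciphertext."""
    reg, out = iv, b""
    for seg in chunks(pt, s):
        c = _xor(seg, toy_encrypt_block(key, reg)[:s])      # MSB_s(E(K, reg)) xor P_j
        out += c
        reg = (reg + c)[-BLOCK:]                            # shift left by s, feed C_j in
    return out

def cfb_decrypt(key, iv, ct, s=1):
    reg, out = iv, b""
    for c in chunks(ct, s):
        out += _xor(c, toy_encrypt_block(key, reg)[:s])     # encryption function on both sides
        reg = (reg + c)[-BLOCK:]
    return out

def ofb_xcrypt(key, iv, data):
    """OFB: keystream O_i = E(K, O_{i-1}) never depends on the text; one function for both directions."""
    reg, out = iv, b""
    for b in chunks(data):
        reg = toy_encrypt_block(key, reg)
        out += _xor(b, reg)                                 # last partial block: extra bits discarded
    return out

def ctr_xcrypt(key, counter0, data):
    """CTR: XOR the text with E(K, counter0 + i mod 2^64); blocks are independent."""
    out, ctr = b"", int.from_bytes(counter0, "big")
    for i, b in enumerate(chunks(data)):
        block = ((ctr + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out += _xor(b, toy_encrypt_block(key, block))
    return out

def repeated_blocks(ct):
    """ECB tell-tale: count ciphertext blocks that occur more than once."""
    bs = chunks(ct)
    return len(bs) - len(set(bs))
```

Run against a message of three identical blocks, `ecb_encrypt` yields three identical ciphertext blocks and `repeated_blocks` reports them, while `cbc_encrypt` does not. The same IV passed twice to `ctr_xcrypt` under one key gives ciphertexts c1, c2 with c1 ⊕ c2 = p1 ⊕ p2, which is the keystream-reuse failure the CTR section warns about.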

ADVANCED ENCRYPTION STANDARD (AES)


AES is a symmetric block cipher that is intended to replace DES as the approved
standard for a wide range of applications. Compared to public-key ciphers such as RSA, the
structure of AES and most symmetric ciphers is quite complex and cannot be explained as easily
as many other cryptographic, algorithms.
AES Structure
General Structure
 Figure 2.12 shows the overall structure of the AES encryption process. The cipher takes a
plaintext block size of 128 bits, or 16 bytes. The key length can be 16, 24, or 32 bytes (128,
192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES-256, depending
on the key length.
 The input to the encryption and decryption algorithms is a single 128-bit block. The block is
depicted as a 4 x 4 square matrix of bytes. This block is copied into the State array, which is
modified at each stage of encryption or decryption. After the final stage, State is copied to an
output matrix. These operations are depicted in Figure 5.12a. Similarly, the key is depicted as
a square matrix of bytes. This key is then expanded into an array of key schedule words.
 The figure below shows the expansion for the 128-bit key. Each word is four bytes, and the total
key schedule is 44 words for the 128-bit key. Note that the ordering of bytes within a matrix
is by column. The first four bytes of a 128-bit plaintext input to the encryption cipher occupy
the first column of the in matrix. The second four bytes occupy the second column, and so
on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first
column of the w matrix. The cipher consists of N rounds, where the number of rounds
depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14
rounds for a 32-byte key (Table 2.1).
 The first N - 1 rounds consist of four distinct transformation functions: SubBytes, ShiftRows,
MixColumns, and AddRoundKey, which are described subsequently. The final round
contains only three transformations (MixColumns is omitted), and there is an initial single
transformation (AddRoundKey) before the first round, which can be considered Round 0. Each
transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as
output. Figure 5.1 shows that the output of each round is a 4 x 4 matrix, with the output of the
final round being the ciphertext.
Detailed Structure
Figure 2.12 below shows the AES cipher in more detail, giving the sequence of transformations in
each round and the corresponding decryption function.
Overall detail about the AES structure:
1. It is not a Feistel structure. Recall that, in the classic Feistel structure, half of the data
block is used to modify the other half of the data block and then the halves are swapped.
AES instead processes the entire data block as a single matrix during each round using
substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit words,
w[i], for the 128-bit key (52 and 60 words for 192- and 256-bit keys). Four distinct words
(128 bits) serve as a round key for each round, as shown in figure 5.14.
3. Four different stages are used, one of permutation and three of substitution:
 Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the
block
 ShiftRows: A simple permutation
 MixColumns: A substitution that makes use of arithmetic over GF(2^8)
 AddRoundKey: A simple bitwise XOR of the current block with a portion of the
expanded key
4. The structure is quite simple. For both encryption and decryption, as shown in figure 2.15,
the cipher begins with an AddRoundKey stage, followed by nine rounds that each
include all four stages, followed by a tenth round of three stages.
5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins
and ends with an AddRoundKey stage: any other stage, applied at the beginning or end, is
reversible without knowledge of the key and so would add no security. We can view the
cipher as alternating operations of XOR encryption (AddRoundKey) of a block, followed by
scrambling of the block (the other three stages), and followed by XOR encryption, and so
on. This scheme is both efficient and highly secure.
6. Each stage is easily reversible. For the SubBytes, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the
fact that XORing a block with the same round key twice restores the original block.
7. The decryption algorithm makes use of the expanded key in reverse order. However, the
decryption algorithm is not identical to the encryption algorithm. This is a consequence
of the particular structure of AES.
8. Once it is established that all four stages are reversible, it is easy to verify that decryption
does recover the plaintext.
9. The final round of both encryption and decryption consists of only three stages. Again,
this is a consequence of the particular structure of AES and is required to make the cipher
reversible.
AES Transformation Functions
Four transformations are used in AES. For each stage, we describe the forward (encryption)
algorithm, the inverse (decryption) algorithm, and the rationale for the stage.

Substitute Bytes Transformation

Type 1: Forward and Inverse Transformations:

The forward substitute byte transformation, called SubBytes, is a simple table
lookup. AES defines a 16 x 16 matrix of byte values, called an S-box, that contains a
permutation of all possible 256 8-bit values.
Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column
value. These row and column values serve as indexes into the S-box to select a unique 8-bit
output value, as shown in figure 2.17.
For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which
contains the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.
Fig 2.15 AES Byte level Operations
Here is an example of the SubBytes transformation:

The S-box is constructed in the following fashion.


1. Initialize the S-box with the byte values in ascending sequence row by row. The first row
contains {00}, {01}, {02}, c, {0F}; the second row contains {10}, {11}, etc.; and so on. Thus,
the value of the byte at row y, column x is {yx}.
2. Map each byte in the S-box to its multiplicative inverse in the finite field GF (28); the value
{00} is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0).
Apply the following transformation to each bit of each byte in the S-box:

Where ci is the ith bit of byte c with the value {63}; that is, (c7c6c5c4c3c2c1c0) = (01100011). The
prime ( ‘) indicates that the variable is to be updated by the value on the right.
The AES standard depicts this transformation in matrix form as follows.

• In ordinary matrix multiplication, each element in the product matrix is the sum of products of the elements of one row and one column. Here, each element in the product matrix is instead the bitwise XOR of products of elements of one row and one column.
• As an example, consider the input value {95}. The multiplicative inverse in GF(2^8) is {95}^-1 = {8A}, which is 10001010 in binary. Using the above equation, the result is {2A}, which should appear in row {09}, column {05} of the S-box.
Type 2: Inverse Substitute Byte Transformation:

The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box. For example, the input {2A} produces the output {95}, just as the input {95} to the S-box produces {2A}. The inverse S-box is constructed by applying the inverse of the transformation described above, followed by taking the multiplicative inverse in GF(2^8). The inverse transformation is

where byte d = {05}, or 00000101. We can depict this transformation as follows.

To show that InvSubBytes is the inverse of SubBytes, label the matrices in SubBytes and InvSubBytes as X and Y, respectively, and the vector versions of constants c and d as C and D, respectively.
For some 8-bit vector B, becomes . We need to show that .
To multiply out, we must show . This becomes

We have demonstrated that YX equals the identity matrix and that YC = D, so that YC ⊕ D equals the null vector.
Type 3: Shift Rows Transformation

Forward and Inverse Shift Rows Transformations:

The forward shift row transformation, called ShiftRows, is depicted in Figure 2.18a. The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows:

Fig 2.18 Forward Shift Row Transformation


The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on, as shown in figure 2.19.

Type 4: Mix Columns Transformation

Forward and Inverse Transformations: The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column. The transformation can be defined by the following matrix multiplication on State:

Each element in the product matrix is the sum of products of elements of one row and one column. In this case, the individual additions and multiplications are performed in GF(2^8).
The MixColumns transformation on a single column of State can be expressed as

The following is an example of MixColumns:

To verify the MixColumns transformation on the first column, we need to show that

For the first equation, we have {02}·{87} = (0000 1110) ⊕ (0001 1011) = (0001 0101) and

{03}·{6E} = {6E} ⊕ ({02}·{6E}) = (0110 1110) ⊕ (1101 1100) = (1011 0010)
then

The inverse mix column transformation, called InvMixColumns, is defined by the following matrix multiplication:

To verify that this is the inverse of the MixColumns equation, we need to show that


That is, the inverse transformation matrix times the forward transformation matrix equals the identity matrix. To verify the first column of the above equation, for the first equation we have {0E}·{02} = 00011100 and {09}·{03} = {09} ⊕ ({09}·{02}) = 00001001 ⊕ 00010010 = 00011011; then

Encryption was deemed more important than decryption for two reasons:
1. For the CFB and OFB cipher modes, only encryption is used.
2. AES can be used to construct a message authentication code, and for this only encryption is used.
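MixColumns and InvMixColumns on a single column, as an added Python example rather than code from the notes. It reproduces the products worked above ({02}·{87}, {03}·{6E}, {0E}·{02}, {09}·{03}) and checks that the inverse matrix times the forward matrix is the identity; xtime, gf_mul, MIX and INV_MIX are names chosen here, and SAMPLE_COLUMN is a constructed column whose first two bytes are the {87} and {6E} used above.

```python
# Added example, not the notes' own code: MixColumns / InvMixColumns over GF(2^8).

def xtime(a):
    """{02} * a: shift left; if bit 7 was set, XOR with {1B} since x^8 = x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """a * b in GF(2^8) as a sum of xtime powers, e.g. {03} * a = a ^ ({02} * a)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

MIX = [[0x02, 0x03, 0x01, 0x01],          # forward MixColumns matrix
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],      # InvMixColumns matrix
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def row_dot(row, col):
    """One product-matrix entry: XOR (not sum) of the GF(2^8) products."""
    acc = 0
    for a, b in zip(row, col):
        acc ^= gf_mul(a, b)
    return acc

def mix_column(col):
    return [row_dot(row, col) for row in MIX]

def inv_mix_column(col):
    return [row_dot(row, col) for row in INV_MIX]

def mat_mul(x, y):
    """4x4 matrix product over GF(2^8); INV_MIX * MIX must give the identity."""
    return [[row_dot(x[i], [y[k][j] for k in range(4)]) for j in range(4)]
            for i in range(4)]

IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]

# Constructed sample column; its first two bytes are the {87} and {6E} worked in the notes.
SAMPLE_COLUMN = [0x87, 0x6E, 0x46, 0xA6]
```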
Type 5: AddRoundKey Transformation

Forward and Inverse Transformations


In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key.
The operation is viewed as a column-wise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
The following is an example of AddRoundKey:

The first matrix is State, and the second matrix is the round key.

The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.
Figure 2.20 is another view of a single round of AES, emphasizing the mechanisms and inputs of each transformation.
Type 6: Key Expansion Algorithm
The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear array of 44 words (176 bytes). This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.
Each added word w[i] depends on the immediately preceding word, w[i - 1], and the word four positions back, w[i - 4]. In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used.
Figure 2.21 illustrates the generation of the expanded key, using the symbol g to represent that complex function. The function g consists of the following subfunctions:
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box.
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
The round constant is a word in which the three rightmost bytes are always 0. Thus, the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word.
The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j-1] and with multiplication defined over the field GF(2^8). The values of RC[j] in hexadecimal are

For example, suppose that the round key for round 8 is
EA D2 73 21 B5 8D BA D2 31 2B F5 60 7F 8D 29 2F
Then the first 4 bytes (first column) of the round key for round 9 are calculated as follows:

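The S-box construction in steps 1 to 3 above and the key-expansion function g, carried out in code. This is an added Python example, not the notes' own code: gf_mul, gf_pow, affine, rcon and g are names chosen here, the S-box is generated from its definition rather than copied from a table, and ROUND8_KEY is the round-8 key quoted above.

```python
# Added example, not the notes' own code: AES S-box from its definition, then the key-expansion g.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                     # reduce by {11B}; the x^8 bit was already dropped
        b >>= 1
    return p

def gf_pow(a, e):
    """a^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def affine(x, c=0x63):
    """Step 3: b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8."""
    out = 0
    for i in range(8):
        bit = (c >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (x >> ((i + k) % 8)) & 1
        out |= bit << i
    return out

# Step 2 is the inverse: a^254 = a^-1 because the multiplicative group has order 255; {00} stays {00}.
SBOX = [affine(gf_pow(x, 254) if x else 0) for x in range(256)]
INV_SBOX = [SBOX.index(y) for y in range(256)]          # InvSubBytes table: reverse the lookup

def rcon(j):
    """Rcon[j] = (RC[j], 0, 0, 0) with RC[1] = 1 and RC[j] = 2 * RC[j-1] in GF(2^8)."""
    return [gf_pow(2, j - 1), 0, 0, 0]

def g(word, j):
    rotated = word[1:] + word[:1]                                 # RotWord
    return [SBOX[b] ^ r for b, r in zip(rotated, rcon(j))]        # SubWord, then XOR Rcon[j]

def first_word_of_next_round_key(prev_key, j):
    """w[4j] = w[4j-4] XOR g(w[4j-1]), with prev_key the 16-byte round key of round j-1."""
    return [a ^ b for a, b in zip(prev_key[0:4], g(list(prev_key[12:16]), j))]

ROUND8_KEY = bytes.fromhex("EAD27321B58DBAD2312BF5607F8D292F")    # round-8 key quoted in the notes
```

Calling first_word_of_next_round_key(ROUND8_KEY, 9) gives the first column of the round-9 key; the inverse S-box mapping {2A} back to {95} is available as INV_SBOX[0x2A].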