AES Algorithm Specification
Overview
Introduction. Forward Substitute Byte Transformation. Finite Field: GF(p), GF(2^n). Construction (S-Box). Shift Rows. Mix Columns. Add Round Key. Key Expansion (putting it all together). Few words and References.
Introduction
Designed by Vincent Rijmen and Joan Daemen in Belgium. Has 128/192/256-bit keys and a 128-bit data block. An iterative cipher whose key is expanded into an array of words. AES has 10/12/14 rounds (for 128/192/256-bit keys respectively), each built from four stages, one permutation and three substitutions:
Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block. ShiftRows: a simple permutation of bytes. MixColumns: a substitution that makes use of arithmetic over GF(2^8). AddRoundKey: a simple bitwise XOR of the current block with a portion of the expanded key.
The S-box is a 16x16 lookup table holding a permutation of all 256 byte values (each value appears exactly once). Each byte of State is replaced by the entry indexed by its row (left 4 bits) and column (right 4 bits). The entry is the byte's multiplicative inverse in GF(2^8) followed by an affine transformation. The main objective of the S-box is to provide confusion and non-linearity; it is the only non-linear stage of the cipher.
Finite Field
A field is a set with two operations, addition and multiplication, such that: both operations satisfy closure; both are associative; both are commutative; each has an identity (0 for addition, 1 for multiplication); every element a has an additive inverse -a; every nonzero element a (a != 0) has a multiplicative inverse a^-1; multiplication is distributive over addition.
Fields with the same number of elements are isomorphic. In cryptography we often use the fields GF(p) and GF(2^n).
GF(p) is the set of integers {0, 1, ..., p-1} with arithmetic modulo a prime p. These form a finite field, hence arithmetic is well behaved: addition, subtraction, multiplication and division (by any nonzero element) can all be done without leaving GF(p).
Finding Inverses in GF(p)
EXTENDED EUCLID(m, b)
1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
4. Q = A3 div B3
5. (T1, T2, T3) = (A1 - Q*B1, A2 - Q*B2, A3 - Q*B3)
6. (A1, A2, A3) = (B1, B2, B3)
7. (B1, B2, B3) = (T1, T2, T3)
8. goto 2
The invariant behind it: at every step A1*m + A2*b = A3 and B1*m + B2*b = B3, so when B3 reaches 1, B2*b = 1 (mod m).
Example: inverse of 550 modulo 1759. Each row shows the state after one pass through steps 4-7 with quotient Q; the first row is the initialisation.
Q     A1     A2     A3     B1     B2     B3
-     1      0      1759   0      1      550
3     0      1      550    1      -3     109
5     1      -3     109    -5     16     5
21    -5     16     5      106    -339   4
1     106    -339   4      -111   355    1
The run stops when B3 = 1, so 550^-1 mod 1759 = B2 = 355 (check: 550 x 355 = 195250 = 111 x 1759 + 1).
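The integer algorithm in code, as an added example that is not part of the original slides. `extended_euclid` follows the eight steps above literally, including the early return when B3 reaches 1, and also returns the per-iteration rows so the table above can be reproduced; the function names and the row trace are this example's own choices, not something the slides define.

```python
def extended_euclid(m: int, b: int):
    """EXTENDED EUCLID(m, b) from the slide.

    Returns (gcd, inverse, rows): inverse is b^-1 mod m, or None when gcd(m, b) > 1.
    rows holds (Q, A1, A2, A3, B1, B2, B3) after each iteration, i.e. the rows of the
    worked table. Invariant kept by every step: A1*m + A2*b == A3 and B1*m + B2*b == B3,
    so when B3 reaches 1 we have B2*b == 1 (mod m).
    """
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    rows = []
    while True:
        if B3 == 0:                       # step 2: gcd is A3, no inverse
            return A3, None, rows
        if B3 == 1:                       # step 3: gcd is 1, B2 is the inverse
            return 1, B2 % m, rows        # reduce, since B2 may come out negative
        Q = A3 // B3                      # step 4
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3   # step 5
        A1, A2, A3 = B1, B2, B3           # step 6
        B1, B2, B3 = T1, T2, T3           # step 7
        rows.append((Q, A1, A2, A3, B1, B2, B3))


def print_table(m: int, b: int) -> None:
    """Print the worked table in the layout used above (output constructed here)."""
    gcd, inv, rows = extended_euclid(m, b)
    print("Q      A1     A2     A3     B1     B2     B3")
    for row in rows:
        print("".join(f"{v:<7}" for v in row))
    print(f"gcd({m}, {b}) = {gcd}, inverse = {inv}")


if __name__ == "__main__":
    print_table(1759, 550)   # last row: Q=1 ... B2=355, so 550^-1 mod 1759 = 355
    print_table(12, 8)       # gcd 4: no inverse
```

The negative intermediate values (-3, -5, -339, -111) are expected; only the final B2 is reduced modulo m. The second call shows the step-2 exit: when gcd(m, b) > 1 no inverse exists, which is why modular arithmetic on a composite modulus does not give a field.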
A finite field F has p^n elements (p prime, integer n > 0). For any a in F, a + a + ... + a (p times) = 0.
For n > 1, integer arithmetic modulo p^n does not produce a field (for example 2 has no inverse modulo 4). GF(2^n) is instead built from polynomials with coefficients mod 2, multiplied modulo an irreducible polynomial of degree n; this generates a Galois field.
word. For any fixed nonzero a in GF(2^n), the products a*b over all b run through every value 0 to 2^n-1 exactly once, and every nonzero element has a multiplicative inverse. A modified Euclid's algorithm [1] computes the inverse with less computational complexity, which in turn makes division cheaper.
EXTENDED EUCLID[m(x), b(x)]
1. [A1(x), A2(x), A3(x)] = [1, 0, m(x)]; [B1(x), B2(x), B3(x)] = [0, 1, b(x)]
2. if B3(x) = 0 return A3(x) = gcd[m(x), b(x)]; no inverse
3. if B3(x) = 1 return B3(x) = gcd[m(x), b(x)]; B2(x) = b(x)^-1 mod m(x)
4. Q(x) = quotient of A3(x) / B3(x)
5. [T1(x), T2(x), T3(x)] = [A1(x) - Q(x)B1(x), A2(x) - Q(x)B2(x), A3(x) - Q(x)B3(x)]
6. [A1(x), A2(x), A3(x)] = [B1(x), B2(x), B3(x)]
7. [B1(x), B2(x), B3(x)] = [T1(x), T2(x), T3(x)]
8. goto 2
Over GF(2) subtraction is the same as addition (XOR of coefficients), so the minus signs in step 5 are XORs.
Example: inverse of x^7 + x + 1 modulo the AES polynomial m(x) = x^8 + x^4 + x^3 + x + 1. Each row is the state after one pass through steps 4-7.
Q              A1             A2              A3                  B1             B2              B3
-              1              0               x^8+x^4+x^3+x+1     0              1               x^7+x+1
x              0              1               x^7+x+1             1              x               x^4+x^3+x^2+1
x^3+x^2+1      1              x               x^4+x^3+x^2+1       x^3+x^2+1      x^4+x^3+x+1     x
x^3+x^2+x      x^3+x^2+1      x^4+x^3+x+1     x                   x^6+x^2+x+1    x^7             1
B3 = 1, so (x^7 + x + 1)^-1 mod m(x) = B2 = x^7 (check: (x^7 + x + 1) * x^7 = x^14 + x^8 + x^7, which reduces to 1 modulo m(x)).
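The same algorithm over polynomials with mod-2 coefficients, as an added example (not code from the slides). Polynomials are held as Python integers with bit k as the coefficient of x^k, so addition is XOR, x^8 + x^4 + x^3 + x + 1 is 0x11B and x^7 + x + 1 is 0x83; `poly_mul`, `poly_divmod`, `poly_extended_euclid` and `gf256_inverse` are names chosen here. Beyond the single inverse in the table, `gf256_inverse` applies the routine to every byte, which is exactly the first half of the S-box construction.

```python
# Polynomials over GF(2) as ints: bit k is the coefficient of x^k. Add/subtract is XOR.
AES_MODULUS = 0x11B          # x^8 + x^4 + x^3 + x + 1


def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two GF(2) polynomials (no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a: int, b: int):
    """Quotient and remainder of a(x) / b(x), coefficients mod 2."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, deg_b = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_b:
        shift = (a.bit_length() - 1) - deg_b
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def poly_extended_euclid(m: int, b: int):
    """EXTENDED EUCLID[m(x), b(x)] from the slide: returns (gcd, inverse or None, rows)."""
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    rows = []                                   # state after each iteration, as in the table
    while True:
        if B3 == 0:
            return A3, None, rows
        if B3 == 1:
            return 1, poly_divmod(B2, m)[1], rows
        Q, _ = poly_divmod(A3, B3)
        T1, T2, T3 = A1 ^ poly_mul(Q, B1), A2 ^ poly_mul(Q, B2), A3 ^ poly_mul(Q, B3)
        A1, A2, A3 = B1, B2, B3
        B1, B2, B3 = T1, T2, T3
        rows.append((Q, A1, A2, A3, B1, B2, B3))


def poly_str(p: int) -> str:
    """Render 0x83 as 'x^7 + x + 1'."""
    terms = [("1" if k == 0 else "x" if k == 1 else f"x^{k}")
             for k in range(p.bit_length() - 1, -1, -1) if (p >> k) & 1]
    return " + ".join(terms) if terms else "0"


def gf256_inverse(a: int) -> int:
    """Inverse of a(x) in GF(2^8) under the AES modulus; 0 maps to 0 as the S-box requires."""
    if a == 0:
        return 0
    return poly_extended_euclid(AES_MODULUS, a)[1]


if __name__ == "__main__":
    gcd, inv, rows = poly_extended_euclid(AES_MODULUS, 0x83)
    for Q, *state in rows:
        print(f"{poly_str(Q):<14}| " + " ; ".join(poly_str(v) for v in state))
    print(f"({poly_str(0x83)})^-1 = {poly_str(inv)}")     # x^7
```

Because m(x) is irreducible, gcd(m(x), b(x)) = 1 for every nonzero b(x) of degree below 8, so the step-2 exit is never taken for a byte value; that is the property that makes GF(2^8) a field and the S-box a permutation.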
Construction (S-Box)
Number the rows and columns of the S-box in ascending order (row = high nibble, column = low nibble of the input byte). Map each byte to its multiplicative inverse in the finite field GF(2^8) under m(x) = x^8 + x^4 + x^3 + x + 1; the value {00} is mapped to itself. Then apply the following affine transformation (over GF(2), bit by bit) to the result, where c = {63} = 01100011 and b_i is bit i of the byte:
b'_i = b_i XOR b_((i+4) mod 8) XOR b_((i+5) mod 8) XOR b_((i+6) mod 8) XOR b_((i+7) mod 8) XOR c_i
Both steps are bijections, so the S-box is a permutation of the 256 byte values; the affine step is what keeps S(x) from having fixed points (S({00}) = {63}) and breaks the purely algebraic structure of the inverse.
S-Box
     0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   01 AE 6C B1 F0 36 E9 B4 00 C5 0B 7D D3 78 CB D8
1   DE 04 24 6F 16 88 86 5A 44 43 9A F4 90 4D CF 48
2   A5 BA 8A E3 6B 45 C0 84 93 60 76 5E 30 13 58 77
3   63 B5 B9 80 EB 8E 40 C4 47 20 E6 FD 92 73 7A 11
4   6A B2 D9 35 59 DD 18 52 DF 0C 65 BF C1 AC EE D1
5   26 50 E2 3B 28 8C 83 5F 46 57 FF 23 2D CE A0 A7
6   7E 3A CC B6 1D 34 F6 E5 1A 7B C3 0D 1B D0 B7 BC
7   C9 17 38 4A 2C CD 25 02 D7 A3 3C DA E0 1E DC 70
8   7F 08 B0 E7 D6 2F C2 5D 37 61 9F AA 81 FE 12 F1
9   67 82 6D 21 41 A2 A1 EA 51 E1 75 99 97 8B 42 FA
A   A4 0F EC 55 3F 22 54 D4 49 2A 56 95 15 2B FB BB
B   05 94 8D B3 D5 F7 AB DB A8 E4 F8 9B 72 0A FC 79
C   03 ED 3D 68 C7 AF 66 D2 1C 33 69 0E 10 06 07 09
D   64 7C CA BD 3E 29 EF 85 B8 C6 F3 5C 1F C8 14 BE
E   2E F5 9D 6E 8F 9E A6 5B 4F 53 9C 96 98 4E 4B 4C
F   32 71 A9 19 89 91 E8 27 F9 74 87 39 62 F2 AD 31
Caution: the entries above are reproduced as they appear on the slide and do not match the AES S-box of FIPS 197, whose first row (inputs {00} to {0F}) reads 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 and for which S({53}) = {ED}. Any implementation should generate the table from the inverse-plus-affine construction above, or take it from FIPS 197, and check those values before use.
Shift Rows
1st row is unchanged; 2nd row does a 1-byte circular shift to the left; 3rd row does a 2-byte circular shift to the left; 4th row does a 3-byte circular shift to the left.
Decryption inverts this using shifts to the right. Since the state is otherwise processed column by column (MixColumns and AddRoundKey act on columns), this step moves bytes between the columns, so that after a few rounds every output byte depends on every input byte. The main objective of ShiftRows is diffusion.
Mix Columns
Each column is processed separately. Each byte is replaced by a value that depends on all 4 bytes in the column, computed as a matrix multiplication in GF(2^8). The operation is linear; its objective is diffusion within each column (confusion is supplied by the S-box, not here).
The inverse transformation matrix times the forward transformation matrix equals the identity matrix, which is what makes the stage invertible.
Equivalently, consider each column of State to be a four-term polynomial with coefficients in GF(2^8). The forward operation multiplies each column by the fixed polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo (x^4 + 1).
The inverse operation multiplies each column by a^-1(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E} modulo (x^4 + 1).
Add Round Key
The AddRoundKey stage is, in effect, a form of Vernam cipher: the 128 bits of State are bitwise XORed with the 128 bits of the round key, column by column (each State column is XORed with one word of the expanded key). AES takes the 4-word (16-byte) input key and expands it into a linear array of 44 words (176 bytes): one 4-word round key for the initial AddRoundKey and one for each of the 10 rounds. This is the only stage that introduces key material; the other three stages are fixed, key-independent transformations.
Key Expansion
Key expansion is based on diffusion (rotating the bytes of a word) followed by non-linear confusion (the S-box) and a round constant. A 16-byte initial key is expanded into a 44-word array of 176 bytes:
```c
KeyExpansion(byte Key[16], word W[44])
{
    word temp;
    /* the first four words are the key itself */
    for (i = 0; i < 4; i++)
        W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
    /* every fourth word is rotated, substituted and XORed with Rcon first */
    for (i = 4; i < 44; i++) {
        temp = W[i - 1];
        if (i % 4 == 0)
            temp = SubByte(RotByte(temp)) ^ Rcon[i / 4];
        W[i] = W[i - 4] ^ temp;
    }
}
```
The round constant array Rcon is computed as rcon(i) = x^(i-1) in GF(2^8), i.e. in the field of polynomials over GF(2) modulo x^8 + x^4 + x^3 + x + 1 (the slide's x^(254+i) gives the same value, since x^255 = 1 in this field). The constant occupies the leftmost byte of the word, the other three bytes being 0; Rcon[1..10] = 01, 02, 04, 08, 10, 20, 40, 80, 1B, 36. The inclusion of a round-dependent constant eliminates the symmetry between the ways in which round keys are generated in different rounds.
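To put the four stages and the key schedule together, here is an added Python example (not code from the slides, nor FIPS 197's reference code) that builds the S-box from the inverse-plus-affine construction, implements SubBytes, ShiftRows, MixColumns, AddRoundKey and the KeyExpansion above, and encrypts one block with AES-128. Assumptions made here: the inverse is computed as a^254 (Fermat) rather than with Euclid's algorithm, the state is 16 bytes in column-major order (byte r + 4c is row r, column c), and all function names are this example's own. The `main` guard checks the result against the FIPS 197 Appendix C.1 vector (key 00..0f, plaintext 00112233...ff, ciphertext 69c4e0d8...c55a).

```python
"""AES-128 from its four stages (SubBytes, ShiftRows, MixColumns, AddRoundKey) + KeyExpansion.
State layout: 16 ints in column-major order, so index r + 4*c is row r, column c.
"""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8): shift-and-add, reducing by x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                      # x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8) by square-and-multiply; {00} maps to {00}."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def affine(b: int) -> int:
    """b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i over GF(2), c = {63}."""
    out = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (0x63 >> i))
        out |= (bit & 1) << i
    return out


SBOX = [affine(gf_inv(x)) for x in range(256)]
RCON = [0x01]                              # rcon(i) = x^(i-1): keep multiplying by x = {02}
for _ in range(9):
    RCON.append(gf_mul(RCON[-1], 0x02))


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r rotates left by r bytes: new[r][c] = old[r][(c + r) mod 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column times the fixed matrix [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]] in GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, rk):
    return [x ^ k for x, k in zip(s, rk)]


def key_expansion(key: bytes) -> list:
    """16-byte key -> 176 bytes (44 words), following the KeyExpansion pseudocode above."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotByte
            temp = [SBOX[b] for b in temp]           # SubByte
            temp[0] ^= RCON[i // 4 - 1]              # Rcon[i/4], 1-based on the slide
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return [b for word in w for b in word]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """AES-128 encryption of one 16-byte block: 10 rounds, the last without MixColumns."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0:16])
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[16 * rnd:16 * rnd + 16])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[160:176])
    return bytes(s)


if __name__ == "__main__":
    key = bytes(range(16))                                        # FIPS 197 Appendix C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(key, pt).hex())                           # 69c4e0d86a7b0430d8cdb78070b4c55a
```

The generated `SBOX` is a good check on the construction: it must be a permutation with S({00}) = {63} and S({53}) = {ED}. Note that this table-driven code is for understanding the specification, not for production: table lookups indexed by secret data leak timing through the cache, which is why real implementations use AES-NI or constant-time bitsliced code.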
Few words
Only the AddRoundKey stage makes use of the key. The cipher begins and ends with AddRoundKey because the other three stages are invertible without the key: any of them placed before the first or after the last AddRoundKey could simply be undone by an attacker and would add no security.
The final round consists of only three stages, since MixColumns is omitted. This is a deliberate feature of the AES structure rather than an arbitrary choice: a key-independent linear MixColumns at the very end could be peeled off by anyone, so dropping it costs no security, and it lets decryption be organised with the same round structure as encryption.
References
Federal Information Processing Standards Publication 197, Announcing the ADVANCED ENCRYPTION STANDARD (AES), November 26, 2001.
D. Canright, A Very Compact S-box for AES, Applied Mathematics Dept., Naval Postgraduate School, Monterey CA 93943, USA (dcanright@nps.edu).
www.cprogramming.com, [Tutorial] Implementing the Advanced Encryption Standard.
William Stallings, Cryptography and Network Security: Principles and Practices, Fourth Edition, ISBN-10 0-13-187316-4.