
RKU Internet Login Security Overview


UNIT-3

Private Key Cryptography


Symmetric Key Cryptography (Private Key Cryptography)
 Use the same key (the secret key) to encrypt and decrypt a message
 P encrypts to C with key K, and C decrypts to P with the same key K.
Symmetric Encryption
 The main disadvantage of a secret-key cryptosystem is related to the exchange of keys.
Symmetric encryption is based on the exchange of a secret (keys). The problem of key
distribution therefore arises:
 The Public Key is what its name suggests - Public. It is made available to everyone via a
publicly accessible repository or directory.
 On the other hand, the Private Key must remain confidential to its respective owner.
 Because the key pair is mathematically related, whatever is encrypted with a Public Key
may only be decrypted by its corresponding Private Key and vice versa.
 For example, if Bob wants to send sensitive data to Alice, and wants to be sure that only
Alice may be able to read it, he will encrypt the data with Alice's Public Key. Only Alice has
access to her corresponding Private Key and as a result is the only person with the
capability of decrypting the encrypted data back into its original form.
 As only Alice has access to her Private Key, it is possible that only Alice can decrypt the
encrypted data. Even if someone else gains access to the encrypted data, it will remain
confidential as they should not have access to Alice's Private Key.
Cryptographic Algorithms

 Cryptographic algorithms and protocols can be grouped into four main areas:
• Symmetric encryption
• Asymmetric encryption
• Data integrity algorithms
• Authentication protocols

 Symmetric encryption is used to secure the contents of blocks or streams of data of any size, including messages,
files, encryption keys, and passwords.
 Data integrity algorithms are used to protect blocks of data, such as messages, from
alteration.
 Asymmetric encryption is used to conceal small blocks of data, such as encryption
keys and hash function values, which are used in digital signatures.
 Authentication protocols are schemes based on the use of cryptographic
algorithms designed to authenticate the identity of entities.
ALGORITHM TYPES

 The algorithm type defines what size of plaintext is encrypted in each step of the algorithm

 Two ways:
• Stream Ciphers

• Block Ciphers
SYMMETRIC KEY ALGORITHM

 Key remains same for encryption and decryption

 Two aspects :
• Algorithm Types

• Algorithm Modes
Ciphers

 Symmetric cipher: same key used for encryption and decryption.
There are two kinds of symmetric ciphers: stream ciphers and block ciphers.
 Asymmetric cipher: different keys used for encryption and decryption

STREAM CIPHERS

 Plain text is encrypted one bit or one byte at a time
 Example:

Plain Text (a)     10111001
Key (b)          ⊕ 10101011
Cipher Text        00010010
Stream Cipher

 A stream cipher is one that encrypts a digital data stream one bit or one byte at a
time.
 Examples:

• Autokeyed Vigenère cipher

• Vernam cipher.
Block Cipher

 A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length.
 Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two
users share a symmetric encryption key.
 Examples:

• Feistel cipher

• DES

• Triple DES

• AES
Block Cipher

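[Figure: block cipher. A b-bit plaintext block and the key (K) enter the encryption algorithm, which outputs a b-bit ciphertext block; the decryption algorithm takes the b-bit ciphertext block and the same key (K) and outputs the b-bit plaintext block.]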
ALGORITHM MODES

 With block ciphers it is possible, although not recommended, to use the same secret key
bits for encrypting the same plaintext parts.
 Using one deterministic algorithm for a number of identical input blocks results in some number of identical
ciphertext blocks.

 The idea is to mix the plaintext blocks (which are known) with the ciphertext blocks (which have just been
created), and to use the result as the cipher input for the next blocks.
 As a result, the user avoids creating identical output ciphertext blocks from identical plaintext data. These
modifications are called the block cipher modes of operation.
To apply a block cipher in a variety of applications, five modes are used:
 Electronic Code Book (ECB)
 Cipher Block Chaining (CBC)
 Cipher Feedback (CFB)
 Output Feedback (OFB)
 Counter Mode
ELECTRONIC CODEBOOK (ECB)

 The message is divided into blocks and each block is encrypted separately
 Each block of 64 bits of plaintext is encoded independently using the same key. Used to
encrypt short amounts of data
 Generally, if a message is larger than b bits in size, it can be broken down into a bunch of
blocks and the procedure is repeated.
 Transmitting a single value in a secure fashion (password or key used for encryption)
 ECB encrypts identical plaintext blocks into identical ciphertext blocks, so it does not hide
data patterns well
ECB WORKING

[Figure: ECB encryption. Each plaintext block P1, P2, …, Pn is encrypted separately with key K to give C1, C2, …, Cn.]
[Figure: ECB decryption. Each ciphertext block C1, C2, …, Cn is decrypted separately with key K to give P1, P2, …, Pn.]
The bitmap image encrypted using DES and the same secret key. The ECB mode
was used for the left image and the more complicated CBC mode was used for
the right image.
[Figure panels: Original image; Encrypted using ECB mode; Modes other than ECB result in pseudo-randomness]
Advantages of using ECB –
 Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
 Simple way of block cipher.
Disadvantages of using ECB –

 Prone to cryptanalysis since there is a direct relationship between plaintext and ciphertext.

Example:
 If a ciphertext from the ECB mode is known to encrypt a salary figure, then a
small number of trials will allow an attacker to recover the figure. In general, we do not
wish to use a deterministic cipher, and hence the ECB mode should not be used in most
applications.
CIPHER BLOCK CHAINING

 Repeated bit patterns in the block cipher output are eliminated
 CBC mode is used for authentication and confidentiality
 Long messages can be encrypted by the chaining mechanism
 In this mode each plaintext block is XORed with the ciphertext block that was
previously produced.
 The result is then encrypted using the cipher algorithm in the usual way.
 As a result, every subsequent ciphertext block depends on the previous one.
 The first plaintext block is XORed with a random initialization vector (commonly referred
to as IV). The vector has the same size as a plaintext block.
 If the first block has index 1, the mathematical formula for CBC encryption is

while the mathematical formula for CBC decryption is


 If one bit of a plaintext message is damaged (for example because of some earlier
transmission error), all subsequent ciphertext blocks will be damaged and it will never be
possible to decrypt the ciphertext received from this plaintext.

 As opposed to that, if one ciphertext bit is damaged, only two received plaintext blocks
will be damaged. It might be possible to recover the data.
Advantages of CBC –
 CBC works well for input greater than b bits.
 CBC is a good authentication mechanism.
 Better resistive nature towards cryptanalysis than ECB.

Disadvantages of CBC –
 Parallel encryption is not possible since every encryption requires the previous ciphertext block.
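The ECB and CBC behaviour described above, as an added example that is not part of the original slides: it counts repeated ciphertext blocks in each mode and shows how far a single damaged bit spreads. The 16-bit permutation-table cipher, key, IV and message are constructed for illustration and are not secure; the comments give the standard CBC relations.

```python
import random

BLOCK = 2  # toy block size in bytes (b = 16 bits); an assumption of this example

def make_cipher(key):
    """Toy block cipher: a key-seeded permutation of all 16-bit blocks. NOT secure."""
    table = list(range(1 << (8 * BLOCK)))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for plain, ciph in enumerate(table):
        inverse[ciph] = plain
    def enc(blk):
        return table[int.from_bytes(blk, "big")].to_bytes(BLOCK, "big")
    def dec(blk):
        return inverse[int.from_bytes(blk, "big")].to_bytes(BLOCK, "big")
    return enc, dec

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(enc, pt):
    return b"".join(enc(p) for p in blocks(pt))

def ecb_decrypt(dec, ct):
    return b"".join(dec(c) for c in blocks(ct))

def cbc_encrypt(enc, iv, pt):
    prev, out = iv, []
    for p in blocks(pt):
        prev = enc(xor(p, prev))        # C_i = E(K, P_i XOR C_{i-1}), with C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(dec(c), prev))   # P_i = D(K, C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    """Count ciphertext blocks equal to an earlier block (the ECB pattern leak)."""
    seen, repeats = set(), 0
    for c in blocks(ct):
        repeats += c in seen
        seen.add(c)
    return repeats

def differing_blocks(a, b):
    """Indices of the blocks in which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

def flip_bit(data, block_index):
    """Damage one bit in the given block."""
    out = bytearray(data)
    out[block_index * BLOCK] ^= 0x01
    return bytes(out)

# Constructed sample data. A real CBC IV must be random per message.
KEY = "constructed demo key"
IV = bytes.fromhex("a5c3")
MESSAGE = b"SALARY=5000;" * 4      # 24 blocks, only 6 of them distinct

def demo():
    enc, dec = make_cipher(KEY)
    ecb = ecb_encrypt(enc, MESSAGE)
    cbc = cbc_encrypt(enc, IV, MESSAGE)
    return {
        "roundtrip": ecb_decrypt(dec, ecb) == MESSAGE
                     and cbc_decrypt(dec, IV, cbc) == MESSAGE,
        "ecb_repeats": repeated_blocks(ecb),
        "cbc_repeats": repeated_blocks(cbc),
        # one damaged ciphertext bit, then decrypt: which plaintext blocks break?
        "ecb_ct_error": differing_blocks(MESSAGE, ecb_decrypt(dec, flip_bit(ecb, 5))),
        "cbc_ct_error": differing_blocks(MESSAGE, cbc_decrypt(dec, IV, flip_bit(cbc, 5))),
        # one changed plaintext bit, then encrypt: which ciphertext blocks change?
        "cbc_pt_change": differing_blocks(cbc, cbc_encrypt(enc, IV, flip_bit(MESSAGE, 5))),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the output, ECB repeats a ciphertext block for every repeated plaintext block, while a damaged CBC ciphertext bit corrupts exactly the block it sits in and the one after it.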
CIPHER FEEDBACK MODE (CFB)

 The CFB mode is similar to the CBC mode described above.


 The main difference is that one should encrypt ciphertext data from the previous round
(so not the plaintext block) and then add the output to the plaintext bits.
 It does not affect the cipher security but it results in the fact that the same encryption
algorithm (as was used for encrypting plaintext data) should be used during the
decryption process.
[Figure: Encryption in the CFB mode]
[Figure: Decryption in the CFB mode]
 If one bit of a plaintext message is damaged, the corresponding ciphertext block and all
subsequent ciphertext blocks will be damaged. Encryption in CFB mode can be performed
only by using one thread.

 On the other hand, as in CBC mode, one can decrypt ciphertext blocks using many threads
simultaneously. Similarly, if one ciphertext bit is damaged, only two received plaintext
blocks will be damaged.
OUTPUT FEEDBACK MODE
[Figure: encryption. An i-bit shift register is loaded with the IV and encrypted with key K; the J-bit part of the output is XORed with the plaintext P to give the J-bit ciphertext units C1, C2, …, Cn, and the output On-1 is fed back into the shift register for the next unit.]
OUTPUT FEEDBACK MODE
[Figure: decryption. The same shift register, IV and K Encrypt stages are used; the J-bit part of each output is XORed with C1, C2, …, Cn to give the J-bit plaintext units P1, P2, …, Pn.]
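COUNTER MODE
[Figure: encryption. The values COUNTER, COUNTER + 1, …, COUNTER + N - 1 are each encrypted with key K, and the outputs are XORed with P1, P2, …, Pn to give C1, C2, …, Cn.]
COUNTER MODE
[Figure: decryption. The values COUNTER, COUNTER + 1, …, COUNTER + N - 1 are each encrypted with key K, and the outputs are XORed with C1, C2, …, Cn to give P1, P2, …, Pn.]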
ADVANTAGES OF COUNTER MODE

 Hardware Efficiency
 Software Efficiency
 Preprocessing
 Random Access
 Provable Security
 Simplicity
CONFUSION & DIFFUSION

 Claude Shannon introduced these two terms

 Confusion
• It is a technique of ensuring that the ciphertext gives no clue about the plaintext
• Confusion means that each binary digit (bit) of the ciphertext should depend on several parts of
the key.
• Achieved by the substitution technique

 Diffusion
• Increases the redundancy of the plaintext by spreading it across rows and columns.
• Achieved by permutation, known as the transposition technique

 Diffusion means that if we change a single bit of the plaintext, then (statistically) half of
the bits in the ciphertext should change, and similarly, if we change one bit of the
ciphertext, then approximately one half of the plaintext bits should change.

 This complexity is generally implemented through a well-defined and repeatable series of
substitutions and permutations. Substitution refers to the replacement of certain
components (usually bits) with other components, following certain rules. Permutation
refers to manipulation of the order of bits according to some algorithm.
Diffusion and Confusion

Confusion
 Confusion hides the relationship between the ciphertext and the key.
 This is achieved by the use of a complex substitution algorithm.

Diffusion
 Diffusion hides the relationship between the ciphertext and the plaintext.
 This is achieved by having a change in one plaintext digit affect the value of many ciphertext digits.

[Figure: diffusion. Input X1 = 0010 1011 gives output Y1 = 1011 1001; input X2 = 0000 1011 gives output Y2 = 0110 1100. A single bit flip in the input causes many bit flips in the output.]

 A substitution–permutation network (SPN) is a series of linked mathematical operations
used in block cipher algorithms.

 Such a network takes a block of the plaintext and the key as inputs, and applies several
alternating "rounds" or "layers" of substitution boxes (S-boxes) and permutation boxes
(P-boxes) to produce the ciphertext block.

 The S-boxes and P-boxes transform (sub-)blocks of input bits into output bits.

 Decryption is done by simply reversing the process (using the inverses of the S-boxes and
P-boxes and applying the round keys in reversed order).
FEISTEL CIPHER

 Feistel proposed a scheme to produce a block cipher using permutation and substitution
alternately.
 Virtually all conventional block encryption algorithms, including the Data Encryption Standard
(DES), are based on the Feistel cipher structure.
 Partitions the input block into two halves
• process through multiple rounds which:
• perform a substitution on left data half
• based on round function of right half & sub key
• then have permutation swapping halves

 The plaintext is divided into two halves L0 and R0
 Then the two halves pass through n rounds of processing and then combine to produce the
cipher block.
 Each round has as input Li-1 and Ri-1 derived from the previous round, as well as a
subkey Ki derived from the overall K
 All rounds have the same structure
 A substitution is performed on the left half of the data. This is done by applying a round
function to the right half of the data followed by the XOR of the output of that function
and the left half of the data.
 It is the approach to develop a block cipher with a key length of k bits and a block length
of n bits, allowing a total of 2^k possible transformations.
 The Feistel structure has the advantage that encryption and decryption operations are
very similar, even identical in some cases, requiring only a reversal of the key schedule.
Classical Feistel Network

1. Plaintext is split into 32-bit halves Li and Ri
2. Ri is fed into the function F.
3. The output of function F is then XORed with Li
4. Left and right half are swapped.

Ri = Li-1 ⊕ F(Ri-1, Ki)
Li = Ri-1
Classical Feistel Network
FEISTEL NETWORK PARAMETERS

 Block Size
• A large block size provides high security, achieved by diffusion
• A 64-bit block is the universal block cipher design
• A larger block size lowers the encryption/decryption speed of the algorithm

 Key Size
• A large key size provides high security, achieved by confusion
• 128 bits is a common key size

 Number of Rounds
• A single round offers less security
• Multiple rounds provide greater security
• 16 rounds are common

 Subkey Generation Algorithm
• A complex algorithm provides high security
 Round Function
• A complex round operation provides high security
• Again, greater complexity generally means greater resistance to cryptanalysis.

 Ease of Analysis:
• to be able to develop a higher level of assurance as to its strength

 Decryption:
• use the same algorithm with reversed keys.
Data Encryption Standard (DES)
How DES works?

 Type: block cipher
 Encryption uses DES; decryption uses DES with a minor difference.
 The key length used is 56 bits.
How we get 56 bit key.
 DES is based on two fundamentals:

• Substitution (confusion)

• Transposition (diffusion)

o Consists of 16 rounds

o Each round contains

o Substitution (confusion)

o Transposition (diffusion)
Steps for DES algorithm
Step 2 Initial permutation.
Here conversion takes place as follows.
Step 3 16 Rounds
• The confusion step is the S-box substitution, while the diffusion step is where the output of the S-boxes is rearranged according to the P-box permutation rules.
DES Single Round
DES Single Round (Cont…)

1. Key Transformation
• Permutation of selection of sub-key from original key
2. Expansion Permutation (E-table)
• Right half is expanded from 32-bits to 48-bits
3. S-box Substitution
• Accepts 48-bits from XOR operation and produce 32-bits using 8 substitution boxes
(each S-boxes has a 6-bit i/p and 4-bit o/p).
4. P-Box Permutation
5. XOR and Swap
 First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits
to produce the permuted input.
 This is followed by a phase consisting of sixteen rounds of the same function, which
involves both permutation and substitution functions.
 Finally, the pre output is passed through a permutation that is the inverse of the initial
permutation function, to produce the 64-bit ciphertext.
 The 56-bit key is passed through a permutation function.
 For each of the sixteen rounds, a subkey (Ki) is produced by the combination of a left
circular shift and a permutation.

1. Initial permutation: First, the 64-bit plaintext passes through an initial permutation (IP)
that rearranges the bits to produce the permuted input.
2. The F function: This phase consists of sixteen rounds of the same function, which
involves both permutation and substitution functions.
3. Swap: L and R are swapped again at the end of the cipher, i.e., after round 16, followed by a
final permutation.
4. Inverse (Final) permutation: It is the inverse of the initial permutation.
5. Subkey generation: For each of the sixteen rounds, a different subkey (Ki) is derived from
the main key by the combination of a left circular shift and a permutation.
Initial and Inverse Permutation
 The initial permutation of the DES algorithm changes the order of the
plaintext prior to the first round of encryption.

 The final permutation occurs after the sixteen rounds of DES are
completed. It is the inverse of the initial permutation.
Initial and Final Permutation

IP
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP-1
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
Step 1 of 3 Key Transformation

• For each round a different subset of the key is used, which makes it not easy to crack.
• Here in each round the bits are shifted randomly.
Step 2 of 3 Expansion Permutation

 Now we will talk about these 8 blocks of 4 bits each in the next slide.
 These 4-bit blocks are then expanded to 6-bit blocks in a particular
manner.
 6 bits × 8 blocks = 48 bits.
 Until now
 Key transformation: 56 bits → 48 bits
 Expansion permutation: 32-bit RPT → 48-bit RPT
 Now 48-bit RPT XOR 48-bit key → output → S-box substitution
Step 3 of 3 S-box Substitution
How S-box works
3. The DES S-Boxes
 S-Box substitution.
 Eight substitution tables.
 6 bits of input
 4 bits of output.
 Convert 48 bits to 32 bits
 Non-linear and resistant to differential cryptanalysis.
 Crucial element for DES security!
 Introduces confusion.
[Figure: Ri-1 (32 bits) passes through the expansion/permutation (E table) to give 48 bits, which are XORed with Ki (48 bits). The 48-bit result is split into eight 6-bit groups for S1, S2, …, S8; each S-box outputs 4 bits, giving 32 bits in total.]
S-box

 In cryptography, an S-box (substitution-box) is a basic component of symmetric key
algorithms which performs substitution.

 In block ciphers, they are typically used to obscure the relationship between the key and
the ciphertext — Shannon's property of confusion.

 In general, an S-box takes some number of input bits, m, and transforms them into some
number of output bits, n, where n is not necessarily equal to m.

 One good example of a fixed table is the S-box from DES (S5), mapping 6-bit input into a
4-bit output:
• Given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits
(the first and last bits), and the column using the inner four bits.
• For example, an input "011011" has outer bits "01" and inner bits "1101"; the corresponding
output would be "1001".
 In cryptography, a permutation box (or P-box) is a method of bit-shuffling used to permute
or transpose bits across S-box inputs.
 In block ciphers, the S-boxes and P-boxes are used to make the relation between the
plaintext and the ciphertext difficult to understand.

 P-boxes are typically classified as compression, expansion, and straight, depending on
whether the number of output bits is less than, greater than, or equal to the number of
input bits.
Role of S-box

 The outer two bits of each group select one row of an S-box.
 The inner four bits select one column of an S-box.

 Example (S-box 1): Input 0 1 1 0 0 1 gives Output 1 0 0 1. The outer bits 0 and 1 select the row; the inner bits 1 1 0 0 select the column.
Step 4 of 3 P-box permutation
4. The Permutation P
 Permutation P
 Bitwise permutation.
 Introduces diffusion.

Permutation Table P
16 07 20 21 29 12 28 17
01 15 23 26 05 18 31 10
02 08 24 14 32 27 03 09
19 13 30 06 22 11 04 25

[Figure: Ri-1 (32 bits) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → eight 6-bit inputs to S1 … S8 → eight 4-bit outputs (32 bits) → Permutation (P) → 32 bits]
Key schedule of DES

 Derives 16 round keys (or subkeys) ki of 48 bits each from the original 56 bit key.
 The input key size of the DES is 64 bit: 56 bit key and 8 bit parity
 Parity bits are removed in a first permuted choice PC-1: (note that the
bits 8, 16, 24, 32, 40, 48, 56 and 64 are not used at all)

Permuted choice (PC-1)
57 49 41 33 25 17 09 01
58 50 42 34 26 18 10 02
59 51 43 35 27 19 11 03
60 52 44 36 63 55 47 39
31 23 15 07 62 54 46 38
30 22 14 06 61 53 45 37
29 21 13 05 28 20 12 04

[Figure: K (64 bits) → PC-1 → 56 bits]
Key schedule of DES

 Split key into 28-bit halves C0 and D0.
 In rounds i = 1, 2, 9, 16, the two halves are each rotated left by one bit.
 In all other rounds the two halves are each rotated left by two bits.
 These shifted values are input to the next round.

Round          1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bits rotated   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Key schedule of DES

 In each round i permuted choice PC-2 selects a permuted subset
of 48 bits of Ci and Di as round key ki.

Permuted choice (PC-2)
14 17 11 24 01 05 03 28
15 06 21 10 23 19 12 04
26 08 16 07 27 20 13 02
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32

[Figure: K (64 bits) → PC-1 → 56 bits, split into C0 and D0 (28 bits each). Transform 1: LS1 is applied to each half to give C1 and D1 (28 bits each); PC-2 takes the 56 bits of C1 and D1 and outputs the 48-bit round key K1.]
Subkey generation
Step 5 of 3 XOR and Swap
1. The Expansion Function E
 Main purpose: Increases diffusion
 Since Ri-1 is a 32-bit input and Ki is a 48-bit key, we first need to expand Ri-1 to 48 bits.
 Input: (8 blocks, each of them consisting 4 bits) - 32 bits
 Output: (8 blocks, each of them consisting 6 bits) – 48 bits

Expansion Table E
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

[Figure: Ri-1 (32 bits) → Expansion/permutation (E table) → 48 bits]
2. Add round key

 XOR Round Key
 After the expansion permutation, DES uses the XOR operation on the
expanded right section and the round key.
 Note that both the right section and the key are 48-bits in length now.
[Figure: Ri-1 (32 bits) → Expansion/permutation (E table) → 48 bits → XOR with Ki (48 bits) → 48 bits]
ROUND FUNCTION

[Figure: R0 (32-Bit) → EXPANSION PERMUTATION (48-Bit) → XOR with Key (48-Bit) → 48-Bit → Substitution → 32-Bit → PERMUTATION (32-Bit)]
Avalanche Effect

 A desirable property of any encryption algorithm is that a change in one bit of the plaintext
or of the key should produce a change in many bits of the ciphertext.
 DES exhibits a strong avalanche effect.

 Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks
differ in 29 bits.
• This means that changing approximately 1.5 % of the plaintext creates a change of
approximately 45 % in the ciphertext.
• If a block cipher or cryptographic hash function does not exhibit the avalanche effect to a
significant degree, then it has poor randomization, and thus a cryptanalyst can make
predictions about the input, being given only the output.
• This may be sufficient to partially or completely break the algorithm.
• Thus, the avalanche effect is a desirable condition from the point of view of the designer
of the cryptographic algorithm or device.
Strength of DES

 The use of 56-bit keys: a 56-bit key is used in encryption, so there are 2^56 possible keys. A
brute force attack on such a number of keys is impractical.
 The nature of the algorithm: a cryptanalyst can perform cryptanalysis by exploiting the
characteristics of the DES algorithm, but no one has succeeded in finding out the weakness.
Double DES

 In this approach, we use two instances of DES ciphers for encryption and two instances of
reverse ciphers for decryption.
 Each instance uses a different key. The size of the key is doubled.

 Given a plaintext P and two encryption keys 𝐾1 and 𝐾2, a cipher text can be generated
as,

C = E(𝐾2, E(𝐾1, P))


 Decryption requires that the keys be applied in reverse order,
P = D(𝐾1, D(𝐾2, C))
Triple DES with 2-key
 Use three stages of DES for encryption and decryption.
 The 1st and 3rd stages use key 𝐾1 and the 2nd stage uses key 𝐾2.
 To make triple DES compatible with single DES, the middle stage uses decryption in the
encryption side and encryption in the decryption side.
 It’s much stronger than double DES.
 The function follows an encrypt-decrypt-encrypt (EDE) sequence.

• C = E(𝐾1, D(𝐾2, E(𝐾1, P)))

• P = D(𝐾1, E(𝐾2, D(𝐾1, C)))
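An added example, not part of the original slides, covering three passages above with one toy cipher: the Feistel structure (decryption is the same network with the subkeys reversed), the avalanche effect, and the double and two-key triple (EDE) compositions. The SHA-256 based round function and key schedule, the keys and the plaintext block are assumptions of this example; this is not DES and not secure.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key, rounds=ROUNDS):
    """Hypothetical key schedule: K_i = first 4 bytes of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]

def round_function(right, k):
    """Toy F(R, K): a nonlinear mixer, standing in for DES's E / S-box / P steps."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, keys):
    """Run a 64-bit block through one Feistel round per subkey."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left      # final swap, so the same routine decrypts

def encrypt(key, block, rounds=ROUNDS):
    return feistel(block, subkeys(key, rounds))

def decrypt(key, block, rounds=ROUNDS):
    return feistel(block, subkeys(key, rounds)[::-1])   # same network, reversed keys

def avalanche(key, block, bit, rounds=ROUNDS):
    """Ciphertext bits that change when plaintext bit `bit` (0 = rightmost) flips."""
    a = encrypt(key, block, rounds)
    b = encrypt(key, block ^ (1 << bit), rounds)
    return bin(a ^ b).count("1")

def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))               # C = E(K2, E(K1, P))

def double_decrypt(k1, k2, block):
    return decrypt(k1, decrypt(k2, block))               # P = D(K1, D(K2, C))

def ede_encrypt(k1, k2, block):
    return encrypt(k1, decrypt(k2, encrypt(k1, block)))  # C = E(K1, D(K2, E(K1, P)))

def ede_decrypt(k1, k2, block):
    return decrypt(k1, encrypt(k2, decrypt(k1, block)))  # P = D(K1, E(K2, D(K1, C)))

# Constructed sample values.
K1 = b"constructed key one"
K2 = b"constructed key two"
P = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(K1, P)
    print(f"ciphertext          {c:016x}")
    print(f"decrypts back       {decrypt(K1, c) == P}")
    # One round: a flipped bit in the left half changes exactly one output bit.
    print(f"avalanche, 1 round  {avalanche(K1, P, 63, rounds=1)} of 64 bits")
    print(f"avalanche, 16 rounds {avalanche(K1, P, 0)} of 64 bits")
    # With K1 = K2 the middle stage cancels the first, leaving single encryption.
    print(f"EDE with K1 = K2 equals single: {ede_encrypt(K1, K1, P) == c}")
    print(f"EDE round trip      {ede_decrypt(K1, K2, ede_encrypt(K1, K2, P)) == P}")
```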


Advanced Encryption Standard (AES)

 The Advanced Encryption Standard, or AES, is a symmetric block cipher chosen by the U.S.
government to protect classified information and is implemented in software and
hardware throughout the world to encrypt sensitive data.

 AES comprises three block ciphers: AES-128, AES-192 and AES-256. Each cipher encrypts
and decrypts data in blocks of 128 bits using cryptographic keys of 128-, 192- and 256-bits,
respectively.

 There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit
keys -- a round consists of several processing steps that include substitution, transposition
and mixing of the input plaintext and transform it into the final output of ciphertext.
AES (Advanced Encryption Standard)

 The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently
specified to be 128, 192, or 256 bits.

Key size (words/bytes/bits)         4/16/128   6/24/192   8/32/256
Block size (words/bytes/bits)       4/16/128   4/16/128   4/16/128
Round key size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of Rounds                    10         12         14

 AES designed to have characteristics

1. Resistance against all known attacks

2. Speed and code compactness on a wide range of platforms

3. Design simplicity
Characteristics
 General Security
• Uses the S-box as a nonlinear component
 Software Implementations
• High performance due to parallelism
• Executes on a variety of platforms
• The number of rounds is decreased, so speed is increased
 Restricted-space Environments
• For S-boxes, pre-computation or Boolean representation is used
• Very low ROM and RAM requirement
AES (Advanced Encryption Standard)

[Figure: a 128-bit plaintext block and a key of 128-256 bits enter AES, which outputs a 128-bit ciphertext block.]
AES (Advanced Encryption Standard)
[Figure: the 128-bit plaintext passes through AddRoundKey with K0, then Round-1 with K1, Round-2 with K2, and so on up to Round-N (slightly different) with K10, giving the 128-bit ciphertext. Key expansion derives the round keys from the cipher key (128, 192 or 256 bits).]

[Figure: Plaintext → AddRoundKey (Round key 0) → Round 1: SubBytes, ShiftRows, MixColumns, AddRoundKey (Round key 1) → … → Round 10: SubBytes, ShiftRows, AddRoundKey (Round key 10) → Ciphertext]

Notes:
1. One AddRoundKey is applied before the first round.
2. The third transformation is missing in the last round
AES Structure
Initialization
1. Expand 16-byte key to get the actual key block to be used.
2. Initialize 16-byte plaintext block called as state.
3. XOR the state with the key block.
For each round
1. Apply S-box
2. Rotate rows of state
3. Mix columns
4. Add Round key: XOR the state with key block.
Data Units in AES
Block to State & State to Block
Plain Text to State
AES Structure

 The first N-1 rounds consist of four distinct transformation functions.

• SubBytes: The 16 input bytes are substituted using an S-box
• ShiftRows: Each of the four rows of the matrix is shifted to the left
• MixColumns: Each column of four bytes is now transformed using a special mathematical
function.
• AddRoundKey: The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of
the round key.
AES structure

State:
32 88 31 e0
43 5a 31 37
f6 30 98 07
a8 8d a2 34

Cipher key:
2b 28 ab 09
7e ae f7 cf
15 d2 15 4f
16 a6 88 3c
Initial transformation(AddRoundKey)

AddRoundKey: input state⊕Cipher key

32 88 31 e0 2b 28 ab 09 19 a0 9a e9
43 5a 31 37 7e ae f7 cf 3d f4 c6 f8
f6 30 98 07 ⊕ 15 d2 15 4f = e3 e2 8d 48
a8 8d a2 34 16 a6 88 3c be 2b 2a 08
SubByte Transformation

 The forward substitute byte transformation, called SubBytes, is a simple table lookup
Input: 19 Output: D4 (the first hex digit, 1, selects the row and the second, 9, selects the column)
SubByte output

Input for SubByte     Output of SubByte
19 a0 9a e9           d4 e0 b8 1e
3d f4 c6 f8           27 bf b4 41
e3 e2 8d 48           11 98 5d 52
be 2b 2a 08           ae f1 e5 30
ShiftRows

 The first row of State is not altered.


 For the second row, a 1-byte circular left shift is performed.
 For the third row, a 2-byte circular left shift is performed.
 For the fourth row, a 3-byte circular left shift is performed.

Input for ShiftRows                    Output of ShiftRows
d4 e0 b8 1e     No rotation            d4 e0 b8 1e
27 bf b4 41     Rotate 1 byte          bf b4 41 27
11 98 5d 52     Rotate 2 bytes         5d 52 11 98
ae f1 e5 30     Rotate 3 bytes         30 ae f1 e5
MixColumns

 Each byte of a column is mapped into a new value that is a function of all four
bytes in that column.
 Constant matrices used by MixColumns.
MixColumns

02 03 01 01     d4 e0 b8 1e     04 e0 48 28
01 02 03 01  ×  bf b4 41 27  =  66 cb f8 06
01 01 02 03     5d 52 11 98     81 19 d3 26
03 01 01 02     30 ae f1 e5     e5 9a 7a 4c

First column:
02 03 01 01     d4     04
01 02 03 01  ×  bf  =  66
01 01 02 03     5d     81
03 01 01 02     30     e5
AddRoundKey

 In the forward add round key transformation, the 128 bits of State are bitwise
XORed with the 128 bits of the round key.
04 e0 48 28     a0 88 23 2a     a4 68 6b 02
66 cb f8 06  ⊕  fa 54 a3 6c  =  9c 9f 5b 6a
81 19 d3 26     fe 2c 39 76     7f 35 ea 50
e5 9a 7a 4c     17 b1 39 05     f2 2b 43 49

First column:
04     a0     a4
66  ⊕  fa  =  9c
81     fe     7f
e5     17     f2
AES Overall Structure
AES key expansion

Words for each round


Round Words
Pre-round W0 W1 W2 W3
Round 1 W4 W5 W6 W7
Round 2 W8 W9 W10 W11
... ...
Round N W40 W41 W42 W43
AES key expansion

 The AES key expansion algorithm takes as input a four-word (16-byte) key and produces a linear
array of 44 words (176 bytes).
 Each added word w[i] depends on the immediately preceding word, w[i - 1].
 In three out of four cases, a simple XOR is used.

[Figure: the key bytes are arranged in columns (K0 K4 K8 K12 / K1 K5 K9 K13 / K2 K6 K10 K14 / K3 K7 K11 K15), and the columns form the words W0 W1 W2 W3. W3 passes through the function g, and XORs produce W4 W5 W6 W7; the process repeats up to W40 W41 W42 W43.]
g function of key expansion

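[Figure: the 32-bit input word V0 V1 V2 V3 is rotated to V1 V2 V3 V0, each byte passes through the S-box (S), and the 32-bit result is XORed with the round constant RC[i].]

Rcon Table
Round   1  2  3  4  5  6  7  8  9  10
        01 02 04 08 10 20 40 80 1b 36
        00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00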
Key Expansion Example
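The AES transformations and key expansion from the slides above, as an added example that is not part of the original deck: it recomputes the initial AddRoundKey and round 1 from the state and cipher key printed on this page, then runs all ten rounds. The function names are hypothetical, and the S-box is computed rather than typed in as a table.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return product

def build_sbox():
    """S-box = multiplicative inverse in GF(2^8), then the AES affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # 0 maps to 0
        s = inv ^ 0x63
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def parse(rows):
    return [[int(h, 16) for h in row.split()] for row in rows]

def show(state):
    return [" ".join(f"{b:02x}" for b in row) for row in state]

# State and cipher key as printed on the page (rows of the 4x4 matrix).
STATE = parse(["32 88 31 e0", "43 5a 31 37", "f6 30 98 07", "a8 8d a2 34"])
CIPHER_KEY = parse(["2b 28 ab 09", "7e ae f7 cf", "15 d2 15 4f", "16 a6 88 3c"])

def add_round_key(state, key):
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, key)]

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    return [row[r:] + row[:r] for r, row in enumerate(state)]  # row r rotates left r bytes

def mix_columns(state):
    out = [[0] * 4 for _ in range(4)]
    for r in range(4):
        for c in range(4):
            for i in range(4):
                out[r][c] ^= gmul(MIX[r][i], state[i][c])
    return out

def next_round_key(key, rnd):
    words = [[key[r][c] for r in range(4)] for c in range(4)]  # columns are the words
    prev = [SBOX[b] for b in words[3][1:] + words[3][:1]]      # g: rotate, then S-box,
    prev[0] ^= RCON[rnd - 1]                                   # then XOR RC[rnd]
    new = []
    for w in words:
        prev = [a ^ b for a, b in zip(w, prev)]
        new.append(prev)
    return [[new[c][r] for c in range(4)] for r in range(4)]

def round_one():
    """Every intermediate state of the initial AddRoundKey and round 1."""
    t = {"start": add_round_key(STATE, CIPHER_KEY)}
    t["sub_bytes"] = sub_bytes(t["start"])
    t["shift_rows"] = shift_rows(t["sub_bytes"])
    t["mix_columns"] = mix_columns(t["shift_rows"])
    t["round_key_1"] = next_round_key(CIPHER_KEY, 1)
    t["end"] = add_round_key(t["mix_columns"], t["round_key_1"])
    return {name: show(s) for name, s in t.items()}

def aes128_encrypt(state, key):
    state = add_round_key(state, key)
    for rnd in range(1, 11):
        key = next_round_key(key, rnd)
        state = shift_rows(sub_bytes(state))
        if rnd < 10:                      # the last round has no MixColumns
            state = mix_columns(state)
        state = add_round_key(state, key)
    return show(state)

if __name__ == "__main__":
    for name, rows in round_one().items():
        print(f"{name:12}", " | ".join(rows))
    print(f"{'ciphertext':12}", " | ".join(aes128_encrypt(STATE, CIPHER_KEY)))
```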
