
The Advanced Encryption Standard

The Advanced Encryption Standard. - see Susan Landau’s paper: “Communications security for the twenty-first century: the advanced encryption standard.”




  1. The Advanced Encryption Standard
  • See Susan Landau’s paper: “Communications security for the twenty-first century: the advanced encryption standard.”
  • In 1997, the NIST (the National Institute of Standards and Technology, formerly the NBS) began the process of choosing a replacement for DES, to be called the Advanced Encryption Standard (AES).
  • At that time, triple-DES had become popular, but it was too slow and the 64-bit block length was too small. (Aside: recall that double-DES is not much harder to break by brute force than DES, because of the “meet-in-the-middle” attack.)

  2. AES Requirements
  • The NIST solicited proposals from the international community.
  • The requirements for the algorithms were as follows:
    • The algorithm must implement private-key cryptography.
    • The algorithm must be a block cipher.
    • The algorithm must work on 128-bit blocks and support three key sizes: 128, 192, and 256 bits.
    • If selected, the algorithm should be available world-wide on a royalty-free basis.

  3. AES Requirements
  The evaluation criteria were: security, cost, and algorithm and implementation characteristics. Submissions were due on June 15, 1998. Of the 21 submissions, 15 fulfilled the AES criteria. In August 1999, the NIST chose the following 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish. All finalists were felt to be secure. On October 2, 2000, Rijndael was selected as the AES. You can find short descriptions of the 5 finalists in Landau’s paper, and judge for yourself…

  4. Description of AES
  • Recall that AES has block length 128, and three allowable key lengths: 128 bits, 192 bits, and 256 bits.
  • AES is an iterated cipher. The number of rounds (N) depends on the key length: N = 10 for 128-bit keys, N = 12 for 192-bit keys, and N = 14 for 256-bit keys.
  • Here is a high-level description of AES:
    • Perform operation AddRoundKey, which XORs the round key with the state.
    • For each of the N rounds:
      • perform operation ByteSub (a substitution using an S-box)
      • perform operation ShiftRow (a permutation)
      • perform operation MixColumn (unless it is the last round)
      • perform AddRoundKey.

  5. State All operations in AES are byte-based. The state consists of 128 bits = 16 bytes, viewed as a 4x4 array of bytes. Initially, the 16 bytes of plaintext x0, … , x15 are arranged as follows:

  6. ByteSub
  • The operation performs a substitution on each byte.
  • It uses one S-box π_S that maps bytes to bytes (see page 155).
  • The S-box is represented as a 16 x 16 array: for hexadecimal digits X and Y, π_S(XY) is at position (row X, column Y).
  • In contrast to the DES S-boxes, the AES S-box can be defined algebraically. It was designed for resistance against linear and differential cryptanalysis, and it is invertible.
  • The AES S-box incorporates operations in the finite field with 2^8 elements:
    GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1).

  7. What ???
  A field is a set containing elements 0 and 1, where 0 ≠ 1, with two operations: addition and multiplication. Both operations are closed, commutative, and associative, and the distributive law holds. 0 is the additive identity, and 1 is the multiplicative identity. Every element has an additive inverse. Every non-zero element has a multiplicative inverse. Example fields? For every prime power p^k, there is exactly one field (up to isomorphism) with p^k elements. This field is called GF(p^k) (Galois field). We will now see how to construct these fields.

  8. Polynomials
  Z2[X] is the set of all polynomials with coefficients in Z2. Examples: Can we add/subtract/multiply elements of Z2[X]? Is there an additive identity? Is there a multiplicative identity? Can we divide with remainder? Divide X^4+X^3+1 by X^2+X+1: what are the quotient and the remainder?

  9. Polynomials
  Z2[X] is the set of all polynomials with coefficients in Z2. Since X^4+X^3+1 divided by X^2+X+1 equals X^2+1 with remainder X, we can write X^4+X^3+1 ≡ X (mod X^2+X+1). It turns out that Z2[X] (mod X^2+X+1) is the finite field GF(4). The elements of the field are 0, 1, X, and X+1, and the operations are addition and multiplication modulo X^2+X+1.

  10. Irreducible Polynomials
  You cannot just use any polynomial to get a field; you must use an irreducible polynomial. A polynomial F(X) in Z2[X] is irreducible if it doesn’t factor into two polynomials of lower degree. Z2[X] (mod F(X)) is a field if and only if F(X) is irreducible.

  11. Back to AES
  Recall ;-) GF(2^8) = Z2[X] (mod X^8+X^4+X^3+X+1). Every byte corresponds to a field element and vice versa.
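The polynomial arithmetic of slides 8 to 11, worked through in code. This is an added example, not part of the original slides or of the textbook they cite: polynomials over Z2 are encoded as Python integers (bit i is the coefficient of X^i, so X^4+X^3+1 is 0b11001), addition is XOR, and the helper names (poly_divmod, is_irreducible, field_inverse_table) are my own. It reproduces the division X^4+X^3+1 = (X^2+1)(X^2+X+1) + X, checks by brute force that every non-zero residue mod X^2+X+1 has an inverse (so the quotient is the field GF(4)) while X^2 gives no field, and checks by trial division that the AES polynomial X^8+X^4+X^3+X+1 is irreducible.

```python
# Polynomials over Z2 are Python ints: bit i is the coefficient of X^i.
# Addition (and subtraction) in Z2[X] is XOR. Representation is my own choice.

def poly_deg(a):
    """Degree of a; the zero polynomial gets degree -1."""
    return a.bit_length() - 1

def poly_mul(a, b):
    """Multiply two polynomials over Z2 (carry-less multiplication)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division in Z2[X]: returns (q, r) with a = q*b + r and deg(r) < deg(b)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while poly_deg(a) >= poly_deg(b):
        shift = poly_deg(a) - poly_deg(b)   # leading term of a / leading term of b
        q ^= 1 << shift
        a ^= b << shift                      # subtract (= add) that multiple of b
    return q, a

def poly_str(a):
    """Render an int-encoded polynomial as text, e.g. 'X^4+X^3+1'."""
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_deg(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "X" if i == 1 else f"X^{i}")
    return "+".join(terms)

def is_irreducible(f):
    """Trial division: f is irreducible iff no polynomial of degree 1..deg(f)//2 divides it."""
    d = poly_deg(f)
    if d < 1:
        return False
    for g in range(2, 1 << (d // 2 + 1)):   # ints 2.. cover all degrees 1..d//2
        if poly_divmod(f, g)[1] == 0:
            return False
    return True

def field_inverse_table(f):
    """Inverses of all non-zero residues of Z2[X] mod f, found by brute force.
    Returns None as soon as some residue has no inverse, i.e. the quotient is not a field."""
    n = 1 << poly_deg(f)
    inv = {}
    for a in range(1, n):
        for b in range(1, n):
            if poly_divmod(poly_mul(a, b), f)[1] == 1:
                inv[a] = b
                break
        else:
            return None
    return inv

if __name__ == "__main__":
    q, r = poly_divmod(0b11001, 0b111)          # X^4+X^3+1 divided by X^2+X+1
    print(f"quotient {poly_str(q)}, remainder {poly_str(r)}")
    print("GF(4) inverses mod X^2+X+1:", field_inverse_table(0b111))
    print("Is Z2[X] mod X^2 a field?", field_inverse_table(0b100) is not None)
    print("AES polynomial irreducible?", is_irreducible(0b1_0001_1011))
```

The dictionary printed for X^2+X+1 maps X to X+1 and X+1 to X, which is exactly the multiplicative structure of GF(4); for the reducible modulus X^2 the search fails at the residue X, whose products with everything are multiples of X and so never equal 1.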

  12. More about the S-box
  As mentioned previously, although the S-box is implemented as a lookup table (see Table 5.1), it has a simple mathematical description. View a byte as an element of GF(2^8). For example, view the byte 01010011 as the field element X^6+X^4+X+1. Now take the inverse of this field element in GF(2^8). In our example, this is X^7+X^6+X^3+X. How would you compute the inverse?

  13. More about the S-box
  Computing the inverse of X^6+X^4+X+1 mod X^8+X^4+X^3+X+1:

  14. More about the S-box
  • S-box mapping of 01010011:
  • Compute the inverse of X^6+X^4+X+1, get X^7+X^6+X^3+X.
  • View this element as a bit vector, with the right-most bit in the top position. In our example, we get the vector (0,1,0,1,0,0,1,1).
  • Multiply this vector by the matrix on page 157, and add the vector (1,1,0,0,0,1,1,0).
  • View the resulting vector as a byte (taking the top bit to be the right-most bit).
  • This is the output of the S-box.
  • In our example, the output is 11101101, which we can verify with the S-box table.
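The S-box construction of slides 12 to 14, carried out in code and checked against the slides' example. This is an added example, not the slides' or the textbook's own code. Bytes are treated as elements of GF(2^8) with modulus X^8+X^4+X^3+X+1; the inverse is computed as a^254 (since a^255 = 1 for every non-zero a, this is one answer to the "how would you compute the inverse?" question, the extended Euclidean algorithm being the other); the bit-vector convention is the one the slides state (right-most bit in the top position); and the matrix used for "the matrix on page 157" is the standard AES affine matrix from FIPS-197, which I assume is the one the book prints. The function names are my own.

```python
AES_POLY = 0x11B   # X^8 + X^4 + X^3 + X + 1, coefficients written as bits

def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8): shift-and-add, reducing mod AES_POLY."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:           # degree reached 8: subtract (XOR) the modulus
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inverse(a):
    """Multiplicative inverse as a^254 by square-and-multiply; 0 is mapped to 0 by convention."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

# Standard AES affine matrix (FIPS-197), rows indexed by output bit i, columns by input bit j.
# In the slides' convention the vector lists bit 0 (right-most bit) first.
AFFINE_MATRIX = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
AFFINE_CONST = [1, 1, 0, 0, 0, 1, 1, 0]   # the byte 01100011, right-most bit first

def byte_to_vector(b):
    """Byte -> bit vector with the right-most (least significant) bit in the top position."""
    return [(b >> i) & 1 for i in range(8)]

def vector_to_byte(v):
    """Inverse of byte_to_vector: the top entry becomes the right-most bit."""
    return sum(bit << i for i, bit in enumerate(v))

def affine(v):
    """Multiply the column vector v by AFFINE_MATRIX over Z2 and add AFFINE_CONST."""
    return [(sum(AFFINE_MATRIX[i][j] & v[j] for j in range(8)) + AFFINE_CONST[i]) % 2
            for i in range(8)]

def sbox(b):
    """ByteSub on one byte: field inverse, then the affine map."""
    return vector_to_byte(affine(byte_to_vector(gf_inverse(b))))

def build_sbox():
    """The full 256-entry table that Table 5.1 tabulates."""
    return [sbox(b) for b in range(256)]

if __name__ == "__main__":
    x = 0b01010011                              # the slides' example byte
    inv = gf_inverse(x)
    print(f"inverse of {x:08b} is {inv:08b}")    # 11001010 = X^7+X^6+X^3+X
    print("as a vector:", byte_to_vector(inv))   # [0, 1, 0, 1, 0, 0, 1, 1]
    print(f"S-box output: {sbox(x):08b}")        # 11101101
    print("bijective:", len(set(build_sbox())) == 256)
```

Running this reproduces the slides' numbers: the inverse of 01010011 is 11001010, its vector is (0,1,0,1,0,0,1,1), and the S-box output is 11101101. The bijectivity check at the end is what "it is invertible" on slide 6 means in practice; the table is the composition of two bijections (inversion, which is its own inverse on GF(2^8) with 0 fixed, and an invertible affine map).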

  15. ShiftRow, MixColumn, Key Schedule
  The operation ShiftRow cyclically shifts the elements of the i-th row i elements to the left. The operation MixColumn replaces each column of the state by a new column. This operation uses polynomials over GF(2^8).
  Key Schedule
  The book describes the key schedule for 10-round AES, which uses a 128-bit key. We need 11 round keys, each of which consists of 16 bytes. The key schedule is word oriented. The concatenation of the 11 round keys is called the expanded key, and consists of 44 words. You can find the exact algorithm on page 156/157.
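The state layout of slide 5 and the ShiftRow and MixColumn operations of slide 15, with their inverses, as an added example that is not part of the original slides. It assumes the standard AES conventions: the 16 plaintext bytes x0, …, x15 fill the 4x4 state column by column (x0..x3 are column 0), and MixColumn multiplies each column by the fixed matrix with entries 2, 3, 1, 1 over GF(2^8) (its inverse uses the entries 14, 11, 13, 9). The key schedule is left out because it needs the S-box. Function names are my own.

```python
AES_POLY = 0x11B   # X^8 + X^4 + X^3 + X + 1

def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def bytes_to_state(block):
    """Lay 16 bytes x0..x15 out as a 4x4 array, column by column (standard AES layout)."""
    if len(block) != 16:
        raise ValueError("AES state needs exactly 16 bytes")
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def state_to_bytes(state):
    """Read the state back out column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))

def shift_rows(state):
    """ShiftRow: row i is rotated i positions to the left."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]

def inv_shift_rows(state):
    """Undo ShiftRow: row i is rotated i positions to the right."""
    return [row[-i:] + row[:-i] if i else row[:] for i, row in enumerate(state)]

# Fixed matrices of MixColumn and its inverse; entries are bytes, i.e. elements of GF(2^8).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(state, matrix=MIX):
    """MixColumn: replace each column by matrix * column, arithmetic in GF(2^8)."""
    new = [[0] * 4 for _ in range(4)]
    for c in range(4):
        col = [state[r][c] for r in range(4)]
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(matrix[r][k], col[k])   # sum in GF(2^8) is XOR
            new[r][c] = v
    return new

def inv_mix_columns(state):
    """Undo MixColumn by multiplying with the inverse matrix."""
    return mix_columns(state, INV_MIX)

if __name__ == "__main__":
    s = bytes_to_state(bytes(range(16)))       # constructed input: x_i = i
    for row in s:
        print(row)                             # [0,4,8,12] / [1,5,9,13] / ...
    print("after ShiftRow:", shift_rows(s))
    print("round trip ok:", inv_mix_columns(mix_columns(shift_rows(s))) == shift_rows(s))
```

Printing the state for the constructed plaintext x_i = i shows the layout slide 5 refers to: row r holds x_r, x_{r+4}, x_{r+8}, x_{r+12}. The round-trip checks at the end are the point of the example: both operations are bijections on the state, which is what lets the cipher be decrypted by running the inverse operations in reverse order.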
