Introduction To Network Security: Theory And Practice (2015)
Chapter 2. Data Encryption Algorithms
2.4 Advanced Encryption Standard
Researchers have never stopped searching for better encryption algorithms that are more efficient, more secure, and more flexible. New encryption algorithms should be able to use longer keys and handle larger blocks. In some applications, people may also want to specify their own key length and block size. Thus, it would be desirable to have key length and block size as parameters.
A number of encryption algorithms have since been devised. Some of the early ones include Blowfish, CAST, GOST (the former Soviet Encryption Standard), International Data Encryption Algorithm (IDEA), LOKI, RC4, RC5, REDOC-II, REDOC-III, SAFER, and Skipjack. Most of these encryption algorithms are Feistel ciphers.
Realizing the urgent need to establish a new encryption standard, NIST launched in 1997 the advanced encryption standard competition for selecting a successor to DES. The following encryption algorithms were submitted for consideration: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER, Serpent, and Twofish, where MARS, RC6, Rijndael, Serpent, and Twofish were selected semifinalists. In November 2001, NIST officially chose Rijndael to be the new AES. Rijndael was devised by Belgian cryptographers Joan Daemen and Vincent Rijmen.
2.4.1 AES Basic Structures
AES is a block cipher, but it is not a Feistel cipher. Its encryption and decryption, although similar, are not symmetrical. The basic computation unit in AES is a byte, rather than a bit as in DES. A byte is an 8-bit binary string. AES divides the plaintext string into 128-bit blocks. AES can use encryption keys of three different key lengths. An AES-encryption key can be 16-byte long, 24-byte long, or 32-byte long. Regardless of what key length is used, AES will generate and use 16-byte subkeys, also called round keys. AES can also run a different number of operation rounds. To generate a sufficient number of round keys, AES expands encryption keys depending on the number of rounds and the length of the encryption key specified by the users. Table 2.2 depicts the relations between key lengths, the number of rounds, and the length of expanded encryption keys, where a word is a binary string of length equal to four bytes.
Table 2.2 AES key lengths, the number of rounds, and the length of expanded encryption keys
Key length |
Number of Rounds |
Expansion key length |
||||
Words |
Bytes |
Bits |
Words |
Bytes |
Bits |
|
4 |
16 |
128 |
10 |
44 |
176 |
1408 |
6 |
24 |
192 |
12 |
52 |
208 |
1664 |
8 |
32 |
256 |
14 |
60 |
240 |
1920 |
AES treats a 128-bit block as a sequence of 16 bytes and represents it as a square matrix, where each element is a byte in the block. In particular, let be a plaintext block, where each is a byte. Then AES rewrites as Matrix 2.11:
2.11
We refer to a matrix of bytes as a state matrix. AES encryption executes in each round (except the last round) the same sequence of simple operations on state matrices that transforms the plaintext block into a ciphertext block. These operations are substitute-bytes, shift-rows, mix-columns, and add-round-key.
1. The operation of substitute-bytes is a nonlinear operation based on a specially designed substitution box. The purpose of this operation is to resist differential cryptanalysis, linear cryptanalysis, and other mathematical attacks.
2. The operation of shift-rows is an elementary operation on state matrices. It is a linear operation. The purpose of this operation is to produce diffusion.
3. The operation of mix-columns is also an elementary operation on state matrices. Its purpose is the same as shift-rows.
4. The operation of add-round-key is a simple set of exclusive-OR operations on state matrices. It is a linear operation. The purpose of this operation is to produce confusion.
It is customary to use AES-128, AES-192, and AES-256 to denote, respectively, AES under 128-bit keys, 192-bit keys, and 256-bit keys. These three variants of AES all have the same encryption and decryption structures. They differ only on the number of rounds, where each round uses a different round key.
We describe AES using AES-128. AES-128 first expands the 128-bit key into an array of words. It then rewrites as a sequence of eleven 128-bit round keys . In other words,
where .
For convenience, we use sub to denote the operation of substitute-bytes, shr the operation of shift-rows, mic the operation of mix-columns, and ark the operation of add-round-key. Denote by inv_sub (or ) the inverse operation of sub, inv_shr (or ) the inverse operation of shr, and inv_mic (or ) the inverse operation of mic. Figure 2.2 depicts the AES-128 encryption and decryption block diagram.
Figure 2.2 AES-128 encryption and decryption diagram
In the following several subsections, we describe AES S-Boxes, the subkey generation algorithm, the operations of ark, sub, shr, mic, and their inverse operations. We then introduce the Galois field and show how S-Boxes are constructed. Skipping the last two topics will not affect the understanding of AES encryption and decryption operations.
2.4.2 AES S-Boxes
AES uses only one S-Box. It is used to generate subkeys and define the operation of substitute bytes. The AES S-Box is a matrix of bytes, which is defined on the basis of the multiplication operation of the Galois field . Unlike the S-Boxes used in DES, the AES S-Box is a permutation of all 256 bytes. Its reverse permutation is called the reverse S-Box.
We only present the S-Box and the reverse S-Box in this subsection, where each element and index is represented by two hexadecimal digits. We describe how they are constructed in Section 2.4.11. We use
to denote the AES S-Box and
to denote its reverse. The S-Box is given in Table 2.3, and the reverse S-Box is given in Table 2.4.
Table 2.3 The S-Box of AES
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
a |
b |
c |
d |
e |
f |
|
0 |
63 |
7c |
77 |
7b |
f2 |
6b |
6f |
c5 |
30 |
01 |
67 |
2b |
fe |
d7 |
ab |
76 |
1 |
ca |
82 |
c9 |
7d |
fa |
59 |
47 |
f0 |
ad |
d4 |
a2 |
af |
9c |
a4 |
72 |
c0 |
2 |
b7 |
fd |
93 |
26 |
36 |
3f |
f7 |
cc |
34 |
a5 |
e5 |
f1 |
71 |
d8 |
31 |
15 |
3 |
04 |
c7 |
23 |
c3 |
18 |
96 |
05 |
9a |
07 |
12 |
80 |
e2 |
eb |
27 |
b2 |
75 |
4 |
09 |
83 |
2c |
1a |
1b |
6e |
5a |
a0 |
52 |
3b |
d6 |
b3 |
29 |
e3 |
2f |
84 |
5 |
53 |
d1 |
00 |
ed |
20 |
fc |
b1 |
5b |
6a |
cb |
be |
39 |
4a |
4c |
58 |
cf |
6 |
d0 |
ef |
aa |
fb |
43 |
4d |
33 |
85 |
45 |
f9 |
02 |
7f |
50 |
3c |
9f |
a8 |
7 |
51 |
a3 |
40 |
8f |
92 |
9d |
38 |
f5 |
bc |
b6 |
da |
21 |
10 |
ff |
f3 |
d2 |
8 |
cd |
0c |
13 |
ec |
5f |
97 |
44 |
17 |
c4 |
a7 |
7e |
3d |
64 |
5d |
19 |
73 |
9 |
60 |
81 |
4f |
dc |
22 |
2a |
90 |
88 |
46 |
ee |
b8 |
14 |
de |
5e |
0b |
db |
a |
e0 |
32 |
3a |
0a |
49 |
06 |
24 |
5c |
c2 |
d3 |
ac |
62 |
91 |
95 |
e4 |
79 |
b |
e7 |
c8 |
37 |
6d |
8d |
d5 |
4e |
a9 |
6c |
56 |
f4 |
ea |
65 |
7a |
ae |
08 |
c |
ba |
78 |
25 |
2e |
1c |
a6 |
b4 |
c6 |
e8 |
dd |
74 |
1f |
4b |
bd |
8b |
8a |
d |
70 |
3e |
b5 |
66 |
48 |
03 |
f6 |
0e |
61 |
35 |
57 |
b9 |
86 |
c1 |
1d |
9e |
e |
e1 |
f8 |
98 |
11 |
69 |
d9 |
8e |
94 |
9b |
1e |
87 |
e9 |
ce |
55 |
28 |
df |
f |
8c |
a1 |
89 |
0d |
bf |
e6 |
42 |
68 |
41 |
99 |
2d |
0f |
b0 |
54 |
bb |
16 |
Table 2.4 The reverse S-Box of AES
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
a |
b |
c |
d |
e |
f |
|
0 |
52 |
09 |
6a |
d5 |
30 |
36 |
a5 |
38 |
bf |
40 |
a3 |
9e |
81 |
f3 |
d7 |
fb |
1 |
7c |
e3 |
39 |
82 |
9b |
2f |
ff |
87 |
34 |
8e |
43 |
44 |
c4 |
de |
e9 |
cb |
2 |
54 |
7b |
94 |
32 |
a6 |
c2 |
23 |
3d |
ee |
4c |
95 |
0b |
42 |
fa |
c3 |
4e |
3 |
08 |
2e |
a1 |
66 |
28 |
d9 |
24 |
b2 |
76 |
5b |
a2 |
49 |
6d |
8b |
d1 |
25 |
4 |
72 |
f8 |
f6 |
64 |
86 |
68 |
98 |
16 |
d4 |
a4 |
5c |
cc |
5d |
65 |
b6 |
92 |
5 |
6c |
70 |
48 |
50 |
fd |
ed |
b9 |
da |
5e |
15 |
46 |
57 |
a7 |
8d |
9d |
84 |
6 |
90 |
d8 |
ab |
00 |
8c |
bc |
d3 |
0a |
f7 |
e4 |
58 |
05 |
b8 |
b3 |
45 |
06 |
7 |
d0 |
2c |
1e |
8f |
ca |
3f |
0f |
02 |
c1 |
af |
bd |
03 |
01 |
13 |
8a |
6b |
8 |
3a |
91 |
11 |
41 |
4f |
67 |
dc |
ea |
97 |
f2 |
cf |
ce |
f0 |
b4 |
e6 |
73 |
9 |
96 |
ac |
74 |
22 |
e7 |
ad |
35 |
85 |
e2 |
f9 |
37 |
e8 |
1c |
75 |
df |
6e |
a |
47 |
f1 |
1a |
71 |
1d |
29 |
c5 |
89 |
6f |
b7 |
62 |
0e |
aa |
18 |
be |
1b |
b |
fc |
56 |
3e |
4b |
c6 |
d2 |
79 |
20 |
9a |
db |
c0 |
fe |
78 |
cd |
5a |
f4 |
c |
1f |
dd |
a8 |
33 |
88 |
07 |
c7 |
31 |
b1 |
12 |
10 |
59 |
27 |
80 |
ec |
5f |
d |
60 |
51 |
7f |
a9 |
19 |
b5 |
4a |
0d |
2d |
e5 |
7a |
9f |
93 |
c9 |
9c |
ef |
e |
a0 |
e0 |
3b |
4d |
ae |
2a |
f5 |
b0 |
c8 |
eb |
bb |
3c |
83 |
53 |
99 |
61 |
f |
17 |
2b |
04 |
7e |
ba |
77 |
d6 |
26 |
e1 |
69 |
14 |
63 |
55 |
21 |
0c |
7d |
Let be a byte, where each is a bit. Define a byte-substitution function as follows: let denote the binary representation of the row index and denote the binary representation of a column index of in the S-Box. Then
2.12
2.13
That is, () is the element on the intersection of the th row and the th column in the S-Box . Likewise, is the element on the intersection of the th row and the th column in the inverse S-Box .
For example, let , then , and .
It is straightforward to see from the S-Box and its reverse that, for any 8-bit string , we have
2.4.3 AES-128 Round Keys
Let be a 4-word encryption key, where each is a 32-bit binary string, . AES expands into a 44-word array . We first define a byte transformation function as follows:
2.14
where each is a bit. We see in Section 2.4.10 that represents a multiplication operation of 00000010 and over Galois field .
For example,
Let be a non-negative number. Define () as follows:
2.15
We see in Section 2.4.10 that function () represents the result of multiplying the element 00000010 by itself for times.
We now define a word-substitution function that transforms a 32-bit string to a 32-bit string on the basis of parameter and the AES S-Box. Let , where each is a byte. Let be a positive integer. Let
where is the byte-substitution function defined by Equality 2.12.
We now expand to obtain as follows:
2.4.4 Add Round Keys
Let be an AES-128 round key, where . Rewrite as a matrix of bytes:
where each element is a byte and .
In what follows we use
to represent the current state matrix. Initially, (see Matrix 2.11). The add-round-key operation ark is defined as follows:
The inverse operation is the same as ark. That is, . It is straightforward to verify that
2.4.5 Substitute-Bytes
The substitute-bytes operation sub is defined as follows:
where is the byte-substitution function defined in Section 2.4.2 (see formula 2.12).
It is straightforward to verify that the inverse operation is given by
where is defined in Section 2.4.2 (see formula 2.13). This is because for any byte , we have , which implies that
2.4.6 Shift-Rows
The shift-row operation shr performs a left-circular-shift times on the th row in the state matrix , where . Its inverse performs a right-circular-shift times on the th row. That is,
It is straightforward to verify that
2.4.7 Mix-Columns
The mix-columns operation mic is defined as follows:
where each element in is determined by the following operations
For example, let
2.16
We verify as follows:
The reader is asked to verify the rest of the elements.
Let be a byte and a positive integer. Define
Let
2.17
2.18
2.19
2.20
The inverse operation of is defined by
where each column in is defined as follows:
2.21
2.22
2.23
2.24
We show in Section 2.4.10 that for any state matrix the following relation holds:
2.25
2.4.8 AES-128 Encryption
Let be a sequence of state matrices, where is the initial state matrix (i.e., Matrix 2.11), represents the input state matrix at round , and is the ciphertext block , which is in the form of state matrix. Given below are the encryption steps of AES-128:
2.4.9 AES-128 Decryption and Correctness Proof
Let be a sequence of state matrices, where is the ciphertext block represents the input state matrix at round , and is the output state matrix at round 10. The following are the decryption steps of AES-128:
We now show that . We first show the following equality using mathematical induction:
2.26
A proof of Equality 2.26 goes as follows. When , we have
Thus, Equality 2.26 holds. Assume that Equality 2.26 holds for . We have
Thus, Equality 2.26 is true.
Finally, we have
This completes the correctness proof of AES-128 decryption.
2.4.10 Galois Fields
In addition to the shift-rows operation, the basic operations of AES are based on the XOR operation and a special multiplication operation on 8-bit strings. These two operations and the set of all 8-bit strings form a finite field.
A field is an algebraic structure that consists of a set and two operations on elements in . These two operations are addition and multiplication, denoted by and , respectively, which satisfy the following conditions:
1. Closure: .
2. Associativity: :
3. Distributivity: :
4. Unit element: There are elements , where , such that :
The element is called the unit element of the addition operation and the unit element of the multiplication operation.
5. Inverse:
Elements are called, respectively, the additive inverse (denoted by ) and the multiplicative inverse (denoted by .)
6. Commutativity: .
7. Nonzero divisor: If and , then or .
We use to denote a field. It is called a finite field if is a finite set and an infinite field otherwise. The field of real numbers, for example, is the set of all real numbers with the ordinary addition and multiplication operations.
Finite fields have a nice property; namely, any finite field consists of exactly elements for some prime number and integer . A prime number is a positive integer that is divisible only by 1 and by itself. Elements in a finite field of size can be uniquely represented by polynomials of degree with coefficients in the set . A finite field with its elements written in this form is called a Galois field, denoted by . Each element in is represented by the following polynomial
denoted in short by , where each coefficient
The addition operation over is addition modulo of coefficients for terms of the same degree. The multiplication operation first multiplies two polynomials in the normal way. If the degree of the resulting polynomial is greater than , then divide it by a fixedirreducible polynomial of degree , and take the remainder as the result of the multiplication. A polynomial is irreducible if it cannot be expressed as a product of two polynomials whose degrees are at least 1.
Modern electronic computers operate on binary operations using memory with bytes as basic units. Thus, choosing to form the basic operation space for encryption algorithms becomes natural. consists of all 8-bit binary strings as elements, where each element represents the following polynomial:
where the addition operation “” is the exclusive-OR operation , and we use them interchangeably when there is no confusion. Thus, the inverse element of any element is . We use to denote the multiplication operation on . The definition of the multiplication operation depends on the chosen irreducible polynomial. AES chooses the following irreducible polynomial:
This irreducible polynomial makes multiplication simple. We use () mod () to denote the remainder polynomial of dividing () by (). It is straightforward to verify that
Hence, we have
Denoting this formula using binary strings and XOR, we have
This is the definition of function defined in Section 2.4.3 (see Formula 2.14). That is,
The function () defined in Section 2.4.3 is the result of multiplying 00000010 by itself for times. That is,
where the number of is .
We now verify Equality 2.25. We first note that and are the products of the following matrix multiplications:
2.27
2.28
The matrix multiplication in this case follows the standard rule, with being the addition operation and the multiplication operation. In particular, we can verify Equality 2.27 from Equalities 2.17 –2.20 by noting that
Likewise, we can verify Equality 2.28 from Equalities 2.21 –2.24 by noting that
Hence,
We can therefore show that by verifying the following equalities, where is the identity matrix of size 4:
2.29
2.30
For example, the first element at the right-hand side in Equality 2.29 is
2.4.11 Construction of the AES S-Box and Its Inverse
The S-Box used by AES is constructed as follows:
1. Initially, is a matrix of all 8-bit strings in the lexicographical order. That is, its first row is vector , its second row is vector , and so on, and its last row is vector .
2. Keep the first two elements in (i.e., 00 and 01) unchanged, and replace any other element with its inverse .
For example, as 02's multiplication inverse is 8d, the element 02 is replaced with 8d.
3. Replace each element with , where each bit is determined by
and .
For example, from Step 2 we know that the element at the intersection of the first row and the third column is . Thus,
Hence, .
It is required that each element in the inverse S-Box must satisfy the following relations:
Element , where , can be calculated as follows: first find the element ij in . Let . Then let .
For example, as , we have .
2.4.12 AES Security Strength
AES is designed to resist differential cryptanalysis and linear cryptanalysis. It uses 128-bit (or longer) encryption keys to resist brute-force attacks. It modifies each element in the current state matrix in each round, and so it will achieve good diffusion and confusion effects after a few rounds of execution. AES is believed to be superior to DES.
In June 2003, the U.S. government decided that classified government information should be encrypted using AES-128, and for TOP SECRET information, AES-192 or AES-256 must be used. The New European Schemes for Signatures, Integrity, and Encryption (NESSIE) also supported the use of AES. In June 2004, the Institute of Electrical and Electronics Engineers (IEEE) adopted AES in its 802.11i wireless security standard. IEEE 802.11i is also known as Wireless-Fidelity Protected Access 2 (Wi-Fi WPA 2). Today, AES has been used in almost all network security protocols and software products.
No methods have been found that are efficient enough to be considered serious threats to AES, although certain types of side channel attacks have been discovered. Algebraic attacks, however, have attracted attentions. For example, if the attacker knows a pair of AES-128 plaintext and ciphertext blocks, then the attacker may be able to calculate the AES encryption key by solving a system of 1600 quadratic equations of 8000 unknowns. Although solving a system of quadratic equations of this magnitude by today's mathematical theory and computing technology is hopeless, this study opens up a new direction of investigation.