Advanced Encryption Standard, Lecture Notes - Computer Science, Study notes of Cryptography and System Security

Prof. Salil Vadhan, Prof. Raymond G Kammer, Computer Science, Advanced Encryption Standard, AES, Computer Security, THE STATE, POLYNOMIALS WITH COEFFICIENTS IN GF(2^8), CIPHER, Inverse Cipher, AES-128, AES-192, AES-256, Harvard, Lecture Notes

Typology: Study notes

2010/2011

Uploaded on 10/29/2011

thecoral
Federal Information Processing Standards Publication 197

November 26, 2001

Announcing the

ADVANCED ENCRYPTION STANDARD (AES)

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235).

1. Name of Standard. Advanced Encryption Standard (AES) (FIPS PUB 197).

2. Category of Standard. Computer Security Standard, Cryptography.

3. Explanation. The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext.

The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.

4. Approving Authority. Secretary of Commerce.

5. Maintenance Agency. Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory (ITL).

6. Applicability. This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.

Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard. Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive (unclassified) information in lieu of this standard.

In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations.



7. Specifications. Federal Information Processing Standard (FIPS) 197, Advanced Encryption Standard (AES) (affixed).

8. Implementations. The algorithm specified in this standard may be implemented in software, firmware, hardware, or any combination thereof. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. The algorithm shall be used in conjunction with a FIPS approved or NIST recommended mode of operation. Object Identifiers (OIDs) and any associated parameters for AES used in these modes are available at the Computer Security Objects Register (CSOR), located at http://csrc.nist.gov/csor/ [2].

Implementations of the algorithm that are tested by an accredited laboratory and validated will be considered as complying with this standard. Since cryptographic security depends on many factors besides the correct implementation of an encryption algorithm, Federal Government employees, and others, should also refer to NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government , for additional information and guidance (NIST SP 800-21 is available at http://csrc.nist.gov/publications/).

9. Implementation Schedule. This standard becomes effective on May 26, 2002.

10. Patents. Implementations of the algorithm specified in this standard may be covered by U.S. and foreign patents.

11. Export Control. Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Applicable Federal government export controls are specified in Title 15, Code of Federal Regulations (CFR) Part 740.17; Title 15, CFR Part 742; and Title 15, CFR Part 774, Category 5, Part 2.

12. Qualifications. NIST will continue to follow developments in the analysis of the AES algorithm. As with its other cryptographic algorithm standards, NIST will formally reevaluate this standard every five years.

Both this standard and possible threats reducing the security provided through the use of this standard will undergo review by NIST as appropriate, taking into account newly available analysis and technology. In addition, the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NIST to reevaluate this standard and provide necessary revisions.

13. Waiver Procedure. Under certain exceptional circumstances, the heads of Federal agencies, or their delegates, may approve waivers to Federal Information Processing Standards (FIPS). The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be granted only when compliance with this standard would

a. adversely affect the accomplishment of the mission of an operator of a Federal computer system, or
b. cause a major adverse financial impact on the operator that is not offset by government-wide savings.


Federal Information Processing Standards Publication 197

November 26, 2001

Specification for the

ADVANCED ENCRYPTION STANDARD (AES)
Table of Contents

1. INTRODUCTION
2. DEFINITIONS
   2.1 GLOSSARY OF TERMS AND ACRONYMS
   2.2 ALGORITHM PARAMETERS, SYMBOLS, AND FUNCTIONS
3. NOTATION AND CONVENTIONS
   3.1 INPUTS AND OUTPUTS
   3.2 BYTES
   3.3 ARRAYS OF BYTES
   3.4 THE STATE
   3.5 THE STATE AS AN ARRAY OF COLUMNS
4. MATHEMATICAL PRELIMINARIES
   4.1 ADDITION
   4.2 MULTIPLICATION
       4.2.1 Multiplication by x
   4.3 POLYNOMIALS WITH COEFFICIENTS IN GF(2^8)
5. ALGORITHM SPECIFICATION
   5.1 CIPHER
       5.1.1 SubBytes() Transformation
       5.1.2 ShiftRows() Transformation
       5.1.3 MixColumns() Transformation
       5.1.4 AddRoundKey() Transformation
   5.2 KEY EXPANSION
   5.3 INVERSE CIPHER
       5.3.1 InvShiftRows() Transformation
       5.3.2 InvSubBytes() Transformation
       5.3.3 InvMixColumns() Transformation
       5.3.4 Inverse of the AddRoundKey() Transformation
       5.3.5 Equivalent Inverse Cipher
6. IMPLEMENTATION ISSUES
   6.1 KEY LENGTH REQUIREMENTS
   6.2 KEYING RESTRICTIONS
   6.3 PARAMETERIZATION OF KEY LENGTH, BLOCK SIZE, AND ROUND NUMBER
   6.4 IMPLEMENTATION SUGGESTIONS REGARDING VARIOUS PLATFORMS
APPENDIX A - KEY EXPANSION EXAMPLES
   A.1 EXPANSION OF A 128-BIT CIPHER KEY
   A.2 EXPANSION OF A 192-BIT CIPHER KEY
   A.3 EXPANSION OF A 256-BIT CIPHER KEY
APPENDIX B - CIPHER EXAMPLE
APPENDIX C - EXAMPLE VECTORS
   C.1 AES-128 (Nk = 4, Nr = 10)
   C.2 AES-192 (Nk = 6, Nr = 12)
   C.3 AES-256 (Nk = 8, Nr = 14)
APPENDIX D - REFERENCES

Table of Figures

Figure 1. Hexadecimal representation of bit patterns.
Figure 2. Indices for Bytes and Bits.
Figure 3. State array input and output.
Figure 4. Key-Block-Round Combinations.
Figure 5. Pseudo Code for the Cipher.
Figure 6. SubBytes() applies the S-box to each byte of the State.
Figure 7. S-box: substitution values for the byte xy (in hexadecimal format).
Figure 8. ShiftRows() cyclically shifts the last three rows in the State.
Figure 9. MixColumns() operates on the State column-by-column.
Figure 10. AddRoundKey() XORs each column of the State with a word from the key schedule.
Figure 11. Pseudo Code for Key Expansion.
Figure 12. Pseudo Code for the Inverse Cipher.
Figure 13. InvShiftRows() cyclically shifts the last three rows in the State.
Figure 14. Inverse S-box: substitution values for the byte xy (in hexadecimal format).
Figure 15. Pseudo Code for the Equivalent Inverse Cipher.

2.1 Glossary of Terms and Acronyms

Cipher: Series of transformations that converts plaintext to ciphertext using the Cipher Key.

Cipher Key: Secret, cryptographic key that is used by the Key Expansion routine to generate a set of Round Keys; can be pictured as a rectangular array of bytes, having four rows and Nk columns.

Ciphertext: Data output from the Cipher or input to the Inverse Cipher.

Inverse Cipher: Series of transformations that converts ciphertext to plaintext using the Cipher Key.

Key Expansion: Routine used to generate a series of Round Keys from the Cipher Key.

Plaintext: Data input to the Cipher or output from the Inverse Cipher.

Rijndael: Cryptographic algorithm specified in this Advanced Encryption Standard (AES).

Round Key: Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher.

State: Intermediate Cipher result that can be pictured as a rectangular array of bytes, having four rows and Nb columns.

S-box: Non-linear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one-for-one substitution of a byte value.

Word: A group of 32 bits that is treated either as a single entity or as an array of 4 bytes.

2.2 Algorithm Parameters, Symbols, and Functions

The following algorithm parameters, symbols, and functions are used throughout this standard:

AddRoundKey(): Transformation in the Cipher and Inverse Cipher in which a Round Key is added to the State using an XOR operation. The length of a Round Key equals the size of the State (i.e., for Nb = 4, the Round Key length equals 128 bits/16 bytes).

InvMixColumns(): Transformation in the Inverse Cipher that is the inverse of MixColumns().

InvShiftRows(): Transformation in the Inverse Cipher that is the inverse of ShiftRows().

InvSubBytes(): Transformation in the Inverse Cipher that is the inverse of SubBytes().

K: Cipher Key.

MixColumns(): Transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns.

Nb: Number of columns (32-bit words) comprising the State. For this standard, Nb = 4. (Also see Sec. 6.3.)

Nk: Number of 32-bit words comprising the Cipher Key. For this standard, Nk = 4, 6, or 8. (Also see Sec. 6.3.)

Nr: Number of rounds, which is a function of Nk and Nb (which is fixed). For this standard, Nr = 10, 12, or 14. (Also see Sec. 6.3.)

Rcon[]: The round constant word array.

RotWord(): Function used in the Key Expansion routine that takes a four-byte word and performs a cyclic permutation.

ShiftRows(): Transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.

SubBytes(): Transformation in the Cipher that processes the State using a non-linear byte substitution table (S-box) that operates on each of the State bytes independently.

SubWord(): Function used in the Key Expansion routine that takes a four-byte input word and applies an S-box to each of the four bytes to produce an output word.

XOR: Exclusive-OR operation.

⊕: Exclusive-OR operation.

⊗: Multiplication of two polynomials (each with degree < 4) modulo x^4 + 1.

•: Finite field multiplication.

3. Notation and Conventions

3.1 Inputs and Outputs

The input and output for the AES algorithm each consist of sequences of 128 bits (digits with values of 0 or 1). These sequences will sometimes be referred to as blocks and the number of bits they contain will be referred to as their length. The Cipher Key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output and Cipher Key lengths are not permitted by this standard.

The bits within such sequences will be numbered starting at zero and ending at one less than the sequence length (block length or key length). The number i attached to a bit is known as its index and will be in one of the ranges 0 ≤ i < 128, 0 ≤ i < 192 or 0 ≤ i < 256 depending on the block length and key length (specified above).

a_0 = {input_0, input_1, …, input_7};
a_1 = {input_8, input_9, …, input_15};
⋮
a_15 = {input_120, input_121, …, input_127}.

The pattern can be extended to longer sequences (i.e., for 192- and 256-bit keys), so that, in general,

a_n = {input_{8n}, input_{8n+1}, …, input_{8n+7}}. (3.2)

Taking Sections 3.2 and 3.3 together, Fig. 2 shows how bits within each byte are numbered.

Input bit sequence   0 1 2 3 4 5 6 7   8 9 10 11 12 13 14 15   16 17 18 19 20 21 22 23   …

Byte number          0                 1                       2                         …

Bit numbers in byte  7 6 5 4 3 2 1 0   7 6 5  4  3  2  1  0    7  6  5  4  3  2  1  0    …

Figure 2. Indices for Bytes and Bits.

3.4 The State

Internally, the AES algorithm’s operations are performed on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either s_{r,c} or s[r,c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4 (also see Sec. 6.3).

At the start of the Cipher and Inverse Cipher described in Sec. 5, the input – the array of bytes in_0, in_1, …, in_15 – is copied into the State array as illustrated in Fig. 3. The Cipher or Inverse Cipher operations are then conducted on this State array, after which its final value is copied to the output – the array of bytes out_0, out_1, …, out_15.

input bytes              State array                output bytes

in0  in4  in8   in12     s0,0  s0,1  s0,2  s0,3     out0  out4  out8   out12
in1  in5  in9   in13     s1,0  s1,1  s1,2  s1,3     out1  out5  out9   out13
in2  in6  in10  in14     s2,0  s2,1  s2,2  s2,3     out2  out6  out10  out14
in3  in7  in11  in15     s3,0  s3,1  s3,2  s3,3     out3  out7  out11  out15

Figure 3. State array input and output.

Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme:

s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb, (3.3)

and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as follows:

out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb. (3.4)

3.5 The State as an Array of Columns

The four bytes in each column of the State array form 32-bit words, where the row number r provides an index for the four bytes within each word. The State can hence be interpreted as a one-dimensional array of 32-bit words (columns), w_0 ... w_3, where the column number c provides an index into this array. Hence, for the example in Fig. 3, the State can be considered as an array of four words, as follows:

w_0 = s0,0 s1,0 s2,0 s3,0     w_2 = s0,2 s1,2 s2,2 s3,2
w_1 = s0,1 s1,1 s2,1 s3,1     w_3 = s0,3 s1,3 s2,3 s3,3.   (3.5)
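The column-major layout of Sections 3.4 and 3.5 is where many hand-written implementations go wrong (filling the State row by row instead of column by column). The following added example, which is not part of FIPS 197, loads a 16-byte block into the State according to equation (3.3), reads the columns back as the words w_c of equation (3.5), and stores the State to the output array according to equation (3.4); the names NB, load_state, store_state and column_words and the sample block are chosen here.

```python
# Added example (not part of FIPS 197): loading a 16-byte input block into the
# 4 x Nb State array column by column, as in equation (3.3), reading the
# columns back as 32-bit words w_c (Sec. 3.5), and storing the State to the
# output array as in equation (3.4).
NB = 4  # number of 32-bit columns in the State; fixed at 4 for AES


def load_state(block: bytes) -> list[list[int]]:
    """Return the State with s[r][c] = in[r + 4c] for a 16-byte input block."""
    if len(block) != 4 * NB:
        raise ValueError("AES input block must be exactly 16 bytes")
    return [[block[r + 4 * c] for c in range(NB)] for r in range(4)]


def store_state(state: list[list[int]]) -> bytes:
    """Return the output array with out[r + 4c] = s[r][c] (eq. 3.4)."""
    out = bytearray(4 * NB)
    for r in range(4):
        for c in range(NB):
            out[r + 4 * c] = state[r][c]
    return bytes(out)


def column_words(state: list[list[int]]) -> list[int]:
    """Sec. 3.5: column c of the State, top row first, read as the word w_c."""
    return [int.from_bytes(bytes(state[r][c] for r in range(4)), "big")
            for c in range(NB)]


# Constructed sample input: in_0 = 0x00, in_1 = 0x01, ..., in_15 = 0x0f.
SAMPLE_BLOCK = bytes(range(16))

if __name__ == "__main__":
    s = load_state(SAMPLE_BLOCK)
    for row in s:  # each row holds every fourth input byte, as in Fig. 3
        print(" ".join(f"{b:02x}" for b in row))
    print([f"{w:08x}" for w in column_words(s)])
    assert store_state(s) == SAMPLE_BLOCK
```

With the sample block, row 0 of the State is 00 04 08 0c rather than 00 01 02 03, and w_0 is the word 00010203, which is the check to apply when validating a new implementation against Fig. 3.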

4. Mathematical Preliminaries

All bytes in the AES algorithm are interpreted as finite field elements using the notation introduced in Sec. 3.2. Finite field elements can be added and multiplied, but these operations are different from those used for numbers. The following subsections introduce the basic mathematical concepts needed for Sec. 5.

4.1 Addition

The addition of two elements in a finite field is achieved by “adding” the coefficients for the corresponding powers in the polynomials for the two elements. The addition is performed with the XOR operation (denoted by ⊕), i.e., modulo 2, so that 1 ⊕ 1 = 0, 1 ⊕ 0 = 1, and 0 ⊕ 0 = 0. Consequently, subtraction of polynomials is identical to addition of polynomials.

Alternatively, addition of finite field elements can be described as the modulo 2 addition of corresponding bits in the byte. For two bytes {a7 a6 a5 a4 a3 a2 a1 a0} and {b7 b6 b5 b4 b3 b2 b1 b0}, the sum is {c7 c6 c5 c4 c3 c2 c1 c0}, where each c_i = a_i ⊕ b_i (i.e., c7 = a7 ⊕ b7, c6 = a6 ⊕ b6, ... c0 = a0 ⊕ b0).

For example, the following expressions are equivalent to one another:

(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2 (polynomial notation);

{01010111} ⊕ {10000011} = {11010100} (binary notation);

{57} ⊕ {83} = {d4} (hexadecimal notation).

4.2 Multiplication

In the polynomial representation, multiplication in GF(2^8) (denoted by •) corresponds with the multiplication of polynomials modulo an irreducible polynomial of degree 8. A polynomial is irreducible if its only divisors are one and itself. For the AES algorithm, this irreducible polynomial is

m(x) = x^8 + x^4 + x^3 + x + 1, (4.1)

{57} • {02} = xtime({57}) = {ae}
{57} • {04} = xtime({ae}) = {47}
{57} • {08} = xtime({47}) = {8e}
{57} • {10} = xtime({8e}) = {07},

thus,

{57} • {13} = {57} • ({01} ⊕ {02} ⊕ {10}) = {57} ⊕ {ae} ⊕ {07} = {fe}.

4.3 Polynomials with Coefficients in GF(2^8)

Four-term polynomials can be defined - with coefficients that are finite field elements - as:

a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0 (4.5)

which will be denoted as a word in the form [a_0, a_1, a_2, a_3]. Note that the polynomials in this section behave somewhat differently than the polynomials used in the definition of finite field elements, even though both types of polynomials use the same indeterminate, x. The coefficients in this section are themselves finite field elements, i.e., bytes, instead of bits; also, the multiplication of four-term polynomials uses a different reduction polynomial, defined below. The distinction should always be clear from the context.

To illustrate the addition and multiplication operations, let

b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0 (4.6)

define a second four-term polynomial. Addition is performed by adding the finite field coefficients of like powers of x. This addition corresponds to an XOR operation between the corresponding bytes in each of the words – in other words, the XOR of the complete word values.

Thus, using the equations of (4.5) and (4.6),

a(x) + b(x) = (a_3 ⊕ b_3) x^3 + (a_2 ⊕ b_2) x^2 + (a_1 ⊕ b_1) x + (a_0 ⊕ b_0) (4.7)

Multiplication is achieved in two steps. In the first step, the polynomial product c(x) = a(x) • b(x) is algebraically expanded, and like powers are collected to give

c(x) = c_6 x^6 + c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0 (4.8)

where

c_0 = a_0 • b_0
c_1 = a_1 • b_0 ⊕ a_0 • b_1
c_2 = a_2 • b_0 ⊕ a_1 • b_1 ⊕ a_0 • b_2
c_3 = a_3 • b_0 ⊕ a_2 • b_1 ⊕ a_1 • b_2 ⊕ a_0 • b_3
c_4 = a_3 • b_1 ⊕ a_2 • b_2 ⊕ a_1 • b_3
c_5 = a_3 • b_2 ⊕ a_2 • b_3
c_6 = a_3 • b_3. (4.9)

The result, c(x), does not represent a four-byte word. Therefore, the second step of the multiplication is to reduce c(x) modulo a polynomial of degree 4; the result can be reduced to a polynomial of degree less than 4. For the AES algorithm, this is accomplished with the polynomial x^4 + 1, so that

x^i mod (x^4 + 1) = x^(i mod 4). (4.10)

The modular product of a(x) and b(x), denoted by a(x) ⊗ b(x), is given by the four-term polynomial d(x), defined as follows:

d(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0 (4.11)

with

d_0 = (a_0 • b_0) ⊕ (a_3 • b_1) ⊕ (a_2 • b_2) ⊕ (a_1 • b_3)
d_1 = (a_1 • b_0) ⊕ (a_0 • b_1) ⊕ (a_3 • b_2) ⊕ (a_2 • b_3)
d_2 = (a_2 • b_0) ⊕ (a_1 • b_1) ⊕ (a_0 • b_2) ⊕ (a_3 • b_3)
d_3 = (a_3 • b_0) ⊕ (a_2 • b_1) ⊕ (a_1 • b_2) ⊕ (a_0 • b_3). (4.12)

When a(x) is a fixed polynomial, the operation defined in equation (4.11) can be written in matrix form as:

[ d_0 ]   [ a_0 a_3 a_2 a_1 ] [ b_0 ]
[ d_1 ] = [ a_1 a_0 a_3 a_2 ] [ b_1 ]
[ d_2 ]   [ a_2 a_1 a_0 a_3 ] [ b_2 ]
[ d_3 ]   [ a_3 a_2 a_1 a_0 ] [ b_3 ]   (4.13)

Because x^4 + 1 is not an irreducible polynomial over GF(2^8), multiplication by a fixed four-term polynomial is not necessarily invertible. However, the AES algorithm specifies a fixed four-term polynomial that does have an inverse (see Sec. 5.1.3 and Sec. 5.3.3):

a(x) = {03} x^3 + {01} x^2 + {01} x + {02} (4.14)

a^-1(x) = {0b} x^3 + {0d} x^2 + {09} x + {0e}. (4.15)

Another polynomial used in the AES algorithm (see the RotWord() function in Sec. 5.2) has a_0 = a_1 = a_2 = {00} and a_3 = {01}, which is the polynomial x^3. Inspection of equation (4.13) above will show that its effect is to form the output word by rotating bytes in the input word. This means that [b_0, b_1, b_2, b_3] is transformed into [b_1, b_2, b_3, b_0].
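The byte arithmetic of Sections 4.1 and 4.2 and the word arithmetic of Section 4.3 share one building block, the field multiplication a • b, so the following added example (not the standard's own code) implements both in one place: gf_add and xtime as defined above, gf_mul built from xtime() exactly as the worked {57} • {13} computation does, and poly_mul_mod implementing a(x) ⊗ b(x) through the reduction rule of equation (4.10), which produces equation (4.12) and hence the matrix (4.13). It then checks that the fixed polynomials (4.14) and (4.15) really are inverses of each other and that x^3 rotates a word as stated. The function and constant names (M_X, gf_mul, poly_mul_mod, MIXCOL_A, mix_column, and so on) are chosen here.

```python
# Added example (not the standard's own code): the GF(2^8) byte arithmetic of
# Sec. 4.1 and 4.2 and the four-term polynomial product of Sec. 4.3.
# A byte is an int 0..255 whose bits are the coefficients of a polynomial over GF(2).
M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, eq. (4.1), as a 9-bit integer


def gf_add(a: int, b: int) -> int:
    """Sec. 4.1: addition (and subtraction) in GF(2^8) is XOR of the bytes."""
    return a ^ b


def xtime(b: int) -> int:
    """Sec. 4.2.1: multiply by x; if bit 7 overflows, reduce by m(x)."""
    b <<= 1
    if b & 0x100:
        b ^= M_X
    return b & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Sec. 4.2: a • b as the XOR of xtime() powers of a selected by the bits of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def poly_mul_mod(a: list[int], b: list[int]) -> list[int]:
    """Sec. 4.3: a(x) ⊗ b(x) for words [a0, a1, a2, a3], reduced modulo x^4 + 1.

    Each product a_i • b_j lands on x^(i+j); by eq. (4.10)
    x^(i+j) mod (x^4 + 1) = x^((i+j) mod 4), which yields eq. (4.12)."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d


MIXCOL_A = [0x02, 0x01, 0x01, 0x03]      # a(x) of eq. (4.14), used by MixColumns()
MIXCOL_A_INV = [0x0E, 0x09, 0x0D, 0x0B]  # a^-1(x) of eq. (4.15), used by InvMixColumns()
ROTWORD_X3 = [0x00, 0x00, 0x00, 0x01]    # x^3, the RotWord() polynomial of Sec. 5.2


def mix_column(col: list[int]) -> list[int]:
    """One State column multiplied by the fixed a(x), i.e. the matrix (4.13) with a = a(x)."""
    return poly_mul_mod(MIXCOL_A, col)


def inv_mix_column(col: list[int]) -> list[int]:
    """Undo mix_column() by multiplying with a^-1(x)."""
    return poly_mul_mod(MIXCOL_A_INV, col)


if __name__ == "__main__":
    # The worked values of Sec. 4.2: the xtime() chain and {57} • {13} = {fe}.
    print(" ".join(f"{{{v:02x}}}" for v in (xtime(0x57), xtime(0xAE), xtime(0x47), xtime(0x8E))))
    print(f"{{57}} • {{13}} = {{{gf_mul(0x57, 0x13):02x}}}")
    # a(x) ⊗ a^-1(x) must be the constant polynomial {01}.
    print(poly_mul_mod(MIXCOL_A, MIXCOL_A_INV))
    # x^3 rotates a word: [b0, b1, b2, b3] -> [b1, b2, b3, b0].
    print(poly_mul_mod(ROTWORD_X3, [0x10, 0x20, 0x30, 0x40]))
```

The shift-and-add form of gf_mul is the textbook version and branches on secret-dependent data; a production implementation would use a constant-time variant or hardware instructions, but the algebra it demonstrates is exactly that of the text.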

5. Algorithm Specification

For the AES algorithm, the length of the input block, the output block and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State.

Appendix B presents an example of the Cipher, showing values for the State array at the beginning of each round and after the application of each of the four transformations described in the following sections.

Figure 5. Pseudo Code for the Cipher.^1

5.1.1 SubBytes() Transformation

The SubBytes() transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box). This S-box (Fig. 7), which is invertible, is constructed by composing two transformations:

1. Take the multiplicative inverse in the finite field GF(2^8), described in Sec. 4.2; the element {00} is mapped to itself.
2. Apply the following affine transformation (over GF(2)):

b'_i = b_i ⊕ b_{(i+4) mod 8} ⊕ b_{(i+5) mod 8} ⊕ b_{(i+6) mod 8} ⊕ b_{(i+7) mod 8} ⊕ c_i

for 0 ≤ i < 8, where b_i is the i-th bit of the byte, and c_i is the i-th bit of a byte c with the value {63} or {01100011}. Here and elsewhere, a prime on a variable (e.g., b′) indicates that the variable is to be updated with the value on the right. In matrix form, the affine transformation element of the S-box can be expressed as:

Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
    byte state[4,Nb]

    state = in

    AddRoundKey(state, w[0, Nb-1])                      // See Sec. 5.1.4

    for round = 1 step 1 to Nr-1
        SubBytes(state)                                 // See Sec. 5.1.1
        ShiftRows(state)                                // See Sec. 5.1.2
        MixColumns(state)                               // See Sec. 5.1.3
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    end for

    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])

    out = state
end

^1 The various transformations (e.g., SubBytes(), ShiftRows(), etc.) act upon the State array that is addressed by the ‘state’ pointer. AddRoundKey() uses an additional pointer to address the Round Key.

[ b'_0 ]   [ 1 0 0 0 1 1 1 1 ] [ b_0 ]   [ 1 ]
[ b'_1 ]   [ 1 1 0 0 0 1 1 1 ] [ b_1 ]   [ 1 ]
[ b'_2 ]   [ 1 1 1 0 0 0 1 1 ] [ b_2 ]   [ 0 ]
[ b'_3 ] = [ 1 1 1 1 0 0 0 1 ] [ b_3 ] + [ 0 ]
[ b'_4 ]   [ 1 1 1 1 1 0 0 0 ] [ b_4 ]   [ 0 ]
[ b'_5 ]   [ 0 1 1 1 1 1 0 0 ] [ b_5 ]   [ 1 ]
[ b'_6 ]   [ 0 0 1 1 1 1 1 0 ] [ b_6 ]   [ 1 ]
[ b'_7 ]   [ 0 0 0 1 1 1 1 1 ] [ b_7 ]   [ 0 ]

Figure 6 illustrates the effect of the SubBytes() transformation on the State.

s0,0  s0,1  s0,2  s0,3              s'0,0  s'0,1  s'0,2  s'0,3
s1,0  s1,1  s1,2  s1,3    S-box     s'1,0  s'1,1  s'1,2  s'1,3
s2,0  s2,1  s2,2  s2,3    ----->    s'2,0  s'2,1  s'2,2  s'2,3
s3,0  s3,1  s3,2  s3,3              s'3,0  s'3,1  s'3,2  s'3,3

(each byte s_{r,c} is replaced by its S-box value s'_{r,c})

Figure 6. SubBytes() applies the S-box to each byte of the State.

The S-box used in the SubBytes() transformation is presented in hexadecimal form in Fig. 7. For example, if s_{1,1} = {53}, then the substitution value would be determined by the intersection of the row with index ‘5’ and the column with index ‘3’ in Fig. 7. This would result in s'_{1,1} having a value of {ed}.

                                   y
x     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0    63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1    ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2    b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3    04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4    09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5    53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6    d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7    51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8    cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9    60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a    e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b    e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c    ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d    70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e    e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f    8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Figure 7. S-box: substitution values for the byte xy (in hexadecimal format).
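A table copied by hand is a common source of silent errors, so a practitioner usually regenerates the S-box from its definition and compares. The following added example (not the standard's own code) does exactly that for the two-step construction of Sec. 5.1.1: it computes every multiplicative inverse in GF(2^8) with {00} mapped to itself, applies the affine transformation with c = {63}, and checks the result against the first row of Fig. 7 and the worked value S({53}) = {ed}; it also derives the inverse S-box used by InvSubBytes(). The inverses are taken from log/antilog tables over the generator {03}, a choice made here rather than by the text, and the names xtime, gf_inverse_table, affine, build_sbox and build_inv_sbox are chosen here.

```python
# Added example (not the standard's own code): constructing the S-box of
# Sec. 5.1.1 from its definition, the multiplicative inverse in GF(2^8)
# followed by the affine transformation with c = {63}, and checking it
# against entries of Fig. 7.
M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, eq. (4.1)


def xtime(b: int) -> int:
    """Multiply a byte by x in GF(2^8), reducing by m(x) on overflow (Sec. 4.2.1)."""
    b <<= 1
    return (b ^ M_X) & 0xFF if b & 0x100 else b


def gf_inverse_table() -> list[int]:
    """Step 1: multiplicative inverse of every byte; {00} is mapped to itself.

    Uses log/antilog tables over the generator {03} (an implementation choice
    made here): multiplying by {03} is xtime(g) ^ g, so no general
    multiplication routine is needed."""
    exp = [0] * 255
    log = [0] * 256
    g = 1
    for i in range(255):
        exp[i] = g
        log[g] = i
        g = xtime(g) ^ g  # g = g • {03}
    inv = [0] * 256
    for b in range(1, 256):
        inv[b] = exp[(255 - log[b]) % 255]  # b^-1 = g^(-log b)
    return inv


def affine(b: int) -> int:
    """Step 2: b'_i = b_i ⊕ b_(i+4) ⊕ b_(i+5) ⊕ b_(i+6) ⊕ b_(i+7) ⊕ c_i, indices mod 8."""
    c = 0x63
    out = 0
    for i in range(8):
        bit = (c >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out


def build_sbox() -> list[int]:
    """Flat S-box: the entry for byte {xy} sits at index 16*x + y (row x, column y of Fig. 7)."""
    inv = gf_inverse_table()
    return [affine(inv[b]) for b in range(256)]


def build_inv_sbox(sbox: list[int]) -> list[int]:
    """Inverse S-box (used by InvSubBytes()), obtained by inverting the permutation."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


# First row of Fig. 7, copied from the page, used as a spot check.
FIG7_ROW_0 = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
              0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76]

if __name__ == "__main__":
    sbox = build_sbox()
    assert sbox[:16] == FIG7_ROW_0
    print(f"S({{53}}) = {{{sbox[0x53]:02x}}}")  # the worked example in the text: {ed}
    for x in range(16):
        print(" ".join(f"{sbox[16 * x + y]:02x}" for y in range(16)))
```

Because the S-box is a bijection, sorted(build_sbox()) must be the full range 0..255 and the inverse table must map every S-box output back to its input; both properties are cheap to assert at start-up in an implementation that carries the table as a constant.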
