1. ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi

2. Outline  Background  AES Encryption and Decryption  Security Issues  Implementation Issues

3. Background  In 1977, the National Bureau of Standards (NBS) adopted DES.  In 1994, the National Institute of Standards and Technology (NIST), reaffirmed DES for federal use for another 5 years.  In 1999, NIST adopted 3DES.  Pros:  168-bit key  overcomes brute-force attack.  Cons:  Triple rounds  relatively slow in software.  64-bit block size  larger is better.  3DES is not a good candidate for long-term use.

4. Background  In 1997, NIST called for a new Advanced Encryption Standard (AES)  AES Requirements:  Must have equal or better security than 3DES.  Must improve the efficiency.  Must be a 128-bit symmetric block cipher.  Must support 128/192/256 bit key lengths.  In 2001, NIST selected Rijndael (by Rijmen and Daemen) as the new AES.  AES will replace 3DES eventually. Until then, NIST approves 3DES for US government use.

5. AES (Encryption)  Not a Feistel structure (data block is processed in parallel in each round) (data block is processed in parallel in each round)  Key Expansion provides 128-bit round keys (4 words each).  Each round has 4 stages :  Substitute bytes: using an S-box to perform a byte-by-byte substitution of the block  ShiftRows: a simple permutation  MixColumns: substitution using arithmetic over GF(2 8 )  AddRoundKey: bitwise XOR of the current block with a round key

6. byte-by-byte substitution using S-box Simple permutation Substitution using arithmetic over GF(2 8 ) XOR with round key

7. AES (Decryption)  Each stage is easily reversible:  Inv. Sub bytes: An inverse S-box is used.  Inv. ShiftRows: Inverse permutation  Inv. MixColumns: Inverse substitution using arithmetic over GF(2 8 )  AddRoundKey: XOR with a round key in reverse order (B  RK)  RK = B

8. AES Security Issues  Only the AddRoundKey stage makes use of the key.  Other stages are reversible without the key  add no security.  AddRoundKey stage by itself is just an XOR scheme  attackable.  Other three stages provide confusion/diffusion/ nonlinearity (i.e. scrambling the block), but no security.  The four stages together in each round make it both efficient and highly secure.  The S-box is designed such that:  It is resistant to known cryptanalytic attacks  It has no fixed point (S-box(n) = n)  it is not self-inverse. Eg. S-box(95) = 2A, but Inv.S-box(95) = AD

9. AES Implementation Issues  Very efficient on 8-bit processor:  AddRoundKey: bytewise XOR operation  ShiftRows: simple byte shifting  SubBytes: operates at byte-level  MixColumns: multiplies matrices in GF(2 8 )  On 32-bit processor, a more efficient implementation can be achieved with operations defined on 32-bit words.