Uploaded by Akshat Agrawal

DES AES M

Real Time Application of DES
Block Ciphers: Introduction
• Work on blocks of message bits rather than a stream of message bits
Main Idea
• Suppose we encrypt in blocks of size n
• Let $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a function
• For a message block M of n bits, and key K, the ciphertext is given by C = E(K,M)
Example:
• DES: $\{0,1\}^{56} \times \{0,1\}^{64} \to \{0,1\}^{64}$
• Triple DES: $\{0,1\}^{168} \times \{0,1\}^{64} \to \{0,1\}^{64}$
• AES: $\{0,1\}^k \times \{0,1\}^{128} \to \{0,1\}^{128}$, k = 128, 192, 256
Dr. Preeti Chandrakar (NIT, Raipur)
Data Encryption Standard (DES)
• DES is the most widely used encryption scheme, adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST)
• DES is a 16-round Feistel cipher having a block length of 64 bits
• Encrypt a plaintext bitstring x (of length 64) using a 56-bit key, k, obtaining a ciphertext bitstring (of length 64)
[Figure: Plaintext (64 bit) → DES, keyed with the 56 bit key → Ciphertext (64 bit)]
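Feistel Cipher
• Used to build various symmetric block ciphers such as DES
• $L_1 = R_0$
• $R_1 = L_0 \oplus f(R_0, K_1)$
• So
• $L_i = R_{i-1}$
• $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
[Figure: one Feistel round. The 32-bit halves L0 and R0 enter; f(.) is applied to R0 under K1 and XORed (⊕) into L0; the outputs are the 32-bit halves L1 and R1]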
DES (Data Encryption Standard)
⮚Block Size- 64 bit
⮚No. of Rounds- 16 rounds
⮚Key Size-64 bit
⮚No. of sub keys: 16 subkeys
⮚Subkey Size: 48 bit subkey
⮚Cipher text- 64 bit cipher text
⮚It follows Feistel Structure
DES Numerology
• 64 bits block length
• 56 bits key length
• 16 rounds of operations
• 48 bits of key used each round (subkey)
• Each round is simple (for a block cipher)
• Security depends primarily on S-box
• Each S-box maps 6 bits to 4 bits
[Figure: DES Encryption [1]. 64 bits plaintext → Initial permutation → Round 1 → Round 2 → … → Round 16 → Final permutation → 64 bits ciphertext; the round-key generator derives the 48-bit round keys k1, k2, …, k16 from the 56-bit key]
Key Generation
Parity Drop
It drops the parity bits (bits 8, 16, 24, …, 64) from the 64-bit key and permutes the rest of the bits according to the parity bit drop table.
Bits 9, 18, 22, 25, 35, 38, 43 and 54 are blocked
DES Construction
• function DES_k(M) // |k| = 56 and |M| = 64
•   (k_1, …, k_16) ← KeySchedule(k) // |k_i| = 48 for 1 <= i <= 16
•   M ← IP(M)
•   Parse M as L_0 || R_0 // |L_0| = |R_0| = 32
•   for i = 1 to 16 do
•     L_i ← R_{i-1};
•     R_i ← f(k_i, R_{i-1}) ⊕ L_{i-1}
•   C ← IP^-1(L_16 || R_16)
•   Return C
Note:
M = message, k = key, IP = Initial permutation, L = left bit, R = right bit, C = ciphertext
DES Construction
• function DES^-1_k(C) // |k| = 56 and |M| = 64
•   (k_1, …, k_16) ← KeySchedule(k) // |k_i| = 48 for 1 <= i <= 16
•   C ← IP(C)
•   Parse C as L_16 || R_16
•   for i = 16 downto 1 do
•     R_{i-1} ← L_i;
•     L_{i-1} ← f(k_i, R_{i-1}) ⊕ R_i
•   M ← IP^-1(L_0 || R_0)
•   Return M
Note:
M = message, k = key, IP = Initial permutation, L = left bit, R = right bit, C = ciphertext
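The two constructions above as runnable code (an added example, not part of the original slides). The loops follow the slides' pseudocode; the round function f and the key schedule are hash-based stand-ins assumed for illustration, and the keyless IP / IP^-1 steps are left out. The point it shows is that decryption only ever calls f in the forward direction, so f does not have to be invertible.

```python
import hashlib

ROUNDS = 16
HALF_MASK = 0xFFFFFFFF  # |L_i| = |R_i| = 32 bits


def key_schedule(key: int) -> list:
    """Stand-in schedule (assumption): sixteen 48-bit subkeys from a 56-bit key."""
    subkeys = []
    for i in range(1, ROUNDS + 1):
        digest = hashlib.sha256(key.to_bytes(7, "big") + bytes([i])).digest()
        subkeys.append(int.from_bytes(digest[:6], "big"))
    return subkeys


def f(subkey: int, right: int) -> int:
    """Stand-in round function (assumption): a truncated hash, so it has no inverse."""
    data = subkey.to_bytes(6, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_encrypt(key: int, block: int) -> int:
    left, right = block >> 32, block & HALF_MASK     # L_0 || R_0
    for k_i in key_schedule(key):                     # i = 1 .. 16
        left, right = right, f(k_i, right) ^ left    # L_i = R_{i-1}, R_i = f(...) xor L_{i-1}
    return (left << 32) | right                       # L_16 || R_16


def feistel_decrypt(key: int, block: int) -> int:
    left, right = block >> 32, block & HALF_MASK     # L_16 || R_16
    for k_i in reversed(key_schedule(key)):           # i = 16 .. 1
        # R_{i-1} = L_i, then L_{i-1} = f(k_i, R_{i-1}) xor R_i
        left, right = f(k_i, left) ^ right, left
    return (left << 32) | right                       # L_0 || R_0


if __name__ == "__main__":
    key = 0x22234512987ABB          # constructed 56-bit key
    message = 0x0123456789ABCDEF    # constructed 64-bit block
    ciphertext = feistel_encrypt(key, message)
    print(format(ciphertext, "016X"), feistel_decrypt(key, ciphertext) == message)
```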
Initial Permutations
• Takes 64-bit input and permutes them according to a predefined rule
• Permutations are keyless and predetermined
• They have no cryptographic significance
Initial and Final (Inverse Initial) Permutations
⮚It takes a 64 bit input and permutes them according to a predefined rule
Example
⮚In the initial permutation, the 58th bit in the input becomes the first bit in the output
⮚The 50th bit becomes the 2nd bit. The 1st bit becomes the 40th bit. The 2nd bit becomes the 8th bit.
⮚Similarly, in the final permutation, the 1st bit in the input becomes the 58th bit in the output. The 2nd bit in the input becomes the 50th bit in the output. The 3rd bit in the input becomes the 42nd bit in the output. The 8th bit becomes the 2nd bit. The 25th bit becomes the 64th bit. The 40th bit becomes the 1st bit.
Example
• Find the output of the initial permutation box when the input is given in hexadecimal 0x0002 0000 0000 0001
• Soln:
• 0000 0000 0000 0010 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0001
• Only two bits, 15 and 64, are 1. The output must also have only two 1s. Using the IP table, bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63.
• 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0010
• So 0x0000 0080 0000 0002
Example
• Find the output of the final permutation if the input is 0x0000 0080 0000 0002
• Soln:
• 0000 0000 0000 0000 0000 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0010
• Only bit 25 and bit 63 are 1s, the other bits are 0s. In the final permutation, bit 25 becomes bit 64, and bit 63 becomes bit 15. The result:
• 0000 0000 0000 0010 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0001
• So 0x0002 0000 0000 0001
Encryption (Each Round Detail)
(Key Generation) [1]
Expansion
• E is an expansion function which takes a block of 32 bits as input and produces a block of 48 bits as output
Expansion table E:
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
• 16 bits appear twice in the expansion
[Figure: round function. Ri-1 (32 bit) → E → 48 bit, ⊕ ki (48 bit) → S-boxes S1 S2 S3 S4 S5 S6 S7 S8 → outputs C1 … C8 → 32 bit]
Substitution Box (S box)
⮚DES uses 8 S-boxes, each with a 6 bit input and 4 bit output
⮚48 bits of data are divided into eight 6-bit chunks and each chunk is fed into a box.
⮚The result of each box is a 4 bit chunk
⮚The substitution in each box follows a pre-defined rule based on a 4-row by 16-column table
S-boxes
• S-boxes are the only non-linear elements in DES design
• 8 S-Box
• S = matrix 4x16, values from 0 to 15
• B (6 bit long) = b1b2b3b4b5b6
• b1b6: r = row of the matrix (2 bits: 0,1,2,3)
• b2b3b4b5: c = column of the matrix (4 bits: 0,1,…,15)
• C (4 bit long) = Binary representation of S(r,c)
[Figure: B (6 bit) → S-Box → C (4 bit)]
Example (S1)
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1 |  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2 |  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3 | 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
• Example: B = 101111, so b1 b2 b3 b4 b5 b6 = 1 0 1 1 1 1
• b1b6 = 11 = row 3
• b2b3b4b5 = 0111 = column 7
• C = 7 = 0111
S-box
S-box 1
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1 |  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2 |  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3 | 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
S-box 2
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
1 |  3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
2 |  0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
3 | 13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9
S-box
S-box 3
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
1 | 13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
2 | 13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
3 |  1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
S-box 4
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 |  7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
1 | 13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
2 | 10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
3 |  3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14
S-box
S-box 5
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 |  2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
1 | 14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
2 |  4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
3 | 11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3
S-box 6
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
1 | 10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
2 |  9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
3 |  4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13
S-box
S-box 7
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 |  4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
1 | 13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
2 |  1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
3 |  6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12
S-box 8
R |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0 | 13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
1 |  1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
2 |  7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
3 |  2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
DES Analysis
Avalanche effect:
• A small change in the plaintext (or key) should create a significant change in the ciphertext
• Example: encrypt two plaintext blocks with the same key
• Plaintext: 0000000000000000
  – Ciphertext: 4789FD476E82A5F1
  – Key: 22234512987ABB23
• Plaintext: 0000000000000001
  – Ciphertext: 0A4ED5C15A63FEA3
  – Key: 22234512987ABB23
DES Analysis
  – 0100 0111 1000 1001 1111 1101 0100 0111 0110 1110 1000 0010 1010 0101 1111 0001
  – 0000 1010 0100 1110 1101 0101 1100 0001 0101 1010 0110 0011 1111 1110 1010 0011
• The two plaintext blocks differ only in the rightmost bit; the ciphertext blocks differ in 29 bits.
• Approximately 1.5% of changes in the plaintext create approximately 45% of changes in ciphertext
DES weak keys
• DES uses 16 48-bit keys generated from a master 56-bit key
Weak keys
• Keys that cause the same sub-key to be generated in more than one round
• It reduces cipher complexity
• Weak keys can be avoided at key generation
Keys before parities drop (64 bits) | Actual key (56 bits)
0101 0101 0101 0101 | 0000000 0000000
1F1F 1F1F 1F1F 1F1F | 0000000 FFFFFFF
E0E0 E0E0 F1F1 F1F1 | FFFFFFF 0000000
FEFE FEFE FEFE FEFE | FFFFFFF FFFFFFF
Security of DES
• Brute-Force Attack
  • Weakness of DES is short cipher key
  • DES can be broken using $2^{56}$ encryptions
• Differential Cryptanalysis
  • To break all 16 rounds of DES, it required $2^{47}$ chosen plaintexts
  • Attacker finds a suitable text, not beyond $2^{47}$ attempts
• Linear Cryptanalysis
  • Only needed $2^{43}$ known plaintexts
Increasing the key length of a Block cipher
• Making internal modifications to the existing design to handle larger-sized key
  • Modified key-schedule
  • Modified S-boxes
  • Modified mixing permutation
  • Even a slight modification to DES structure has severe security consequences
• Incorporate a larger key in a black-box fashion without internal modifications
  • Ex. Double encryption
  • Let $F: \{0,1\}^n \times \{0,1\}^l \to \{0,1\}^l$ be a secure block cipher (best possible attack $2^n$)
  • n is key length, block length l, output size is l bits
Cont….
• Double encryption
• Define $F^{new}: \{0,1\}^{2n} \times \{0,1\}^l \to \{0,1\}^l$ as:
  • $F^{new}_{k_1,k_2}(x) = F_{k_2}(F_{k_1}(x))$
• If F is DES, then the key size becomes 56 x 2 = 112; hence it's a double DES
So now we have to analyze whether the new double encryption block cipher that we have designed is practically secure or not. Is the best possible attack of order $2^{2n}$ or not?
Answer is no
Insecurity of Double Encryption: Meet-in-the-middle Attack
• An adversary can recover the unknown key of a double encryption block cipher with a complexity of order $2^n$, which is much less than $2^{2n}$
• Let the adversary hold (x,y), with $F^{new}_{k_1,k_2}(x) = F_{k_2}(F_{k_1}(x))$, for an unknown $k = k_1 || k_2$
• The adversary can find a candidate k, with computation of order $O(n \cdot 2^n)$, as follows:
• The adversary has to do brute force in 2 opposite directions
  • It performs a brute force over all candidates k1
  • It performs a brute force over all candidates, but for the inverse of the function on the output
Cont…
• For each candidate $k_1 \in \{0,1\}^n$, compute $z = F_{k_1}(x)$ and store $(k_1, z)$ in the L-list (left list) of order $2^n$
• For each candidate $k_2 \in \{0,1\}^n$, compute $z = F^{-1}_{k_2}(y)$ and store $(k_2, z)$ in the R-list (right list) of order $2^n$
[Figure: the forward values $F_{k_1,i}(x)$ fanning out from x and the backward values $F^{-1}_{k_2,i}$ fanning out from y]
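Cont…
• The adversary sorts the L-list and R-list according to z-values
• If $(k_1, z_1) \in$ L-list and $(k_2, z_2) \in$ R-list, with $z_1 = z_2$, then $k_1 || k_2$ is a candidate k
[Figure: the forward values $F_{k_1,i}(x)$ from x and the backward values $F^{-1}_{k_2,i}(y)$ from y meet where $F_{k_1}(x) = F^{-1}_{k_2}(y)$, with $y = F_{k_2}(F_{k_1}(x))$]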
Cont…
• There will definitely be one candidate k1 and one candidate k2 that reach the same point
• To obtain the meeting point, the adversary has to perform a computation of order $O(n \cdot 2^n)$
• It has to perform two brute forces and then do sorting, and then it has to find out the meeting point
• When we have constructed a double encryption block cipher, with a key of size bits and we expect that the best possible attack should be order $n \cdot 2^n$
• The adversary can recover the key in $n \cdot 2^n$ time
• Hence double encryption is not sufficient
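The L-list / R-list procedure above, run against a deliberately tiny cipher (an added example, not part of the original slides). The 16-bit block cipher F with 12-bit keys is a toy assumed here so both lists can be enumerated in a moment; a dictionary lookup stands in for the slides' sort-and-compare step, and extra (x, y) pairs are used to discard candidates that only match by chance. The search costs 2 · 2^12 cipher calls instead of the 2^24 a brute force over k1 || k2 would need.

```python
from collections import defaultdict

KEY_BITS = 12        # n: toy key length, small enough to enumerate
MASK = 0xFFFF        # l = 16-bit block
MULT = 0x6487        # odd, hence invertible modulo 2^16
MULT_INV = pow(MULT, -1, 1 << 16)


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK


def F(k: int, x: int) -> int:
    """Toy block cipher F_k (assumption for this example, no security claimed)."""
    for r in range(4):
        x ^= (k * 0x9E37 + r) & MASK
        x = rotl((x * MULT) & MASK, 5)
    return x


def F_inv(k: int, y: int) -> int:
    """F_k^-1: undo the rounds of F in reverse order."""
    for r in reversed(range(4)):
        y = (rotl(y, 11) * MULT_INV) & MASK
        y ^= (k * 0x9E37 + r) & MASK
    return y


def double_encrypt(k1: int, k2: int, x: int) -> int:
    return F(k2, F(k1, x))           # F^new_{k1,k2}(x) = F_k2(F_k1(x))


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (x, y) pairs."""
    (x, y), extra = pairs[0], pairs[1:]
    l_list = defaultdict(list)       # L-list: z -> every k1 with F_k1(x) = z
    for k1 in range(1 << KEY_BITS):
        l_list[F(k1, x)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):  # R-list, matched as it is built
        z = F_inv(k2, y)
        for k1 in l_list.get(z, ()):
            # z1 = z2: k1 || k2 is a candidate; confirm it on the other pairs
            if all(double_encrypt(k1, k2, xi) == yi for xi, yi in extra):
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    secret = (0xA5C, 0x3F1)          # constructed keys
    known = [(x, double_encrypt(*secret, x)) for x in (0x0000, 0x1234, 0xBEEF)]
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(known)])
```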
Triple Encryption
• Let $F: \{0,1\}^n \times \{0,1\}^l \to \{0,1\}^l$ be a secure block cipher (best possible attack $2^n$)
• Define a new block cipher triple-encryption as follows:
• Variant I (three keys):
  • $F^{new}_{k_1,k_2,k_3}(x) = F_{k_3}(F^{-1}_{k_2}(F_{k_1}(x)))$
• Variant II (two keys):
  • $F^{new}_{k_1,k_2}(x) = F_{k_1}(F^{-1}_{k_2}(F_{k_1}(x)))$
Variant I
C=E(K3,D(K2,E(K1,P)))
P=D(K1,E(K2,D(K3,C)))
Variant II
C=E(K1,D(K2,E(K1,P)))
P=D(K1,E(K2,D(K1,C)))
Cont…
• The middle invocation in both variants is $F^{-1}_k$, instead of $F_k$
• If $F_k$ is secure, then so is $F^{-1}_k$ – not a security concern
• Ensures backward compatibility: by setting k1=k2=k3, Fnew becomes equivalent to F
• We prefer Variant II because that is where we get the maximum possible security
• Variant I: using 3 keys, we are operating with a key of size 3n; the best possible attack should be of order $2^{3n}$
• But we can launch a meet-in-middle attack of order $O(2^{2n})$, which is not desirable
Cont…
• Variant II: We are using a key of size 2n bits, no better attack other than the brute-force attack of order $O(2^{2n})$
• Total round = 16 x 3 = 48
• Key length = 56 x 2 = 112
• K = k1||k2
[Figure: x → EDES (k1) → DDES (k2) → EDES (k1) → y]
DES Limitations
• DES algorithm was broken in 1998 using a system that costs about $250,000
• Small block length (64 bits) and slow speed
• Triple DES turned out to be too slow for efficiency as the DES algorithm was developed for mid-1970's hardware and does not produce efficient software code.
• Triple DES, on the other hand, has three times as many rounds as DES and is correspondingly slower
Algorithm | Key size | Block size
DES | 56 bits | 64 bits
2DES | 112 bits | 64 bits
3DES | 112 bits | 64 bits
• Advanced Encryption Standard (AES)
AES History
• 1997: National Institute of Standards and Technology (NIST) announced a world-wide competition to come up with a replacement of DES
• 2000: After rigorous analysis of the submissions 5 finalists selected: Rijndael, Serpent, Twofish, RC6, MARS
• No serious vulnerabilities found in any of the finalists
• Rijndael (designed by the Belgian cryptographers Vincent Rijmen and Joan Daemen) was selected as the winner, due to efficiency, hardware performance, flexibility, etc.
Overview of AES
• Like DES, AES is a symmetric block cipher. However, AES is quite different from DES in a number of ways
• Block length – 128 bits
• Key length – support for 128, 192, and 256 bits
• r-round – number of rounds depends upon the key size
Key size | No. of rounds
128 bits | 10
192 bits | 12
256 bits | 14
⮚Plaintext- 128 bits (4 Word/ 16 Bytes)
⮚Key Size-128 bits/192 bits/256 bits
⮚No. of Rounds- 10/12/14 rounds
⮚No. of sub keys: 44
⮚Each round- 4 sub keys used
⮚Sub key size (One round): 128 bit (4 word /16 bytes)
⮚Pre round calculation- 4 sub keys
⮚Cipher text- 128 bit cipher text
Data Units
⮚Bit-A binary digit with a value of 0 or 1
⮚Byte- A byte is a group of eight bits that can be treated as
a single entity
⮚Word- A word is a group of 32 bits that can be treated as
single entity, a row matrix of four bytes, or a column matrix
of four bytes
⮚Block- A block in AES is a group of 128 bits. Block can be
represented as a row matrix of 16 bytes.
Block-to-State and State-to-Block Transformation
Overall structure of AES
Cont…
• The AES algorithm maintains a 4 x 4 array of bytes (state), modified in various rounds
• Initial array: the 128-bit input to the AES
• In each round, the state is modified in four stages as follows
• Stage I --- AddRoundKey:
  • 128-bit subkey derived from the master key (as per key-schedule) and XORed with the state
• Stage II --- SubBytes:
  • Each byte replaced by another byte according to a single, fixed bijection $S: \{0,1\}^8 \to \{0,1\}^8$
Cont…
• Stage III --- ShiftRows:
  • Bytes in the rows are left-shifted in a cyclic fashion:
  • 1st row: no shift
  • 2nd row: shift by 1 position
  • 3rd row: shift by 2 positions
  • 4th row: shift by 3 positions
• Stage IV --- MixColumns:
  • An invertible linear transformation applied to the four bytes in each column
  • If the inputs to the transformation differ in b bytes (b>0), outputs of the transformation differ in at least 5-b bytes
SubByte Transformation
• The SubBytes and InvSubBytes transformations are inverses of each other
[Figure: a state matrix transformed by SubByte and restored by InvSubByte]
SubBytes Transformation Table
InvSubBytes Transformation Table
Shift Rows
The number of left shifts depends on the row number (0, 1, 2, 3) of the state matrix
Row 0: No shift
Row 1: 1 Byte shift
Row 2: 2 Byte Shift
Row 3: 3 Byte Shift
The transformation is actually the matrix multiplication of a state column by a constant square matrix
Mix Column Transformation
• This stage is basically a substitution, but it makes use of the arithmetic of $GF(2^8)$
• Each column is operated on individually. Each byte of a column is mapped into a new value that is a function of all four bytes in the column
• The following multiplication can determine the transformation on state
$$\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} S_{0,0} & S_{0,1} & S_{0,2} & S_{0,3} \\ S_{1,0} & S_{1,1} & S_{1,2} & S_{1,3} \\ S_{2,0} & S_{2,1} & S_{2,2} & S_{2,3} \\ S_{3,0} & S_{3,1} & S_{3,2} & S_{3,3} \end{bmatrix} = \begin{bmatrix} S'_{0,0} & S'_{0,1} & S'_{0,2} & S'_{0,3} \\ S'_{1,0} & S'_{1,1} & S'_{1,2} & S'_{1,3} \\ S'_{2,0} & S'_{2,1} & S'_{2,2} & S'_{2,3} \\ S'_{3,0} & S'_{3,1} & S'_{3,2} & S'_{3,3} \end{bmatrix}$$
Cont…
• Example: let's take the first column of a matrix to be $S_{0,0} = \{87\}$, $S_{1,0} = \{6E\}$, $S_{2,0} = \{46\}$, $S_{3,0} = \{A6\}$
• For j=0 we have
• $(02 \cdot 87) \oplus (03 \cdot 6E) \oplus 46 \oplus A6 = 47$
• $(87)_{16} = (135)_{10}$
• So, to show this is the case, we can represent each hex number by a polynomial
• $\{02\} = x$, and $\{87\} = x^7 + x^2 + x + 1$
• Multiply these two together and we get:
• $x \cdot (x^7 + x^2 + x + 1) = x^8 + x^3 + x^2 + x$
Cont…
• The degree of this result is greater than 7, so we have to reduce it modulo an irreducible polynomial m(x). The designers of AES chose $m(x) = x^8 + x^4 + x^3 + x + 1$, so it can be seen that
• $(x^8 + x^3 + x^2 + x) \bmod (x^8 + x^4 + x^3 + x + 1) = x^4 + x^2 + 1$
• $x^4 + x^2 + 1$ = 0001 0101
• 02 · 87 = 0001 0101
• 03 · 6E = 1011 0010
• 46 = 0100 0110
• A6 = 1010 0110
• $S'_{0,0}$ = (⊕ of the four values above) = 0100 0111 = {47}
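The same column carried through all four rows of the MixColumns matrix, with the GF(2^8) reduction done in code (an added example, not part of the original slides). The inverse matrix 0E 0B 0D 09 is the standard InvMixColumns matrix from the AES specification and does not appear on the slides; the function names are chosen here for illustration.

```python
def xtime(a: int) -> int:
    """Multiply by {02} = x in GF(2^8), reducing modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """Multiply two field elements by shift-and-add over the bits of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a      # addition in GF(2^8) is XOR
        a = xtime(a)
        b >>= 1
    return result


MIX = [
    [0x02, 0x03, 0x01, 0x01],
    [0x01, 0x02, 0x03, 0x01],
    [0x01, 0x01, 0x02, 0x03],
    [0x03, 0x01, 0x01, 0x02],
]
INV_MIX = [
    [0x0E, 0x0B, 0x0D, 0x09],
    [0x09, 0x0E, 0x0B, 0x0D],
    [0x0D, 0x09, 0x0E, 0x0B],
    [0x0B, 0x0D, 0x09, 0x0E],
]


def mix_column(column, matrix=MIX):
    """Multiply one 4-byte state column by the constant matrix."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out


def differing_bytes(a, b) -> int:
    return sum(1 for x, y in zip(a, b) if x != y)


if __name__ == "__main__":
    column = [0x87, 0x6E, 0x46, 0xA6]        # first column from the slide
    mixed = mix_column(column)
    print([format(v, "02X") for v in mixed])
    print(mix_column(mixed, INV_MIX) == column)
    # one changed input byte changes all four output bytes (5 - b with b = 1)
    print(differing_bytes(mixed, mix_column([0x86, 0x6E, 0x46, 0xA6])))
```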
Add Round Key Transformation
• In this stage, the 128 bits of state are bitwise XORed with the 128 bits of the round key
• The operation is viewed as a column-wise operation between the 4 bytes of a state column and one word of the round key
• This transformation is as simple as possible, which helps in efficiency, but it also affects every bit of state
• AES key expansion algorithm takes as input a 4-word key and produces a linear array of 44 words
• Each word contains 32 bytes which mean each subkey is 128 bits long
RotWord- It is similar to the ShiftRows transformation. The routine takes a word as an array of four bytes and shifts each byte to the left with wrapping
RotWord performs a one-byte circular left shift on a word. This means that an input word [b0,b1,b2,b3] is transformed into [b1,b2,b3,b0]
SubWord- Performs a byte substitution on each byte of the input word using the S-box
Cont…
• The round constant Rcon[j] is a word in which the three rightmost bytes are always 0
• Thus the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word
• The round constant is different for each round and is defined as Rcon[j] = (RC[j], 0, 0, 0), with RC[1] = 1, RC[j] = 2 · RC[j-1] and with multiplication defined over the field $GF(2^8)$
• The key expansion was designed to be resistant to known cryptanalytic attacks
Round Constant- RCon, is a 4 byte value in which the rightmost three bytes are always zero
Cont..
• The inclusion of a round-dependent round constant eliminates the symmetry, or similarity, between the way in which round keys are generated in different rounds
• The ShiftRows column is depicted here as a linear shift which gives a better idea how this section helps in the encryption
AES Decryption
• AES is not based on a Feistel network.
• The Byte Substitution layer becomes the Inv
Byte Substitution layer.
• The ShiftRows layer becomes the Inv ShiftRows
layer, and the MixColumn layer becomes Inv
MixColumn layer.
• The order of the subkeys is reversed
AES decryption block diagram
Contd…