Chapter 3
Block Ciphers and the
Advanced Encryption Standard
1
Outline







3.1
3.2
3.3
3.4
3.5
3.6
3.7
Introduction
Substitution-Permutation Networks
Linear cryptanalysis
Differential cryptanalysis
The Data Encryption Standard
The Advanced Encryption Standard
Modes of Operation
2
3.1 Introduction

A commonly used design for modern-day
block ciphers is that of an iterated
cipher:
 The cipher requires the specification of a
round function and a key schedule, and
the encryption of a plaintext will proceed
through Nr similar rounds.
3
Introduction





random key K: used to construct Nr round
keys (also called subkeys), which are denoted
K1,…,KNr.
key schedule (K1,…,KNr): constructed from K
using a fixed, public algorithm.
round function g: takes two inputs: a round
key (Kr) and a current state (wr-1).
wr=g(wr-1,Kr) is the next state.
plaintext x: the initial state w0.
ciphertext y: the state after all Nr rounds
done.
4
Introduction

Encryption operations:
Decryption operations:
w0  x
w Nr  y
w1  g ( w0 , K 1 )
w2  g ( w1 , K 2 )

w Nr 1  g ( w Nr  2 , K Nr 1 )
w Nr  g ( w Nr 1 , K Nr )
y  w Nr
w Nr 1  g 1 ( w Nr , K Nr )

w1  g 1 ( w2 , K 2 )
w0  g 1 ( w1 , K 1 )
x  w0
Note: function g is injective
(one-to-one)
5
3.2 Substitution-Permutation
Networks (SPN)

Cryptosystem 3.1: SPN

l, m and Nr are positive integers
 S : {0,1}l  {0,1}l is a permutation
 P : {1,..., lm}  {1,..., lm} is a permutation.

P  C  {0,1}lm , and K  ({0,1}lm ) Nr 1 consist of all



possible key schedules that could be derived from
an initial key K using the key scheduling algorithm.
For a key schedule ( K 1 ,..., K Nr 1 ) , we encrypt the
plaintext x using Algorithm 3.1.
6
Substitution-Permutation
Networks

Algorithm 3.1: SPN ( x,  S ,  P , ( K 1 ,..., K Nr 1 ))
w0  x
for r  1 to Nr  1
u r  w r 1  K r

for i  1 to m
do 
r
r
do
v


(
u
(
i
)
S
(
i) )

w r  (v r ,..., v r
 P (1)
 P ( lm ) )

u Nr  w Nr 1  K Nr
for i  1 to m
do v(Nri)   S (u(Nri) )
y  v Nr  K Nr 1
ur is the input to the Sboxes in round r.
vr is the output of the Sboxes in round r.
wr is obtained from vr by
applying  P .
ur+1 is constructed from
wr by xor-ing with the
round key Kr+1 (called
round key mixing).
The very first and last
operations are xors with
subkeys (called whitening).
output ( y )
7
Substitution-Permutation
Networks

Example 3.1:
 Suppose
l  m  Nr  4 . Let  S be defined as follows,
where the input and the output are written in hexadecimal:
Let  P be defined as follows:
See Figure 3.1 for a pictorial representation of this
particular SPN, where Sir means i-th round, r-th S-box.
8
x
u1
v1
w1
u2
v2
w2
u3
v3
w3
u4
Figure 3.1: A substitutionpermutation network
v4
y
9
Substitution-Permutation
Networks



Key schedule: suppose we begin with a 32-bit key
K  (k1 ,..., k32 )  {0,1}32 . For 1  r  5 , define Kr to consist of
16 consecutive bits of K, beginning with k4r-3.
K= 0011 1010 1001 0100 1101 0110 0011 1111
Round keys:
K1= 0011 1010 1001 0100
K2= 1010 1001 0100 1101
K3= 1001 0100 1101 0110
K4= 0100 1101 0110 0011
K5= 1101 0110 0011 1111
10
Substitution-Permutation
Networks


Suppose the plaintext is x= 0010 0110 1011 0111.
Then the encryption of x proceeds as follows:
w0= 0010 0110 1011 0111
K1= 0011 1010 1001 0100
u1= 0001 1100 0010 0011
v1= 0100 0101 1101 0001
w1= 0010 1110 0000 0111
K2= 1010 1001 0100 1101
u2= 1000 0111 0100 1010
v2= 0011 1000 0010 0110
w2= 0100 0001 1011 1000
11
Substitution-Permutation
Networks
K3= 1001 0100 1101 0110
u3= 1101 0101 0110 1110
v3= 1001 1111 1011 0000
w3= 1110 0100 0110 1110
K4= 0100 1101 0110 0011
u4= 1010 1001 0000 1101
v4= 0110 1010 1110 1001
K5= 1101 0110 0011 1111, and
y= 1011 1100 1101 0110
is the ciphertext.
12
3.3 Linear Cryptanalysis



We want to find a probabilistic linear relationship
between a subset of plaintext bits and a subset of
data bits preceding the last round. This relation
behaves in a non-random fashion.
The attacker has a lot of plaintext-ciphertext pairs
(known plaintext attack).
For each candidate subkey, we partially decrypt the
cipher and check if the relation holds. If the relation
holds then increment its corresponding counter. At
the end, the candidate key that counts furthest from
½ is the most likely subkey.
13
Linear Cryptanalysis

3.3.1 The Piling-up Lemma

Suppose X1, X2,… are independent random variables from
{0,1}. And
Pr[ X i  0]  pi ,
i  1,2,... Hence,
Pr[ X i  1]  1  pi , i  1,2,...

The independence of Xi, Xj implies
Pr[ X i  0, X j  0]  pi p j
Pr[ X i  0, X j  1]  pi (1  p j )
Pr[ X i  1, X j  0]  (1  pi ) p j
Pr[ X i  1, X j  1]  (1  pi )(1  p j )
14
Linear Cryptanalysis

Now consider X i  X j .
Pr[ X i  X j  0]  pi p j  (1  pi )(1  p j )
Pr[ X i  X j  1]  pi (1  p j )  (1  pi ) p j


The bias of Xi is defined to be the quantity
 i  pi  12
And we have
 12   i  12 ,
Pr[ X i  0]  12   i ,
Pr[ X i  1]  12   i .
15
Linear Cryptanalysis


Let
 i ,i ,..., i denote the bias of
1 2
k
X i1      X ik .
Lemma 3.1 (Piling-up lemma) : Let  i1 ,i2 ,..., ik denote
the bias of the random variable X i      X i . Then
1
k
k
 i ,i ,..., i  2 k 1   i .
1 2
k
j
j 1
Corollary 3.2: Let  i1 ,i2 ,..., ik denote the bias of the
random variable X i      X i . Suppose that  i j  0 for
some j. Then  i1 ,i2 ,..., ik  0 .
1
k
16
Linear Cryptanalysis

3.3.2 Linear Approximations of S-boxes



Consider an S-box  S : {0,1}  {0,1}.
Let the input m-tuple be X=(x1,…,xm). And the output n-tuple be
Y=(y1,…,yn).
We can see that
Pr[ X 1  x1 ,..., X m  xm , Y1  y1 ,..., Yn  yn ]  0
m
n
if ( y1 ,..., yn )   S ( x1 ,..., xm ) ; and
Pr[ X 1  x1 ,..., X m  xm , Y1  y1 ,..., Yn  yn ]  2 m
if ( y1 ,..., yn )   S ( x1 ,..., xm ).

Now we can compute the bias of the form
X i1      X ik  Y j1      Y jl
using the formulas stated above.
17
Linear Cryptanalysis

Example 3.2: We use the S-box as Example 3.1.
18
Linear Cryptanalysis


Consider X1  X 4  Y2 . The probability that X1  X 4  Y2  0
can be determined by counting the number of rows in which
X1  X 4  Y2  0 , and then dividing by 16.
It is seen that
Pr[ X 1  X 4  Y2  0]  12

Hence, the bias is 0.
If we instead analyze X 3  X 4  Y1  Y4 , we find that the
bias is –3/8.
19
Linear Cryptanalysis


We can record the bias of all 28=256 possible random
variables.
We represent the relevant random variable in the
form  4
  4

  ai X i     biYi 
 i 1
  i 1


where ai {0,1}, bi {0,1}, i  1,2,3,4 .
We treat (a1,a2,a3,a4) and (b1,b2,b3,b4) as
hexadecimal digit (they are called input sum and
output sum, respectively)
20
Linear Cryptanalysis

Let NL(a,b) denote the number of binary eight-tuples
(x1,x2,x3,x4,y1,y2,y3,y4) s.t
( y1 , y2 , y3 , y4 )   S ( x1 , x2 , x3 , x4 )
and 4
4

 

  ai X i     biYi   0
 i 1
  i 1



The bias is computed as  (a, b)  ( N L (a, b)  8) / 16 .
The table of all NL is called the linear approximation
table (Figure 3.2).
21
Example
3.2
Figure 3.2: Linear approximation table: values of
NL(a,b)-8
22
Linear Cryptanalysis

3.3.3 Linear Attack on an SPN


Linear cryptanalysis requires a set of linear approximations
of S-boxes that can be used to derive a linear approximation
of the entire SPN (excluding the last round).
Figure 3.3 illustrates the structure of the approximation we
will use.

Arrows are the random variables involved in the approximations
and the labeled S-boxes (active S-boxes) are used in the
approximations.
23
x
u1
v1
w1
u2
v2
w2
u3
v3
w3
u4
Figure 3.3: A linear
approximation of an SPN
v4
y
24
Linear Cryptanalysis

The approximation incorporates four active S-boxes:





In
In
In
In
S12,
S22,
S32,
S34,
T1  U 51  U 71  U 81  V61 has bias ¼
T2  U 62  V62  V82 has bias -¼
T3  U 63  V63  V83 has bias -¼
T4  U143  V143  V163 has bias -¼
T1 , T2 , T3 , T4 have biases that are high in absolute value.
Further, we will see their XOR will lead to
cancellations of “intermediate” random variables.
25
Linear Cryptanalysis

Using Piling-up lemma, T1  T2  T3  T4 has bias equal
to 23(1/4)(-1/4)3=-1/32.


Note: we assume the four r.v are independent.
Then T1 , T2 , T3 , T4 can be expressed in terms of
plaintext bits, bits of u4 (input to the last round) and
key bits as follows:
T1  U 51  U 71  U 81  V61  X 5  K 51  X 7  K 71  X 8  K 81  V61
T2  U 62  V62  V82
 V61  K 62  V62  V82
T3  U 63  V63  V83
 V62  K 63  V63  V83
T4  U143  V143  V163
 V82  K143  V143  V163
26
Linear Cryptanalysis

XOR the right side and we get
X 5  X 7  X 8  V63  V83  V143  V163
 K51  K 71  K81  K 62  K 63  K143


(3.1)
Then replace Vi 3 by U i4 and key bits:
V63  U 64  K 64
V83  U144  K144
V143  U 84  K84
V163  U164  K164
Now substitute them into 3.1:
X 5  X 7  X 8  U 64  U 84  U144  U164
 K 51  K 71  K81  K 62  K 63  K143  K 64  K84  K144  K164 (3.2)
27
Linear Cryptanalysis


The expression above only involves plaintext bits, bits
of u4 and key bits.
Suppose the key bits are fixed. Then
K 51  K 71  K 81  K 62  K 63  K143  K 64  K 84  K144  K164

has the (fixed) value 0 or 1.
It follows that
X 5  X 7  X 8  U 64  U 84  U144  U164
(3.3)
has bias -1/32 or 1/32 where the sign depends on
the key bits (=0 or =1).
28
Linear Cryptanalysis


The fact that (3.3) has bias bounded away from 0
allows us to carry out linear attack.
Suppose that we have T plaintext-ciphertext pairs
(denoted by  ), all use the same unknown key, K.
The attack will allow us to obtain the eight key bits,
K 55 , K 65 , K 75 , K 85 , K135 , K145 , K155 , K165

There are 28=256 possibilities for the eight key bits.
We refer to a binary 8-tuple as a candidate subkey.
29
Linear Cryptanalysis


For each ( x, y )  and for each candidate subkey, we
compute a partial decryption of y and obtain the
resulting value for u(42) ,u(44) .
Then we compute the value
x5  x7  x8  u64  u84  u144  u164


(3.4)
We maintain an array of counters indexed by the 256
possible candidate subkeys, and increment the
counter corresponding to a particular subkey when
(3.4) has the value 0.
In the end, we expect most counters will have a
value close to T/2, but the correct candidate subkey
will close to T/2±T/32.
30
Linear Cryptanalysis

The attack is presented as Algorithm 3.2.




L1 and L2 are hexadecimal value.
 S 1 is the inverse of the S-box.
The output, maxkey, contains the most likely subkey.
In general, it is suggested that a linear attack based
on a linear approximation having bias  will be
successful if the number of plaintext-ciphertext pairs
2
c

is approximately
for some “small” constant c.
31
for ( L1 , L2 )  (0,0) to ( F , F )
do Count[ L1 , L2 ]  0
1
Algorithm 3.2: LINEARATTACK( , T ,  S )
for each ( x, y ) 
for ( L1 , L2 )  (0,0) to ( F , F )

4
 v( 2 )  L1  y( 2 )
  4
 v( 4 )  L2  y( 4 )
 u 4   1 (v 4 )
S
( 2)
  ( 2)
do   4
1
4
do u( 4 )   S (v( 4 ) )
 z  x  x  x  u 4  u 4  u 4  u 4
5
7
8
6
8
14
16
 
 if z  0
 
  then Count[ L1 , L2 ]  Count[ L1 , L2 ]  1
 
max  1
for ( L1 , L2 )  (0,0) to ( F , F )


Count[ L1 , L2 ]|Count[ L1 , L2 ]T / 2|

do if Count[ L1 , L2 ] max

 then maxCount[ L1 , L2 ]

maxkey( L1 , L2 )
output (maxkey)
32
3.5 The Data Encryption
Standard



DES was developed at IBM, as a modification of an
earlier system known as Lucifer.
DES was first published in the Federal Register of
March 17, 1975.
DES was adopted as a standard for “unclassified”
applications on January 15, 1977.
33
The Data Encryption Standard

3.5.1 Description of DES

DES is a special type of iterated cipher called a Feistel
cipher.


In a Feistel cipher, each state ui is divided into two halves of
equal length, say Li and Ri.
Round function g: g(Li-1, Ri-1, Ki)=(Li, Ri), where
Li  R i 1

R i  Li 1  f ( R i 1 , K i ).
Invertible:
Li 1  R i  f ( Li , K i )
R i 1  Li .
34
Plaintext
IP
L0
R0
f
L1=R0
K1
R1=L0 xor f (R0,K1)
f
K2
L2=R1
R2=L0 xor f (R0,K1)
L15=R14
R15=L14 xor f (R14,K15)
f
R16=L15 xor f (R15,K16)
One round
K16
L16=R15
IP -1
Ciphertext
Overview of DES
35
The Data Encryption Standard


Initial permutation IP: IP(x)=L0R0
Inverse permutation IP-1: y=IP-1(R16L16)




Note L16 and R16 are swapped before IP-1 is applied.
Each Li and Ri is 32 bits in length.
The function
f : {0,1}32 {0,1}48  {0,1}32
takes as input a 32-bit string (the right half of the
current state) and a round key.
Key schedule (K1,K2,…,K16) consists of 48-bit round
keys that are derived from the 56-bit key, K.
36
The Data Encryption Standard

Suppose we denote the first argument of f function
(Figure 3.7) by A, and the second argument by J.




A is expanded to 48-bit according to a fixed expansion
function E.
Compute E( A)  J and write the result as concatenation of
eight 6-bit strings B=B1B2B3B4B5B6B7B8.
6
4
The next step uses eight S-boxes (S1,…,S8), Si : {0,1}  {0,1}
Given a bitstring of length 6, Bj=b1b2b3b4b5b6.
b1b6 determine the row r of Sj, and b2b3b4b5 determine the
column c of Sj. We compute Cj=Sj(Bj).
The bitstring C=C1C2C3C4C5C6C7C8 is permuted according to
the permutation P. Then f (A,J)=P(C).
37
A
J
E
E(A)
+
B1
B2
B3
B4
B5
S1
S2
S3
S4
S5
C1
C2
C3
C4
C5
B6
S6
C6
B7
S7
C7
B8
S8
C8
P
Figure 3.7
The DES f function
f(A,J)
38
S1
14
4
13
1
2
15
11
8
3
10
6
12
5
9
0
7
0
15
7
4
14
2
13
1
10
6
12
11
6
5
3
8
4
1
14
8
13
6
2
11
15
12
9
7
3
10
5
0
15
12
8
2
4
9
1
7
5
11
3
14
10
0
6
13
Example
3.4
S2
15
1
8
14
6
11
3
4
9
7
2
13
12
0
5
10
3
13
4
7
15
2
8
14
12
0
1
10
6
9
11
5
0
14
7
11
10
4
13
1
5
8
12
6
9
3
2
15
13
8
10
1
3
15
4
2
11
6
7
12
0
5
14
9
S3
10
0
9
14
6
3
15
5
1
13
12
7
11
4
2
8
13
7
0
9
3
4
6
10
2
8
5
14
12
11
15
1
13
6
4
9
8
15
3
0
11
1
2
12
5
10
14
7
1
10
13
0
6
9
8
7
4
15
14
3
11
5
2
12
S4
S-boxes
7
13
14
3
0
6
9
10
1
2
8
5
11
12
4
15
13
8
11
5
6
15
0
3
14
7
2
12
1
10
14
9
10
6
9
0
12
11
7
13
15
1
3
14
5
2
8
4
3
15
0
6
10
1
13
8
9
4
5
11
12
7
2
14
39
S5
2
12
4
1
7
10
11
6
8
5
3
15
13
0
14
9
14
11
2
12
4
7
13
1
5
0
15
10
3
9
8
6
4
2
1
11
10
13
7
8
15
9
12
5
6
3
0
14
11
8
12
7
1
14
2
13
6
15
0
9
10
4
5
3
S6
12
1
10
15
9
2
6
8
0
13
3
4
14
7
5
11
10
15
4
2
7
12
9
5
6
1
13
14
0
11
3
8
9
14
15
5
2
8
12
3
7
0
4
10
1
13
11
6
4
3
2
12
9
5
15
10
11
14
1
7
6
0
8
13
S7
4
11
2
14
15
0
8
13
3
12
9
7
5
10
6
1
13
0
11
7
4
9
1
10
14
3
5
12
2
15
8
6
1
4
11
13
12
3
7
14
10
15
6
8
0
5
9
2
6
11
13
8
1
4
10
7
9
5
0
15
14
2
3
12
S8
S-boxes
13
2
8
4
6
15
11
1
10
9
3
14
5
0
12
7
1
15
13
8
10
3
7
4
12
5
6
11
0
14
9
2
7
11
4
1
9
12
14
2
0
6
10
13
15
3
5
8
2
1
14
7
4
10
8
13
15
12
9
0
3
5
6
11
40
The Data Encryption Standard

Example 3.4: We show how to compute an output
of S-box S1 with input 101000.



b1b6=10 which is 2
b2b3b4b5=1000 which is 4
Output is row 2 and column 4 of S1.


Note: rows are numbered 0,1,2,3 and columns are 0,1,2,…15
So the output is 13 which is 1101 in binary.
41
The Data Encryption Standard


The expansion function E is specified by the
following table:
E bit-selection table
32
1
2
3
4
5
4
5
6
7
8
9
8
9
10
11
12
13
12
13
14
15
16
17
16
17
18
19
20
21
20
21
22
23
24
25
24
25
26
27
28
29
28
29
30
31
32
1
If A=(a1,a2,…,a32) then
E(A)=(a32,a1,a2,a3,a4,a5,a4,…,a31,a32,a1).
42
The Data Encryption Standard

The permutation P is as follows:
P

16
7
20
21
29
12
28
17
1
15
23
26
5
18
31
10
2
8
24
14
32
27
3
9
19
13
30
6
22
11
4
25
If C=(c1,c2,…,c32) then
P(C)=(c16,c7,c20,c21,c29,…,c11,c4,c25).
43
The Data Encryption Standard

Key scheduling:
44
The Data Encryption Standard
45
The Data Encryption Standard

3.5.2: Analysis of DES


The S-boxes, being the non-linear components of the
cryptosystem, are vital to its security.
DES was to make differential cryptanalysis infeasible.


Differential cryptanalysis was known to IBM when they design
DES, but it was kept secret for almost 20 years until Biham and
Shamir invented the technique in the early 1990’s.
The most pertinent criticism of DES is that the size of the
keyspace, 256, is too small.
46
The Data Encryption Standard

Many people try to design a special purpose machine to do
exhaustive key search.


Ex: “DES Cracker” contained 1536 chips and could search 88
billion keys per second. It won RSA Laboratory’s “DES
Challenge II-2” by successfully finding a DES key in 56 hours.
Other than exhaustive key search, differential cryptanalysis
and linear cryptanalysis are the most important attacks.
(linear attack is more efficient)


In 1994, Matsui implemented the attack by using 243 plaintextciphertext pairs with the same key. It took 40 days to generate
the pairs and 10 days to find the key.
DES is still secure theoretically due to the extremely large
number of pairs required. An adversary is impossible to collect
that amount of pairs.
47
3.6 The Advanced Encryption
Standard



On January 2, 1997, NIST began the process of
choosing a replacement for DES and called the
Advanced Encryption Standard, or AES.
It was required that the AES have a block length of
128 bits, and supported key lengths of 128, 192, and
256 bits.
After several AES candidate conferences were held.
On Oct. 2, 2000, Rijndael was selected.

3 main criteria: security, cost, algorithm and implementation
characteristics
48
The Advanced Encryption
Standard

3.6.1 Description of AES

Block length:




Key length:




128 bits (Nb=4)
192 bits (Nb=6)
256 bits (Nb=8)
S0,0
S0,1
S0,2
S0,3
S0,4
S0,5
S0,6
S0,7
S1,0
S1,1
S1,2
S1,3
S1,4
S1,5
S1,6
S1,7
S2,0
S2,1
S2,2
S2,3
S2,4
S2,5
S2,6
S2,7
S3,0
S3,1
S3,2
S3,3
S3,4
S3,5
S3,6
S3,7
128 bits (Nk=4)
192 bits (Nk=6)
256 bits (Nk=8)
Number of rounds Nr:
49
The Advanced Encryption
Standard

Overview of AES:




ADDROUNDKEY, which xors the RoundKey with State.
For each of the first Nr-1 rounds: perform
SUBBYTES(State), SHIFTROWS(State),
MIXCOLUMN(State), ADDROUNDKEY.
Final round: SUBBYTES, SHIFTROWS, ADDROUNDKEY.
All operations in AES are byte-oriented.


The plaintext x consists of 16 byte, x0,x1,…,x15.
Initially State is plaintext x (for 128-bit case):
S0,0
S0,1
S0,2
S0,3
x0
x4
x8
x12
S1,0
S1,1
S1,2
S1,3
x1
x5
x9
x13
S2,0
S2,1
S2,2
S2,3
x2
x6
x10
x14
S3,0
S3,1
S3,2
S3,3
x3
x7
x11
x15
50
The Advanced Encryption
Standard

SUBBYTES:


It performs a substitution on each byte of State using an Sbox, say  S .
 S is a 16x16 array (Figure 3.8). A byte is represented as
two hexadecimal digits XY. So XY after substitution
is  S (XY ).
51
X
Example
3.5
Y
0
1
2
3
4
5
6
7
8
9
A
B
C
D
E
F
0
63
7C
77
7B
F2
6B
6F
C5
30
01
67
2B
FE
D7
AB
76
1
CA
82
C9
7D
FA
59
47
F0
AD
D4
A2
AF
9C
A4
72
C0
2
B7
FD
93
26
36
3F
F7
CC
34
A5
E5
F1
71
D8
31
15
3
04
C7
23
C3
18
96
05
9A
07
12
80
E2
EB
27
B2
75
4
09
83
2C
1A
1B
6E
5A
A0
52
3B
D6
B3
29
E3
2F
84
5
53
D1
00
ED
20
FC
B1
5B
6A
CB
BE
39
4A
4C
58
CF
6
D0
EF
AA
FB
43
4D
33
85
45
F9
02
7F
50
3C
9F
A8
7
51
A3
40
8F
92
9D
38
F5
BC
B6
DA
21
10
FF
F3
D2
8
CD
0C
13
EC
5F
97
44
17
C4
A7
7E
3D
64
5D
19
73
9
60
81
4F
DC
22
2A
90
88
46
EE
B8
14
DE
5E
0B
DB
A
E0
32
3A
0A
49
06
24
5C
C2
D3
AC
62
91
95
E4
79
B
E7
C8
37
6D
8D
D5
4E
A9
6C
56
F4
EA
65
7A
AE
08
C
BA
78
25
2E
1C
A6
B4
C6
E8
DD
74
1F
4B
BD
8B
8A
D
70
3E
B5
66
48
03
F6
0E
61
35
57
B9
86
C1
1D
9E
E
E1
F8
98
11
69
D9
8E
94
9B
1E
87
E9
CE
55
28
DF
F
8C
A1
89
0D
BF
E6
42
68
41
99
2D
0F
B0
54
BB
16
Figure 3.8
The AES S-box
52
The Advanced Encryption
Standard

The AES S-box can be defined algebraically. The
permutation  S incorporates operations in the finite
field
F28  Ζ2 [ x] /( x8  x 4  x3  x  1).



FIELDINV: the multiplicative inverse of a filed element
BINARYTOFIELD: convert a byte to a field element
FIELDTOBINARY: inverse operation

7
i
a
x
 i
i 0
corresponds to the byte
a7 a6 a5 a4 a3a2 a1a0
53
The Advanced Encryption
Standard

Algorithm 3.4: SUBBYTES(a7a6a5a4a3a2a1a0)
external FIELDINV, BINARYTOFIELD, FIELDTOBINARY
z  BINARYTOFILED(a7a6a5a4a3a2a1a0)
if z  0
then z  FIELDINV(z)
(a7a6a5a4a3a2a1a0)  FIELDTOBINARY(z)
(c7c6c5c4c3c2c1c0)  (01100011)
comment: In the following loop, all subscripts are to be
reduced modulo 8
for i  0 to 7
do bi  (ai  ai  4  ai 5  ai 6  ai 7  ci ) mod 2
return (b7b6b5b4b3b2b1b0)
54
The Advanced Encryption
Standard

Example 3.5: (illustrates Algorithm 3.4)

Suppose we begin with (hex) 53. In binary, it’s 01010011,
which represents the field element
x6  x4  x  1
The multiplicative inverse (in F 8 ) can be shown to be
2
x7  x6  x3  x
Thus we have
(a7 a6 a5 a4 a3a2 a1a0 )  (11001010).
55
The Advanced Encryption
Standard
b0  a0  a4  a5  a6  a7  c0 mod 2
 0  0  0  1  1  1 mod 2
1
b1  a1  a5  a6  a7  a0  c1 mod 2
 1  0  1  1  0  1 mod 2
 0,
etc. The result is
(b7b6b5b4b3b2b1b0 )  (11101101).
which is ED in hex.

This computation can be checked by verifying the entry in row
5 and column 3 of Figure 3.8.
56
The Advanced Encryption
Standard

SHIFTROWS:


S0,0
S0,1
S0,2
S0,3
S0,0
S0,1
S0,2
S0,3
S1,0
S1,1
S1,2
S1,3
S1,1
S1,2
S1,3
S1,0
S2,0
S2,1
S2,2
S2,3
S2,2
S2,3
S2,0
S2,1
S3,0
S3,1
S3,2
S3,3
S3,3
S3,0
S3,1
S3,2
Case Nb=4 or 6
Row 0: no shift
Row i: shift Ci
57
The Advanced Encryption
Standard

MIXCOLUMNS: (Algorithm 3.5)



It is carried out on each of the four columns of State.
Each column of State is replaced by a new column which is
formed by multiplying that column by a certain matrix of
elements of the field F28 .
FIELDMULT computes two inputs product in the field.
Note: 2 is x in F28 and 3 is x+1 in F28
58
The Advanced Encryption
Standard

Algorithm 3.5: MIXCOLUMN(c)
external FIELDMULT, BINARYTOFIELD, FIELDTOBINARY
for i  0 to 3
do ti  BINARYTOFIELD(si,c)
u0 FIELDMULT(x,t0)  FIELDMULT(x+1,t1)  t2 
u1  FIELDMULT(x,t1)  FIELDMULT(x+1,t2)  t3 
u2  FIELDMULT(x,t2)  FIELDMULT(x+1,t3)  t0 
u3  FIELDMULT(x,t3)  FIELDMULT(x+1,t0)  t1 
for i  0 to 3
do si,c  FIELDTOBINARY(ui)
t3
t0
t1
t2
59
The Advanced Encryption
Standard

KEYEXPANSION: (for 10-round AES)





10-round, 128-bit key
We need 11 round keys, each of 16 bytes
Key scheduling algorithm is word-oriented (4 bytes), so a
round key consists of 4 words
The concatenation of round keys is called the expanded key,
which consists of 44 words, w[0], w[1],…, w[43].
See Algorithm 3.6
60
The Advanced Encryption
Standard

Notations of Algorithm 3.6:





Input: 128-bit key, key, key[0],…,key[15]
Output: words, w
ROTWORD: a cyclic shift of four bytes B0,B1,B2,B3
ROTWORD (B0,B1,B2,B3)= (B1,B2,B3,B0)
SUBWORD: applies the S-box to each byte
SUBWORD (B0,B1,B2,B3)=(B0’,B1’,B2’,B3’)
where Bi’=SUBBYTES(Bi)
RCon: an array of 10 words, RCon[1],…,RCon[10], they are
constants defined at the beginning
61
Algorithm 3.6: KEYEXPANSION(key)
external ROTWORD, SUBWORD
RCon[1]  01000000
RCon[2]  02000000
RCon[3]  04000000
RCon[4]  08000000
RCon[5]  10000000
RCon[6]  20000000
RCon[7]  40000000
RCon[8]  80000000
RCon[9]  1B000000
RCon[10]  36000000
for i  0 to 3
do w[i] (key[4i],key[4i+1],key[4i+2],key[4i+3])
for i  4 to 43
do temp  w[i-1]
if i  0 (mod 4)
then temp SUBWORD(ROTWORD(temp)) RCon[1/4]
w[i]  w[i-4]  temp
return (w[0],…,w[43])
62
The Advanced Encryption
Standard



Above are the operations need to encrypt in AES.
To decrypt, we perform all operations and the key
schedule in the reverse order.
Each operation, SHIFTROWS, SUBBYTES, MIXCOLUMNS
must be replaced by their inverse operations.

ADDROUNDKEY is its own reverse.
63
The Advanced Encryption
Standard

3.6.2 Analysis of AES


AES is secure against all known attacks.
Various aspects of design incorporate specific features to
against specific attacks.


Ex1: Finite field inversion in S-box yields linear approximation
and difference distribution tables close to uniform.
Ex2: MIXCOLUMNS makes it impossible to find differential and
linear attacks that involve “few” active S-boxes (wide trail
strategy).
64
3.7 Modes of Operation

Four modes of operation for DES:





Electronic codebook mode (ECB mode)
Cipher feedback mode (CFB mode)
Cipher block chaining mode (CBC mode)
Output feedback mode (OFB mode)
ECB mode corresponds to the naive use of a
block cipher:

x1,x2,…of 64-bit plaintext blocks, encrypted with the same
key K, producing a string of ciphertext blocks, y1,y2,…
65
Modes of Operation

CBC mode:


IV=y0
encrypt
initialization vector IV and y0=IV
yi  eK ( yi 1  xi ), i  1.
x1
x2
+
+
eK
eK
y1
y2
decrypt
IV=y0
y1
y2
dK
dK
+
+
x1
x2
Figure 3.9 CBC mode
66
Modes of Operation

OFB mode:



a synchronous stream cipher (cf. section 1.1.7)
z0=IV, then keystream z1z2…
zi  eK ( zi 1 ), for i  1.
encryption:
yi  xi  zi , for i  1.
x2
x1
eK
+
encrypt
y1
IV=z0
eK
+
y2
y2
y1
IV=z0
eK
decrypt
+
x1
eK
+
x2
67
Modes of Operation

CFB mode:



y0=IV
keystream: zi  eK ( yi 1 ), for i  1.
encryption: yi  xi  zi , for i  1.
x2
x1
IV=y0
eK
encrypt
+
y1
eK
+
y2
y2
y1
IV=y0
eK
decrypt
+
x1
eK
+
x2
Figure 3.10 CFB mode
68
Modes of Operation

Some properties:

In ECB and OFB modes, changing one 64-bit plaintext block,
xi, causes the corresponding ciphertext block, yi, to be
altered, but other ciphertext blocks are not affected.


It is useful in some cases, like communicating on an unreliable
channel.
In CBC and CFB modes, if a plaintext block xi is changed,
then yi and all subsequent ciphertext blocks will be affected.

These modes can be used to produce a message
authentication code (MAC). (see Chap 4)
69