
A

AES (ADVANCED ENCRYPTION STANDARD)


, . ., .

.: 210-3352643, e-mail: zorkadis@dpa.gr
1997, National Institute of Standards and Technology (NIST)


.
DES, . , DES,
,
.
1998, NIST 15 ,
. ,
NIST
. ,
, NIST 5
10.
5 ,
NIST ( Secretary of Commerce, )
Rijndael Advanced Encryption Standard (AES).
Rijndael Joan Daemen
Vincent Rijmen. 2001
2002,
Rijndael.
, ,
,
,
AES.

1.

, 1997.
: ,

.

.
,
,
.
, ,
(),
.
()
, 8, 32 64 bits.
128, 192 256
bits. , NIST
,
.

, .
,

() ,
. ,
,
(stream cipher), (hashing
algorithm) . ,
,
firmware.
.

AES MARS, RC6, Rijndael, Serpent Twofish.

Rijndael,
. MARS
32 , 16
.
. 16
8 (S-boxes) 32 bit,
. ,

( 32 bits) ( )
.
RC6 20 .
,
. ,
, (XOR),
. Serpent 32 .
:
, 32
8 (S-boxes) .
, ,
. ,
Twofish 16 .
(S-boxes 8x8),
. , Hadamard (
) .
2. AES
Rijndael o (block oriented cipher)
o .
AES ,
128 bits 128, 192 256 bits.
,
Rijndael, ,


, . Rijndael
Feistel, , , bits
.
AES,
AES
Rijndael. AES
Rijndael,
Rijndael.
AES,
, (layers).
bit .
(linear mixing layer)
. (non-linear layer)
(S-boxes),

(optimum worst-case
nonlinearity properties). , (key
addition layer),

(XOR).
(XOR)
, , ,
,
,

( DES).

, IDEA
Blowfish.
.

.
DES.

3. AES
( ) GF(28)

. ,
GF(28) . ,
.
AES .
, byte b, bits $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$,
{0, 1}:
$b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0$.
, byte 57 ( 01010111)
$x^6 + x^4 + x^2 + x + 1$.
( : 0=0000,
1=0001, 2=0010, 3=0011, 4=0100, 5=0101, 6=0110, 7=0111, 8=1000,
9=1001, a=1010, b=1011, c=1100, d=1101, e=1110 f=1111.)
GF(28)
,

(mod 2), . (1+1=0, 0+0=0,
0+1=1, 1+0=1.)
1
$(x^6 + x^4 + x^2 + x + 1) + (x^7 + x^4 + x^3 + 1) = x^7 + x^6 + x^3 + x^2 + x$
01010111 + 10011001 = 11001110
57 + 99 = CE.
,
bytes.
GF(2^8)

modulo (irreducible)

8 . (
1 .) AES
$m(x) = x^8 + x^4 + x^3 + x + 1$, 000100011011 (hex 11B).
2
57 • 83 = C1: $(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = (x^{13} + x^{11} + x^9 + x^8 + x^7) + (x^7 + x^5 + x^3 + x^2 + x) + (x^6 + x^4 + x^2 + x + 1) = (x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) \bmod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1$.

, .
01 ,
.
(
) mod m(x).
, b(x), 8,
a(x) c(x), : $b(x) \bullet a(x) + c(x) \bullet m(x) = 1$.
, $b(x) \bullet a(x) \bmod m(x) = 1$, $b^{-1}(x) = a(x) \bmod m(x)$.
, $a(x) \bullet (b(x) + c(x)) = a(x) \bullet b(x) + a(x) \bullet c(x)$.
256 bytes, XOR
, ,
GF(2^8).
x
b(x) x :
$x \bullet b(x) = (b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x) \bmod m(x)$. $b_7 = 0$,
8
mod m(x) . , ,

b(x). $b_7 = 1$, 8,
m(x) m(x) x b(x).
, b(x) x


b(x), m(x)
$b_7 = 1$.
3
01010111 • 00000010 = 10101110, i.e. 57 • 02 = AE.
10101110 • 00000010 = 01001111, i.e. AE • 02 = 47.
b(x) x,

.
GF(2^8)

GF(2^8). , bytes
4.
,

GF(2^8) bit.
, . $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$ $b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0$
GF(2^8), :
$c(x) = a(x) \bullet b(x) = c_6 x^6 + c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0$,
$c_0 = a_0 \bullet b_0$, $c_1 = a_1 \bullet b_0 \oplus a_0 \bullet b_1$, $c_2 = a_2 \bullet b_0 \oplus a_1 \bullet b_1 \oplus a_0 \bullet b_2$, $c_3 = a_3 \bullet b_0 \oplus a_2 \bullet b_1 \oplus a_1 \bullet b_2 \oplus a_0 \bullet b_3$, $c_4 = a_3 \bullet b_1 \oplus a_2 \bullet b_2 \oplus a_1 \bullet b_3$, $c_5 = a_3 \bullet b_2 \oplus a_2 \bullet b_3$,
$c_6 = a_3 \bullet b_3$.
, c(x)
bytes. modulo
c(x) 4.
AES $M(x) = x^4 + 1$,

. ( AES $a(x) = \{03\} x^3 + \{01\} x^2 + \{01\} x + \{02\}$ $a^{-1}(x) = \{0B\} x^3 + \{0D\} x^2 + \{09\} x + \{0E\}$.) $x^j \bmod (x^4 + 1) = x^{j \bmod 4}$,


a(x) c(x) :
$d(x) = a(x) \otimes b(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0$,
$d_0 = (a_0 \bullet b_0) \oplus (a_3 \bullet b_1) \oplus (a_2 \bullet b_2) \oplus (a_1 \bullet b_3)$,
$d_1 = (a_1 \bullet b_0) \oplus (a_0 \bullet b_1) \oplus (a_3 \bullet b_2) \oplus (a_2 \bullet b_3)$,
$d_2 = (a_2 \bullet b_0) \oplus (a_1 \bullet b_1) \oplus (a_0 \bullet b_2) \oplus (a_3 \bullet b_3)$,
$d_3 = (a_3 \bullet b_0) \oplus (a_2 \bullet b_1) \oplus (a_1 \bullet b_2) \oplus (a_0 \bullet b_3)$.
,
, :
$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} = \begin{pmatrix} a_0 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_3 \\ a_3 & a_2 & a_1 & a_0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}.$$

GF(2^8) x
b(x) x :
$x \bullet b(x) = (b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x) \bmod (x^4 + 1) = b_2 x^3 + b_1 x^2 + b_0 x + b_3$.

, a(x) 00 $a_1 = 01$.
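The field arithmetic of this section worked through in code, as an added example that is not taken from the paper: addition as XOR, multiplication by x with reduction by m(x), general multiplication by shift-and-add, the multiplicative inverse, and the multiplication of four-byte polynomials modulo x^4 + 1 through the circulant matrix above. The function names (gf_add, xtime, gf_mul, gf_inv, word_mul) are this example's own, and the inverse is computed as a^254 (the non-zero field elements form a group of order 255) rather than with the extended Euclidean algorithm the text describes. The checks reproduce the computations 57 + 99, 57 • 83, 57 • 02 and AE • 02 from above and confirm that a(x) and a^{-1}(x) of the text are inverses modulo x^4 + 1.

```python
# Added worked example (not the paper's code): GF(2^8) arithmetic with
# m(x) = x^8 + x^4 + x^3 + x + 1, plus multiplication of four-byte polynomials
# modulo x^4 + 1 as used by MixColumns. Bytes are ints 0..255; a four-byte
# polynomial is a list [a0, a1, a2, a3] (coefficient of x^0 first).

M_X = 0x11B  # 1 0001 1011 = x^8 + x^4 + x^3 + x + 1


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^8): XOR of the bytes (coefficient-wise addition mod 2)."""
    return a ^ b


def xtime(b: int) -> int:
    """b(x) * x: shift left one bit; if b7 was 1 the x^8 term is removed by XOR with m(x)."""
    b <<= 1
    if b & 0x100:
        b ^= M_X
    return b


def gf_mul(a: int, b: int) -> int:
    """a(x) * b(x) mod m(x): write b as a sum of powers of x and add the matching xtime() multiples of a."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse b^-1(x). Uses a^254 = a^-1 (square-and-multiply) instead of
    the extended Euclidean algorithm; 0 has no inverse and is returned as 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def word_mul(a: list, b: list) -> list:
    """d(x) = a(x) (x) b(x) modulo x^4 + 1 with coefficients in GF(2^8).
    d_i = XOR over j of a_((i - j) mod 4) * b_j, i.e. the circulant matrix of the text."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[i] ^= gf_mul(a[(i - j) % 4], b[j])
    return d


if __name__ == "__main__":
    print(hex(gf_add(0x57, 0x99)), hex(gf_mul(0x57, 0x83)), hex(xtime(0x57)))  # 0xce 0xc1 0xae
    # a(x) = {03}x^3 + {01}x^2 + {01}x + {02} times a^-1(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}
    print(word_mul([0x02, 0x01, 0x01, 0x03], [0x0E, 0x09, 0x0D, 0x0B]))  # [1, 0, 0, 0]
```

word_mul with a = [02, 01, 01, 03] is exactly one MixColumns column transformation, and the same routine with a^{-1}(x) undoes it; multiplying by a(x) = [00, 01, 00, 00] rotates the column, as the last equation of the section states.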
4. AES

, (state).
, bytes.

. AES ,
128 bits,
4. ( Rijndael 4 6 8
, 128 192 256 bits.)
, 128
bits .
.

() .
, .
128 bits, 4,
192 256 bits, 6 8
.
Nb
Nk. 1
Nb=4 Nk=6.
[Figure 1: the state array (Nb=4) with bytes s_{r,c}, r = 0..3, c = 0..3, and the cipher key array (Nk=6) with bytes k_{r,c}, r = 0..3, c = 0..5]

1 (Nb=4) (Nk=6)
(Nr), ,
. ( Rijndael .)
10 14. AES ,
( 1).

            (Nk)   (Nb)   (Nr)
  AES-128     4      4     10
  AES-192     6      4     12
  AES-256     8      4     14

1 (Nr) Nk

(O Rijndael Nk, Nb Nr,


2.)
         Nb=4   Nb=6   Nb=8
  Nk=4    10     12     14
  Nk=6    12     12     14
  Nk=8    14     14     14

2 (Nr) Rijndael Nb
Nk

( , )

[Figure 2: round structure of AES]
AddRoundKey
ByteSub, ShiftRow, MixColumn, AddRoundKey  (repeated for rounds 1 to Nr-1)
ByteSub, ShiftRow, AddRoundKey  (final round)

2 AES
, ,
:

SubBytes( ), .

ShiftRows( ),
( , ).

MixColumns( ),
( , bytes ).

AddRoundKey( ), () .


2 AES.

.

( 3).
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
  byte state[4, Nb]
  state = in
  AddRoundKey(state, w[0, Nb-1])
  for round = 1 step 1 to Nr-1
    SubBytes(state)
    ShiftRows(state)
    MixColumns(state)
    AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
  end for
  SubBytes(state)
  ShiftRows(state)
  AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
  out = state
end

3 AES
AES:
SubBytes(),

ShiftRows(),

MixColumns()

AddRoundKey().

()
.
SubBytes( )
, (Sboxes) DES, byte :
1. byte
finite field GF(2^8) ( 3).
2. 1 (affine)
GF(2). ( affine

.)

$$\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix} \begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$

byte a,
x finite field GF(2^8), byte y.
x y,
,
. byte
GF(2^8)
, bits
.

SubBytes()
( 3). (
256.)

 u\v   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
  1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
  2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
  3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
  4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
  5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
  6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
  7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
  8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
  9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
  a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
  b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
  c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
  d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
  e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
  f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

3 AES, SubBytes()



. , byte
uv, , byte
u v . , byte 53
byte 5 3,
byte ed.
ShiftRows()
ShiftRows(), bytes

. Rijndael, 0 .
1 bytes C1, 2 C2
3 C3 . C1, C2 C3
, ,
4.
  Nb   C1   C2   C3
  4     1    2    3

4 C1, C2 C3 Nb
Rijndael.
4
ShiftRows .
[Figure 4: ShiftRows() on the state rows m, n, o, p: row 0 (m) is unchanged, row 1 (n) is rotated left by 1 byte, row 2 (o) by 2 bytes and row 3 (p) by 3 bytes]

4 ShiftRows() AES


MixColumns()

GF(2^8)
, $c(x) = \{03\} x^3 + \{01\} x^2 + \{01\} x + \{02\}$, modulo $(x^4 + 1)$. 4.4.3,
$(x^4 + 1)$ , c(x)

.
,
c(x) modulo $(x^4 + 1)$,
( 1). ,
modulo $(x^4 + 1)$.
$$\begin{pmatrix} b_{0,j} \\ b_{1,j} \\ b_{2,j} \\ b_{3,j} \end{pmatrix} = c(x) \otimes \begin{pmatrix} a_{0,j} \\ a_{1,j} \\ a_{2,j} \\ a_{3,j} \end{pmatrix}$$
, bytes :
$b_{0,j} = (02 \bullet a_{0,j}) \oplus (03 \bullet a_{1,j}) \oplus a_{2,j} \oplus a_{3,j}$,
$b_{1,j} = a_{0,j} \oplus (02 \bullet a_{1,j}) \oplus (03 \bullet a_{2,j}) \oplus a_{3,j}$,
$b_{2,j} = a_{0,j} \oplus a_{1,j} \oplus (02 \bullet a_{2,j}) \oplus (03 \bullet a_{3,j})$,
$b_{3,j} = (03 \bullet a_{0,j}) \oplus a_{1,j} \oplus a_{2,j} \oplus (02 \bullet a_{3,j})$.

. ,
( 1) $d(x) = \{0B\} x^3 + \{0D\} x^2 + \{09\} x + \{0E\}$ (modulo $x^4 + 1$). c(x) d(x) : $c(x) \otimes d(x) = \{01\} \bmod (x^4 + 1)$.
AddRoundKey()

byte bytes
(XOR).
AddRoundKey
.


5.
( ),
AddRoundKey(), K.
bits ,
, .
,
AddRoundKey() (
2), bits bits ,
Nb(Nr+1) 4 bytes = 32Nb(Nr+1) bits. , 128
bits 1408 bits .

K
AddRoundKey() (
).
Expanded_Key ,
Nk ( 4 bytes) K.
Expanded_Key
, Nk.
bytes K Expanded_Key,
-, [i] bytes
K E_K[j] Expanded_Key.
KeyExpansion(byte K[4*Nk], word E_K[Nb*(Nr+1)], Nk)
begin
  word temp
  i = 0
  while (i < Nk)
    E_K[i] = word(K[4*i], K[4*i+1], K[4*i+2], K[4*i+3])
    i = i+1
  end while
  i = Nk
  while (i < Nb*(Nr+1))
    temp = E_K[i-1]
    if (i mod Nk = 0)
      temp = SubWord(RotWord(temp)) xor Rcon[i/Nk]
    else if (Nk > 6 and i mod Nk = 4)
      temp = SubWord(temp)
    end if
    E_K[i] = E_K[i-Nk] xor temp
    i = i+1
  end while
end

5
SubWord() , 4
bytes, , 4 bytes bytes
SubBytes() bytes
. RotWord() bytes (a,b,c,d)
(b,c,d,a).
Rcon[i], :
Rcon[i] = (RC[i], 00, 00, 00), RC[i]
GF(2^8) $x^{(i-1)}$. , RC[1] = 1,
01, RC[2] = x, 02, . ( i 1
0.)
KeyExpansion Nk
Expanded_Key, K,
_[i] Expanded-Key
(XOR) _[i-1]
_[i-Nk]. , Nk,
_[i-1]
,
Rcon[i].
bytes
(RotWord()), bytes
(SubWord()).

256 bits. ,
Nk>6 (i-4) k,
SubWord() _[i-1].
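A complete AES encryption written against the Cipher() and KeyExpansion() pseudocode of sections 4 and 5, as an added example (my own code, not the paper's, NIST's or the Rijndael authors'). The S-box is generated from its definition in section 4 (multiplicative inverse in GF(2^8) followed by the affine transformation) instead of being copied from Table 3, so byte substitution, row shifting, column mixing and the key schedule can be checked end to end against the FIPS-197 known-answer vectors. It goes slightly beyond the AES-128 walk-through of the text by accepting 16, 24 or 32-byte keys (Nk = 4, 6, 8 and Nr = Nk + 6). The state is a 16-byte list indexed r + 4c as in Figure 1, and names such as encrypt_block, key_expansion and SBOX are the example's own. It is written for clarity, not for constant-time operation.

```python
# Added example (not the paper's code): compact AES encryption following the
# Cipher() and KeyExpansion() pseudocode above. Nb = 4; Nk in {4, 6, 8}; Nr = Nk + 6.
# State layout: list of 16 ints, index r + 4*c (row r, column c), as in Figure 1.


def xtime(b: int) -> int:
    """Multiply by x in GF(2^8), reducing by m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """a * b in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _affine(x: int) -> int:
    """Affine map of SubBytes: x ^ rot1(x) ^ rot2(x) ^ rot3(x) ^ rot4(x) ^ 0x63 (the matrix of section 4)."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63


# S-box = affine(inverse(a)); 0 maps to 0 by definition. The inverse is found by
# exhaustive search, which is acceptable for a 256-entry table built once at import.
SBOX = [_affine(next(b for b in range(1, 256) if gf_mul(a, b) == 1) if a else 0)
        for a in range(256)]


def key_expansion(key: bytes) -> list:
    """KeyExpansion(): returns Nb*(Nr+1) round-key words, each a list of 4 bytes."""
    Nk = len(key) // 4
    assert Nk in (4, 6, 8), "key must be 16, 24 or 32 bytes"
    Nr = Nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(Nk)]
    rc = 0x01                                   # RC[1] = x^0; RC[i] = xtime(RC[i-1])
    for i in range(Nk, 4 * (Nr + 1)):
        temp = list(w[i - 1])
        if i % Nk == 0:
            temp = temp[1:] + temp[:1]          # RotWord: (a,b,c,d) -> (b,c,d,a)
            temp = [SBOX[t] for t in temp]      # SubWord
            temp[0] ^= rc                       # Rcon[i/Nk] = (RC[i/Nk], 00, 00, 00)
            rc = xtime(rc)
        elif Nk > 6 and i % Nk == 4:
            temp = [SBOX[t] for t in temp]      # extra SubWord for 256-bit keys
        w.append([w[i - Nk][j] ^ temp[j] for j in range(4)])
    return w


def sub_bytes(s: list) -> list:
    return [SBOX[b] for b in s]


def shift_rows(s: list) -> list:
    """Row r is rotated left by r bytes: s'[r][c] = s[r][(c + r) mod 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s: list) -> list:
    """Each column times c(x) = 03x^3 + 01x^2 + 01x + 02 modulo x^4 + 1 (03*a = xtime(a) ^ a)."""
    out = s[:]
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            a1 = a[(r + 1) % 4]
            out[4 * c + r] = xtime(a[r]) ^ xtime(a1) ^ a1 ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
    return out


def add_round_key(s: list, w: list, rnd: int) -> list:
    """XOR column c of the state with round-key word w[4*rnd + c]."""
    return [s[r + 4 * c] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Cipher(): AddRoundKey, Nr-1 full rounds, then a final round without MixColumns."""
    w = key_expansion(key)
    Nr = len(w) // 4 - 1
    state = add_round_key(list(block), w, 0)
    for rnd in range(1, Nr):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), w, rnd)
    state = add_round_key(shift_rows(sub_bytes(state)), w, Nr)
    return bytes(state)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 known-answer test for AES-128.
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print(encrypt_block(pt, key).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Because SBOX is derived rather than transcribed, a correct ciphertext on the known-answer vector confirms both the S-box construction of section 4 and Table 3 at once; SBOX[0x53] must equal 0xed, as the text notes, and the first expanded word for the C.1 key must be d6aa74fd.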


6. AES

InvShiftRows(),

InvSubBytes(),

InvMixColumns()

AddRoundKey().

.
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
  byte state[4, Nb]
  state = in
  AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
  for round = Nr-1 step -1 downto 1
    InvShiftRows(state)
    InvSubBytes(state)
    AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    InvMixColumns(state)
  end for
  InvShiftRows(state)
  InvSubBytes(state)
  AddRoundKey(state, w[0, Nb-1])
  out = state
end

6 AES

AES: InvShiftRows(), InvSubBytes(), InvMixColumns() AddRoundKey().
InvShiftRows()
InvShiftRows(), bytes

ShiftRows(). , 0
. 1 bytes 1 , 2
2 3 3 .
InvSubBytes( )
InvSubBytes() byte
.
 u\v   0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0   52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
  1   7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
  2   54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
  3   08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
  4   72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
  5   6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
  6   90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
  7   d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
  8   3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
  9   96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
  a   47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
  b   fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
  c   1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
  d   60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
  e   a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
  f   17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
5 AES, InvSubBytes()
InvMixColumns()
MixColumns().

GF(2^8).
$d(x) = \{0b\} x^3 + \{0d\} x^2 + \{09\} x + \{0e\}$ (modulo $x^4 + 1$). d(x)
c(x) MixColumns(), c(x). $c(x) \otimes d(x) = \{01\} \bmod (x^4 + 1)$.
b(x),
a(x) d(x)
modulo $(x^4 + 1)$, . , bytes
:
$b_{0,j} = (0e \bullet a_{0,j}) \oplus (0b \bullet a_{1,j}) \oplus (0d \bullet a_{2,j}) \oplus (09 \bullet a_{3,j})$,
$b_{1,j} = (09 \bullet a_{0,j}) \oplus (0e \bullet a_{1,j}) \oplus (0b \bullet a_{2,j}) \oplus (0d \bullet a_{3,j})$,
$b_{2,j} = (0d \bullet a_{0,j}) \oplus (09 \bullet a_{1,j}) \oplus (0e \bullet a_{2,j}) \oplus (0b \bullet a_{3,j})$,
$b_{3,j} = (0b \bullet a_{0,j}) \oplus (0d \bullet a_{1,j}) \oplus (09 \bullet a_{2,j}) \oplus (0e \bullet a_{3,j})$.
InvAddRoundKey()
AddRoundKey(),
(XOR),
AddRoundKey .
,
. ,


,
.

O AES ,
DES, Triple DES.
, DES,
. AES Rijndael,
10, 12 14 ,
. AES 4 , ByteSub,
ShiftRow, MixColumn AddKeyRound.
byte .
.
bytes bytes
XOR. AddKeyRound
, MixColumn.

Advanced Encryption Standard, http://www.nist.gov/CryptoToolkit.


J. Daemen and V. Rijmen, Rijndael, 1999, http://www.nist.gov/CryptoToolkit.
. , , 2002, ISBN: 960-538-390-X,
.

