
1. Abstract
2. Introduction
3. AES Evaluation
   3.1 The Origins of AES
   3.2 AES Evaluation
   3.3 AES Vs 3DES
4. AES Cipher
5. Design Rationale
6. AES Structure
   6.1 Substitute Byte Transformation
   6.2 Shift Row Transformation
   6.3 Mix Column Transformation
   6.4 Add Round Key Transformation
7. Equivalent Inverse Cipher
8. AES Advantages and Limitations
   8.1 Advantages
   8.2 Limitations
9. Conclusion
10. References


1. Abstract
In 1997, the National Institute of Standards and Technology (NIST) initiated a process to select a symmetric-key encryption algorithm to be used to protect sensitive Federal information, in furtherance of NIST's statutory responsibilities. NIST's initial goals were a strong cryptographic algorithm for government and commercial use, significantly more efficient than DES, with a variable key size so that security could be increased when needed. In 1998, NIST announced the acceptance of 15 candidate algorithms and requested the assistance of the cryptographic research community in analyzing the candidates. This analysis included an initial examination of the security and efficiency characteristics of each algorithm. NIST reviewed the results of this preliminary research and selected MARS, RC6, Rijndael, Serpent and Twofish as finalists. Having reviewed further public analysis of the finalists, NIST decided to propose Rijndael as the Advanced Encryption Standard (AES).

2. Introduction
The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications.

3. AES Evaluation
3.1. The Origins of AES
DES and 3DES have a few issues:
- With its 168-bit key length, 3DES overcomes the vulnerability of DES to brute-force attack.
- The original DES was designed for 1970s hardware implementation and does not produce efficient software code.
- The underlying encryption algorithm in 3DES is the same as in DES.
- The principal drawback of 3DES is that the algorithm is relatively sluggish in software.
- 3DES, which has three times as many rounds as DES, is correspondingly slower.
- A further drawback is that DES and 3DES use a 64-bit block size.
Because of these drawbacks, 3DES is not a reasonable candidate for long-term use. As a replacement, NIST in 1997 issued a call for proposals for a new Advanced Encryption Standard (AES), which should have security better than 3DES and significantly improved efficiency. AES must be a symmetric block cipher with a block length of 128 bits and support for key lengths of 128, 192 and 256 bits.


In a first-round evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms:
- Rijndael (Joan Daemen and Vincent Rijmen)
- MARS (IBM): too slow and complicated
- RC6 (RSA Laboratories): too much RAM
- Serpent (Ross Anderson, University of Cambridge): conservative but too slow
- Twofish (Bruce Schneier and John Kelsey): slow and subtle
NIST completed its evaluation process and published a final standard, FIPS PUB 197 (FIPS: Federal Information Processing Standard), in November 2001. NIST selected Rijndael as the proposed AES algorithm. The two researchers who developed and submitted Rijndael for the AES, Dr. Joan Daemen and Dr. Vincent Rijmen, are both cryptographers from Belgium. Ultimately AES is intended to replace 3DES, but this process will take a number of years. NIST anticipates that 3DES will remain an approved algorithm for the foreseeable future.

3.2. AES Evaluation
When NIST issued its original request for candidate algorithm nominations in 1997, the request stated that candidate algorithms would be compared on three categories:
- Security: the minimum key size should be 128 bits
- Cost: AES must have high computational efficiency, so as to be usable in high-speed applications such as broadband links
- Algorithm and implementation characteristics: flexibility, suitability for a variety of hardware and software implementations
Under these criteria the initial 21 algorithms were reduced to 15 algorithms and then to 5 candidates. The following criteria were used in the final evaluation:
- General security
- Software implementation
- Restricted-space environments: in some applications, such as smart cards, relatively small amounts of RAM and ROM are available
- Hardware implementations
- Attacks on implementations
- Encryption vs. decryption
- Key agility
- Other versatility and flexibility
- Potential for instruction-level parallelism
Based on the above criteria, NIST selected Rijndael (pronounced "rain-doll").


3.3 AES Vs 3DES

AES vs. Triple-DES

                      AES                      Triple-DES
Type of algorithm     Symmetric, block cipher  Symmetric, Feistel cipher
Key size (in bits)    128, 192, 256            112 or 168
Speed                 High                     Low
Time to crack *       149 trillion years       4.6 billion years
Resource consumption  Low                      Medium

* Assuming a machine could try 2^55 keys per second (NIST).

4. AES Cipher
The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192 or 256 bits. The AES specification uses the same three size alternatives but limits the block length to 128 bits.

                                          AES-128    AES-192    AES-256
Key size (words/bytes/bits)               4/16/128   6/24/192   8/32/256
Plaintext block size (words/bytes/bits)   4/16/128   4/16/128   4/16/128
Number of rounds                          10         12         14
Round key size (words/bytes/bits)         4/16/128   4/16/128   4/16/128
Expanded key size (words/bytes)           44/176     52/208     60/240

5. Design Rationale
The three criteria taken into account in the design of Rijndael are:
- Resistance against all known attacks
- Speed and code compactness on a wide range of platforms
- Design simplicity
In most ciphers, the round transformation has the Feistel structure. In this structure, typically part of the bits of the intermediate state are simply transposed unchanged to another position. The round transformation of Rijndael does not have the Feistel structure. Instead, the round transformation is composed of three distinct invertible uniform transformations, called layers; every layer has its own function:
- The linear mixing layer: guarantees high diffusion over multiple rounds
- The non-linear layer: parallel application of S-boxes that have optimum worst-case non-linearity properties
- The key addition layer: a simple XOR of the round key to the intermediate state

6. AES Structure


The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197 this block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix.


The 128-bit key is likewise depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words. Each word is four bytes, and the total key schedule is 44 words for the 128-bit key.


- The AES structure is not a Feistel structure (in a Feistel structure, half of the data block is used to modify the other half, and then the halves are swapped). AES does not use a Feistel structure but processes the entire data block in parallel during each round using substitutions and permutations.
- The key that is provided as input is expanded into an array of forty-four 32-bit words, w[i]. Four distinct words (128 bits) serve as a round key for each round.
- Four different stages are used, one of permutation and three of substitution:
  - Substitute bytes: uses an S-box to perform a byte-by-byte substitution of the block
  - Shift rows: a simple permutation
  - Mix columns: a substitution that makes use of arithmetic over GF(2^8)
  - Add round key: a simple bitwise XOR of the current block with a portion of the expanded key
- The structure is quite simple. For both encryption and decryption the cipher begins with an Add Round Key stage, followed by nine rounds that each include all four stages, followed by a tenth round of three stages.



- Only the Add Round Key stage makes use of the key. For this reason, the cipher begins and ends with an Add Round Key stage. Any other stage applied at the beginning or end is reversible without knowledge of the key and so would add no security.
- The Add Round Key stage is, in effect, a form of Vernam cipher and by itself would not be formidable. The other three stages together provide confusion, diffusion and nonlinearity, but by themselves would provide no security because they do not use the key. We can view the cipher as alternating operations of XOR encryption (Add Round Key) of a block, followed by scrambling of the block, followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
- Each stage is easily reversible. For the Substitute Byte, Shift Row and Mix Columns stages, an inverse function is used in the decryption algorithm. For the Add Round Key stage, the inverse is achieved by XORing the same round key to the block, using the result A + A + B = B (where + denotes XOR).
- As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.
- Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. The final round of both encryption and decryption consists of only three stages.


Stages Used in AES


Each of the four stages used in AES has a forward (encryption) algorithm and an inverse (decryption) algorithm.

6.1. Substitute Byte Transformation


Forward (encryption) substitute byte transformation: called SubBytes, it is a simple table lookup. The SubBytes transformation is a non-linear byte substitution, operating on each of the State bytes independently.


AES defines a 16 x 16 matrix of byte values, called an S-box, that contains a permutation of all possible 256 8-bit values. Each individual byte of State is mapped into a new byte in the following way: the leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits of the byte are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value. Example: {95} references row 9, column 5 of the S-box, which contains {2A}.

Example of the SubBytes transformation

Inverse (decryption) substitute byte transformation: called InvSubBytes, it makes use of the inverse S-box. The inverse S-box is constructed by applying the inverse of the transformation that defines the S-box.
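As an added example (not code from the original report or from the Rijndael authors) covering both the S-box lookup of this section and the expansion of the 128-bit key into 44 words described under section 6: the S-box is computed from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than typed in, and the AES-128 key schedule is checked against the sample key given in FIPS PUB 197, Appendix A.1.

```python
def gf_mul(a, b):
    # Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    # a^254 == a^-1 for a != 0 (the non-zero elements form a group of order 255).
    r, p, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r

def build_sbox():
    # S-box entry = affine map of the inverse: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63.
    sbox = []
    for x in range(256):
        b = gf_inv(x) if x else 0
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()          # SBOX[0x95] == 0x2A: row 9, column 5, as in the text
INV_SBOX = [0] * 256         # inverse table used by InvSubBytes
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def sub_bytes(state, inverse=False):
    # SubBytes / InvSubBytes: high nibble selects the row, low nibble the column.
    table = INV_SBOX if inverse else SBOX
    return [table[b] for b in state]

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    # AES-128 key schedule: 4 key words grow to 44 words; w[4r:4r+4] is round key r.
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) & 0xFFFFFFFF) | (t >> 24)                                # RotWord
            t = int.from_bytes(bytes(SBOX[b] for b in t.to_bytes(4, "big")), "big")  # SubWord
            t ^= RCON[i // 4 - 1] << 24                                             # Rcon
        w.append(w[i - 4] ^ t)
    return w
```

Round key r of the expanded schedule is the four words w[4r] to w[4r+3]; the last four words for the FIPS sample key are d014f9a8 c9ee2589 e13f0cc8 b6630ca6.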


6.2 Shift row Transformation


Forward (encryption) shift row transformation

Called ShiftRows. The first row of State is not altered. For the second row, a 1-byte circular left shift is performed; for the third row, a 2-byte circular left shift is performed; for the fourth row, a 3-byte circular left shift is performed.

Inverse shift row transformation

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a one-byte circular right shift for the second row, and so on.

6.3 Mix column Transformation


Forward (encryption) mix column transformation: called MixColumns, it operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in the column. The transformation can be defined by the following matrix multiplication on State.


Each element in the product matrix is the sum of products of elements of one row and one column. The MixColumns transformation on a single column of State can be expressed as

The following is an example of MixColumns


Inverse mix column transformation

The inverse mix column transformation, called InvMixColumns, is defined by the inverse of the above equation.

6.4 Add Round key Transformations


Forward (encryption) add round key transformation

Called AddRoundKey: the 128 bits of State are bitwise XORed with the 128 bits of the round key. The operation is viewed as a column-wise operation between the 4 bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.

Example

The first matrix is State, and the second matrix is the round key.

Inverse add round key transformation

The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.


7. Equivalent Inverse cipher


The AES decryption cipher is not identical to the encryption cipher. That is, the sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. This has the disadvantage that two separate software or firmware modules are needed for applications that require both encryption and decryption. There is, however, an equivalent version of the decryption algorithm that has the same structure as the encryption algorithm. The equivalent version has the same sequence of transformations as the encryption algorithm. To achieve this, a change in the key schedule is needed. Two separate changes are needed to bring the decryption structure in line with the encryption structure. An encryption round has the structure SubBytes, ShiftRows, MixColumns, AddRoundKey. The standard decryption round has the structure InvShiftRows, InvSubBytes, AddRoundKey, InvMixColumns.
- Thus the first two stages of the decryption round need to be interchanged (InvShiftRows and InvSubBytes).
- The last two stages of the decryption round need to be interchanged (AddRoundKey and InvMixColumns).
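Added example (not code from the report or from the Rijndael authors) for the ShiftRows, MixColumns and AddRoundKey stages of sections 6.2 to 6.4 together with the key-schedule change just described: because InvMixColumns is linear, InvMixColumns(State XOR RoundKey) equals InvMixColumns(State) XOR InvMixColumns(RoundKey), so AddRoundKey and InvMixColumns can be swapped once the round key itself is passed through InvMixColumns. The State and round-key values used in the checks are constructed sample inputs; SubBytes is not part of this block.

```python
def xtime(a):
    # Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def mul(a, k):
    # a * k for a MixColumns constant k < 16: XOR of a * 2^j over the set bits of k.
    r = 0
    for j in range(4):
        if k >> j & 1:
            r ^= a
        a = xtime(a)
    return r

# State is 16 bytes in FIPS PUB 197 column order: state[r + 4*c] is row r, column c.

def shift_rows(state, inverse=False):
    # Row r is rotated left by r bytes (ShiftRows) or right by r bytes (InvShiftRows).
    d = -1 if inverse else 1
    return [state[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(state, inverse=False):
    # Each column is multiplied by the fixed 4x4 matrix; products are combined with XOR.
    m = INV_MIX if inverse else MIX
    out = [0] * 16
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= mul(col[k], m[r][k])
            out[r + 4 * c] = v
    return out

def add_round_key(state, round_key):
    # Bitwise XOR with the 16-byte round key; its own inverse since A ^ B ^ B = A.
    return [a ^ b for a, b in zip(state, round_key)]

def equivalent_round_key(round_key):
    # Key-schedule change of the equivalent inverse cipher: the round key is passed
    # through InvMixColumns so that AddRoundKey can follow InvMixColumns instead of
    # preceding it (the initial and final round keys are left unchanged).
    return mix_columns(round_key, inverse=True)
```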


Implementation Aspects

The Rijndael proposal provides some suggestions for efficient implementation on 8-bit processors, typical of current smart cards, and on 32-bit processors for PCs.


8. AES Advantages and Limitations


8.1 Advantages
Implementation aspects
- Rijndael can be implemented to run at speeds unusually fast for a block cipher on a Pentium (Pro) (trade-off between table size and performance)
- Rijndael can be implemented on a smart card in a small amount of code, using a small amount of RAM and taking a small number of cycles (ROM/performance)
- The round transformation is parallel by design, an important advantage in future processors and dedicated hardware
Simplicity of design
- The cipher is fully self-supporting. It does not make use of another cryptographic component
- The cipher does not base its security, or part of it, on obscure and not well understood interactions between arithmetic operations
- The tight cipher design does not leave enough room to hide a trapdoor
Variable block length
- The block lengths of 192 and 256 bits allow the construction of a collision-resistant iterated hash function using Rijndael as the compression function
Extension
- The design allows the specification of variants with the block length and key length both ranging from 128 to 256 bits in steps of 32 bits
- Although the number of rounds of Rijndael is fixed in the specification, it can be modified as a parameter in case of security problems

8.2 Limitations
The limitations of the cipher have to do with its inverse:
- In software, the cipher and its inverse make use of different code and/or tables
- In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher
- The inverse cipher is less suited to be implemented on a smart card than the cipher itself; it takes more code and cycles

9. Conclusion
- AES provides a better combination of safety and speed than DES
- AES provides higher security against brute-force attack than the old 56-bit DES keys
- Unix's NetBSD open-source version incorporated Rijndael into its IP Security protocol
- DES provides poor security
- 3DES provides poor performance
- Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments, regardless of its use in feedback or non-feedback modes
- Key setup time is excellent and its key agility is good
- Rijndael's very low memory requirements make it very well suited for restricted-space environments, in which it also demonstrates excellent performance
- Rijndael is designed with some flexibility in terms of block and key sizes, and the algorithm can accommodate alterations in the number of rounds, although these features would require further study and are not being considered at this time
- Rijndael's internal round structure appears to have good potential to benefit from instruction-level parallelism
- AES combines performance, security and the assurance of a federal standard
- The S-box is designed to be resistant to known cryptanalytic attacks. It has low correlation between input and output bits and cannot be described as a simple mathematical function
- Shift rows moves individual bytes from one column to another, ensuring that the four bytes of one column are spread out over four different columns
- Mix columns is based on a linear code with maximal distance between code words
- Add round key affects every bit of the input array. The complexity of round key expansion plus the complexity of the other stages ensures security

10. References
- Cryptography and Network Security by William Stallings
- http://west.poly.edu/~pkermani (student projects)
- NIST AES site: http://csrc.nist.gov/encryption/aes/
- Rijndael Home: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
- AES FAQ: http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html
- Book: The Design of Rijndael by Joan Daemen and Vincent Rijmen
- www.google.com