## Math 5410 Advanced Encryption Standard (AES)

In 1997 the National Institute of Standards and Technology (NIST) put out a call for candidates to replace DES. The requirements included the ability to allow key sizes of 128, 192 and 256 bits; the algorithm should work on blocks of 128 bits; and it should be highly portable, working on a variety of hardware platforms including 8-bit processors used in smart cards and 32-bit processors used in most personal computers. Speed and of course cryptographic strength were also considerations. From the submissions, NIST selected 15 algorithms and asked the cryptographic community to comment on them in a series of forums and workshops. In the Spring of 2000 the list had been reduced to five finalists: MARS (the IBM entry), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent and Twofish. Eventually Rijndael was selected to be the AES and the official announcement that it was the new standard was made on Dec. 4, 2001 (to be effective March 26, 2002).

AES is designed to withstand cryptographic attack against (unclassified) government information well into the new century. It is to be optionally used by the private sector. However, since it will provide far more security than DES does, this optionality is really a smoke screen, AES will be the defacto standard for the private sector. Information on the selection and specifics of the Rijndael algorithm for AES can be obtained on-line from NIST.

### Rijndael

The algorithm is designed to use keys of length 128, 192 or 256. It works on one block of 128 bits at a time, producing 128 bits of ciphertext. There are 10 rounds, after an initial XOR'ing (bitwise addition mod 2) with the original key (assuming a key length of 128). These rounds, except for the last, consist of 4 steps (layers), called ByteSub, ShiftRow, MixColumn and AddRoundKey. In the 10th round the MixColumn step is omitted.

The 128 bit input is divided into 16 bytes of 8 bits apiece. These are arranged in a 4 × 4 matrix. The ShiftRow and MixColumn steps operate on this matrix while the ByteSub and AddRoundKey steps just operate on the bytes. Some of the operations use the finite field GF(28 = 256). The important features of this field are that each of its elements is represented by a single byte (8 bits), and one can add and multiply these bytes to get another byte. The construction of this field (and more importantly the multiplication rule) depends on a fixed irreducible polynomial of degree 8. The polynomial used for Rijndael is x8 + x4 + x3 + x + 1.

#### ByteSub

In this step each byte of the matrix is replaced by another byte. The original byte is split into two 4 bit nibbles. The first (most significant) nibble is used as a row index and the second (least significant) nibble is used as a column index. These indices pick an entry in a 16 × 16 matrix whose entries are all the distinct bytes, and this byte replaces the original byte. This matrix is called an S-box. Unlike the S-boxes used in DES, the construction of this S-box is public (and one does not have to use the look-up table to find the value ... but this would require a larger program). To calculate the replacement byte, view the original byte as an element of GF(256) and first find its multiplicative inverse (if the original byte is the 0 byte, it is unchanged). Consider this inverse as a binary vector of length 8 and multiply it by a fixed 8 × 8 right circulant matrix (C(10001111)) and then add (XOR) a fixed vector (byte form of 99) to the result.

#### ShiftRow

The rows of the 4 × 4 matrix of bytes are cyclically shifted to the left. The first row is not shifted, the second shifted by one place, the third by two places and the fourth by three places.

#### MixColumn

The 4 × 4 matrix is multiplied on the left by the matrix
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
where the entries are written as bytes and the multiplication is done in GF(256).

In each round a different round key of 128 bits is generated from the original key. This round key is divided into 16 bytes, and each byte is XOR'ed with an entry of the 4 × 4 matrix.

To finish the description of the algorithm, we need to examine how the round keys are determined (the Key Schedule).

#### Key Schedule

The original key is broken up into bytes and these are arranged in a 4 × Y array where Y depends on the key length (Y = 4 for 128 bits, 6 for 192 bits and 8 for 256 bits). New columns are added to this array so that the total number of columns is 44. These additional columns are generated recursively. Letting W(j) be the j+1st column (columns are numbered starting at 0), we have:

if i is not a multiple of 4, W(i) = W(i-4) + W(i-1),
but if i is a multiple of 4 then W(i-1) is modified before XORing (the addition in the formula). The modification is:

1. Cyclically shift the elements of the column up by one.
2. Using the S-box of the ByteSub step, replace the bytes in the column.
3. Compute the round constant, r(i) = 00000010(i-4)/4 in GF(256) and add the result to the first byte of the column.
For the ith round of Rijndael use the key which consists of the columns W(4i), W(4i+1), W(4i+2) and W(4i+3).

### Decrypting Rijndael

Unlike DES which uses the same algorithm to encrypt and decrypt (a symmetric system), the decryption algorithm differs from the encryption algorithm. However, since each step of Rijndael is invertible, the structure of the decryption algorithm is similar to the encryption algorithm. The inverse of ByteSub is another lookup table, called InvByteSub. The inverse of ShiftRow is just shifting rows to the right instead of the left, called InvShiftRow. The matrix used in MixColumn is invertible, so InvMixColumn uses the inverse matrix:
```            14  11  13   9
9  14  11  13
13   9  14  11
11  13   9  14
```
Finally, AddRoundKey is its own inverse.

Now a round of Rijndael consists of (with the obvious abbreviations) BS, SR, MC and ARK. The inverse of this would be ARK, IMC, ISR, IBS. Since IBS acts on bytes and ISR moves bytes, the order in which these operations are performed is not important (i.e., they commute as operations). The operations ARK and IMC however do not commute, and we desire that they do in some sense. Since "ARK then IMC" is the inverse of "MC then ARK", lets look at "MC then ARK" in more detail. In matrix notation, "MC then ARK" is simply Y = MX + K, where K is the round key matrix, M is the MixColumn matrix, X the current state of the working matrix and Y the matrix that results. The inverse of this is given by X = M-1(Y + K) = M-1Y + M-1K. But this is just IMC applied to Y followed by adding, not K but IMC applied to K. By defining InvAddRoundKey to be XORing with IMC of K, we see that "ARK then IMC" can be replaced by "IMC then IARK". Now look at the inverse of the complete round structure of Rijndael (and recall the missing MC in the last round):

ARK ISR IBS
ARK IMC ISR IBS
..........
ARK IMC ISR IBS
ARK

Now apply the switches in the last paragraph:

ARK IBS ISR
IMC IARK IBS ISR
....
IMC IARK IBS ISR
ARK

which can be rewritten as:

ARK
IBS ISR IMC IARK (9 rounds of this)
IBS ISR ARK

Thus we have the decryption algorithm written in the same form as the encryption algorithm, only replacing the steps by their inverses. The round keys of course have to be supplied in the reverse order as well.