The Advanced Encryption Standard

a.k.a. the Rijndael algorithm Calvin Li March 5, 2012

Rijndael is the algorithm behind the Advanced Encryption Standard. It is a substition-permutation network with a fairly simple algebraic description. AES is the rst public cipher approved by the NSA for Top Secret information.

Maths
Mathematics for Rijndael are done in GF(28 ), a nite eld.

0.1

Finite elds

Finite elds are elds with a nite number of elements. A eld is dened as an abelian (commutative) group that has a few axioms, such as closure, associativity, commutativity, the existence of inverses and identities under addition and multiplication, and distributivity of multiplication over addition.

0.2

Representing numbers for Rijndael

Numbers are represented as polynomials of degree < 7. Each bit of the number is the corresponding coecient on the polynomial. For example, 8310 = 5316 = 010100112 = x6 + x4 + x + 1

0.3

Addition and subtraction

Addition and subtraction are done (mod 2). This means that they are actually the same thing, a bitwise xor operation.

0.4

Multiplication

Multiplication is done modulo a xed irreducible polynomial, which for the Rijndael nite eld happens to be this: x8 + x4 + x3 + x + 1

Key Expansion

Rijndael has a key schedule for expanding out the 128-bit key into keys for each of the rounds. This key schedule is quite involved and doesnt really involve matrices at all, so Im skipping it.

Initial round
state: a0,3 a1,3 a2,3 a3,3

The block is a 4x4 matrix of bytes called the a0,0 a0,1 a0,2 a1,0 a1,1 a1,2 a2,0 a2,1 a2,2 a3,0 a3,1 a3,2

2.1

AddRoundKey

The state is added to (xored with) the round key.

Rounds

For a 128-bit block and 128-bit key, there are 9 normal rounds and one nal round. Each of the 9 normal rounds consists of the following:

3.1

SubBytes

This is where the Rijndael S-box (substition box) is applied. This is usually implemented as a lookup table. For each byte (matrix entry), its inverse in GF (28 ) is found and then transformed like so: 1 0 0 0 1 1 1 1 x0 1 1 1 0 0 0 1 1 1 x1 1 1 1 1 0 0 0 1 1 x2 0 1 1 1 1 0 0 0 1 x3 0 1 1 1 1 1 0 0 0 x4 + 0 0 1 1 1 1 1 0 0 x5 1 0 0 1 1 1 1 1 0 x6 1 0 0 0 1 1 1 1 1 x7 0 (This is an ane transformation and is invertible.) The numbers in the transformation matrices are specically chosen so that the transformation has no xed points, and for resistance against linear and dierential cryptanalysis.

3.2

ShiftRows

Each row is cyclically shifted to the left. The rst row is shifted over by 0, the second by 1, the third by 2, and the fourth by 3: a0,0 a0,1 a0,2 a0,3 a1,1 a1,2 a1,3 a1,0 a2,2 a2,3 a2,0 a2,1 a3,3 a3,0 a3,1 a3,2

3.3

MixColumns

Each column is multiplied by a particular matrix like so: 2 3 1 1 a0 1 2 3 1 a1 1 1 2 3 a2 3 1 1 2 a3 (This matrix is a linear transformation and is also invertible. It also happens to have a fast computer implementation.)

3.4

AddRoundKey

The last step in a round is to do AddRoundKey again.

Final round

The nal round is just like a normal round except MixColumns is left out. This is to make decryption more symmetrical to encryption (dont ask).

Security
SubBytes, ShiftRows and MixColumns are designed to provide diusion. This means the cipher (and each step) satises the strict avalanche criterion, the requirement that if a single input bit is changed, the probability of each output bit changing is 1/2.

Sources
In no particular order, Wikipedia articles Finite eld, Field (mathematics), Finite eld arithmetic, Advanced Encryption Standard, Rijndael S-box, and Rijndael mix columns. http://www.cs.utsa.edu/~wagner/laws/FFM.html http://www.quadibloc.com/crypto/co040401.htm