The AES cipher

The Advanced Encryption Standard (AES) has been selected by the National Institute of Standards and Technology (NIST) after a five-year long competition. The original name of the cipher is Rijndael from the names of the two inventors, the cryptographers Joan Daemen and Vincent Rijmen. As any modern cipher, AES is the composition of rather simple operations and contains a non-linear component to avoid known-plaintexts attacks (as the one we have seen on the Hill cipher). The composed operations give a non-idempotent cipher that is iterated for a fixed number of rounds.

Rijndael has been selected because it resulted to be the best one providing:

  • high security guarantees
  • high performance
  • flexibility (different key length)

All of these features are, in fact, crucial for any modern cipher.  Its predecessor, the Data Encryption Standard (DES) is still in use after almost 40 years, in a variant called Triple DES (3DES), which aims at improving the key length. In fact, DES key of only 56 bits is too short to resist brute-forcing on modern, parallel computers.

Mathematical background

AES works on the Galois Field with 2^8 elements noted \mathbf{GF}(2^8). Intuitively, it it the set of all 8-bit digits with sum and multiplications performed by interpreting the bits as (binary) coefficients of polinomials. For example, element 11010011 can be seens as x^7 + x^6 + x^4 + x + 1 while 00111010 is x^5+x^4+x^3 + x. The sum will thus be x^7+x^6+x^4+x+1+x^5+x^4+x^3+x=x^7+x^6+x^5+x^3+1, since two 1’s coefficient becomes 0, modulo 2, and the term disappears (for example x + x = 2x = 0x = 0). We see that sum and subtraction are just the bit-wise xor of the binary numbers, i.e., 11010011 \oplus 00111010 = 11101001 which is x^7+x^6+x^5+x^3+1.

Product is done modulo the irreducible polinomial x8 + x4 + x3 + x + 1. Irreducible means that it cannot be written as the product of two other polinomials (it is, intuitively, the equivalent of primality). For example, (x^7 + x^6 + x^4 + x + 1) \times (x^5+x^4+x^3 + x) gives

x^{12} + x^{11} + x^9 + x^6 + x^5+x^{11}+x^{10}+x^8+x^5+x^4+x^{10}+x^9+x^7+x^4+x^3+x^8+x^7+x^5+x^2+x = x^{12}+x^6+x^5+x^3+x^2+x

Now to divide x^{12}+x^6+x^5+x^3+x^2+x by x^8 + x^4 + x^3 + x + 1 and find the reminder we proceed as follows:

\begin{array}{ccccccccccccc}1&0&0&0&0&0&1&1&0&1&1&1&0 \\ 1&0&0&0&1&1&0&1&1 \\\hline & & & &1&1&1&0&1&1&1&1&0\\ & & & &1&0&0&0&1&1&0&1&1 \\\hline & & & & &1&1&0&0&0&1&0&1 \end{array}

which gives 11000101, i.e., x^7 + x^6 + x^2 + 1.

This operation is quadratic in general, with respect to the number of bits (8). It can be optimized with the following linear algorithm (which is, in fact, a working python code):

The correctness derives from the invariant, after each loop: ab+p is the product of the initial a and b (all operation does in the Galois Field). Since b is 0 at the end, we have that p will contain the product. This fact derives from the following observations:

  • b is shifted to the right and a is shifted to the left meaning that we respectively divide and multiply by x the two polynomials;
  • if b is odd the polynomial is no dividable by x so we throw away the least significant bit (this is what the right shift does, actually) and we accumulate one a in p to compensate and keep the invariant;
  • when a becomes more than 28 we need to sum to it the modulus 100011011, i.e. 0x11b, to keep it 8-bits long.

NOTE: to test the code just open a python shell (by running python from the terminal) and cut and paste the function into the shell, giving enter at the end. You can now try

The AES cipher

Now that we have introduced the basic operation used to implement AES we can describe the cipher. The official description of AES is available on-line.

AES operates on a 4×4 matrix of bytes. We have that 16 bytes are 128 bits which is, in fact, the block size. Plaintext bytes b_1,\ldots,b_{16} are copied in the matrix by columns following this scheme:


Cipher keys have lengths of 128, 192, and 256 bits. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Rijndael was designed to handle additional block sizes and key lengths, however they are not adopted in the AES standard. A round is composed of different operations, all of which are invertible:

  • AddRoundKey. The round key (see Key Expansion, below) is bitwise xor-ed with the block. A round key is thus 128 bits, independently of the chosen key size.
  • SubBytes. A fixed non-linear substitution, called S-box, is applied to each byte of the block. The substitution is reported below. Given a byte in hexadecimal notation, the first digit is used to select a row and the second one to select a column. For example, 0x25 would be the third row (2) and the sixth column (5) giving 0x3f.

    NOTE: This S-box has been obtained by taking, for each byte, its multiplicative inverse in the finite field (that can be computed efficiently via an algorithm that we will see later on), noted b_7, \ldots, b_0, and applying the affine transformation b_i = b_i \oplus b_{i+4 \mod 8} \oplus b_{i+5 \mod 8} \oplus b_{i+6 \mod 8}\oplus b_{i+7 \mod 8} \oplus c_i, with c_i representing the i-th bit of 01100011. The above transformation can be written as:

    \begin{bmatrix}b_0\\b_1\\b_2\\b_3\\b_4\\b_5\\b_6\\b_7\end{bmatrix}=\begin{bmatrix}1&0&0&0&1&1&1&1\\1&1&0&0&0&1&1&1\\1&1&1&0&0&0&1&1\\1&1&1&1&0&0&0&1\\1&1&1&1&1&0&0&0\\0&1&1&1&1&1&0&0\\0&0&1&1&1&1&1&0\\0&0&0&1&1&1&1&1\end{bmatrix}\begin{bmatrix}b_0\\b_1\\b_2\\b_3\\b_4\\b_5\\b_6\\b_7\end{bmatrix} \oplus \begin{bmatrix}1\\1\\0\\0\\0\\1\\1\\0\end{bmatrix}

    Using multiplicative inverses is known to give non-linear properties, while the affine transformation complicates the attempt of algebraic reductions.

  • ShiftRows. Rows of the block matrix are shifted to the left by 0,1,2,3, respectively. The shift is circular:

    \begin{bmatrix}b_1&b_5&b_9&b_{13}\\b_2&b_6&b_{10}&b_{14}\\b_{3}&b_7&b_{11}&b_{15}\\b_4&b_8&b_{12}&b_{16}\end{bmatrix} \Rightarrow\begin{bmatrix}b_1&b_5&b_9&b_{13}\\b_6&b_{10}&b_{14}&b_2\\b_{11}&b_{15}&b_{3}&b_7\\b_{16}&b_4&b_8&b_{12}\end{bmatrix}

  • MixColumns. Columns of the block matrix are multiplied by the following matrix

    \begin{bmatrix}c_0\\c_1\\c_2\\c_3\end{bmatrix} = \begin{bmatrix}2&3&1&1\\1&2&3&1\\1&1&2&3\\3&1&1&2\end{bmatrix}\begin{bmatrix}c_0\\c_1\\c_2\\c_3\end{bmatrix}

    For example the first byte of each column is computed as 2c_0 \oplus 3c_1 \oplus c_2 \oplus c_3.

    NOTE: This fixed matrix is obtained by considering each column as a four-term polynomial with coefficients in \mathbf{GF}(2^8). The columns are then multiplied modulo x^4 + 1 with a fixed polynomial a(x), given by a(x) = 3x^3 + x^2 + x + 2. This specific modulus is such that, e.g., x^4 becomes x^0, x^5 becomes x^1 and so on.

  • Key Expansion. We have mentioned that AES uses round keys in the AddRoundKey step. These keys are in fact derived from the initial AES key as follows.

    Keys are represented as arrays of words of 4 bytes. So, for example, a 128 bit key will be 4 words of 4 bytes, i.e., 16 bytes. This is expanded into an array of size 4 * (Nr + 1), where Nr is the number of rounds. In this way we obtain 4 different words of key for each round.

    Let Nk note the number of words of the initial key (e.g. 4 for 128 bits). The first Nk words of the key array are the same as the initial key. Next i-th word is obtained from the previous i-1 word, possibly transformed as described below, xor-ed with word i-Nk. The transformation happens only for words in position multiple of Nk and consists of a cyclic left shift of word bytes by one position (RotWord) followed by a byte-wise application of the S-box (SubWord) and a xor with a round constant (Rcon). This constant at step j is the word [x^{j-1},0x00,0x00,0x00] with x^{j-1} computed in the galois field, meaning 02^{j-1} since polynomial x is the binary number 00000010, i.e., 0x02.

    Pseudocode follows:

    IMPORTANT NOTE: for 256 bit key, when i-4 is a multiple of Nk SubWord is applied to w[i-1] before the xor. This has been omitted in the code for the sake of readability.

    Of course the first byte of Rcon can be precomputed. Here is the table:

Here is the overall scheme for AES assuming that variable state is initialized with the 4×4 matrix of the plaintext (see above) and w[] has been initialized by key expansion:

Decryption is computed by applying inverse operations:

Notice that AddRoundKey is unchanged since xor is the inverse of itself. InvShiftRows trivially amounts to revert the shifts on the row (to the right instead of left). InvSubBytes is computed by using the following inverse substitution of the S-Box:

Finally, InvMixColumns is given by the following operation

\begin{bmatrix}c_0\\c_1\\c_2\\c_3\end{bmatrix} = \begin{bmatrix}0e&0b&0d&09\\09&0e&0b&0d\\0d&09&0e&0b\\0b&0d&09&0e\end{bmatrix}\begin{bmatrix}c_0\\c_1\\c_2\\c_3\end{bmatrix}

For example the first byte of each column is computed as 0e c_0 \oplus 0b c_1 \oplus 0d c_2 \oplus 09 c_3.

NOTE: This fixed matrix is obtained by considering each column as a four-term polynomial with coefficients in \mathbf{GF}(2^8). The columns are then multiplied modulo x^4 + 1 with the inverse of the fixed polynomial a(x), given by a^{-1}(x) = 0b x^3 + 0d x^2 + 09 x + 0e.

The algorithm for decryption is written in a form similar to the one for encryption but operations are not in the same order. It can, in fact, become the very same algorithm by noticing that

  1. SubBytes and ShiftRows commute. It does not matter if we first apply the byte-wise substitution or if we first shift the rows. The final result will be the same. Of course, the same holds for the inverse transformations
  2. InvMixColumns(state \oplus roundKey) = InvMixColumns(state) \oplus InvMixColumns(roundKey). This allows for inverting the two functions, provided that InvMixColumns is applied to the all the round keys.

Call dw the array containing the round keys transformed via InvMixColumns. The final decryption algorithm is:

This is exactly the same as the one for encryption, but with the inverse functions. Having the same algorithm for encryption and decryption simplifies a lot implementations, especially if they are done in hardware.


Challenge: 1-round AES

(This challenge will give a +2 score for the first working solution posted and a +2 score for the most elegant one. Any original contribution will give some extra score).

It has been intercepted the following ciphertext:

Rumors tell that it is a mail to Joan Daemen (one of AES authors) encrypted with ECB mode using a simplified 1-round AES cipher:

Can you recover the whole message?
NOTE: If you want to test AES implementation look at the official AES description (also linked from the AES lesson): at page 35, Appendix C, it gives example vectors.

1 thought on “The AES cipher”

  1. If you want to see the algorithm for multiplication at work save this in a file named and run it by issuing python in a terminal. It will show the intermediate values and the invariant at each step.
    Notice that the invariant is computed using the algorithm itself as it assumes all operations in the field.

    def AESmult(a, b, debug):
        p = 0                       # p is 0 at the beginning
        for i in range(0,8):        # for the 8 bits of a and b do:
            if b & 1 != 0:          # the least significant bit of b is set
                p = p ^ a           # sum a to p (xor)
            b >>= 1                 # shifts b to the right
            hbit = (a & 0x80) != 0  # true if the most significant bit of a is set
            a <<= 1                 # shifts a to the left
            if hbit:                # if the most significant bit of a was set
                a = a ^ 0x11b       # sum 100011011 to a (xor), this always returns
                                    # a 8-bit number
            if debug:
                print 'a={0:08b} b={1:08b} p={2:08b} axb+p={3:n}'.format( a,b,p, AESmult(a,b,False) ^ p )
        return p
    r = AESmult(0b11010011,0b00111010,True)
    print r, bin(r)

Leave a Reply

Your email address will not be published. Required fields are marked *