AES – The Advanced Encryption Standard

In January 1997, the National Institute of Standards and Technology of the United States (NIST) announced that they were seeking a new block cipher to replace the DES standard. The new cipher was to be called theAdvanced Encryption Standard, or AES for short. Later that year the terms of the AES competition were published. The competition was ingeniously designed and resulted in extraordinarily intensive scrutiny on the proposed ciphers. This was achieved by having two rounds in the competition. In the first round, any team could submit acandidate algorithm. There were 15 different algorithms that were submitted from all over the world. These submissions included the work of many of the best cryptographers and cryptanalysts today. Follow-ing the first round of submission, the different algorithms were analyzed for their security and performance. Two AES conferences were held, one in 1998 and one in 1999, in which papers were published regarding the different se-curity and other properties of the submitted schemes. Following the second AES conference, NIST narrowed the field down to 5 submissions and the sec-ond round begun. A third AES conference was then held, inviting additional scrutiny on the five finalists. Finally, in October 2000 NIST announced that the winning algorithm is Rijndael (a block cipher designed by John Daemen and Vincent Rijmen from Belgium). This process was ingenious because any group who submitted an algorithm, and was therefore interested in having their algorithm be adopted, had strong motivation to attack all the other submissions.⁴ In this way, essentially all of the world’s best cryptanalysts worked intensively to find even the slightest weaknesses in the AES submis-sions. Thus, after only a few years, the scrutiny received was very great, and our confidence in the security of the winning algorithm was high. Of course, the longer the algorithm is used, the more our confidence will grow. However today, only about 5 years later, the AES block cipher is already very widely used and no significant security weaknesses have been discovered.

The AES construction. In this section, we will present the high-level structure of the AES block cipher. As with DES, we will not present a full specification and our description should never be used as a basis for implemen-tation. In particular, we will not present the AES S-box or describe the key schedule. Rather, our aim is to provide a general idea of how the algorithm works. Before we begin, we remark that although the terms AES and Rijndael are used interchangeably, the AES is a specific standard and is different from Rijndael. For example, Rijndael can be implemented with a large range of

4We note that the motivation was not financial because the winning submission could not be patented. Nevertheless, much honor and glory was at stake.

block and key sizes whereas the AES is limited to a block size of 128 and a key size of 128, 192 or 256 bits.

In contrast to DES that has a Feistel structure, AES is essentially a substitution-permutation network. The AES algorithm holds a 4 by 4 array of bytes called thestate, that is initialized to the input to the cipher (note that the input is 128 bits which is exactly 16 bytes). The substitution and permutation oper-ations (providing confusion and diffusion) are all applied to the state array.

There are four stages in every round of AES (see Figure ?? for a graphical presentation of each of the four steps):

1. Stage 1 –AddRoundKey: In every round of AES, a 16 byte round key is derived from the master key, and is interpreted as a 4 by 4 array of bytes.⁵ Then, the key array is simply XORed with the state array.

Denote byai,j the byte appearing in thei^th row andj^th column of the state array, and likewise byki,j that analogous byte in the key array.

Then theAddRoundKeystep consists of computingai,j=ai,j⊕ki,j for every 1≤i≤4 and 1≤j≤4.

2. Stage 2 – SubBytes: In this step, each byte of the state array is re-placed by another byte, according to a single fixed lookup tableS. This substitution table (orS-box) is a bijection over{0,1}⁸. Thus, the Sub-Bytesstep consists of computingai,j =S(ai,j) for every 1≤i≤4 and 1≤j ≤ 4. We stress that there is only one S-box and it is used for substitutingall of the bytes in the state array.

3. Stage 3 – ShiftRows: In this step, the bytes in each row of the state array are cyclically shifted to the left as follows: the first row of the array is untouched, the second row is shifted one place to the left, the third row is shifted two places to the left, and the fourth row is shifted three places to the left. Of course, all shifts are cyclic so in the second row, we have that bytea2,1 becomea2,4, bytea2,2 becomes a2,1 and so on.

4. Stage 4 – MixColumns: In this step, each column is mixed via an in-vertible linear transformation. Specifically, each column is interpreted as a polynomial over GF[2⁸] (with the entries being the polynomial coefficients) and is multiplied modulo x⁴+ 1 with a fixed polynomial c(x) = 3x³+x²+x+ 2. This step can also be viewed as a matrix multiplication inGF[2⁸].

By viewing stages 3 and 4 as a “mixing permutation” step, we have that each round of AES has the structure of a substitution-permutation network.

(That is, the round key is first XORed with the intermediate value. Then,

5Recall that the master key may be of size 16, 24 or 32 bytes. This effects the key schedule only.

confusion is applied by applying a small, invertible random-looking function to each byte. Finally, the bytes are mixed. We stress that unlike our general description of a substitution-permutation network, here the third stage is not via a simple mixing permutation.)

The number of rounds in AES depends on the key-size. There are 10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key.

In the final round of AES theMixColumnsstage is replaced with an additional AddRoundKeystep (this prevents simply rewinding the last round as we have seen).

Security of AES.As we have mentioned, the AES cipher underwent intense scrutiny during the selection process and this has continued ever since. To date, the only non-trivial cryptanalytic attacks that have been found are for reduced-round variants of AES. It is often hard to compare cryptanalytic attacks because they vary on different parameters. We will therefore describe the complexity of one set of attacks that gives the flavor of what is known.

There are known attacks on 6-round AES for 128 bit keys (taking time in the order of 2⁷² encryptions), 8-round AES for 192 bit keys (taking time in the order of 2¹⁸⁸ encryptions), and 8-round AES for 256 bit keys (taking time in the order of 2²⁰⁴ encryptions). We stress that the above attacks are for reduced-round variants of AES, and as of today nothing better than an exhaustive search on the key space is known for the full AES construction.

(Observe that even the complexities on the reduced-round variants are very high.) Of course, the fact that no attack is known today does not mean that one does not exist. In any case, it appears that AES has a large security margin (especially if one uses 192-bit or 256-bit keys).

A different class of attacks, calledside-channel attacks, consider the scenario that the adversary is somehow able to make measurements on the processor computing the encryption or decryption with the unknown secret key. Al-though it sounds far-fetched, information such as the time taken to encrypt or the power consumed during encryption has actually been used to extract secret keys in reasonable amounts of time. Such attacks are sometimes feasi-ble (e.g., when a secure coprocessor, typically called a smartcard, is used for carrying out encryption and decryption, and may fall into the hands of the adversary). In any case, a number of side-channel attacks have been demon-strated on AES. However, they typically require very strong assumptions on the power of the adversary.

We conclude that as of today, AES constitutes an excellent choice for almost any cryptographic implementation that needs a pseudorandom permutation or function. It is free, standardized and highly secure.