University of Mosul
College of Engineering
Computer Engineering Dept.
Network Security
2024-2025
Lecture 4
AES: Advanced Encryption Standard
Asst. Prof. Dr. Mayada Faris Ghanim
Advanced Encryption Standard
After a public competition and review, NIST
selected an algorithm named Rijndael as the new
advanced encryption system; Rijndael is now known
more widely as AES. AES was adopted for use by
the U.S. government in December 2001. AES is a
symmetric block cipher that is intended to
replace DES as the approved standard for a wide
range of applications.
General Structure of AES
The following figure shows the overall structure of the AES
encryption process. The cipher takes a plaintext block size
of 128 bits, or 16 bytes. The key length can be 16, 24, or
32 bytes (128, 192, or 256 bits). The algorithm is referred
to as AES-128, AES-192, or AES-256, depending on the key
length. The input to the encryption and decryption
algorithms is a single 128-bit block. This block is depicted
as a 4 x 4 square matrix of bytes. This block is copied into
the State array, which is modified at each stage of
encryption or decryption. After the final stage, State is
copied to an output matrix.
Figure 1. AES Encryption Process
The operations of AES are depicted in Figure 2a. Similarly,
the key is depicted as a square matrix of bytes. This key is
then expanded into an array of key schedule words.
Figure 2b shows the expansion for the 128-bit key. Each
word is four bytes, and the total key schedule is 44 words
for the 128-bit key. Note that the ordering of bytes within
a matrix is by column. So, for example, the first four bytes
of a 128-bit plaintext input to the encryption cipher
occupy the first column of the in matrix, the second four
bytes occupy the second column, and so on. Similarly, the
first four bytes of the expanded key, which form a word,
occupy the first column of the w matrix.
Figure 2. AES Data Structures
The cipher consists of N rounds, where the number
of rounds depends on the key length: 10 rounds for
a 16-byte key, 12 rounds for a 24-byte key, and 14
rounds for a 32-byte key (Table 1). The first N - 1
rounds consist of four distinct transformation
functions: SubBytes, ShiftRows, MixColumns, and
AddRoundKey, which are described subsequently.
The final round contains only three
transformations, and there is an initial single
transformation (AddRoundKey) before the first
round, which can be considered Round 0.
Table 1. AES Parameters
Each transformation takes one or more 4 x 4 matrices as
input and produces a 4 x 4 matrix as output. Figure 1
shows that the output of each round is a 4 x 4 matrix, with
the output of the final round being the ciphertext. Also,
the key expansion function generates N + 1 round keys,
each of which is a distinct 4 x 4 matrix. Each round key
serves as one of the inputs to the AddRoundKey
transformation in each round.
Detailed Structure
Figure 3 shows the AES cipher in more detail,
indicating the sequence of transformations in
each round and showing the corresponding
decryption function. We show encryption
proceeding down the page and decryption
proceeding up the page. Before delving into
details, we can make several comments about
the overall AES structure.
Figure 3. AES Encryption and Decryption
1. It is not a Feistel structure. Recall that, in the classic
Feistel structure, half of the data block is used to
modify the other half of the data block and then the
halves are swapped. AES instead processes the entire
data block as a single matrix during each round using
substitutions and permutation.
2. The key that is provided as input is expanded into an
array of forty-four 32-bit words, w[i]. Four distinct
words (128 bits) serve as a round key for each round;
these are indicated in Figure 3.
3. Four different stages are used, one of permutation and
three of substitution:
■ Substitute bytes: Uses an S-box to perform a byte-by-byte
substitution of the block.
■ ShiftRows: A simple permutation.
■ MixColumns: A substitution that makes use of arithmetic.
■ AddRoundKey: A simple bitwise XOR of the current block
with a portion of the expanded key.
4. The structure is quite simple. For both encryption and
decryption, the cipher begins with an AddRoundKey stage,
followed by nine rounds, each of which includes all four stages,
followed by a tenth round of three stages. Figure 4 depicts
the structure of a full encryption round.
Figure 4. AES Encryption Round
5. Only the AddRoundKey stage makes use of the key. For this
reason, the cipher begins and ends with an AddRoundKey
stage. Any other stage, applied at the beginning or end, is
reversible without knowledge of the key and so would add no
security.
6. The AddRoundKey stage is, in effect, a form of Vernam
cipher and by itself would not be formidable. The other three
stages together provide confusion, diffusion, and
nonlinearity, but by themselves would provide no security
because they do not use the key. We can view the cipher as
alternating operations of XOR encryption (AddRoundKey) of a
block, followed by scrambling of the block (the other three
stages), followed by XOR encryption, and so on. This scheme
is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute
Byte, ShiftRows, and MixColumns stages, an inverse
function is used in the decryption algorithm. For the
AddRoundKey stage, the inverse is achieved by
XORing the same round key to the block, using the
result that A ⊕ B ⊕ B = A.
8. As with most block ciphers, the decryption
algorithm makes use of the expanded key in reverse
order. However, the decryption algorithm is not
identical to the encryption algorithm. This is a
consequence of the particular structure of AES.
9. Once it is established that all four stages are
reversible, it is easy to verify that decryption does
recover the plaintext. Figure 3 lays out encryption
and decryption going in opposite vertical directions.
At each horizontal point (e.g., the dashed line in the
figure), State is the same for both encryption and
decryption.
10. The final round of both encryption and decryption
consists of only three stages. Again, this is a
consequence of the particular structure of AES and is
required to make the cipher reversible.
AES Transformation Functions
Substitute Bytes Transformation
FORWARD AND INVERSE TRANSFORMATIONS The forward
substitute byte transformation, called SubBytes, is a simple
table lookup (Figure 5a). AES defines a 16 x 16 matrix of byte
values, called an S-box (Table 2a), that contains a permutation of
all possible 256 8-bit values. Each individual byte of State is
mapped into a new byte in the following way: The leftmost 4 bits
of the byte are used as a row value and the rightmost 4 bits are
used as a column value. These row and column values serve as
indexes into the S-box to select a unique 8-bit output value. For
example, the hexadecimal value {95} references row 9, column 5
of the S-box, which contains the value {2A}. Accordingly, the
value {95} is mapped into the value {2A}.
Figure 5. AES Byte-Level Operations
Table 2. AES S-Boxes
Here is an example of the SubBytes
transformation:
ShiftRows Transformation
FORWARD AND INVERSE TRANSFORMATIONS The
forward shift row transformation, called ShiftRows, is
depicted in Figure 7a. The first row of State is not
altered. For the second row, a 1-byte circular left shift is
performed. For the third row, a 2-byte circular left shift
is performed. For the fourth row, a 3-byte circular left
shift is performed. The following is an example of
ShiftRows.
The inverse shift row transformation, called
InvShiftRows, performs the circular shifts in the
opposite direction for each of the last three rows,
with a 1-byte circular right shift for the second row,
and so on.
Rationale
The shift row transformation is more substantial than it
may first appear. This is because the State, as well as
the cipher input and output, is treated as an array of
four 4-byte columns. Thus, on encryption, the first 4
bytes of the plaintext are copied to the first column of
State, and so on. Furthermore, as will be seen, the
round key is applied to State column by column. Thus, a
row shift moves an individual byte from one column to
another, which is a linear distance of a multiple of 4
bytes. Also note that the transformation ensures that
the 4 bytes of one column are spread out to four
different columns. Figure 4 illustrates the effect.
MixColumns Transformation
FORWARD AND INVERSE TRANSFORMATIONS The
forward mix column transformation, called
MixColumns, operates on each column individually.
Each byte of a column is mapped into a new value that
is a function of all four bytes in that column. The
transformation can be defined by the following matrix
multiplication on State (Figure 7b):
Figure 7. AES Row and Column Operations
The inverse mix column transformation, called
InvMixColumns, is defined by the following matrix
multiplication:
AddRoundKey Transformation
FORWARD AND INVERSE TRANSFORMATIONS In the
forward add round key transformation, called
AddRoundKey, the 128 bits of State are bitwise XORed
with the 128 bits of the round key. As shown in Figure
5b, the operation is viewed as a columnwise operation
between the 4 bytes of a State column and one word of
the round key; it can also be viewed as a byte-level
operation. The following is an example of
AddRoundKey:
The first matrix is State, and the second matrix is
the round key.
The inverse add round key transformation is
identical to the forward add round key
transformation, because the XOR operation is its
own inverse.
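The three key-independent stages described above (ShiftRows, including the column-spreading effect noted under Rationale, MixColumns with its inverse, and the self-inverse AddRoundKey), as an added Python example that is not the lecture's own code. The column-major State layout and the sample inputs are assumptions; the column d4 bf 5d 30 is the MixColumns worked example from FIPS-197.

```python
# Added example, not the lecture's code: the three key-independent round stages
# on a State stored column-major, so the byte in row r, column c is s[r + 4*c].
def xtime(a):
    """Multiply a byte by x (i.e. by {02}) in GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def mul(a, k):
    """Multiply byte a by a small constant k using repeated xtime doubling."""
    r = 0
    while k:
        if k & 1:
            r ^= a
        a, k = xtime(a), k >> 1
    return r

def shift_rows(s, inverse=False):
    """Row r rotates left by r bytes (right by r bytes for InvShiftRows)."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

MIX, INV_MIX = (2, 3, 1, 1), (14, 11, 13, 9)

def mix_columns(s, coef=MIX):
    """Multiply every column by the circulant matrix whose first row is coef."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(0)
            for k in range(4):
                out[-1] ^= mul(col[k], coef[(k - r) % 4])
    return out

def add_round_key(s, rk):
    """Bitwise XOR of State with the round key; a second application undoes it."""
    return [a ^ b for a, b in zip(s, rk)]

if __name__ == "__main__":
    # Constructed State whose first column is the FIPS-197 MixColumns example d4 bf 5d 30.
    state = [0xD4, 0xBF, 0x5D, 0x30] + [0] * 12
    mixed = mix_columns(state)
    print([f"{b:02x}" for b in mixed[:4]])                  # ['04', '66', '81', 'e5']
    print(mix_columns(mixed, INV_MIX) == state)             # True
    state = [0x10 * r + c for c in range(4) for r in range(4)]  # constructed: byte = 0x<row><col>
    shifted = shift_rows(state)
    # The four bytes of column 0 (00, 10, 20, 30) now sit in four different columns.
    print(sorted(shifted.index(b) // 4 for b in (0x00, 0x10, 0x20, 0x30)))   # [0, 1, 2, 3]
    print(shift_rows(shifted, inverse=True) == state)      # True
```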
Figure 8 is another view of a single round of AES,
emphasizing the mechanisms and inputs of each
transformation.
Figure 8. Inputs for Single AES Round
AES Key Expansion
The AES key expansion algorithm takes as input a four-word
(16-byte) key and produces a linear array of 44 words (176
bytes). This is sufficient to provide a four-word round key for
the initial AddRoundKey stage and each of the 10 rounds of the
cipher. The pseudocode on the next page describes the
expansion. The key is copied into the first four words of the
expanded key. The remainder of the expanded key is filled in
four words at a time. Each added word w[i] depends on the
immediately preceding word, w[i - 1], and the word four
positions back, w[i - 4]. In three out of four cases, a simple XOR
is used. For a word whose position in the w array is a multiple
of 4, a more complex function is used.
Figure 9 illustrates the generation of the expanded key, using the
symbol g to represent that complex function. The function g
consists of the following subfunctions.
Figure 9. AES Key Expansion
1. RotWord performs a one-byte circular left shift on a
word. This means that an input word [B0, B1, B2, B3] is
transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of
its input word, using the S-box (Table 2a).
3. The result of steps 1 and 2 is XORed with a round
constant, Rcon[j].
j       1    2    3    4    5    6    7    8    9    10
RC[j]   01   02   04   08   10   20   40   80   1B   36
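The S-box computed from its definition (multiplicative inverse in GF(2^8) followed by the affine map) instead of being read from Table 2a, together with the Rcon values above and the 128-bit key expansion of Figure 9, as an added Python example that is not the lecture's code; it goes beyond the slides by generating the table rather than quoting it. The key 2b7e1516 28aed2a6 abf71588 09cf4f3c is the FIPS-197 Appendix A.1 test key and is an assumption here.

```python
# Added example, not the lecture's code: the S-box built from its definition
# (inverse in GF(2^8), then an affine map) and the AES-128 key expansion of Figure 9.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    r = 1
    for _ in range(254):   # a^254 is the inverse of a; the loop maps 0 to 0 as AES requires
        r = gf_mul(r, a)
    return r

def build_sbox():
    """S[a] = inv(a) XOR its four left rotations XOR 0x63 (the affine transform)."""
    box = []
    for a in range(256):
        b, s = gf_inv(a), 0x63
        for k in range(5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = build_sbox()
RCON = [0x01]                           # RC[1]; each following value is the previous times {02}
for _ in range(9):
    RCON.append(gf_mul(RCON[-1], 2))    # gives 01 02 04 08 10 20 40 80 1B 36

def key_expansion(key):
    """Expand a 16-byte key into w[0..43]; every 4th word uses g = SubWord(RotWord(.)) XOR Rcon."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # RotWord, then SubWord
            temp[0] ^= RCON[i // 4 - 1]                     # XOR with Rcon[j] (leftmost byte)
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w

if __name__ == "__main__":
    print(f"S[95] = {SBOX[0x95]:02X}")    # S[95] = 2A, as in the lecture's example
    w = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # FIPS-197 A.1 key
    print(bytes(w[4]).hex(), bytes(w[43]).hex())   # a0fafe17 b6630ca6
```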
Strength of the Algorithm
The characteristics and apparent strength of DES and AES are
compared in Table 3. Remember, of course, that these strength
figures apply only if the implementation and use are robust; a
strong algorithm loses strength if used with a weakness that lets
outsiders determine key properties of the encrypted data.
Moreover, the number of cycles can be extended in a natural
way. With DES the algorithm was defined for precisely 16 cycles;
to extend that number would require substantial redefinition of
the algorithm. The internal structure of AES has no a priori
limitation on the number of cycles. If a cryptanalyst ever
concluded that 10 or 12 or 14 rounds were too low, the only
change needed to improve the algorithm would be to change the
limit on a repeat loop.
A mark of confidence is that the U.S.
government has approved AES for protecting
Secret and Top Secret classified documents. This
is the first time the United States has ever
approved the use of a commercial algorithm
derived outside the government (and
furthermore, outside the United States) to
encrypt classified data.
Table 3. Comparison of DES and AES
No one can predict now what limitations cryptanalysts
might identify in the future. Fortunately, talented
cryptologists continue to investigate even stronger
algorithms that will be able to replace AES when it
becomes obsolete. At present, AES seems to be a
significant improvement over DES, and it can be
improved in a natural way if necessary. DES is still in
widespread use, but AES is also widely adopted,
particularly for new applications.
Next Lecture
Access Control