AES — Preliminary Overview
1. Non-Feistel Structure: As noted in the lead-up to this overview, AES is not of a Feistel construction. Instead, the entire data block is processed in parallel, during each round, using a combination of substitution and permutation.
2. Keys: The input key, which may be variable in length as we shall see, will be assumed, for the purposes of this introductory discussion, to be of key length 128 bits. This key is expanded into a matrix of forty-four 4-byte words, wherein four distinct words play the role of the round key for the succeeding round.
3. Rounds: For both encryption and decryption (see Diagrams 3.6 and 3.7 on pages 148 and 149, with Nr = 10), the AES cipher begins with an add round key stage, followed by nine rounds, each round having four stages, which in addition to the add round key stage are called bytesub, shift rows, and mix columns (all described in the detailed delineation of AES below). This is followed by a tenth round having three stages (with the mix columns eliminated for this round, since its inclusion would unnecessarily slow the algorithm).
4. Round Stages: Only the add round key stage uses the key. The other three stages provide confusion (bytesub), diffusion (mix columns), and nonlinearity (S-boxes). These three stages do not add security by themselves since they do not use the key. Moreover, all stages are reversible.
5. Decryption: The decryption uses the expanded key in reverse order. However, the decryption algorithm is not the same as the encryption algorithm. One needs the inverse lookup table of the S-box, and the inverse mix columns, which is distinct from the enciphering mix columns operation. It is this fact that causes decryption to be slower than encryption; namely, the inverse mix columns operation is a more complex operation that can take a third longer than encryption on 8-bit processors. Yet, this is not seen as a disadvantage since many implementations do not need deciphering, such as CFB mode (see page 135).
6. S-boxes: The S-boxes are all identical, and map bytes to bytes. The AES S-box was designed to be highly resistant to cryptanalytic attacks. In particular, the designers ensured that there is a low correlation between the input bits and the output bits. This is the reason, cited on page 143, that AES does not have the DES complementation property. The S-boxes are also invertible, but not self-inverses.
7. Last Add Round Key Stage: Since only the add round key stage uses the key, the cipher begins and ends with this stage. By itself, the add round key stage (a virtual one-time pad) will not add enough security, but its interaction with the other three stages provides a highly efficient and secure cryptosystem.
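The round structure just outlined (initial add round key, nine four-stage rounds, a tenth round without mix columns, and a 128-bit key expanded into forty-four words) can be followed step by step in code. The following AES-128 encryption is an added example, not code from the book; the S-box is computed from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than copied from a table, and the byte layout is the column-major state of the standard.

```python
# Added example (not the book's code): AES-128 encryption built from the round structure above.
def xtime(b):                                # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b
def gf_mul(a, b):                            # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def sbox_entry(x):                           # inverse in GF(2^8) (0 -> 0), then the affine map
    inv = next(y for y in range(256) if gf_mul(x, y) == 1) if x else 0
    s = inv
    for i in range(1, 5):                    # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]  # the byte-to-byte lookup used by bytesub
def expand_key(key):                         # 16-byte key -> 44 words -> 11 round keys
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # RotWord, SubWord, then XOR the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def add_round_key(s, k): return [a ^ b for a, b in zip(s, k)]
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s):                           # column-major state: row r of column c is s[4*c + r]
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def mix_columns(s):                          # each column multiplied by {03}x^3 + x^2 + x + {02}
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(a[i], 2) ^ gf_mul(a[(i + 1) % 4], 3) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for i in range(4)]
    return out

def aes128_encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])    # cipher begins with add round key
    for r in range(1, 10):                   # nine rounds of four stages
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))  # tenth round omits mix columns
```

With the FIPS-197 Appendix C.1 key 00 01 02 ... 0f and plaintext 00 11 22 ... ff, the function returns the published ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a.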