Cryptography Reference
Add round key: The 16 bytes of the square resulting from the mix-columns process
are now considered as 128 bits and are XORed to the 128 bits of the round
key. If this is the last round then the output is the ciphertext. Otherwise, the
resulting 128 bits are interpreted as 16 bytes and we begin another round,
commencing with a new byte substitution process.
The most important issue to note is that the whole AES encryption process is based
on a series of table lookups and XOR operations, which are very fast operations
to perform on a computer. It is this speed of processing on a number of different
computing platforms that gave the original Rijndael algorithm the edge during
the AES selection process.
AES DECRYPTION
Decryption of an AES ciphertext simply consists of conducting the encryption
process in the reverse order. In particular:
• each round consists of the four processes conducted in the order: add round
key, mix columns, shift rows, byte substitution;
• each process 'reverses' the corresponding encryption process: for example,
add round key involves XORing the ciphertext with the appropriate round key,
while mix columns involves applying the inverse of the function used during
encryption;
• the round keys are applied in the opposite order to encryption.
Hence, unlike for a Feistel Cipher, the encryption and decryption algorithms do
have to be separately implemented, although they are very closely related.
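The round structure described above, as an added Python example that is not part of the original text: it follows FIPS-197 AES-128, which also applies a round key before the first round and omits mix columns in the final round. The function and variable names are this example's own, and its table lookups are not constant-time, so it is for study rather than deployment.

```python
def gmul(a, b):                        # GF(2^8) multiply, modulus x^8+x^4+x^3+x+1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def sbox_entry(x):                     # field inverse, then the affine map
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]
    return rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
SHIFT = [i % 4 + 4 * ((i // 4 + i % 4) % 4) for i in range(16)]  # new[i] = old[SHIFT[i]]
UNSHIFT = [SHIFT.index(i) for i in range(16)]

def xor(a, b):                         # add round key: byte-wise XOR of 16 bytes
    return [x ^ y for x, y in zip(a, b)]

def mix_columns(s, row):               # row: first row of the circulant matrix
    return [gmul(row[(-r) % 4], s[c]) ^ gmul(row[(1 - r) % 4], s[c + 1])
            ^ gmul(row[(2 - r) % 4], s[c + 2]) ^ gmul(row[(3 - r) % 4], s[c + 3])
            for c in range(0, 16, 4) for r in range(4)]

def round_keys(key):                   # AES-128 key schedule: 11 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt(block, ks):                # ks: list returned by round_keys()
    s = xor(block, ks[0])
    for rnd in range(1, 11):
        s = [SBOX[s[SHIFT[i]]] for i in range(16)]        # substitute, shift rows
        s = mix_columns(s, [2, 3, 1, 1]) if rnd < 10 else s
        s = xor(s, ks[rnd])
    return bytes(s)

def decrypt(block, ks):                # inverse steps, round keys in reverse order
    s = list(block)
    for rnd in range(10, 0, -1):
        s = xor(s, ks[rnd])
        s = mix_columns(s, [14, 11, 13, 9]) if rnd < 10 else s
        s = [INV_SBOX[s[UNSHIFT[i]]] for i in range(16)]  # unshift, unsubstitute
    return bytes(xor(s, ks[0]))
```

Checking `encrypt` against the FIPS-197 Appendix C.1 vector and then round-tripping through `decrypt` confirms that each inverse step undoes its counterpart.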
4.5.3 AES today
AES is now widely adopted and supported in both hardware and software,
including for low-cost environments such as RFID. While there has been a
great deal of scrutiny and analysis of AES, there have thus far been no practical
cryptanalytic attacks against AES. There have been some academic attacks against
the 192- and 256-bit key versions of AES that are more effective than an exhaustive
key search. Nonetheless, AES is widely believed to offer good security for the
foreseeable future. As it was arguably designed using a more effective process
than DES, pending any surprising cryptanalytic breakthroughs, these claims have
reasonable grounding.
In contrast to DES, AES has built-in flexibility of key length, which allows a
degree of 'future-proofing' against progress in the ability to perform exhaustive
key searches.
However, just as for DES, the use of AES only guarantees security if it is
correctly implemented and good key management is applied. In particular, there
have been some very impressive side-channel attacks (see Section 1.6.5) against
AES implementations, indicating the point that we want to keep emphasising