4.2.2 Introducing AES
In 1997, the same year in which DES was definitively broken by a brute-force attack,
NIST announced an initiative to develop a new encryption standard, called the
Advanced Encryption Standard (AES), which would replace DES. The selection
process was open and the candidates had to meet a series of requirements among
which the most important were support for key lengths of 128, 192, and 256 bits and
a block size of 128 bits. The evaluation criteria focused on aspects related to security,
cost, and implementation characteristics and, after a selection process that took
three years to be completed, in October 2000, NIST announced that the algorithm
Rijndael, designed by Belgian cryptographers Joan Daemen and Vincent Rijmen,
would become AES.
As already mentioned, the input and output of the AES algorithm are 128-bit
blocks and the key length is either 128, 192 or 256 bits. AES is byte-oriented in
the sense that the basic processing unit in the algorithm is a byte, i.e., a sequence
of eight bits treated as a single entity. With this in mind, the blocks are just 16-byte
arrays and the key is an array of 16, 24 or 32 bytes. These bytes will be identified with
elements of the field $\mathbb{F}_{2^8}$ as indicated in Sect. 2.8.4 so that, in particular, the arithmetic
operations in this field can be applied to them. For brevity, we will usually represent
bytes in hexadecimal notation, i.e., using two hexadecimal digits for each byte.
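The following is an added example, not code from the original text, showing what treating bytes as field elements means in practice. It assumes the reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B) that FIPS 197 specifies for AES, which this page does not state; the function names are illustrative.

```python
# Added example: arithmetic on bytes viewed as elements of GF(2^8).
# Assumption (FIPS 197, not stated on this page): the field is built with
# the reduction polynomial m(x) = x^8 + x^4 + x^3 + x + 1, i.e. 0x11B.
# Illustrative only: the data-dependent branches are not constant-time.
AES_MODULUS = 0x11B


def gf_add(a: int, b: int) -> int:
    """Add two field elements: coefficient-wise addition mod 2 is XOR."""
    return a ^ b


def xtime(a: int) -> int:
    """Multiply by x (the byte 0x02): shift left, reduce if degree hits 8."""
    a <<= 1
    if a & 0x100:
        a ^= AES_MODULUS
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements by shift-and-add over the bits of b."""
    result = 0
    while b:
        if b & 1:
            result ^= a      # add the current multiple of a
        a = xtime(a)         # next multiple: a * x^k
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254, since a^255 = 1 for every a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:               # square-and-multiply
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


if __name__ == "__main__":
    # Bytes shown in the two-digit hexadecimal notation used in the text.
    print(f"57 + 83 = {gf_add(0x57, 0x83):02x}")
    print(f"57 * 83 = {gf_mul(0x57, 0x83):02x}")
    print(f"53^-1   = {gf_inv(0x53):02x}")
```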
Like almost all other block ciphers, AES is a key-iterated block cipher that acts
in a series of rounds. Each round can be regarded as a simple cipher that uses a
key obtained from the AES key by a process called key expansion. There is some
heuristic evidence suggesting that this iteration process may lead to a secure (i.e.,
pseudo-random) cipher, although this has not been rigorously proven. Of course,
the round functions have to meet some criteria such as, for example, being highly
non-linear, since the composition of linear functions is again linear and hence far
from pseudo-random (recall, for example, the cryptanalysis of the Hill cipher, where
linearity played a crucial role). Experience shows that the security of a well-designed
block cipher increases with the number of rounds and one of the criteria used to
evaluate the practical security of these ciphers is to attack versions with a reduced
number of rounds to see how many rounds can be successfully attacked.
In AES, each 128-bit plaintext block is initialized as a 4 × 4 two-dimensional
byte array. Then AES transforms the plaintext into ciphertext by performing a series
of operations on an intermediate result called the state. Thus the initial state value
is just a plaintext block and the final value is the corresponding ciphertext block,
given also as a 4 × 4 byte array. AES acts by means of the repeated application of
a round to the state, where each round, in turn, consists of the application of several
basic operations. For the initial state, the 16 bytes in a plaintext block are mapped
columnwise to the state array, so that if the sequence of bytes corresponding to this
block is denoted by:
$in_0, in_1, \ldots, in_{15},$
and the sequence of bytes in the corresponding ciphertext block by:
 