- Home
- The AES cryptosystem
- The protocol explained
The Advanced Encryption Standard (AES)
The math and definitions explained
In cryptography, we often encrypt and sign messages that contain characters. However, asymmetric key cryptosystems (where Alice and Bob use different keys), such as RSA and ElGamal, are based on arithmetic operations on integers. Symmetric key cryptosystems (where Alice and Bob use the same key), such as DES and AES, are based on bitwise operations on bits (a bit is either 0 or 1 and is an abbreviation for binary digit). Therefore, we must convert characters into integers or bits before applying the cryptosystem to the message.
Because a computer can only handle bits, there already exists a method for converting characters into integers or bits, which uses the ASCII (American Standard Code for Information Interchange) table. A part of the ASCII table from Wikipedia is shown in the following table (note that the binary representation on the Wikipedia site uses only seven bits, but we use eight bits by prepending an extra 0):
Character |
Decimal |
Hexadecimal |
Binary |
(space) |
32 |
20 |
00100000 |
! |
33 |
21 |
00100001 |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
A |
65 |
41 |
01000001 |
B |
66 |
42 |
01000010 |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
a |
97 |
61 |
01100001 |
b |
98 |
62 |
01100010 |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
\( \vdots \) |
For example, if Alice wants to send the message "Hey Bob!" encrypted to Bob using a symmetric key cryptosystem, she first converts it into its integer representation and then into its binary representation:
\( \eqalign{ H &\rightarrow 72 &&\rightarrow 01001000 \\ e &\rightarrow 101 &&\rightarrow 01100101 \\ y &\rightarrow 121 &&\rightarrow 01111001 \\ &\rightarrow 32 &&\rightarrow 00100000 \\ B &\rightarrow 66 &&\rightarrow 01000010 \\ o &\rightarrow 111 &&\rightarrow 01101111 \\ b &\rightarrow 98 &&\rightarrow 01100010 \\ ! &\rightarrow 33 &&\rightarrow 00100001 } \)
That is, the message "Hey Bob!" is represented with integers as "72 101 121 32 66 111 98 33" and in binary as "01001000 01100101 01111001 00100000 01000010 01101111 01100010 00100001".
While ASCII is sufficient for basic English text, modern cryptographic applications often need to handle international characters. Unicode standards like UTF-8 extend ASCII and can encode virtually all characters from all writing systems. In UTF-8, ASCII characters still use a single byte, while other characters may use 2-4 bytes.
Modern cryptographic algorithms typically operate on bytes (8-bit units) or words (groups of bytes). The binary representation shown above organizes characters into bytes, which serve as the fundamental unit for cryptographic operations in algorithms like AES, where data is processed in 128-bit (16-byte) blocks.
Notice the relationship between the different representations:
- The decimal form is what computers process mathematically
- The hexadecimal form (base 16) provides a more compact representation where each hex digit represents exactly 4 bits
- The binary form (base 2) shows the actual bit pattern stored in memory
It's important to note that encoding (converting characters to numbers or binary) is not the same as encryption. Encoding is a standardized, reversible process with no secret key. Anyone knowing the encoding scheme can decode the message. Encryption, on the other hand, requires a key to reverse the process, providing actual security.
Related Encoding Schemes in Cryptography
Several other encoding schemes are commonly used in cryptographic applications:
- Base64: Often used to encode binary data (like encryption keys or encrypted messages) into ASCII text for safe transmission over text-based channels
- Hex encoding: Frequently used to represent hashes, keys, and other binary values in a human-readable format
- Block padding: Many cryptographic algorithms operate on fixed-size blocks (e.g., AES uses 128-bit blocks), requiring messages to be padded to the appropriate length
In mathematics, we are all familiar with arithmetic operations such as addition, subtraction, multiplication, and division. However, computers work with bit strings — that is, sequences of 0s and 1s — and therefore require similar operations that act on two bit strings. The most important bitwise operations are NOT, AND, OR, and XOR. Below, we show the results of these operations with one or two bits as input.
The NOT operation is often represented as !:
The AND operation is represented as \( \wedge \):
- \( 0 \wedge 0 = 0\)
- \( 1 \wedge 0 = 0\)
- \( 0 \wedge 1 = 0\)
- \( 1 \wedge 1 = 1\)
The OR operation is represented as \( \vee \):
- \( 0 \vee 0 = 0\)
- \( 1 \vee 0 = 1\)
- \( 0 \vee 1 = 1\)
- \( 1 \vee 1 = 1\)
The XOR (exclusive OR) operation is represented as \( \oplus \):
- \( 0 \oplus 0 = 0\)
- \( 1 \oplus 0 = 1\)
- \( 0 \oplus 1 = 1\)
- \( 1 \oplus 1 = 0\)
Operations on Multi-Bit Values
These operations work on each bit position independently when applied to longer bit strings. Let A = 10110110
and B = 11001101
:
Operation |
Bit Values |
Description |
NOT A |
NOT 10110110 = 01001001 |
Each bit flipped |
A AND B |
10110110 AND 11001101 = 10000100 |
Bitwise AND of each position |
A OR B |
10110110 OR 11001101 = 11111111 |
Bitwise OR of each position |
A XOR B |
10110110 XOR 11001101 = 01111011 |
Bitwise XOR of each position |
Common Notations
These operations are represented differently across contexts:
- Mathematical notation: ! (NOT), \(\wedge\) (AND), \(\vee\) (OR), \(\oplus\) (XOR)
- Programming notation: ~ (NOT), & (AND), | (OR), ^ (XOR)
- Boolean logic: NOT, AND, OR, XOR
Importance in Cryptography
Bitwise operations are fundamental to modern cryptography:
- XOR is especially important because it forms the basis of the one-time pad and is used extensively in stream ciphers and block cipher modes
- AND and OR are commonly used in hash functions and S-box implementations
- Bit permutations (rearrangements) combined with these operations create diffusion and confusion in many algorithms
Key Properties of XOR
XOR has special properties that make it valuable in cryptography:
- Self-inverse: A \(\oplus\) A = 0 (XORing any value with itself gives zero)
- Identity element: A \(\oplus\) 0 = A (XORing with zero leaves the value unchanged)
- Associative: A \(\oplus\) (B \(\oplus\) C) = (A \(\oplus\) B) \(\oplus\) C
- Commutative: A \(\oplus\) B = B \(\oplus\) A
These properties allow operations like: C = P \(\oplus\) K (encryption), P = C \(\oplus\) K (decryption)
Additional Bitwise Operations
Other important operations in cryptography include:
- Shift operations (left << and right >>): Move bits to the left or right, filling with zeros
- Rotate operations (ROL and ROR): Similar to shifts but wrap the bits around
- Bit permutation: Rearranging bits according to a fixed pattern
These operations are fundamental components in many encryption algorithms and hash functions.
Types of Attacks on Symmetric Cryptosystems
Alice and Bob's adversary, Eve, can attempt the following types of attacks on a symmetric key cryptosystem such as DES or AES:
- Ciphertext-only attack: Eve tries to guess the key used to encrypt an observed ciphertext sent between Alice and Bob.
- Known-plaintext attack: Eve somehow knows the plaintext corresponding to an observed ciphertext sent between Alice and Bob and tries to guess the key.
- Chosen-plaintext attack (CPA): Eve tricks Alice or Bob into encrypting a message of her choice. Using her knowledge of the resulting ciphertext and plaintext, she tries to guess the key used.
- Chosen-ciphertext attack (CCA): Eve can send a ciphertext to Alice or Bob, who then return the decrypted message. With her knowledge of the ciphertext and plaintext, she tries to guess the key used.
Deterministic vs. Probabilistic Encryption
Symmetric key cryptosystems can be divided into two groups: deterministic and probabilistic cryptosystems. A deterministic cryptosystem, such as DES or AES, uses no randomness during encryption; that is, encrypting the same plaintext twice with the same key always produces the same ciphertext (which can be observed by Eve). This issue can be addressed with a probabilistic cryptosystem, such as the various modes of operation for DES and AES, which use randomness in the form of an initialization vector.
In a good deterministic cryptosystem, there should be no discernible relationship between the plaintext and ciphertext when the key is unknown. In other words, encryption in a deterministic cryptosystem should behave like a truly random function. If this is the case, we say that the encryption function is a pseudo-random function (PRF), and the cryptosystem is PRF-secure if Eve's advantage in correctly guessing in the following game is negligible:
Eve sends a message \( m \) to an oracle, which returns a ciphertext \( c \). Here, \( c \) is either an encryption of \( m \) using the cryptosystem's encryption function or an encryption of \( m \) using a truly random function. Eve then tries to guess which encryption function the oracle used.
PRF Security Model
With a probabilistic cryptosystem, we can achieve higher security compared to a deterministic cryptosystem. Therefore, we require that Eve cannot distinguish between a real encryption of her message \( m \) and an encryption of a random message unrelated to \( m \). We say that a probabilistic cryptosystem is CPA-secure if Eve's advantage in correctly guessing in the following game is negligible:
Eve sends a message \( m \) to an oracle, which returns a ciphertext \( c \). Here, \( c \) is either an encryption of \( m \) or a random message of the same length as \( m \). Eve then tries to guess what \( c \) is an encryption of.
Hence, if a probabilistic cryptosystem is CPA-secure, the only information that a ciphertext reveals is the length of the encrypted message.
Formally, Eve's "advantage" in these security games is defined as the absolute difference between 1/2 and the probability that Eve correctly distinguishes the scenarios: |Pr[Eve guesses correctly] - 1/2|. We say this advantage is "negligible" if it decreases faster than any polynomial in the security parameter (typically the key length).
Block Cipher Modes of Operation
The security properties of symmetric ciphers depend heavily on their modes of operation:
- ECB (Electronic Codebook): The simplest mode, but not CPA-secure as identical plaintext blocks produce identical ciphertext blocks
- CBC (Cipher Block Chaining): CPA-secure when used with a random IV
- CTR (Counter): CPA-secure with a unique nonce, effectively turning a block cipher into a stream cipher
- GCM (Galois/Counter Mode): Provides both confidentiality (CPA-security) and authenticity
The initialization vector (IV) or nonce is crucial for providing the randomness needed for CPA security.
Semantic Security and Indistinguishability
CPA security is often referred to as "semantic security" or "indistinguishability under chosen plaintext attack" (IND-CPA). These terms all describe the same fundamental security property: an adversary cannot extract meaningful information about the plaintext from the ciphertext, even when they can obtain encryptions of chosen messages.
Practical Implications
These security definitions have important practical consequences:
- Systems using ECB mode can reveal patterns in the data (e.g., the famous "ECB penguin" demonstration)
- Reusing the same IV/nonce in CBC or CTR mode can completely break the security
- Many real-world attacks target implementation flaws rather than the algorithms themselves
- Modern systems typically require authenticated encryption (combining confidentiality with integrity)
The cryptography explained
Historical Background
Until 1999, the Data Encryption Standard (DES) served as the standard algorithm for encryption. However, due to its relatively short 56-bit keys and 64-bit blocks, NIST (the National Institute of Standards and Technology) began the process of selecting a replacement, which became known as the Advanced Encryption Standard (AES).
Historical timeline:
- 1997: NIST announces competition for AES
- 1998: 21 algorithm submissions received
- 1999: 15 submissions advance as AES candidates
- 2000: Rijndael selected as the winner
- 2001: NIST publishes AES as FIPS 197 standard
- 2003: U.S. government approves AES for classified information
- 2001-Present: No practical cryptanalytic attacks discovered
NIST established an open competition with specific requirements: AES must use 128-bit blocks and support keys of 128, 192, and 256 bits. Initially, in 1998, 21 cryptosystems were submitted, of which 15 met all the necessary criteria and advanced as AES candidates. In 1999, NIST narrowed the field to five finalists: MARS, RC6, Rijndael, Serpent, and Twofish. These were evaluated according to three criteria: security, efficiency (in both hardware and software implementations), and ease of implementation. While all finalists were considered secure, and none excelled in all three criteria, Rijndael demonstrated the best overall balance and was announced as the AES winner in 2000. The Rijndael cipher, developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, was officially adopted as a standard in 2001, replacing DES.
Key AES Properties:
- Block size: 128 bits
- Key sizes: 128, 192, or 256 bits
- Rounds: 10 (128-bit key), 12 (192-bit key), or 14 (256-bit key)
- Structure: Substitution-permutation network
- Core operations: SubBytes (substitution), ShiftRows (permutation), MixColumns (mixing), AddRoundKey (key addition)
- Mathematical foundation: Operations in finite field GF(2^8)
AES Block & Algorithm Structure
AES is an iterated cipher that processes plaintexts and ciphertexts of 128 bits, where Alice and Bob use the same 128-, 192-, or 256-bit key \( K \) for both encryption and decryption. Because both parties use identical keys, AES is classified as a symmetric key cryptosystem. For example, Alice can securely transmit the key to Bob using an asymmetric cryptosystem such as RSA or ElGamal. The reason symmetric key cryptosystems are used, even though an asymmetric cryptosystem is needed to exchange the key, is that symmetric systems operate significantly faster than asymmetric cryptosystems.
A fundamental distinction between the following description of AES and asymmetric cryptosystems is that AES operates with bits and bitwise operations rather than integers and arithmetic operations. As a result, plaintexts and ciphertexts in symmetric cryptosystems are often referred to as blocks because they consist of bitstrings.
AES resembles DES in that it repeatedly executes a series of basic operations during encryption and decryption. If the key \( K \) is 128 bits, AES performs 10 rounds (iterations); a 192-bit key requires 12 rounds, and a 256-bit key requires 14 rounds. We denote the number of rounds as \( n \), meaning \( n = 10 \), \( n = 12 \), or \( n = 14 \) depending on the key length.
Figure 1: The AES encryption algorithm \( E_{K} \)
Figure 2: The AES decryption algorithm \( D_{K} \)
Key Schedule
As explained earlier, AES employs the addRoundKey operation \( n+1 \) times, which XORs the current state \( s \) with the current round key \( K^{i} \). However, Alice and Bob initially agree on only a single 128-, 192-, or 256-bit key \( K \). To address this requirement, they use a key schedule that derives from the key \( K \) the \( n+1 \) round keys \( K^{1}, K^{2}, \dots, K^{n+1} \), where each \( K^{i} \) represents a specific permuted selection of bits from \( K \).
Core AES Operations
The State Representation
The state operation transforms the 128-bit input block \( x \) (the plaintext \( m \) in the encryption algorithm or the ciphertext \( c \) in the decryption algorithm) into the state matrix \( s \), as illustrated in Figure 3. This state matrix consists of four rows and four columns, where each entry represents 1 byte (8 bits). Thus, the 16-byte (128-bit) input block \( x \) is divided into 16 individual blocks \( s_{1}, s_{2}, \dots, s_{16} \), each comprising 1 byte (8 bits).
The inverse operation, stateInv, is illustrated in Figure 4. In this process, the state matrix \( s \) is converted back into the 128-bit output block \( y \) (the ciphertext \( c \) in the encryption algorithm or the plaintext \( m \) in the decryption algorithm). This conversion is represented as \( y = s_{1} \| s_{2} \| \cdots \| s_{16} \), where \( \| \) denotes the concatenation operator.
Figure 3: The \( state \) operation
Figure 4: The \( stateInv \) operation
The AddRoundKey Operation
The addRoundKey operation, as illustrated in Figure 5, XORs the 128-bit state \( s \) with the current 128-bit round key \( K^{i} \). An important property of the XOR operator is that it functions as its own inverse.
Figure 5: The \( addRoundKey \) operation
The SubBytes Operation
The subBytes operation substitutes each entry in the state matrix \( s \) with a corresponding value from the S-box \( S \), as Figure 6 demonstrates for the first entry \( s_{1} \). Since each entry in the state matrix \( s \) represents 1 byte (8 bits), it can be expressed as a two-digit hexadecimal number. The first digit identifies a row in the S-box, and the second digit identifies a column. The output of the subBytes operation is the value located at that specific position in the S-box.
The S-box \( S \) (shown below) is a lookup table with 16 rows and 16 columns, where each row contains a permutation of hexadecimal numbers. Unlike the eight S-boxes in DES, which featured "random" permutations of integers from 0 to 15 (carefully selected to resist specific types of attacks, particularly differential cryptanalysis), the entries in the single AES S-box are mathematically defined according to operations in the polynomial group \( \mathbb{F}_{2^{8}}[X] \). This mathematical structure is also commonly referred to as the Galois field and denoted by \( GF(2^{8}) \).
The S-box \( S \) |
|
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
a |
b |
c |
d |
e |
f |
0 |
63 |
7c |
77 |
7b |
f2 |
6b |
6f |
c5 |
30 |
01 |
67 |
2b |
fe |
d7 |
ab |
76 |
1 |
ca |
82 |
c9 |
7d |
fa |
59 |
47 |
f0 |
ad |
d4 |
a2 |
af |
9c |
a4 |
72 |
c0 |
2 |
b7 |
fd |
93 |
26 |
36 |
3f |
f7 |
cc |
34 |
a5 |
e5 |
f1 |
71 |
d8 |
31 |
15 |
3 |
04 |
c7 |
23 |
c3 |
18 |
96 |
05 |
9a |
07 |
12 |
80 |
e2 |
eb |
27 |
b2 |
75 |
4 |
09 |
83 |
2c |
1a |
1b |
6e |
5a |
a0 |
52 |
3b |
d6 |
b3 |
29 |
e3 |
2f |
84 |
5 |
53 |
d1 |
00 |
ed |
20 |
fc |
b1 |
5b |
6a |
cb |
be |
39 |
4a |
4c |
58 |
cf |
6 |
d0 |
ef |
aa |
fb |
43 |
4d |
33 |
85 |
45 |
f9 |
02 |
7f |
50 |
3c |
9f |
a8 |
7 |
51 |
a3 |
40 |
8f |
92 |
9d |
38 |
f5 |
bc |
b6 |
da |
21 |
10 |
ff |
f3 |
d2 |
8 |
cd |
0c |
13 |
ec |
5f |
97 |
44 |
17 |
c4 |
a7 |
7e |
3d |
64 |
5d |
19 |
73 |
9 |
60 |
81 |
4f |
dc |
22 |
2a |
90 |
88 |
46 |
ee |
b8 |
14 |
de |
5e |
0b |
db |
a |
e0 |
32 |
3a |
0a |
49 |
06 |
24 |
5c |
c2 |
d3 |
ac |
62 |
91 |
95 |
e4 |
79 |
b |
e7 |
c8 |
37 |
6d |
8d |
d5 |
4e |
a9 |
6c |
56 |
f4 |
ea |
65 |
7a |
ae |
08 |
c |
ba |
78 |
25 |
2e |
1c |
a6 |
b4 |
c6 |
e8 |
dd |
74 |
1f |
4b |
bd |
8b |
8a |
d |
70 |
3e |
b5 |
66 |
48 |
03 |
f6 |
0e |
61 |
35 |
57 |
b9 |
86 |
c1 |
1d |
9e |
e |
e1 |
f8 |
98 |
11 |
69 |
d9 |
8e |
94 |
9b |
1e |
87 |
e9 |
ce |
55 |
28 |
df |
f |
8c |
a1 |
89 |
0d |
bf |
e6 |
42 |
68 |
41 |
99 |
2d |
0f |
b0 |
54 |
bb |
16 |
To clarify the use of the S-box with an example: Suppose we have the entry \( s_{1} = a8 \). The hexadecimal digit \( a \) identifies the row, while \( 8 \) identifies the column in the S-box \( S \). The value at this intersection is the hexadecimal number \( 5c \), so \( S(s_{1}) = S(a8) = 5c \).
The inverse S-box \( S^{-1} \) |
|
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
a |
b |
c |
d |
e |
f |
0 |
52 |
09 |
6a |
d5 |
30 |
36 |
a5 |
38 |
bf |
40 |
a3 |
9e |
81 |
f3 |
d7 |
fb |
1 |
7c |
e3 |
39 |
82 |
9b |
2f |
ff |
87 |
34 |
8e |
43 |
44 |
c4 |
de |
e9 |
cb |
2 |
54 |
7b |
94 |
32 |
a6 |
c2 |
23 |
3d |
ee |
4c |
95 |
0b |
42 |
fa |
c3 |
4e |
3 |
08 |
2e |
a1 |
66 |
28 |
d9 |
24 |
b2 |
76 |
5b |
a2 |
49 |
6d |
8b |
d1 |
25 |
4 |
72 |
f8 |
f6 |
64 |
86 |
68 |
98 |
16 |
d4 |
a4 |
5c |
cc |
5d |
65 |
b6 |
92 |
5 |
6c |
70 |
48 |
50 |
fd |
ed |
b9 |
da |
5e |
15 |
46 |
57 |
a7 |
8d |
9d |
84 |
6 |
90 |
d8 |
ab |
00 |
8c |
bc |
d3 |
0a |
f7 |
e4 |
58 |
05 |
b8 |
b3 |
45 |
06 |
7 |
d0 |
2c |
1e |
8f |
ca |
3f |
0f |
02 |
c1 |
af |
bd |
03 |
01 |
13 |
8a |
6b |
8 |
3a |
91 |
11 |
41 |
4f |
67 |
dc |
ea |
97 |
f2 |
cf |
ce |
f0 |
b4 |
e6 |
73 |
9 |
96 |
ac |
74 |
22 |
e7 |
ad |
35 |
85 |
e2 |
f9 |
37 |
e8 |
1c |
75 |
df |
6e |
a |
47 |
f1 |
1a |
71 |
1d |
29 |
c5 |
89 |
6f |
b7 |
62 |
0e |
aa |
18 |
be |
1b |
b |
fc |
56 |
3e |
4b |
c6 |
d2 |
79 |
20 |
9a |
db |
c0 |
fe |
78 |
cd |
5a |
f4 |
c |
1f |
dd |
a8 |
33 |
88 |
07 |
c7 |
31 |
b1 |
12 |
10 |
59 |
27 |
80 |
ec |
5f |
d |
60 |
51 |
7f |
a9 |
19 |
b5 |
4a |
0d |
2d |
e5 |
7a |
9f |
93 |
c9 |
9c |
ef |
e |
a0 |
e0 |
3b |
4d |
ae |
2a |
f5 |
b0 |
c8 |
eb |
bb |
3c |
83 |
53 |
99 |
61 |
f |
17 |
2b |
04 |
7e |
ba |
77 |
d6 |
26 |
e1 |
69 |
14 |
63 |
55 |
21 |
0c |
7d |
During decryption, the inverse S-box \( S^{-1} \) is used in the subBytesInv operation, as illustrated in Figure 7. This inverse corresponds to the reverse operations in the polynomial group \( \mathbb{F}_{2^{8}}[X] \).
Figure 6: The \( subBytes \) operation during encryption
Figure 7: The \( subBytesInv \) operation during decryption
The ShiftRows Operation
The shiftRows operation shifts the second row one position to the left, the third row two positions to the left, and the fourth row three positions to the left, as illustrated in Figure 8. The inverse operation, shiftRowsInv (illustrated in Figure 9), applies the same shifts but in the opposite direction: the second row shifts one position to the right, the third row shifts two positions to the right, and the fourth row shifts three positions to the right.
Figure 8: The \( shiftRows \) operation during encryption
Figure 9: The \( shiftRowsInv \) operation during decryption
The MixColumns Operation
The mixColumns operation multiplies each column in the state matrix \( s \) with a fixed matrix \( M \). In this process, both the column and \( M \) are treated as elements (polynomials) from the group \( \mathbb{F}_{2^{8}}[X] \) and multiplied accordingly. Figure 10 illustrates this operation for the first column. The group \( \mathbb{F}_{2^{8}}[X] \) is the same mathematical structure described earlier in the S-box section. In the inverse operation mixColumnsInv, the inverse matrix \( M^{-1} \) is used instead (as illustrated for the first column in Figure 11).
Figure 10: The \( mixColumns \) operation during encryption
Figure 11: The \( mixColumnsInv \) operation during decryption
Encryption and Decryption Process
The AES encryption algorithm \( E_{K} \), as illustrated in Figure 1, executes the following steps:
- First, the plaintext \( m \) (a 128-bit block) is converted into a state \( s \) (a 128-bit block), and the state \( s \) is XORed with the first round key \( K^{1} \) using the addRoundKey operation.
- Then, the operations subBytes, shiftRows, mixColumns, and addRoundKey are executed \( n-1 \) times on the state \( s \), where the round key \( K^{i+1} \) is used in the \( i \)-th round (for \( i = 1, 2, \ldots, n-1 \)).
- Next, the operations subBytes, shiftRows, and addRoundKey are executed on the state \( s \) (note that these are the same operations as in step (2), except that the mixColumns operation is omitted), where addRoundKey XORs the state with the last round key \( K^{n+1} \). Finally, the state \( s \) is converted into the ciphertext \( c \) (a 128-bit block).
The AES decryption algorithm \( D_{K} \), as illustrated in Figure 2, is the encryption algorithm executed in reverse order (with the round keys used in reverse order). All operations in the decryption algorithm are the inverse operations of those in the encryption algorithm, except for addRoundKey, which is its own inverse. \( D_{K} \) executes the following steps:
- First, the ciphertext \( c \) (a 128-bit block) is converted into a state \( s \) (a 128-bit block), and the state \( s \) is XORed with the last round key \( K^{n+1} \) using the addRoundKey operation.
- Then, the operations shiftRowsInv, subBytesInv, addRoundKey, and mixColumnsInv are executed \( n-1 \) times on the state \( s \), where the round key \( K^{n-i+1} \) is used in the \( i \)-th round (for \( i = 1, 2, \ldots, n-1 \)).
- Next, the operations shiftRowsInv, subBytesInv, and addRoundKey are performed on the state \( s \) (note that these are the same operations as in step (2), except that the mixColumnsInv operation is omitted). Here, addRoundKey XORs the state with the first round key \( K^{1} \). Finally, the state \( s \) is converted back into the plaintext \( m \) (a 128-bit block).
Security Properties
AES is considered highly secure for the following reasons:
- Key Length: AES supports 128, 192, and 256-bit keys, making brute force attacks computationally infeasible.
- Confusion: The SubBytes operation provides strong non-linearity.
- Diffusion: The ShiftRows and MixColumns operations ensure that changes to one byte affect many bytes in subsequent rounds.
- Resistance to Known Attacks: AES has withstood extensive cryptanalysis for over two decades.
The best known attacks against AES are still largely theoretical and require computational resources far beyond what is currently possible.
Practical Applications
AES is widely used in various applications and protocols:
- TLS/SSL: Securing web communications
- File Encryption: Protecting sensitive documents
- Wi-Fi Security: WPA2/WPA3 protocols
- VPN Technologies: Securing private network communications
Common AES modes of operation include:
- ECB (Electronic Codebook): The simplest mode, but not recommended for most applications
- CBC (Cipher Block Chaining): Each block's encryption depends on the previous block's ciphertext
- CTR (Counter): Converts block cipher into stream cipher by encrypting sequential counter values
- GCM (Galois/Counter Mode): Provides both encryption and authentication
See the "Modes of operation" page for more information.
The protocol
Key exchange |
Alice and Bob agree on the 128-, 192-, or 256-bit key \( K \). |
Encryption |
Alice:
- Uses the key \( K \) in the key schedule to generate the \( n+1 \) 128-bit round keys \( K^{1}, K^{2}, \dots, K^{n+1} \), where \( n = 10 \) if \( K \) is 128-bit, \( n = 12 \) if \( K \) is 192-bit, and \( n = 14 \) if \( K \) is 256-bit.
- Uses the round keys in the order \( K^{1}, K^{2}, \dots, K^{n+1} \) in the AES encryption algorithm \( E_{K} \) to encrypt the message \( m \) by computing \( c = E_{K}(m) \).
|
|
Alice sends the 128-bit ciphertext \( c \) to Bob. |
Decryption |
|
Bob:
- Uses the key \( K \) in the key schedule to generate the \( n+1 \) 128-bit round keys \( K^{1}, K^{2}, \dots, K^{n+1} \), where \( n = 10 \) if \( K \) is 128-bit, \( n = 12 \) if \( K \) is 192-bit, and \( n = 14 \) if \( K \) is 256-bit.
- Uses the round keys in the reverse order \( K^{n+1}, K^{n}, \dots, K^{1} \) in the AES decryption algorithm \( D_{K} \) to decrypt the ciphertext \( c \) by computing \( m = D_{K}(c) \).
|
Try a demo of the encryption scheme here.
Example
In the following example, we present keys, plaintext, and ciphertext using hexadecimal notation. Recall that hexadecimal digits \( 0, 1, \dots, 9, a, b, \dots, f \) correspond to decimal values from 0 to 15. Each of these decimal values can be represented as four binary bits; for example, the decimal number 4 in binary is \( 0100 \) and 15 is \( 1111 \). Since four bits convert to one hexadecimal digit, a 128-bit value requires 32 hexadecimal digits, a 192-bit value requires 48 hexadecimal digits, and a 256-bit value requires 64 hexadecimal digits.
Alice wants to send an encrypted message \( m \) to Bob using the AES algorithm. They first establish a shared 128-bit key \( K = 2b7e151628aed2a6abf7158809cf4f3c \) and both generate the \( n+1 = 10+1 = 11 \) round keys (each 128 bits) using the key schedule:
\( \eqalign{ K^{1} &= 2b7e151628aed2a6abf7158809cf4f3c \\ K^{2} &= a0fafe1788542cb123a339392a6c7605 \\
&\vdots \\ K^{11} &= d014f9a8c9ee2589e13f0cc8b6630ca6 } \)
Alice then encrypts her 128-bit message \( m = 3243f6a8885a308d313198a2e0370734 \) using the round keys in sequential order \( K^{1}, K^{2}, \dots K^{11} \) and sends the resulting 128-bit ciphertext \( c = E_{K}(m) = 3925841d02dc09fbdc118597196a0b32 \) to Bob.
Bob decrypts the received ciphertext using the round keys in reverse order \( K^{11}, K^{10}, \dots K^{1} \) by computing \( m = D_{K}(c) = 3243f6a8885a308d313198a2e0370734 \).