In the previous lesson, we looked at improving DES by using the same DES functions multiple times with different keys. Such an approach can make brute-force attacks infeasible by increasing the key length. While triple DES provides greater security than DES, it requires three times as much computation for Alice and Bob and is therefore slower. An alternative approach is to design a completely new algorithm, and we will look at a prominent example of that in the Advanced Encryption Standard, or AES.

By the time the DES brute-force demonstrations were occurring, the US National Institute of Standards and Technology, or NIST, sensing the insecurity of DES, issued a call for proposals for a cipher standard to supersede DES. The call for proposals was posted in 1997, and the result of the call was the Advanced Encryption Standard, or AES. AES was invented by the Belgian researchers Vincent Rijmen and Joan Daemen. AES was standardized in 2001. AES was designed for simplicity, to ease implementation, and to resist known attacks on block ciphers. It is also designed for speed and code compactness, and it is designed to be faster than triple DES.

AES processes data in bytes, which are eight bits. The block length is 16 bytes, in the form of four columns of four bytes, or a four-by-four matrix with each element being a byte. This data is called a state array in AES, and each row or column in a state array is called a word. So a word is four bytes, or 32 bits, long. AES supports keys of 128 bits, 192 bits and 256 bits. Because AES processes data in four-by-four matrix blocks, it is not based on the Feistel cipher structure, which operates on data by splitting it into a left half and a right half. Rather, AES is based on a substitution-permutation network structure, which alternates substitution and permutation.

AES is comprised of multiple iterative rounds. Before the rounds, there's an XOR operation that adds a round key.
This requires an additional round key, which serves as the zeroth round key, in addition to those for the rounds. The number of rounds varies with the key length. There are 10 rounds if the key is 128 bits, 12 rounds if the key is 192 bits and 14 rounds if the key is 256 bits. Except for the final round, which excludes the MixColumns step and has three steps, the rounds have the following four steps, in this order for encryption. First is the SubBytes operation, which is a lookup-table-based substitution. The second is the ShiftRows step, which takes the four-by-four data block and performs a row-based transposition. The next is the MixColumns step, in which each column is processed separately using multiplications over a Galois field, or finite field. The last is the AddRoundKey step, which XORs the data with the round key. Because the inputs to XOR need to be the same length, each round key is 16 bytes long, the same length as the data block.

There's also a round key generation algorithm that expands the key and generates the round keys. As mentioned previously, because there is an AddRoundKey that uses a round key before round one, one more round key needs to be generated in addition to the number of rounds.

While AES by design is simple, the actual mappings or transformations within these steps can be best described using finite fields. A finite field is a mathematical concept that defines arithmetic operations, such as addition, multiplication and inverse operations, which are friendly to computer implementation. More specifically, in AES, finite-field-based arithmetic is used for MixColumns, for key expansion in round key generation, and for the construction of the substitution table in SubBytes. The mathematical discussion of finite fields is out of scope for this module, and we will leave this AES description at a higher level, with descriptions of the steps and their roles in data processing.
Among the steps, only AddRoundKey uses the round key and therefore provides security by presenting randomness against an attacker who does not know the key. If the AddRoundKey steps were not there, AES would merely produce a non-keyed permutation whose mapping or transformation is known to the attacker. This is why the AES cipher starts and ends with an AddRoundKey step and includes the additional AddRoundKey step before the rounds.

Each step within the rounds is reversible. The decryption process reverses the encryption process one step at a time. That is, the last step of encryption is the first step to be reversed in decryption. For the reverse operation of each step, decryption uses the inverse function of that step. That is, it has an inverse ShiftRows step, an inverse SubBytes step and an inverse MixColumns step. The inverse of AddRoundKey is AddRoundKey itself, because the inverse of XOR is XOR itself. If you take an input and apply the same XOR twice consecutively, the result is the same as the original input. The AddRoundKey algorithm may be the same for the inverse, but the order in which decryption uses the round keys is reversed from encryption, because decryption reverses each of the steps in the reverse order.

Because these algorithms are different, an AES decryption implementation is different from an AES encryption implementation. This is in contrast to DES, which has the same implementation for encryption and decryption and thus can use the same hardware and software for both, as we discussed in the last module.
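
The round structure and its reversal, as an added Python example that is not part of the original lecture: it covers the 128-bit key case only (one zeroth round key plus 10 rounds), and all function names are this example's own. The finite-field helper `gmul` is included only because SubBytes, MixColumns and key expansion are built from it.

```python
# Added example, not from the lecture: AES-128 block cipher, state kept column-major.
def gmul(a, b):                     # multiplication in GF(2^8), reduction polynomial 0x11B
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

SBOX = []                           # SubBytes table: field inverse, then affine transform
for x in range(256):
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    v = inv | inv << 8              # doubled byte, so right shifts act as rotations
    SBOX.append((v ^ v >> 4 ^ v >> 5 ^ v >> 6 ^ v >> 7) & 0xFF ^ 0x63)
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):                # 16-byte key -> 11 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:              # rotate the word, substitute, XOR the round constant
            t, rcon = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]], gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def add_round_key(s, k):            # XOR, so the step is its own inverse
    return [a ^ b for a, b in zip(s, k)]
def shift_rows(s, d=1):             # row index is i % 4; d=-1 gives the inverse step
    return [s[(i + 4 * d * (i % 4)) % 16] for i in range(16)]
def mix_columns(s, c=(2, 3, 1, 1)): # c=(14, 11, 13, 9) gives the inverse step
    return [gmul(s[q + i], c[0]) ^ gmul(s[q + (i + 1) % 4], c[1]) ^ gmul(s[q + (i + 2) % 4], c[2])
            ^ gmul(s[q + (i + 3) % 4], c[3]) for q in (0, 4, 8, 12) for i in range(4)]

def encrypt_block(block, key):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])            # zeroth round key, before the rounds
    for r in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])         # SubBytes, then ShiftRows
        s = mix_columns(s) if r != 10 else s         # final round has no MixColumns
        s = add_round_key(s, rk[r])
    return bytes(s)

def decrypt_block(block, key):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])           # round keys are used in reverse order
    for r in range(9, -1, -1):
        s = [INV_SBOX[b] for b in shift_rows(s, -1)] # inverse ShiftRows, inverse SubBytes
        s = add_round_key(s, rk[r])
        s = mix_columns(s, (14, 11, 13, 9)) if r != 0 else s
    return bytes(s)
```

This is a teaching sketch of the structure only: it encrypts a single 16-byte block, has no mode of operation, and its table lookups are not constant-time.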