In the previous lesson,

we looked at improving DES by using

the same DES functions multiple times with different keys.

Such an approach can make brute-force attacks infeasible by increasing the effective key length.

While triple DES provides greater security than DES,

it requires three times as much computation for Alice and Bob and is therefore slower.

An alternative approach is to design a completely new algorithm.

And we will look at a prominent example of that in Advanced Encryption Standard or AES.

By the time that DES brute force demonstrations were occurring,

the US National Institute of Standards and Technology, or NIST, sensing this insecurity

of DES, issued a call for proposals for a cipher standard to supersede DES.

The call for proposals was posted in

1997, and the result of the call was the Advanced Encryption Standard, or AES.

AES was invented by the Belgian researchers,

Vincent Rijmen and Joan Daemen.

AES was standardized in 2001. AES was designed for

simplicity, to ease implementation, and to resist known attacks on block ciphers.

It is also designed for speed and

code compactness, and it is designed to be faster than triple DES.

AES processes data in bytes, which are eight bits each.

The block length is 16 bytes, in the form of four columns of

four bytes, or a four-by-four matrix with each element being a byte.

This data is called a state array in AES, and

each row or column in the state array is called a word.

So a word is four bytes, or 32 bits, long.

AES supports keys of 128 bits,

192 bits and 256 bits.

Because AES processes data as four-by-four matrix blocks,

it is not based on the Feistel cipher structure,

which operates on data by splitting it into a left half and a right half.

Rather, AES is based on

a substitution-permutation network structure, which alternates substitution and permutation.

AES consists of multiple rounds.

Before the rounds, there is an XOR operation that adds a round key.

This requires an additional round key, which serves as the zeroth

round key, in addition to the round keys for the other rounds.

The number of rounds varies with the key length.

There are 10 rounds if the key is 128 bits,

12 rounds if the key is 192 bits and 14 rounds if the key is 256 bits.

Except for the final round,

which omits the MixColumns step and so has three steps,

each round has the following four steps, in this order, for encryption.

First is the SubBytes operation, which is a lookup-table-based substitution.

The second is the ShiftRows step, which takes the four-by-four

data block and performs a row-based transposition.

The next is the MixColumns step, in which

each column is processed separately using

multiplication over a Galois field, or finite field.

The last is the AddRoundKey step, which XORs the data with the round key.

Because the inputs to XOR need to be the same length,

each round key is 16 bytes long,

the same length as the data block.

There is also a key expansion algorithm that

expands the key and generates the round keys.

As mentioned previously, because there is an AddRoundKey step

that uses a round key before round one,

one more round key needs to be generated than the number of rounds.

While AES is simple by design,

the actual mappings or transformations within these steps

can best be described using finite fields.

A finite field is a mathematical structure that

defines arithmetic operations such as addition,

multiplication and inverses in a way that is friendly to computer implementation.

More specifically, in AES,

finite-field arithmetic is used for MixColumns,

for key expansion to generate the round keys, and

for the construction of the substitution table in SubBytes.

The mathematical discussion of finite fields is out of

scope for this module, and we will leave

this AES description at a higher level, with

descriptions of the steps and their roles in data processing.

Among the steps, only AddRoundKey

uses the round key, and it therefore provides

security by introducing randomness against an attacker who does not know the key.

If the AddRoundKey steps were not there,

AES would merely produce a keyless permutation

whose mapping or transformation is known to the attacker.

This is why the AES cipher starts and ends with

an AddRoundKey step, and includes the additional AddRoundKey step before the rounds.

Each step within the rounds is reversible.

The decryption process reverses the encryption process one step at a time.

That is, the last step of encryption will be

the first step to be reversed in decryption.

To reverse each step,

decryption uses the inverse function of that step.

That is, it has an InvShiftRows step,

an InvSubBytes step and an InvMixColumns step.

The inverse of AddRoundKey is AddRoundKey

itself, because the inverse of XOR is XOR itself.

If you take an input and XOR it with the same value twice

consecutively, the result is the same as the original input.

The AddRoundKey algorithm may be the same for the inverse,

but the order of the round keys that decryption uses is reversed from encryption,

because decryption undoes the steps in reverse order.

Because these inverse algorithms are different from the forward ones,

the AES decryption implementation is different from the AES encryption implementation.

This is in contrast to DES, which has the same implementation for encryption and

decryption and thus can use the same hardware and

software for both encryption and decryption, as we discussed in the last module.
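As an added worked example that is not code from the lecture, here is a compact AES-128 in Python covering both the round structure described above (the zeroth AddRoundKey, nine full rounds, and a final round without MixColumns) and the decryption direction (inverse SubBytes, ShiftRows and MixColumns, with the round keys consumed in reverse order). It derives the S-box and MixColumns from GF(2^8) arithmetic rather than hard-coded tables, and assumes a 16-byte key and a single 16-byte block held column-major as in FIPS-197.

```python
from functools import reduce
from operator import xor
def gmul(a, b):  # GF(2^8) multiplication, reduced by the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r
def make_sbox():  # SubBytes table: multiplicative inverse in GF(2^8), then the affine map
    sbox = [0] * 256
    for x in range(256):
        inv = s = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # 0 maps to 0
        for _ in range(4):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox
SBOX = make_sbox()
INV_SBOX = sorted(range(256), key=SBOX.__getitem__)  # INV_SBOX[SBOX[x]] == x
def expand_key(key):  # AES-128 schedule: 44 words -> 11 round keys (one extra for round zero)
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # every fourth word: RotWord, SubWord, then XOR the round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def sub_bytes(s, box=SBOX):  # state is column-major as in FIPS-197: byte i is row i % 4, column i // 4
    return [box[b] for b in s]
def shift_rows(s, d=1):  # row r rotates left by r positions; d=-1 rotates right (InvShiftRows)
    return [s[i % 4 + 4 * ((i // 4 + d * (i % 4)) % 4)] for i in range(16)]
def mix_columns(s, m=(2, 3, 1, 1)):  # each column times a fixed GF(2^8) matrix; inverse is (14, 11, 13, 9)
    return [reduce(xor, (gmul(s[4 * c + (r + k) % 4], m[k]) for k in range(4))) for c in range(4) for r in range(4)]
def add_round_key(s, k):  # XOR is its own inverse, so this step is reused unchanged in decryption
    return [a ^ b for a, b in zip(s, k)]
def aes128_encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])  # the extra AddRoundKey before round 1
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    return bytes(add_round_key(shift_rows(sub_bytes(s)), rk[10]))  # final round skips MixColumns
def aes128_decrypt_block(key, block):  # inverse steps in reverse order, round keys consumed backwards
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])
    for r in range(9, 0, -1):
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[r]), (14, 11, 13, 9))
    return bytes(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[0]))
```

The key-dependent table lookups in this straightforward form are exactly what expose naive AES implementations to timing side channels, so production systems rely on constant-time or hardware (AES-NI) implementations rather than code like this.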