29

Chapter 3

AES SPECIFICATIONS

This dissertation has implemented hard disk drive security using partial disk

encryption. The proposed partial disk encryption is based on Advanced Encryption

Standards(AES). This chapter discusses the specifications of Advanced Encryption

Standard, Data Encryption Standard which would be helpful to implement proposed

encryption algorithms. The chapter also implements AES(128, 192, 256) algorithm

using Java programming and compares the performance of AES for different key size.

While implementing any cryptography technique it is necessary to analyze the

mathematics related to encryption. It is discussed in section 3.1. The encryption

standard used in proposed thesis is a block cipher. The details of block cipher are

discussed in section 3.2, the detail implementation of AES is discussed in section 3.3.

3.1 Finite Field

In algebra, the field that has a finite number of elements is called finite field or Galois

field (GF). Each finite field has a prime integer which represents its characteristic. For

example, the finite field GF(p), represents a field with the range of integers {0,1, ….,

p-1}[62]

. The total number of elements in the finite field is called the finite field

order. Fields with prime integer orders have characteristic equal to their order.

Some finite fields use non prime integer orders; in this case the finite field will be

represented using the prime number ‘p’ which represents the characteristic along with

the power ‘n’. Equation (3.1) shows how to represent the finite field with order ‘k’,

using the prime number ‘p’ and the power ‘n’.

k = GF(pn)………………………..(3.1)

The finite field in equation (3.1) has a range of integers that vary between {0,1,…, k-

1}.

Finite fields are used in many cryptographic algorithms. The Advanced Encryption

Standard uses the finite field GF(28), where each data byte represents a value between

(00-FF)H.

30

Each data byte can be represented as a polynomial over the GF(28). Equation (3.2)

shows the polynomial representations in GF(28)

a(x) = b7x7+b6x

6+b5x

5+b4x

4+b3x

3+b2x

2+b1x+b0…………… (3.2)

Equation (3.2) can be also written as:

a(x) = ∑i=0 7

bi xi

……………………………………….(3.3)

Where bi ε {0,1}.

The next sub-sections has explained the arithmetic in finite fields based on the

characteristic p=2.

3.1.1 Addition in Finite Field

Arithmetic in finite field is different than normal algebra arithmetic. In finite field

with characteristic of two, an addition is obtained by applying bit-wise XOR

operation between the operands. Equation (3.5) shows the result of the finite field

addition in equation(3.4).

a3(x) = a1(x) + a2(x) = ∑i=0 7

bi xi

+ ∑i=0 7

bi xi

..........(3.4)

a3(x) = ∑i=0 7

(b1i(XOR) b2i)xi………………………….(3.5)

3.1.2 Multiplication in Finite Field

In finite field, the multiplication product of two polynomials will be modulo an

irreducible polynomial so that the final answer can be within the used finite field.

Irreducible polynomial means it cannot be factorized and expressed as a product of

two or more polynomials over the same field.

Equation (3.6) represents the multiplication operation of the polynomials a2(x) and

a1(x) using the modulus m(x).

a3(x) = (a1(x) × a2(x)) mod m(x)………………….(3.6)

31

3.2 Block Cipher

A symmetric-key block cipher is a cryptographic system whose principal aim is to

guarantee the confidentiality of data. Mao [63]

gives the following definition of a

cryptographic system.

Definition 3.2.1 (Cryptographic system). A cryptographic system consists of the

following:

- a plaintext message space P which is a set of strings over some alphabet;

- a ciphertext message space C which is set of possible ciphertext messages;

- an encryption key space K which is the set of possible encryption keys, and a

decryption key space K' which is the set of possible decryption keys;

- a key length l is maximum length of the key k;

- an efficient key generation algorithm: γ : N → K × K';

-an efficient encryption algorithm: ε : P × K → C;

- an efficient decryption algorithm: ε' : C × K' → P.

For a security parameter l, the key generation algorithm outputs a key pair (k, k') ∈ K

× K' of length l. For k ∈ K and p∈ P, we denote by

c = εk(p)……………………………………(3.7)

the encryption operation and by

p = ε'k' (c)………………………………….(3.8)

the decryption operation. It is furthermore necessary that for all m ∈ M

and all k ∈ K, there exists k'∈ K' such that

32

ε'k' (εk (p) ) = p…………………………………………………………..….(3.9)

A block cipher can be seen in a simple way as a deterministic, memoryless, invertible

function mapping an n-bit plaintext block p ∈ {0, 1}n to an n-bit ciphertext block c∈

{0, 1}n furthermore, this function is parameterised by a single l-bit secret key k ∈ {0,

1}l in other words, and using the terminology of Def. 3.2.1, ε = ε', K = K', and k = k'.

The notion of symmetry in block ciphers comes hence from the fact that the same key

is used for both encryption and decryption operations; the opposed notion is the

asymmetric or public-key cryptography [64,65]

which uses different, related keys for

both operations.

In order that a ciphertext decrypts to a unique plaintext for a given fixed key, it is

necessary that the encryption function is a bijection; this restrict the number of block

ciphers to the (2n)! permutations on n-bit values. As this value is extremely large one

for common values of n (64 or 128 bits), the size of the key further restricts the

number of reachable permutations. Usual key lengths (up to 256 bits) imply that this

number is actually very small fraction of all possible permutations. Informally, the

goal is to make it practically impossible to retrieve the plaintext from the ciphertext

without any knowledge on the secret key. The concept of block cipher is summarized

in a formal way in Def. 3.2.2, taken out of [66]

. As the block cipher is memoryless, we

will see it as a function and therefore use a different notation.

Definition 3.2.2 (Symmetric-Key Block Cipher). An n-bit symmetric key block

cipher is a function e : {0, 1}n

× {0, 1}l → {0, 1}

n such that for each key k ∈ {0, 1}

l

the encryption function e(p,k), written ek(p), is an invertible mapping from {0, 1}n

to

{0, 1}n. The inverse mapping is the decryption function, denoted dk(c), where c =

ek(p) denotes the ciphertext c resulting from the encryption of plaintext p under key k.

Note that it is possible to imagine probabilistic block ciphers which take some

randomness in addition to the key as input in order to select a mapping in a non-

deterministic way; thus, each time a plaintext block p is encrypted under the key k,

the output is a set of eligible ciphertext blocks and the function chooses one ciphertext

block c out of this set. Since the encryption function is essentially one-to-many, the

requirement for invertibility implies data expansion, which is a disadvantage of

33

randomized encryption. Furthermore, gathering “good" randomness is not a trivial

problem in the real world. However, depending on the strength of the security model

under consideration, some randomness may be required. In practice, this property is

often shifted to the use of randomized modes of operations. Virtually all block ciphers

are product ciphers, i.e. they combine at least two or more transformations in a

manner intending that the resulting cipher is more secure than the individual

components. The underlying idea is to build a complex encryption function by

combining several simple operations which offer complementary, but individually

insufficient security properties. A very important class of product ciphers is the

category of iterated blockciphers (see Figure 3.1). The key idea is to iterate the same

round function f several times on the plaintext block p.

P - Plain Test C- Cipher Text K- Key

Fig. 3.1 Diagram of an iterated Block-Cipher

More precisely, an iterated block cipher is a block cipher involving the sequential

repetition of an internal function f called a round function. Parameters include the

number of rounds r, the block bit size n and the bit size l of the input key k from

which r subkeys k(i)

(also called round keys) are derived. For invertibility purposes,

the round function f must be a bijection on the round input for each value k(i)

. The

round keys k(i)

are derived from the key k by an algorithm named key-schedule

algorithm. Iterated block ciphers have several advantages: it is possible to implement

them in an efficient way, because one can reuse the same code or circuit in each

round. Furthermore, it is easier to analyze them in a security point of view since

34

several theoretical results concerning iterated block ciphers are available. A more

“high-level" way to build a new block cipher consists in combining directly block

ciphers. The key point is that the keys used by the individual block ciphers should be

statistically independent; however, the distinction is not always clear. A cascade

cipher is usually defined as being the concatenation of s ≥ 2 block ciphers (called

stages), each with (statistically) independent keys: the plaintext is the input of the first

stage, the output of stage i is the input of stage i + 1 and the output of stage s is

defined to be the ciphertext. Multiple encryption is similar to cascade ciphers, but the

keys may be dependent and the stage block ciphers may be either a block cipher e or

its corresponding decryption function d. Most common constructions of multiple

encryption are the double encryption and triple encryption. With this discussion on

block cipher, the present research work proceeds with AES implementation.

3.3 AES Specifications

In 1998 Rijndael cipher developed by the two Belgian cryptographers, John Daemen

and Vincent Rijmen was published. This cipher was selected later on by the NIST as

the Advanced Encryption Standard to supersede the old Data Encryption Standard.

The NIST has published full details of AES under the FIPS publication 1997[67 ]

.

The AES according to [68]

has a constant block size of 128 bits (16 bytes) with 3

different key sizes of 128 bits, 192 bits and 256 bits, where 10, 12 and 14 encryption

rounds will be applied for each key size, respectively. During the encryption and

decryption processes, the 16 bytes of data will form a changeable (4*4) array called

the state array as shown in Figure 3.2. During the encryption process, the state array

consists initially of the input data, this array will keep changing until reaching the

final enciphered data. In the decryption process the state array will start by the

enciphered data and will keep changing until the original data is retrieved.

Each encryption round has 4 main steps, Shift Rows, Byte Substitution using the

Substitution Box (S-Box), Mix Columns, and Add Round Key. The decryption

process consists of the inverse steps, where each decryption round consists of: Inverse

Shift Rows, Byte Substitution using Inverse S-Box, Add Round Key and Inverse Mix

Columns.

35

Fig. 3.2 Input, State and Output Arrays

The round keys will be generated using a unit called the key expansion unit. This unit

will be generating 176, 208 or 240 bytes of round keys depending on the size of the

used key, more details about the key expansion unit will be explained later in this

chapter. Figure 3.3 Shows the AES encryption and decryption processes.

Fig. 3.3 AES Encryption and Decryption Process

36

As can be seen from Figure 3.3, the encryption and decryption processes start by

adding the round key to the data. This round key is called the initial round key and it

consists of the first 16 bytes of round keys in case of encryption and the last 16 bytes

in case of decryption. The encryption iteration starts with the Shift Rows step, then

the Bytes Substitution is applied, followed by the Mix Columns step, and finally the

Round Key is added. In the decryption iteration the Round Key is obtained before the

Inverse Mix Columns step. These iterations are repeated 9, 11 and 13 times for the

key sizes 128,192 and 256 bits, respectively. The last encryption and decryption

iterations exclude the Mix column and Inverse Mix column steps.

3.3.1 Shift Rows/ Inverse Shift Rows

In Shift Rows step the second, third and fourth row of the state array are shifted one,

two and three cyclic shifts to the left, respectively. Most references consider the shift

rows step as the first step in the encryption iteration; however it can be done after the

Byte Substitution step without affecting the algorithm. Figure 3.4 shows how the Shift

Rows step is obtained.

Fig. 3.4 Shift Rows Step

The Inverse Shift Rows step is obtained during the decryption process by shifting the

second, third and fourth rows, one, two and three cyclically shift to the right,

respectively. Figure 3.5 shows how the Inverse Shift Rows step is obtained.

37

Fig. 3.5 Inverse Shift Rows Step

3.3.2 Byte Substitution and Inverse Byte

Byte substitution and Inverse Byte Substitution are the most complex steps in the

encryption and decryption processes. In these steps each byte of the state array will be

replaced with its equivalent byte in the S-Box or the Inverse S-Box as shown in

Figure 3.6.

Fig. 3.6 Byte Substitution

As AES algorithm uses elements within the GF(28), each element in the state array

represents a byte with a value that varies between 00H-FFH. The S-Box has a fixed

size of 256 bytes represented as (16 * 16) bytes matrix. Figure 3.7 shows the AES S-

Box. In this figure the variable ‘b2’ represents the most significant nibble while the

variable ‘b1’represents the least significant nibble.

The Inverse S-Box which is used during the decryption processes will be retrieving

the original byte that was substituted using the S-Box during the encryption process.

For example from the S-Box in Figure 3.7 shows that the S-Box will substitute the

byte ‘00H’ with the byte ‘63H’. Also the byte ‘63H’ in the Inverse S-Box shown in

Figure 3.8 will be substituted by ‘00H’.

38

Fig. 3.7 AES S-Box

Fig. 3.8 AES Inverse S-Box

39

The generation of S-Box is done by two steps, first finding the multiplicative inverse

for the numbers 00H-FFH in the GF(28), then applying the affine transformation on

them. On the other hand, the generation of the Inverse S-Box starts by applying the

inverse affine transformation followed by finding the multiplicative inverse. The two

step generation of S-Box and inverse S-Box is as shown in Figure 3.9. The next sub-

sections have explained these sub-steps in more details.

Fig. 3.9 Generation of S-Box and Inverse S-Box

3.3.2.1 Multiplicative Inverse Calculation

The first step of S-Box generation is finding the multiplicative inverse for the

numbers 00H-FFH, This requires using the irreducible polynomial p(x) defined in the

equation (3.10).

p(x) = x8 + x

4 + x

3 + x + 1……………………………..(3.10)

Since AES is dealing with numbers within the GF(28), it uses the 8

th degree

irreducible polynomial shown in equation(3.10) as defined by[67]

. This polynomial is

used as a reduction polynomial by applying it as a modulus for the multiplication

result of two polynomials so that the final result can be within the finite field GF(28).

Calculating the multiplicative inverse requires using the Extended Euclidean

algorithm, which state that for every polynomial a(x) there exists two polynomials

b(x) and c(x) such that:

a(x) b(x) + p(x) c(x) = 1……………………………….(3.11)

40

And since:

(a(x) ∙ b(x)) mod p(x) = 1……………………………….(3.12)

a(x)-1

can be obtain as:

a(x)-1

= b(x) mod ( p(x))………………………………....(3.13)

3.3.2.2 Affine Transformation

The affine transformation is applied after the multiplicative inverse calculation in the

Byte Substitution step, while it is applied first in the Inverse Byte Substitution step.

The affine transformation and its inverse have two parts, the multiplication part where

a constant matrix will be multiplied with the data, then the addition part, where a

constant vector is added to multiplication result. The matrix ‘A1’ and the vector ‘C1’

are used for the affine transformation as shown in equation(3.14), while the matrix

‘A2’ and the vector ‘C2’ are using for the inverse affine transformation as shown in

equation(3.15).

..(3.14)

.(3.15)

41

3.3.3 Mix Columns / Inverse Mix Columns Steps

After performing the Byte Substitution step during the encryption process, Mix

Columns step is applied. In the decryption process the Inverse Mix Columns step is

applied after adding the Round Key. The Mix Columns step and its inverse are shown

in Figure 3.10. The Mix Columns step and its inverse are not applied in the last

encryption or decryption processes as described in [69]

. In these steps each column of

the state array will be processed using four polynomials. Each polynomial consists of

four operands representing the old state array column elements and they will be used

to obtain the new state array element.

Fig. 3.10 Mix Columns and Inverse Mix Columns Step

According to[70]

, the polynomial c(x) given in equation(3.16) is used to obtain the Mix

Column step:

c(x) = {0,3} ∙ x3 + {0,1} ∙ x

2 + {0,1} ∙ x

2 + 02…………(3.16)

To obtain the Mix Column Step, each 4 bytes state array column is represented as

polynomials over GF (28) as shown in equation(3.17). Each polynomial is multiplied

by the fix polynomial c(x) modulo the polynomial k(x) described in equation(3.18).

b(x) = S3,c∙ x3

+ S2,c ∙ x2 + S1,c ∙ x

2 + S0,c ……………(3.17)

k(x)= x4 + 1……………………………………………(3.18)

According to [71]

, multiplication between the polynomials c(x) and b(x) modulo k(x)

will result in the matrix equation(3.19).

42

………(3.19)

Matrix equation(3.15) can be written in the polynomials equation(3.20):

S0,c' = {02} ∙ S0,c + {03} ∙ S1,c + S2,c + S3,c

S1,c' = {02} ∙ S1,c + {03} ∙ S2,c + S3,c + S0,c …. (3.20)

S2,c' = {02} ∙ S2,c + {03} ∙ S3,c + S1,c + S1,c

S3,c' = {02} ∙ S3,c + {03} ∙ S0,c + S0,c + S2,c

The Inverse Mix Column step is obtained by multiplying the 4 bytes state array

column polynomial b(x) (3.10) by the Inverse Mix Columns polynomial c(x)-1

(3.21)

Modulo k(x) equation(3.18).

c(x)-1

= {0B} ∙ x3

+ {0D} ∙ x2 + {09} ∙ x

2 + 0E……….……(3.21)

The latter multiplication can be represented using the matrix in equation(3.22):

…………(3.22)

Matrix (3.18) can be written using the polynomials equation(3.23):

S0,c' = {0E} ∙ S0,c + {0B} ∙ S1,c + {0D} S2,c + {09} S3,c

S1,c' = {0E} ∙ S1,c + {0B} ∙ S2,c + {0D} S3,c +{09} S0,c .. (3.23)

S2,c' = {0E} ∙ S2,c + {0B} ∙ S3,c +{0D} S1,c + {09} S1,c

S3,c' = {0E} ∙ S3,c + {0B} ∙ S0,c + {0D}S0,c + {09} S2,c

43

3.3.4 Add Round Key Step

Add Round Key step is applied one additional time comparing to the other encryption

and decryption steps. The first Add Round Key step is as shown in Figure 3.11. The

first Add Round Key step is applied before starting the encryption and decryption

iterations, where in the encryption process the first 128 bits of the input key the whole

key in case of using key size of 128 bits are added to the original data block. This

round key is called the initial round key. For the decryption process the initial round

key is the last 128 bits of the generated keys as will be explained later.

Fig. 3.11 Add Round Key

In addition to the initial 16 bytes round keys, another 16 bytes of round keys will be

required for each encryption or decryptions iterations, this makes the total as 176

bytes, 224 bytes and 240 bytes for the key sizes 128,192 and 256 bits, respectively.

These round keys are generated using an operation called the key expansion. In the

key expansion all the round keys will be generated from the original input key. The

next sub-section explains the round keys generation using the key expansion

operation.

3.3.4.1 Key Expansion

The key expansion term is used to describe the operation of generating all Round

Keys from the original input key. The initial round key will be the original key in case

of encryption and the last group of the generated key expansion keys in case of

decryption –the first and last 16 bytes in case of key sizes of 192 and 256 bits. As

mentioned previously this initial round key will be added to the input initially before

starting the encryption or decryption iterations. Using the 128 bits key size, 10 groups

of round keys will be generated with 16 bytes size for each [68].

44

The first four bytes column in each group will be generated as follows:

1) Taking the S-Box equivalent to the last column of the previous group (one previous

column).

2) Perform one cyclic permutation “rotate elements [R0r R1r R2r R3r] to [R1r R2r R3r

R0r].

3) Add the round constant.

4) Add the result to the first column of the previous group (four previous columns).

The remaining second, third and fourth column of each group will be created by

adding the direct previous column with the equivalent column in the previous group

(four previous columns). This will create a total of 176 bytes of round keys.

In the 192 bits key size, each group consists of six columns. The first column will be

created in the same way as in the case of 128 bits key size. The remaining second to

sixth column of each group will be also created by adding the direct previous column

with the equivalent column in the previous group (six previous columns). In the 192

bits key size, 192 bytes of round keys will be generated in addition to the original 24

bytes key. The round keys will be retaken as groups of four columns each and are

applied 13 times during the encryption and decryption processes.

Finally, for the 256 key sizes, each group will consist of 8 columns; the first column

in the group will be created exactly the same way as in the 128 and 192 key sizes. The

fourth column of each group will be created by applying the byte substitution to the

third column values and then adding it to the equivalent column in the previous group

(eight previous columns). The remaining columns are created also by adding the

direct previous column with the equivalent column of the previous group. In the 256

bits key size, 208 bytes of generated round keys in addition to the original 32 bytes

key are applied 15 times as groups of 16 bytes in the encryption and decryption

processes. The Key expansion process is as shown in Figure 3.12.

45

Fig. 3.12 Key Expansion

The round constant matrix “known as RCON” is a constant matrix used during the

key expansion process. Each row of the round constant matrix will be added to the

first row of each group during the key generation as explained previously. The first

column of this matrix is generated according to equation(3.24) while the second, third

and fourth row are zeros. The standard AES reduction polynomial will be used to

keep the elements in the GF(28).

RC[0] = x0 = 1

RC[1] = x …….. …... …….. .. …. (3.24)

RC[j] = x ∙ RC[j-1] = xj , j > 1

3.4 Data Encryption Standard(DES)

The DES[72]

algorithm was designed to encrypt blocks of data containing 64-bits

under control of 56-bit key. DES is considered as the successor of the Lucifer cipher,

which was developed by Horst Feistel and his colleagues at IBM in 1970s. DES

consist of 16 iterations of round a function, which is named as F-function, and an

initial permutation (IP) and a final permutation(FP). The sketch of the DES

encryption is given in Figure 3.13, where K1, K

2, ….., K

16 are subkeys. Note that the

subkeys are derived from the 56-bit secret key by the key scheduling algorithm.

46

Fig. 3.13 The Feistel structure of DES

The F-function of DES is illustrated in Figure 3.14. In each round, the block is

divided into 32-bit halves: the left half L and the right half R. The F-function accepts

R and subkey Ki as its inputs, uses expansion E to expand R from 32-bits to 48 bits,

and XORs the result with 48-bit Ki. The result of the XOR operation is substituted by

employing eight S-Boxes. Each S-Box accepts 6-bit input and generates a 4-bit

output. The Permutation P is used to permute the 32-bit result of the S-Box operation.

The output of the F-function, denoted by F(R, Ki), is XORed with the left half L, and

then the left and right halves are interchanged. The complete specification of the DES

cipher can be found in[73]

.

47

Fig. 3.14 DES F- Function

3.5 AES Implementation

The detailed implementation of standard AES algorithm[67]

is discussed in section

3.3. Here the pseudo code and flowchart for implementation are given for AES(128,

192, 256)encryption. The encryption algorithm takes a plaintext and a key as input

and outputs a ciphertext. The plaintexts represented as a byte matrix with 4 rows and

4 columns. The intermediate cipher result is called state. After an initial round key

addition, the state is transformed by implementing a round function 10, 12 or 14 times

for 128-bit, 192-bit or 256-bit keys, respectively [74]

. Each round function, except the

final round, contains four transformations which are SubBytes (SB), ShiftRows (SR),

MixColumns (MC) and AddRoundKey(AK). The final round is slightly different

from Nr – 1 round as it does not include the MixColumns operation. The details

process is as per section 3.3[67]

. The operation routine is illustrated below in

Procedure 3.1:

48

Procedure 3.1 [74]

Cipher (byte in[4 * Nb], byte out[4 * Nb], word w[Nb * (Nr + 1])

1. byte s[4, Nb]

2. s = in

3: AddRound(s, w[0, Nb-1])

4. For round = 1 to Nr -1 do

5.SubBttes(s).

6. ShiftRows(s)

7. MixColumns(s)

8. Add Round Key(s, w[round * Nb, (round + 1) * Nb – 1])

9. end for

10. SubBytes(s)

11. ShiftRows(s)

12. AddRundKey(s, w[Nr * Nb, (Nr + 1) * (Nb – 1])

13 out = s

The flow chart of AES encryption algorithm is as shown in Figure 3.15[74]

.

Fig. 3.15 AES Implementation: Encryption Flow chart

49

3.5.1 Decryption

For decryption, the decryption cipher takes a ciphertext and a key as two input

parameters and outputs the corresponding plaintext. The four transformations:

SubBytes, ShiftRows, MixColumns and AddRoundKey, can be inverted in reverse

order to provide the decryption of the cipher. The decryption algorithm is expressed in

pseudo code in Procedure3.2 [47].

The decryption process is shown in Figure 3.16[74].

The inverse operation is performed on SubBytes, ShiftRows, and MixColumns. The

inverse operation of AddRoundKey is itself.

Procedure 3.2 [74] InvCipher (byte in[4 * Nb], byte out[4 * Nb], word w[Nb *(Nr + 1])

1. byte s[4, Nb]

2. s = in

3. AddRound(s, w[Nr * Nb, Nr + 1 * Nb-1])

4. InvShiftRows(s)

5. InvSubBttes(s).

6. For round = Nr -1 to 1 do

7. InvShiftRows(s)

8. InvSubBttes(s).

9. Add Round Key(s, w [round * Nb, (round + 1) * Nb – 1])

10. InvMixColumns(s)

11. end for

12. AddRundKey(s, w [Nr * Nb, (Nr + 1) * (Nb – 1])

13 out = s

The flow chart of AES decryption algorithm is as shown in Figure 3.16[74]

.

50

Fig. 3.16 AES Implementation: Decryption Flow chart

3.5.2 Key Schedule

The AES cipher is specified as a number of repetitions of transformation rounds that

convert the input plaintext into the final output of ciphertext. The numbers of cycles

of repetition are as follows:

10 cycles of repetition for 128 bit keys.

12 cycles of repetition for 192 bit keys.

14 cycles of repetition for 256 bit keys.

Each round consists of several processing steps, including one that depends on the

encryption key. A set of reverse rounds are applied to transform ciphertext back into

the original plaintext using the same encryption key [68].

51

The AES uses the key schedule to expand the cipher key into the round keys. The

total number of words in the round keys generated by the key schedule is equal to Nb

* (Nr +1) since the algorithm requires a block of Nb words for the initial key addition,

and each of the Nr rounds need Nb words of key data.

The round keys are represented as a linear array of four byte words, denoted by W[i],

with i in the range 0 ≤ i < Nb(Nr + 1). Therefore, the rounds key contains 44, 52 and

60 words for AES-128, AES-192 and AES-256 respectively. The pseudo code for the

key schedule of AES algorithm is shown in Procedure3.3 [74].

The RotWord(RW) function takes a four-byte as input, and applies a cyclic

permutation to the input. Figure 3.17 [68]

illustrates the RotWord operation.

SubWord(SW) is a transformation that takes an input, and uses the SubBytes

operation described in section 2, to substitute each byte of the input. The SubWord

operation is depicted in Figure 3.18 Rcon[i] is a word array that contains the round

constants. The constants are values given by[xi-1

, 00, 00, 00] with xi-1

being powers of

x(x is denoted as {02}) in the field GF(28). Note that i begin with 1, not 0.

Procedure 3.3 [74]

KeyExpansion byte in[4 * Nk], word w[Nb * (Nr + 1], Nk)

1. word temp

2. i = 0

3. while (i < Nk) do

4. W[i] = word(key[4 * i], key[4 * i + 1], key[4 * i + 2], key[4 * i + 3])

5. i = i +1

6. end while

7. i = Nk

8. while(i < Nb * (Nr + 1)) do

9. temp = SubWord (RotWord(temp) xor Rcon[i/Nk]

10. else if ( Nk > 6 and I mod NK = 4) then

11. temp = SubWord(RotWord(temp) xor Rcon[i/Nk]

12. else if ( Nk > 6 and I mod Nk = 4) then

13 temp = SubWord(temp)

52

14. end if

15. W[i] = W[i – Nk] xor temp

16. i = i + 1

17. end while

Fig. 3.17 RotWord Transformation

Fig. 3.18 The SubWord Operation

It is demonstrated in Procedure 3.3[67]

that the cipher key is copied to the first Nk

words of array W. The calculation of every following word W[i], is carried out by

XORing the previous word W[i-1], with the word Nk positions earlier, W[i-Nk]. For

words in positions that are multiple of Nk, the key schedule first applies the word

RotWord and SubWord transformation to W[i-1], and then XORs the resulting W[i-1]

with W[i – Nk] and the a round constant, Rcon[i] .

3.5.2.1 The AES-128 Key Schedule

Let K be a 128-bit secret key, and it is denoted by four words: K = (K0, K1, K2, K3),

where Ki is a 4-byte word. The expanded round keys are contained in a 4-byte word

array W[i], 0 ≤ i ≤ 43[68, 48]

. In the key schedule of AES-128, W[i] is defined by

following method:

Ki, 0 ≤ i ≤4;

53

W[i] = { W[i - 4] ⊕ W[i – 1], 4 ≤ i ≤43 and i mod 4 ≠ 0;…………(3.25)

W[i - 4] ⊕ f(W[i – 1]), 4 ≤ i ≤43 and i mod 4 ≠ 0;

where f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/4]. Figure 3.19 gives a

diagrammatic representation of the AES-128 key schedule.

Fig. 3.19 AES 128-bit Key Schedule

3.5.2.2 The AES-192 Key Schedule

This work represents a 192-bit cipher key as 6 four-byte words: K = (K0, K1, K2, K3,

K4, K5), where Ki is a four-byte word. A four-bytes word array W[i], 0 ≤ i ≤ 51, is

54

used to store the expanded round keys . The key schedule of AES-192 employs the

following formula to calculate W[i] :

the key schedule of AES-128, W[i] is defined by following method :

Ki, 0 ≤ i ≤6;

W[i] = { W[i - 6] ⊕W[i – 1], 6 ≤ i ≤51 and i mod 6 ≠ 0;

W[i - 6] ⊕ f(W[i – 1]), 6 ≤ i ≤51 and i mod 6 ≠ 0;…………(3.26)

where f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/6]. Figure 3.20 gives a

diagrammatic representation of the AES-192 key schedule.

Fig. 3.20 The AES-192 Key Schedule

55

3.5.2.3 AES-256 bit Key Schedule

Fig. 3.21 AES-256 bit Key Schedule

Assume that the K is a 256-bit secret key, and it is expressed as 8 four-byte words: K

= (K0, K1, K2……., K7) where Ki is a four-byte word. The resultant round key are

contained in four-byte word array W[i], 0 ≤ i ≤ 59. In the following key schedule of

AES-256, the calculation of W[i] is determined by following routine:

Ki, 0 ≤ i ≤8;

W[i] = { W[i - 8] ⊕ W[i – 1], 8 ≤ i ≤59 and i mod 8 e {0, 4};

W[i - 8] ⊕ f(W[i – 1]), 8≤ i ≤59 and i mod 8 = 0;

W[i - 8] ⊕ g(W[i – 1]), 8≤ i ≤59 and i mod 8 = 4;…………(3.27)

where f(W[i – 1]) and g(W[i – 1]) are defined as fillows:

f(W[i – 1]) = SubWord(RotWord(W[i – 1])) ⊕ Rcon[i/8].

g(W[i – 1]) = SubWord(W[i - 1])

56

Figure 3.21 gives a diagrammatic representation of the AES-256 key schedule. The

AES-256 key schedule (Nk = 8) is slightly different from the AES-128, AES-192 key

schedules. If Nk = 8 and i – 4 is a multiple of Nk, an extra SubWord operation is

applied to W[i–1] prior to XOR operation. For instance, if i=12, the AES-256 key

schedule carries out an extra SubWord operation on W[11] before XOring it with

W[4] (shown in Figure 3.19)

3.6 Results

The AES algorithm with different key size is implemented in Java. For the

experiment, the current work used a laptop PentiumV 2.4 GHz CPU, in which

performance data is collected. The encryption/decryption time required for specific

amount of data is observed. The encryption/decryption time is used to calculate the

throughput of an encryption scheme. It indicates the speed of encryption. The

throughput of the encryption scheme is calculated as the total plaintext in bytes

encrypted by the encryption time. The increase in key size increases the

encryption/decryption time. It also increases the complexity of algorithm so that it

would be almost impossible to break the algorithm. The performance of AES

algorithm for different key size on different size data files is observed. The simulation

results with different key sizes are as shown in Table 3.1

Table 3.1 AES Performance with Different Key Size

Input Size

(KB)

Time (Millisecond)

AES(128) AES(192) AES(256)

45 38 56 67 76 86 94 102

102 93 105 121

500 130 167 178

900 206 267 290

1025 300 301 320

Avg. Time 142.1 165 179.6

Throughput 18.62 16.04 14.73

57

The observed values are graphically plotted as shown in Figure 3.22. The x-axis

shows the file size and the y-axis represents time in milliseconds. The calculated

throughput and average from the observed values are graphically plotted,

Fig. 3.22 AES Performance with different key size

The observations are

1. In case of AES it can be seen that higher key size leads to clear change in the

battery and time consumption.

2. It can be seen that going from 128 bits key to 192 bits causes increase in

power and time consumption about 8% and to 256 bit key causes an increase

of 16%.

0

50

100

150

200

250

300

350

Time ms

Input Data KB

AES(128,192,256) Performance

Time (Millisecond) AES(128)

Time (Millisecond) AES(192)

Time (Millisecond) AES(256)

58

3. Hence user can select higher key size algorithm when higher security is

desired and lower key size for higher performance in terms of resources.

3.7 Summary

The chapter studied AES and DES specifications. The chapter also conations

implementation of AES(128, 192, 256) algorithm using Java programming and

compared the performance of AES for different key size.