1.1

Background

The Advanced Encryption Standard is called AES for short. Before it appeared, Data Encryption Standard, which is shorted as DES, was used by programmers for encryption on the world scale. DES is a symmetric cryptosystem developed by IBM in 1972. In 1977, it was identified as the Federal Data Processing Standard by the Federal Government of the United States and authorized to be used in non-secret government communications. However, DES only has a key length of 64 bits. It began to fail to meet the security requirements of encryption algorithm over time.

In 1990s, NIST started to collect for AES scheme to replace DES. The requirements for this standard were that it should be faster than Triple DES and should have at least the same security with Triple DES. Another request is that the winner should be able to resist both practical attacks and theoretical attacks with academic cryptanalysis methods [2]. During that period, Rijndael algorithm, which is the predecessors of AES, is created by Joan Daemen and Vincent Rijmen. For the design of Rijndael algorithm, it has principles of pursuing simplicity, focusing on performance and using well-understood components [2].

By 1999, five algorithms had been included as final alternative solutions. They are MARS, RC6, Rijndael, Serpent and Twofish. In 2000, Rijndael algorithm won in the competition with other algorithms and became the final standard in early 2000s. In US, NIST withdrew DES in 2004, which is a significant symbol for the recognition of AES. Internationally, AES has been included in ISO, IETF and IEEE standard [2].

1.2

Features

AES is a symmetric encryption algorithm. It means that its encryption key and decryption key have the same length. The decryption process of AES is the inverse of its encryption process. As a symmetric encryption algorithm, AES has advantages of relatively light computation requirements, fast encryption speed and high efficiency during the process of encryption.

What’s more, AES is a block cipher algorithm in structure, which represents that the block length and key length are independent and the block length is fixed. Moreover, the plaintext and ciphertext are texts with the same bit length. For AES, it has a fixed block length of 128 bits. Its key length is not fixed and can be adjusted according to different demands. It can be 128 bits, 192bits and 256bits, which correspond to 10, 12 and 14 rounds of encryption.

2.1

Overall Process

For more detailed study, the research contributes insight into AES-128, which has a key length of 128 bits and 10rounds of encryption. It contains universal procedures of plaintext processing, and four procedures for each round. A diagram for a typical 10 rounds encryption is shown in Figure 1.

Figure 1.

Procedures

As shown in this diagram, the origin message is blocked and has a length of 128 bits. The zero round only contains the operation of adding round key. During the next 9 rounds of encryption, each round has procedures of substituting bytes firstly, shifting rows secondly, then mixing columns and adding round keys. However, for the last round, the operation of mixing columns is removed.

2.2

Plaintext Processing

Before rounds, operations should be done to transform plaintext to a matrix. The matrix is 4×4 bytes. The plaintext is fixed as 128 bits for one process. One letter takes up one byte (8 bits) of space. For example, Plaintext = “abcdefghijklmnop”. The matrix is P₀, P₁, …, P₁₅ from top to bottom and left to right. Then “a” corresponds to “P₀”, and “p” corresponds to “P₁₅”. Figure 2 provides a visualization of the concrete operation.

Figure 2.

Text Processing

2.3

Substitute Bytes

After entering rounds, operation of substituting bytes should be first completed. A S-Box, which is constructed complicatedly, is used. It is a 16×16matrix. A S-box is shown below in Figure 3.

Figure 3.

S-box [3]

For example, for an 8-bit to 8-bit mapping, a = a₀a₁a₂a₃a₄a₅a₆a₇. Then the output should be S[a₀a₁a₂a₃][a₄a₅a₆a₇]. For this S-Box, if a = 00000000_B, then the output should be S[0][0]=63_H.

It comes to S-box and its structure. S-box provides mix functions for block key cipher and also serves as defender for different kinds of attacks. For AES-128, S-box is used for 160 times during processing and encryption. In consequence, the security of S-box is strongly associated to the safety of the whole cipher system [4].

To ensure the security of the whole system and make it able to withstand different attacks, the design of S-box should take differential cryptanalysis analysis and linear analysis into consideration. The process of designing one specific S-box is kept secret and should match several requirements. The S-box should be reversible to deal with encryption and decryption demands and should have complexity based on GF (2⁸) [5]. GF (2⁸) has a field of 256 elements and it is constructed according to the polynomial that f(x) = x₈+x₄+x₃+x+1 is irreducible in the ring Z₂[x] [6]. An algebraic interpretation of a S-box is started with one byte (eight bits) with each bit representing 0 or 1. Its S-box entry can be found applying GF (2⁸) and computing algebraically [6].

2.4

Shift Rows

This procedure is a transformation of bytes in a 4×4 matrix (the data matrix). The first row on the top remains unchanged. The second row is shifted left for 8 bits (one byte) circularly. The third row is shifted left for two bytes circularly. The last row on the bottom is shifted left for three bytes circularly. The initial matrix and the result matrix obtained after row-shifts are shown in Figure 4.

Figure 4.

Shift Rows

2.5

Mix Columns

In this procedure, a left multiplication is applied by multiplying data matrix with a fixed mix matrix. The basic requirements of mixing columns are as follows. The process should be reversible and symmetric [7]. It should also on GF (2⁸). A more specific process is shown in Figure 5 as below.

Figure 5.

Mix Columns

Different from common matrix multiplication, the calculation is based on GF (2⁸) and the XOR calculation is applied.

2.6

Add Round Keys

For AES-128, key length is equal to 128 bits. By applying Key-generating function, 44 elements can be generated with each having a length of 4: W[0], W[1],….,W[43].

Among them, the elements from W[0] to W[3] are the original key. Others are divided into 10 groups and serve as round keys for 10rounds encryption.

For every round, XOR calculation is done with the data and the round key. Restoring the text of this round is available by doing the XOR calculation with the round key again.

3.1

Brute Force Attack Analysis and Time Security

Brute force attack means applying exhaustive methods to figure out the key of the encryption. The time complexity of brute force attack is mainly decided by the block length and the key length of the algorithm. For this study, AES-128 has key length of 128 bits. After careful calculation, the results show that brute force attack has to try 3.403×10³⁸ key combinations in the worst condition. This number of possible keys means that even for the fastest computer in the world, it will need about 3.19×10¹⁴ years to find that correct key [10]. This computation result shows a barely imaginable time demand for brute force attack, which verifies the time safety. What’s more, the block size for plaintext and key length are both 128-bit for AES-128 and it has an additional random key size of 8 bits. For the additional bits, the attacker needs to try 8.712×10⁴⁰ key combinations in the worst condition. It will still need about 8.165×10¹⁶ years in maximum to crack the AES-128 algorithm even with the currently fastest computer in the world [10]. To be brief, it is totally impossible for human to try all the key combinations in a short time with current computation capacity.

3.2

Differential Cryptanalysis Analysis

Differential cryptanalysis is an effective method for block key analysis. It is proposed by Bihamand Shamiin in 1991 as a branch of chosen-plaintext attack. The fundamental idea of differential cryptanalysis is to acquire as many key bits as possible through the method of analyzing the effect of chosen plaintext changes on the ciphertext. This method is useful to attack block ciphers and ciphers constructed by iterating over a fixed round function.

For AES, the differential cryptanalysis is based on S-box attacks. Since the security of one encryption system is mainly dependent on the keys rather than the system. The keys of AES are the round keys generated by S-box. As a result, S-box is studied in every round to figure out part of the key. Linear analysis is applied for finding the most suitable linear functions among bits to try to find all bits [8]. For X, X’ ⊕ {0, 1}ⁿ, the differential of X, X’ can be expressed as ΔX = X ⊕ X’. For input pair (X, X’) and the output cipher pair (Y, Y’), the differential pair is (α, β), which satisfies α = X⊕X’ and β = Y⊕Y’.

To generate differential distribution table of S-box, IN_s is defined. As S-box is a mapping of , IN_s refer to the assemble of (α, β) which satisfies S(X⊕α) ⊕ S(X) = β. It means that . The attacker can only get several plaintext pairs, but he can observe the differential from different cipher pairs. Then the attacker should follow these steps:

3.3

Square Attack Analysis

Square attack is an attack based on the A set balance and is also a kind of chosen-plaintext attack. The designer of AES recommends that the method of using the square algorithm to calculate passwords based on byte structures is called Persistent Threat. Since AES algorithm integrates the byte-structure-oriented feature of square algorithm, the square attack can also be applied to AES [11]. According to analysis of basic attacks of square attack, there’s no successful square attack towards the complete AES algorithm. There’re several methods for solving AES with the reduced rounds, which are 4~6 rounds in detail [9]. This means that the attack is only possible for AES with less than 6 rounds. To avoid the square attack and ensure the security, the number of rounds must be equal to or greater than 7 [11]. Therefore, after taking this condition and other features into consideration, the AES algorithm requires 10 rounds of operations, which correspond to 128-bit key.

3.4

Improvements

As the AES algorithm is a widely used cipher system currently, the potential risks as mentioned above need to be faced and solved. Continually being open to attacks will leave the practical users and platforms unsecure. To face up these attacks, divisions of them should be made. The differential cryptanalysis attack and square attack are both chosen-plaintext attacks. Besides, side channel attack and energy analysis attack are all methods that are likely to break the algorithm.

For improvements, a lot of researches and optimizations have been carried out. In Mouna’s research, an improved method for AES implementation is discussed [12]. It uses temporal redundancy and adjusts the AES cycle to make it able to perceive fault attacks that may appear during runtime execution. This change can improve working frequency because pipelined registers are used. According to the research results and statistics, the detection of single fault attacks and multiple fault attacks becomes possible reality with its efficient fault detection system.