AES

1977 — DES published (FIPS 46), 56-bit key

1997 — NIST calls for AES candidates

1998 — 15 submissions from 12 countries

2000 — Rijndael selected as winner

2001 — FIPS 197 published

2003 — NSA approves for classified data

✓ Clean algebraic structure — easy to analyze

✓ Best combination of security + performance

✓ Efficient on 8-bit µC through 64-bit CPUs

✓ Low memory footprint

✓ Parallelizable — suited to pipelining

✓ Simple key schedule

Non-linear layer — SubBytes (S-box)
Provides confusion via GF(2⁸) inversion

Linear diffusion layer — ShiftRows + MixColumns
Provides diffusion via byte transposition & MDS mixing

Key mixing layer — AddRoundKey
XOR of state with round key

in[0] in[4] in[8] in[12]
in[1] in[5] in[9] in[13]
in[2] in[6] in[10] in[14]
in[3] in[7] in[11] in[15]

Coefficient-wise XOR

a(x) ⊕ b(x)

No carries — each bit is independent.

Polynomial multiply then reduce mod m(x)

a(x) · b(x) mod m(x)

Efficiently implemented via xtime() — left-shift + conditional XOR with 0x1B.

Every non-zero element has a unique inverse: a⁻¹ such that a · a⁻¹ = 1

By Fermat's little theorem: a⁻¹ = a²⁵⁴ in GF(2⁸)

Or use the Extended Euclidean Algorithm.

Step 1 Multiplicative inverse in GF(2⁸)

b = a⁻¹   (with 0⁻¹ defined as 0)

Provides non-linearity — max algebraic degree.

Step 2 Affine transformation over GF(2)

b_i' = b_i ⊕ b_(i+4)mod8 ⊕ b_(i+5)mod8
   ⊕ b_(i+6)mod8 ⊕ b_(i+7)mod8 ⊕ c_i

where c = 0x63 = 01100011₂

Non-linearity: 112 (maximum for 8-bit bijection)

Algebraic degree: 7

Differential uniformity: 4

Fixed points: 0 (no byte maps to itself)

No opposite fixed points

S(0x00) = 0x63   S(0x01) = 0x7C
S(0x53) = 0xED   S(0xFF) = 0x16

Input 0x53: inverse in GF(2⁸) = 0xCA, then affine → 0xED

×01 = identity

×02 = xtime(a)

×03 = xtime(a) ⊕ a

Branch number = 5 (maximum possible for 4×4)

A difference in 1 input byte propagates to all 4 output bytes.

Any 2-byte input difference → at least 3-byte output difference.

For decryption, use the inverse matrix with coefficients:

0E, 0B, 0D, 09

These are more expensive to compute — a key factor in hardware design.

Properties

✓ XOR is its own inverse — same for encrypt/decrypt

✓ Zero-cost in hardware — just wire connections

✓ Introduces the secret key into every round

✓ Without it, the cipher would be a public permutation

Key_r = W[4r] ‖ W[4r+1] ‖ W[4r+2] ‖ W[4r+3]

where W[] is the expanded key array (44 words for AES-128)

On a 32-bit CPU, AddRoundKey is 4 XOR operations (one per column-word).

state[c] ^= roundkey[c]; // c = 0..3

RotWord — Rotate 4 bytes left by 1 position

[a₀ a₁ a₂ a₃] → [a₁ a₂ a₃ a₀]

SubWord — Apply S-box to each of 4 bytes

[a₀ a₁ a₂ a₃] → [S(a₀) S(a₁) S(a₂) S(a₃)]

Rcon[i] — Round constant

= [xⁱ⁻¹, 00, 00, 00] in GF(2⁸)

01, 02, 04, 08, 10, 20, 40, 80, 1B, 36

Expands 192-bit key into 52 words (13 round keys)

Non-linear function (SubWord + RotWord + Rcon) applied every 6th word:

if i mod 6 == 0: apply g()

Otherwise: simple XOR chain

Expands 256-bit key into 60 words (15 round keys)

Extra SubWord applied at position 4 within each 8-word group:

if i mod 8 == 0: apply g()
if i mod 8 == 4: SubWord only

This extra non-linear step was added to resist related-key attacks.

AddRoundKey(State, Key_Nr)

for r = N_r−1 downto 1:

 InvShiftRows(State)

 InvSubBytes(State)

 AddRoundKey(State, Key_r)

 InvMixColumns(State)

InvShiftRows(State)

InvSubBytes(State)

AddRoundKey(State, Key₀)

Key insight: By reordering InvSubBytes↔InvShiftRows and InvMixColumns↔AddRoundKey, the inverse cipher has the same structure as encryption.

This requires applying InvMixColumns to round keys 1…N_r−1 during key expansion.

T₀[a] = [ 02·S(a), S(a), S(a), 03·S(a) ]
T₁[a] = [ 03·S(a), 02·S(a), S(a), S(a) ]
T₂[a] = [ S(a), 03·S(a), 02·S(a), S(a) ]
T₃[a] = [ S(a), S(a), 03·S(a), 02·S(a) ]

e_j = T₀[a_0,j] ⊕ T₁[a_1,j+1] ⊕ T₂[a_2,j+2] ⊕ T₃[a_3,j+3] ⊕ K_j

⚠ Cache-timing vulnerability

Table access patterns leak key-dependent indices. Bernstein (2005) demonstrated full AES key recovery from timing measurements alone.

AESENC — single cycle latency, fully pipelined

With AES-NI, AES-128-CTR achieves ~4 cycles/byte on modern x86.

That's ~8 GB/s single-core at 4 GHz.

✓ Constant-time execution — immune to cache-timing attacks

✓ No S-box/T-table in memory — no table access patterns

✓ S-box computed in hardware via GF(2⁴)² composite field

Store the 256×8-bit table directly:

✓ Simple — direct memory lookup

✓ FPGA: fits in one 18Kb BRAM

✗ 16 S-boxes needed → 16 BRAMs per round

✗ Larger area on ASIC

✗ Susceptible to power side-channels

Decompose GF(2⁸) into tower field GF((2⁴)²):

Inversion in GF(2⁸) → operations in GF(2⁴)

✓ ~20% fewer gates (Canright, 2005)

✓ Used in Intel AES-NI hardware

✓ Better for ASIC — pure logic

✗ More complex design verification

TIMING

T-table cache access patterns reveal key-dependent indices. Bernstein's attack (2005) recovers full AES-256 key from network timing.

POWER / EM

Differential Power Analysis (DPA) — correlate power traces with hypothetical S-box outputs across many encryptions.

Target: first or last round SubBytes, where known plaintext/ciphertext meets key.

FAULT

Differential Fault Analysis (DFA) — inject faults in round 8/9, compare correct/faulty ciphertexts → recover key.

A single byte fault in round 9 can reduce key search to ~2³².

The S-box is the primary target because:

1. Only non-linear operation → strongest correlation with power

2. Operates byte-by-byte → divide-and-conquer (16 × 2⁸ vs 2¹²⁸)

3. T-table indices directly reveal key bytes

Combined attacks exploit both fault injection and power analysis simultaneously, defeating higher-order masking countermeasures.

Roche et al. (2011), Dassance & Venelli (2012)

Cache attacks — Flush+Reload, Prime+Probe on shared L3 cache can extract AES keys across VMs.

MASKING

Split every sensitive variable into d+1 random shares such that x = x₁ ⊕ x₂ ⊕ … ⊕ x_d+1

d^th-order masking requires d+1 shares; attacker must combine d+1 trace points.

SHUFFLING

Randomize the order of S-box computations within a round (16 S-box calls can be permuted in 16! ways).

BITSLICING

Compute S-box as Boolean circuit — constant time, no table lookups. 32 AES blocks in parallel on 32-bit CPU.

DUAL-RAIL LOGIC

Each bit represented as complementary pair (a, ā). Constant Hamming weight per operation.

THRESHOLD IMPLEMENTATIONS

Hardware secret sharing with provable glitch resistance. Each share processed by independent logic.

REDUNDANCY (DFA defense)

Temporal: encrypt twice, compare
Spatial: TMR (triple modular redundancy)
Inverse check: decrypt ciphertext, compare with plaintext

NOISE INJECTION

Random delays, dummy operations, clock jitter to decorrelate power traces.

Biclique attack (Bogdanov et al., 2011)

AES-128: 2^126.1   AES-192: 2^189.7   AES-256: 2^254.4

Negligible improvement over brute force — 3–4 bit gain.

Related-key attacks (Biryukov & Khovratovich, 2009)

AES-256: 2^99.5 (chosen related keys)

Impractical — requires attacker to choose related keys. Addressed in key schedule design.

Square / integral attacks

Effective up to 6–7 rounds. Full AES (10+ rounds) has comfortable security margin.

AES remains unbroken

No practical attack reducing security below the intended level exists as of 2025.

Grover's algorithm reduces brute-force to 2^n/2:

AES-128 → ~2⁶⁴ quantum ops

AES-256 → ~2¹²⁸ quantum ops

Recommendation: use AES-256 for quantum-resistant symmetric encryption.

CNSA 2.0 (NSA) mandates AES-256.