6/15/2015

Advanced Encryption Standard - Wikipedia, the free encyclopedia

Advanced Encryption Standard
From Wikipedia, the free encyclopedia
The Advanced Encryption Standard (AES), also referenced as Rijndael[4][5] (its original name), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.[6]

AES is based on the Rijndael cipher[5] developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process.[7] Rijndael is a family of ciphers with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.

AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES),[8] which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.

In the United States, AES was announced by NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001.[6] This announcement followed a five-year standardization process in which fifteen competing designs were presented and evaluated, before the Rijndael cipher was selected as the most suitable (see Advanced Encryption Standard process for more details).

AES became effective as a federal government standard on May 26, 2002 after approval by the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module (see Security of AES, below).

The name Rijndael (Dutch pronunciation: [ˈrɛindaːl]) is a play on the names of the two inventors (Joan Daemen and Vincent Rijmen). It is also a combination of the Dutch name for the Rhine river and a dale.
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Advanced Encryption Standard (Rijndael)

[Figure: The SubBytes step, one of four stages in a round of AES]

General
Designers: Vincent Rijmen, Joan Daemen
First published: 1998
Derived from: Square
Successors: Anubis, Grand Cru
Certification: AES winner, CRYPTREC, NESSIE, NSA

Cipher detail
Key sizes: 128, 192 or 256 bits[1]
Block sizes: 128 bits[2]
Structure: Substitution-permutation network
Rounds: 10, 12 or 14 (depending on key size)

Best public cryptanalysis
Attacks have been published that are computationally faster than a full brute-force attack, though none as of 2013 are computationally feasible:[3]
For AES-128, the key can be recovered with a computational complexity of 2^126.1 using the biclique attack. For biclique attacks on AES-192 and AES-256, the computational complexities of 2^189.7 and 2^254.4 respectively apply. Related-key attacks can break AES-192 and AES-256 with complexities 2^176 and 2^99.5, respectively.

Contents
1 Definitive standards
2 Description of the cipher
2.1 High-level description of the algorithm
2.2 The SubBytes step
2.3 The ShiftRows step
2.4 The MixColumns step
2.5 The AddRoundKey step
2.6 Optimization of the cipher
3 Security
3.1 Known attacks
3.2 Side-channel attacks
4 NIST/CSEC validation
5 Test vectors
6 Performance
7 Implementations
8 See also
9 Notes
10 References
11 External links

Definitive standards
The Advanced Encryption Standard (AES) is defined in each of:
FIPS PUB 197: Advanced Encryption Standard (AES)[6]
ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers[9]

Description of the cipher
AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware.[10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a particular finite field, GF(2^8).

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:
10 cycles of repetition for 128-bit keys.
12 cycles of repetition for 192-bit keys.
14 cycles of repetition for 256-bit keys.
Each round consists of four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds is applied to transform ciphertext back into the original plaintext using the same encryption key.

High-level description of the algorithm
1. KeyExpansion - round keys are derived from the cipher key using Rijndael's key schedule. AES requires a separate 128-bit round key block for each round plus one more.
2. InitialRound
   1. AddRoundKey - each byte of the state is combined with a block of the round key using bitwise xor.
3. Rounds
   1. SubBytes - a non-linear substitution step where each byte is replaced with another according to a lookup table.
   2. ShiftRows - a transposition step where the last three rows of the state are shifted cyclically a certain number of steps.
   3. MixColumns - a mixing operation which operates on the columns of the state, combining the four bytes in each column.
   4. AddRoundKey
4. Final Round (no MixColumns)
   1. SubBytes
   2. ShiftRows
   3. AddRoundKey.

The SubBytes step
In the SubBytes step, each byte a_ij in the state matrix is replaced with a SubByte S(a_ij) using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is a derangement), i.e., S(a_ij) ≠ a_ij, and also any opposite fixed points, i.e., S(a_ij) ⊕ a_ij ≠ 0xFF. While performing the decryption, the InvSubBytes step is used, which requires first undoing the affine transformation and then finding the multiplicative inverse (just reversing the steps used in the SubBytes step).

[Figure: In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; b_ij = S(a_ij).]

The ShiftRows step
The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same: row n is shifted left circular by n-1 bytes. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets.) For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively; this change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks. The importance of this step is to avoid the columns being encrypted independently of one another, in which case AES would degenerate into four independent block ciphers.

[Figure: In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.]

The MixColumns step

In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher. During this operation, each column is transformed using a fixed matrix (matrix multiplied by column gives the new value of the column in the state).

[Figure: In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).]

Matrix multiplication is composed of multiplication and addition of the entries. Entries are 8-bit bytes treated as coefficients of a polynomial of degree at most 7 (order x^7). Addition is simply XOR. Multiplication is modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1. If processed bit by bit, then after each shift a conditional XOR with 0x1B should be performed if the shifted value is larger than 0xFF (the overflow must be corrected by subtraction of the generating polynomial). These are special cases of the usual multiplication in GF(2^8).

In a more general sense, each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 0x03·x^3 + x^2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in the finite field GF(2^8). This process is described further in the article Rijndael mix columns.

The AddRoundKey step
In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

[Figure: In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕).]

Optimization of the cipher
On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining the SubBytes and ShiftRows steps with the MixColumns step by transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, and utilizes a total of four kilobytes (4096 bytes) of memory, one kilobyte for each table. A round can then be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in the AddRoundKey step.[11]

If the resulting four-kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates.

Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.[12]
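The following Python is an added example, not code from the article, from FIPS 197 or from any of the implementations it cites. It puts the description of the cipher above together in one place: the GF(2^8) arithmetic with the 0x1B reduction, the S-box derived from the multiplicative inverse plus the affine map (rather than pasted in as a table, so the two "no fixed point" properties from the SubBytes section can be checked), Rijndael's key schedule for all three key sizes, the four round steps on a column-major state, and the initial/main/final round structure of the high-level description. All function and constant names are this example's own; the known-answer values typed in at the bottom are the FIPS 197 Appendix C vectors.

```python
# Textbook AES (FIPS 197) in pure Python, for study, not for production use.
# State is column-major as in the standard: byte r of column c sits at r + 4*c.

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF   # xtime, reduce on overflow
        b >>= 1
    return p

def gf_inverse(a):
    """a^254 = a^-1 in GF(2^8); 0 has no inverse and maps to 0 by convention."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def affine(b):
    """FIPS 197 affine map: s_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, c = 0x63."""
    s = 0
    for i in range(8):
        bit = (0x63 >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        s |= bit << i
    return s

SBOX = [affine(gf_inverse(x)) for x in range(256)]   # inverse, then affine transform

def sbox_has_no_fixed_points():
    """S(a) != a and S(a) ^ a != 0xFF for every byte a: the two properties the text states."""
    return all(SBOX[a] != a and SBOX[a] ^ a != 0xFF for a in range(256))

def expand_key(key):
    """Rijndael key schedule: 16-, 24- or 32-byte key -> Nr+1 round keys of 16 bytes."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gmul(rcon, 2)                   # 01,02,04,...,80,1B,36
        elif nk == 8 and i % nk == 4:
            t = [SBOX[v] for v in t]               # extra SubWord only for AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def sub_bytes(s):
    return [SBOX[v] for v in s]

def shift_rows(s):
    """Row r is rotated left by r bytes; row 0 is untouched."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

MDS = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))   # c(x) = 03x^3 + x^2 + x + 02

def mix_columns(s):
    """Multiply each column by the fixed MDS matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in MDS:
            out.append(gmul(row[0], col[0]) ^ gmul(row[1], col[1])
                       ^ gmul(row[2], col[2]) ^ gmul(row[3], col[3]))
    return out

def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def encrypt_block(key, block):
    """One 16-byte block through the initial round, Nr-1 full rounds and the final round."""
    rks = expand_key(key)
    nr = len(rks) - 1
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[nr])   # final round has no MixColumns
    return bytes(s)

# FIPS 197 Appendix C known answers: key = 00 01 02 .. (n-1), plaintext = 00 11 22 .. ff.
FIPS197_CT = {16: "69c4e0d86a7b0430d8cdb78070b4c55a",   # AES-128
              24: "dda97ca4864cdfe06eaf70a0ec0d7191",   # AES-192
              32: "8ea2b7ca516745bfeafc49904b496089"}   # AES-256

def fips197_check():
    """True iff all three key sizes reproduce the standard's Appendix C ciphertexts."""
    plain = bytes(range(0x00, 0x100, 0x11))
    return all(encrypt_block(bytes(range(n)), plain).hex() == ct
               for n, ct in FIPS197_CT.items())

if __name__ == "__main__":
    print("S-box(0x53) = %#x, vectors ok: %s" % (SBOX[0x53], fips197_check()))
```

The byte-at-a-time structure is the "byte-oriented approach" the optimization section mentions; the four-kilobyte T-table variant it describes first is exactly what the cache-timing attacks in the Security section below exploit, because the table index is a function of key and plaintext bytes. Treat this as a reference to check other code against (the FIPS 197 vectors are the minimum test any AES implementation should pass) and use a constant-time or hardware (AES-NI) implementation for real keys.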

Security
Until May 2009, the only successful published attacks against the full AES were side-channel attacks on some specific implementations. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.[13]

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. By 2006, the best known attacks were on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.[14]

Known attacks
For cryptographers, a cryptographic "break" is anything faster than a brute force, i.e. performing one trial decryption for each key (see Cryptanalysis). This includes results that are infeasible with current technology. The largest successful publicly known brute-force attack against any block-cipher encryption was against a 64-bit RC5 key by distributed.net in 2006.[15]

AES has a fairly simple algebraic description.[16] In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in the AES algorithm due to its simple description.[17] Since then, other papers have shown that the attack as originally presented is unworkable; see XSL attack on block ciphers.

During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned about [its] use ... in security-critical applications."[18] However, in October 2000 at the end of the AES selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while he thought successful academic attacks on Rijndael would be developed someday, he does not "believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic."[19]

On July 1, 2009, Bruce Schneier blogged[20] about a related-key attack on the 192-bit and 256-bit versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich,[21] which exploits AES's somewhat simple key schedule and has a complexity of 2^119. In December 2009 it was improved to 2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys.[22] However, related-key attacks are not of concern in any properly designed cryptographic protocol, as properly designed software will not use related keys: keys are generated independently at random or derived through a key-derivation function, not obtained from one another by simple arithmetic.

Another attack was blogged by Bruce Schneier[23] on July 30, 2009 and released as a preprint[24] on August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14 rounds, so these attacks aren't effective against full AES.

In November 2009, the first known-key distinguishing attack against a reduced 8-round version of AES-128 was released as a preprint.[25] This known-key distinguishing attack is an improvement of the rebound or the start-from-the-middle attacks for AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-Sbox. It works on the 8-round version of AES-128, with a time complexity of 2^48, and a memory complexity of 2^32. 128-bit AES uses 10 rounds, so this attack isn't effective against full AES-128.

In July 2010 Vincent Rijmen published an ironic paper on "chosen-key-relations-in-the-middle" attacks on AES-128.[26]

The first key-recovery attacks on full AES were due to Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011.[27] The attack is a biclique attack and is faster than brute force by a factor of about four. It requires 2^126.1 operations to recover an AES-128 key. For AES-192 and AES-256, 2^189.7 and 2^254.4 operations are needed, respectively. This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years. Also, the authors calculate the best attack using their technique on AES with a 128-bit key requires storing 2^88 bits of data. That works out to about 38 trillion terabytes of data, which is more than all the data stored on all the computers on the planet. As such this is a theoretical attack that has no practical implication on AES security.[28]

According to the Snowden documents, the NSA is doing research on whether a cryptographic attack based on tau statistic may help to break AES.[29]

As for now, there are no known practical attacks that would allow anyone to read correctly implemented AES-encrypted data.

Side-channel attacks
Side-channel attacks do not attack the underlying cipher as a mathematical object, and thus are not related to its security in that context. They rather attack implementations of the cipher on systems which inadvertently leak data, through timing, cache behaviour, power consumption or induced faults. There are several such known attacks on certain implementations of AES.

In April 2005, D. J. Bernstein announced a cache-timing attack that he used to break a custom server that used OpenSSL's AES encryption.[30] The attack required over 200 million chosen plaintexts.[31] The custom server was designed to give out as much timing information as possible (the server reports back the number of machine cycles taken by the encryption operation); however, as Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from the server's responses, does not stop the attack: the client simply uses round-trip timings based on its local clock, and compensates for the increased noise by averaging over a larger number of samples."[30]

In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES.[32] One attack was able to obtain an entire AES key after only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.

In December 2009 an attack on some hardware implementations was published that used differential fault analysis and allows recovery of a key with a complexity of 2^32.[33]

In November 2010 Endre Bangerter, David Gullasch and Stephan Krenn published a paper which described a practical approach to a "near real time" recovery of secret keys from AES-128 without the need for either ciphertext or plaintext. The approach also works on AES-128 implementations that use compression tables, such as OpenSSL.[34] Like some earlier attacks this one requires the ability to run unprivileged code on the system performing the AES encryption, which may be achieved by malware infection far more easily than commandeering the root account.[35]

NIST/CSEC validation
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of cryptographic modules validated to NIST FIPS 140-2 is required by the United States Government for encryption of all data that has a classification of Sensitive but Unclassified (SBU) or above. From NSTISSP #11, National Policy Governing the Acquisition of Information Assurance: "Encryption products for protecting classified information will be certified by NSA, and encryption products intended for protecting sensitive information will be certified in accordance with NIST FIPS 140-2."[36]

The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

Although NIST publication 197 ("FIPS 197") is the unique document that covers the AES algorithm, vendors typically approach the CMVP under FIPS 140 and ask to have several algorithms (such as Triple DES or SHA-1) validated at the same time. Therefore, it is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS 197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS 197 certificate number) in the current list of FIPS 140 validated cryptographic modules.

The Cryptographic Algorithm Validation Program (CAVP)[37] allows for independent validation of the correct implementation of the AES algorithm at a reasonable cost. Successful validation results in being listed on the NIST validations page (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm). This testing is a prerequisite for the FIPS 140-2 module validation described below. However, successful CAVP validation in no way implies that the cryptographic module implementing the algorithm is secure. A cryptographic module lacking FIPS 140-2 validation or specific approval by the NSA is not deemed secure by the US Government and cannot be used to protect government data.[36]

FIPS 140-2 validation is challenging to achieve both technically and fiscally.[38] There is a standardized battery of tests as well as an element of source code review that must be passed over a period of a few weeks. The cost to perform these tests through an approved laboratory can be significant (e.g., well over $30,000 US)[38] and does not include the time it takes to write, test, document and prepare a module for validation. After validation, modules must be re-submitted and re-evaluated if they are changed in any way. This can vary from simple paperwork updates if the security functionality did not change to a more substantial set of re-testing if the security functionality was impacted by the change.

Test vectors
Test vectors are a set of known ciphertexts for a given input and key; an implementation that does not reproduce them exactly is wrong, however plausible its output looks. NIST distributes the reference AES test vectors as AES Known Answer Test (KAT) Vectors (in ZIP format) (http://csrc.nist.gov/groups/STM/cavp/documents/aes/KAT_AES.zip).

Performance
High speed and low RAM requirements were criteria of the AES selection process. Thus AES performs well on a wide variety of hardware, from 8-bit smart cards to high-performance computers.

On a Pentium Pro, AES encryption requires 18 clock cycles per byte,[39] equivalent to a throughput of about 11 MB/s for a 200 MHz processor. On a 1.7 GHz Pentium M throughput is about 60 MB/s.

On Intel Core i3/i5/i7 and AMD APU and FX CPUs supporting AES-NI instruction set extensions, throughput can be over 700 MB/s per thread.[40]

Implementations

See also
Disk encryption
Whirlpool - hash function created by Vincent Rijmen and Paulo S. L. M. Barreto

Notes
1. Key sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128, 192, and 256-bit key sizes are specified in the AES standard.
2. Block sizes of 128, 160, 192, 224, and 256 bits are supported by the Rijndael algorithm, but only the 128-bit block size is specified in the AES standard.
3. "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf) (PDF). Retrieved July 23, 2013.
4. "Rijndael" (http://searchsecurity.techtarget.com/definition/Rijndael). Retrieved March 9, 2015.
5. Daemen, Joan; Rijmen, Vincent (March 9, 2003). "AES Proposal: Rijndael" (http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf#page=1) (PDF). National Institute of Standards and Technology. p. 1. Retrieved 21 February 2013.
6. "Announcing the ADVANCED ENCRYPTION STANDARD (AES)" (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF). Federal Information Processing Standards Publication 197. United States National Institute of Standards and Technology (NIST). November 26, 2001. Retrieved October 2, 2012.
7. John Schwartz (October 3, 2000). "U.S. Selects a New Encryption Technique" (http://www.nytimes.com/2000/10/03/business/technology-us-selects-a-new-encryption-technique.html). New York Times.
8. Westlund, Harold B. (2002). "NIST reports measurable success of Advanced Encryption Standard" (http://www.findarticles.com/p/articles/mi_m0IKZ/is_3_107?pnum=2&opg=90984479). Journal of Research of the National Institute of Standards and Technology.
9. "ISO/IEC 18033-3: Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers" (http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54531).
10. Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson; Tadayoshi Kohno; et al. (May 2000). "The Twofish Team's Final Comments on AES Selection" (http://www.schneier.com/paper-twofish-final.pdf) (PDF).
11. "Efficient software implementation of AES on 32-bit platforms" (http://www.springerlink.com/index/UVX5NQGNN55VK199.pdf). Lecture Notes in Computer Science: 2523. 2003.
12. "byte-oriented-aes - A public domain byte-oriented implementation of AES in C - Google Project Hosting" (https://code.google.com/p/byte-oriented-aes). Code.google.com. Retrieved 2012-12-23.
13. Lynn Hathaway (June 2003). "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information" (http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf) (PDF). Retrieved 2011-02-15.
14. John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting, Improved Cryptanalysis of Rijndael, Fast Software Encryption, 2000, pp. 213-230 (http://www.schneier.com/paper-rijndael.html).
15. Ou, George (April 30, 2006). "Is encryption really crackable?" (http://www.webcitation.org/5rocpRxhN). Ziff-Davis. Archived from the original (http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204) on August 7, 2010. Retrieved August 7, 2010.
16. "Sean Murphy" (http://www.isg.rhul.ac.uk/~sean/). University of London. Retrieved 2008-11-02.
17. Bruce Schneier. "AES News, Crypto-Gram Newsletter, September 15, 2002" (http://www.schneier.com/crypto-gram-0209.html). Archived (http://web.archive.org/web/20070707105715/http://www.schneier.com/crypto-gram-0209.html) from the original on 7 July 2007. Retrieved 2007-07-27.
18. Niels Ferguson; Richard Schroeppel; Doug Whiting (2001). "A simple algebraic representation of Rijndael" (http://web.archive.org/web/20061104080748/http://www.macfergus.com/pub/rdalgeq.html). Proceedings of Selected Areas in Cryptography, 2001, Lecture Notes in Computer Science. Springer-Verlag. pp. 103-111. Archived from the original (http://www.macfergus.com/pub/rdalgeq.html) (PDF/PostScript) on 4 November 2006. Retrieved 2006-10-06.
19. Bruce Schneier, AES Announced (http://www.schneier.com/crypto-gram-0010.html), October 15, 2000.
20. Bruce Schneier (2009-07-01). "New Attack on AES" (http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html). Schneier on Security, A blog covering security and security technology. Archived (http://web.archive.org/web/20100208155652/http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html) from the original on 8 February 2010. Retrieved 2010-03-11.
21. Biryukov, Alex; Khovratovich, Dmitry (2009-12-04). "Related-key Cryptanalysis of the Full AES-192 and AES-256" (http://eprint.iacr.org/2009/317). Retrieved 2010-03-11.
22. Nikolić, Ivica (2009). "Distinguisher and Related-Key Attack on the Full AES-256". Advances in Cryptology - CRYPTO 2009. Springer Berlin / Heidelberg. pp. 231-249. doi:10.1007/978-3-642-03356-8_14 (https://dx.doi.org/10.1007%2F978-3-642-03356-8_14). ISBN 978-3-642-03355-1.
23. Bruce Schneier (2009-07-30). "Another New AES Attack" (http://www.schneier.com/blog/archives/2009/07/another_new_aes.html). Schneier on Security, A blog covering security and security technology. Retrieved 2010-03-11.
24. Alex Biryukov; Orr Dunkelman; Nathan Keller; Dmitry Khovratovich; Adi Shamir (2009-08-19). "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds" (http://eprint.iacr.org/2009/374). Archived (http://web.archive.org/web/20100128050656/http://eprint.iacr.org/2009/374) from the original on 28 January 2010. Retrieved 2010-03-11.
25. Henri Gilbert; Thomas Peyrin (2009-11-09). "Super-Sbox Cryptanalysis: Improved Attacks for AES-like permutations" (http://eprint.iacr.org/2009/531). Retrieved 2010-03-11.
26. Vincent Rijmen (2010). "Practical-Titled Attack on AES-128 Using Chosen-Text Relations" (http://eprint.iacr.org/2010/337.pdf) (PDF).
27. Andrey Bogdanov; Dmitry Khovratovich & Christian Rechberger (2011). "Biclique Cryptanalysis of the Full AES" (http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf) (PDF).
28. Jeffrey Goldberg. "AES Encryption isn't Cracked" (https://blog.agilebits.com/2011/08/18/aes-encryption-isnt-cracked/). Retrieved 30 December 2014.
29. http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
30. "Index of formal scientific papers" (http://cr.yp.to/papers.html#cachetiming). Cr.yp.to. Retrieved 2008-11-02.
31. Bruce Schneier. "AES Timing Attack" (http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html). Archived (http://web.archive.org/web/20070212015727/http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html) from the original on 12 February 2007. Retrieved 2007-03-17.
32. Dag Arne Osvik; Adi Shamir; Eran Tromer (2005-11-20). "Cache Attacks and Countermeasures: the Case of AES" (http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf) (PDF). Retrieved 2008-11-02.
33. Dhiman Saha; Debdeep Mukhopadhyay; Dipanwita Roy Chowdhury. "A Diagonal Fault Attack on the Advanced Encryption Standard" (http://eprint.iacr.org/2009/581.pdf) (PDF). Archived (http://web.archive.org/web/20091222070135/http://eprint.iacr.org/2009/581.pdf) (PDF) from the original on 22 December 2009. Retrieved 2009-12-08.
34. Endre Bangerter; David Gullasch & Stephan Krenn (2010). "Cache Games - Bringing Access-Based Cache Attacks on AES to Practice" (http://eprint.iacr.org/2010/594.pdf) (PDF).
35. "Breaking AES-128 in realtime, no ciphertext required | Hacker News" (http://news.ycombinator.com/item?id=1937902). News.ycombinator.com. Retrieved 2012-12-23.
36. http://www.cnss.gov/Assets/pdf/nstissp_11_fs.pdf
37. "NIST.gov - Computer Security Division - Computer Security Resource Center" (http://csrc.nist.gov/groups/STM/cavp/index.html). Csrc.nist.gov. Retrieved 2012-12-23.
38. OpenSSL, openssl@openssl.org. "OpenSSL's Notes about FIPS certification" (http://openssl.org/docs/fips/fipsnotes.html). Openssl.org. Retrieved 2012-12-23.
39. Schneier, Bruce; Kelsey, John; Whiting, Doug; Wagner, David; Hall, Chris; Ferguson, Niels (1999-02-01). "Performance Comparisons of the AES submissions" (http://www.schneier.com/paper-aes-performance.pdf) (PDF). Retrieved 2010-12-28.
40. McWilliams, Grant (6 July 2011). "Hardware AES Showdown - VIA Padlock vs. Intel AES-NI vs. AMD Hexacore" (http://grantmcwilliams.com/tech/technology/387-hardware-aes-showdown-via-padlock-vs-intel-aes-ni-vs-amd-hexacore). Retrieved 2013-08-28.

References
Nicolas Courtois, Josef Pieprzyk, "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". pp. 267-287, ASIACRYPT 2002.
Joan Daemen, Vincent Rijmen, "The Design of Rijndael: AES - The Advanced Encryption Standard." Springer, 2002. ISBN 3-540-42580-2.
Christof Paar, Jan Pelzl, "The Advanced Encryption Standard" (http://wiki.crypto.rub.de/Buch/sample_chapters.php), Chapter 4 of "Understanding Cryptography, A Textbook for Students and Practitioners" (companion web site contains online lectures on AES), Springer, 2009.

External links
256bit Ciphers - AES Reference implementation and derived code (http://embeddedsw.net/Cipher_Reference_Home.html)
FIPS PUB 197: the official AES standard (http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf) (PDF file)
AES algorithm archive information (old, unmaintained) (http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html)
Preview of ISO/IEC 18033-3 (http://webstore.iec.ch/preview/info_isoiec18033-3%7Bed2.0%7Den.pdf)
Animation of Rijndael (http://www.formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation_v4_eng.swf)
AES encryption is cracked (http://www.theinquirer.net/inquirer/news/2102435/aes-encryption-cracked/)

Retrieved from "https://en.wikipedia.org/w/index.php?title=Advanced_Encryption_Standard&oldid=666183137"
Categories: Block ciphers | Advanced Encryption Standard | Broken block ciphers
This page was last modified on 9 June 2015, at 13:21.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.