Image Encryption Using AES Key Expansion

Image Encryption using AES Key Expansion
Seminar Report 2013
CHAPTER 1
Introduction
This chapter gives a brief introduction to Image Encryption and its advantages. The topics covered are: Introduction to Image Encryption, Problem statement, Objective and scope of Study, Literature Review and the need for proposed algorithm. Finally, limitations of the study and organisation of chapters in this report are given.
1.1 General Introduction

A major issue for computer networks is to prevent important information from being disclosed to illegal users. For this reason, encryption techniques were introduced. Most encryption techniques have an easy implementation and are widely used in the field of information security. During the last decade, the use of computer networks has grown spectacularly, and this growth continues unabated. New networks are being installed and connected to global internet. The internet is commonly seen as the first incarnation of an information superhighway. Today, the information transmitted over internet is not only text, but also contains multimedia like image, audio etc. Mostly images are used. However, the more extensively the images are used, the more important their security will be. For example, it is important to protect military image databases, ensure confidential video conferencing, and protect personal online photograph albums. However, with the growth of computer processor processing power and storage, illegal access has become easier. As a result image security has become an important topic in the current computer world. Most traditional or modern cryptosystems have been designed to protect textual data. The original plain-text is converted into cipher-text (hidden form of message) which is stored or transmitted over network. Upon reception, the cipher-text can be transformed back into the original plain-text by using a decryption algorithm.
Department of Telecommunication Engineering, PACE, Mangalore.
Page 1
Seminar Report 2013
However images are different from text. Although the traditional cryptosystems, such as RSA and DES-like cryptosystems may be used, to encrypt images directly, it is not a good idea for two reasons. One is that the image size is always much greater than that of text. Therefore, the traditional cryptosystems need much time to directly encrypt the image data. The second is that, the decrypted text must be equal to that of original text. However, this requirement is not necessary for image data. This is due to the characteristics of human perception; a decrypted image containing small distortion is usually acceptable. A digital image is defined as a two dimensional (2D) rectangle array. The elements of this array are denoted as pixels. Each pixel has an intensity value (digital number) and a location address (row, column). An image can be encrypted by combining MATLAB with the encoder. Each pixel in an image is represented by 8 bits, i.e., 1 byte. Using MATLAB the pixel values can be converted into bytes. These byte values are then used as input to the encoder. The 128 bit encoder then convert this byte into corresponding encoded byte. The encoded bit values are then converted into decimal values for pixels. This operation is then repeated for each pixel to generate a 2D text array corresponding to the pixel value. For protecting the stored 2D data, they must be converted to one dimensional (1D) arrays before using various traditional encryption techniques. The raster sequence of image data can be encrypted into blocks by using block cipher or a stream cipher. A product cipher can also be used to encrypt a file of image data. However, it is more efficient to encrypt an image after employing some compression techniques. This will reduce the computational requirement and also the increases the speed of processing (which is of high importance in real time scenario).
1.2 Problem Statement

The two main problems that arise in image encryption process are with respect to the time it takes for its computation and its security level. For real time image encryption only those ciphers are preferable which takes lesser amount of computational time
Page 2
Seminar Report 2013
without compromising security. An encryption scheme which runs very slowly, even though may have higher degree of security features would be of little practical use for real time processes. Hence a trade off has to be made. Many encryption methods have been proposed in literature, and the most common way to protect large multimedia files is by using conventional encryption techniques. Private Key bulk encryption algorithms, such as Triple DES or Blowfish, are not suitable for transmission of large amounts of data (such as images). Due to the complexity of their internal structure, they are not particularly fast in terms of execution speed and cannot be applied for images in the real time scenario. Also traditional cryptographic techniques such as DES cannot be applied to images due to the intrinsic properties of images such as bulk data capacity, redundancy and high correlation among pixels. Image encryption algorithms can become an integral part of the image delivery process if they aim towards efficiency and at the same time preserve the security level.
1.3 Objective of the Study

The three basic characteristics in the information security field: privacy (an unauthorized user cannot disclose a message), integrity (an unauthorized user cannot modify or corrupt a message) and availability (messages are made available to authorized users faithfully). A perfect image cryptosystem is not only flexible in the security mechanism, but also has high overall performance. The objective of this study is to realise an image cryptosystem that, besides the above mentioned characteristics, also posses the following characteristics: i. System should be computationally secure i.e., it should have an extremely long computation time to break. In other words unauthorized users must not be able to read privileged images. ii. Encryption and decryption should be fast enough not to degrade system performance. i.e., the algorithm should be simple enough to be done by users with a personal computer. iii. The security mechanism should be widely acceptable to design a cryptosystem like a commercial product; and should be flexible.
Page 3
Seminar Report 2013
1.4
Related Works
Due to the differences between images and text, a wide variety of cryptographic
algorithms have been proposed for image security. In the paper [2], Kuo proposed an image encryption method - image distortion, which obtains the encrypted image by adding the phase spectra of the plain image with those of the key image. This method is safe but the image is not compressed, thus encryption & decryption is inefficient. In the paper [3], Bourbakis and Alexopoulos developed a new method which performs both lossless compression and encryption of binary and gray-scale images. The compression and encryption schemes are based on SCAN patterns generated by the SCAN technique. SCAN is a formal language-based two-dimensional spatial- access methodology which can efficiently specify and generate a wide range of scanning paths or space filling curves. Here again security is high but no image compression is considered. In the paper [4], Chin-Chen Chang, Min-Shian Hwang, and Tung-Shou Chen used one of the popular image compression techniques, vector quantization, to design an efficient cryptosystem for images. The scheme is based on vector quantization (VQ), cryptography, and other number theorems. In VQ, the images are first decomposed into vectors and then sequentially encoded vector by vector. Major advantage- simple hardware structure; required bit-rate for VQ is also small. In the paper [5], Fridrich demonstrated the construction of a symmetric block encryption technique based on 2D standard chaotic map. In this paper to encrypt large data files private-key symmetric block encryption schemes are used because public key encryption schemes are not suitable for encrypting of large amounts of data and archival due to their relatively slow performance. Also, the security of public key cryptographic schemes lies in the computational complexity of certain problems, such as factorization of large numbers or computing of the discrete logarithm problem. Advances in algorithmic techniques, number theory force us to re-encrypt large databases and archives with a longer key to maintain a sufficient degree of security. Here a chaotic map is first generalized by introducing parameters and is then discretized to a finite square lattice of points (image) which represent data items (pixel). The discretized map is further extended
Department of Telecommunication Engineering, PACE, Mangalore. Page 4
Seminar Report 2013
to three dimensions and composed with a simple diffusion mechanism to obtain a block product encryption scheme. The main features of the encryption scheme studied in this paper are a variable key length, a relatively large block size (several kB or more), and a high encryption rate. However, the drawback here is the choices for the ciphering key depend on the block size. Files with size smaller than 10kB would have to be padded to guarantee sufficiently many encryption keys which will increase the size of the data to be transmitted. In the paper [6], Mitra had used a random combination of bit, pixel, and block permutations. The permutation of bits decreases the perceptual information, whereas the permutation of pixels and blocks produce high level security.
1.5
Limitation of the study

The algorithm for Image Encryption used here is based on 128-bit AES Key Expansion. To increase the key space 192-bit/256-bit AES Algorithm may be used in future.
Also the S-box used here provides only 70% non linearity to algorithm. Sbox with better non linearity may be designed in future to increase the avalanche effect of encrypted Image.
1.6
Chapter Organisation
The first 2 Chapters of this report, discusses the theoretical concepts required to
understand the image encryption and its importance. The next 4 chapters deal with introduction to image cryptosystems and the proposed method to overcome the problems faced in real time implementation of image cryptosystems. Last chapter deals with Experimental analysis of proposed method and comparative results. The list of chapters and brief description of their contents is given below. Chapter 1: Gives the brief idea of image encryption requirements. It explains the scope, literature survey, methodology and overall general view of this study. Chapter 2: Gives a brief background to cryptography and some of the common terms used in cryptography. It also discusses about the different types of cryptographies and the types cryptanalysis attacks possible on images.
Page 5
Seminar Report 2013
Chapter 3: Gives a brief overview of some of the image cryptosystem implemented so far, its efficiency and drawback in regard to real time application. Chapter 4, 5 ,6 & 7 : In these chapters, AES standard, mathematical preliminaries required to understand AES Algorithm, AES algorithm with the transformations used and Key expansion schedule ,An example for AES Key Expansion and modification to AES Key Expansion to suite Image Cryptosystems in real time application have been explained. The chapter 7 gives Experimental analysis and results of proposed method.
Page 6
Seminar Report 2013
CHAPTER 2
Basics of Cryptography
This chapter just gives a basic idea about cryptography and its types, so that the concepts in image cryptosystems can be understood better. The topics covered are: Definition of cryptography and cryptanalysis, types of cryptography, types of cryptanalysis attacks for evaluating the security of image cryptosystems.
2.1
Terms Used in Cryptography

Cryptography is the science of using mathematics to encrypt and decrypt data. It
enables us to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called as attackers. Cryptology embraces both cryptography and cryptanalysis. Cryptography can be strong or weak; its strength is measured in the time and resources it would require to recover the plain-text. The result of strong cryptography is cipher-text that is very difficult to decipher without possession of the appropriate decoding tool. A cryptographic algorithm, is a mathematical function used in the encryption and decryption process. it works in combination with a keya word, number, or phraseto encrypt the plain-text. The same plain-text encrypts to different cipher-text with different keys. The security of encrypted data is thus entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem.
Page 7
Seminar Report 2013
2.2
Types of cryptography
Cryptography is usually of two types based the type of key used. They are: Secret
key & Public key Cryptography.
2.2.1 Secret key Cryptography

It is also known as Conventional or Symmetric Cryptography. Here same key is used for encryption & decryption as shown in figure 2.2.1(a). Example: DES (Data Encryption Standard).
Figure 2.1 Conventional encryption/decryption.
Advantages of conventional cryptography are, i. ii. It is very fast. It is especially useful for encrypting data that is to be stored securely and not transmitted.
Main problem in conventional or secret key cryptography is Key Distribution. For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must use some secure communication medium to prevent the disclosure of the secret key during transmission else a third party intercepting the key in transit can later read, modify or forge all information encrypted.
Page 8
Seminar Report 2013
2.2.2 Public Key Cryptography

The problems of key distribution are solved by public key cryptography. It is an asymmetric scheme which uses a pair of keys for encryption: public key, which encrypts the data and a corresponding private key or secret key, which decrypts the data. Here the public key is published to the world but private key is kept a secret i.e., anyone with the copy of public key can encrypt information whereas decryption can only be done with the knowledge of private key. It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information. Example: RSA (named after its inventors, Ron Rivest, Adi Shamir, and Leonard Adleman)
Figure 2.2 Public key Encryption/Decryption
Advantages of Public Key Cryptography are, i. The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. ii. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.
Page 9
Seminar Report 2013
2.3
Types of Cryptanalysis Attacks for Evaluating the Security of Image Cryptosystems

The following five attacks are used for evaluating the security of image
cryptosystems. Each of them assumes that the cryptanalyst has the complete knowledge of the encryption algorithm used. The first attack is called the cipher-image-only or brute force attack. In this attack, an illegal user is assumed to obtain the cipher-image from networks, but does not have the private key. In other words, a cryptanalyst must determine the private key solely from an intercepted cipher-image. The second attack is called the known-plain-image-only attack. The illegal users are assumed to have obtained several plain-image and cipher-image pairs in this attack. A cryptanalyst must deduce the private key used to encrypt the plain images or the algorithm to decrypt any new cipher image encrypted with same private key. The third attack is called the chosen plain-image attack. In this attack, the illegal users are able to select the plain-images and obtain the corresponding cipher-images this is more powerful than the known-plain-image-only attack, because cryptanalysts can choose some specific pain-images to encrypt, and this yields more information about the private key. The cryptanalysts uses this information to deduce the private key used to encrypt the plain images. The fourth attack is called jigsaw puzzle attack. In this attack, the illegal users first divide a cipher-image into many small areas. The cryptanalysts then breaks these areas one by one. Since each area is much smaller than the entire cipher-image, the computational load for breaking each area is much less than that for breaking the entire cipher-image. The jigsaw puzzle attack is therefore more efficient than other attacks. The fifth attack is called the neighbour attack. In this attack, the illegal users are assumed to know a part of the plain-image. The changes across the boundaries of the areas are smooth in most images. Therefore, the cryptanalysts use this attribute to speed up the selections for the boundaries of the neighbouring areas; and can derive the neighbouring pixels for the known part of plain image and break the whole cipher efficiently.[3]
Seminar Report 2013
CHAPTER 3
Efficiency and Security of Some Image Cryptosystems

This chapter gives brief explanation about the techniques previously applied to solve problems related to real time image encryption. This chapter covers the topics: Image Encryption Using SCAN Patterns, Image Encryption Using Combinational Permutation Techniques, and the need for AES based method.
3.1 Image Encryption Using SCAN Patterns

Due to the differences between images and text, a wide variety of cryptographic algorithms have been proposed for image security. In the paper [3], Bourbakis and Alexopoulos developed a new method which performs encryption of binary and gray-scale images. The encryption schemes are based on SCAN patterns generated by the SCAN technique. This method converts 2D image patterns into 1D list & employs a SCAN language to describe the converted result. SCAN is a formal language based 2D spatial accessing methodology which can efficiently specify and generate a wide range of scanning paths. In this language there are several SCAN letters & each letter represents a scan order. The four basic SCAN patterns used by SCAN language are: Continuous raster (C), Continuous diagonal (D), Continuous orthogonal (O) and Spiral (S).These four patterns are shown in figure 3.1.
Figure 3.1 Basic SCAN patterns [3]
Different combinations of SCAN letters generate different kind of secret images. Once the combination of SCAN letters is determined, the scheme generates a SCAN string which defines the SCAN order of the original image. The algorithm then scans the image and encrypts the SCAN string using commercial cryptosystems. Since illegal users
Page 11
Seminar Report 2013
cannot obtain correct SCAN string, the original image is therefore secure. Figure 3.2 shows an example of SCAN key patterns.
Figure 3.2 Example of SCAN key patternB5(s2Z0(c5b0o0s5)c4d1) [3]
Drawbacks of Image Encryption using SCAN patterns are, This method does not consider the advantages of image compression. As a result, the size of the image is very large and is inefficient to encrypt or decrypt images directly for real time applications. Also, due to large image size encryption/decryption process is consumes lot of time and hence is slow. Although it provides fair enough security it is not preferred for real time application because the time taken by this method to produce cipher image is not acceptable for real time scenerio.
3.2
Image Encryption Using Combinational Permutation Techniques

In the paper [6] Mitra presents an approach using a combinational permutation
techniques for image encryption. This technique uses a random combination of bit, pixel, and block permutations. The permutation of bits decreases the perceptual information, whereas the permutation of pixels and blocks produce high level security. It is observed that the permutation of bits is effective in signicantly reducing the correlation thereby decreasing the perceptual information, whereas the permutation of pixels and blocks are good at producing higher level security compared to bit permutation. A random
Seminar Report 2013
combination method employing all the three techniques thus is observed to be useful for tactical security applications, where protection is needed only against a casual observer. The security of images used in electronic communication may be needed against two types of attackers; casual listeners/observers or professional unauthorized recipients, termed as cryptanalysts. In the former case, the security is needed only in terms of hours while in the later it may be in terms of years. The duration roughly indicates the amount of time that is needed to analyze the information available in unintelligible form in the insecure channel without the knowledge of keys to derive the underlying information. The scenario where security is needed against casual listener/observer, the cryptographic structure should be as simple as possible in order to reduce the cost. The present work focuses on development of improved private key cryptographic methods for providing security against such casual observers in the context of image communications. In designing private key cryptographic techniques, permutation methods and pseudo random sequence generators play important roles due to their simple yet effective information coding performances. This method uses many good keys, selected using pseudo random index generators (PRIG), for different permutation operations. Since a large number of keys are used, the security level offered is comparatively high. Further, the amount of redundant information available in the encrypted image is kept as low as possible, thereby providing fairly high security level against casual observers. In image communication, the image is represented as a group of bits, pixels and blocks and therefore, the encryption is done by permuting the respective groups. Further, to make it more robust against casual attacks, a random combinational image encryption approach with bit, pixel and block permutations is used. It is also shown that if the random combinational sequence of permutations is not known to the observer, it will not be possible for him/her to retrieve the original information, even if the permutation private keys are known to that person. The Pseudo random index generator (PRIG) for permutation purpose is usually constructed using the linear feedback shift registers (LFSR). A PRIG contains n shift registers and is initiated with a starting seed, which is usually transmitted through a secured channel for intended users only. The outputs of the shift registers are multiplied with the coefcients (Cn1,Cn2,...,C1,C0) of a primitive polynomial with respect to mod-2
Page 13
Seminar Report 2013
operation. The resultant output obtained by the modulo operation is then fed back to the rst shift register. The shift register output values are converted into decimal index using binary to decimal converter. The general structure of such a PRIG is shown in Fig. 3.3. Note that the periodicity of such a random index generator is 2n1.
Figure 3.3 Structure of a general pseudo random index generator [6]
In the context of images, three basic permutation techniques, they are, 1) Bit permutation: The image can be seen as an array of pixels, each with eight bits for 256 gray levels. In the bit permutation technique, the bits in each pixel taken from the image are permuted with a key chosen from the set of keys by using the PRIG. The entire array of these permuted pixels forms the encrypted image. The encrypted image obtained from the bit permutation technique is transmitted to the receiver through the insecure channel. At the receiver the encrypted image is decrypted using the same set of keys and same pseudo random index generator. As the number of bits in each pixel is eight, the key length is also taken equal to eight. The number of permutations obtained with eight elements is 8! (=40320) but the number of good keys formed by such eight elements is only 121. Therefore, to get 127 keys using a PRIG of maximal length 127, other 6 keys are taken randomly from these 121 good permutation keys to form the complete set. 2) Pixel permutation: In this scheme each group of pixels is taken from the image. The pixels in the group are permuted using the key selected from the set of keys. The encryption and decryption procedure is same as the bit permutation technique. The size of the pixel group is same as the length of the keys, and all the keys are of same length. If the length of the keys is more than the size of pixel group, the perceptual information
Seminar Report 2013
reduces. In this work the group of pixels is taken along the row without the loss of generality, i.e., the column wise procedure would yield same kind of results. 3) Block permutation: In this technique, the image can be decomposed into blocks. A group of blocks is taken from the image and these blocks are permuted same as bit and pixel permutations. For better encryption the block size should be lower. If the blocks are very small then the objects and its edges do not appear clearly. In this block permutation the blocks are permuted horizontally in the image. The permutation of blocks along vertical side is also similar to horizontal side block permutation. At the receiver the original image can be obtained by the inverse permutation of the blocks.
Figure 3.4 Block diagram of Combinational Permutation technique [6]
The main idea behind this method is that an image can be viewed as an arrangement of bits, pixels and blocks. The intelligible information present in an image is due to the correlations among the bits, pixels and blocks in a given arrangement. This perceivable information can be reduced by decreasing the correlation among the bits, pixels and blocks using certain random permutation techniques. The advantage offered by this scheme is that even if the private key is known to the attacker somehow and the
Page 15
Seminar Report 2013
random combination key is unknown, then the person will not be able to extract/tamper the image. Also, due the combination of three permutation approaches the redundancy, visual intelligence reduces. To get back the original image at the receiver, the order of the permutation processes should be exactly reverse to the order at the transmitter; otherwise the output will produce no visible information. Figure 3.4 shows the block diagram of this method. However the drawback in this approach is that it provides security only against casual observers and not against professional hackers; hence is not preferred for real time application because it is not possible to predict the type of attackers posing danger to the integrity of image data.
3.3 Need for AES Key Expansion Based Method

The above discussed two Cryptosystem were mainly developed for single application scenario and hence had its own limitation when considering a general Image security application. Also these methods were not suitable for Real Time Applications because the algorithm either had very high security but was slow in processing or it was very fast at the prize of security. Hence there is need for an algorithm that in general is applicable for all Image security applications in Real Time. Thus a method that is based on AES Key Expansion which overcomes the limitations of above mentioned algorithm is preferred. Here the encryption process is a Bitwise Exclusive OR operation of a set of image pixels along with a 128 bit key which changes for every set of pixels. The cipher keys are generated independently at the sender and receiver side based on AES Key Expansion process, hence the initial key alone is shared and not the whole set of keys. The algorithm has been experimented with standard bench mark images proposed in USC-SIPI database and the result shows that it offers good resistance against brute force attack, key sensitivity tests and statistical crypt analysis.
Page 16
Seminar Report 2013
CHAPTER 4
Advanced Encryption Standard

This chapter contains a brief introduction to AES. The topics covered are: Introduction to AES, Mathematical foundation for AES Galios Field.
4.1
Introduction to AES
In January, 1997 NIST began its effort to develop the AES, a symmetric key encryption algorithm, and made a worldwide public call for the algorithm to succeed DES. Initially 15 algorithms were selected, which was then reduced down to 4 algorithms, RC6, Rijndael, Serpent and Two-fish, all of which were iterated block ciphers. The four finalists were all determined to be qualified as the AES. The final evaluation, which also solicited worldwide public input was based on three characteristics [see table 4.1] 1) Security: It encompassed resistance to known attacks, mathematical soundness, randomness of output and security compared to other algorithms. 2) Cost: encompassed encryption speed, required memory, and no licensing agreements i.e. the algorithm had to be available worldwide royalty free. 3) Algorithm and implementation characteristics: The algorithm had to be suitable across a wide range of hardware and software systems. The algorithm had to be relatively simple as well. After extensive review the Rijndael algorithm was chosen to be the AES algorithm. Speed Algorithm RC6 Rijndael Serpent Two Fish Security Adequate Adequate High High Encryption/Decryption High end High end Low end Average Key Average High end Average High end Memory RAM Average High end Average High end ROM Average High end Average Average
Table 4.1 Some evaluation criteria and results for AES finalists
Page 17
Image Encryption using AES Key Expansion AES was designed to have the following characteristics: Resistance against all known attacks. Speed and code compactness on a wide range of platforms. Design simplicity.
Seminar Report 2013
The AES Algorithm is a symmetric-key cipher, in which both the sender and the receiver use a single key for encryption and decryption. The data block length is fixed to be 128 bits, while the length can be 128, 192 or 256 bits. In addition, the AES is an iterative algorithm; each iteration being called a round. The total number of rounds Nr is dependent on Key length Nk, where Nr and Nk are specified in words. The 128 bit data block is divided into 16 bytes. These bytes are mapped to a 4x4 array called the State, and all the internal operations of the AES algorithm are performed on the State. The parameters for AES algorithm are shown in Table 4.2 Algorithm AES-128 AES-192 AES-256 Key length, Nk 4 6 8 Block size, Nb 4 4 4
Table 4.2 AES Parameters.
No of rounds, Nr= Nk+ 6 10 12 14
Most of the operations in the AES algorithm take place on bytes of data or on words of data 4 bytes long, which are represented in the field GF(28), called the Galois Field. These bytes are represented by the polynomial equation, b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0 = bixi - - - - equation (4.1) Where, bi {0,1} and i = 0,1,2,...7. There are 256 elements in GF(28). For example, 0x11(00010001) identifies the specific finite field x4+1.
4.2
Mathematical Preliminaries
In abstract algebra, a finite field or Galois field is a field that contains a finite
number of elements. Finite fields are important in number theory, algebraic geometry, Galois theory, cryptography, coding theory and quantum error correction. The finite fields are classified by size; there is exactly one finite field up to isomorphism of size pk for each prime p and positive integer k. This is represented as GF(pk). Finite field elements
Seminar Report 2013
can be added and multiplied, but these operations are different from those used in normal algebra. [7]
4.2.1 Addition in Finite Field Algebra

The addition of two elements in GF(28) is achieved by adding the coefficients for the corresponding powers in the polynomials for the two elements. The addition is performed with the XOR operation (denoted by i.e., (0 0) = 0; (0 1) = 1; (1 0) = 1; ) - i.e., modulo 2 addition. (1 1) = 0.
Consequently, subtraction of polynomials is identical to addition of polynomials. [7] Example: (0x57 + 0x83) = (x6+x4+x2+x+1) + ( x7+x+1) = x7+ x6+x4+x2 = 0xD4.
4.2.2 Multiplication in Finite Field Algebra

In the polynomial representation, multiplication in GF(28) (denoted by ) corresponds with the multiplication of polynomials modulo an irreducible polynomial m(x) of degree 8. A polynomial is irreducible if its only divisors are one and itself. For the AES algorithm, this irreducible polynomial is, m(x)=x8+x4+x3+x+1, or {01}{1b} in hexadecimal notation. [7] Example: {0x57} {0x83} = {0xC1}. i.e.., let A = (x6+x4+x2+x+1) ( x7+x+1) = x13+x11+x9+x8+x7+x7+x5+x3+x2+x+ x6+x4+x2+x+1 = x13+x11+x9+x8+ x6+ x5+ x4+ x3+1. Result of multiplication = A mod (x8+x4+x3+x+1) = x7+x6+1= 11000001 = 0xC1. The modular reduction by m(x) ensures that the result will be a binary polynomial of degree less than 8, and thus can be represented by a byte. Unlike addition, there is no simple operation at the byte level that corresponds to this multiplication. There are three rules which can help in multiplying polynomials in GF(28). They are, 1) 0x01 is the identity in GF(28). Thus anything multiplied by 0x01 remains unchanged. 2) Multiplying by two is the same as decimal arithmetic, provided the result does not exceed the field size of 255 or 0xFF. Also multiplying by 2 in binary is the same as
Page 19
Seminar Report 2013
shifting left by 1. If the result exceeds 0xFF then the result must be XORed with 0x1B. This will prevent any overflow errors if working with bytes thus keeping the results within range. 3) Multiplying by three is the same as multiplying by (1 + 2). Thus, a 0x03 = a (0x02 + 0x01) = (a 0x02) (a 0x01).
4.2.3 Multiplicative Inverse in Finite Field Algebra

The multiplication defined above is associative, and the element {01} is the multiplicative identity. For any non-zero binary polynomial b(x), the multiplicative inverse of b(x) modulo m(x), denoted by b-1(x) ,can be found using Extended Euclidean Algorithm if degree of b(x) is less than that of m(x) and also if GCD[b(x),m(x)]=1. [7] i.e.., if b(x) b-1(x) = 1 ( mod m(x) ), then b-1(x) is the multiplicative inverse of b(x) in modulo m(x). => [ b(x)*b-1(x) ] [ i*m(x) ] = 1, - - - - - - - - - - - - - - - - - - - - - - - -equation (4.2) where i is the integer quotient of division [ b(x)*b-1(x) ] m(x). => [ 1 + {i*m(x) ] b(x) = b-1(x) - - - - - - - - - - - - - - - - - - - - - - - -equation (4.3) Equation (4.3) represents the Euclidean Approach to find multiplicative inverse.
The basics of Galois field discussed in section 4.2, is required to understand AES Algorithm better.
Page 20
Seminar Report 2013
CHAPTER 5
AES Algorithm
This chapter gives detailed explanation about the steps involved in AES algorithm. The topics covered includes: AES encryption/decryption, Transformations used in AES and Key expansion Schedule.
5.1
AES Encryption/Decryption
For each round of AES, 128 bit input data and 128 bit key is required, i.e.., it needs 4 words of key in one round. Thus the input key must be expanded to the required number of words depending upon the number of rounds. The output of each round serves as input to the next stage. In AES system, same secret key is used for both encryption and decryption; thus simplifies the design. The block diagram for AES Encryption and Decryption is as shown in Figure 5.1
Figure 5.1 AES Encryption and Decryption.
Page 21
Seminar Report 2013
For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State. The above 4 transformation are looped Nr-1 times. In the last round (i.e.., Nrth round) Mixcolumn is not performed. The AddRoundKey is performed at the beginning and at the end of the cipher in order to provide initial and final randomness to the algorithm. Without this, the first or last portion of the cipher could be easily deduced, and therefore would be irrelevant to the security of the cipher. The last round in the cipher is different from the other rounds in order to make the encryption and decryption routines more similar, allowing the complexity to be reduced in hardware and software implementations.
5.2
AES Transformations
The four transformations used in AES Encryption are : ByteSub, ShiftRows, MixColumns, AddRoundKey. The inverse of these operations are performed for decryption.
5.2.1 Byte Substitution

The ByteSub transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box) as shown in figure 5.2
Figure 5.2 ByteSub transformation
Page 22
Seminar Report 2013
The S-box, which is invertible, is constructed by composing two transformations, i. Take the multiplicative inverse in the finite field GF(28); the element {00} is mapped to itself. ii. Apply the following affine transformation (over GF(2) ) which is defined as, bi= bi b(i+4)mod8 b(i+5)mod8 b(i+6)mod8 b(i+7)mod8 Ci - - - - - -equation (5.1) Where, 0 i 8 and bi is the ith bit of byte and Ci is the ith bit of byte C whose value is 0x63 or (01100011). In matrix form, the affine transformation element of the S-box can be expressed as;
The S-box for ByteSub is as shown in Figure 5.3 The Inverse ByteSub is used to reverse this operation in decryption process. The affine transformation for Inverse ByteSub is as shown below;
The S-1 box for inv ByteSub operation is shown in Figure 5.4
Page 23
Seminar Report 2013
Figure 5.3 look up table for ByteSub transformation.
Figure 5.4 look up table for Inv ByteSub operation.
Page 24
Seminar Report 2013
5.2.2 Shift Rows

Shift-Rows operates on individual rows of the state. It provides diffusion throughout the AES algorithm. This operation will not change the values of byte in the row, but will just change their order. It performs left circular shift on each row as follows; Row 0 Shift 0; Row 1 Shift 1; Row 2 Shift 2; Row 3 Shift 3; This is illustrated in Figure 5.5 below. For decryption this Shift operation is reversed.
Figure 5.5 Illustration of Shift Row transformation.
5.2.3 Mix Columns

The MixColumns transformation operates on the State column-by-column, treating each column as a four-term polynomial. The columns are considered as polynomials over GF(28) and are multiplied modulo (x4+1) with a mixing polynomial a(x) given by, a(x)=(0x03) x3 + (0x01) x2 + (0x01) x + (0x02). This can represented by matrix equation as,
a0 a1 a
2
02 03 01 01 01 02 03 01 01 01 02 03 03 01 01 02
a0 a1 a2 a3
a3
Page 25
Image Encryption using AES Key Expansion Figure 5.6 illustrates the mix column transformation.
Seminar Report 2013
Figure 5.6 Illustration of MixColumn transformation.
InvMixColumns performs the reverse operation for decryption and can be described by the matrix equation is,
a0 a1 a2 a3
5.2.4 Add Round Key
0e 0b 0d 09 09 0e 0b 0d 0d 09 0e 0b 0b 0d 09 0e
a0 a1 a2 a3
It is the step that incorporates the round key, a portion of the expanded key, into the plaintext. This routine performs bitwise XOR of each byte of the state with the corresponding byte of the round key. If Add Round Key operates on a variable twice, the variable itself is returned. This property is used in decryption. Figure 5.7 illustrates this transformation.
Page 26
Seminar Report 2013
Figure 5.7 Add round key Transformation
The above 4 transformation are looped Nr-1 times. In the last round (i.e.., Nrth round) Mixcolumn is not performed. The AddRoundKey is performed at the beginning and at the end of the cipher in order to provide initial and final randomness to the algorithm. Without this, the first or last portion of the cipher could be easily deduced, and therefore would be irrelevant to the security of the cipher. The last round in the cipher is different from the other rounds in order to make the encryption and decryption routines more similar, allowing the complexity to be reduced in hardware and software implementations.
5.3 Key Expansion schedule

Pseudo code for AES Key Expansion is given in Figure 5.9. The key-expansion routine creates round keys word by word, where a word is an array of four bytes. The routine creates 4x(Nr+1) words. For Nk=4words, Nr=10; this routine creates 44 words. The process is as follows : First 4 words of round key are made from initial cipher key. The key is considered as an array of 16 bytes k[0:15]. The first four bytes (k0 to k3) become w0, the next four bytes (k4 to k7) become w1, and so on. The rest of the words (wi for i=4 to 43) are derived as follows: if (i mod 4)!=0 then, wi = wi-1 else if(i mod 4)=0 then wi=t wi-4 ; wi-4. Here t is a temporary word result of
applying SubByte transformation and rotate word on wi-1 and XORing the result with a round constant. Figure 5.8 shows the pictorial representation of AES key expansion.
Page 27
Seminar Report 2013
Figure 5.8 AES Key Expansion
Figure 5.9 pseudo code for AES key expansion.
Page 28
Image Encryption using AES Key Expansion Steps to find wi when ( i mod 4) = 0 i. ii. RotWord: performs one byte circular left shift on wi-1.
Seminar Report 2013
SubWord: performs a byte substitution on each byte of its input word, using the S-box.
iii.
The result of step (i) and (ii) is XORed with a round constant Rcon[j] whichis given by, Rcon[j]={RC[j],0,0,0},where RC[j]=2*RC[j-1], with multiplication over GF(28). J RC[j] 1 01 2 02 3 04 4 08 5 10 6 20 7 40 8 80 9 1B 10 36
Table 5.1 RC[j] values in hex.
5.3.1 Example for AES Key Expansion

Consider the 16 byte key to be, K = 2b7e151628aed2a6abf7158809cf4f3c. Key length, Nk = 4 words. => expanded key has 44 words or 11 sets of 4 word keys( one set used in each round). AES key expansion steps to obtain the expanded key: Step 1: Enter the K into key array byte by byte column wise. 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
W[0]
W[1]
W[2]
W[3]
Page 29
Image Encryption using AES Key Expansion W[0:3] forms the cipher key.
Seminar Report 2013
Step 2: calculate the first set of 16byte key to be used for 1nd round, i.e., w[4:7] Step 2a: to find w[4] , follow the steps discussed in section 5.3. Now, W[i-1] = W[3] = [ 09 cf 4f 3c ]. After shift row operation, W[3] = [ cf 4f 3c 09 ]. After SubByte transform, W[3]* = [ 8a 84 eb 01 ]. Now, W[i-4] = W[0] = [ 2b 7e 15 16 ] and Rcon[1] = [ 01 00 00 00]. W[4] = W[3]* W[0] Rcon[1]
W[4] = [ 8a 84 eb 01 ] W[4] = [a0 fa fe 17].
[ 2b 7e 15 16 ]
[ 01 00 00 00].
Step 2b: To find W[5], W[i-1] =W[4] = [a0 fa fe 17] and W[i-4]= W[1] = [ 28 ae d2 a6 ]. W[5] = W[4] W[1]. [ 28 ae d2 a6 ].
W[5] = [a0 fa fe 17] W[5] = [ 88 54 2c b1 ].
Step 2c: Find W[6] and W[7] using the same procedure as 2b. Thus W[6] = [ 23 a3 39 39 ]. And W[7] = [ 2a 6c 76 05 ]. Therefore, the 2nd round key is, A0 Fa Fe 17 88 54 2c B1 23 A3 39 39 2a 6c 76 05
Page 30
Seminar Report 2013
Step 3: Similarly find rest of the 9 round keys using the step 2.
2nd round key : F2 C2 95 F2 3rd round key: 3d 80 47 7d 4th round key: Ef 44 A5 41 A8 52 5b 7f B6 71 25 3b Db 0b 0d 00 47 16 fe 3e 1e 23 7e 44 6d 7a 88 3b 79 96 B9 43 59 35 80 7a 73 59 F6 7f
Page 31
Seminar Report 2013
5th round key: D4 D1 C6 F8 7c 83 9d 87 Ca F2 B8 bc 11 F9 15 Bc
6th round key: 6d 88 A3 7a 11 0b 3e Fd Db F9 86 41 Ca 00 93 Fd
7th round key: 4e 54 F7 0e 5f 5f C9 F3 84 A6 4f B2 4e A6 Dc 4f
Page 32
Seminar Report 2013
8th round key: Ea D2 73 21 B4 8d Da D2 31 2b F5 60 7f 8d 29 2f
9th round key: Ac 77 65 F3 19 Fa Dc 21 28 D1 29 41 57 5c 00 6e
10th round key: D0 14 F9 A8 C9 Ee 25 89 E1 3f 0c C8 B6 63 0c A6
Page 33
Seminar Report 2013
CHAPTER 6
Modified AES Key Expansion

This chapter gives the detailed description of the proposed method for Real Time Image Cryptosystems-Modified AES Key Expansion Based Method. The topics covered include: Changes in AES Key Expansion Schedule to suite Image Cryptosystems, Steps involved in Image Encryption/Decryption and Experimental Results & Analysis.
6.1
Changes in AES Key Expansion Schedule to Suite Image Cryptosystems
Certain changes made to the AES key expansion process (discussed in the section 5.3) improves the encryption quality, and also increases the avalanche effect in the resulting cipher image. The changes are, The initial key is expanded based on the number of pixels in the image. The Rcon value is not constant instead it is being formed from the initial key itself. Both the s-box and Inverse s-box are also used for the modified Key Expansion process because it improves non-linearity in the expanded key and also improves the encryption quality. The S-box and Inverse S-box are however not directly used in this algorithm; instead some circular shifts are performed on the boxes based on the initial key. The above changes in the algorithm can be represented as discussed in the sections below.
6.1.1 Key Expansion for the image

Consider a plain gray-level image of size mxn. In this method, a set of 16 pixels (128 bits) is encrypted using 2 round keys. No of keys to Encrypt the whole image N=2*{(m*n)/16}.
Page 34
Seminar Report 2013
6.1.2 Formation of Rcon values

Rcon[j] is formed from the initial cipher key as follows: Rcon[0]=key[12:15]; Rcon [2]=key[0 : 3]; Rcon[1]=key[4:7]; Rcon [3]=key[8:11];
6.1.3 Using Inverse S-Box for key expansion

The temp value used in the algorithm is formed as follows, temp = SubWord(RotWord(temp)) + InvSubWord(Rcon[i/4]); here the Rcon values are not used directly, instead each byte of Rcon is substituted by its corresponding InvSubByte value from S-1 box. This improves the non-linearity of the expanded key.
6.1.4 Shifting of S-box and Inverse S-box

The offset for shifting S-box and S-1 box is obtained using following equation, Sbox_offset = sum(key[0:15])mod256; Inv_Sbox_offset = (sum(key[0:15])*mean(key[0:15]))mod256;
6.2 Steps Involved in Image Encryption/Decryption Using Modified AES Key Expansion
The steps involved in Image Encryption/Decryption using Modified AES Key Expansion include: Key selection, Generation of multiple keys, Encryption and Decryption. Each of these steps are explained briefly below.
6.2.1 Key selection

The sender and receiver agree upon a 128 bit key. This key is used for encryption and decryption of images. It is a symmetric key encryption technique, so they must share this key in a secure manner.
Page 35
Seminar Report 2013
The key is represented as blocks k[0],k[1]...k[15]. Where each block is 8bits long (8*16=128 bits).
6.2.2 Generation of Multiple keys

The sender and receiver can now independently generate the keys required for the process using the above explained Modified AES Key Expansion technique. This is a one time process; these expanded keys can be used for future communications any number of times till they change their initial key value.
6.2.3 Encryption
Encryption is done in spans, where 16 pixels are processed in each span. This Algorithm performs two XOR operations and a SubBytes Transformation for each set of pixels. Since two XOR operations are performed using the expanded key for every set of pixels it is impossible to get the key from plain image and cipher image, and to improve the non linearity the s-box values used in AES may also be used. This is shown in figure 6.1.
6.2.4 Decryption
The decryption process shown in figure 6.1 is similar as encryption, but here Inverse SubByte Transformation is used and also the order of XOR operation using the expanded key is reversed.
Figure 6.1 Encryption/Decryption process for image encryption using modified aes key expansion
Page 36
Seminar Report 2013
CHAPTER 7
Experimental Analysis
The algorithm has been implemented in Mat Lab 6.0 in windows environment with a system configuration of PIV processor with 1 GB RAM. The proposed algorithm has been tested with various images in USC-SIPI repository which is a collection of digitized images primarily to support image processing, image analysis and machine vision.
7.1 Key Space Analysis

The strength of any cryptographic algorithm depends upon key space which should be sufficiently large enough to make brute force attack infeasible. The proposed algorithm has a huge key space which is 2^128 possible keys. If an opponent tries for brute force attack, since the key sensitivity of this algorithm is very high he would have to try all combinations of keys for the image which is computationally infeasible.
7.2 Histogram Analysis

To prevent the leakage of information to an opponent, it is also advantageous if the cipher image bears little or no statistical similarity to the plain image. An image histogram illustrates how pixels in an image are distributed by graphing the number of pixels at each colour intensity level. The histogram of the encrypted image is expected to be fairly uniform and significantly different from the respective histograms of the original image. Figure 7.1 and figure 7.2 shows the histogram analysis of plain image and cipher image. The histogram analysis shows that the histogram of the cipher image is fairly uniform and is significantly different from the original image. The encryption algorithm has covered up all the characters of the plain image and has complicated the statistical relationship between the plain image and its ciphered version. Figure 7.1 shows the analysis for grey scale image whereas figure 7.2 shows the analysis for color image.
Page 37
Seminar Report 2013
Figure 7.1 Histogram analysis of Grey Scale 1024X1024 Lena Image
Page 38
Seminar Report 2013
Figure 7.2 Histogram Analysis of Colour 640X480 Mountain Image
Page 39
Seminar Report 2013
7.3 Key Sensitivity Analysis

High key sensitivity is required by secure image cryptosystems, which means that the cipher image cannot be decrypted correctly even if there is only a slight difference between encryption or decryption keys. The proposed algorithm is experimented for various key values whose difference is negligibly small. This is similar to avalanche effect in text encryption where a small bit difference in the key could produce a significant difference in the cipher text produced. The strength of the algorithm is that even for a single bit change in the key value the image is not decrypted. Figure 7.3 illustrates the key sensitivity of the proposed algorithm.
Figure 7.3 Key Sensitivity Analysis of Proposed Algorithm
Page 40
Seminar Report 2013
7.4 Execution Time

Another important factor that evaluates the efficiency of algorithms is measuring the amount of time required to encrypt an image. In this investigation, actual time in CPU cycles will be used as a measure of execution time. Table 7.1 shows the comparison of computational time taken by algorithms specified in literature to that of proposed algorithm to encrypt a 1024x1024 gray-scale Lena Image.
Algorithm Bourbakis(SCAN patterns) Mitra (CPT) Proposed Algorithm
Time in seconds for Lena Image 2.54 1.82 1.41
Table 7.1 Computational time comparison
Page 41
Seminar Report 2013
CHAPTER 8
Conclusion and Future Work

8.1 Conclusion
Based on the experimental results shown in section 6.3, it can be observed that The proposed algorithm offers high encryption quality with minimal computational time. The key sensitivity and key space of the algorithm is very high which makes it resistant towards Brute force attack and statistical cryptanalysis. The time taken for encryption is relatively less in comparison with the algorithms proposed in the literature. The above mentioned features make the algorithm suitable for image encryption in real time applications.
8.2 Future work

S-box is the pivotal part of AES. Research may be done to improve the quality of S-box design. AES-192 or AES-256 may be used to further increase the key sensitivity and key space of the algorithm.
Page 42
Seminar Report 2013
References
[1] B.Subramanyan, Vivek.M.Chhabria, T.G.Sankar babu, Image Encryption Based On AES Key Expansion, 2011 Second International Conference on Emerging Applications of Information Technology, page 217-220. [2] C.J.Kuo, Novel image Encryption Technique and its application in progressive transmission. Journal of Electron imaging 24 1993 pp 345-351. [3] N.J.Bourbakis , C.Alexopoulos, Picture data encryption using SCAN patterns. Pattern Recognition 256 1992 pp567 -581. [4] Chin-Chen Chang, Min-Shian Hwang, Tung-Shou Chen, A new encryption algorithm for image cryptosystems, The Journal of Systems and Software 58 (2001), 8391. [5] Fridrich Jiri, Symmetric ciphers based on two dimensional chaotic maps, Int. J. Bifurcat Chaos 8 (1998) (6), pp. 1259 1284. [6] Mitra, Y. V. Subba Rao, and S. R. M. Prasanna, A new image encryption approach using combinational permutation techniques, International Journal of Computer Science, vol. 1, no. 2 , pp. 1306- 4428, 2006.. [7] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
Page 43

Image Encryption Using AES Key Expansion

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Image Encryption Using AES Key Expansion

Uploaded by

Copyright:

Available Formats

Image Encryption using AES Key Expansion

Seminar Report 2013

1.1 General Introduction

Department of Telecommunication Engineering, PACE, Mangalore.