Image Encryption Using AES Key Expansion

Image Encryption using AES Key Expansion Seminar Report 2013

CHAPTER 1

Introduction

This chapter gives a brief introduction to Image Encryption and its advantages. The topics

covered are: Introduction to Image Encryption, Problem statement, Objective and scope

of Study, Literature Review and the need for proposed algorithm. Finally, limitations of

the study and organisation of chapters in this report are given.

1.1 General Introduction

A major issue for computer networks is to prevent important information from

being disclosed to illegal users. For this reason, encryption techniques were introduced.

Most encryption techniques have an easy implementation and are widely used in the field

of information security.

During the last decade, the use of computer networks has grown spectacularly,

and this growth continues unabated. New networks are being installed and connected to

global internet. The internet is commonly seen as the first incarnation of an information

superhighway. Today, the information transmitted over internet is not only text, but also

contains multimedia like image, audio etc. Mostly images are used. However, the more

extensively the images are used, the more important their security will be. For example, it

is important to protect military image databases, ensure confidential video conferencing,

and protect personal online photograph albums.

However, with the growth of computer processor processing power and storage,

illegal access has become easier. As a result image security has become an important

topic in the current computer world.

Most traditional or modern cryptosystems have been designed to protect textual

data. The original plain-text is converted into cipher-text (hidden form of message) which

is stored or transmitted over network. Upon reception, the cipher-text can be transformed

back into the original plain-text by using a decryption algorithm.

Department of Telecommunication Engineering,PACE, Mangalore. Page 1


However images are different from text. Although the traditional cryptosystems,

such as RSA and DES-like cryptosystems may be used, to encrypt images directly, it is

not a good idea for two reasons.

One is that the image size is always much greater than that of text. Therefore,

the traditional cryptosystems need much time to directly encrypt the image

data.

The second is that, the decrypted text must be equal to that of original text.

However, this requirement is not necessary for image data. This is due to the

characteristics of human perception; a decrypted image containing small

distortion is usually acceptable.

A digital image is defined as a two dimensional (2D) rectangle array. The

elements of this array are denoted as pixels. Each pixel has an intensity value (digital

number) and a location address (row, column).

An image can be encrypted by combining MATLAB with the encoder. Each pixel

in an image is represented by 8 bits, i.e., 1 byte. Using MATLAB the pixel values can be

converted into bytes. These byte values are then used as input to the encoder. The 128 bit

encoder then convert this byte into corresponding encoded byte. The encoded bit values

are then converted into decimal values for pixels. This operation is then repeated for each

pixel to generate a 2D text array corresponding to the pixel value.

For protecting the stored 2D data, they must be converted to one dimensional (1D)

arrays before using various traditional encryption techniques. The raster sequence of

image data can be encrypted into blocks by using block cipher or a stream cipher. A

product cipher can also be used to encrypt a file of image data. However, it is more

efficient to encrypt an image after employing some compression techniques. This will

reduce the computational requirement and also the increases the speed of processing

(which is of high importance in real time scenario).

1.2Problem Statement

The two main problems that arise in image encryption process are with respect to

the time it takes for its computation and its security level. For real time image encryption

only those ciphers are preferable which takes lesser amount of computational time

without compromising security. An encryption scheme which runs very slowly, even



though may have higher degree of security features would be of little practical use for real

time processes. Hence a trade off has to be made.

Many encryption methods have been proposed in literature, and the most common

way to protect large multimedia files is by using conventional encryption techniques.

Private Key bulk encryption algorithms, such as Triple DES or Blowfish, are not suitable

for transmission of large amounts of data (such as images). Due to the complexity of their

internal structure, they are not particularly fast in terms of execution speed and cannot be

applied for images in the real time scenario. Also traditional cryptographic techniques

such as DES cannot be applied to images due to the intrinsic properties of images such as

bulk data capacity, redundancy and high correlation among pixels. Image encryption

algorithms can become an integral part of the image delivery process if they aim towards

efficiency and at the same time preserve the security level.

1.3 Objective of the Study

The three basic characteristics in the information security field: privacy (an

unauthorized user cannot disclose a message), integrity (an unauthorized user cannot

modify or corrupt a message) and availability (messages are made available to authorized

users faithfully).

A perfect image cryptosystem is not only flexible in the security mechanism, but

also has high overall performance.

The objective of this study is to realise an image cryptosystem that, besides the

above mentioned characteristics, also posses the following characteristics:

i. System should be computationally secure i.e., it should have an extremely long

computation time to break. In other words unauthorized users must not be able to

read privileged images.

ii. Encryption and decryption should be fast enough not to degrade system

performance. i.e., the algorithm should be simple enough to be done by users with

a personal computer.

iii. The security mechanism should be widely acceptable to design a cryptosystem

like a commercial product; and should be flexible.

1.4 Related Works



Due to the differences between images and text, a wide variety of cryptographic

algorithms have been proposed for image security.

In the paper [2], Kuo proposed an image encryption method - image distortion, which

obtains the encrypted image by adding the phase spectra of the plain image with those of

the key image. This method is safe but the image is not compressed, thus encryption &

decryption is inefficient.

In the paper [3], Bourbakis and Alexopoulos developed a new method which performs

both lossless compression and encryption of binary and gray-scale images. The

compression and encryption schemes are based on SCAN patterns generated by the

SCAN technique. SCAN is a formal language-based two-dimensional spatial- access

methodology which can efficiently specify and generate a wide range of scanning paths

or space filling curves. Here again security is high but no image compression is

considered.

In the paper [4], Chin-Chen Chang, Min-Shian Hwang, and Tung-Shou Chen used one of

the popular image compression techniques, vector quantization, to design an efficient

cryptosystem for images. The scheme is based on vector quantization (VQ),

cryptography, and other number theorems. In VQ, the images are first decomposed into

vectors and then sequentially encoded vector by vector. Major advantage- simple

hardware structure; required bit-rate for VQ is also small.

In the paper [5], Fridrich demonstrated the construction of a symmetric block encryption

technique based on 2D standard chaotic map. In this paper to encrypt large data files

private-key symmetric block encryption schemes are used because public key encryption

schemes are not suitable for encrypting of large amounts of data and archival due to their

relatively slow performance. Also, the security of public key cryptographic schemes lies

in the computational complexity of certain problems, such as factorization of large

numbers or computing of the discrete logarithm problem. Advances in algorithmic

techniques, number theory force us to re-encrypt large databases and archives with a

longer key to maintain a sufficient degree of security. Here a chaotic map is first

generalized by introducing parameters and is then discretized to a finite square lattice of

points (image) which represent data items (pixel). The discretized map is further extended

to three dimensions and composed with a simple diffusion mechanism to obtain a block



product encryption scheme. The main features of the encryption scheme studied in this

paper are a variable key length, a relatively large block size (several kB or more), and a

high encryption rate. However, the drawback here is the choices for the ciphering key

depend on the block size. Files with size smaller than 10kB would have to be padded to

guarantee sufficiently many encryption keys which will increase the size of the data to be

transmitted.

In the paper [6], Mitra had used a random combination of bit, pixel, and block

permutations. The permutation of bits decreases the perceptual information, whereas the

permutation of pixels and blocks produce high level security.

1.5 Limitation of the study

The algorithm for Image Encryption used here is based on 128-bit AES Key

Expansion. To increase the key space 192-bit/256-bit AES Algorithm may be used

in future.

Also the S-box used here provides only 70% non linearity to algorithm. Sbox with

better non linearity may be designed in future to increase the avalanche effect of

encrypted Image.

1.6 Chapter Organisation

The first 2 Chapters of this report, discusses the theoretical concepts required to

understand the image encryption and its importance. The next 4 chapters deal with

introduction to image cryptosystems and the proposed method to overcome the problems

faced in real time implementation of image cryptosystems. Last chapter deals with

Experimental analysis of proposed method and comparative results. The list of chapters

and brief description of their contents is given below.

Chapter 1: Gives the brief idea of image encryption requirements. It explains the

scope, literature survey, methodology and overall general view of this study.

Chapter 2: Gives a brief background to cryptography and some of the common

terms used in cryptography. It also discusses about the different types of cryptographies

and the types cryptanalysis attacks possible on images.



Chapter 3: Gives a brief overview of some of the image cryptosystem

implemented so far, its efficiency and drawback in regard to real time application.

Chapter 4, 5 ,6 & 7 : In these chapters, AES standard, mathematical preliminaries

required to understand AES Algorithm, AES algorithm with the transformations used and

Key expansion schedule ,An example for AES Key Expansion and modification to AES

Key Expansion to suite Image Cryptosystems in real time application have been

explained. The chapter 7 gives Experimental analysis and results of proposed method.



CHAPTER 2

Basics of Cryptography

This chapter just gives a basic idea about cryptography and its types, so that the concepts

in image cryptosystems can be understood better. The topics covered are: Definition of

cryptography and cryptanalysis, types of cryptography, types of cryptanalysis attacks for

evaluating the security of image cryptosystems.

2.1 Terms Used in Cryptography

“Cryptography” is the science of using mathematics to encrypt and decrypt data. It

enables us to store sensitive information or transmit it across insecure networks (like the

Internet) so that it cannot be read by anyone except the intended recipient.

While cryptography is the science of securing data, “cryptanalysis” is the science

of analyzing and breaking secure communication. Classical cryptanalysis involves an

interesting combination of analytical reasoning, application of mathematical tools, pattern

finding, patience, determination, and luck. Cryptanalysts are also called as attackers.

Cryptology embraces both cryptography and cryptanalysis.

Cryptography can be strong or weak; its strength is measured in the time and

resources it would require to recover the plain-text. The result of strong cryptography is

cipher-text that is very difficult to decipher without possession of the appropriate

decoding tool.

A cryptographic algorithm, is a mathematical function used in the encryption and

decryption process. it works in combination with a key—a word, number, or phrase—to

encrypt the plain-text. The same plain-text encrypts to different cipher-text with different

keys. The security of encrypted data is thus entirely dependent on two things: the strength

of the cryptographic algorithm and the secrecy of the key.

A cryptographic algorithm, plus all possible keys and all the protocols that make it

work comprise a “cryptosystem”.



2.2 Types of cryptography

Cryptography is usually of two types based the type of key used. They are: Secret

key & Public key Cryptography.

2.2.1 Secret key Cryptography

It is also known as Conventional or Symmetric Cryptography.

Here same key is used for encryption & decryption as shown in figure 2.2.1(a).

Example: DES (Data Encryption Standard).

Figure 2.1 Conventional encryption/decryption.

Advantages of conventional cryptography are,

i. It is very fast.

ii. It is especially useful for encrypting data that is to be stored securely and

not transmitted.

Main problem in conventional or secret key cryptography is “Key Distribution”.

For a sender and recipient to communicate securely using conventional

encryption, they must agree upon a key and keep it secret between themselves. If

they are in different physical locations, they must use some secure communication

medium to prevent the disclosure of the secret key during transmission else a third

party intercepting the key in transit can later read, modify or forge all information

encrypted.



2.2.2 Public Key Cryptography

The problems of key distribution are solved by public key cryptography.

It is an asymmetric scheme which uses a pair of keys for encryption: “public key”,

which encrypts the data and a corresponding “private key” or “secret key”, which

decrypts the data.

Here the public key is published to the world but private key is kept a secret i.e.,

anyone with the copy of public key can encrypt information whereas decryption

can only be done with the knowledge of private key.

It is computationally infeasible to deduce the private key from the public key.

Anyone who has a public key can encrypt information but cannot decrypt it. Only

the person who has the corresponding private key can decrypt the information.

Example: RSA (named after its inventors, Ron Rivest, Adi Shamir, and Leonard

Adleman)

Figure 2.2 Public key Encryption/Decryption

Advantages of Public Key Cryptography are,

i. The primary benefit of public key cryptography is that it allows people

who have no pre-existing security arrangement to exchange messages

securely.

ii. The need for sender and receiver to share secret keys via some secure

channel is eliminated; all communications involve only public keys, and

no private key is ever transmitted or shared.



2.3 Types of Cryptanalysis Attacks for Evaluating the

Security of Image Cryptosystems

The following five attacks are used for evaluating the security of image

cryptosystems. Each of them assumes that the cryptanalyst has the complete knowledge

of the encryption algorithm used.

The first attack is called the cipher-image-only or brute force attack. In this attack,

an illegal user is assumed to obtain the cipher-image from networks, but does not have the

private key. In other words, a cryptanalyst must determine the private key solely from an

intercepted cipher-image.

The second attack is called the known-plain-image-only attack. The illegal users

are assumed to have obtained several plain-image and cipher-image pairs in this attack. A

cryptanalyst must deduce the private key used to encrypt the plain images or the

algorithm to decrypt any new cipher image encrypted with same private key.

The third attack is called the chosen plain-image attack. In this attack, the illegal

users are able to select the plain-images and obtain the corresponding cipher-images this

is more powerful than the known-plain-image-only attack, because cryptanalysts can

choose some specific pain-images to encrypt, and this yields more information about the

private key. The cryptanalysts uses this information to deduce the private key used to

encrypt the plain images.

The fourth attack is called jigsaw puzzle attack. In this attack, the illegal users first

divide a cipher-image into many small areas. The cryptanalysts then breaks these areas

one by one. Since each area is much smaller than the entire cipher-image, the

computational load for breaking each area is much less than that for breaking the entire

cipher-image. The jigsaw puzzle attack is therefore more efficient than other attacks.

The fifth attack is called the neighbour attack. In this attack, the illegal users are

assumed to know a part of the plain-image. The changes across the boundaries of the

areas are smooth in most images. Therefore, the cryptanalysts use this attribute to speed

up the selections for the boundaries of the neighbouring areas; and can derive the

neighbouring pixels for the known part of plain image and break the whole cipher

efficiently.[3]



CHAPTER 3

Efficiency and Security of Some Image Cryptosystems

This chapter gives brief explanation about the techniques previously applied to solve

problems related to real time image encryption. This chapter covers the topics: Image

Encryption Using SCAN Patterns, Image Encryption Using Combinational Permutation

Techniques, and the need for AES based method.

3.1 Image Encryption Using SCAN Patterns

Due to the differences between images and text, a wide variety of cryptographic

algorithms have been proposed for image security.

In the paper [3], Bourbakis and Alexopoulos developed a new method which

performs encryption of binary and gray-scale images. The encryption schemes are based

on SCAN patterns generated by the SCAN technique. This method converts 2D image

patterns into 1D list & employs a SCAN language to describe the converted result. SCAN

is a formal language based 2D spatial accessing methodology which can efficiently

specify and generate a wide range of scanning paths. In this language there are several

SCAN letters & each letter represents a scan order. The four basic SCAN patterns used by

SCAN language are: Continuous raster (C), Continuous diagonal (D), Continuous

orthogonal (O) and Spiral (S).These four patterns are shown in figure 3.1.

Figure 3.1 Basic SCAN patterns [3]

Different combinations of SCAN letters generate different kind of secret images.

Once the combination of SCAN letters is determined, the scheme generates a SCAN

string which defines the SCAN order of the original image. The algorithm then scans the

image and encrypts the SCAN string using commercial cryptosystems. Since illegal users



cannot obtain correct SCAN string, the original image is therefore secure. Figure 3.2

shows an example of SCAN key patterns.

Figure 3.2 Example of SCAN key pattern—B5(s2Z0(c5b0o0s5)c4d1) [3]

Drawbacks of Image Encryption using SCAN patterns are,

This method does not consider the advantages of image compression. As a result,

the size of the image is very large and is inefficient to encrypt or decrypt images

directly for real time applications.

Also, due to large image size encryption/decryption process is consumes lot of

time and hence is slow.

Although it provides fair enough security it is not preferred for real time

application because the time taken by this method to produce cipher image is not

acceptable for real time scenerio.

3.2 Image Encryption Using Combinational Permutation Techniques

In the paper [6] Mitra presents an approach using a combinational permutation

techniques for image encryption. This technique uses a random combination of bit, pixel,

and block permutations. The permutation of bits decreases the perceptual information,

whereas the permutation of pixels and blocks produce high level security. It is observed

that the permutation of bits is effective in significantly reducing the correlation thereby

decreasing the perceptual information, whereas the permutation of pixels and blocks are

good at producing higher level security compared to bit permutation. A random



combination method employing all the three techniques thus is observed to be useful for

tactical security applications, where protection is needed only against a casual observer.

The security of images used in electronic communication may be needed against

two types of attackers; casual listeners/observers or professional unauthorized recipients,

termed as cryptanalysts. In the former case, the security is needed only in terms of hours

while in the later it may be in terms of years. The duration roughly indicates the amount

of time that is needed to analyze the information available in unintelligible form in the

insecure channel without the knowledge of keys to derive the underlying information.

The scenario where security is needed against casual listener/observer, the

cryptographic structure should be as simple as possible in order to reduce the cost. The

present work focuses on development of improved private key cryptographic methods for

providing security against such casual observers in the context of image communications.

In designing private key cryptographic techniques, permutation methods and

pseudo random sequence generators play important roles due to their simple yet effective

information coding performances. This method uses many good keys, selected using

pseudo random index generators (PRIG), for different permutation operations. Since a

large number of keys are used, the security level offered is comparatively high. Further,

the amount of redundant information available in the encrypted image is kept as low as

possible, thereby providing fairly high security level against casual observers. In image

communication, the image is represented as a group of bits, pixels and blocks and

therefore, the encryption is done by permuting the respective groups. Further, to make it

more robust against casual attacks, a random combinational image encryption approach

with bit, pixel and block permutations is used. It is also shown that if the random

combinational sequence of permutations is not known to the observer, it will not be

possible for him/her to retrieve the original information, even if the permutation private

keys are known to that person.

The Pseudo random index generator (PRIG) for permutation purpose is usually

constructed using the linear feedback shift registers (LFSR). A PRIG contains ‘n’ shift

registers and is initiated with a starting seed, which is usually transmitted through a

secured channel for intended users only. The outputs of the shift registers are multiplied

with the coefficients (Cn−1,Cn−2,...,C1,C0) of a primitive polynomial with respect to mod-2



operation. The resultant output obtained by the modulo operation is then fed back to the

first shift register. The shift register output values are converted into decimal index using

binary to decimal converter. The general structure of such a PRIG is shown in Fig. 3.3.

Note that the periodicity of such a random index generator is 2n−1.

Figure 3.3 Structure of a general pseudo random index generator [6]

In the context of images, three basic permutation techniques, they are,

1) Bit permutation: The image can be seen as an array of pixels, each with eight bits for

256 gray levels. In the bit permutation technique, the bits in each pixel taken from the

image are permuted with a key chosen from the set of keys by using the PRIG. The entire

array of these permuted pixels forms the encrypted image. The encrypted image obtained

from the bit permutation technique is transmitted to the receiver through the insecure

channel. At the receiver the encrypted image is decrypted using the same set of keys and

same pseudo random index generator. As the number of bits in each pixel is eight, the key

length is also taken equal to eight. The number of permutations obtained with eight

elements is 8! (=40320) but the number of good keys formed by such eight elements is

only 121. Therefore, to get 127 keys using a PRIG of maximal length 127, other 6 keys

are taken randomly from these 121 good permutation keys to form the complete set.

2) Pixel permutation: In this scheme each group of pixels is taken from the image. The

pixels in the group are permuted using the key selected from the set of keys. The

encryption and decryption procedure is same as the bit permutation technique. The size of

the pixel group is same as the length of the keys, and all the keys are of same length. If

the length of the keys is more than the size of pixel group, the perceptual information



reduces. In this work the group of pixels is taken along the row without the loss of

generality, i.e., the column wise procedure would yield same kind of results.

3) Block permutation: In this technique, the image can be decomposed into blocks. A

group of blocks is taken from the image and these blocks are permuted same as bit and

pixel permutations. For better encryption the block size should be lower. If the blocks are

very small then the objects and its edges do not appear clearly. In this block permutation

the blocks are permuted horizontally in the image. The permutation of blocks along

vertical side is also similar to horizontal side block permutation. At the receiver the

original image can be obtained by the inverse permutation of the blocks.

Figure 3.4 Block diagram of Combinational Permutation technique [6]

The main idea behind this method is that an image can be viewed as an

arrangement of bits, pixels and blocks. The intelligible information present in an image is

due to the correlations among the bits, pixels and blocks in a given arrangement. This

perceivable information can be reduced by decreasing the correlation among the bits,

pixels and blocks using certain random permutation techniques. The advantage offered by

this scheme is that even if the private key is known to the attacker somehow and the



random combination key is unknown, then the person will not be able to extract/tamper

the image. Also, due the combination of three permutation approaches the redundancy,

visual intelligence reduces.

To get back the original image at the receiver, the order of the permutation

processes should be exactly reverse to the order at the transmitter; otherwise the output

will produce no visible information. Figure 3.4 shows the block diagram of this method.

However the drawback in this approach is that it provides security only against

casual observers and not against professional hackers; hence is not preferred for real time

application because it is not possible to predict the type of attackers posing danger to the

integrity of image data.

3.3 Need for AES Key Expansion Based Method

The above discussed two Cryptosystem were mainly developed for single

application scenario and hence had its own limitation when considering a general Image

security application. Also these methods were not suitable for Real Time Applications

because the algorithm either had very high security but was slow in processing or it was

very fast at the prize of security.

Hence there is need for an algorithm that in general is applicable for all Image

security applications in Real Time. Thus a method that is based on AES Key Expansion

which overcomes the limitations of above mentioned algorithm is preferred.

Here the encryption process is a Bitwise Exclusive OR operation of a set of image

pixels along with a 128 bit key which changes for every set of pixels. The cipher keys are

generated independently at the sender and receiver side based on AES Key Expansion

process, hence the initial key alone is shared and not the whole set of keys. The algorithm

has been experimented with standard bench mark images proposed in USC-SIPI database

and the result shows that it offers good resistance against brute force attack, key

sensitivity tests and statistical crypt analysis.



CHAPTER 4

Advanced Encryption Standard

This chapter contains a brief introduction to AES. The topics covered are: Introduction to

AES, Mathematical foundation for AES – Galios Field.

4.1 Introduction to AES

In January, 1997 NIST began its effort to develop the AES, a symmetric key

encryption algorithm, and made a worldwide public call for the algorithm to succeed

DES. Initially 15 algorithms were selected, which was then reduced down to 4

algorithms, RC6, Rijndael, Serpent and Two-fish, all of which were iterated block

ciphers. The four finalists were all determined to be qualified as the AES.

The final evaluation, which also solicited worldwide public input was based on three

characteristics [see table 4.1]

1) Security: It encompassed resistance to known attacks, mathematical soundness,

randomness of output and security compared to other algorithms.

2) Cost: encompassed encryption speed, required memory, and no licensing agreements

i.e. the algorithm had to be available worldwide royalty free.

3) Algorithm and implementation characteristics: The algorithm had to be suitable

across a wide range of hardware and software systems. The algorithm had to be relatively

simple as well. After extensive review the Rijndael algorithm was chosen to be the AES

algorithm.

Algorithm Security

Speed Memory

Encryption/Decryption Key RAM ROM

RC6 Adequate High end Average Average Average

Rijndael Adequate High end High end High end High end

Serpent High Low end Average Average Average

Two Fish High Average High end High end Average

Table 4.1 Some evaluation criteria and results for AES finalists



AES was designed to have the following characteristics:

Resistance against all known attacks.

Speed and code compactness on a wide range of platforms.

Design simplicity.

The AES Algorithm is a symmetric-key cipher, in which both the sender and the

receiver use a single key for encryption and decryption. The data block length is fixed to

be 128 bits, while the length can be 128, 192 or 256 bits. In addition, the AES is an

iterative algorithm; each iteration being called a round. The total number of rounds N r is

dependent on Key length Nk, where Nr and Nk are specified in words. The 128 bit data

block is divided into 16 bytes. These bytes are mapped to a 4x4 array called the State, and

all the internal operations of the AES algorithm are performed on the State. The

parameters for AES algorithm are shown in Table 4.2

Algorithm Key length, Nk Block size, Nb No of rounds, Nr= Nk+ 6

AES-128 4 4 10

AES-192 6 4 12

AES-256 8 4 14

Table 4.2 AES Parameters.

Most of the operations in the AES algorithm take place on bytes of data or on words

of data 4 bytes long, which are represented in the field GF(28), called the Galois Field.

These bytes are represented by the polynomial equation,

b7x7 + b6x6 + b5x5 + b4x4 + b3x3 + b2x2 + b1x + b0 = ∑ bixi - - - - equation (4.1)

Where, bi {0,1} and i = 0,1,2,...7. There are 256 elements in GF(28).

For example, 0x11(00010001) identifies the specific finite field x4+1.

4.2 Mathematical Preliminaries

In abstract algebra, a finite field or Galois field is a field that contains a finite

number of elements. Finite fields are important in number theory, algebraic geometry,

Galois theory, cryptography, coding theory and quantum error correction. The finite fields

are classified by size; there is exactly one finite field up to isomorphism of size pk for

each prime p and positive integer k. This is represented as GF(pk). Finite field elements


http://en.wikipedia.org/wiki/Up_to


can be added and multiplied, but these operations are different from those used in normal

algebra. [7]

4.2.1 Addition in Finite Field Algebra

The addition of two elements in GF(28) is achieved by “adding” the coefficients for

the corresponding powers in the polynomials for the two elements. The addition is

performed with the XOR operation (denoted by ) - i.e., modulo 2 addition.

i.e., (0 0) = 0; (0 1) = 1; (1 0) = 1; (1 1) = 0.

Consequently, subtraction of polynomials is identical to addition of polynomials. [7]

Example: (0x57 + 0x83) = (x6+x4+x2+x+1) + ( x7+x+1) = x7+ x6+x4+x2 = 0xD4.

4.2.2 Multiplication in Finite Field Algebra

In the polynomial representation, multiplication in GF(28) (denoted by •) corresponds

with the multiplication of polynomials modulo an irreducible polynomial m(x) of degree

8. A polynomial is irreducible if its only divisors are one and itself. For the AES

algorithm, this irreducible polynomial is, m(x)=x8+x4+x3+x+1, or {01}{1b} in

hexadecimal notation. [7]

Example: {0x57} • {0x83} = {0xC1}.

i.e.., let A = (x6+x4+x2+x+1) • ( x7+x+1)

= x13+x11+x9+x8+x7+x7+x5+x3+x2+x+ x6+x4+x2+x+1

= x13+x11+x9+x8+ x6+ x5+ x4+ x3+1.

Result of multiplication = A mod (x8+x4+x3+x+1) = x7+x6+1= 11000001 = 0xC1.

The modular reduction by m(x) ensures that the result will be a binary polynomial of

degree less than 8, and thus can be represented by a byte. Unlike addition, there is no

simple operation at the byte level that corresponds to this multiplication. There are three

rules which can help in multiplying polynomials in GF(28). They are,

1) 0x01 is the identity in GF(28). Thus anything multiplied by 0x01 remains unchanged.

2) Multiplying by two is the same as decimal arithmetic, provided the result does not

exceed the field size of 255 or 0xFF. Also multiplying by 2 in binary is the same as



shifting left by 1. If the result exceeds 0xFF then the result must be XORed with 0x1B.

This will prevent any overflow errors if working with bytes thus keeping the results

within range.

3) Multiplying by three is the same as multiplying by (1 + 2). Thus,

a • 0x03 = a • (0x02 + 0x01) = (a • 0x02) (a • 0x01).

4.2.3 Multiplicative Inverse in Finite Field Algebra

The multiplication defined above is associative, and the element {01} is the

multiplicative identity. For any non-zero binary polynomial b(x), the multiplicative

inverse of b(x) modulo m(x), denoted by b-1(x) ,can be found using Extended Euclidean

Algorithm if degree of b(x) is less than that of m(x) and also if GCD[b(x),m(x)]=1. [7]

i.e.., if b(x) • b-1(x) = 1 ( mod m(x) ), then b-1(x) is the multiplicative inverse of b(x) in

modulo m(x).

=> [ b(x)*b-1(x) ] – [ i*m(x) ] = 1, - - - - - - - - - - - - - - - - - - - - - - - -equation (4.2)

where i is the integer quotient of division [ b(x)*b-1(x) ] ÷ m(x).

=> [ 1 + {i*m(x) ] ÷ b(x) = b-1(x) - - - - - - - - - - - - - - - - - - - - - - - -equation (4.3)

Equation (4.3) represents the Euclidean Approach to find multiplicative inverse.

The basics of Galois field discussed in section 4.2, is required to understand AES

Algorithm better.



CHAPTER 5

AES Algorithm

This chapter gives detailed explanation about the steps involved in AES algorithm. The

topics covered includes: AES encryption/decryption, Transformations used in AES and

Key expansion Schedule.

5.1 AES Encryption/Decryption

For each round of AES, 128 bit input data and 128 bit key is required, i.e.., it needs 4

words of key in one round. Thus the input key must be expanded to the required number

of words depending upon the number of rounds. The output of each round serves as input

to the next stage. In AES system, same secret key is used for both encryption and

decryption; thus simplifies the design. The block diagram for AES Encryption and

Decryption is as shown in Figure 5.1

Figure 5.1 AES Encryption and Decryption.



For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that

is composed of four different byte-oriented transformations: 1) byte substitution using a

substitution table (S-box), 2) shifting rows of the State array by different offsets, 3)

mixing the data within each column of the State array, and 4) adding a Round Key to the

State. The above 4 transformation are looped Nr-1 times. In the last round (i.e.., Nrth

round) Mixcolumn is not performed.

The AddRoundKey is performed at the beginning and at the end of the cipher in

order to provide initial and final randomness to the algorithm. Without this, the first or

last portion of the cipher could be easily deduced, and therefore would be irrelevant to the

security of the cipher. The last round in the cipher is different from the other rounds in

order to make the encryption and decryption routines more similar, allowing the

complexity to be reduced in hardware and software implementations.

5.2 AES Transformations

The four transformations used in AES Encryption are : ByteSub, ShiftRows,

MixColumns, AddRoundKey. The inverse of these operations are performed for

decryption.

5.2.1 Byte Substitution

The ByteSub transformation is a non-linear byte substitution that operates

independently on each byte of the State using a substitution table (S-box) as shown in

figure 5.2

Figure 5.2 ByteSub transformation



The S-box, which is invertible, is constructed by composing two transformations,

i. Take the multiplicative inverse in the finite field GF(28); the element {00} is

mapped to itself.

ii. Apply the following affine transformation (over GF(2) ) which is defined as,

bi’= bi b(i+4)mod8 b(i+5)mod8 b(i+6)mod8 b(i+7)mod8 Ci - - - - - -equation (5.1)

Where, 0 ≤ i ≤ 8 and bi is the ith bit of byte and Ci is the ith bit of byte C whose

value is 0x63 or (01100011).

In matrix form, the affine transformation element of the S-box can be expressed

as;

The S-box for ByteSub is as shown in Figure 5.3

The Inverse ByteSub is used to reverse this operation in decryption process. The

affine transformation for Inverse ByteSub is as shown below;

The S-1 box for inv ByteSub operation is shown in Figure 5.4



Figure 5.3 look up table for ByteSub transformation.

Figure 5.4 look up table for Inv ByteSub operation.



5.2.2 Shift Rows

Shift-Rows operates on individual rows of the state. It provides diffusion throughout

the AES algorithm. This operation will not change the values of byte in the row, but will

just change their order. It performs left circular shift on each row as follows;

Row 0 à Shift 0; Row 1 à Shift 1; Row 2 à Shift 2; Row 3 à Shift 3;

This is illustrated in Figure 5.5 below. For decryption this Shift operation is reversed.

Figure 5.5 Illustration of Shift Row transformation.

5.2.3 Mix Columns

The MixColumns transformation operates on the State column-by-column, treating

each column as a four-term polynomial. The columns are considered as polynomials over

GF(28) and are multiplied modulo (x4+1) with a mixing polynomial a(x) given by,

a(x)=(0x03) • x3 + (0x01) • x2 + (0x01) • x + (0x02).

This can represented by matrix equation as,


02010103

03020101

01030201

01010302

02010103

03020101

01030201

01010302

a3

a2

a1

a0

a3

a2

a1

a0

a’3

a’2

a’1

a’0

a’3

a’2

a’1

a’0

=


Figure 5.6 illustrates the mix column transformation.

Figure 5.6 Illustration of MixColumn transformation.

InvMixColumns performs the reverse operation for decryption and can be described by

the matrix equation is,

5.2.4 Add Round Key

It is the step that incorporates the round key, a portion of the expanded key, into the

plaintext. This routine performs bitwise XOR of each byte of the state with the

corresponding byte of the round key.

If Add Round Key operates on a variable twice, the variable itself is returned. This

property is used in decryption. Figure 5.7 illustrates this transformation.


0e090d0b

0b0e090d

0d0b0e09

090d0b0e

0e090d0b

0b0e090d

0d0b0e09

090d0b0e

a3

a2

a1

a0

a3

a2

a1

a0

a’3

a’2

a’1

a’0

a’3

a’2

a’1

a’0

=


Figure 5.7 Add round key Transformation

The above 4 transformation are looped N r-1 times. In the last round (i.e.., Nrth

round) Mixcolumn is not performed.

The AddRoundKey is performed at the beginning and at the end of the cipher in

order to provide initial and final randomness to the algorithm. Without this, the first or

last portion of the cipher could be easily deduced, and therefore would be irrelevant to the

security of the cipher. The last round in the cipher is different from the other rounds in

order to make the encryption and decryption routines more similar, allowing the

complexity to be reduced in hardware and software implementations.

5.3 Key Expansion schedule

Pseudo code for AES Key Expansion is given in Figure 5.9. The key-expansion

routine creates round keys word by word, where a word is an array of four bytes. The

routine creates 4x(Nr+1) words. For Nk=4words, Nr=10; this routine creates 44 words.

The process is as follows :

First 4 words of round key are made from initial cipher key. The key is considered

as an array of 16 bytes k[0:15]. The first four bytes (k0 to k3) become w0, the next

four bytes (k4 to k7) become w1, and so on.

The rest of the words (wi for i=4 to 43) are derived as follows:

if (i mod 4)!=0 then, wi = wi-1 wi-4 ;

else if(i mod 4)=0 then wi=t wi-4. Here ‘t’ is a temporary word result of

applying SubByte transformation and rotate word on wi-1 and XORing the result

with a round constant.

Figure 5.8 shows the pictorial representation of AES key expansion.



Figure 5.8 AES Key Expansion

Figure 5.9 pseudo code for AES key expansion.



Steps to find wi when ( i mod 4) = 0

i. RotWord: performs one byte circular left shift on wi-1.

ii. SubWord: performs a byte substitution on each byte of its input word, using

the S-box.

iii. The result of step (i) and (ii) is XORed with a round constant Rcon[j] whichis

given by, Rcon[j]={RC[j],0,0,0},where RC[j]=2*RC[j-1], with multiplication

over GF(28).

J 1 2 3 4 5 6 7 8 9 10

RC[j] 01 02 04 08 10 20 40 80 1B 36

Table 5.1 RC[j] values in hex.

3.3.1 Example for AES Key Expansion

Consider the 16 byte key to be, K = 2b7e151628aed2a6abf7158809cf4f3c.

Key length, Nk = 4 words. => expanded key has 44 words or 11 sets of 4 word keys( one

set used in each round).

AES key expansion steps to obtain the expanded key:

Step 1: Enter the K into key array byte by byte column wise.

2b 28 ab 09

7e ae f7 cf

15 d2 15 4f

16 a6 88 3c

W[0] W[1] W[2] W[3]



W[0:3] forms the cipher key.

Step 2: calculate the first set of 16byte key to be used for 1nd round, i.e., w[4:7]

Step 2a: to find w[4] , follow the steps discussed in section 5.3.

Now, W[i-1] = W[3] = [ 09 cf 4f 3c ].

After shift row operation, W[3] = [ cf 4f 3c 09 ].

After SubByte transform, W[3]* = [ 8a 84 eb 01 ].

Now, W[i-4] = W[0] = [ 2b 7e 15 16 ] and Rcon[1] = [ 01 00 00 00].

W[4] = W[3]* W[0] Rcon[1]

W[4] = [ 8a 84 eb 01 ] [ 2b 7e 15 16 ] [ 01 00 00 00].

W[4] = [a0 fa fe 17].

Step 2b: To find W[5], W[i-1] =W[4] = [a0 fa fe 17] and W[i-4]= W[1] = [ 28 ae d2 a6 ].

W[5] = W[4] W[1].

W[5] = [a0 fa fe 17] [ 28 ae d2 a6 ].

W[5] = [ 88 54 2c b1 ].

Step 2c: Find W[6] and W[7] using the same procedure as 2b.

Thus W[6] = [ 23 a3 39 39 ]. And W[7] = [ 2a 6c 76 05 ].

Therefore, the 2nd round key is,

A0 88 23 2a

Fa 54 A3 6c

Fe 2c 39 76

17 B1 39 05



Step 3: Similarly find rest of the 9 round keys using the step 2.

2nd round key :

F2 79 59 73

C2 96 35 59

95 B9 80 F6

F2 43 7a 7f

3rd round key:

3d 47 1e 6d

80 16 23 7a

47 fe 7e 88

7d 3e 44 3b

4th round key:

Ef A8 B6 Db

44 52 71 0b

A5 5b 25 0d

41 7f 3b 00



5th round key:

D4 7c Ca 11

D1 83 F2 F9

C6 9d B8 15

F8 87 bc Bc

6th round key:

6d 11 Db Ca

88 0b F9 00

A3 3e 86 93

7a Fd 41 Fd

7th round key:

4e 5f 84 4e

54 5f A6 A6

F7 C9 4f Dc

0e F3 B2 4f



8th round key:

Ea B4 31 7f

D2 8d 2b 8d

73 Da F5 29

21 D2 60 2f

9th round key:

Ac 19 28 57

77 Fa D1 5c

65 Dc 29 00

F3 21 41 6e

10th round key:

D0 C9 E1 B6

14 Ee 3f 63

F9 25 0c 0c

A8 89 C8 A6



CHAPTER 6

Modified AES Key Expansion

This chapter gives the detailed description of the proposed method for Real Time Image

Cryptosystems-Modified AES Key Expansion Based Method. The topics covered

include: Changes in AES Key Expansion Schedule to suite Image Cryptosystems, Steps

involved in Image Encryption/Decryption and Experimental Results & Analysis.

6.1 Changes in AES Key Expansion Schedule to Suite Image

Cryptosystems

Certain changes made to the AES key expansion process (discussed in the section 5.3)

improves the encryption quality, and also increases the avalanche effect in the resulting

cipher image. The changes are,

The initial key is expanded based on the number of pixels in the image.

The Rcon value is not constant instead it is being formed from the initial key

itself.

Both the s-box and Inverse s-box are also used for the modified Key Expansion

process because it improves non-linearity in the expanded key and also improves

the encryption quality. The S-box and Inverse S-box are however not directly used

in this algorithm; instead some circular shifts are performed on the boxes based on

the initial key.

The above changes in the algorithm can be represented as discussed in the sections below.

6.1.1 Key Expansion for the image

Consider a plain gray-level image of size mxn. In this method, a set of 16 pixels (128

bits) is encrypted using 2 round keys.

∴ No of keys to Encrypt the whole image N=2*{(m*n)/16}.



6.1.2 Formation of Rcon values

Rcon[j] is formed from the initial cipher key as follows:

Rcon[0]=key[12:15]; Rcon[1]=key[4:7];

Rcon [2]=key[0 : 3]; Rcon [3]=key[8:11];

6.1.3 Using Inverse S-Box for key expansion

The ‘temp’ value used in the algorithm is formed as follows,

temp = SubWord(RotWord(temp)) + InvSubWord(Rcon[i/4]);

here the Rcon values are not used directly, instead each byte of Rcon is substituted by its

corresponding InvSubByte value from S-1 box. This improves the non-linearity of the

expanded key.

6.1.4 Shifting of S-box and Inverse S-box

The offset for shifting S-box and S-1 box is obtained using following equation,

Sbox_offset = sum(key[0:15])mod256;

Inv_Sbox_offset = (sum(key[0:15])*mean(key[0:15]))mod256;

6.2 Steps Involved in Image Encryption/Decryption Using

Modified AES Key Expansion

The steps involved in Image Encryption/Decryption using Modified AES Key

Expansion include: Key selection, Generation of multiple keys, Encryption and

Decryption. Each of these steps are explained briefly below.

6.2.1 Key selection

The sender and receiver agree upon a 128 bit key. This key is used for encryption

and decryption of images. It is a symmetric key encryption technique, so they must share

this key in a secure manner.



The key is represented as blocks k[0],k[1]...k[15]. Where each block is 8bits long

(8*16=128 bits).

6.2.2 Generation of Multiple keys

The sender and receiver can now independently generate the keys required for the

process using the above explained Modified AES Key Expansion technique. This is a one

time process; these expanded keys can be used for future communications any number of

times till they change their initial key value.

6.2.3 Encryption

Encryption is done in spans, where 16 pixels are processed in each span. This

Algorithm performs two XOR operations and a SubBytes Transformation for each set of

pixels. Since two XOR operations are performed using the expanded key for every set of

pixels it is impossible to get the key from plain image and cipher image, and to improve

the non linearity the s-box values used in AES may also be used. This is shown in figure

6.1.

6.2.4 Decryption

The decryption process shown in figure 6.1 is similar as encryption, but here Inverse

SubByte Transformation is used and also the order of XOR operation using the expanded

key is reversed.

Figure 6.1 Encryption/Decryption process for image encryption using modified aes key expansion



CHAPTER 7

Experimental Analysis

The algorithm has been implemented in Mat Lab 6.0 in windows environment with a

system configuration of PIV processor with 1 GB RAM. The proposed algorithm has

been tested with various images in USC-SIPI repository which is a collection of digitized

images primarily to support image processing, image analysis and machine vision.

7.1Key Space Analysis

The strength of any cryptographic algorithm depends upon key space which should

be sufficiently large enough to make brute force attack infeasible. The proposed

algorithm has a huge key space which is 2^128 possible keys. If an opponent tries for

brute force attack, since the key sensitivity of this algorithm is very high he would have to

try all combinations of keys for the image which is computationally infeasible.

7.2Histogram Analysis

To prevent the leakage of information to an opponent, it is also advantageous if the

cipher image bears little or no statistical similarity to the plain image. An image

histogram illustrates how pixels in an image are distributed by graphing the number of

pixels at each colour intensity level. The histogram of the encrypted image is expected to

be fairly uniform and significantly different from the respective histograms of the original

image.

Figure 7.1 and figure 7.2 shows the histogram analysis of plain image and cipher

image. The histogram analysis shows that the histogram of the cipher image is fairly

uniform and is significantly different from the original image. The encryption algorithm

has covered up all the characters of the plain image and has complicated the statistical

relationship between the plain image and its ciphered version.

Figure 7.1 shows the analysis for grey scale image whereas figure 7.2 shows the

analysis for color image.



Figure 7.1 Histogram analysis of Grey Scale 1024X1024 Lena Image


(a) Lena (b) Encrypted Lena

(c) Histogram of Lena

(d)Histogram of Encrypted Lena


Figure 7.2 Histogram Analysis of Colour 640X480 Mountain Image


(a)Mountains (b)Encrypted Mountain

(c) Histogram of Mountain

(d) Histogram of Encrypted Mountain


7.3 Key Sensitivity Analysis

High key sensitivity is required by secure image cryptosystems, which means that

the cipher image cannot be decrypted correctly even if there is only a slight difference

between encryption or decryption keys. The proposed algorithm is experimented for

various key values whose difference is negligibly small. This is similar to avalanche

effect in text encryption where a small bit difference in the key could produce a

significant difference in the cipher text produced. The strength of the algorithm is that

even for a single bit change in the key value the image is not decrypted. Figure 7.3

illustrates the key sensitivity of the proposed algorithm.

Figure 7.3 Key Sensitivity Analysis of Proposed Algorithm



7.4 Execution Time

Another important factor that evaluates the efficiency of algorithms is measuring the

amount of time required to encrypt an image. In this investigation, actual time in CPU

cycles will be used as a measure of execution time. Table 7.1 shows the comparison of

computational time taken by algorithms specified in literature to that of proposed

algorithm to encrypt a 1024x1024 gray-scale Lena Image.

Algorithm Time in seconds for Lena Image

Bourbakis(SCAN patterns) 2.54

Mitra (CPT) 1.82

Proposed Algorithm 1.41

Table 7.1 Computational time comparison



CHAPTER 8

Conclusion and Future Work

8.1 Conclusion

Based on the experimental results shown in section 6.3, it can be observed that

The proposed algorithm offers high encryption quality with minimal

computational time.

The key sensitivity and key space of the algorithm is very high which makes it

resistant towards Brute force attack and statistical cryptanalysis.

The time taken for encryption is relatively less in comparison with the algorithms

proposed in the literature.

The above mentioned features make the algorithm suitable for image encryption in real

time applications.

8.2 Future work

S-box is the pivotal part of AES. Research may be done to improve the quality of

S-box design.

AES-192 or AES-256 may be used to further increase the key sensitivity and key

space of the algorithm.



References

[1] B.Subramanyan, Vivek.M.Chhabria, T.G.Sankar babu, Image Encryption Based On

AES Key Expansion, 2011 Second International Conference on Emerging Applications of

Information Technology, page 217-220.

[2] C.J.Kuo, Novel image Encryption Technique and its application in progressive

transmission. Journal of Electron imaging 24 1993 pp 345-351.

[3] N.J.Bourbakis , C.Alexopoulos, Picture data encryption using SCAN patterns. Pattern

Recognition 256 1992 pp567 -581.

[4] Chin-Chen Chang, Min-Shian Hwang, Tung-Shou Chen, “A new encryption

algorithm for image cryptosystems”, The Journal of Systems and Software 58 (2001), 83-

91.

[5] Fridrich Jiri, Symmetric ciphers based on two dimensional chaotic maps, Int. J.

Bifurcat Chaos 8 (1998) (6), pp. 1259– 1284.

[6] Mitra, Y. V. Subba Rao, and S. R. M. Prasanna, A new image encryption approach

using combinational permutation techniques, International Journal of Computer Science,

vol. 1, no. 2 , pp. 1306- 4428, 2006..

[7] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.


Documents

Image Encryption Using AES Key Expansion