Image encryption using aes key expansion

Image Encryption using AES Key Expansion Seminar Report 2013
Department of Telecommunication Engineering,
PACE, Mangalore. Page 1
CHAPTER 1
Introduction
This chapter gives a brief introduction to Image Encryption and its advantages. The topics
covered are: Introduction to Image Encryption, Problem statement, Objective and scope
of Study, Literature Review and the need for proposed algorithm. Finally, limitations of
the study and organisation of chapters in this report are given.
1.1 General Introduction
A major issue for computer networks is to prevent important information from
being disclosed to illegal users. For this reason, encryption techniques were introduced.
Most encryption techniques have an easy implementation and are widely used in the field
of information security.
During the last decade, the use of computer networks has grown spectacularly,
and this growth continues unabated. New networks are being installed and connected to
global internet. The internet is commonly seen as the first incarnation of an information
superhighway. Today, the information transmitted over internet is not only text, but also
contains multimedia like image, audio etc. Mostly images are used. However, the more
extensively the images are used, the more important their security will be. For example, it
is important to protect military image databases, ensure confidential video conferencing,
and protect personal online photograph albums.
However, with the growth of computer processor processing power and storage,
illegal access has become easier. As a result image security has become an important
topic in the current computer world.
Most traditional or modern cryptosystems have been designed to protect textual
data. The original plain-text is converted into cipher-text (hidden form of message) which
is stored or transmitted over network. Upon reception, the cipher-text can be transformed
back into the original plain-text by using a decryption algorithm.

However images are different from text. Although the traditional cryptosystems,
such as RSA and DES-like cryptosystems may be used, to encrypt images directly, it is
not a good idea for two reasons.
One is that the image size is always much greater than that of text. Therefore,
the traditional cryptosystems need much time to directly encrypt the image
data.
The second is that, the decrypted text must be equal to that of original text.
However, this requirement is not necessary for image data. This is due to the
characteristics of human perception; a decrypted image containing small
distortion is usually acceptable.
A digital image is defined as a two dimensional (2D) rectangle array. The
elements of this array are denoted as pixels. Each pixel has an intensity value (digital
number) and a location address (row, column).
An image can be encrypted by combining MATLAB with the encoder. Each pixel
in an image is represented by 8 bits, i.e., 1 byte. Using MATLAB the pixel values can be
converted into bytes. These byte values are then used as input to the encoder. The 128 bit
encoder then convert this byte into corresponding encoded byte. The encoded bit values
are then converted into decimal values for pixels. This operation is then repeated for each
pixel to generate a 2D text array corresponding to the pixel value.
For protecting the stored 2D data, they must be converted to one dimensional (1D)
arrays before using various traditional encryption techniques. The raster sequence of
image data can be encrypted into blocks by using block cipher or a stream cipher. A
product cipher can also be used to encrypt a file of image data. However, it is more
efficient to encrypt an image after employing some compression techniques. This will
reduce the computational requirement and also the increases the speed of processing
(which is of high importance in real time scenario).
1.2Problem Statement
The two main problems that arise in image encryption process are with respect to
the time it takes for its computation and its security level. For real time image encryption
only those ciphers are preferable which takes lesser amount of computational time

without compromising security. An encryption scheme which runs very slowly, even
though may have higher degree of security features would be of little practical use for real
time processes. Hence a trade off has to be made.
Many encryption methods have been proposed in literature, and the most common
way to protect large multimedia files is by using conventional encryption techniques.
Private Key bulk encryption algorithms, such as Triple DES or Blowfish, are not suitable
for transmission of large amounts of data (such as images). Due to the complexity of their
internal structure, they are not particularly fast in terms of execution speed and cannot be
applied for images in the real time scenario. Also traditional cryptographic techniques
such as DES cannot be applied to images due to the intrinsic properties of images such as
bulk data capacity, redundancy and high correlation among pixels. Image encryption
algorithms can become an integral part of the image delivery process if they aim towards
efficiency and at the same time preserve the security level.
1.3 Objective of the Study
The three basic characteristics in the information security field: privacy (an
unauthorized user cannot disclose a message), integrity (an unauthorized user cannot
modify or corrupt a message) and availability (messages are made available to authorized
users faithfully).
A perfect image cryptosystem is not only flexible in the security mechanism, but
also has high overall performance.
The objective of this study is to realise an image cryptosystem that, besides the
above mentioned characteristics, also posses the following characteristics:
i. System should be computationally secure i.e., it should have an extremely long
computation time to break. In other words unauthorized users must not be able to
read privileged images.
ii. Encryption and decryption should be fast enough not to degrade system
performance. i.e., the algorithm should be simple enough to be done by users with
a personal computer.
iii. The security mechanism should be widely acceptable to design a cryptosystem
like a commercial product; and should be flexible.

1.4 Related Works
Due to the differences between images and text, a wide variety of cryptographic
algorithms have been proposed for image security.
In the paper [2], Kuo proposed an image encryption method - image distortion, which
obtains the encrypted image by adding the phase spectra of the plain image with those of
the key image. This method is safe but the image is not compressed, thus encryption &
decryption is inefficient.
In the paper [3], Bourbakis and Alexopoulos developed a new method which performs
both lossless compression and encryption of binary and gray-scale images. The
compression and encryption schemes are based on SCAN patterns generated by the
SCAN technique. SCAN is a formal language-based two-dimensional spatial- access
methodology which can efficiently specify and generate a wide range of scanning paths
or space filling curves. Here again security is high but no image compression is
considered.
In the paper [4], Chin-Chen Chang, Min-Shian Hwang, and Tung-Shou Chen used one of
the popular image compression techniques, vector quantization, to design an efficient
cryptosystem for images. The scheme is based on vector quantization (VQ),
cryptography, and other number theorems. In VQ, the images are first decomposed into
vectors and then sequentially encoded vector by vector. Major advantage- simple
hardware structure; required bit-rate for VQ is also small.
In the paper [5], Fridrich demonstrated the construction of a symmetric block encryption
technique based on 2D standard chaotic map. In this paper to encrypt large data files
private-key symmetric block encryption schemes are used because public key encryption
schemes are not suitable for encrypting of large amounts of data and archival due to their
relatively slow performance. Also, the security of public key cryptographic schemes lies
in the computational complexity of certain problems, such as factorization of large
numbers or computing of the discrete logarithm problem. Advances in algorithmic
techniques, number theory force us to re-encrypt large databases and archives with a
longer key to maintain a sufficient degree of security. Here a chaotic map is first
generalized by introducing parameters and is then discretized to a finite square lattice of
points (image) which represent data items (pixel). The discretized map is further extended

to three dimensions and composed with a simple diffusion mechanism to obtain a block
product encryption scheme. The main features of the encryption scheme studied in this
paper are a variable key length, a relatively large block size (several kB or more), and a
high encryption rate. However, the drawback here is the choices for the ciphering key
depend on the block size. Files with size smaller than 10kB would have to be padded to
guarantee sufficiently many encryption keys which will increase the size of the data to be
transmitted.
In the paper [6], Mitra had used a random combination of bit, pixel, and block
permutations. The permutation of bits decreases the perceptual information, whereas the
permutation of pixels and blocks produce high level security.
1.5 Limitation of the study
The algorithm for Image Encryption used here is based on 128-bit AES Key
Expansion. To increase the key space 192-bit/256-bit AES Algorithm may be used
in future.
Also the S-box used here provides only 70% non linearity to algorithm. Sbox with
better non linearity may be designed in future to increase the avalanche effect of
encrypted Image.
1.6 Chapter Organisation
The first 2 Chapters of this report, discusses the theoretical concepts required to
understand the image encryption and its importance. The next 4 chapters deal with
introduction to image cryptosystems and the proposed method to overcome the problems
faced in real time implementation of image cryptosystems. Last chapter deals with
Experimental analysis of proposed method and comparative results. The list of chapters
and brief description of their contents is given below.
Chapter 1: Gives the brief idea of image encryption requirements. It explains the
scope, literature survey, methodology and overall general view of this study.
Chapter 2: Gives a brief background to cryptography and some of the common
terms used in cryptography. It also discusses about the different types of cryptographies
and the types cryptanalysis attacks possible on images.

Chapter 3: Gives a brief overview of some of the image cryptosystem
implemented so far, its efficiency and drawback in regard to real time application.
Chapter 4, 5 ,6 & 7 : In these chapters, AES standard, mathematical preliminaries
required to understand AES Algorithm, AES algorithm with the transformations used and
Key expansion schedule ,An example for AES Key Expansion and modification to AES
Key Expansion to suite Image Cryptosystems in real time application have been
explained. The chapter 7 gives Experimental analysis and results of proposed method.

CHAPTER 2
Basics of Cryptography
This chapter just gives a basic idea about cryptography and its types, so that the concepts
in image cryptosystems can be understood better. The topics covered are: Definition of
cryptography and cryptanalysis, types of cryptography, types of cryptanalysis attacks for
evaluating the security of image cryptosystems.
2.1 Terms Used in Cryptography
―Cryptography‖ is the science of using mathematics to encrypt and decrypt data. It
enables us to store sensitive information or transmit it across insecure networks (like the
Internet) so that it cannot be read by anyone except the intended recipient.
While cryptography is the science of securing data, ―cryptanalysis‖ is the science
of analyzing and breaking secure communication. Classical cryptanalysis involves an
interesting combination of analytical reasoning, application of mathematical tools, pattern
finding, patience, determination, and luck. Cryptanalysts are also called as attackers.
Cryptology embraces both cryptography and cryptanalysis.
Cryptography can be strong or weak; its strength is measured in the time and
resources it would require to recover the plain-text. The result of strong cryptography is
cipher-text that is very difficult to decipher without possession of the appropriate
decoding tool.
A cryptographic algorithm, is a mathematical function used in the encryption and
decryption process. it works in combination with a key—a word, number, or phrase—to
encrypt the plain-text. The same plain-text encrypts to different cipher-text with different
keys. The security of encrypted data is thus entirely dependent on two things: the strength
of the cryptographic algorithm and the secrecy of the key.
A cryptographic algorithm, plus all possible keys and all the protocols that make it
work comprise a ―cryptosystem‖.

2.2 Types of cryptography
Cryptography is usually of two types based the type of key used. They are: Secret
key & Public key Cryptography.
2.2.1 Secret key Cryptography
 It is also known as Conventional or Symmetric Cryptography.
 Here same key is used for encryption & decryption as shown in figure 2.2.1(a).
 Example: DES (Data Encryption Standard).
Figure 2.1 Conventional encryption/decryption.
 Advantages of conventional cryptography are,
i. It is very fast.
ii. It is especially useful for encrypting data that is to be stored securely and
not transmitted.
 Main problem in conventional or secret key cryptography is ―Key Distribution‖.
For a sender and recipient to communicate securely using conventional
encryption, they must agree upon a key and keep it secret between themselves. If
they are in different physical locations, they must use some secure communication
medium to prevent the disclosure of the secret key during transmission else a third
party intercepting the key in transit can later read, modify or forge all information
encrypted.

2.2.2 Public Key Cryptography
 The problems of key distribution are solved by public key cryptography.
 It is an asymmetric scheme which uses a pair of keys for encryption: ―public key‖,
which encrypts the data and a corresponding ―private key‖ or ―secret key‖, which
decrypts the data.
 Here the public key is published to the world but private key is kept a secret i.e.,
anyone with the copy of public key can encrypt information whereas decryption
can only be done with the knowledge of private key.
 It is computationally infeasible to deduce the private key from the public key.
Anyone who has a public key can encrypt information but cannot decrypt it. Only
the person who has the corresponding private key can decrypt the information.
 Example: RSA (named after its inventors, Ron Rivest, Adi Shamir, and Leonard
Adleman)
Figure 2.2 Public key Encryption/Decryption
 Advantages of Public Key Cryptography are,
i. The primary benefit of public key cryptography is that it allows people
who have no pre-existing security arrangement to exchange messages
securely.
ii. The need for sender and receiver to share secret keys via some secure
channel is eliminated; all communications involve only public keys, and
no private key is ever transmitted or shared.

2.3 Types of Cryptanalysis Attacks for Evaluating the
Security of Image Cryptosystems
The following five attacks are used for evaluating the security of image
cryptosystems. Each of them assumes that the cryptanalyst has the complete knowledge
of the encryption algorithm used.
The first attack is called the cipher-image-only or brute force attack. In this attack,
an illegal user is assumed to obtain the cipher-image from networks, but does not have the
private key. In other words, a cryptanalyst must determine the private key solely from an
intercepted cipher-image.
The second attack is called the known-plain-image-only attack. The illegal users
are assumed to have obtained several plain-image and cipher-image pairs in this attack. A
cryptanalyst must deduce the private key used to encrypt the plain images or the
algorithm to decrypt any new cipher image encrypted with same private key.
The third attack is called the chosen plain-image attack. In this attack, the illegal
users are able to select the plain-images and obtain the corresponding cipher-images this
is more powerful than the known-plain-image-only attack, because cryptanalysts can
choose some specific pain-images to encrypt, and this yields more information about the
private key. The cryptanalysts uses this information to deduce the private key used to
encrypt the plain images.
The fourth attack is called jigsaw puzzle attack. In this attack, the illegal users first
divide a cipher-image into many small areas. The cryptanalysts then breaks these areas
one by one. Since each area is much smaller than the entire cipher-image, the
computational load for breaking each area is much less than that for breaking the entire
cipher-image. The jigsaw puzzle attack is therefore more efficient than other attacks.
The fifth attack is called the neighbour attack. In this attack, the illegal users are
assumed to know a part of the plain-image. The changes across the boundaries of the
areas are smooth in most images. Therefore, the cryptanalysts use this attribute to speed
up the selections for the boundaries of the neighbouring areas; and can derive the
neighbouring pixels for the known part of plain image and break the whole cipher
efficiently.[3]

CHAPTER 3
Efficiency and Security of Some Image Cryptosystems
This chapter gives brief explanation about the techniques previously applied to solve
problems related to real time image encryption. This chapter covers the topics: Image
Encryption Using SCAN Patterns, Image Encryption Using Combinational Permutation
Techniques, and the need for AES based method.
3.1 Image Encryption Using SCAN Patterns
Due to the differences between images and text, a wide variety of cryptographic
algorithms have been proposed for image security.
In the paper [3], Bourbakis and Alexopoulos developed a new method which
performs encryption of binary and gray-scale images. The encryption schemes are based
on SCAN patterns generated by the SCAN technique. This method converts 2D image
patterns into 1D list & employs a SCAN language to describe the converted result. SCAN
is a formal language based 2D spatial accessing methodology which can efficiently
specify and generate a wide range of scanning paths. In this language there are several
SCAN letters & each letter represents a scan order. The four basic SCAN patterns used by
SCAN language are: Continuous raster (C), Continuous diagonal (D), Continuous
orthogonal (O) and Spiral (S).These four patterns are shown in figure 3.1.
Figure 3.1 Basic SCAN patterns [3]
Different combinations of SCAN letters generate different kind of secret images.
Once the combination of SCAN letters is determined, the scheme generates a SCAN
string which defines the SCAN order of the original image. The algorithm then scans the
image and encrypts the SCAN string using commercial cryptosystems. Since illegal users

cannot obtain correct SCAN string, the original image is therefore secure. Figure 3.2
shows an example of SCAN key patterns.
Figure 3.2 Example of SCAN key pattern—B5(s2Z0(c5b0o0s5)c4d1) [3]
Drawbacks of Image Encryption using SCAN patterns are,
This method does not consider the advantages of image compression. As a result,
the size of the image is very large and is inefficient to encrypt or decrypt images
directly for real time applications.
Also, due to large image size encryption/decryption process is consumes lot of
time and hence is slow.
Although it provides fair enough security it is not preferred for real time
application because the time taken by this method to produce cipher image is not
acceptable for real time scenerio.
3.2 Image Encryption Using Combinational Permutation
Techniques
In the paper [6] Mitra presents an approach using a combinational permutation
techniques for image encryption. This technique uses a random combination of bit, pixel,
and block permutations. The permutation of bits decreases the perceptual information,
whereas the permutation of pixels and blocks produce high level security. It is observed
that the permutation of bits is effective in signiﬁcantly reducing the correlation thereby
decreasing the perceptual information, whereas the permutation of pixels and blocks are
good at producing higher level security compared to bit permutation. A random

combination method employing all the three techniques thus is observed to be useful for
tactical security applications, where protection is needed only against a casual observer.
The security of images used in electronic communication may be needed against
two types of attackers; casual listeners/observers or professional unauthorized recipients,
termed as cryptanalysts. In the former case, the security is needed only in terms of hours
while in the later it may be in terms of years. The duration roughly indicates the amount
of time that is needed to analyze the information available in unintelligible form in the
insecure channel without the knowledge of keys to derive the underlying information.
The scenario where security is needed against casual listener/observer, the
cryptographic structure should be as simple as possible in order to reduce the cost. The
present work focuses on development of improved private key cryptographic methods for
providing security against such casual observers in the context of image communications.
In designing private key cryptographic techniques, permutation methods and
pseudo random sequence generators play important roles due to their simple yet effective
information coding performances. This method uses many good keys, selected using
pseudo random index generators (PRIG), for different permutation operations. Since a
large number of keys are used, the security level offered is comparatively high. Further,
the amount of redundant information available in the encrypted image is kept as low as
possible, thereby providing fairly high security level against casual observers. In image
communication, the image is represented as a group of bits, pixels and blocks and
therefore, the encryption is done by permuting the respective groups. Further, to make it
more robust against casual attacks, a random combinational image encryption approach
with bit, pixel and block permutations is used. It is also shown that if the random
combinational sequence of permutations is not known to the observer, it will not be
possible for him/her to retrieve the original information, even if the permutation private
keys are known to that person.
The Pseudo random index generator (PRIG) for permutation purpose is usually
constructed using the linear feedback shift registers (LFSR). A PRIG contains ‗n‘ shift
registers and is initiated with a starting seed, which is usually transmitted through a
secured channel for intended users only. The outputs of the shift registers are multiplied
with the coefﬁcients (Cn−1,Cn−2,...,C1,C0) of a primitive polynomial with respect to mod-2

operation. The resultant output obtained by the modulo operation is then fed back to the
ﬁrst shift register. The shift register output values are converted into decimal index using
binary to decimal converter. The general structure of such a PRIG is shown in Fig. 3.3.
Note that the periodicity of such a random index generator is 2n−1
.
Figure 3.3 Structure of a general pseudo random index generator [6]
In the context of images, three basic permutation techniques, they are,
1) Bit permutation: The image can be seen as an array of pixels, each with eight bits for
256 gray levels. In the bit permutation technique, the bits in each pixel taken from the
image are permuted with a key chosen from the set of keys by using the PRIG. The entire
array of these permuted pixels forms the encrypted image. The encrypted image obtained
from the bit permutation technique is transmitted to the receiver through the insecure
channel. At the receiver the encrypted image is decrypted using the same set of keys and
same pseudo random index generator. As the number of bits in each pixel is eight, the key
length is also taken equal to eight. The number of permutations obtained with eight
elements is 8! (=40320) but the number of good keys formed by such eight elements is
only 121. Therefore, to get 127 keys using a PRIG of maximal length 127, other 6 keys
are taken randomly from these 121 good permutation keys to form the complete set.
2) Pixel permutation: In this scheme each group of pixels is taken from the image. The
pixels in the group are permuted using the key selected from the set of keys. The
encryption and decryption procedure is same as the bit permutation technique. The size of
the pixel group is same as the length of the keys, and all the keys are of same length. If
the length of the keys is more than the size of pixel group, the perceptual information

reduces. In this work the group of pixels is taken along the row without the loss of
generality, i.e., the column wise procedure would yield same kind of results.
3) Block permutation: In this technique, the image can be decomposed into blocks. A
group of blocks is taken from the image and these blocks are permuted same as bit and
pixel permutations. For better encryption the block size should be lower. If the blocks are
very small then the objects and its edges do not appear clearly. In this block permutation
the blocks are permuted horizontally in the image. The permutation of blocks along
vertical side is also similar to horizontal side block permutation. At the receiver the
original image can be obtained by the inverse permutation of the blocks.
Figure 3.4 Block diagram of Combinational Permutation technique [6]
The main idea behind this method is that an image can be viewed as an
arrangement of bits, pixels and blocks. The intelligible information present in an image is
due to the correlations among the bits, pixels and blocks in a given arrangement. This
perceivable information can be reduced by decreasing the correlation among the bits,
pixels and blocks using certain random permutation techniques. The advantage offered by
this scheme is that even if the private key is known to the attacker somehow and the

random combination key is unknown, then the person will not be able to extract/tamper
the image. Also, due the combination of three permutation approaches the redundancy,
visual intelligence reduces.
To get back the original image at the receiver, the order of the permutation
processes should be exactly reverse to the order at the transmitter; otherwise the output
will produce no visible information. Figure 3.4 shows the block diagram of this method.
However the drawback in this approach is that it provides security only against
casual observers and not against professional hackers; hence is not preferred for real time
application because it is not possible to predict the type of attackers posing danger to the
integrity of image data.
3.3 Need for AES Key Expansion Based Method
The above discussed two Cryptosystem were mainly developed for single
application scenario and hence had its own limitation when considering a general Image
security application. Also these methods were not suitable for Real Time Applications
because the algorithm either had very high security but was slow in processing or it was
very fast at the prize of security.
Hence there is need for an algorithm that in general is applicable for all Image
security applications in Real Time. Thus a method that is based on AES Key Expansion
which overcomes the limitations of above mentioned algorithm is preferred.
Here the encryption process is a Bitwise Exclusive OR operation of a set of image
pixels along with a 128 bit key which changes for every set of pixels. The cipher keys are
generated independently at the sender and receiver side based on AES Key Expansion
process, hence the initial key alone is shared and not the whole set of keys. The algorithm
has been experimented with standard bench mark images proposed in USC-SIPI database
and the result shows that it offers good resistance against brute force attack, key
sensitivity tests and statistical crypt analysis.

CHAPTER 4
Advanced Encryption Standard
This chapter contains a brief introduction to AES. The topics covered are: Introduction to
AES, Mathematical foundation for AES – Galios Field.
4.1 Introduction to AES
In January, 1997 NIST began its effort to develop the AES, a symmetric key
encryption algorithm, and made a worldwide public call for the algorithm to succeed
DES. Initially 15 algorithms were selected, which was then reduced down to 4
algorithms, RC6, Rijndael, Serpent and Two-fish, all of which were iterated block
ciphers. The four finalists were all determined to be qualified as the AES.
The final evaluation, which also solicited worldwide public input was based on three
characteristics [see table 4.1]
1) Security: It encompassed resistance to known attacks, mathematical soundness,
randomness of output and security compared to other algorithms.
2) Cost: encompassed encryption speed, required memory, and no licensing agreements
i.e. the algorithm had to be available worldwide royalty free.
3) Algorithm and implementation characteristics: The algorithm had to be suitable
across a wide range of hardware and software systems. The algorithm had to be relatively
simple as well. After extensive review the Rijndael algorithm was chosen to be the AES
algorithm.
Algorithm Security
Speed Memory
Encryption/Decryption Key RAM ROM
RC6 Adequate High end Average Average Average
Rijndael Adequate High end High end High end High end
Serpent High Low end Average Average Average
Two Fish High Average High end High end Average
Table 4.1 Some evaluation criteria and results for AES finalists

AES was designed to have the following characteristics:
Resistance against all known attacks.
Speed and code compactness on a wide range of platforms.
Design simplicity.
The AES Algorithm is a symmetric-key cipher, in which both the sender and the
receiver use a single key for encryption and decryption. The data block length is fixed to
be 128 bits, while the length can be 128, 192 or 256 bits. In addition, the AES is an
iterative algorithm; each iteration being called a round. The total number of rounds Nr is
dependent on Key length Nk, where Nr and Nk are specified in words. The 128 bit data
block is divided into 16 bytes. These bytes are mapped to a 4x4 array called the State, and
all the internal operations of the AES algorithm are performed on the State. The
parameters for AES algorithm are shown in Table 4.2
Algorithm Key length, Nk Block size, Nb No of rounds, Nr= Nk+ 6
AES-128 4 4 10
AES-192 6 4 12
AES-256 8 4 14
Table 4.2 AES Parameters.
Most of the operations in the AES algorithm take place on bytes of data or on words
of data 4 bytes long, which are represented in the field GF(28
), called the Galois Field.
These bytes are represented by the polynomial equation,
b7x7
+ b6x6
+ b5x5
+ b4x4
+ b3x3
+ b2x2
+ b1x + b0 = ∑ bixi
- - - - equation (4.1)
Where, bi {0,1} and i = 0,1,2,...7. There are 256 elements in GF(28
).
For example, 0x11(00010001) identifies the specific finite field x4
+1.
4.2 Mathematical Preliminaries
In abstract algebra, a finite field or Galois field is a field that contains a finite
number of elements. Finite fields are important in number theory, algebraic geometry,
Galois theory, cryptography, coding theory and quantum error correction. The finite fields
are classified by size; there is exactly one finite field up to isomorphism of size pk
for
each prime p and positive integer k. This is represented as GF(pk
). Finite field elements

can be added and multiplied, but these operations are different from those used in normal
algebra. [7]
4.2.1 Addition in Finite Field Algebra
The addition of two elements in GF(28
) is achieved by ―adding‖ the coefficients for
the corresponding powers in the polynomials for the two elements. The addition is
performed with the XOR operation (denoted by ) - i.e., modulo 2 addition.
i.e., (0 0) = 0; (0 1) = 1; (1 0) = 1; (1 1) = 0.
Consequently, subtraction of polynomials is identical to addition of polynomials. [7]
Example: (0x57 + 0x83) = (x6
+x4
+x2
+x+1) + ( x7
+x+1) = x7
+ x6
+x4
+x2
= 0xD4.
4.2.2 Multiplication in Finite Field Algebra
In the polynomial representation, multiplication in GF(28
) (denoted by •) corresponds
with the multiplication of polynomials modulo an irreducible polynomial m(x) of degree
8. A polynomial is irreducible if its only divisors are one and itself. For the AES
algorithm, this irreducible polynomial is, m(x)=x8
+x4
+x3
+x+1, or {01}{1b} in
hexadecimal notation. [7]
Example: {0x57} • {0x83} = {0xC1}.
i.e.., let A = (x6
+x4
+x2
+x+1) • ( x7
+x+1)
= x13
+x11
+x9
+x8
+x7
+x7
+x5
+x3
+x2
+x+ x6
+x4
+x2
+x+1
= x13
+x11
+x9
+x8
+ x6
+ x5
+ x4
+ x3
+1.
Result of multiplication = A mod (x8
+x4
+x3
+x+1) = x7
+x6
+1= 11000001 = 0xC1.
The modular reduction by m(x) ensures that the result will be a binary polynomial of
degree less than 8, and thus can be represented by a byte. Unlike addition, there is no
simple operation at the byte level that corresponds to this multiplication. There are three
rules which can help in multiplying polynomials in GF(28
). They are,
1) 0x01 is the identity in GF(28
). Thus anything multiplied by 0x01 remains unchanged.
2) Multiplying by two is the same as decimal arithmetic, provided the result does not
exceed the field size of 255 or 0xFF. Also multiplying by 2 in binary is the same as

shifting left by 1. If the result exceeds 0xFF then the result must be XORed with 0x1B.
This will prevent any overflow errors if working with bytes thus keeping the results
within range.
3) Multiplying by three is the same as multiplying by (1 + 2). Thus,
a • 0x03 = a • (0x02 + 0x01) = (a • 0x02) (a • 0x01).
4.2.3 Multiplicative Inverse in Finite Field Algebra
The multiplication defined above is associative, and the element {01} is the
multiplicative identity. For any non-zero binary polynomial b(x), the multiplicative
inverse of b(x) modulo m(x), denoted by b-1
(x) ,can be found using Extended Euclidean
Algorithm if degree of b(x) is less than that of m(x) and also if GCD[b(x),m(x)]=1. [7]
i.e.., if b(x) • b-1
(x) = 1 ( mod m(x) ), then b-1
(x) is the multiplicative inverse of b(x) in
modulo m(x).
=> [ b(x)*b-1
(x) ] – [ i*m(x) ] = 1, - - - - - - - - - - - - - - - - - - - - - - - -equation (4.2)
where i is the integer quotient of division [ b(x)*b-1
(x) ] ÷ m(x).
=> [ 1 + {i*m(x) ] ÷ b(x) = b-1
(x) - - - - - - - - - - - - - - - - - - - - - - - -equation (4.3)
Equation (4.3) represents the Euclidean Approach to find multiplicative inverse.
The basics of Galois field discussed in section 4.2, is required to understand AES
Algorithm better.

CHAPTER 5
AES Algorithm
This chapter gives detailed explanation about the steps involved in AES algorithm. The
topics covered includes: AES encryption/decryption, Transformations used in AES and
Key expansion Schedule.
5.1 AES Encryption/Decryption
For each round of AES, 128 bit input data and 128 bit key is required, i.e.., it needs 4
words of key in one round. Thus the input key must be expanded to the required number
of words depending upon the number of rounds. The output of each round serves as input
to the next stage. In AES system, same secret key is used for both encryption and
decryption; thus simplifies the design. The block diagram for AES Encryption and
Decryption is as shown in Figure 5.1
Figure 5.1 AES Encryption and Decryption.

For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that
is composed of four different byte-oriented transformations: 1) byte substitution using a
substitution table (S-box), 2) shifting rows of the State array by different offsets, 3)
mixing the data within each column of the State array, and 4) adding a Round Key to the
State. The above 4 transformation are looped Nr-1 times. In the last round (i.e.., Nr
th
round) Mixcolumn is not performed.
The AddRoundKey is performed at the beginning and at the end of the cipher in
order to provide initial and final randomness to the algorithm. Without this, the first or
last portion of the cipher could be easily deduced, and therefore would be irrelevant to the
security of the cipher. The last round in the cipher is different from the other rounds in
order to make the encryption and decryption routines more similar, allowing the
complexity to be reduced in hardware and software implementations.
5.2 AES Transformations
The four transformations used in AES Encryption are : ByteSub, ShiftRows,
MixColumns, AddRoundKey. The inverse of these operations are performed for
decryption.
5.2.1 Byte Substitution
The ByteSub transformation is a non-linear byte substitution that operates
independently on each byte of the State using a substitution table (S-box) as shown in
figure 5.2
Figure 5.2 ByteSub transformation

The S-box, which is invertible, is constructed by composing two transformations,
i. Take the multiplicative inverse in the finite field GF(28
); the element {00} is
mapped to itself.
ii. Apply the following affine transformation (over GF(2) ) which is defined as,
bi‘= bi b(i+4)mod8 b(i+5)mod8 b(i+6)mod8 b(i+7)mod8 Ci - - - - - -equation (5.1)
Where, 0 ≤ i ≤ 8 and bi is the ith
bit of byte and Ci is the ith
bit of byte C whose
value is 0x63 or (01100011).
In matrix form, the affine transformation element of the S-box can be expressed
as;
The S-box for ByteSub is as shown in Figure 5.3
The Inverse ByteSub is used to reverse this operation in decryption process. The
affine transformation for Inverse ByteSub is as shown below;
The S-1
box for inv ByteSub operation is shown in Figure 5.4

Figure 5.3 look up table for ByteSub transformation.
Figure 5.4 look up table for Inv ByteSub operation.

5.2.2 Shift Rows
Shift-Rows operates on individual rows of the state. It provides diffusion throughout
the AES algorithm. This operation will not change the values of byte in the row, but will
just change their order. It performs left circular shift on each row as follows;
Row 0  Shift 0; Row 1  Shift 1; Row 2  Shift 2; Row 3  Shift 3;
This is illustrated in Figure 5.5 below. For decryption this Shift operation is reversed.
Figure 5.5 Illustration of Shift Row transformation.
5.2.3 Mix Columns
The MixColumns transformation operates on the State column-by-column, treating
each column as a four-term polynomial. The columns are considered as polynomials over
GF(28
) and are multiplied modulo (x4
+1) with a mixing polynomial a(x) given by,
a(x)=(0x03) • x3
+ (0x01) • x2
+ (0x01) • x + (0x02).
This can represented by matrix equation as,
02010103
03020101
01030201
01010302
02010103
03020101
01030201
01010302
a3
a2
a1
a0
a3
a2
a1
a0
a’
3
a’
2
a’
1
a’
0
a’
3
a’
2
a’
1
a’
0
=

Figure 5.6 illustrates the mix column transformation.
Figure 5.6 Illustration of MixColumn transformation.
InvMixColumns performs the reverse operation for decryption and can be described by
the matrix equation is,
5.2.4 Add Round Key
It is the step that incorporates the round key, a portion of the expanded key, into the
plaintext. This routine performs bitwise XOR of each byte of the state with the
corresponding byte of the round key.
If Add Round Key operates on a variable twice, the variable itself is returned. This
property is used in decryption. Figure 5.7 illustrates this transformation.
0e090d0b
0b0e090d
0d0b0e09
090d0b0e
0e090d0b
0b0e090d
0d0b0e09
090d0b0e
a3
a2
a1
a0
a3
a2
a1
a0
a’
3
a’
2
a’
1
a’
0
a’
3
a’
2
a’
1
a’
0
=

Figure 5.7 Add round key Transformation
The above 4 transformation are looped Nr-1 times. In the last round (i.e.., Nr
th
round) Mixcolumn is not performed.
The AddRoundKey is performed at the beginning and at the end of the cipher in
order to provide initial and final randomness to the algorithm. Without this, the first or
last portion of the cipher could be easily deduced, and therefore would be irrelevant to the
security of the cipher. The last round in the cipher is different from the other rounds in
order to make the encryption and decryption routines more similar, allowing the
complexity to be reduced in hardware and software implementations.
5.3 Key Expansion schedule
Pseudo code for AES Key Expansion is given in Figure 5.9. The key-expansion
routine creates round keys word by word, where a word is an array of four bytes. The
routine creates 4x(Nr+1) words. For Nk=4words, Nr=10; this routine creates 44 words.
The process is as follows :
First 4 words of round key are made from initial cipher key. The key is considered
as an array of 16 bytes k[0:15]. The first four bytes (k0 to k3) become w0, the next
four bytes (k4 to k7) become w1, and so on.
The rest of the words (wi for i=4 to 43) are derived as follows:
if (i mod 4)!=0 then, wi = wi-1 wi-4 ;
else if(i mod 4)=0 then wi=t wi-4. Here ‗t‘ is a temporary word result of
applying SubByte transformation and rotate word on wi-1 and XORing the result
with a round constant.
Figure 5.8 shows the pictorial representation of AES key expansion.

Figure 5.8 AES Key Expansion
Figure 5.9 pseudo code for AES key expansion.

Steps to find wi when ( i mod 4) = 0
i. RotWord: performs one byte circular left shift on wi-1.
ii. SubWord: performs a byte substitution on each byte of its input word, using
the S-box.
iii. The result of step (i) and (ii) is XORed with a round constant Rcon[j] whichis
given by, Rcon[j]={RC[j],0,0,0},where RC[j]=2*RC[j-1], with multiplication
over GF(28
).
J 1 2 3 4 5 6 7 8 9 10
RC[j] 01 02 04 08 10 20 40 80 1B 36
Table 5.1 RC[j] values in hex.
5.3.1 Example for AES Key Expansion
Consider the 16 byte key to be, K = 2b7e151628aed2a6abf7158809cf4f3c.
Key length, Nk = 4 words. => expanded key has 44 words or 11 sets of 4 word keys( one
set used in each round).
AES key expansion steps to obtain the expanded key:
Step 1: Enter the K into key array byte by byte column wise.
2b 28 ab 09
7e ae f7 cf
15 d2 15 4f
16 a6 88 3c
W[0] W[1] W[2] W[3]

W[0:3] forms the cipher key.
Step 2: calculate the first set of 16byte key to be used for 1nd
round, i.e., w[4:7]
Step 2a: to find w[4] , follow the steps discussed in section 5.3.
Now, W[i-1] = W[3] = [ 09 cf 4f 3c ].
After shift row operation, W[3] = [ cf 4f 3c 09 ].
After SubByte transform, W[3]* = [ 8a 84 eb 01 ].
Now, W[i-4] = W[0] = [ 2b 7e 15 16 ] and Rcon[1] = [ 01 00 00 00].
 W[4] = W[3]* W[0] Rcon[1]
 W[4] = [ 8a 84 eb 01 ] [ 2b 7e 15 16 ] [ 01 00 00 00].
 W[4] = [a0 fa fe 17].
Step 2b: To find W[5], W[i-1] =W[4] = [a0 fa fe 17] and W[i-4]= W[1] = [ 28 ae d2 a6 ].
 W[5] = W[4] W[1].
 W[5] = [a0 fa fe 17] [ 28 ae d2 a6 ].
 W[5] = [ 88 54 2c b1 ].
Step 2c: Find W[6] and W[7] using the same procedure as 2b.
Thus W[6] = [ 23 a3 39 39 ]. And W[7] = [ 2a 6c 76 05 ].
Therefore, the 2nd
round key is,
A0 88 23 2a
Fa 54 A3 6c
Fe 2c 39 76
17 B1 39 05

Step 3: Similarly find rest of the 9 round keys using the step 2.
2nd
round key :
F2 79 59 73
C2 96 35 59
95 B9 80 F6
F2 43 7a 7f
3rd
round key:
3d 47 1e 6d
80 16 23 7a
47 fe 7e 88
7d 3e 44 3b
4th
round key:
Ef A8 B6 Db
44 52 71 0b
A5 5b 25 0d
41 7f 3b 00

5th
round key:
D4 7c Ca 11
D1 83 F2 F9
C6 9d B8 15
F8 87 bc Bc
6th
round key:
6d 11 Db Ca
88 0b F9 00
A3 3e 86 93
7a Fd 41 Fd
7th
round key:
4e 5f 84 4e
54 5f A6 A6
F7 C9 4f Dc
0e F3 B2 4f

8th
round key:
Ea B4 31 7f
D2 8d 2b 8d
73 Da F5 29
21 D2 60 2f
9th
round key:
Ac 19 28 57
77 Fa D1 5c
65 Dc 29 00
F3 21 41 6e
10th
round key:
D0 C9 E1 B6
14 Ee 3f 63
F9 25 0c 0c
A8 89 C8 A6

CHAPTER 6
Modified AES Key Expansion
This chapter gives the detailed description of the proposed method for Real Time Image
Cryptosystems-Modified AES Key Expansion Based Method. The topics covered
include: Changes in AES Key Expansion Schedule to suite Image Cryptosystems, Steps
involved in Image Encryption/Decryption and Experimental Results & Analysis.
6.1 Changes in AES Key Expansion Schedule to Suite Image
Cryptosystems
Certain changes made to the AES key expansion process (discussed in the section 5.3)
improves the encryption quality, and also increases the avalanche effect in the resulting
cipher image. The changes are,
The initial key is expanded based on the number of pixels in the image.
The Rcon value is not constant instead it is being formed from the initial key
itself.
Both the s-box and Inverse s-box are also used for the modified Key Expansion
process because it improves non-linearity in the expanded key and also improves
the encryption quality. The S-box and Inverse S-box are however not directly used
in this algorithm; instead some circular shifts are performed on the boxes based on
the initial key.
The above changes in the algorithm can be represented as discussed in the sections below.
6.1.1 Key Expansion for the image
Consider a plain gray-level image of size mxn. In this method, a set of 16 pixels (128
bits) is encrypted using 2 round keys.
∴ No of keys to Encrypt the whole image N=2*{(m*n)/16}.

6.1.2 Formation of Rcon values
Rcon[j] is formed from the initial cipher key as follows:
Rcon[0]=key[12:15]; Rcon[1]=key[4:7];
Rcon [2]=key[0 : 3]; Rcon [3]=key[8:11];
6.1.3 Using Inverse S-Box for key expansion
The ‗temp‘ value used in the algorithm is formed as follows,
temp = SubWord(RotWord(temp)) + InvSubWord(Rcon[i/4]);
here the Rcon values are not used directly, instead each byte of Rcon is substituted by its
corresponding InvSubByte value from S-1
box. This improves the non-linearity of the
expanded key.
6.1.4 Shifting of S-box and Inverse S-box
The offset for shifting S-box and S-1
box is obtained using following equation,
Sbox_offset = sum(key[0:15])mod256;
Inv_Sbox_offset = (sum(key[0:15])*mean(key[0:15]))mod256;
6.2 Steps Involved in Image Encryption/Decryption Using
Modified AES Key Expansion
The steps involved in Image Encryption/Decryption using Modified AES Key
Expansion include: Key selection, Generation of multiple keys, Encryption and
Decryption. Each of these steps are explained briefly below.
6.2.1 Key selection
The sender and receiver agree upon a 128 bit key. This key is used for encryption
and decryption of images. It is a symmetric key encryption technique, so they must share
this key in a secure manner.

The key is represented as blocks k[0],k[1]...k[15]. Where each block is 8bits long
(8*16=128 bits).
6.2.2 Generation of Multiple keys
The sender and receiver can now independently generate the keys required for the
process using the above explained Modified AES Key Expansion technique. This is a one
time process; these expanded keys can be used for future communications any number of
times till they change their initial key value.
6.2.3 Encryption
Encryption is done in spans, where 16 pixels are processed in each span. This
Algorithm performs two XOR operations and a SubBytes Transformation for each set of
pixels. Since two XOR operations are performed using the expanded key for every set of
pixels it is impossible to get the key from plain image and cipher image, and to improve
the non linearity the s-box values used in AES may also be used. This is shown in figure
6.1.
6.2.4 Decryption
The decryption process shown in figure 6.1 is similar as encryption, but here Inverse
SubByte Transformation is used and also the order of XOR operation using the expanded
key is reversed.
Figure 6.1 Encryption/Decryption process for image encryption using modified aes key expansion

CHAPTER 7
Experimental Analysis
The algorithm has been implemented in Mat Lab 6.0 in windows environment with a
system configuration of PIV processor with 1 GB RAM. The proposed algorithm has
been tested with various images in USC-SIPI repository which is a collection of digitized
images primarily to support image processing, image analysis and machine vision.
7.1Key Space Analysis
The strength of any cryptographic algorithm depends upon key space which should
be sufficiently large enough to make brute force attack infeasible. The proposed
algorithm has a huge key space which is 2^128 possible keys. If an opponent tries for
brute force attack, since the key sensitivity of this algorithm is very high he would have to
try all combinations of keys for the image which is computationally infeasible.
7.2Histogram Analysis
To prevent the leakage of information to an opponent, it is also advantageous if the
cipher image bears little or no statistical similarity to the plain image. An image
histogram illustrates how pixels in an image are distributed by graphing the number of
pixels at each colour intensity level. The histogram of the encrypted image is expected to
be fairly uniform and significantly different from the respective histograms of the original
image.
Figure 7.1 and figure 7.2 shows the histogram analysis of plain image and cipher
image. The histogram analysis shows that the histogram of the cipher image is fairly
uniform and is significantly different from the original image. The encryption algorithm
has covered up all the characters of the plain image and has complicated the statistical
relationship between the plain image and its ciphered version.
Figure 7.1 shows the analysis for grey scale image whereas figure 7.2 shows the
analysis for color image.

Figure 7.1 Histogram analysis of Grey Scale 1024X1024 Lena Image

Figure 7.2 Histogram Analysis of Colour 640X480 Mountain Image

7.3 Key Sensitivity Analysis
High key sensitivity is required by secure image cryptosystems, which means that
the cipher image cannot be decrypted correctly even if there is only a slight difference
between encryption or decryption keys. The proposed algorithm is experimented for
various key values whose difference is negligibly small. This is similar to avalanche
effect in text encryption where a small bit difference in the key could produce a
significant difference in the cipher text produced. The strength of the algorithm is that
even for a single bit change in the key value the image is not decrypted. Figure 7.3
illustrates the key sensitivity of the proposed algorithm.
Figure 7.3 Key Sensitivity Analysis of Proposed Algorithm

7.4 Execution Time
Another important factor that evaluates the efficiency of algorithms is measuring the
amount of time required to encrypt an image. In this investigation, actual time in CPU
cycles will be used as a measure of execution time. Table 7.1 shows the comparison of
computational time taken by algorithms specified in literature to that of proposed
algorithm to encrypt a 1024x1024 gray-scale Lena Image.
Algorithm Time in seconds for Lena Image
Bourbakis(SCAN patterns) 2.54
Mitra (CPT) 1.82
Proposed Algorithm 1.41
Table 7.1 Computational time comparison

CHAPTER 8
Conclusion and Future Work
8.1 Conclusion
Based on the experimental results shown in section 6.3, it can be observed that
The proposed algorithm offers high encryption quality with minimal
computational time.
The key sensitivity and key space of the algorithm is very high which makes it
resistant towards Brute force attack and statistical cryptanalysis.
The time taken for encryption is relatively less in comparison with the algorithms
proposed in the literature.
The above mentioned features make the algorithm suitable for image encryption in real
time applications.
8.2 Future work
S-box is the pivotal part of AES. Research may be done to improve the quality of
S-box design.
AES-192 or AES-256 may be used to further increase the key sensitivity and key
space of the algorithm.

References
[1] B.Subramanyan, Vivek.M.Chhabria, T.G.Sankar babu, Image Encryption Based On
AES Key Expansion, 2011 Second International Conference on Emerging Applications of
Information Technology, page 217-220.
[2] C.J.Kuo, Novel image Encryption Technique and its application in progressive
transmission. Journal of Electron imaging 24 1993 pp 345-351.
[3] N.J.Bourbakis , C.Alexopoulos, Picture data encryption using SCAN patterns. Pattern
Recognition 256 1992 pp567 -581.
[4] Chin-Chen Chang, Min-Shian Hwang, Tung-Shou Chen, ―A new encryption
algorithm for image cryptosystems‖, The Journal of Systems and Software 58 (2001), 83-
91.
[5] Fridrich Jiri, Symmetric ciphers based on two dimensional chaotic maps, Int. J.
Bifurcat Chaos 8 (1998) (6), pp. 1259– 1284.
[6] Mitra, Y. V. Subba Rao, and S. R. M. Prasanna, A new image encryption approach
using combinational permutation techniques, International Journal of Computer Science,
vol. 1, no. 2 , pp. 1306- 4428, 2006..
[7] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

Image encryption using aes key expansion

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Image encryption using aes key expansion

Ähnlich wie Image encryption using aes key expansion (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Image encryption using aes key expansion