Internet.Security

The modular product, a(x) b(x), of two four-term polynomials a(x) and b(x), is given by

d(x) = a(x) b(x) = d3x3 + d2x2 + d1x + d0

where

d0 = a0b0 a3b1 a2b2 a1b3 d1 = a1b0 a0b1 a3b2 a2b3 d2 = a2b0 a1b1 a0b2 a3b3 d3 = a3b0 a2b1 a1b2 a0b3

Thus, d(x) in matrix form is written as:

The AES algorithm also defines the inverse polynomials as:

a(x) = (03)x3 + (01)x2 + (01)x1 + (02)

a−1(x) = (0b)x3 + (0d)x2 + (09)x1 + (0e)

3.5.3 AES Algorithm Specification

For the AES algorithm, Nb denotes the number of 32-bit words with respect to the 128-bit block of the input, output, or state (128 = N b × 32, from which N b = 4).

Nk represents the number of 32-bit words with respect to the cipher-key length of 128, 192 or 256 bits:

The number of rounds are 10, 12 and 14, respectively.

Rcon[13] = [x12, {00}, {00}, {00}] = [x11 • x, {00}, {00}, {00}] = ab000000 x11 • x = xtime(x11) = xtime(d8) = {leftshift(d8)} {1b} = ab

Rcon[i] is a useful component for the round constant ward array in order to compute the key expansion routine.

The input key expansion into the key schedule proceeds as shown in Figure 3.16.

Computation of w[4] for i = 4 is as follows:

Temp = w[3] = 3131276e

A cyclic permutation of w[3] by one byte produces

RotWord(w[3]) = 31276e31

Taking each byte of RotWord(w[3]) at a time and applying to the S-box yields SubWord(31276e31) = c7cc9fc7

Compute a round constant Rcon[i/N k]:

Rcon[4/4] = Rcon[1] = 01000000

XORing SubWord() with Rcon[1] yields

Figure 3.16 Pseudocode for key expansion (FIPS Publication, 2001).

SubWord() Rcon[1] = c6cc9fc7

w[i − N k] = w[0] = 368ac0f4

Finally, w[4] is computed as:

w[4] = c6cc9fc7 368ac0f4 = f0465f33.

Continuing in this fashion, the remaining w[i], 4 ≤ i ≤ 43, can be computed as shown in Table 3.16.

Cipher

The 128-bit cipher input is fed in a column-by-column manner, comprising each column with a four-byte word. In other words, the input is copied to the state array as shown in Table 3.17.

The cipher is described in the pseudocode in Figure 3.17.

Individual transformations for the pseudocode computation consist of SubBytes(), ShiftRows(), MixColumns() and AddRoundKey(). These transformations play a role in processing the state and are briefly described below.

ShiftRows() Transformation

In the ShiftRows(), the first row (row 0) is not shifted and the remaining rows proceed as follows:

where the shift value shift (r, N b) = shift (r, 4) depends on the row number r as follows:

shift (1, 4) = 1; shift (2, 4) = 2; shift (3, 4) = 3;

This has the effect of shifting the leftmost bytes around into the rightmost positions over different numbers of bytes in a given row.

MixColumns() Transformation

The MixColumns() transformation operates on the state column-by-column, treating each column as a four-term polynomial over GF(28) and multiplied modulo x4 + 1 with a fixed polynomial a(x) as:

s (x) = a(x) s(x)

where a(x) = {03}x3 + {01}x2 + {01}x + {02}, s(x) is the input polynomial and s (x) is the corresponding polynomial after the MixColumns() transformation.

The matrix multiplication of s (x) is

The four bytes in a column after the matrix multiplication are

s ,c = ({02} • s0,c) ({03} • s1,c) s2,c s3,c

0

s ,c = s0,c ({02} • s1,c) ({03} • s2,c) s3,c

1

s ,c = s0,c s1,c ({02} • s2,c) ({03} • s3,c)

2

s ,c = ({03} • s0,c) s1,c s2,c ({02} • s3,c)

3

AddRoundKey() Transformation

In AddRoundKey() transformation, a round key is added to the state by a simple bitwise XOR operation. Each round key consists of Nb words from the key schedule. These Nb words are added into the columns of the state such that

where [wi ] are the key schedule words, and round is a value in the range 0 ≤ round ≤ N r. The initial round key addition occurs when round = 0, prior to the first application of the round function. The application of the AddRoundKey() transformation to the Nr rounds of the cipher occurs when 1 ≤ round ≤ N r.

Example 3.25 Assume that the input block and a cipher key whose length of 16 bytes each are given as:

Plaintext = a3 c5 08 08 78 a4 ff d3 00 ff 36 36 28 5f 01 02

Cipherkey = 36 8a c0 f4 ed cf 76 a6 08 a3 b6 78 31 31 27 6e

Using the algorithm for the pseudocode computation described in Figure 3.17, the intermediate values in the state array are given in the following table. The round key values w[i] are taken from Example 3.24.

Cipher (Encrypt)

Inverse cipher

The Cipher transformation can be implemented in reverse order to produce a Inverse Cipher for the AES algorithm. The individual transformations used in the Inverse Cipher are InvShiftRows(), InvSubBytes(), InvMixColumns() and AddRoundKey(). These inverse transformations process the state as described in the following.

InvShiftRows() Transformation

InvShiftRows() is the inverse of the ShiftRows() transformation. The first row (Row 0) is not shifted. The bytes in the last three rows (Row 1, Row 2, Row 3) are cyclically shifted over different numbers of bytes as follows:

shift (r, N b): shift values, where ris a row number and N b = 4.

shift (1, 4) = 1, shift (2, 4) = 2, shift (3, 4) = 3, respectively.

Specifically, the InvShiftRows() transformation proceeds as:

InvSubBytes() Transformation

InvSubBytes() is the inverse of the byte substitution transformation, in which the inverse S-box is applied to each byte of the state. The inverse S-box used in the InvSubBytes() transformation is presented in Figure 3.19.