where the bytes of plain text are sorted according to the following ordering:

$m_0 \to b_{0,0},\ m_1 \to b_{1,0},\ m_2 \to b_{2,0},\ m_3 \to b_{3,0},\ m_4 \to b_{0,1},\ m_5 \to b_{1,1},\ \ldots,\ m_n \to b_{i,j},\ \ldots$

with $i = n \bmod 4$ and $j = \lfloor n/4 \rfloor$.
Access to $B$ within the Rijndael functions takes place in different ways according to the operation. The S-box transformation operates bytewise, ShiftRows operates on rows $(b_{i,0}, b_{i,1}, b_{i,2}, \ldots, b_{i,L_b-1})$ of $B$, and the functions AddRoundKey and MixColumns operate on 4-byte words and access the values of $B$ by columns $(b_{0,j}, b_{1,j}, b_{2,j}, b_{3,j})$.

11.3 Calculating the Round Key
Encryption and decryption each require the generation of $L_r$ round keys, called collectively the key schedule. This occurs through expansion of the secret user key by attaching recursively derived 4-byte words $k_i = (k_{0,i}, k_{1,i}, k_{2,i}, k_{3,i})$ to the user key.
The first $L_k$ words $k_0, \ldots, k_{L_k-1}$ of the key schedule are formed from the secret user key itself. For $L_k \in \{4, 6\}$ the next 4-byte word $k_i$ is determined by XOR-ing the preceding word $k_{i-1}$ with $k_{i-L_k}$. If $i \equiv 0 \bmod L_k$, then a function $F_{L_k}(k, i)$ is applied before the XOR operation, which is composed of a cyclic left shift (left rotation) $r(k)$ of $k$ bytes, a substitution $S(r(k))$ from the Rijndael S-box (we shall return to this later), and an XOR with a constant $c(i/L_k)$, so that altogether the function $F$ is given by

$F_{L_k}(k, i) := S(r(k)) \oplus c(i/L_k)$.

The constants $c(j)$ are defined by $c(j) := (\mathrm{rc}(j), 0, 0, 0)$, where $\mathrm{rc}(j)$ are recursively determined elements from $\mathbb{F}_{2^8}$: $\mathrm{rc}(1) := 1$, $\mathrm{rc}(j) := \mathrm{rc}(j-1) \cdot x = x^{j-1}$. Expressed in numerical values, this is equivalent to $\mathrm{rc}(1) :=$ '01', $\mathrm{rc}(j) := \mathrm{rc}(j-1) \bullet$ '02'. From the standpoint of programming, $\mathrm{rc}(j)$ is computed by a $(j-1)$-fold execution of the function xtime described above, beginning with the argument 1, or more rapidly by access to a table (Tables 11-6 and 11-7).

Table 11-6. rc(j) constants (hexadecimal)

'01' '02' '04' '08' '10' '20' '40' '80' '1B' '36'
'6C' 'D8' 'AB' '4D' '9A' '2F' '5E' 'BC' '63' 'C6'
'97' '35' '6A' 'D4' 'B3' '7D' 'FA' 'EF' 'C5' '91'

For keys of length 256 bits (that is, $L_k = 8$) an additional S-box operation is inserted: If $i \equiv 4 \bmod L_k$, then before the XOR operation $k_{i-1}$ is replaced by $S(k_{i-1})$.
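
The key schedule described in this section, carried through in C as an added example (not code from the original text): rc(j) by repeated xtime, the function F for i ≡ 0 mod L_k, and the extra S-box step for L_k = 8. The names expand_key, schedule_word and KEY128 are introduced here; the example assumes r(k) rotates the word left by one byte position and computes the S-box from its FIPS 197 definition (field inverse plus affine map) instead of a table.

```c
#include <stdint.h>
#include <stdio.h>

/* xtime: multiply by x ('02') in F_2^8 modulo x^8+x^4+x^3+x+1 */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0)); }
/* rc(j) = x^(j-1): (j-1)-fold xtime beginning with 1 */
uint8_t rc(int j) { uint8_t r = 1; while (--j > 0) r = xtime(r); return r; }
static uint8_t gmul(uint8_t a, uint8_t b) {      /* product in F_2^8 */
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a;
    return p;
}
/* S-box computed, not tabulated: inverse a^254 (0 -> 0), then affine map */
uint8_t sbox(uint8_t a) {
    uint8_t inv = 1, s;
    for (int n = 0; n < 254; n++) inv = gmul(inv, a);
    s = inv;
    for (int n = 1; n <= 4; n++) s ^= (uint8_t)((inv << n) | (inv >> (8 - n)));
    return (uint8_t)(s ^ 0x63);
}

/* Expand key (4*Lk bytes, Lk in {4,6,8}) into nwords words w[i] = k_i */
void expand_key(const uint8_t *key, int Lk, int nwords, uint8_t w[][4]) {
    for (int i = 0; i < 4 * Lk; i++) w[i / 4][i % 4] = key[i];
    for (int i = Lk; i < nwords; i++) {
        uint8_t t[4] = { w[i-1][0], w[i-1][1], w[i-1][2], w[i-1][3] };
        if (i % Lk == 0) {                        /* F: S(r(k)) xor c(i/Lk) */
            uint8_t t0 = t[0];                    /* assumed: rotate by one byte */
            t[0] = sbox(t[1]) ^ rc(i / Lk);
            t[1] = sbox(t[2]); t[2] = sbox(t[3]); t[3] = sbox(t0);
        } else if (Lk == 8 && i % Lk == 4) {      /* extra S-box for 256-bit keys */
            for (int b = 0; b < 4; b++) t[b] = sbox(t[b]);
        }
        for (int b = 0; b < 4; b++) w[i][b] = t[b] ^ w[i - Lk][b];
    }
}
/* Added helper: word k_i of the schedule as one big-endian 32-bit value */
uint32_t schedule_word(const uint8_t *key, int Lk, int nwords, int i) {
    uint8_t w[120][4];                            /* enough for 8 * 15 words */
    expand_key(key, Lk, nwords, w);
    return (uint32_t)w[i][0] << 24 | (uint32_t)w[i][1] << 16 | (uint32_t)w[i][2] << 8 | w[i][3];
}

/* 128-bit key from the FIPS 197 Appendix A.1 key expansion example */
const uint8_t KEY128[16] = { 0x2b,0x7e,0x15,0x16, 0x28,0xae,0xd2,0xa6,
                             0xab,0xf7,0x15,0x88, 0x09,0xcf,0x4f,0x3c };
int main(void) {
    printf("k_4 = %08x\n", (unsigned)schedule_word(KEY128, 4, 44, 4));
    return 0;
}
```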