1 with d − 1 ( i, j ):= j

for j =0 ,...,L b −

−

c L b ,i mod L b (cf. page 250) and the

j th column k − j the “inverse” round key.

Again in the last round the MixColumns transformation is omitted, and thus

the result of the last round is given by

S − 1 ( b 0 ,j ) ,S − 1 b 1 ,d − 1 (1 ,j ) ,S − 1 b 2 ,d − 1 (2 ,j ) ,S − 1 b 3 ,d − 1 (3 ,j )

⊕ k − 1

b j ←

j

for j =0 ,...,L b −

1 .

To save memory one can also make do in decryption with a table of only 256

4-byte words, in which

[ b 0 ,j ] ⊕ r T − 0 b 1 ,d − 1 (1 ,j )

⊕ r T − 1

0

b j ← T − 1

0

b 2 ,d − 1 (2 ,j ) ⊕ r T − 1

b 3 ,d − 1 (3 ,j )

⊕ k − 1

j

,

0

with a right rotation r ( a, b, c, d )=( d, a, b, c ) of one byte.

11.10 Performance

Implementations for various platforms have verified the superior performance

of Rijndael. The bandwidth suffices for realizations for small 8-bit controllers

with small amounts of memory and key generation on the fly up through current

32-bit processors. For purposes of comparison, Table 11-18 provides encryption

rates for the candidates RC6, Rijndael, and Twofish, as well as for the older 8051

controller and the Advanced Risc Machine (ARM) as a modern 32-bit chip card

controller.

Table 11-18. Comparative Rijndael performance in bytes per second, after [Koeu]

8051 (3.57 MHz)

ARM (28.56 MHz)

RC6

165

151 260

Rijndael

3005

311 492

Twofish

525

56 289