Cryptography Reference
In-Depth Information
used previously. For these reasons, we give in this paper a description of a white-box implementation for the decryption case (but note that our technique can be applied to the encryption case as well). AES-128 will serve for illustration purposes, but this can be adapted for AES-192 or AES-256.
The first step of the white-box AES implementation (WB-AES) is to convert AES into a series of look-up tables and to hide the secret keys in these tables. Compared with a standard AES implementation [10], the operations of the WB-AES rounds are slightly modified without impacting the input or the output of the round.
Algorithm 1. Regular Implementation of AES Decryption
  S ← AddRoundKey(S, ExpandedKey[10])
  S ← InvShiftRows(S)
  S ← InvSubBytes(S)
  S ← AddRoundKey(S, ExpandedKey[9])
  for i = 9 downto 1 do
    S ← InvMixColumns(S)
    S ← InvShiftRows(S)
    S ← InvSubBytes(S)
    S ← AddRoundKey(S, ExpandedKey[i − 1])
  end for
InvSubBytes (IS) and AddRoundKey are combined in a single step, and the subkey (calculated using the AES key expansion) is integrated into InvSubBytes by creating the byte input/output look-up tables $T^r$ of round $r$. InvShiftRows is implemented by providing shifted input data to the generated tables. The first round table is slightly different from the other rounds as there is an additional AddRoundKey. The T-boxes $T^r$ are defined as follows:

$$T^1_{i,j}(x) := IS(x \oplus K^0_{i,j}) \oplus K^1_{i,j}, \quad i \in [0..3],\ j \in [0..3]$$
$$T^r_{i,j}(x) := IS(x) \oplus K^r_{i,j}, \quad r \in [2..10],\ i \in [0..3],\ j \in [0..3].$$

$K^r_{i,j}$ represents the subkey byte number $4 \cdot i + j$ of the round $r$ and $K^{10}$ is the decryption key¹ $K$. In total we have $10 \times 16 = 160$ T-boxes.
InvMixColumns operates on the AES state one column at a time. This can be implemented by multiplying a 32 × 32 matrix IMC and a vector in GF(2). Multiplication of a 32-bit vector by the IMC matrix is performed by four separate multiplications and three 32-bit XORs. To avoid large tables, the matrix IMC is divided into four 32 × 8 matrices ($IMC_0, \ldots, IMC_3$) and the multiplication is performed separately with each matrix.
¹ To avoid confusion, we change the subkey numbering to make it correspond to round numbering in the decryption process. ExpandedKey[10], ..., ExpandedKey[0] are renamed to $K^0, \ldots, K^{10}$.
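The T-box construction above as runnable Python, an added example that is not code from the paper: it builds the 160 tables for an AES-128 key and decrypts using only table look-ups, InvShiftRows input routing and InvMixColumns. Assumptions: the function names, the flat byte index n = 4·i + j, taking the K^0 byte at its pre-InvShiftRows position, and computing InvMixColumns arithmetically rather than through the IMC tables.

```python
def xt(a):                      # multiply by x in GF(2^8), AES polynomial 0x11B
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):                 # GF(2^8) product
    p = 0
    while b:
        p ^= a * (b & 1)
        a, b = xt(a), b >> 1
    return p

INV = [0] + [next(b for b in range(1, 256) if gmul(a, b) == 1) for a in range(1, 256)]
SBOX = [(w ^ w >> 8) & 0xFF ^ 0x63          # affine map: fold bits 8..11, add 0x63
        for w in (v ^ v << 1 ^ v << 2 ^ v << 3 ^ v << 4 for v in INV)]
IS = [SBOX.index(y) for y in range(256)]    # InvSubBytes table
# InvShiftRows as input routing: output byte n reads state byte SRC[n].
SRC = [4 * ((n // 4 - n % 4) % 4) + n % 4 for n in range(16)]

def expand_key(key):            # AES-128 key schedule -> ExpandedKey[0..10]
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rc
            rc = xt(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def inv_mix_columns(s):         # plain arithmetic here, not the IMC tables
    C = (14, 11, 13, 9)
    return [gmul(s[c], C[-i % 4]) ^ gmul(s[c + 1], C[(1 - i) % 4]) ^
            gmul(s[c + 2], C[(2 - i) % 4]) ^ gmul(s[c + 3], C[(3 - i) % 4])
            for c in range(0, 16, 4) for i in range(4)]

def build_tboxes(key):
    K = expand_key(key)[::-1]   # footnote renaming: K[0] = ExpandedKey[10]
    # Assumption (added example): K^0 is indexed at the pre-shift position SRC[n].
    T = {1: [[IS[x ^ K[0][SRC[n]]] ^ K[1][n] for x in range(256)] for n in range(16)]}
    for r in range(2, 11):
        T[r] = [[IS[x] ^ K[r][n] for x in range(256)] for n in range(16)]
    return T

def table_decrypt(T, ct):       # reads only the tables, never the key
    s = list(ct)
    for r in range(1, 11):
        s = inv_mix_columns(s) if r > 1 else s
        s = [T[r][n][s[SRC[n]]] for n in range(16)]
    return bytes(s)
```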