Cryptography Reference
In-Depth Information
used previously. For these reasons, we give in this paper a description of a white-box implementation for the decryption case (but note that our technique can be applied to the encryption case as well). AES-128 serves for illustration purposes, but the description can be adapted for AES-192 or AES-256.
The first step of the white-box AES implementation (WB-AES) is to convert AES into a series of look-up tables and to hide the secret keys in these tables. Compared with a standard AES implementation [10], the operations of the WB-AES rounds are slightly modified without impacting the input or the output of the round.
Algorithm 1. Regular Implementation of AES Decryption
S ← AddRoundKey(S, ExpandedKey[10])
S ← InvShiftRows(S)
S ← InvSubBytes(S)
S ← AddRoundKey(S, ExpandedKey[9])
for i = 9 downto 1 do
    S ← InvMixColumns(S)
    S ← InvShiftRows(S)
    S ← InvSubBytes(S)
    S ← AddRoundKey(S, ExpandedKey[i − 1])
end for
InvSubBytes (IS) and AddRoundKey are combined in a single step, and the subkey (calculated using the AES key expansion) is integrated into InvSubBytes by creating the byte input/output look-up tables $T^r$ of round $r$. InvShiftRows is implemented by providing shifted input data to the generated tables. The first round table is slightly different from the other rounds as there is an additional AddRoundKey. The T-boxes $T^r$ are defined as follows:
$$T^1_{i,j}(x) := IS(x \oplus K^0_{i,j}) \oplus K^1_{i,j}, \quad i \in [0..3],\ j \in [0..3]$$
$$T^r_{i,j}(x) := IS(x) \oplus K^r_{i,j}, \quad r \in [2..10],\ i \in [0..3],\ j \in [0..3].$$

$K^r_{i,j}$ represents the subkey byte number $4 \cdot i + j$ of the round $r$ and $K^{10}_{i,j}$ is the decryption key¹ $K$. In total we have 10 × 16 = 160 T-boxes.
InvMixColumns operates on the AES state one column at a time. This can be implemented by multiplying a 32 × 32 matrix IMC and a vector in GF(2). Multiplication of a 32-bit vector by the IMC matrix is performed by four separate multiplications and three 32-bit XORs. To avoid large tables, the matrix IMC is divided into four 32 × 8 matrices ($IMC_0, \ldots, IMC_3$) and the multiplication is performed separately with each matrix.
¹ To avoid confusion, we change the subkey numbering to make it correspond to round numbering in the decryption process. ExpandedKey[10], ..., ExpandedKey[0] are renamed to $K^0, \ldots, K^{10}$.
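The table conversion described above, as an added Python example that is not code from the paper: it builds the 160 T-boxes from an AES-128 key, applies InvShiftRows by index selection and InvMixColumns through four 32 × 8 slices, and decrypts one block (this first step only, nothing further is applied to the tables). Assumptions: the flat byte index n = 4·i + j, the names SRC, IMC, build_tboxes and decrypt, and taking the K^0 byte of the first-round table at the InvShiftRows source position so that the folded AddRoundKey lines up with the shifted input.

```python
# Added example, not the paper's code. Assumption: in round 1 the K^0 byte folded into
# T-box n is taken at SRC[n], the position InvShiftRows reads from for output byte n.
def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # multiplication in GF(2^8) with the AES polynomial
    p = 0
    while b:
        p, a, b = p ^ (a if b & 1 else 0), xtime(a), b >> 1
    return p

SBOX = []
for x in range(256):
    b = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # inverse; 0 maps to 0
    v = b | (b << 8)  # doubled byte, so v >> (8 - k) yields b rotated left by k
    SBOX.append(((v ^ (v >> 4) ^ (v >> 5) ^ (v >> 6) ^ (v >> 7)) & 0xFF) ^ 0x63)
IS = [SBOX.index(y) for y in range(256)]  # InvSubBytes table

# InvShiftRows as an index map: output byte n = 4*column + row reads input byte SRC[n].
SRC = [4 * ((n // 4 - n % 4) % 4) + n % 4 for n in range(16)]
# Four 32x8 slices of IMC: IMC[j][x] packs the four output bytes produced by input row j.
COEF = [0x0E, 0x0B, 0x0D, 0x09]
IMC = [[sum(gmul(COEF[(j - k) % 4], x) << (8 * k) for k in range(4))
        for x in range(256)] for j in range(4)]

def expand_key(key):  # AES-128 key schedule -> ExpandedKey[0..10], 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([a ^ v for a, v in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def build_tboxes(key):  # T[r][n][x] for r = 1..10 and n = 4*i + j: 160 tables
    K = expand_key(key)[::-1]  # footnote renaming: K^r = ExpandedKey[10 - r]
    T = {1: [[IS[x ^ K[0][SRC[n]]] ^ K[1][n] for x in range(256)] for n in range(16)]}
    for r in range(2, 11):
        T[r] = [[IS[x] ^ K[r][n] for x in range(256)] for n in range(16)]
    return T

def decrypt(T, s):  # s: 16-byte ciphertext block
    for r in range(1, 11):
        if r > 1:  # InvMixColumns: four look-ups and three 32-bit XORs per column
            col = [IMC[0][s[c]] ^ IMC[1][s[c + 1]] ^ IMC[2][s[c + 2]] ^ IMC[3][s[c + 3]]
                   for c in range(0, 16, 4)]
            s = [(col[n // 4] >> (8 * (n % 4))) & 0xFF for n in range(16)]
        s = [T[r][n][s[SRC[n]]] for n in range(16)]  # shifted input feeds each T-box
    return bytes(s)
```

Checking the result against the FIPS-197 Appendix C.1 vector (key 00 01 ... 0f) confirms that the restructured round order of Algorithm 1 and the table form compute standard AES-128 decryption.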
 