Doing so, all rounds' intermediate values will be different from those of classical WB-AES. The values of the InvSubBytes and InvMixColumns constants are not fixed but vary from round to round depending on the dual parameters being used. For a given input, these modifications do not change the output of our WB-AES when compared to the output of Chow et al.'s implementation.
4.2 Construction of the New Tables
Each dual AES (D-AES) representation is allocated an index from 1 to 61200. Choose randomly 10 values $\sigma_r \in_R \{1, \ldots, 61200\}$ for $r = 1, \ldots, 10$ without repetition. This random value permits selecting, for a round number $r$ of AES, the associated D-AES in which operations are performed. Let $\Delta_{\sigma_r} : GF(2^8) \rightarrow GF(2^8)$ be the linear transformation that maps a byte state of AES into a byte state of D-AES number $\sigma_r$. $\Delta_{\sigma_r}$ can be represented as an invertible matrix $M_r$ of size $8 \times 8$ in $GF(2)$ which maps a representation of a byte of the state array of AES into a byte of the state array of D-AES($\sigma_r$). The inverse mapping $\Delta^{-1}_{\sigma_r}$ is obtained by inverting the matrix $M_r$ in $GF(2)$.
The New $T$-Boxes. The InvSubBytes operation can be represented in an algebraic way:
$$IS : GF(2^8) \rightarrow GF(2^8),\quad x \mapsto IS(x) = A \cdot x + b$$
where $A$ is a matrix transformation and $b$ is a constant vector. The non-linear transformation is replaced by
$$IS_{\sigma_r}(x) = (M_r \cdot A \cdot M_r^{-1}) \cdot x + M_r \cdot b.$$
A dual subkey byte is obtained by $K^{\sigma_r}_{i,j} = M_r \cdot K_{i,j}$ from the AES subkey byte. The new look-up tables $T^{\sigma_r}$ of round $r$ are built as follows:
$$T^{\sigma_1}_{i,j}(x) := IS_{\sigma_1}\big(x \oplus K^{\sigma_1}_{i,j}\big) \oplus K^{0}_{i,j},\quad (i,j) \in [0..3]^2$$
$$T^{\sigma_r}_{i,j}(x) := IS_{\sigma_r}\big(x \oplus K^{\sigma_r}_{i,j}\big),\quad r \in [2..10],\ (i,j) \in [0..3]^2$$
where $K^{0}_{i,j} = \Delta_{\sigma_1}(K_{i,j})$, and $K^{\sigma_r}_{i,j} = \Delta_{\sigma_r}(K_{i,j})$ for $r \in [1..10]$. The transformations $IS_{\sigma_r}$ are modified from the original InvSubBytes according to the matrix representing $\Delta_{\sigma_r}$.
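As an added example (not code from the paper), the dual $T$-box construction above carried out on single bytes in Python: $M_r$ is a constructed random invertible $8 \times 8$ matrix over $GF(2)$ standing in for $\Delta_{\sigma_r}$ (not one of the 61200 actual dual-AES maps), $IS$ is the affine layer of InvSubBytes written as $A \cdot x + b$ exactly as on the page, and `tbox_commutes` checks that $T^{\sigma_r}$ applied to a dual-encoded byte equals the dual encoding of the classical $T$-box output, which is why the per-round change leaves the cipher's output unchanged. All function names here (`mat_inv`, `dual_is`, ...) are this example's own.

```python
import random

def mat_vec(M, x):
    """Apply an 8x8 GF(2) matrix (list of rows, bit 0 first) to a byte."""
    v = [(x >> j) & 1 for j in range(8)]
    return sum((sum(M[i][j] & v[j] for j in range(8)) & 1) << i for i in range(8))

def mat_mul(P, Q):
    return [[sum(P[i][k] & Q[k][j] for k in range(8)) & 1 for j in range(8)] for i in range(8)]

def mat_inv(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    aug = [row[:] + [int(i == j) for j in range(8)] for i, row in enumerate(M)]
    for col in range(8):
        piv = next((r for r in range(col, 8) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(8):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[8:] for row in aug]

# IS(x) = A.x + b: the affine layer of AES InvSubBytes (the GF(2^8) inversion is
# left out so that IS is genuinely affine, as the page's notation assumes).
A_FWD = [[int((j - i) % 8 in (0, 4, 5, 6, 7)) for j in range(8)] for i in range(8)]
A = mat_inv(A_FWD)
B = mat_vec(A, 0x63)  # the inverse affine constant, 0x05

def IS(x):
    return mat_vec(A, x) ^ B

def random_invertible_matrix(seed):
    """Constructed stand-in for Delta_sigma_r: a random invertible M_r over GF(2)."""
    rng = random.Random(seed)
    while True:
        M = [[rng.randint(0, 1) for _ in range(8)] for _ in range(8)]
        if mat_inv(M) is not None:
            return M

def dual_is(M):
    """IS_sigma(y) = (M.A.M^-1).y + M.b, the page's transformed InvSubBytes."""
    A_sigma, b_sigma = mat_mul(mat_mul(M, A), mat_inv(M)), mat_vec(M, B)
    return lambda y: mat_vec(A_sigma, y) ^ b_sigma

def tbox_commutes(M, key_byte):
    """True iff T_sigma(M.x) == M.T(x) for every byte x, with K_sigma = M.K."""
    is_sigma, k_sigma = dual_is(M), mat_vec(M, key_byte)
    return all(is_sigma(mat_vec(M, x) ^ k_sigma) == mat_vec(M, IS(x ^ key_byte))
               for x in range(256))
```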
The New $IMC$ Matrix. Any constant $c$ in InvMixColumns is replaced by $M_r \cdot c$. This means that the polynomial constants of InvMixColumns are replaced by $M_r \cdot \texttt{0b}$, $M_r \cdot \texttt{0d}$, $M_r \cdot \texttt{0e}$ and $M_r \cdot \texttt{09}$, leading to a new matrix $IMC = IMC_{\sigma_r}$. $IMC$ is then combined with a $32 \times 32$ random matrix $MB$ just like in the Chow et al. implementation.
Encoding the Mixing Bijections. In our new design of WB-AES, only the mixing bijections in type I and II tables are modified. For type II tables, we multiply the dual transformation of the current round $\Delta_{\sigma_r}$ with the inverse dual transformation of the previous round, i.e. $\Delta_{\sigma_r} \times \Delta^{-1}_{\sigma_{r-1}}$ with $r$ in $[2..10]$. Next, we multiply the result of $\Delta_{\sigma_r} \times \Delta^{-1}_{\sigma_{r-1}}$ with the input mixing bijections of the current round $P_{i,j}$, which gives us the new mixing