Cryptography Reference
In-Depth Information
0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 },
{ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb },
{ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 },
{ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 },
{ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a },
{ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e },
{ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf },
{ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 },
};
Performing the substitution is a matter of indexing this table with the high-
order four bits of each byte of input as the row and the low-order four bits as
the column, which is illustrated in Listing 2-31.
Listing 2-31: “aes.c” sub_word
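/* Replace each of the four bytes of w with its S-box entry:
   the high-order four bits select the row, the low-order four the column. */
static void sub_word( unsigned char *w )
{
  int i = 0;

  for ( i = 0; i < 4; i++ )
  {
    w[ i ] = sbox[ ( w[ i ] & 0xF0 ) >> 4 ][ w[ i ] & 0x0F ];
  }
}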
Finally, the rotated, substituted value is XORed with the round constant. The
low-order three bytes of the round constant are always 0, and the high-order
byte starts at 0x01 and shifts left every four iterations, so that it becomes 0x02
in the eighth iteration, 0x04 in the twelfth, and so on. Therefore, the first round
constant, applied at iteration #4 if the key length is 128 bits, iteration #6 if the
key length is 192 bits, and iteration #8 if the key length is 256 bits, is 0x01000000.
The second round constant, applied at iteration #8, #12, or #16 depending on
key length, is 0x02000000. The third at iteration #12, #18, or #24 is 0x04000000,
and so on.
If you've been following closely, though, you may notice that for a 128-bit key,
the round constant is left-shifted 10 times because a 128-bit key requires 44 iterations
with a left-shift occurring every four iterations. However, if you left-shift a
single byte eight times, you end up with zeros from that point on. Instead, AES
mandates that, when the left-shift overflows, you XOR the result — which in this
case is zero — with 0x1B. Why 0x1B? Well, take a look at the first 51 iterations
of this simple operation - left shift and XOR with 0x1B on overflow:
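The shift-and-XOR step and the iteration schedule described above can be run directly. The following is an added example, not code from the book's aes.c; the function names rcon_next, round_constant, rcon_for_iteration and rcon_period are assumptions made for illustration. It maps key schedule iterations to round constants for all three key lengths and counts how many steps pass before the byte returns to 0x01.

```c
#include <stdio.h>
#include <stdint.h>

/* One step of the operation: shift left one bit and, if a bit was
   shifted out of the byte (overflow), XOR the result with 0x1B. */
static unsigned char rcon_next( unsigned char rc )
{
  unsigned char shifted = ( unsigned char ) ( rc << 1 );
  return ( rc & 0x80 ) ? ( unsigned char ) ( shifted ^ 0x1B ) : shifted;
}

/* n-th round constant (n = 1, 2, 3, ...) as a 32-bit word: the
   high-order byte holds the value, the low-order three bytes are 0. */
static uint32_t round_constant( int n )
{
  unsigned char rc = 0x01;
  while ( --n > 0 )
  {
    rc = rcon_next( rc );
  }
  return ( uint32_t ) rc << 24;
}

/* Constant XORed in at key schedule iteration i for a key of key_words
   32-bit words (4, 6 or 8); returns 0 when no constant applies at i. */
static uint32_t rcon_for_iteration( int i, int key_words )
{
  if ( i < key_words || i % key_words != 0 ) return 0;
  return round_constant( i / key_words );
}

/* Number of steps before the byte returns to its starting value 0x01. */
static int rcon_period( void )
{
  unsigned char rc = 0x01;
  int steps = 0;
  do { rc = rcon_next( rc ); steps++; } while ( rc != 0x01 );
  return steps;
}

int main( void )
{
  int i;
  for ( i = 4; i < 44; i += 4 ) /* 128-bit key: 44 iterations */
    printf( "iteration %2d: 0x%08lx\n", i,
            ( unsigned long ) rcon_for_iteration( i, 4 ) );
  printf( "steps until 0x01 recurs: %d\n", rcon_period() );
  return 0;
}
```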
 