Cryptography Reference
In-Depth Information
2. Do the following $r - 1$ times:
    (a) Run InvSubBytes on the state.
    (b) Run InvShiftRows on the state.
    (c) Run InvMixColumns on the state.
    (d) Run AddRoundKey on the state.
3. Run InvSubBytes on the state.
4. Run InvShiftRows on the state.
5. Run AddRoundKey on the state.
The most important thing to note is that the keys must be submitted in reverse order.
It is also important to note that the key expansion is changed slightly, as I show in Section 4.9.3.
The inverse operations are fairly easy to derive from the normal ones: We simply construct InvShiftRows by shifting in the opposite direction the appropriate number of times. We construct InvSubBytes by inverting the S-box used (either with the inverse matrix or the inverse of the table). And finally, the InvMixColumns transformation is found by using the following matrix for the multiplication step:
4.9.3 Key Expansion
The key expansion step computes the key schedule for use in either encryption or decryption.
Rijndael computes its sizes in terms of 32-bit words. Therefore, in this case, a 128-bit block cipher would have a block size denoted as $N_b$ of 4. The key size is denoted as $N_k$ in a similar manner, so that, for example, a 192-bit key is denoted with $N_k = 6$. The number of rounds is denoted as $r$.
Two functions need to be explained in order to describe the key expansion. The SubWord function takes a 32-bit argument, splits it into four 8-bit bytes, computes the S-box transformation from SubBytes on each 8-bit value, and concatenates them back together. The RotWord function takes a 32-bit argument, splits it into four 8-bit bytes, and then rotates left cyclically, replacing each 8-bit value in the word with the 8-bit value that was on the right. Specifically, it computes

$$\mathrm{RotWord}(a_3 \,\|\, a_2 \,\|\, a_1 \,\|\, a_0) = a_2 \,\|\, a_1 \,\|\, a_0 \,\|\, a_3$$
Finally, there is a constant matrix that is used, denoted as Rcon. The values of Rcon can be calculated fairly easily using the finite field multiplication operation •. Essentially, the values are calculated as

$$\mathrm{Rcon}(i) = 2^{i-1} \,\|\, 0 \,\|\, 0 \,\|\, 0$$

where each of the four parts is an 8-bit number and a member of Rijndael's finite field. Owing to this fact, $2^{i-1}$ must be calculated using the • multiplication operator [calculating the previous result times (•) 2], and not normal multiplication. The first few values of $2^{i-1}$ are straightforward (starting at $i = 1$): 1, 2, 4, 8, 16, 32, 64, 128. When we get to 256, though, we need to start using the finite field modulo. Therefore, the next few values are 27, 54, 108, and so on.
Table 4-5 shows the required values.
Table 4-5 Rijndael Table for First Entry of Rcon Values
These entries should be sufficient for any implementations of AES.
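The helpers described in this section, as an added example that is not from the book: RotWord, SubWord and Rcon in Python, with the S-box derived from the field arithmetic rather than tabulated. It goes beyond the text by plugging them into the standard FIPS-197 encryption key schedule, so the result can be checked against the published AES-128 test vector; all function names are this example's own.

```python
# Added example, not the book's code; all function names are this example's own.
def xtime(b):  # multiply by 2 in GF(2^8), reducing by x^8+x^4+x^3+x+1 (0x11B)
    return (b << 1) ^ 0x11B if b & 0x80 else b << 1

def gf_mul(a, b):  # the text's finite field multiplication, shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():  # SubBytes table: field inverse, then the affine transform
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for n in range(1, 5):  # XOR in the four left-rotations of inv
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def rot_word(w):  # a3||a2||a1||a0 -> a2||a1||a0||a3
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def sub_word(w):  # S-box applied to each of the four bytes
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def rcon(i):  # Rcon(i) = 2^(i-1) || 0 || 0 || 0, power taken in GF(2^8)
    v = 1
    for _ in range(i - 1):
        v = xtime(v)
    return v << 24

def expand_key(key):  # FIPS-197 encryption schedule; key is 16, 24 or 32 bytes
    nk = len(key) // 4                      # Nk, key length in 32-bit words
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):       # Nb * (r + 1) words, r = Nk + 6
        t = w[i - 1]
        if i % nk == 0:
            t = sub_word(rot_word(t)) ^ rcon(i // nk)
        elif nk > 6 and i % nk == 4:        # extra SubWord for 256-bit keys
            t = sub_word(t)
        w.append(w[i - nk] ^ t)
    return w
```

The top byte of `rcon(i)` for i = 1 to 11 reproduces the sequence given in the text, including the wrap to 27 once plain doubling would reach 256.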