Cryptography Reference
In-Depth Information
out
r
+4
c
=
s
r,c
c<
4 at the end of the encryption (or decryption). The AES
encryption, key expansion, and decryption algorithms are overviewed next.
≤
r<
4 and 0
≤
for 0
10.2.2.3
Encryption Algorithm
The AES specification uses the term
cipher
to refer to the encryption algorithm. This
term, however, is not used in this topic (note that we use the term
cipher
to refer to
a full-fledged symmetric encryption system and not only to an encryption algorithm
or function).
As mentioned earlier, the 16 input bytes
in
0
,...,in
15
are copied into the State
s
at the beginning of the AES encryption algorithm. After an initial application of the
AddRoundKey() transformation, the State is transformed by implementing a
round
function
N
r
=10, 12, or 14 times (depending on the key length in use), with a final
round that slightly differs from the previous
N
r
−
1 rounds (i.e., the final round
does not include a MixColumns() transformation). The content of the State is finally
taken to represent the output of the AES encryption algorithm.
The round function, in turn, consists of the following four transformations:
1. The bytes of the State are substituted according to a given substitution table
(this transformation is called SubBytes() in the AES specification);
2. The rows of the State are shifted left by different offsets (this transformation
is called ShiftRows() in the AES specification);
3. The data within each column of the State are mixed (this transformation is
called MixColumns() in the AES specification);
4. A round key is added to the State (this transformation is called AddRound-
Key() in the AES specification). This is where the secret key and the key
schedule derived from it come into play.
The AES encryption algorithm is illustrated in Algorithm 10.2. Note that the
SubBytes() and ShiftRows() transformations commute—that is, a SubBytes() trans-
formation immediately followed by a ShiftRows() transformation is equivalent to a
ShiftRows() transformation immediately followed by a SubBytes() transformation.
Also note that
w
[
i
] refers to the
i
th
word in the key schedule and that
w
[
i, j
] refers
to the
j
−
i
+1words between
w
i
and
w
j
in the key schedule.
