Cryptography Reference
1. The input byte $s_{r,c}$ is mapped to the multiplicative inverse in the AES field (the element 0x00 is mapped to itself). The resulting byte is referred to as $b$.
2. The following affine transformation modulo 2 is applied for all bits $b_i$ ($0 \le i < 8$) of $b$:

$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$$

In this formula, $c_i$ refers to the $i$th bit of a byte $c$ with the hexadecimal value 63 (i.e., 01100011). This transformation can be expressed in matrix form as follows:
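$$
\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\cdot
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

The resulting byte $b'$ is the output byte $s'_{r,c}$ of the transformation.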
In summary, the SubBytes() transformation can be written as

$$s'_{r,c} = A \cdot s_{r,c}^{-1} + c$$

where $A$ and $c$ represent the matrix and the vector of bytes specified earlier. Note that the nonlinearity of the SubBytes() transformation comes from the inversion $s_{r,c}^{-1}$ only (if the transformation were applied on $s_{r,c}$ directly, then the corresponding SubBytes() transformation would be linear). Also note that the invertibility of the SubBytes() transformation requires that $A$ is an invertible matrix (i.e., its rows and columns must be linearly independent in the AES field). This is obviously the case, and hence the SubBytes() transformation is invertible (the corresponding InvSubBytes() transformation is addressed later).
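The two steps above can be carried out directly to build the whole S-box and to check the claims about nonlinearity and invertibility. This is an added example, not code from the original text; the function names are its own, and it assumes the AES field's reduction polynomial $x^8 + x^4 + x^3 + x + 1$ (0x11B) from FIPS 197, which this excerpt does not state.

```python
# Added example: SubBytes() computed from inversion plus the affine step.
AES_POLY = 0x11B  # assumption from FIPS 197: x^8 + x^4 + x^3 + x + 1
C = 0x63          # constant byte c from the text (01100011)

def gf_mul(a, b):
    """Multiply two bytes in the AES field GF(2^8)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree 8 reached: reduce modulo AES_POLY
            a ^= AES_POLY
        b >>= 1
    return result

def gf_inv(a):
    """Step 1: multiplicative inverse; 0x00 is mapped to itself."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254   # a^254 = a^-1 (group order is 255)
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def affine(b):
    """Step 2: b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i."""
    out = 0
    for i in range(8):
        bit = (C >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out

def is_affine(table):
    """True if table[x ^ y] == table[x] ^ table[y] ^ table[0] for all bytes."""
    return all(table[x ^ y] == table[x] ^ table[y] ^ table[0]
               for x in range(256) for y in range(256))

SBOX = [affine(gf_inv(s)) for s in range(256)]     # full SubBytes()
AFFINE_ONLY = [affine(s) for s in range(256)]      # inversion step skipped

if __name__ == "__main__":
    print("S-box is a permutation:", sorted(SBOX) == list(range(256)))
    print("affine step alone is affine:", is_affine(AFFINE_ONLY))
    print("full S-box is affine:", is_affine(SBOX))
```

Skipping the inversion leaves a map that passes the affinity check, while the full S-box fails it, which is the point the text makes about where the nonlinearity comes from.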