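$$
\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix}
=
\begin{pmatrix}
\texttt{0x02} & \texttt{0x03} & \texttt{0x01} & \texttt{0x01} \\
\texttt{0x01} & \texttt{0x02} & \texttt{0x03} & \texttt{0x01} \\
\texttt{0x01} & \texttt{0x01} & \texttt{0x02} & \texttt{0x03} \\
\texttt{0x03} & \texttt{0x01} & \texttt{0x01} & \texttt{0x02}
\end{pmatrix}
\cdot
\begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix}
$$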
This can also be expressed as follows:
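$$
\begin{aligned}
s'_{0,c} &= (\texttt{0x02} \cdot s_{0,c}) \oplus (\texttt{0x03} \cdot s_{1,c}) \oplus s_{2,c} \oplus s_{3,c} \\
s'_{1,c} &= s_{0,c} \oplus (\texttt{0x02} \cdot s_{1,c}) \oplus (\texttt{0x03} \cdot s_{2,c}) \oplus s_{3,c} \\
s'_{2,c} &= s_{0,c} \oplus s_{1,c} \oplus (\texttt{0x02} \cdot s_{2,c}) \oplus (\texttt{0x03} \cdot s_{3,c}) \\
s'_{3,c} &= (\texttt{0x03} \cdot s_{0,c}) \oplus s_{1,c} \oplus s_{2,c} \oplus (\texttt{0x02} \cdot s_{3,c})
\end{aligned}
$$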
Because the polynomial $c(x)$ is relatively prime to $x^4 + 1$ in $\mathbb{F}_2[x]$, an inverse polynomial $c(x)^{-1} \pmod{x^4 + 1}$ exists, and hence the MixColumns() transformation is invertible.
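The following added example (not code from the original text) applies the four equations above to one State column and checks them against multiplication by $c(x)$ modulo $x^4 + 1$. It assumes the AES field polynomial and the coefficients of $c(x)^{-1}$ as given in FIPS 197, neither of which appears on this page; all function names are illustrative.

```python
# Added example: MixColumns() on a single State column, arithmetic in GF(2^8).
REDUCTION_POLY = 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1 (FIPS 197)

def xtime(a):
    """Multiply a field element by 0x02 in GF(2^8)."""
    a <<= 1
    return a ^ REDUCTION_POLY if a & 0x100 else a

def gmul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product

C = [0x02, 0x01, 0x01, 0x03]      # c(x) = 03 x^3 + 01 x^2 + 01 x + 02, lowest degree first
C_INV = [0x0E, 0x09, 0x0D, 0x0B]  # c(x)^-1 per FIPS 197 (assumption: not on this page)

def polymul_mod(a, b):
    """Multiply two 4-term polynomials modulo x^4 + 1 (x^4 = 1, so exponents wrap)."""
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gmul(a[i], b[j])
    return out

def mix_column(col):
    """The four equations from the text, written out term by term."""
    s0, s1, s2, s3 = col
    return [
        gmul(0x02, s0) ^ gmul(0x03, s1) ^ s2 ^ s3,
        s0 ^ gmul(0x02, s1) ^ gmul(0x03, s2) ^ s3,
        s0 ^ s1 ^ gmul(0x02, s2) ^ gmul(0x03, s3),
        gmul(0x03, s0) ^ s1 ^ s2 ^ gmul(0x02, s3),
    ]

def inv_mix_column(col):
    """Undo MixColumns() by multiplying the column by c(x)^-1 modulo x^4 + 1."""
    return polymul_mod(C_INV, col)

if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]  # sample input column
    mixed = mix_column(column)
    print([hex(b) for b in mixed])
    print(mixed == polymul_mod(C, column), inv_mix_column(mixed) == column)
```

The product `polymul_mod(C, C_INV)` is the constant polynomial 1, which is the invertibility statement made above.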
AddRoundKey() Transformation
In the AddRoundKey() transformation, a word of the key schedule $w$ is added modulo 2 to each column of the State. This means that

$$
[s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}] = [s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}] \oplus w[rN_b + c]
$$

for $0 \le c < N_b$ and $0 \le r \le N_r$. Because the AddRoundKey() transformation only consists of a bitwise addition modulo 2, it is its own inverse.
10.2.2.4 Key Expansion Algorithm
The AES key expansion algorithm takes a secret key $k$ and generates a key schedule $w$ that is employed by the AddRoundKey() transformation. The key $k$ comprises $4N_k$ bytes or $32N_k$ bits. In the byte-wise representation, $k_i$ refers to the $i$th byte of $k$ ($0 \le i < 4N_k$). The key schedule $w$ is $N_b(N_r + 1)$ words long (the algorithm requires an initial set of $N_b$ words, and each of the $N_r$ rounds requires $N_b$ additional words of key data). This means that $w$ consists of a linear array of 4-byte words. Again, we use $w[i]$ for $0 \le i < N_b(N_r + 1)$ to refer to the $i$th word in this array.