(i.e., w[i − Nk]). For words in positions that are a multiple of Nk, a transformation is applied to w[i − 1] prior to the addition modulo 2, followed by an addition modulo 2 with the round constant word RCon[i]. This transformation basically consists of a cyclic shift of the bytes in a word (i.e., RotWord()), followed by the application of a table lookup to all 4 bytes of the word (i.e., SubWord()). It is important to note that the AES key expansion algorithm for Nk = 8 is different than for Nk = 6 (i.e., AES-192) and Nk = 4 (i.e., AES-128). If Nk = 8 and i − 4 is a multiple of Nk, then SubWord() is applied to w[i − 1] prior to the addition modulo 2.
10.2.2.5 Decryption Algorithm
The transformations used by the AES encryption algorithm can be inverted and implemented in reverse order to produce a straightforward AES decryption algorithm. The individual transformations used in the AES decryption algorithm are called InvShiftRows(), InvSubBytes(), InvMixColumns(), and AddRoundKey(). As mentioned earlier, the AddRoundKey() transformation is its own inverse, as it only involves a bitwise addition modulo 2. Also, note that the SubBytes() and ShiftRows() transformations commute, and that this is also true for their inverse InvSubBytes() and InvShiftRows() transformations. The AES decryption algorithm is formally expressed in Algorithm 10.4, and the three inverse transformations are addressed next.
Algorithm 10.4 The AES decryption algorithm.

(in)
s ← in
s ← AddRoundKey(s, w[Nr·Nb, (Nr + 1)·Nb − 1])
for r = Nr − 1 downto 1 do
    s ← InvShiftRows(s)
    s ← InvSubBytes(s)
    s ← AddRoundKey(s, w[r·Nb, (r + 1)·Nb − 1])
    s ← InvMixColumns(s)
s ← InvShiftRows(s)
s ← InvSubBytes(s)
s ← AddRoundKey(s, w[0, Nb − 1])
out ← s
(out)
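As an added example that is not the book's code, the following Python implements both the key expansion described at the top of this page (including the extra SubWord() step that only applies when Nk = 8) and the decryption procedure of Algorithm 10.4. Function names follow the book's notation; the column-major State layout, the RCon indexing by i/Nk, and the derivation of the S-box from its GF(2^8) definition are assumptions taken from FIPS-197 rather than from this page.

```python
# Added example (not the book's code): AES key expansion as described above,
# plus the decryption procedure of Algorithm 10.4. State layout and RCon
# indexing follow FIPS-197 (assumed; this page does not spell them out).

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p

def make_sbox():
    """S-box from its definition: GF(2^8) inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):  # s = inv XOR its four left rotations
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
        sbox[x] = s ^ 0x63
    return sbox

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]  # InvSubBytes() table

def rot_word(w):
    """RotWord(): cyclic shift of the four bytes by one position."""
    return ((w << 8) | (w >> 24)) & 0xffffffff

def sub_word(w):
    """SubWord(): S-box lookup on each of the four bytes."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def key_expansion(key, nb=4):
    """Return w[0 .. Nb*(Nr+1) - 1] for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4
    nr = nk + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rc = 1  # RCon = x^(i/Nk - 1) in GF(2^8), placed in the top byte
    for i in range(nk, nb * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = sub_word(rot_word(temp)) ^ (rc << 24)
            rc = gf_mul(rc, 2)
        elif nk == 8 and (i - 4) % nk == 0:
            temp = sub_word(temp)  # AES-256 only; Nk = 4 and Nk = 6 skip this
        w.append(w[i - nk] ^ temp)
    return w

def bytes_to_state(block):  # s[r][c] = in[r + 4c]: the block fills columns
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def state_to_bytes(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))

def add_round_key(state, words):
    """AddRoundKey(): XOR column c with round-key word c (its own inverse)."""
    for c, word in enumerate(words):
        col = word.to_bytes(4, "big")
        for r in range(4):
            state[r][c] ^= col[r]
    return state

def inv_sub_bytes(state):
    return [[INV_SBOX[b] for b in row] for row in state]

def inv_shift_rows(state):
    """InvShiftRows(): row r is cyclically shifted right by r positions."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]

def inv_mix_columns(state):
    """InvMixColumns(): each column times {0b}x^3 + {0d}x^2 + {09}x + {0e}."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        for r in range(4):
            out[r][c] = (gf_mul(a[r], 0x0e) ^ gf_mul(a[(r + 1) % 4], 0x0b)
                         ^ gf_mul(a[(r + 2) % 4], 0x0d) ^ gf_mul(a[(r + 3) % 4], 0x09))
    return out

def aes_decrypt_block(key, block, nb=4):
    """Algorithm 10.4: decrypt one 16-byte block with a 16/24/32-byte key."""
    w = key_expansion(key, nb)
    nr = len(w) // nb - 1
    s = add_round_key(bytes_to_state(block), w[nr * nb:(nr + 1) * nb])
    for r in range(nr - 1, 0, -1):
        s = inv_shift_rows(s)
        s = inv_sub_bytes(s)
        s = add_round_key(s, w[r * nb:(r + 1) * nb])
        s = inv_mix_columns(s)
    s = inv_shift_rows(s)
    s = inv_sub_bytes(s)
    s = add_round_key(s, w[0:nb])
    return state_to_bytes(s)

if __name__ == "__main__":  # FIPS-197 Appendix C.1 known-answer vector, AES-128
    ct = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    print(aes_decrypt_block(bytes(range(16)), ct).hex())
```

Computing the S-box from its definition instead of typing a 256-entry table removes one common source of silent errors in hand-written AES code, and the `elif` branch in `key_expansion` is exactly the Nk = 8 special case the text describes: for i − 4 a multiple of Nk, w[i − 1] passes through SubWord() alone, without RotWord() or RCon. The loop in `aes_decrypt_block` mirrors Algorithm 10.4 line by line, so the round-key slices `w[r·Nb .. (r + 1)·Nb − 1]` correspond to the book's w[rNb, (r + 1)Nb − 1].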
InvShiftRows() Transformation
The InvShiftRows() transformation is the inverse of the ShiftRows() transformation.
As such, the bytes in the last three rows of the State are cyclically shifted right over