Cryptography Reference
On a bit level — and remember, the only thing that is ultimately of interest in encryption is the manipulation of bits — this substitution can be described as:
$S(1100\ 0010) = (0010\ 0101).$
Even though the S-Box is bijective, it does not have any fixed points, i.e., there aren't any input values $A_i$ such that $S(A_i) = A_i$. Even the zero-input is not a fixed point: $S(0000\ 0000) = (0110\ 0011)$.
Example 4.9. Let's assume the input to the Byte Substitution layer is
$(C2, C2, \ldots, C2)$
in hexadecimal notation. The output state is then
$(25, 25, \ldots, 25).$
Mathematical description of the S-Box. For readers who are interested in how the S-Box entries are constructed, a more detailed description now follows. This description, however, is not necessary for a basic understanding of AES, and the remainder of this subsection can be skipped without problem. Unlike the DES S-Boxes, which are essentially random tables that fulfill certain properties, the AES S-Boxes have a strong algebraic structure. An AES S-Box can be viewed as a two-step mathematical transformation (Fig. 4.4).
Fig. 4.4 The two operations within the AES S-Box, which computes the function $B_i = S(A_i)$
The first part of the substitution is a Galois field inversion, the mathematics of which were introduced in Sect. 4.3.2. For each input element $A_i$, the inverse is computed: $B_i = A_i^{-1}$, where both $A_i$ and $B_i$ are considered elements in the field $GF(2^8)$ with the fixed irreducible polynomial $P(x) = x^8 + x^4 + x^3 + x + 1$. A lookup table with all inverses is shown in Table 4.2. Note that the inverse of the zero element does not exist. However, for AES it is defined that the zero element $A_i = 0$ is mapped to itself.
In the second part of the substitution, each byte $B_i$ is multiplied by a constant bit-matrix followed by the addition of a constant 8-bit vector. The operation is described by:
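The two-step construction described above, as an added example that is not taken from the book: it rebuilds the S-Box from the GF(2^8) inversion and the affine step, then checks the values and properties stated in this section. The affine matrix (written here as four byte rotations) and the constant 0x63 are taken from FIPS 197; all function names are hypothetical.

```python
# Added example: derive the AES S-Box from its two algebraic steps.
P = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^8), reducing modulo P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:       # degree 8 reached: subtract (XOR) P(x)
            a ^= P
        b >>= 1
    return r

def gf_inv(a):
    """Step 1: inverse in GF(2^8); AES defines that 0 maps to itself."""
    if a == 0:
        return 0
    # a^255 = 1 for every non-zero a, hence a^254 = a^-1 (square-and-multiply)
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def affine(b):
    """Step 2: constant bit-matrix times b, plus constant vector 0x63.
    Matrix and constant from FIPS 197, expressed as rotations of b."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

def sbox(a):
    return affine(gf_inv(a))

SBOX = [sbox(a) for a in range(256)]

def sub_bytes(state):
    """Byte Substitution layer: apply the S-Box to every state byte."""
    return bytes(SBOX[x] for x in state)

def fixed_points(table):
    return [a for a, s in enumerate(table) if a == s]

def is_bijective(table):
    return sorted(table) == list(range(256))
```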