Cryptography Reference
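$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix}
\equiv
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
\bmod 2.
$$
Note that $B' = (b'_7, \ldots, b'_0)$ is the bitwise vector representation of $B'_i(x) = A_i^{-1}(x)$.
This second step is referred to as affine mapping. Let's look at an example of how
the S-Box computations work.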
Example 4.10. We assume the S-Box input $A_i = (1100\,0010)_2 = (C2)_{hex}$. From Table 4.2
we can see that the inverse is:
$$A_i^{-1} = B'_i = (2F)_{hex} = (0010\,1111)_2.$$
We now apply the $B'_i$ bit vector as input to the affine transformation. Note that the
least significant bit (lsb) $b'_0$ of $B'_i$ is at the rightmost position.
$$B_i = (0010\,0101) = (25)_{hex}$$
Thus, $S((C2)_{hex}) = (25)_{hex}$, which is exactly the result that is also given in the S-Box
Table 4.3.
If one computes both steps for all 256 possible input elements of the S-Box and
stores the results, one obtains Table 4.3. In most AES implementations, in particular
in virtually all software realizations of AES, the S-Box outputs are not explicitly
computed as shown here, but rather lookup tables like Table 4.3 are used. However,
for hardware implementations it is sometimes advantageous to realize the S-Boxes
as digital circuits which actually compute the inverse followed by the affine mapping.
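The two steps above, carried out for all 256 inputs, as an added example that is not part of the original text. It assumes the AES irreducible polynomial x^8 + x^4 + x^3 + x + 1 from the standard (not printed in this excerpt); the function names are chosen here for illustration. It is meant for checking a lookup table against the definition, not as an encryption routine.

```python
# Added example: recompute the AES S-Box from its two steps and check Example 4.10.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES standard; assumed, not in this excerpt)

# Matrix rows and constant vector exactly as printed above; column j multiplies b'_j.
MATRIX_ROWS = ["10001111", "11000111", "11100011", "11110001",
               "11111000", "01111100", "00111110", "00011111"]
CONSTANT = "11000110"  # listed in the order b_0 ... b_7

def gf_mul(a, b):
    """Multiply two bytes as polynomials in GF(2^8), reducing by AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Step 1: multiplicative inverse, computed as a^254; 0 is mapped to 0."""
    result, power, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, power)
        power = gf_mul(power, power)
        e >>= 1
    return result if a else 0

def affine(b_in):
    """Step 2: affine mapping b = M * b' + c mod 2, with bit 0 as the lsb."""
    out = 0
    for i, row in enumerate(MATRIX_ROWS):
        bit = int(CONSTANT[i])
        for j, m in enumerate(row):
            bit ^= int(m) & (b_in >> j) & 1
        out |= bit << i
    return out

def sbox(a):
    """Full S-Box: inversion in GF(2^8) followed by the affine mapping."""
    return affine(gf_inv(a))

SBOX = [sbox(a) for a in range(256)]  # the 256-entry lookup table

if __name__ == "__main__":
    print(f"inverse of C2 = {gf_inv(0xC2):02X}, S(C2) = {sbox(0xC2):02X}")
```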
The advantage of using inversion in $GF(2^8)$ as the core function of the Byte
Substitution layer is that it provides a high degree of nonlinearity, which in turn
provides optimum protection against some of the strongest known analytical attacks.
The affine step “destroys” the algebraic structure of the Galois field, which in turn
is needed to prevent attacks that would exploit the finite field inversion.
4.4.2 Diffusion Layer
In AES, the Diffusion layer consists of two sublayers, the ShiftRows transformation
and the MixColumn transformation. We recall that diffusion is the spreading of the
influence of individual bits over the entire state. Unlike the nonlinear S-Box, the