Cryptography Reference
In-Depth Information
B
i
and
C
i
is an element from
GF
(2
8
). Also, the constants are elements from
GF
(2
8
).
The notation for the constants is hexadecimal and is the same as was used for the
MixColumn layer, for example:
0
B
=(0
B
)
hex
=(0000 1011)
2
=
x
3
+
x
+ 1
.
Additions in the vector-matrix multiplication are bitwise XORs.
Inverse ShiftRows Sublayer
In order to reverse the ShiftRows operation of the encryption algorithm, we must
shift the rows of the state matrix in the opposite direction. The first row is not
changed by the inverse ShiftRows transformation. If the input of the ShiftRows
sublayer is given as a state matrix
B
=(
B
0
,
B
1
,...,
B
15
):
B
0
B
4
B
8
B
12
B
1
B
5
B
9
B
13
B
2
B
6
B
10
B
14
B
3
B
7
B
11
B
15
the inverse ShiftRows sublayer yields the output:
B
0
B
4
B
8
B
12
no shift
B
13
B
1
B
5
B
9
−→
one position right shift
B
10
B
14
B
2
B
6
−→
two positions right shift
−→
B
7
B
11
B
15
B
3
three positions right shift
Inverse Byte Substitution Layer
The inverse S-Box is used when decrypting a ciphertext. Since the AES S-Box is
a bijective, i.e., a one-to-one mapping, it is possible to construct an inverse S-Box
such that:
A
i
=
S
−
1
(
B
i
)=
S
−
1
(
S
(
A
i
))
,
where
A
i
and
B
i
are elements of the state matrix. The entries of the inverse S-Box
are given in Table 4.4.
For readers who are interested in the details of how the entries of inverse S-Box
are constructed, we provide a derivation. However, for a functional understanding
of AES, the remainder of this section can be skipped. In order to reverse the S-
Box substitution, we first have to compute the inverse of the affine transformation.
For this, each input byte
B
i
is considered an element of
GF
(2
8
). The inverse affine
transformation on each byte
B
i
is defined by:
