the 0th round) and then proceeds with Nr-1 rounds, each of which applies the four
basic operations mentioned. The last round, i.e., the Nr-th round, is different because
in it the MixColumns operation is omitted.
We stress the fact that AES is a block cipher from which, as we shall soon see,
CPA secure encryption schemes can be built assuming that AES is a pseudo-random
permutation, but AES itself is not an encryption scheme. Of course, we may use a
key generation algorithm to generate AES keys and then use AES functions directly
to encrypt and decrypt messages—of fixed length equal to the block length—but the
resulting scheme is highly insecure because the encryption algorithm is deterministic.
Nevertheless, we speak of AES encryption and decryption algorithms to refer to the
AES function (also called the forward cipher function) and its inverse. Taking into
account the preceding discussion, a high-level description of the AES encryption
algorithm is the following:
Algorithm 4.1. AES encryption.
Input: A plaintext block initialized as state and an expanded key K[0], K[1], ..., K[Nr].
Output: A ciphertext block output as state.
AddRoundKey(state, K[0]);          # The 0th round
for i from 1 to Nr-1 do            # Rounds 1 to Nr-1
    SubBytes(state);
    ShiftRows(state);
    MixColumns(state);
    AddRoundKey(state, K[i]);
end do;
SubBytes(state);                   # The last round begins
ShiftRows(state);
AddRoundKey(state, K[Nr]);         # The last round ends
return state.
Next we describe the AES operations and the function KeyExpansion that
generates the expanded key.
4.2.2.1 SubBytes
SubBytes is a non-linear transformation that consists of applying to the state bytes
a permutation (usually called S-box in this context). The AES S-box, in contrast
with DES S-boxes, has a simple algebraic structure defined by the arithmetic of the
finite field $\mathbb{F}_{2^8}$ whose elements we have identified with the bytes, so that
$\mathbb{F}_{2^8}$ is also referred to as the byte space. The S-box is the product of two
permutations of the byte space. The first assigns to each nonzero byte its inverse when
viewed as an element of $\mathbb{F}_{2^8}$ and maps the 0 byte to itself. The second is an
affine transformation of $\mathbb{F}_{2^8}$ when viewed as an $\mathbb{F}_2$-vector space,
i.e., a linear map of $\mathbb{F}_{2^8}$ into itself—which is actually an
isomorphism—followed by a translation. More concretely, SubBytes consists of applying
to all the state bytes the function $f \circ g : \mathbb{F}_{2^8} \to \mathbb{F}_{2^8}$,
where $g : \mathbb{F}_{2^8} \to \mathbb{F}_{2^8}$ is given by
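The S-box construction described above (inversion in $\mathbb{F}_{2^8}$ followed by an affine map), worked out as an added Python example that is not part of the book; the field modulus $x^8+x^4+x^3+x+1$, the affine constants and the expected S-box entries it checks are taken from the AES standard (FIPS 197) rather than from this page.

```python
# Added example: build the AES S-box from its algebraic definition
# (multiplicative inverse in F_{2^8}, then an F_2-affine map) and check it
# against published S-box values. The modulus and affine constants below
# come from FIPS 197, not from the page text.

AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES representation of F_{2^8}


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of F_{2^8} modulo the AES polynomial."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_MODULUS
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """g(x): multiplicative inverse in F_{2^8}, with g(0) = 0 by convention."""
    if a == 0:
        return 0
    # Every nonzero element satisfies a^255 = 1, hence a^-1 = a^254.
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def affine(x: int) -> int:
    """f(x): the F_2-linear isomorphism (sum of four rotations) then translation by 0x63."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63


def sbox(x: int) -> int:
    """SubBytes on a single byte: the composition f o g."""
    return affine(gf_inverse(x))


SBOX = [sbox(x) for x in range(256)]

if __name__ == "__main__":
    assert sorted(SBOX) == list(range(256))  # SubBytes really is a permutation
    print(f"S(0x00)=0x{SBOX[0]:02x} S(0x01)=0x{SBOX[1]:02x} S(0x53)=0x{SBOX[0x53]:02x}")
```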