Cryptography Reference
In-Depth Information
$$b_{i,j} := b_{i,\,(j-i) \bmod 4}.$$

Thus $b_{i,j}$ goes to the $(i,\,(i+j) \bmod 4)$ position in the state array, which is changed as follows:

$$
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}
:=
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,3} & b_{1,0} & b_{1,1} & b_{1,2} \\
b_{2,2} & b_{2,3} & b_{2,0} & b_{2,1} \\
b_{3,1} & b_{3,2} & b_{3,3} & b_{3,0}
\end{pmatrix}
$$
4.2.3.3 InvMixColumns

MixColumns changes the state by matrix multiplication with a specified matrix over $\mathbb{F}_{2^8}$. This matrix is invertible and hence the inverse operation InvMixColumns acts by multiplying the state by the inverse matrix, namely (with the matrix entries written as hexadecimal bytes, i.e., elements of $\mathbb{F}_{2^8}$):

$$
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}
:=
\begin{pmatrix}
\mathtt{0e} & \mathtt{0b} & \mathtt{0d} & \mathtt{09} \\
\mathtt{09} & \mathtt{0e} & \mathtt{0b} & \mathtt{0d} \\
\mathtt{0d} & \mathtt{09} & \mathtt{0e} & \mathtt{0b} \\
\mathtt{0b} & \mathtt{0d} & \mathtt{09} & \mathtt{0e}
\end{pmatrix}
\begin{pmatrix}
b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\
b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\
b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\
b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3}
\end{pmatrix}
$$
Exercise 4.5 Show that the SubBytes and the ShiftRows operations commute. Do either of them commute with MixColumns?
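As an added example (this is not code from the book), the following Python implements ShiftRows/InvShiftRows and MixColumns/InvMixColumns on a 4x4 state array and checks the definitions above numerically: that the formula $b_{i,j} := b_{i,(j-i) \bmod 4}$ and the description "$b_{i,j}$ goes to position $(i,(i+j) \bmod 4)$" agree, that the inverse matrix above really undoes MixColumns (and that $M^{-1}M$ is the identity over $\mathbb{F}_{2^8}$), and, for Exercise 4.5, that SubBytes and ShiftRows commute on a test state while neither of them commutes with MixColumns. The S-box is computed from its definition (inversion in $\mathbb{F}_{2^8}$ followed by the affine map) rather than tabulated. The two test states, the row/column layout `state[i][j] = b_{i,j}`, and all function names are choices made for this example.

```python
from functools import reduce
from operator import xor

# Added example, not code from the book. A state is a list of 4 rows of 4 ints,
# state[i][j] = b_{i,j}. The two test states below are constructed inputs: one
# with a single nonzero byte at (1, 0), and one with arbitrary fixed bytes.
SINGLE_BYTE_STATE = [[0x00, 0x00, 0x00, 0x00],
                     [0x01, 0x00, 0x00, 0x00],
                     [0x00, 0x00, 0x00, 0x00],
                     [0x00, 0x00, 0x00, 0x00]]
TEST_STATE = [[0x32, 0x88, 0x31, 0xe0],
              [0x43, 0x5a, 0x31, 0x37],
              [0xf6, 0x30, 0x98, 0x07],
              [0xa8, 0x8d, 0xa2, 0x34]]

# MixColumns matrix and the inverse matrix given in the text; entries are
# elements of F_{2^8} written as bytes.
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0e, 0x0b, 0x0d, 0x09],
           [0x09, 0x0e, 0x0b, 0x0d],
           [0x0d, 0x09, 0x0e, 0x0b],
           [0x0b, 0x0d, 0x09, 0x0e]]
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]


def gf_mul(a, b):
    """Multiply in F_{2^8} = F_2[x] / (x^8 + x^4 + x^3 + x + 1), the AES field."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xff
        if carry:
            a ^= 0x1b          # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return r


def gf_inv(a):
    """a^(-1) in F_{2^8} computed as a^254; maps 0 to 0, as the S-box requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def mat_mul(m, state):
    """Matrix product m * state over F_{2^8}; acts on each column of state."""
    return [[reduce(xor, (gf_mul(m[i][k], state[k][j]) for k in range(4)))
             for j in range(4)] for i in range(4)]


def mix_columns(state):
    return mat_mul(MIX, state)


def inv_mix_columns(state):
    return mat_mul(INV_MIX, state)


def shift_rows(state):
    """Row i rotated left by i: new b_{i,j} = old b_{i,(j+i) mod 4}."""
    return [[state[i][(j + i) % 4] for j in range(4)] for i in range(4)]


def inv_shift_rows(state):
    """The text's formula: new b_{i,j} := old b_{i,(j-i) mod 4}."""
    return [[state[i][(j - i) % 4] for j in range(4)] for i in range(4)]


def inv_shift_rows_scatter(state):
    """The text's description: b_{i,j} goes to position (i, (i+j) mod 4)."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            out[i][(i + j) % 4] = state[i][j]
    return out


def sbox(b):
    """AES S-box from its definition: field inverse, then the affine map."""
    inv = gf_inv(b)
    s = inv
    for k in range(1, 5):      # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
    return s ^ 0x63


def sub_bytes(state):
    return [[sbox(b) for b in row] for row in state]


def commutes(f, g, state):
    """True if f and g give the same result in either order on this state."""
    return f(g(state)) == g(f(state))


if __name__ == "__main__":
    for s in (SINGLE_BYTE_STATE, TEST_STATE):
        assert inv_shift_rows(s) == inv_shift_rows_scatter(s)
        assert inv_shift_rows(shift_rows(s)) == s
        assert inv_mix_columns(mix_columns(s)) == s
    assert mat_mul(INV_MIX, MIX) == IDENTITY
    print("SubBytes/ShiftRows commute:", commutes(sub_bytes, shift_rows, TEST_STATE))
    print("SubBytes/MixColumns commute:", commutes(sub_bytes, mix_columns, SINGLE_BYTE_STATE))
    print("ShiftRows/MixColumns commute:", commutes(shift_rows, mix_columns, SINGLE_BYTE_STATE))
```

The single-byte state makes the non-commutation with MixColumns visible by hand: applying ShiftRows first moves the byte to column 3 and MixColumns then spreads it down that column, whereas applying MixColumns first spreads it down column 0 and ShiftRows then scatters those four bytes across four different columns. A check on one state is of course only evidence of non-commutation; the positive half of the exercise (SubBytes and ShiftRows commute) still needs the argument that a byte-wise substitution and a byte permutation can be applied in either order.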
4.2.4 Remarks on AES Design and AES Security
The first thing that should be emphasized is that, as we have already remarked, AES
is a cryptographic primitive that is useful to build encryption and authentication
schemes but AES itself is not such a scheme, and if naively used to encrypt and
decrypt then the resulting encryption scheme is deterministic and hence is not CPA
secure by Proposition 3.4. We will see later how modes of operation can be used
to avoid this difficulty but, for now, we will only discuss the security of the AES
primitive itself and, in particular, its resistance to key-recovery attacks.
It is generally accepted that the resistance of block ciphers against cryptanalytic
attacks increases with the number of rounds but, of course, this must be balanced
against the fact that, as the number of rounds increases, the cipher becomes less
efficient. One of the main criteria used today in the evaluation of a block cipher's
security is based on the non-existence of shortcut attacks, namely, key-recovery
attacks faster than exhaustive search. Since there are $2^{128}$ possible 128-bit AES keys
and the largest publicly known exhaustive key search so far has been against a 64-bit
key, it is clear that the existence of a shortcut attack does not mean that the cipher is
broken in practice. For example, a hypothetical attack that reduced the search to, say,