# AES S-box How and Why? - PowerPoint PPT Presentation

Title:

## AES S-box How and Why?

Description:

### Title: Review Quiz Author: Chuck Easttom Last modified by: Chuck Easttom Created Date: 10/1/2013 12:55:36 AM Document presentation format: Widescreen – PowerPoint PPT presentation

Number of Views:699
Avg rating:3.0/5.0
Slides: 90
Provided by: Chuck194
Category:
Tags:
Transcript and Presenter's Notes

Title: AES S-box How and Why?

1
AES S-box How and Why?
2
Notes
• The general math review slides are taken from a
variety of internet sources. I tried to be
diligent in citing, but given the nature of basic
math, I may have missed some citation
• This presentation assumes you are comfortable
with symmetric ciphers as well as the details of
AES.

3
Basic Math Review Represent decimals as
polynomials
4
Basic Math Review Fields, groups, rings
• In mathematics, and more specifically in abstract
algebra, the term algebraic structure generally
refers to a set with one or more operations
defined on it
• A group is an algebraic system consisting of a
set, an identity element, one operation and its
inverse operation.
• A ring is an algebraic system consisting of a
set, an identity element, two operations and the
inverse operation of the first operation.
• A field is an algebraic system consisting of a
set, an identity element for each operation, two
operations and their respective inverse
operations.
• GF(p) for any prime, p, this Galois Field has p
elements which are the residue classes of
integers modulo p.

5
Basic Math Review Galois Fields
• The order of the field is given by pn while p is
called the characteristic of the field example
• gf(5) (0 1 2 3 4)
• which consists of 5 elements where each of them
is a polynomial of degree 0(a constant) while
• gf(23) (0 1 2 2 1 22 22 1 22 2 22
2 1)
• (0 1 2 3 4 5 6 7)
• which consists of 23 8 elements where each of
them is a polynomial of degree at most 2
evaluated at 2.

6
Basic Math Review Galois Field Addition
7
Basic Math Review Galois Field Addition
8
Basic Math Review Galois Field Multiplication
9
Basic Math Review First refresh your memory on
polynomial multiplication
10
Basic Math Review Polynomial Division
For additional review of basic polynomial math
http//www.doc.ic.ac.uk/mrh/330tutor/ch04s02.html

11
Basic Math Review Galois Field Multiplication
12
Basic Math Review Polynomial Arithmetic
• Can compute using polynomials
• Several alternatives available
• ordinary polynomial arithmetic
• poly arithmetic with coords mod p

13
Basic Math Review Polynomial Arithmetic
• add or subtract corresponding coefficients
• multiply all terms by each other
• For example
• let f(x) x3 x2 2 and g(x) x2 x 1
• f(x) g(x) x3 2x2 x 3
• f(x) g(x) x3 x 1
• f(x) x g(x) x5 3x2 2x 2

14
Basic Math Review Polynomial Arithmetic
• when computing value of each coefficient do
calculation modulo some value could be modulo any
prime but we are most interested in mod 2
• ie all coefficients are 0 or 1
• eg. let f(x) x3 x2 and g(x) x2 x 1
• f(x) g(x) x3 x 1
• f(x) x g(x) x5 x2

15
Basic Math Review Polynomial Arithmetic
• can write any polynomial in the form
• f(x) q(x) g(x) r(x)
• can interpret r(x) as being a remainder
• r(x) f(x) mod g(x)
• if have no remainder say g(x) divides f(x)
• if g(x) has no divisors other than itself 1 say
it is irreducible (or prime) polynomial
• arithmetic modulo an irreducible polynomial forms
a field

16
Basic Math Review Polynomial Arithmetic
• can compute in field GF(2n)
• polynomials with coefficients modulo 2
• whose degree is less than n
• hence must reduce modulo an irreducible poly of
degree n (for multiplication only)
• Form a finite field

17
Basic Math Review Polynomial Arithmetic
• Find the results of
• (x5x2x) (x7x4x3x2x )
• in GF(28) with irreducible polynomial
x8x4x3x1

18
Basic Math Review Polynomial Arithmetic Answer
• Multiply the two polynomials
• (x5x2x) x7x4x3x2x x5 (x7x4x3x2x )
x2 (x7x4x3x2x ) x (x7x4x3x2x )
(x12x7x2)
• Get the results of
• (x12x7x2) mod (x8x4x3x1) (x5x3x2x1)

19
Basic Math Review Polynomial Arithmetic
Polynomial Algebra
• Operation of addition is performed using an XOR
operation denoted by . For example, all
notations below are equivalent
•   (x6 x4 x2 x 1) (x7 x 1) x7 x6
x4 x2 0 polynomial notation
• 01010111 10000011 11010100 binary
notation.
• Multiplication in Rijndael is the multiplication
of polynomials modulo the irreducible polynomial.
For example, in the polynomial notation
• (x6 x4 x2 x 1) (x7 x 1)
• x13 x11 x9 x8 x6 x5 x4 x3 1,
• and
• (x13 x11 x9 x8 x6 x5 x4 x3 1) mod
(x6 x4 x2 x 1) x7 x 1.

The set of 256 possible byte values, with XOR
used as addition, and the multiplication
defined as above, has the structure of the finite
field GF(28).
20
Basic Math Review Matrix multiplication
• Here is a key point You cannot just multiply
each number by the corresponding number in the
other matrix. Matrix multiplication is not like

From http//www.freemathhelp.com/matrix-multiplic
ation.html
21
Basic Math Review Matrix Multiplication Continued
• The first two steps

From http//www.freemathhelp.com/matrix-multiplic
ation.html
22
Basic Math Review Matrix Multiplication
• Steps 3 4

From http//www.freemathhelp.com/matrix-multiplic
ation.html
23
Basic Math Review Matrix Multiplication
• Step 5

From http//www.freemathhelp.com/matrix-multiplic
ation.html
24
Basic Math Review Matrix Multiplication
• Matrix Multiplication is NOT Commutative! Order
matters!
• You can multiply matrices only if the number of
columns in the first matrix equals the number of
rows in the second matrix.

25
Basic Math Review Matrix Determinants
To find the determinant of a 2 x 2 matrix,
multiply diagonal 1 and subtract the product of
diagonal 2.
26
Basic Math Review Matrix Determinants
To find the determinant of a 3 x 3 matrix, first
recopy the first two columns. Then do 6 diagonal
products.
27
Basic Math Review Inverse Matrices
• When you multiply a matrix and its inverse, you
get the identity matrix.

28
Basic Math Review Inverse Matrices
• Not all matrices have an inverse!
• To find the inverse of a 2 x 2 matrix, first find
the determinant.
• If the determinant 0, the inverse does not
exist!
• The inverse of a 2 x 2 matrix is the reciprocal
of the determinant times the matrix with the main
diagonal swapped and the other terms multiplied
by -1.

29
Basic Math Review Inverse Matrices
• Example 1

30
Basic Math Review Scalar Multiplication
• To do this, multiply each entry in the matrix by
the number outside (called the scalar). This is
like distributing a number to a polynomial.

Example
31
AES Rijndael mathematics
• Rijndael is defined in the Galois field GF (28)
by the irreducible polynomial
• In HEX this is 11B, in binary it is 100011011
• Why this one? The polynomial m(x) (11B) for
the multiplication in GF(28) is the first one of
the list of irreducible polynomials of degree 8,
given in LiNi86, p. 378. page 22 of AES
Proposal Rijndael
• LiNi86 is R. Lidl and H. Niederreiter,
Introduction to finite fields and their
applications, Cambridge University Press, 1986)

P x8 x4 x3 x 1
32
Irreducible Polynomials
A polynomial is irreducible in GF(p) if it does
not factor over GF(p). Otherwise it is
reducible. Examples
The same polynomial is reducible in Z5 but
irreducible in Z2. Are there other irreducible
polynomials of power 8? Yes of course, the only
list I am aware of is in the book cited by the
inventors of Rijndael
33
Irreducible Polynomials
You can check the same source that was cited by
the inventors of Rijndael. In fact on Amazon,
there is the look inside option and with a bit
of work you can find the table. To save you some
time, here are a few irreducible polynomials from
that list (in binary form, you may place them in
polynomial or hex form if you wish) 100101011 1001
11001 100111111 101001101 101011111 101110111 1100
01011 OK why degree 8 (9 digits) isnt that one
too many? Clearly, the result will be a binary
polynomial of degree below 8. Unlike for
addition, there is no simple operation at byte
level. page ¾ of the specification The reason
an irreducible but not primitive polynomial is
used is that we are trying to make a non-linear
permutation function that has diffusion,
spreading input bits to output bits in an
non-linear way.
34
The Finite Field GF(28).
• The case in which n is greater than one is much
more difficult to describe. In cryptography, one
almost always takes p to be 2 in this case. This
section just treats the special case of p 2 and
n 8, that is. GF(28), because this is the field
used by Advanced Encryption Standard (AES).
• The AES works primarily with bytes (8 bits),
represented from the right as
• b7b6b5b4b3b2b1b0.The 8-bit elements of the field
are regarded as polynomials with coefficients in
the field Z2
• b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x1
b0.
• The field elements will be denoted by their
sequence of bits, using two hex digits.

35
The multiplicative inverse
• Multiplication in Galois Field, however, requires
more tedious work. Suppose f(p) and g(p) are
polynomials in gf(pn) and let m(p) be an
irreducible polynomial (or a polynomial that
cannot be factored) of degree at least n in
gf(pn). We want m(p) to be a polynomial of degree
at least n so that the product of two f(p) and
g(p) does not exceed 11111111 255 as the
product needs to be stored as a byte. If h(p)
denotes the resulting product then
• h(p) (f(p) g(p)) (mod m(p))
• On the other hand, the multiplicative inverse of
f(p) is given by a(p) such
• that
• (f(p) a(p)) (mod m(p)) 1

36
The multiplicative inverse
• Note that calculating the product of two
polynomials and the multiplicative inverse of a
polynomial requires both reducing coeficients
modulo p and reducing polynomials modulo m(p).
The reduced polynomial can be calculated easily
with long division while the best way to compute
the multiplicative inverse is by using Extended
Euclidean Algorithm. The details on the
calculations in gf(28) is best explained in the
following example.
• Princeton University offers this calculator for
multiplicative inverse http//www.cs.princeton.edu
• We will look at two methods for calculating
multiplicative inverse later in this lesson, but
you can also use this calculator if you prefer,
or the multiplicative inverse table I have
provided.
• There is also a calculator online that does all
modular arithmetic http//ptrow.com/perl/calculato
r.pl

37
More on Galois Fields
• Galois Field sizes can be defined with various
field sizes like GF(16) or GF(256). AES is not
the only cryptographic algorithm to use these
finite fields. Quad also uses finite fields under
a polynomial modulus

38
Implementing GF(pk) arithmetic
Theorem Let f(x) be an irreducible polynomial of
degree k over Zp. The finite field GF(pk) can
be realized as the set of degree k-1 polynomials
over Zp, with addition and multiplication done
modulo f(x).
39
Example Implementing GF(2k)
By the theorem the finite field GF(25) can be
realized as the set of degree 4 polynomials over
Z2, with addition and multiplication done modulo
the irreducible polynomial f(x)x5x4x3x1.
The coefficients of polynomials over Z2 are 0 or
1. So a degree k polynomial can be written down
by k1 bits. For example, with k4 x3x1
(0,1,0,1,1) x4 x3x1
(1,1,0,1,1)
40
Implementing GF(2k)
x3x1 (0,1,0,1,1) x4 x3x
(1,1,0,1,0) -------------------------------
x4 1 (1,0,0,0,1)
41
Implementing GF(2k)
Multiplication Polynomial multiplication, and
then remainder modulo the defining polynomial
f(x)
(1,1,0,1,1) (0,1,0,1,1) (1,1,0,0,1)
For small size finite field, a lookup table is
the most efficient method for implementing
multiplication.
42
Mathematical background(Cont.)
• Polynomials with coefficients in GF(28)
• The operation consisting of multiplication by a
fixed polynomial a( x ) can be written as matrix
multiplication where the matrix is a circulant
matrix. We have

43
What is a multiplicative inverse?
• In mathematics, the reciprocal, or multiplicative
inverse, of a number x is the number which, when
multiplied by x, yields 1. The multiplicative
inverse for the real numbers, for example, is
1/x. To avoid confusion by writing the inverse
using set specific notation, we generally write
x-1.
• Zero does not have a reciprocal, as division by 0
is undefined

44
Multiplication of polynomials
• Finite field multiplication is more difficult
than addition and is achieved by multiplying the
polynomials for the two elements concerned and
collecting like powers of x in the result. Since
each polynomial can have powers of x up to 7, the
result can have powers of x up to 14 and will no
longer fit within a single byte.
• This situation is handled by replacing the result
with the remainder polynomial after division by a
special eighth order irreducible polynomial,
which, for Rijndael, is
• m(x) x8 x4 x3 x 1
• Note we will discuss why this irreducible
polynomial in just a little while.

45
Multiplication Polynomials by Repeated Shifts
• The finite field element 00000010 is the
polynomial x, which means that multiplying
another element by this value increases all its
powers of x by 1. This is equivalent to shifting
its byte representation up by one bit so that the
bit at position i moves to position i1. If the
top bit is set prior to this move it will
overflow to create an x8 term, in which
• case the modular polynomial is added to cancel
this additional bit, leaving a result that fits
within a single byte.
• For example, multiplying 11001000 by x, that is
00000010, the initial result is
• 110010000. The overflow bit is then removed
• polynomial, using an exclusive-or operation to
give a final result of 10001011.
• NOTE This why the implementation of creating the
S-boxes includes four steps of shifting. This is
in essence, multiplying.

46
Affine Transformation What is it
• This concept originates in graphics, and is also
used in transforming graphics. Moving pixels in
one direction or another is very similar to
moving a value in a matrix, so the concept gets
applied to matrices (as in AES)
• In geometry, an affine transformation or affine
map or an affinity (from the Latin, affinis,
"connected with") between two vector spaces
(strictly speaking, two affine spaces) consists
of a linear transformation followed by a
translation
• In general, an affine transform is composed of
linear transformations (rotation, scaling or
shear) and a translation (or "shift"). Several
linear transformations can be combined into a
single one, so that the general formula given
above is still applicable. For our purposes it
is just a word for a linear transformation. This
video also gives a good explanation
• Now what are linear transformation? Well for
more detail
• http//www.samiam.org/galois.html

47
Rijndael Galois
• The Rijndael Block Chiper uses finite field
arithmetic in the field of GF( 28 ) or the Galois
• Field. For Rijndael we show this eld as a
polynomial where each b is a bit in a byte that
can contain the binary value of either 1 or 0.
• b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x
b0
• The values used in Rijndael are displayed in
correspond to a polynomial representation. Fore
example Here is a byte containing the
hexadecimal value of 57 and it corresponding
binary and polynomial representations
• Binary 01010111 Polynomial x6 x4 x2 x
1

48
Rijndael Galois
• The s-box is generated by determining the
multiplicative inverse for a given number in the
Galois led, zero would be set to zero. The
multiplicative inverse is transformed using the
following affine transformation
• where x0, ..., x7 is the multiplicative inverse
as a vector.
• Now you can do this with matrix mathematics,
first multiplying the matrix by the vectors, then
xoring with the values in the final column. This
affine transformation is the sum of multiple
rotations of the byte as a vector, where addition
is the XOR operation. NOTE This is what we are
duplicating in the function to create this
transform that we did earlier this week

49
Why these choices?
• We dont know all the whys of these choices, but
we do know some.
• The last vector that is xord in is meant to
prevent the generation of a fixed point In other
words S-box(a)a
• The matrix obviously has meaning. Now they did
not state it, but looking at it even briefly
reveals a pattern.
• Look at the next slide to analyze the choices

50
Why these choices?
To avoid Fixed point
• Modulo 2 arithmetic

Input bits (the multiplicative inverse)
Output bits(what goes in the sbox)
51
AES S-Box Design
• The S-box is generated by determining the
multiplicative inverse for a given number in
Rijndael's Galois field. The multiplicitive
inverse is then transformed using the following
affine transformation matrix
• GF(28) GF(2)x/(x8 x4 x3 x 1)
• Now you can do this with matrix math we already
described, or you can do it with the function we
provided to you yesterday (and is also at the end
of this presentation)

52
Why these choices?
• In the submission of Rijndael Joan Daemen
Vincent Rijmen stated reasons for many things,
such as the particular modulus to use. But
questions still may be in your mind?
• Why this matrix for the affine transform and not
some other?
• Why this particular vector for the affine
transform and not some other?
• Here are the only answers they gave, and the
following is a quote directly from their
submission.

53
How to calculate this yourself
• Unfortunately, no, it is not the same as
computing the inverse of a matrix. Also, there
are at least two issues involved here. One is
what are elements of this finite field GF(28)?
The other is how are they represented on the
computer (i.e. in binary)? And then we can get to
the question of how to invert them.
• First of all, an element of GF(28) is a
polynomial of degree less than 8 over GF(2) (with
coefficients in GF(2)) modulo an irreducible
polynomial of degree 8. So the first thing you
have to do is pick a polynomial of degree 8, and
use this as your field modulus. The AES standard
says what this modulus is.

54
How to calculate the Multiplicative inverse
• The multiplicative inverse for an element a of a
finite field can be calculated a number of
different ways
• By multiplying a by every number in the field
until the product is one. This is a Brute-force
search.
• By using the Extended Euclidean algorithm
• By making a logarithm table of the finite field,
and performing subtraction in the table.
Subtraction of logarithms is the same as
division.

55
Compute multiplicative inverse
• Remember that in modular arithmetic, the modular
multiplicative inverse of x is the number a such
that ax 1 (mod n). This multiplicative inverse
exists if and only if a and n are coprime. For
example, the inverse of 3 modulo 11 is 4 because
it is the solution to 3x 1 (mod 11).
• Put another way you are trying to find a number
that is coprime to x mod n.
• The extended Euclidean algorithm may be used to
compute it. In fact this is probably the most
common way to compute it.

56
Extended Euclidean
• The extended Euclidean algorithm is a version of
the Euclidean algorithm its input are two
integers a and b and the algorithm computes their
greatest common divisor (GCD) as well as integers
x and y such that ax by gcd(a,b). This works
because the steps of Euclid's algorithm always
deal with sums of multiples of a and b.
• We are going to look first at a video
demonstration of this, then at an example here in
this presentation, then at a second and different
video demonstration. The hope is that seeing it
done three different times, should assist you in
understanding it. Here is the first video demo
clear, easy to follow

57
Extended Euclidean
• Consider as an example the computation of
gcd(120,23) with Euclid's algorithm
• 120 / 23 5 remainder 5
• 23 / 5 4 remainder 3
• 5 / 3 1 remainder 2
• 3 / 2 1 remainder 1
• 2 / 1 2 remainder 0
• In this case, the remainder in the
second-to-last line indicates that the gcd is 1
that is, 120 and 23 are coprime.

58
Extended Euclidean step 2
• Now do a little algebra on each of the above
lines
• 120 / 23 5 r 5 gt 5 120 - 523
• 23 / 5 4 r 3 gt 3 23 - 45
• 5 / 3 1 r 2 gt 2 5 - 13
• 3 / 2 1 r 1 gt 1 3 - 12
• 2 / 1 2 r 0 gt 0 2 - 21
• Now observe that the first line contains
multiples of 120 and 23. Also, the rightmost
values are in each case the remainders listed on
the previous line, and the left side of the
differences are the residues from two lines up.
We can thus progressively calculate each
successive remainder as sums of products of our
two original values.
• Here we rewrite the second equations in the
above table
• 5 120 - 523 1120 - 523
• 3 23 - 45 123 - 4(1120 -
523) -4120 2123
• 2 5 - 13 (1120 - 523) - 1(-4120
2123) 5120 - 2623
• 1 3 - 12 (-4120 2123) - 1(5120 -
2623) -9120 4723
• Notice that the last line says that 1 -9120
4723, which is what we wanted x -9 and y
47.
• This means that -9 is the multiplicative inverse
of 120 modulo 23, because 1 -9 120 (mod 23).

59
Extended Euclidean step 3
• So remember the original formula? ax by
gcd(a,b). That means in this case b is the
modulo, a is the number you are trying to find
the multiplicative inverse for. Here is an
example ( too see this entire example online
http//www.fact-index.com/e/ex/extended_euclidean_
algorithm.html

60
Euclids Greatest Common Divisor Algorithm
• Since m mod n m - ?m/n?n, We can now apply
statement 4 and statement 3 to see that
gcd(m,n) gcd(m mod n, n) gcd(n, m mod n)
• 5. For integers m and n with n gt 0, gcd(m,n)
gcd(n, m mod n).
• We can apply statement 5 to derive an algorithm
for computing - greatest common divisors
• Euclids Algorithm
• Input integers m and n, not both zeroOutput
d gcd(m,n)
• If n 0 d melse while n ? 0 c n n
m mod n m c d mreturn d

61
Euclids Greatest Common Divisor Algorithm
• One of the special properties of the greatest
common divisor of two numbers is that it can be
written as an integer linear combination of the
numbers
• Example 2 gcd(32,24) 8
• 32 1?24 8
• Thus 8 1?32 (-1)?24
• Example 3 gcd(54,42)
• 54 1?42 12
• 42 3?12 6
• 12 2?6 0, so 6 gcd(54,42)
• Using back-substitution
• 6 1?42 - 3?12 and 12 1?54 - 1?42
• Thus 6 1?42 - 3?(1?54 - 1?42 ) 4?42
(-3)?54

62
Euclidean VIDEO Tutorials
clear, easy to follow
is a little longer, but a pretty good one.

63
Here is another method method
• One divided by a given number is the
multiplicative inverse of that number. To find
the multiplicative inverse of the number a
• Find the logarithm for a
• Subtract 255 by a's logarithm
• Take the anti-log of the resulting number
• This is the multiplicative inverse (In other
words, 1 / a)
• Here is some code which uses the above log and
anti-log tables to calculate the multiplicative
inverse unsigned char gmul_inverse(unsigned char
in)
• / 0 is self inverting /
• if(in 0)
• return 0
• else
• return atable(255 - ltablein)
• This example comes from http//www.samiam.org/galo
is.html

64
Rijendael step by step- The s-box
• This is the standard s-box

65
Multiplicative inverse
• The S-box is generated by determining the
multiplicative inverse for a given number in
GF(28) GF(2)x/(x8 x4 x3 x 1),
Rijndael's finite field (zero, which has no
inverse, is set to zero). Rijndael uses a
characteristic 2 finite field with 256 elements,
which can also be called the Galois field GF(28).
It employs the following reducing polynomial for
multiplication x8 x4 x3 x 1.
• The multiplicative inverse is then transformed
using the following affine transformation

66
S-box Derivation

The S-box maps byte x to byte z via the function
z Ax-1b Input byte x x7x6x5x4x3x2x1x0 Compu
te the inverse in GF(28) y7y6y5y4y3y2y1y0
(non-linear, vs. attacks) (use 0 as inverse of
0) Compute this linear function z in
GF(28) (to complicate attacks) (A
is simple to implement) b chosen so

67
Calculate the multiplicative inverse
• Recall that the multiplicative inverse in a
modulo n world is defined as being the number,
a-1, such that
• (a)(a-1) 1 (mod n)
• Thus, for example, 3 and 7 are multiplicative
inverses of each other in a mod 10 world while 5
and 11 are multiplicative inverses of each other
in a mod 27 world.
• For very small moduli, finding the multiplicative
inverse of a number is not terribly difficult to
do via exhaustive search since, by definition,
• (a)(a-1) kn 1
• So it becomes a simple matter of writing this as
•  (a-1) (kn 1)/a
• and trying successive values of k until one is
found that results in the right hand side being
an integer. All that is then left is to reduce
the resulting integer modulo n. But as the
modulus grows, this process quickly becomes
unwieldy and impractical. What is needed is a
more systematic means of finding a-1.

68
Calculate the multiplicative inverse
• We have to find x such that ax 1 (mod m)
• Above equivalence can be stated alternatively
as
• ax pm 1
• or ax my 1 known as Bézouts identity

69
Table of Multiplicative inverses
70
Generating the standard S-Box
• The next slides provide this. However if you wish
to alter the s-box you should attempt the
following
• Find a different irreducible polynomial to use as
the mod operation.
• Find a different affine transform, that simply
means a different matrix to multiple the
multiplicative inverse by. This changes the
shifts/operations you see in the following slides.

71
Rijendael step by step- The s-box
• This will generate the Rijndael (AES) S-box,
which is represented here with hexadecimal
notation

72
Rijendael step by step- step one
• Take a number for GF(28) lets pick 2. Looking at
the multiplicative inverse table that gives us 8d
in hex or 10001101 in binary
• Now we need to do four iterations of the process
of affine transformation. We start by putting
the multiplicative inverse into two variables s
and x
• s 10001101
• x 10001101

73
Rijendael step by step- step two (first iteration)
• Rotate s(10001101) to the left 00011010
• If the high bit is one make the low bit 1
• else low bit is 0
• Now in this case the high bit WAS 1 so we change
the low bit
• so s is 00011011
• xor with x so 00011011 xor 10001101 10010110
• s 00011011 x 10010110

74
Rijendael step by step- step three (second
iteration)
• rotate s (00011011 )to the left 00110110
• If then(shown above) still gives us 00110110
• xor with x so 00110110 xor 10010110 10100000
• s 00110110 x 10100000

75
Rijendael step by step- step four (third
iteration)
• rotate s(00110110) to the left 01101100
• if then (shown above ) still gives us 01101100
• xor with x so 01101100 xor 10100000 11001100
• so s 01101100 x 11001100

76
Rijendael step by step- step five(fourth
iteration)
• rotate s(01101100) to the left 11011000
• if then (shown above) still gives us 11011000
• xor with x so 01101100 xor 11001100 00010100
• so s 11011000 x 00010100

77
Rijendael step by step- step six
• Now x (00010100) gets xor'd with decimal 99 (hex
x63 binary 1100011) 1110111 or 77
• And if we check the s-box table for what 2 should
give us we get

78
So what are we seeing?
• The output is actually the multiplicative invers
of the input then put through this affine
transform.
• Still not convinced lets see it again?

79
Rijendael step by step- step one
• Take a number for GF(28) lets pick 7. Looking at
the multiplicative inverse table that gives us d1
in hex or 11010001 in binary
• Now we need to do four iterations of the process
of affine transformation. We start by putting
the multiplicative inverse into two variables s
and x
• s 11010001
• x 11010001

80
Rijendael step by step- step two (first iteration)
• Rotate s(11010001) to the left 10100010
• If the high bit is one make the low bit 1
• else low bit is 0
• Now in this case the high bit WAS 1 so we change
the low bit
• so s is 10100011
• xor with x so 10100011 xor 11010001 1110010
• s 10100011 x 1110010

81
Rijendael step by step- step three (second
iteration)
• rotate s(10100011) to the left 01000110
• If then(shown above)
• gives us 01000111
• xor with x so 01000111 xor 1110010 00110101
• s 01000111 x 00110101

82
Rijendael step by step- step four (third
iteration)
• rotate s(01000111) to the left 10001110
• if then (shown above ) still gives us 10001110
• xor with x so 10001110 xor 00110101 10111011
• so s 10001110 x 10111011

83
Rijendael step by step- step five(fourth
iteration)
• rotate s(10001110) to the left 00011100
• if then (shown above)
• gives us 00011101
• xor with x so 00011101 xor 10111011 10100110
• so s 00011101 x 10100110

84
Rijendael step by step- step six
• Now x (10100110) gets xor'd with decimal 99 (hex
x63 binary 1100011) 11000101 or c5
• And if we check the s-box table for what 7 should
give us we get

85
That is IT!!
• That is how you generate the entire Rijndael s
box!
• Is this clearer? Well lets reiterate the basics
• Use GF(28) and look at each possible value in
that filed one at a time.
• Find the multiplicative inverse, then compute the
transform.
• That takes four steps, and gives us the output
for the s box

86
But wait
• What was the matrix we saw earlier? Well that is
an alternative way to do this. You can put all
the GF(28) values in a matrix, and use the matrix
we saw to produce the multiplicative inverse of
the GF(28) matrixOR you can use the formula we
just did!
• What does this mean? Well either method works,
but I think you will find the formula method
easier to code in any programming language and
easier to alter.

87
Alter it? How
• Some obvious solutions come into play
• What about different shifts? Left or right, or by
more than one? Will that affect the output?
• Of course a different value of GF(28) perhaps
GF(29) for 512 bits?
• Perhaps building this output table (this s box)
then xoring it with the round key so there is a
different s-box each round? And it is semi key
dependent?
• Of course you could construct an entirely
different affine transform.

88
How to change an AES s-box
• Remember you want the entire cipher to meet
• Strict Avalanche Criteria
• Bit independence criteria
• Balance
• As much as possible the s-box should fulfill
this. So when making any change, we know that we
must make certain our change meets these criteria

89
So what changes can we make
• Isomorphic fields to the underlying field can be
generated by using different irreducible
polynomials of the same degree. There are a total
of 30 irreducible polynomials of degree 8 to
choose from. This gives you 29 alternatives to
the traditional s-box for AES, each with well
tested security. (note for more details you can
look into Rabins test for irreducibility).
• Change the affine transform. This is a little
more tricky but safe if you simply alter
parameters within the existing transform.
Section 5.2 of Algebraic Construction and
Cryptographic Properties of Rijndael
Substitution discusses this in detail.
• Change the translation vector (the final number
you xor with). Obviously there are 255 possible
variations.

90
Comments on changing the affine transform
• We propose to increase the complexity and
security of AES S-box by modifying the affine