AES S-box How and Why?

1
AES S-box How and Why?
2
Notes

• The general math review slides are taken from a
  variety of internet sources. I tried to be
  diligent in citing, but given the nature of basic
  math, I may have missed some citation
• This presentation assumes you are comfortable
  with symmetric ciphers as well as the details of
  AES.

3
Basic Math Review Represent decimals as
polynomials
4
Basic Math Review Fields, groups, rings

• In mathematics, and more specifically in abstract
  algebra, the term algebraic structure generally
  refers to a set with one or more operations
  defined on it
• A group is an algebraic system consisting of a
  set, an identity element, one operation and its
  inverse operation.
• A ring is an algebraic system consisting of a
  set, an identity element, two operations and the
  inverse operation of the first operation.
• A field is an algebraic system consisting of a
  set, an identity element for each operation, two
  operations and their respective inverse
  operations.
• GF(p) for any prime, p, this Galois Field has p
  elements which are the residue classes of
  integers modulo p.

5
Basic Math Review Galois Fields

• The order of the field is given by pn while p is
  called the characteristic of the field example
• gf(5) (0 1 2 3 4)
• which consists of 5 elements where each of them
  is a polynomial of degree 0(a constant) while
• gf(23) (0 1 2 2 1 22 22 1 22 2 22
  2 1)
• (0 1 2 3 4 5 6 7)
• which consists of 23 8 elements where each of
  them is a polynomial of degree at most 2
  evaluated at 2.

6
Basic Math Review Galois Field Addition
7
Basic Math Review Galois Field Addition
8
Basic Math Review Galois Field Multiplication
9
Basic Math Review First refresh your memory on
polynomial multiplication
10
Basic Math Review Polynomial Division
For additional review of basic polynomial math
http//www.doc.ic.ac.uk/mrh/330tutor/ch04s02.html

11
Basic Math Review Galois Field Multiplication
12
Basic Math Review Polynomial Arithmetic

• Can compute using polynomials
• Several alternatives available
• ordinary polynomial arithmetic
• poly arithmetic with coords mod p

13
Basic Math Review Polynomial Arithmetic

• add or subtract corresponding coefficients
• multiply all terms by each other
• For example
• let f(x) x3 x2 2 and g(x) x2 x 1
• f(x) g(x) x3 2x2 x 3
• f(x) g(x) x3 x 1
• f(x) x g(x) x5 3x2 2x 2

14
Basic Math Review Polynomial Arithmetic

• when computing value of each coefficient do
  calculation modulo some value could be modulo any
  prime but we are most interested in mod 2
• ie all coefficients are 0 or 1
• eg. let f(x) x3 x2 and g(x) x2 x 1
• f(x) g(x) x3 x 1
• f(x) x g(x) x5 x2

15
Basic Math Review Polynomial Arithmetic

• can write any polynomial in the form
• f(x) q(x) g(x) r(x)
• can interpret r(x) as being a remainder
• r(x) f(x) mod g(x)
• if have no remainder say g(x) divides f(x)
• if g(x) has no divisors other than itself 1 say
  it is irreducible (or prime) polynomial
• arithmetic modulo an irreducible polynomial forms
  a field

16
Basic Math Review Polynomial Arithmetic

• can compute in field GF(2n)
• polynomials with coefficients modulo 2
• whose degree is less than n
• hence must reduce modulo an irreducible poly of
  degree n (for multiplication only)
• Form a finite field

17
Basic Math Review Polynomial Arithmetic

• Find the results of
• (x5x2x) (x7x4x3x2x )
• in GF(28) with irreducible polynomial
  x8x4x3x1

18
Basic Math Review Polynomial Arithmetic Answer

• Multiply the two polynomials
• (x5x2x) x7x4x3x2x x5 (x7x4x3x2x )
  x2 (x7x4x3x2x ) x (x7x4x3x2x )
  (x12x7x2)
• Get the results of
• (x12x7x2) mod (x8x4x3x1) (x5x3x2x1)

19
Basic Math Review Polynomial Arithmetic
Polynomial Algebra

• Operation of addition is performed using an XOR
  operation denoted by . For example, all
  notations below are equivalent
•   (x6 x4 x2 x 1) (x7 x 1) x7 x6
  x4 x2 0 polynomial notation
• 01010111 10000011 11010100 binary
  notation.
• Multiplication in Rijndael is the multiplication
  of polynomials modulo the irreducible polynomial.
  For example, in the polynomial notation
• (x6 x4 x2 x 1) (x7 x 1)
• x13 x11 x9 x8 x6 x5 x4 x3 1,
• and
• (x13 x11 x9 x8 x6 x5 x4 x3 1) mod
  (x6 x4 x2 x 1) x7 x 1.

The set of 256 possible byte values, with XOR
used as addition, and the multiplication
defined as above, has the structure of the finite
field GF(28).
20
Basic Math Review Matrix multiplication

• Here is a key point You cannot just multiply
  each number by the corresponding number in the
  other matrix. Matrix multiplication is not like
  addition or subtraction.

From http//www.freemathhelp.com/matrix-multiplic
ation.html
21
Basic Math Review Matrix Multiplication Continued

• The first two steps

From http//www.freemathhelp.com/matrix-multiplic
ation.html
22
Basic Math Review Matrix Multiplication

• Steps 3 4

From http//www.freemathhelp.com/matrix-multiplic
ation.html
23
Basic Math Review Matrix Multiplication

• Step 5

From http//www.freemathhelp.com/matrix-multiplic
ation.html
24
Basic Math Review Matrix Multiplication

• Matrix Multiplication is NOT Commutative! Order
  matters!
• You can multiply matrices only if the number of
  columns in the first matrix equals the number of
  rows in the second matrix.

25
Basic Math Review Matrix Determinants
To find the determinant of a 2 x 2 matrix,
multiply diagonal 1 and subtract the product of
diagonal 2.
26
Basic Math Review Matrix Determinants
To find the determinant of a 3 x 3 matrix, first
recopy the first two columns. Then do 6 diagonal
products.
27
Basic Math Review Inverse Matrices

• When you multiply a matrix and its inverse, you
  get the identity matrix.

28
Basic Math Review Inverse Matrices

• Not all matrices have an inverse!
• To find the inverse of a 2 x 2 matrix, first find
  the determinant.
• If the determinant 0, the inverse does not
  exist!
• The inverse of a 2 x 2 matrix is the reciprocal
  of the determinant times the matrix with the main
  diagonal swapped and the other terms multiplied
  by -1.

29
Basic Math Review Inverse Matrices

• Example 1

30
Basic Math Review Scalar Multiplication

• To do this, multiply each entry in the matrix by
  the number outside (called the scalar). This is
  like distributing a number to a polynomial.

Example
31
AES Rijndael mathematics

• Rijndael is defined in the Galois field GF (28)
  by the irreducible polynomial
• In HEX this is 11B, in binary it is 100011011
• Why this one? The polynomial m(x) (11B) for
  the multiplication in GF(28) is the first one of
  the list of irreducible polynomials of degree 8,
  given in LiNi86, p. 378. page 22 of AES
  Proposal Rijndael
• LiNi86 is R. Lidl and H. Niederreiter,
  Introduction to finite fields and their
  applications, Cambridge University Press, 1986)

P x8 x4 x3 x 1
32
Irreducible Polynomials
A polynomial is irreducible in GF(p) if it does
not factor over GF(p). Otherwise it is
reducible. Examples
The same polynomial is reducible in Z5 but
irreducible in Z2. Are there other irreducible
polynomials of power 8? Yes of course, the only
list I am aware of is in the book cited by the
inventors of Rijndael
33
Irreducible Polynomials
You can check the same source that was cited by
the inventors of Rijndael. In fact on Amazon,
there is the look inside option and with a bit
of work you can find the table. To save you some
time, here are a few irreducible polynomials from
that list (in binary form, you may place them in
polynomial or hex form if you wish) 100101011 1001
11001 100111111 101001101 101011111 101110111 1100
01011 OK why degree 8 (9 digits) isnt that one
too many? Clearly, the result will be a binary
polynomial of degree below 8. Unlike for
addition, there is no simple operation at byte
level. page ¾ of the specification The reason
an irreducible but not primitive polynomial is
used is that we are trying to make a non-linear
permutation function that has diffusion,
spreading input bits to output bits in an
non-linear way.
34
The Finite Field GF(28).

• The case in which n is greater than one is much
  more difficult to describe. In cryptography, one
  almost always takes p to be 2 in this case. This
  section just treats the special case of p 2 and
  n 8, that is. GF(28), because this is the field
  used by Advanced Encryption Standard (AES).
• The AES works primarily with bytes (8 bits),
  represented from the right as
• b7b6b5b4b3b2b1b0.The 8-bit elements of the field
  are regarded as polynomials with coefficients in
  the field Z2
• b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x1
  b0.
• The field elements will be denoted by their
  sequence of bits, using two hex digits.

35
The multiplicative inverse

• Multiplication in Galois Field, however, requires
  more tedious work. Suppose f(p) and g(p) are
  polynomials in gf(pn) and let m(p) be an
  irreducible polynomial (or a polynomial that
  cannot be factored) of degree at least n in
  gf(pn). We want m(p) to be a polynomial of degree
  at least n so that the product of two f(p) and
  g(p) does not exceed 11111111 255 as the
  product needs to be stored as a byte. If h(p)
  denotes the resulting product then
• h(p) (f(p) g(p)) (mod m(p))
• On the other hand, the multiplicative inverse of
  f(p) is given by a(p) such
• that
• (f(p) a(p)) (mod m(p)) 1

36
The multiplicative inverse

• Note that calculating the product of two
  polynomials and the multiplicative inverse of a
  polynomial requires both reducing coeficients
  modulo p and reducing polynomials modulo m(p).
  The reduced polynomial can be calculated easily
  with long division while the best way to compute
  the multiplicative inverse is by using Extended
  Euclidean Algorithm. The details on the
  calculations in gf(28) is best explained in the
  following example.
• Princeton University offers this calculator for
  multiplicative inverse http//www.cs.princeton.edu
  /dsri/modular-inversion-answer.php?n9p8
• We will look at two methods for calculating
  multiplicative inverse later in this lesson, but
  you can also use this calculator if you prefer,
  or the multiplicative inverse table I have
  provided.
• There is also a calculator online that does all
  modular arithmetic http//ptrow.com/perl/calculato
  r.pl

37
More on Galois Fields

• Galois Field sizes can be defined with various
  field sizes like GF(16) or GF(256). AES is not
  the only cryptographic algorithm to use these
  finite fields. Quad also uses finite fields under
  a polynomial modulus

38
Implementing GF(pk) arithmetic
Theorem Let f(x) be an irreducible polynomial of
degree k over Zp. The finite field GF(pk) can
be realized as the set of degree k-1 polynomials
over Zp, with addition and multiplication done
modulo f(x).
39
Example Implementing GF(2k)
By the theorem the finite field GF(25) can be
realized as the set of degree 4 polynomials over
Z2, with addition and multiplication done modulo
the irreducible polynomial f(x)x5x4x3x1.
The coefficients of polynomials over Z2 are 0 or
1. So a degree k polynomial can be written down
by k1 bits. For example, with k4 x3x1
(0,1,0,1,1) x4 x3x1
(1,1,0,1,1)
40
Implementing GF(2k)
Addition bit-wise XOR (since 110)
x3x1 (0,1,0,1,1) x4 x3x
(1,1,0,1,0) -------------------------------
x4 1 (1,0,0,0,1)
41
Implementing GF(2k)
Multiplication Polynomial multiplication, and
then remainder modulo the defining polynomial
f(x)
(1,1,0,1,1) (0,1,0,1,1) (1,1,0,0,1)
For small size finite field, a lookup table is
the most efficient method for implementing
multiplication.
42
Mathematical background(Cont.)

• Polynomials with coefficients in GF(28)
• The operation consisting of multiplication by a
  fixed polynomial a( x ) can be written as matrix
  multiplication where the matrix is a circulant
  matrix. We have

43
What is a multiplicative inverse?

• In mathematics, the reciprocal, or multiplicative
  inverse, of a number x is the number which, when
  multiplied by x, yields 1. The multiplicative
  inverse for the real numbers, for example, is
  1/x. To avoid confusion by writing the inverse
  using set specific notation, we generally write
  x-1.
• Zero does not have a reciprocal, as division by 0
  is undefined

44
Multiplication of polynomials

• Finite field multiplication is more difficult
  than addition and is achieved by multiplying the
  polynomials for the two elements concerned and
  collecting like powers of x in the result. Since
  each polynomial can have powers of x up to 7, the
  result can have powers of x up to 14 and will no
  longer fit within a single byte.
• This situation is handled by replacing the result
  with the remainder polynomial after division by a
  special eighth order irreducible polynomial,
  which, for Rijndael, is
• m(x) x8 x4 x3 x 1
• Note we will discuss why this irreducible
  polynomial in just a little while.

45
Multiplication Polynomials by Repeated Shifts

• The finite field element 00000010 is the
  polynomial x, which means that multiplying
  another element by this value increases all its
  powers of x by 1. This is equivalent to shifting
  its byte representation up by one bit so that the
  bit at position i moves to position i1. If the
  top bit is set prior to this move it will
  overflow to create an x8 term, in which
• case the modular polynomial is added to cancel
  this additional bit, leaving a result that fits
  within a single byte.
• For example, multiplying 11001000 by x, that is
  00000010, the initial result is
• 110010000. The overflow bit is then removed
  by adding 100011011, the modular
• polynomial, using an exclusive-or operation to
  give a final result of 10001011.
• NOTE This why the implementation of creating the
  S-boxes includes four steps of shifting. This is
  in essence, multiplying.

46
Affine Transformation What is it

• This concept originates in graphics, and is also
  used in transforming graphics. Moving pixels in
  one direction or another is very similar to
  moving a value in a matrix, so the concept gets
  applied to matrices (as in AES)
• In geometry, an affine transformation or affine
  map or an affinity (from the Latin, affinis,
  "connected with") between two vector spaces
  (strictly speaking, two affine spaces) consists
  of a linear transformation followed by a
  translation
• In general, an affine transform is composed of
  linear transformations (rotation, scaling or
  shear) and a translation (or "shift"). Several
  linear transformations can be combined into a
  single one, so that the general formula given
  above is still applicable. For our purposes it
  is just a word for a linear transformation. This
  video also gives a good explanation
• http//www.youtube.com/watch?v4vrYNxlkrpI
• Now what are linear transformation? Well for
  more detail
• http//www.samiam.org/galois.html

47
Rijndael Galois

• The Rijndael Block Chiper uses finite field
  arithmetic in the field of GF( 28 ) or the Galois
• Field. For Rijndael we show this eld as a
  polynomial where each b is a bit in a byte that
  can contain the binary value of either 1 or 0.
• b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x
  b0
• The values used in Rijndael are displayed in
  hexadecimal value form and each hexadecimal value
  correspond to a polynomial representation. Fore
  example Here is a byte containing the
  hexadecimal value of 57 and it corresponding
  binary and polynomial representations
• Binary 01010111 Polynomial x6 x4 x2 x
  1

48
Rijndael Galois

• The s-box is generated by determining the
  multiplicative inverse for a given number in the
  Galois led, zero would be set to zero. The
  multiplicative inverse is transformed using the
  following affine transformation
• where x0, ..., x7 is the multiplicative inverse
  as a vector.
• Now you can do this with matrix mathematics,
  first multiplying the matrix by the vectors, then
  xoring with the values in the final column. This
  affine transformation is the sum of multiple
  rotations of the byte as a vector, where addition
  is the XOR operation. NOTE This is what we are
  duplicating in the function to create this
  transform that we did earlier this week

49
Why these choices?

• We dont know all the whys of these choices, but
  we do know some.
• The last vector that is xord in is meant to
  prevent the generation of a fixed point In other
  words S-box(a)a
• The matrix obviously has meaning. Now they did
  not state it, but looking at it even briefly
  reveals a pattern.
• Look at the next slide to analyze the choices

50
Why these choices?
To avoid Fixed point

• Modulo 2 arithmetic

Input bits (the multiplicative inverse)
Output bits(what goes in the sbox)
51
AES S-Box Design

• The S-box is generated by determining the
  multiplicative inverse for a given number in
  Rijndael's Galois field. The multiplicitive
  inverse is then transformed using the following
  affine transformation matrix
• GF(28) GF(2)x/(x8 x4 x3 x 1)
• Now you can do this with matrix math we already
  described, or you can do it with the function we
  provided to you yesterday (and is also at the end
  of this presentation)

52
Why these choices?

• In the submission of Rijndael Joan Daemen
  Vincent Rijmen stated reasons for many things,
  such as the particular modulus to use. But
  questions still may be in your mind?
• Why this matrix for the affine transform and not
  some other?
• Why this particular vector for the affine
  transform and not some other?
• Here are the only answers they gave, and the
  following is a quote directly from their
  submission.

53
How to calculate this yourself

• Unfortunately, no, it is not the same as
  computing the inverse of a matrix. Also, there
  are at least two issues involved here. One is
  what are elements of this finite field GF(28)?
  The other is how are they represented on the
  computer (i.e. in binary)? And then we can get to
  the question of how to invert them.
• First of all, an element of GF(28) is a
  polynomial of degree less than 8 over GF(2) (with
  coefficients in GF(2)) modulo an irreducible
  polynomial of degree 8. So the first thing you
  have to do is pick a polynomial of degree 8, and
  use this as your field modulus. The AES standard
  says what this modulus is.

54
How to calculate the Multiplicative inverse

• The multiplicative inverse for an element a of a
  finite field can be calculated a number of
  different ways
• By multiplying a by every number in the field
  until the product is one. This is a Brute-force
  search.
• By using the Extended Euclidean algorithm
• By making a logarithm table of the finite field,
  and performing subtraction in the table.
  Subtraction of logarithms is the same as
  division.

55
Compute multiplicative inverse

• Remember that in modular arithmetic, the modular
  multiplicative inverse of x is the number a such
  that ax 1 (mod n). This multiplicative inverse
  exists if and only if a and n are coprime. For
  example, the inverse of 3 modulo 11 is 4 because
  it is the solution to 3x 1 (mod 11).
• Put another way you are trying to find a number
  that is coprime to x mod n.
• The extended Euclidean algorithm may be used to
  compute it. In fact this is probably the most
  common way to compute it.

56
Extended Euclidean

• The extended Euclidean algorithm is a version of
  the Euclidean algorithm its input are two
  integers a and b and the algorithm computes their
  greatest common divisor (GCD) as well as integers
  x and y such that ax by gcd(a,b). This works
  because the steps of Euclid's algorithm always
  deal with sums of multiples of a and b.
• We are going to look first at a video
  demonstration of this, then at an example here in
  this presentation, then at a second and different
  video demonstration. The hope is that seeing it
  done three different times, should assist you in
  understanding it. Here is the first video demo
• http//www.youtube.com/watch?vfz1vxq5ts5I very
  clear, easy to follow

57
Extended Euclidean

• Consider as an example the computation of
  gcd(120,23) with Euclid's algorithm
• 120 / 23 5 remainder 5
• 23 / 5 4 remainder 3
• 5 / 3 1 remainder 2
• 3 / 2 1 remainder 1
• 2 / 1 2 remainder 0
• In this case, the remainder in the
  second-to-last line indicates that the gcd is 1
  that is, 120 and 23 are coprime.

58
Extended Euclidean step 2

• Now do a little algebra on each of the above
  lines
• 120 / 23 5 r 5 gt 5 120 - 523
• 23 / 5 4 r 3 gt 3 23 - 45
• 5 / 3 1 r 2 gt 2 5 - 13
• 3 / 2 1 r 1 gt 1 3 - 12
• 2 / 1 2 r 0 gt 0 2 - 21
• Now observe that the first line contains
  multiples of 120 and 23. Also, the rightmost
  values are in each case the remainders listed on
  the previous line, and the left side of the
  differences are the residues from two lines up.
  We can thus progressively calculate each
  successive remainder as sums of products of our
  two original values.
• Here we rewrite the second equations in the
  above table
• 5 120 - 523 1120 - 523
• 3 23 - 45 123 - 4(1120 -
  523) -4120 2123
• 2 5 - 13 (1120 - 523) - 1(-4120
  2123) 5120 - 2623
• 1 3 - 12 (-4120 2123) - 1(5120 -
  2623) -9120 4723
• Notice that the last line says that 1 -9120
  4723, which is what we wanted x -9 and y
  47.
• This means that -9 is the multiplicative inverse
  of 120 modulo 23, because 1 -9 120 (mod 23).

59
Extended Euclidean step 3

• So remember the original formula? ax by
  gcd(a,b). That means in this case b is the
  modulo, a is the number you are trying to find
  the multiplicative inverse for. Here is an
  example ( too see this entire example online
  http//www.fact-index.com/e/ex/extended_euclidean_
  algorithm.html

60
Euclids Greatest Common Divisor Algorithm

• Since m mod n m - ?m/n?n, We can now apply
  statement 4 and statement 3 to see that
  gcd(m,n) gcd(m mod n, n) gcd(n, m mod n)
• 5. For integers m and n with n gt 0, gcd(m,n)
  gcd(n, m mod n).
• We can apply statement 5 to derive an algorithm
  for computing - greatest common divisors
• Euclids Algorithm
• Input integers m and n, not both zeroOutput
  d gcd(m,n)
• If n 0 d melse while n ? 0 c n n
  m mod n m c d mreturn d

61
Euclids Greatest Common Divisor Algorithm

• One of the special properties of the greatest
  common divisor of two numbers is that it can be
  written as an integer linear combination of the
  numbers
• Example 2 gcd(32,24) 8
• 32 1?24 8
• Thus 8 1?32 (-1)?24
• Example 3 gcd(54,42)
• 54 1?42 12
• 42 3?12 6
• 12 2?6 0, so 6 gcd(54,42)
• Using back-substitution
• 6 1?42 - 3?12 and 12 1?54 - 1?42
• Thus 6 1?42 - 3?(1?54 - 1?42 ) 4?42
  (-3)?54

62
Euclidean VIDEO Tutorials

• http//www.youtube.com/watch?vfz1vxq5ts5I very
  clear, easy to follow
• http//www.youtube.com/watch?vshaQZg8bqUM This
  is a little longer, but a pretty good one.

63
Here is another method method

• One divided by a given number is the
  multiplicative inverse of that number. To find
  the multiplicative inverse of the number a
• Find the logarithm for a
• Subtract 255 by a's logarithm
• Take the anti-log of the resulting number
• This is the multiplicative inverse (In other
  words, 1 / a)
• Here is some code which uses the above log and
  anti-log tables to calculate the multiplicative
  inverse unsigned char gmul_inverse(unsigned char
  in)
• / 0 is self inverting /
• if(in 0)
• return 0
• else
• return atable(255 - ltablein)
• This example comes from http//www.samiam.org/galo
  is.html

64
Rijendael step by step- The s-box

• This is the standard s-box

65
Multiplicative inverse

• The S-box is generated by determining the
  multiplicative inverse for a given number in
  GF(28) GF(2)x/(x8 x4 x3 x 1),
  Rijndael's finite field (zero, which has no
  inverse, is set to zero). Rijndael uses a
  characteristic 2 finite field with 256 elements,
  which can also be called the Galois field GF(28).
  It employs the following reducing polynomial for
  multiplication x8 x4 x3 x 1.
• The multiplicative inverse is then transformed
  using the following affine transformation

66
S-box Derivation

The S-box maps byte x to byte z via the function
z Ax-1b Input byte x x7x6x5x4x3x2x1x0 Compu
te the inverse in GF(28) y7y6y5y4y3y2y1y0
(non-linear, vs. attacks) (use 0 as inverse of
0) Compute this linear function z in
GF(28) (to complicate attacks) (A
is simple to implement) b chosen so

67
Calculate the multiplicative inverse

• Recall that the multiplicative inverse in a
  modulo n world is defined as being the number,
  a-1, such that
• (a)(a-1) 1 (mod n)
• Thus, for example, 3 and 7 are multiplicative
  inverses of each other in a mod 10 world while 5
  and 11 are multiplicative inverses of each other
  in a mod 27 world.
• For very small moduli, finding the multiplicative
  inverse of a number is not terribly difficult to
  do via exhaustive search since, by definition,  
• (a)(a-1) kn 1
• So it becomes a simple matter of writing this as
•  (a-1) (kn 1)/a
• and trying successive values of k until one is
  found that results in the right hand side being
  an integer. All that is then left is to reduce
  the resulting integer modulo n. But as the
  modulus grows, this process quickly becomes
  unwieldy and impractical. What is needed is a
  more systematic means of finding a-1.

68
Calculate the multiplicative inverse

• We have to find x such that ax 1 (mod m)
• Above equivalence can be stated alternatively
  as
• ax pm 1
• or ax my 1 known as Bézouts identity

69
Table of Multiplicative inverses
70
Generating the standard S-Box

• The next slides provide this. However if you wish
  to alter the s-box you should attempt the
  following
• Find a different irreducible polynomial to use as
  the mod operation.
• Find a different affine transform, that simply
  means a different matrix to multiple the
  multiplicative inverse by. This changes the
  shifts/operations you see in the following slides.

71
Rijendael step by step- The s-box

• This will generate the Rijndael (AES) S-box,
  which is represented here with hexadecimal
  notation

72
Rijendael step by step- step one

• Take a number for GF(28) lets pick 2. Looking at
  the multiplicative inverse table that gives us 8d
  in hex or 10001101 in binary
• Now we need to do four iterations of the process
  of affine transformation. We start by putting
  the multiplicative inverse into two variables s
  and x
• s 10001101
• x 10001101

73
Rijendael step by step- step two (first iteration)

• Rotate s(10001101) to the left 00011010
• If the high bit is one make the low bit 1
• else low bit is 0
• Now in this case the high bit WAS 1 so we change
  the low bit
• so s is 00011011
• xor with x so 00011011 xor 10001101 10010110
• s 00011011 x 10010110

74
Rijendael step by step- step three (second
iteration)

• rotate s (00011011 )to the left 00110110
• If then(shown above) still gives us 00110110
• xor with x so 00110110 xor 10010110 10100000
• s 00110110 x 10100000

75
Rijendael step by step- step four (third
iteration)

• rotate s(00110110) to the left 01101100
• if then (shown above ) still gives us 01101100
• xor with x so 01101100 xor 10100000 11001100
• so s 01101100 x 11001100

76
Rijendael step by step- step five(fourth
iteration)

• rotate s(01101100) to the left 11011000
• if then (shown above) still gives us 11011000
• xor with x so 01101100 xor 11001100 00010100
• so s 11011000 x 00010100

77
Rijendael step by step- step six

• Now x (00010100) gets xor'd with decimal 99 (hex
  x63 binary 1100011) 1110111 or 77
• And if we check the s-box table for what 2 should
  give us we get

78
So what are we seeing?

• The output is actually the multiplicative invers
  of the input then put through this affine
  transform.
• Still not convinced lets see it again?

79
Rijendael step by step- step one

• Take a number for GF(28) lets pick 7. Looking at
  the multiplicative inverse table that gives us d1
  in hex or 11010001 in binary
• Now we need to do four iterations of the process
  of affine transformation. We start by putting
  the multiplicative inverse into two variables s
  and x
• s 11010001
• x 11010001

80
Rijendael step by step- step two (first iteration)

• Rotate s(11010001) to the left 10100010
• If the high bit is one make the low bit 1
• else low bit is 0
• Now in this case the high bit WAS 1 so we change
  the low bit
• so s is 10100011
• xor with x so 10100011 xor 11010001 1110010
• s 10100011 x 1110010

81
Rijendael step by step- step three (second
iteration)

• rotate s(10100011) to the left 01000110
• If then(shown above)
• gives us 01000111
• xor with x so 01000111 xor 1110010 00110101
• s 01000111 x 00110101

82
Rijendael step by step- step four (third
iteration)

• rotate s(01000111) to the left 10001110
• if then (shown above ) still gives us 10001110
• xor with x so 10001110 xor 00110101 10111011
• so s 10001110 x 10111011

83
Rijendael step by step- step five(fourth
iteration)

• rotate s(10001110) to the left 00011100
• if then (shown above)
• gives us 00011101
• xor with x so 00011101 xor 10111011 10100110
• so s 00011101 x 10100110

84
Rijendael step by step- step six

• Now x (10100110) gets xor'd with decimal 99 (hex
  x63 binary 1100011) 11000101 or c5
• And if we check the s-box table for what 7 should
  give us we get

85
That is IT!!

• That is how you generate the entire Rijndael s
  box!
• Is this clearer? Well lets reiterate the basics
• Use GF(28) and look at each possible value in
  that filed one at a time.
• Find the multiplicative inverse, then compute the
  transform.
• That takes four steps, and gives us the output
  for the s box

86
But wait

• What was the matrix we saw earlier? Well that is
  an alternative way to do this. You can put all
  the GF(28) values in a matrix, and use the matrix
  we saw to produce the multiplicative inverse of
  the GF(28) matrixOR you can use the formula we
  just did!
• What does this mean? Well either method works,
  but I think you will find the formula method
  easier to code in any programming language and
  easier to alter.

87
Alter it? How

• Some obvious solutions come into play
• What about different shifts? Left or right, or by
  more than one? Will that affect the output?
• Of course a different value of GF(28) perhaps
  GF(29) for 512 bits?
• Perhaps building this output table (this s box)
  then xoring it with the round key so there is a
  different s-box each round? And it is semi key
  dependent?
• Of course you could construct an entirely
  different affine transform.

88
How to change an AES s-box

• Remember you want the entire cipher to meet
• Strict Avalanche Criteria
• Bit independence criteria
• Balance
• As much as possible the s-box should fulfill
  this. So when making any change, we know that we
  must make certain our change meets these criteria

89
So what changes can we make

• Isomorphic fields to the underlying field can be
  generated by using different irreducible
  polynomials of the same degree. There are a total
  of 30 irreducible polynomials of degree 8 to
  choose from. This gives you 29 alternatives to
  the traditional s-box for AES, each with well
  tested security. (note for more details you can
  look into Rabins test for irreducibility).
• Change the affine transform. This is a little
  more tricky but safe if you simply alter
  parameters within the existing transform.
  Section 5.2 of Algebraic Construction and
  Cryptographic Properties of Rijndael
  Substitution discusses this in detail.
• Change the translation vector (the final number
  you xor with). Obviously there are 255 possible
  variations.

90
Comments on changing the affine transform

• We propose to increase the complexity and
  security of AES S-box by modifying the affine
  transformation and adding an affine
  transformation
• -AN IMPROVED AES S-BOX AND ITS PERFORMANCE
  ANALYSIS improved AES s-box performance.pdf