AES S-box How and Why?

Notes

- The general math review slides are taken from a

variety of internet sources. I tried to be

diligent in citing, but given the nature of basic

math, I may have missed some citation - This presentation assumes you are comfortable

with symmetric ciphers as well as the details of

AES.

Basic Math Review Represent decimals as

polynomials

Basic Math Review Fields, groups, rings

- In mathematics, and more specifically in abstract

algebra, the term algebraic structure generally

refers to a set with one or more operations

defined on it - A group is an algebraic system consisting of a

set, an identity element, one operation and its

inverse operation. - A ring is an algebraic system consisting of a

set, an identity element, two operations and the

inverse operation of the first operation. - A field is an algebraic system consisting of a

set, an identity element for each operation, two

operations and their respective inverse

operations. - GF(p) for any prime, p, this Galois Field has p

elements which are the residue classes of

integers modulo p.

Basic Math Review Galois Fields

- The order of the field is given by pn while p is

called the characteristic of the field example - gf(5) (0 1 2 3 4)
- which consists of 5 elements where each of them

is a polynomial of degree 0(a constant) while - gf(23) (0 1 2 2 1 22 22 1 22 2 22

2 1) - (0 1 2 3 4 5 6 7)
- which consists of 23 8 elements where each of

them is a polynomial of degree at most 2

evaluated at 2.

Basic Math Review Galois Field Addition

Basic Math Review Galois Field Addition

Basic Math Review Galois Field Multiplication

Basic Math Review First refresh your memory on

polynomial multiplication

Basic Math Review Polynomial Division

For additional review of basic polynomial math

http//www.doc.ic.ac.uk/mrh/330tutor/ch04s02.html

Basic Math Review Galois Field Multiplication

Basic Math Review Polynomial Arithmetic

- Can compute using polynomials
- Several alternatives available
- ordinary polynomial arithmetic
- poly arithmetic with coords mod p

Basic Math Review Polynomial Arithmetic

- add or subtract corresponding coefficients
- multiply all terms by each other
- For example
- let f(x) x3 x2 2 and g(x) x2 x 1
- f(x) g(x) x3 2x2 x 3
- f(x) g(x) x3 x 1
- f(x) x g(x) x5 3x2 2x 2

Basic Math Review Polynomial Arithmetic

- when computing value of each coefficient do

calculation modulo some value could be modulo any

prime but we are most interested in mod 2 - ie all coefficients are 0 or 1
- eg. let f(x) x3 x2 and g(x) x2 x 1
- f(x) g(x) x3 x 1
- f(x) x g(x) x5 x2

Basic Math Review Polynomial Arithmetic

- can write any polynomial in the form
- f(x) q(x) g(x) r(x)
- can interpret r(x) as being a remainder
- r(x) f(x) mod g(x)
- if have no remainder say g(x) divides f(x)
- if g(x) has no divisors other than itself 1 say

it is irreducible (or prime) polynomial - arithmetic modulo an irreducible polynomial forms

a field

Basic Math Review Polynomial Arithmetic

- can compute in field GF(2n)
- polynomials with coefficients modulo 2
- whose degree is less than n
- hence must reduce modulo an irreducible poly of

degree n (for multiplication only) - Form a finite field

Basic Math Review Polynomial Arithmetic

- Find the results of
- (x5x2x) (x7x4x3x2x )
- in GF(28) with irreducible polynomial

x8x4x3x1

Basic Math Review Polynomial Arithmetic Answer

- Multiply the two polynomials
- (x5x2x) x7x4x3x2x x5 (x7x4x3x2x )

x2 (x7x4x3x2x ) x (x7x4x3x2x )

(x12x7x2) - Get the results of
- (x12x7x2) mod (x8x4x3x1) (x5x3x2x1)

Basic Math Review Polynomial Arithmetic

Polynomial Algebra

- Operation of addition is performed using an XOR

operation denoted by . For example, all

notations below are equivalent - (x6 x4 x2 x 1) (x7 x 1) x7 x6

x4 x2 0 polynomial notation - 01010111 10000011 11010100 binary

notation. - Multiplication in Rijndael is the multiplication

of polynomials modulo the irreducible polynomial.

For example, in the polynomial notation - (x6 x4 x2 x 1) (x7 x 1)
- x13 x11 x9 x8 x6 x5 x4 x3 1,
- and
- (x13 x11 x9 x8 x6 x5 x4 x3 1) mod

(x6 x4 x2 x 1) x7 x 1.

The set of 256 possible byte values, with XOR

used as addition, and the multiplication

defined as above, has the structure of the finite

field GF(28).

Basic Math Review Matrix multiplication

- Here is a key point You cannot just multiply

each number by the corresponding number in the

other matrix. Matrix multiplication is not like

addition or subtraction.

From http//www.freemathhelp.com/matrix-multiplic

ation.html

Basic Math Review Matrix Multiplication Continued

- The first two steps

From http//www.freemathhelp.com/matrix-multiplic

ation.html

Basic Math Review Matrix Multiplication

- Steps 3 4

From http//www.freemathhelp.com/matrix-multiplic

ation.html

Basic Math Review Matrix Multiplication

- Step 5

From http//www.freemathhelp.com/matrix-multiplic

ation.html

Basic Math Review Matrix Multiplication

- Matrix Multiplication is NOT Commutative! Order

matters! - You can multiply matrices only if the number of

columns in the first matrix equals the number of

rows in the second matrix.

Basic Math Review Matrix Determinants

To find the determinant of a 2 x 2 matrix,

multiply diagonal 1 and subtract the product of

diagonal 2.

Basic Math Review Matrix Determinants

To find the determinant of a 3 x 3 matrix, first

recopy the first two columns. Then do 6 diagonal

products.

Basic Math Review Inverse Matrices

- When you multiply a matrix and its inverse, you

get the identity matrix.

Basic Math Review Inverse Matrices

- Not all matrices have an inverse!
- To find the inverse of a 2 x 2 matrix, first find

the determinant. - If the determinant 0, the inverse does not

exist! - The inverse of a 2 x 2 matrix is the reciprocal

of the determinant times the matrix with the main

diagonal swapped and the other terms multiplied

by -1.

Basic Math Review Inverse Matrices

- Example 1

Basic Math Review Scalar Multiplication

- To do this, multiply each entry in the matrix by

the number outside (called the scalar). This is

like distributing a number to a polynomial.

Example

AES Rijndael mathematics

- Rijndael is defined in the Galois field GF (28)

by the irreducible polynomial - In HEX this is 11B, in binary it is 100011011
- Why this one? The polynomial m(x) (11B) for

the multiplication in GF(28) is the first one of

the list of irreducible polynomials of degree 8,

given in LiNi86, p. 378. page 22 of AES

Proposal Rijndael - LiNi86 is R. Lidl and H. Niederreiter,

Introduction to finite fields and their

applications, Cambridge University Press, 1986)

P x8 x4 x3 x 1

Irreducible Polynomials

A polynomial is irreducible in GF(p) if it does

not factor over GF(p). Otherwise it is

reducible. Examples

The same polynomial is reducible in Z5 but

irreducible in Z2. Are there other irreducible

polynomials of power 8? Yes of course, the only

list I am aware of is in the book cited by the

inventors of Rijndael

Irreducible Polynomials

You can check the same source that was cited by

the inventors of Rijndael. In fact on Amazon,

there is the look inside option and with a bit

of work you can find the table. To save you some

time, here are a few irreducible polynomials from

that list (in binary form, you may place them in

polynomial or hex form if you wish) 100101011 1001

11001 100111111 101001101 101011111 101110111 1100

01011 OK why degree 8 (9 digits) isnt that one

too many? Clearly, the result will be a binary

polynomial of degree below 8. Unlike for

addition, there is no simple operation at byte

level. page ¾ of the specification The reason

an irreducible but not primitive polynomial is

used is that we are trying to make a non-linear

permutation function that has diffusion,

spreading input bits to output bits in an

non-linear way.

The Finite Field GF(28).

- The case in which n is greater than one is much

more difficult to describe. In cryptography, one

almost always takes p to be 2 in this case. This

section just treats the special case of p 2 and

n 8, that is. GF(28), because this is the field

used by Advanced Encryption Standard (AES). - The AES works primarily with bytes (8 bits),

represented from the right as - b7b6b5b4b3b2b1b0.The 8-bit elements of the field

are regarded as polynomials with coefficients in

the field Z2 - b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x1

b0. - The field elements will be denoted by their

sequence of bits, using two hex digits.

The multiplicative inverse

- Multiplication in Galois Field, however, requires

more tedious work. Suppose f(p) and g(p) are

polynomials in gf(pn) and let m(p) be an

irreducible polynomial (or a polynomial that

cannot be factored) of degree at least n in

gf(pn). We want m(p) to be a polynomial of degree

at least n so that the product of two f(p) and

g(p) does not exceed 11111111 255 as the

product needs to be stored as a byte. If h(p)

denotes the resulting product then - h(p) (f(p) g(p)) (mod m(p))
- On the other hand, the multiplicative inverse of

f(p) is given by a(p) such - that
- (f(p) a(p)) (mod m(p)) 1

The multiplicative inverse

- Note that calculating the product of two

polynomials and the multiplicative inverse of a

polynomial requires both reducing coeficients

modulo p and reducing polynomials modulo m(p).

The reduced polynomial can be calculated easily

with long division while the best way to compute

the multiplicative inverse is by using Extended

Euclidean Algorithm. The details on the

calculations in gf(28) is best explained in the

following example. - Princeton University offers this calculator for

multiplicative inverse http//www.cs.princeton.edu

/dsri/modular-inversion-answer.php?n9p8 - We will look at two methods for calculating

multiplicative inverse later in this lesson, but

you can also use this calculator if you prefer,

or the multiplicative inverse table I have

provided. - There is also a calculator online that does all

modular arithmetic http//ptrow.com/perl/calculato

r.pl

More on Galois Fields

- Galois Field sizes can be defined with various

field sizes like GF(16) or GF(256). AES is not

the only cryptographic algorithm to use these

finite fields. Quad also uses finite fields under

a polynomial modulus

Implementing GF(pk) arithmetic

Theorem Let f(x) be an irreducible polynomial of

degree k over Zp. The finite field GF(pk) can

be realized as the set of degree k-1 polynomials

over Zp, with addition and multiplication done

modulo f(x).

Example Implementing GF(2k)

By the theorem the finite field GF(25) can be

realized as the set of degree 4 polynomials over

Z2, with addition and multiplication done modulo

the irreducible polynomial f(x)x5x4x3x1.

The coefficients of polynomials over Z2 are 0 or

1. So a degree k polynomial can be written down

by k1 bits. For example, with k4 x3x1

(0,1,0,1,1) x4 x3x1

(1,1,0,1,1)

Implementing GF(2k)

Addition bit-wise XOR (since 110)

x3x1 (0,1,0,1,1) x4 x3x

(1,1,0,1,0) -------------------------------

x4 1 (1,0,0,0,1)

Implementing GF(2k)

Multiplication Polynomial multiplication, and

then remainder modulo the defining polynomial

f(x)

(1,1,0,1,1) (0,1,0,1,1) (1,1,0,0,1)

For small size finite field, a lookup table is

the most efficient method for implementing

multiplication.

Mathematical background(Cont.)

- Polynomials with coefficients in GF(28)
- The operation consisting of multiplication by a

fixed polynomial a( x ) can be written as matrix

multiplication where the matrix is a circulant

matrix. We have

What is a multiplicative inverse?

- In mathematics, the reciprocal, or multiplicative

inverse, of a number x is the number which, when

multiplied by x, yields 1. The multiplicative

inverse for the real numbers, for example, is

1/x. To avoid confusion by writing the inverse

using set specific notation, we generally write

x-1. - Zero does not have a reciprocal, as division by 0

is undefined

Multiplication of polynomials

- Finite field multiplication is more difficult

than addition and is achieved by multiplying the

polynomials for the two elements concerned and

collecting like powers of x in the result. Since

each polynomial can have powers of x up to 7, the

result can have powers of x up to 14 and will no

longer fit within a single byte. - This situation is handled by replacing the result

with the remainder polynomial after division by a

special eighth order irreducible polynomial,

which, for Rijndael, is - m(x) x8 x4 x3 x 1
- Note we will discuss why this irreducible

polynomial in just a little while.

Multiplication Polynomials by Repeated Shifts

- The finite field element 00000010 is the

polynomial x, which means that multiplying

another element by this value increases all its

powers of x by 1. This is equivalent to shifting

its byte representation up by one bit so that the

bit at position i moves to position i1. If the

top bit is set prior to this move it will

overflow to create an x8 term, in which - case the modular polynomial is added to cancel

this additional bit, leaving a result that fits

within a single byte. - For example, multiplying 11001000 by x, that is

00000010, the initial result is - 110010000. The overflow bit is then removed

by adding 100011011, the modular - polynomial, using an exclusive-or operation to

give a final result of 10001011. - NOTE This why the implementation of creating the

S-boxes includes four steps of shifting. This is

in essence, multiplying.

Affine Transformation What is it

- This concept originates in graphics, and is also

used in transforming graphics. Moving pixels in

one direction or another is very similar to

moving a value in a matrix, so the concept gets

applied to matrices (as in AES) - In geometry, an affine transformation or affine

map or an affinity (from the Latin, affinis,

"connected with") between two vector spaces

(strictly speaking, two affine spaces) consists

of a linear transformation followed by a

translation - In general, an affine transform is composed of

linear transformations (rotation, scaling or

shear) and a translation (or "shift"). Several

linear transformations can be combined into a

single one, so that the general formula given

above is still applicable. For our purposes it

is just a word for a linear transformation. This

video also gives a good explanation - http//www.youtube.com/watch?v4vrYNxlkrpI
- Now what are linear transformation? Well for

more detail - http//www.samiam.org/galois.html

Rijndael Galois

- The Rijndael Block Chiper uses finite field

arithmetic in the field of GF( 28 ) or the Galois - Field. For Rijndael we show this eld as a

polynomial where each b is a bit in a byte that

can contain the binary value of either 1 or 0. - b7x7 b6x6 b5x5 b4x4 b3x3 b2x2 b1x

b0 - The values used in Rijndael are displayed in

hexadecimal value form and each hexadecimal value

correspond to a polynomial representation. Fore

example Here is a byte containing the

hexadecimal value of 57 and it corresponding

binary and polynomial representations - Binary 01010111 Polynomial x6 x4 x2 x

1

Rijndael Galois

- The s-box is generated by determining the

multiplicative inverse for a given number in the

Galois led, zero would be set to zero. The

multiplicative inverse is transformed using the

following affine transformation - where x0, ..., x7 is the multiplicative inverse

as a vector. - Now you can do this with matrix mathematics,

first multiplying the matrix by the vectors, then

xoring with the values in the final column. This

affine transformation is the sum of multiple

rotations of the byte as a vector, where addition

is the XOR operation. NOTE This is what we are

duplicating in the function to create this

transform that we did earlier this week

Why these choices?

- We dont know all the whys of these choices, but

we do know some. - The last vector that is xord in is meant to

prevent the generation of a fixed point In other

words S-box(a)a - The matrix obviously has meaning. Now they did

not state it, but looking at it even briefly

reveals a pattern. - Look at the next slide to analyze the choices

Why these choices?

To avoid Fixed point

- Modulo 2 arithmetic

Input bits (the multiplicative inverse)

Output bits(what goes in the sbox)

AES S-Box Design

- The S-box is generated by determining the

multiplicative inverse for a given number in

Rijndael's Galois field. The multiplicitive

inverse is then transformed using the following

affine transformation matrix - GF(28) GF(2)x/(x8 x4 x3 x 1)
- Now you can do this with matrix math we already

described, or you can do it with the function we

provided to you yesterday (and is also at the end

of this presentation)

Why these choices?

- In the submission of Rijndael Joan Daemen

Vincent Rijmen stated reasons for many things,

such as the particular modulus to use. But

questions still may be in your mind? - Why this matrix for the affine transform and not

some other? - Why this particular vector for the affine

transform and not some other? - Here are the only answers they gave, and the

following is a quote directly from their

submission.

How to calculate this yourself

- Unfortunately, no, it is not the same as

computing the inverse of a matrix. Also, there

are at least two issues involved here. One is

what are elements of this finite field GF(28)?

The other is how are they represented on the

computer (i.e. in binary)? And then we can get to

the question of how to invert them. - First of all, an element of GF(28) is a

polynomial of degree less than 8 over GF(2) (with

coefficients in GF(2)) modulo an irreducible

polynomial of degree 8. So the first thing you

have to do is pick a polynomial of degree 8, and

use this as your field modulus. The AES standard

says what this modulus is.

How to calculate the Multiplicative inverse

- The multiplicative inverse for an element a of a

finite field can be calculated a number of

different ways - By multiplying a by every number in the field

until the product is one. This is a Brute-force

search. - By using the Extended Euclidean algorithm
- By making a logarithm table of the finite field,

and performing subtraction in the table.

Subtraction of logarithms is the same as

division.

Compute multiplicative inverse

- Remember that in modular arithmetic, the modular

multiplicative inverse of x is the number a such

that ax 1 (mod n). This multiplicative inverse

exists if and only if a and n are coprime. For

example, the inverse of 3 modulo 11 is 4 because

it is the solution to 3x 1 (mod 11). - Put another way you are trying to find a number

that is coprime to x mod n. - The extended Euclidean algorithm may be used to

compute it. In fact this is probably the most

common way to compute it.

Extended Euclidean

- The extended Euclidean algorithm is a version of

the Euclidean algorithm its input are two

integers a and b and the algorithm computes their

greatest common divisor (GCD) as well as integers

x and y such that ax by gcd(a,b). This works

because the steps of Euclid's algorithm always

deal with sums of multiples of a and b. - We are going to look first at a video

demonstration of this, then at an example here in

this presentation, then at a second and different

video demonstration. The hope is that seeing it

done three different times, should assist you in

understanding it. Here is the first video demo - http//www.youtube.com/watch?vfz1vxq5ts5I very

clear, easy to follow

Extended Euclidean

- Consider as an example the computation of

gcd(120,23) with Euclid's algorithm - 120 / 23 5 remainder 5
- 23 / 5 4 remainder 3
- 5 / 3 1 remainder 2
- 3 / 2 1 remainder 1
- 2 / 1 2 remainder 0
- In this case, the remainder in the

second-to-last line indicates that the gcd is 1

that is, 120 and 23 are coprime.

Extended Euclidean step 2

- Now do a little algebra on each of the above

lines - 120 / 23 5 r 5 gt 5 120 - 523
- 23 / 5 4 r 3 gt 3 23 - 45
- 5 / 3 1 r 2 gt 2 5 - 13
- 3 / 2 1 r 1 gt 1 3 - 12
- 2 / 1 2 r 0 gt 0 2 - 21
- Now observe that the first line contains

multiples of 120 and 23. Also, the rightmost

values are in each case the remainders listed on

the previous line, and the left side of the

differences are the residues from two lines up.

We can thus progressively calculate each

successive remainder as sums of products of our

two original values. - Here we rewrite the second equations in the

above table - 5 120 - 523 1120 - 523
- 3 23 - 45 123 - 4(1120 -

523) -4120 2123 - 2 5 - 13 (1120 - 523) - 1(-4120

2123) 5120 - 2623 - 1 3 - 12 (-4120 2123) - 1(5120 -

2623) -9120 4723 - Notice that the last line says that 1 -9120

4723, which is what we wanted x -9 and y

47. - This means that -9 is the multiplicative inverse

of 120 modulo 23, because 1 -9 120 (mod 23).

Extended Euclidean step 3

- So remember the original formula? ax by

gcd(a,b). That means in this case b is the

modulo, a is the number you are trying to find

the multiplicative inverse for. Here is an

example ( too see this entire example online

http//www.fact-index.com/e/ex/extended_euclidean_

algorithm.html

Euclids Greatest Common Divisor Algorithm

- Since m mod n m - ?m/n?n, We can now apply

statement 4 and statement 3 to see that

gcd(m,n) gcd(m mod n, n) gcd(n, m mod n) - 5. For integers m and n with n gt 0, gcd(m,n)

gcd(n, m mod n). - We can apply statement 5 to derive an algorithm

for computing - greatest common divisors - Euclids Algorithm
- Input integers m and n, not both zeroOutput

d gcd(m,n) - If n 0 d melse while n ? 0 c n n

m mod n m c d mreturn d

Euclids Greatest Common Divisor Algorithm

- One of the special properties of the greatest

common divisor of two numbers is that it can be

written as an integer linear combination of the

numbers - Example 2 gcd(32,24) 8
- 32 1?24 8
- Thus 8 1?32 (-1)?24
- Example 3 gcd(54,42)
- 54 1?42 12
- 42 3?12 6
- 12 2?6 0, so 6 gcd(54,42)
- Using back-substitution
- 6 1?42 - 3?12 and 12 1?54 - 1?42
- Thus 6 1?42 - 3?(1?54 - 1?42 ) 4?42

(-3)?54

Euclidean VIDEO Tutorials

- http//www.youtube.com/watch?vfz1vxq5ts5I very

clear, easy to follow - http//www.youtube.com/watch?vshaQZg8bqUM This

is a little longer, but a pretty good one.

Here is another method method

- One divided by a given number is the

multiplicative inverse of that number. To find

the multiplicative inverse of the number a - Find the logarithm for a
- Subtract 255 by a's logarithm
- Take the anti-log of the resulting number
- This is the multiplicative inverse (In other

words, 1 / a) - Here is some code which uses the above log and

anti-log tables to calculate the multiplicative

inverse unsigned char gmul_inverse(unsigned char

in) - / 0 is self inverting /
- if(in 0)
- return 0
- else
- return atable(255 - ltablein)
- This example comes from http//www.samiam.org/galo

is.html

Rijendael step by step- The s-box

- This is the standard s-box

Multiplicative inverse

- The S-box is generated by determining the

multiplicative inverse for a given number in

GF(28) GF(2)x/(x8 x4 x3 x 1),

Rijndael's finite field (zero, which has no

inverse, is set to zero). Rijndael uses a

characteristic 2 finite field with 256 elements,

which can also be called the Galois field GF(28).

It employs the following reducing polynomial for

multiplication x8 x4 x3 x 1. - The multiplicative inverse is then transformed

using the following affine transformation

S-box Derivation

The S-box maps byte x to byte z via the function

z Ax-1b Input byte x x7x6x5x4x3x2x1x0 Compu

te the inverse in GF(28) y7y6y5y4y3y2y1y0

(non-linear, vs. attacks) (use 0 as inverse of

0) Compute this linear function z in

GF(28) (to complicate attacks) (A

is simple to implement) b chosen so

Calculate the multiplicative inverse

- Recall that the multiplicative inverse in a

modulo n world is defined as being the number,

a-1, such that - (a)(a-1) 1 (mod n)
- Thus, for example, 3 and 7 are multiplicative

inverses of each other in a mod 10 world while 5

and 11 are multiplicative inverses of each other

in a mod 27 world. - For very small moduli, finding the multiplicative

inverse of a number is not terribly difficult to

do via exhaustive search since, by definition, - (a)(a-1) kn 1
- So it becomes a simple matter of writing this as
- (a-1) (kn 1)/a
- and trying successive values of k until one is

found that results in the right hand side being

an integer. All that is then left is to reduce

the resulting integer modulo n. But as the

modulus grows, this process quickly becomes

unwieldy and impractical. What is needed is a

more systematic means of finding a-1.

Calculate the multiplicative inverse

- We have to find x such that ax 1 (mod m)
- Above equivalence can be stated alternatively

as - ax pm 1
- or ax my 1 known as Bézouts identity

Table of Multiplicative inverses

Generating the standard S-Box

- The next slides provide this. However if you wish

to alter the s-box you should attempt the

following - Find a different irreducible polynomial to use as

the mod operation. - Find a different affine transform, that simply

means a different matrix to multiple the

multiplicative inverse by. This changes the

shifts/operations you see in the following slides.

Rijendael step by step- The s-box

- This will generate the Rijndael (AES) S-box,

which is represented here with hexadecimal

notation

Rijendael step by step- step one

- Take a number for GF(28) lets pick 2. Looking at

the multiplicative inverse table that gives us 8d

in hex or 10001101 in binary - Now we need to do four iterations of the process

of affine transformation. We start by putting

the multiplicative inverse into two variables s

and x - s 10001101
- x 10001101

Rijendael step by step- step two (first iteration)

- Rotate s(10001101) to the left 00011010
- If the high bit is one make the low bit 1
- else low bit is 0
- Now in this case the high bit WAS 1 so we change

the low bit - so s is 00011011
- xor with x so 00011011 xor 10001101 10010110
- s 00011011 x 10010110

Rijendael step by step- step three (second

iteration)

- rotate s (00011011 )to the left 00110110
- If then(shown above) still gives us 00110110
- xor with x so 00110110 xor 10010110 10100000
- s 00110110 x 10100000

Rijendael step by step- step four (third

iteration)

- rotate s(00110110) to the left 01101100
- if then (shown above ) still gives us 01101100
- xor with x so 01101100 xor 10100000 11001100
- so s 01101100 x 11001100

Rijendael step by step- step five(fourth

iteration)

- rotate s(01101100) to the left 11011000
- if then (shown above) still gives us 11011000
- xor with x so 01101100 xor 11001100 00010100
- so s 11011000 x 00010100

Rijendael step by step- step six

- Now x (00010100) gets xor'd with decimal 99 (hex

x63 binary 1100011) 1110111 or 77 - And if we check the s-box table for what 2 should

give us we get

So what are we seeing?

- The output is actually the multiplicative invers

of the input then put through this affine

transform. - Still not convinced lets see it again?

Rijendael step by step- step one

- Take a number for GF(28) lets pick 7. Looking at

the multiplicative inverse table that gives us d1

in hex or 11010001 in binary - Now we need to do four iterations of the process

of affine transformation. We start by putting

the multiplicative inverse into two variables s

and x - s 11010001
- x 11010001

Rijendael step by step- step two (first iteration)

- Rotate s(11010001) to the left 10100010
- If the high bit is one make the low bit 1
- else low bit is 0
- Now in this case the high bit WAS 1 so we change

the low bit - so s is 10100011
- xor with x so 10100011 xor 11010001 1110010
- s 10100011 x 1110010

Rijendael step by step- step three (second

iteration)

- rotate s(10100011) to the left 01000110
- If then(shown above)
- gives us 01000111
- xor with x so 01000111 xor 1110010 00110101
- s 01000111 x 00110101

Rijendael step by step- step four (third

iteration)

- rotate s(01000111) to the left 10001110
- if then (shown above ) still gives us 10001110
- xor with x so 10001110 xor 00110101 10111011
- so s 10001110 x 10111011

Rijendael step by step- step five(fourth

iteration)

- rotate s(10001110) to the left 00011100
- if then (shown above)
- gives us 00011101
- xor with x so 00011101 xor 10111011 10100110
- so s 00011101 x 10100110

Rijendael step by step- step six

- Now x (10100110) gets xor'd with decimal 99 (hex

x63 binary 1100011) 11000101 or c5 - And if we check the s-box table for what 7 should

give us we get

That is IT!!

- That is how you generate the entire Rijndael s

box! - Is this clearer? Well lets reiterate the basics
- Use GF(28) and look at each possible value in

that filed one at a time. - Find the multiplicative inverse, then compute the

transform. - That takes four steps, and gives us the output

for the s box

But wait

- What was the matrix we saw earlier? Well that is

an alternative way to do this. You can put all

the GF(28) values in a matrix, and use the matrix

we saw to produce the multiplicative inverse of

the GF(28) matrixOR you can use the formula we

just did! - What does this mean? Well either method works,

but I think you will find the formula method

easier to code in any programming language and

easier to alter.

Alter it? How

- Some obvious solutions come into play
- What about different shifts? Left or right, or by

more than one? Will that affect the output? - Of course a different value of GF(28) perhaps

GF(29) for 512 bits? - Perhaps building this output table (this s box)

then xoring it with the round key so there is a

different s-box each round? And it is semi key

dependent? - Of course you could construct an entirely

different affine transform.

How to change an AES s-box

- Remember you want the entire cipher to meet
- Strict Avalanche Criteria
- Bit independence criteria
- Balance
- As much as possible the s-box should fulfill

this. So when making any change, we know that we

must make certain our change meets these criteria

So what changes can we make

- Isomorphic fields to the underlying field can be

generated by using different irreducible

polynomials of the same degree. There are a total

of 30 irreducible polynomials of degree 8 to

choose from. This gives you 29 alternatives to

the traditional s-box for AES, each with well

tested security. (note for more details you can

look into Rabins test for irreducibility). - Change the affine transform. This is a little

more tricky but safe if you simply alter

parameters within the existing transform.

Section 5.2 of Algebraic Construction and

Cryptographic Properties of Rijndael

Substitution discusses this in detail. - Change the translation vector (the final number

you xor with). Obviously there are 255 possible

variations.

Comments on changing the affine transform

- We propose to increase the complexity and

security of AES S-box by modifying the affine

transformation and adding an affine

transformation - -AN IMPROVED AES S-BOX AND ITS PERFORMANCE

ANALYSIS improved AES s-box performance.pdf