Rijndael S-box

Rijndael S-box

This article describes the S-box used by the Rijndael (aka AES) cryptographic algorithm.

The S-box is generated by determining the multiplicative inverse for a given number in Rijndael's finite field (zero,which has no inverse, is set to zero). The multiplicative inverse is then transformed using the following affine transformation:

:egin{bmatrix}1&0&0&0&1&1&1&1 \1&1&0&0&0&1&1&1 \1&1&1&0&0&0&1&1 \1&1&1&1&0&0&0&1 \1&1&1&1&1&0&0&0 \0&1&1&1&1&1&0&0 \0&0&1&1&1&1&1&0 \0&0&0&1&1&1&1&1end{bmatrix}egin{bmatrix}x_0\x_1\x_2\x_3\x_4\x_5\x_6\x_7end{bmatrix}+egin{bmatrix}1\1\0\0\0\1\1\0end{bmatrix}

where [x0, ..., x7] is the multiplicative inverse as a vector.

The matrix multiplication can be calculated by the following algorithm:

# Store the multiplicative inverse of the input number in two 8-bit unsigned temporary variables: "s" and "x".
# Rotate the value "s" one bit to the left; if the value of "s" had a high bit (eighth bit from the right) of one, make the low bit of "s" one; otherwise the low bit of "s" is zero.
# Exclusive or the value of "x" with the value of "s", storing the value in "x"
# For three more iterations, repeat steps two and three; steps two and three are done a total of four times.
# The value of "x" will now have the result of the multiplication.

After the matrix multiplication is done, exclusive or the value by the decimal number 99 (the hexadecimal number 0x63, the binary number 1100011, and the bit string 11000110 representing the number in LSb first notation).

This will generate the following S-box, which is represented here with hexadecimal notation:


0 1 2 3 4 5 6 7 8 9 a b c d e f---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--
00 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 |d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Here the column is determined by the least significant nibble, and the row is determined by the most significant nibble. For example, the value 0x9a is converted in to 0xb8 by Rijndael's S-box. Note that the multiplicative inverse of 0x00 is defined as itself.

Inverse S-box

The inverse S-box is simply the S-box run in reverse. For example, the inverse S-box of 0xdb is 0x9f. It is calculated by first calculating the inverse affine transformation of the input value, followed by the multiplicative inverse. The inverse affine transformation is as follows:

:egin{bmatrix}0&0&1&0&0&1&0&1 \1&0&0&1&0&0&1&0 \0&1&0&0&1&0&0&1 \1&0&1&0&0&1&0&0 \0&1&0&1&0&0&1&0 \0&0&1&0&1&0&0&1 \1&0&0&1&0&1&0&0 \0&1&0&0&1&0&1&0end{bmatrix}egin{bmatrix}x_0\x_1\x_2\x_3\x_4\x_5\x_6\x_7end{bmatrix}+egin{bmatrix}1\0\1\0\0\0\0\0end{bmatrix}

The following table represents Rijndael's inverse S-box:


0 1 2 3 4 5 6 7 8 9 a b c d e f---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--
00 |52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 10 |7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 20 |54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 30 |08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 40 |72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 50 |6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 60 |90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 70 |d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 80 |3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 90 |96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a0 |47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b0 |fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c0 |1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d0 |60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e0 |a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 f0 |17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

Design criteria

The Rijndael S-Box was specifically designed to be resistant to linear and differential cryptanalysis. This was done by minimizing the correlation between linear transformations of input/output bits, and at the same time minimizing the difference propagation probability.

In addition, to strengthen the S-Box against algebraic attacks, the affine transformation was added. In the case of suspicion of a trapdoor being built into the cipher, the current S-box might be replaced by another one. The authors claim that the Rijndael cipher structure should provide enough resistance against differential and linear cryptanalysis, even if an S-Box with "average" correlation / difference propagation properties is used.

An alternate equation for the Affine Transformation

An equivalent equation for the affine transformation is: b'_i = b_i oplus b_{(i+4)mod8} oplus b_{(i+5)mod8} oplus b_{(i+6)mod8} oplus b_{(i+7)mod8} oplus c_iwhere b' b and c are 8 bit arrays and c is 01100011. [http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS PUB 197: the official AES standard] , section 5.5.1

Implementations

This can be done with the following java code:public static boolean [] affineX (boolean [] bprime, boolean [] b, boolean [] c) { for (int j=0; j<8; j++) { bprime [ j ] = b [ j ] ^ b [ (j+4)%8 ] ; bprime [ j ] ^= b [ (j+5)%8 ] ; bprime [ j ] ^= b [ (j+6)%8 ] ; bprime [ j ] ^= b [ (j+7)%8 ] ; bprime [ j ] ^= c [ j ] ; } return bprime;}

Here is a C/C++ function for both forward and reverse S-box lookup:

S-box Lookup:int getSBoxValue(int num){static const int sbox [256] = {//0 1 2 3 4 5 6 7 8 9 A B C D E F0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, //00xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, //10xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, //20x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, //30x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, //40x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, //50xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, //60x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, //70xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, //80x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, //90xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, //A0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, //B0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, //C0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, //D0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, //E0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 }; //Freturn sbox [num] ;}

Reverse S-box lookup:int getSBoxInvert(int num){ static const int rsbox [256] = { 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };

return rsbox [num] ;}

This C++ program verifies that the functions are inverses, assuming you have included the function definitions above:


#include using namespace std;

int main(){ bool err = false; int errorCount = 0; for (int i = 0; i < 256; ++i) { if (getSBoxInvert(getSBoxValue(i)) != i) { cout << "Wrong value at " << i << " "; err = true; errorCount ++; } }

if(err) cout << "There were " << errorCount << " errors in the lookup table "; else cout << "OK all lookups succeeded "; return 0;}

References

* [http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/%7Erijmen/rijndael/rijndaeldocV2.zip Rijndael specification] (Zip compressed PDF file).
* [http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS PUB 197: the official AES standard] (PDF file)
* [http://www.iaik.tugraz.at/research/krypto/AES/old/~rijmen/rijndael/ The Rijndael Page]


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • Rijndael — est le nom de l algorithme de chiffrement symétrique employé par le standard AES. Sommaire 1 Rijndael et AES 2 Objectifs 3 Origines 4 Voir auss …   Wikipédia en Français

  • Rijndael — AES Der Substitutionschritt, einer von 4 Teilschritten pro Runde Entwickler Joan Daemen, Vincent Rijmen Veröffentlicht 1998, Zertifizierung Oktober 2000 Abgeleitet von Sq …   Deutsch Wikipedia

  • Rijndael key schedule — AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule. Common operations Rijndael s key schedule utilizes a number of operations, which will be described before… …   Wikipedia

  • S-box — (substitution box), terme anglais désignant une table de substitution utilisée dans un algorithme de chiffrement symétrique. Une S Box contribue à la « confusion » (terme employé par Claude Shannon) en rendant l information originale… …   Wikipédia en Français

  • S-Box — (substitution box), terme anglais désignant une table de substitution utilisée dans un algorithme de chiffrement symétrique. Une S Box contribue à la « confusion » (terme employé par Claude Shannon) en rendant l information originale… …   Wikipédia en Français

  • Substitution box — In cryptography, a substitution box (or S box) is a basic component of symmetric key algorithms. In block ciphers, they are typically used to obscure the relationship between the plaintext and the ciphertext mdash; Shannon s property of confusion …   Wikipedia

  • Advanced Encryption Standard — Infobox block cipher name = AES caption = The SubBytes step, one of four stages in a round of AES designers = Vincent Rijmen, Joan Daemen publish date = 1998 derived from = Square derived to = Anubis, Grand Cru related to = certification = AES… …   Wikipedia

  • Boite-S — S Box S Box (substitution box), terme anglais désignant une table de substitution utilisée dans un algorithme de chiffrement symétrique. Une S Box contribue à la « confusion » (terme employé par Claude Shannon) en rendant l information… …   Wikipédia en Français

  • Boîte-S — S Box S Box (substitution box), terme anglais désignant une table de substitution utilisée dans un algorithme de chiffrement symétrique. Une S Box contribue à la « confusion » (terme employé par Claude Shannon) en rendant l information… …   Wikipédia en Français

  • Table de substitution — S Box S Box (substitution box), terme anglais désignant une table de substitution utilisée dans un algorithme de chiffrement symétrique. Une S Box contribue à la « confusion » (terme employé par Claude Shannon) en rendant l information… …   Wikipédia en Français

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”