Processing Standards Publication 197
November 26, 2001
Announcing the
ADVANCED ENCRYPTION STANDARD (AES)
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235).

1. Name of Standard. Advanced Encryption Standard (AES) (FIPS PUB 197).

2. Category of Standard. Computer Security Standard, Cryptography.
3. Explanation. The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext.

The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.
4. Approving Authority. Secretary of Commerce.
5. Maintenance Agency. Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory (ITL).

6. Applicability. This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.

Other FIPS-approved cryptographic algorithms may be used in addition to, or in lieu of, this standard. Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive (unclassified) information in lieu of this standard.

In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is encouraged when it provides the desired security for commercial and private organizations.

7. Specifications. Federal Information Processing Standard (FIPS) 197, Advanced Encryption Standard (AES) (affixed).
8. Implementations. The algorithm specified in this standard may be implemented in software, firmware, hardware, or any combination thereof. The specific implementation may depend on several factors such as the application, the environment, the technology used, etc. The algorithm shall be used in conjunction with a FIPS approved or NIST recommended mode of operation. Object Identifiers (OIDs) and any associated parameters for AES used in these modes are available at the Computer Security Objects Register (CSOR), located at http://csrc.nist.gov/csor/ [2].

Implementations of the algorithm that are tested by an accredited laboratory and validated will be considered as complying with this standard. Since cryptographic security depends on many factors besides the correct implementation of an encryption algorithm, Federal Government employees, and others, should also refer to NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, for additional information and guidance (NIST SP 800-21 is available at http://csrc.nist.gov/publications/).

9. Implementation Schedule. This standard becomes effective on May 26, 2002.
10. Patents. Implementations of the algorithm specified in this standard may be covered by U.S. and foreign patents.

11. Export Control. Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Applicable Federal government export controls are specified in Title 15, Code of Federal Regulations (CFR) Part 740.17; Title 15, CFR Part 742; and Title 15, CFR Part 774, Category 5, Part 2.

12. Qualifications. NIST will continue to follow developments in the analysis of the AES algorithm. As with its other cryptographic algorithm standards, NIST will formally reevaluate this standard every five years.

Both this standard and possible threats reducing the security provided through the use of this standard will undergo review by NIST as appropriate, taking into account newly available analysis and technology. In addition, the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NIST to reevaluate this standard and provide necessary revisions.

13. Waiver Procedure. Under certain exceptional circumstances, the heads of Federal agencies, or their delegates, may approve waivers to Federal Information Processing Standards (FIPS). The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506(b) of Title 44, U.S. Code. Waivers shall be granted only when compliance with this standard would

a. adversely affect the accomplishment of the mission of an operator of a Federal computer system or
b. cause a major adverse financial impact on the operator that is not offset by government-wide savings.
Agency heads may act upon a written waiver request containing the information detailed above. Agency heads may also act without a written waiver request when they determine that conditions for meeting the standard cannot be met. Agency heads may approve waivers only by a written decision that explains the basis on which the agency head made the required finding(s). A copy of each such decision, with procurement sensitive or classified portions clearly identified, shall be sent to: National Institute of Standards and Technology; ATTN: FIPS Waiver Decision, Information Technology Laboratory, 100 Bureau Drive, Stop 00, Gaithersburg, MD 209-00.

In addition, notice of each waiver granted and each delegation of authority to approve waivers shall be sent promptly to the Committee on Government Operations of the House of Representatives and the Committee on Government Affairs of the Senate and shall be published promptly in the Federal Register.

When the determination on a waiver applies to the procurement of equipment and/or services, a notice of the waiver determination must be published in the Commerce Business Daily as a part of the notice of solicitation for offers of an acquisition or, if the waiver determination is made after that notice is published, by amendment to such notice.

A copy of the waiver, any supporting documents, the document approving the waiver and any supporting and accompanying documents, with such deletions as the agency is authorized and decides to make under Section 552(b) of Title 5, U.S. Code, shall be part of the procurement documentation and retained by the agency.

14. Where to obtain copies. This publication is available electronically by accessing http://csrc.nist.gov/publications/. A list of other available computer security publications, including ordering information, can be obtained from NIST Publications List 91, which is available at the same web site. Alternatively, copies of NIST computer security publications are available from: National Technical Information Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161.
Federal Information Processing Standards Publication 197
November 26, 2001
Specification for the
ADVANCED ENCRYPTION STANDARD (AES)
Table of Contents

1. Introduction
2. Definitions
   2.1 Glossary of Terms and Acronyms
   2.2 Algorithm Parameters, Symbols, and Functions
3. Notation and Conventions
   3.1 Inputs and Outputs
   3.2 Bytes
   3.3 Arrays of Bytes
   3.4 The State
   3.5 The State as an Array of Columns
4. Mathematical Preliminaries
   4.1 Addition
   4.2 Multiplication
       4.2.1 Multiplication by x
   4.3 Polynomials with Coefficients in GF(2^8)
5. Algorithm Specification
   5.1 Cipher
       5.1.1 SubBytes() Transformation
       5.1.2 ShiftRows() Transformation
       5.1.3 MixColumns() Transformation
       5.1.4 AddRoundKey() Transformation
   5.2 Key Expansion
   5.3 Inverse Cipher
       5.3.1 InvShiftRows() Transformation
       5.3.2 InvSubBytes() Transformation
       5.3.3 InvMixColumns() Transformation
       5.3.4 Inverse of the AddRoundKey() Transformation
       5.3.5 Equivalent Inverse Cipher
6. Implementation Issues
   6.1 Key Length Requirements
   6.2 Keying Restrictions
   6.3 Parameterization of Key Length, Block Size, and Round Number
   6.4 Implementation Suggestions Regarding Various Platforms
Appendix A - Key Expansion Examples
   A.1 Expansion of a 128-bit Cipher Key
   A.2 Expansion of a 192-bit Cipher Key
   A.3 Expansion of a 256-bit Cipher Key
Appendix B - Cipher Example
Appendix C - Example Vectors
   C.1 AES-128 (Nk=4, Nr=10)
   C.2 AES-192 (Nk=6, Nr=12)
   C.3 AES-256 (Nk=8, Nr=14)
Appendix D - References
Table of Figures

Figure 1. Hexadecimal representation of bit patterns.
Figure 2. Indices for Bytes and Bits.
Figure 3. State array input and output.
Figure 4. Key-Block-Round Combinations.
Figure 5. Pseudo Code for the Cipher.
Figure 6. SubBytes() applies the S-box to each byte of the State.
Figure 7. S-box: substitution values for the byte xy (in hexadecimal format).
Figure 8. ShiftRows() cyclically shifts the last three rows in the State.
Figure 9. MixColumns() operates on the State column-by-column.
Figure 10. AddRoundKey() XORs each column of the State with a word from the key schedule.
Figure 11. Pseudo Code for Key Expansion.
Figure 12. Pseudo Code for the Inverse Cipher.
Figure 13. InvShiftRows() cyclically shifts the last three rows in the State.
Figure 14. Inverse S-box: substitution values for the byte xy (in hexadecimal format).
Figure 15. Pseudo Code for the Equivalent Inverse Cipher.
1. Introduction

This standard specifies the Rijndael algorithm ([3] and [4]), a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths; however, they are not adopted in this standard.

Throughout the remainder of this standard, the algorithm specified herein will be referred to as "the AES algorithm." The algorithm may be used with the three different key lengths indicated above, and therefore these different "flavors" may be referred to as "AES-128", "AES-192", and "AES-256".

This specification includes the following sections:

2. Definitions of terms, acronyms, and algorithm parameters, symbols, and functions;
3. Notation and conventions used in the algorithm specification, including the ordering and numbering of bits, bytes, and words;
4. Mathematical properties that are useful in understanding the algorithm;
5. Algorithm specification, covering the key expansion, encryption, and decryption routines;
6. Implementation issues, such as key length support, keying restrictions, and additional block/key/round sizes.

The standard concludes with several appendices that include step-by-step examples for Key Expansion and the Cipher, example vectors for the Cipher and Inverse Cipher, and a list of references.
2. Definitions

2.1 Glossary of Terms and Acronyms

The following definitions are used throughout this standard:

AES
    Advanced Encryption Standard

Affine Transformation
    A transformation consisting of multiplication by a matrix followed by the addition of a vector.

Array
    An enumerated collection of identical entities (e.g., an array of bytes).

Bit
    A binary digit having a value of 0 or 1.

Block
    Sequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.

Byte
    A group of eight bits that is treated either as a single entity or as an array of 8 individual bits.

Cipher
    Series of transformations that converts plaintext to ciphertext using the Cipher Key.

Cipher Key
    Secret, cryptographic key that is used by the Key Expansion routine to generate a set of Round Keys; can be pictured as a rectangular array of bytes, having four rows and Nk columns.

Ciphertext
    Data output from the Cipher or input to the Inverse Cipher.

Inverse Cipher
    Series of transformations that converts ciphertext to plaintext using the Cipher Key.

Key Expansion
    Routine used to generate a series of Round Keys from the Cipher Key.

Plaintext
    Data input to the Cipher or output from the Inverse Cipher.

Rijndael
    Cryptographic algorithm specified in this Advanced Encryption Standard (AES).

Round Key
    Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher.

State
    Intermediate Cipher result that can be pictured as a rectangular array of bytes, having four rows and Nb columns.

S-box
    Non-linear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one-for-one substitution of a byte value.

Word
    A group of 32 bits that is treated either as a single entity or as an array of 4 bytes.
2.2 Algorithm Parameters, Symbols, and Functions

The following algorithm parameters, symbols, and functions are used throughout this standard:

AddRoundKey()
    Transformation in the Cipher and Inverse Cipher in which a Round Key is added to the State using an XOR operation. The length of a Round Key equals the size of the State (i.e., for Nb = 4, the Round Key length equals 128 bits/16 bytes).

InvMixColumns()
    Transformation in the Inverse Cipher that is the inverse of MixColumns().

InvShiftRows()
    Transformation in the Inverse Cipher that is the inverse of ShiftRows().

InvSubBytes()
    Transformation in the Inverse Cipher that is the inverse of SubBytes().

K
    Cipher Key.

MixColumns()
    Transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns.

Nb
    Number of columns (32-bit words) comprising the State. For this standard, Nb = 4. (Also see Sec. 6.3.)

Nk
    Number of 32-bit words comprising the Cipher Key. For this standard, Nk = 4, 6, or 8. (Also see Sec. 6.3.)

Nr
    Number of rounds, which is a function of Nk and Nb (which is fixed). For this standard, Nr = 10, 12, or 14. (Also see Sec. 6.3.)

Rcon[]
    The round constant word array.

RotWord()
    Function used in the Key Expansion routine that takes a four-byte word and performs a cyclic permutation.

ShiftRows()
    Transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.

SubBytes()
    Transformation in the Cipher that processes the State using a non-linear byte substitution table (S-box) that operates on each of the State bytes independently.

SubWord()
    Function used in the Key Expansion routine that takes a four-byte input word and applies an S-box to each of the four bytes to produce an output word.

XOR
    Exclusive-OR operation.

⊕
    Exclusive-OR operation.

⊗
    Multiplication of two polynomials (each with degree < 4) modulo x^4 + 1.

•
    Finite field multiplication.
3. Notation and Conventions

3.1 Inputs and Outputs

The input and output for the AES algorithm each consist of sequences of 128 bits (digits with values of 0 or 1). These sequences will sometimes be referred to as blocks and the number of bits they contain will be referred to as their length. The Cipher Key for the AES algorithm is a sequence of 128, 192 or 256 bits. Other input, output and Cipher Key lengths are not permitted by this standard.

The bits within such sequences will be numbered starting at zero and ending at one less than the sequence length (block length or key length). The number i attached to a bit is known as its index and will be in one of the ranges 0 ≤ i < 128, 0 ≤ i < 192 or 0 ≤ i < 256 depending on the block length and key length (specified above).
3.2 Bytes

The basic unit for processing in the AES algorithm is a byte, a sequence of eight bits treated as a single entity. The input, output and Cipher Key bit sequences described in Sec. 3.1 are processed as arrays of bytes that are formed by dividing these sequences into groups of eight contiguous bits to form arrays of bytes (see Sec. 3.3). For an input, output or Cipher Key denoted by a, the bytes in the resulting array will be referenced using one of the two forms, a_n or a[n], where n will be in one of the following ranges:

    Block length = 128 bits,   0 ≤ n < 16;
    Key length = 128 bits,     0 ≤ n < 16;
    Key length = 192 bits,     0 ≤ n < 24;
    Key length = 256 bits,     0 ≤ n < 32.

All byte values in the AES algorithm will be presented as the concatenation of its individual bit values (0 or 1) between braces in the order {b7, b6, b5, b4, b3, b2, b1, b0}. These bytes are interpreted as finite field elements using a polynomial representation:

    b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0 = \sum_{i=0}^{7} b_i x^i.    (3.1)

For example, {01100011} identifies the specific finite field element x^6 + x^5 + x + 1.

It is also convenient to denote byte values using hexadecimal notation with each of two groups of four bits being denoted by a single character as in Fig. 1.

    Bit Pattern  Character | Bit Pattern  Character | Bit Pattern  Character | Bit Pattern  Character
    0000         0         | 0100         4         | 1000         8         | 1100         c
    0001         1         | 0101         5         | 1001         9         | 1101         d
    0010         2         | 0110         6         | 1010         a         | 1110         e
    0011         3         | 0111         7         | 1011         b         | 1111         f

Figure 1. Hexadecimal representation of bit patterns.

Hence the element {01100011} can be represented as {63}, where the character denoting the four-bit group containing the higher numbered bits is again to the left.

Some finite field operations involve one additional bit (b8) to the left of an 8-bit byte. Where this extra bit is present, it will appear as '{01}' immediately preceding the 8-bit byte; for example, a 9-bit sequence will be presented as {01}{1b}.
3.3 Arrays of Bytes

Arrays of bytes will be represented in the following form:

    a_0 a_1 a_2 ... a_15

The bytes and the bit ordering within bytes are derived from the 128-bit input sequence

    input_0 input_1 input_2 ... input_126 input_127

as follows:

    a_0 = {input_0, input_1, ..., input_7};
    a_1 = {input_8, input_9, ..., input_15};
    ...
    a_15 = {input_120, input_121, ..., input_127}.

The pattern can be extended to longer sequences (i.e., for 192- and 256-bit keys), so that, in general,

    a_n = {input_{8n}, input_{8n+1}, ..., input_{8n+7}}.    (3.2)
Taking Sections 3.2 and 3.3 together, Fig. 2 shows how bits within each byte are numbered.

    Input bit sequence    0 1 2 3 4 5 6 7 | 8 9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23 | ...
    Byte number                  0        |           1           |            2            | ...
    Bit numbers in byte   7 6 5 4 3 2 1 0 | 7 6  5  4  3  2  1  0 |  7  6  5  4  3  2  1  0 | ...

Figure 2. Indices for Bytes and Bits.
3.4 The State

Internally, the AES algorithm's operations are performed on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array denoted by the symbol s, each individual byte has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either s_{r,c} or s[r,c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4 (also see Sec. 6.3).

At the start of the Cipher and Inverse Cipher described in Sec. 5, the input (the array of bytes in_0, in_1, ... in_15) is copied into the State array as illustrated in Fig. 3. The Cipher or Inverse Cipher operations are then conducted on this State array, after which its final value is copied to the output (the array of bytes out_0, out_1, ... out_15).

    input bytes                   State array                   output bytes

    in0  in4  in8   in12          s0,0 s0,1 s0,2 s0,3           out0  out4  out8   out12
    in1  in5  in9   in13    ->    s1,0 s1,1 s1,2 s1,3    ->     out1  out5  out9   out13
    in2  in6  in10  in14          s2,0 s2,1 s2,2 s2,3           out2  out6  out10  out14
    in3  in7  in11  in15          s3,0 s3,1 s3,2 s3,3           out3  out7  out11  out15

Figure 3. State array input and output.

Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State array according to the scheme:

    s[r, c] = in[r + 4c]    for 0 ≤ r < 4 and 0 ≤ c < Nb,    (3.3)

and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as follows:

    out[r + 4c] = s[r, c]    for 0 ≤ r < 4 and 0 ≤ c < Nb.    (3.4)
3.5 The State as an Array of Columns

The four bytes in each column of the State array form 32-bit words, where the row number r provides an index for the four bytes within each word. The State can hence be interpreted as a one-dimensional array of 32-bit words (columns), w_0...w_3, where the column number c provides an index into this array. Hence, for the example in Fig. 3, the State can be considered as an array of four words, as follows:

    w_0 = s0,0 s1,0 s2,0 s3,0
    w_1 = s0,1 s1,1 s2,1 s3,1
    w_2 = s0,2 s1,2 s2,2 s3,2
    w_3 = s0,3 s1,3 s2,3 s3,3 .    (3.5)
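The indexing conventions of Sections 3.1 through 3.5 are where interoperability bugs usually hide: input bit 0 is the most significant bit b7 of byte 0, and the State is filled column by column rather than row by row. The following Python is an added example and is not part of FIPS 197; the function names and the sample block are this example's own. It implements the mappings of equations (3.1) through (3.5) and checks that loading and storing the State round-trips.

```python
# Added example, not part of FIPS 197. Function names are the example's own.
# Bits are ints 0/1, bytes are ints 0..255, and the State is a list of 4 rows,
# each a list of NB bytes, indexed s[r][c] exactly as s[r, c] in the text.

NB = 4  # number of 32-bit columns in the State; fixed at 4 by this standard


def bits_to_bytes(bits: list) -> list:
    """Equation (3.2): a_n = {input_8n, ..., input_8n+7}. Fig. 2 numbers the
    bits inside a byte 7..0, so the first input bit of each group is b7 (MSB)."""
    if len(bits) % 8:
        raise ValueError("bit sequence length must be a multiple of 8")
    out = []
    for n in range(len(bits) // 8):
        value = 0
        for j in range(8):
            value = (value << 1) | (bits[8 * n + j] & 1)
        out.append(value)
    return out


def bytes_to_bits(data: bytes) -> list:
    """Inverse mapping: input bit 8n + j is bit (7 - j) of byte n."""
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def byte_to_poly(b: int) -> str:
    """Equation (3.1): the GF(2^8) polynomial a byte stands for,
    e.g. {63} -> x^6 + x^5 + x + 1."""
    terms = []
    for i in range(7, -1, -1):
        if (b >> i) & 1:
            terms.append("x^%d" % i if i > 1 else ("x" if i == 1 else "1"))
    return " + ".join(terms) if terms else "0"


def load_state(inp: bytes) -> list:
    """Equation (3.3): s[r, c] = in[r + 4c]; the 16 input bytes fill the State
    column by column (Fig. 3), not row by row."""
    if len(inp) != 4 * NB:
        raise ValueError("input block must be %d bytes" % (4 * NB))
    return [[inp[r + 4 * c] for c in range(NB)] for r in range(4)]


def store_state(s: list) -> bytes:
    """Equation (3.4): out[r + 4c] = s[r, c]."""
    return bytes(s[r][c] for c in range(NB) for r in range(4))


def state_columns(s: list) -> list:
    """Equation (3.5): column c read as the 32-bit word w_c = s0,c s1,c s2,c s3,c,
    with s0,c as the most significant byte."""
    return [int.from_bytes(bytes(s[r][c] for r in range(4)), "big") for c in range(NB)]


def demo() -> dict:
    """Walk a constructed 128-bit input through every mapping and round-trip it."""
    inp = bytes(range(16))                      # constructed sample block 00 01 .. 0f
    bits = bytes_to_bits(inp)
    s = load_state(inp)
    return {
        "poly_of_63": byte_to_poly(0x63),
        "bits_roundtrip": bits_to_bytes(bits) == list(inp),
        "row_0": s[0],                          # in0 in4 in8 in12
        "column_words": state_columns(s),
        "state_roundtrip": store_state(s) == inp,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An implementation that fills the State row by row, or that numbers the bits of a byte from the left as 0..7, is still self-consistent (it decrypts what it encrypts) but will not match the Appendix C vectors, because ShiftRows() and MixColumns() would then act on different bytes; keeping the two mappings in small functions like these lets them be tested in isolation.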
4. Mathematical Preliminaries

All bytes in the AES algorithm are interpreted as finite field elements using the notation introduced in Sec. 3.2. Finite field elements can be added and multiplied, but these operations are different from those used for numbers. The following subsections introduce the basic mathematical concepts needed for Sec. 5.

4.1 Addition

The addition of two elements in a finite field is achieved by "adding" the coefficients for the corresponding powers in the polynomials for the two elements. The addition is performed with the XOR operation (denoted by ⊕), i.e., modulo 2, so that 1 ⊕ 1 = 0, 1 ⊕ 0 = 1, and 0 ⊕ 0 = 0. Consequently, subtraction of polynomials is identical to addition of polynomials.

Alternatively, addition of finite field elements can be described as the modulo 2 addition of corresponding bits in the byte. For two bytes {a7 a6 a5 a4 a3 a2 a1 a0} and {b7 b6 b5 b4 b3 b2 b1 b0}, the sum is {c7 c6 c5 c4 c3 c2 c1 c0}, where each c_i = a_i ⊕ b_i (i.e., c7 = a7 ⊕ b7, c6 = a6 ⊕ b6, ... c0 = a0 ⊕ b0). For example, the following expressions are equivalent to one another:

    (x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2    (polynomial notation);
    {01010111} ⊕ {10000011} = {11010100}                                  (binary notation);
    {57} ⊕ {83} = {d4}                                                    (hexadecimal notation).
In the polynomial representation, multiplication in GF(28) (denoted by •) corresponds with themultiplication of polynomials modulo an irreducible polynomial of degree 8. A polynomial isirreducible if its only divisors are one and itself. For the AES algorithm, this irreduciblepolynomial is
m(x)=x8+x4+x3+x+1,
10
(4.1)
or {01}{1b} in hexadecimal notation.For example, {57} • {83} = {c1}, because
(x6+x4+x2+x+1)(x7+x+1)
=
x13+x11+x9+x8+x7+x7+x5+x3+x2+x+x6+x4+x2+x+1
=
and
x13+x11+x9+x8+x6+x5+x4+x3+1 modulo (x8+x4+x3+x+1)
=
x7+x6+1.
The modular reduction by m(x) ensures that the result will be a binary polynomial of degree lessthan 8, and thus can be represented by a byte. Unlike addition, there is no simple operation at thebyte level that corresponds to this multiplication.
The multiplication defined above is associative, and the element {01} is the multiplicativeidentity. For any non-zero binary polynomial b(x) of degree less than 8, the multiplicativeinverse of b(x), denoted b-1(x), can be found as follows: the extended Euclidean algorithm [7] isused to compute polynomials a(x) and c(x) such that
b(x)a(x)+m(x)c(x)=1.
Hence, a(x)•b(x)modm(x)=1, which means
b−1(x)=a(x)modm(x).
Moreover, for any a(x), b(x) and c(x) in the field, it holds that
a(x)•(b(x)+c(x))=a(x)•b(x)+a(x)•c(x).
It follows that the set of 256 possible byte values, with XOR used as addition and themultiplication defined as above, has the structure of the finite field GF(28).
4.2.1Multiplication by x
Multiplying the binary polynomial defined in equation (3.1) with the polynomial x results in
b7x8+b6x7+b5x6+b4x5+b3x4+b2x3+b1x2+b0x.
(4.4)(4.3)(4.2)
x13+x11+x9+x8+x6+x5+x4+x3+1
The result x•b(x)is obtained by reducing the above result modulo m(x), as defined in equation(4.1). If b7 = 0, the result is already in reduced form. If b7 = 1, the reduction is accomplished bysubtracting (i.e., XORing) the polynomial m(x). It follows that multiplication by x (i.e.,{00000010} or {02}) can be implemented at the byte level as a left shift and a subsequentconditional bitwise XOR with {1b}. This operation on bytes is denoted by xtime().Multiplication by higher powers of x can be implemented by repeated application of xtime().By adding intermediate results, multiplication by any constant can be implemented.For example, {57} • {13} = {fe} because
11
{57} • {02} = xtime({57}) = {ae}{57} • {04} = xtime({ae}) = {47}{57} • {08} = xtime({47}) = {8e}{57} • {10} = xtime({8e}) = {07},
thus,
{57} • {13} = {57} • ({01} ⊕ {02} ⊕ {10})
= {57} ⊕ {ae} ⊕ {07}= {fe}.
4.3
Polynomials with Coefficients in GF(28)
a(x)=a3x3+a2x2+a1x+a0
(4.5)
Four-term polynomials can be defined - with coefficients that are finite field elements - as:
which will be denoted as a word in the form [a0 , a1 , a2 , a3 ]. Note that the polynomials in thissection behave somewhat differently than the polynomials used in the definition of finite fieldelements, even though both types of polynomials use the same indeterminate, x. The coefficientsin this section are themselves finite field elements, i.e., bytes, instead of bits; also, themultiplication of four-term polynomials uses a different reduction polynomial, defined below.The distinction should always be clear from the context.To illustrate the addition and multiplication operations, let
b(x)=b3x3+b2x2+b1x+b0
(4.6)
define a second four-term polynomial. Addition is performed by adding the finite fieldcoefficients of like powers of x. This addition corresponds to an XOR operation between thecorresponding bytes in each of the words – in other words, the XOR of the complete wordvalues.
Thus, using the equations of (4.5) and (4.6),
a(x)+b(x)=(a3⊕b3)x3+(a2⊕b2)x2+(a1⊕b1)x+(a0⊕b0)
(4.7)
Multiplication is achieved in two steps. In the first step, the polynomial product c(x) = a(x) •b(x) is algebraically expanded, and like powers are collected to give
c(x)=c6x6+c5x5+c4x4+c3x3+c2x2+c1x+c0
where
c0=a0•b0
c1=a1•b0⊕a0•b1
c2=a2•b0⊕a1•b1⊕a0•b2
c4=a3•b1⊕a2•b2⊕a1•b3c5=a3•b2⊕a2•b3c6=a3•b3
(4.9)(4.8)
12
c3=a3•b0⊕a2•b1⊕a1•b2⊕a0•b3.
The result, c(x), does not represent a four-byte word. Therefore, the second step of themultiplication is to reduce c(x) modulo a polynomial of degree 4; the result can be reduced to apolynomial of degree less than 4. For the AES algorithm, this is accomplished with thepolynomial x4 + 1, so that
ximod(x4+1)=ximod4.
(4.10)
The modular product of a(x) and b(x), denoted by a(x) ⊗ b(x), is given by the four-termpolynomial d(x), defined as follows:
d(x)=d3x3+d2x2+d1x+d0
with
d0=(a0•b0)⊕(a3•b1)⊕(a2•b2)⊕(a1•b3)d1=(a1•b0)⊕(a0•b1)⊕(a3•b2)⊕(a2•b3)d2=(a2•b0)⊕(a1•b1)⊕(a0•b2)⊕(a3•b3)d3=(a3•b0)⊕(a2•b1)⊕(a1•b2)⊕(a0•b3)
When a(x) is a fixed polynomial, the operation defined in equation (4.11) can be written in matrix form as:
[d0]   [a0 a3 a2 a1] [b0]
[d1] = [a1 a0 a3 a2] [b1]
[d2]   [a2 a1 a0 a3] [b2]    (4.13)
[d3]   [a3 a2 a1 a0] [b3]
Because x^4 + 1 is not an irreducible polynomial over GF(2^8), multiplication by a fixed four-term polynomial is not necessarily invertible. However, the AES algorithm specifies a fixed four-term polynomial that does have an inverse (see Sec. 5.1.3 and Sec. 5.3.3):
a(x) = {03}x^3 + {01}x^2 + {01}x + {02}    (4.14)

a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}.    (4.15)
Another polynomial used in the AES algorithm (see the RotWord() function in Sec. 5.2) has a0 = a1 = a2 = {00} and a3 = {01}, which is the polynomial x^3. Inspection of equation (4.13) above will show that its effect is to form the output word by rotating bytes in the input word. This means that [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
5. Algorithm Specification
For the AES algorithm, the length of the input block, the output block and the State is 128 bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of columns) in the State.
For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the Cipher Key.

For the AES algorithm, the number of rounds to be performed during the execution of the algorithm is dependent on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8.

The only Key-Block-Round combinations that conform to this standard are given in Fig. 4. For implementation issues relating to the key length, block size and number of rounds, see Sec. 6.3.
            Key Length    Block Size    Number of
            (Nk words)    (Nb words)    Rounds (Nr)
AES-128         4             4             10
AES-192         6             4             12
AES-256         8             4             14

Figure 4. Key-Block-Round Combinations.
For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations: 1) byte substitution using a substitution table (S-box), 2) shifting rows of the State array by different offsets, 3) mixing the data within each column of the State array, and 4) adding a Round Key to the State. These transformations (and their inverses) are described in Sec. 5.1.1-5.1.4 and 5.3.1-5.3.4.

The Cipher and Inverse Cipher are described in Sec. 5.1 and Sec. 5.3, respectively, while the Key Schedule is described in Sec. 5.2.
5.1 Cipher
At the start of the Cipher, the input is copied to the State array using the conventions described in Sec. 3.4. After an initial Round Key addition, the State array is transformed by implementing a round function 10, 12, or 14 times (depending on the key length), with the final round differing slightly from the first Nr − 1 rounds. The final State is then copied to the output as described in Sec. 3.4.

The round function is parameterized using a key schedule that consists of a one-dimensional array of four-byte words derived using the Key Expansion routine described in Sec. 5.2.

The Cipher is described in the pseudo code in Fig. 5. The individual transformations - SubBytes(), ShiftRows(), MixColumns(), and AddRoundKey() – process the State and are described in the following subsections. In Fig. 5, the array w[] contains the key schedule, which is described in Sec. 5.2.

As shown in Fig. 5, all Nr rounds are identical with the exception of the final round, which does not include the MixColumns() transformation.
Appendix B presents an example of the Cipher, showing values for the State array at the beginning of each round and after the application of each of the four transformations described in the following sections.
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
  byte state[4,Nb]

  state = in

  AddRoundKey(state, w[0, Nb-1])                      // See Sec. 5.1.4

  for round = 1 step 1 to Nr–1
    SubBytes(state)                                   // See Sec. 5.1.1
    ShiftRows(state)                                  // See Sec. 5.1.2
    MixColumns(state)                                 // See Sec. 5.1.3
    AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
  end for

  SubBytes(state)
  ShiftRows(state)
  AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])

  out = state
end

Figure 5. Pseudo Code for the Cipher.¹
5.1.1 SubBytes() Transformation
The SubBytes() transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box). This S-box (Fig. 7), which is invertible, is constructed by composing two transformations:

1. Take the multiplicative inverse in the finite field GF(2^8), described in Sec. 4.2; the element {00} is mapped to itself.

2. Apply the following affine transformation (over GF(2)):

b'i = bi ⊕ b(i+4) mod 8 ⊕ b(i+5) mod 8 ⊕ b(i+6) mod 8 ⊕ b(i+7) mod 8 ⊕ ci    (5.1)

for 0 ≤ i < 8, where bi is the ith bit of the byte, and ci is the ith bit of a byte c with the value {63} or {01100011}. Here and elsewhere, a prime on a variable (e.g., b′) indicates that the variable is to be updated with the value on the right.
In matrix form, the affine transformation element of the S-box can be expressed as:
¹ The various transformations (e.g., SubBytes(), ShiftRows(), etc.) act upon the State array that is addressed by the ‘state’ pointer. AddRoundKey() uses an additional pointer to address the Round Key.
[b0']   [1 0 0 0 1 1 1 1] [b0]   [1]
[b1']   [1 1 0 0 0 1 1 1] [b1]   [1]
[b2']   [1 1 1 0 0 0 1 1] [b2]   [0]
[b3'] = [1 1 1 1 0 0 0 1] [b3] + [0]    (5.2)
[b4']   [1 1 1 1 1 0 0 0] [b4]   [0]
[b5']   [0 1 1 1 1 1 0 0] [b5]   [1]
[b6']   [0 0 1 1 1 1 1 0] [b6]   [1]
[b7']   [0 0 0 1 1 1 1 1] [b7]   [0]
Figure 6 illustrates the effect of the SubBytes() transformation on the State.
Figure 6. SubBytes() applies the S-box to each byte of the State.
The S-box used in the SubBytes() transformation is presented in hexadecimal form in Fig. 7. For example, if s1,1 = {53}, then the substitution value would be determined by the intersection of the row with index ‘5’ and the column with index ‘3’ in Fig. 7. This would result in s'1,1 having a value of {ed}.
Figure 7. S-box: substitution values for the byte xy (in hexadecimal format). [16 x 16 table of substitution values indexed by row x and column y; not recoverable from the extracted text.]
5.1.2 ShiftRows() Transformation
In the ShiftRows() transformation, the bytes in the last three rows of the State are cyclically shifted over different numbers of bytes (offsets). The first row, r = 0, is not shifted. Specifically, the ShiftRows() transformation proceeds as follows:
s'r,c = sr,(c + shift(r,Nb)) mod Nb    for 0 < r < 4 and 0 ≤ c < Nb,    (5.3)

where the shift value shift(r,Nb) depends on the row number, r, as follows (recall that Nb = 4):

shift(1,4) = 1;  shift(2,4) = 2;  shift(3,4) = 3.    (5.4)
This has the effect of moving bytes to “lower” positions in the row (i.e., lower values of c in a given row), while the “lowest” bytes wrap around into the “top” of the row (i.e., higher values of c in a given row).
Figure 8 illustrates the ShiftRows() transformation.
Figure 8. ShiftRows() cyclically shifts the last three rows in the State.
5.1.3 MixColumns() Transformation
The MixColumns() transformation operates on the State column-by-column, treating each column as a four-term polynomial as described in Sec. 4.3. The columns are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial a(x), given by
a(x) = {03}x^3 + {01}x^2 + {01}x + {02}.
As described in Sec. 4.3, this can be written as a matrix multiplication. Let s′(x) = a(x) ⊗ s(x):    (5.5)

[s'0,c]   [02 03 01 01] [s0,c]
[s'1,c] = [01 02 03 01] [s1,c]    for 0 ≤ c < Nb.    (5.6)
[s'2,c]   [01 01 02 03] [s2,c]
[s'3,c]   [03 01 01 02] [s3,c]
As a result of this multiplication, the four bytes in a column are replaced by the following:
s'0,c = ({02} • s0,c) ⊕ ({03} • s1,c) ⊕ s2,c ⊕ s3,c
s'1,c = s0,c ⊕ ({02} • s1,c) ⊕ ({03} • s2,c) ⊕ s3,c
s'2,c = s0,c ⊕ s1,c ⊕ ({02} • s2,c) ⊕ ({03} • s3,c)
s'3,c = ({03} • s0,c) ⊕ s1,c ⊕ s2,c ⊕ ({02} • s3,c).
Figure 9 illustrates the MixColumns() transformation.
Figure 9. MixColumns() operates on the State column-by-column.
5.1.4 AddRoundKey() Transformation
In the AddRoundKey() transformation, a Round Key is added to the State by a simple bitwise XOR operation. Each Round Key consists of Nb words from the key schedule (described in Sec. 5.2). Those Nb words are each added into the columns of the State, such that
[s'0,c, s'1,c, s'2,c, s'3,c] = [s0,c, s1,c, s2,c, s3,c] ⊕ [w(round*Nb + c)]    for 0 ≤ c < Nb,    (5.7)
where [wi] are the key schedule words described in Sec. 5.2, and round is a value in the range 0 ≤ round ≤ Nr. In the Cipher, the initial Round Key addition occurs when round = 0, prior to the first application of the round function (see Fig. 5). The application of the AddRoundKey() transformation to the Nr rounds of the Cipher occurs when 1 ≤ round ≤ Nr.

The action of this transformation is illustrated in Fig. 10, where l = round * Nb. The byte address within words of the key schedule was described in Sec. 3.1.
Figure 10. AddRoundKey() XORs each column of the State with a word from the key schedule.
5.2 Key Expansion
The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule. The Key Expansion generates a total of Nb (Nr + 1) words: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The resulting key schedule consists of a linear array of 4-byte words, denoted [wi], with i in the range 0 ≤ i < Nb(Nr + 1).

The expansion of the input key into the key schedule proceeds according to the pseudo code in Fig. 11.

SubWord() is a function that takes a four-byte input word and applies the S-box (Sec. 5.1.1, Fig. 7) to each of the four bytes to produce an output word. The function RotWord() takes a word [a0,a1,a2,a3] as input, performs a cyclic permutation, and returns the word [a1,a2,a3,a0]. The round constant word array, Rcon[i], contains the values given by [x^(i-1),{00},{00},{00}], with x^(i-1) being powers of x (x is denoted as {02}) in the field GF(2^8), as discussed in Sec. 4.2 (note that i starts at 1, not 0).

From Fig. 11, it can be seen that the first Nk words of the expanded key are filled with the Cipher Key. Every following word, w[i], is equal to the XOR of the previous word, w[i-1], and the word Nk positions earlier, w[i-Nk]. For words in positions that are a multiple of Nk, a transformation is applied to w[i-1] prior to the XOR, followed by an XOR with a round constant, Rcon[i]. This transformation consists of a cyclic shift of the bytes in a word (RotWord()), followed by the application of a table lookup to all four bytes of the word (SubWord()).

It is important to note that the Key Expansion routine for 256-bit Cipher Keys (Nk = 8) is slightly different than for 128- and 192-bit Cipher Keys. If Nk = 8 and i-4 is a multiple of Nk, then SubWord() is applied to w[i-1] prior to the XOR.
KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)
begin
  word temp

  i = 0

  while (i < Nk)
    w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
    i = i+1
  end while

  i = Nk

  while (i < Nb * (Nr+1))
    temp = w[i-1]
    if (i mod Nk = 0)
      temp = SubWord(RotWord(temp)) xor Rcon[i/Nk]
    else if (Nk > 6 and i mod Nk = 4)
      temp = SubWord(temp)
    end if
    w[i] = w[i-Nk] xor temp
    i = i + 1
  end while
end

Note that Nk=4, 6, and 8 do not all have to be implemented; they are all included in the conditional statement above for conciseness. Specific implementation requirements for the Cipher Key are presented in Sec. 6.1.

Figure 11. Pseudo Code for Key Expansion.²
Appendix A presents examples of the Key Expansion.
5.3 Inverse Cipher
The Cipher transformations in Sec. 5.1 can be inverted and then implemented in reverse order to produce a straightforward Inverse Cipher for the AES algorithm. The individual transformations used in the Inverse Cipher - InvShiftRows(), InvSubBytes(), InvMixColumns(), and AddRoundKey() – process the State and are described in the following subsections. The Inverse Cipher is described in the pseudo code in Fig. 12. In Fig. 12, the array w[] contains the key schedule, which was described previously in Sec. 5.2.
² The functions SubWord() and RotWord() return a result that is a transformation of the function input, whereas the transformations in the Cipher and Inverse Cipher (e.g., ShiftRows(), SubBytes(), etc.) transform the State array that is addressed by the ‘state’ pointer.
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
  byte state[4,Nb]

  state = in

  AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])           // See Sec. 5.1.4

  for round = Nr-1 step -1 downto 1
    InvShiftRows(state)                               // See Sec. 5.3.1
    InvSubBytes(state)                                // See Sec. 5.3.2
    AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    InvMixColumns(state)                              // See Sec. 5.3.3
  end for

  InvShiftRows(state)
  InvSubBytes(state)
  AddRoundKey(state, w[0, Nb-1])

  out = state
end

Figure 12. Pseudo Code for the Inverse Cipher.³
5.3.1 InvShiftRows() Transformation
InvShiftRows() is the inverse of the ShiftRows() transformation. The bytes in the last three rows of the State are cyclically shifted over different numbers of bytes (offsets). The first row, r = 0, is not shifted. The bottom three rows are cyclically shifted by Nb − shift(r,Nb) bytes, where the shift value shift(r,Nb) depends on the row number, and is given in equation (5.4) (see Sec. 5.1.2).
Specifically, the InvShiftRows() transformation proceeds as follows:
s'r,(c + shift(r,Nb)) mod Nb = sr,c    for 0 < r < 4 and 0 ≤ c < Nb    (5.8)

Figure 13 illustrates the InvShiftRows() transformation.
³ The various transformations (e.g., InvSubBytes(), InvShiftRows(), etc.) act upon the State array that is addressed by the ‘state’ pointer. AddRoundKey() uses an additional pointer to address the Round Key.
Figure 13. InvShiftRows() cyclically shifts the last three rows in the State.
5.3.2 InvSubBytes() Transformation
InvSubBytes() is the inverse of the byte substitution transformation, in which the inverse S-box is applied to each byte of the State. This is obtained by applying the inverse of the affine transformation (5.1) followed by taking the multiplicative inverse in GF(2^8).
The inverse S-box used in the InvSubBytes() transformation is presented in Fig. 14:
Figure 14. Inverse S-box: substitution values for the byte xy (in hexadecimal format). [16 x 16 table indexed by row x and column y; not recoverable from the extracted text.]
5.3.3 InvMixColumns() Transformation
InvMixColumns() is the inverse of the MixColumns() transformation. InvMixColumns() operates on the State column-by-column, treating each column as a four-term polynomial as described in Sec. 4.3. The columns are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial a^-1(x), given by
a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}.
As described in Sec. 4.3, this can be written as a matrix multiplication. Let s′(x) = a^-1(x) ⊗ s(x):    (5.9)

[s'0,c]   [0e 0b 0d 09] [s0,c]
[s'1,c] = [09 0e 0b 0d] [s1,c]    for 0 ≤ c < Nb.    (5.10)
[s'2,c]   [0d 09 0e 0b] [s2,c]
[s'3,c]   [0b 0d 09 0e] [s3,c]
As a result of this multiplication, the four bytes in a column are replaced by the following:
s'0,c = ({0e} • s0,c) ⊕ ({0b} • s1,c) ⊕ ({0d} • s2,c) ⊕ ({09} • s3,c)
s'1,c = ({09} • s0,c) ⊕ ({0e} • s1,c) ⊕ ({0b} • s2,c) ⊕ ({0d} • s3,c)
s'2,c = ({0d} • s0,c) ⊕ ({09} • s1,c) ⊕ ({0e} • s2,c) ⊕ ({0b} • s3,c)
s'3,c = ({0b} • s0,c) ⊕ ({0d} • s1,c) ⊕ ({09} • s2,c) ⊕ ({0e} • s3,c)
5.3.4 Inverse of the AddRoundKey() Transformation
AddRoundKey(), which was described in Sec. 5.1.4, is its own inverse, since it only involves an application of the XOR operation.
5.3.5 Equivalent Inverse Cipher
In the straightforward Inverse Cipher presented in Sec. 5.3 and Fig. 12, the sequence of the transformations differs from that of the Cipher, while the form of the key schedules for encryption and decryption remains the same. However, several properties of the AES algorithm allow for an Equivalent Inverse Cipher that has the same sequence of transformations as the Cipher (with the transformations replaced by their inverses). This is accomplished with a change in the key schedule.

The two properties that allow for this Equivalent Inverse Cipher are as follows:

1. The SubBytes() and ShiftRows() transformations commute; that is, a SubBytes() transformation immediately followed by a ShiftRows() transformation is equivalent to a ShiftRows() transformation immediately followed by a SubB ytes() transformation. The same is true for their inverses, InvSubBytes() and InvShiftRows().
2. The column mixing operations - MixColumns() and InvMixColumns() - are linear with respect to the column input, which means

InvMixColumns(state XOR Round Key) = InvMixColumns(state) XOR InvMixColumns(Round Key).
These properties allow the order of InvSubBytes() and InvShiftRows() transformations to be reversed. The order of the AddRoundKey() and InvMixColumns() transformations can also be reversed, provided that the columns (words) of the decryption key schedule are modified using the InvMixColumns() transformation.

The equivalent inverse cipher is defined by reversing the order of the InvSubBytes() and InvShiftRows() transformations shown in Fig. 12, and by reversing the order of the AddRoundKey() and InvMixColumns() transformations used in the “round loop” after first modifying the decryption key schedule for round = 1 to Nr-1 using the InvMixColumns() transformation. The first and last Nb words of the decryption key schedule shall not be modified in this manner.

Given these changes, the resulting Equivalent Inverse Cipher offers a more efficient structure than the Inverse Cipher described in Sec. 5.3 and Fig. 12. Pseudo code for the Equivalent Inverse Cipher appears in Fig. 15. (The word array dw[] contains the modified decryption key schedule. The modification to the Key Expansion routine is also provided in Fig. 15.)
EqInvCipher(byte in[4*Nb], byte out[4*Nb], word dw[Nb*(Nr+1)])
begin
  byte state[4,Nb]

  state = in

  AddRoundKey(state, dw[Nr*Nb, (Nr+1)*Nb-1])

  for round = Nr-1 step -1 downto 1
    InvSubBytes(state)
    InvShiftRows(state)
    InvMixColumns(state)
    AddRoundKey(state, dw[round*Nb, (round+1)*Nb-1])
  end for

  InvSubBytes(state)
  InvShiftRows(state)
  AddRoundKey(state, dw[0, Nb-1])

  out = state
end

For the Equivalent Inverse Cipher, the following pseudo code is added at the end of the Key Expansion routine (Sec. 5.2):

for i = 0 step 1 to (Nr+1)*Nb-1
  dw[i] = w[i]
end for

for round = 1 step 1 to Nr-1
  InvMixColumns(dw[round*Nb, (round+1)*Nb-1])    // note change of type
end for

Note that, since InvMixColumns operates on a two-dimensional array of bytes while the Round Keys are held in an array of words, the call to InvMixColumns in this code sequence involves a change of type (i.e. the input to InvMixColumns() is normally the State array, which is considered to be a two-dimensional array of bytes, whereas the input here is a Round Key computed as a one-dimensional array of words).

Figure 15. Pseudo Code for the Equivalent Inverse Cipher.
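The following Python is an added example, not code from FIPS 197 or NIST: a compact AES assembled from the word arithmetic of Sec. 4.3, the transformations and key expansion of Sec. 5.1 and 5.2, and the Equivalent Inverse Cipher of Sec. 5.3.5, with the S-box computed from the two steps of Sec. 5.1.1 rather than copied from Fig. 7. Its only inputs are the constants of the standard; the key-expansion words of Appendix A and the ciphertexts of Appendices B and C are the values it is checked against.

```python
# Added example, not part of FIPS 197: a compact, table-free AES assembled from Sec. 4.3 and
# Sec. 5 of the standard, with the S-box derived as in Sec. 5.1.1 and decryption done with the
# Equivalent Inverse Cipher of Sec. 5.3.5 (Fig. 15). The State is a 16-byte list in
# column-major order (s[r,c] of the text is state[r + 4*c]); a key-schedule word is 4 bytes.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (Sec. 4.2)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        hi = a & 0x80
        a = (a << 1) & 0xff
        if hi:
            a ^= 0x1b
        b >>= 1
    return p

def _sbox_entry(b):
    """Sec. 5.1.1: inverse in GF(2^8) ({00} maps to itself), then the affine map (5.1)."""
    inv = 0
    if b:
        inv = 1
        for _ in range(254):  # b^254 = b^-1 because the multiplicative group has order 255
            inv = gf_mul(inv, b)
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xff
    # (5.1) on whole bytes: bit (i+4+j) mod 8 of inv is bit i of rotl(inv, 4-j), j = 0..3
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [_sbox_entry(b) for b in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
A_MIX = (0x02, 0x01, 0x01, 0x03)      # a(x) of (4.14) as [a0, a1, a2, a3]
A_MIX_INV = (0x0e, 0x09, 0x0d, 0x0b)  # a^-1(x) of (4.15)

def key_expansion(key):
    """Fig. 11: expand a 16/24/32-byte Cipher Key into Nb*(Nr+1) words, Nr = Nk + 6."""
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01  # Rcon[i/Nk] = [x^(i/Nk - 1), 00, 00, 00] with x = {02}
    for i in range(nk, 4 * (nk + 7)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = [SBOX[t] for t in temp[1:] + temp[:1]]  # SubWord(RotWord(temp))
            temp[0] ^= rcon
            rcon = gf_mul(rcon, 0x02)
        elif nk > 6 and i % nk == 4:  # the extra SubWord() of the 256-bit schedule
            temp = [SBOX[t] for t in temp]
        w.append([w[i - nk][j] ^ temp[j] for j in range(4)])
    return w

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """(5.3): row r is rotated left by shift(r,4) = r; inverse=True applies (5.8)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out

def mix_columns(s, a=A_MIX):
    """(5.6): each column times a(x) modulo x^4 + 1; pass A_MIX_INV for (5.10)."""
    out = [0] * 16
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):  # row r of the circulant matrix in (4.13)
            out[r + 4 * c] = (gf_mul(a[0], col[r]) ^ gf_mul(a[3], col[(r + 1) % 4])
                              ^ gf_mul(a[2], col[(r + 2) % 4]) ^ gf_mul(a[1], col[(r + 3) % 4]))
    return out

def add_round_key(s, w, rnd):
    """(5.7): XOR column c of the State with word w[rnd*Nb + c]."""
    return [s[r + 4 * c] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]

def cipher(block, key):  # Fig. 5
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), w, nr))

def eq_inv_cipher(block, key):  # Fig. 15
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    dw = [list(word) for word in w]
    for rnd in range(1, nr):  # InvMixColumns over round keys 1..Nr-1 (Fig. 15's change of type)
        flat = mix_columns([dw[4 * rnd + c][r] for c in range(4) for r in range(4)], A_MIX_INV)
        for c in range(4):
            dw[4 * rnd + c] = flat[4 * c:4 * c + 4]
    s = add_round_key(list(block), dw, nr)
    for rnd in range(nr - 1, 0, -1):
        s = shift_rows(sub_bytes(s, INV_SBOX), inverse=True)
        s = add_round_key(mix_columns(s, A_MIX_INV), dw, rnd)
    s = shift_rows(sub_bytes(s, INV_SBOX), inverse=True)
    return bytes(add_round_key(s, dw, 0))
```

Round keys 1 to Nr-1 are the only ones passed through InvMixColumns, matching the rule in Sec. 5.3.5 that the first and last Nb words of the decryption schedule stay unmodified.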
6. Implementation Issues

6.1 Key Length Requirements

An implementation of the AES algorithm shall support at least one of the three key lengths specified in Sec. 5: 128, 192, or 256 bits (i.e., Nk = 4, 6, or 8, respectively). Implementations may optionally support two or three key lengths, which may promote the interoperability of algorithm implementations.
6.2 Keying Restrictions
No weak or semi-weak keys have been identified for the AES algorithm, and there is no restriction on key selection.
6.3 Parameterization of Key Length, Block Size, and Round Number
This standard explicitly defines the allowed values for the key length (Nk), block size (Nb), and number of rounds (Nr) – see Fig. 4. However, future reaffirmations of this standard could include changes or additions to the allowed values for those parameters. Therefore, implementers may choose to design their AES implementations with future flexibility in mind.
6.4 Implementation Suggestions Regarding Various Platforms
Implementation variations are possible that may, in many cases, offer performance or other advantages. Given the same input key and data (plaintext or ciphertext), any implementation that produces the same output (ciphertext or plaintext) as the algorithm specified in this standard is an acceptable implementation of the AES.
Reference [3] and other papers located at Ref. [1] include suggestions on how to efficiently implement the AES algorithm on a variety of platforms.
Appendix A - Key Expansion Examples
This appendix shows the development of the key schedule for various key sizes. Note that multi-byte values are presented using the notation described in Sec. 3. The intermediate values produced during the development of the key schedule (see Sec. 5.2) are given in the following table (all values are in hexadecimal format, with the exception of the index column (i)).
A.1 Expansion of a 128-bit Cipher Key
This section contains the key expansion of the following cipher key:

Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

for Nk = 4, which results in

w0 = 2b7e1516
w1 = 28aed2a6
w2 = abf71588
w3 = 09cf4f3c
[Key expansion table (columns: i (dec), temp, After RotWord(), After SubWord(), Rcon[i/Nk], After XOR with Rcon, w[i-Nk], w[i] = temp XOR w[i-Nk]; i = 4 to 43) not recoverable from the extracted text.]
A.2 Expansion of a 192-bit Cipher Key
This section contains the key expansion of the following cipher key:

Cipher Key = 8e 73 b0 f7 da 0e 52 c8 10 f3 2b 80 90 79 e5 62 f8 ea d2 52 2c 6b 7b

for Nk = 6, which results in

w0 = 8e73b0f7    w3 = 809079e5
w1 = da0e52      w4 = 62f8ead2
w2 = c810f32b    w5 = 522c6b7b

[Key expansion table (columns: i (dec), temp, After RotWord(), After SubWord(), Rcon[i/Nk], After XOR with Rcon, w[i-Nk], w[i] = temp XOR w[i-Nk]; i = 6 to 51) not recoverable from the extracted text.]

A.3 Expansion of a 256-bit Cipher Key
This section contains the key expansion of the following cipher key:

Cipher Key = 60 3d eb 10 15 ca 71 be 2b 73 ae f0 85 7d 77 81 1f 35 2c 07 3b 61 08 d7 2d 98 10 a3 09 14 df f4

for Nk = 8, which results in

w0 = 603deb10    w4 = 1f352c07
w1 = 15ca71be    w5 = 3b6108d7
w2 = 2b73aef0    w6 = 2d9810a3
w3 = 857d7781    w7 = 0914dff4

[Key expansion table (columns: i (dec), temp, After RotWord(), After SubWord(), Rcon[i/Nk], After XOR with Rcon, w[i-Nk], w[i] = temp XOR w[i-Nk]; i = 8 to 59) not recoverable from the extracted text.]
Appendix B – Cipher Example
The following diagram shows the values in the State array as the Cipher progresses for a block length and a Cipher Key length of 16 bytes each (i.e., Nb = 4 and Nk = 4).
Input = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

Cipher Key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

The Round Key values are taken from the Key Expansion example in Appendix A.
[Round-by-round State table (columns: Round Number, Start of Round, After SubBytes, After ShiftRows, After MixColumns, Round Key Value; rows: input, rounds 1 to 10, output) not recoverable from the extracted text.]

Appendix C – Example Vectors
This appendix contains example vectors, including intermediate values – for all three AES key lengths (Nk = 4, 6, and 8), for the Cipher, Inverse Cipher, and Equivalent Inverse Cipher that are described in Sec. 5.1, 5.3, and 5.3.5, respectively. Additional examples may be found at [1] and [5].

All vectors are in hexadecimal notation, with each pair of characters giving a byte value in which the left character of each pair provides the bit pattern for the 4-bit group containing the higher numbered bits using the notation explained in Sec. 3.2, while the right character provides the bit pattern for the lower-numbered bits. The array index for all bytes (groups of two hexadecimal digits) within these test vectors starts at zero and increases from left to right.
Legend for CIPHER (ENCRYPT) (round number r = 0 to 10, 12 or 14):

input:    cipher input
start:    state at start of round[r]
s_box:    state after SubBytes()
s_row:    state after ShiftRows()
m_col:    state after MixColumns()
k_sch:    key schedule value for round[r]
output:   cipher output

Legend for INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 or 14):

iinput:   inverse cipher input
istart:   state at start of round[r]
is_box:   state after InvSubBytes()
is_row:   state after InvShiftRows()
ik_sch:   key schedule value for round[r]
ik_add:   state after AddRoundKey()
ioutput:  inverse cipher output

Legend for EQUIVALENT INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 or 14):

iinput:   inverse cipher input
istart:   state at start of round[r]
is_box:   state after InvSubBytes()
is_row:   state after InvShiftRows()
im_col:   state after InvMixColumns()
ik_sch:   key schedule value for round[r]
ioutput:  inverse cipher output
C.1 AES-128 (Nk=4, Nr=10)
PLAINTEXT: 0011223344556677aabbccddeeff
KEY: 000102030405060708090a0b0c0d0e0f

CIPHER (ENCRYPT):
35
round[ 0].input 0011223344556677aabbccddeeffround[ 0].k_sch 000102030405060708090a0b0c0d0e0fround[ 1].start 00102030405060708090a0b0c0d0e0f0round[ 1].s_box 63cab7040953d051cd60e0e7ba70e18cround[ 1].s_row 6353e08c0960e104cd70b751bacad0e7round[ 1].m_col 5f721557f5bc92f7be3b291db9f91around[ 1].k_sch d6aa74fdd2af72fadaa678f1d6ab76feround[ 2].start d810e8855ace682d1843d8cb128fe4round[ 2].s_box a761ca9b97be8b45d8ad1a611fc97369round[ 2].s_row a7be1a6997ad739bd8c9ca451f618b61round[ 2].m_col ff87968431d86a515151fa773ad009round[ 2].k_sch b692cf0b3dbdf1be9bc5006830b3feround[ 3].start 4915598f55e5d7a0daca94fa1f0a63f7round[ 3].s_box 3b59cb73fcd90ee05774222dc067fb68round[ 3].s_row 3bd92268fc74fb735767cbe0c0590e2dround[ 3].m_col 4c9c1e66f771f0762c3f868e534df256round[ 3].k_sch b6ff744ed2c2c9bf6c590cbf0469bf41round[ 4].start fa636a2825b339c940668a3157244d17round[ 4].s_box 2dfb02343f6d12dd09337ec75b36e3f0round[ 4].s_row 2d6d7ef03f33e334093602dd5bfb12c7round[ 4].m_col 6385b79ffc538df997be478e7547d691round[ 4].k_sch 47f7f7bc95353e03f96c32bcfd058dfdround[ 5].start 247240236966b3fa6ed2753288425b6cround[ 5].s_box 300926f9336d2d9fb59d23c42c3950round[ 5].s_row 36339d50f9b539269f2c092dc4406d23round[ 5].m_col f4bcd45432e554d075f1d6c51dd03b3cround[ 5].k_sch 3caaa3e8a99f9deb50f3af57adf622aaround[ 6].start c81677bc9b7ac93b25027992b0261996round[ 6].s_box e847f56514dadde23f77bfe7f7d490round[ 6].s_row e8dab6901477d4653ff7f5e2e747dd4fround[ 6].m_col 9816ee7400f87f556b2c049c8e5ad036round[ 6].k_sch 5e390f7df7a69296a7553dc10aa31f6bround[ 7].start c62fe109f75eedc3cc79395d84f9cf5dround[ 7].s_box b415f8016858552e4bb6124c5f998a4cround[ 7].s_row b458124c68b68a014b99f82e5f15554cround[ 7].m_col c57e1c159a9bd286f05f4be098c63439round[ 7].k_sch 14f9701ae35fe28c440adf4d4ea9c026round[ 8].start d1876c0f79c4300ab45594add66ff41fround[ 8].s_box 3e175076b61c04678dfc2295f6a8bfc0round[ 8].s_row 3e1c22c0b6fcbf768da85067f6170495round[ 8].m_col baa03de7a1f9b56ed5512cba5f414d23round[ 8].k_sch 
47438735a41c65b9e016baf4aebf7ad2round[ 9].start fde3bad205e5d0d735479ef1fe37f1round[ 9].s_box 5411f4b56bd9700e96a0902fa1bb9aa1round[ 9].s_row 54d990a16ba09ab596bbf40ea111702fround[ 9].m_col e9f74eec023020f61bf2ccf2353c21c7round[ 9].k_sch 549932d1f08557681093ed9cbe2c974eround[10].start bd6e7c3df2b5779e0b61216e8b10b6round[10].s_box 7a9f1027d5f50b2beffd9f3dca4ea7round[10].s_row 7ad5fda7ef4e272bca100b3d9ff59fround[10].k_sch 13111d7fe3944a17f307a78b4d2b30c5round[10].output 69c4e0d86a7b0430d8cdb78070b4c55aINVERSE CIPHER (DECRYPT):
round[ 0].iinput 69c4e0d86a7b0430d8cdb78070b4c55around[ 0].ik_sch 13111d7fe3944a17f307a78b4d2b30c5round[ 1].istart 7ad5fda7ef4e272bca100b3d9ff59f
36
round[ 1].is_row 7a9f1027d5f50b2beffd9f3dca4ea7
round[ 1].is_box bd6e7c3df2b5779e0b61216e8b10b6
round[ 1].ik_sch 549932d1f08557681093ed9cbe2c974e
round[ 1].ik_add e9f74eec023020f61bf2ccf2353c21c7
round[ 2].istart 54d990a16ba09ab596bbf40ea111702f
round[ 2].is_row 5411f4b56bd9700e96a0902fa1bb9aa1
round[ 2].is_box fde3bad205e5d0d735479ef1fe37f1
round[ 2].ik_sch 47438735a41c65b9e016baf4aebf7ad2
round[ 2].ik_add baa03de7a1f9b56ed5512cba5f414d23
round[ 3].istart 3e1c22c0b6fcbf768da85067f6170495
round[ 3].is_row 3e175076b61c04678dfc2295f6a8bfc0
round[ 3].is_box d1876c0f79c4300ab45594add66ff41f
round[ 3].ik_sch 14f9701ae35fe28c440adf4d4ea9c026
round[ 3].ik_add c57e1c159a9bd286f05f4be098c63439
round[ 4].istart b458124c68b68a014b99f82e5f15554c
round[ 4].is_row b415f8016858552e4bb6124c5f998a4c
round[ 4].is_box c62fe109f75eedc3cc79395d84f9cf5d
round[ 4].ik_sch 5e390f7df7a69296a7553dc10aa31f6b
round[ 4].ik_add 9816ee7400f87f556b2c049c8e5ad036
round[ 5].istart e8dab6901477d4653ff7f5e2e747dd4f
round[ 5].is_row e847f56514dadde23f77bfe7f7d490
round[ 5].is_box c81677bc9b7ac93b25027992b0261996
round[ 5].ik_sch 3caaa3e8a99f9deb50f3af57adf622aa
round[ 5].ik_add f4bcd45432e554d075f1d6c51dd03b3c
round[ 6].istart 36339d50f9b539269f2c092dc4406d23
round[ 6].is_row 300926f9336d2d9fb59d23c42c3950
round[ 6].is_box 247240236966b3fa6ed2753288425b6c
round[ 6].ik_sch 47f7f7bc95353e03f96c32bcfd058dfd
round[ 6].ik_add 6385b79ffc538df997be478e7547d691
round[ 7].istart 2d6d7ef03f33e334093602dd5bfb12c7
round[ 7].is_row 2dfb02343f6d12dd09337ec75b36e3f0
round[ 7].is_box fa636a2825b339c940668a3157244d17
round[ 7].ik_sch b6ff744ed2c2c9bf6c590cbf0469bf41
round[ 7].ik_add 4c9c1e66f771f0762c3f868e534df256
round[ 8].istart 3bd92268fc74fb735767cbe0c0590e2d
round[ 8].is_row 3b59cb73fcd90ee05774222dc067fb68
round[ 8].is_box 4915598f55e5d7a0daca94fa1f0a63f7
round[ 8].ik_sch b692cf0b3dbdf1be9bc5006830b3fe
round[ 8].ik_add ff87968431d86a515151fa773ad009
round[ 9].istart a7be1a6997ad739bd8c9ca451f618b61
round[ 9].is_row a761ca9b97be8b45d8ad1a611fc97369
round[ 9].is_box d810e8855ace682d1843d8cb128fe4
round[ 9].ik_sch d6aa74fdd2af72fadaa678f1d6ab76fe
round[ 9].ik_add 5f721557f5bc92f7be3b291db9f91a
round[10].istart 6353e08c0960e104cd70b751bacad0e7
round[10].is_row 63cab7040953d051cd60e0e7ba70e18c
round[10].is_box 00102030405060708090a0b0c0d0e0f0
round[10].ik_sch 000102030405060708090a0b0c0d0e0f
round[10].ioutput 0011223344556677aabbccddeeff

EQUIVALENT INVERSE CIPHER (DECRYPT):
round[ 0].iinput 69c4e0d86a7b0430d8cdb78070b4c55a
round[ 0].ik_sch 13111d7fe3944a17f307a78b4d2b30c5
round[ 1].istart 7ad5fda7ef4e272bca100b3d9ff59f
round[ 1].is_box bdb521f261b63d0b107c9e8b6e776e
round[ 1].is_row bd6e7c3df2b5779e0b61216e8b10b6
round[ 1].im_col 4773b91ff72f354361cb018ea1e6cf2c
round[ 1].ik_sch 13aa29be9c8faff6f770f58000f7bf03
round[ 2].istart 54d990a16ba09ab596bbf40ea111702f
round[ 2].is_box fde596f1054737d235febad7f1e3d04e
round[ 2].is_row fde3bad205e5d0d735479ef1fe37f1
round[ 2].im_col 2d7e86a339d9393ee6570a1101904e16
round[ 2].ik_sch 1362a4638f25886bff5a76f7874a83
round[ 3].istart 3e1c22c0b6fcbf768da85067f6170495
round[ 3].is_box d1c4941f7955f40fb46f6c0ad68730ad
round[ 3].is_row d1876c0f79c4300ab45594add66ff41f
round[ 3].im_col 39daee38f4f1a82aaf432410c36d45b9
round[ 3].ik_sch 8d82fc749c47222be4dadc3e9c7810f5
round[ 4].istart b458124c68b68a014b99f82e5f15554c
round[ 4].is_box c65e395df779cf09ccf9e1c3842fed5d
round[ 4].is_row c62fe109f75eedc3cc79395d84f9cf5d
round[ 4].im_col 9a39bf1d05b20a3a476a0bf79fe51184
round[ 4].ik_sch 72e3098d11c5de5f7dfe1578a2cccb
round[ 5].istart e8dab6901477d4653ff7f5e2e747dd4f
round[ 5].is_box c87a79969b0219bc2526773bb016c992
round[ 5].is_row c81677bc9b7ac93b25027992b0261996
round[ 5].im_col 18f78d779a93eef4f6742967c47f5ffd
round[ 5].ik_sch 2ec410276326d7d26958204a003f32de
round[ 6].istart 36339d50f9b539269f2c092dc4406d23
round[ 6].is_box 2466756c69d25b236e4240fa8872b332
round[ 6].is_row 247240236966b3fa6ed2753288425b6c
round[ 6].im_col 85cf8bf472d124c10348f545329c0053
round[ 6].ik_sch a8a2f5044de2c7f50a7ef79869671294
round[ 7].istart 2d6d7ef03f33e334093602dd5bfb12c7
round[ 7].is_box fab38a17256d2840246ac957633931
round[ 7].is_row fa636a2825b339c940668a3157244d17
round[ 7].im_col fc1fc1f91934c98210fbfb8da340eb21
round[ 7].ik_sch c7c6e391e54032f1479c306d6319e50c
round[ 8].istart 3bd92268fc74fb735767cbe0c0590e2d
round[ 8].is_box 49e594f755ca638fda0a59a01f15d7fa
round[ 8].is_row 4915598f55e5d7a0daca94fa1f0a63f7
round[ 8].im_col 076518f0b52ba2fb7a15c8d93be45e00
round[ 8].ik_sch a0db02992286d160a2dc029c2485d561
round[ 9].istart a7be1a6997ad739bd8c9ca451f618b61
round[ 9].is_box 5a43e485188fe82d121068cbd8ced8
round[ 9].is_row d810e8855ace682d1843d8cb128fe4
round[ 9].im_col ef053f7c8b3d32fd4d2aad3c93071a
round[ 9].ik_sch 8c56dff0825dd3f9805ad3fc8659d7fd
round[10].istart 6353e08c0960e104cd70b751bacad0e7
round[10].is_box 0050a0f04090e03080d02070c01060b0
round[10].is_row 00102030405060708090a0b0c0d0e0f0
round[10].ik_sch 000102030405060708090a0b0c0d0e0f
round[10].ioutput 0011223344556677aabbccddeeff
C.2 AES-192 (Nk=6, Nr=12)

PLAINTEXT: 0011223344556677aabbccddeeff
KEY: 000102030405060708090a0b0c0d0e0f1011121314151617

CIPHER (ENCRYPT):
round[ 0].input 0011223344556677aabbccddeeff
round[ 0].k_sch 000102030405060708090a0b0c0d0e0f
round[ 1].start 00102030405060708090a0b0c0d0e0f0
round[ 1].s_box 63cab7040953d051cd60e0e7ba70e18c
round[ 1].s_row 6353e08c0960e104cd70b751bacad0e7
round[ 1].m_col 5f721557f5bc92f7be3b291db9f91a
round[ 1].k_sch 10111213141516175846f2f95c43f4fe
round[ 2].start 4f637603e0aa85aff8c9d041fa0de4
round[ 2].s_box 84fb386f1ae1ac977941dd70832dd769
round[ 2].s_row 84e1dd691a41d76f792d3783fbac70
round[ 2].m_col 9f487f794f955f662afc86abd7f1ab29
round[ 2].k_sch 544afef55847f0fa4856e2e95c43f4fe
round[ 3].start cb02818c17d2af9c62aa428bb25fd7
round[ 3].s_box 1f770cf0b579deaaac432c3d37cf0e
round[ 3].s_row 1fb5430ef0accfaa370cde3d77792c
round[ 3].m_col b7a53ecbbf9d75a0c40efc79b674cc11
round[ 3].k_sch 40f949b31cbabd4d48f043b810b7b342
round[ 4].start f75c7778a327c8ed8cfebfc1a6c37f53
round[ 4].s_box 684af5bc0acce855bb0878242ed2ed
round[ 4].s_row 68cc08ed0abbd2bc2ef555244ae878
round[ 4].m_col 7a1e98bdacb6d1141a6944dd06eb2d3e
round[ 4].k_sch 58e151ab04a2a5557effb5416245080c
round[ 5].start 22ffc916a814744196f19cae2532
round[ 5].s_box 9316dd47c2fa92834390a1de43e43f23
round[ 5].s_row 93faa123c2903f4743e4dd83431692de
round[ 5].m_col aaa755b34cffe57cef6f98e1f01c13e6
round[ 5].k_sch 2ab54bb43a02f8f662e3a95d610c08
round[ 6].start 80121e0776fd1d8a8d8c31bc965d1fee
round[ 6].s_box cdc972c53854a47e5dc765904cc028
round[ 6].s_row cd54c72838c0c55d4c727e90c9a465
round[ 6].m_col 921f748fd96e937d622d7725ba8ba50c
round[ 6].k_sch f501857297448d7ebdf1c6ca87f33e3c
round[ 7].start 671ef1fd4e2a1e03dfdcb1ef3d7b30
round[ 7].s_box 8572a1542fe5727b9e86c8df27bc1404
round[ 7].s_row 85e5c8042f8614549ebca17b277272df
round[ 7].m_col e913e7b18f507d4b227ef652758acbcc
round[ 7].k_sch e510976183519b6934157c9ea351f1e0
round[ 8].start 0c0370d00c01e622166b8accd6db3a2c
round[ 8].s_box fe7b5170fe7c8e93477f7e4bf6b98071
round[ 8].s_row fe7c7e71fe7f807047b95193f67b8e4b
round[ 8].m_col 6cf5edf996eb0a069c4ef21cbfc25762
round[ 8].k_sch 1ea0372a995309167c439e77ff12051e
round[ 9].start 7255dad30fb80310e00d6c6b40d0527c
round[ 9].s_box 40fc5766766c7bcae1d7507f09700010
round[ 9].s_row 406c501076d70066e17057ca09fc7b7f
round[ 9].m_col 7478bcdce8a50b81d4327a9009188262
round[ 9].k_sch dd7e0e887e2fff68608fc842f9dcc154
round[10].start a906b254968af4e9b4bdb2d2f0c44336
round[10].s_box d36f3720907ebf1e8d7a37b58c1c1a05
round[10].s_row d37e3705907a1a208d1c371e8c6fbfb5
round[10].m_col 0d73cc2d8f6abe8b0cf2dd9bb83d422e
round[10].k_sch 859f5f237a8d5a3dc0c02952beefd63a
round[11].start 88ec930ef5e7e4b6cc32f4c906d29414
round[11].s_box c4cedcabe694694e4b23bfdd6fb522fa
round[11].s_row c494bffae62322ab4bb5dc4e6fce69dd
round[11].m_col 71d720933b6d677dc00b8f28238e0fb7
round[11].k_sch de601e7827bcdf2ca223800fd8aeda32
round[12].start afb73eeb1cd1b85162280f27fb20d585
round[12].s_box 79a9b2e99c3e6cd1aa3476cc0fb70397
round[12].s_row 793e76979c3403e9aab7b2d10fa96ccc
round[12].k_sch a4970a331a78dc09c418c271e3a41d5d
round[12].output dda97ca48cdfe06eaf70a0ec0d7191

INVERSE CIPHER (DECRYPT):
round[ 0].iinput dda97ca48cdfe06eaf70a0ec0d7191
round[ 0].ik_sch a4970a331a78dc09c418c271e3a41d5d
round[ 1].istart 793e76979c3403e9aab7b2d10fa96ccc
round[ 1].is_row 79a9b2e99c3e6cd1aa3476cc0fb70397
round[ 1].is_box afb73eeb1cd1b85162280f27fb20d585
round[ 1].ik_sch de601e7827bcdf2ca223800fd8aeda32
round[ 1].ik_add 71d720933b6d677dc00b8f28238e0fb7
round[ 2].istart c494bffae62322ab4bb5dc4e6fce69dd
round[ 2].is_row c4cedcabe694694e4b23bfdd6fb522fa
round[ 2].is_box 88ec930ef5e7e4b6cc32f4c906d29414
round[ 2].ik_sch 859f5f237a8d5a3dc0c02952beefd63a
round[ 2].ik_add 0d73cc2d8f6abe8b0cf2dd9bb83d422e
round[ 3].istart d37e3705907a1a208d1c371e8c6fbfb5
round[ 3].is_row d36f3720907ebf1e8d7a37b58c1c1a05
round[ 3].is_box a906b254968af4e9b4bdb2d2f0c44336
round[ 3].ik_sch dd7e0e887e2fff68608fc842f9dcc154
round[ 3].ik_add 7478bcdce8a50b81d4327a9009188262
round[ 4].istart 406c501076d70066e17057ca09fc7b7f
round[ 4].is_row 40fc5766766c7bcae1d7507f09700010
round[ 4].is_box 7255dad30fb80310e00d6c6b40d0527c
round[ 4].ik_sch 1ea0372a995309167c439e77ff12051e
round[ 4].ik_add 6cf5edf996eb0a069c4ef21cbfc25762
round[ 5].istart fe7c7e71fe7f807047b95193f67b8e4b
round[ 5].is_row fe7b5170fe7c8e93477f7e4bf6b98071
round[ 5].is_box 0c0370d00c01e622166b8accd6db3a2c
round[ 5].ik_sch e510976183519b6934157c9ea351f1e0
round[ 5].ik_add e913e7b18f507d4b227ef652758acbcc
round[ 6].istart 85e5c8042f8614549ebca17b277272df
round[ 6].is_row 8572a1542fe5727b9e86c8df27bc1404
round[ 6].is_box 671ef1fd4e2a1e03dfdcb1ef3d7b30
round[ 6].ik_sch f501857297448d7ebdf1c6ca87f33e3c
round[ 6].ik_add 921f748fd96e937d622d7725ba8ba50c
round[ 7].istart cd54c72838c0c55d4c727e90c9a465
round[ 7].is_row cdc972c53854a47e5dc765904cc028
round[ 7].is_box 80121e0776fd1d8a8d8c31bc965d1fee
round[ 7].ik_sch 2ab54bb43a02f8f662e3a95d610c08
round[ 7].ik_add aaa755b34cffe57cef6f98e1f01c13e6
round[ 8].istart 93faa123c2903f4743e4dd83431692de
round[ 8].is_row 9316dd47c2fa92834390a1de43e43f23
round[ 8].is_box 22ffc916a814744196f19cae2532
round[ 8].ik_sch 58e151ab04a2a5557effb5416245080c
round[ 8].ik_add 7a1e98bdacb6d1141a6944dd06eb2d3e
round[ 9].istart 68cc08ed0abbd2bc2ef555244ae878
round[ 9].is_row 684af5bc0acce855bb0878242ed2ed
round[ 9].is_box f75c7778a327c8ed8cfebfc1a6c37f53
round[ 9].ik_sch 40f949b31cbabd4d48f043b810b7b342
round[ 9].ik_add b7a53ecbbf9d75a0c40efc79b674cc11
round[10].istart 1fb5430ef0accfaa370cde3d77792c
round[10].is_row 1f770cf0b579deaaac432c3d37cf0e
round[10].is_box cb02818c17d2af9c62aa428bb25fd7
round[10].ik_sch 544afef55847f0fa4856e2e95c43f4fe
round[10].ik_add 9f487f794f955f662afc86abd7f1ab29
round[11].istart 84e1dd691a41d76f792d3783fbac70
round[11].is_row 84fb386f1ae1ac977941dd70832dd769
round[11].is_box 4f637603e0aa85aff8c9d041fa0de4
round[11].ik_sch 10111213141516175846f2f95c43f4fe
round[11].ik_add 5f721557f5bc92f7be3b291db9f91a
round[12].istart 6353e08c0960e104cd70b751bacad0e7
round[12].is_row 63cab7040953d051cd60e0e7ba70e18c
round[12].is_box 00102030405060708090a0b0c0d0e0f0
round[12].ik_sch 000102030405060708090a0b0c0d0e0f
round[12].ioutput 0011223344556677aabbccddeeff

EQUIVALENT INVERSE CIPHER (DECRYPT):
round[ 0].iinput dda97ca48cdfe06eaf70a0ec0d7191
round[ 0].ik_sch a4970a331a78dc09c418c271e3a41d5d
round[ 1].istart 793e76979c3403e9aab7b2d10fa96ccc
round[ 1].is_box afd10f851c28d5eb62203e51fbb7b827
round[ 1].is_row afb73eeb1cd1b85162280f27fb20d585
round[ 1].im_col 122a02f7242ac8e20605afce51cc72
round[ 1].ik_sch d6bebd0dc209ea494db073803e021bb9
round[ 2].istart c494bffae62322ab4bb5dc4e6fce69dd
round[ 2].is_box 88e7f414f532940eccd293b606ece4c9
round[ 2].is_row 88ec930ef5e7e4b6cc32f4c906d29414
round[ 2].im_col 5cc7aecce3c872194ae5ef8309a933c7
round[ 2].ik_sch 8fb999c973b26839c7f9dd85c68c72
round[ 3].istart d37e3705907a1a208d1c371e8c6fbfb5
round[ 3].is_box a98ab23696bd4354b4c4b2e9f006f4d2
round[ 3].is_row a906b254968af4e9b4bdb2d2f0c44336
round[ 3].im_col b7113ed134e854b20866b51d4b2c3b
round[ 3].ik_sch f77d6ec1423f54ef5378317f14b75744
round[ 4].istart 406c501076d70066e17057ca09fc7b7f
round[ 4].is_box 72b86c7c0f0d52d3e0d0da104055036b
round[ 4].is_row 7255dad30fb80310e00d6c6b40d0527c
round[ 4].im_col ef3b1be1b9b0ebdcb79f1e0a707fbb
round[ 4].ik_sch 1147659047cf663b9b0ece8dfc0bf1f0
round[ 5].istart fe7c7e71fe7f807047b95193f67b8e4b
round[ 5].is_box 0c018a2c0c6b3ad016db7022d603e6cc
round[ 5].is_row 0c0370d00c01e622166b8accd6db3a2c
round[ 5].im_col 592460b248832b2952e0b831923048f1
round[ 5].ik_sch dcc1a8b667053f7dcc5c194ab5423a2e
round[ 6].istart 85e5c8042f8614549ebca17b277272df
round[ 6].is_box 672ab1304edc9bfddf78f1033d1e1eef
round[ 6].is_row 671ef1fd4e2a1e03dfdcb1ef3d7b30
round[ 6].im_col 0b8a7783417ae3a1f9492dc0c1a7ce
round[ 6].ik_sch c6deb0ab791e23a4055fbe568803ab
round[ 7].istart cd54c72838c0c55d4c727e90c9a465
round[ 7].is_box 80fd31ee768c1f078d5d1e8a96121dbc
round[ 7].is_row 80121e0776fd1d8a8d8c31bc965d1fee
round[ 7].im_col 4ee1ddf9301d6352c9ad769ef8d20515
round[ 7].ik_sch dd1b7cdaf28d5c158a49ab1dbbc497cb
round[ 8].istart 93faa123c2903f4743e4dd83431692de
round[ 8].is_box 2214f132a62516aec941ff749c
round[ 8].is_row 22ffc916a814744196f19cae2532
round[ 8].im_col 1008ffe53b36ee6af27b42549b8a7bb7
round[ 8].ik_sch 78c4f708318d3cd69655b701bfc093cf
round[ 9].istart 68cc08ed0abbd2bc2ef555244ae878
round[ 9].is_box f727bf53a3fe7f788cc377eda65cc8c1
round[ 9].is_row f75c7778a327c8ed8cfebfc1a6c37f53
round[ 9].im_col 7f69ac1ed939ebaac8ece3cb12e159e3
round[ 9].ik_sch 60dcef10299524ce62dbef152f9620cf
round[10].istart 1fb5430ef0accfaa370cde3d77792c
round[10].is_box cbd2d717aa5f8c62b2819c8b02af42
round[10].is_row cb02818c17d2af9c62aa428bb25fd7
round[10].im_col cfaf16b2570c18b52e7fef50cab267ae
round[10].ik_sch 4b4ecbdb4d4dcfda5752d7c74949cbde
round[11].istart 84e1dd691a41d76f792d3783fbac70
round[11].is_box 4fe0c9e443f80d06affa76854163aad0
round[11].is_row 4f637603e0aa85aff8c9d041fa0de4
round[11].im_col 794cf1177bfd1d8a327086f3831b39
round[11].ik_sch 1a1f181d1e1b1c194742c7d74949cbde
round[12].istart 6353e08c0960e104cd70b751bacad0e7
round[12].is_box 0050a0f04090e03080d02070c01060b0
round[12].is_row 00102030405060708090a0b0c0d0e0f0
round[12].ik_sch 000102030405060708090a0b0c0d0e0f
round[12].ioutput 0011223344556677aabbccddeeff
C.3 AES-256 (Nk=8, Nr=14)

PLAINTEXT: 0011223344556677aabbccddeeff
KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

CIPHER (ENCRYPT):
round[ 0].input 0011223344556677aabbccddeeff
round[ 0].k_sch 000102030405060708090a0b0c0d0e0f
round[ 1].start 00102030405060708090a0b0c0d0e0f0
round[ 1].s_box 63cab7040953d051cd60e0e7ba70e18c
round[ 1].s_row 6353e08c0960e104cd70b751bacad0e7
round[ 1].m_col 5f721557f5bc92f7be3b291db9f91a
round[ 1].k_sch 101112131415161718191a1b1c1d1e1f
round[ 2].start 4f637603e0aa85efa7213201a4e705
round[ 2].s_box 84fb386f1ae1ac97df5cfd237c49946b
round[ 2].s_row 84e1fd6b1a5c946fdf49377cfbac23
round[ 2].m_col bd2a395d2b6ac438d192443e615da195
round[ 2].k_sch a573c29fa176c498a97fce93a572c09c
round[ 3].start 1859fbc28a1c00a078ed8aadc42f6109
round[ 3].s_box adcb0f257e9c63e0bc557e951c15ef01
round[ 3].s_row ad9c7e017e55ef25bc150fe01ccb6395
round[ 3].m_col 810dce0cc9db8172b3678c1e88a1b5bd
round[ 3].k_sch 1651a8cd0244beda1a5da4c100bade
round[ 4].start 975c66c1cb9f3fa8a93a28df8ee10f63
round[ 4].s_box 884a33781fdb75c2d380349e19f876fb
round[ 4].s_row 88db34fb1f807678d3f833c2194a759e
round[ 4].m_col b2822d81abe6fb275faf103a078c0033
round[ 4].k_sch ae87dff00ff11b68a68ed5fb03fc1567
round[ 5].start 1c05f271a417e04ff921c5c104701554
round[ 5].s_box 9c6ba349f0e18499fda678f2515920
round[ 5].s_row 9cf0a62049fd59a3995184f26be178
round[ 5].m_col aeb65ba974e0f822d73f567bdbc877
round[ 5].k_sch 6de1f1486fa54f9275f8eb5373b8518d
round[ 6].start c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 6].s_box 2e5bacf8af6ea9e73ac67a34c286ee2d
round[ 6].s_row 2e6e7a2dafc6eef83a86ace7c25ba934
round[ 6].m_col b951c33c02e9bd29ae25cdb1efa08cc7
round[ 6].k_sch c656827fc9a799176f294cec6cd5598b
round[ 7].start 7f074143cb4e243ec10c815d8375d54c
round[ 7].s_box d2c5831a1f2f36b278fe0c4cec9d0329
round[ 7].s_row d22f0c291ffe031a7d83b2ecc53c
round[ 7].m_col ebb19e1c3ee7c9e87d7535e9ed6b9144
round[ 7].k_sch 3de23a75524775e727bf9eb45407cf39
round[ 8].start d653a4696ca0bc0f5acaab5db96c5e7d
round[ 8].s_box f6ed49f950e06576be74624c565058ff
round[ 8].s_row f6e062ff507458f9be50497656ed654c
round[ 8].m_col 5174c8669da98435a8b3e62ca974a5ea
round[ 8].k_sch 0bdc905fc27b0948ad5245a4c1871c2f
round[ 9].start 5aa858395fd28d7d05e1a38868f3b9c5
round[ 9].s_box bec26a12cfb55dff6bf80ac4450d56a6
round[ 9].s_row beb50aa6cff856126b0d6aff45c25dc4
round[ 9].m_col 0f77ee31d2ccadc05430a83f4ef96ac3
round[ 9].k_sch 45f5a66017b2d387300d4d330a820a
round[10].start 4a824851c57e7e473de50c2af3e8c9
round[10].s_box d61352d1a6f3f3a04327d9fee50d9bdd
round[10].s_row d6f3d9dda6279bd1430d52a0e513f3fe
round[10].m_col bd86f0ea748fc4f4630f11c1e9331233
round[10].k_sch 7ccff71cbeb4fe5413e6bbf0d261a7df
round[11].start c14907f6ca3b3aa070e9aa313b52b5ec
round[11].s_box 783bc54274e280e0511eacc7e200d5ce
round[11].s_row 78e2acce741ed5425100c5e0e23b80c7
round[11].m_col af8690415d6e1dd387e5fbedd5c013
round[11].k_sch f01afafee7a82979d7a54ab3afe0
round[12].start 5f9c6abfbac634aa50409fa766677653
round[12].s_box cfde0208f4b418ac5309db5c338538ed
round[12].s_row cfb4dbedf4093808538502ac33de185c
round[12].m_col 7427fae4d8a695269ce83d315be0392b
round[12].k_sch 2541fe719bf500258813bbd55a721c0a
round[13].start 516604954353950314fb86e401922521
round[13].s_box d133f22a1aed2a7bfa0f44697c4f3ffd
round[13].s_row d1ed44fd1a0f3f2afa4ff27b7c332a69
round[13].m_col 2c21a820306f154ab712c75eee0da04f
round[13].k_sch 4e5a6699a9f24fe07e572baacdf8cdea
round[14].start 627bceb9999d5aaac945ecf423f56da5
round[14].s_box aa218b56ee5ebeacdd6ecebf26e63c06
round[14].s_row aa5ece06ee6e3c56dde68bac2621bebf
round[14].k_sch 24fc79ccbf0979e9371ac23c6d68de36
round[14].output 8ea2b7ca516745bfeafc49904b4960

INVERSE CIPHER (DECRYPT):
round[ 0].iinput 8ea2b7ca516745bfeafc49904b4960
round[ 0].ik_sch 24fc79ccbf0979e9371ac23c6d68de36
round[ 1].istart aa5ece06ee6e3c56dde68bac2621bebf
round[ 1].is_row aa218b56ee5ebeacdd6ecebf26e63c06
round[ 1].is_box 627bceb9999d5aaac945ecf423f56da5
round[ 1].ik_sch 4e5a6699a9f24fe07e572baacdf8cdea
round[ 1].ik_add 2c21a820306f154ab712c75eee0da04f
round[ 2].istart d1ed44fd1a0f3f2afa4ff27b7c332a69
round[ 2].is_row d133f22a1aed2a7bfa0f44697c4f3ffd
round[ 2].is_box 516604954353950314fb86e401922521
round[ 2].ik_sch 2541fe719bf500258813bbd55a721c0a
round[ 2].ik_add 7427fae4d8a695269ce83d315be0392b
round[ 3].istart cfb4dbedf4093808538502ac33de185c
round[ 3].is_row cfde0208f4b418ac5309db5c338538ed
round[ 3].is_box 5f9c6abfbac634aa50409fa766677653
round[ 3].ik_sch f01afafee7a82979d7a54ab3afe0
round[ 3].ik_add af8690415d6e1dd387e5fbedd5c013
round[ 4].istart 78e2acce741ed5425100c5e0e23b80c7
round[ 4].is_row 783bc54274e280e0511eacc7e200d5ce
round[ 4].is_box c14907f6ca3b3aa070e9aa313b52b5ec
round[ 4].ik_sch 7ccff71cbeb4fe5413e6bbf0d261a7df
round[ 4].ik_add bd86f0ea748fc4f4630f11c1e9331233
round[ 5].istart d6f3d9dda6279bd1430d52a0e513f3fe
round[ 5].is_row d61352d1a6f3f3a04327d9fee50d9bdd
round[ 5].is_box 4a824851c57e7e473de50c2af3e8c9
round[ 5].ik_sch 45f5a66017b2d387300d4d330a820a
round[ 5].ik_add 0f77ee31d2ccadc05430a83f4ef96ac3
round[ 6].istart beb50aa6cff856126b0d6aff45c25dc4
round[ 6].is_row bec26a12cfb55dff6bf80ac4450d56a6
round[ 6].is_box 5aa858395fd28d7d05e1a38868f3b9c5
round[ 6].ik_sch 0bdc905fc27b0948ad5245a4c1871c2f
round[ 6].ik_add 5174c8669da98435a8b3e62ca974a5ea
round[ 7].istart f6e062ff507458f9be50497656ed654c
round[ 7].is_row f6ed49f950e06576be74624c565058ff
round[ 7].is_box d653a4696ca0bc0f5acaab5db96c5e7d
round[ 7].ik_sch 3de23a75524775e727bf9eb45407cf39
round[ 7].ik_add ebb19e1c3ee7c9e87d7535e9ed6b9144
round[ 8].istart d22f0c291ffe031a7d83b2ecc53c
round[ 8].is_row d2c5831a1f2f36b278fe0c4cec9d0329
round[ 8].is_box 7f074143cb4e243ec10c815d8375d54c
round[ 8].ik_sch c656827fc9a799176f294cec6cd5598b
round[ 8].ik_add b951c33c02e9bd29ae25cdb1efa08cc7
round[ 9].istart 2e6e7a2dafc6eef83a86ace7c25ba934
round[ 9].is_row 2e5bacf8af6ea9e73ac67a34c286ee2d
round[ 9].is_box c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 9].ik_sch 6de1f1486fa54f9275f8eb5373b8518d
round[ 9].ik_add aeb65ba974e0f822d73f567bdbc877
round[10].istart 9cf0a62049fd59a3995184f26be178
round[10].is_row 9c6ba349f0e18499fda678f2515920
round[10].is_box 1c05f271a417e04ff921c5c104701554
round[10].ik_sch ae87dff00ff11b68a68ed5fb03fc1567
round[10].ik_add b2822d81abe6fb275faf103a078c0033
round[11].istart 88db34fb1f807678d3f833c2194a759e
round[11].is_row 884a33781fdb75c2d380349e19f876fb
round[11].is_box 975c66c1cb9f3fa8a93a28df8ee10f63
round[11].ik_sch 1651a8cd0244beda1a5da4c100bade
round[11].ik_add 810dce0cc9db8172b3678c1e88a1b5bd
round[12].istart ad9c7e017e55ef25bc150fe01ccb6395
round[12].is_row adcb0f257e9c63e0bc557e951c15ef01
round[12].is_box 1859fbc28a1c00a078ed8aadc42f6109
round[12].ik_sch a573c29fa176c498a97fce93a572c09c
round[12].ik_add bd2a395d2b6ac438d192443e615da195
round[13].istart 84e1fd6b1a5c946fdf49377cfbac23
round[13].is_row 84fb386f1ae1ac97df5cfd237c49946b
round[13].is_box 4f637603e0aa85efa7213201a4e705
round[13].ik_sch 101112131415161718191a1b1c1d1e1f
round[13].ik_add 5f721557f5bc92f7be3b291db9f91a
round[14].istart 6353e08c0960e104cd70b751bacad0e7
round[14].is_row 63cab7040953d051cd60e0e7ba70e18c
round[14].is_box 00102030405060708090a0b0c0d0e0f0
round[14].ik_sch 000102030405060708090a0b0c0d0e0f
round[14].ioutput 0011223344556677aabbccddeeff

EQUIVALENT INVERSE CIPHER (DECRYPT):
round[ 0].iinput 8ea2b7ca516745bfeafc49904b4960
round[ 0].ik_sch 24fc79ccbf0979e9371ac23c6d68de36
round[ 1].istart aa5ece06ee6e3c56dde68bac2621bebf
round[ 1].is_box 629deca599456db9c9f5ceaa237b5af4
round[ 1].is_row 627bceb9999d5aaac945ecf423f56da5
round[ 1].im_col e51c9502a5c1950506a61024596b2b07
round[ 1].ik_sch 34f1d1ffbfceaa2ffce9e25f2558016e
round[ 2].istart d1ed44fd1a0f3f2afa4ff27b7c332a69
round[ 2].is_box 5153862143fb259514920403016695e4
round[ 2].is_row 516604954353950314fb86e401922521
round[ 2].im_col 91a29306cc450d0226f4b5eaef5efed8
round[ 2].ik_sch 5e18eb384c350a7571b746dc80e684
round[ 3].istart cfb4dbedf4093808538502ac33de185c
round[ 3].is_box 5fc69f53ba4076bf50676aaa669c34a7
round[ 3].is_row 5f9c6abfbac634aa50409fa766677653
round[ 3].im_col b041a94eff21ae9212278d903b8a63f6
round[ 3].ik_sch c8a305808b3f7bd043274870d9b1e331
round[ 4].istart 78e2acce741ed5425100c5e0e23b80c7
round[ 4].is_box c13baaeccae9b5f6705207a03b493a31
round[ 4].is_row c14907f6ca3b3aa070e9aa313b52b5ec
round[ 4].im_col 638357cec07de6300e30d0ec4ce2a23c
round[ 4].ik_sch b5708e13665a7de14d3d824ca9f151c2
round[ 5].istart d6f3d9dda6279bd1430d52a0e513f3fe
round[ 5].is_box 4a7ee5c9c53de851f348472a827e0c
round[ 5].is_row 4a824851c57e7e473de50c2af3e8c9
round[ 5].im_col ca6f71058c2842a315595fdf54f685
round[ 5].ik_sch 74da7ba3439c7e50c81833a09a96ab41
round[ 6].istart beb50aa6cff856126b0d6aff45c25dc4
round[ 6].is_box 5ad2a3c55fe1b93905f3587d68a88d88
round[ 6].is_row 5aa858395fd28d7d05e1a38868f3b9c5
round[ 6].im_col ca46f5ea835eab0b9537b6dbb221b6c2
round[ 6].ik_sch 3ca69715d32af3f22b67ffade4ccd38e
round[ 7].istart f6e062ff507458f9be50497656ed654c
round[ 7].is_box d6a0ab7d6cca5e695a6ca40fb953bc5d
round[ 7].is_row d653a4696ca0bc0f5acaab5db96c5e7d
round[ 7].im_col 2a70c8da28b806e9f319ce42be4baead
round[ 7].ik_sch f85fc4f3374605f38b844df0528e98e1
round[ 8].istart d22f0c291ffe031a7d83b2ecc53c
round[ 8].is_box 7f4e814ccb0cd543c175413e8307245d
round[ 8].is_row 7f074143cb4e243ec10c815d8375d54c
round[ 8].im_col f0073ab7404a8a1fc2cba0b80df08517
round[ 8].ik_sch de69409aef8ce7f84d0c5fcfab2c23
round[ 9].istart 2e6e7a2dafc6eef83a86ace7c25ba934
round[ 9].is_box c345bdfa1bc799e1a2dcaab0a857b728
round[ 9].is_row c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 9].im_col 3225fe3686e498a32593c1872b613469
round[ 9].ik_sch aed55816cf19c100bcc24803d90ad511
round[10].istart 9cf0a62049fd59a3995184f26be178
round[10].is_box 1c17c554a4211571f970f24f0405e0c1
round[10].is_row 1c05f271a417e04ff921c5c104701554
round[10].im_col 9d1d5c462e655205c4395b7a2eac55e2
round[10].ik_sch 15c668bd31e5247d17c168b837e6207c
round[11].istart 88db34fb1f807678d3f833c2194a759e
round[11].is_box 979f2863cb3a0fc1a9e166a88e5c3fdf
round[11].is_row 975c66c1cb9f3fa8a93a28df8ee10f63
round[11].im_col d24bfb0e1f997633cfce86e37903fe87
round[11].ik_sch 7fd7850f61cc991673db0365cd12
round[12].istart ad9c7e017e55ef25bc150fe01ccb6395
round[12].is_box 181c8a098aed61c2782ffba0c45900ad
round[12].is_row 1859fbc28a1c00a078ed8aadc42f6109
round[12].im_col aec9bda23e7fd8aff96d74525cdce4e7
round[12].ik_sch 2a2840c924234cc026244cc5202748c4
round[13].istart 84e1fd6b1a5c946fdf49377cfbac23
round[13].is_box 4fe0210543a7e706efa476850163aa32
round[13].is_row 4f637603e0aa85efa7213201a4e705
round[13].im_col 794cf1177bfd1ddf67a744acd9c4f6
round[13].ik_sch 1a1f181d1e1b1c191217101516131411
round[14].istart 6353e08c0960e104cd70b751bacad0e7
round[14].is_box 0050a0f04090e03080d02070c01060b0
round[14].is_row 00102030405060708090a0b0c0d0e0f0
round[14].ik_sch 000102030405060708090a0b0c0d0e0f
round[14].ioutput 0011223344556677aabbccddeeff
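The following is an added example and is not part of FIPS 197 or of any NIST reference code: a compact pure-Python AES-128/192/256 encryptor whose trace uses the Appendix C labels (start, s_box, s_row, m_col, k_sch), so that an implementation under test can be compared line by line with the printed intermediate values. The S-box is derived from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than copied as a table, and the key schedule handles Nk = 4, 6 and 8. The names `expand_key`, `encrypt_block` and `check_vector` are this example's own. The block uses the standard's full plaintext 00112233445566778899aabbccddeeff; several values in the extracted trace above are shorter than 32 hex digits (the plaintext shown has lost the bytes 88 99, for instance), so comparisons are only meaningful against entries that are complete, such as the AES-128 ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a and the round-1 values.

```python
"""Added example, not part of FIPS 197: a compact AES-128/192/256 encryptor that emits
the per-round trace of Appendix C (start, s_box, s_row, m_col, k_sch) for checking."""

def _xtime(b):
    """Multiply b by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def _gmul(a, b):
    """GF(2^8) multiplication by shift-and-add (MixColumns and S-box construction)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = _xtime(a)
        b >>= 1
    return p

def _build_sbox():
    """S-box from its definition (section 5.1.1): inverse in GF(2^8), then the affine map.
    x^254 == x^-1 for x != 0 and 0 maps to 0, so no literal 256-entry table is needed."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv, base, e = 1, x, 254
        while e:                       # square-and-multiply for x^254
            if e & 1:
                inv = _gmul(inv, base)
            base = _gmul(base, base)
            e >>= 1
        sbox.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """Section 5.2 key expansion; returns the Nr+1 round keys as 16-byte values."""
    if len(key) not in (16, 24, 32):
        raise ValueError("key must be 16, 24 or 32 bytes")
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(nr + 1)]

def _shift_rows(s):
    # State is column-major (s[r + 4*c]); row r is rotated left by r positions.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out

def encrypt_block(key, block):
    """Encrypt one 16-byte block; returns (ciphertext, trace) with Appendix C labels."""
    rks = expand_key(key)
    nr = len(rks) - 1
    trace = [("round[ 0].input", block.hex()), ("round[ 0].k_sch", rks[0].hex())]
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, nr + 1):
        tag = f"round[{rnd:2}]"
        trace.append((tag + ".start", bytes(s).hex()))
        s = [SBOX[b] for b in s]                     # SubBytes
        trace.append((tag + ".s_box", bytes(s).hex()))
        s = _shift_rows(s)
        trace.append((tag + ".s_row", bytes(s).hex()))
        if rnd != nr:                                # the final round skips MixColumns
            s = _mix_columns(s)
            trace.append((tag + ".m_col", bytes(s).hex()))
        trace.append((tag + ".k_sch", rks[rnd].hex()))
        s = [b ^ k for b, k in zip(s, rks[rnd])]     # AddRoundKey
    trace.append((f"round[{nr:2}].output", bytes(s).hex()))
    return bytes(s), trace

def check_vector(key_hex, plaintext_hex, expected_hex):
    """Known-answer test: True when the computed ciphertext equals the expected value."""
    ct, _ = encrypt_block(bytes.fromhex(key_hex), bytes.fromhex(plaintext_hex))
    return ct.hex() == expected_hex

if __name__ == "__main__":
    # C.1 plaintext and key: every printed line should match the Appendix C trace.
    key, pt = "000102030405060708090a0b0c0d0e0f", "00112233445566778899aabbccddeeff"
    for label, value in encrypt_block(bytes.fromhex(key), bytes.fromhex(pt))[1]:
        print(f"{label:18} {value}")
```

Running the module prints the AES-128 trace in the same order as section C.1; diffing that output against the standard's own listing localises a defect to the round and step where the two first diverge, which is exactly what the intermediate values in this appendix are for.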
Appendix D - References

[1] AES page available via http://www.nist.gov/CryptoToolkit.⁴
[2] Computer Security Objects Register (CSOR): http://csrc.nist.gov/csor/.
[3] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Submission, September 3, 1999, available at [1].
[4] J. Daemen and V. Rijmen, The block cipher Rijndael, Smart Card Research and Applications, LNCS 1820, Springer-Verlag, pp. 288-296.
[5] B. Gladman’s AES related home page, http://fp.gladman.plus.com/cryptography_technology/.
[6] A. Lee, NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government, National Institute of Standards and Technology, November 1999.
[7] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, 1997, pp. 81-83.
[8] J. Nechvatal, et al., Report on the Development of the Advanced Encryption Standard (AES), National Institute of Standards and Technology, October 2, 2000, available at [1].

⁴ A complete set of documentation from the AES development effort – including announcements, public comments, analysis papers, conference proceedings, etc. – is available from this site.