A Specification for Rijndael, the AES Algorithm

Transcription

1 A Speifiation for Rijndael, the AES Algorithm. Notation and Convention. Rijndael Input and Output The input, the output and the ipher key for Rijndael are eah it equene ontaining 28, 92 or 256 it with the ontraint that the input and output equene have the ame length. A it i a inary digit, or, while the term length refer to the numer of it in a equene. In general the length of the input and output equene an e any of the three allowed value ut for the Advaned Enryption Standard (AES) the only length allowed i 28. However, oth Rijndael and AES allow ipher key of all three length. The individual it within equene will e enumerated tarting at zero and inreaing to one le than the length of the equene. The numer i aoiated with a it, alled it index, i hene in one of the three range i < 28, i < 92 or i < 256 deping on the length of the partiular equene in quetion..2 Byte A yte in Rijndael i a group of 8 it and i the ai data unit for all ipher operation. Suh yte are interpreted a finite field element uing polynomial repreentation, where a yte with it 7 repreent the finite field element: i x + x + x + x + x + x + x + i x (.2.) The value of yte will e preented in inary a a onatenation of their it ( or ) etween rae. Hene {} identifie a peifi finite field element. Unle peifially indiated, it pattern will e preented with higher numered it to the left. It i alo onvenient to denote yte value uing hexadeimal notation, with eah of two group of four it eing denoted y a harater a follow. it pattern harater it pattern harater it pattern harater it pattern harater d 2 6 a e 3 7 f Hene the value {} an alo e written a {63}, where the harater denoting the 4-it group ontaining the higher numered it i again to the left. Some finite field operation utilie a ingle additional it ( 8 ) to the left of an 8-it yte. Where thi it i preent it will appear immediately to the left of the left rae, for example, a in {}..3 Array of Byte All input, output and ipher key it equene are repreented a one-dimenional array of yte where yte n onit of it 8n to 8n+7 from the equene with it 8n+i in the equene mapped to it 7-i in the yte for i < 8. For a equene denoted y the ymol a, the n th yte will e referred to uing either of the two notation a n or a[n, with n in one of the range n < 6, n < 24 or n < The Rijndael State Internally Rijndael operate on a two dimenional array of yte alled the tate that ontain 4 row and N olumn, where N i the input equene length divided y 32. In thi tate array, denoted y the ymol, eah individual yte ha two indexe: it row 2 7 i Dr. Brian Gladman, v3.2, 4 th July 2 page

2 numer r, in the range r < 4, and it olumn numer, in the range < N, hene allowing it to e referred to either a r, or [r,. For AES the range for i < 4 ine N ha a fixed value of 4. At the tart () of an enryption or deryption operation the yte of the ipher input (output) are opied to (from) thi tate array in the order hown in Figure. ipher input yte ipher tate array ipher output yte in in 4 in 8 in 2,,,2,3 out out 4 out 8 out 2 in in 5 in 9 in 3,,,2,3 out out 5 out 9 out 3 in 2 in 6 in in 4 2, 2, 2,2 2,3 out 2 out 6 out out 4 in 3 in 7 in in 5 3, 3, 3,2 3,3 Figure Input to, and output from, the ipher tate array out 3 out 7 out out 5 Hene at the tart of enryption or deryption the input array in i opied to the tate array aording to the heme: [r, in[r + 4 for r < 4 and < N (.4.) and when the ipher i omplete the tate i opied to the output array out aording to: out[r + 4 [r, for r < 4 and < N (.4.2).5 Array of 32-it Word The four yte in eah olumn of the tate an e thought of a an array of four yte indexed y the row numer r or a a ingle 32-it word (yte within all 32-it word will alway e enumerated uing the index r). The tate an hene e onidered a a onedimenional array of word for whih the olumn numer provide the array index. The key hedule for Rijndael, deried fully in Setion 4, i an array of 32-it word, denoted y the ymol k, with the lower element initialied from the ipher key input o that yte 4i+r of the key i opied into yte r of key hedule word k[i. The ipher iterate through a numer of yle, alled round, eah of whih ue N word from thi key hedule. Hene the key hedule an alo e viewed a an array of round key, eah of whih onit of an N word u-array. Hene word of round key n, whih i k[n * n +, will alo e referred to uing two dimenional array notation a either k[n, or k n,. Here the round key for round n a a whole, an N word u-array, will ometime e referred to y replaing the eond index with - a in k[n,- and 2. Finite Field Operation 2. Finite Field Addition The addition of two finite field element i ahieved y adding the oeffiient for orreponding power in their polynomial repreentation, thi addition eing performed in GF(2), that i, modulo 2, o that +. Conequently, addition and utration are oth equivalent to an exluive-or operation on the yte that repreent field element. Addition operation for finite field element will e denoted y the ymol. For example, the following expreion are equivalent: ( x + x + x + x + ) + ( x 7 + x +) x + k. n, x + x x (polynomial notation) {} {} {} (inary notation) {57} {83} {d4} (hexadeimal notation) Dr. Brian Gladman, v3.2, 4 th July 2 page 2

3 2.2 Finite Field Multipliation Finite field multipliation i more diffiult than addition and i ahieved y multiplying the polynomial for the two element onerned and olleting like power of x in the reult. Sine eah polynomial an have power of x up to 7, the reult an have power of x up to 4 and will no longer fit within a ingle yte. Thi ituation i handled y replaing the reult with the remainder polynomial after diviion y a peial eighth order irreduile polynomial, whih, for Rijndael, i: m ( x) x + x + x + x + (2.2.) Sine thi polynomial ha power of x up to 8 it annot e repreented y a ingle yte and will e written a either {} or {} a indiated earlier. Thi proe i illutrated in the following example of the produt {57} {83} {} (where i ued to repreent finite field multipliation): ( x + x + x + x + ) ( x 7 + x +) ( x + x + x + x + ) x x + x + x + x + x ( x + x + x + x + ) x x + x + x + x + x ( x + x + x + x + ) x + x + x + x x + x + x + x Thi intermediate reult i now divided y m(x) aove: ( x x + x + x + ) x 3 9 x + x + x utrat to give intermediate remainder ( x x + x + x + ) x x x x x + x + x x + x + x + x x + x + x + x x + x 7 6 x + x 7 6 utrat to give the final remainder x + x x + x x + x + Multipliation i aoiative, and there i a neutral element {}; for any inary polynomial (x) of degree le than 8, the exted Eulidean algorithm an e ued to ompute polynomial a(x) and (x), uh that: ( x) a( x) m( x) ( x) (2.2.2) a ( x) ( x) modm( x) (2.2.3) whih how that the polynomial a(x) and (x) are mutual invere. Furthermore: a ( x) ( ( x) ( x)) a( x) ( x) a( x) ( x) (2.2.4) It hene follow that the et of 256 yte value, with the XOR a addition and multipliation a defined aove ha the truture of the finite field GF(256). 2.3 Multipliation y Repeated Shift The finite field element {} i the polynomial x, whih mean that multiplying another element y thi value inreae all it power of x y. Thi i equivalent to hifting it yte repreentation up y one it o that the it at poition i move to potion i+. If the top it i et prior to thi move it will overflow to reate an x 8 term, in whih ae the modular polynomial i added to anel thi additional it, leaving a reult that fit within a ingle yte. For example, multiplying {} y x, that i {}, the initial reult i {}. The overflow it i then removed y adding {}, the modular polynomial, uing an exluive-or operation to give a final reult of {}. Dr. Brian Gladman, v3.2, 4 th July 2 page 3

4 By repeating thi proe, a finite field element an e multiplied y all power of x from to 7. Multipliation of thi element y any other field element an then e ahieved y adding the reult for the appropriate power of x. For example, Tale arrie out thi alulation for the produt of the field element {57} and {83} to give {}. p {57} x p m(x) {57} x p {83} to reult reult {} {} {} {} {} {} {} {} 2 {} {} {} 3 {} {} 4 {} {} {} 5 {} {} 6 {} {} 7 {} {} {} {} 2.4 Finite Field Multipliation Uing Tale Tale Finite field multiply {57} {83} When ertain finite field element (known a generator) are repeatedly multiplied to produe a lit of their power, g p, they progreively generate all 255 non-zero element in the field. When p reahe 256 the original field element reur, indiating that g 255 i equal to {}. The p value for eah field element an e thought of a logarithm and thee provide a way of onverting multipliation into addition. Hene the two element a g α and g β have the produt a g α + β. With a logarithm tale liting the power of the generator for eah finite field element we an hene find the power α and β orreponding to the element a and and add thee value to find the power of g for the reult. A revere tale an then e ued to look up the produt element. Sine the two initial power value an eah e a high a 255, their um may e greater than 255 ut if thi our, 255 an e utrated from the value to ring it into the range of the tale eaue g 255 {}. Although deimal exponent have een ued in thi explanation, all exponent in what follow are in hexadeimal notation. y L(xy) a d e f a ee df e e 34 8d 8 ef f d 2 d 5 f a 4d e4 a6 72 9a f 8a 5 2 f e 24 2 f da 8e f d d 36 d e d2 f dd fd 3 f e e 6e 48 3 a3 6 e 42 3a fa 85 3d a x a 5 9 9f 5e a 4e d4 a e5 f3 73 a af 58 a8 5 f4 ea d6 74 4f ae e9 d5 e7 e6 ad e8 9 2 d7 75 7a e 6 f5 59 5f 9 a9 5 a a 7f f6 6f e d8 43 f 2d a e 5a f a 6 aa d e d f 95 f d 37 3f 5 d d a2 6d a 9e 5d 56 f2 d3 a e d e e3 a5 f 67 4a ed de 5 3 fe 8 d f7 7 7 Tale 2 Log L value uh that {xy} {3} L for a given a finite field element {xy} Dr. Brian Gladman, v3.2, 4 th July 2 page 4

5 y E(xy) a d e f 3 5 f ff a 2e a f f e d a4 f7 2 6 a e aa 2 e e e 26 6a e d9 7 9 a e f f d 68 8 d3 6e 2 d 4 4 d4 67 a9 e 3 4d d7 62 a6 f e 9 d 6 d d 7f e 49 d 76 9a f9 3 5 f d d6 6 a3 7 fe 9 2 7d ad e 2f 7 93 ae e9 2 6 a x 8 f 6 3a 4e d2 6d 7 2 5d e fa 5 3f e e2 3d ed f da 75 a 9f a d5 64 a ef 2a 7e 82 9d df 7a 8e e af ea 25 6f f f 2 63 a5 f d a d 45 f 4a de a8 e3 3e f3 e e a ee d 8 8f 8a a7 f2 d 7 f 39 4 dd a2 fd f6 Tale 3 Antilog field element {E} uh that {E} {3} (xy) given the power (xy) For the Rijndael field {3} i a generator that yield Tale 2 and Tale 3. Uing the previou example, Tale 2 how that {57} {3} (62) and {83} {3} (5) (where the raket on the exponent identify them a hexadeimal numer). Thi give the produt a {57} {83} {3} (62) + (5) and ine (62) + (5) (2) in hexadeimal, Tale 3 give the reult {}, a efore. Thee tale an alo e ued to find the invere of field element ine g (X) ha the invere g (ff)-(x). Hene the element {af} {3} (7) ha the invere g (ff)-(7) g (48) {62}. All element exept {} have invere. 2.5 Polynomial with Coeffiient in GF(256) Four term polynomial an e defined with oeffiient that are finite field element a: a + (2.5.) 3 2 ( x) a3x + a2x + ax a where the four oeffiient, eah repreented y a yte, will e denoted a a 32-it word in the form [a 3, a 2, a, a. With a eond polynomial: + (2.5.2) 3 2 ( x) 3x + 2 x + x addition an e performed y adding the finite field oeffiient of like power of x, whih orrepond to an XOR operation etween the orreponding yte in eah of the word or an XOR of the omplete 32-it word value (note that the variale x here i different to that ued in the definition of individual finite field element). Multipliation i ahieved y algeraially expanding the polynomial produt and olleting like power of x to give: + (2.5.3) ( x) 6x + 5x + 4x + 3x + 2x + x where: a 4 a3 a2 2 a 3 a a 5 a3 2 a2 3 2 a2 a a 2 5 a3 3 (2.5.4) 3 a3 a2 a 2 a 3 Dr. Brian Gladman, v3.2, 4 th July 2 page 5

6 with and repreenting finite field multipliation and addition (XOR) repetively. Thi reult require ix yte to repreent it oeffiient ut it an e redued modulo a degree 4 polynomial to produe a reult that i of degree le than 4. In Rijndael the polynomial ued i x 4 + and redution produe the following polynomial oeffiient: d 3 a3 a2 a 2 a 3 d 2 a2 a a 2 a3 3 (2.5.5) d a a a3 2 a2 3 d a a3 a2 2 a 3 If one of the polynomial i fixed, thi an onveniently e written in matrix form a: d d d d 3 2 a a a a 3 2 a a a a 3 2 a a a a 2 3 a33 a 2 2 a a (2.5.6) Beaue x 4 + i not an irreduile polynomial, not all polynomial multipliation are invertile. For Rijndael, however, a polynomial that ha an invere ha een hoen: 3 2 a ( x) {3} x + {} x + {} x + {2} (2.5.7) 3 2 a ( x) {} x + {d} x + {9} x + {e} (2.5.8) Another polynomial that Rijndael ue ha a a 2 a 3 {} and a {}, whih i the polynomial x. Inpetion of (2.5.6) aove will how that it effet i to form the output word y rotating the yte in the input word o that [ 3, 2,, i tranformed into [ 2,,, 3, with yte moving to higher index poition and the top yte wrapping round to the lowet poition. Higher power of x orrepond to the other yli permutation of the four yte within a 32-it word. The RotWord funtion that i ued in the key hedule orrepond to x The Cipher At the tart of the ipher the ipher input i opied into the internal tate uing the onvention deried in Setion.4. An initial round key i then added and the tate i then tranformed y iterating a round funtion in a numer of yle. The numer of yle Nn varie with the key length and lok ize. On ompletion the final tate i opied into the ipher output uing the ame onvention. The round funtion i parameteried uing a round key whih onit of an N word uarray from the key hedule. The latter i onidered either a a one-dimenional array of 32-it word or an array of round key with a truture and initialiation a deried in etion.5. In general the length of the ipher input, the ipher output and the ipher tate, N, meaured in multiple of 32 it, i 4, 6 or 8 ut the AES tandard only allow a length of 4. The length of the ipher key, Nk, again meaured in multiple of 32 it, i alo 4, 6 or 8, all of whih are allowed y oth Rijndael and the AES tandard. The ipher i deried in the following peudo ode with the individual tranformation and the key hedule deried uequently. Here the key hedule i treated a an array of Nn + individual round key, eah of whih i itelf an array of N word. Dr. Brian Gladman, v3.2, 4 th July 2 page 6

7 Cipher(yte in[4*n, yte out[4*n, word k[nn+,n, N, Nn) Begin yte tate[4,n // The notation k[nn+,n aove indiate that // the array k ontain Nn + individual round tate in // key that are eah array of N word XorRoundKey(tate, k[,-, N) // k[,- k[..n- for round tep to Nn SuByte(tate, N) ShiftRow(tate, N) MixColumn(tate, N) XorRoundKey(tate, k[round,-, N) // k[round*n..(round+)*n- SuByte(tate, N) ShiftRow(tate, N) XorRoundKey(tate, k[nn,-, N) // k[nn*n..(nn+)*n- out tate The numer of round for the ipher (Nn) varie with the lok length and the key length a hown in the following tale. Nk Nn N Tale 4 The numer of round a a funtion of lok and key ize 3. The SuByte Tranformation The SuByte tranformation i a non-linear yte utitution that at on every yte of the tate in iolation to produe a new yte value uing an S-ox utitution tale. The ation of thi tranformation i illutrated in Figure 2 for a lok ize of 6.,,,2,3,4,5,,,2,3,4,5,,,2,3,4,5 Su,,,2,3,4,5 Sr, 2, 2, 2,2 2,3 2,4 2,5 Byte Sr, 2, 2, 2,2 2,3 2,4 2,5 3, 3, 3,2 3,3 3,4 3,5 3, 3, 3,2 3,3 3,4 3,5 Figure 2 SuByte at on every yte in the tate in iolation Thi utitution, whih i invertile, i ontruted y ompoing two tranformation:. Firt the multipliative invere in the finite field deried earlier (with element {} mapped to itelf). 2. Seond the affine tranformation over GF(2) defined y: i i ( i+ 4) mod8 ( i+ 5) mod8 ( i+ 6) mod8 ( i+ 7) mod 8 i (3..) for i < 8 where i i it i of the yte and i i it i of a yte with the value {63} or {}. Here and elewhere a prime on a variale on the left of an equation indiate that it value i to e updated with the value on the right. In matrix form the latter omponent of the S-ox tranformation an e expreed a: Dr. Brian Gladman, v3.2, 4 th July 2 page 7

8 Dr. Brian Gladman, v3.2, 4 th July 2 page (3..2) The final reult of thi two tage tranformation i given in the following tale. y hex a d e f f2 6 6f fe d7 a 76 a d fa f ad d4 a2 af 9 a fd f f7 34 a5 e5 f 7 d a e2 e a 6e 5a a 52 3 d e3 2f d ed 2 f 5 6a e 39 4a 4 58 f 6 d ef aa f 43 4d f9 2 7f 5 3 9f a8 7 5 a3 4 8f 92 9d 38 f5 6 da 2 ff f3 d2 8 d 3 e 5f a7 7e 3d 64 5d f d 22 2a ee 8 4 de 5e d a e 32 3a a d3 a e4 79 e d 8d d5 4e a f4 ea 65 7a ae 8 a e a6 4 6 e8 dd 74 f 4 d 8 8a d 7 3e f6 e d 9e e e f d9 8e 94 9 e 87 e9 e df x f 8 a 89 d f e d f 54 6 Tale 5 The Sutitution Tale Sox[xy (in hexadeimal) The peudo ode for thi tranformation i a follow. SuByte(yte tate[4,n, N) egin for r tep to 3 for tep to N - tate[r, Sox[tate[r, 3.2 The ShiftRow Tranformation The ShiftRow tranformation operate individually on eah of the lat three row of the tate y ylially hifting the yte in the row uh that: N N r h r r mod ), (,[, + for < N and < r < 4 (3.2.) where the hift amount h(r, N) dep on row numer r and lok length a follow: row (r) h(r, N) N Tale 6 Shift offet for different row and lok length

9 Thi ha the effet of moving yte to lower poition in the row exept that the lowet yte wrap around into the top of the row (note that a prime on a variale indiate an updated value). The ation of thi tranformation i illutrated in Figure 3 for a ipher lok ize of 6.,,,2,3,4,5 ShiftRow,,,2,3,4,5,,,2,3,4,5,,,2,3,4,5 S r, S r, S r,2 S r,3 S r,4 S r,5 S r, S r, S r,2 S r,3 S r,4 S r,5 2, 2, 2,2 2,3 2,4 2,5 2, 2, 2,2 2,3 2,4 2,5 3, 3, 3,2 3,3 3,4 3,5 3, 3, 3,2 3,3 3,4 3,5 Figure 3 ShiftRow at indepently on row in the tate The peudo ode for thi tranformation i a follow. ShiftRow(yte tate[4,n, N) egin yte t[n for r tep to 3 for tep to N - t[ tate[r, ( + h(r,n)) mod N for tep to N tate[r, t[ 3.3 The MixColumn Tranformation The MixColumn tranformation at indepently on every olumn of the tate and treat eah olumn a a four-term polynomial a deried in Setion 2.6. In matrix form the tranformation ued given in equation (3.3.), where all the value are finite field element a diued in Setion 2. 3, 2,,, , 2,,, for < N (3.3.) The ation of thi tranformation i illutrated in Figure 4 for a ipher lok ize of 6. S,,,,2,3,4,5,,,2,3,4,5 S,,,,2,3,4,5 Mix,,,2,3,4,5 2, 2, 2,2 2,3 2,4 2,5 Column S 2, 2, 2, 2,2 S 2, 2,3 2,4 2,5 S, S, 3, 3, 3,2 3,3 3,4 3,5 S 3, 3, 3, 3,2 3,3 3,4 3,5 S 3, Figure 4 MixColumn at indepently on eah olumn in the tate The peudo ode for thi tranformation i a follow, where the funtion FFmul(x, y) return the produt of two finite field element x and y. Dr. Brian Gladman, v3.2, 4 th July 2 page 9

10 MixColumn(yte tate[4,n, N) egin yte t[4 for tep to N for r tep to 3 t[r tate[r, for r tep to 3 tate[r, FFmul(x2, t[r) xor FFmul(x3, t[(r + ) mod 4) xor t[(r + 2) mod 4 xor t[(r + 3) mod The XorRoundKey Tranformation In the XorRoundKey tranformation N word from the key hedule (the round key deried later) are eah added (XOR d) into the olumn of the tate o that: [ 3, 2,, [ 3, 2,, [ kround, for < N (3.4.) where the round key word k, (hortened to round r k in the diagram elow) will e deried later. The round numer, round, i in the range round Nn, with the value of eing ued to denote the initial round key that i applied efore the round funtion. S,,,,2,3,4,5,,,2,3,4,5 S,,,,2,3,4,5,,,2,3,4,5 2, 2, 2,2 2,3 2,4 k r k r k r r k r k r r S 2 k k , 2,5 2, 2, 2,2 S 2, 2,3 2,4 2,5 S, S, 3, 3, 3,2 3,3 3,4 3,5 S 3, 3, 3, 3,2 3,3 3,4 3,5 S 3, Figure 5 Word from the key hedule are XOR d into olumn in the tate The ation of thi tranformation i illutrated in Figure 5 for a ipher lok ize of 6. The yte addre within eah word of the key hedule i that deried in Setion. The peudo ode for thi tranformation i a follow, where xyte(r, w) extrat yte r from word w. XorRoundKey(yte tate[4,n, word k[round,-, N) Begin for tep to N for r tep to 3 tate[r, tate[r, xor xyte(r, k[round,) 4. The Key Shedule The round key are derived from the ipher key y mean of a key hedule with eah round requiring N word of key data whih, with an additional initial et, make a total of N(Nn + ) word, where Nn i the numer of ipher round. Thi key hedule i onidered either a a one dimenional array k of N(Nn + ) 32-it word with an index i in the range i < N(Nn + ) or a a two dimenional array k[n, of Nn + round key, eah or whih individually onit of a u-array of N word. The expanion of the input key into the key hedule proeed aording to the following peudo ode. The funtion SuWord(x) give an output word for whih the S-ox Dr. Brian Gladman, v3.2, 4 th July 2 page

11 utitution ha een individually applied to eah of the four yte of it input x. The funtion RotWord(x) onvert an input word [ 3, 2,, to an output [, 3, 2,. The word array Ron[i ontain the value [,,, x i- with x i- eing the power of x in the field GF(256) diued in etion 2.3 (note that the index i tart at ). KeyExpanion(yte key[4*nk, word k[nn+,n, N, Nk, Nn) egin i while (i < Nk) k[i word [ key[4*i+3, key[4*i+2, key[4*i+, key[4*i i i + while i Nk while (i < N * (Nn + )) word temp k[i - if (i mod Nk ) temp SuWord(RotWord(temp)) xor Ron[i / Nk ele if ((Nk > 6) and (i mod Nk 4)) temp SuWord(temp) if k[i k[i - Nk xor temp i i + while Note that thi key hedule, whih i illutrated in Figure 6 for Nk 4 and N 6, an e generated on-the fly if neeary uing a uffer of max(n, Nk) word. It an alo e plit into eparate, omewhat impler, key hedule for Nk 6 and Nk > 6 repetively. k k k 2 k 3 k 4 k 5 k 4 k 7 k 8 k 9 k k k 2 k 3 k 4 k 5 k 6 k 7 round Key k[,- round key k[,- round key 2 k[2,- Figure 6 The key hedule and round key eletion for Nk 4 and N 6 5. The Invere Cipher The inverion of the ipher ode preented in etion 3 i traightforward and provide the following peudo ode for the invere ipher. InvCipher(yte in[4*n, yte out[4*n, word k[nn+,n, N, Nn) egin yte tate[4,n tate in XorRoundKey(tate, k[nn,-, N) // k[nn*n..(nn+)*n- for round Nn - tep - to InvShiftRow(tate, N) InvSuByte(tate, N) XorRoundKey(tate, k[round,-, N) // k[round*n..(round+)*n- InvMixColumn(tate, N) InvShiftRow(tate, N) InvSuByte(tate, N) XorRoundKey(tate, k[,-, N) // k[..n- out tate Dr. Brian Gladman, v3.2, 4 th July 2 page

12 5. The Invere ShiftRow Tranformation The InvShiftRow tranformation operate individually on eah of the lat three row of the tate ylially hifting the yte in the row uh that: r, [ h( r, N)mod N r, + for < N and < r < 4 (5..) where the yli hift value h(r, N) are given in Tale 6. The peudo ode for thi tranformation i a follow. InvShiftRow(yte tate[4,n, N) egin yte t[n for r tep to 3 for tep to N - t[( + h(r,n)) mod N tate[r, for tep to N tate[r, t[ 5.2 The Invere SuByte Tranformation The invere S-ox tale needed for the invere InvSuByte tranformation i given in Setion 3.. The peudo ode for thi tranformation i a follow: InvSuByte(yte tate[4,n, N) egin for r tep to 3 for tep to N - tate[r, InvSox[tate[r, Tale 7 give the full invere S-ox, the invere of the affine tranformation (3..) eing: i ( i+ 2) mod8 ( i+ 5) mod8 ( i+ 7) mod 8 d i, where yte d {5} (5.2.) y hex a d e f a d a5 38 f 4 a3 9e 8 f3 d7 f 7 e f ff e de e a d ee fa 3 4e 3 8 2e a d a2 49 6d 8 d f8 f d4 a4 5 5d fd ed 9 da 5e a7 8d 9d d8 a 8 d3 a f7 e d 2 e 8f a 3f f 2 af d 3 3 8a 6 x 8 3a 9 4 4f 67 d ea 97 f2 f e f 4 e a e7 ad e2 f9 37 e8 75 df 6e a 47 f a 7 d f 7 62 e aa 8 e f 56 3e 4 6 d a d fe 78 d 5a f4 f dd a e 5f d 6 5 7f a a d 2d e5 7a 9f ef e a e 3 4d ae 2a f5 8 e f e a 77 d6 26 e d Tale 7 The Invere Sutitution Tale InvSox[xy (in hexadeimal) 5.3 The Invere XorRoundKey Tranformation The XorRoundKey tranformation i it own invere. Dr. Brian Gladman, v3.2, 4 th July 2 page 2

13 5.4 The Invere MixColumn Tranformation The InvMixColumn tranformation at indepently on every olumn of the tate and treat eah olumn a a four-term polynomial a deried in Setion 2.6. In matrix form the tranformation ued given in equation (5.4.), where all the value are finite field element a diued in Setion e d 9 9 e d d 9 e d 9 e 3 for < N (5.4.) The peudo ode for thi tranformation i a follow, where the funtion FFmul(x, y) return the produt of two finite field element x and y. InvMixColumn(yte lok[4,n, N) egin yte t[4 for tep to N for r tep to 3 t[r lok[r, for r tep to 3 lok[r, FFmul(xe, t[r) xor FFmul(x, t[(r + ) mod 4) xor FFmul(xd, t[(r + 2) mod 4) xor FFmul(x9, t[(r + 3) mod 4) 5.5 The Equivalent Invere Cipher The invere ipher ue the ame key hedule a the forward ipher (in revere) ut it form i different. However a erie of tranformation an e applied to tranform the invere ipher to math the form of the forward ipher. Thi i poile eaue the order of ome operation in the invere ipher an e hanged without hanging the final reult. For example the order of the SuByte and ShiftRow tranformation doe not matter eaue SuByte hange the value of yte without hanging their poition wherea ShiftRow doe the exat oppoite. Moreover, the order of the XorRoundKey and InvMixColumn operation an e inverted to put the forward and invere ipher in the ame form provided that an adjutment i made to the key hedule. The order of round key addition and olumn mixing an e hanged eaue the olumn mixing operation i linear with repet to the olumn input o that: InvMixColumn(tate xor k)invmixcolumn(tate) xor InvMixColumn(k) where k repreent a round key in the form of a tate array. Hene, provided that an invere olumn mixing operation i performed on appropriate word (olumn) of the deryption key hedule, the order of thee tranformation an e revered during deryption. Note, however, that thi operation i not e performed on the firt and lat round key (the firt and lat N word of the key hedule) ine thee do not operate in aoiation with the olumn-mixing tep. The importane of thi tranformation i that the truture of the forward ipher allow the round funtion to e expreed in an effiient form for implementation. By tranforming the invere ipher into the ame equene of operation a the ipher itelf, it an e implemented in the ame way, therey ahieving thi effiieny. Dr. Brian Gladman, v3.2, 4 th July 2 page 3

14 In thi modified form the invere ipher i a follow (with the modified deryption key hedule in the word array dk[nn+,n). EqInvCipher(yte in[4*n, yte out[4*n, word dk[nn+,n, N, Nn) egin yte tate[4,n tate in XorRoundKey(tate, dk[nn,-, N) // dk[nn*n..(nn+)*n- for round Nn - tep - to InvSuByte(tate, N) InvShiftRow(tate, N) InvMixColumn(tate, N) XorRoundKey(tate, dk[round,-, N) // dk[round*n..(round+)*n- InvSuByte(tate, N) InvShiftRow(tate, N) XorRoundKey(tate, dk[,-, N) // dk[..n- out tate where the following peudo ode i added to the of the key expanion tep (thi an e made more effiient if enryption and deryption are not required imultaneouly). for round tep to Nn dk[i,- k[i,- for round tep to Nn InvMixColumn(dk[round,-) // opy N word at a time // note impliit hange of type Note that, ine InvMixColumn operate on a two-dimenional array of yte while the round key are held in an array of word, the all to InvMixColumn in thi peudo ode equene involve a hange of type. Thi require are with yte order onvention. 6. Implementation Iue 6. Impliit Aumption While hardware implementation of Rijndael an treat the input, output and ipher key input a it equene, oftware implementation will almot alway to treat thee entitie a array of 8-it yte. Equally, while a hardware implementation will have to inlude a deription of how Rijndael input and output are interfaed, a oftware implementation will often operate in an environment where Rijndael two key enumeration the enumeration of it within 8-it yte and the enumeration of yte within array are already defined. Where the environment in whih Rijndael i implemented provide oth for 8-it yte a addreale entitie and for the enumeration of it within yte, it i reaonale to aume that Rijndael input and output will omply with thee onvention. In onequene Rijndael implementation in oftware hould either indiate that thi aumption i orret or alternatively undertake one of the following: (a) onvert input and output to (or from) thee tandard format to thoe eing ued internally; () doument the interfae to enure that uer of the implementation know that the input and output are in non-tandard format. Dr. Brian Gladman, v3.2, 4 th July 2 page 4

15 6.2 Bit Enumeration In proeing yte to undertake finite field multipliation it i ueful to define a funtion to multiply y x, an operation that involve hifting the value of a yte y one and then performing a onditional XOR operation. If y onvention it i the lowet it in a yte (i.e. it repreent a numeri value of ) then multiplying y x will orrepond to a left hift. Thi i the mot likely ituation ut it i not unknown for it to e deignated a the highet it in a yte, the it that repreent a numeri value of 28 in deimal, in whih ae multipliation y x will orrepond to a right hift. When thi applie, all yte value will alo have their it revered o that {} or {63}, whih in former onvention would e aoiated with a numeri value of x63 in hexadeimal, will intead e aoiated with a numeri value of x6. For thi reaon the term left and right when referring to hift have een avoided in thi peifiation y uing the term up and down to refer to operation in whih yte at an index poition move to higher or lower index poition repetively. 6.3 Byte Within Word A numer of Rijndael operation involve the manipulation of the four 8-it yte within a 32-it word, one uh operation eing the yli hift (rotation) of thee four yte into new poition. Whether the operation of moving yte to higher array index poition orrepond to a yli left or a yli right hift for a 32-it word will dep on how the yte are organied within word. On ome ( little-ian ) proeor yte are numered upward from the low of 32-it word and thi mean that a yli hift of yte to higher array index poition will orrepond to a yli left hift. But on other ( ig-ian ) proeor yte are numered upward tarting at the high of a word o that a yli hift to higher index poition orrepond to a yli right hift. In onequene are i needed in implementing Rijndael to enure that the right diretion of hift and rotate are employed for the proeor or proeor for whih an implementation i eing deigned. In general thee iue an e takled either y the onverion of input and output value efore ue or y enuring that the onvention employed for implementation are thoe of the arhiteture on whih the ipher will operate. 7. Implementation Tehnique In the peudo ode in thi etion the following ymol will e ued: & it in reult are the AND of the orreponding it in the two operand it in reult are the OR of the orreponding it in the two operand ^ it in reult are the XOR of the orreponding it in the two operand >> right hift of left operand y amount given y right operand << left hift of left operand y amount given y right operand <> not equal x... hexadeimal value 7. Finite Field Multipliation The ai tehnique for finite field multipliation i explained in Setion 2.4 and i implemented a follow: Dr. Brian Gladman, v3.2, 4 th July 2 page 5

16 yte FFmul(ont yte a, ont yte ) egin yte aa a,, r, t while (aa <> ) if ((aa & ) <> ) r r ^ if t & x8 << if (t <> ) ^ x // top it of field polynomial (x) i not if // needed here ine i an 8 it value aa aa >> while return r But thi approah an e quite low ompared with tale lookup uing the tehnique deried in Setion 2.5. With a 256-yte array from tale 2 and 3 we otain: yte FFlog[256 // array from tale 2 yte FFpow[256 // array from tale 3 yte FFmul(ont yte a, ont yte ) egin if ((a <> ) and ( <> )) word t FFlog[a + FFlog[ if(t > 255) t t 255 if return FFpow[t ele return if Thi an e peeded up y douling the length of the FFpow[ array and etting the value for element 255 to 59 to the ame value a element to 254 repetively o that FFmul() an e oded a: yte FFmul(ont yte a, ont yte ) egin if ((a <> ) and ( <> )) return FFpow[FFlog[a + FFlog[ ele return if In pratie many ompiler will allow thee funtion to e peified a inline ode and thi make finite field multipliation very effiient. 7.2 Column Mixing Provided that the tate array i arranged appropriately in memory, eah of the olumn will e a ingle 32-it word. If the yte in uh a word are [ to [3 then the mixing operation i: [ {2} [ {3} [ [2 [3 [ {2} [ {3} [2 [3 [ (7.2.) [2 {2} [2 {3} [3 [ [ [3 {2} [3 {3} [ [ [2 where the yte are updated with the value on the left at the of thi equene. But ine {3} [ {2} [ [, thi an alo e written a: Dr. Brian Gladman, v3.2, 4 th July 2 page 6

17 [ [ t {2} ([ [) [ [ t {2} ([ [2) (7.2.2) [2 [2 t {2} ([2 [3) [3 [3 t {2} ([3 [) where t [ [ [2 [3. When the need for temporary torage i taken into aount, thi ode equene eome: t [ ^ [ ^ [2 ^ [3 u [ ^ t ^ FFmul(x2, [ ^ [) [ [ ^ t ^ FFmul(x2, [ ^ [2) [2 [2 ^ t ^ FFmul(x2, [2 ^ [3) [3 [3 ^ t ^ FFmul(x2, [3 ^ [) [ u Morover, multipliation y the element {2} i jut a hift followed y a onditional exluive-or operation. Although thi formulation i quite effiient on 8-it proeor, the operation an e peeded up onideraly on proeor with 32 it word provided that there are operation that an ylily rotate the yte within uh word. The funtion required are a follow: rot(w) move the yte in poition, and 2 in the word w to poition, 2 and 3 repetively and move the yte in poition 3 to poition. rot2(w) move the yte in poition,, 2 and 3 in w to poition 2, 3, and repetively (or exhange yte with yte 2 and yte with yte 3). rot3(w) move the yte in poition, 2 and 3 in w to poition, and 2 repetively and move the yte in poition to poition 3. Uing thee operation on eah word w of the tate allow the aove ode equene on individual yte to e rewritten a one operation on eah word (olumn) a a whole: w rot3(w) ^ rot2(w) ^ rot(w) ^ FFmulX(w ^ rot3(w)) where the funtion FFmulX(w) perform a finite field multipliation of eah of the four yte in the word w y {2}. Thi itelf an e oded to operate in parallel on the four yte in the word a follow: word FFmulX(ont word w) egin word t w & x8888 return ((w ^ t) << ) ^ ((t >> 3) (t >> 4) (t >> 6) (t >> 7)) Here the word t extrat the highet it from eah yte within w, while the term w^t extrat the lower 7 it. The four individual yte within the latter an then e multiplied y {2} in parallel uing a ingle 32-it left hift without reating overflow from one yte to the next. The ((t >> 3) (t >> 4) (t >> 6) (t >> 7)) ontrution leave zero yte within t unhanged ut hange the yte whoe top it are et to x. There are everal alternative way of performing thi tep inluding, for example ((u - (u >> 7)) & x) or ((u >> 7) * x), the mot effiient deping on the harateriti of the proeor intrution et availale for it implementation. Finally, when thi value i XOR ed into the reult the effet i that required namely, the modular polynomial i added to all yte in whih the top it were originally et. Similar tehnique an e ued to peed up the invere olumn mixing operation. Dr. Brian Gladman, v3.2, 4 th July 2 page 7

18 7.3 Implementation Uing Tale Rijndael an e implemented very effiiently on proeor with 32-it word y tranforming it in the following way. Conidering a ingle olumn (word) of the tate and applying the SuByte, ShiftRow, MixColumn and XorRoundKey tranformation in turn give: after SuByte: after ShiftRow: after MixColumn: after XorRoundKey:,, 2, 3,,, 2, 3,,, 2, 3,,, 2, 3, ,, 2, 3,,,[ + h(, N)mod N 2,[ + h(2, N)mod N 3,[ + h(3, N)mod N , (), () 2, (2) 3, (3), (), () 2, (2) 3, (3), (), () 2, (2) 3, (3) k k k k,, 2, 3, (7.3.) (7.3.2) (7.3.3) (7.3.4) where the horthand notation ( r) [ + h( r, N) modn, with (), ha een ued in the olumn index. Treating thi a one omplex tranformation (i.e. with a ingle prime), it an e written in olumn vetor form a:,, 2, 3, S k k 3 k 2 k [, (), () 2, (2) 3, (3), (7.3.5) 2, And if four tale eah of it word are defined (for x < 256) a follow: T[ T[ T2[ 2 3 equation (6.3.5) an then e expreed in the form: T3[ 3 2, 3, (7.3.6) where,, 2, 3, T[, () T[, () T2[ 2, (2) T3[ 3, (3) k round, ( r) [ + h( r, N) mod N, () and k round, i word of round key round. (7.3.7) Dr. Brian Gladman, v3.2, 4 th July 2 page 8

19 Thi how that eah olumn in the output tate an e omputed uing four XOR intrution involving a word from the key hedule and four word from tale that are indexed uing four yte from the input tate. Equation (6.3.7) applie to all ut the lat round eaue the latter i different in that the MixColumn tep i not preent. Thi mean that different tale are required for the lat round a follow: U[ U[ U2[ U3[ (7.3.8) Thee tale an e implemented diretly or an e omputed either from the S-Box tale or y making the appropriate tale for normal round. The tale for the main round amount to 4 kyte of tale pae and thi i douled if the lat round tale are alo implemented. However, it i worth noting that thee tale are loely related ine T i (x) rot(t i- (x)), and thi mean that the tale pae an e redued y a fator of four at the expene of three additional rotation in the alulation of eah olumn of the tate. Thi implementation tehnique an alo e ued for the equivalent invere ipher ine it ha the ame form a the forward ipher. Thi require another et of tale ine the invere S-Boxe have to e ued in the aove tranformation. The yte indexing for the tale value i alo different for the invere ipher ( r) [ h( r, N) + N mod N. 8. Aknowledgement Thi peifiation wa originally written a an input to the AES FIPS development proe ut ha een developed further ine then a a reult of omment reeived on the original verion. I would like to aknowledge and thank Joan Daemen and Vinent Rijmen for many ignifiant input that they made during it development. I would alo like to thank oth Jim Foti and Elaine Barker of NIST for their many helpful omment and uggetion, many of whih are emodied oth here and in the FIPS. My thank alo go to Paulo Barreto for hi ooperation in pulihing the original development tet vetor and to Lawrene Baham of NIST for indepently heking their orretne. 9. Referene J. Daemen and V. Rijmen, AES Propoal: Rijndael, AES Algorithm Sumiion, Septemer 3, 999, availale from the US National Intitute of Standard and Tehnology (NIST) AES we ite at Error Thi peifiation ha een produed from the ae doument referened in etion 9 aove. It ha no formal tatu ut the author would e grateful if any error found in it ould e reported to him at rg@gladman.uk.net. Software implementation of Rijndael y the author (in C/C++) are availale at: Dr. Brian Gladman, v3.2, 4 th July 2 page 9

20 . An Example of Cipher Operation The following diagram how the hexadeimal value in the tate array a the ipher progree for a ipher input length (N) of 4 and a ipher key length (Nk) of 4. The notation for the folllowing input i given at the tart of Setion 2. Input 3243f6a8885a38d3398a2e37734 (pi * 2^24) Key 27e5628aed2a6af75889f4f3 ( e * 2^24) round numer tart of round after uyte after hiftrow after mixolumn round key value input output e 2 28 a a e ae f7 f f d2 5 4f a8 8d a a a 9a e9 d4 e 8 e d4 e 8 e 4 e a a 3d f4 6 f8 27 f 4 4 f f8 6 fa 54 a3 6 e3 e2 8d d 52 5d d3 26 fe e 2 2a 8 ae f e5 3 3 ae f e5 e5 9a 7a a f f d f2 7a f 5 6a de d 39 2 d 39 2 de 4d 4 e f 35 ea 5 d d2 96 a 5a a f6 f f a f a f a a8 e5 f2 43 7a 7f aa a ef 3 45 a ef d 47 e 6d 8f dd d e a 5f e3 4a 46 f d6 5a d6 5a f 9 63 f d 47 fe 7e 88 3 ef d2 9a 7 df df d 7d 3e d d e3 f e3 f6 f 6 6f 5e ef a8 6 d 6 d e3 5f 5 a4 f a4 f 5 d e 9d 58 2f 5e 8 6a 8 6a 2f 5e da 38 3 a ad ee d 38 e7 28 d d7 7 a9 f 6 4 7f 3 e 8 d9 85 e e e e d 6 4 d4 7 a f f 8 6 f 8 6 4f d 3a 4 d 83 f2 f9 7f e d2 f 96 ae 96 ae d2 f a9 d d 8 5 e8 5 9 a a 53 ad 68 8e f8 87 f 7 5d a 78 4 a d d a f e8 d5 4f e8 d a 9d d2 88 f9 6f 4 8 d5 a8 29 3d 3 3d 3 a8 29 8d 89 f4 8 a3 3e ef 32 f df 23 fe fe f df 23 6d 8 e8 d8 7a fd 4 fd 26 3d e8 fd f f e 5f 84 4e e 4 64 d2 a a a 54 5f a6 a6 2e a9 4 3d 4 3d 3 a d8 f7 9 4f d 7 7d a9 25 f ff d3 3f 3f f ff d3 f e d7 43 e f3 2 4f 5a 9 a3 7a e d4 a da e d4 a da 54 fa ea 5 3 7f 4 49 e e 64 3 e d2 8d 2 8d 42 d d4 f2 d4 f f 89 6d a f5 29 f d fe fe 8 4d d ff d ea 2 d2 6 2f ea f2 4d f2 4d a3 4 a d 96 e 6e 4 9 6e 4 9 e 37 d4 7 9f 77 fa d a 3 46 e7 46 e7 4a 3 94 e4 3a d 29 f 2d ad 5 8 d8 95 a6 a6 8 d8 95 ed a5 a6 f e e 59 8 e9 3d af e9 3d af d 9 e 6 4 2e a e e 9 4 ee 3f 63 f d 2 7d f9 25 e 84 e7 d2 72 5f f 94 a a d 9 25 d 6a d f Dr. Brian Gladman, v3.2, 4 th July 2 page 2

21 2. Rijndael Development Tet Vetor All vetor are in hexadeimal notation with eah pair of harater giving a yte value where the left and right harater of eah pair provide the it pattern for the 4 it group ontaining the higher and lower numered it repetively uing the format explained in Setion.2. The array index for all yte (group of two hexadeimal digit) within thee tet vetor tart at zero on the left and inreae from left to right. Conidered intead a it equene, with hexadeimal digit numered from left to right tarting from, hexadeimal digit n give the value of it 4n to 4n+3 in the equene uing the 4-it notation given in Setion.2 exept that lower numered it are now on the left (thi arie eaue it in it equene and it in yte are mapped in revere). Thee tet have een generated y Dr Brian Gladman uing the program ae_ve.pp <rg@gladman.uk.net> 24th January 2. LEGEND FOR ENCRYPT (round numer r to, 2 or 4) input: ipher input tart: tate at tart of round[r _ox: tate after _ox utitution _row: tate after hift row tranformation m_ol: tate after mix olumn tranformation k_h: key hedule value for round[r output: ipher output LEGEND FOR DECRYPT (round numer r to, 2 or 4) KEY SCHEDULE FOR KEY XOR FOLLOWED BY INVERSE MIX COLUMN iinput: invere ipher input itart: tate at tart of round[r i_ox: tate after invere _ox utitution i_row: tate after invere hift row tranformation ik_h: key hedule value for round[r ik_add: tate after key addition ioutput: ipher output LEGEND FOR DECRYPT (MOD) (round numer r to, 2 or 4) KEY SCHEDULE FOR INVERSE MIX COLUMN FOLLOWED BY KEY XOR iinput: invere ipher input itart: tate at tart of round[r i_ox: tate after invere _ox utitution i_row: tate after invere hift row tranformation im_ol: tate after invere mix olumn tranformation ik_h: key hedule value for round[r ioutput: ipher output PLAINTEXT: 3243f6a8885a38d3398a2e37734 (pi * 2^24) KEY: 27e5628aed2a6af75889f4f3 ( e * 2^24) ENCRYPT R[.input 3243f6a8885a38d3398a2e37734 R[.k_h 27e5628aed2a6af75889f4f3 R[.tart 93de3eaf4e229a68d2ae9f8488 R[._ox d427aeef98f845de5e4523 R[._row d4f5d3e452ae84fe2798e5 R[.m_ol 4668e5e99a48f8d37a R[.k_h afafe a339392a6765 R[ 2.tart a497ff2689f35265ea4326a549 R[ 2._ox 49ded28945d96f7f3987a R[ 2._row 49d f2d2f77de96a R[ 2.m_ol 584daf45aade7aa86e5 R[ 2.k_h f2295f27a a7359f67f R[ 3.tart aa8f5f36dde3ef82d24ad a R[ 3._ox a73f7efdf35d a8 R[ 3._row ad68ef55a7323fdf45735 R[ 3.m_ol 75e f725dd R[ 3.k_h 3d8477d476fe3ee237e446d7a883 R[ 4.tart 4864eee67d9dd4de338d65f58e7 R[ 4._ox 5252f2885a45ed7e387f6f6a94 Dr. Brian Gladman, v3.2, 4 th July 2 page 2

22 R[ 4._row 52a a28e3f2fd7f655e7 R[ 4.m_ol fd6daa96338f6f65e33 R[ 4.k_h ef44a54a85257f67253dad R[ 5.tart e927fe886363d e R[ 5._ox e4fd29e8ffa ae7 R[ 5._row ef967e88ae9356d2a974ff53 R[ 5.m_ol 25da9addd6863a338e44 R[ 5.k_h d4d6f87839d87af28f95 R[ 6.tart f6f55924ef788325d5d5 R[ 6._ox a63a8f784f29dfe83d234d53fe R[ 6._row a4f3dfe78e83fd5a8df R[ 6.m_ol 4868d6d24a898339df4e837d28d8 R[ 6.k_h 6d88a37a3efddf9864a93fd R[ 7.tart 26e2e73d477de86472a9fdd2825 R[ 7._ox f7a3f2783a9ff9434d35453d3f R[ 7._row f78343f27433df953ff54aa9d3 R[ 7.m_ol 455f4665e274656d7342ad843 R[ 7.k_h 4e54f7e5f5f9f384a64f24ea6d4f R[ 8.tart 5a442949dfa3e9657a84 R[ 8._ox e8328d4386aed44dda64f2fe R[ 8._row e3d4fed4ef28a642da83864d R[ 8.m_ol 52fd889ff54766ddfa99ea R[ 8.k_h ead273258dad232f567f8d292f R[ 9.tart ea835f445332d655d98ad85965 R[ 9._ox 87e4a8f26e3d84d e7a6 R[ 9._row 876e46a6f24e784d94ad897e395 R[ 9.m_ol ed4d4e4a5a373aa649f42 R[ 9.k_h a7766f39fad228d e R[.tart e4f2e592e38848a3e7342d2 R[._ox e f3d327d94af2e25 R[._row e937d d2e895faf9794 R[.k_h d4f9a89ee2589e3f8663a6 R[.output d2d9fd859796a32 DECRYPT R[.iinput d2d9fd859796a32 R[.ik_h d4f9a89ee2589e3f8663a6 R[.itart e937d d2e895faf9794 R[.i_row e f3d327d94af2e25 R[.i_ox e4f2e592e38848a3e7342d2 R[.ik_h a7766f39fad228d e R[.ik_add ed4d4e4a5a373aa649f42 R[ 2.itart 876e46a6f24e784d94ad897e395 R[ 2.i_row 87e4a8f26e3d84d e7a6 R[ 2.i_ox ea835f445332d655d98ad85965 R[ 2.ik_h ead273258dad232f567f8d292f R[ 2.ik_add 52fd889ff54766ddfa99ea R[ 3.itart e3d4fed4ef28a642da83864d R[ 3.i_row e8328d4386aed44dda64f2fe R[ 3.i_ox 5a442949dfa3e9657a84 R[ 3.ik_h 4e54f7e5f5f9f384a64f24ea6d4f R[ 3.ik_add 455f4665e274656d7342ad843 R[ 4.itart f78343f27433df953ff54aa9d3 R[ 4.i_row f7a3f2783a9ff9434d35453d3f R[ 4.i_ox 26e2e73d477de86472a9fdd2825 R[ 4.ik_h 6d88a37a3efddf9864a93fd R[ 4.ik_add 4868d6d24a898339df4e837d28d8 R[ 5.itart a4f3dfe78e83fd5a8df R[ 5.i_row a63a8f784f29dfe83d234d53fe R[ 5.i_ox f6f55924ef788325d5d5 R[ 5.ik_h d4d6f87839d87af28f95 R[ 5.ik_add 25da9addd6863a338e44 R[ 6.itart ef967e88ae9356d2a974ff53 R[ 6.i_row e4fd29e8ffa ae7 R[ 6.i_ox e927fe886363d e R[ 6.ik_h ef44a54a85257f67253dad R[ 6.ik_add fd6daa96338f6f65e33 R[ 7.itart 52a a28e3f2fd7f655e7 R[ 7.i_row 5252f2885a45ed7e387f6f6a94 R[ 7.i_ox 4864eee67d9dd4de338d65f58e7 R[ 7.ik_h 3d8477d476fe3ee237e446d7a883 Dr. Brian Gladman, v3.2, 4 th July 2 page 22

23 R[ 7.ik_add 75e f725dd R[ 8.itart ad68ef55a7323fdf45735 R[ 8.i_row a73f7efdf35d a8 R[ 8.i_ox aa8f5f36dde3ef82d24ad a R[ 8.ik_h f2295f27a a7359f67f R[ 8.ik_add 584daf45aade7aa86e5 R[ 9.itart 49d f2d2f77de96a R[ 9.i_row 49ded28945d96f7f3987a R[ 9.i_ox a497ff2689f35265ea4326a549 R[ 9.ik_h afafe a339392a6765 R[ 9.ik_add 4668e5e99a48f8d37a R[.itart d4f5d3e452ae84fe2798e5 R[.i_row d427aeef98f845de5e4523 R[.i_ox 93de3eaf4e229a68d2ae9f8488 R[.ik_h 27e5628aed2a6af75889f4f3 R[.ioutput 3243f6a8885a38d3398a2e37734 DECRYPT (MOD) R[.iinput d2d9fd859796a32 R[.ik_h d4f9a89ee2589e3f8663a6 R[.itart e937d d2e895faf9794 R[.i_ox e2e3d259a42e83f284438e7 R[.i_row e4f2e592e38848a3e7342d2 R[.im_ol 855e55d72fda9248fa382 R[.ik_h 75a6339eafe f4 R[ 2.itart 876e46a6f24e784d94ad897e395 R[ 2.i_ox ea df659652d858333ad R[ 2.i_row ea835f445332d655d98ad85965 R[ 2.im_ol 64646a a9444eaef6f569 R[ 2.ik_h df7d925af629da32626ed R[ 3.itart e3d4fed4ef28a642da83864d R[ 3.i_ox 5a4999e4a3842f7a4d65 R[ 3.i_row 5a442949dfa3e9657a84 R[ 3.im_ol e e75f3727f7e32fe899 R[ 3.ik_h 27647f22742d2f375554a R[ 4.itart f78343f27433df953ff54aa9d3 R[ 4.i_ox d6487e8d22e7dfde7a9 R[ 4.i_row 26e2e73d477de86472a9fdd2825 R[ 4.im_ol f3e588aa e8574ea9a R[ 4.ik_h 6efd876d2df54875df R[ 5.itart a4f3dfe78e83fd5a8df R[ 5.i_ox f9288d555756fef5d432 R[ 5.i_row f6f55924ef788325d5d5 R[ 5.im_ol 8f589854e226d9ee76e2258de R[ 5.ik_h 6ea3af238f6ae82a4454a338d R[ 6.itart ef967e88ae9356d2a974ff53 R[ 6.i_ox e63358ee8d987f R[ 6.i_row e927fe886363d e R[ 6.im_ol e22f6e795ed9893e R[ 6.ik_h d2886a2a R[ 7.itart 52a a28e3f2fd7f655e7 R[ 7.i_ox 48de767e358ee4d5f4edd669d38 R[ 7.i_row 4864eee67d9dd4de338d65f58e7 R[ 7.im_ol dde54fadd9862d326974aaee R[ 7.ik_h 7f3f ae48969f7 R[ 8.itart ad68ef55a7323fdf45735 R[ 8.i_ox aadd4a9a6d fef688fe3d2 R[ 8.i_row aa8f5f36dde3ef82d24ad a R[ 8.im_ol 85ae82d72e8267fd2eae R[ 8.ik_h 755e3e7dee R[ 9.itart 49d f2d2f77de96a R[ 9.i_ox a49fea496855f266a7f R[ 9.i_row a497ff2689f35265ea4326a549 R[ 9.im_ol ff d686a47fa4e5546e587 R[ 9.ik_h 2378a7f262d453edf467d62 R[.itart d4f5d3e452ae84fe2798e5 R[.i_ox 9f48d8a648e9af8e32e93de22a R[.i_row 93de3eaf4e229a68d2ae9f8488 R[.ik_h 27e5628aed2a6af75889f4f3 R[.ioutput 3243f6a8885a38d3398a2e37734 Dr. Brian Gladman, v3.2, 4 th July 2 page 23

24 PLAINTEXT: 3243f6a8885a38d3398a2e37734 (pi * 2^24) KEY: 27e5628aed2a6af75889f4f3 ( e * 2^88) 762e76f384da5 ENCRYPT R[.input 3243f6a8885a38d3398a2e37734 R[.k_h 27e5628aed2a6af75889f4f3 R[.tart 93de3eaf4e229a68d2ae9f8488 R[._ox d427aeef98f845de5e4523 R[._row d4f5d3e452ae84fe2798e5 R[.m_ol 4668e5e99a48f8d37a R[.k_h 762e76f384da579d33f33d R[ 2.tart 7248f f5f656735e7f R[ 2._ox d9275f4daeff9694a R[ 2._row 49aa7d4d9497f96875f522ef R[ 2.m_ol 826de2a2ed7a6dd25a2d8 R[ 2.k_h 944d4359d99e25ea698aea7 R[ 3.tart 4e2af3d3a fd3da756f7 R[ 3._ox fa98676d868aa da85 R[ 3._row fa86556da859d67aa R[ 3.m_ol 3a83a524fdd487273af87e2d R[ 3.k_h f586ef2995a364d3e73dd637 R[ 4.tart 42fd92333f28432fe843a8a R[ 4._ox f2544f37534afd825fe652a2 R[ 4._row f75a238224ffd6554ae2345f R[ 4.m_ol 88fa8def8de9d24e8 R[ 4.k_h 2835e346992d57ae75278ea5 R[ 5.tart 94996ee a79725 R[ 5._ox 22ee eaf2a9588a3f R[ 5._row 223f56f2a28ea88495ee22a9 R[ 5.m_ol a57ddda533543e23ef59a5466 R[ 5.k_h 2f39e825a43429f2f8226 R[ 6.tart 8a6e3ed78a64ef5d7862ead6a4 R[ 6._ox 7e fe69aa87f6497 R[ 6._row 7e799492e6f6722f87524aa R[ 6.m_ol e3e257a4295f5f8a885e6e7aa9 R[ 6.k_h ae2722d554987fad48a2f89f R[ 7.tart 435e d877ff7799e59 R[ 7._ox a4a986a88476a376686d4d9d4 R[ 7._row a76d488d96aa3d498664a4768 R[ 7.m_ol a6748f8828f9e32ff78683a R[ 7.k_h d e4229f54d54ad5d52 R[ 8.tart 78379aef85d2aa556d74e R[ 8._ox 569a56e43d654a56264e2f R[ 8._row 5622fe45e564a9a65463d6 R[ 8.m_ol 24a3547f4fd72a3e373f9d2578 R[ 8.k_h 974ea2f98fe7435e527a9e R[ 9.tart 94a233ed28fded7d65834a9ede R[ 9._ox 223a2e755348def6a6e3d35572 R[ 9._row 2234a67255f6557ed32ed33a8e R[ 9.m_ol 9d7399a594da6d5d73363f R[ 9.k_h 9ee45fd5d d5969dd37 R[.tart 522d885eda94e25e73fa68 R[._ox d84a65562d42f3fe8f9822d7f3 R[._row 628f355e7fa63f2d42f82d8d49 R[.m_ol 97e378d3af5949e2dff624d2562 R[.k_h 2f638e87d959d634de443 R[.tart a82546da724d2f R[._ox 62326f574e3fef R[._row ff232fe23e325 R[.m_ol 3a58225d5ee24a542298ed72f38 R[.k_h 79d97af944dde52f6ed62f6d3 R[2.tart af768e84fa42a3a4d455f R[2._ox a46df e58e36ef R[2._row a6849f246ef784e36d98445e5 R[2.k_h e39366fe7324d287a35a838af9e5 R[2.output f9f29aef384a2534d83387e DECRYPT Dr. Brian Gladman, v3.2, 4 th July 2 page 24