Rijndael S-box
From Wikipedia, the free encyclopedia
This article describes the S-box used by the Rijndael cryptographic algorithm.
The S-box is generated by determining the multiplicative inverse for a given number in Rijndael's finite field. The multiplicative inverse is then transformed using the following affine transformation:
where [x0, ..., x7] is the multiplicative inverse as a vector.
The matrix multiplication can be calculated by the following algorithm:
- Store the multiplicative inverse of the input number in two 8-bit unsigned temporary variables: s and x
- Rotate the value s one bit to the left; if the value of s had a high bit (eight bit from the left) of one, make the low bit of s one; otherwise the low bit of s is zero.
- Exclusive or the value of x with the value of s, storing the value in x
- For three more iterations, repeat steps two and three; steps two and three are done a total of four times.
- The value of x will now have the result of the multiplication.
After the matrix multiplication is done, exclusive or the value by the decimal number 99 (the hexadecimal number 0x63).
This will generate the following S-box, which is represented here with hexadecimal notation:
| 0 1 2 3 4 5 6 7 8 9 a b c d e f ---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--| 00 |63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 |ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 |b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 |04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 |09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 |d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 |51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 |cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 |60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 |e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 |ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 |70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 |e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 |8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Here the column is determined by the least significant nybble, and the row is determined by the most significant nybble. For example, the value 0x9a is converted in to 0xb8 by Rijndael's S-box. Note that the multiplicative inverse of 0x00 is defined as itself.
The inverse S-box is simply the S-box run in reverse. For example, the inverse S-box of 0xdb is 0x9f. The following table represents Rijndael's inverse S-box:
| 0 1 2 3 4 5 6 7 8 9 a b c d e f ---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--| 00 |52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 10 |7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 20 |54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 30 |08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 40 |72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 50 |6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 60 |90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 70 |d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 80 |3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 90 |96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a0 |47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b0 |fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c0 |1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d0 |60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e0 |a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 f0 |17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
[edit] An alternate equation for the Affine Transformation
An equivalent equation for the affine transformation is
where b' b and c are 8 bit arrays and c is 01100011. FIPS PUB 197: the official AES standard , section 5.5.1
This can be done with the following java code
public static boolean[] affineX (boolean[] bprime, boolean[] b, boolean[] c) {
for (int j=0; j<8; j++) {
bprime[ j ] = b[ j ] ^ b[ (j+4)%8 ];
bprime[ j ] ^= b[ (j+5)%8 ];
bprime[ j ] ^= b[ (j+6)%8 ];
bprime[ j ] ^= b[ (j+7)%8 ];
bprime[ j ] ^= c [ j ];
}
return bprime;
}
For those who can't figure that one out (like me!) I've written a very simple cut and paste function for both forward SBox lookup and reverse lookup. Here is the C++ code:
Sbox Lookup:
int getSBoxValue(int num)
{
int sbox[256] = {
//0 1 2 3 4 5 6 7 8 9 A B C D E F
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, //0
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, //1
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, //2
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, //3
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, //4
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, //5
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, //6
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, //7
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, //8
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, //9
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, //A
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, //B
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, //C
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, //D
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, //E
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 }; //F
return sbox[num];
}
Reverse SBox lookup:
int getSBoxInvert(int num)
{
int rsbox[256] =
{ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb
, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb
, 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e
, 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25
, 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92
, 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84
, 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06
, 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b
, 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73
, 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e
, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b
, 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4
, 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f
, 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef
, 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61
, 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };
return rsbox[num];
}
As test that it works you can execute the following:
int main(int argc, char *argv[])
{
for (int i = 0; i < 1 << 8; i++)
{
if (getSBoxInvert(getSBoxValue(i)) != i)
{
cout << "Wrong value at " << i;
exit(-1);
}
}
cout << "OK all lookups succeeded";
system("PAUSE");
return EXIT_SUCCESS;
}
