FIPS PUB 197 - Advanced Encryption Standard AES - Documento Oficial

Federal Information Processing Standards Publication 197 November 26 2001 Announcing the ADVANCED ENCRYPTION STANDARD AES Federal Information Processing Standards Publications FIPS PUBS are issued by the National Institute of Standards and Technology NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 Public Law 104106 and the Computer Security Act of 1987 Public Law 100235 1 Name of Standard Advanced Encryption Standard AES FIPS PUB 197 2 Category of Standard Computer Security Standard Cryptography 3 Explanation The Advanced Encryption Standard AES specifies a FIPSapproved cryptographic algorithm that can be used to protect electronic data The AES algorithm is a symmetric block cipher that can encrypt encipher and decrypt decipher information Encryption converts data to an unintelligible form called ciphertext decrypting the ciphertext converts the data back into its original form called plaintext The AES algorithm is capable of using cryptographic keys of 128 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits 4 Approving Authority Secretary of Commerce 5 Maintenance Agency Department of Commerce National Institute of Standards and Technology Information Technology Laboratory ITL 6 Applicability This standard may be used by Federal departments and agencies when an agency determines that sensitive unclassified information as defined in P L 100235 requires cryptographic protection Other FIPSapproved cryptographic algorithms may be used in addition to or in lieu of this standard Federal agencies or departments that use cryptographic devices for protecting classified information can use those devices for protecting sensitive unclassified information in lieu of this standard In addition this standard may be adopted and used by nonFederal Government organizations Such use is encouraged when it provides the desired security for commercial and private organizations ii 7 Specifications Federal Information Processing Standard FIPS 197 Advanced Encryption Standard AES affixed 8 Implementations The algorithm specified in this standard may be implemented in software firmware hardware or any combination thereof The specific implementation may depend on several factors such as the application the environment the technology used etc The algorithm shall be used in conjunction with a FIPS approved or NIST recommended mode of operation Object Identifiers OIDs and any associated parameters for AES used in these modes are available at the Computer Security Objects Register CSOR located at httpcsrcnistgovcsor 2 Implementations of the algorithm that are tested by an accredited laboratory and validated will be considered as complying with this standard Since cryptographic security depends on many factors besides the correct implementation of an encryption algorithm Federal Government employees and others should also refer to NIST Special Publication 80021 Guideline for Implementing Cryptography in the Federal Government for additional information and guidance NIST SP 80021 is available at httpcsrcnistgovpublications 9 Implementation Schedule This standard becomes effective on May 26 2002 10 Patents Implementations of the algorithm specified in this standard may be covered by US and foreign patents 11 Export Control Certain cryptographic devices and technical data regarding them are subject to Federal export controls Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the US Department of Commerce Applicable Federal government export controls are specified in Title 15 Code of Federal Regulations CFR Part 74017 Title 15 CFR Part 742 and Title 15 CFR Part 774 Category 5 Part 2 12 Qualifications NIST will continue to follow developments in the analysis of the AES algorithm As with its other cryptographic algorithm standards NIST will formally reevaluate this standard every five years Both this standard and possible threats reducing the security provided through the use of this standard will undergo review by NIST as appropriate taking into account newly available analysis and technology In addition the awareness of any breakthrough in technology or any mathematical weakness of the algorithm will cause NIST to reevaluate this standard and provide necessary revisions 13 Waiver Procedure Under certain exceptional circumstances the heads of Federal agencies or their delegates may approve waivers to Federal Information Processing Standards FIPS The heads of such agencies may redelegate such authority only to a senior official designated pursuant to Section 3506b of Title 44 US Code Waivers shall be granted only when compliance with this standard would a adversely affect the accomplishment of the mission of an operator of Federal computer system or b cause a major adverse financial impact on the operator that is not offset by government wide savings iii Agency heads may act upon a written waiver request containing the information detailed above Agency heads may also act without a written waiver request when they determine that conditions for meeting the standard cannot be met Agency heads may approve waivers only by a written decision that explains the basis on which the agency head made the required findings A copy of each such decision with procurement sensitive or classified portions clearly identified shall be sent to National Institute of Standards and Technology ATTN FIPS Waiver Decision Information Technology Laboratory 100 Bureau Drive Stop 8900 Gaithersburg MD 20899 8900 In addition notice of each waiver granted and each delegation of authority to approve waivers shall be sent promptly to the Committee on Government Operations of the House of Representatives and the Committee on Government Affairs of the Senate and shall be published promptly in the Federal Register When the determination on a waiver applies to the procurement of equipment andor services a notice of the waiver determination must be published in the Commerce Business Daily as a part of the notice of solicitation for offers of an acquisition or if the waiver determination is made after that notice is published by amendment to such notice A copy of the waiver any supporting documents the document approving the waiver and any supporting and accompanying documents with such deletions as the agency is authorized and decides to make under Section 552b of Title 5 US Code shall be part of the procurement documentation and retained by the agency 14 Where to obtain copies This publication is available electronically by accessing httpcsrcnistgovpublications A list of other available computer security publications including ordering information can be obtained from NIST Publications List 91 which is available at the same web site Alternatively copies of NIST computer security publications are available from National Technical Information Service NTIS 5285 Port Royal Road Springfield VA 22161 iv Federal Information Processing Standards Publication 197 November 26 2001 Specification for the ADVANCED ENCRYPTION STANDARD AES Table of Contents 1 INTRODUCTION 5 2 DEFINITIONS 5 21 GLOSSARY OF TERMS AND ACRONYMS 5 22 ALGORITHM PARAMETERS SYMBOLS AND FUNCTIONS 6 3 NOTATION AND CONVENTIONS 7 31 INPUTS AND OUTPUTS 7 32 BYTES 8 33 ARRAYS OF BYTES 8 34 THE STATE 9 35 THE STATE AS AN ARRAY OF COLUMNS 10 4 MATHEMATICAL PRELIMINARIES 10 41 ADDITION 10 42 MULTIPLICATION 10 421 Multiplication by x 11 43 POLYNOMIALS WITH COEFFICIENTS IN GF28 12 5 ALGORITHM SPECIFICATION 13 51 CIPHER 14 511 SubBytesTransformation 15 512 ShiftRows Transformation 17 513 MixColumns Transformation 17 514 AddRoundKey Transformation 18 52 KEY EXPANSION 19 53 INVERSE CIPHER 20 2 531 InvShiftRows Transformation 21 532 InvSubBytes Transformation 22 533 InvMixColumns Transformation 23 534 Inverse of the AddRoundKey Transformation 23 535 Equivalent Inverse Cipher 23 6 IMPLEMENTATION ISSUES 25 61 KEY LENGTH REQUIREMENTS 25 62 KEYING RESTRICTIONS 26 63 PARAMETERIZATION OF KEY LENGTH BLOCK SIZE AND ROUND NUMBER 26 64 IMPLEMENTATION SUGGESTIONS REGARDING VARIOUS PLATFORMS 26 APPENDIX A KEY EXPANSION EXAMPLES 27 A1 EXPANSION OF A 128BIT CIPHER KEY 27 A2 EXPANSION OF A 192BIT CIPHER KEY 28 A3 EXPANSION OF A 256BIT CIPHER KEY 30 APPENDIX B CIPHER EXAMPLE 33 APPENDIX C EXAMPLE VECTORS 35 C1 AES128 NK4 NR10 35 C2 AES192 NK6 NR12 38 C3 AES256 NK8 NR14 42 APPENDIX D REFERENCES 47 3 Table of Figures Figure 1 Hexadecimal representation of bit patterns 8 Figure 2 Indices for Bytes and Bits 9 Figure 3 State array input and output 9 Figure 4 KeyBlockRound Combinations 14 Figure 5 Pseudo Code for the Cipher 15 Figure 6 SubBytes applies the Sbox to each byte of the State 16 Figure 7 Sbox substitution values for the byte xy in hexadecimal format 16 Figure 8 ShiftRows cyclically shifts the last three rows in the State 17 Figure 9 MixColumns operates on the State columnbycolumn 18 Figure 10 AddRoundKey XORs each column of the State with a word from the key schedule 19 Figure 11 Pseudo Code for Key Expansion 20 Figure 12 Pseudo Code for the Inverse Cipher 21 Figure 13 InvShiftRowscyclically shifts the last three rows in the State 22 Figure 14 Inverse Sbox substitution values for the byte xy in hexadecimal format 22 Figure 15 Pseudo Code for the Equivalent Inverse Cipher 25 4 5 1 Introduction This standard specifies the Rijndael algorithm 3 and 4 a symmetric block cipher that can process data blocks of 128 bits using cipher keys with lengths of 128 192 and 256 bits Rijndael was designed to handle additional block sizes and key lengths however they are not adopted in this standard Throughout the remainder of this standard the algorithm specified herein will be referred to as the AES algorithm The algorithm may be used with the three different key lengths indicated above and therefore these different flavors may be referred to as AES128 AES192 and AES256 This specification includes the following sections 2 Definitions of terms acronyms and algorithm parameters symbols and functions 3 Notation and conventions used in the algorithm specification including the ordering and numbering of bits bytes and words 4 Mathematical properties that are useful in understanding the algorithm 5 Algorithm specification covering the key expansion encryption and decryption routines 6 Implementation issues such as key length support keying restrictions and additional blockkeyround sizes The standard concludes with several appendices that include stepbystep examples for Key Expansion and the Cipher example vectors for the Cipher and Inverse Cipher and a list of references 2 Definitions 21 Glossary of Terms and Acronyms The following definitions are used throughout this standard AES Advanced Encryption Standard Affine A transformation consisting of multiplication by a matrix followed by Transformation the addition of a vector Array An enumerated collection of identical entities eg an array of bytes Bit A binary digit having a value of 0 or 1 Block Sequence of binary bits that comprise the input output State and Round Key The length of a sequence is the number of bits it contains Blocks are also interpreted as arrays of bytes Byte A group of eight bits that is treated either as a single entity or as an array of 8 individual bits 6 Cipher Series of transformations that converts plaintext to ciphertext using the Cipher Key Cipher Key Secret cryptographic key that is used by the Key Expansion routine to generate a set of Round Keys can be pictured as a rectangular array of bytes having four rows and Nk columns Ciphertext Data output from the Cipher or input to the Inverse Cipher Inverse Cipher Series of transformations that converts ciphertext to plaintext using the Cipher Key Key Expansion Routine used to generate a series of Round Keys from the Cipher Key Plaintext Data input to the Cipher or output from the Inverse Cipher Rijndael Cryptographic algorithm specified in this Advanced Encryption Standard AES Round Key Round keys are values derived from the Cipher Key using the Key Expansion routine they are applied to the State in the Cipher and Inverse Cipher State Intermediate Cipher result that can be pictured as a rectangular array of bytes having four rows and Nb columns Sbox Nonlinear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one forone substitution of a byte value Word A group of 32 bits that is treated either as a single entity or as an array of 4 bytes 22 Algorithm Parameters Symbols and Functions The following algorithm parameters symbols and functions are used throughout this standard AddRoundKey Transformation in the Cipher and Inverse Cipher in which a Round Key is added to the State using an XOR operation The length of a Round Key equals the size of the State ie for Nb 4 the Round Key length equals 128 bits16 bytes InvMixColumnsTransformation in the Inverse Cipher that is the inverse of MixColumns InvShiftRows Transformation in the Inverse Cipher that is the inverse of ShiftRows InvSubBytes Transformation in the Inverse Cipher that is the inverse of SubBytes K Cipher Key 7 MixColumns Transformation in the Cipher that takes all of the columns of the State and mixes their data independently of one another to produce new columns Nb Number of columns 32bit words comprising the State For this standard Nb 4 Also see Sec 63 Nk Number of 32bit words comprising the Cipher Key For this standard Nk 4 6 or 8 Also see Sec 63 Nr Number of rounds which is a function of Nk and Nb which is fixed For this standard Nr 10 12 or 14 Also see Sec 63 Rcon The round constant word array RotWord Function used in the Key Expansion routine that takes a fourbyte word and performs a cyclic permutation ShiftRows Transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets SubBytes Transformation in the Cipher that processes the State using a non linear byte substitution table Sbox that operates on each of the State bytes independently SubWord Function used in the Key Expansion routine that takes a fourbyte input word and applies an Sbox to each of the four bytes to produce an output word XOR ExclusiveOR operation ExclusiveOR operation Multiplication of two polynomials each with degree 4 modulo x4 1 Finite field multiplication 3 Notation and Conventions 31 Inputs and Outputs The input and output for the AES algorithm each consist of sequences of 128 bits digits with values of 0 or 1 These sequences will sometimes be referred to as blocks and the number of bits they contain will be referred to as their length The Cipher Key for the AES algorithm is a sequence of 128 192 or 256 bits Other input output and Cipher Key lengths are not permitted by this standard The bits within such sequences will be numbered starting at zero and ending at one less than the sequence length block length or key length The number i attached to a bit is known as its index and will be in one of the ranges 0 i 128 0 i 192 or 0 i 256 depending on the block length and key length specified above 8 32 Bytes The basic unit for processing in the AES algorithm is a byte a sequence of eight bits treated as a single entity The input output and Cipher Key bit sequences described in Sec 31 are processed as arrays of bytes that are formed by dividing these sequences into groups of eight contiguous bits to form arrays of bytes see Sec 33 For an input output or Cipher Key denoted by a the bytes in the resulting array will be referenced using one of the two forms an or an where n will be in one of the following ranges Key length 128 bits 0 n 16 Block length 128 bits 0 n 16 Key length 192 bits 0 n 24 Key length 256 bits 0 n 32 All byte values in the AES algorithm will be presented as the concatenation of its individual bit values 0 or 1 between braces in the order b7 b6 b5 b4 b3 b2 b1 b0 These bytes are interpreted as finite field elements using a polynomial representation 7 0 0 1 2 2 3 3 4 4 5 5 6 6 7 7 i bixi b b x b x b x b x b x b x b x 31 For example 01100011 identifies the specific finite field element 1 5 6 x x x It is also convenient to denote byte values using hexadecimal notation with each of two groups of four bits being denoted by a single character as in Fig 1 Bit Pattern Character Bit Pattern Character Bit Pattern Character Bit Pattern Character 0000 0 0100 4 1000 8 1100 c 0001 1 0101 5 1001 9 1101 d 0010 2 0110 6 1010 a 1110 e 0011 3 0111 7 1011 b 1111 f Figure 1 Hexadecimal representation of bit patterns Hence the element 01100011 can be represented as 63 where the character denoting the fourbit group containing the higher numbered bits is again to the left Some finite field operations involve one additional bit b8 to the left of an 8bit byte Where this extra bit is present it will appear as 01 immediately preceding the 8bit byte for example a 9bit sequence will be presented as 011b 33 Arrays of Bytes Arrays of bytes will be represented in the following form 15 2 0 1 a a a a The bytes and the bit ordering within bytes are derived from the 128bit input sequence input0 input1 input2 input126 input127 as follows a₀ input₀ input₁ input₇ a₁ input₈ input₉ input₁₅ a₁₅ input₁₂₀ input₁₂₁ input₁₂₇ The pattern can be extended to longer sequences ie for 192 and 256bit keys so that in general aₙ input₈ₙ input₈ₙ₁ input₈ₙ₇ 32 Taking Sections 32 and 33 together Fig 2 shows how bits within each byte are numbered Input bit sequence 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 Byte number 0 1 2 Bit numbers in byte 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 Figure 2 Indices for Bytes and Bits 34 The State Internally the AES algorithms operations are performed on a twodimensional array of bytes called the State The State consists of four rows of bytes each containing Nb bytes where Nb is the block length divided by 32 In the State array denoted by the symbol s each individual byte has two indices with its row number r in the range 0 r 4 and its column number c in the range 0 c Nb This allows an individual byte of the State to be referred to as either src or src For this standard Nb4 ie 0 c 4 also see Sec 63 At the start of the Cipher and Inverse Cipher described in Sec 5 the input the array of bytes in₀ in₁ in₁₅ is copied into the State array as illustrated in Fig 3 The Cipher or Inverse Cipher operations are then conducted on this State array after which its final value is copied to the output the array of bytes out₀ out₁ out₁₅ input bytes State array output bytes in₀ in₄ in₈ in₁₂ s₀₀ s₀₁ s₀₂ s₀₃ out₀ out₄ out₈ out₁₂ in₁ in₅ in₉ in₁₃ s₁₀ s₁₁ s₁₂ s₁₃ out₁ out₅ out₉ out₁₃ in₂ in₆ in₁₀ in₁₄ s₂₀ s₂₁ s₂₂ s₂₃ out₂ out₆ out₁₀ out₁₄ in₃ in₇ in₁₁ in₁₅ s₃₀ s₃₁ s₃₂ s₃₃ out₃ out₇ out₁₁ out₁₅ Figure 3 State array input and output Hence at the beginning of the Cipher or Inverse Cipher the input array in is copied to the State array according to the scheme src inr 4c for 0 r 4 and 0 c Nb 33 10 and at the end of the Cipher and Inverse Cipher the State is copied to the output array out as follows outr 4c sr c for 0 r 4 and 0 c Nb 34 35 The State as an Array of Columns The four bytes in each column of the State array form 32bit words where the row number r provides an index for the four bytes within each word The state can hence be interpreted as a onedimensional array of 32 bit words columns w0w3 where the column number c provides an index into this array Hence for the example in Fig 3 the State can be considered as an array of four words as follows w0 s00 s10 s20 s30 w2 s02 s12 s22 s32 w1 s01 s11 s21 s31 w3 s03 s13 s23 s33 35 4 Mathematical Preliminaries All bytes in the AES algorithm are interpreted as finite field elements using the notation introduced in Sec 32 Finite field elements can be added and multiplied but these operations are different from those used for numbers The following subsections introduce the basic mathematical concepts needed for Sec 5 41 Addition The addition of two elements in a finite field is achieved by adding the coefficients for the corresponding powers in the polynomials for the two elements The addition is performed with the XOR operation denoted by ie modulo 2 so that 0 1 1 1 0 1 and 0 0 0 Consequently subtraction of polynomials is identical to addition of polynomials Alternatively addition of finite field elements can be described as the modulo 2 addition of corresponding bits in the byte For two bytes a7a6a5a4a3a2a1a0 and b7b6b5b4b3b2b1b0 the sum is c7c6c5c4c3c2c1c0 where each ci ai bi ie c7 a7 b7 c6 a6 b6 c0 a0 b0 For example the following expressions are equivalent to one another 1 2 4 6 x x x x 1 7 x x 2 4 6 7 x x x x polynomial notation 01010111 10000011 11010100 binary notation 57 83 d4 hexadecimal notation 42 Multiplication In the polynomial representation multiplication in GF28 denoted by corresponds with the multiplication of polynomials modulo an irreducible polynomial of degree 8 A polynomial is irreducible if its only divisors are one and itself For the AES algorithm this irreducible polynomial is 1 3 4 8 x x x x m x 41 11 or 011b in hexadecimal notation For example 57 83 c1 because 1 2 4 6 x x x x 1 7 x x 7 8 9 11 13 x x x x x x x x x x 2 3 5 7 1 2 4 6 x x x x 1 3 4 5 6 8 9 11 13 x x x x x x x x and 1 3 4 5 6 8 9 11 13 x x x x x x x x modulo 1 3 4 8 x x x x 1 6 7 x x The modular reduction by mx ensures that the result will be a binary polynomial of degree less than 8 and thus can be represented by a byte Unlike addition there is no simple operation at the byte level that corresponds to this multiplication The multiplication defined above is associative and the element 01 is the multiplicative identity For any nonzero binary polynomial bx of degree less than 8 the multiplicative inverse of bx denoted b1x can be found as follows the extended Euclidean algorithm 7 is used to compute polynomials ax and cx such that 1 m x c x b x a x 42 Hence 1 mod m x b x a x which means mod 1 m x a x x b 43 Moreover for any ax bx and cx in the field it holds that c x a x b x a x c x b x a x It follows that the set of 256 possible byte values with XOR used as addition and the multiplication defined as above has the structure of the finite field GF28 421 Multiplication by x Multiplying the binary polynomial defined in equation 31 with the polynomial x results in b x b x b x b x b x b x b x x b 0 2 1 3 2 4 3 5 4 6 5 7 6 7 8 44 The result x bx is obtained by reducing the above result modulo mx as defined in equation 41 If b7 0 the result is already in reduced form If b7 1 the reduction is accomplished by subtracting ie XORing the polynomial mx It follows that multiplication by x ie 00000010 or 02 can be implemented at the byte level as a left shift and a subsequent conditional bitwise XOR with 1b This operation on bytes is denoted by xtime Multiplication by higher powers of x can be implemented by repeated application of xtime By adding intermediate results multiplication by any constant can be implemented For example 57 13 fe because 12 57 02 xtime57 ae 57 04 xtimeae 47 57 08 xtime47 8e 57 10 xtime8e 07 thus 57 13 57 01 02 10 57 ae 07 fe 43 Polynomials with Coefficients in GF28 Fourterm polynomials can be defined with coefficients that are finite field elements as 0 1 2 2 3 3 a a x a x a x a x 45 which will be denoted as a word in the form a0 a1 a2 a3 Note that the polynomials in this section behave somewhat differently than the polynomials used in the definition of finite field elements even though both types of polynomials use the same indeterminate x The coefficients in this section are themselves finite field elements ie bytes instead of bits also the multiplication of fourterm polynomials uses a different reduction polynomial defined below The distinction should always be clear from the context To illustrate the addition and multiplication operations let 0 1 2 2 3 3 b b x b x b x b x 46 define a second fourterm polynomial Addition is performed by adding the finite field coefficients of like powers of x This addition corresponds to an XOR operation between the corresponding bytes in each of the words in other words the XOR of the complete word values Thus using the equations of 45 and 46 0 0 1 1 2 2 2 3 3 3 b a b x a b x a b x a b x a x 47 Multiplication is achieved in two steps In the first step the polynomial product cx ax bx is algebraically expanded and like powers are collected to give 0 1 2 2 3 3 4 4 5 5 6 6 c c x c x c x c x c x c x c x 48 where 0 0 0 b a c 3 1 2 2 1 3 4 b a b a b a c 1 0 0 1 1 b a b a c 3 2 2 3 5 b a b a c 2 0 1 1 0 2 2 b a b a b a c 3 3 6 b a c 49 13 3 0 2 1 1 2 0 3 3 b a b a b a b a c The result cx does not represent a fourbyte word Therefore the second step of the multiplication is to reduce cx modulo a polynomial of degree 4 the result can be reduced to a polynomial of degree less than 4 For the AES algorithm this is accomplished with the polynomial x4 1 so that mod 4 4 1 mod i i x x x 410 The modular product of ax and bx denoted by ax bx is given by the fourterm polynomial dx defined as follows 0 1 2 2 3 3 d d x d x d x d x 411 with 3 1 2 2 1 3 0 0 0 b a b a b a b a d 3 2 2 3 1 0 0 1 1 b a b a b a b a d 412 3 3 2 0 1 1 0 2 2 b a b a b a b a d 3 0 2 1 1 2 0 3 3 b a b a b a b a d When ax is a fixed polynomial the operation defined in equation 411 can be written in matrix form as 3 2 1 0 0 1 2 3 3 0 1 2 2 3 0 1 1 2 3 0 3 2 1 0 b b b b a a a a a a a a a a a a a a a a d d d d 413 Because x4 1 is not an irreducible polynomial over GF28 multiplication by a fixed fourterm polynomial is not necessarily invertible However the AES algorithm specifies a fixed fourterm polynomial that does have an inverse see Sec 513 and Sec 533 ax 03x3 01x2 01x 02 414 a1x 0bx3 0dx2 09x 0e 415 Another polynomial used in the AES algorithm see the RotWord function in Sec 52 has a0 a1 a2 00 and a3 01 which is the polynomial x3 Inspection of equation 413 above will show that its effect is to form the output word by rotating bytes in the input word This means that b0 b1 b2 b3 is transformed into b1 b2 b3 b0 5 Algorithm Specification For the AES algorithm the length of the input block the output block and the State is 128 bits This is represented by Nb 4 which reflects the number of 32bit words number of columns in the State 14 For the AES algorithm the length of the Cipher Key K is 128 192 or 256 bits The key length is represented by Nk 4 6 or 8 which reflects the number of 32bit words number of columns in the Cipher Key For the AES algorithm the number of rounds to be performed during the execution of the algorithm is dependent on the key size The number of rounds is represented by Nr where Nr 10 when Nk 4 Nr 12 when Nk 6 and Nr 14 when Nk 8 The only KeyBlockRound combinations that conform to this standard are given in Fig 4 For implementation issues relating to the key length block size and number of rounds see Sec 63 Key Length Nk words Block Size Nb words Number of Rounds Nr AES128 4 4 10 AES192 6 4 12 AES256 8 4 14 Figure 4 KeyBlockRound Combinations For both its Cipher and Inverse Cipher the AES algorithm uses a round function that is composed of four different byteoriented transformations 1 byte substitution using a substitution table Sbox 2 shifting rows of the State array by different offsets 3 mixing the data within each column of the State array and 4 adding a Round Key to the State These transformations and their inverses are described in Sec 511514 and 531534 The Cipher and Inverse Cipher are described in Sec 51 and Sec 53 respectively while the Key Schedule is described in Sec 52 51 Cipher At the start of the Cipher the input is copied to the State array using the conventions described in Sec 34 After an initial Round Key addition the State array is transformed by implementing a round function 10 12 or 14 times depending on the key length with the final round differing slightly from the first Nr 1 rounds The final State is then copied to the output as described in Sec 34 The round function is parameterized using a key schedule that consists of a onedimensional array of fourbyte words derived using the Key Expansion routine described in Sec 52 The Cipher is described in the pseudo code in Fig 5 The individual transformations SubBytes ShiftRows MixColumns and AddRoundKey process the State and are described in the following subsections In Fig 5 the array w contains the key schedule which is described in Sec 52 As shown in Fig 5 all Nr rounds are identical with the exception of the final round which does not include the MixColumns transformation 15 Appendix B presents an example of the Cipher showing values for the State array at the beginning of each round and after the application of each of the four transformations described in the following sections Figure 5 Pseudo Code for the Cipher1 511 SubBytesTransformation The SubBytes transformation is a nonlinear byte substitution that operates independently on each byte of the State using a substitution table Sbox This Sbox Fig 7 which is invertible is constructed by composing two transformations 1 Take the multiplicative inverse in the finite field GF28 described in Sec 42 the element 00 is mapped to itself 2 Apply the following affine transformation over GF2 i i i i i i i c b b b b b b 7 mod 8 6 mod8 5 mod 8 4 mod 8 51 for 8 0 i where bi is the ith bit of the byte and ci is the ith bit of a byte c with the value 63 or 01100011 Here and elsewhere a prime on a variable eg b indicates that the variable is to be updated with the value on the right In matrix form the affine transformation element of the Sbox can be expressed as 1 The various transformations eg SubBytes ShiftRows etc act upon the State array that is addressed by the state pointer AddRoundKey uses an additional pointer to address the Round Key Cipherbyte in4Nb byte out4Nb word wNbNr1 begin byte state4Nb state in AddRoundKeystate w0 Nb1 See Sec 514 for round 1 step 1 to Nr1 SubBytesstate See Sec 511 ShiftRowsstate See Sec 512 MixColumnsstate See Sec 513 AddRoundKeystate wroundNb round1Nb1 end for SubBytesstate ShiftRowsstate AddRoundKeystate wNrNb Nr1Nb1 out state end 16 0 1 1 0 0 0 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 0 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 1 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 b b b b b b b b b b b b b b b b 52 Figure 6 illustrates the effect of the SubBytes transformation on the State 00s 10s 2 0s 30s 0 0s 10s 2 0s 30s 1s 0 11s 1s 2 31s 01s 11s 1s 2 31s 0 2s 12s 2 2s 3 2s 0 2s 12s 2 2s 32s 3s 0 13s 2 3s 33s 03s 13s 3s 2 33s Figure 6 SubBytes applies the Sbox to each byte of the State The Sbox used in the SubBytes transformation is presented in hexadecimal form in Fig 7 For example if 11s 53 then the substitution value would be determined by the intersection of the row with index 5 and the column with index 3 in Fig 7 This would result in 11s having a value of ed y 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 3 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 4 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 5 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df x f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16 Figure 7 Sbox substitution values for the byte xy in hexadecimal format c rs c rs SBox 17 512 ShiftRows Transformation In the ShiftRows transformation the bytes in the last three rows of the State are cyclically shifted over different numbers of bytes offsets The first row r 0 is not shifted Specifically the ShiftRows transformation proceeds as follows Nb c shift r Nb r r c s s mod for 0 r 4 and 0 c Nb 53 where the shift value shiftrNb depends on the row number r as follows recall that Nb 4 1 41 shift 2 42 shift 3 43 shift 54 This has the effect of moving bytes to lower positions in the row ie lower values of c in a given row while the lowest bytes wrap around into the top of the row ie higher values of c in a given row Figure 8 illustrates the ShiftRows transformation S S 00s 10s 2 0s 30s 00s 10s 2 0s 30s 1s 0 11s 1s 2 31s 11s 1s 2 31s 0 1s 0 2s 12s 2 2s 3 2s 2 2s 3 2s 0 2s 12s 3s 0 13s 2 3s 33s 33s 3s 0 13s 2 3s Figure 8 ShiftRows cyclically shifts the last three rows in the State 513 MixColumns Transformation The MixColumns transformation operates on the State columnbycolumn treating each column as a fourterm polynomial as described in Sec 43 The columns are considered as polynomials over GF28 and multiplied modulo x4 1 with a fixed polynomial ax given by ax 03x3 01x2 01x 02 55 As described in Sec 43 this can be written as a matrix multiplication Let s x a x s x ShiftRows 0 rs 1rs 2 rs 3rs 0 rs 2 rs 3rs 1rs 18 c c c c c c c c s s s s s s s s 3 2 1 0 3 2 1 0 02 01 01 03 03 02 01 01 01 03 02 01 01 01 03 02 for 0 c Nb 56 As a result of this multiplication the four bytes in a column are replaced by the following c s 0 02 s c 0 03 c s 1 s c 2 c s 3 c s 1 s c 0 02 c s 1 03 s c 2 c s 3 c s 2 s c 0 c s 1 02 s c 2 03 c s 3 c s 3 03 s c 0 c s 1 s c 2 02 c s 3 Figure 9 illustrates the MixColumns transformation 00s 10s 2 0s 30s 0 0s 10s 2 0s 30s 1s 0 11s 1s 2 31s 01s 11s 1s 2 31s 0 2s 12s 2 2s 3 2s 0 2s 12s 2 2s 32s 3s 0 13s 2 3s 33s 03s 13s 3s 2 33s Figure 9 MixColumns operates on the State columnbycolumn 514 AddRoundKey Transformation In the AddRoundKey transformation a Round Key is added to the State by a simple bitwise XOR operation Each Round Key consists of Nb words from the key schedule described in Sec 52 Those Nb words are each added into the columns of the State such that 3 2 1 0 3 2 1 0 round Nb c c c c c c c c c w s s s s s s s s for 0 c Nb 57 where wi are the key schedule words described in Sec 52 and round is a value in the range 0 round Nr In the Cipher the initial Round Key addition occurs when round 0 prior to the first application of the round function see Fig 5 The application of the AddRoundKey transformation to the Nr rounds of the Cipher occurs when 1 round Nr The action of this transformation is illustrated in Fig 10 where l round Nb The byte address within words of the key schedule was described in Sec 31 MixColumns c s 0 c s 1 c s 2 c s 3 0 c s 1 c s 2 c s s 3 c 19 00s 10s 2 0s 30s 0 0s 10s 2 0s 30s 1s 0 11s 1s 2 31s 01s 11s 1s 2 31s 0 2s 12s 2 2s 3 2s 0 2s 12s 2 2s 32s 3s 0 13s 2 3s 33s lw lw 1 lw 2 3 lw 03s 13s 3s 2 33s Figure 10 AddRoundKey XORs each column of the State with a word from the key schedule 52 Key Expansion The AES algorithm takes the Cipher Key K and performs a Key Expansion routine to generate a key schedule The Key Expansion generates a total of Nb Nr 1 words the algorithm requires an initial set of Nb words and each of the Nr rounds requires Nb words of key data The resulting key schedule consists of a linear array of 4byte words denoted wi with i in the range 0 i NbNr 1 The expansion of the input key into the key schedule proceeds according to the pseudo code in Fig 11 SubWord is a function that takes a fourbyte input word and applies the Sbox Sec 511 Fig 7 to each of the four bytes to produce an output word The function RotWord takes a word a0a1a2a3 as input performs a cyclic permutation and returns the word a1a2a3a0 The round constant word array Rconi contains the values given by xi1000000 with x i1 being powers of x x is denoted as 02 in the field GF28 as discussed in Sec 42 note that i starts at 1 not 0 From Fig 11 it can be seen that the first Nk words of the expanded key are filled with the Cipher Key Every following word wi is equal to the XOR of the previous word wi1 and the word Nk positions earlier wiNk For words in positions that are a multiple of Nk a transformation is applied to wi1 prior to the XOR followed by an XOR with a round constant Rconi This transformation consists of a cyclic shift of the bytes in a word RotWord followed by the application of a table lookup to all four bytes of the word SubWord It is important to note that the Key Expansion routine for 256bit Cipher Keys Nk 8 is slightly different than for 128 and 192bit Cipher Keys If Nk 8 and i4 is a multiple of Nk then SubWord is applied to wi1 prior to the XOR c s 0 c s 1 c s 2 c s 3 0 c s 1 c s 2 c s 3 c s wlc Nb round l 20 Figure 11 Pseudo Code for Key Expansion2 Appendix A presents examples of the Key Expansion 53 Inverse Cipher The Cipher transformations in Sec 51 can be inverted and then implemented in reverse order to produce a straightforward Inverse Cipher for the AES algorithm The individual transformations used in the Inverse Cipher InvShiftRows InvSubBytesInvMixColumns and AddRoundKey process the State and are described in the following subsections The Inverse Cipher is described in the pseudo code in Fig 12 In Fig 12 the array w contains the key schedule which was described previously in Sec 52 2 The functions SubWord and RotWord return a result that is a transformation of the function input whereas the transformations in the Cipher and Inverse Cipher eg ShiftRows SubBytes etc transform the State array that is addressed by the state pointer KeyExpansionbyte key4Nk word wNbNr1 Nk begin word temp i 0 while i Nk wi wordkey4i key4i1 key4i2 key4i3 i i1 end while i Nk while i Nb Nr1 temp wi1 if i mod Nk 0 temp SubWordRotWordtemp xor RconiNk else if Nk 6 and i mod Nk 4 temp SubWordtemp end if wi wiNk xor temp i i 1 end while end Note that Nk4 6 and 8 do not all have to be implemented they are all included in the conditional statement above for conciseness Specific implementation requirements for the Cipher Key are presented in Sec 61 21 Figure 12 Pseudo Code for the Inverse Cipher3 531 InvShiftRows Transformation InvShiftRows is the inverse of the ShiftRows transformation The bytes in the last three rows of the State are cyclically shifted over different numbers of bytes offsets The first row r 0 is not shifted The bottom three rows are cyclically shifted by Nb shift r Nb bytes where the shift value shiftrNb depends on the row number and is given in equation 54 see Sec 512 Specifically the InvShiftRows transformation proceeds as follows r c Nb r c shift r Nb s s mod for 0 r 4 and 0 c Nb 58 Figure 13 illustrates the InvShiftRows transformation 3 The various transformations eg InvSubBytes InvShiftRows etc act upon the State array that is addressed by the state pointer AddRoundKey uses an additional pointer to address the Round Key InvCipherbyte in4Nb byte out4Nb word wNbNr1 begin byte state4Nb state in AddRoundKeystate wNrNb Nr1Nb1 See Sec 514 for round Nr1 step 1 downto 1 InvShiftRowsstate See Sec 531 InvSubBytesstate See Sec 532 AddRoundKeystate wroundNb round1Nb1 InvMixColumnsstate See Sec 533 end for InvShiftRowsstate InvSubBytesstate AddRoundKeystate w0 Nb1 out state end 22 S S 00s 10s 2 0s 30s 00s 10s 2 0s 30s 1s 0 11s 1s 2 31s 31s 1s 0 11s 2 1s 0 2s 12s 2 2s 3 2s 2 2s 3 2s 0 2s 12s 3s 0 13s 2 3s 33s 13s 2 3s 33s 0 3s Figure 13 InvShiftRowscyclically shifts the last three rows in the State 532 InvSubBytes Transformation InvSubBytes is the inverse of the byte substitution transformation in which the inverse S box is applied to each byte of the State This is obtained by applying the inverse of the affine transformation 51 followed by taking the multiplicative inverse in GF28 The inverse Sbox used in the InvSubBytes transformation is presented in Fig 14 y 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 1 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 2 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 3 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 4 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 5 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 6 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 8 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 9 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 x f 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d Figure 14 Inverse Sbox substitution values for the byte xy in hexadecimal format InvShiftRows 0 rs 1rs 2 rs 3rs 0 rs 2 rs 3rs 1rs 23 533 InvMixColumns Transformation InvMixColumns is the inverse of the MixColumns transformation InvMixColumns operates on the State columnbycolumn treating each column as a four term polynomial as described in Sec 43 The columns are considered as polynomials over GF28 and multiplied modulo x4 1 with a fixed polynomial a1x given by a1x 0bx3 0dx2 09x 0e 59 As described in Sec 43 this can be written as a matrix multiplication Let 1 s x x a s x c c c c c c c c s s s s e d b b e d d b e d b e s s s s 3 2 1 0 3 2 1 0 0 09 0 0 0 0 09 0 0 0 0 09 09 0 0 0 for 0 c Nb 510 As a result of this multiplication the four bytes in a column are replaced by the following c s 0 0e s c 0 0b c s 1 0d s c 2 09 c s 3 c s 1 09 s c 0 0e c s 1 0b s c 2 0d c s 3 c s 2 0d s c 0 09 c s 1 0e s c 2 0b c s 3 c s 3 0b s c 0 0d c s 1 09 s c 2 0e c s 3 534 Inverse of the AddRoundKey Transformation AddRoundKey which was described in Sec 514 is its own inverse since it only involves an application of the XOR operation 535 Equivalent Inverse Cipher In the straightforward Inverse Cipher presented in Sec 53 and Fig 12 the sequence of the transformations differs from that of the Cipher while the form of the key schedules for encryption and decryption remains the same However several properties of the AES algorithm allow for an Equivalent Inverse Cipher that has the same sequence of transformations as the Cipher with the transformations replaced by their inverses This is accomplished with a change in the key schedule The two properties that allow for this Equivalent Inverse Cipher are as follows 1 The SubBytes and ShiftRows transformations commute that is a SubBytes transformation immediately followed by a ShiftRows transformation is equivalent to a ShiftRows transformation immediately followed buy a SubBytes transformation The same is true for their inverses InvSubBytes and InvShiftRows 24 2 The column mixing operations MixColumns and InvMixColumns are linear with respect to the column input which means InvMixColumnsstate XOR Round Key InvMixColumnsstate XOR InvMixColumnsRound Key These properties allow the order of InvSubBytes and InvShiftRows transformations to be reversed The order of the AddRoundKey and InvMixColumns transformations can also be reversed provided that the columns words of the decryption key schedule are modified using the InvMixColumns transformation The equivalent inverse cipher is defined by reversing the order of the InvSubBytes and InvShiftRows transformations shown in Fig 12 and by reversing the order of the AddRoundKey and InvMixColumns transformations used in the round loop after first modifying the decryption key schedule for round 1 to Nr1 using the InvMixColumns transformation The first and last Nb words of the decryption key schedule shall not be modified in this manner Given these changes the resulting Equivalent Inverse Cipher offers a more efficient structure than the Inverse Cipher described in Sec 53 and Fig 12 Pseudo code for the Equivalent Inverse Cipher appears in Fig 15 The word array dw contains the modified decryption key schedule The modification to the Key Expansion routine is also provided in Fig 15 25 Figure 15 Pseudo Code for the Equivalent Inverse Cipher 6 Implementation Issues 61 Key Length Requirements An implementation of the AES algorithm shall support at least one of the three key lengths specified in Sec 5 128 192 or 256 bits ie Nk 4 6 or 8 respectively Implementations EqInvCipherbyte in4Nb byte out4Nb word dwNbNr1 begin byte state4Nb state in AddRoundKeystate dwNrNb Nr1Nb1 for round Nr1 step 1 downto 1 InvSubBytesstate InvShiftRowsstate InvMixColumnsstate AddRoundKeystate dwroundNb round1Nb1 end for InvSubBytesstate InvShiftRowsstate AddRoundKeystate dw0 Nb1 out state end For the Equivalent Inverse Cipher the following pseudo code is added at the end of the Key Expansion routine Sec 52 for i 0 step 1 to Nr1Nb1 dwi wi end for for round 1 step 1 to Nr1 InvMixColumnsdwroundNb round1Nb1 note change of type end for Note that since InvMixColumns operates on a twodimensional array of bytes while the Round Keys are held in an array of words the call to InvMixColumns in this code sequence involves a change of type ie the input to InvMixColumns is normally the State array which is considered to be a twodimensional array of bytes whereas the input here is a Round Key computed as a onedimensional array of words 26 may optionally support two or three key lengths which may promote the interoperability of algorithm implementations 62 Keying Restrictions No weak or semiweak keys have been identified for the AES algorithm and there is no restriction on key selection 63 Parameterization of Key Length Block Size and Round Number This standard explicitly defines the allowed values for the key length Nk block size Nb and number of rounds Nr see Fig 4 However future reaffirmations of this standard could include changes or additions to the allowed values for those parameters Therefore implementers may choose to design their AES implementations with future flexibility in mind 64 Implementation Suggestions Regarding Various Platforms Implementation variations are possible that may in many cases offer performance or other advantages Given the same input key and data plaintext or ciphertext any implementation that produces the same output ciphertext or plaintext as the algorithm specified in this standard is an acceptable implementation of the AES Reference 3 and other papers located at Ref 1 include suggestions on how to efficiently implement the AES algorithm on a variety of platforms 27 Appendix A Key Expansion Examples This appendix shows the development of the key schedule for various key sizes Note that multi byte values are presented using the notation described in Sec 3 The intermediate values produced during the development of the key schedule see Sec 52 are given in the following table all values are in hexadecimal format with the exception of the index column i A1 Expansion of a 128bit Cipher Key This section contains the key expansion of the following cipher key Cipher Key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c for Nk 4 which results in w0 2b7e1516 w1 28aed2a6 w2 abf71588 w3 09cf4f3c i dec temp After RotWord After SubWord RconiNk After XOR with Rcon wiNk wi temp XOR wiNk 4 09cf4f3c cf4f3c09 8a84eb01 01000000 8b84eb01 2b7e1516 a0fafe17 5 a0fafe17 28aed2a6 88542cb1 6 88542cb1 abf71588 23a33939 7 23a33939 09cf4f3c 2a6c7605 8 2a6c7605 6c76052a 50386be5 02000000 52386be5 a0fafe17 f2c295f2 9 f2c295f2 88542cb1 7a96b943 10 7a96b943 23a33939 5935807a 11 5935807a 2a6c7605 7359f67f 12 7359f67f 59f67f73 cb42d28f 04000000 cf42d28f f2c295f2 3d80477d 13 3d80477d 7a96b943 4716fe3e 14 4716fe3e 5935807a 1e237e44 15 1e237e44 7359f67f 6d7a883b 16 6d7a883b 7a883b6d dac4e23c 08000000 d2c4e23c 3d80477d ef44a541 17 ef44a541 4716fe3e a8525b7f 18 a8525b7f 1e237e44 b671253b 19 b671253b 6d7a883b db0bad00 20 db0bad00 0bad00db 2b9563b9 10000000 3b9563b9 ef44a541 d4d1c6f8 21 d4d1c6f8 a8525b7f 7c839d87 22 7c839d87 b671253b caf2b8bc 23 caf2b8bc db0bad00 11f915bc 28 24 11f915bc f915bc11 99596582 20000000 b9596582 d4d1c6f8 6d88a37a 25 6d88a37a 7c839d87 110b3efd 26 110b3efd caf2b8bc dbf98641 27 dbf98641 11f915bc ca0093fd 28 ca0093fd 0093fdca 63dc5474 40000000 23dc5474 6d88a37a 4e54f70e 29 4e54f70e 110b3efd 5f5fc9f3 30 5f5fc9f3 dbf98641 84a64fb2 31 84a64fb2 ca0093fd 4ea6dc4f 32 4ea6dc4f a6dc4f4e 2486842f 80000000 a486842f 4e54f70e ead27321 33 ead27321 5f5fc9f3 b58dbad2 34 b58dbad2 84a64fb2 312bf560 35 312bf560 4ea6dc4f 7f8d292f 36 7f8d292f 8d292f7f 5da515d2 1b000000 46a515d2 ead27321 ac7766f3 37 ac7766f3 b58dbad2 19fadc21 38 19fadc21 312bf560 28d12941 39 28d12941 7f8d292f 575c006e 40 575c006e 5c006e57 4a639f5b 36000000 7c639f5b ac7766f3 d014f9a8 41 d014f9a8 19fadc21 c9ee2589 42 c9ee2589 28d12941 e13f0cc8 43 e13f0cc8 575c006e b6630ca6 A2 Expansion of a 192bit Cipher Key This section contains the key expansion of the following cipher key Cipher Key 8e 73 b0 f7 da 0e 64 52 c8 10 f3 2b 80 90 79 e5 62 f8 ea d2 52 2c 6b 7b for Nk 6 which results in w0 8e73b0f7 w1 da0e6452 w2 c810f32b w3 809079e5 w4 62f8ead2 w5 522c6b7b i dec temp After RotWord After SubWord RconiNk After XOR with Rcon wiNk wi temp XOR wiNk 6 522c6b7b 2c6b7b52 717f2100 01000000 707f2100 8e73b0f7 fe0c91f7 7 fe0c91f7 da0e6452 2402f5a5 8 2402f5a5 c810f32b ec12068e 29 9 ec12068e 809079e5 6c827f6b 10 6c827f6b 62f8ead2 0e7a95b9 11 0e7a95b9 522c6b7b 5c56fec2 12 5c56fec2 56fec25c b1bb254a 02000000 b3bb254a fe0c91f7 4db7b4bd 13 4db7b4bd 2402f5a5 69b54118 14 69b54118 ec12068e 85a74796 15 85a74796 6c827f6b e92538fd 16 e92538fd 0e7a95b9 e75fad44 17 e75fad44 5c56fec2 bb095386 18 bb095386 095386bb 01ed44ea 04000000 05ed44ea 4db7b4bd 485af057 19 485af057 69b54118 21efb14f 20 21efb14f 85a74796 a448f6d9 21 a448f6d9 e92538fd 4d6dce24 22 4d6dce24 e75fad44 aa326360 23 aa326360 bb095386 113b30e6 24 113b30e6 3b30e611 e2048e82 08000000 ea048e82 485af057 a25e7ed5 25 a25e7ed5 21efb14f 83b1cf9a 26 83b1cf9a a448f6d9 27f93943 27 27f93943 4d6dce24 6a94f767 28 6a94f767 aa326360 c0a69407 29 c0a69407 113b30e6 d19da4e1 30 d19da4e1 9da4e1d1 5e49f83e 10000000 4e49f83e a25e7ed5 ec1786eb 31 ec1786eb 83b1cf9a 6fa64971 32 6fa64971 27f93943 485f7032 33 485f7032 6a94f767 22cb8755 34 22cb8755 c0a69407 e26d1352 35 e26d1352 d19da4e1 33f0b7b3 36 33f0b7b3 f0b7b333 8ca96dc3 20000000 aca96dc3 ec1786eb 40beeb28 37 40beeb28 6fa64971 2f18a259 38 2f18a259 485f7032 6747d26b 39 6747d26b 22cb8755 458c553e 40 458c553e e26d1352 a7e1466c 41 a7e1466c 33f0b7b3 9411f1df 42 9411f1df 11f1df94 82a19e22 40000000 c2a19e22 40beeb28 821f750a 43 821f750a 2f18a259 ad07d753 30 44 ad07d753 6747d26b ca400538 45 ca400538 458c553e 8fcc5006 46 8fcc5006 a7e1466c 282d166a 47 282d166a 9411f1df bc3ce7b5 48 bc3ce7b5 3ce7b5bc eb94d565 80000000 6b94d565 821f750a e98ba06f 49 e98ba06f ad07d753 448c773c 50 448c773c ca400538 8ecc7204 51 8ecc7204 8fcc5006 01002202 A3 Expansion of a 256bit Cipher Key This section contains the key expansion of the following cipher key Cipher Key 60 3d eb 10 15 ca 71 be 2b 73 ae f0 85 7d 77 81 1f 35 2c 07 3b 61 08 d7 2d 98 10 a3 09 14 df f4 for Nk 8 which results in w0 603deb10 w1 15ca71be w2 2b73aef0 w3 857d7781 w4 1f352c07 w5 3b6108d7 w6 2d9810a3 w7 0914dff4 i dec temp After RotWord After SubWord RconiNk After XOR with Rcon wiNk wi temp XOR wiNk 8 0914dff4 14dff409 fa9ebf01 01000000 fb9ebf01 603deb10 9ba35411 9 9ba35411 15ca71be 8e6925af 10 8e6925af 2b73aef0 a51a8b5f 11 a51a8b5f 857d7781 2067fcde 12 2067fcde b785b01d 1f352c07 a8b09c1a 13 a8b09c1a 3b6108d7 93d194cd 14 93d194cd 2d9810a3 be49846e 15 be49846e 0914dff4 b75d5b9a 16 b75d5b9a 5d5b9ab7 4c39b8a9 02000000 4e39b8a9 9ba35411 d59aecb8 17 d59aecb8 8e6925af 5bf3c917 18 5bf3c917 a51a8b5f fee94248 19 fee94248 2067fcde de8ebe96 20 de8ebe96 1d19ae90 a8b09c1a b5a9328a 21 b5a9328a 93d194cd 2678a647 22 2678a647 be49846e 98312229 31 23 98312229 b75d5b9a 2f6c79b3 24 2f6c79b3 6c79b32f 50b66d15 04000000 54b66d15 d59aecb8 812c81ad 25 812c81ad 5bf3c917 dadf48ba 26 dadf48ba fee94248 24360af2 27 24360af2 de8ebe96 fab8b464 28 fab8b464 2d6c8d43 b5a9328a 98c5bfc9 29 98c5bfc9 2678a647 bebd198e 30 bebd198e 98312229 268c3ba7 31 268c3ba7 2f6c79b3 09e04214 32 09e04214 e0421409 e12cfa01 08000000 e92cfa01 812c81ad 68007bac 33 68007bac dadf48ba b2df3316 34 b2df3316 24360af2 96e939e4 35 96e939e4 fab8b464 6c518d80 36 6c518d80 50d15dcd 98c5bfc9 c814e204 37 c814e204 bebd198e 76a9fb8a 38 76a9fb8a 268c3ba7 5025c02d 39 5025c02d 09e04214 59c58239 40 59c58239 c5823959 a61312cb 10000000 b61312cb 68007bac de136967 41 de136967 b2df3316 6ccc5a71 42 6ccc5a71 96e939e4 fa256395 43 fa256395 6c518d80 9674ee15 44 9674ee15 90922859 c814e204 5886ca5d 45 5886ca5d 76a9fb8a 2e2f31d7 46 2e2f31d7 5025c02d 7e0af1fa 47 7e0af1fa 59c58239 27cf73c3 48 27cf73c3 cf73c327 8a8f2ecc 20000000 aa8f2ecc de136967 749c47ab 49 749c47ab 6ccc5a71 18501dda 50 18501dda fa256395 e2757e4f 51 e2757e4f 9674ee15 7401905a 52 7401905a 927c60be 5886ca5d cafaaae3 53 cafaaae3 2e2f31d7 e4d59b34 54 e4d59b34 7e0af1fa 9adf6ace 55 9adf6ace 27cf73c3 bd10190d 56 bd10190d 10190dbd cad4d77a 40000000 8ad4d77a 749c47ab fe4890d1 57 fe4890d1 18501dda e6188d0b 32 58 e6188d0b e2757e4f 046df344 59 046df344 7401905a 706c631e 33 Appendix B Cipher Example The following diagram shows the values in the State array as the Cipher progresses for a block length and a Cipher Key length of 16 bytes each ie Nb 4 and Nk 4 Input 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34 Cipher Key 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c The Round Key values are taken from the Key Expansion example in Appendix A Round Number Start of Round After SubBytes After ShiftRows After MixColumns Round Key Value 32 88 31 e0 2b 28 ab 09 43 5a 31 37 7e ae f7 cf f6 30 98 07 15 d2 15 4f input a8 8d a2 34 16 a6 88 3c 19 a0 9a e9 d4 e0 b8 1e d4 e0 b8 1e 04 e0 48 28 a0 88 23 2a 3d f4 c6 f8 27 bf b4 41 bf b4 41 27 66 cb f8 06 fa 54 a3 6c e3 e2 8d 48 11 98 5d 52 5d 52 11 98 81 19 d3 26 fe 2c 39 76 1 be 2b 2a 08 ae f1 e5 30 30 ae f1 e5 e5 9a 7a 4c 17 b1 39 05 a4 68 6b 02 49 45 7f 77 49 45 7f 77 58 1b db 1b f2 7a 59 73 9c 9f 5b 6a de db 39 02 db 39 02 de 4d 4b e7 6b c2 96 35 59 7f 35 ea 50 d2 96 87 53 87 53 d2 96 ca 5a ca b0 95 b9 80 f6 2 f2 2b 43 49 89 f1 1a 3b 3b 89 f1 1a f1 ac a8 e5 f2 43 7a 7f aa 61 82 68 ac ef 13 45 ac ef 13 45 75 20 53 bb 3d 47 1e 6d 8f dd d2 32 73 c1 b5 23 c1 b5 23 73 ec 0b c0 25 80 16 23 7a 5f e3 4a 46 cf 11 d6 5a d6 5a cf 11 09 63 cf d0 47 fe 7e 88 3 03 ef d2 9a 7b df b5 b8 b8 7b df b5 93 33 7c dc 7d 3e 44 3b 48 67 4d d6 52 85 e3 f6 52 85 e3 f6 0f 60 6f 5e ef a8 b6 db 6c 1d e3 5f 50 a4 11 cf a4 11 cf 50 d6 31 c0 b3 44 52 71 0b 4e 9d b1 58 2f 5e c8 6a c8 6a 2f 5e da 38 10 13 a5 5b 25 ad 4 ee 0d 38 e7 28 d7 07 94 94 28 d7 07 a9 bf 6b 01 41 7f 3b 00 e0 c8 d9 85 e1 e8 35 97 e1 e8 35 97 25 bd b6 4c d4 7c ca 11 92 63 b1 b8 4f fb c8 6c fb c8 6c 4f d1 11 3a 4c d1 83 f2 f9 7f 63 35 be d2 fb 96 ae 96 ae d2 fb a9 d1 33 c0 c6 9d b8 15 5 e8 c0 50 01 9b ba 53 7c 7c 9b ba 53 ad 68 8e b0 f8 87 bc bc 34 f1 c1 7c 5d a1 78 10 4c a1 78 10 4c 4b 2c 33 37 6d 11 db ca 00 92 c8 b5 63 4f e8 d5 4f e8 d5 63 86 4a 9d d2 88 0b f9 00 6f 4c 8b d5 a8 29 3d 03 3d 03 a8 29 8d 89 f4 18 a3 3e 86 93 6 55 ef 32 0c fc df 23 fe fe fc df 23 6d 80 e8 d8 7a fd 41 fd 26 3d e8 fd f7 27 9b 54 f7 27 9b 54 14 46 27 34 4e 5f 84 4e 0e 41 64 d2 ab 83 43 b5 83 43 b5 ab 15 16 46 2a 54 5f a6 a6 2e b7 72 8b 31 a9 40 3d 40 3d 31 a9 b5 15 56 d8 f7 c9 4f dc 7 17 7d a9 25 f0 ff d3 3f 3f f0 ff d3 bf ec d7 43 0e f3 b2 4f 5a 19 a3 7a be d4 0a da be d4 0a da 00 b1 54 fa ea b5 31 7f 41 49 e0 8c 83 3b e1 64 3b e1 64 83 51 c8 76 1b d2 8d 2b 8d 42 dc 19 04 2c 86 d4 f2 d4 f2 2c 86 2f 89 6d 99 73 ba f5 29 8 b1 1f 65 0c c8 c0 4d fe fe c8 c0 4d d1 ff cd ea 21 d2 60 2f ea 04 65 85 87 f2 4d 97 87 f2 4d 97 47 40 a3 4c ac 19 28 57 83 45 5d 96 ec 6e 4c 90 6e 4c 90 ec 37 d4 70 9f 77 fa d1 5c 5c 33 98 b0 4a c3 46 e7 46 e7 4a c3 94 e4 3a 42 66 dc 29 00 9 f0 2d ad c5 8c d8 95 a6 a6 8c d8 95 ed a5 a6 bc f3 21 41 6e eb 59 8b 1b e9 cb 3d af e9 cb 3d af d0 c9 e1 b6 40 2e a1 c3 09 31 32 2e 31 32 2e 09 14 ee 3f 63 f2 38 13 42 89 07 7d 2c 7d 2c 89 07 f9 25 0c 0c 10 1e 84 e7 d2 72 5f 94 b5 b5 72 5f 94 a8 89 c8 a6 39 02 dc 19 25 dc 11 6a 84 09 85 0b output 1d fb 97 32 35 Appendix C Example Vectors This appendix contains example vectors including intermediate values for all three AES key lengths Nk 4 6 and 8 for the Cipher Inverse Cipher and Equivalent Inverse Cipher that are described in Sec 51 53 and 535 respectively Additional examples may be found at 1 and 5 All vectors are in hexadecimal notation with each pair of characters giving a byte value in which the left character of each pair provides the bit pattern for the 4 bit group containing the higher numbered bits using the notation explained in Sec 32 while the right character provides the bit pattern for the lowernumbered bits The array index for all bytes groups of two hexadecimal digits within these test vectors starts at zero and increases from left to right Legend for CIPHER ENCRYPT round number r 0 to 10 12 or 14 input cipher input start state at start of roundr sbox state after SubBytes srow state after ShiftRows mcol state after MixColumns ksch key schedule value for roundr output cipher output Legend for INVERSE CIPHER DECRYPT round number r 0 to 10 12 or 14 iinput inverse cipher input istart state at start of roundr isbox state after InvSubBytes isrow state after InvShiftRows iksch key schedule value for roundr ikadd state after AddRoundKey ioutput inverse cipher output Legend for EQUIVALENT INVERSE CIPHER DECRYPT round number r 0 to 10 12 or 14 iinput inverse cipher input istart state at start of roundr isbox state after InvSubBytes isrow state after InvShiftRows imcol state after InvMixColumns iksch key schedule value for roundr ioutput inverse cipher output C1 AES128 Nk4 Nr10 PLAINTEXT 00112233445566778899aabbccddeeff KEY 000102030405060708090a0b0c0d0e0f CIPHER ENCRYPT 36 round 0input 00112233445566778899aabbccddeeff round 0ksch 000102030405060708090a0b0c0d0e0f round 1start 00102030405060708090a0b0c0d0e0f0 round 1sbox 63cab7040953d051cd60e0e7ba70e18c round 1srow 6353e08c0960e104cd70b751bacad0e7 round 1mcol 5f72641557f5bc92f7be3b291db9f91a round 1ksch d6aa74fdd2af72fadaa678f1d6ab76fe round 2start 89d810e8855ace682d1843d8cb128fe4 round 2sbox a761ca9b97be8b45d8ad1a611fc97369 round 2srow a7be1a6997ad739bd8c9ca451f618b61 round 2mcol ff87968431d86a51645151fa773ad009 round 2ksch b692cf0b643dbdf1be9bc5006830b3fe round 3start 4915598f55e5d7a0daca94fa1f0a63f7 round 3sbox 3b59cb73fcd90ee05774222dc067fb68 round 3srow 3bd92268fc74fb735767cbe0c0590e2d round 3mcol 4c9c1e66f771f0762c3f868e534df256 round 3ksch b6ff744ed2c2c9bf6c590cbf0469bf41 round 4start fa636a2825b339c940668a3157244d17 round 4sbox 2dfb02343f6d12dd09337ec75b36e3f0 round 4srow 2d6d7ef03f33e334093602dd5bfb12c7 round 4mcol 6385b79ffc538df997be478e7547d691 round 4ksch 47f7f7bc95353e03f96c32bcfd058dfd round 5start 247240236966b3fa6ed2753288425b6c round 5sbox 36400926f9336d2d9fb59d23c42c3950 round 5srow 36339d50f9b539269f2c092dc4406d23 round 5mcol f4bcd45432e554d075f1d6c51dd03b3c round 5ksch 3caaa3e8a99f9deb50f3af57adf622aa round 6start c81677bc9b7ac93b25027992b0261996 round 6sbox e847f56514dadde23f77b64fe7f7d490 round 6srow e8dab6901477d4653ff7f5e2e747dd4f round 6mcol 9816ee7400f87f556b2c049c8e5ad036 round 6ksch 5e390f7df7a69296a7553dc10aa31f6b round 7start c62fe109f75eedc3cc79395d84f9cf5d round 7sbox b415f8016858552e4bb6124c5f998a4c round 7srow b458124c68b68a014b99f82e5f15554c round 7mcol c57e1c159a9bd286f05f4be098c63439 round 7ksch 14f9701ae35fe28c440adf4d4ea9c026 round 8start d1876c0f79c4300ab45594add66ff41f round 8sbox 3e175076b61c04678dfc2295f6a8bfc0 round 8srow 3e1c22c0b6fcbf768da85067f6170495 round 8mcol baa03de7a1f9b56ed5512cba5f414d23 round 8ksch 47438735a41c65b9e016baf4aebf7ad2 round 9start fde3bad205e5d0d73547964ef1fe37f1 round 9sbox 5411f4b56bd9700e96a0902fa1bb9aa1 round 9srow 54d990a16ba09ab596bbf40ea111702f round 9mcol e9f74eec023020f61bf2ccf2353c21c7 round 9ksch 549932d1f08557681093ed9cbe2c974e round10start bd6e7c3df2b5779e0b61216e8b10b689 round10sbox 7a9f102789d5f50b2beffd9f3dca4ea7 round10srow 7ad5fda789ef4e272bca100b3d9ff59f round10ksch 13111d7fe3944a17f307a78b4d2b30c5 round10output 69c4e0d86a7b0430d8cdb78070b4c55a INVERSE CIPHER DECRYPT round 0iinput 69c4e0d86a7b0430d8cdb78070b4c55a round 0iksch 13111d7fe3944a17f307a78b4d2b30c5 round 1istart 7ad5fda789ef4e272bca100b3d9ff59f 37 round 1isrow 7a9f102789d5f50b2beffd9f3dca4ea7 round 1isbox bd6e7c3df2b5779e0b61216e8b10b689 round 1iksch 549932d1f08557681093ed9cbe2c974e round 1ikadd e9f74eec023020f61bf2ccf2353c21c7 round 2istart 54d990a16ba09ab596bbf40ea111702f round 2isrow 5411f4b56bd9700e96a0902fa1bb9aa1 round 2isbox fde3bad205e5d0d73547964ef1fe37f1 round 2iksch 47438735a41c65b9e016baf4aebf7ad2 round 2ikadd baa03de7a1f9b56ed5512cba5f414d23 round 3istart 3e1c22c0b6fcbf768da85067f6170495 round 3isrow 3e175076b61c04678dfc2295f6a8bfc0 round 3isbox d1876c0f79c4300ab45594add66ff41f round 3iksch 14f9701ae35fe28c440adf4d4ea9c026 round 3ikadd c57e1c159a9bd286f05f4be098c63439 round 4istart b458124c68b68a014b99f82e5f15554c round 4isrow b415f8016858552e4bb6124c5f998a4c round 4isbox c62fe109f75eedc3cc79395d84f9cf5d round 4iksch 5e390f7df7a69296a7553dc10aa31f6b round 4ikadd 9816ee7400f87f556b2c049c8e5ad036 round 5istart e8dab6901477d4653ff7f5e2e747dd4f round 5isrow e847f56514dadde23f77b64fe7f7d490 round 5isbox c81677bc9b7ac93b25027992b0261996 round 5iksch 3caaa3e8a99f9deb50f3af57adf622aa round 5ikadd f4bcd45432e554d075f1d6c51dd03b3c round 6istart 36339d50f9b539269f2c092dc4406d23 round 6isrow 36400926f9336d2d9fb59d23c42c3950 round 6isbox 247240236966b3fa6ed2753288425b6c round 6iksch 47f7f7bc95353e03f96c32bcfd058dfd round 6ikadd 6385b79ffc538df997be478e7547d691 round 7istart 2d6d7ef03f33e334093602dd5bfb12c7 round 7isrow 2dfb02343f6d12dd09337ec75b36e3f0 round 7isbox fa636a2825b339c940668a3157244d17 round 7iksch b6ff744ed2c2c9bf6c590cbf0469bf41 round 7ikadd 4c9c1e66f771f0762c3f868e534df256 round 8istart 3bd92268fc74fb735767cbe0c0590e2d round 8isrow 3b59cb73fcd90ee05774222dc067fb68 round 8isbox 4915598f55e5d7a0daca94fa1f0a63f7 round 8iksch b692cf0b643dbdf1be9bc5006830b3fe round 8ikadd ff87968431d86a51645151fa773ad009 round 9istart a7be1a6997ad739bd8c9ca451f618b61 round 9isrow a761ca9b97be8b45d8ad1a611fc97369 round 9isbox 89d810e8855ace682d1843d8cb128fe4 round 9iksch d6aa74fdd2af72fadaa678f1d6ab76fe round 9ikadd 5f72641557f5bc92f7be3b291db9f91a round10istart 6353e08c0960e104cd70b751bacad0e7 round10isrow 63cab7040953d051cd60e0e7ba70e18c round10isbox 00102030405060708090a0b0c0d0e0f0 round10iksch 000102030405060708090a0b0c0d0e0f round10ioutput 00112233445566778899aabbccddeeff EQUIVALENT INVERSE CIPHER DECRYPT round 0iinput 69c4e0d86a7b0430d8cdb78070b4c55a round 0iksch 13111d7fe3944a17f307a78b4d2b30c5 round 1istart 7ad5fda789ef4e272bca100b3d9ff59f round 1isbox bdb52189f261b63d0b107c9e8b6e776e round 1isrow bd6e7c3df2b5779e0b61216e8b10b689 round 1imcol 4773b91ff72f354361cb018ea1e6cf2c 38 round 1iksch 13aa29be9c8faff6f770f58000f7bf03 round 2istart 54d990a16ba09ab596bbf40ea111702f round 2isbox fde596f1054737d235febad7f1e3d04e round 2isrow fde3bad205e5d0d73547964ef1fe37f1 round 2imcol 2d7e86a339d9393ee6570a1101904e16 round 2iksch 1362a4638f2586486bff5a76f7874a83 round 3istart 3e1c22c0b6fcbf768da85067f6170495 round 3isbox d1c4941f7955f40fb46f6c0ad68730ad round 3isrow d1876c0f79c4300ab45594add66ff41f round 3imcol 39daee38f4f1a82aaf432410c36d45b9 round 3iksch 8d82fc749c47222be4dadc3e9c7810f5 round 4istart b458124c68b68a014b99f82e5f15554c round 4isbox c65e395df779cf09ccf9e1c3842fed5d round 4isrow c62fe109f75eedc3cc79395d84f9cf5d round 4imcol 9a39bf1d05b20a3a476a0bf79fe51184 round 4iksch 72e3098d11c5de5f789dfe1578a2cccb round 5istart e8dab6901477d4653ff7f5e2e747dd4f round 5isbox c87a79969b0219bc2526773bb016c992 round 5isrow c81677bc9b7ac93b25027992b0261996 round 5imcol 18f78d779a93eef4f6742967c47f5ffd round 5iksch 2ec410276326d7d26958204a003f32de round 6istart 36339d50f9b539269f2c092dc4406d23 round 6isbox 2466756c69d25b236e4240fa8872b332 round 6isrow 247240236966b3fa6ed2753288425b6c round 6imcol 85cf8bf472d124c10348f545329c0053 round 6iksch a8a2f5044de2c7f50a7ef79869671294 round 7istart 2d6d7ef03f33e334093602dd5bfb12c7 round 7isbox fab38a1725664d2840246ac957633931 round 7isrow fa636a2825b339c940668a3157244d17 round 7imcol fc1fc1f91934c98210fbfb8da340eb21 round 7iksch c7c6e391e54032f1479c306d6319e50c round 8istart 3bd92268fc74fb735767cbe0c0590e2d round 8isbox 49e594f755ca638fda0a59a01f15d7fa round 8isrow 4915598f55e5d7a0daca94fa1f0a63f7 round 8imcol 076518f0b52ba2fb7a15c8d93be45e00 round 8iksch a0db02992286d160a2dc029c2485d561 round 9istart a7be1a6997ad739bd8c9ca451f618b61 round 9isbox 895a43e485188fe82d121068cbd8ced8 round 9isrow 89d810e8855ace682d1843d8cb128fe4 round 9imcol ef053f7c8b3d32fd4d2a64ad3c93071a round 9iksch 8c56dff0825dd3f9805ad3fc8659d7fd round10istart 6353e08c0960e104cd70b751bacad0e7 round10isbox 0050a0f04090e03080d02070c01060b0 round10isrow 00102030405060708090a0b0c0d0e0f0 round10iksch 000102030405060708090a0b0c0d0e0f round10ioutput 00112233445566778899aabbccddeeff C2 AES192 Nk6 Nr12 PLAINTEXT 00112233445566778899aabbccddeeff KEY 000102030405060708090a0b0c0d0e0f1011121314151617 CIPHER ENCRYPT round 0input 00112233445566778899aabbccddeeff round 0ksch 000102030405060708090a0b0c0d0e0f round 1start 00102030405060708090a0b0c0d0e0f0 39 round 1sbox 63cab7040953d051cd60e0e7ba70e18c round 1srow 6353e08c0960e104cd70b751bacad0e7 round 1mcol 5f72641557f5bc92f7be3b291db9f91a round 1ksch 10111213141516175846f2f95c43f4fe round 2start 4f63760643e0aa85aff8c9d041fa0de4 round 2sbox 84fb386f1ae1ac977941dd70832dd769 round 2srow 84e1dd691a41d76f792d389783fbac70 round 2mcol 9f487f794f955f662afc86abd7f1ab29 round 2ksch 544afef55847f0fa4856e2e95c43f4fe round 3start cb02818c17d2af9c62aa64428bb25fd7 round 3sbox 1f770c64f0b579deaaac432c3d37cf0e round 3srow 1fb5430ef0accf64aa370cde3d77792c round 3mcol b7a53ecbbf9d75a0c40efc79b674cc11 round 3ksch 40f949b31cbabd4d48f043b810b7b342 round 4start f75c7778a327c8ed8cfebfc1a6c37f53 round 4sbox 684af5bc0acce85564bb0878242ed2ed round 4srow 68cc08ed0abbd2bc642ef555244ae878 round 4mcol 7a1e98bdacb6d1141a6944dd06eb2d3e round 4ksch 58e151ab04a2a5557effb5416245080c round 5start 22ffc916a81474416496f19c64ae2532 round 5sbox 9316dd47c2fa92834390a1de43e43f23 round 5srow 93faa123c2903f4743e4dd83431692de round 5mcol aaa755b34cffe57cef6f98e1f01c13e6 round 5ksch 2ab54bb43a02f8f662e3a95d66410c08 round 6start 80121e0776fd1d8a8d8c31bc965d1fee round 6sbox cdc972c53854a47e5d64c765904cc028 round 6srow cd54c7283864c0c55d4c727e90c9a465 round 6mcol 921f748fd96e937d622d7725ba8ba50c round 6ksch f501857297448d7ebdf1c6ca87f33e3c round 7start 671ef1fd4e2a1e03dfdcb1ef3d789b30 round 7sbox 8572a1542fe5727b9e86c8df27bc1404 round 7srow 85e5c8042f8614549ebca17b277272df round 7mcol e913e7b18f507d4b227ef652758acbcc round 7ksch e510976183519b6934157c9ea351f1e0 round 8start 0c0370d00c01e622166b8accd6db3a2c round 8sbox fe7b5170fe7c8e93477f7e4bf6b98071 round 8srow fe7c7e71fe7f807047b95193f67b8e4b round 8mcol 6cf5edf996eb0a069c4ef21cbfc25762 round 8ksch 1ea0372a995309167c439e77ff12051e round 9start 7255dad30fb80310e00d6c6b40d0527c round 9sbox 40fc5766766c7bcae1d7507f09700010 round 9srow 406c501076d70066e17057ca09fc7b7f round 9mcol 7478bcdce8a50b81d4327a9009188262 round 9ksch dd7e0e887e2fff68608fc842f9dcc154 round10start a906b254968af4e9b4bdb2d2f0c44336 round10sbox d36f3720907ebf1e8d7a37b58c1c1a05 round10srow d37e3705907a1a208d1c371e8c6fbfb5 round10mcol 0d73cc2d8f6abe8b0cf2dd9bb83d422e round10ksch 859f5f237a8d5a3dc0c02952beefd63a round11start 88ec930ef5e7e4b6cc32f4c906d29414 round11sbox c4cedcabe694694e4b23bfdd6fb522fa round11srow c494bffae62322ab4bb5dc4e6fce69dd round11mcol 71d720933b6d677dc00b8f28238e0fb7 round11ksch de601e7827bcdf2ca223800fd8aeda32 round12start afb73eeb1cd1b85162280f27fb20d585 round12sbox 79a9b2e99c3e6cd1aa3476cc0fb70397 round12srow 793e76979c3403e9aab7b2d10fa96ccc 40 round12ksch a4970a331a78dc09c418c271e3a41d5d round12output dda97ca4864cdfe06eaf70a0ec0d7191 INVERSE CIPHER DECRYPT round 0iinput dda97ca4864cdfe06eaf70a0ec0d7191 round 0iksch a4970a331a78dc09c418c271e3a41d5d round 1istart 793e76979c3403e9aab7b2d10fa96ccc round 1isrow 79a9b2e99c3e6cd1aa3476cc0fb70397 round 1isbox afb73eeb1cd1b85162280f27fb20d585 round 1iksch de601e7827bcdf2ca223800fd8aeda32 round 1ikadd 71d720933b6d677dc00b8f28238e0fb7 round 2istart c494bffae62322ab4bb5dc4e6fce69dd round 2isrow c4cedcabe694694e4b23bfdd6fb522fa round 2isbox 88ec930ef5e7e4b6cc32f4c906d29414 round 2iksch 859f5f237a8d5a3dc0c02952beefd63a round 2ikadd 0d73cc2d8f6abe8b0cf2dd9bb83d422e round 3istart d37e3705907a1a208d1c371e8c6fbfb5 round 3isrow d36f3720907ebf1e8d7a37b58c1c1a05 round 3isbox a906b254968af4e9b4bdb2d2f0c44336 round 3iksch dd7e0e887e2fff68608fc842f9dcc154 round 3ikadd 7478bcdce8a50b81d4327a9009188262 round 4istart 406c501076d70066e17057ca09fc7b7f round 4isrow 40fc5766766c7bcae1d7507f09700010 round 4isbox 7255dad30fb80310e00d6c6b40d0527c round 4iksch 1ea0372a995309167c439e77ff12051e round 4ikadd 6cf5edf996eb0a069c4ef21cbfc25762 round 5istart fe7c7e71fe7f807047b95193f67b8e4b round 5isrow fe7b5170fe7c8e93477f7e4bf6b98071 round 5isbox 0c0370d00c01e622166b8accd6db3a2c round 5iksch e510976183519b6934157c9ea351f1e0 round 5ikadd e913e7b18f507d4b227ef652758acbcc round 6istart 85e5c8042f8614549ebca17b277272df round 6isrow 8572a1542fe5727b9e86c8df27bc1404 round 6isbox 671ef1fd4e2a1e03dfdcb1ef3d789b30 round 6iksch f501857297448d7ebdf1c6ca87f33e3c round 6ikadd 921f748fd96e937d622d7725ba8ba50c round 7istart cd54c7283864c0c55d4c727e90c9a465 round 7isrow cdc972c53854a47e5d64c765904cc028 round 7isbox 80121e0776fd1d8a8d8c31bc965d1fee round 7iksch 2ab54bb43a02f8f662e3a95d66410c08 round 7ikadd aaa755b34cffe57cef6f98e1f01c13e6 round 8istart 93faa123c2903f4743e4dd83431692de round 8isrow 9316dd47c2fa92834390a1de43e43f23 round 8isbox 22ffc916a81474416496f19c64ae2532 round 8iksch 58e151ab04a2a5557effb5416245080c round 8ikadd 7a1e98bdacb6d1141a6944dd06eb2d3e round 9istart 68cc08ed0abbd2bc642ef555244ae878 round 9isrow 684af5bc0acce85564bb0878242ed2ed round 9isbox f75c7778a327c8ed8cfebfc1a6c37f53 round 9iksch 40f949b31cbabd4d48f043b810b7b342 round 9ikadd b7a53ecbbf9d75a0c40efc79b674cc11 round10istart 1fb5430ef0accf64aa370cde3d77792c round10isrow 1f770c64f0b579deaaac432c3d37cf0e round10isbox cb02818c17d2af9c62aa64428bb25fd7 round10iksch 544afef55847f0fa4856e2e95c43f4fe round10ikadd 9f487f794f955f662afc86abd7f1ab29 round11istart 84e1dd691a41d76f792d389783fbac70 41 round11isrow 84fb386f1ae1ac977941dd70832dd769 round11isbox 4f63760643e0aa85aff8c9d041fa0de4 round11iksch 10111213141516175846f2f95c43f4fe round11ikadd 5f72641557f5bc92f7be3b291db9f91a round12istart 6353e08c0960e104cd70b751bacad0e7 round12isrow 63cab7040953d051cd60e0e7ba70e18c round12isbox 00102030405060708090a0b0c0d0e0f0 round12iksch 000102030405060708090a0b0c0d0e0f round12ioutput 00112233445566778899aabbccddeeff EQUIVALENT INVERSE CIPHER DECRYPT round 0iinput dda97ca4864cdfe06eaf70a0ec0d7191 round 0iksch a4970a331a78dc09c418c271e3a41d5d round 1istart 793e76979c3403e9aab7b2d10fa96ccc round 1isbox afd10f851c28d5eb62203e51fbb7b827 round 1isrow afb73eeb1cd1b85162280f27fb20d585 round 1imcol 122a02f7242ac8e20605afce51cc7264 round 1iksch d6bebd0dc209ea494db073803e021bb9 round 2istart c494bffae62322ab4bb5dc4e6fce69dd round 2isbox 88e7f414f532940eccd293b606ece4c9 round 2isrow 88ec930ef5e7e4b6cc32f4c906d29414 round 2imcol 5cc7aecce3c872194ae5ef8309a933c7 round 2iksch 8fb999c973b26839c7f9d89d85c68c72 round 3istart d37e3705907a1a208d1c371e8c6fbfb5 round 3isbox a98ab23696bd4354b4c4b2e9f006f4d2 round 3isrow a906b254968af4e9b4bdb2d2f0c44336 round 3imcol b7113ed134e85489b20866b51d4b2c3b round 3iksch f77d6ec1423f54ef5378317f14b75744 round 4istart 406c501076d70066e17057ca09fc7b7f round 4isbox 72b86c7c0f0d52d3e0d0da104055036b round 4isrow 7255dad30fb80310e00d6c6b40d0527c round 4imcol ef3b1be1b9b0e64bdcb79f1e0a707fbb round 4iksch 1147659047cf663b9b0ece8dfc0bf1f0 round 5istart fe7c7e71fe7f807047b95193f67b8e4b round 5isbox 0c018a2c0c6b3ad016db7022d603e6cc round 5isrow 0c0370d00c01e622166b8accd6db3a2c round 5imcol 592460b248832b2952e0b831923048f1 round 5iksch dcc1a8b667053f7dcc5c194ab5423a2e round 6istart 85e5c8042f8614549ebca17b277272df round 6isbox 672ab1304edc9bfddf78f1033d1e1eef round 6isrow 671ef1fd4e2a1e03dfdcb1ef3d789b30 round 6imcol 0b8a7783417ae3a1f9492dc0c641a7ce round 6iksch c6deb0ab791e2364a4055fbe568803ab round 7istart cd54c7283864c0c55d4c727e90c9a465 round 7isbox 80fd31ee768c1f078d5d1e8a96121dbc round 7isrow 80121e0776fd1d8a8d8c31bc965d1fee round 7imcol 4ee1ddf9301d6352c9ad769ef8d20515 round 7iksch dd1b7cdaf28d5c158a49ab1dbbc497cb round 8istart 93faa123c2903f4743e4dd83431692de round 8isbox 2214f132a896251664aec94164ff749c round 8isrow 22ffc916a81474416496f19c64ae2532 round 8imcol 1008ffe53b36ee6af27b42549b8a7bb7 round 8iksch 78c4f708318d3cd69655b701bfc093cf round 9istart 68cc08ed0abbd2bc642ef555244ae878 round 9isbox f727bf53a3fe7f788cc377eda65cc8c1 round 9isrow f75c7778a327c8ed8cfebfc1a6c37f53 round 9imcol 7f69ac1ed939ebaac8ece3cb12e159e3 42 round 9iksch 60dcef10299524ce62dbef152f9620cf round10istart 1fb5430ef0accf64aa370cde3d77792c round10isbox cbd264d717aa5f8c62b2819c8b02af42 round10isrow cb02818c17d2af9c62aa64428bb25fd7 round10imcol cfaf16b2570c18b52e7fef50cab267ae round10iksch 4b4ecbdb4d4dcfda5752d7c74949cbde round11istart 84e1dd691a41d76f792d389783fbac70 round11isbox 4fe0c9e443f80d06affa76854163aad0 round11isrow 4f63760643e0aa85aff8c9d041fa0de4 round11imcol 794cf891177bfd1d8a327086f3831b39 round11iksch 1a1f181d1e1b1c194742c7d74949cbde round12istart 6353e08c0960e104cd70b751bacad0e7 round12isbox 0050a0f04090e03080d02070c01060b0 round12isrow 00102030405060708090a0b0c0d0e0f0 round12iksch 000102030405060708090a0b0c0d0e0f round12ioutput 00112233445566778899aabbccddeeff C3 AES256 Nk8 Nr14 PLAINTEXT 00112233445566778899aabbccddeeff KEY 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f CIPHER ENCRYPT round 0input 00112233445566778899aabbccddeeff round 0ksch 000102030405060708090a0b0c0d0e0f round 1start 00102030405060708090a0b0c0d0e0f0 round 1sbox 63cab7040953d051cd60e0e7ba70e18c round 1srow 6353e08c0960e104cd70b751bacad0e7 round 1mcol 5f72641557f5bc92f7be3b291db9f91a round 1ksch 101112131415161718191a1b1c1d1e1f round 2start 4f63760643e0aa85efa7213201a4e705 round 2sbox 84fb386f1ae1ac97df5cfd237c49946b round 2srow 84e1fd6b1a5c946fdf4938977cfbac23 round 2mcol bd2a395d2b6ac438d192443e615da195 round 2ksch a573c29fa176c498a97fce93a572c09c round 3start 1859fbc28a1c00a078ed8aadc42f6109 round 3sbox adcb0f257e9c63e0bc557e951c15ef01 round 3srow ad9c7e017e55ef25bc150fe01ccb6395 round 3mcol 810dce0cc9db8172b3678c1e88a1b5bd round 3ksch 1651a8cd0244beda1a5da4c10640bade round 4start 975c66c1cb9f3fa8a93a28df8ee10f63 round 4sbox 884a33781fdb75c2d380349e19f876fb round 4srow 88db34fb1f807678d3f833c2194a759e round 4mcol b2822d81abe6fb275faf103a078c0033 round 4ksch ae87dff00ff11b68a68ed5fb03fc1567 round 5start 1c05f271a417e04ff921c5c104701554 round 5sbox 9c6b89a349f0e18499fda678f2515920 round 5srow 9cf0a62049fd59a399518984f26be178 round 5mcol aeb65ba974e0f822d73f567bdb64c877 round 5ksch 6de1f1486fa54f9275f8eb5373b8518d round 6start c357aae11b45b7b0a2c7bd28a8dc99fa round 6sbox 2e5bacf8af6ea9e73ac67a34c286ee2d round 6srow 2e6e7a2dafc6eef83a86ace7c25ba934 round 6mcol b951c33c02e9bd29ae25cdb1efa08cc7 round 6ksch c656827fc9a799176f294cec6cd5598b round 7start 7f074143cb4e243ec10c815d8375d54c round 7sbox d2c5831a1f2f36b278fe0c4cec9d0329 43 round 7srow d22f0c291ffe031a789d83b2ecc5364c round 7mcol ebb19e1c3ee7c9e87d7535e9ed6b9144 round 7ksch 3de23a75524775e727bf9eb45407cf39 round 8start d653a4696ca0bc0f5acaab5db96c5e7d round 8sbox f6ed49f950e06576be74624c565058ff round 8srow f6e062ff507458f9be50497656ed654c round 8mcol 5174c8669da98435a8b3e62ca974a5ea round 8ksch 0bdc905fc27b0948ad5245a4c1871c2f round 9start 5aa858395fd28d7d05e1a38868f3b9c5 round 9sbox bec26a12cfb55dff6bf80ac4450d56a6 round 9srow beb50aa6cff856126b0d6aff45c25dc4 round 9mcol 0f77ee31d2ccadc05430a83f4ef96ac3 round 9ksch 45f5a66017b2d387300d4d33640a820a round10start 4a824851c57e7e47643de50c2af3e8c9 round10sbox d61352d1a6f3f3a04327d9fee50d9bdd round10srow d6f3d9dda6279bd1430d52a0e513f3fe round10mcol bd86f0ea748fc4f4630f11c1e9331233 round10ksch 7ccff71cbeb4fe5413e6bbf0d261a7df round11start c14907f6ca3b3aa070e9aa313b52b5ec round11sbox 783bc54274e280e0511eacc7e200d5ce round11srow 78e2acce741ed5425100c5e0e23b80c7 round11mcol af8690415d6e1dd387e5fbedd5c89013 round11ksch f01afafee7a82979d7a5644ab3afe640 round12start 5f9c6abfbac634aa50409fa766677653 round12sbox cfde0208f4b418ac5309db5c338538ed round12srow cfb4dbedf4093808538502ac33de185c round12mcol 7427fae4d8a695269ce83d315be0392b round12ksch 2541fe719bf500258813bbd55a721c0a round13start 516604954353950314fb86e401922521 round13sbox d133f22a1aed2a7bfa0f44697c4f3ffd round13srow d1ed44fd1a0f3f2afa4ff27b7c332a69 round13mcol 2c21a820306f154ab712c75eee0da04f round13ksch 4e5a6699a9f24fe07e572baacdf8cdea round14start 627bceb9999d5aaac945ecf423f56da5 round14sbox aa218b56ee5ebeacdd6ecebf26e63c06 round14srow aa5ece06ee6e3c56dde68bac2621bebf round14ksch 24fc79ccbf0979e9371ac23c6d68de36 round14output 8ea2b7ca516745bfeafc49904b496089 INVERSE CIPHER DECRYPT round 0iinput 8ea2b7ca516745bfeafc49904b496089 round 0iksch 24fc79ccbf0979e9371ac23c6d68de36 round 1istart aa5ece06ee6e3c56dde68bac2621bebf round 1isrow aa218b56ee5ebeacdd6ecebf26e63c06 round 1isbox 627bceb9999d5aaac945ecf423f56da5 round 1iksch 4e5a6699a9f24fe07e572baacdf8cdea round 1ikadd 2c21a820306f154ab712c75eee0da04f round 2istart d1ed44fd1a0f3f2afa4ff27b7c332a69 round 2isrow d133f22a1aed2a7bfa0f44697c4f3ffd round 2isbox 516604954353950314fb86e401922521 round 2iksch 2541fe719bf500258813bbd55a721c0a round 2ikadd 7427fae4d8a695269ce83d315be0392b round 3istart cfb4dbedf4093808538502ac33de185c round 3isrow cfde0208f4b418ac5309db5c338538ed round 3isbox 5f9c6abfbac634aa50409fa766677653 round 3iksch f01afafee7a82979d7a5644ab3afe640 round 3ikadd af8690415d6e1dd387e5fbedd5c89013 44 round 4istart 78e2acce741ed5425100c5e0e23b80c7 round 4isrow 783bc54274e280e0511eacc7e200d5ce round 4isbox c14907f6ca3b3aa070e9aa313b52b5ec round 4iksch 7ccff71cbeb4fe5413e6bbf0d261a7df round 4ikadd bd86f0ea748fc4f4630f11c1e9331233 round 5istart d6f3d9dda6279bd1430d52a0e513f3fe round 5isrow d61352d1a6f3f3a04327d9fee50d9bdd round 5isbox 4a824851c57e7e47643de50c2af3e8c9 round 5iksch 45f5a66017b2d387300d4d33640a820a round 5ikadd 0f77ee31d2ccadc05430a83f4ef96ac3 round 6istart beb50aa6cff856126b0d6aff45c25dc4 round 6isrow bec26a12cfb55dff6bf80ac4450d56a6 round 6isbox 5aa858395fd28d7d05e1a38868f3b9c5 round 6iksch 0bdc905fc27b0948ad5245a4c1871c2f round 6ikadd 5174c8669da98435a8b3e62ca974a5ea round 7istart f6e062ff507458f9be50497656ed654c round 7isrow f6ed49f950e06576be74624c565058ff round 7isbox d653a4696ca0bc0f5acaab5db96c5e7d round 7iksch 3de23a75524775e727bf9eb45407cf39 round 7ikadd ebb19e1c3ee7c9e87d7535e9ed6b9144 round 8istart d22f0c291ffe031a789d83b2ecc5364c round 8isrow d2c5831a1f2f36b278fe0c4cec9d0329 round 8isbox 7f074143cb4e243ec10c815d8375d54c round 8iksch c656827fc9a799176f294cec6cd5598b round 8ikadd b951c33c02e9bd29ae25cdb1efa08cc7 round 9istart 2e6e7a2dafc6eef83a86ace7c25ba934 round 9isrow 2e5bacf8af6ea9e73ac67a34c286ee2d round 9isbox c357aae11b45b7b0a2c7bd28a8dc99fa round 9iksch 6de1f1486fa54f9275f8eb5373b8518d round 9ikadd aeb65ba974e0f822d73f567bdb64c877 round10istart 9cf0a62049fd59a399518984f26be178 round10isrow 9c6b89a349f0e18499fda678f2515920 round10isbox 1c05f271a417e04ff921c5c104701554 round10iksch ae87dff00ff11b68a68ed5fb03fc1567 round10ikadd b2822d81abe6fb275faf103a078c0033 round11istart 88db34fb1f807678d3f833c2194a759e round11isrow 884a33781fdb75c2d380349e19f876fb round11isbox 975c66c1cb9f3fa8a93a28df8ee10f63 round11iksch 1651a8cd0244beda1a5da4c10640bade round11ikadd 810dce0cc9db8172b3678c1e88a1b5bd round12istart ad9c7e017e55ef25bc150fe01ccb6395 round12isrow adcb0f257e9c63e0bc557e951c15ef01 round12isbox 1859fbc28a1c00a078ed8aadc42f6109 round12iksch a573c29fa176c498a97fce93a572c09c round12ikadd bd2a395d2b6ac438d192443e615da195 round13istart 84e1fd6b1a5c946fdf4938977cfbac23 round13isrow 84fb386f1ae1ac97df5cfd237c49946b round13isbox 4f63760643e0aa85efa7213201a4e705 round13iksch 101112131415161718191a1b1c1d1e1f round13ikadd 5f72641557f5bc92f7be3b291db9f91a round14istart 6353e08c0960e104cd70b751bacad0e7 round14isrow 63cab7040953d051cd60e0e7ba70e18c round14isbox 00102030405060708090a0b0c0d0e0f0 round14iksch 000102030405060708090a0b0c0d0e0f round14ioutput 00112233445566778899aabbccddeeff EQUIVALENT INVERSE CIPHER DECRYPT 45 round 0iinput 8ea2b7ca516745bfeafc49904b496089 round 0iksch 24fc79ccbf0979e9371ac23c6d68de36 round 1istart aa5ece06ee6e3c56dde68bac2621bebf round 1isbox 629deca599456db9c9f5ceaa237b5af4 round 1isrow 627bceb9999d5aaac945ecf423f56da5 round 1imcol e51c9502a5c1950506a61024596b2b07 round 1iksch 34f1d1ffbfceaa2ffce9e25f2558016e round 2istart d1ed44fd1a0f3f2afa4ff27b7c332a69 round 2isbox 5153862143fb259514920403016695e4 round 2isrow 516604954353950314fb86e401922521 round 2imcol 91a29306cc450d0226f4b5eaef5efed8 round 2iksch 5e1648eb384c350a7571b746dc80e684 round 3istart cfb4dbedf4093808538502ac33de185c round 3isbox 5fc69f53ba4076bf50676aaa669c34a7 round 3isrow 5f9c6abfbac634aa50409fa766677653 round 3imcol b041a94eff21ae9212278d903b8a63f6 round 3iksch c8a305808b3f7bd043274870d9b1e331 round 4istart 78e2acce741ed5425100c5e0e23b80c7 round 4isbox c13baaeccae9b5f6705207a03b493a31 round 4isrow c14907f6ca3b3aa070e9aa313b52b5ec round 4imcol 638357cec07de6300e30d0ec4ce2a23c round 4iksch b5708e13665a7de14d3d824ca9f151c2 round 5istart d6f3d9dda6279bd1430d52a0e513f3fe round 5isbox 4a7ee5c9c53de85164f348472a827e0c round 5isrow 4a824851c57e7e47643de50c2af3e8c9 round 5imcol ca6f71058c642842a315595fdf54f685 round 5iksch 74da7ba3439c7e50c81833a09a96ab41 round 6istart beb50aa6cff856126b0d6aff45c25dc4 round 6isbox 5ad2a3c55fe1b93905f3587d68a88d88 round 6isrow 5aa858395fd28d7d05e1a38868f3b9c5 round 6imcol ca46f5ea835eab0b9537b6dbb221b6c2 round 6iksch 3ca69715d32af3f22b67ffade4ccd38e round 7istart f6e062ff507458f9be50497656ed654c round 7isbox d6a0ab7d6cca5e695a6ca40fb953bc5d round 7isrow d653a4696ca0bc0f5acaab5db96c5e7d round 7imcol 2a70c8da28b806e9f319ce42be4baead round 7iksch f85fc4f3374605f38b844df0528e98e1 round 8istart d22f0c291ffe031a789d83b2ecc5364c round 8isbox 7f4e814ccb0cd543c175413e8307245d round 8isrow 7f074143cb4e243ec10c815d8375d54c round 8imcol f0073ab7404a8a1fc2cba0b80df08517 round 8iksch de69409aef8c64e7f84d0c5fcfab2c23 round 9istart 2e6e7a2dafc6eef83a86ace7c25ba934 round 9isbox c345bdfa1bc799e1a2dcaab0a857b728 round 9isrow c357aae11b45b7b0a2c7bd28a8dc99fa round 9imcol 3225fe3686e498a32593c1872b613469 round 9iksch aed55816cf19c100bcc24803d90ad511 round10istart 9cf0a62049fd59a399518984f26be178 round10isbox 1c17c554a4211571f970f24f0405e0c1 round10isrow 1c05f271a417e04ff921c5c104701554 round10imcol 9d1d5c462e655205c4395b7a2eac55e2 round10iksch 15c668bd31e5247d17c168b837e6207c round11istart 88db34fb1f807678d3f833c2194a759e round11isbox 979f2863cb3a0fc1a9e166a88e5c3fdf round11isrow 975c66c1cb9f3fa8a93a28df8ee10f63 round11imcol d24bfb0e1f997633cfce86e37903fe87 round11iksch 7fd7850f61cc991673db890365c89d12 46 round12istart ad9c7e017e55ef25bc150fe01ccb6395 round12isbox 181c8a098aed61c2782ffba0c45900ad round12isrow 1859fbc28a1c00a078ed8aadc42f6109 round12imcol aec9bda23e7fd8aff96d74525cdce4e7 round12iksch 2a2840c924234cc026244cc5202748c4 round13istart 84e1fd6b1a5c946fdf4938977cfbac23 round13isbox 4fe0210543a7e706efa476850163aa32 round13isrow 4f63760643e0aa85efa7213201a4e705 round13imcol 794cf891177bfd1ddf67a744acd9c4f6 round13iksch 1a1f181d1e1b1c191217101516131411 round14istart 6353e08c0960e104cd70b751bacad0e7 round14isbox 0050a0f04090e03080d02070c01060b0 round14isrow 00102030405060708090a0b0c0d0e0f0 round14iksch 000102030405060708090a0b0c0d0e0f round14ioutput 00112233445566778899aabbccddeeff 47 Appendix D References 1 AES page available via httpwwwnistgovCryptoToolkit4 2 Computer Security Objects Register CSOR httpcsrcnistgovcsor 3 J Daemen and V Rijmen AES Proposal Rijndael AES Algorithm Submission September 3 1999 available at 1 4 J Daemen and V Rijmen The block cipher Rijndael Smart Card research and Applications LNCS 1820 SpringerVerlag pp 288296 5 B Gladmans AES related home page httpfpgladmanpluscomcryptographytechnology 6 A Lee NIST Special Publication 80021 Guideline for Implementing Cryptography in the Federal Government National Institute of Standards and Technology November 1999 7 A Menezes P van Oorschot and S Vanstone Handbook of Applied Cryptography CRC Press New York 1997 p 8183 8 J Nechvatal et al Report on the Development of the Advanced Encryption Standard AES National Institute of Standards and Technology October 2 2000 available at 1 4 A complete set of documentation from the AES development effort including announcements public comments analysis papers conference proceedings etc is available from this site