Re: AES operation order
sci.crypt archive

From: Cryptic <no@spam.please>
Date: Mon Dec 26 2005 - 23:00:17 CET

Sebastian Gottschalk wrote:

> I still wonder why you even assumed that '*' is distributive over XOR

Because Brian Gladman wrote in his document, chapter "5.5 The Equivalent
Inverse Cipher":

"Moreover, the order of the XorRoundKey and InvMixColumns operations can be
inverted to put the forward and inverse ciphers in the same form provided
that an adjustment is made to the key schedule. The order of round key
addition and column mixing can be changed because the column mixing
operation is linear with respect to the column input so that:
InvMixColumns(state xor rk) = InvMixColumns(state) xor InvMixColumns(rk)
where rk represents a round key in the form of a state array."

So I decided to do the same trick, i.e. to construct an "Equivalent Cipher",
to follow Mr. Gladman's nomenclature. And since InvMixColumns() is
essentially the same as MixColumns() (i.e. 4x4 matrix * vector
multiplication), and "=" is reflexive, I believe that my solution is correct
too. Am I wrong?

> in any non-trivial field like GF(2^8). For much more fun, the same
> thing for GF(2^16) is an essential element of the security of IDEA,
> and I bet this also holds for AES.

Well, but now it works. :-) I had a nasty bug in my GF(2^8) multiplication
routine; the idea posted here in the seminal article seems to be correct -- I
have fixed ffmul and now all my test vectors agree with those provided in the
AES documentation.

    Thanks, Tomek
Received on Tue Jan 3 03:41:26 2006
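As an added example, not code from the thread or from Gladman's paper: a GF(2^8) multiply with the AES reduction polynomial, MixColumns/InvMixColumns built on it, and checks of the two identities the thread argues about (distributivity of the field multiply over XOR, and the linearity of InvMixColumns that makes the equivalent inverse cipher work). Function names such as `ffmul` and `mix_column` and the test columns are my own choices; the two products are the worked examples from FIPS-197 section 4.2.

```python
# GF(2^8) arithmetic as used by AES, plus the column-mixing identities from the
# thread. Names and sample columns are constructed for this example.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of FIPS-197


def ffmul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo x^8+x^4+x^3+x+1 (shift-and-add)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:        # degree reached 8: reduce by the field polynomial
            a ^= AES_POLY
        b >>= 1
    return product & 0xFF


MIX = (2, 3, 1, 1)         # first row of the MixColumns circulant matrix
INV_MIX = (14, 11, 13, 9)  # first row of the InvMixColumns circulant matrix


def mix_column(col, row0=MIX):
    """Multiply a 4-byte column by the circulant matrix whose first row is row0."""
    return [sum_xor(ffmul(row0[(c - r) % 4], col[c]) for c in range(4)) for r in range(4)]


def sum_xor(values) -> int:
    acc = 0
    for v in values:
        acc ^= v
    return acc


def inv_mix_column(col):
    return mix_column(col, INV_MIX)


def xor_bytes(a, b):
    return [x ^ y for x, y in zip(a, b)]


def distributes_over_xor(a: int, b: int, c: int) -> bool:
    """a*(b xor c) == a*b xor a*c in GF(2^8): the point Sebastian questioned."""
    return ffmul(a, b ^ c) == ffmul(a, b) ^ ffmul(a, c)


def linearity_holds(state_col, rk_col) -> bool:
    """InvMixColumns(state xor rk) == InvMixColumns(state) xor InvMixColumns(rk)."""
    lhs = inv_mix_column(xor_bytes(state_col, rk_col))
    rhs = xor_bytes(inv_mix_column(state_col), inv_mix_column(rk_col))
    return lhs == rhs
```

Running `ffmul` against the FIPS-197 products ({57}*{83} = {c1}, {57}*{13} = {fe}) and a known MixColumns column is the kind of test-vector check that exposes a broken multiply before any round-key trick is attempted.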