Me and one of my friends are working on AES algorithm. We have understood how multiplicative inverse table is generated. Rijndael AES algorithm shows us how S-Box is generated through the affine transformation process. In the original algorithm they have multiply each byte of the state with an constant matrix and then add the result with another constant byte which is 0x63 to get the substitute value. We have understood how the constant matrix is generated as there is a formula to generate it but couldn't find out why 0x63 constant value is chosen. We have already gone through many resources but could not find any appropriate solution. Can any one help us in this regarding issue?
Asked
Active
Viewed 1,403 times
1 Answers
8
According to the Rijndael AES proposal (emphasis mine):
We have chosen an affine mapping that has a very simple description per se, but a complicated algebraic expression if combined with the ‘inverse’ mapping. It can be seen as modular polynomial multiplication followed by an addition: $$b(x) = (x^7 + x^6 + x^2 + x) + a(x)(x^7 + x^6 + x^5 + x^4 + 1) \mod x^8 + 1$$ The modulus has been chosen as the simplest modulus possible. The multiplication polynomial has been chosen from the set of polynomials coprime to the modulus as the one with the simplest description. The constant has been chosen in such a way that that the S-box has no fixed points (S-box($a$) = $a$) and no ’opposite fixed points' (S-box($a$) = $\bar a$).
I'm not personally aware of any other design considerations in the choice of the additive constant 0x63, although it's worth noting that it does have a fairly nice and simple binary representation (0x63 = 0b0110 0011), which might perhaps simplify some implementations slightly.
Ilmari Karonen
- 46,700
- 5
- 112
- 189