1

I'm trying to understand AES encryption and decryption in detail. I have a working-level knowledge of all parts of it except the MixColumns step, i.e. how decryption is the inverse operation of encryption.

Mathematical question, ignoring cryptography:

$$ \begin{bmatrix} 5d\\ e0\\ 70\\ bb \end{bmatrix} = \begin{bmatrix} 2& 3& 1& 1\\ 1& 2& 3& 1\\ 1& 1& 2& 3\\ 3& 1& 1& 2 \end{bmatrix} \begin{bmatrix} 63\\ 47\\ a2\\ f0 \end{bmatrix} $$ $$ \begin{bmatrix} 63\\ 47\\ a2\\ f0 \end{bmatrix} = \begin{bmatrix} e& b& d& 9\\ 9& e& b& d\\ d& 9& e& b\\ b& d& 9& e \end{bmatrix} \begin{bmatrix} 5d\\ e0\\ 70\\ bb \end{bmatrix} $$

In these matrix operations on hex numbers, addition is XOR (i.e. the characteristic is 2) and multiplication is in GF(2^8), so products are reduced by $x^8 + x^4 + x^3 + x + 1$.

Ex: $e \cdot 5d = (x^3 + x^2 + x)(x^6 + x^4 + x^3 + x^2 + 1) = x^3 + x + 1 = 0b$

Wikipedia explains that those square matrices are based on the polynomials below:

a(x) = $3x^3 + x^2 + x + 2$ modulo $x^4 + 1$

$ \mathrm{a}^{-1}(x) = 11x^3 + 13x^2 + 9x + 14 $

But how is the $ \mathrm{a}^{-1}(x)$ derived?

What I tried

The Rijndael PDF doesn't derive that inverse, but mentions that even though $x^4 + 1$ is not an irreducible polynomial, since $3x^3 + x^2 + x + 2$ is coprime with it, the inverse exists and gives that result.

They mention that the MixColumns operation is a linear transformation modulo $x^4 + 1$, and that each coefficient is in the field GF(2^8). So I'm assuming that you don't need to rely on GF(2^8), i.e. $x^8 + x^4 + x^3 + x + 1$, to calculate the inverse function above.

When I tried to find the inverse using the extended Euclidean algorithm and polynomial division, I got $$-\frac{4}{135}x^3 - \frac{4}{135}x^2 - \frac{12}{135}x + \frac{8}{135}$$ When you normalize it and treat negative as positive, since they mention the use of XOR modulo $x^4 + 1$ too, we get $x^3 + x^2 + 3x + 2$, which doesn't work when used in the corresponding inverse matrix.

How is that inverse function derived?

PS: I'm guessing my confusion is in the interaction between modulo $x^4 + 1$ and the regular GF(2^8) arithmetic in this step of AES.

  • Please write the full context of your question, introducing all the necessary notations. It's no fun going to several links to understand the context. – Francis H. May 27 '25 at 20:47
  • I added some background – Sharan Mora May 27 '25 at 20:57
  • If your program gave that polynomial with rational coefficients as the inverse, then there is a misunderstanding somewhere along the line. I suggest a few possible places in my answer, and also explain why the claimed polynomial is the inverse modulo $x^4+1$. Don't know how much more time I can invest into this. Hope that answer clears up some of the fog anyway. – Jyrki Lahtonen May 31 '25 at 08:43
  • For example here another asker had similar difficulties (but possibly distinct from yours). – Jyrki Lahtonen May 31 '25 at 09:55
  • Thanks, your hint would have reduced some time in deriving my solution – Sharan Mora May 31 '25 at 19:30

2 Answers

1

I don't know what went wrong in your run of Euclid's algorithm. But before we delve into that I want to check one thing about your understanding. Please don't take this as an insult. I have simply seen many bright people make mistakes here simply because somebody tossed them into a non-shallow part of the finite field pool without a course on abstract algebra.

A common confusion is to take that $x$ used as an indeterminate in defining the field $K=GF(2^8)$ too seriously. It really is just a tool for constructing the field, and once you have the field implemented, it is actually best disposed of, because often you will be needing polynomials with coefficients in $K$. My preferred way of handling this would be to denote the coset of $x$ modulo $f(x):=x^8+x^4+x^3+x+1$ in the field $K:=GF(2)[x]/\langle f(x)\rangle$ by $\alpha$. Then, for example, $3=11_2=\alpha+1$, $11=1011_2=\alpha^3+\alpha+1$ et cetera. I assume that you are already familiar with the process of converting byte values into elements of $K$ like this. If not, then you need to study that first.

For the time being I stick to abusing $x$ as a shorthand of that coset. In other words $x=2$, $x+1=3$, $x^2=4$ etc. The point I want to clear up in this note is that then you need another indeterminate to be used when playing with polynomials with coefficients in $K$. Let's use $T$ to that end.

When thinking about it this way, you need to use $T$ in the quantity $$ a(T)=3T^3+T^2+T+2=(x+1)T^3+T^2+T+x\in K[T] $$ modulo $T^4+1$. You must also remember that the coefficients of $a(T)$, i.e. $3,1,1,2$ really are elements of $K$. So to calculate the inverse $a^{-1}(T)$ modulo $T^4+1$, you must run the extended Euclidean algorithm in the ring $K[T]$. If you have problems there, please ask a specific question about that. For now, let's simply check that the claimed polynomial $$ \begin{aligned}b(T)&=11T^3+13T^2+9T+14=1011_2T^3+1101_2T^2+1001_2T+1110_2\\ &=(x^3+x+1)T^3+(x^3+x^2+1)T^2+(x^3+1)T+(x^3+x^2+x) \end{aligned} $$ works as the inverse modulo $T^4+1$.

This pair of polynomials may have been carefully designed to make this step simple, as we don't need to do reductions modulo $f(x)$ at all! Anyway, we simply expand that $$ \begin{aligned} a(T) b(T)&=T^6 \left(x^4+x^3+x^2+1\right)+T^5 \left(x^4+x^3+x^2\right)+T^4 \left(x^4+x^3+x^2+1\right)\\ &+T^2 \left(x^4+x^3+x^2+1\right)+T \left(x^4+x^3+x^2\right)+x^4+x^3+x^2. \end{aligned} $$ All we need to do is pair up the $T^6$ and $T^2$ terms, the $T^5$ and $T$ terms, and the $T^4$ and $1$ terms to see that $$ a(T)b(T)=1+(T^4+1)\left([x^4+x^3+x^2+1]T^2+[x^4+x^3+x^2]T+[x^4+x^3+x^2+1]\right). $$ In other words, $$a(T)b(T)\equiv1\pmod{T^4+1}.$$

Jyrki Lahtonen
  • 140,891
  • Yes, that was my mistake: using those numbers directly in the extended Euclidean algorithm rather than as polynomials. I found a way to determine that polynomial, albeit it's laborious. – Sharan Mora May 31 '25 at 19:27
0

My mistake was treating those numbers directly instead of as polynomials modulo $x^4 + 1$; I was confused by the presence of the matrix.

Due to the choice of the field $x^4 + 1$ and the initial polynomial $3x^3 + x^2 + x + 2$, we know:

  • the inverse exists because they are coprime
  • the equations form circulant matrices

We can represent our expected equation as a matrix. Then multiplying the two matrices below gives the identity. $$ \begin{bmatrix} k_{03}x^3+k_{02}x^2+k_{01}x+k_{00}& k_{33}x^3+k_{32}x^2+k_{31}x+k_{30}& k_{23}x^3+k_{22}x^2+k_{21}x+k_{20}& k_{13}x^3+k_{12}x^2+k_{11}x+k_{10}\\ k_{13}x^3+k_{12}x^2+k_{11}x+k_{10}& k_{03}x^3+k_{02}x^2+k_{01}x+k_{00}& k_{33}x^3+k_{32}x^2+k_{31}x+k_{30}& k_{23}x^3+k_{22}x^2+k_{21}x+k_{20}\\ k_{23}x^3+k_{22}x^2+k_{21}x+k_{20}& k_{13}x^3+k_{12}x^2+k_{11}x+k_{10}& k_{03}x^3+k_{02}x^2+k_{01}x+k_{00}& k_{33}x^3+k_{32}x^2+k_{31}x+k_{30}\\ k_{33}x^3+k_{32}x^2+k_{31}x+k_{30}& k_{23}x^3+k_{22}x^2+k_{21}x+k_{20}& k_{13}x^3+k_{12}x^2+k_{11}x+k_{10}& k_{03}x^3+k_{02}x^2+k_{01}x+k_{00}\\ \end{bmatrix} \begin{bmatrix} x& x+1& 1& 1\\ 1& x& x+1& 1\\ 1& 1& x& x+1\\ x+1& 1& 1& x\\ \end{bmatrix} $$

The resulting equations are in characteristic two, so to solve them we can only add them in different combinations to reduce them.

I got 16 five-variable equations, which reduced to 20 four-variable equations, then 16 three-variable equations, then 12 two-variable equations. Finally I got $k_0=1110$, $k_3=1011$, $k_2=1101$, $k_1=1001$, as expected.
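Both routes on this page, the extended Euclidean algorithm in $K[T]$ modulo $T^4+1$ from Jyrki Lahtonen's answer and the circulant-matrix solution above, can be checked mechanically. The following is an added example, not code from the question or either answer: it implements GF(2^8) bytes, polynomials over them as lists with the lowest-degree coefficient first, runs the extended Euclid to obtain $b(T) = 11T^3+13T^2+9T+14$ from $a(T)$, and applies both polynomials as the MixColumns column step to the column $(63, 47, a2, f0)$ from the question; all function and variable names are my own.

```python
AES_POLY = 0x11B                       # x^8 + x^4 + x^3 + x + 1
MIX = [0x02, 0x01, 0x01, 0x03]         # a(T) = {03}T^3 + T^2 + T + {02}, low degree first
MOD = [0x01, 0x00, 0x00, 0x00, 0x01]   # T^4 + 1  (added example; not the posters' code)
def gf_mul(a, b):                      # bytes in K = GF(2^8); addition is XOR
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (AES_POLY if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a):                         # nonzero a only; exhaustive search is fine for 256 bytes
    return next(c for c in range(1, 256) if gf_mul(a, c) == 1)

def p_trim(p):                         # drop zero high-order coefficients of a K[T] polynomial
    while p and p[-1] == 0:
        p.pop()
    return p

def p_add(p, q):                       # coefficient-wise XOR (subtraction is the same thing)
    p, q = p + [0] * (len(q) - len(p)), q + [0] * (len(p) - len(q))
    return p_trim([u ^ v for u, v in zip(p, q)])

def p_mul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, u in enumerate(p):
        for j, v in enumerate(q):
            r[i + j] ^= gf_mul(u, v)
    return p_trim(r)

def p_divmod(p, q):                    # long division in K[T] -> (quotient, remainder)
    p, inv_lead = p_trim(list(p)), gf_inv(q[-1])
    quot = [0] * max(len(p) - len(q) + 1, 0)
    while len(p) >= len(q):
        shift, coef = len(p) - len(q), gf_mul(p[-1], inv_lead)
        quot[shift] = coef
        p = p_add(p, [0] * shift + [gf_mul(coef, c) for c in q])
    return p_trim(quot), p

def p_inverse_mod(a, m):               # extended Euclid: b with a*b = 1 (mod m), else None
    r0, r1, t0, t1 = p_trim(list(m)), p_trim(list(a)), [], [1]
    while r1:                          # invariant: r_i = t_i * a (mod m)
        q, r = p_divmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, p_add(t0, p_mul(q, t1))
    if len(r0) != 1:                   # gcd is not a constant: no inverse exists
        return None
    return [gf_mul(gf_inv(r0[0]), c) for c in t0]

def mix_column(poly, col):             # poly(T) * col(T) mod T^4 + 1, i.e. the 4x4 matrix step
    r = p_divmod(p_mul(poly, col), MOD)[1]
    return r + [0] * (4 - len(r))
```

`p_inverse_mod(MIX, MOD)` returns `[0x0e, 0x09, 0x0d, 0x0b]`, whose cyclic shifts are exactly the rows of the inverse matrix in the question, and `p_inverse_mod([0x01, 0x01], MOD)` returns `None` because $T+1$ divides $T^4+1=(T+1)^4$, which is the coprimality condition the Rijndael document mentions.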