AES is designed to withstand cryptographic attack on (unclassified) government information well into the new century. Its use by the private sector is optional, but since it provides far more security than DES does, this optionality is really a smoke screen: AES will be the de facto standard for the private sector. Information on the selection and specifics of the Rijndael algorithm for AES can be obtained on-line from NIST.

The 128-bit input is divided into 16 bytes of 8 bits apiece, arranged in a 4 × 4 matrix. The ShiftRow and MixColumn steps operate on this matrix (on its rows and its columns respectively), while the ByteSub and AddRoundKey steps operate byte by byte. Some of the operations use the finite field GF(2^{8}), which has 256 elements. The important features of this field are that each of its elements is represented by a single byte (8 bits), and that one can add (which is just XOR) and multiply these bytes to get another byte. The construction of this field (and more importantly the multiplication rule) depends on a fixed irreducible polynomial of degree 8. The polynomial used for Rijndael is x^{8} + x^{4} + x^{3} + x + 1.

The MixColumn step treats each column of the matrix as a vector of four field elements and multiplies it by the following fixed matrix (entries are bytes written in decimal, and all arithmetic is in GF(2^{8})). Each row is a cyclic shift of the one above it; the first row is the same shift of the last:

2 3 1 1

1 2 3 1

1 1 2 3

3 1 1 2

To finish the description of the algorithm, we need to examine how the round keys are determined (the Key Schedule). The expanded key is a sequence of 4-byte columns W(0), W(1), ..., W(43): W(0) to W(3) are the four columns of the 128-bit cipher key, and round key number r (r = 0, ..., 10, with round key 0 used by the initial AddRoundKey) consists of the columns W(4r), ..., W(4r+3). The remaining columns are computed as follows:

If i is not a multiple of 4, **W(i) = W(i-4) + W(i-1)**,

but if i is a multiple of 4 then W(i-1) is modified before the XOR (the addition in the formula). The modification is:

- Cyclically shift the bytes of the column up by one.
- Replace each byte in the column using the S-box of the ByteSub step.
- Compute the round constant r(i) = (00000010)^{(i-4)/4} in GF(256), i.e. the byte 02 raised to the power (i-4)/4, and add (XOR) the result to the first byte of the column. For i = 4, 8, ..., 40 this gives 01, 02, 04, 08, 10, 20, 40, 80, 1b, 36 (in hex); the last two wrap around modulo the field polynomial.

The inverse MixColumn step (IMC) multiplies each column by the inverse of the MixColumn matrix over GF(2^{8}), which is (entries again in decimal):

14 11 13 9

9 14 11 13

13 9 14 11

11 13 9 14

Now a round of Rijndael consists of (with the obvious abbreviations) BS, SR, MC and ARK. The inverse of this would be ARK, IMC, ISR, IBS. Since IBS acts on bytes and ISR moves bytes, the order in which these operations are performed is not important (i.e., they commute as operations). The operations ARK and IMC however do not commute, and we would like them to, in some sense. Since "ARK then IMC" is the inverse of "MC then ARK", let's look at "MC then ARK" in more detail. In matrix notation, "MC then ARK" is simply Y = MX + K, where K is the round key matrix, M is the MixColumn matrix, X the current state of the working matrix and Y the matrix that results. The inverse of this is given by X = M^{-1}(Y + K) = M^{-1}Y + M^{-1}K, since M^{-1} is linear over the field. But this is just IMC applied to Y followed by adding, not K, but IMC applied to K. By defining **InvAddRoundKey** (IARK) to be XORing with IMC of K, we see that "ARK then IMC" can be replaced by "IMC then IARK". Now look at the inverse of the complete round structure of Rijndael (and recall the missing MC in the last round):

ARK ISR IBS

ARK IMC ISR IBS

..........

ARK IMC ISR IBS

ARK

Now apply the switches in the last paragraph:

ARK IBS ISR

IMC IARK IBS ISR

....

IMC IARK IBS ISR

ARK

which can be rewritten as:

ARK

IBS ISR IMC IARK (9 rounds of this)

IBS ISR ARK

Thus we have the decryption algorithm written in the same form as the encryption algorithm, only replacing the steps by their inverses. The round keys of course have to be supplied in the reverse order as well, and in this form the nine middle rounds use IMC applied to their round keys (the IARK step), while the first and last ARK use the round keys of the last and first encryption rounds unchanged.
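The whole construction above, in working code: multiplication in GF(2^{8}) with the Rijndael polynomial, the MixColumn matrix and its inverse, the key schedule with its round constants, and decryption written in the same form as encryption (ARK; 9 rounds of IBS ISR IMC IARK; IBS ISR ARK). This is an added example, not code from the page or from NIST. It assumes the FIPS-197 convention that the 16 input bytes fill the 4 × 4 state column by column, and that the S-box is the usual Rijndael one (multiplicative inverse in the field followed by a fixed affine map), which the text refers to but does not spell out; it checks itself against the published FIPS-197 Appendix B test vector.

```python
"""AES-128 as described in the text: GF(2^8) arithmetic, MixColumn and its
inverse, the key schedule, and the equivalent inverse cipher.  Added example,
not the page's or NIST's code; self-checked against FIPS-197 Appendix B."""

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8): shift-and-add, reducing mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_matmul(A, B):
    """Product of two 4x4 matrices over GF(2^8) (addition is XOR)."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            for k in range(4):
                out[i][j] ^= gf_mul(A[i][k], B[k][j])
    return out

def build_sbox():
    """Rijndael S-box (assumed, not given on the page): multiplicative inverse
    in GF(2^8) with 0 -> 0, then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    box = []
    for a in range(256):
        inv = 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)
        s, rot = inv, inv
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            s ^= rot
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

# MixColumn matrix and its inverse, entries in decimal as in the text.
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IMC = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

# The state is a flat list of 16 bytes filled column by column (byte i sits
# at row i % 4, column i // 4): the FIPS-197 convention, assumed here.

def rcon(i):
    """Round constant r(i) = 02^((i-4)/4) in GF(2^8), for i a multiple of 4."""
    v = 1
    for _ in range((i - 4) // 4):
        v = gf_mul(v, 2)
    return v

def expand_key(key):
    """Columns W(0..43): W(i) = W(i-4) ^ W(i-1); every 4th column W(i-1) is
    first rotated up by one, sent through the S-box and XORed with r(i)."""
    W = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = W[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]          # cyclic shift up by one
            t = [SBOX[b] for b in t]   # ByteSub on the column
            t[0] ^= rcon(i)            # round constant into the first byte
        W.append([a ^ b for a, b in zip(W[i - 4], t)])
    return W

def round_keys(W):
    """Round key r is the 16 bytes of columns W(4r)..W(4r+3)."""
    return [sum((W[4 * r + c] for c in range(4)), []) for r in range(11)]

def sub_bytes(s, box):
    return [box[b] for b in s]

def shift_rows(s, inverse=False):
    """Row r is rotated left by r positions (right for the inverse)."""
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix(s, M):
    """Multiply every column of the state by the matrix M over GF(2^8)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(M[r][0], col[0]) ^ gf_mul(M[r][1], col[1])
                       ^ gf_mul(M[r][2], col[2]) ^ gf_mul(M[r][3], col[3]))
    return out

def add_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def encrypt(block, key):
    """ARK; 9 x (BS SR MC ARK); BS SR ARK (no MC in the last round)."""
    K = round_keys(expand_key(key))
    s = add_key(list(block), K[0])
    for r in range(1, 10):
        s = add_key(mix(shift_rows(sub_bytes(s, SBOX)), MC), K[r])
    return bytes(add_key(shift_rows(sub_bytes(s, SBOX)), K[10]))

def decrypt(block, key):
    """Equivalent inverse cipher: ARK; 9 x (IBS ISR IMC IARK); IBS ISR ARK,
    where IARK XORs with IMC applied to the round key, keys in reverse order."""
    K = round_keys(expand_key(key))
    s = add_key(list(block), K[10])
    for r in range(9, 0, -1):
        s = add_key(mix(shift_rows(sub_bytes(s, INV_SBOX), True), IMC),
                    mix(K[r], IMC))
    return bytes(add_key(shift_rows(sub_bytes(s, INV_SBOX), True), K[0]))

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 App. B
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key) == pt)  # 3925841d02dc09fbdc118597196a0b32 True
```

The check that `gf_matmul(MC, IMC)` is the identity matrix is what justifies calling the second matrix the inverse of the first, and `mix(add_key(y, k), IMC) == add_key(mix(y, IMC), mix(k, IMC))` is exactly the linearity M^{-1}(Y + K) = M^{-1}Y + M^{-1}K used to define IARK; `decrypt` relies on both.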