On Partial Linearization of Byte Substitution Transformation of Rijndael-The AES

Rijndael-The AES [1-3] is a 128-bit block cipher based on an elegant algebraic structure over $F_{2^8}$. This cipher employs a simple approach to its substitution, permutation (SP) operations. We take a close look at its internals; the byte substitution transformation function is the only non-linear function in Rijndael-The AES. This transformation comprises two steps operating on each byte. Here we try to remodel it as a one-step operation using an indicator vector matrix representation. This representation is further extended to mathematically represent one complete encryption or decryption round of Rijndael using the indicator vector matrix representation, which can be explored for better cryptanalysis [4,5] of the cipher.


INTRODUCTION
The Rijndael algorithm [1][2][3] was designed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, as one of the candidates for the Advanced Encryption Standard (AES) selection. The AES committee was formed by the U.S. Government under the umbrella of the National Institute of Standards and Technology (NIST) to find another cryptographic algorithm to replace the existing 64-bit block cipher of 1977, the Data Encryption Standard (DES), and to protect sensitive digital information over the next few decades.
After a stringent qualifying process of three rounds involving the whole world's cryptographic community [6], the Rijndael algorithm was proposed by the AES committee as the Advanced Encryption Standard (The AES) on Nov. 26. Rijndael possesses an elegant algebraic structure over $F_{2^8}$ [7][8][9][10]. It supports a variable block size and a variable key size of 128, 160, 192, 224 or 256 bits each. For the AES, however, the block size is fixed at 128 bits, while the key size remains variable at 128, 192 or 256 bits. It has 10, 12 or 14 iterations of round transformations, depending on the key size of 128, 192 or 256 bits respectively, in conjunction with an initial round of key addition. Each (except the last) round transformation function is composed of the four sub transformation functions: Byte Substitution or bs, Row Shift or rs, Mix Column or mc and Add Round Key or ak. The last round transformation does not include the mc function.
In this study we present an analysis of the block cipher Rijndael while concentrating on its 128-bit version. This cipher employs a simple approach to its substitution, permutation (SP) operations. We take a close look at its internals, recast some of these and present the cipher in a manner amenable for better analysis.

Notations:
We fix the block size and key size to 128 bits. We consider the 10 round version. We use the following notations. Let for all round index i 0, ,10

Brief description of Rijndael internals:
Rijndael has an elegant algebraic structure over $F_{2^8}$. The input plain text or the output cipher text, of block size 128 bits, is viewed as a 4x4 matrix of 16 bytes arranged in a column major format. Rijndael consists of an initial round of key addition (ak) followed by 10 iterations of round transformations for the key size of 128 bits. Each (except the last) round transformation function is composed of the four sub transformation functions: Byte Substitution or bs, Row Shift or rs, Mix Column or mc and Add Round Key or ak. The last round transformation does not include the mc function.

Byte substitution transformation: bs:
This is the only non-linear transformation in the entire Rijndael structure. It operates independently on each byte using a substitution table (S-box). The S-box, which is invertible, is composed of two transformations:
1. Taking the multiplicative inverse of the desired byte in the finite field $GF(2^8)$
2. Applying an affine transformation to the result

Thus, the byte substitution operation transforms a byte a(x) to bs(a(x)) as per the following relation. Let 1. (

The inverse S-box is constructed by taking an inverse affine transform followed by a multiplicative inverse in the finite field $F_{2^8}$. 1.
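The two-step construction described above, collapsed into a single lookup table, as an added example that is not code from the paper. It assumes the standard AES parameters (modulus x^8 + x^4 + x^3 + x + 1, affine constant 0x63); the function names are hypothetical. It also checks over GF(2) that the affine step alone is affine while the composed bs is not.

```python
G = 0x11B  # assumed Rijndael modulus: x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod G."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= G
        b >>= 1
    return r

def gf_inv(a):
    """Step 1: multiplicative inverse as a^254; 0 is mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b):
    """Step 2: standard AES affine map, b ^ rotl(b,1..4) ^ 0x63."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

# Both steps collapsed into one table lookup per byte.
SBOX = [affine(gf_inv(a)) for a in range(256)]

# The inverse S-box is the inverse permutation of the table.
INV_SBOX = [0] * 256
for a, s in enumerate(SBOX):
    INV_SBOX[s] = a

def is_affine(f):
    """True iff f(a ^ b) == f(a) ^ f(b) ^ f(0) for every pair of bytes."""
    f0 = f(0)
    return all(f(a ^ b) == f(a) ^ f(b) ^ f0
               for a in range(256) for b in range(256))

def bs(a):
    """Byte substitution as a one-step table lookup."""
    return SBOX[a]

if __name__ == "__main__":
    print("bs(0x53) =", hex(bs(0x53)))
    print("affine step is affine over GF(2):", is_affine(affine))
    print("bs is affine over GF(2):", is_affine(bs))
```
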

Row shift transformation: rs:
The 16 input bytes are arranged in a column major format of a 4x4 matrix. To achieve the desired confusion, a linear transformation rs is applied. Here, the bytes in each row of the matrix are given a cyclic left shift. For i = 1, 2, 3, 4 the bytes in the i-th row are circularly left shifted by (i-1) bytes.
The inverse of a row shift transformation is obtained by cyclically shifting the bytes in the reverse direction i.e. circularly right shifting 0, 1, 2, and 3 bytes in the first, second, third and fourth row of the 4x4 input matrix, respectively.

Modified Rijndael's key expansion mechanism:
The key expansion mechanism for the 128-bit key size in Rijndael is defined in the following manner. The expanded key of ( )( )

So far we have briefly discussed the internals of the Rijndael algorithm. In the subsequent sections we present the modified form of bs, followed by the indicator vector matrix representation of one complete round involving all four transformation functions, namely bs, rs, mc and ak.

Modified byte substitution bs transformation:
The bs transformation, as stated in the previous section, comprises two steps: the first step calculates the multiplicative inverse of the desired byte, and the second step applies an affine transformation. Let $b_i$: $b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7$ represent the bits of a byte as a vector in big endian format. In matrix form, the affine transformation component of the S-box can be expressed as: (2)

The inverse byte substitution transformation can similarly be represented as: Where, ( )

Here, we partially linearized the bs transformation. In the next section we extend this formulation idea of Iv to recast the Rijndael round functions and represent them mathematically as a simple Iv matrix relation. Fig. 1 gives the pictorial representation of an i-th round transformation function. We recast the cipher round with an abuse of notation in the following manner: Let $\mu_j$, $j = 1, 2, 3$, be the "operators" such that:

Recasting of Rijndael internals
$$\mu_1 = bs(a(x)), \qquad \mu_2 = x \cdot bs(a(x)) \bmod g(x), \qquad \mu_3 = (x + 1) \cdot bs(a(x)) \bmod g(x)$$

These $\mu_j$'s correspond to the mc transformation of the bs transformed byte, and their position in the matrix R corresponds to the rs transformation on the byte X. Thus, one round of Rijndael can completely be characterized as:
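The three operators $\mu_j$ applied to a full state, as an added example that is not code from the paper: each output byte is an XOR of $\mu_j$ values, with the source position of each byte fixed by rs. It assumes g(x) is the AES polynomial x^8 + x^4 + x^3 + x + 1; the names `xtime`, `MU`, `MC` and `rs_mc` are hypothetical, and the sample state is the round-1 SubBytes output of the FIPS-197 Appendix B worked example.

```python
G = 0x11B  # assumed g(x) = x^8 + x^4 + x^3 + x + 1

def xtime(s):
    """x * s(x) mod g(x)."""
    s <<= 1
    return s ^ G if s & 0x100 else s

# The operators act on s = bs(a(x)), a byte that is already substituted.
MU = {
    1: lambda s: s,             # mu_1 = bs(a(x))
    2: xtime,                   # mu_2 = x * bs(a(x)) mod g(x)
    3: lambda s: xtime(s) ^ s,  # mu_3 = (x + 1) * bs(a(x)) mod g(x)
}

# Index j of the operator used at each position of the circulant mc matrix.
MC = [[2, 3, 1, 1],
      [1, 2, 3, 1],
      [1, 1, 2, 3],
      [3, 1, 1, 2]]

def rs_mc(state):
    """Apply rs then mc to 16 bs-transformed bytes in column major order."""
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                # rs: after the row shift, row k of column c holds the byte
                # that was in row k of column (c + k) mod 4.
                src = state[4 * ((c + k) % 4) + k]
                acc ^= MU[MC[r][k]](src)
            out[4 * c + r] = acc
    return out

# Sample input: state after bs in round 1 of the FIPS-197 Appendix B example.
SAMPLE = [0xD4, 0x27, 0x11, 0xAE, 0xE0, 0xBF, 0x98, 0xF1,
          0xB8, 0xB4, 0x5D, 0xE5, 0x1E, 0x41, 0x52, 0x30]

if __name__ == "__main__":
    print(" ".join(f"{b:02x}" for b in rs_mc(SAMPLE)))
```
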