Advanced Encryption Standard (AES) is a specification for the encryption of electronic data. It has been adopted by the U.S.

government and is now used worldwide. It supersedes DES.[3] The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. In the United States, AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a five-year standardization process in which fifteen competing designs were presented and evaluated before it was selected as the most suitable (see Advanced Encryption Standard process for more details). It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information (see Security of AES, below). Originally called Rijndael, the cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted by them to the AES selection process.[4] The name Rijndael (Dutch pronunciation: [rindal][5]) is a play on the names of the two inventors. Strictly speaking, AES is the name of the standard, and the algorithm described is a (restricted) variant of Rijndael. However, in practice the algorithm is also referred to as "AES".
Contents
[hide]

1 Description of the cipher

o o o o o o

1.1 High-level description of the algorithm 1.2 The SubBytes step 1.3 The ShiftRows step 1.4 The MixColumns step 1.5 The AddRoundKey step 1.6 Optimization of the cipher

2 Security

o o

2.1 Known attacks 2.2 Side-channel attacks

3 NIST/CSEC validation 4 Test vectors 5 Performance 6 Implementations 7 See also

8 Notes 9 References 10 External links

[edit]Description

of the cipher

AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware.[6] Unlike its predecessor, DES, AES does not use a Feistel network. AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The blocksize has a maximum of 256 bits, but the keysize has no theoretical maximum. AES operates on a 44 column-major order matrix of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field. The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key. [edit]High-level

description of the algorithm

1. KeyExpansionround keys are derived from the cipher key using Rijndael's key schedule 2. Initial Round 1. AddRoundKeyeach byte of the state is combined with the round key using bitwise xor 3. Rounds 1. SubBytesa non-linear substitution step where each byte is replaced with another according to a lookup table. 2. ShiftRowsa transposition step where each row of the state is shifted cyclically a certain number of steps. 3. MixColumnsa mixing operation which operates on the columns of the state, combining the four bytes in each column. 4. AddRoundKey 4. Final Round (no MixColumns) 1. SubBytes 2. ShiftRows 3. AddRoundKey [edit]The SubBytes

step

In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; bij = S(aij).

In the SubBytes step, each byte in the matrix is updated using an 8-bit substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(28), known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation. The S-box is also chosen to avoid any fixed points (and so is aderangement), and also any opposite fixed points. [edit]The ShiftRows

step

In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.

The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively. For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. In this way, each column of the output state of the ShiftRows step is composed of bytes from each column of the input state. (Rijndael variants with a larger block size have slightly different offsets). For a 256-bit block, the first row is unchanged and the shifting for the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectivelythis change only applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks. [edit]The MixColumns

step

In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).

In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher. During this operation, each column is multiplied by the known matrix that for the 128 bit key is

The multiplication operation is defined as: multiplication by 1 means no change, multiplication by 2 means shifting to the left, and multiplication by 3 means shifting to the left and then performing xor with the initial unshifted value. After shifting, a conditional xor with 0x1B should be performed if the shifted value is larger than 0xFF. In more general sense, each column is treated as a polynomial over GF(28) and is then multiplied modulo x4+1 with a fixed polynomial c(x) = 0x03 x3 + x2 + x + 0x02. The coefficients are displayed in their hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x]. The MixColumns step can also be viewed as a multiplication by a particularMDS matrix in a finite field. This process is described further in the article Rijndael mix columns. [edit]The AddRoundKey

step

In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XORoperation ().

In the AddRoundKey step, the subkey is combined with the state. For each round, a subkey is derived from the main keyusing Rijndael's key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR. [edit]Optimization

of the cipher

On systems with 32-bit or larger words, it is possible to speed up execution of this cipher by combining SubBytes andShiftRows with MixColumns, and transforming them into a sequence of table lookups. This requires four 256-entry 32-bit tables, which utilizes a total of four kilobytes (4096 bytes) of memoryone kilobyte for each table. A round can now be done with 16 table lookups and 12 32-bit exclusive-or operations, followed by four 32-bit exclusive-or operations in theAddRoundKey step.[7] If the resulting four kilobyte table size is too large for a given target platform, the table lookup operation can be performed with a single 256-entry 32-bit (i.e. 1 kilobyte) table by the use of circular rotates. Using a byte-oriented approach, it is possible to combine the SubBytes, ShiftRows, and MixColumns steps into a single round operation.[2] Arithmetic in a finite field is different from standard integer arithmetic. There are a limited number of elements in the finite field; all operations performed in the finite field result in an element within that field. While each finite field is itself not infinite, there are infinitely many different finite fields; their number of elements (which is also called cardinality) is necessarily of the form pn where p is aprime number and n is a positive integer, and two finite fields of the same size are isomorphic. The

prime p is called the characteristic of the field, and the positive integer n is called thedimension of the field over its prime field. Finite fields are used in a variety of applications, including in classical coding theory in linear block codes such as BCH and RS and in cryptography algorithms such as the Rijndaelencryption algorithm.
Contents
[hide]

1 Effective polynomial representation 2 Addition and subtraction 3 Multiplication

o o o

3.1 Rijndael's finite field 3.2 Multiplicative inverse 3.3 Primitive finite fields

4 Program examples

4.1 C Programming Example

5 Arithmetic example (where the Characteristic is different than 2) 6 External links

[edit]Effective

polynomial representation

The finite field with pn elements is denoted GF(pn) and is also called the Galois Field, in honor of the founder of finite field theory, variste Galois. GF(p), where p is a prime number, is simply the ring of integers modulo p. That is, one can perform operations (addition, subtraction, multiplication) using the usual operation on integers, followed by reduction modulo p. For instance, in GF(5), 4+3=7 is reduced to 2 modulo 5. Division is multiplication by the inverse modulo p, which may be computed using the extended Euclidean algorithm. A particular case is GF(2), where addition is exclusive OR (XOR) and multiplication is AND. Since the only invertible element is 1, division is the identity function. Elements of GF(pn) may be represented as polynomials of degree strictly less than n over GF(p). Operations are then performed modulo R where R is an irreducible polynomial of degreen over GF(p), for instance using polynomial long division. The addition of two polynomials P and Q is done as usual; multiplication may be done as follows: compute W =P.Q as usual, then compute the remainder modulo R (there exist better ways to do this). When the prime is 2, it is conventional to express elements of GF(pn) as binary numbers, with each term in a polynomial represented by one bit in the corresponding element's binary expression. Braces ( "{" and "}" ) or similar delimiters are commonly added to binary numbers, or to their

hexadecimal equivalents, to indicate that the value is an element of a field. For example, the following are equivalent representations of the same value in a characteristic 2 finite field: Polynomial: x6 + x4 + x + 1 Binary: {01010011} Hexadecimal: {53} [edit]Addition

and subtraction

Addition and subtraction are performed by adding or subtracting two of these polynomials together, and reducing the result modulo the characteristic. In a finite field with characteristic 2, addition modulo 2, subtraction modulo 2, and XOR are identical. Thus, Polynomial: (x6 + x4 + x + 1) + (x7 + x6 + x3 + x) = x7 + x4 + x3 + 1 Binary: {01010011} + {11001010} = {10011001} Hexadecimal: {53} + {CA} = {99} Notice that under regular addition of polynomials, the sum would contain a term 2x6, but that this term becomes 0x6 and is dropped when the answer is reduced modulo 2. Here is a table with both the normal algebraic sum and the characteristic 2 finite field sum of a few polynomials: p1 + p2 (normal algebra) p1 + p2 in GF(2n)

p1

p2

x3 + x + 1 x3 + x2 2x3 + x2 + x + 1

x2 + x + 1

x4 + x2

x6 + x2 x6 + x4 + 2x2

x6 + x4

x+1

x2 + 1 x2 + x + 2

x2 + x

x3 + x

x2 + 1 x3 + x2 + x + 1

x3 + x2 + x + 1

x2 + x

x2 + x 2x2 + 2x

Note: In computer science applications, the operations are simplified for finite fields of characteristic 2, also called GF(2n) Galois fields, making these fields especially popular choices for applications. [edit]Multiplication

Multiplication in a finite field is multiplication modulo an irreducible reducing polynomial used to define the finite field. (I.e., it is multiplication followed by division using the reducing polynomial as the divisorthe remainder is the product.) The symbol "" may be used to denote multiplication in a finite field. [edit]Rijndael's

finite field

Rijndael uses a characteristic 2 finite field with 8 terms, which can also be called the Galois field GF(28). It employs the following reducing polynomial for multiplication: x8 + x4 + x3 + x + 1. For example, {53} {CA} = {01} in Rijndael's field because (x6 + x4 + x + 1)(x7 + x6 + x3 + x) = (x13 + x12 + x9 + x7) + (x11 + x10 + x7 + x5) + (x8 + x7 + x4 + x2) + (x7 + x6 + x3 + x) = x13 + x12 + x9 + x11 + x10 + x5 + x8 + x4 + x2 + x6 + x3 + x = x13 + x12 + x11 + x10 + x9 + x8 + x6 + x5 + x4 + x3 + x2 + x and x13 + x12 + x11 + x10 + x9 + x8 + x6 + x5 + x4 + x3 + x2 + x modulo x8 + x4 + x3 + x + 1 = (11111101111110 mod 100011011) = 1, which can be demonstrated through long division(shown using binary notation, since it lends itself well to the task. Notice that exclusive OR is applied in the example and not arithmetic subtraction, as one might use in grade-school long division.):

11111101111110 (mod) 100011011 ^100011011

ES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule. Contents [hide]

1 Common operations
o o

1.1 Rotate 1.2 Rcon

o o

1.3 S-box 1.4 Key schedule core

2 The key schedule

o o

2.1 Constants 2.2 Key schedule description

3 References 4 See also

[edit]Common operations Rijndael's key schedule utilizes a number of operations, which will be described before describing the key schedule. [edit]Rotate The rotate operation takes a 32-bit word like this (in hexadecimal): 1D 2C 3A 4F and rotates it eight bits to the left such that the high eight bits "wrap around" and become the low eight bits of the result. 2C 3A 4F 1D [edit]Rcon Rcon is what the Rijndael documentation calls the exponentiation of 2 to a user-specified value. Note that this operation is not performed with regular integers, but in Rijndael's finite field. In polynomial form, 2 is compute , and we

in

or equivalently,

in

For example, the rcon(1) = 1, the rcon(2) = 2, the rcon(3) = 4, and the rcon(9) is the hexadecimal number 0x1b (27 in decimal). Rcon[256] = { 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,

0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d} [edit]S-box The key schedule uses Rijndael's S-box. [edit]Key schedule core This operation is used as an inner loop in the key schedule, and is done thus:

The input is a 32-bit word and at an iteration number i. The output is a 32-bit word. Copy the input over to the output. Use the above described rotate operation to rotate the output eight bits to the left Apply Rijndael's S-box on all four individual bytes in the output word On just the first (leftmost) byte of the output word, exclusive or the byte with 2 to the power of (i-1). In other words, perform the rcon operation with i as the input, and exclusive or the rcon output with the first byte of the output word

[edit]The key schedule [edit]Constants Since the key schedule for 128-bit, 192-bit, and 256-bit encryption are very similar, with only some constants changed, the following keysize constants are defined here:

n has a value of 16 for 128-bit keys, 24 for 192-bit keys, and 32 for 256-bit keys b has a value of 176 for 128-bit keys, 208 for 192-bit keys, and 240 for 256-bit keys

[edit]Key schedule description Rijndael's key schedule is done as follows: 1. The first n bytes of the expanded key are simply the encryption key. 2. The rcon iteration value i is set to 1 3. Until we have b bytes of expanded key, we do the following to generate n more bytes of expanded key:

We do the following to create 4 bytes of expanded key: 1. We create a 4-byte temporary variable, t 2. We assign the value of the previous four bytes in the expanded key to t 3. We perform the key schedule core (see above) on t, with i as the rcon iteration value 4. We increment i by 1 5. We exclusive-or t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key

We then do the following three times to create the next twelve bytes of expanded key: 1. We assign the value of the previous 4 bytes in the expanded key to t 2. We exclusive-or t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key

If we are generating a 256-bit key, we do the following to generate the next 4 bytes of expanded key: 1. We assign the value of the previous 4 bytes in the expanded key to t 2. We run each of the 4 bytes in t through Rijndael's S-box 3. We exclusive-or t with the 4-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key.

If we are generating a 128-bit key, we do not perform the following steps. If we are generating a 192-bit key, we run the following steps twice. If we are generating a 256-bit key, we run the following steps three times: 1. We assign the value of the previous 4 bytes in the expanded key to t 2. We exclusive-or t with the four-byte block n bytes before the new expanded key. This becomes the next 4 bytes in the expanded key

In cryptography, the so-called product ciphers are a certain kind of ciphers, where the (de-)ciphering

of data is done in "rounds". The general setup of each round is the same, except for some hardcoded parameters and a part of the cipher key, called a subkey. A key schedule is an algorithm that, given the key, calculates the subkeys for these rounds. [edit]Some

types of key schedules

Some ciphers have simple key schedules. For example, the block cipher TEA simply splits the 128-bit key into four 32-bit pieces and uses them repeatedly in successive rounds. DES uses a key schedule where the 56 bit key is divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 (PC2) 24 bits from the left half, and 24 from the right. The rotations mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys. In an effort to avoid simple relationships between the cipher key and the subkeys, to resist such forms of cryptanalysis as related-key attacks and slide attacks, many modern ciphers use much more elaborate key schedules, algorithms that use a one-way function to generate an "expanded key" from which subkeys are drawn. Some ciphers, such as Rijndael (AES) and Blowfish, use parts of the cipher algorithm itself for this key expansion, sometimes initialized with some "nothing up my sleeve numbers". Other ciphers, such as RC5, expand keys with functions that are somewhat or completely different from the encryption functions.

5 06 70 |d0 80 |3a 90 |96 a0 |47 b0 |fc c0 |1f d0 |60 e0 |a0

2c 91 ac f1 56 dd 51 e0

1e 11 74 1a 3e a8 7f 3b

8f 41 22 71 4b 33 a9 4d

ca 4f e7 1d c6 88 19 ae

3f 67 ad 29 d2 07 b5 2a

0f dc 35 c5 79 c7 4a f5

02 ea 85 89 20 31 0d b0

c1 97 e2 6f 9a b1 2d c8

af f2 f9 b7 db 12 e5 eb

bd cf 37 62 c0 10 7a bb

03 ce e8 0e fe 59 9f 3c

01 f0 1c aa 78 27 93 83

13 b4 75 18 cd 80 c9 53

8a e6 df be 5a ec 9c 99

6b 73 6e 1b f4 5f ef 61

f0 |17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d For C, C++ implementation, here is the initialization of the table: unsigned char inv_s[256] = { 0x52, 0x09, 0x6A, 0xD5, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xA7, 0x8D, 0x9D, 0x84, 0x90, 0xD8, 0xAB, 0x00, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0x78, 0xCD, 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0x55, 0x21, 0x0C, 0x7D }; [edit]Design

0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,

criteria

The Rijndael S-Box was specifically designed to be resistant to linear and differential cryptanalysis. This was done by minimizing the correlation between linear transformations of input/output bits, and at the same time minimizing the difference propagation probability.

In addition, to strengthen the S-Box against algebraic attacks, the affine transformation was added. In the case of suspicion of a trapdoor being built into the cipher, the current S-box might be replaced by another one. The authors claim that the Rijndael cipher structure should provide enough resistance against differential and linear cryptanalysis, even if an S-Box with "average" correlation / difference propagation properties is used.