The final round of both encryption and decryption consists of only three stages.
Substitute Bytes Transformation
The forward substitute byte transformation is called SubBytes. It is represented by
16x16 matrix called an S-box. For each individual byte of State the value
is mapped into a new
byte. The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used
as a column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column
5 of the S-box, which contains the value {2A}.

14
ShiftRows Transformation

15
MixColumns Transformation
The forward mix column transformation, called MixColumns, operates on each column
individually. Each byte of a column is mapped into a new value that is a function of all four
bytes in that column. The transformation can be defined by the following matrix
The following is an example for mixcolumns
Multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift
followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original value
(prior to the shift) is 1. Thus, to verify the MixColumns transformation on the first column, we
need to show that
AddRoundKey Transformation
In the forward add round key transformation, called AddRoundKey, the 128 bits of
State are bitwise XORed with the 128 bits of the round key.

16
Key Expansion Algorithm
The input to this algorithm is 4 word key. The output is 44 words. The key is copied
to the first 4-words of the expanded key. The remainder of the expanded key is filled in four
words at a time. Each added word depends on the immediately preceding wordw(i-1) and the
word four positions back, w(i-4).
KeyExpansion
(
byte
key[16],
word
w[44])
{
word
temp
for
(i = 0; i < 4; i++)
w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
for
(i = 4; i < 44; i++)
{
temp = w[i - 1];
if
(i mod 4 = 0)
temp = SubWord (RotWord (temp))
⊕
Rcon[i/4];
w[i] = w[i-4]
⊕
temp
}
}

17
DOUBLE DES
The simplest form of multiple encryption has two encryption stages and two keys. Given a
plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
C = E(K
2
, E(K
1
, P))
Drawback
Meet-in-the-middle attack
Given a known pair, (P, C), the attack proceeds as follows. First, encrypt P for all 256 possible
values of K
1
. Store these results in a table and then sort the table by the values of X. Next,
decrypt C using all 256 possible values of K
2
. As each decryption is produced, check the result
against the table for a match. If a match occurs, then test the two resulting keys against a new
known plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them as