Is the order of the steps in AES commutative?

Question

Say I wanted to change the order of the 4 steps within a round in AES, would it change the final result?

What did you research? There are 4! possible positions and actually it depends on the order. This answer contains the possible case Does changing the order of the steps within a round affect the security of AES? ShiftRows and SubBytes are commutative, They are not commutative MixColumns — kelalaka, Apr 10 '20 at 13:13

score 4 · Answer 1 · answered Apr 10 '20 at 13:15

4

We have four components of AES round function:

SubBytes performs per-byte substitution operation.
ShiftRows is a permutation of bytes of the state.
MixColumns is a function that works on each column of the state.
AddRoundKey adds 128 bits of the round key to the corresponding bytes of the state.

The only two operations (that follow each other in the original order) that commute are SubBytes and ShiftRows since the first works independently on each byte (and the operation for each byte is the same) and the second one just reshuffles the bytes.

If you swap e.g. MixColumns and AddRoundKey you will get a different result, because instead of adding the round key $rk$ you will effectively add MixColumns($rk$) which is a different value for non-zero round key.

answered Apr 10 '20 at 13:15

Kris

632
4
8

1

Yet the swap of MixColumns and AddRoundKey is possible, if one adjust the key injected by AddRoundKey by first applying InvMixColumns to the key (that's necessary to obtain the same result as the original AES). That's part of why there is no MixColumnsin the last round: AddRoundKey and MixColumns are close enough to commutative that MixColumns in the last round would have little cryptographic value. – fgrieu Nov 30 '20 at 14:47
1

@fgrieu: Correct, it's possible but as you pointed out it needs a modification of the key schedule, so it may not count as the original AES. – Kris Dec 02 '20 at 09:17

Is the order of the steps in AES commutative?

1 Answers1