The AES-256 Algorithm

In AES-128, we used the following steps to encrypt 16 bytes of plaintext:

1. Use a 16 byte key to generate a key schedule, which is 176 bytes long (11 words made up of 16 bytes).
2. Put the 16 bytes of plaintext into a 4x4 state matrix.
3. Combine the first word of the key schedule with the state.
4. Apply 10 rounds of transformations to the state, involving the key schedule.
5. Retrieve 16 bytes of ciphertext from the state matrix.

The transformations involve several functions which mix together the bytes of the state. These functions are SubBytes(), MixColumns(), and ShiftRows().

AES-256 is not much different from AES-128. The encryption process is:

1. Use a 32 byte key to generate a key schedule, which is 240 bytes long (15 words made up of 16 bytes).
2. Put the 16 bytes of plaintext into a 4x4 state matrix.
3. Combine the first word of the key schedule with the state.
4. Apply 14 rounds of transformations to the state, involving the key schedule.
5. Retrieve 16 bytes of ciphertext from the state matrix.

Notice that most of this algorithm is the same. Earlier, we could attack a target by examining the output of a substitution box; since AES-256 uses these same S-boxes, we should have no problem finding a sensitive point to attack.

The following code is an example of the AES-256 decryption algorithm, written by Ilya O. Levin:

aes_addRoundKey_cpy(buf, ctx->deckey, ctx->key);
aes_shiftRows_inv(buf);
aes_subBytes_inv(buf);

for (i = 14, rcon = 0x80; --i;)
{
    if( ( i & 1 ) )
    {
        aes_expandDecKey(ctx->key, &rcon);
        aes_addRoundKey(buf, &ctx->key[16]);
    }
    else aes_addRoundKey(buf, ctx->key);
    aes_mixColumns_inv(buf);
    aes_shiftRows_inv(buf);
    aes_subBytes_inv(buf);
}
aes_addRoundKey( buf, ctx->key);

Note that this implementation chooses to expand the key during the decryption process. This order of events isn't a big deal to us - the subBytes() operation will still be visible in a power trace.

Attacking AES-256 Decryption