AES Equivalent Decryption Algorithm

The equivalent decryption algorithm of the AES-128 encryption is provided. It follows the same sequence of applying transformation procedures as the encryption algorithm, but uses modified round keys.

The second type of AES decryption algorithms is called "Equivalent Inverse Cipher" in the FIPS publication, "Announcing the ADVANCED ENCRYPTION STANDARD (AES)" in 2001.

The difference of equivalent decryption algorithms and standard decryption algorithms can be summarized as:

• Standard decryption algorithms use same round keys as the encryption algorithm, but applies transformation procedures in a different sequence.
• Equivalent decryption algorithms have the same sequence of applying transformation procedures as the encryption algorithm, but uses modified round keys.

Here is the equivalent decryption algorithm for a single block of 128-bit ciphertext with a 128-bit cipher key:

```Input:
C: 128 bits of ciphertext
K: 128 bits cipher key

InvS[]: Inverse substitution box of 16x16 byte values
InvKeyExpansion(): Inverse procedure to expand cipher key
InvShiftRows(): Inverse shift rows procedure
InvSubBytes(): Inverse substitution of bytes procedure
InvMixColumns(): Inverse mix columns procedure

Output:
T: 128 bits of plaintext

Algorithm:
InvKeyExpansion(K,ik[])      # expanding K to 11 round keys:

state = C                     # copying ciphertext to state

for i = 9 to 1                # loop to repeat 9 rounds backward
InvSubBytes(state)         # performing reverse substitution
InvShiftRows(state)        # performing reverse byte shifting
InvMixColumns(state)       # reversely mixing columns in state
end for                       # end of loop

InvSubBytes(state)            # performing reverse substitution
InvShiftRows(state)           # performing reverse byte shifting

T = state                     # copying state to plaintext
```

All procedures used in this equivalent decryption algorithm are identical to the standard decryption algorithm except for the InvKeyExpansion() procedure. Comparing with the KeyExpansion procedure, the InvKeyExpansion() procedure only has 1 extra step at the end as shown below:

```Procedure Name:
InvKeyExpansion(K,ik[])

Input:
K: 128 bits cipher key
Rcon[]: Round constant array
SubWord(): Word substitution procedure
RotWord(): Word rotation procedure

Output:
ik[11]: 11 round keys as 4x4 byte arrays

Algorithm:
w[4*11]              # a word array holding 11 round keys
w[0..3] = K          # setting cipher key as the first round key

for i = 4 to 43      # computing words of other round keys
temp = w[i-1]     # copying previous word to a temp variable
if (i mod 4 = 0)
temp = SubWord(RotWord(temp))
temp = temp XOR Rcon[i/4]
end if
w[i] = w[i-4] XOR temp
end for

for i = 0 to 10      # building 11 round keys as 4x4 byte arrays
ik[i] = w[4*i..4*i+3]
end for

for r = 1 to 9       # extra step for the inverse round keys
InvMixColumns(ik[r])
end for
```

Last update: 2015.