Editing Advanced Encryption Standard (section)

=== The {{mono|SubBytes}} step ===
{{Main|Rijndael S-box}}
[[Image:AES-SubBytes.svg|right|320px|thumbnail|In the {{mono | SubBytes}} step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, ''S''; ''b<sub>ij</sub>'' = ''S(a<sub>ij</sub>)''.]]
In the {{mono | SubBytes}} step, each byte <math>a_{i,j}</math> in the ''state'' array is replaced with a {{mono | SubByte}} <math>S(a_{i,j})</math> using an 8-bit [[substitution box]]. Before round 0, the ''state'' array is simply the plaintext/input. This operation provides the non-linearity in the [[cipher]]. The S-box used is derived from the [[multiplicative inverse]] over {{math|[[Finite field|GF]](2<sup>8</sup>)}}, known to have good non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible [[affine transformation]]. The S-box is also chosen to avoid any fixed points (and so is a [[derangement]]), i.e., <math> S(a_{i,j}) \neq a_{i,j} </math>, and also any opposite fixed points, i.e., <math> S(a_{i,j}) \oplus a_{i,j} \neq \text{FF}_{16} </math>.
While performing the decryption, the {{mono | InvSubBytes}} step (the inverse of {{mono | SubBytes}}) is used, which requires first taking the inverse of the affine transformation and then finding the multiplicative inverse.