This article describes the Sbox used by the Rijndael (aka AES) cryptographic algorithm.
Contents 
The Sbox is generated by determining the multiplicative inverse for a given number in Rijndael's finite field (zero, which has no inverse, is set to zero). The multiplicative inverse is then transformed using the following affine transformation:
where [x_{0}, ..., x_{7}] is the multiplicative inverse as a vector.
The matrix multiplication can be calculated by the following algorithm:
After the matrix multiplication is done, exclusive or the value by the decimal number 99 (the hexadecimal number 0x63, the binary number 1100011, and the bit string 11000110 representing the number in LSb first notation).
This will generate the following Sbox, which is represented here with hexadecimal notation:
 0 1 2 3 4 5 6 7 8 9 a b c d e f  00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Here the column is determined by the least significant nibble, and the row is determined by the most significant nibble. For example, the value 0x9a is converted in to 0xb8 by Rijndael's Sbox. Note that the multiplicative inverse of 0x00 is defined as itself.
The inverse Sbox is simply the Sbox run in reverse. For example, the inverse Sbox of 0xdb is 0x9f. It is calculated by first calculating the inverse affine transformation of the input value, followed by the multiplicative inverse. The inverse affine transformation is as follows:
The following table represents Rijndael's inverse Sbox:
 0 1 2 3 4 5 6 7 8 9 a b c d e f  00 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 10 7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 20 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 30 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 40 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 50 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 60 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 70 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 80 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 90 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a0 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b0 fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c0 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d0 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e0 a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 f0 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
The Rijndael SBox was specifically designed to be resistant to linear and differential cryptanalysis. This was done by minimizing the correlation between linear transformations of input/output bits, and at the same time minimizing the difference propagation probability.
In addition, to strengthen the SBox against algebraic attacks, the affine transformation was added. In the case of suspicion of a trapdoor being built into the cipher, the current Sbox might be replaced by another one. The authors claim that the Rijndael cipher structure should provide enough resistance against differential and linear cryptanalysis, even if an SBox with "average" correlation / difference propagation properties is used.
An equivalent equation for the affine transformation is
where b' b and c are 8 bit arrays and c is 01100011.^{[1]}
This can be done with the following java code:
public static boolean[] affineX (boolean[] bprime, boolean[] b, boolean[] c) { for (int j=0; j<8; j++) { bprime[ j ] = b[ j ] ^ b[ (j+4)%8 ]; bprime[ j ] ^= b[ (j+5)%8 ]; bprime[ j ] ^= b[ (j+6)%8 ]; bprime[ j ] ^= b[ (j+7)%8 ]; bprime[ j ] ^= c [ j ]; } return bprime; }
