Rijndael MixColumns

${\displaystyle {\begin{aligned}a(x)\bullet b(x)=c(x)&=\left(a_{3}x^{3}+a_{2}x^{2}+a_{1}x+a_{0}\right)\bullet \left(b_{3}x^{3}+b_{2}x^{2}+b_{1}x+b_{0}\right)\\&=c_{6}x^{6}+c_{5}x^{5}+c_{4}x^{4}+c_{3}x^{3}+c_{2}x^{2}+c_{1}x+c_{0}\end{aligned}}}$

where:

${\displaystyle c_{0}=a_{0}\bullet b_{0}}$

${\displaystyle c_{1}=a_{1}\bullet b_{0}\oplus a_{0}\bullet b_{1}}$

${\displaystyle c_{2}=a_{2}\bullet b_{0}\oplus a_{1}\bullet b_{1}\oplus a_{0}\bullet b_{2}}$

${\displaystyle c_{3}=a_{3}\bullet b_{0}\oplus a_{2}\bullet b_{1}\oplus a_{1}\bullet b_{2}\oplus a_{0}\bullet b_{3}}$

${\displaystyle c_{4}=a_{3}\bullet b_{1}\oplus a_{2}\bullet b_{2}\oplus a_{1}\bullet b_{3}}$

${\displaystyle c_{5}=a_{3}\bullet b_{2}\oplus a_{2}\bullet b_{3}}$

${\displaystyle c_{6}=a_{3}\bullet b_{3}}$

The result ${\displaystyle c(x)}$ is a seven-term polynomial, which must be reduced to a four-byte word, which is done by doing the multiplication modulo ${\displaystyle x^{4}+1}$.

If we do some basic polynomial modular operations we can see that:

${\displaystyle {\begin{aligned}x^{6}{\bmod {\left(x^{4}+1\right)}}&=-x^{2}=x^{2}{\text{ over }}\operatorname {GF} \left(2^{8}\right)\\x^{5}{\bmod {\left(x^{4}+1\right)}}&=-x=x{\text{ over }}\operatorname {GF} \left(2^{8}\right)\\x^{4}{\bmod {\left(x^{4}+1\right)}}&=-1=1{\text{ over }}\operatorname {GF} \left(2^{8}\right)\end{aligned}}}$

In general, we can say that ${\displaystyle x^{i}{\bmod {\left(x^{4}+1\right)}}=x^{i{\bmod {4}}}.}$

So

${\displaystyle {\begin{aligned}&a(x)\otimes b(x)=c(x){\bmod {\left(x^{4}+1\right)}}\\={}&\left(c_{6}x^{6}+c_{5}x^{5}+c_{4}x^{4}+c_{3}x^{3}+c_{2}x^{2}+c_{1}x+c_{0}\right){\bmod {\left(x^{4}+1\right)}}\\={}&c_{6}x^{6{\bmod {4}}}+c_{5}x^{5{\bmod {4}}}+c_{4}x^{4{\bmod {4}}}+c_{3}x^{3{\bmod {4}}}+c_{2}x^{2{\bmod {4}}}+c_{1}x^{1{\bmod {4}}}+c_{0}x^{0{\bmod {4}}}\\={}&c_{6}x^{2}+c_{5}x+c_{4}+c_{3}x^{3}+c_{2}x^{2}+c_{1}x+c_{0}\\={}&c_{3}x^{3}+\left(c_{2}\oplus c_{6}\right)x^{2}+\left(c_{1}\oplus c_{5}\right)x+c_{0}\oplus c_{4}\\={}&d_{3}x^{3}+d_{2}x^{2}+d_{1}x+d_{0}\end{aligned}}}$

where

${\displaystyle d_{0}=c_{0}\oplus c_{4}}$

${\displaystyle d_{1}=c_{1}\oplus c_{5}}$

${\displaystyle d_{2}=c_{2}\oplus c_{6}}$

${\displaystyle d_{3}=c_{3}}$

The coefficient ${\displaystyle d_{3}}$, ${\displaystyle d_{2}}$, ${\displaystyle d_{1}}$ and ${\displaystyle d_{0}}$ can also be expressed as follows:

${\displaystyle d_{0}=a_{0}\bullet b_{0}\oplus a_{3}\bullet b_{1}\oplus a_{2}\bullet b_{2}\oplus a_{1}\bullet b_{3}}$

${\displaystyle d_{1}=a_{1}\bullet b_{0}\oplus a_{0}\bullet b_{1}\oplus a_{3}\bullet b_{2}\oplus a_{2}\bullet b_{3}}$

${\displaystyle d_{2}=a_{2}\bullet b_{0}\oplus a_{1}\bullet b_{1}\oplus a_{0}\bullet b_{2}\oplus a_{3}\bullet b_{3}}$

${\displaystyle d_{3}=a_{3}\bullet b_{0}\oplus a_{2}\bullet b_{1}\oplus a_{1}\bullet b_{2}\oplus a_{0}\bullet b_{3}}$

And when we replace the coefficients of ${\displaystyle a(x)}$ with the constants ${\displaystyle {\begin{bmatrix}3&1&1&2\end{bmatrix}}}$ used in the cipher we obtain the following:

${\displaystyle d_{0}=2\bullet b_{0}\oplus 3\bullet b_{1}\oplus 1\bullet b_{2}\oplus 1\bullet b_{3}}$

${\displaystyle d_{1}=1\bullet b_{0}\oplus 2\bullet b_{1}\oplus 3\bullet b_{2}\oplus 1\bullet b_{3}}$

${\displaystyle d_{2}=1\bullet b_{0}\oplus 1\bullet b_{1}\oplus 2\bullet b_{2}\oplus 3\bullet b_{3}}$

${\displaystyle d_{3}=3\bullet b_{0}\oplus 1\bullet b_{1}\oplus 1\bullet b_{2}\oplus 2\bullet b_{3}}$

This demonstrates that the operation itself is similar to a Hill cipher. It can be performed by multiplying a coordinate vector of four numbers in Rijndael's Galois field by the following circulant MDS matrix:

${\displaystyle {\begin{bmatrix}d_{0}\\d_{1}\\d_{2}\\d_{3}\end{bmatrix}}={\begin{bmatrix}2&3&1&1\\1&2&3&1\\1&1&2&3\\3&1&1&2\end{bmatrix}}{\begin{bmatrix}b_{0}\\b_{1}\\b_{2}\\b_{3}\end{bmatrix}}}$