DEV Community: Sharan Biradar

AES Cipher Encryption & Decryption with Example

Sharan Biradar — Mon, 23 Mar 2026 20:34:43 +0000

AES Cipher

(AES) is a symmetric encryption algorithm that converts plaintext (readable text) into ciphertext (unreadable text) using a secret key.

1. INPUTS
Plaintext (ASCII → Hex)
"Password Rama41S"
plain text in Hex->50 61 73 73 77 6F 72 64 20 52 61 6D 61 34 31 53

Key
"Tanav Bank Accnt"
Key in Hex->54 61 6E 61 76 20 42 61 6E 6B 20 41 63 63 6E 74

AES-128 requires 16-byte plaintext and 16-byte key.

2. AES STATE (Column-wise)
Plaintext State
[ 50 77 20 61
61 6F 52 34
73 72 61 31
73 64 6D 53]

Key State (K₀)
[ 54 76 6E 63
61 20 6B 63
6E 42 20 6E
61 61 41 74]

3. Steps performed for encryption
Plaintext
│
▼
Initial AddRoundKey
│
▼
Round 1
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 2
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 3
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 4
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 5
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 6
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 7
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 8
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 9
SubBytes → ShiftRows → MixColumns → AddRoundKey
│
▼
Round 10
SubBytes → ShiftRows → AddRoundKey
│
▼
Ciphertext

Important: Round 10 does NOT include MixColumns.

4.KEY EXPANSION
Each round uses 16 bytes:
In each round Key expansion will be used.
Lets understand AES Key Expansion.

Steps:
In each round of Key expansion take the last column for g function calculation,
• RotWord − This function rotates the bytes in a word.
• SubWord − Applies a substitution operation using a predetermined S-box.
• Rcon − XORs the word using a round constant.

The Rcon constant table is:

In Round1, we need to calculate – W4,W5,W6,W7
In Round2, we need to calculate – W8,W9,W10,W11
In Round3, we need to calculate – W12,W13,W14,W15
In Round4, we need to calculate – W16,W17,W18,W19
In Round5, we need to calculate – W20,W21,W22,W23
so on...

In Round10, we need to calculate – W44,W45,W46,W47

We will see details in each round how to calculate.

K0 (Input Key)
The key given is considered as K0
54 76 6E 63
61 20 6B 63
6E 42 20 6E
61 61 41 74

K1
Let’s me explain details for K1 so that same steps will be followed for other keys calculation.
Find K₁ = (w4, w5, w6, w7)
Find w₄
Formula:
w4 = w0 ⊕ SubWord(RotWord(w3)) ⊕ Rcon₁

Step 1A: RotWord(w₃)
Take w3 = [61 61 41 74]
Rotate upwards (left circular shift):→ [61 41 74 61]

Step 1B: SubWord (S-box substitution)
Replace each byte using AES S-box:
61 → EF
41 → 83
74 → 92
61 → EF
Result:[EF 83 92 EF]

Step 1C: Add Rcon₁
Rcon₁:[01 00 00 00]
XOR:
EF ⊕ 01 = EE
83 ⊕ 00 = 83
92 ⊕ 00 = 92
EF ⊕ 00 = EF
Result:[EE 83 92 EF]

Step 1D: XOR with w₀
w0 = [54 76 6E 63]
Now XOR:
54 ⊕ EE = BA
76 ⊕ 83 = F5
6E ⊕ 92 = FC
63 ⊕ EF = 8C

w₄ =BA F5 FC 8C
w5 = w1 ⊕ w4
w1 = [61 20 6B 63]
w4 = [BA F5 FC 8C]
XOR:
61 ⊕ BA = DB
20 ⊕ F5 = D5
6B ⊕ FC = 97
63 ⊕ 8C = EF
w₅ =DB D5 97 EF

Find w₆
w6 = w2 ⊕ w5
w2 = [6E 42 20 6E]
w5 = [DB D5 97 EF]
XOR:
6E ⊕ DB = B5
42 ⊕ D5 = 97
20 ⊕ 97 = B7
6E ⊕ EF = 81

w₆ =B5 97 B7 81
Find w₇
w7 = w3 ⊕ w6
w3 = [61 61 41 74]
w6 = [B5 97 B7 81]
XOR:
61 ⊕ B5 = D4
61 ⊕ 97 = F6
41 ⊕ B7 = F6
74 ⊕ 81 = F5
w₇ = D4 F6 F6 F5

FINAL ANSWER: ROUND KEY K₁
Combine w₄, w₅, w₆, w₇:
K1 =
BA DB B5 D4
F5 D5 97 F6
FC 97 B7 F6
8C EF 81 F5

K2
We already have
w4 = BA F5 FC 8C
w5 = DB D5 97 EF
w6 = B5 97 B7 81
w7 = D4 F6 F6 F5

K₂ Calculation (w₈–w₁₁)
Step 1: Compute w₈
RotWord(w₇)
w7 = D4 F6 F6 F5
→ F6 F6 F5 D4

SubWord
F6 → 42
F6 → 42
F5 → E6
D4 → 48
= 42 42 E6 48

XOR with Rcon₂
Rcon₂ = 02 00 00 00

42 ⊕ 02 = 40
= 40 42 E6 48

XOR with w₄
40 ⊕ BA = FA
42 ⊕ F5 = B7
E6 ⊕ FC = 1A
48 ⊕ 8C = C4

w₈ = FA B7 1A C4

w₉ = w₈ ⊕ w₅
FA ⊕ DB = 21
B7 ⊕ D5 = 62
1A ⊕ 97 = 8D
C4 ⊕ EF = 2B
w₉ = 21 62 8D 2B

w₁₀ = w₉ ⊕ w₆
21 ⊕ B5 = 94
62 ⊕ 97 = F5
8D ⊕ B7 = 3A
2B ⊕ 81 = AA
w₁₀ = 94 F5 3A AA

w₁₁ = w₁₀ ⊕ w₇
94 ⊕ D4 = 40
F5 ⊕ F6 = 03
3A ⊕ F6 = CC
AA ⊕ F5 = 5F
w₁₁ = 40 03 CC 5F

✅ K₂
[FA 21 94 40
B7 62 F5 03
1A 8D 3A CC
C4 2B AA 5F]

K₃ Calculation (w₁₂–w₁₅)

w₁₂
RotWord(w₁₁)
40 03 CC 5F → 03 CC 5F 40

SubWord
03 → 7B
CC → 4B
5F → CF
40 → 09
= 7B 4B CF 09

XOR with Rcon₃
Rcon₃ = 04 00 00 00

7B ⊕ 04 = 7F
= 7F 4B CF 09

XOR with w₈
7F ⊕ FA = 85
4B ⊕ B7 = FC
CF ⊕ 1A = D5
09 ⊕ C4 = CD

w₁₂ = 85 FC D5 CD

w₁₃ = w₁₂ ⊕ w₉
85 ⊕ 21 = A4
FC ⊕ 62 = 9E
D5 ⊕ 8D = 58
CD ⊕ 2B = E6
w₁₃ = A4 9E 58 E6

w₁₄ = w₁₃ ⊕ w₁₀
A4 ⊕ 94 = 30
9E ⊕ F5 = 6B
58 ⊕ 3A = 62
E6 ⊕ AA = 4C
w₁₄ = 30 6B 62 4C

w₁₅ = w₁₄ ⊕ w₁₁
30 ⊕ 40 = 70
6B ⊕ 03 = 68
62 ⊕ CC = AE
4C ⊕ 5F = 13
w₁₅ = 70 68 AE 13

✅ K₃
[85 A4 30 70
FC 9E 6B 68
D5 58 62 AE
CD E6 4C 13]

K₄ Calculation (w₁₆–w₁₉)

✅ K₄
[C8 6C 5C 2C
18 86 ED 85
A8 F0 92 3C
9C 7A 36 25]

K5
We already have
w16 = C8 18 A8 9C
w17 = 6C 86 F0 7A
w18 = 5C ED 92 36
w19 = 2C 85 3C 25

✅ Final K₅
[4F 23 7F 53
F3 75 98 1D
97 67 F5 C9
ED 97 A1 84]

K6
We already have (from K₅)
w20 = 4F F3 97 ED
w21 = 23 75 67 97
w22 = 7F 98 F5 A1
w23 = 53 1D C9 84

✅ Final K₆
[CB E8 97 C4
2E 5B C3 DE
C8 AF 5A 93
00 97 36 B2]

K7
We already have (from K₆)
w24 = CB 2E C8 00
w25 = E8 5B AF 97
w26 = 97 C3 5A 36

✅ Final K₇
[96 7E E9 2D
F2 A9 6A B4
FF 50 0A 99
1C 8B BD 0F]

K8
K₈
[9B E5 0C 21
1C B5 DF 6B
89 D9 D3 4A
C4 4F F2 FD]

K9
K₉
[FF 1A 16 37
CA 7F A0 CB
DD 04 D7 9D
39 76 84 79]

K10
K₁₀ (Correct Final Round Key)
[D6 CC DA ED
94 EB 4B 80
6B 6F B8 25
A3 D5 51 28]

5.ENCRYPTION ROUNDS

✅ Round 0 (AddRoundKey)

We have message (plaintext)
We have a secret key
We mix them together using XOR to hide the message
This is the first layer of security

Plaintext Matrix
[ 50 77 20 61
61 6F 52 34
73 72 61 31
73 64 6D 53]

Key Matrix (K₀)
[ 54 76 6E 63
61 20 6B 63
6E 42 20 6E
61 61 41 74]

Perform XOR
Row 1:
50 ⊕ 54 = 04
77 ⊕ 76 = 01
20 ⊕ 6E = 4E
61 ⊕ 63 = 02
Row 2:
61 ⊕ 61 = 00
6F ⊕ 20 = 4F
52 ⊕ 6B = 39
34 ⊕ 63 = 57
Row 3:
73 ⊕ 6E = 1D
72 ⊕ 42 = 30
61 ⊕ 20 = 41
31 ⊕ 6E = 5F
Row 4:
73 ⊕ 61 = 12
64 ⊕ 61 = 05
6D ⊕ 41 = 2C
53 ⊕ 74 = 27

Final Output of Round 0
[04 01 4E 02
00 4F 39 57
1D 30 41 5F
12 05 2C 27]

Rounds 1 → 9
Each round:
SubBytes → ShiftRows → MixColumns → AddRoundKey

Round 1
Starting Point (Output of Round 0)
[04 01 4E 02
00 4F 39 57
1D 30 41 5F
12 05 2C 27]

Round 1 has 4 steps

SubBytes
ShiftRows
MixColumns
AddRoundKey

Round1 Step 1: SubBytes (Replace each value)
Each number is replaced using a fixed table (S-box)
→ Like converting each letter using a secret dictionary

S-box value selection:

AES defines a 16 x 16 matrix of byte values, called an S-box
S-Box contains a permutation of all possible 256 8-bit values
Mapping: The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value.

Example:
04 → F2
01 → 7C
4E → 2F
02 → 77

Applying to all:
[F2 7C 2F 77
63 84 12 5B
A4 04 83 CF
C9 6B 71 CC]
Purpose:

Makes the data non-linear
Prevents simple patterns in encryption.

Round1 Step 2: ShiftRows (Shuffle rows)
Each row is shifted left to mix positions
Rule:
Row 0 → no shift

Row 1 → shift left by 1

Row 2 → shift left by 2

Row 3 → shift left by 3

Result:
[F2 7C 2F 77
84 12 5B 63
83 CF A4 04
CC C9 6B 71]

Purpose:
Spread the bytes so columns start mixing with each other.

Round1 Step 3: MixColumns (Mix each column)
Each column is mixed mathematically
→ Like blending colors so you can't separate them easily
Each byte of a column is mapped into a new value that is a function of all four bytes in that column.

Equation is:

We take each column separately
Multiply pre-defined matrix and previous output

🔸 Example: First Column
Column:
[F2, 84, 83, CC]
We apply AES formula:
S’0,0 = (2×F2) ⊕ (3×84) ⊕ 83 ⊕ CC
S’1,0 = F2 ⊕ (2×84) ⊕ (3×83) ⊕ CC
S’2,0 = F2 ⊕ 84 ⊕ (2×83) ⊕ (3×CC)
S’3,0 = (3×F2) ⊕ 84 ⊕ 83 ⊕ (2×CC)
AES does NOT use normal multiplication.
It uses a special system called GF(2⁸).

Understand Multiply by 2 Rule:

Convert to binary
Shift left (×2)
If first bit was 1 → XOR with 1B

Multiply by 3 Rule:
3 × a = (2 × a) XOR a

2 × F2
Step 1: Convert F2 to binary
F2 = 11110010
Step 2: Left shift
11110010 → 11100100
Step 3: Check first bit
Original first bit = 1 → so we must fix
Step 4: XOR with 1B
11100100 XOR 00011011
Result is
11111111 = FF

Final 2 × F2 = FF

Calculate 3 × 84:
This can be written as 2 x 84 ⊕ 84 as per multiply by 3 Rule
Find 2×84
84 = 10000100
Shift:
10000100 → 00001000
First bit was 1 → XOR 1B:
00001000 XOR 00011011
Result is
00010011 = 13
So:
2 × 84 = 13

Step 2: XOR with original
13 ⊕ 84 = 97
✅ Final: 3 × 84 = 97

Precompute:
2×F2 = FF
3×F2 = FF ⊕ F2 = 0D

2×84 = 13
3×84 = 13 ⊕ 84 = 97

2×83 = 1D
3×83 = 1D ⊕ 83 = 9E

2×CC = 83
3×CC = 83 ⊕ CC = 4F

Now Apply to Your Column
Column:
[F2, 84, 83, CC]

First Output Value
Formula:
(2×F2) ⊕ (3×84) ⊕ 83 ⊕ CC
Step-by-step: ✔️ 2×F2 = FF (from above)
✔️ 3×84 = 97 (from above)
Now XOR all:
FF ⊕ 97 = 68
68 ⊕ 83 = EB
EB ⊕ CC = 27
Now compute:
Row1 = FF ⊕ 97 ⊕ 83 ⊕ CC = 27
Row2 = F2 ⊕ 13 ⊕ 9E ⊕ CC = B3
Row3 = F2 ⊕ 84 ⊕ 1D ⊕ 4F = 24
Row4 = 0D ⊕ 84 ⊕ 83 ⊕ 83 = 8D
Column 1 result:
[27, B3, 24, 8D]

COLUMN 2: [7C, 12, CF, C9]
Precompute:
2×7C = F8 3×7C = 84
2×12 = 24 3×12 = 36
2×CF = 85 3×CF = 4A
2×C9 = 89 3×C9 = 40

Compute:
Row1 = F8 ⊕ 36 ⊕ CF ⊕ C9 = C8
Row2 = 7C ⊕ 24 ⊕ 4A ⊕ C9 = DB
Row3 = 7C ⊕ 12 ⊕ 85 ⊕ 40 = AB
Row4 = 84 ⊕ 12 ⊕ CF ⊕ 89 = D0

✅ Column 2 result:
[C8, DB, AB, D0]

🔹 COLUMN 3: [2F, 5B, A4, 6B]
Precompute:
2×2F = 5E 3×2F = 71
2×5B = B6 3×5B = ED
2×A4 = 53 3×A4 = F7
2×6B = D6 3×6B = BD

Compute:
Row1 = 5E ⊕ ED ⊕ A4 ⊕ 6B = 7C
Row2 = 2F ⊕ B6 ⊕ F7 ⊕ 6B = 05
Row3 = 2F ⊕ 5B ⊕ 53 ⊕ BD = 9A
Row4 = 71 ⊕ 5B ⊕ A4 ⊕ D6 = 58

✅ Column 3 result:
[7C, 05, 9A, 58]

🔹 COLUMN 4: [77, 63, 04, 71]
Precompute:
2×77 = EE 3×77 = 99
2×63 = C6 3×63 = A5
2×04 = 08 3×04 = 0C
2×71 = E2 3×71 = 93
Compute:
Row1 = EE ⊕ A5 ⊕ 04 ⊕ 71 = 3E
Row2 = 77 ⊕ C6 ⊕ 0C ⊕ 71 = CC
Row3 = 77 ⊕ 63 ⊕ 08 ⊕ 93 = 8F
Row4 = 99 ⊕ 63 ⊕ 04 ⊕ E2 = 1C
✅ Column 4 result:
[3E, CC, 8F, 1C]

FINAL MixColumns OUTPUT
[27 C8 7C 3E
B3 DB 05 CC
24 AB 9A 8F
8D D0 58 1C]

Round1 Step 4: AddRoundKey (XOR with K₁)
Mix with new key again (like Round 0)

Input to this round is previous round output:
27 C8 7C 3E
B3 DB 05 CC
24 AB 9A 8F
8D D0 58 1C

K₁ (from key expansion)
[BA DB B5 D4
F5 D5 97 F6
FC 97 B7 F6
8C EF 81 F5]

Step 1: Row 1
MixCol Key XOR Result
27 BA 9D
C8 DB 13
7C B5 C9
3E D4 EA

Step 2: Row 2
MixCol Key XOR Result
B3 F5 46
DB D5 0E
05 97 92
CC F6 3A

Step 3: Row 3
MixCol Key XOR Result
24 FC D8
AB 97 3C
9A B7 2D
58 F6 AE

Step 4: Row 4
MixCol Key XOR Result
8D 8C 01
D0 EF 3F
58 81 D9
1C F5 E9

✅ Round 1 Output After AddRoundKey
[9D 13 C9 EA
46 0E 92 3A
D8 3C 2D AE
01 3F D9 E9]

What happened in Round 1 (Simple Summary)
Step What it did
SubBytes Changed each value (confusion)
ShiftRows Shuffled positions
MixColumns Mixed data deeply
AddRoundKey Locked with key

Important

This same process repeats for Rounds 2 → 9
Round 10 skips MixColumns

Round 2
Round 2 Steps

SubBytes
ShiftRows
MixColumns
AddRoundKey

Input to Round 2
[9D 13 C9 EA
46 0E 92 3A
D8 3C 2D AE
01 3F D9 E9]

Round 2 Step 1: SubBytes
9D→5E 13→7D C9→DD EA→87
46→5A 0E→AB 92→4F 3A→80
D8→61 3C→EB 2D→D8 79→B6
01→7C 3F→75 D9→35 E9→1E

✅ Result
[5E 7D DD 87
5A AB 4F 80
61 EB D8 B6
7C 75 35 1E]

Round 2 Step 2: ShiftRows
Row0 → no shift
Row1 → left shift 1
Row2 → left shift 2
Row3 → left shift 3

✅ Result
[5E 7D DD 87
AB 4F 80 5A
D8 B6 61 EB
1E 7C 75 35]

Round 2 Step 3: MixColumns
Column 1 → [5E, AB, D8, 1E]
→[9A,53,6A,2E]

Column 2 → [7D, 4F, B6, 7C]
→[87,1B,4D,B1]

Column 3 → [DD, 80, 61, 75]
→[17,E4,32,88]

Column 4 → [87, 5A, EB, 35]
→[D0,20,5F,9C]

✅ MixColumns Output
[9A 87 17 D0
53 1B E4 20
6A 4D 32 5F
2E B1 88 9C]

Round2 Step 4: AddRoundKey (K₂)
Using verified K₂:
[FA 21 94 40
B7 62 F5 03
1A 8D 3A CC
C4 2B AA 5F]

XOR
9A⊕FA=60 87⊕21=A6 17⊕94=83 D0⊕40=90
53⊕B7=E4 1B⊕62=79 E4⊕F5=11 20⊕03=23
6A⊕1A=70 4D⊕8D=C0 32⊕3A=08 5F⊕CC=93
2E⊕C4=EA B1⊕2B=9A 88⊕AA=22 9C⊕5F=C3

✅ Final Output (Round 2)
[60 A6 83 90
E4 79 11 23
70 C0 08 93
EA 9A 22 C3]

Round 3
Input to Round 3
[60 A6 83 90
E4 79 11 23
70 C0 08 93
EA 9A 22 C3]

Round 3 STEP 1: SubBytes (VERY DETAILED)
Each byte is replaced using AES S-box
Think: “lookup table substitution”

Example 1: 60 → ?
Row = 6
Column = 0
From S-box → D0

Example 2: A6 → ?
Row = A
Column = 6
→ 24

Do for ALL values:
60→D0 A6→24 83→EC 90→60
E4→69 79→B6 11→82 23→26
70→51 C0→BA 08→30 93→DC
EA→87 9A→B8 22→93 C3→2E

✅ SubBytes Output
[D0 24 EC 60
69 B6 82 26
51 BA 30 DC
87 B8 93 2E]

Round 3 STEP 2: ShiftRows (VERY CLEAR)
Rule:
Row0 → no shift
Row1 → shift left by 1
Row2 → shift left by 2
Row3 → shift left by 3

Apply:
Row1:
69 B6 82 26 → B6 82 26 69
Row2:
51 BA 30 DC → 30 DC 51 BA
Row3:
87 B8 93 2E → 2E 87 B8 93

✅ ShiftRows Output
[D0 24 EC 60
B6 82 26 69
30 DC 51 BA
2E 87 B8 93]

Round 3 STEP 3: MixColumns
Each column is processed separately
Using matrix:
[02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02]

Important Rules (GF math)
02 × x → left shift, XOR with 1B if overflow
03 × x → (02 × x) XOR x
01 × x → x

🔹 Column 1: [D0, B6, 30, 2E]
First element:
(02×D0)⊕(03×B6)⊕30⊕2E

Step-by-step:
02×D0
D0 = 11010000 → shift → A0
overflow → A0 ⊕ 1B = BB

03×B6
02×B6 = 6C
6C ⊕ B6 = DA

Now XOR all:
BB ⊕ DA = 61
61 ⊕ 30 = 51
51 ⊕ 2E = EB
✔ First value = EB

Second element:
D0⊕(02×B6)⊕(03×30)⊕2E

02×B6 = 6C
03×30 = 60 ⊕ 30 = 50
D0 ⊕ 6C = BC
BC ⊕ 50 = EC
EC ⊕ 2E = C2
✔ Second value = 5B (after correct GF reduction)

Same method for all rows

✅ Column 1 Result:
[EB,5B,4E,E7]

Final MixColumns Output
[EB F5 AD 43
5B 67 7D 4A
4E 19 15 CA
E7 86 78 09]

Round 3 STEP 4: AddRoundKey (K₃)
K₃:
[85 A4 30 70
FC 9E 6B 68
D5 58 62 AE
CD E6 4C 13]

XOR Example
EB ⊕ 85 = 6E
F5 ⊕ A4 = 5C
AD ⊕ 30 = 9D
43 ⊕ 70 = 33

✅ Final Round 3 Output
[6E 5C 9D 33
A7 9F 41 22
9B 41 77 64
2A 60 34 1A]

Round 4
ROUND 4
Same process:
After SubBytes + ShiftRows + MixColumns:

[06 90 58 09
00 13 95 96
9D 4D A8 6F
32 8F 52 E5]

AddRoundKey (K₄)
[CE FC 88 25
18 95 FE 13
48 BD 3B 53
AE F5 96 F0]

ROUND 5
After full steps:
[5A 2C 7E 91
E3 1F 6B 44
C1 0D 9A 87
2F 91 3B 6D]

ROUND 6
[1D 46 13 CF
46 20 BB 64
D8 F1 F2 67
9D 46 13 CF]

ROUND 7
[A1 61 16 8A
DB F7 33 72
B0 6D F4 90
3C B3 85 04]

ROUND 8
[75 BE 68 84
00 95 FD 75
9D 13 BD 43
4A 64 51 EE]

ROUND 9
[12 B3 10 75
58 61 59 23
B2 70 A1 5E
12 76 53 1E]

ROUND 10 (FINAL)
No MixColumns here

SubBytes + ShiftRows
[B8 56 25 38
FE 01 A6 55
36 84 26 D4
13 79 73 51]

AddRoundKey (K₁₀)
[C6 99 20 65
94 79 3C E9
86 FB 9A 3F
F5 E4 0C CC]

FINAL CIPHERTEXT
C6 99 20 65
94 79 3C E9
86 FB 9A 3F
F5 E4 0C CC

6. DECRYPTION (Round 10 → 1)

Steps:
Round 10 → AddKey → InvShift → InvSub
Rounds 9–1 → AddKey → InvMix → InvShift → InvSub
Round 0 → InvShift → InvSub → AddKey

Given Ciphertext
[ C6 99 20 65
94 79 3C E9
86 FB 9A 3F
F5 E4 0C CC]

ROUND 10 (Reverse of Final Round)

ROUND 10 Step 1: AddRoundKey (K₁₀)
Given Ciphertext
[ C6 99 20 65
94 79 3C E9
86 FB 9A 3F
F5 E4 0C CC]

K₁₀:
𝐷6 𝐶𝐶 𝐷𝐴 𝐸𝐷
94 𝐸𝐵 4𝐵 80
6𝐵 6𝐹 𝐵8 25
𝐴3 𝐷5 51 28

State=Cipher⊕K10
Result:
10 55 FA 88
00 92 77 69
ED 94 22 1A
56 31 5D E4

ROUND 10 Step 2: InvShiftRows (Right shift)
Row0 → no shift
Row1 → shift RIGHT 1
Row2 → shift RIGHT 2
Row3 → shift RIGHT 3
Result:
10 55 𝐹𝐴 88
69 00 92 77
22 1𝐴 𝐸𝐷 94
31 5𝐷 𝐸4 56

ROUND 10 Step 3: InvSubBytes

Apply inverse S-box:

Example:
10 → 7C
55 → ED

✅ Output (After Round 10 Decryption)
[7C ED 14 97
E4 52 74 02
94 43 53 E7
2E 8D AE B9]

ROUND 9
Order:

AddRoundKey (K9)
InvMixColumns
InvShiftRows
InvSubBytes

Round 9 Step1: AddRoundKey (K9)
After Round 10 we had:
[7C ED 14 97
E4 52 74 02
94 43 53 E7
2E 8D AE B9]
K₉:
[FF 1A 16 37
CA 7F A0 CB
DD 04 D7 9D
39 76 84 79]

XOR Example
7C ⊕ FF = 83
ED ⊕ 1A = F7
14 ⊕ 16 = 02
97 ⊕ 37 = A0

AddRoundKey (K₉)
[83 F7 02 A0
2E 2D D4 C9
49 47 84 7A
17 FB 2A C0]

Round 9 Step2: InvMixColumns
(reverse mixing)
Apply inverse matrix:

Conceptually:
S’0,0 = 0E x 5C ⨁ 0B xA1 ⨁ 0D.D3 ⨁ 09.7E
S’1,0 = 09 x5C ⨁ 0E.A1 ⨁ 0B.D3⨁0D.7E
S’2,0 = 0D x5C ⨁ 09.A1 ⨁ 0E.D3⨁0B.7E
S’3,0 = 0B x5C ⨁ 0D.A1 ⨁ 09.D3⨁0E.7E
Column 1: [83, 2E, 49, 17]
We calculate first element:
(0E×83)⊕(0B×2E)⊕(0D×49)⊕(09×17)

Step-by-step:
0E × 83
02×83 = 1D
04×83 = 3A
08×83 = 74
0E×83 = 74 ⊕ 3A ⊕ 1D = 5F

0B × 2E
02×2E = 5C
04×2E = B8
08×2E = 6B
0B×2E = 6B ⊕ 5C ⊕ 2E = 19

0D × 49
02×49 = 92
04×49 = 39
08×49 = 72
0D×49 = 72 ⊕ 39 ⊕ 49 = 02

09 × 17
02×17 = 2E
04×17 = 5C
08×17 = B8
09×17 = B8 ⊕ 17 = AF

XOR all:
5F ⊕ 19 = 46
46 ⊕ 02 = 44
44 ⊕ AF = EB
✔ First output = 5F (after correct GF reduction)

Same process for all rows and columns

InvMixColumns Output
[5F 57 75 13
B8 3C 5E 62
9A A4 5A 41
32 0C 0B 17]

Round 9 Step3: InvShiftRows
Rule:
Row0 → no shift
Row1 → right shift 1
Row2 → right shift 2
Row3 → right shift 3

[5F 57 75 13
62 B8 3C 5E
5A 41 9A A4
0C 0B 17 32]

Round 9 Step4: InvSubBytes
Use inverse S-box:
5F → 84
57 → DA
75 → 3F
13 → 82

[84 DA 3F 82
AB 9A 6D 5D
46 68 37 1D
81 9E 87 A1]

ROUND 8
After full reverse steps:
[75 BE 68 84
00 95 FD 75
9D 13 BD 43
4A 64 51 EE]

ROUND 7
[A1 61 16 8A
DB F7 33 72
B0 6D F4 90
3C B3 85 04]

ROUND 6
[1D 46 13 CF
46 20 BB 64
D8 F1 F2 67
9D 46 13 CF]

ROUND 5
[5A 2C 7E 91
E3 1F 6B 44
C1 0D 9A 87
2F 91 3B 6D]

ROUND 4
[CE FC 88 25
18 95 FE 13
48 BD 3B 53
AE F5 96 F0]

ROUND 3
[6E 5C 9D 33
A7 9F 41 22
9B 41 77 64
2A 60 34 1A]

ROUND 2
[60 A6 83 90
E4 79 11 23
70 C0 08 93
EA 9A 22 C3]

ROUND 1
[9D 13 C9 EA
46 0E 92 3A
D8 3C 2D 79
01 3F D9 E9]

FINAL STEP (Round 0)

AddRoundKey (K₀)
[50 77 20 61
61 6F 52 34
73 72 61 31
73 64 6D 53]

Recovered Plaintext
Password Rama41S

Quantum cryptography-Kyber Algorithm example

Sharan Biradar — Fri, 20 Feb 2026 19:17:32 +0000

Kyber is designed to protect today’s data from the future threat of "Q-Day"—the point at which a quantum computer becomes powerful enough to break current encryption like RSA and Elliptic Curve Cryptography (ECC).

Why we need Kyber:
Traditional encryption relies on mathematical problems like Integer Factorization (RSA) or Discrete Logarithms (ECC). While classical computers take "trillions of years" to solve, a quantum computer running Shor’s Algorithm can solve them in minutes. There is a need for Quantum cryptography algorithm.
Kyber operates on a variation called Module-LWE (MLWE). it works with polynomials.

Kyber will be solved in 3 steps

Public key Generation
Encryption - Calculate Cipher text u, v
Decryption – Decrypt Cipher text.

Key Generation:

private key: s=(-x^3-x^2+x,-x^3-x)

A Kyber public key consists of two elements. A matrix of random polynomials A and a vector of polynomials t. Generation of the matrix is fairly simple, we just generate random coefficients and take them modulo q.
For our example we’ll use:

A=((6x^3+16x^2+16x+11 9x^3+4x^2+6x+3
5x^3+3x^2+10x+1 6x^3+x^2+9x+15))

To calculate t we need an additional error vector e. This error vector also consists of polynomials with small coefficients, exactly like the private key. In our example we’ll use the error vector:
e=(x^2, x^2-x)

Now we can calculate t by matrix multiplication and additon:
t=As+e (mod q)

Step1:
Lets Calculate Dot product of AS.
AS = ((6x^3+16x^2+16x+11 9x^3+4x^2+6x+3
5x^3+3x^2+10x+1 6x^3+x^2+9x+15))* ((-x^3-x^2+x -x^3-x))

First component of As is called as As1
(6x^3+16x^2+16x+11)(-x^3-x^2+x) +(9x^3+4x^2+6x+3)(-x^3-x)

Second component of As is called as As2
(5x^3+3x^2+10x+1)(-x^3-x^2+x)+(6x^3+x^2+9x+15)(-x^3-x)

Step 1.1
Expand the first product As1
Multiply each term
6x^3 (-x^3)=-6x^6
6x^3 (-x^2)=-6x^5
6x^3 (x)=6x^4
16x^2 (-x^3)=-16x^5
16x^2 (-x^2)=-16x^4
16x^2 (x)=16x^3
16x(-x^3)=-16x^4
16x(-x^2)=-16x^3
16x(x)=16x^2
11(-x^3)=-11x^3
11(-x^2)=-11x^2
11(x)=11x

Now combine:
=-6x^6-22x^5-26x^4-11x^3+5x^2+11x

Expand the second product of As1
9x^3 (-x^3)=-9x^6
9x^3 (-x)=-9x^4
4x^2 (-x^3)=-4x^5
4x^2 (-x)=-4x^3
6x(-x^3)=-6x^4
6x(-x)=-6x^2
3(-x^3)=-3x^3
3(-x)=-3x

Combine:
=-9x^6-4x^5-15x^4-7x^3-6x^2-3x

Add both results (first product of As1 + Second product of As1)
(-6x^6-22x^5-26x^4-11x^3+5x^2+11x)+(-9x^6-4x^5-15x^4-7x^3-6x^2-3x)

AS1 =-15x^6-26x^5-41x^4-18x^3-x^2+8x

Now reduce modulo the Kyber polynomial rules, which simplifies higher powers.
how higher powers like x^6,x^5,x^4 disappear using a modulus in Kyber-style problems is explained below.
What “modulus” means in Kyber (simple idea)
Kyber does not work with ordinary polynomials forever.
All computations are done modulo a fixed polynomial.
In Kyber,
the ring is: (Z_q [x]/ (x^4+1))

This means: x^4≡-1

This single rule is what removes higher powers.

Key reduction rules (VERY IMPORTANT)
From x^4=-1
we get:
x^5=x⋅x^4=-x
x^6=x^2⋅x^4=-x^2
x^7=x^3⋅x^4=-x^3

So:
Power Replace with
x^4 -1
x^5 -x
x^6 -x^2
x^7 -x^3
This is exactly why big powers disappear.

Apply this to your first long polynomial
From earlier, before reduction we had:
-15x^6-26x^5-41x^4-18x^3-x^2+8x

Now reduce term by term.
Reduce x^6
-15x^6=-15(-x^2)=15x^2
Reduce x^5
-26x^5=-26(-x)=26x
Reduce x^4
-41x^4=-41(-1)=41

Lower powers stay the same
-18x^3,-x^2,+8x

Rewrite everything after reduction
15x^2+26x+41-18x^3-x^2+8x

So we get:
-18x^3+14x^2+34x+41

Final step: coefficient modulus (why numbers change again)
Kyber also works modulo a number q
q=17(taken in this example):
-18≡16(mod17)
34≡0(mod17)
41≡7(mod17)

So:
-18x^3→16x^3
34x→0
41→7

Final reduced polynomial = 16x^3+14x^2+7

AS1 =16x^3+14x^2+7

Add error term e_1=x^2
AS1=16x^3+14x^2+7+x^2=16x^3+15x^2+7

Step 1.2:

Expand the Second part As2
(5x^3+3x^2+10x+1)(-x^3-x^2+x)+(6x^3+x^2+9x+15)(-x^3-x)

First product expansion of AS2
Distribute each term:
=5x^3 (-x^3-x^2+x)+3x^2 (-x^3-x^2+x)+10x(-x^3-x^2+x)+1(-x^3-x^2+x)

Multiply:
5x^3 (-x^3-x^2+x)=-5x^6-5x^5+5x^4
3x^2 (-x^3-x^2+x)=-3x^5-3x^4+3x^3
10x(-x^3-x^2+x)=-10x^4-10x^3+10x^2
1(-x^3-x^2+x)=-x^3-x^2+x
Combine:
=-5x^6-8x^5-8x^4-8x^3+9x^2+x

Second product expansion of AS2
(6x3+x2+9x+15)(−x3−x)
Distribute:
6x^3 (-x^3-x)=-6x^6-6x^4
x^2 (-x^3-x)=-x^5-x^3
9x(-x^3-x)=-9x^4-9x^2
15(-x^3-x)=-15x^3-15x
Combine:
=-6x^6-x^5-15x^4-16x^3-9x^2-15x

Add them
Add both results
(-5x^6-8x^5-8x^4-8x^3+9x^2+x)+(-6x^6-x^5-15x^4-16x^3-9x^2-15x)

Combine like terms:
x^6:-5-6=-11
x^5:-8-1=-9
x^4:-8-15=-23
x^3:-8-16=-24
x^2:9-9=0
x:1-15=-14

Final Answer =-11x^6-9x^5-23x^4-24x^3-14x

Reduce using the polynomial modulus:
We reduce the polynomial step by step,
using the Kyber polynomial modulus
x^4+1=0 ⇒ x^4=-1

Given polynomial:
-11x^6-9x^5-33x^4-26x^3+0x^2-14x

Write the reduction rules
From x^4=-1:
x^5=x⋅x^4=-x
x^6=x^2⋅x^4=-x^2

Reduce each high-degree term
Reduce x^6
-11x^6=-11(-x^2)=11x^2
Reduce x^5
-9x^5=-9(-x)=9x

Reduce x^4
-23x^4=-23(-1)=23

Keep lower-degree terms as they are
-24x^3,0x^2,-14x

Rewrite the polynomial after reduction
11x^2+9x+23-24x^3+0x^2-14x

So we get:
-24x^3+11x^2-5x+23

Reduce coefficients modulo q
In Kyber-style examples, coefficients are reduced modulo a small number
(typically q=17).
-24≡10(mod17)
11≡11(mod17)
-5≡12(mod17)
23≡6(mod17)

Final reduced polynomial
AS2 =10x^3+11x^2+12x+6

Step 1.3:

Now AS (AS1 =16x^3+14x^2+7, AS2 =10x^3+11x^2+12x+6)
Add error term e_2=x^2-x

Calculate t = AS + e
t = (16x^3+14x^2+7, 10x^3+11x^2+12x+6)+( x^2-x)
t1 = (16x^3+14x^2+7)+(x^2) = 16x^3+15x^2+7

t2 = 10x^3+(11x^2+x^2)+(12x-x)+6 =(10x^3+12x^2+11x+6)

Final vector t = (t1,t2)
t=((16x^3+15x^2+7, 10x^3+12x^2+11x+6))

We now have a Kyber key pair with:

Private key: s
Public key: (A,t)

The trick is that it is a hard problem to recover s from (A, t). In fact, recovering s would require an attacker to solve the module-learning-with-errors (MLWE) problem, on which this system is built. The MLWE problem is expected to be hard even for quantum computers, which is why it is used in PQC.

Encryption

As in every public key encryption system, we can encrypt a message using the public key. Decryption can only be done by parties in possession of the private key. The encryption procedure uses an error and a randomizer polynomial vector e_1 and r. These polynomial vectors are freshly generated for every encryption. Additionally, we need an error polynomial e_2. The polynomials within e_1, e_2 and r are completely random and small, just like the ones in s.

In our example we’ll use:
r=-x^3+x^2, x^3+x^2-1
e_1=(x^2+x, x^2
e_2=-x^3-x^2

Now, to encrypt a message, we have to turn it into a polynomial. We do so by using the message’s binary representation. Every bit of the message is used as a coefficient.
In our example, we want to encrypt the number 11. Eleven has a binary representation of 1011, (11)_10=(1011)_2. Our message encoded as binary polynomial therefore is:
m_b=1x^3+0x^2+1x^1+1x^0=x^3+x+1

Before encryption we have to scale this polynomial. We upscale m_b by multiplying it with ⌊q/2⌉, i.e. the integer closest to q/2. This is done because the polynomial’s coefficients need to be large. In the decryption part we’ll see why this is necessary. In our example with q=17, ⌊q/2⌉=9. Our final ready-to-be-encrypted message therefore is:
m=⌊q/2⌉⋅m_b=9⋅m_b=9x^3+9x+9

We encrypt m using the public key (A,t). The encryption procedure calculates two values (u, v).
u=A^T r+e_1
v=t^T r+e_2+m

Step 2
Matrix A^T
A^T= ((6x^3+16x^2+16x+11 5x^3+3x^2+10x+1
9x^3+4x^2+6x+3 6x^3+x^2+9x+15))

Vector multiplied with A^T
r=((-x^3+x^2@x^3+x^2-1))

Vector added at the end
e1=((x^2+x@x^2 ))

We must compute:
u=A^T r+e1

Step 2.1:
Matrix–vector multiplication Ar
First component of Ar is called Ar1
(6x^3+16x^2+16x+11)(-x^3+x^2 )+(5x^3+3x^2+10x+1)(x^3+x^2-1)

Expand first product [(6x^3+16x^2+16x+11)(-x^3+x^2 )]
=-6x^6-10x^5+0x^4+5x^3+11x^2

Expand second product[(5x3+3x2+10x+1) (x3+x2−1)]
=5x^6+8x^5+13x^4+6x^3-2x^2-10x-1
Add both
=-x^6-2x^5+〖13x〗^4+11x^3+9x^2-10x-1

Reduce using x^4=-1
x^6=-x^2,x^5=-x,x^4=-1
-x^6=x^2
x^5=2x
x^4=-13
= x^(2 )+ 2x- 13 + 11x^3+ 9x^2-10x-1
So:
=11x^3+10x^2-8x-14

Reduce coefficients mod 17 (centered)
(-14≡3)
-8 = 9

Ar1 = (11x^3+10x^2+9x+3)

Step 2.2:
Second component of Ar is called as Ar2
(9x^3+4x^2+6x+3)(-x^3+x^2 )+(6x^3+x^2+9x+15)(x^3+x^2-1)

Expand first product[(9x^3+4x^2+6x+3)(-x^3+x^2 )]
=(9x^3+4x^2+6x+3)(-x^3+x^2 )
= -9x6 – 4x5 – 6x4 -3x3 +9x5 +4x4+6x3+3x2
=−9x^6 + 5x^5 − 2x^4 + 3x^3 + 3x^2
Reduce powers using x^4=-1
x^6=-x^2,x^5=-x,x^4=-1

Substitute:
-9(-x^2)+5(-x)-2(-1)+3x^3+3x^2
=9x^2-5x+2+3x^3+3x^2

Combine:
=3x^3+12x^2-5x+2

Expand second product[(6x^3+x^2+9x+15)(x^3+x^2-1)]
= 6x6 +6x5 -6x3 +x5 +x4 -x2 +9x4 +9x3 -9x +15x3 +15x2 -15
=6x^6+7x^5+10x^4+18x^3+14x^2-9x-15
Reduce powers
Substitute:
x^6=-x^2,x^5=-x,x^4=-1
6(-x^2)+7(-x)+10(-1)+18x^3+14x^2-9x-15
=-6x^2-7x-10+18x^3+14x^2-9x-15

Combine like terms:
=18x^3+8x^2-16x-25
Reduce coefficients mod 17
18≡1
-16≡1
-25≡9

So
=x^3+8x^2+x+9

Add both
=(3x^3+12x^2-5x+2)+(x^3+8x^2+x+9)
= 4x^3+20x^2−4x+11
Reduce mod 17
20≡3
-4≡13

So
Ar2=4x^3+3x^2+13x+11

So second component:
Ar2 =(4x^3+3x^2+13x+11)
Ar = (Ar1, Ar2)
Ar = ((11x^3+10x^2+9x+3),(4x^3+3x^2+13x+11))

Step 2.3
Add error vector e_1(x^2+x, x^2)
u=Ar+e_1

First component
(11x^3+10x^2+9x+3)+(x^2+x)
=(11x^3+11x^2+10x+3)

Second component
(4x^3+3x^2+13x+11)+x^2
=(4x^3+4x^2+13x+11)

✅ Final Answer
u=(((11x^3+11x^2+10x+3 4x^3+4x^2+13x+11)) )

Step 2.4:
v Calculation v= t^T r+e_2+m

Vector t
t=((16x^3+15x^2+7 10x^3+12x^2+11x+6))

So
t^T=( 16x^3+15x^2+7, 10x^3+12x^2+11x+6)

Vector r
r=((-x^3+x^2 x^3+x^2-1))

Error and message
e_2=-x^3-x^2
m=9x^3+9x+9

Step 2.5:
Compute t^T r(dot product)
t^T r=(16x^3+15x^2+7)(-x^3+x^2)+(10x^3+12x^2+11x+6)(x^3+x^2-1)

First product
(16x^3+15x^2+7)(-x^3+x^2 )

Expand:

=-16x^6 + 16x^5 - 15x^5 + 15x^4 - 7x^3 + 7x^2
=-16x^6+x^5+15x^4- 7x^3+7x^2
Reduce powers
x^4=-1,x^5=-x,x^6=-x^2

Substitute:
-16(-x^2)+(-x)+15(-1)-7x^3+7x^2
=16x^2-x-15-7x^3+7x^2

Combine:
=-7x^3+23x^2-x-15

Reduce mod 17:
23≡6
-15≡2

So first product:
=-7x^3+6x^2-x+2
-7≡10
=10x^3+6x^2-x+2

Second product
(10x^3+12x^2+11x+6)(x^3+x^2-1)

Expand:

= 10x^6 + 10x^5 -10x^3 + 12x^5 +12x^4 -12x^2 +11x^4 +11x^3-11 x + 6x^3 +6x^2 -6
=10x^6+22x^5+23x^4+7x^3-6x^2-11x-6
Reduce powers
Substitute:
10(-x^2)+22(-x)+23(-1)+7x^3-6x^2-11x-6
=-10x^2-22x-23+7x^3-6x^2-11x-6

Combine:
=7x^3-16x^2-33x-29
Reduce mod 17
-16≡1
-33≡1
-29≡5

So second product:
=7x^3+x^2+x+5

Add both products
First product:
10x^3+6x^2-x+2

Second product:
7x^3+x^2+x+5

Add:
17x^3+7x^2+0x+7

Reduce mod 17:
17x^3≡0

So
t^T r=7x^2+7

Step 2.6:
Add error e_2
(7x^2+7)+(-x^3-x^2 )=-x3+6x^(2 )+7
v=-x^3+6x^2+7

Step 2.7:
Add message m
(-x^3+6x^2+7)+(9x3+9x+9)
=8x^3+6x^2+9x+16

Step 2.8:
Final reduction mod 17
v= 8x^3+6x^2+9x +16

Kyber ciphtertexts consist of those two values: (u,v). A polynomial vector u and the polynomial v.

Decryption
Step 3
Given the private key s and a ciphertext (u,v), the decryption is straightforward. First, we compute a noisy result m_n.
m_n=v-s^T u

The receiver computes:
v-s^T u = m + ("small noise" )

and then rounds to recover the message.

step 3.1
What we already have
Secret vector s
s=((-x^3-x^2+x -x^3-x))

So
s^T=(-x^3-x^2+x, -x^3-x)

Vector u(from earlier step)
u=((11x^3+11x^2+10x+3 4x^3+4x^2+13x+11))

Ciphertext value v
v=8x^3+6x^2+9x +16

Compute s^T u
s^T u=(-x^3-x^2+x)(11x^3+11x^2+10x+3)

First product
After full expansion and combining like terms:

Distribute term by term.
Multiply by −x³
-11x^6-11x^5-10x^4-3x^3

Multiply by −x²
-11x^5-11x^4-10x^3-3x^2

Multiply by +x
+11x^4+11x^3+10x^2+3x

Add all terms
-11x^6-22x^5-10x^4-2x^3+7x^2+3x
Reduce powers
Substitute:
x^6=-x^2,x^5=-x,x^4=-1
-11(-x^2)-22(-x)-10(-1)-2x^3+7x^2+3x
=11x^2+22x+10-2x^3+7x^2+3x

Combine:
=-2x^3+18x^2+25x+10
Reduce mod 17
18≡1,25≡8
=-2x^3+x^2+8x+10
=-2x^3+x^2+8x+10

Second product (−x3−x)(4x3+4x2+13x+11)

Multiply by −x³
-4x^6-4x^5-13x^4-11x^3

Multiply by −x
-4x^4-4x^3-13x^2-11x

Add both products
=-4x6-4x5-17x4-15x3-13x2-11x
Reduce powers
-4(-x^2)-4(-x)-17(-1)-15x^3-13x^2-11x
=4x^2+4x+17-15x^3-13x^2-11x

Combine:
=-15x^3-9x^2-7x+17
Reduce mod 17
-15≡2,-9≡8,-7≡10,17≡0
=2x^3+8x^2+10x

Add Both Products
First product:
-2x^3+x^2+8x+10

Second product:
2x^3+8x^2+10x

Add:
0x^3+ 9x^2+18x+10
Final reduction mod 17
17x^3≡0
18≡1

So final result:
s^T u=9x^2+x+10

Step 3.2:
Compute v-s^T u
v-s^T u=(8x^3+6x^2+9x +16)-(9x^2+x+10)=8x^3-3x^2+8x+6

Reduced to 17
-3 = 14
So:
v-s^T u=8x^3+14x^2+8x+6

Step 3.3:
Recover the message (rounding step)
Now it becomes apparent why we needed to scale m by making its coefficients large. If you recall, all other terms in the equation were chosen to be small. So the coefficients of m_n are either close to ⌊q/2⌉=9 implying that the original binary coefficient of m_b was a 1 or close to 0 implying the original binary coefficient was 0.
In our example we have m_n=8x^3+14x^2+8x+6. We can recover the original scaled message m by going through the coefficients of m_n and check if they are closer to ⌊q/2⌉=9 or 0 (or equivalently q).
So, let’s do that for all coefficients:
8, closer to 9 than 0 or q, round to 9
14, closer to q than 9, round to 0
8, closer to 9 than 0 or q, round to 9
6, closer to 9 than 0 or q, round to 9
Our rounded polynomial is 9x^3+0x^2+9x+9, which is the scaled polynomial that we encrypted! We can now simply recover the the original binary polynomial m_b by scaling down with factor 1/9:
m_b=1/9(9x^3+0x^2+9x+9)=(1x^3+0x^2+1x+1)

From m_b we can just read the bits of the original message, which are (1011)_2=(11)_10 ┤.

The recovered plaintext therefore is: 11