• Create Account

# AES Encryption

Old topic!

Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

6 replies to this topic

### #1Ectara  Crossbones+   -  Reputation: 3097

Like
3Likes
Like

Posted 30 March 2014 - 06:30 PM

I'm writing an implementation of the AES cipher, and while I have 128, 192, and 256 bit encryption working, only 256 bit decryption is working.

One of the biggest roadblocks in seeking out reference implementations is that I generate the key expansion sequence incrementally, to reduce memory constraints, rather than generate the whole sequence from the start.

I managed to fix my 192 bit encryption with the aid of this site, which has example key expansions for 128, 192, and 256 bit encryption keys. As it stands now, the most I know is that the decryption process fails tests on its output, but I have no tests for its inner workings like the key expansion to know which parts are working.

Can anyone output their decryption key expansion for the 128 bit key 2b7e151628aed2a6abf7158809cf4f3c and the 192 bit key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b?

If anyone has a solid understanding of the Rijndael cipher, I can post code, but it isn't likely to make any sense because I, myself, have a flimsy understanding, and I'm doing it in a low-resource way.

### #2NewVoxel  Members   -  Reputation: 394

Like
-10Likes
Like

Posted 30 March 2014 - 07:35 PM

I took a class in all this cryptology nonsense just last year and failed miserably. Glad I could have been of assistance.

First

-3 AES Encryption

Edited by NewVoxel, 06 April 2014 - 03:01 PM.

Your authority is not recognized in Fort Kick-ass http://www.newvoxel.com

### #3incertia  Crossbones+   -  Reputation: 779

Like
5Likes
Like

Posted 30 March 2014 - 07:59 PM

POPULAR

I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.
what

### #4Bacterius  Crossbones+   -  Reputation: 13032

Like
4Likes
Like

Posted 30 March 2014 - 08:08 PM

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

### #5Ectara  Crossbones+   -  Reputation: 3097

Like
0Likes
Like

Posted 30 March 2014 - 10:07 PM

I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.

That looks so different from my implementation that I don't know where to begin.

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

My implementation, and the implementation I used as a reference, uses two key expansion functions per key size, one for encryption, one for decryption.

My 128 bit pair of functions are:

static void expandEncKey128(ui8 * k, ui8 * rc){
k[0] ^= sbox[k[13]] ^ *rc;
k[1] ^= sbox[k[14]];
k[2] ^= sbox[k[15]];
k[3] ^= sbox[k[12]];

*rc = ((*rc << 1) ^ (((*rc >> 7) & 1) * 0x1bu));

for(int i = 4; i < 16; i += 4){
k[i + 0] ^= k[i - 4];
k[i + 1] ^= k[i - 3];
k[i + 2] ^= k[i - 2];
k[i + 3] ^= k[i - 1];
}
}

static void expandDecKey128(ui8 * k, ui8 * rc){
for(int i = 12; i > 0; i -= 4){
k[i + 0] ^= k[i - 4];
k[i + 1] ^= k[i - 3];
k[i + 2] ^= k[i - 2];
k[i + 3] ^= k[i - 1];
}

*rc = (*rc >> 1) ^ ((*rc & 1u) * 0x8du);

k[0] ^= sbox[k[13]] ^ *rc;
k[1] ^= sbox[k[14]];
k[2] ^= sbox[k[15]];
k[3] ^= sbox[k[12]];
}


They combine a lot of steps into few operations; my implementation is byte-oriented, if it isn't obvious. From my perspective, these are inverses of each other. The (obfuscated) encryption routine looks like this:



static ui8 gfXTime(ui8 x){
return ((x << 1) ^ (((x >> 7) & 1) * 0x1bu));
}

static ui8 rconInv(ui8 rc){
return (rc >> 1) ^ ((rc & 1u) * 0x8du);
}

/*
* 0  4  8  12
* 1  5  9  13
* 2  6  10 14
* 3  7  11 15
*/

static void subBytes(ui8 * a){
for(int i = 16; i--;)
a[i] = sbox[a[i]];
}

static void subBytesInv(ui8 * a){
for(int i = 16; i--;)
a[i] = sboxInv[a[i]];
}

static void addRoundKey(ui8 * a, ui8 * key){
for(int i = 16; i--;)
a[i] ^= key[i];
}

static void addRoundKeyCopy(ui8 * buf, ui8 * key, ui8 * copyKey){
for(int i = 16; i--;){
copyKey[i] = key[i];
buf[i] ^= key[i];
copyKey[i + 16] = key[i + 16];
}
}

static void shiftRows(ui8 * a){
unsigned int t1, t2;

/* 1 -> 13 -> 9 -> 5 -> 1 */
t1 = a[1];
a[1] = a[5];
a[5] = a[9];
a[9] = a[13];
a[13] = t1;

/* 2 -> 10 -> 2 */
t1 = a[10];
a[10] = a[2];
a[2] = t1;

/* 3 -> 7 -> 11 -> 15 -> 3 */
t2 = a[3];
a[3] = a[15];
a[15] = a[11];
a[11] = a[7];
a[7] = t2;

/* 14 -> 6 -> 14 */
t2 = a[6];
a[6] = a[14];
a[14] = t2;
}

static void shiftRowsInv(ui8 * a){
unsigned int t1, t2;

/* 1 <- 13 <- 9 <- 5 <- 1 */
t1 = a[1];
a[1] = a[13];
a[13] = a[9];
a[9] = a[5];
a[5] = t1;

/* 2 <- 10 <- 2 */
t1 = a[2];
a[2] = a[10];
a[10] = t1;

/* 3 <- 7 <- 11 <- 15 <- 3 */
t2 = a[3];
a[3] = a[7];
a[7] = a[11];
a[11] = a[15];
a[15] = t2;

/* 6 <- 14 <- 6 */
t2 = a[6];
a[6] = a[14];
a[14] = t2;
}

static void mixColumns(ui8 * r){
ui8 a[4];
ui8 b[4];

for(int i = 0; i < 16; i += 4){
a[0] = r[i];
a[1] = r[i + 1];
a[2] = r[i + 2];
a[3] = r[i + 3];

b[0] = gfXTime(r[i]);
b[1] = gfXTime(r[i + 1]);
b[2] = gfXTime(r[i + 2]);
b[3] = gfXTime(r[i + 3]);

r[i] = b[0] ^ a[3] ^ a[2] ^ b[1] ^ a[1];
r[i + 1] = b[1] ^ a[0] ^ a[3] ^ b[2] ^ a[2];
r[i + 2] = b[2] ^ a[1] ^ a[0] ^ b[3] ^ a[3];
r[i + 3] = b[3] ^ a[2] ^ a[1] ^ b[0] ^ a[0];
}
}

static void mixColumnsInv(ui8 * r){
ui32 a, b, c, d, e, x, y, z;

for(int i = 0; i < 16; i += 4){
a = r[i];
b = r[i + 1];
c = r[i + 2];
d = r[i + 3];

e = a ^ b ^ c ^ d;
z = gfXTime(e);
x = e ^ gfXTime(gfXTime(z ^ a ^ c));  y = e ^ gfXTime(gfXTime(z ^ b ^ d));

r[i] ^= x ^ gfXTime(a ^ b);
r[i + 1] ^= y ^ gfXTime(b ^ c);
r[i + 2] ^= x ^ gfXTime(c ^ d);
r[i + 3] ^= y ^ gfXTime(d ^ a);
}
}

void encrypt(ui8 * out, const ui8 * in){
ui8 state[16];

for(sizeType i = 16; i--;)
state[i] = in[i];

ui8 rcon = 1;

for(sizeType i = 1; i < 10; ++i){
subBytes(state);
shiftRows(state);
mixColumns(state);

expandEncKey(key_, &rcon);

subBytes(state);
shiftRows(state);

expandEncKey(key_, &rcon);

for(sizeType i = 16; i--;)
out[i] = state[i];
}

for(sizeType i = 16; i--;)
state[i] = 0;
}


This  encryption method produces results that align with published test vectors. However, this decryption does not work, whether it is this decryption function doesn't work, or the key expansion doesn't work, or something.

void decrypt(void * out, const void * in){
ui8 state[16];

for(sizeType i = 16; i--;)
state[i] = in[i];

ui8 rcon = 0x6c;

for(sizeType i = 1; i < 10; ++i){
shiftRowsInv(state);
subBytesInv(state);

expandDecKey(key_, &rcon);

mixColumnsInv(state);
}

shiftRowsInv(state);
subBytesInv(state);

for(sizeType i = 16; i--;)
out[i] = state[i];

for(sizeType i = 16; i--;)
state[i] = 0;
}


encryptKey_ and decryptKey_ are both initialized to the bytes of the key by the caller.

Edited by Ectara, 30 March 2014 - 10:38 PM.

### #6Ectara  Crossbones+   -  Reputation: 3097

Like
1Likes
Like

Posted 30 March 2014 - 10:39 PM

Interestingly, the 256 bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.

Edited by Ectara, 30 March 2014 - 10:40 PM.

### #7Ectara  Crossbones+   -  Reputation: 3097

Like
0Likes
Like

Posted 01 April 2014 - 09:15 PM

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

This had me thinking, and I tried to reconcile it by having both encryption and decryption routines use the same expansion sequence, to no avail. My last post is of interest:

Interestingly, the 256 bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.

Seven just so happens to be the number of times that the key is expanded (see below for the linear coefficients of the production of round keys). After much experimentation, it turns out that the encryption expansion raises the rcon value's exponent, and manipulates the bytes in a specific sequence, and the decryption expansion lowers the rcon value's exponent, and performs the inverse manipulation. The purpose of using the encryption expansion routine on the decryption key at the start is to "advance" the key expansion sequence to the point where it would have ended after encryption, and "move backward" from that "endpoint" as it decrypts, traversing the sequence in reverse. This is all a consequence of the low-resource design, by not expanding the entire sequence at once, taking almost an entire kilobyte in the process.

I managed to get it all working. There were various bugs here and there, which I managed to find after learning its ins and outs through experimentation. There's somewhat of a fencepost error in the code posted above: there should be one more key expansion before the final round key addition. 256bit mode generates two round keys per expansion, and 192bit mode generates 1.5 round keys per expansion, so 128bit was the only one that needed that last expansion; I noticed that the decryption key was expanded once less than the encryption key, after many exhaustive tests. There were several errors in the 192bit encryption and decryption that I solved, encryption first, but that's done with, too.

Old topic!

Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

PARTNERS