
AES Encryption


6 replies to this topic

#1 Ectara   Crossbones+   -  Reputation: 3015

3 Likes

Posted 30 March 2014 - 06:30 PM

I'm writing an implementation of the AES cipher, and while I have 128, 192, and 256 bit encryption working, only 256 bit decryption is working.

One of the biggest roadblocks in seeking out reference implementations is that I generate the key expansion sequence incrementally, to reduce memory constraints, rather than generate the whole sequence from the start.
 
I managed to fix my 192 bit encryption with the aid of this site, which has example key expansions for 128, 192, and 256 bit encryption keys. As it stands now, the most I know is that the decryption process fails tests on its output, but I have no tests for its inner workings like the key expansion to know which parts are working.

 

Can anyone output their decryption key expansion for the 128 bit key 2b7e151628aed2a6abf7158809cf4f3c and the 192 bit key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b?

If anyone has a solid understanding of the Rijndael cipher, I can post code, but it isn't likely to make any sense because I, myself, have a flimsy understanding, and I'm doing it in a low-resource way.




#2 NewVoxel   Members   -  Reputation: 361

-10 Likes

Posted 30 March 2014 - 07:35 PM

I took a class in all this cryptology nonsense just last year and failed miserably. Glad I could have been of assistance.


Edited by NewVoxel, 06 April 2014 - 03:01 PM.



#3 incertia   Crossbones+   -  Reputation: 779

5 Likes

Posted 30 March 2014 - 07:59 PM

I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.

#4 Bacterius   Crossbones+   -  Reputation: 9044

4 Likes

Posted 30 March 2014 - 08:08 PM

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.




#5 Ectara   Crossbones+   -  Reputation: 3015

0 Likes

Posted 30 March 2014 - 10:07 PM

incertia wrote:
I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.

That looks so different from my implementation that I don't know where to begin.

Bacterius wrote:
The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

My implementation, and the implementation I used as a reference, both use two key expansion functions per key size, one for encryption, one for decryption.

My 128 bit pair of functions are:

/* One forward step of the 128-bit schedule: k holds round key i (16 bytes,
 * column-major, word j at k[4j..4j+3]) and *rc the round constant for this step;
 * on return k holds round key i+1 and *rc has been multiplied by x in GF(2^8). */
static void expandEncKey128(ui8 * k, ui8 * rc){
        /* w0 ^= SubWord(RotWord(w3)) ^ Rcon */
        k[0] ^= sbox[k[13]] ^ *rc;
        k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];
        k[3] ^= sbox[k[12]];

        *rc = ((*rc << 1) ^ (((*rc >> 7) & 1) * 0x1bu));

        /* w1 ^= w0, w2 ^= w1, w3 ^= w2, each using the word just updated */
        for(int i = 4; i < 16; i += 4){
                k[i + 0] ^= k[i - 4];
                k[i + 1] ^= k[i - 3];
                k[i + 2] ^= k[i - 2];
                k[i + 3] ^= k[i - 1];
        }
}

/* Exact inverse of expandEncKey128: undo the word chaining in reverse order (w3
 * first, since it was written last), step *rc back by multiplying with x^-1 = 0x8d,
 * then undo the SubWord/RotWord/Rcon injection into w0, which only reads w3. */
static void expandDecKey128(ui8 * k, ui8 * rc){
        for(int i = 12; i > 0; i -= 4){
                k[i + 0] ^= k[i - 4];
                k[i + 1] ^= k[i - 3];
                k[i + 2] ^= k[i - 2];
                k[i + 3] ^= k[i - 1];
        }

        *rc = (*rc >> 1) ^ ((*rc & 1u) * 0x8du);

        k[0] ^= sbox[k[13]] ^ *rc;
        k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];
        k[3] ^= sbox[k[12]];
}

They combine a lot of steps into few operations; my implementation is byte-oriented, if it isn't obvious. From my perspective, these are inverses of each other. The (obfuscated) encryption routine looks like this:


                
/* Assumed from the surrounding class (not shown in the post): ui8/ui32 are 8-/32-bit
 * unsigned types, sizeType an unsigned size type, sbox/sboxInv the AES S-box and its
 * inverse, and key_, encryptKey_ and decryptKey_ are 32-byte key buffers (addRoundKeyCopy
 * copies 32 bytes, so the buffers must be that large even in 128-bit mode). expandEncKey
 * and expandDecKey stand for the per-key-size routines such as the 128-bit pair above. */

static ui8 gfXTime(ui8 x){
        /* multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 */
        return ((x << 1) ^ (((x >> 7) & 1) * 0x1bu));
}

static ui8 rconInv(ui8 rc){
        /* multiply by x^-1 = 0x8d (x * 0x8d = 0x11a, which reduces to 1) */
        return (rc >> 1) ^ ((rc & 1u) * 0x8du);
}

/*
 * State layout (column-major: index = 4 * column + row):
 * 0  4  8  12
 * 1  5  9  13
 * 2  6  10 14
 * 3  7  11 15
 */

static void subBytes(ui8 * a){
        for(int i = 16; i--;)
                a[i] = sbox[a[i]];
}

static void subBytesInv(ui8 * a){
        for(int i = 16; i--;)
                a[i] = sboxInv[a[i]];
}

static void addRoundKey(ui8 * a, ui8 * key){
        for(int i = 16; i--;)
                a[i] ^= key[i];
}

/* XOR the first 16 bytes of key into buf and copy all 32 bytes of key into copyKey,
 * which then serves as the working key state that the incremental expansion mutates. */
static void addRoundKeyCopy(ui8 * buf, ui8 * key, ui8 * copyKey){
        for(int i = 16; i--;){
                copyKey[i] = key[i];
                buf[i] ^= key[i];
                copyKey[i + 16] = key[i + 16];
        }
}

/* ShiftRows: row r (indices r, r+4, r+8, r+12) is rotated left by r columns. */
static void shiftRows(ui8 * a){
        unsigned int t1, t2;

        /* row 1: 1 -> 13 -> 9 -> 5 -> 1 */
        t1 = a[1];
        a[1] = a[5];
        a[5] = a[9];
        a[9] = a[13];
        a[13] = t1;

        /* row 2: 2 -> 10 -> 2 */
        t1 = a[10];
        a[10] = a[2];
        a[2] = t1;

        /* row 3: 3 -> 7 -> 11 -> 15 -> 3 */
        t2 = a[3];
        a[3] = a[15];
        a[15] = a[11];
        a[11] = a[7];
        a[7] = t2;

        /* row 2: 14 -> 6 -> 14 */
        t2 = a[6];
        a[6] = a[14];
        a[14] = t2;
}

/* InvShiftRows: the same rotations in the opposite direction. */
static void shiftRowsInv(ui8 * a){
        unsigned int t1, t2;

        /* row 1: 1 <- 13 <- 9 <- 5 <- 1 */
        t1 = a[1];
        a[1] = a[13];
        a[13] = a[9];
        a[9] = a[5];
        a[5] = t1;

        /* row 2: 2 <- 10 <- 2 */
        t1 = a[2];
        a[2] = a[10];
        a[10] = t1;

        /* row 3: 3 <- 7 <- 11 <- 15 <- 3 */
        t2 = a[3];
        a[3] = a[7];
        a[7] = a[11];
        a[11] = a[15];
        a[15] = t2;

        /* row 2: 6 <- 14 <- 6 */
        t2 = a[6];
        a[6] = a[14];
        a[14] = t2;
}

/* MixColumns per column: r0 = 2a0 ^ 3a1 ^ a2 ^ a3, r1 = a0 ^ 2a1 ^ 3a2 ^ a3, and so on,
 * written with 3a = 2a ^ a so only one gfXTime per byte is needed. */
static void mixColumns(ui8 * r){
        ui8 a[4];
        ui8 b[4];

        for(int i = 0; i < 16; i += 4){
                a[0] = r[i];
                a[1] = r[i + 1];
                a[2] = r[i + 2];
                a[3] = r[i + 3];

                b[0] = gfXTime(r[i]);
                b[1] = gfXTime(r[i + 1]);
                b[2] = gfXTime(r[i + 2]);
                b[3] = gfXTime(r[i + 3]);

                r[i] = b[0] ^ a[3] ^ a[2] ^ b[1] ^ a[1];
                r[i + 1] = b[1] ^ a[0] ^ a[3] ^ b[2] ^ a[2];
                r[i + 2] = b[2] ^ a[1] ^ a[0] ^ b[3] ^ a[3];
                r[i + 3] = b[3] ^ a[2] ^ a[1] ^ b[0] ^ a[0];
        }
}

/* InvMixColumns folded into a handful of gfXTime calls: with e = a ^ b ^ c ^ d,
 * x = 9e ^ 4(a ^ c) and y = 9e ^ 4(b ^ d), so that r0 ^= x ^ 2(a ^ b) yields
 * 14a ^ 11b ^ 13c ^ 9d, and the other three rows follow by rotation. */
static void mixColumnsInv(ui8 * r){
        ui32 a, b, c, d, e, x, y, z;

        for(int i = 0; i < 16; i += 4){
                a = r[i];
                b = r[i + 1];
                c = r[i + 2];
                d = r[i + 3];

                e = a ^ b ^ c ^ d;
                z = gfXTime(e);
                x = e ^ gfXTime(gfXTime(z ^ a ^ c));
                y = e ^ gfXTime(gfXTime(z ^ b ^ d));

                r[i] ^= x ^ gfXTime(a ^ b);
                r[i + 1] ^= y ^ gfXTime(b ^ c);
                r[i + 2] ^= x ^ gfXTime(c ^ d);
                r[i + 3] ^= y ^ gfXTime(d ^ a);
        }
}

void encrypt(ui8 * out, const ui8 * in){
        ui8 state[16];

        for(sizeType i = 16; i--;)
                state[i] = in[i];

        ui8 rcon = 1;

        /* round 0: key_ becomes the working copy of the cipher key */
        addRoundKeyCopy(state, encryptKey_, key_);

        /* rounds 1..9: each round key is generated just before it is used */
        for(sizeType i = 1; i < 10; ++i){
                subBytes(state);
                shiftRows(state);
                mixColumns(state);

                expandEncKey(key_, &rcon);
                addRoundKey(state, key_);
        }

        /* round 10: no MixColumns */
        subBytes(state);
        shiftRows(state);

        expandEncKey(key_, &rcon);
        addRoundKey(state, key_);

        for(sizeType i = 16; i--;)
                out[i] = state[i];

        for(sizeType i = 16; i--;)
                state[i] = 0;
}

This encryption method produces results that align with published test vectors. However, this decryption does not work, whether because this decryption function doesn't work, or the key expansion doesn't work, or something else.

void decrypt(ui8 * out, const ui8 * in){
        ui8 state[16];

        for(sizeType i = 16; i--;)
                state[i] = in[i];

        /* the rcon value after ten forward expansions: gfXTime(0x36) = 0x6c */
        ui8 rcon = 0x6c;

        /* for the backward walk to line up, key_ has to start out as the last
         * round key, i.e. what ten forward expansions of the cipher key produce */
        addRoundKeyCopy(state, decryptKey_, key_);

        for(sizeType i = 1; i < 10; ++i){
                shiftRowsInv(state);
                subBytesInv(state);

                expandDecKey(key_, &rcon);
                addRoundKey(state, key_);

                mixColumnsInv(state);
        }

        shiftRowsInv(state);
        subBytesInv(state);

        /* no expandDecKey before this AddRoundKey, so key_ still holds the round
         * key of the last loop iteration rather than round key 0 (the fencepost
         * error described later in the thread) */
        addRoundKey(state, key_);

        for(sizeType i = 16; i--;)
                out[i] = state[i];

        for(sizeType i = 16; i--;)
                state[i] = 0;
}

encryptKey_ and decryptKey_ are both initialized to the bytes of the key by the caller.


Edited by Ectara, 30 March 2014 - 10:38 PM.


#6 Ectara   Crossbones+   -  Reputation: 3015

1 Like

Posted 30 March 2014 - 10:39 PM

Interestingly, the 256 bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary for it to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.


Edited by Ectara, 30 March 2014 - 10:40 PM.


#7 Ectara   Crossbones+   -  Reputation: 3015

0 Likes

Posted 01 April 2014 - 09:15 PM

Bacterius wrote:
The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

This had me thinking, and I tried to reconcile it by having both encryption and decryption routines use the same expansion sequence, to no avail. My last post is of interest:

 

Ectara wrote:
Interestingly, the 256 bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary for it to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.

Seven just so happens to be the number of times that the key is expanded (see below for the linear coefficients of the production of round keys). After much experimentation, it turns out that the encryption expansion raises the rcon value's exponent, and manipulates the bytes in a specific sequence, and the decryption expansion lowers the rcon value's exponent, and performs the inverse manipulation. The purpose of using the encryption expansion routine on the decryption key at the start is to "advance" the key expansion sequence to the point where it would have ended after encryption, and "move backward" from that "endpoint" as it decrypts, traversing the sequence in reverse. This is all a consequence of the low-resource design, by not expanding the entire sequence at once, taking almost an entire kilobyte in the process.

 

I managed to get it all working. There were various bugs here and there, which I managed to find after learning its ins and outs through experimentation. There's somewhat of a fencepost error in the code posted above: there should be one more key expansion before the final round key addition. 256bit mode generates two round keys per expansion, and 192bit mode generates 1.5 round keys per expansion, so 128bit was the only one that needed that last expansion; I noticed that the decryption key was expanded once less than the encryption key, after many exhaustive tests. There were several errors in the 192bit encryption and decryption that I solved, encryption first, but that's done with, too.
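Added example, not code from this thread or from any of its posters: a self-contained C implementation of the scheme that #4 and #7 converge on, namely that there is only one key schedule and decryption simply walks it backwards. The schedule state is 16 bytes of key plus one rcon byte; `key_step` is the forward expansion, `key_step_back` its exact inverse, and `aes128_decrypt` first runs the schedule forward to round key 10 (rcon ends at 0x6c) and then steps back once before every AddRoundKey, including the final one with round key 0 that the decrypt posted in #5 omits. All names here (`key_step`, `aes128_selftest`, and so on) are this example's own, the S-box is generated from its definition rather than typed in, and the self-test checks the thread's 128-bit key 2b7e151628aed2a6abf7158809cf4f3c against the NIST SP 800-38A ECB vector and the FIPS-197 Appendix A.1 last round key d014f9a8c9ee2589e13f0cc8b6630ca6, which are the expected values the test is built around.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t sbox[256], sbox_inv[256];
/* Build the S-box from its definition (GF(2^8) inverse, then the affine map)
 * instead of typing in the table: p walks the powers of 3, q the powers of 1/3. */
static void init_sbox(void) {
    static int done; uint8_t p = 1, q = 1;
    if (done++) return;
    do {
        p = p ^ (uint8_t)(p << 1) ^ ((p & 0x80) ? 0x1b : 0);   /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;                  /* q /= 3 */
        q ^= (q & 0x80) ? 0x09 : 0;
        uint8_t x = q;                                          /* affine map */
        for (int s = 1; s <= 4; s++) x ^= (uint8_t)((q << s) | (q >> (8 - s)));
        sbox[p] = x ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;
    for (int i = 0; i < 256; i++) sbox_inv[sbox[i]] = (uint8_t)i;
}
/* Multiply by x, and by x^-1 = 0x8d (x * 0x8d = 0x11a, which reduces to 1). */
static uint8_t xtime(uint8_t v)     { return (uint8_t)((v << 1) ^ ((v & 0x80) ? 0x1b : 0)); }
static uint8_t xtime_inv(uint8_t v) { return (uint8_t)((v >> 1) ^ ((v & 1) ? 0x8d : 0)); }
/* Forward step of the incremental AES-128 schedule: k (column-major, word j at
 * k[4j..4j+3]) goes from round key i to round key i+1 and rc advances once. */
static void key_step(uint8_t k[16], uint8_t *rc) {
    k[0] ^= sbox[k[13]] ^ *rc; k[1] ^= sbox[k[14]];  /* w0 ^= SubWord(RotWord(w3)) ^ rcon */
    k[2] ^= sbox[k[15]];       k[3] ^= sbox[k[12]];
    *rc = xtime(*rc);
    for (int i = 4; i < 16; i++) k[i] ^= k[i - 4];     /* w1 ^= w0, w2 ^= w1, w3 ^= w2 */
}
/* Exact inverse: unchain w3, w2, w1 in that order, rewind rc, undo the w0 update. */
static void key_step_back(uint8_t k[16], uint8_t *rc) {
    for (int i = 15; i >= 4; i--) k[i] ^= k[i - 4];
    *rc = xtime_inv(*rc);
    k[0] ^= sbox[k[13]] ^ *rc; k[1] ^= sbox[k[14]];
    k[2] ^= sbox[k[15]];       k[3] ^= sbox[k[12]];
}
static void add_round_key(uint8_t s[16], const uint8_t k[16]) { for (int i = 0; i < 16; i++) s[i] ^= k[i]; }
static void sub_bytes(uint8_t s[16], const uint8_t *box)      { for (int i = 0; i < 16; i++) s[i] = box[s[i]]; }
static void shift_rows(uint8_t s[16], int inverse) {  /* row r rotates left (inverse: right) by r */
    uint8_t t[16];
    for (int i = 0; i < 16; i++) { int r = i & 3, c = i >> 2; t[i] = s[4 * ((inverse ? c + 4 - r : c + r) & 3) + r]; }
    memcpy(s, t, 16);
}
/* MixColumns; the inverse first multiplies the column by {5,0,4,0}, after which
 * the same {2,3,1,1} circulant produces {14,11,13,9}. */
static void mix_columns(uint8_t s[16], int inverse) {
    for (int c = 0; c < 16; c += 4) {
        uint8_t a0 = s[c], a1 = s[c + 1], a2 = s[c + 2], a3 = s[c + 3];
        if (inverse) { uint8_t u = xtime(xtime(a0 ^ a2)), v = xtime(xtime(a1 ^ a3)); a0 ^= u; a1 ^= v; a2 ^= u; a3 ^= v; }
        s[c]     = xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3;
        s[c + 1] = a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3;
        s[c + 2] = a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3;
        s[c + 3] = xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3);
    }
}
void aes128_encrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t k[16], rc = 0x01;
    init_sbox(); memcpy(k, key, 16); memcpy(out, in, 16);
    add_round_key(out, k);                       /* round key 0 is the cipher key itself */
    for (int round = 1; round <= 10; round++) {
        sub_bytes(out, sbox); shift_rows(out, 0);
        if (round < 10) mix_columns(out, 0);
        key_step(k, &rc);                        /* round key `round`, derived just before use */
        add_round_key(out, k);
    }
}
/* Decrypt with the same 17 bytes of schedule state: advance to round key 10 (rc becomes
 * 0x6c), then step back once per AddRoundKey; the tenth step back yields round key 0. */
void aes128_decrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t k[16], rc = 0x01;
    init_sbox(); memcpy(k, key, 16); memcpy(out, in, 16);
    for (int i = 0; i < 10; i++) key_step(k, &rc);
    add_round_key(out, k);
    for (int round = 9; round >= 0; round--) {
        shift_rows(out, 1); sub_bytes(out, sbox_inv);
        key_step_back(k, &rc);                   /* k now holds round key `round` */
        add_round_key(out, k);
        if (round > 0) mix_columns(out, 1);
    }
}
/* Known answers for the thread's 128-bit key: NIST SP 800-38A ECB vector, FIPS-197
 * Appendix A.1 last round key (w40..w43), and a full schedule rewind. 0 = pass. */
int aes128_selftest(void) {
    static const uint8_t key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    static const uint8_t pt[16]  = {0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a};
    static const uint8_t ct[16]  = {0x3a,0xd7,0x7b,0xb4,0x0d,0x7a,0x36,0x60,0xa8,0x9e,0xca,0xf3,0x24,0x66,0xef,0x97};
    static const uint8_t k10[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    uint8_t buf[16], k[16], rc = 0x01;
    aes128_encrypt(key, pt, buf); if (memcmp(buf, ct, 16)) return 1;
    aes128_decrypt(key, ct, buf); if (memcmp(buf, pt, 16)) return 2;
    memcpy(k, key, 16); for (int i = 0; i < 10; i++) key_step(k, &rc);
    if (rc != 0x6c || memcmp(k, k10, 16)) return 3;  /* end of schedule: round key 10, rcon 0x6c */
    for (int i = 0; i < 10; i++) key_step_back(k, &rc);
    return (rc == 0x01 && memcmp(k, key, 16) == 0) ? 0 : 4;
}
int main(void) { printf("inc. AES-128 self-test: %d (0 = pass)\n", aes128_selftest()); return 0; }
```

Build with `cc -std=c99 -Wall aes128_incremental.c && ./a.out`; the self-test returns 0 only if encryption matches the published ciphertext, decryption restores the plaintext, ten forward steps reach the FIPS-197 round key 10 with rcon 0x6c, and ten backward steps land exactly on the original key with rcon 0x01. The one-expansion-per-round-key correspondence that makes the decrypt loop this regular is specific to AES-128; with 192- and 256-bit keys one expansion yields 1.5 or 2 round keys, which is why the thread's other key sizes need the extra bookkeeping described above.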





