AES Encryption

5 comments, last by Ectara 10 years ago

I'm writing an implementation of the AES cipher, and while I have 128-, 192-, and 256-bit encryption working, only 256-bit decryption is working.

One of the biggest roadblocks in seeking out reference implementations is that I generate the key expansion sequence incrementally, to reduce memory constraints, rather than generate the whole sequence from the start.

I managed to fix my 192-bit encryption with the aid of this site, which has example key expansions for 128-, 192-, and 256-bit encryption keys. As it stands now, the most I know is that the decryption process fails tests on its output, but I have no tests for its inner workings, like the key expansion, to know which parts are working.

Can anyone output their decryption key expansion for the 128-bit key 2b7e151628aed2a6abf7158809cf4f3c and the 192-bit key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b?

If anyone has a solid understanding of the Rijndael cipher, I can post code, but it isn't likely to make any sense because I, myself, have a flimsy understanding, and I'm doing it in a low-resource way.


I took a class in all this cryptology nonsense just last year and failed miserably. Glad I could have been of assistance.


Your authority is not recognized in Fort Kick-ass http://www.newvoxel.com

I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.
what

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

I don't have any Rijndael at hand with me right now, but this is a working version of Rijndael and you can just add some stuff to get the expanded key.

That looks so different from my implementation that I don't know where to begin.


The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

My implementation, and the implementation I used as a reference, use two key expansion functions per key size, one for encryption, one for decryption.

My 128-bit pair of functions is:


/* One step forward through the 128-bit key schedule: turns round key N
 * (16 bytes, column-major, in place) into round key N+1 and advances rcon. */
static void expandEncKey128(ui8 * k, ui8 * rc){
        /* first word: RotWord, SubWord, xor rcon, xor the old first word */
        k[0] ^= sbox[k[13]] ^ *rc;
        k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];
        k[3] ^= sbox[k[12]];
        
        /* rcon = xtime(rcon): multiply by x in GF(2^8), reducing by 0x1b */
        *rc = ((*rc << 1) ^ (((*rc >> 7) & 1) * 0x1bu));
        
        /* remaining three words: each is the previous (already updated)
         * word xor the word at the same position in the old round key */
        for(int i = 4; i < 16; i += 4){
                k[i + 0] ^= k[i - 4];
                k[i + 1] ^= k[i - 3];
                k[i + 2] ^= k[i - 2];
                k[i + 3] ^= k[i - 1];
        }
}

/* One step backward: turns round key N+1 into round key N and steps rcon
 * back, undoing expandEncKey128 operation by operation in reverse order. */
static void expandDecKey128(ui8 * k, ui8 * rc){
        /* undo the three linear words last-first, so each xor still sees
         * the already-updated neighbour it was combined with going forward */
        for(int i = 12; i > 0; i -= 4){
                k[i + 0] ^= k[i - 4];
                k[i + 1] ^= k[i - 3];
                k[i + 2] ^= k[i - 2];
                k[i + 3] ^= k[i - 1];
        }
        
        /* inverse of xtime: shift right, and if a reduction by 0x1b happened
         * (low bit set) add the high bit back; 0x8d = (0x1b >> 1) | 0x80 */
        *rc = (*rc >> 1) ^ ((*rc & 1u) * 0x8du);
        
        /* undo the first word with the rcon that produced it */
        k[0] ^= sbox[k[13]] ^ *rc;
        k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];
        k[3] ^= sbox[k[12]];
}

They combine a lot of steps into few operations; my implementation is byte-oriented, if it isn't obvious. From my perspective, these are inverses of each other. The (obfuscated) encryption routine looks like this:



/* The post does not show the types and tables these functions rely on, so
 * the declarations below are assumed: ui8/ui32 are unsigned 8- and 32-bit
 * integers, sizeType an unsigned index type, sbox/sboxInv the standard AES
 * S-box and its inverse, and key_/encryptKey_/decryptKey_ the key buffers
 * (32 bytes, since addRoundKeyCopy copies 32 bytes). */
#include <stdint.h>
#include <stddef.h>
typedef uint8_t ui8;
typedef uint32_t ui32;
typedef size_t sizeType;
extern const ui8 sbox[256];
extern const ui8 sboxInv[256];
static ui8 key_[32], encryptKey_[32], decryptKey_[32];

/* multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 */
static ui8 gfXTime(ui8 x){
        return ((x << 1) ^ (((x >> 7) & 1) * 0x1bu));
}

/* inverse of gfXTime, used to step rcon backwards */
static ui8 rconInv(ui8 rc){
        return (rc >> 1) ^ ((rc & 1u) * 0x8du);
}

/*
 * State layout (column-major, as in FIPS-197):
 * 0  4  8  12
 * 1  5  9  13
 * 2  6  10 14
 * 3  7  11 15
 */

static void subBytes(ui8 * a){
        for(int i = 16; i--;)
                a[i] = sbox[a[i]];
}

static void subBytesInv(ui8 * a){
        for(int i = 16; i--;)
                a[i] = sboxInv[a[i]];
}

static void addRoundKey(ui8 * a, ui8 * key){
        for(int i = 16; i--;)
                a[i] ^= key[i];
}

/* xor the first 16 key bytes into the state and copy all 32 key bytes
 * into copyKey, the working buffer the schedule is then stepped in */
static void addRoundKeyCopy(ui8 * buf, ui8 * key, ui8 * copyKey){
        for(int i = 16; i--;){
                copyKey[i] = key[i];
                buf[i] ^= key[i];
                copyKey[i + 16] = key[i + 16];
        }
}

/* row r is rotated left by r positions; row 0 is untouched */
static void shiftRows(ui8 * a){
        unsigned int t1, t2;
        
        /* 1 -> 13 -> 9 -> 5 -> 1 */
        t1 = a[1];
        a[1] = a[5];
        a[5] = a[9];
        a[9] = a[13];
        a[13] = t1;
        
        /* 2 -> 10 -> 2 */
        t1 = a[10];
        a[10] = a[2];
        a[2] = t1;
        
        /* 3 -> 7 -> 11 -> 15 -> 3 */
        t2 = a[3];
        a[3] = a[15];
        a[15] = a[11];
        a[11] = a[7];
        a[7] = t2;
        
        /* 14 -> 6 -> 14 */
        t2 = a[6];
        a[6] = a[14];
        a[14] = t2;
}

static void shiftRowsInv(ui8 * a){
        unsigned int t1, t2;
        
        /* 1 <- 13 <- 9 <- 5 <- 1 */
        t1 = a[1];
        a[1] = a[13];
        a[13] = a[9];
        a[9] = a[5];
        a[5] = t1;
        
        /* 2 <- 10 <- 2 */
        t1 = a[2];
        a[2] = a[10];
        a[10] = t1;
        
        /* 3 <- 7 <- 11 <- 15 <- 3 */
        t2 = a[3];
        a[3] = a[7];
        a[7] = a[11];
        a[11] = a[15];
        a[15] = t2;
        
        /* 6 <- 14 <- 6 */
        t2 = a[6];
        a[6] = a[14];
        a[14] = t2;
}

/* each column becomes (2,3,1,1) * column in GF(2^8); 3*x = 2*x ^ x */
static void mixColumns(ui8 * r){
        ui8 a[4];
        ui8 b[4];
        
        for(int i = 0; i < 16; i += 4){
                a[0] = r[i];
                a[1] = r[i + 1];
                a[2] = r[i + 2];
                a[3] = r[i + 3];
                
                b[0] = gfXTime(r[i]);
                b[1] = gfXTime(r[i + 1]);
                b[2] = gfXTime(r[i + 2]);
                b[3] = gfXTime(r[i + 3]);
                
                r[i] = b[0] ^ a[3] ^ a[2] ^ b[1] ^ a[1];
                r[i + 1] = b[1] ^ a[0] ^ a[3] ^ b[2] ^ a[2];
                r[i + 2] = b[2] ^ a[1] ^ a[0] ^ b[3] ^ a[3];
                r[i + 3] = b[3] ^ a[2] ^ a[1] ^ b[0] ^ a[0];
        }
}

/* inverse (14,11,13,9) matrix, written compactly: adding 4*(a^c) to a and c
 * and 4*(b^d) to b and d reduces it to the forward (2,3,1,1) matrix, and
 * the forward step is folded into r0 ^= e ^ xtime(a^b) with e = a^b^c^d;
 * x and y carry e plus the 4*(a^c) / 4*(b^d) corrections and the 8*e term
 * that the corrections pick up on the way through xtime */
static void mixColumnsInv(ui8 * r){
        ui32 a, b, c, d, e, x, y, z;
        
        for(int i = 0; i < 16; i += 4){
                a = r[i];
                b = r[i + 1];
                c = r[i + 2];
                d = r[i + 3];
                
                e = a ^ b ^ c ^ d;
                z = gfXTime(e);
                x = e ^ gfXTime(gfXTime(z ^ a ^ c));
                y = e ^ gfXTime(gfXTime(z ^ b ^ d));
                
                r[i] ^= x ^ gfXTime(a ^ b);
                r[i + 1] ^= y ^ gfXTime(b ^ c);
                r[i + 2] ^= x ^ gfXTime(c ^ d);
                r[i + 3] ^= y ^ gfXTime(d ^ a);
        }
}

void encrypt(ui8 * out, const ui8 * in){
        ui8 state[16];
        
        for(sizeType i = 16; i--;)
                state[i] = in[i];
        
        ui8 rcon = 1;
        
        /* round 0: xor in the cipher key and take a working copy of it in
         * key_, which the schedule is then stepped forward in, in place */
        addRoundKeyCopy(state, encryptKey_, key_);
        
        /* rounds 1..9; expandEncKey (not shown in the post) is the step for
         * the key size in use, expandEncKey128 here, producing the next
         * round key just before it is needed, so no expanded-key array is
         * ever held */
        for(sizeType i = 1; i < 10; ++i){
                subBytes(state);
                shiftRows(state);
                mixColumns(state);
                
                expandEncKey(key_, &rcon);
                addRoundKey(state, key_);
        }
        
        /* final round: no mixColumns */
        subBytes(state);
        shiftRows(state);
        
        expandEncKey(key_, &rcon);
        addRoundKey(state, key_);
        
        for(sizeType i = 16; i--;)
                out[i] = state[i];
        
        /* scrub the state before returning */
        for(sizeType i = 16; i--;)
                state[i] = 0;
}

This encryption method produces results that align with published test vectors. However, this decryption does not work, whether because this decryption function doesn't work, or the key expansion doesn't work, or something else.


/* parameters declared as ui8 * rather than void * so that the byte copies
 * below compile; otherwise posted as-is */
void decrypt(ui8 * out, const ui8 * in){
        ui8 state[16];
        
        for(sizeType i = 16; i--;)
                state[i] = in[i];
        
        /* rcon as it stands after the ten forward expansions of encryption;
         * it is stepped back one round key at a time from here */
        ui8 rcon = 0x6c;
        
        addRoundKeyCopy(state, decryptKey_, key_);
        
        /* inverse rounds: InvShiftRows, InvSubBytes, AddRoundKey,
         * InvMixColumns, with expandDecKey (not shown in the post) walking
         * the schedule backwards one round key per round */
        for(sizeType i = 1; i < 10; ++i){
                shiftRowsInv(state);
                subBytesInv(state);
                
                expandDecKey(key_, &rcon);
                addRoundKey(state, key_);
                
                mixColumnsInv(state);
        }
        
        shiftRowsInv(state);
        subBytesInv(state);
        
        /* final round key addition reuses key_ without stepping the schedule
         * back once more; this is the version being asked about */
        addRoundKey(state, key_);
        
        for(sizeType i = 16; i--;)
                out[i] = state[i];
        
        for(sizeType i = 16; i--;)
                state[i] = 0;
}

encryptKey_ and decryptKey_ are both initialized to the bytes of the key by the caller.

Interestingly, the 256-bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary for it to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.

The expanded key material for encryption and decryption is the same afaik (unless there exists some strange variant that does not) so if your encryption routines work then it suggests your decryption routines are wrong. Perhaps you could post them so we can take a look.

This had me thinking, and I tried to reconcile it by having both encryption and decryption routines use the same expansion sequence, to no avail. My last post is of interest:

Interestingly, the 256-bit decryption works, with a similar pair of key expansion functions, with a quirk: the decryption key is expanded seven times using the encryption key expansion function after the state is set up, before any data is processed. I have no idea why it is necessary for it to work, but it doesn't work without it. If I use one expansion function and key sequence for both, decryption fails.

Seven just so happens to be the number of times that the key is expanded (see below for the linear coefficients of the production of round keys). After much experimentation, it turns out that the encryption expansion raises the rcon value's exponent, and manipulates the bytes in a specific sequence, and the decryption expansion lowers the rcon value's exponent, and performs the inverse manipulation. The purpose of using the encryption expansion routine on the decryption key at the start is to "advance" the key expansion sequence to the point where it would have ended after encryption, and "move backward" from that "endpoint" as it decrypts, traversing the sequence in reverse. This is all a consequence of the low-resource design, by not expanding the entire sequence at once, taking almost an entire kilobyte in the process.

I managed to get it all working. There were various bugs here and there, which I managed to find after learning its ins and outs through experimentation. There's somewhat of a fencepost error in the code posted above: there should be one more key expansion before the final round key addition. 256-bit mode generates two round keys per expansion, and 192-bit mode generates 1.5 round keys per expansion, so 128-bit was the only one that needed that last expansion; I noticed that the decryption key was expanded one time fewer than the encryption key, after many exhaustive tests. There were several errors in the 192-bit encryption and decryption that I solved, encryption first, but that's done with, too.
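To make the forward/backward schedule idea concrete, here is an added example in C; it is my own code, not the poster's and not taken from any reference implementation, and the function names are mine. It covers two things from the thread: the earlier request for the key expansions of 2b7e151628aed2a6abf7158809cf4f3c and 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b, checked against the last round keys FIPS-197 Appendix A publishes for those keys (w[40..43] = d014f9a8c9ee2589e13f0cc8b6630ca6 and w[48..51] = e98ba06f448c773c8ecc720401002202), and the "advance to the endpoint, then walk back" explanation above: ten forward steps of the 128-bit schedule leave rcon at 0x6c, and ten backward steps from the last round key, using the inverse rcon formula from the thread, recover the original key with rcon back at 1. The S-box is computed at start-up from the GF(2^8) inverse and affine map rather than tabulated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the poster's code. xtime and rcon_inv follow the
 * formulas used in the thread; the S-box is generated, not tabulated. */
static uint8_t sbox[256];

/* multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 */
static uint8_t xtime(uint8_t x){ return (uint8_t)((x << 1) ^ ((x >> 7) * 0x1b)); }

/* inverse of xtime: shift right, and if a 0x1b reduction happened (low bit
 * set) add the high bit back; 0x8d = (0x1b >> 1) | 0x80 */
static uint8_t rcon_inv(uint8_t x){ return (uint8_t)((x >> 1) ^ ((x & 1) * 0x8d)); }

static uint8_t gf_mul(uint8_t a, uint8_t b){
        uint8_t p = 0;
        for(; b; b >>= 1, a = xtime(a)) if(b & 1) p ^= a;
        return p;
}

/* S-box: multiplicative inverse in GF(2^8), then the FIPS-197 affine map */
static void init_sbox(void){
        for(int x = 0; x < 256; x++){
                uint8_t inv = 0;
                for(int y = 1; x && y < 256; y++)
                        if(gf_mul((uint8_t)x, (uint8_t)y) == 1){ inv = (uint8_t)y; break; }
                uint8_t s = inv;
                for(int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
                sbox[x] = (uint8_t)(s ^ 0x63);
        }
}

/* round key N -> N+1 in place (128-bit schedule, column-major bytes) */
static void round_key_next(uint8_t k[16], uint8_t *rc){
        k[0] ^= sbox[k[13]] ^ *rc; k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];       k[3] ^= sbox[k[12]];
        *rc = xtime(*rc);
        for(int i = 4; i < 16; i += 4)
                for(int j = 0; j < 4; j++) k[i + j] ^= k[i - 4 + j];
}

/* round key N+1 -> N: undo the linear words last-first, step rcon back,
 * then undo the first word with the rcon that produced it */
static void round_key_prev(uint8_t k[16], uint8_t *rc){
        for(int i = 12; i > 0; i -= 4)
                for(int j = 0; j < 4; j++) k[i + j] ^= k[i - 4 + j];
        *rc = rcon_inv(*rc);
        k[0] ^= sbox[k[13]] ^ *rc; k[1] ^= sbox[k[14]];
        k[2] ^= sbox[k[15]];       k[3] ^= sbox[k[12]];
}

/* one-shot FIPS-197 expansion for 16/24/32-byte keys; w receives 16*(Nr+1)
 * bytes and that byte count is returned */
static int expand_key(const uint8_t *key, int keylen, uint8_t *w){
        int nk = keylen / 4, total = 16 * (nk + 7);
        uint8_t rc = 1;
        memcpy(w, key, keylen);
        for(int i = keylen; i < total; i += 4){
                uint8_t t[4];
                memcpy(t, w + i - 4, 4);
                if((i / 4) % nk == 0){                  /* RotWord, SubWord, Rcon */
                        uint8_t t0 = t[0];
                        t[0] = sbox[t[1]] ^ rc; t[1] = sbox[t[2]];
                        t[2] = sbox[t[3]];      t[3] = sbox[t0];
                        rc = xtime(rc);
                } else if(nk == 8 && (i / 4) % nk == 4){ /* extra SubWord, AES-256 only */
                        for(int j = 0; j < 4; j++) t[j] = sbox[t[j]];
                }
                for(int j = 0; j < 4; j++) w[i + j] = w[i - keylen + j] ^ t[j];
        }
        return total;
}

/* FIPS-197 A.1 key: ten steps forward must give w[40..43] with rcon at 0x6c,
 * and ten steps back from there must give the key again with rcon at 1 */
static int check_aes128_step_and_unstep(void){
        static const uint8_t key[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                        0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
        static const uint8_t last[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,
                                         0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
        uint8_t k[16], w[176], rc = 1;
        init_sbox();
        memcpy(k, key, 16);
        for(int r = 0; r < 10; r++) round_key_next(k, &rc);
        if(memcmp(k, last, 16) != 0 || rc != 0x6c) return 0;
        expand_key(key, 16, w);                        /* one-shot schedule agrees */
        if(memcmp(w + 160, last, 16) != 0) return 0;
        for(int r = 0; r < 10; r++) round_key_prev(k, &rc);
        return memcmp(k, key, 16) == 0 && rc == 1;
}

/* FIPS-197 A.2 key, the 192-bit key asked about: last round key w[48..51] */
static int check_aes192_last_round_key(void){
        static const uint8_t key[24] = {0x8e,0x73,0xb0,0xf7,0xda,0x0e,0x64,0x52,
                                        0xc8,0x10,0xf3,0x2b,0x80,0x90,0x79,0xe5,
                                        0x62,0xf8,0xea,0xd2,0x52,0x2c,0x6b,0x7b};
        static const uint8_t last[16] = {0xe9,0x8b,0xa0,0x6f,0x44,0x8c,0x77,0x3c,
                                         0x8e,0xcc,0x72,0x04,0x01,0x00,0x22,0x02};
        uint8_t w[208];
        init_sbox();
        return expand_key(key, 24, w) == 208 && memcmp(w + 192, last, 16) == 0;
}

int main(void){
        printf("AES-128 step/unstep: %s\n", check_aes128_step_and_unstep() ? "ok" : "FAIL");
        printf("AES-192 last round key: %s\n", check_aes192_last_round_key() ? "ok" : "FAIL");
        return 0;
}
```

The point of the round trip is the one the thread arrives at: a decryptor that steps the schedule backwards must start from the last round key with rcon at 0x6c, not from the cipher key with rcon at 1, and it must take exactly as many backward steps as encryption took forward steps (ten for a 128-bit key), which is what the missing expansion before the final AddRoundKey amounts to. Dumping the 16-byte buffer after each round_key_next call prints the same w[4i..4i+3] lines as Appendix A, in byte order.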
