AES [Advanced Encryption Standard]
AES Parameters

| | AES-128 | AES-192 | AES-256 |
|---|---|---|---|
| Key size (bits) | 128 | 192 | 256 |
| Block size (bits) | 128 | 128 | 128 |
| Number of rounds | 10 | 12 | 14 |
| Round key size (bits) | 128 | 128 | 128 |
AES encryption flow chart (figure)
Byte Substitution

First, split the 128-bit data into 16 single-byte blocks:

$S_{0,0}, S_{1,0}, S_{2,0}, S_{3,0}, S_{0,1}, S_{1,1}, \ldots, S_{3,3}$

and arrange them column by column into a matrix:

$$\left[\begin{matrix} S_{0,0} & S_{0,1} & S_{0,2} & S_{0,3}\\ S_{1,0} & S_{1,1} & S_{1,2} & S_{1,3}\\ S_{2,0} & S_{2,1} & S_{2,2} & S_{2,3}\\ S_{3,0} & S_{3,1} & S_{3,2} & S_{3,3} \end{matrix}\right]$$

Take $S_{1,1}$ = 0101 0011 as an example: the high nibble (5) selects the row and the low nibble (3) selects the column, so $S_{1,1}$ is replaced by the S-box entry at row 5, column 3.

Unlike DES, this S-table is not only a lookup table: it can also be computed arithmetically, which makes a software implementation faster than DES. The computation goes as follows.
Build A Map

Again take $S_{1,1}$ = 0101 0011 as the example.

1. Map the 8-bit value into the Galois field, compute the multiplicative inverse of the polynomial, and convert the result back to 8 bits.

$$GF(2^8) = \mathbb{Z}_2[x]/(x^8+x^4+x^3+x+1)$$

(1) $\mathbb{Z}_{256} \to \mathbb{Z}_2[x]/(x^8+x^4+x^3+x+1)$, i.e. 01010011 → $x^6+x^4+x+1$.

(2) Compute the inverse of $x^6+x^4+x+1$ with the extended Euclidean algorithm. Let $p(x)=x^8+x^4+x^3+x+1$ and $q(x)=x^6+x^4+x+1$:

$$\begin{aligned} p(x) &= q(x)\,(x^2+1) + x^2 \\ q(x) &= x^2\,(x^4+x^2) + (x+1) \\ x^2 &= (x+1)(x+1) + 1 \end{aligned}$$

Substituting back up the chain:

$$\begin{aligned} 1 &= x^2 + (x+1)(x+1) \\ &= x^2 + \bigl(q(x) + x^2(x^4+x^2)\bigr)(x+1) \\ &= q(x)(x+1) + x^2\bigl((x^4+x^2)(x+1)+1\bigr) \\ &= q(x)(x+1) + \bigl(p(x) + q(x)(x^2+1)\bigr)\bigl((x^4+x^2)(x+1)+1\bigr) \\ &= q(x)\Bigl((x^2+1)\bigl((x^4+x^2)(x+1)+1\bigr) + (x+1)\Bigr) + p(x)\bigl((x^4+x^2)(x+1)+1\bigr) \end{aligned}$$

so

$$q(x)^{-1} = (x^2+1)\bigl((x^4+x^2)(x+1)+1\bigr) + (x+1) = x^7+x^6+x^3+x$$

(3) Convert the polynomial back to 8 bits: $x^7+x^6+x^3+x$ → 11001010.
2. Affine transformation $B = Z A^{-1} + C$, where

$$B=\left[\begin{matrix} b_0\\b_1\\b_2\\b_3\\b_4\\b_5\\b_6\\b_7 \end{matrix}\right]\quad Z=\left[\begin{matrix} 1&0&0&0&1&1&1&1\\ 1&1&0&0&0&1&1&1\\ 1&1&1&0&0&0&1&1\\ 1&1&1&1&0&0&0&1\\ 1&1&1&1&1&0&0&0\\ 0&1&1&1&1&1&0&0\\ 0&0&1&1&1&1&1&0\\ 0&0&0&1&1&1&1&1 \end{matrix}\right]\quad A^{-1}=\left[\begin{matrix} a_0\\a_1\\a_2\\a_3\\a_4\\a_5\\a_6\\a_7 \end{matrix}\right]=\left[\begin{matrix} 0\\1\\0\\1\\0\\0\\1\\1\end{matrix}\right]\quad C=\left[\begin{matrix} 1\\1\\0\\0\\0\\1\\1\\0 \end{matrix}\right]$$

Here $a_0 \ldots a_7$ are the bits of the inverse 11001010 from least significant to most significant, and all arithmetic is over GF(2), so addition is XOR.
Computing this gives:

$$B=\left[\begin{matrix} 0\\1\\1\\1\\0\\0\\0\\1 \end{matrix}\right] + \left[\begin{matrix} 1\\1\\0\\0\\0\\1\\1\\0 \end{matrix}\right] = \left[\begin{matrix} 1\\0\\1\\1\\0\\1\\1\\1 \end{matrix}\right]$$

Reading the bits as $b_7 \ldots b_0$, B = 11101101 → ED, which agrees with the table lookup.
As for why the affine transformation is chosen this way, Joan Daemen and Vincent Rijmen put it as follows:

'We have chosen an affine transformation that has a very simple description per se, but a complicated algebraic expression if combined with the transformation g.' [1]

Note: g refers to the inversion step.
Shift Row

Take the 4×4 byte matrix B produced by Byte Substitution and rotate its rows cyclically: the first row is not moved, the second row is rotated left by one byte, the third row by two bytes and the fourth row by three bytes. The result is the matrix C.
Mix Column

$$c(x) = \text{'03'}\,x^3 + \text{'01'}\,x^2 + \text{'01'}\,x + \text{'02'}$$

Each column of the matrix C is read as the coefficients of a cubic polynomial; the first column, for example, becomes $C_{0,0} + C_{1,0}\,x + C_{2,0}\,x^2 + C_{3,0}\,x^3$. That polynomial is multiplied by $c(x)$ modulo $x^4+1$, and the coefficients of the resulting cubic polynomial (constant term included) form the first column of the matrix D, as shown in the figure below:

For convenience this step can be written as a matrix multiplication instead:
$$\left[\begin{matrix} 02&03&01&01\\ 01&02&03&01\\ 01&01&02&03\\ 03&01&01&02 \end{matrix}\right] * \left[\begin{matrix} c_{0,0}&c_{0,1}&c_{0,2}&c_{0,3}\\ c_{1,0}&c_{1,1}&c_{1,2}&c_{1,3}\\ c_{2,0}&c_{2,1}&c_{2,2}&c_{2,3}\\ c_{3,0}&c_{3,1}&c_{3,2}&c_{3,3} \end{matrix}\right] = \left[\begin{matrix} d_{0,0}&d_{0,1}&d_{0,2}&d_{0,3}\\ d_{1,0}&d_{1,1}&d_{1,2}&d_{1,3}\\ d_{2,0}&d_{2,1}&d_{2,2}&d_{2,3}\\ d_{3,0}&d_{3,1}&d_{3,2}&d_{3,3} \end{matrix}\right]\tag{1}$$
We now know that $d_{0,0}$ = '02'$c_{0,0}$ + '03'$c_{1,0}$ + '01'$c_{2,0}$ + '01'$c_{3,0}$, where each product is a multiplication in GF(2^8) and each '+' is an XOR. How do we obtain the 8-bit value of $d_{0,0}$?

The answer is the same as before: convert to polynomials, compute, and convert back to 8 bits.
Suppose

$$\left[\begin{matrix}c_{0,0}\\c_{1,0}\\c_{2,0}\\c_{3,0}\end{matrix}\right] = \left[\begin{matrix}02\\ED\\01\\01\end{matrix}\right]$$
Then

$$\begin{aligned} \text{'02'}c_{0,0} + \text{'03'}c_{1,0} + \text{'01'}c_{2,0} + \text{'01'}c_{3,0} &= \text{'02'}\cdot\text{'02'} + \text{'03'}\cdot\text{'ED'} + \text{'01'}\cdot\text{'01'} + \text{'01'}\cdot\text{'01'} \\ &\to (x)(x) + (x+1)(x^7+x^6+x^5+x^3+x^2+1) + (1)(1) + (1)(1) \pmod{x^8+x^4+x^3+x+1} \\ &= x^2 + (x^8+x^7+x^6+x^4+x^3+x) + (x^7+x^6+x^5+x^3+x^2+1) + 1 + 1 \\ &= x^8+x^5+x^4+x+1 \\ &= x^5+x^3 \pmod{x^8+x^4+x^3+x+1} \end{aligned}$$

So $x^5+x^3$ → 0010 1000 → '28', i.e. $d_{0,0}$ = '28'.

Proceeding in the same way for the remaining entries gives the whole matrix D.
As for the choice of the polynomial $c(x)$ and the modulus $x^4+1$: $c(x)$ is invertible modulo $x^4+1$, so the matrix (1) formed from $c(x)$ is an invertible matrix, and $c(x)$ itself is simple. Joan Daemen and Vincent Rijmen explain it this way:

'Selection. The diffusion and performance criteria have led us to the following choice for the definition of the D-box in MixColumns. The columns of the state are considered as polynomials over GF(2^8) and multiplied modulo x^4+1 with a fixed polynomial c(x). The criteria about invertibility, diffusion and performance impose conditions on the coefficients of c(x). The performance criterion can be satisfied if the coefficients have simple values, such as 00, 01, 02, 03, .... Multiplication with the value 00 or 01 implies no processing at all, multiplication with 02 can be implemented efficiently with a dedicated routine (see Sect. 4.1.1) and multiplication with 03 can be implemented as a multiplication with 02 plus an additional XOR operation with the operand. The diffusion criterion induces a more complicated condition on the coefficients of c(x). We determined the coefficients in such a way that the branch number of MixColumns is five, i.e. the maximum possible for a transformation with these dimensions.' [1]
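The following is an added example, not code from the page or from its references: it carries out the Mix Column step above in code, with multiplication by '02' done as the shift-and-reduce routine the quote mentions and '03' as '02' plus an XOR, and it also applies the inverse matrix ($c(x)^{-1}$ modulo $x^4+1$) so the invertibility claim can be checked directly. The function names are this example's own; the sample column [02, ED, 01, 01] is the one used in the worked computation.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def xtime(a: int) -> int:
    """Multiply by x, i.e. by '02', in GF(2^8): shift left, reduce if bit 8 is set."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8), built from xtime by shift-and-add.
    '03' * c therefore comes out as xtime(c) XOR c, as the quote describes."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


# Matrix (1) from the page: c(x) = 03 x^3 + 01 x^2 + 01 x + 02 acting on a column.
MIX = [
    [0x02, 0x03, 0x01, 0x01],
    [0x01, 0x02, 0x03, 0x01],
    [0x01, 0x01, 0x02, 0x03],
    [0x03, 0x01, 0x01, 0x02],
]

# c(x)^{-1} mod x^4 + 1 = 0B x^3 + 0D x^2 + 09 x + 0E, the matrix decryption uses.
INV_MIX = [
    [0x0E, 0x0B, 0x0D, 0x09],
    [0x09, 0x0E, 0x0B, 0x0D],
    [0x0D, 0x09, 0x0E, 0x0B],
    [0x0B, 0x0D, 0x09, 0x0E],
]


def mul_column(matrix, column):
    """Matrix times column over GF(2^8): '*' is gf_mul and '+' is XOR."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, c in zip(row, column):
            acc ^= gf_mul(coeff, c)
        out.append(acc)
    return out


def mix_column(column):
    """MixColumns on one 4-byte column (top to bottom: c_{0,j} .. c_{3,j})."""
    return mul_column(MIX, column)


def inv_mix_column(column):
    """Inverse MixColumns; inv_mix_column(mix_column(col)) == col for every col."""
    return mul_column(INV_MIX, column)


def mix_columns(state):
    """MixColumns on a whole 4x4 state given as a list of four columns."""
    return [mix_column(col) for col in state]


if __name__ == "__main__":
    # Constructed input: the column [02, ED, 01, 01] from the page's worked example.
    col = [0x02, 0xED, 0x01, 0x01]
    d = mix_column(col)
    print("d_0,0 =", f"{d[0]:02X}")                     # 28, as derived on the page
    print("column of D:", " ".join(f"{b:02X}" for b in d))
    print("inverse recovers C:", inv_mix_column(d) == col)
```

Running it reproduces $d_{0,0}$ = 28 and fills in the rest of the column, and the round trip through `inv_mix_column` is the concrete form of the "invertible modulo $x^4+1$" requirement: without it, decryption could not undo this step.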
XOR Round Key

This step is straightforward: the matrix D produced by Mix Column is XORed with the round key matrix K, giving the matrix E, the output of the first round:

The round keys are produced by key expansion.
Key Expansion

First, the initial 128-bit key matrix is grouped by columns into $w_0, w_1, w_2, w_3$:

$$w_0=\left[\begin{matrix}k_{0,0}\\k_{1,0}\\k_{2,0}\\k_{3,0}\end{matrix}\right]\quad w_1=\left[\begin{matrix}k_{0,1}\\k_{1,1}\\k_{2,1}\\k_{3,1}\end{matrix}\right]\quad w_2=\left[\begin{matrix}k_{0,2}\\k_{1,2}\\k_{2,2}\\k_{3,2}\end{matrix}\right]\quad w_3=\left[\begin{matrix}k_{0,3}\\k_{1,3}\\k_{2,3}\\k_{3,3}\end{matrix}\right]$$
So how is the first round key matrix, i.e. $w_4, w_5, w_6, w_7$, obtained? From the figure the formulas are:

$w_i = w_{i-4} \oplus w_{i-1}$ (i not divisible by 4)

$w_i = w_{i-4} \oplus g(w_{i-1})$ (i divisible by 4, i.e. the first column of each group)

$w_5$ is obtained by XORing $w_4$ and $w_1$, and $w_6$, $w_7$ likewise; the difference is that computing $w_4$ involves the extra function g.

The function g works as follows (using $g(w_3)$ as the example):
1. Rotate the whole column cyclically by one byte, so that the top byte moves to the bottom:

$$w_3=\left[\begin{matrix}AC\\C1\\07\\BD\end{matrix}\right] \to \left[\begin{matrix}C1\\07\\BD\\AC\end{matrix}\right]$$
2. Then look up each byte in the S-box, i.e. map every byte through the S-box:

$$w_3=\left[\begin{matrix}AC\\C1\\07\\BD\end{matrix}\right] \to \left[\begin{matrix}C1\\07\\BD\\AC\end{matrix}\right] \to \left[\begin{matrix}78\\85\\7A\\91\end{matrix}\right]$$
3. Finally, XOR the byte in the first row with $r(i) = 2^{(i-4)/4}$: 78H ⊕ $2^{(4-4)/4}$ = 78H ⊕ 01H = 79H, i.e.

$$w_3=\left[\begin{matrix}AC\\C1\\07\\BD\end{matrix}\right] \to \left[\begin{matrix}C1\\07\\BD\\AC\end{matrix}\right] \to \left[\begin{matrix}78\\85\\7A\\91\end{matrix}\right] \to \left[\begin{matrix}79\\85\\7A\\91\end{matrix}\right]$$

$$g(w_3) = \left[\begin{matrix}79\\85\\7A\\91\end{matrix}\right]$$

Iterating this procedure yields all ten round keys.
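The following is an added example, not code from the page or from its references, and it serves two sections at once: it derives the S-box exactly as the "Build A Map" section does (extended Euclidean algorithm in $\mathbb{Z}_2[x]$ modulo $x^8+x^4+x^3+x+1$, then $B = ZA^{-1} + C$ with the matrix Z and vector C shown there), and it builds the AES-128 key schedule of this section on top of it (rotate the column, map through the S-box, XOR $r(i) = 2^{(i-4)/4}$ into the first byte, then $w_i = w_{i-4} \oplus \ldots$). Function names are this example's own choices. Because the table is computed rather than copied, every lookup in the $g(w_3)$ example can be checked against it; doing so gives S(07) = C5 for the second byte, where the text above shows 85.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1; polynomials are ints, bit i = coefficient of x^i


def poly_divmod(a, b):
    """Quotient and remainder of a / b in Z_2[x] (long division with XOR)."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def poly_mul(a, b):
    """Product in Z_2[x] without reduction (carry-less multiply)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_inverse(x):
    """Step 1 on the page: q(x)^{-1} mod p(x) by the extended Euclidean algorithm.
    Loop invariant: r0 = s0*x and r1 = s1*x (mod p). AES maps 0 to 0."""
    if x == 0:
        return 0
    r0, r1, s0, s1 = AES_POLY, x, 0, 1
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s1, AES_POLY)[1]


# Step 2 on the page: B = Z * A^{-1} + C over GF(2), bit i of a byte being a_i / b_i.
Z = [
    [1, 0, 0, 0, 1, 1, 1, 1],
    [1, 1, 0, 0, 0, 1, 1, 1],
    [1, 1, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 0, 0, 0],
    [0, 1, 1, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 1, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1, 1],
]
C = [1, 1, 0, 0, 0, 1, 1, 0]  # the constant 0x63, written least significant bit first


def affine(a):
    """Apply the affine transformation to the byte a (a_0 is its lowest bit)."""
    a_bits = [(a >> i) & 1 for i in range(8)]
    b = 0
    for i, row in enumerate(Z):
        bit = sum(z & x for z, x in zip(row, a_bits)) & 1
        b |= (bit ^ C[i]) << i
    return b


def sbox_byte(x):
    """One S-box entry: affine transformation of the field inverse."""
    return affine(gf_inverse(x))


SBOX = [sbox_byte(x) for x in range(256)]  # the full table, derived rather than copied


def g(word, round_index):
    """The key-schedule function g: rotate so the top byte moves to the bottom,
    map every byte through the S-box, XOR r = 2^(round_index-1) (in GF(2^8)) into
    the first byte. round_index is (i-4)/4 + 1, i.e. 1 for w_4, 2 for w_8, ..."""
    rotated = word[1:] + word[:1]
    substituted = [SBOX[b] for b in rotated]
    rcon = 1
    for _ in range(round_index - 1):
        rcon = poly_divmod(rcon << 1, AES_POLY)[1]  # multiply by x modulo p(x)
    substituted[0] ^= rcon
    return substituted


def expand_key(key):
    """AES-128 key expansion: a 16-byte key -> 44 words w_0 .. w_43 (11 round keys).
    w_i = w_{i-4} XOR w_{i-1}, except that every fourth word uses g(w_{i-1})."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w


def round_key(words, r):
    """Round key r (0 = the initial key) as 16 bytes: columns w_{4r} .. w_{4r+3}."""
    return bytes(b for word in words[4 * r:4 * r + 4] for b in word)


if __name__ == "__main__":
    print(f"inverse of 53 = {gf_inverse(0x53):02X}, S(53) = {sbox_byte(0x53):02X}")  # CA, ED
    # Constructed column from the page's g(w_3) example, round index 1 (so r = 01)
    print("g(w3) =", " ".join(f"{b:02X}" for b in g([0xAC, 0xC1, 0x07, 0xBD], 1)))
```

The test key used below is the AES-128 example key from FIPS-197 Appendix A.1; checking `expand_key` against its published round keys is the quickest way to confirm that the S-box, the rotation direction and the $r(i)$ sequence are all right at once, since a mistake in any of them changes every later word.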
References:

[1] J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag, Berlin Heidelberg New York, 2002, pp. 36-39.

[2] Tyler_Z, "AES加密过程详解" (Detailed explanation of the AES encryption process), https://blog.csdn.net/qq_38289815/article/details/80900813