The principle of the AES encryption algorithm and its implementation in Go

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

AES was created as the replacement standard for DES; its full name is Advanced Encryption Standard. The AES algorithm was chosen through a public selection process: in 2000, the Rijndael algorithm designed by the Belgian cryptographers Joan Daemen and Vincent Rijmen was selected and became the AES standard.

The AES plaintext block length is 128 bits, or 16 bytes. The key length can be 16, 24 or 32 bytes, that is, a 128-bit, 192-bit or 256-bit key.
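The block and key sizes above can be checked directly against Go's crypto/aes. This added example (not part of the original article or of the Go source) runs the FIPS-197 Appendix C known-answer vectors for all three key lengths and shows that other key lengths are rejected; the names plaintext, vectors, checkVector and keyLenOK are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// FIPS-197 Appendix C vectors (key, ciphertext); the plaintext block is shared.
const plaintext = "00112233445566778899aabbccddeeff"

var vectors = [][2]string{
	{"000102030405060708090a0b0c0d0e0f", "69c4e0d86a7b0430d8cdb78070b4c55a"},
	{"000102030405060708090a0b0c0d0e0f1011121314151617", "dda97ca4864cdfe06eaf70a0ec0d7191"},
	{"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "8ea2b7ca516745bfeafc49904b496089"},
}

// checkVector encrypts one block, compares it with the expected ciphertext,
// and confirms that Decrypt restores the plaintext.
func checkVector(keyHex, wantHex string) error {
	key, _ := hex.DecodeString(keyHex)
	want, _ := hex.DecodeString(wantHex)
	pt, _ := hex.DecodeString(plaintext)
	block, err := aes.NewCipher(key) // fails unless len(key) is 16, 24 or 32
	if err != nil {
		return err
	}
	ct, back := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt) // processes exactly one 16-byte block
	block.Decrypt(back, ct)
	if !bytes.Equal(ct, want) || !bytes.Equal(back, pt) {
		return fmt.Errorf("AES-%d mismatch: got %x", 8*len(key), ct)
	}
	return nil
}

// keyLenOK reports whether crypto/aes accepts an n-byte key.
func keyLenOK(n int) bool {
	_, err := aes.NewCipher(make([]byte, n))
	return err == nil
}

func main() {
	for _, v := range vectors {
		fmt.Printf("AES-%d: %v\n", 4*len(v[0]), checkVector(v[0], v[1]))
	}
	fmt.Println("20-byte key accepted:", keyLenOK(20))
}
```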

General structure

Like DES, AES consists of multiple rounds. Each round is divided into four steps: SubBytes, ShiftRows, MixColumns and AddRoundKey, that is, byte substitution, row shift, column mixing and round key addition. The number of rounds depends on the key length: 128-bit, 192-bit and 256-bit keys require 10, 12 and 14 rounds, respectively. An AddRoundKey (round key addition) is performed before round 1 and can be regarded as round 0. Rounds 1 to N-1 each perform SubBytes, ShiftRows, MixColumns and AddRoundKey; the last round includes only SubBytes, ShiftRows and AddRoundKey.

The number of rounds is denoted Nr. Round key addition is performed Nr+1 times, so Nr+1 subkeys are required. With a 128-bit key, for example, 11 subkeys are needed, so the key must be expanded. The key expansion method is described below. AES does not use a Feistel network; its structure is called an SPN structure.

AES decryption is the reverse operation of the encryption algorithm.

The following is a schematic diagram of the overall structure of AES:

Key expansion

Nk is the number of words in the initial key, where one word is 4 bytes. A 16-byte initial key, for example, has 4 words. The AES encryption process requires a total of Nk+7 subkeys, that is, 4(Nk+7) words; a 16-byte initial key requires 11 subkeys, or 44 words. The first Nk words are the seed key and are filled from the initial key; with a 16-byte initial key, the first four words are filled from the initial key. Each later word W[i] is the XOR of the preceding word W[i-1] and the word Nk positions earlier, W[i-Nk]. For words at positions that are integer multiples of Nk, however, W[i-1] is transformed before the XOR as follows: byte cyclic shift, S-box substitution, and XOR with a round constant.

The following is a schematic diagram of the key expansion:

The AES key expansion in the Go standard library is implemented as follows:

    func expandKeyGo(key []byte, enc, dec []uint32) {
        var i int
        nk := len(key) / 4
        for i = 0; i < nk; i++ {
            // The first Nk words are the seed key, filled from the initial key.
            // With a 16-byte initial key, the first 4 words are filled from the initial key.
            enc[i] = uint32(key[4*i]) ...
        ...
                ... 8&0xff]] ^ td3[sbox0[x&0xff]]
            }
            dec[i+j] = x
        }
    // Code location: src/crypto/aes/block.go
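The expansion rule described above, written out as a stand-alone added example rather than the standard library's code. It computes the S-box instead of embedding the table, and it also applies the extra S-box substitution that FIPS-197 specifies for 256-bit keys when i mod Nk = 4, a case the description above does not cover; buildSbox, subWord and expandKey are names chosen for this example.

```go
package main

import "fmt"

var sbox = buildSbox() // inverse in GF(2^8), then the AES affine transform

func buildSbox() (s [256]byte) {
	p, q := byte(1), byte(1)
	for done := false; !done; done = p == 1 {
		p ^= p<<1 ^ (p>>7)*0x1b // p *= 3, modulus x^8+x^4+x^3+x+1
		q ^= q << 1             // q /= 3, so q stays the inverse of p
		q ^= q << 2
		q ^= q << 4
		q ^= (q >> 7) * 0x09
		s[p] = q ^ (q<<1 | q>>7) ^ (q<<2 | q>>6) ^ (q<<3 | q>>5) ^ (q<<4 | q>>4) ^ 0x63
	}
	s[0] = 0x63 // 0 has no inverse; it maps to the affine constant
	return
}

func subWord(w uint32) uint32 {
	return uint32(sbox[w>>24])<<24 | uint32(sbox[w>>16&0xff])<<16 |
		uint32(sbox[w>>8&0xff])<<8 | uint32(sbox[w&0xff])
}

// expandKey returns the 4*(Nk+7) round-key words for a 16-, 24- or 32-byte key.
func expandKey(key []byte) []uint32 {
	nk, rcon := len(key)/4, byte(1)
	w := make([]uint32, 4*(nk+7))
	for i := 0; i < nk; i++ { // seed: the first Nk words come from the key
		w[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3])
	}
	for i := nk; i < len(w); i++ {
		t := w[i-1]
		if i%nk == 0 {
			t = subWord(t<<8|t>>24) ^ uint32(rcon)<<24 // rotate, S-box, round constant
			rcon = rcon<<1 ^ (rcon>>7)*0x1b            // next round constant
		} else if nk > 6 && i%nk == 4 {
			t = subWord(t) // 256-bit keys only
		}
		w[i] = w[i-nk] ^ t
	}
	return w
}

func main() {
	w := expandKey([]byte("constructed key!")) // constructed 16-byte sample key
	fmt.Printf("%d round-key words, w[4] = %08x\n", len(w), w[4])
}
```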

The four steps in each round are described below: byte substitution, row shift, column mixing, and round key addition.

Byte substitution SubBytes

AES defines an S-box, a 16x16 matrix of bytes that serves as a substitution table for all 256 values representable in 8 bits. The AES block length is 128 bits, that is, 16 bytes. For each byte, the high 4 bits are used as the row index and the low 4 bits as the column index, and the S-box value at that row and column is the output. Each of the 16 input bytes is mapped to a new byte in this way; this is byte substitution.

The S-box and inverse S-box used in the Go standard library are the tables sbox0 and sbox1 (256 bytes each) in src/crypto/aes/const.go.

Row shift ShiftRows

The 16 input bytes of AES form a 4x4 byte matrix. In the row shift, the first row is left unchanged, the second row is rotated left by 1 byte, the third row by 2 bytes, and the fourth row by 3 bytes. The inverse row shift applies the reverse operation to the last three rows: the second row is rotated right by 1 byte, and the other rows are handled similarly.

The row shift is illustrated as follows:

Column mixing MixColumns

Column mixing and inverse column mixing are in fact matrix multiplications, but the addition and multiplication involved are those defined over a finite field.

The following is the forward column mixing:

The following is the inverse column mixing:
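The row shift and the finite-field matrix multiplication of column mixing, as an added example (not code from the article or from crypto/aes). It assumes the FIPS-197 layout, in which the 16 bytes fill the 4x4 state column by column; gmul, shiftRows, mixState, mixFwd and mixInv are names chosen here.

```go
package main

import "fmt"

// gmul multiplies a and b in GF(2^8) modulo x^8+x^4+x^3+x+1.
func gmul(a, b byte) (p byte) {
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a // field addition is XOR
		}
		a = a<<1 ^ (a>>7)*0x1b // multiply by x, reduce on overflow
	}
	return
}

// shiftRows rotates row r left by r bytes (dir = 1) or right (dir = -1).
// The state is column-major: byte i sits in row i%4, column i/4.
func shiftRows(s [16]byte, dir int) (out [16]byte) {
	for i := range out {
		c, r := i/4, i%4
		out[i] = s[4*((c+dir*r+4)%4)+r]
	}
	return
}

// mixState multiplies every column by the circulant matrix with first row m.
func mixState(s [16]byte, m [4]byte) (out [16]byte) {
	for c := 0; c < 16; c += 4 {
		for r := 0; r < 4; r++ {
			for k := 0; k < 4; k++ {
				out[c+r] ^= gmul(m[(k-r+4)%4], s[c+k])
			}
		}
	}
	return
}

var (
	mixFwd = [4]byte{0x02, 0x03, 0x01, 0x01} // MixColumns, first matrix row
	mixInv = [4]byte{0x0e, 0x0b, 0x0d, 0x09} // InvMixColumns, first matrix row
)

func main() {
	s := [16]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15} // constructed sample state
	fmt.Printf("ShiftRows:  %x\nMixColumns: %x\n", shiftRows(s, 1), mixState(s, mixFwd))
}
```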

Round key addition AddRoundKey

Round key addition XORs the 128-bit input with the 128-bit round key.

Implementation of the AES encryption algorithm in the Go standard library

The AES encryption and decryption code in the Go standard library is as follows:

    func newCipherGeneric(key []byte) (cipher.Block, error) {
        n := len(key) + 28
        c := aesCipher{make([]uint32, n), make([]uint32, n)}
        // Key expansion
        expandKeyGo(key, c.enc, c.dec)
        return &c, nil
    }

    // Encryption
    // xk is the subkey group
    func encryptBlockGo(xk []uint32, dst, src []byte) {
        var s0, s1, s2, s3, t0, t1, t2, t3 uint32

        // Arrange the input as a 4x4 matrix
        s0 = uint32(src[0]) ...
        ...
            ... 8)] ^ te3[uint8(s2)]
            k += 4
            s0, s1, s2, s3 = t0, t1, t2, t3
        }

        // The last round includes only byte substitution, row shift and round key addition
        // Byte substitution and row shift
        s0 = uint32(sbox0[t0>>24]) ...
        ...
        dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
        dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
        dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
        dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
    }

    // Decryption
    // xk is the subkey group
    func decryptBlockGo(xk []uint32, dst, src []byte) {
        var s0, s1, s2, s3, t0, t1, t2, t3 uint32

        // Arrange the input as a 4x4 matrix
        s0 = uint32(src[0]) ...
        ...
            ... 8)] ^ td3[uint8(s0)]
            k += 4
            s0, s1, s2, s3 = t0, t1, t2, t3
        }

        // The last round includes only inverse byte substitution, inverse row shift and round key addition
        // Inverse byte substitution and inverse row shift
        s0 = uint32(sbox1[t0>>24]) ...
        ...
        dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
        dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
        dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
        dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
    }
    // Code location: src/crypto/aes/block.go

Postscript

At present, the AES algorithm is secure enough.

To be continued.
