
ashtonmendes/AES


Homework #6 - CSCI 531, Spring 2015

The purpose of this assignment is to get familiar with AES and arithmetic in GF(2^8) by implementing AES-128 (Nk=4, Nb=4, Nr=10) from scratch, with the flexibility of changing some of the internal tables.

Compiling

make hw6

An executable named hw6 is created.

Commandline Syntax & Program Output

The commandline syntax for hw6 is as follows:
    hw6 tablecheck -t=tablefile
    hw6 modprod -p1=poly1 -p2=poly2
    hw6 keyexpand -k=key -t=tablefile
    hw6 encrypt -k=key -t=tablefile [file]
    hw6 decrypt -k=key -t=tablefile [file]
    hw6 inverse -p=poly

Square bracketed items are optional. The program follows the UNIX convention that commandline options can come in any order. (Note: a commandline option is a commandline argument that begins with a - character in a commandline syntax specification.) If an input file is not specified, the program reads from stdin. Output of the program goes to stdout and error messages go to stderr.

The meanings of the commands are:

tablecheck   :   Check the integrity of tablefile. Please see tablefile format to see the requirements.
 
modprod   :   Perform the modular product (modulo {01}x^4+{01}) of two polynomials with coefficients in GF(2^8). (Please see equations (4.11) and (4.12) on page 13 of FIPS-197 for how to perform the modular product.) This is referred to as the circle X operation in the lecture slides. The coefficients of the polynomials are represented as hexstrings in poly1 and poly2 (each hexstring has a string length of 8). The first two hex digits correspond to the coefficient for x^3, the next two hex digits correspond to the coefficient for x^2, etc.
 
keyexpand   :   Perform the key expansion algorithm for AES-128 using key as the 16-byte cipher key in hexstring format (32 characters long). Please use the s-box in tablefile.
 
encrypt   :   Encrypts the first 16 bytes of the input using AES-128 driven by tablefile in the ECB mode using key as the encryption key (16 bytes long and in hexstring format). If the filesize of the input is less than 16 bytes, please print an error message. (Please treat the input as a binary file.)
 
decrypt   :   Decrypts the first 16 bytes of the input using AES-128 driven by tablefile in the ECB mode using key as the encryption key (16 bytes long and in hexstring format). If the filesize of the input is less than 16 bytes, please print an error message. (Please treat the input as a binary file.)

Please note that you must not use the Equivalent Inverse Cipher (section 5.3.5 of FIPS-197) implementation because grading requires that you print out the intermediate values from the standard Inverse Cipher.

 
inverse   :   Calculate the multiplicative inverse (modulo {01}x^4+{01}) of the polynomial poly with coefficients in GF(2^8) using the extended Euclidean algorithm. Although there are various ways of implementing the extended Euclidean algorithm, you are required to use the Table Method for this assignment. The Table Method for polynomials with coefficients in GF(2^8) is described on slide 36 of the AES slides.

The output for the various commands is as follows.

tablecheck   :   The command should produce no output in stdout. All error output must go to stderr.
 
modprod   :   The command should output poly1 CIRCLEX poly2 = poly3 where poly3 is the modular product of poly1 and poly2, and each coefficient of a polynomial is printed as {XX} where XX is a hexstring representing a single byte of data. The first two hex digits correspond to the coefficient for x3, the next two hex digits correspond to the coefficient for x2, etc. For example, if poly1 is 03010102 and poly2 is 0b0d090e, the output should be:
  {03}{01}{01}{02} CIRCLEX {0b}{0d}{09}{0e} = {00}{00}{00}{01}
 
keyexpand   :   The command should output all 44 words w[0] through w[43] of the expanded key (the round key for round r is the four consecutive words w[4r] to w[4r+3]). Each word is 4 bytes long and in hexstring format. If the word index is only one digit, please use a blank space before it. The following is an example showing the required format:
  w[ 0]: 2b7e1516
  w[ 1]: 28aed2a6
  w[ 2]: abf71588
  ...
  w[41]: c9ee2589
  w[42]: e13f0cc8
  w[43]: b6630ca6
 
encrypt   :   The output of this command should look like page 36 of the FIPS 197 AES specification. Please see page 35 of the FIPS-197 document regarding the definitions of the lines. Below is an example:
  round[ 0].input    00112233445566778899aabbccddeeff
  round[ 0].k_sch    000102030405060708090a0b0c0d0e0f
  round[ 1].start    00102030405060708090a0b0c0d0e0f0
  round[ 1].s_box    63cab7040953d051cd60e0e7ba70e18c
  round[ 1].s_row    6353e08c0960e104cd70b751bacad0e7
  round[ 1].m_col    5f72641557f5bc92f7be3b291db9f91a
  round[ 1].k_sch    d6aa74fdd2af72fadaa678f1d6ab76fe
  ...
  round[10].start    bd6e7c3df2b5779e0b61216e8b10b689
  round[10].s_box    7a9f102789d5f50b2beffd9f3dca4ea7
  round[10].s_row    7ad5fda789ef4e272bca100b3d9ff59f
  round[10].k_sch    13111d7fe3944a17f307a78b4d2b30c5
  round[10].output   69c4e0d86a7b0430d8cdb78070b4c55a
Please note that there are 4 spaces between the left and the right column, except for the last line where there are only 3 spaces separating the columns.
 
decrypt   :   The output of this command should look like pages 36 and 37 of the FIPS 197 AES specification. Please see page 35 of the FIPS-197 document regarding the definitions of the lines. Below is an example:
  round[ 0].iinput   69c4e0d86a7b0430d8cdb78070b4c55a
  round[ 0].ik_sch   13111d7fe3944a17f307a78b4d2b30c5
  round[ 1].istart   7ad5fda789ef4e272bca100b3d9ff59f
  round[ 1].is_row   7a9f102789d5f50b2beffd9f3dca4ea7
  round[ 1].is_box   bd6e7c3df2b5779e0b61216e8b10b689
  round[ 1].ik_sch   549932d1f08557681093ed9cbe2c974e
  round[ 1].ik_add   e9f74eec023020f61bf2ccf2353c21c7
  ...
  round[10].istart   6353e08c0960e104cd70b751bacad0e7
  round[10].is_row   63cab7040953d051cd60e0e7ba70e18c
  round[10].is_box   00102030405060708090a0b0c0d0e0f0
  round[10].ik_sch   000102030405060708090a0b0c0d0e0f
  round[10].ioutput  00112233445566778899aabbccddeeff
Please note that there are 3 spaces between the left and the right column, except for the last line where there are only 2 spaces separating the columns.
 
inverse   :   The command should output the trace of the execution of the Table Method version of the extended Euclidean algorithm. At step i (i ≥ 3), you need to make the coefficient for x^(6-i) in rem[i] to be {00} (except when i = 6, where you need to make it {01}). At the end of iteration i, you should check to see if rem[i] is zero (i.e., all coefficients are {00}). If it is, then you terminate and say that there is no inverse.

Below is an example with poly being 03010102:

  i=1, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{00}
  i=2, rem[i]={03}{01}{01}{02}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{01}
  i=3, rem[i]={00}{a4}{a5}{a5}, quo[i]={00}{00}{f6}{52}, aux[i]={00}{00}{f6}{52}
  i=4, rem[i]={00}{00}{4f}{c5}, quo[i]={00}{00}{8a}{4f}, aux[i]={00}{8f}{40}{45}
  i=5, rem[i]={00}{00}{00}{9a}, quo[i]={00}{00}{f3}{ca}, aux[i]={09}{78}{26}{cd}
  i=6, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{a8}{05}, aux[i]={0b}{0d}{09}{0e}
  Multiplicative inverse of {03}{01}{01}{02} is {0b}{0d}{09}{0e}
Below is an example with poly being 01020102 where it does not have a multiplicative inverse:
  i=1, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{00}
  i=2, rem[i]={01}{02}{01}{02}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{01}
  i=3, rem[i]={00}{05}{00}{05}, quo[i]={00}{00}{01}{02}, aux[i]={00}{00}{01}{02}
  i=4, rem[i]={00}{00}{00}{00}, quo[i]={00}{00}{52}{a4}, aux[i]={00}{52}{00}{52}
  {01}{02}{01}{02} does not have a multiplicative inverse.
Please note that if the degree of poly is less than 3 or the degree of rem[i] does not decrease by exactly 1 in each step, the above algorithm would not work without a minor adjustment. If the degree of rem[i-1] is j and the degree of rem[i] is k, the quotient will be a polynomial of degree j - k. (The above case corresponds to the case where k is always j - 1 and the algorithm would terminate at the end of iteration 6.) With the adjustment, the algorithm may terminate before iteration 6.

Below is an example with poly being 00020202:

  i=1, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{00}
  i=2, rem[i]={00}{02}{02}{02}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{01}
  i=3, rem[i]={00}{00}{01}{01}, quo[i]={00}{8d}{8d}{00}, aux[i]={00}{8d}{8d}{00}
  i=4, rem[i]={00}{00}{00}{02}, quo[i]={00}{00}{02}{00}, aux[i]={01}{01}{00}{01}
  i=5, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{8d}{00}, aux[i]={8d}{8d}{00}{8d}
  Multiplicative inverse of {00}{02}{02}{02} is {8d}{8d}{00}{8d}

Here is another example with poly being 00000201:

  i=1, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{00}
  i=2, rem[i]={00}{00}{02}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{01}
  i=3, rem[i]={00}{00}{00}{75}, quo[i]={8d}{cb}{e8}{74}, aux[i]={8d}{cb}{e8}{74}
  i=4, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{71}{00}, aux[i]={d7}{e6}{73}{b4}
  Multiplicative inverse of {00}{00}{02}{01} is {d7}{e6}{73}{b4}

The following is the reverse of the previous example (poly is d7e673b4):

  i=1, rem[i]={00}{00}{00}{01}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{00}
  i=2, rem[i]={d7}{e6}{73}{b4}, quo[i]={00}{00}{00}{00}, aux[i]={00}{00}{00}{01}
  i=3, rem[i]={00}{00}{00}{75}, quo[i]={00}{00}{ea}{75}, aux[i]={00}{00}{ea}{75}
  i=4, rem[i]={00}{00}{00}{01}, quo[i]={7e}{3f}{92}{fc}, aux[i]={00}{00}{02}{01}
  Multiplicative inverse of {d7}{e6}{73}{b4} is {00}{00}{02}{01}

For your convenience, the multiplicative inverses of {00} through {ff} in AES's finite field are listed below, in row-major order: the entry in row r (counting from 0), column c is the inverse of the byte 16r + c, so the second line starts with the inverses of {10} and {11}. (Clearly, {00} cannot have an inverse; but its inverse is listed as {00} anyway. It should not cause any problem because it should never be accessed.)

00018df6cb527bd1e84f29c0b0e1e5c7
74b4aa4b992b605f583ffdccff40eeb2
3a6e5af1554da8c9c10a98153044a2c2
2c45926cf3396642f235206f77bb5919
1dfe37672d31f569a764ab135425e909
ed5c05ca4c2487bf183e22f051ec6117
165eafd349a63643f44791df3393213b
79b7978510b5ba3cb670d006a1fa8182
837e7f809673be569b9e95d9f702b9a4
de6a326dd88a84722a149f88f9dc899a
fb7c2ec38fb8654826c8124acee7d262
0ce01fef11757871a58e763dbdbc8657
0b282fa3dad4e40fa92753041bfcace6
7a07ae63c5dbe2ea948bc4d59df8906b
b10dd6ebc60ecfad084ed7e35d501eb3
5b2338346846038cdd9c7da0cd1a411c

tablefile Format

A tablefile is an ASCII file containing exactly 3 lines. Each line has the format key=value where key can be one of the following (must be in uppercase): S, P, and INVP. To the right of the equal sign, value contains a single hexstring. There should be no white space (such as space or tab characters). The S line corresponds to the AES S-box in row-major order. The P line corresponds to the a(x) polynomial in the MixColumns() transformation. The INVP line corresponds to the a^-1(x) polynomial in the InvMixColumns() transformation. The following are the requirements for each of the tables (and corresponding input lines).

S   :   This table contains a random permutation of the values from 00 through ff, inclusive, as a hexstring of length 512. (You need to compute the inverse transform in your code.)
 
P   :   This table contains a hexstring of length 8 which corresponds to 4 bytes of binary values. Each byte is a coefficient of the a(x) polynomial in the MixColumns() transformation. The first two hex digits correspond to the coefficient for x^3, the next two hex digits correspond to the coefficient for x^2, etc.
 
INVP   :   This table contains a hexstring of length 8 which corresponds to 4 bytes of binary values. Each byte is a coefficient of the a^-1(x) polynomial in the InvMixColumns() transformation. The first two hex digits correspond to the coefficient for x^3, the next two hex digits correspond to the coefficient for x^2, etc.
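A tablecheck parser for this format, as an added C example that is not the repository's own code. It validates a NUL-terminated copy of the file: exactly three key=value lines, keys S, P and INVP (uppercase, each once), values that are exactly 512 or 8 hex digits with no whitespace (the CR of a CRLF file fails the length check), and S a permutation of 00 through ff, reporting each violation on stderr and returning the count, so the command itself writes nothing to stdout. The tablefile it checks is constructed inline: S is a toy permutation (i*7 + 0x63 mod 256), not the AES S-box, and P/INVP are the standard MixColumns polynomials; the two printf lines in main are the demo driver, not what hw6 tablecheck would print. It does not verify that P CIRCLEX INVP equals {00}{00}{00}{01}; the spec does not ask for that, but it is a cheap extra check if you want decrypt to actually invert encrypt for a custom P.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parsed tablefile: the S-box, then a(x) and a^-1(x) with the x^3 coefficient first. */
typedef struct { unsigned char s[256], p[4], invp[4]; } tables;

/* Decode a hexstring into exactly n bytes: it must be exactly 2n hex digits and nothing else,
 * so whitespace, a CR/LF remnant or a wrong length all fail. */
static int hex_decode(const char *hex, unsigned char *out, size_t n)
{
    if (strlen(hex) != 2 * n) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned v;
        if (!isxdigit((unsigned char)hex[2 * i]) || !isxdigit((unsigned char)hex[2 * i + 1])) return -1;
        sscanf(hex + 2 * i, "%2x", &v);
        out[i] = (unsigned char)v;
    }
    return 0;
}

/* tablecheck over a NUL-terminated buffer holding the file.  Every violation is reported on
 * stderr, as the spec requires, and counted; the return value is the number of violations, so 0
 * means: exactly three key=value lines, keys S, P and INVP each once (uppercase), values of the
 * right length with no whitespace, and S a permutation of 00..ff.  Nothing goes to stdout. */
static int tablecheck(const char *text, tables *t)
{
    struct { const char *key; unsigned char *dst; size_t n; int seen; } want[3] =
        { {"S", t->s, 256, 0}, {"P", t->p, 4, 0}, {"INVP", t->invp, 4, 0} };
    int errors = 0, lineno = 0, s_ok = 0;
    char line[2048];
    for (const char *cur = text, *next; *cur; cur = next) {
        size_t len = strcspn(cur, "\n");
        next = cur + len + (cur[len] == '\n');
        lineno++;
        if (len >= sizeof line) { fprintf(stderr, "line %d: too long\n", lineno); errors++; continue; }
        memcpy(line, cur, len); line[len] = '\0';
        char *eq = strchr(line, '=');
        if (!eq) { fprintf(stderr, "line %d: expected key=value\n", lineno); errors++; continue; }
        *eq = '\0';                                   /* line is now the key, eq + 1 the value */
        int k = -1;
        for (int i = 0; i < 3; i++) if (strcmp(line, want[i].key) == 0) k = i;
        if (k < 0) { fprintf(stderr, "line %d: unknown key '%s'\n", lineno, line); errors++; continue; }
        if (want[k].seen++) { fprintf(stderr, "line %d: duplicate %s line\n", lineno, line); errors++; continue; }
        if (hex_decode(eq + 1, want[k].dst, want[k].n) != 0) {
            fprintf(stderr, "line %d: %s must be exactly %zu hex digits, no whitespace\n", lineno, line, 2 * want[k].n);
            errors++;
        } else if (k == 0) s_ok = 1;
    }
    for (int i = 0; i < 3; i++) if (!want[i].seen) { fprintf(stderr, "missing %s line\n", want[i].key); errors++; }
    if (lineno != 3) { fprintf(stderr, "expected exactly 3 lines, found %d\n", lineno); errors++; }
    if (s_ok) {                                       /* S must be a permutation: every byte value exactly once */
        int count[256] = {0};
        for (int i = 0; i < 256; i++) count[t->s[i]]++;
        for (int i = 0; i < 256; i++)
            if (count[i] != 1) { fprintf(stderr, "S: value %02x occurs %d times\n", i, count[i]); errors++; }
    }
    return errors;
}

/* Constructed sample, not a real course tablefile: S is the toy permutation i*7 + 0x63 mod 256
 * (NOT the AES S-box), P/INVP are the standard MixColumns polynomials.  With corrupt != 0 the
 * first two S entries are both set to 00, so 00 repeats and 63/6a go missing. */
static void sample_tablefile(char *buf, size_t cap, int corrupt)
{
    size_t n = (size_t)snprintf(buf, cap, "S=");
    for (int i = 0; i < 256; i++) n += (size_t)snprintf(buf + n, cap - n, "%02x", (i * 7 + 0x63) & 0xff);
    if (corrupt) memcpy(buf + 2, "0000", 4);
    snprintf(buf + n, cap - n, "\nP=03010102\nINVP=0b0d090e\n");
}

int main(void)
{
    char buf[1024]; tables t;
    sample_tablefile(buf, sizeof buf, 0);
    printf("well-formed tablefile: %d violation(s)\n", tablecheck(buf, &t));
    sample_tablefile(buf, sizeof buf, 1);
    printf("corrupted S table:     %d violation(s)\n", tablecheck(buf, &t));
    return 0;
}
```

Reading the file into one buffer and splitting on '\n' keeps the line-count rule and the no-whitespace rule in one place; a lowercase key such as s= is rejected as unknown rather than silently accepted, which is what "must be in uppercase" asks for.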

About

Implementation of the AES encryption standard in C