52 Things: Number 17: Describe and compare the round structure of DES and AES.
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week, we describe and compare the round structure of DES and AES.
Both DES and AES are examples of iterated block ciphers. Such block ciphers obtain their security by repeated use of a simple round function. The round function takes an n-bit block and returns an n-bit block, where n is the block size of the overall cipher. The number of rounds r can either be variable or fixed. As a general rule, increasing the number of rounds will increase the level of security of the block cipher. Each use of the round function employs a round key k_i (where 1 ≤ i ≤ r) derived from the main secret key k, using an algorithm called a key schedule. To allow decryption, for every round key the function implementing the round must be invertible, and for decryption the round keys are used in the opposite order to that used for encryption. In DES the functions needed to implement the round function are not invertible, but the whole round is invertible. For AES (Rijndael) not only is the whole round function invertible, but every function used to build the round function is also invertible.
More particularly, the DES cipher is a variant of the basic Feistel cipher. The interesting property of a Feistel cipher is that the round function is invertible regardless of the choice of the function in the box marked F. To see this, notice that each encryption round is given by:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(K_i, R_{i-1}).
Hence, the decryption can be performed via:
R_{i-1} = L_i
L_{i-1} = R_i ⊕ F(K_i, L_i).
This way we can choose any function for F, and we will still obtain an encryption function which can be inverted using the secret key. The same code/circuitry can be used for the encryption and decryption functions; we only need to use the round keys in the reverse order for decryption. As a variant of the Feistel cipher design, DES has the following distinct characteristics:
- the number of rounds r is 16,
- the block length n is 64 bits,
- the key length is 56 bits,
- the round keys K_1, ..., K_16 are each 48 bits,
- before and after the main Feistel iteration a permutation is performed.
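The Feistel property described above, as an added Python example that is not DES and not code from the original post: the round function F is deliberately non-invertible (a truncated hash), yet the cipher decrypts correctly, and decryption can even reuse the encryption code with the round keys reversed. The 32-bit half size, the hash-based F and the toy key schedule are assumptions made only for this illustration.

```python
# Added example (not DES and not code from the original post): a generic
# Feistel network whose round function F is deliberately NOT invertible,
# demonstrating that the round structure alone makes encryption invertible.
# The 32-bit half size, the hash-based F and the toy key schedule are all
# assumptions made for illustration only.
import hashlib

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def F(round_key, right):
    """Round function: the first 4 bytes of SHA-256(key || right). Not invertible."""
    data = round_key.to_bytes(4, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(master_key, rounds):
    """Derive one 32-bit round key K_1..K_r from the master key (toy schedule)."""
    keys = []
    for i in range(1, rounds + 1):
        digest = hashlib.sha256(master_key + bytes([i])).digest()
        keys.append(int.from_bytes(digest[:4], "big"))
    return keys


def feistel_round(left, right, round_key):
    """One encryption round: L_i = R_{i-1}, R_i = L_{i-1} xor F(K_i, R_{i-1})."""
    return right, left ^ F(round_key, right)


def encrypt_block(block, round_keys):
    """Encrypt a 64-bit block by running the rounds with K_1, ..., K_r in order."""
    left, right = block >> HALF_BITS, block & MASK
    for k in round_keys:
        left, right = feistel_round(left, right, k)
    return (left << HALF_BITS) | right


def decrypt_block(block, round_keys):
    """Undo the rounds in reverse: R_{i-1} = L_i, L_{i-1} = R_i xor F(K_i, L_i)."""
    left, right = block >> HALF_BITS, block & MASK
    for k in reversed(round_keys):
        left, right = right ^ F(k, left), left
    return (left << HALF_BITS) | right


def decrypt_with_encrypt_circuit(block, round_keys):
    """Same code as encryption: swap the halves, run the rounds with the keys
    in reverse order, and swap back. No separate decryption logic is needed."""
    swap = lambda b: ((b & MASK) << HALF_BITS) | (b >> HALF_BITS)
    return swap(encrypt_block(swap(block), list(reversed(round_keys))))
```

The point to take away is that nothing about F was needed for decryption except the ability to recompute it: invertibility comes from the XOR-and-swap structure, which is why DES can use non-invertible S-box and permutation stages inside F.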
In summary, the DES cipher operates on a 64-bit plaintext in the following way:
- Perform an initial permutation.
- Split the block into left and right halves.
- Perform 16 rounds of identical operations (Feistel cipher). In each round the F function consists of the following six stages:
  - Expansion Permutation: The right half of 32 bits is expanded and permuted to 48 bits.
  - Round Key Addition: The 48-bit output from the expansion permutation is XORed with the round key, which is also 48 bits in length.
  - Splitting: The resulting 48-bit value is split into eight lots of six-bit values.
  - S-Box: Each six-bit value is passed into one of eight different S-Boxes (Substitution Boxes) to produce a four-bit result. Each S-Box is a look-up table of four rows and sixteen columns. The six input bits specify which row and column to use: bits 1 and 6 select the row, whilst bits 2, 3, 4 and 5 select the column. The output of each S-Box is the value held in that element of the table.
  - P-Box: We now have eight lots of four-bit outputs, which are combined into a 32-bit value and permuted to form the output of the function F.
- Join the half blocks back together.
- Perform a final permutation.
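The S-Box addressing rule from the list above (outer bits pick the row, inner four bits pick the column), as an added Python example that is not a DES implementation and not code from the original post. S1 is the first of the eight standard DES S-boxes published in FIPS 46-3; the splitting helper and the table sanity check are illustrative additions.

```python
# Added example (not a DES implementation and not code from the original post):
# how a DES S-box consumes its six input bits. S1 is the first of the eight
# standard DES S-boxes as published in FIPS 46-3; the other seven follow the
# same row/column addressing rule.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def split_48(value48):
    """Split a 48-bit value into eight 6-bit chunks, leftmost chunk first."""
    if not 0 <= value48 < (1 << 48):
        raise ValueError("expected a 48-bit value")
    return [(value48 >> (6 * (7 - i))) & 0x3F for i in range(8)]


def sbox_lookup(sbox, six_bits):
    """Map six bits b1..b6 (b1 leftmost) to four bits: row = b1 b6, column = b2 b3 b4 b5."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be a 6-bit value")
    b1 = (six_bits >> 5) & 1          # leftmost input bit
    b6 = six_bits & 1                 # rightmost input bit
    row = (b1 << 1) | b6
    column = (six_bits >> 1) & 0xF    # the middle four bits b2..b5
    return sbox[row][column]


def is_valid_sbox(sbox):
    """Sanity check for a transcribed table: 4 rows, each a permutation of 0..15.
    This is the structural property every DES S-box is required to have."""
    return len(sbox) == 4 and all(sorted(row) == list(range(16)) for row in sbox)
```

The FIPS 46-3 worked example, S1(011011) = 0101, follows directly: bits 1 and 6 are 0 and 1, so row 1; bits 2 to 5 are 1101, so column 13. A common transcription mistake is to read the six bits as a single 0..63 index into a flat table, which silently changes the cipher.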
The DES key schedule takes the 56-bit key, which is actually input as a bitstring of 64 bits comprising the key and eight parity bits for error detection. It first permutes the bits of the key (this permutation takes a 64-bit input and produces a 56-bit output, hence discarding the parity bits). The output of this permutation, called PC-1 in the literature, is divided into a 28-bit left half C_0 and a 28-bit right half D_0. Now for each round we compute:
C_i = C_{i-1} ≪ p_i
D_i = D_{i-1} ≪ p_i
where x ≪ p_i means perform a cyclic shift on x to the left by p_i positions. Finally the two portions C_i and D_i are joined back together and are subject to another permutation, called PC-2, to produce the final 48-bit round key.
Note that a key length of 56 bits is insufficient for many modern applications, hence one often uses DES with three keys and three iterations of the main cipher. Such a version is called Triple DES or 3DES. In 3DES the key length is equal to 168 bits. There is another way of using DES three times, but using two keys instead of three, giving rise to a key length of 112 bits. In this two-key version of 3DES one uses the 3DES basic structure but with the first and third key being equal. However, two-key 3DES is not as secure as one might initially think.
More details on actual values (S-Boxes, P-Boxes and all permutation tables) can be found in [1].
The AES (Rijndael) algorithm, unlike DES, is a block cipher that does not rely on the basic design of the Feistel cipher. However, AES does have a number of similarities with DES. It uses a repeated number of rounds to obtain security, and each round consists of substitutions and permutations plus a key addition phase. AES also has a strong mathematical structure, as most of its operations are based on arithmetic in the field F_{2^8}. However, unlike DES, the encryption and decryption operations are distinct.
AES identifies 32-bit words with polynomials in F_{2^8}[X] of degree less than four. AES is a parametrized algorithm in that it can operate on block sizes of 128, 192 or 256 bits. It can also accept keys of size 128, 192 or 256 bits. For each combination of block and key size a different number of rounds is specified.
To make our discussion simpler we shall consider the simplest, and probably most used, variant, which uses a block size of 128 bits and a key size of 128 bits, in which case 10 rounds are specified. AES operates on an internal four-by-four matrix (S(4,4)) of bytes, called the state matrix, which is usually held as a vector of four 32-bit words, each word representing a column. Each round key is also held as a four-by-four matrix [1]. The AES round function is built from a set of four operations:
- SubBytes: There are two types of S-Boxes used in Rijndael: one for the encryption rounds and one for the decryption rounds, each being the inverse of the other. For the encryption S-Box each byte s = [s_7, ..., s_0] of the state matrix is taken in turn and considered as an element of F_{2^8}. The S-Box can be described mathematically in two steps:
  - The multiplicative inverse in F_{2^8} of s is computed to produce a new byte x = [x_7, ..., x_0].
  - The bit-vector x is then mapped, via an affine F_2 transformation [1], to a new bit-vector y. The new byte is given by y. The decryption S-Box is obtained by first inverting the affine transformation and then taking the multiplicative inverse.
- ShiftRows: The ShiftRows operation in AES performs a cyclic shift on the rows of the state matrix. Each row is shifted by a different offset [1]. The inverse of the ShiftRows operation is simply a similar shift in the opposite direction. The ShiftRows operation ensures that the columns of the state matrix 'interact' with each other over a number of rounds.
- MixColumns: The MixColumns operation ensures that the rows in the state matrix 'interact' with each other over a number of rounds; combined with the ShiftRows operation it ensures that each byte of the output state depends on each byte of the input state [1].
- AddRoundKey: The round key addition is particularly simple. One takes the state matrix and XORs it, byte by byte, with the round key matrix. The inverse of this operation is clearly the same operation.
The AES algorithm can be described using the following pseudo-code:
  AddRoundKey(S, K_0)
  for i = 1 to 9 do
    SubBytes(S)
    ShiftRows(S)
    MixColumns(S)
    AddRoundKey(S, K_i)
  end
  SubBytes(S)
  ShiftRows(S)
  AddRoundKey(S, K_10)
The message block to encrypt is assumed to be entered into the state matrix S. The output encrypted block is also given by the state matrix S.
The AES key schedule makes use of a round constant which we shall denote by:
RC_i = x^i (mod x^8 + x^4 + x^3 + x + 1)
We label the round keys as (W_{4i}, W_{4i+1}, W_{4i+2}, W_{4i+3}), where i is the round. The initial main key is first divided into four 32-bit words (K_0, K_1, K_2, K_3). The round keys are then computed by the algorithm below, where RotBytes is the function which rotates a word to the left by a single byte, and SubBytes applies the Rijndael encryption S-Box to every byte in a word [1].
  W_0 = K_0, W_1 = K_1, W_2 = K_2, W_3 = K_3
  for i = 1 to 10 do
    T = RotBytes(W_{4i-1})
    T = SubBytes(T)
    T = T ⊕ RC_i
    W_{4i} = W_{4i-4} ⊕ T
    W_{4i+1} = W_{4i-3} ⊕ W_{4i}
    W_{4i+2} = W_{4i-2} ⊕ W_{4i+1}
    W_{4i+3} = W_{4i-1} ⊕ W_{4i+2}
  end
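The four AES operations, the encryption pseudo-code and the key schedule above, put together as one added Python example of AES-128 (not the blog's code and not the Rijndael reference implementation). The S-box is computed exactly as the SubBytes description says, as the field inverse followed by the affine map, rather than stored as a table; the affine map's constants and the inverse MixColumns matrix are taken from FIPS-197. One indexing detail is worth stating plainly: FIPS-197 adds the round constant x^(i-1) when deriving the i-th round key, and the code follows that standard indexing so that it reproduces the published FIPS-197 test vectors.

```python
# Added example, not the blog's or Rijndael's reference code: AES-128 built
# directly from the round structure described on this page. The S-box is
# computed as field inverse followed by the FIPS-197 affine map instead of
# being stored as a table, and the key schedule uses FIPS-197's indexing of
# the round constant (x^(i-1) added when deriving the i-th round key).

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a, b):
    """Multiply two bytes as elements of F_{2^8} modulo AES_POLY."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return product & 0xFF


def gf_inv(a):
    """Multiplicative inverse in F_{2^8}, with inv(0) := 0 as in FIPS-197."""
    result, base, exp = 1, a, 254  # a^254 = a^-1 since the group has order 255
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def affine(x):
    """FIPS-197 affine map: y_i = x_i ^ x_{i+4} ^ x_{i+5} ^ x_{i+6} ^ x_{i+7} ^ c_i, c = 0x63."""
    y = 0
    for i in range(8):
        bit = (x >> i) ^ (x >> ((i + 4) % 8)) ^ (x >> ((i + 5) % 8))
        bit ^= (x >> ((i + 6) % 8)) ^ (x >> ((i + 7) % 8))
        y |= (bit & 1) << i
    return y ^ 0x63


SBOX = [affine(gf_inv(s)) for s in range(256)]   # encryption S-box
INV_SBOX = [SBOX.index(v) for v in range(256)]    # decryption S-box: the inverse table


def sub_bytes(state, table=SBOX):
    return [table[b] for b in state]


def shift_rows(state, inverse=False):
    """state[r + 4c] is row r, column c; row r is rotated left by r (right when inverting)."""
    step = -1 if inverse else 1
    return [state[r + 4 * ((c + step * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state, first_row=(2, 3, 1, 1)):
    """Multiply every column by the circulant matrix whose first row is given;
    (14, 11, 13, 9) is the inverse matrix used for decryption."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(0)
            for k in range(4):
                out[-1] ^= gf_mul(col[k], first_row[(k - r) % 4])
    return out


def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]


def key_expansion(key):
    """Expand a 16-byte key into the 11 round keys K_0..K_10 (16 bytes each, column-major)."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]  # W_0..W_3 = the key itself
    rcon = 0x01                                              # x^0, used for round 1
    for i in range(1, 11):
        t = words[4 * i - 1][1:] + words[4 * i - 1][:1]      # RotBytes
        t = [SBOX[b] for b in t]                             # SubBytes
        t[0] ^= rcon                                         # add the round constant
        rcon = gf_mul(rcon, 0x02)                            # next power of x
        words.append([a ^ b for a, b in zip(words[4 * i - 4], t)])
        for j in range(1, 4):
            words.append([a ^ b for a, b in zip(words[4 * i - 4 + j], words[-1])])
    return [sum(words[4 * i:4 * i + 4], []) for i in range(11)]


def encrypt_block(plaintext, key):
    """One AES-128 block, following the page's pseudo-code (9 full rounds + final round)."""
    if len(plaintext) != 16 or len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte block and a 16-byte key")
    keys = key_expansion(key)
    state = add_round_key(list(plaintext), keys[0])
    for i in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), keys[i])
    return bytes(add_round_key(shift_rows(sub_bytes(state)), keys[10]))


def decrypt_block(ciphertext, key):
    """Decryption uses the distinct inverse operations, applied in reverse order."""
    keys = key_expansion(key)
    state = sub_bytes(shift_rows(add_round_key(list(ciphertext), keys[10]), True), INV_SBOX)
    for i in range(9, 0, -1):
        state = mix_columns(add_round_key(state, keys[i]), (14, 11, 13, 9))
        state = sub_bytes(shift_rows(state, True), INV_SBOX)
    return bytes(add_round_key(state, keys[0]))
```

Contrast this with the Feistel case: decrypt_block cannot reuse encrypt_block, because SubBytes, ShiftRows and MixColumns each need their own inverse, which is exactly the "encryption and decryption operations are distinct" remark above. Computing the S-box at import time rather than pasting a 256-entry table also means a transcription error in the table is impossible, though a production implementation would additionally worry about the timing behaviour of table lookups, which this example does not address.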