diff options
| -rw-r--r-- | README.md | 74 | ||||
| -rwxr-xr-x | src/model/python/aes.py | 1058 | ||||
| -rwxr-xr-x | src/model/python/aes_key_gen.py | 568 | ||||
| -rw-r--r-- | src/model/python/rcon.py | 586 | ||||
| -rw-r--r-- | src/rtl/aes.v | 23 | ||||
| -rw-r--r-- | src/rtl/aes_core.v | 45 | ||||
| -rw-r--r-- | src/rtl/aes_decipher_block.v | 196 | ||||
| -rw-r--r-- | src/rtl/aes_encipher_block.v | 209 | ||||
| -rw-r--r-- | src/rtl/aes_key_mem.v | 22 | ||||
| -rw-r--r-- | src/tb/tb_aes.v | 100 | ||||
| -rw-r--r-- | src/tb/tb_aes_core.v | 89 | ||||
| -rw-r--r-- | src/tb/tb_aes_decipher_block.v | 10 | ||||
| -rw-r--r-- | src/tb/tb_aes_encipher_block.v | 27 | ||||
| -rw-r--r-- | src/tb/tb_aes_key_mem.v | 11 | ||||
| -rwxr-xr-x | toolruns/Makefile | 50 |
15 files changed, 284 insertions, 2784 deletions
@@ -1,17 +1,22 @@ -aes -====== +aes_speed +========= +Speed optimized Verilog implementation of the symmetric block cipher AES +(Advanced Encryption Standard) as specified in the NIST document [FIPS +197](http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). -Verilog implementation of the symmetric block cipher AES (Advanced -Encryption Standard) as specified in the NIST document [FIPS 197](http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf). +This core is modified version of the Cryptech AES core. Note that the +name of the core modules are identical to that core. The purpose of this +is to allow a drop-in replacement in Cryptech designs. -## Introduction ## +## Status ## +Second round of optimizations done. Core similates correctly. Core has +been implemented in FPGA, but not functionally tested in real HW. + +## Introduction ## This implementation supports 128 and 256 bit keys. The -implementation is iterative and process one 128 block at a time. Blocks -are processed on a word level with 4 S-boxes in the data path. The -S-boxes for encryption are shared with the key expansion and the core -can thus not do key update in parallel with block processing. +implementation is iterative and process one 128 block at a time. The encipher and decipher block processing datapaths are separated and basically self contained given access to a set of round keys and a @@ -21,41 +26,34 @@ will reduce the size to about 50%. For cipher modes such as CTR, GCM decryption in the AES core will never be used and thus the decipher block processing can be removed. -This is a fairly compact implementation. Further reduction could be -achived by just having a single S-box. Similarly the performane can be -increased by having 8 or even 16 S-boxes which would reduce the number -of cycles to two cycles for each round. - +The core has been equipped with 16 S-boxes for encipher and 16 Inverse +S-boxes for decipher. This allows the core to perform the SubBytes and +InverseSubBytes operations in the AES round functions in one cycle. -## Implementation results ## -The core has been implemented in Altera and Xilinx FPGA devices. +The key expansion does not share S-boxes with the encipher datapath, so +the total number of S-boxes is 40. -### Altera Cyclone IV GX ### -- 7497 LEs -- 2994 Regs -- 96 MHz fmax -- 5 cycles/round +## Performance comparison +Number of cycles for the old Cryptech AES core: +- AES-128 Encipher one block with key expansion: 57 +- AES-256 Decipher one block with key expansion: 77 -This means that we can do just about 2 Mblocks/s or 256 Mbps -performance. +Number of cycles for the Cryptech AES speed core: +- AES-128 Encipher one block with key expansion: 16 +- AES-255 Decipher one block with key expansion: 20 -Removing the decipher module yields: -- 5497 LEs -- 2855 Regs -- 106 MHz fmax -- 5 cycles/round +## Implementation comparison +Implementation results for Xilinx Artix7-t200. -### Xilinx Spartan6LX-3 ### -- 2576 slices -- 3000 regs -- 100 MHz -- 5 cycles/round +Old Cryptech AES core: +- 2094 slices +- 2854 regs +- 114 MHz (8.76ns) -### Xilinx Artix7-3 T200 ### -- 2102 slices -- 2991 regs -- 113 MHz (8.79ns) -- 5 cycles/round +Cryptec AES speed core: +- 2112 slices +- 2984 regs +- 116 MHz. (8.62ns) diff --git a/src/model/python/aes.py b/src/model/python/aes.py deleted file mode 100755 index 848ca85..0000000 --- a/src/model/python/aes.py +++ /dev/null @@ -1,1058 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -#======================================================================= -# -# aes.py -# ------ -# Simple, pure Python, word based model of the AES cipher with -# support for 128 and 256 bit keys. -# -# -# Author: Joachim Strombergson -# Copyright (c) 2014, NORDUnet A/S -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# - Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# - Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# - Neither the name of the NORDUnet nor the names of its contributors may -# be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -#======================================================================= - -#------------------------------------------------------------------- -# Python module imports. -#------------------------------------------------------------------- -import sys - - -#------------------------------------------------------------------- -# Constants. -#------------------------------------------------------------------- -VERBOSE = True -DUMP_VARS = True - -AES_128_ROUNDS = 10 -AES_256_ROUNDS = 14 - - -sbox = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, - 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, - 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, - 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, - 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, - 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, - 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, - 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, - 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, - 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, - 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, - 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, - 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, - 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, - 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, - 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, - 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16] - - -inv_sbox = [0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, - 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, - 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, - 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, - 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, - 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, - 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, - 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, - 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, - 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, - 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, - 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, - 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, - 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, - 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, - 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, - 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, - 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, - 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, - 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, - 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, - 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, - 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, - 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, - 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, - 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, - 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d] - - -#------------------------------------------------------------------- -# print_bytekeys() -# -# Print a set of round keys given as an array of bytes. -#------------------------------------------------------------------- -def print_bytekeys(keys): - i = 0 - print("Number of round keys: %d" % (int(len(keys) / 16))) - while i < (len(keys) - 1): - for j in range(16): - print("0x%02x " % keys[i + j], end="") - print("") - i += 16 - -#------------------------------------------------------------------- -# print_block() -# -# Print the given block as four 32 bit words. -#------------------------------------------------------------------- -def print_block(block): - (w0, w1, w2, w3) = block - print("0x%08x, 0x%08x, 0x%08x, 0x%08x" % (w0, w1, w2, w3)) - - -#------------------------------------------------------------------- -# print_key() -# -# Print the given key as on or two sets of four 32 bit words. -#------------------------------------------------------------------- -def print_key(key): - if len(key) == 8: - (k0, k1, k2, k3, k4, k5, k6, k7) = key - print_block((k0, k1, k2, k3)) - print_block((k4, k5, k6, k7)) - else: - print_block(key) - - -#------------------------------------------------------------------- -# b2w() -# -# Create a word from the given bytes. -#------------------------------------------------------------------- -def b2w(b0, b1, b2, b3): - return (b0 << 24) + (b1 << 16) + (b2 << 8) + b3 - - -#------------------------------------------------------------------- -# w2b() -# -# Extracts the bytes in a word. -#------------------------------------------------------------------- -def w2b(w): - b0 = w >> 24 - b1 = w >> 16 & 0xff - b2 = w >> 8 & 0xff - b3 = w & 0xff - - return (b0, b1, b2, b3) - - -#------------------------------------------------------------------- -# gm2() -# -# The specific Galois Multiplication by two for a given byte. -#------------------------------------------------------------------- -def gm2(b): - return ((b << 1) ^ (0x1b & ((b >> 7) * 0xff))) & 0xff - - -#------------------------------------------------------------------- -# gm3() -# -# The specific Galois Multiplication by three for a given byte. -#------------------------------------------------------------------- -def gm3(b): - return gm2(b) ^ b - - -#------------------------------------------------------------------- -# gm4() -# -# The specific Galois Multiplication by four for a given byte. -#------------------------------------------------------------------- -def gm4(b): - return gm2(gm2(b)) - - -#------------------------------------------------------------------- -# gm8() -# -# The specific Galois Multiplication by eight for a given byte. -#------------------------------------------------------------------- -def gm8(b): - return gm2(gm4(b)) - - -#------------------------------------------------------------------- -# gm09() -# -# The specific Galois Multiplication by nine for a given byte. -#------------------------------------------------------------------- -def gm09(b): - return gm8(b) ^ b - - -#------------------------------------------------------------------- -# gm11() -# -# The specific Galois Multiplication by 11 for a given byte. -#------------------------------------------------------------------- -def gm11(b): - return gm8(b) ^ gm2(b) ^ b - - -#------------------------------------------------------------------- -# gm13() -# -# The specific Galois Multiplication by 13 for a given byte. -#------------------------------------------------------------------- -def gm13(b): - return gm8(b) ^ gm4(b) ^ b - - -#------------------------------------------------------------------- -# gm14() -# -# The specific Galois Multiplication by 14 for a given byte. -#------------------------------------------------------------------- -def gm14(b): - return gm8(b) ^ gm4(b) ^ gm2(b) - - -#------------------------------------------------------------------- -# substw() -# -# Returns a 32-bit word in which each of the bytes in the -# given 32-bit word has been used as lookup into the AES S-box. -#------------------------------------------------------------------- -def substw(w): - (b0, b1, b2, b3) = w2b(w) - - s0 = sbox[b0] - s1 = sbox[b1] - s2 = sbox[b2] - s3 = sbox[b3] - - res = b2w(s0, s1, s2, s3) - - if VERBOSE: - print("Inside substw:") - print("b0 = 0x%02x, b1 = 0x%02x, b2 = 0x%02x, b3 = 0x%02x" % - (b0, b1, b2, b3)) - print("s0 = 0x%02x, s1 = 0x%02x, s2 = 0x%02x, s3 = 0x%02x" % - (s0, s1, s2, s3)) - print("res = 0x%08x" % (res)) - - return res - - -#------------------------------------------------------------------- -# inv_substw() -# -# Returns a 32-bit word in which each of the bytes in the -# given 32-bit word has been used as lookup into -# the inverse AES S-box. -#------------------------------------------------------------------- -def inv_substw(w): - (b0, b1, b2, b3) = w2b(w) - - s0 = inv_sbox[b0] - s1 = inv_sbox[b1] - s2 = inv_sbox[b2] - s3 = inv_sbox[b3] - - res = b2w(s0, s1, s2, s3) - - if VERBOSE: - print("Inside inv_substw:") - print("b0 = 0x%02x, b1 = 0x%02x, b2 = 0x%02x, b3 = 0x%02x" % - (b0, b1, b2, b3)) - print("s0 = 0x%02x, s1 = 0x%02x, s2 = 0x%02x, s3 = 0x%02x" % - (s0, s1, s2, s3)) - print("res = 0x%08x" % (res)) - - return res - - -#------------------------------------------------------------------- -# rolx() -# -# Rotate the given 32 bit word x bits left. -#------------------------------------------------------------------- -def rolx(w, x): - return ((w << x) | (w >> (32 - x))) & 0xffffffff - - -#------------------------------------------------------------------- -# next_128bit_key() -# -# Generate the next four key words for aes-128 based on given -# rcon and previous key words. -#------------------------------------------------------------------- -def next_128bit_key(prev_key, rcon): - (w0, w1, w2, w3) = prev_key - - rol = rolx(w3, 8) - subst = substw(rol) - t = subst ^ (rcon << 24) - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if VERBOSE: - print("Inside next 128bit key:") - print("w0 = 0x%08x, w1 = 0x%08x, w2 = 0x%08x, w3 = 0x%08x" % - (w0, w1, w2, w3)) - print("rol = 0x%08x, subst = 0x%08x, rcon = 0x%02x, t = 0x%08x" % - (rol, subst, rcon, t)) - print("k0 = 0x%08x, k1 = 0x%08x, k2 = 0x%08x, k3 = 0x%08x" % - (k0, k1, k2, k3)) - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# key_gen128() -# -# Generating the keys for 128 bit keys. -#------------------------------------------------------------------- -def key_gen128(key): - print("Doing the 128 bit key expansion") - - round_keys = [] - - round_keys.append(key) - - for i in range(10): - round_keys.append(next_128bit_key(round_keys[i], get_rcon(i + 1))) - - if VERBOSE: - print("Input key:") - print_block(key) - print("") - - print("Generated keys:") - for k in round_keys: - print_block(k) - print("") - - return round_keys - - -#------------------------------------------------------------------- -# next_256bit_key_a() -# -# Generate the next four key words for aes-256 using algorithm A -# based on given rcon and the previous two keys. -#------------------------------------------------------------------- -def next_256it_key_a(key0, key1, rcon): - (w0, w1, w2, w3) = key0 - (w4, w5, w6, w7) = key1 - - sw = substw(rolx(w7, 8)) - rw = (rcon << 24) - t = sw ^ rw - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if (DUMP_VARS): - print("next_256bit_key_a:") - print("w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x" % (w0, w1, w2, w3)) - print("w4 = 0x%08x, w5 = 0x%08x, w6 = 0x%08x, w7 = 0x%08x" % (w4, w5, w6, w7)) - print("t = 0x%08x, sw = 0x%08x, rw = 0x%08x" % (t, sw, rw)) - print("k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x" % (k0, k1, k2, k3)) - print("") - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# next_256bit_key_b() -# -# Generate the next four key words for aes-256 using algorithm B -# based on given previous eight keywords. -#------------------------------------------------------------------- -def next_256it_key_b(key0, key1): - (w0, w1, w2, w3) = key0 - (w4, w5, w6, w7) = key1 - - t = substw(w7) - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if (DUMP_VARS): - print("next_256bit_key_b:") - print("w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x" % (w0, w1, w2, w3)) - print("w4 = 0x%08x, w5 = 0x%08x, w6 = 0x%08x, w7 = 0x%08x" % (w4, w5, w6, w7)) - print("t = 0x%08x" % (t)) - print("k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x" % (k0, k1, k2, k3)) - print("") - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# key_gen256() -# -# Generating the keys for 256 bit keys. -#------------------------------------------------------------------- -def key_gen256(key): - round_keys = [] - (k0, k1, k2, k3, k4, k5, k6, k7) = key - - round_keys.append((k0, k1, k2, k3)) - round_keys.append((k4, k5, k6, k7)) - - j = 1 - for i in range(0, (AES_256_ROUNDS - 2), 2): - k = next_256it_key_a(round_keys[i], round_keys[i + 1], get_rcon(j)) - round_keys.append(k) - k = next_256it_key_b(round_keys[i + 1], round_keys[i + 2]) - round_keys.append(k) - j += 1 - - # One final key needs to be generated. - k = next_256it_key_a(round_keys[12], round_keys[13], get_rcon(7)) - round_keys.append(k) - - if VERBOSE: - print("Input key:") - print_block((k0, k1, k2, k3)) - print_block((k4, k5, k6, k7)) - print("") - - print("Generated keys:") - for k in round_keys: - print_block(k) - print("") - - return round_keys - - -#------------------------------------------------------------------- -# get_rcon() -# -# Function implementation of rcon. Calculates rcon for a -# given round. This could be implemented as an iterator. -#------------------------------------------------------------------- -def get_rcon(round): - rcon = 0x8d - - for i in range(0, round): - rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff - - return rcon - - -#------------------------------------------------------------------- -# addroundkey() -# -# AES AddRoundKey block operation. -# Perform XOR combination of the given block and the given key. -#------------------------------------------------------------------- -def addroundkey(key, block): - (w0, w1, w2, w3) = block - (k0, k1, k2, k3) = key - - res_block = (w0 ^ k0, w1 ^ k1, w2 ^ k2, w3 ^ k3) - - if VERBOSE: - print("AddRoundKey key, block in and block out:") - print_block(key) - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# mixw() -# -# Perform bit mixing of the given words. -#------------------------------------------------------------------- -def mixw(w): - (b0, b1, b2, b3) = w2b(w) - - mb0 = gm2(b0) ^ gm3(b1) ^ b2 ^ b3 - mb1 = b0 ^ gm2(b1) ^ gm3(b2) ^ b3 - mb2 = b0 ^ b1 ^ gm2(b2) ^ gm3(b3) - mb3 = gm3(b0) ^ b1 ^ b2 ^ gm2(b3) - - return b2w(mb0, mb1, mb2, mb3) - - -#------------------------------------------------------------------- -# mixcolumns() -# -# AES MixColumns on the given block. -#------------------------------------------------------------------- -def mixcolumns(block): - (c0, c1, c2, c3) = block - - mc0 = mixw(c0) - mc1 = mixw(c1) - mc2 = mixw(c2) - mc3 = mixw(c3) - - res_block = (mc0, mc1, mc2, mc3) - - if VERBOSE: - print("MixColumns block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# subbytes() -# -# AES SubBytes operation on the given block. -#------------------------------------------------------------------- -def subbytes(block): - (w0, w1, w2, w3) = block - - res_block = (substw(w0), substw(w1), substw(w2), substw(w3)) - - if VERBOSE: - print("SubBytes block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# shiftrows() -# -# AES ShiftRows block operation. -#------------------------------------------------------------------- -def shiftrows(block): - (w0, w1, w2, w3) = block - - c0 = w2b(w0) - c1 = w2b(w1) - c2 = w2b(w2) - c3 = w2b(w3) - - ws0 = b2w(c0[0], c1[1], c2[2], c3[3]) - ws1 = b2w(c1[0], c2[1], c3[2], c0[3]) - ws2 = b2w(c2[0], c3[1], c0[2], c1[3]) - ws3 = b2w(c3[0], c0[1], c1[2], c2[3]) - - res_block = (ws0, ws1, ws2, ws3) - - if VERBOSE: - print("ShiftRows block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# aes_encipher() -# -# Perform AES encipher operation for the given block using the -# given key length. -#------------------------------------------------------------------- -def aes_encipher_block(key, block): - tmp_block = block[:] - - # Get round keys based on the given key. - if len(key) == 4: - round_keys = key_gen128(key) - num_rounds = AES_128_ROUNDS - else: - round_keys = key_gen256(key) - num_rounds = AES_256_ROUNDS - - # Init round - print(" Initial AddRoundKeys round.") - tmp_block4 = addroundkey(round_keys[0], block) - - # Main rounds - for i in range(1 , (num_rounds)): - print("") - print(" Round %02d" % i) - print(" ---------") - - tmp_block1 = subbytes(tmp_block4) - tmp_block2 = shiftrows(tmp_block1) - tmp_block3 = mixcolumns(tmp_block2) - tmp_block4 = addroundkey(round_keys[i], tmp_block3) - - - # Final round - print(" Final round.") - tmp_block1 = subbytes(tmp_block4) - tmp_block2 = shiftrows(tmp_block1) - tmp_block3 = addroundkey(round_keys[num_rounds], tmp_block2) - - return tmp_block3 - - -#------------------------------------------------------------------- -# inv_mixw() -# -# Perform inverse bit mixing of the given words. -#------------------------------------------------------------------- -def inv_mixw(w): - (b0, b1, b2, b3) = w2b(w) - - mb0 = gm14(b0) ^ gm11(b1) ^ gm13(b2) ^ gm09(b3) - mb1 = gm09(b0) ^ gm14(b1) ^ gm11(b2) ^ gm13(b3) - mb2 = gm13(b0) ^ gm09(b1) ^ gm14(b2) ^ gm11(b3) - mb3 = gm11(b0) ^ gm13(b1) ^ gm09(b2) ^ gm14(b3) - - return b2w(mb0, mb1, mb2, mb3) - - -#------------------------------------------------------------------- -# inv_mixcolumns() -# -# AES Inverse MixColumns on the given block. -#------------------------------------------------------------------- -def inv_mixcolumns(block): - (c0, c1, c2, c3) = block - - mc0 = inv_mixw(c0) - mc1 = inv_mixw(c1) - mc2 = inv_mixw(c2) - mc3 = inv_mixw(c3) - - res_block = (mc0, mc1, mc2, mc3) - - if VERBOSE: - print("Inverse MixColumns block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# inv_shiftrows() -# -# AES inverse ShiftRows block operation. -#------------------------------------------------------------------- -def inv_shiftrows(block): - (w0, w1, w2, w3) = block - - c0 = w2b(w0) - c1 = w2b(w1) - c2 = w2b(w2) - c3 = w2b(w3) - - ws0 = b2w(c0[0], c3[1], c2[2], c1[3]) - ws1 = b2w(c1[0], c0[1], c3[2], c2[3]) - ws2 = b2w(c2[0], c1[1], c0[2], c3[3]) - ws3 = b2w(c3[0], c2[1], c1[2], c0[3]) - - res_block = (ws0, ws1, ws2, ws3) - - if VERBOSE: - print("Inverse ShiftRows block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# inv_subbytes() -# -# AES inverse SubBytes operation on the given block. -#------------------------------------------------------------------- -def inv_subbytes(block): - (w0, w1, w2, w3) = block - - res_block = (inv_substw(w0), inv_substw(w1), inv_substw(w2), inv_substw(w3)) - - if VERBOSE: - print("Inverse SubBytes block in and block out:") - print_block(block) - print_block(res_block) - print("") - - return res_block - - -#------------------------------------------------------------------- -# aes_decipher() -# -# Perform AES decipher operation for the given block -# using the given key length. -#------------------------------------------------------------------- -def aes_decipher_block(key, block): - tmp_block = block[:] - - # Get round keys based on the given key. - if len(key) == 4: - round_keys = key_gen128(key) - num_rounds = AES_128_ROUNDS - else: - round_keys = key_gen256(key) - num_rounds = AES_256_ROUNDS - - # Initial round - print(" Initial, partial round.") - tmp_block1 = addroundkey(round_keys[len(round_keys) - 1], tmp_block) - tmp_block2 = inv_shiftrows(tmp_block1) - tmp_block4 = inv_subbytes(tmp_block2) - - # Main rounds - for i in range(1 , (num_rounds)): - print("") - print(" Round %02d" % i) - print(" ---------") - - tmp_block1 = addroundkey(round_keys[(len(round_keys) - i - 1)], tmp_block4) - tmp_block2 = inv_mixcolumns(tmp_block1) - tmp_block3 = inv_shiftrows(tmp_block2) - tmp_block4 = inv_subbytes(tmp_block3) - - # Final round - print(" Final AddRoundKeys round.") - res_block = addroundkey(round_keys[0], tmp_block4) - - return res_block - - -#------------------------------------------------------------------- -# test_mixcolumns() -# -# Test the mixcolumns and inverse mixcolumns operations using -# some simple test values. -#------------------------------------------------------------------- -def test_mixcolumns(): - nist_aes128_key = (0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c) - - print("Test of mixcolumns and inverse mixcolumns:") - mixresult = mixcolumns(nist_aes128_key) - inv_mixresult = inv_mixcolumns(mixresult) - - print("Test of mixw ochi inv_mixw:") - testw = 0xdb135345 - expw = 0x8e4da1bc - mixresult = mixw(testw) - inv_mixresult = inv_mixw(mixresult) - print("Testword: 0x%08x" % testw) - print("expexted: 0x%08x" % expw) - print("mixword: 0x%08x" % mixresult) - print("invmixword: 0x%08x" % inv_mixresult) - - -#------------------------------------------------------------------- -# test_aes() -# -# Test the AES implementation with 128 and 256 bit keys. -#------------------------------------------------------------------- -def test_aes(): - nist_aes128_key = (0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c) - nist_aes256_key = (0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781, - 0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4) - - nist_plaintext0 = (0x6bc1bee2, 0x2e409f96, 0xe93d7e11, 0x7393172a) - nist_plaintext1 = (0xae2d8a57, 0x1e03ac9c, 0x9eb76fac, 0x45af8e51) - nist_plaintext2 = (0x30c81c46, 0xa35ce411, 0xe5fbc119, 0x1a0a52ef) - nist_plaintext3 = (0xf69f2445, 0xdf4f9b17, 0xad2b417b, 0xe66c3710) - - nist_exp128_0 = (0x3ad77bb4, 0x0d7a3660, 0xa89ecaf3, 0x2466ef97) - nist_exp128_1 = (0xf5d3d585, 0x03b9699d, 0xe785895a, 0x96fdbaaf) - nist_exp128_2 = (0x43b1cd7f, 0x598ece23, 0x881b00e3, 0xed030688) - nist_exp128_3 = (0x7b0c785e, 0x27e8ad3f, 0x82232071, 0x04725dd4) - - nist_exp256_0 = (0xf3eed1bd, 0xb5d2a03c, 0x064b5a7e, 0x3db181f8) - nist_exp256_1 = (0x591ccb10, 0xd410ed26, 0xdc5ba74a, 0x31362870) - nist_exp256_2 = (0xb6ed21b9, 0x9ca6f4f9, 0xf153e7b1, 0xbeafed1d) - nist_exp256_3 = (0x23304b7a, 0x39f9f3ff, 0x067d8d8f, 0x9e24ecc7) - - - print("Doing block encryption.") - enc_result128_0 = aes_encipher_block(nist_aes128_key, nist_plaintext0) - enc_result128_1 = aes_encipher_block(nist_aes128_key, nist_plaintext1) - enc_result128_2 = aes_encipher_block(nist_aes128_key, nist_plaintext2) - enc_result128_3 = aes_encipher_block(nist_aes128_key, nist_plaintext3) - - enc_result256_0 = aes_encipher_block(nist_aes256_key, nist_plaintext0) - enc_result256_1 = aes_encipher_block(nist_aes256_key, nist_plaintext1) - enc_result256_2 = aes_encipher_block(nist_aes256_key, nist_plaintext2) - enc_result256_3 = aes_encipher_block(nist_aes256_key, nist_plaintext3) - - print("Doing block decryption.") - dec_result128_0 = aes_decipher_block(nist_aes128_key, nist_exp128_0) - dec_result128_1 = aes_decipher_block(nist_aes128_key, nist_exp128_1) - dec_result128_2 = aes_decipher_block(nist_aes128_key, nist_exp128_2) - dec_result128_3 = aes_decipher_block(nist_aes128_key, nist_exp128_3) - - dec_result256_0 = aes_decipher_block(nist_aes256_key, nist_exp256_0) - dec_result256_1 = aes_decipher_block(nist_aes256_key, nist_exp256_1) - dec_result256_2 = aes_decipher_block(nist_aes256_key, nist_exp256_2) - dec_result256_3 = aes_decipher_block(nist_aes256_key, nist_exp256_3) - - - if VERBOSE: - print(" AES Encipher tests") - print(" ==================") - - print("Test 0 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_plaintext0) - print("Expected block out:") - print_block(nist_exp128_0) - print("Got block out:") - print_block(enc_result128_0) - print("") - - print("Test 1 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_plaintext1) - print("Expected block out:") - print_block(nist_exp128_1) - print("Got block out:") - print_block(enc_result128_1) - print("") - - print("Test 2 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_plaintext2) - print("Expected block out:") - print_block(nist_exp128_2) - print("Got block out:") - print_block(enc_result128_2) - print("") - - print("Test 3 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_plaintext3) - print("Expected block out:") - print_block(nist_exp128_3) - print("Got block out:") - print_block(enc_result128_3) - print("") - - - print("Test 0 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_plaintext0) - print("Expected block out:") - print_block(nist_exp256_0) - print("Got block out:") - print_block(enc_result256_0) - print("") - - print("Test 1 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_plaintext1) - print("Expected block out:") - print_block(nist_exp256_1) - print("Got block out:") - print_block(enc_result256_1) - print("") - - print("Test 2 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_plaintext2) - print("Expected block out:") - print_block(nist_exp256_2) - print("Got block out:") - print_block(enc_result256_2) - print("") - - print("Test 3 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_plaintext3) - print("Expected block out:") - print_block(nist_exp256_3) - print("Got block out:") - print_block(enc_result256_3) - print("") - - print("") - print(" AES Decipher tests") - print(" ==================") - - print("Test 0 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_exp128_0) - print("Expected block out:") - print_block(nist_plaintext0) - print("Got block out:") - print_block(dec_result128_0) - print("") - - print("Test 1 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_exp128_1) - print("Expected block out:") - print_block(nist_plaintext1) - print("Got block out:") - print_block(dec_result128_1) - print("") - - print("Test 2 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_exp128_2) - print("Expected block out:") - print_block(nist_plaintext2) - print("Got block out:") - print_block(dec_result128_2) - print("") - - print("Test 3 for AES-128.") - print("Key:") - print_key(nist_aes128_key) - print("Block in:") - print_block(nist_exp128_3) - print("Expected block out:") - print_block(nist_plaintext3) - print("Got block out:") - print_block(dec_result128_3) - print("") - - print("Test 0 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_exp256_0) - print("Expected block out:") - print_block(nist_plaintext0) - print("Got block out:") - print_block(dec_result256_0) - print("") - - print("Test 1 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_exp256_1) - print("Expected block out:") - print_block(nist_plaintext1) - print("Got block out:") - print_block(dec_result256_1) - print("") - - print("Test 2 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_exp256_2) - print("Expected block out:") - print_block(nist_plaintext2) - print("Got block out:") - print_block(dec_result256_2) - print("") - - print("Test 3 for AES-256.") - print("Key:") - print_key(nist_aes256_key) - print("Block in:") - print_block(nist_exp256_3) - print("Expected block out:") - print_block(nist_plaintext3) - print("Got block out:") - print_block(dec_result256_3) - print("") - - -#------------------------------------------------------------------- -# main() -# -# If executed tests the ChaCha class using known test vectors. -#------------------------------------------------------------------- -def main(): - print("Testing the AES cipher model") - print("============================") - print - - # test_mixcolumns() - test_aes() - - -#------------------------------------------------------------------- -# __name__ -# Python thingy which allows the file to be run standalone as -# well as parsed from within a Python interpreter. -#------------------------------------------------------------------- -if __name__=="__main__": - # Run the main function. - sys.exit(main()) - -#======================================================================= -# EOF aes_key_gen.py -#======================================================================= diff --git a/src/model/python/aes_key_gen.py b/src/model/python/aes_key_gen.py deleted file mode 100755 index 626c740..0000000 --- a/src/model/python/aes_key_gen.py +++ /dev/null @@ -1,568 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -#======================================================================= -# -# aes_key_gen.py -# ------------- -# Simple, pure Python test model of the AES key generation. -# This one is operating on 32 bit words. The key generation -# supports 128 and 256 bit keys. -# -# -# Author: Joachim Strombergson -# Copyright (c) 2014, NORDUnet A/S -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# - Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# - Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# - Neither the name of the NORDUnet nor the names of its contributors may -# be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -#======================================================================= - -#------------------------------------------------------------------- -# Python module imports. -#------------------------------------------------------------------- -import sys - - -#------------------------------------------------------------------- -# Constants. -#------------------------------------------------------------------- -VERBOSE = True - -DUMP_VARS = True - -AES_128_ROUNDS = 10 -AES_256_ROUNDS = 14 - - -sbox = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, - 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, - 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, - 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, - 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, - 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, - 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, - 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, - 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, - 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, - 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, - 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, - 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, - 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, - 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, - 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, - 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16] - - -#------------------------------------------------------------------- -# substw() -# -# Returns a 32-bit word in which each of the bytes in the -# given 32-bit word has been used as lookup into the AES S-box. -#------------------------------------------------------------------- -def substw(w): - b0 = w >> 24 - b1 = w >> 16 & 0xff - b2 = w >> 8 & 0xff - b3 = w & 0xff - - s0 = sbox[b0] - s1 = sbox[b1] - s2 = sbox[b2] - s3 = sbox[b3] - - res = (s0 << 24) + (s1 << 16) + (s2 << 8) + s3 - - if VERBOSE: - print("Inside substw:") - print("b0 = 0x%02x, b1 = 0x%02x, b2 = 0x%02x, b3 = 0x%02x" % - (b0, b1, b2, b3)) - print("s0 = 0x%02x, s1 = 0x%02x, s2 = 0x%02x, s3 = 0x%02x" % - (s0, s1, s2, s3)) - print("res = 0x%08x" % (res)) - - return res - - -#------------------------------------------------------------------- -# rol8() -# -# Rotate the given 32 bit word 8 bits left. -#------------------------------------------------------------------- -def rol8(w): - return ((w << 8) | (w >> 24)) & 0xffffffff - - -#------------------------------------------------------------------- -# next_128bit_key() -# -# Generate the next four key words for aes-128 based on given -# rcon and previous key words. -#------------------------------------------------------------------- -def next_128bit_key(prev_key, rcon): - (w0, w1, w2, w3) = prev_key - - rol = rol8(w3) - subst = substw(rol) - t = subst ^ (rcon << 24) - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if VERBOSE: - print("Inside next 128bit key:") - print("w0 = 0x%08x, w1 = 0x%08x, w2 = 0x%08x, w3 = 0x%08x" % - (w0, w1, w2, w3)) - print("rol = 0x%08x, subst = 0x%08x, rcon = 0x%02x, t = 0x%08x" % - (rol, subst, rcon, t)) - print("k0 = 0x%08x, k1 = 0x%08x, k2 = 0x%08x, k3 = 0x%08x" % - (k0, k1, k2, k3)) - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# key_gen128() -# -# Generating the keys for 128 bit keys. -#------------------------------------------------------------------- -def key_gen128(key): - round_keys = [] - - round_keys.append(key) - - round_keys.append(next_128bit_key(round_keys[0], get_rcon(1))) - round_keys.append(next_128bit_key(round_keys[1], get_rcon(2))) - round_keys.append(next_128bit_key(round_keys[2], get_rcon(3))) - round_keys.append(next_128bit_key(round_keys[3], get_rcon(4))) - round_keys.append(next_128bit_key(round_keys[4], get_rcon(5))) - round_keys.append(next_128bit_key(round_keys[5], get_rcon(6))) - round_keys.append(next_128bit_key(round_keys[6], get_rcon(7))) - round_keys.append(next_128bit_key(round_keys[7], get_rcon(8))) - round_keys.append(next_128bit_key(round_keys[8], get_rcon(9))) - round_keys.append(next_128bit_key(round_keys[9], get_rcon(10))) - - return round_keys - - -#------------------------------------------------------------------- -# next_256bit_key_a() -# -# Generate the next four key words for aes-256 using algorithm A -# based on given rcon and the previous two keys. -#------------------------------------------------------------------- -def next_256it_key_a(key0, key1, rcon): - (w0, w1, w2, w3) = key0 - (w4, w5, w6, w7) = key1 - - sw = substw(rol8(w7)) - rw = (rcon << 24) - t = sw ^ rw - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if (DUMP_VARS): - print("next_256bit_key_a:") - print("w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x" % (w0, w1, w2, w3)) - print("w4 = 0x%08x, w5 = 0x%08x, w6 = 0x%08x, w7 = 0x%08x" % (w4, w5, w6, w7)) - print("t = 0x%08x, sw = 0x%08x, rw = 0x%08x" % (t, sw, rw)) - print("k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x" % (k0, k1, k2, k3)) - print("") - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# next_256bit_key_b() -# -# Generate the next four key words for aes-256 using algorithm B -# based on given previous eight keywords. -#------------------------------------------------------------------- -def next_256it_key_b(key0, key1): - (w0, w1, w2, w3) = key0 - (w4, w5, w6, w7) = key1 - - t = substw(w7) - - k0 = w0 ^ t - k1 = w1 ^ w0 ^ t - k2 = w2 ^ w1 ^ w0 ^ t - k3 = w3 ^ w2 ^ w1 ^ w0 ^ t - - if (DUMP_VARS): - print("next_256bit_key_b:") - print("w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x, w0 = 0x%08x" % (w0, w1, w2, w3)) - print("w4 = 0x%08x, w5 = 0x%08x, w6 = 0x%08x, w7 = 0x%08x" % (w4, w5, w6, w7)) - print("t = 0x%08x" % (t)) - print("k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x, k0 = 0x%08x" % (k0, k1, k2, k3)) - print("") - - return (k0, k1, k2, k3) - - -#------------------------------------------------------------------- -# key_gen256() -# -# Generating the keys for 256 bit keys. -#------------------------------------------------------------------- -def key_gen256(key): - round_keys = [] - (k0, k1, k2, k3, k4, k5, k6, k7) = key - - round_keys.append((k0, k1, k2, k3)) - round_keys.append((k4, k5, k6, k7)) - - j = 1 - for i in range(0, (AES_256_ROUNDS - 2), 2): - k = next_256it_key_a(round_keys[i], round_keys[i + 1], get_rcon(j)) - round_keys.append(k) - k = next_256it_key_b(round_keys[i + 1], round_keys[i + 2]) - round_keys.append(k) - j += 1 - - # One final key needs to be generated. - k = next_256it_key_a(round_keys[12], round_keys[13], get_rcon(7)) - round_keys.append(k) - - return round_keys - - -#------------------------------------------------------------------- -# key_gen() -# -# The actual key generation. -#------------------------------------------------------------------- -def key_gen(key): - if VERBOSE: - print("Generating keys for AES-%d." % (len(key) * 32)) - - if (len(key) * 32) == 128: - return key_gen128(key) - - else: - return key_gen256(key) - - -#------------------------------------------------------------------- -# get_rcon() -# -# Function implementation of rcon. Calculates rcon for a -# given round. This could be implemented as an iterator. -#------------------------------------------------------------------- -def get_rcon(round): - rcon = 0x8d - - for i in range(0, round): - rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff - - return rcon - - -#------------------------------------------------------------------- -# print_bytekeys() -# -# Print a set of round keys given as an array of bytes. -#------------------------------------------------------------------- -def print_bytekeys(keys): - i = 0 - print("Number of round keys: %d" % (int(len(keys) / 16))) - while i < (len(keys) - 1): - for j in range(16): - print("0x%02x " % keys[i + j], end="") - print("") - i += 16 - - -#------------------------------------------------------------------- -# test_rcon() -# -# Test of the rcon function. -#------------------------------------------------------------------- -def test_rcon(): - print("Testing rcon:") - for i in range(20): - print("rcon %02d = 0x%02x" % (i, get_rcon(i))) - - -#------------------------------------------------------------------- -# test_key() -# -# Generate round keys for a given key and compare them to -# the given expected round keys. -#------------------------------------------------------------------- -def test_key(key, expected): - if len(key) not in [4, 8]: - print("Error: Key is %d bits, not 128 or 256 bits" % (len(key) * 32)) - return - - generated = key_gen(key) - - if VERBOSE: - for k in generated: - (w0, w1, w2, w3) = k - print("0x%08x, 0x%08x, 0x%08x, 0x%08x" % - (w0, w1, w2, w3)) - - if (len(generated) != len(expected)): - print("Error: Incorrect number of keys generated.") - print("Expected number of round keys: %d" % len(expected)) - print("Got number of round keys: %d" % len(generated)) - - for i in range(len(generated)): - exp = expected[i] - got = generated[i] - if (exp != got): - print("Error: Error in round key %d." % i) - (e0, e1, e2, e3) = exp - (g0, g1, g2, g3) = got - print("Expected: 0x%08x 0x%08x 0x%08x 0x%08x"\ - % (e0, e1, e2, e3)) - print("Got: 0x%08x 0x%08x 0x%08x 0x%08x"\ - % (g0, g1, g2, g3)) - else: - print("Correct key generated.") - - -#------------------------------------------------------------------- -# test_key_expansion() -# -# Perform key expansion tests. -# The test keys and expected round keys are taken from: -# http://www.samiam.org/key-schedule.html -#------------------------------------------------------------------- -def test_key_expansion(): - # 128 bit keys. - key128_1 = (0x00000000, 0x00000000, 0x00000000, 0x00000000) - exp128_1 = ((0x00000000, 0x00000000, 0x00000000, 0x00000000), - (0x62636363, 0x62636363, 0x62636363, 0x62636363), - (0x9b9898c9, 0xf9fbfbaa, 0x9b9898c9, 0xf9fbfbaa), - (0x90973450, 0x696ccffa, 0xf2f45733, 0x0b0fac99), - (0xee06da7b, 0x876a1581, 0x759e42b2, 0x7e91ee2b), - (0x7f2e2b88, 0xf8443e09, 0x8dda7cbb, 0xf34b9290), - (0xec614b85, 0x1425758c, 0x99ff0937, 0x6ab49ba7), - (0x21751787, 0x3550620b, 0xacaf6b3c, 0xc61bf09b), - (0x0ef90333, 0x3ba96138, 0x97060a04, 0x511dfa9f), - (0xb1d4d8e2, 0x8a7db9da, 0x1d7bb3de, 0x4c664941), - (0xb4ef5bcb, 0x3e92e211, 0x23e951cf, 0x6f8f188e)) - - key128_2 = (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff) - exp128_2 = ((0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), - (0xe8e9e9e9, 0x17161616, 0xe8e9e9e9, 0x17161616), - (0xadaeae19, 0xbab8b80f, 0x525151e6, 0x454747f0), - (0x090e2277, 0xb3b69a78, 0xe1e7cb9e, 0xa4a08c6e), - (0xe16abd3e, 0x52dc2746, 0xb33becd8, 0x179b60b6), - (0xe5baf3ce, 0xb766d488, 0x045d3850, 0x13c658e6), - (0x71d07db3, 0xc6b6a93b, 0xc2eb916b, 0xd12dc98d), - (0xe90d208d, 0x2fbb89b6, 0xed5018dd, 0x3c7dd150), - (0x96337366, 0xb988fad0, 0x54d8e20d, 0x68a5335d), - (0x8bf03f23, 0x3278c5f3, 0x66a027fe, 0x0e0514a3), - (0xd60a3588, 0xe472f07b, 0x82d2d785, 0x8cd7c326)) - - key128_3 = (0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f) - exp128_3 = ((0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f), - (0xd6aa74fd, 0xd2af72fa, 0xdaa678f1, 0xd6ab76fe), - (0xb692cf0b, 0x643dbdf1, 0xbe9bc500, 0x6830b3fe), - (0xb6ff744e, 0xd2c2c9bf, 0x6c590cbf, 0x0469bf41), - (0x47f7f7bc, 0x95353e03, 0xf96c32bc, 0xfd058dfd), - (0x3caaa3e8, 0xa99f9deb, 0x50f3af57, 0xadf622aa), - (0x5e390f7d, 0xf7a69296, 0xa7553dc1, 0x0aa31f6b), - (0x14f9701a, 0xe35fe28c, 0x440adf4d, 0x4ea9c026), - (0x47438735, 0xa41c65b9, 0xe016baf4, 0xaebf7ad2), - (0x549932d1, 0xf0855768, 0x1093ed9c, 0xbe2c974e), - (0x13111d7f, 0xe3944a17, 0xf307a78b, 0x4d2b30c5)) - - key128_4 = (0x6920e299, 0xa5202a6d, 0x656e6368, 0x69746f2a) - exp128_4 = ((0x6920e299, 0xa5202a6d, 0x656e6368, 0x69746f2a), - (0xfa880760, 0x5fa82d0d, 0x3ac64e65, 0x53b2214f), - (0xcf75838d, 0x90ddae80, 0xaa1be0e5, 0xf9a9c1aa), - (0x180d2f14, 0x88d08194, 0x22cb6171, 0xdb62a0db), - (0xbaed96ad, 0x323d1739, 0x10f67648, 0xcb94d693), - (0x881b4ab2, 0xba265d8b, 0xaad02bc3, 0x6144fd50), - (0xb34f195d, 0x096944d6, 0xa3b96f15, 0xc2fd9245), - (0xa7007778, 0xae6933ae, 0x0dd05cbb, 0xcf2dcefe), - (0xff8bccf2, 0x51e2ff5c, 0x5c32a3e7, 0x931f6d19), - (0x24b7182e, 0x7555e772, 0x29674495, 0xba78298c), - (0xae127cda, 0xdb479ba8, 0xf220df3d, 0x4858f6b1)) - - nist_aes128_key = (0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c) - exp_nist128_key = ((0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c), - (0xa0fafe17, 0x88542cb1, 0x23a33939, 0x2a6c7605), - (0xf2c295f2, 0x7a96b943, 0x5935807a, 0x7359f67f), - (0x3d80477d, 0x4716fe3e, 0x1e237e44, 0x6d7a883b), - (0xef44a541, 0xa8525b7f, 0xb671253b, 0xdb0bad00), - (0xd4d1c6f8, 0x7c839d87, 0xcaf2b8bc, 0x11f915bc), - (0x6d88a37a, 0x110b3efd, 0xdbf98641, 0xca0093fd), - (0x4e54f70e, 0x5f5fc9f3, 0x84a64fb2, 0x4ea6dc4f), - (0xead27321, 0xb58dbad2, 0x312bf560, 0x7f8d292f), - (0xac7766f3, 0x19fadc21, 0x28d12941, 0x575c006e), - (0xd014f9a8, 0xc9ee2589, 0xe13f0cc8, 0xb6630ca6)) - - - # 256 bit keys. - key256_1 = (0x00000000, 0x00000000, 0x00000000, 0x00000000, - 0x00000000, 0x00000000, 0x00000000, 0x0000000) - exp256_1 = ((0x00000000, 0x00000000, 0x00000000, 0x00000000), - (0x00000000, 0x00000000, 0x00000000, 0x00000000), - (0x62636363, 0x62636363, 0x62636363, 0x62636363), - (0xaafbfbfb, 0xaafbfbfb, 0xaafbfbfb, 0xaafbfbfb), - (0x6f6c6ccf, 0x0d0f0fac, 0x6f6c6ccf, 0x0d0f0fac), - (0x7d8d8d6a, 0xd7767691, 0x7d8d8d6a, 0xd7767691), - (0x5354edc1, 0x5e5be26d, 0x31378ea2, 0x3c38810e), - (0x968a81c1, 0x41fcf750, 0x3c717a3a, 0xeb070cab), - (0x9eaa8f28, 0xc0f16d45, 0xf1c6e3e7, 0xcdfe62e9), - (0x2b312bdf, 0x6acddc8f, 0x56bca6b5, 0xbdbbaa1e), - (0x6406fd52, 0xa4f79017, 0x553173f0, 0x98cf1119), - (0x6dbba90b, 0x07767584, 0x51cad331, 0xec71792f), - (0xe7b0e89c, 0x4347788b, 0x16760b7b, 0x8eb91a62), - (0x74ed0ba1, 0x739b7e25, 0x2251ad14, 0xce20d43b), - (0x10f80a17, 0x53bf729c, 0x45c979e7, 0xcb706385)) - - - key256_2 = (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, - 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff) - exp256_2 = ((0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), - (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), - (0xe8e9e9e9, 0x17161616, 0xe8e9e9e9, 0x17161616), - (0x0fb8b8b8, 0xf0474747, 0x0fb8b8b8, 0xf0474747), - (0x4a494965, 0x5d5f5f73, 0xb5b6b69a, 0xa2a0a08c), - (0x355858dc, 0xc51f1f9b, 0xcaa7a723, 0x3ae0e064), - (0xafa80ae5, 0xf2f75596, 0x4741e30c, 0xe5e14380), - (0xeca04211, 0x29bf5d8a, 0xe318faa9, 0xd9f81acd), - (0xe60ab7d0, 0x14fde246, 0x53bc014a, 0xb65d42ca), - (0xa2ec6e65, 0x8b5333ef, 0x684bc946, 0xb1b3d38b), - (0x9b6c8a18, 0x8f91685e, 0xdc2d6914, 0x6a702bde), - (0xa0bd9f78, 0x2beeac97, 0x43a565d1, 0xf216b65a), - (0xfc223491, 0x73b35ccf, 0xaf9e35db, 0xc5ee1e05), - (0x0695ed13, 0x2d7b4184, 0x6ede2455, 0x9cc8920f), - (0x546d424f, 0x27de1e80, 0x88402b5b, 0x4dae355e)) - - - key256_3 = (0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, - 0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f) - exp256_3 = ((0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f), - (0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f), - (0xa573c29f, 0xa176c498, 0xa97fce93, 0xa572c09c), - (0x1651a8cd, 0x0244beda, 0x1a5da4c1, 0x0640bade), - (0xae87dff0, 0x0ff11b68, 0xa68ed5fb, 0x03fc1567), - (0x6de1f148, 0x6fa54f92, 0x75f8eb53, 0x73b8518d), - (0xc656827f, 0xc9a79917, 0x6f294cec, 0x6cd5598b), - (0x3de23a75, 0x524775e7, 0x27bf9eb4, 0x5407cf39), - (0x0bdc905f, 0xc27b0948, 0xad5245a4, 0xc1871c2f), - (0x45f5a660, 0x17b2d387, 0x300d4d33, 0x640a820a), - (0x7ccff71c, 0xbeb4fe54, 0x13e6bbf0, 0xd261a7df), - (0xf01afafe, 0xe7a82979, 0xd7a5644a, 0xb3afe640), - (0x2541fe71, 0x9bf50025, 0x8813bbd5, 0x5a721c0a), - (0x4e5a6699, 0xa9f24fe0, 0x7e572baa, 0xcdf8cdea), - (0x24fc79cc, 0xbf0979e9, 0x371ac23c, 0x6d68de36)) - - - nist_aes256_key = (0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781, - 0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4) - - exp_nist256_key = ((0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781), - (0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4), - (0x9ba35411, 0x8e6925af, 0xa51a8b5f, 0x2067fcde), - (0xa8b09c1a, 0x93d194cd, 0xbe49846e, 0xb75d5b9a), - (0xd59aecb8, 0x5bf3c917, 0xfee94248, 0xde8ebe96), - (0xb5a9328a, 0x2678a647, 0x98312229, 0x2f6c79b3), - (0x812c81ad, 0xdadf48ba, 0x24360af2, 0xfab8b464), - (0x98c5bfc9, 0xbebd198e, 0x268c3ba7, 0x09e04214), - (0x68007bac, 0xb2df3316, 0x96e939e4, 0x6c518d80), - (0xc814e204, 0x76a9fb8a, 0x5025c02d, 0x59c58239), - (0xde136967, 0x6ccc5a71, 0xfa256395, 0x9674ee15), - (0x5886ca5d, 0x2e2f31d7, 0x7e0af1fa, 0x27cf73c3), - (0x749c47ab, 0x18501dda, 0xe2757e4f, 0x7401905a), - (0xcafaaae3, 0xe4d59b34, 0x9adf6ace, 0xbd10190d), - (0xfe4890d1, 0xe6188d0b, 0x046df344, 0x706c631e)) - - print("*** Test of 128 bit keys: ***") - test_key(key128_1, exp128_1) - test_key(key128_2, exp128_2) - test_key(key128_3, exp128_3) - test_key(key128_4, exp128_4) - - print("The NIST 128 key:") - test_key(nist_aes128_key, exp_nist128_key) - print("") - - - print("*** Test of 256 bit keys: ***") - test_key(key256_1, exp256_1) - test_key(key256_2, exp256_2) - test_key(key256_3, exp256_3) - - print("The NIST 256 key:") - test_key(nist_aes256_key, exp_nist256_key) - print("") - - print("") - - -#------------------------------------------------------------------- -# main() -# -# If executed tests the ChaCha class using known test vectors. -#------------------------------------------------------------------- -def main(): - print("Testing the AES key generation") - print("==============================") - print - - test_key_expansion() - - -#------------------------------------------------------------------- -# __name__ -# Python thingy which allows the file to be run standalone as -# well as parsed from within a Python interpreter. -#------------------------------------------------------------------- -if __name__=="__main__": - # Run the main function. - sys.exit(main()) - -#======================================================================= -# EOF aes_key_gen.py -#======================================================================= diff --git a/src/model/python/rcon.py b/src/model/python/rcon.py deleted file mode 100644 index acd6ea4..0000000 --- a/src/model/python/rcon.py +++ /dev/null @@ -1,586 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -#======================================================================= -# -# aes_key_gen.py -# ------------- -# Simple, pure Python test model of the AES key generation. -# -# -# Author: Joachim Strombergson -# Copyright (c) 2014, NORDUnet A/S -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are -# met: -# - Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# - Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# - Neither the name of the NORDUnet nor the names of its contributors may -# be used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -#======================================================================= - -#------------------------------------------------------------------- -# Python module imports. -#------------------------------------------------------------------- -import sys - - -#------------------------------------------------------------------- -# Constants. -#------------------------------------------------------------------- -VERBOSE = True - -AES_128_ROUNDS = 10 -AES_192_ROUNDS = 12 -AES_256_ROUNDS = 14 - - -sbox = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, - 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, - 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, - 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, - 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, - 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, - 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, - 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, - 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, - 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, - 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, - 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, - 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, - 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, - 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, - 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, - 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16] - - -#------------------------------------------------------------------- -# substw() -# -# Returns a 32-bit word in which each of the bytes in the -# given 32-bit word has been used as lookup into the AES S-box. -#------------------------------------------------------------------- -def substw(w): - b0 = w >> 24 - b1 = w >> 16 & 0xff - b2 = w >> 8 & 0xff - b3 = w & 0xff - - s0 = sbox[b0] - s1 = sbox[b1] - s2 = sbox[b2] - s3 = sbox[b3] - - return (s0 << 24) + (s1 << 16) + (s2 << 8) + s3 - - -#------------------------------------------------------------------- -# rol8() -# -# Rotate the given 32 bit word 8 bits left. -#------------------------------------------------------------------- -def rol8(w): - return ((w << 8) | (w >> 24)) & 0xffffffff - - -#------------------------------------------------------------------- -# next_words() -# -# Generate the next four key words based on given rcon and -# previous key words. -#------------------------------------------------------------------- -def next_words(prev_words, rcon): - (prev_x0, prev_x1, prev_x2, prev_x3) = prev_words - tmp = substw(rol8(prev_x3)) ^ (rcon << 24) - x0 = prev_x0 ^ tmp - x1 = prev_x1 ^ x0 - x2 = prev_x2 ^ x1 - x3 = prev_x3 ^ x2 - return (x0, x1, x2, x3) - - -#------------------------------------------------------------------- -# key_gen() -# -# The actual key generation. -#------------------------------------------------------------------- -def key_gen(key): - nr_rounds = {4:AES_128_ROUNDS, 6:AES_192_ROUNDS, 8:AES_256_ROUNDS}[len(key)] - if VERBOSE: - print("Generating keys for AES-%d." % (len(key) * 32)) - - round_keys = [] - if nr_rounds == AES_128_ROUNDS: - round_keys.append(key) - - elif nr_rounds == AES_192_ROUNDS: - (k0, k1, k2, k3, k4, k5) = key - round_keys.append((k0, k1, k2, k3)) - rcon = ((0x8d << 1) ^ (0x11b & - (0x8d >> 7))) & 0xff - (x0, x1, x2, x3) = next_words((k0, k1, k2, k3), rcon) - round_keys.append((k4, k5, x2, x3)) - nr_rounds -= 1 - - else: - # nr_rounds == AES_192_ROUNDS - (k0, k1, k2, k3, k4, k5, k6, k7) = key - round_keys.append((k0, k1, k2, k3)) - round_keys.append((k4, k5, k6, k7)) - nr_rounds -= 1 - - rcon = 0x8d - - for i in range(0, nr_rounds): - rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff - round_keys.append(next_words(round_keys[i], rcon)) - - return round_keys - - -#------------------------------------------------------------------- -# sam_rcon() -# -# Function implementation of rcon. Calculates rcon for a -# given round. This could be implemented as an iterator -#------------------------------------------------------------------- -def sam_rcon(round): - rcon = 0x8d - - for i in range(0, round): - rcon = ((rcon << 1) ^ (0x11b & - (rcon >> 7))) & 0xff - - return rcon - - -#------------------------------------------------------------------- -# sam_schedule_core() -# -# Perform the rotate and SubBytes operation used in all schedules. -#------------------------------------------------------------------- -def sam_schedule_core(word, i): - # Rotate one byte left - word = word[1 : 4] + [word[0]] - - # Perform SubBytes on all bytes in the word. - for a in range(4): - word[a] = sbox[word[a]] - - # XOR with rcon on the first byte - rcon = sam_rcon(i) - print("rcon = 0x%02x" % rcon) - word[0] = word[0] ^ rcon - - return word - - -#------------------------------------------------------------------- -# sam_128_bit_key_expansion() -# -# Byte based key expansion for 128 bit keys by Sam Trenholme: -# http://www.samiam.org/key-schedule.html -# -# the key here should be supplied as an array of bytes. -# The array will be updated during processing. -#------------------------------------------------------------------- -def sam_128_bit_key_expansion(key): - t = [0] * 4 - expkey = [0x0] * (11 * 16) - expkey[0:15] = key[:] - - # c is 16 because the first sub-key is the user-supplied key - c = 16; - i = 1; - - # We need 11 sets of sixteen bytes each for 128-bit mode - # 11 * 16 = 176 - while (c < 176): - # Copy the temporary variable over from the last 4-byte block - for a in range(4): - t[a] = expkey[a + c - 4] - - # Every four blocks (of four bytes), do a complex calculation */ - if (c % 16 == 0): - t = sam_schedule_core(t, i) - i += 1 - - # New key is old key xored with the copied and possibly - # transformed word. - for a in range(4): - expkey[c] = expkey[c - 16] ^ t[a] - c += 1 - - return expkey - - -#------------------------------------------------------------------- -# sam_192_bit_key_expansion() -# -# Byte based key expansion for 192 bit keys by Sam Trenholme: -# http://www.samiam.org/key-schedule.html -#------------------------------------------------------------------- -def sam_192_bit_key_expansion(key): - pass -#void expand_key(unsigned char *key) { -# unsigned char t[4]; -# unsigned char c = 24; -# unsigned char i = 1; -# unsigned char a; -# while(c < 208) { -# /* Copy the temporary variable over */ -# for(a = 0; a < 4; a++) -# t[a] = key[a + c - 4]; -# /* Every six sets, do a complex calculation */ -# if(c % 24 == 0) { -# schedule_code(t,i); -# i++; -# } -# for(a = 0; a < 4; a++) { -# key[c] = key[c - 24] ^ t[a]; -# c++; -# } -# } -#} - - - - -#------------------------------------------------------------------- -# sam_256_bit_key_expansion() -# -# Byte based key expansion for 256 bit keys by Sam Trenholme: -# http://www.samiam.org/key-schedule.html -#------------------------------------------------------------------- -def sam_256_bit_key_expansion(key): - pass -#void expand_key(unsigned char *key) { -# unsigned char t[4]; -# unsigned char c = 32; -# unsigned char i = 1; -# unsigned char a; -# while(c < 240) { -# /* Copy the temporary variable over */ -# for(a = 0; a < 4; a++) -# t[a] = key[a + c - 4]; -# /* Every eight sets, do a complex calculation */ -# if(c % 32 == 0) { -# schedule_core(t,i); -# i++; -# } -# /* For 256-bit keys, we add an extra sbox to the -# * calculation */ -# if(c % 32 == 16) { -# for(a = 0; a < 4; a++) -# t[a] = sbox(t[a]); -# } -# for(a = 0; a < 4; a++) { -# key[c] = key[c - 32] ^ t[a]; -# c++; -# } -# } -#} - - -#------------------------------------------------------------------- -# print_bytekeys() -# -# Print a set of round keys given as an array of bytes. -#------------------------------------------------------------------- -def print_bytekeys(keys): - i = 0 - print("Number of round keys: %d" % (int(len(keys) / 16))) - while i < (len(keys) - 1): - for j in range(16): - print("0x%02x " % keys[i + j], end="") - print("") - i += 16 - - -#------------------------------------------------------------------- -# test_key() -# -# Generate round keys for a given key and compare them to -# the given expected round keys. -#------------------------------------------------------------------- -def test_key(key, expected): - if len(key) not in [4, 6, 8]: - print("Error: Key is %d bits, not 128, 192 or 256 bits" % (len(key) * 32)) - return - - generated = key_gen(key) - - if (len(generated) != len(expected)): - print("Error: Incorrect number of keys generated.") - print("Expected number of round keys: %d" % len(expected)) - print("Got number of round keys: %d" % len(generated)) - - for i in range(len(generated)): - exp = expected[i] - got = generated[i] - if (exp != got): - print("Error: Error in round key %d." % i) - (e0, e1, e2, e3) = exp - (g0, g1, g2, g3) = got - print("Expected: 0x%08x 0x%08x 0x%08x 0x%08x"\ - % (e0, e1, e2, e3)) - print("Got: 0x%08x 0x%08x 0x%08x 0x%08x"\ - % (g0, g1, g2, g3)) - - -#------------------------------------------------------------------- -# test_key_expansion() -# -# Perform key expansion tests. -# The test keys and expected round keys are taken from: -# http://www.samiam.org/key-schedule.html -#------------------------------------------------------------------- -def test_key_expansion(): - # recon-test - print("rcon test:") - for i in range(20): - print("rcon %02d = 0x%02x" % (i, sam_rcon(i))) - - # Test of sam-implementations. - sam_key128_1 = [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00] - - my_expkey = sam_128_bit_key_expansion(sam_key128_1) - print_bytekeys(my_expkey) - - - # 128 bit keys. -# key128_1 = (0x00000000, 0x00000000, 0x00000000, 0x00000000) -# exp128_1 = ((0x00000000, 0x00000000, 0x00000000, 0x00000000), -# (0x62636363, 0x62636363, 0x62636363, 0x62636363), -# (0x9b9898c9, 0xf9fbfbaa, 0x9b9898c9, 0xf9fbfbaa), -# (0x90973450, 0x696ccffa, 0xf2f45733, 0x0b0fac99), -# (0xee06da7b, 0x876a1581, 0x759e42b2, 0x7e91ee2b), -# (0x7f2e2b88, 0xf8443e09, 0x8dda7cbb, 0xf34b9290), -# (0xec614b85, 0x1425758c, 0x99ff0937, 0x6ab49ba7), -# (0x21751787, 0x3550620b, 0xacaf6b3c, 0xc61bf09b), -# (0x0ef90333, 0x3ba96138, 0x97060a04, 0x511dfa9f), -# (0xb1d4d8e2, 0x8a7db9da, 0x1d7bb3de, 0x4c664941), -# (0xb4ef5bcb, 0x3e92e211, 0x23e951cf, 0x6f8f188e)) -# -# key128_2 = (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff) -# exp128_2 = ((0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), -# (0xe8e9e9e9, 0x17161616, 0xe8e9e9e9, 0x17161616), -# (0xadaeae19, 0xbab8b80f, 0x525151e6, 0x454747f0), -# (0x090e2277, 0xb3b69a78, 0xe1e7cb9e, 0xa4a08c6e), -# (0xe16abd3e, 0x52dc2746, 0xb33becd8, 0x179b60b6), -# (0xe5baf3ce, 0xb766d488, 0x045d3850, 0x13c658e6), -# (0x71d07db3, 0xc6b6a93b, 0xc2eb916b, 0xd12dc98d), -# (0xe90d208d, 0x2fbb89b6, 0xed5018dd, 0x3c7dd150), -# (0x96337366, 0xb988fad0, 0x54d8e20d, 0x68a5335d), -# (0x8bf03f23, 0x3278c5f3, 0x66a027fe, 0x0e0514a3), -# (0xd60a3588, 0xe472f07b, 0x82d2d785, 0x8cd7c326)) -# -# key128_3 = (0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f) -# exp128_3 = ((0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f), -# (0xd6aa74fd, 0xd2af72fa, 0xdaa678f1, 0xd6ab76fe), -# (0xb692cf0b, 0x643dbdf1, 0xbe9bc500, 0x6830b3fe), -# (0xb6ff744e, 0xd2c2c9bf, 0x6c590cbf, 0x0469bf41), -# (0x47f7f7bc, 0x95353e03, 0xf96c32bc, 0xfd058dfd), -# (0x3caaa3e8, 0xa99f9deb, 0x50f3af57, 0xadf622aa), -# (0x5e390f7d, 0xf7a69296, 0xa7553dc1, 0x0aa31f6b), -# (0x14f9701a, 0xe35fe28c, 0x440adf4d, 0x4ea9c026), -# (0x47438735, 0xa41c65b9, 0xe016baf4, 0xaebf7ad2), -# (0x549932d1, 0xf0855768, 0x1093ed9c, 0xbe2c974e), -# (0x13111d7f, 0xe3944a17, 0xf307a78b, 0x4d2b30c5)) -# -# key128_4 = (0x6920e299, 0xa5202a6d, 0x656e6368, 0x69746f2a) -# exp128_4 = ((0x6920e299, 0xa5202a6d, 0x656e6368, 0x69746f2a), -# (0xfa880760, 0x5fa82d0d, 0x3ac64e65, 0x53b2214f), -# (0xcf75838d, 0x90ddae80, 0xaa1be0e5, 0xf9a9c1aa), -# (0x180d2f14, 0x88d08194, 0x22cb6171, 0xdb62a0db), -# (0xbaed96ad, 0x323d1739, 0x10f67648, 0xcb94d693), -# (0x881b4ab2, 0xba265d8b, 0xaad02bc3, 0x6144fd50), -# (0xb34f195d, 0x096944d6, 0xa3b96f15, 0xc2fd9245), -# (0xa7007778, 0xae6933ae, 0x0dd05cbb, 0xcf2dcefe), -# (0xff8bccf2, 0x51e2ff5c, 0x5c32a3e7, 0x931f6d19), -# (0x24b7182e, 0x7555e772, 0x29674495, 0xba78298c), -# (0xae127cda, 0xdb479ba8, 0xf220df3d, 0x4858f6b1)) -# -# # 192 bit keys. -# key192_1 = (0x00000000, 0x00000000, 0x00000000, -# 0x00000000, 0x00000000, 0x00000000) -# exp192_1 = ((0x00000000, 0x00000000, 0x00000000, 0x00000000), -# (0x00000000, 0x00000000, 0x62636363, 0x62636363), -# (0x62636363, 0x62636363, 0x62636363, 0x62636363), -# (0x9b9898c9, 0xf9fbfbaa, 0x9b9898c9, 0xf9fbfbaa), -# (0x9b9898c9, 0xf9fbfbaa, 0x90973450, 0x696ccffa), -# (0xf2f45733, 0x0b0fac99, 0x90973450, 0x696ccffa), -# (0xc81d19a9, 0xa171d653, 0x53858160, 0x588a2df9), -# (0xc81d19a9, 0xa171d653, 0x7bebf49b, 0xda9a22c8), -# (0x891fa3a8, 0xd1958e51, 0x198897f8, 0xb8f941ab), -# (0xc26896f7, 0x18f2b43f, 0x91ed1797, 0x407899c6), -# (0x59f00e3e, 0xe1094f95, 0x83ecbc0f, 0x9b1e0830), -# (0x0af31fa7, 0x4a8b8661, 0x137b885f, 0xf272c7ca), -# (0x432ac886, 0xd834c0b6, 0xd2c7df11, 0x984c5970)) -# -# key192_2 = (0xffffffff, 0xffffffff, 0xffffffff, -# 0xffffffff, 0xffffffff, 0xffffffff) -# exp192_2 = ((0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), -# (0xffffffff, 0xffffffff, 0xe8e9e9e9, 0x17161616), -# (0xe8e9e9e9, 0x17161616, 0xe8e9e9e9, 0x17161616), -# (0xadaeae19, 0xbab8b80f, 0x525151e6, 0x454747f0), -# (0xadaeae19, 0xbab8b80f, 0xc5c2d8ed, 0x7f7a60e2), -# (0x2d2b3104, 0x686c76f4, 0xc5c2d8ed, 0x7f7a60e2), -# (0x1712403f, 0x686820dd, 0x454311d9, 0x2d2f672d), -# (0xe8edbfc0, 0x9797df22, 0x8f8cd3b7, 0xe7e4f36a), -# (0xa2a7e2b3, 0x8f88859e, 0x67653a5e, 0xf0f2e57c), -# (0x2655c33b, 0xc1b13051, 0x6316d2e2, 0xec9e577c), -# (0x8bfb6d22, 0x7b09885e, 0x67919b1a, 0xa620ab4b), -# (0xc53679a9, 0x29a82ed5, 0xa25343f7, 0xd95acba9), -# (0x598e482f, 0xffaee364, 0x3a989acd, 0x1330b418)) -# -# key192_3 = (0x00010203, 0x04050607, 0x08090a0b, -# 0x0c0d0e0f, 0x10111213, 0x14151617) -# exp192_3 = ((0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f), -# (0x10111213, 0x14151617, 0x5846f2f9, 0x5c43f4fe), -# (0x544afef5, 0x5847f0fa, 0x4856e2e9, 0x5c43f4fe), -# (0x40f949b3, 0x1cbabd4d, 0x48f043b8, 0x10b7b342), -# (0x58e151ab, 0x04a2a555, 0x7effb541, 0x6245080c), -# (0x2ab54bb4, 0x3a02f8f6, 0x62e3a95d, 0x66410c08), -# (0xf5018572, 0x97448d7e, 0xbdf1c6ca, 0x87f33e3c), -# (0xe5109761, 0x83519b69, 0x34157c9e, 0xa351f1e0), -# (0x1ea0372a, 0x99530916, 0x7c439e77, 0xff12051e), -# (0xdd7e0e88, 0x7e2fff68, 0x608fc842, 0xf9dcc154), -# (0x859f5f23, 0x7a8d5a3d, 0xc0c02952, 0xbeefd63a), -# (0xde601e78, 0x27bcdf2c, 0xa223800f, 0xd8aeda32), -# (0xa4970a33, 0x1a78dc09, 0xc418c271, 0xe3a41d5d)) -# -# # 256 bit keys. -# key256_1 = (0x00000000, 0x00000000, 0x00000000, 0x00000000, -# 0x00000000, 0x00000000, 0x00000000, 0x0000000) -# exp256_1 = ((0x00000000, 0x00000000, 0x00000000, 0x00000000), -# (0x00000000, 0x00000000, 0x00000000, 0x00000000), -# (0x62636363, 0x62636363, 0x62636363, 0x62636363), -# (0xaafbfbfb, 0xaafbfbfb, 0xaafbfbfb, 0xaafbfbfb), -# (0x6f6c6ccf, 0x0d0f0fac, 0x6f6c6ccf, 0x0d0f0fac), -# (0x7d8d8d6a, 0xd7767691, 0x7d8d8d6a, 0xd7767691), -# (0x5354edc1, 0x5e5be26d, 0x31378ea2, 0x3c38810e), -# (0x968a81c1, 0x41fcf750, 0x3c717a3a, 0xeb070cab), -# (0x9eaa8f28, 0xc0f16d45, 0xf1c6e3e7, 0xcdfe62e9), -# (0x2b312bdf, 0x6acddc8f, 0x56bca6b5, 0xbdbbaa1e), -# (0x6406fd52, 0xa4f79017, 0x553173f0, 0x98cf1119), -# (0x6dbba90b, 0x07767584, 0x51cad331, 0xec71792f), -# (0xe7b0e89c, 0x4347788b, 0x16760b7b, 0x8eb91a62), -# (0x74ed0ba1, 0x739b7e25, 0x2251ad14, 0xce20d43b), -# (0x10f80a17, 0x53bf729c, 0x45c979e7, 0xcb706385)) -# -# key256_2 = (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, -# 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff) -# exp256_2 = ((0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), -# (0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff), -# (0xe8e9e9e9, 0x17161616, 0xe8e9e9e9, 0x17161616), -# (0x0fb8b8b8, 0xf0474747, 0x0fb8b8b8, 0xf0474747), -# (0x4a494965, 0x5d5f5f73, 0xb5b6b69a, 0xa2a0a08c), -# (0x355858dc, 0xc51f1f9b, 0xcaa7a723, 0x3ae0e064), -# (0xafa80ae5, 0xf2f75596, 0x4741e30c, 0xe5e14380), -# (0xeca04211, 0x29bf5d8a, 0xe318faa9, 0xd9f81acd), -# (0xe60ab7d0, 0x14fde246, 0x53bc014a, 0xb65d42ca), -# (0xa2ec6e65, 0x8b5333ef, 0x684bc946, 0xb1b3d38b), -# (0x9b6c8a18, 0x8f91685e, 0xdc2d6914, 0x6a702bde), -# (0xa0bd9f78, 0x2beeac97, 0x43a565d1, 0xf216b65a), -# (0xfc223491, 0x73b35ccf, 0xaf9e35db, 0xc5ee1e05), -# (0x0695ed13, 0x2d7b4184, 0x6ede2455, 0x9cc8920f), -# (0x546d424f, 0x27de1e80, 0x88402b5b, 0x4dae355e)) -# -# key256_3 = (0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, -# 0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f) -# exp256_3 = ((0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f), -# (0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f), -# (0xa573c29f, 0xa176c498, 0xa97fce93, 0xa572c09c), -# (0x1651a8cd, 0x0244beda, 0x1a5da4c1, 0x0640bade), -# (0xae87dff0, 0x0ff11b68, 0xa68ed5fb, 0x03fc1567), -# (0x6de1f148, 0x6fa54f92, 0x75f8eb53, 0x73b8518d), -# (0xc656827f, 0xc9a79917, 0x6f294cec, 0x6cd5598b), -# (0x3de23a75, 0x524775e7, 0x27bf9eb4, 0x5407cf39), -# (0x0bdc905f, 0xc27b0948, 0xad5245a4, 0xc1871c2f), -# (0x45f5a660, 0x17b2d387, 0x300d4d33, 0x640a820a), -# (0x7ccff71c, 0xbeb4fe54, 0x13e6bbf0, 0xd261a7df), -# (0xf01afafe, 0xe7a82979, 0xd7a5644a, 0xb3afe640), -# (0x2541fe71, 0x9bf50025, 0x8813bbd5, 0x5a721c0a), -# (0x4e5a6699, 0xa9f24fe0, 0x7e572baa, 0xcdf8cdea), -# (0x24fc79cc, 0xbf0979e9, 0x371ac23c, 0x6d68de36)) -# -# print("*** Test of 128 bit keys: ***") -# test_key(key128_1, exp128_1) -# test_key(key128_2, exp128_2) -# test_key(key128_3, exp128_3) -# test_key(key128_4, exp128_4) -# print("") -# -# print("*** Test of 192 bit keys: ***") -# test_key(key192_1, exp192_1) -# test_key(key192_2, exp192_2) -# test_key(key192_3, exp192_3) -# print("") -# -# print("*** Test of 256 bit keys: ***") -# test_key(key256_1, exp256_1) -# test_key(key256_2, exp256_2) -# test_key(key256_3, exp256_3) -# print("") - - -#------------------------------------------------------------------- -# main() -# -# If executed tests the ChaCha class using known test vectors. -#------------------------------------------------------------------- -def main(): - print("Testing the AES key generation") - print("==============================") - print - - test_key_expansion() - - -#------------------------------------------------------------------- -# __name__ -# Python thingy which allows the file to be run standalone as -# well as parsed from within a Python interpreter. -#------------------------------------------------------------------- -if __name__=="__main__": - # Run the main function. - sys.exit(main()) - -#======================================================================= -# EOF aes_key_gen.py -#======================================================================= diff --git a/src/rtl/aes.v b/src/rtl/aes.v index 4f668bc..492ba56 100644 --- a/src/rtl/aes.v +++ b/src/rtl/aes.v @@ -107,10 +107,6 @@ module aes( reg [31 : 0] key_reg [0 : 7]; reg key_we; - reg [127 : 0] result_reg; - reg valid_reg; - reg ready_reg; - //---------------------------------------------------------------- // Wires. @@ -189,16 +185,9 @@ module aes( next_reg <= 1'b0; encdec_reg <= 1'b0; keylen_reg <= 1'b0; - - result_reg <= 128'h0; - valid_reg <= 1'b0; - ready_reg <= 1'b0; end else begin - ready_reg <= core_ready; - valid_reg <= core_valid; - result_reg <= core_result; init_reg <= init_new; next_reg <= next_new; @@ -239,10 +228,10 @@ module aes( if (core_ready) begin if (address == ADDR_CTRL) - begin - init_new = write_data[CTRL_INIT_BIT]; - next_new = write_data[CTRL_NEXT_BIT]; - end + begin + init_new = write_data[CTRL_INIT_BIT]; + next_new = write_data[CTRL_NEXT_BIT]; + end if (address == ADDR_CONFIG) config_we = 1'b1; @@ -262,7 +251,7 @@ module aes( ADDR_NAME1: tmp_read_data = CORE_NAME1; ADDR_VERSION: tmp_read_data = CORE_VERSION; ADDR_CTRL: tmp_read_data = {28'h0, keylen_reg, encdec_reg, next_reg, init_reg}; - ADDR_STATUS: tmp_read_data = {30'h0, valid_reg, ready_reg}; + ADDR_STATUS: tmp_read_data = {30'h0, core_valid, core_ready}; default: begin @@ -271,7 +260,7 @@ module aes( if ((address >= ADDR_RESULT0) && (address <= ADDR_RESULT3)) if (core_ready) - tmp_read_data = result_reg[(3 - (address - ADDR_RESULT0)) * 32 +: 32]; + tmp_read_data = core_result[(3 - (address - ADDR_RESULT0)) * 32 +: 32]; end end end // addr_decoder diff --git a/src/rtl/aes_core.v b/src/rtl/aes_core.v index 5196a1f..518b20f 100644 --- a/src/rtl/aes_core.v +++ b/src/rtl/aes_core.v @@ -85,8 +85,6 @@ module aes_core( //---------------------------------------------------------------- // Wires. //---------------------------------------------------------------- - reg init_state; - wire [127 : 0] round_key; wire key_ready; @@ -94,7 +92,6 @@ module aes_core( wire [3 : 0] enc_round_nr; wire [127 : 0] enc_new_block; wire enc_ready; - wire [31 : 0] enc_sboxw; reg dec_next; wire [3 : 0] dec_round_nr; @@ -105,11 +102,6 @@ module aes_core( reg [3 : 0] muxed_round_nr; reg muxed_ready; - wire [31 : 0] keymem_sboxw; - - reg [31 : 0] muxed_sboxw; - wire [31 : 0] new_sboxw; - //---------------------------------------------------------------- // Instantiations. @@ -124,9 +116,6 @@ module aes_core( .round(enc_round_nr), .round_key(round_key), - .sboxw(enc_sboxw), - .new_sboxw(new_sboxw), - .block(block), .new_block(enc_new_block), .ready(enc_ready) @@ -159,15 +148,10 @@ module aes_core( .round(muxed_round_nr), .round_key(round_key), - .ready(key_ready), - - .sboxw(keymem_sboxw), - .new_sboxw(new_sboxw) + .ready(key_ready) ); - aes_sbox sbox_inst(.sboxw(muxed_sboxw), .new_sboxw(new_sboxw)); - //---------------------------------------------------------------- // Concurrent connectivity for ports etc. @@ -207,25 +191,6 @@ module aes_core( //---------------------------------------------------------------- - // sbox_mux - // - // Controls which of the encipher datapath or the key memory - // that gets access to the sbox. - //---------------------------------------------------------------- - always @* - begin : sbox_mux - if (init_state) - begin - muxed_sboxw = keymem_sboxw; - end - else - begin - muxed_sboxw = enc_sboxw; - end - end // sbox_mux - - - //---------------------------------------------------------------- // encdex_mux // // Controls which of the datapaths that get the next signal, have @@ -264,7 +229,6 @@ module aes_core( //---------------------------------------------------------------- always @* begin : aes_core_ctrl - init_state = 1'b0; ready_new = 1'b0; ready_we = 1'b0; result_valid_new = 1'b0; @@ -277,7 +241,6 @@ module aes_core( begin if (init) begin - init_state = 1'b1; ready_new = 1'b0; ready_we = 1'b1; result_valid_new = 1'b0; @@ -287,7 +250,6 @@ module aes_core( end else if (next) begin - init_state = 1'b0; ready_new = 1'b0; ready_we = 1'b1; result_valid_new = 1'b0; @@ -299,8 +261,6 @@ module aes_core( CTRL_INIT: begin - init_state = 1'b1; - if (key_ready) begin ready_new = 1'b1; @@ -312,8 +272,6 @@ module aes_core( CTRL_NEXT: begin - init_state = 1'b0; - if (muxed_ready) begin ready_new = 1'b1; @@ -327,7 +285,6 @@ module aes_core( default: begin - end endcase // case (aes_core_ctrl_reg) diff --git a/src/rtl/aes_decipher_block.v b/src/rtl/aes_decipher_block.v index 82bdffb..b62065c 100644 --- a/src/rtl/aes_decipher_block.v +++ b/src/rtl/aes_decipher_block.v @@ -64,17 +64,14 @@ module aes_decipher_block( localparam AES128_ROUNDS = 4'ha; localparam AES256_ROUNDS = 4'he; - localparam NO_UPDATE = 3'h0; - localparam INIT_UPDATE = 3'h1; - localparam SBOX_UPDATE = 3'h2; - localparam MAIN_UPDATE = 3'h3; - localparam FINAL_UPDATE = 3'h4; + localparam NO_UPDATE = 2'h0; + localparam INIT_UPDATE = 2'h1; + localparam MAIN_UPDATE = 2'h2; + localparam FINAL_UPDATE = 2'h3; - localparam CTRL_IDLE = 3'h0; - localparam CTRL_INIT = 3'h1; - localparam CTRL_SBOX = 3'h2; - localparam CTRL_MAIN = 3'h3; - localparam CTRL_FINAL = 3'h4; + localparam CTRL_IDLE = 2'h0; + localparam CTRL_INIT = 2'h1; + localparam CTRL_MAIN = 2'h2; //---------------------------------------------------------------- @@ -192,11 +189,9 @@ module aes_decipher_block( //---------------------------------------------------------------- // Registers including update variables and write enable. //---------------------------------------------------------------- - reg [1 : 0] sword_ctr_reg; - reg [1 : 0] sword_ctr_new; - reg sword_ctr_we; - reg sword_ctr_inc; - reg sword_ctr_rst; + reg [127 : 0] block_reg; + reg [127 : 0] block_new; + reg block_we; reg [3 : 0] round_ctr_reg; reg [3 : 0] round_ctr_new; @@ -204,44 +199,43 @@ module aes_decipher_block( reg round_ctr_set; reg round_ctr_dec; - reg [127 : 0] block_new; - reg [31 : 0] block_w0_reg; - reg [31 : 0] block_w1_reg; - reg [31 : 0] block_w2_reg; - reg [31 : 0] block_w3_reg; - reg block_w0_we; - reg block_w1_we; - reg block_w2_we; - reg block_w3_we; - reg ready_reg; reg ready_new; reg ready_we; - reg [2 : 0] dec_ctrl_reg; - reg [2 : 0] dec_ctrl_new; + reg [1 : 0] dec_ctrl_reg; + reg [1 : 0] dec_ctrl_new; reg dec_ctrl_we; //---------------------------------------------------------------- // Wires. //---------------------------------------------------------------- - reg [31 : 0] tmp_sboxw; - wire [31 : 0] new_sboxw; - reg [2 : 0] update_type; + reg [31 : 0] sboxw0; + reg [31 : 0] sboxw1; + reg [31 : 0] sboxw2; + reg [31 : 0] sboxw3; + wire [31 : 0] new_sboxw0; + wire [31 : 0] new_sboxw1; + wire [31 : 0] new_sboxw2; + wire [31 : 0] new_sboxw3; + reg [1 : 0] update_type; //---------------------------------------------------------------- - // Instantiations. + // Inverse S-boxes. //---------------------------------------------------------------- - aes_inv_sbox inv_sbox_inst(.sword(tmp_sboxw), .new_sword(new_sboxw)); + aes_inv_sbox inv_sbox_inst0(.sword(sboxw0), .new_sword(new_sboxw0)); + aes_inv_sbox inv_sbox_inst1(.sword(sboxw1), .new_sword(new_sboxw1)); + aes_inv_sbox inv_sbox_inst2(.sword(sboxw2), .new_sword(new_sboxw2)); + aes_inv_sbox inv_sbox_inst3(.sword(sboxw3), .new_sword(new_sboxw3)); //---------------------------------------------------------------- // Concurrent connectivity for ports etc. //---------------------------------------------------------------- + assign new_block = block_reg; assign round = round_ctr_reg; - assign new_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; assign ready = ready_reg; @@ -256,31 +250,15 @@ module aes_decipher_block( begin: reg_update if (!reset_n) begin - block_w0_reg <= 32'h0; - block_w1_reg <= 32'h0; - block_w2_reg <= 32'h0; - block_w3_reg <= 32'h0; - sword_ctr_reg <= 2'h0; + block_reg <= 128'h0; round_ctr_reg <= 4'h0; ready_reg <= 1'b1; dec_ctrl_reg <= CTRL_IDLE; end else begin - if (block_w0_we) - block_w0_reg <= block_new[127 : 096]; - - if (block_w1_we) - block_w1_reg <= block_new[095 : 064]; - - if (block_w2_we) - block_w2_reg <= block_new[063 : 032]; - - if (block_w3_we) - block_w3_reg <= block_new[031 : 000]; - - if (sword_ctr_we) - sword_ctr_reg <= sword_ctr_new; + if (block_we) + block_reg <= block_new; if (round_ctr_we) round_ctr_reg <= round_ctr_new; @@ -301,86 +279,43 @@ module aes_decipher_block( //---------------------------------------------------------------- always @* begin : round_logic - reg [127 : 0] old_block, inv_shiftrows_block, inv_mixcolumns_block; + reg [127 : 0] subbytes_block, inv_shiftrows_block, inv_mixcolumns_block; reg [127 : 0] addkey_block; inv_shiftrows_block = 128'h0; inv_mixcolumns_block = 128'h0; addkey_block = 128'h0; block_new = 128'h0; - tmp_sboxw = 32'h0; - block_w0_we = 1'b0; - block_w1_we = 1'b0; - block_w2_we = 1'b0; - block_w3_we = 1'b0; + block_we = 1'b0; - old_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; + sboxw0 = block_reg[127 : 96]; + sboxw1 = block_reg[95 : 64]; + sboxw2 = block_reg[63 : 32]; + sboxw3 = block_reg[31 : 0]; + subbytes_block = {new_sboxw0, new_sboxw1, new_sboxw2, new_sboxw3}; - // Update based on update type. case (update_type) - // InitRound INIT_UPDATE: begin - old_block = block; - addkey_block = addroundkey(old_block, round_key); + addkey_block = addroundkey(block, round_key); inv_shiftrows_block = inv_shiftrows(addkey_block); block_new = inv_shiftrows_block; - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; - end - - SBOX_UPDATE: - begin - block_new = {new_sboxw, new_sboxw, new_sboxw, new_sboxw}; - - case (sword_ctr_reg) - 2'h0: - begin - tmp_sboxw = block_w0_reg; - block_w0_we = 1'b1; - end - - 2'h1: - begin - tmp_sboxw = block_w1_reg; - block_w1_we = 1'b1; - end - - 2'h2: - begin - tmp_sboxw = block_w2_reg; - block_w2_we = 1'b1; - end - - 2'h3: - begin - tmp_sboxw = block_w3_reg; - block_w3_we = 1'b1; - end - endcase // case (sbox_mux_ctrl_reg) + block_we = 1'b1; end MAIN_UPDATE: begin - addkey_block = addroundkey(old_block, round_key); + addkey_block = addroundkey(subbytes_block, round_key); inv_mixcolumns_block = inv_mixcolumns(addkey_block); inv_shiftrows_block = inv_shiftrows(inv_mixcolumns_block); block_new = inv_shiftrows_block; - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; + block_we = 1'b1; end FINAL_UPDATE: begin - block_new = addroundkey(old_block, round_key); - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; + block_new = addroundkey(subbytes_block, round_key); + block_we = 1'b1; end default: @@ -391,29 +326,6 @@ module aes_decipher_block( //---------------------------------------------------------------- - // sword_ctr - // - // The subbytes word counter with reset and increase logic. - //---------------------------------------------------------------- - always @* - begin : sword_ctr - sword_ctr_new = 2'h0; - sword_ctr_we = 1'b0; - - if (sword_ctr_rst) - begin - sword_ctr_new = 2'h0; - sword_ctr_we = 1'b1; - end - else if (sword_ctr_inc) - begin - sword_ctr_new = sword_ctr_reg + 1'b1; - sword_ctr_we = 1'b1; - end - end // sword_ctr - - - //---------------------------------------------------------------- // round_ctr // // The round counter with reset and increase logic. @@ -450,8 +362,6 @@ module aes_decipher_block( //---------------------------------------------------------------- always @* begin: decipher_ctrl - sword_ctr_inc = 1'b0; - sword_ctr_rst = 1'b0; round_ctr_dec = 1'b0; round_ctr_set = 1'b0; ready_new = 1'b0; @@ -475,32 +385,18 @@ module aes_decipher_block( CTRL_INIT: begin - sword_ctr_rst = 1'b1; + round_ctr_dec = 1'b1; update_type = INIT_UPDATE; - dec_ctrl_new = CTRL_SBOX; + dec_ctrl_new = CTRL_MAIN; dec_ctrl_we = 1'b1; end - CTRL_SBOX: - begin - sword_ctr_inc = 1'b1; - update_type = SBOX_UPDATE; - if (sword_ctr_reg == 2'h3) - begin - round_ctr_dec = 1'b1; - dec_ctrl_new = CTRL_MAIN; - dec_ctrl_we = 1'b1; - end - end - CTRL_MAIN: begin - sword_ctr_rst = 1'b1; if (round_ctr_reg > 0) begin + round_ctr_dec = 1'b1; update_type = MAIN_UPDATE; - dec_ctrl_new = CTRL_SBOX; - dec_ctrl_we = 1'b1; end else begin diff --git a/src/rtl/aes_encipher_block.v b/src/rtl/aes_encipher_block.v index 094653a..f98d755 100644 --- a/src/rtl/aes_encipher_block.v +++ b/src/rtl/aes_encipher_block.v @@ -49,9 +49,6 @@ module aes_encipher_block( output wire [3 : 0] round, input wire [127 : 0] round_key, - output wire [31 : 0] sboxw, - input wire [31 : 0] new_sboxw, - input wire [127 : 0] block, output wire [127 : 0] new_block, output wire ready @@ -67,17 +64,14 @@ module aes_encipher_block( localparam AES128_ROUNDS = 4'ha; localparam AES256_ROUNDS = 4'he; - localparam NO_UPDATE = 3'h0; - localparam INIT_UPDATE = 3'h1; - localparam SBOX_UPDATE = 3'h2; - localparam MAIN_UPDATE = 3'h3; - localparam FINAL_UPDATE = 3'h4; + localparam NO_UPDATE = 2'h0; + localparam INIT_UPDATE = 2'h1; + localparam MAIN_UPDATE = 2'h2; + localparam FINAL_UPDATE = 2'h3; - localparam CTRL_IDLE = 3'h0; - localparam CTRL_INIT = 3'h1; - localparam CTRL_SBOX = 3'h2; - localparam CTRL_MAIN = 3'h3; - localparam CTRL_FINAL = 3'h4; + localparam CTRL_IDLE = 2'h0; + localparam CTRL_INIT = 2'h1; + localparam CTRL_MAIN = 2'h2; //---------------------------------------------------------------- @@ -159,11 +153,9 @@ module aes_encipher_block( //---------------------------------------------------------------- // Registers including update variables and write enable. //---------------------------------------------------------------- - reg [1 : 0] sword_ctr_reg; - reg [1 : 0] sword_ctr_new; - reg sword_ctr_we; - reg sword_ctr_inc; - reg sword_ctr_rst; + reg [127 : 0] block_reg; + reg [127 : 0] block_new; + reg block_we; reg [3 : 0] round_ctr_reg; reg [3 : 0] round_ctr_new; @@ -171,42 +163,48 @@ module aes_encipher_block( reg round_ctr_rst; reg round_ctr_inc; - reg [127 : 0] block_new; - reg [31 : 0] block_w0_reg; - reg [31 : 0] block_w1_reg; - reg [31 : 0] block_w2_reg; - reg [31 : 0] block_w3_reg; - reg block_w0_we; - reg block_w1_we; - reg block_w2_we; - reg block_w3_we; - reg ready_reg; reg ready_new; reg ready_we; - reg [2 : 0] enc_ctrl_reg; - reg [2 : 0] enc_ctrl_new; + reg [1 : 0] enc_ctrl_reg; + reg [1 : 0] enc_ctrl_new; reg enc_ctrl_we; //---------------------------------------------------------------- // Wires. //---------------------------------------------------------------- - reg [2 : 0] update_type; - reg [31 : 0] muxed_sboxw; + reg [1 : 0] update_type; + + reg [31 : 0] sboxw0; + reg [31 : 0] sboxw1; + reg [31 : 0] sboxw2; + reg [31 : 0] sboxw3; + wire [31 : 0] new_sboxw0; + wire [31 : 0] new_sboxw1; + wire [31 : 0] new_sboxw2; + wire [31 : 0] new_sboxw3; //---------------------------------------------------------------- // Concurrent connectivity for ports etc. //---------------------------------------------------------------- + assign new_block = block_reg; assign round = round_ctr_reg; - assign sboxw = muxed_sboxw; - assign new_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; assign ready = ready_reg; //---------------------------------------------------------------- + // Sboxes + //---------------------------------------------------------------- + aes_sbox sbox_inst0(.sboxw(sboxw0), .new_sboxw(new_sboxw0)); + aes_sbox sbox_inst1(.sboxw(sboxw1), .new_sboxw(new_sboxw1)); + aes_sbox sbox_inst2(.sboxw(sboxw2), .new_sboxw(new_sboxw2)); + aes_sbox sbox_inst3(.sboxw(sboxw3), .new_sboxw(new_sboxw3)); + + + //---------------------------------------------------------------- // reg_update // // Update functionality for all registers in the core. @@ -217,31 +215,15 @@ module aes_encipher_block( begin: reg_update if (!reset_n) begin - block_w0_reg <= 32'h0; - block_w1_reg <= 32'h0; - block_w2_reg <= 32'h0; - block_w3_reg <= 32'h0; - sword_ctr_reg <= 2'h0; + block_reg <= 128'h0; round_ctr_reg <= 4'h0; ready_reg <= 1'b1; enc_ctrl_reg <= CTRL_IDLE; end else begin - if (block_w0_we) - block_w0_reg <= block_new[127 : 096]; - - if (block_w1_we) - block_w1_reg <= block_new[095 : 064]; - - if (block_w2_we) - block_w2_reg <= block_new[063 : 032]; - - if (block_w3_we) - block_w3_reg <= block_new[031 : 000]; - - if (sword_ctr_we) - sword_ctr_reg <= sword_ctr_new; + if (block_we) + block_reg <= block_new; if (round_ctr_we) round_ctr_reg <= round_ctr_new; @@ -262,18 +244,19 @@ module aes_encipher_block( //---------------------------------------------------------------- always @* begin : round_logic - reg [127 : 0] old_block, shiftrows_block, mixcolumns_block; + reg [127 : 0] subbytes_block, shiftrows_block, mixcolumns_block; reg [127 : 0] addkey_init_block, addkey_main_block, addkey_final_block; - block_new = 128'h0; - muxed_sboxw = 32'h0; - block_w0_we = 1'b0; - block_w1_we = 1'b0; - block_w2_we = 1'b0; - block_w3_we = 1'b0; + block_new = 128'h0; + block_we = 1'b0; - old_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; - shiftrows_block = shiftrows(old_block); + sboxw0 = block_reg[127 : 96]; + sboxw1 = block_reg[95 : 64]; + sboxw2 = block_reg[63 : 32]; + sboxw3 = block_reg[31 : 0]; + + subbytes_block = {new_sboxw0, new_sboxw1, new_sboxw2, new_sboxw3}; + shiftrows_block = shiftrows(subbytes_block); mixcolumns_block = mixcolumns(shiftrows_block); addkey_init_block = addroundkey(block, round_key); addkey_main_block = addroundkey(mixcolumns_block, round_key); @@ -282,60 +265,20 @@ module aes_encipher_block( case (update_type) INIT_UPDATE: begin - block_new = addkey_init_block; - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; - end - - SBOX_UPDATE: - begin - block_new = {new_sboxw, new_sboxw, new_sboxw, new_sboxw}; - - case (sword_ctr_reg) - 2'h0: - begin - muxed_sboxw = block_w0_reg; - block_w0_we = 1'b1; - end - - 2'h1: - begin - muxed_sboxw = block_w1_reg; - block_w1_we = 1'b1; - end - - 2'h2: - begin - muxed_sboxw = block_w2_reg; - block_w2_we = 1'b1; - end - - 2'h3: - begin - muxed_sboxw = block_w3_reg; - block_w3_we = 1'b1; - end - endcase // case (sbox_mux_ctrl_reg) + block_new = addkey_init_block; + block_we = 1'b1; end MAIN_UPDATE: begin - block_new = addkey_main_block; - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; + block_new = addkey_main_block; + block_we = 1'b1; end FINAL_UPDATE: begin - block_new = addkey_final_block; - block_w0_we = 1'b1; - block_w1_we = 1'b1; - block_w2_we = 1'b1; - block_w3_we = 1'b1; + block_new = addkey_final_block; + block_we = 1'b1; end default: @@ -346,29 +289,6 @@ module aes_encipher_block( //---------------------------------------------------------------- - // sword_ctr - // - // The subbytes word counter with reset and increase logic. - //---------------------------------------------------------------- - always @* - begin : sword_ctr - sword_ctr_new = 2'h0; - sword_ctr_we = 1'b0; - - if (sword_ctr_rst) - begin - sword_ctr_new = 2'h0; - sword_ctr_we = 1'b1; - end - else if (sword_ctr_inc) - begin - sword_ctr_new = sword_ctr_reg + 1'b1; - sword_ctr_we = 1'b1; - end - end // sword_ctr - - - //---------------------------------------------------------------- // round_ctr // // The round counter with reset and increase logic. @@ -401,16 +321,10 @@ module aes_encipher_block( reg [3 : 0] num_rounds; if (keylen == AES_256_BIT_KEY) - begin - num_rounds = AES256_ROUNDS; - end + num_rounds = AES256_ROUNDS; else - begin - num_rounds = AES128_ROUNDS; - end + num_rounds = AES128_ROUNDS; - sword_ctr_inc = 1'b0; - sword_ctr_rst = 1'b0; round_ctr_inc = 1'b0; round_ctr_rst = 1'b0; ready_new = 1'b0; @@ -435,32 +349,17 @@ module aes_encipher_block( CTRL_INIT: begin round_ctr_inc = 1'b1; - sword_ctr_rst = 1'b1; update_type = INIT_UPDATE; - enc_ctrl_new = CTRL_SBOX; + enc_ctrl_new = CTRL_MAIN; enc_ctrl_we = 1'b1; end - CTRL_SBOX: - begin - sword_ctr_inc = 1'b1; - update_type = SBOX_UPDATE; - if (sword_ctr_reg == 2'h3) - begin - enc_ctrl_new = CTRL_MAIN; - enc_ctrl_we = 1'b1; - end - end - CTRL_MAIN: begin - sword_ctr_rst = 1'b1; round_ctr_inc = 1'b1; if (round_ctr_reg < num_rounds) begin update_type = MAIN_UPDATE; - enc_ctrl_new = CTRL_SBOX; - enc_ctrl_we = 1'b1; end else begin diff --git a/src/rtl/aes_key_mem.v b/src/rtl/aes_key_mem.v index f57d4dd..07e338f 100644 --- a/src/rtl/aes_key_mem.v +++ b/src/rtl/aes_key_mem.v @@ -47,11 +47,7 @@ module aes_key_mem( input wire [3 : 0] round, output wire [127 : 0] round_key, - output wire ready, - - - output wire [31 : 0] sboxw, - input wire [31 : 0] new_sboxw + output wire ready ); @@ -109,7 +105,8 @@ module aes_key_mem( //---------------------------------------------------------------- // Wires. //---------------------------------------------------------------- - reg [31 : 0] tmp_sboxw; + reg [31 : 0] sboxw; + wire [31 : 0] new_sboxw; reg round_key_update; reg [3 : 0] num_rounds; @@ -122,7 +119,12 @@ module aes_key_mem( //---------------------------------------------------------------- assign round_key = tmp_round_key; assign ready = ready_reg; - assign sboxw = tmp_sboxw; + + + //---------------------------------------------------------------- + // S-box for key expansion. + //---------------------------------------------------------------- + aes_sbox sbox_inst(.sboxw(sboxw), .new_sboxw(new_sboxw)); //---------------------------------------------------------------- @@ -141,11 +143,11 @@ module aes_key_mem( for (i = 0 ; i < 15 ; i = i + 1) key_mem [i] <= 128'h0; - prev_key0_reg <= 128'h0; - prev_key1_reg <= 128'h0; rcon_reg <= 8'h0; ready_reg <= 1'b0; round_ctr_reg <= 4'h0; + prev_key0_reg <= 128'h0; + prev_key1_reg <= 128'h0; key_mem_ctrl_reg <= CTRL_IDLE; end else @@ -225,7 +227,7 @@ module aes_key_mem( w7 = prev_key1_reg[031 : 000]; rconw = {rcon_reg, 24'h0}; - tmp_sboxw = w7; + sboxw = w7; rotstw = {new_sboxw[23 : 00], new_sboxw[31 : 24]}; trw = rotstw ^ rconw; tw = new_sboxw; diff --git a/src/tb/tb_aes.v b/src/tb/tb_aes.v index 6561b4d..84be6a8 100644 --- a/src/tb/tb_aes.v +++ b/src/tb/tb_aes.v @@ -429,11 +429,64 @@ module tb_aes(); //---------------------------------------------------------------- - // nist_fips_tests() + // single_block_mangle_test() // - // Perform tests based on NIST FIPS-197 test vectors. + // Perform single block test, but try to mangle the operation + // by changing from encryption to decryption mid-processing. + // This should cause errors unless changes to config during + // processing. + //---------------------------------------------------------------- + task single_block_mangle_test(input [7 : 0] tc_number, + input [255 : 0] key, + input [127 : 0] block, + input [127 : 0] expected); + begin + $display("*** TC %0d mangle test started.", tc_number); + tc_ctr = tc_ctr + 1; + + init_key(key, AES_128_BIT_KEY); + write_block(block); + dump_dut_state(); + + // Set that we want to encipher and start processing. + $display("*** Staring encipher operation"); + write_word(ADDR_CONFIG, (8'h00 + (AES_128_BIT_KEY << 1) + AES_ENCIPHER)); + write_word(ADDR_CTRL, 8'h02); + + // Wait a number of cycles and then switch from encipher to decipher. + #(10 * CLK_PERIOD); + $display("*** Switching to decipher operation"); + write_word(ADDR_CONFIG, (8'h00 + (AES_128_BIT_KEY << 1) + AES_DECIPHER)); + + wait_ready(); + $display("*** Ready has been set!"); + dump_dut_state(); + read_result(); + + if (result_data == expected) + begin + $display("*** TC %0d successful.", tc_number); + $display(""); + end + else + begin + $display("*** ERROR: TC %0d NOT successful.", tc_number); + $display("Expected: 0x%032x", expected); + $display("Got: 0x%032x", result_data); + $display(""); + + error_ctr = error_ctr + 1; + end + end + endtask // ecb_mode_single_block_test + + //---------------------------------------------------------------- - task nist_fips_tests; + // aes_test() + // + // Main test task will perform complete NIST test of AES. + //---------------------------------------------------------------- + task aes_test; reg [255 : 0] nist_aes128_key; reg [255 : 0] nist_aes256_key; @@ -472,8 +525,8 @@ module tb_aes(); nist_ecb_256_enc_expected3 = 128'h23304b7a39f9f3ff067d8d8f9e24ecc7; - $display("NIST FIPS ECB 128 bit key tests"); - $display("-------------------------------"); + $display("ECB 128 bit key tests"); + $display("---------------------"); ecb_mode_single_block_test(8'h01, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, nist_plaintext0, nist_ecb_128_enc_expected0); @@ -501,8 +554,8 @@ module tb_aes(); $display(""); - $display("NIST FIPS ECB 256 bit key tests"); - $display("-------------------------------"); + $display("ECB 256 bit key tests"); + $display("---------------------"); ecb_mode_single_block_test(8'h10, AES_ENCIPHER, nist_aes256_key, AES_256_BIT_KEY, nist_plaintext0, nist_ecb_256_enc_expected0); @@ -527,34 +580,14 @@ module tb_aes(); ecb_mode_single_block_test(8'h17, AES_DECIPHER, nist_aes256_key, AES_256_BIT_KEY, nist_ecb_256_enc_expected3, nist_plaintext3); - end - endtask // aes_test - - //---------------------------------------------------------------- - // nist_kwp_test() - // - // Test that we can perform operations based on NIST KWP - // AE 128 test vectors. - //---------------------------------------------------------------- - task nist_kwp_test; - reg [255 : 0] kwp_key; - reg [127 : 0] kwp_plaintext; - reg [127 : 0] kwp_expected; - begin - kwp_key = 256'hc03db3cc1416dcd1c069a195a8d77e3d00000000000000000000000000000000; - kwp_plaintext = 128'ha65959a60000001f46f87f58cdda4200; - kwp_expected = 128'hd1bac797ff82fa4bde9f7490729fd0a7; - - $display(""); - $display("NIST KWP AE 128 bit test"); - - ecb_mode_single_block_test(8'h18, AES_ENCIPHER, kwp_key, AES_128_BIT_KEY, - kwp_plaintext, kwp_expected); + $display("Block processing mangling test"); + $display("------------------------------"); + single_block_mangle_test(8'h18, nist_aes128_key, nist_plaintext0, + nist_ecb_128_enc_expected0); end - endtask // nist_kwp_test - + endtask // aes_test //---------------------------------------------------------------- @@ -573,8 +606,7 @@ module tb_aes(); reset_dut(); dump_dut_state(); - nist_fips_tests(); - nist_kwp_test(); + aes_test(); display_test_results(); diff --git a/src/tb/tb_aes_core.v b/src/tb/tb_aes_core.v index d7c424c..d36d0bc 100644 --- a/src/tb/tb_aes_core.v +++ b/src/tb/tb_aes_core.v @@ -339,8 +339,15 @@ module tb_aes_core(); endtask // ecb_mode_single_block_test - task nist_fips_tests; - begin : fips_tests + //---------------------------------------------------------------- + // aes_core_test + // The main test functionality. + // + // Test cases taken from NIST SP 800-38A: + // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf + //---------------------------------------------------------------- + initial + begin : aes_core_test reg [255 : 0] nist_aes128_key; reg [255 : 0] nist_aes256_key; @@ -378,19 +385,29 @@ module tb_aes_core(); nist_ecb_256_enc_expected3 = 128'h23304b7a39f9f3ff067d8d8f9e24ecc7; - $display("NIST FIPS ECB 128 bit key tests"); - $display("-------------------------------"); + $display(" -= Testbench for aes core started =-"); + $display(" ================================"); + $display(""); + + init_sim(); + dump_dut_state(); + reset_dut(); + dump_dut_state(); + + + $display("ECB 128 bit key tests"); + $display("---------------------"); ecb_mode_single_block_test(8'h01, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, nist_plaintext0, nist_ecb_128_enc_expected0); - ecb_mode_single_block_test(8'h02, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, - nist_plaintext1, nist_ecb_128_enc_expected1); + ecb_mode_single_block_test(8'h02, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, + nist_plaintext1, nist_ecb_128_enc_expected1); - ecb_mode_single_block_test(8'h03, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, - nist_plaintext2, nist_ecb_128_enc_expected2); + ecb_mode_single_block_test(8'h03, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, + nist_plaintext2, nist_ecb_128_enc_expected2); - ecb_mode_single_block_test(8'h04, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, - nist_plaintext3, nist_ecb_128_enc_expected3); + ecb_mode_single_block_test(8'h04, AES_ENCIPHER, nist_aes128_key, AES_128_BIT_KEY, + nist_plaintext3, nist_ecb_128_enc_expected3); ecb_mode_single_block_test(8'h05, AES_DECIPHER, nist_aes128_key, AES_128_BIT_KEY, @@ -407,8 +424,8 @@ module tb_aes_core(); $display(""); - $display("NIST FIPS ECB 256 bit key tests"); - $display("-------------------------------"); + $display("ECB 256 bit key tests"); + $display("---------------------"); ecb_mode_single_block_test(8'h10, AES_ENCIPHER, nist_aes256_key, AES_256_BIT_KEY, nist_plaintext0, nist_ecb_256_enc_expected0); @@ -433,55 +450,7 @@ module tb_aes_core(); ecb_mode_single_block_test(8'h17, AES_DECIPHER, nist_aes256_key, AES_256_BIT_KEY, nist_ecb_256_enc_expected3, nist_plaintext3); - end - endtask // nist_fips_tests - - - //---------------------------------------------------------------- - // nist_kwp_test() - // - // Test that we can perform operations based on NIST KWP - // AE 128 test vectors. - //---------------------------------------------------------------- - task nist_kwp_test; - reg [255 : 0] kwp_key; - reg [127 : 0] kwp_plaintext; - reg [127 : 0] kwp_expected; - - begin - kwp_key = 256'hc03db3cc1416dcd1c069a195a8d77e3d00000000000000000000000000000000; - kwp_plaintext = 128'ha65959a60000001f46f87f58cdda4200; - kwp_expected = 128'hd1bac797ff82fa4bde9f7490729fd0a7; - - $display(""); - $display("NIST KWP AE 128 bit test"); - - ecb_mode_single_block_test(8'h18, AES_ENCIPHER, kwp_key, AES_128_BIT_KEY, - kwp_plaintext, kwp_expected); - end - endtask // nist_kwp_test - - - //---------------------------------------------------------------- - // aes_core_test - // The main test functionality. - // - // Test cases taken from NIST SP 800-38A: - // http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf - //---------------------------------------------------------------- - initial - begin : aes_core_test - $display(" -= Testbench for aes core started =-"); - $display(" ================================"); - $display(""); - - init_sim(); - dump_dut_state(); - reset_dut(); - dump_dut_state(); - nist_fips_tests(); - nist_kwp_test(); display_test_result(); $display(""); diff --git a/src/tb/tb_aes_decipher_block.v b/src/tb/tb_aes_decipher_block.v index ec228c0..13b9949 100644 --- a/src/tb/tb_aes_decipher_block.v +++ b/src/tb/tb_aes_decipher_block.v @@ -152,17 +152,15 @@ module tb_aes_decipher_block(); $display("Control states"); $display("round = 0x%01x", dut.round); - $display("dec_ctrl = 0x%01x, update_type = 0x%01x, sword_ctr = 0x%01x, round_ctr = 0x%01x", - dut.dec_ctrl_reg, dut.update_type, dut.sword_ctr_reg, dut.round_ctr_reg); + $display("dec_ctrl = 0x%01x, update_type = 0x%01x, round_ctr = 0x%01x", + dut.dec_ctrl_reg, dut.update_type, dut.round_ctr_reg); $display(""); $display("Internal data values"); $display("round_key = 0x%016x", dut.round_key); - $display("sboxw = 0x%08x, new_sboxw = 0x%08x", dut.tmp_sboxw, dut.new_sboxw); - $display("block_w0_reg = 0x%08x, block_w1_reg = 0x%08x, block_w2_reg = 0x%08x, block_w3_reg = 0x%08x", - dut.block_w0_reg, dut.block_w1_reg, dut.block_w2_reg, dut.block_w3_reg); + $display("block_reg = 0x%016x", dut.block_reg); $display(""); - $display("old_block = 0x%08x", dut.round_logic.old_block); + $display("subbytes_block = 0x%08x", dut.round_logic.subbytes_block); $display("inv_shiftrows_block = 0x%08x", dut.round_logic.inv_shiftrows_block); $display("inv_mixcolumns_block = 0x%08x", dut.round_logic.inv_mixcolumns_block); $display("addkey_block = 0x%08x", dut.round_logic.addkey_block); diff --git a/src/tb/tb_aes_encipher_block.v b/src/tb/tb_aes_encipher_block.v index 68e88dd..0606d95 100644 --- a/src/tb/tb_aes_encipher_block.v +++ b/src/tb/tb_aes_encipher_block.v @@ -74,9 +74,6 @@ module tb_aes_encipher_block(); wire [3 : 0] tb_round; wire [127 : 0] tb_round_key; - wire [31 : 0] tb_sboxw; - wire [31 : 0] tb_new_sboxw; - reg [127 : 0] tb_block; wire [127 : 0] tb_new_block; @@ -92,13 +89,6 @@ module tb_aes_encipher_block(); //---------------------------------------------------------------- // Device Under Test. //---------------------------------------------------------------- - // We need an sbox for the tests. - aes_sbox sbox( - .sboxw(tb_sboxw), - .new_sboxw(tb_new_sboxw) - ); - - // The device under test. aes_encipher_block dut( .clk(tb_clk), @@ -110,9 +100,6 @@ module tb_aes_encipher_block(); .round(tb_round), .round_key(tb_round_key), - .sboxw(tb_sboxw), - .new_sboxw(tb_new_sboxw), - .block(tb_block), .new_block(tb_new_block), .ready(tb_ready) @@ -166,25 +153,21 @@ module tb_aes_encipher_block(); $display("Control states"); $display("round = 0x%01x", dut.round); - $display("enc_ctrl = 0x%01x, update_type = 0x%01x, sword_ctr = 0x%01x, round_ctr = 0x%01x", - dut.enc_ctrl_reg, dut.update_type, dut.sword_ctr_reg, dut.round_ctr_reg); + $display("enc_ctrl = 0x%01x, update_type = 0x%01x, round_ctr = 0x%01x", + dut.enc_ctrl_reg, dut.update_type, dut.round_ctr_reg); $display(""); $display("Internal data values"); $display("round_key = 0x%016x", dut.round_key); - $display("sboxw = 0x%08x, new_sboxw = 0x%08x", dut.sboxw, dut.new_sboxw); - $display("block_w0_reg = 0x%08x, block_w1_reg = 0x%08x, block_w2_reg = 0x%08x, block_w3_reg = 0x%08x", - dut.block_w0_reg, dut.block_w1_reg, dut.block_w2_reg, dut.block_w3_reg); + $display("block_reg = 0x%016x", dut.block_reg); $display(""); - $display("old_block = 0x%08x", dut.round_logic.old_block); + $display("subbytes_block = 0x%08x", dut.round_logic.subbytes_block); $display("shiftrows_block = 0x%08x", dut.round_logic.shiftrows_block); $display("mixcolumns_block = 0x%08x", dut.round_logic.mixcolumns_block); $display("addkey_init_block = 0x%08x", dut.round_logic.addkey_init_block); $display("addkey_main_block = 0x%08x", dut.round_logic.addkey_main_block); $display("addkey_final_block = 0x%08x", dut.round_logic.addkey_final_block); - $display("block_w0_new = 0x%08x, block_w1_new = 0x%08x, block_w2_new = 0x%08x, block_w3_new = 0x%08x", - dut.block_new[127 : 096], dut.block_new[095 : 064], - dut.block_new[063 : 032], dut.block_new[031 : 000]); + $display("block_new = 0x%08x", dut.block_new); $display(""); end endtask // dump_dut_state diff --git a/src/tb/tb_aes_key_mem.v b/src/tb/tb_aes_key_mem.v index cac216a..b76fb64 100644 --- a/src/tb/tb_aes_key_mem.v +++ b/src/tb/tb_aes_key_mem.v @@ -78,9 +78,6 @@ module tb_aes_key_mem(); wire [127 : 0] tb_round_key; wire tb_ready; - wire [31 : 0] tb_sboxw; - wire [31 : 0] tb_new_sboxw; - //---------------------------------------------------------------- // Device Under Test. @@ -95,15 +92,9 @@ module tb_aes_key_mem(); .round(tb_round), .round_key(tb_round_key), - .ready(tb_ready), - - .sboxw(tb_sboxw), - .new_sboxw(tb_new_sboxw) + .ready(tb_ready) ); - // The DUT requirees Sboxes. - aes_sbox sbox(.sboxw(tb_sboxw), .new_sboxw(tb_new_sboxw)); - //---------------------------------------------------------------- // clk_gen diff --git a/toolruns/Makefile b/toolruns/Makefile index 8408abd..835a92f 100755 --- a/toolruns/Makefile +++ b/toolruns/Makefile @@ -37,51 +37,44 @@ # #=================================================================== -SBOX_SRC = ../src/rtl/aes_sbox.v -INV_SBOX_SRC = ../src/rtl/aes_inv_sbox.v -KEYMEM_SRC = ../src/rtl/aes_key_mem.v -ENCIPHER_SRC = ../src/rtl/aes_encipher_block.v -DECIPHER_SRC = ../src/rtl/aes_decipher_block.v -CORE_SRC = ../src/rtl/aes_core.v $(KEYMEM_SRC) $(SBOX_SRC) $(INV_SBOX_SRC) $(ENCIPHER_SRC) $(DECIPHER_SRC) -TOP_SRC = ../src/rtl/aes.v $(CORE_SRC) +SBOX_SRC=../src/rtl/aes_sbox.v +INV_SBOX_SRC=../src/rtl/aes_inv_sbox.v +KEYMEM_SRC=../src/rtl/aes_key_mem.v +ENCIPHER_SRC=../src/rtl/aes_encipher_block.v +DECIPHER_SRC=../src/rtl/aes_decipher_block.v +CORE_SRC=../src/rtl/aes_core.v $(KEYMEM_SRC) $(SBOX_SRC) $(INV_SBOX_SRC) $(ENCIPHER_SRC) $(DECIPHER_SRC) +TOP_SRC=../src/rtl/aes.v $(CORE_SRC) -TB_TOP_SRC = ../src/tb/tb_aes.v -TB_CORE_SRC = ../src/tb/tb_aes_core.v -TB_KEYMEM_SRC = ../src/tb/tb_aes_key_mem.v -TB_ENCIPHER_SRC = ../src/tb/tb_aes_encipher_block.v -TB_DECIPHER_SRC = ../src/tb/tb_aes_decipher_block.v +TB_TOP_SRC =../src/tb/tb_aes.v +TB_CORE_SRC =../src/tb/tb_aes_core.v +TB_KEYMEM_SRC =../src/tb/tb_aes_key_mem.v +TB_ENCIPHER_SRC =../src/tb/tb_aes_encipher_block.v +TB_DECIPHER_SRC =../src/tb/tb_aes_decipher_block.v -CC = iverilog -CC_FLAGS = -Wall - -LINT = verilator -LINT_FLAGS = +1364-2001ext+ --lint-only -Wall -Wno-fatal -Wno-DECLFILENAME +CC=iverilog +LINT=verilator all: top.sim core.sim keymem.sim encipher.sim decipher.sim top.sim: $(TB_TOP_SRC) $(TOP_SRC) - $(CC) $(CC_FLAGS) -o top.sim $(TB_TOP_SRC) $(TOP_SRC) + $(CC) -o top.sim $(TB_TOP_SRC) $(TOP_SRC) core.sim: $(TB_CORE_SRC) $(CORE_SRC) - $(CC) $(CC_FLAGS) -o core.sim $(TB_CORE_SRC) $(CORE_SRC) + $(CC) -o core.sim $(TB_CORE_SRC) $(CORE_SRC) keymem.sim: $(TB_KEYMEM_SRC) $(KEYGEN_SRC) $(SBOX_SRC) - $(CC) $(CC_FLAGS) -o keymem.sim $(TB_KEYMEM_SRC) $(KEYMEM_SRC) $(SBOX_SRC) + $(CC) -o keymem.sim $(TB_KEYMEM_SRC) $(KEYMEM_SRC) $(SBOX_SRC) encipher.sim: $(TB_ENCIPHER_SRC) $(ENCIPHER_SRC) $(SBOX_SRC) - $(CC) $(CC_FLAGS) -o encipher.sim $(TB_ENCIPHER_SRC) $(ENCIPHER_SRC) $(SBOX_SRC) + $(CC) -o encipher.sim $(TB_ENCIPHER_SRC) $(ENCIPHER_SRC) $(SBOX_SRC) decipher.sim: $(TB_DECIPHER_SRC) $(DECIPHER_SRC) $(INV_SBOX_SRC) - $(CC) $(CC_FLAGS) -o decipher.sim $(TB_DECIPHER_SRC) $(DECIPHER_SRC) $(INV_SBOX_SRC) - - -lint: $(TOP_SRC) - $(LINT) $(LINT_FLAGS) $(TOP_SRC) + $(CC) -o decipher.sim $(TB_DECIPHER_SRC) $(DECIPHER_SRC) $(INV_SBOX_SRC) sim-keymem: keymem.sim @@ -103,6 +96,11 @@ sim-core: core.sim sim-top: top.sim ./top.sim + +lint: + verilator +1364-2001ext+ --lint-only -Wall $(TOP_SRC) + + clean: rm -f decipher.sim rm -f encipher.sim |