Help me with InvMixColumns in AES


Question


1. How do I implement this inverse matrix multiplication?

0e 0b 0d 09     04
09 0e 0b 0d     66
0d 09 0e 0b  .  81
0b 0d 09 0e     e5

2. What rules solve decryption with this matrix multiplication (InvMixColumns)? For example, in MixColumns, as far as I know the rules are:
- if msb = 1, then a 1-bit left shift followed by a conditional bitwise XOR with "1B"
- if msb = 0, just a 1-bit left shift
- and when multiplying by 03, 03 is broken down into 2 and 1, because 03 (11 in binary) = 2 (10 in binary) XOR 1 (01 in binary)

thx.

Answer

Hi there,

I had the same problem, generating {09}x, {0b}x, {0d}x, and {0e}x respectively.
So I guess I understand your question, although a bit late for you :)

Anyways, the easiest answer for me to write, and for anyone to understand, is the following:

Method 1
You should use the lookup tables graciously provided by Wikipedia at https://en.wikipedia.org/wiki/Rijndael_mix_columns#Galois_Multiplication_lookup_tables.


For an extra 1.5 kilobytes of memory, you take away all the math involved in the "MixColumns" and "InvMixColumns" functions.
All the operations reduce to 4 lookups and 3 bitwise XOR operations.

This method has the added value of being impervious to "timing attacks", which may deduce certain bits of the key, or of the plaintext message, just by analyzing how many operations are performed in different phases of the algorithm.
For example, in the "MixColumns" function, whenever x has MSbit = 1, there is an extra XOR operation with 0x1B, so, in theory, one can pinpoint these extra operations and deduce the most significant bit of all the bytes of the "state".

Yes, there are methods to force both branches to have the same number of operations, but you are still vulnerable to "compiler optimizations", which are known to be very smart these days, and (the compilers) may "optimize out" an "x XOR 0" operation, leaving you where you started.


So anyways, once you have your lookup tables, the MixColumns function should be like:

X(i,0) = Lookup2[X(0,0)] ^ Lookup3[X(0,1)] ^ X(0,2) ^ X(0,3)
X(i,1) = X(0,0) ^ Lookup2[X(0,1)] ^ Lookup3[X(0,2)] ^ X(0,3)
...and so on...

InvMixColumns should be like:
X(i,0) = Lookup14[X(0,0)] ^ Lookup11[X(0,1)] ^ Lookup13[X(0,2)] ^ Lookup9[X(0,3)]
X(i,1) = Lookup9[X(0,0)] ^ Lookup14[X(0,1)] ^ Lookup11[X(0,2)] ^ Lookup13[X(0,3)]
...and so on...


Method 2
If you insist on computing {09}x, {0b}x, {0d}x, and {0e}x, just as you did with {02}x and {03}x, and still don't want to get into the marvelous "polynomial arithmetic in/over finite/Galois fields"... then you need to stick to the tricks provided in the MixColumns description.
These tricks are:
1. 2{x} ... the thingy which involves the 0x1B constant :)
2. {x} + {y}
Note that {x} + {x} does not work the way we "normal" people imagine, using "regular arithmetics" ... notice that {x} ^ {x} = 0, for any value of {x}.
You need to employ "the 0x1B thingy"...

Anyways, to get to the point, in order to compute {09}x, {0b}x, {0d}x, and {0e}x the following method seems to work:
1. Compute {02}x = 2(x)
2. Compute {04}x = 2({02}x)
3. Compute {08}x = 2({04}x)
4. {09}x = {08}x ^ x
5. {11}x = {08}x ^ {02}x ^ x
6. {13}x = {08}x ^ {04}x ^ x
7. {14}x = {08}x ^ {04}x ^ {02}x

Now you can apply the algorithm described for MixColumns, but using the computed values above as XOR terms.
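An added worked example, my own code rather than anything from the question or the answer above, that carries out the question's matrix product and both of the answer's methods in Python: `xtime` is "the 0x1B thingy", `gf_mul` builds {09}..{0e} from repeated doublings as Method 2 does, the `MUL` tables give Method 1's 4-lookups-and-3-XORs form, and `inv_mix_column` is run on the question's column 04 66 81 e5. The column layout (first byte = top row of the matrix product) and the branch-free mask form of `xtime` are my assumptions.

```python
def xtime(b: int) -> int:
    # {02}*b: shift left, XOR 0x1B if bit 7 was set. A mask replaces the `if`, so both
    # cases do the same work (assumption: branch-free form, not the if/else the question describes).
    return ((b << 1) ^ (0x1B & -(b >> 7))) & 0xFF

def gf_mul(a: int, c: int) -> int:
    # a*c in GF(2^8): split c into powers of two and XOR the doublings of a,
    # the same trick Method 2 uses for {09}x = {08}x ^ x and friends.
    r = 0
    while c:
        if c & 1:
            r ^= a
        a, c = xtime(a), c >> 1
    return r

# Method 1: one 256-byte table per constant that appears in either matrix.
MUL = {c: bytes(gf_mul(x, c) for x in range(256)) for c in (1, 2, 3, 9, 11, 13, 14)}
MIX_ROW0 = (2, 3, 1, 1)         # first row of the MixColumns matrix (02 03 01 01)
INV_MIX_ROW0 = (14, 11, 13, 9)  # first row of the InvMixColumns matrix (0e 0b 0d 09)

def _circulant(col: bytes, row0) -> bytes:
    # Multiply the circulant matrix with first row row0 by a 4-byte column:
    # each output byte is 4 lookups XORed together, no data-dependent branch.
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= MUL[row0[(j - i) % 4]][col[j]]  # row i is row0 rotated right by i
        out.append(acc)
    return bytes(out)

def mix_column(col: bytes) -> bytes:
    return _circulant(col, MIX_ROW0)
def inv_mix_column(col: bytes) -> bytes:
    return _circulant(col, INV_MIX_ROW0)

def method2_matches_tables() -> bool:
    # Check Method 2's decompositions ({0e}x = {08}x ^ {04}x ^ {02}x, ...) for every byte.
    for x in range(256):
        x2 = xtime(x); x4 = xtime(x2); x8 = xtime(x4)
        if (x8 ^ x, x8 ^ x2 ^ x, x8 ^ x4 ^ x, x8 ^ x4 ^ x2) != \
                tuple(MUL[c][x] for c in (9, 11, 13, 14)):
            return False
    return True

if __name__ == "__main__":
    col = bytes.fromhex("046681e5")  # the column from the question (constructed input)
    print("InvMixColumns(04 66 81 e5) =", inv_mix_column(col).hex())
    print("MixColumns undoes it:", mix_column(inv_mix_column(col)) == col)
    print("Method 2 agrees with the tables:", method2_matches_tables())
```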

