CN109302280B - AES key expansion method - Google Patents
Publication number: CN109302280B (application CN201810870149.3A)
Authority: CN (China)
Prior art keywords: key, byte, data, round, aes
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses an AES key expansion method and belongs to the technical field of information security. For AES keys of 128 and 192 bits, a specific key interception rule is given by which a key of the corresponding length is intercepted from the output digest of the sha256 hash function. For the AES encryption algorithm with 128-, 192- and 256-bit keys, even if an attacker knows the corresponding interception rule, he must first obtain the digest that the sha256 hash function generates from the key; he cannot obtain that digest by collision, and can only guess the output digest by exhaustive search over the sha256 output space, whose complexity is 2^256, significantly higher than the complexity of searching a 128-bit or a 192-bit key. The one-way property of the AES key expansion method is ensured by the irreversibility of the sha256 hash function, and the difficulty of brute-forcing the key is raised by the collision resistance of the sha256 hash function, so the security of AES key expansion is improved.
Description
Technical Field
The invention belongs to the technical field of information security and in particular relates to an AES key expansion method.
Background
In 2001 the United States federal government adopted the Rijndael encryption algorithm as the Advanced Encryption Standard (AES) to replace the DES algorithm, which no longer met security requirements. Since its publication, AES has become one of the most popular symmetric cipher algorithms and is widely applied in communication scenarios such as wireless communication.
AES is an encryption algorithm with a plaintext block length of 128 bits; its key length has three cases, 128, 192 and 256 bits, corresponding to 10, 12 and 14 rounds of data processing. The round processing of the AES encryption algorithm consists of 4 steps: row shifting (ShiftRows), column mixing (MixColumns), byte substitution (SubBytes) and round key addition (AddRoundKey). Round key addition links the data to the key: through several rounds of iterative processing, a change in one key bit causes changes in the data bits, which improves the security of the cryptographic algorithm, so the key expansion directly influences the performance of the cryptographic algorithm.
Because the key expansion algorithm involves key-related information, the most critical problem it must solve is security, and the design of a current key expansion algorithm needs to satisfy two properties: statistical independence and sensitivity. Statistical independence means that the round keys are not derived from one another by a simple relation. Sensitivity means that a change of a few bits of the seed key results in a change of the expanded key that satisfies the avalanche effect, i.e. about fifty percent of the output bits change.
Because the current AES key expansion algorithm cannot resist differential key attacks, an attacker who knows some sub-key bytes can deduce the round keys of the preceding and following rounds through differential analysis of the rounds, which endangers system security. Some scholars have replaced the original single S-box with double S-boxes on the basis of the original key expansion method, but adding S-boxes means more occupied memory and higher hardware requirements for the system. Meanwhile, the related literature uses a hash function with a 160-bit output for key expansion, but the 160-bit hash function has been broken by scholars such as Wang Xiaoyun, so it cannot guarantee the security of key expansion. Therefore, the invention generates the round key of each round with the sha256 hash function; sha256 is a key member of cryptography and plays a crucial role in digital digests and data integrity authentication. By the cryptographic properties of sha256, a change in a single bit of the data results in a change of at least fifty percent of the digest value, which satisfies the avalanche requirement of key expansion. Therefore, the invention ensures the security of AES key expansion by using the collision resistance and irreversibility of the sha256 hash function, and provides a specific expansion mode for AES key expansion.
Disclosure of Invention
The invention aims to provide an AES key expansion method that improves the security of AES key expansion while also allowing the round keys to be reused.
The purpose of the invention is realized by the following technical scheme:
First, a random number of the key length is generated with a pseudo-random number generator according to the key length and stored as the key of the transmitting end and the receiving end. In the AES key expansion itself, the round key of the previous round is circularly shifted to the left or right, and the shifted data is used as the input of the sha256 hash function to obtain a digest value. On the basis of that step, the corresponding interception method is used to obtain and store the round key of the current round.
An AES key expansion method comprises the following steps:
(1) generating a random number with a required bit number by using a pseudo-random number generator according to the key length of the selected AES algorithm so as to obtain an initial key, and storing the initial key as an encryption and decryption key;
(2) initializing a key round number i to be 1, wherein the key expansion round numbers of the key round number i are respectively 10 rounds, 12 rounds and 14 rounds for a key with a length of 128 bits, a key with a length of 192 bits and a key with a length of 256 bits;
(3) processing the key with the sha256 hash function to obtain the hash digest of the key;
(4) intercepting the hash value to obtain a round key with a required length;
(5) after the round key is obtained, the round key is shifted;
(6) judging whether the number of expansion rounds has been reached; if so, outputting the final round key matrix, otherwise jumping to step (3) to continue key expansion.
The step (3) specifically comprises the following steps:
(3.1) padding the key, where according to the characteristics of the sha256 hash function the data length after padding satisfies the following formula:
l + 1 + k ≡ 448 (mod 512)
where l is the length of the key in bits, 1 refers to the single 1 bit that is appended, and k is the number of 0 bits to be padded;
(3.2) after the hash array is initialized, processing the data block to obtain the corresponding hash value;
(3.3) carrying out iterative processing on the expanded key data to obtain the hash value.
The step (3.3) specifically comprises the following steps:
(3.3.1) initializing 8 words of intermediate storage variables, namely:
(3.3.2) performing the following processing on the data after the key expansion:
for the initial 16 rounds of data processing, the procedure is as follows:
W_t = M_t,
for the subsequent 48 rounds, the processing is as follows:
W_t = EP1(W_{t-2}) + W_{t-7} + EP0(W_{t-5}) + W_{t-16},
where M_t is the data word after expansion of the original key, W_t is the storage unit after data preprocessing, the subscript t of M and W is the index of the intermediate storage variable, ROTRIGHT_i(x) in EP0 and EP1 denotes a cyclic right rotation of x by i bits, SHIFTRIGHT_i(x) denotes a logical right shift of x by i bits, and ⊕ denotes the bitwise exclusive-or operation;
(3.3.3) after preprocessing the expanded key data, the hash iteration can be executed; the operation variables are processed as follows:
t1 = h + EP1(e) + CH(e, f, g) + K_t + W_t
t2 = EP0(a) + MAJ(a, b, c)
h = g
g = f
f = e
e = d + t1
d = c
c = b
b = a
a = t1 + t2
where t1, t2, h, g, f, e, d, c, b, a are all intermediate storage variables and the subscript t refers to the t-th iteration; & denotes the AND operation, ¬ the bitwise inverse (NOT) operation and ⊕ the exclusive-or operation; K is a static constant array of 64 words, and K_t is the t-th element of the K array, used in the t-th iteration;
(3.3.4) outputting the hash digest information of sha256 as follows:
where the superscript 1 of H indicates that H is now the final operation result, and the subscript is the index of the hash array;
(3.3.5) the digest information of the 8 words is concatenated as follows:
where k refers to the key, sha256(k) denotes the sha256 hash operation on k, and || denotes the string concatenation operation.
The key interception method in step (4) specifically comprises the following steps:
(4.1) after the initial key has been processed by sha256 to generate a digest value, for the AES encryption algorithm with a 128-bit key, for the first to tenth expansion rounds the first to tenth bytes of the initial key are respectively ANDed with 255, the result is reduced modulo 32, the modulo result is mapped to a byte position of the sha256 digest, and a round key of 16 bytes is then taken by circular interception to the right from that position and stored;
(4.2) for the AES encryption algorithm with a 192-bit key, for the first to twelfth expansion rounds the first to twelfth bytes of the initial key are respectively ANDed with 255, the result is reduced modulo 32 and mapped to a byte position of the sha256 digest, and a round key of 24 bytes is then taken by circular interception to the right from that position and stored;
(4.3) the data of the 24th byte down to the 13th byte of the initial key is used as the basis of the circular shift: each of these bytes is ANDed with 255 and the result is reduced modulo 24, the modulo result being the number of bytes by which the key must be shifted; the result of the modulo-24 operation is then reduced modulo 2 so that it is 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left;
(4.4) performing the corresponding circular shift on the round key, which serves as the input of the subsequent sha256 hash function.
The round key shifting method in step (5) is specifically as follows:
(5.1) for the AES algorithm with a 128-bit key, the 16th byte down to the 7th byte of the initial key are used as the basis of the circular shift: each of these bytes is ANDed with 255 and the result is reduced modulo 16, the modulo result being the number of bytes by which the round key must be shifted; the result of the modulo-16 operation is then reduced modulo 2 so that it is 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left;
(5.2) for the AES algorithm with a 192-bit key, the 24th byte down to the 12th byte are used as the basis of the circular shift: each of these bytes is ANDed with 255 and the result is reduced modulo 24, the modulo result being the number of bytes by which the key must be shifted; the result of the modulo-24 operation is then reduced modulo 2 so that it is 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left;
(5.3) for the AES algorithm with a 256-bit key, the 32nd byte down to the 19th byte are used as the basis of the circular shift: each of these bytes is ANDed with 255 and the result is reduced modulo 32, the modulo result being the number of bytes by which the key must be shifted; the result of the modulo-32 operation is then reduced modulo 2 so that it is 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left;
(5.4) performing the corresponding circular shift on the round key, which serves as the input of the subsequent sha256 hash function.
The core of the invention is that the sha256 hash function realizes the expansion of the round key, and the one-way property of the hash function guarantees the irreversibility of AES key expansion, thereby improving the security of the key expansion algorithm.
The main content of the AES round key expansion of the invention is as follows. First, the digest value of the initial key is obtained with the sha256 hash function. The sha256 output is 256 bits, i.e. 32 bytes of data; however, for AES128 and AES192 the key lengths are 128 and 192 bits respectively, which is less than 256 bits, so a corresponding interception is needed. For a 128-bit round key, 16 bytes of the hash digest are intercepted; for a 192-bit round key, 24 bytes are intercepted; and for a 256-bit round key the whole hash digest is taken as the round key, so the interception step is omitted. The key interception method is: select the relevant byte of the initial key, going from the lowest byte of the key array to the highest, and AND it with 255 to obtain an integer; reduce that integer modulo 32 so that the result lies between 0 and 31; then intercept circularly to the right from that position, and for the part that runs past the end of the array continue from the lowest byte until the byte count of the round key is reached.
After the key is intercepted, it needs to be shifted to serve as the input of the subsequent hash function, and the number of shifted bytes is determined as follows: select the relevant byte of the initial key, going from the highest byte of the key array to the lowest, and AND it with 255 to obtain an integer; reduce that integer modulo the byte length of the round key, so that the result is smaller than the number of bytes of the round key, which gives the number of bytes by which each round key is shifted. The result of the reduction modulo the round key byte length is then reduced modulo 2 to control the direction of the circular shift: if it is zero, the round key is circularly shifted to the right, and if it is one, to the left. The shifted round key is used as the input of the sha256 hash function of the next round.
The invention has the beneficial effects that:
The advantage of the invention is that the sha256 hash function is used to process the round key, so the risk in the original AES round key expansion algorithm that the key can be leaked by forward or backward derivation from some known round key bytes is removed; the security of the AES round key expansion algorithm is greatly improved, and so is the security of the whole AES encryption and decryption algorithm.
Drawings
Fig. 1 is the AES key expansion flow based on sha256;
Fig. 2 is a block diagram of the sha256 processing of the data.
Detailed Description
Embodiments of the present invention are further described below with reference to the accompanying drawings.
The flow of round key expansion of the present invention is shown in Fig. 1, and the specific procedure consists of the following 6 steps.
1. A random number with the required number of bits is generated by a pseudo-random number generator according to the key length of the selected AES algorithm to obtain the initial key, which is stored as the encryption and decryption key.
2. Since AES has different key lengths and requires different numbers of key expansion rounds, the key expansion round counter i is initialized to 1 after the initial key is obtained; the number of key expansion rounds is 10, 12 and 14 for a 128-bit, a 192-bit and a 256-bit key respectively.
3. After the initial key is obtained, it is processed with the sha256 hash function to obtain its hash digest. By its characteristics, the sha256 hash function generates a 256-bit digest for input data of any length, and if the input data changes by one bit, the output data changes, after the 64 rounds of transformation of the sha256 hash function, in a way that satisfies the avalanche effect, which ensures the security of the key. To make the method easier to understand, the sha256 data processing is described with reference to Fig. 2, whose operation steps are denoted step 3.1, step 3.2 and step 3.3; these 3 steps are described in detail below.
In step 3.1, the key first needs to be padded, and according to the characteristics of the sha256 hash function the padded data length must satisfy the following formula:
l + 1 + k ≡ 448 (mod 512) (1)
where l in formula (1) is the length of the key in bits and 1 refers to the single 1 bit: according to the data padding rule of sha256, one 1 bit is appended after the key bits first and the remaining bits are padded with 0, so k in the formula is the number of 0 bits that need to be padded.
In step 3.2, an initial hash value needs to be set first. The hash value consists of an array of 8 words, so the length of the 8-word array is exactly 256 bits, and the eight words are usually respectively: the superscript 0 of H indicates that H is in its initialized state, and the subscript is the index of the hash array. After the hash array is initialized, the 512-bit data block can be processed to obtain the corresponding hash value.
In step 3.3, iterative processing is performed on the expanded key data to obtain the hash value. Since the padded key fills only 1 data block of 512 bits, the digest value of the data is output after a single iteration of 64 rounds. The calculation first needs to initialize 8 words of intermediate storage variables, that is:
and then the data after the key expansion is processed as follows:
for the initial sixteen rounds of data processing, the procedure is as follows:
W_t = M_t (2)
for the subsequent 48 rounds, the processing is as follows:
W_t = EP1(W_{t-2}) + W_{t-7} + EP0(W_{t-5}) + W_{t-16} (3)
where M_t in formula (2) is the data word after the original key expansion; since the expanded data is 512 bits, the storage corresponding to 16 words is exactly 512 bits. W_t is the storage unit after data preprocessing; each unit is one 32-bit word, and there are 64 units. The subscript t of M and W is the index of the storage variable. The processing is divided into two steps, with t taking different ranges in formulas (2) and (3): t ranges over 1-16 in formula (2) and over 17-64 in formula (3), from which it can be seen more clearly that M is 16 words in size and W is 64 words. In formula (3), ROTRIGHT_i(x) in EP0 and EP1 denotes a cyclic right rotation of x by i bits, SHIFTRIGHT_i(x) denotes a logical right shift of x by i bits, and ⊕ denotes the bitwise exclusive-or operation.
After preprocessing the expanded key data, the hash iteration can be executed; for the 64 iteration rounds, the operation variables are processed as shown in equations (4) to (12):
t1 = h + EP1(e) + CH(e, f, g) + K_t + W_t (4)
t2 = EP0(a) + MAJ(a, b, c) (5)
h = g (6)
g = f (7)
f = e (8)
e = d + t1 (9)
d = c (10)
c = b (11)
b = a (12)
a = t1 + t2 (13)
t1, t2, h, g, f, e, d, c, b, a in equations (4) to (12) are all intermediate storage variables, and the subscript t indicates the t-th iteration. & denotes the AND operation, ¬ the bitwise inverse (NOT) operation and ⊕ the exclusive-or operation; K is a static constant array of 64 words, and K_t is the t-th element of the K array, used in the t-th iteration.
After the above operations are completed, the hash digest information of sha256 can be output, as follows:
where the superscript 1 of H indicates that H is now the final operation result, and the subscript is the index of the hash array.
Finally, the digest information of the 8 words is concatenated as follows:
where k refers to the key, sha256(k) denotes the sha256 hash operation on k, and || denotes the string concatenation operation.
4. After the hash value of the round key is obtained, it needs to be truncated to obtain a round key of the required length. The key interception method is as follows. After the initial key has been processed by sha256 to generate a digest value: for the AES encryption algorithm with a 128-bit key, the key length is 16 bytes; for the first to tenth expansion rounds, the first to tenth bytes of the initial key are respectively ANDed with 255, the result is reduced modulo 32 and mapped to a byte position of the sha256 digest, and a 16-byte round key is then taken by circular truncation to the right from that position and stored. For the AES encryption algorithm with a 192-bit key, the key length is 24 bytes; for the first to twelfth expansion rounds, the first to twelfth bytes of the initial key are respectively ANDed with 255, the result is reduced modulo 32 and mapped to a byte position of the sha256 digest, and a 24-byte round key is then taken by circular truncation to the right from that position and stored. Then the data of the 24th byte down to the 13th byte of the initial key is used as the basis of the circular shift: each byte is ANDed with 255, the result is reduced modulo 24, the modulo result is the number of bytes by which the round key must be shifted, and the result of the modulo-24 operation is reduced modulo 2 to give 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left.
According to the above, the round key is circularly shifted accordingly and used as the input of the subsequent sha256 hash function. For the 256-bit AES encryption algorithm, the data interception step is omitted: the digest value obtained by processing the previous round's key with sha256 is used directly as the round key of the current round and stored, and the key is then circularly shifted and used as the input of the next round of sha256 processing.
5. After the round key is acquired, the method shifts it so that the key expansion has high diffusion. The round key shifting method is as follows. For the AES algorithm with a 128-bit key, the 16th down to the 7th byte of the initial key are used as the basis of the circular shift: each byte is ANDed with 255 and the result is reduced modulo 16, the modulo result is the number of bytes by which the key must be shifted, and the result of the modulo-16 operation is reduced modulo 2 to give 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left. For the AES algorithm with a 192-bit key, the 24th down to the 12th byte are used as the basis of the circular shift: each byte is ANDed with 255 and the result is reduced modulo 24, the modulo result is the number of bytes by which the round key must be shifted, and the result of the modulo-24 operation is reduced modulo 2 to give 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left. For the AES algorithm with a 256-bit key, the 32nd down to the 19th byte are used as the basis of the circular shift: each byte is ANDed with 255 and the result is reduced modulo 32, the modulo result is the number of bytes by which the round key must be shifted, and the result of the modulo-32 operation is reduced modulo 2 to give 0 or 1, where 0 represents a circular shift to the right and 1 a circular shift to the left.
According to the above, the round key is circularly shifted accordingly and used as the input of the subsequent sha256 hash function.
6. Judge whether the number of expansion rounds has been reached; if so, output the final round key matrix, otherwise jump to step 3 to continue expanding the key.
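The six-step procedure above, written out as an added example in Python (this is not code from the patent): `expand_key` derives the round keys for 16-, 24- and 32-byte initial keys, using hashlib's SHA-256 in place of the step 3 internals (note that the standard SHA-256 message schedule uses W_{t-15}, not the W_{t-5} printed on this page), the byte-indexed interception of step 4 and the circular shift of step 5. Assumed readings: "circular interception to the right" means taking consecutive digest bytes from the selected start position and wrapping around to the lowest byte, and "the n-th byte" of the initial key is `key[n-1]`.

```python
import hashlib
import secrets

# Number of key expansion rounds per key length in bytes (step 2 of the patent).
ROUNDS = {16: 10, 24: 12, 32: 14}


def generate_initial_key(key_bytes: int) -> bytes:
    """Step 1: draw a random initial key of the selected AES key length."""
    if key_bytes not in ROUNDS:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return secrets.token_bytes(key_bytes)


def intercept(digest: bytes, start: int, n: int) -> bytes:
    """Step 4: take n consecutive digest bytes beginning at position start,
    wrapping to the lowest byte once the end of the digest is passed
    (assumed reading of 'circular interception to the right')."""
    size = len(digest)
    return bytes(digest[(start + i) % size] for i in range(n))


def rotate_bytes(data: bytes, count: int, left: bool) -> bytes:
    """Step 5: circular byte shift of the round key to the left or right."""
    count %= len(data)
    if left:
        return data[count:] + data[:count]
    return data[-count:] + data[:-count] if count else data


def expand_key(key: bytes) -> list:
    """Steps 2 to 6: derive every round key from the initial key."""
    n = len(key)
    if n not in ROUNDS:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    round_keys = []
    state = key  # round 1 hashes the initial key itself
    for r in range(ROUNDS[n]):
        # Step 3: SHA-256 of the current input (initial key, or the
        # shifted round key of the previous round).
        digest = hashlib.sha256(state).digest()
        if n < 32:
            # Step 4: byte r+1 of the initial key (1-indexed), ANDed with
            # 255 and reduced mod 32, selects the start byte in the digest.
            start = (key[r] & 255) % 32
            round_key = intercept(digest, start, n)
        else:
            # 256-bit keys use the whole digest; no interception step.
            round_key = digest
        round_keys.append(round_key)
        # Step 5: bytes 16..7 / 24..13 / 32..19 of the initial key
        # (1-indexed), i.e. key[n-1-r], give the shift count mod n;
        # the count mod 2 gives the direction (0 = right, 1 = left).
        count = (key[n - 1 - r] & 255) % n
        state = rotate_bytes(round_key, count, left=(count % 2 == 1))
    return round_keys


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits; used to check the avalanche property
    the patent relies on (a one-bit key change should flip ~half)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample key so the run is deterministic; in practice
    # the key comes from generate_initial_key(16).
    key = bytes(range(16))
    for i, rk in enumerate(expand_key(key), 1):
        print(f"round {i:2d}: {rk.hex()}")
    flipped = bytes([key[0] ^ 1]) + key[1:]
    print("bits differing in the round 1 key after a 1-bit key change:",
          bit_difference(expand_key(key)[0], expand_key(flipped)[0]))
```

Because the interception start and the shift control bytes both come from the initial key alone, every round key is a deterministic function of the initial key and the previous round key, which is what makes storing the expanded keys (as the page suggests) equivalent to re-deriving them.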
By this method, a new AES key expansion method based on the sha256 hash function is obtained. The method maps each round key to 256-bit digest data with the sha256 hash function. Suppose a third party tries to guess the keys and knows the key interception rule: to obtain the digest information of a key, the third party must first know the entire digest, and unless the original key information is known, the time complexity of obtaining the digest by traversal and collision tends to infinity, whereas the complexity of directly traversing a 128-bit AES key is 2^127, so this scheme obviously has higher security. Owing to the one-way property of sha256, even if the round key of a certain round is known, it cannot be derived backwards to obtain the round key of the previous round, so both the forward and the backward security of AES key expansion based on this method is guaranteed. Compared with the original method, the method of the invention is slightly more complex in operation, since each round of key expansion needs 64 iteration rounds; therefore a key storage method can be adopted, i.e. the expanded key is stored after each round of key expansion for convenient subsequent encryption. As long as the original key is not leaked, the security of round key expansion in this method is equal to that of the sha256 hash algorithm.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (5)
1. An AES key expansion method, comprising the steps of:
(1) generating a random number with a required bit number by using a pseudo-random number generator according to the key length of the selected AES algorithm so as to obtain an initial key, and storing the initial key as an encryption and decryption key;
(2) initializing a key round number i to be 1, wherein the key expansion round numbers of the key round number i are respectively 10 rounds, 12 rounds and 14 rounds for a key with a length of 128 bits, a key with a length of 192 bits and a key with a length of 256 bits;
(3) processing the key with the sha256 hash function to obtain the hash digest of the key;
(4) intercepting the hash value to obtain a round key with a required length;
(5) after the round key is obtained, the round key is shifted;
(6) judging whether the number of expansion rounds has been reached; if so, outputting the final round key matrix, otherwise jumping to step (3) to continue key expansion.
2. The AES key expansion method according to claim 1, wherein the step (3) includes:
(3.1) padding the key, where according to the characteristics of the sha256 hash function the data length after padding satisfies the following formula:
l + 1 + m ≡ 448 (mod 512)
where l is the length of the key in bits, 1 refers to the single 1 bit that is appended, and m is the number of 0 bits to be padded;
(3.2) after the hash array is initialized, processing the data block to obtain the corresponding hash value;
(3.3) carrying out iterative processing on the expanded key data to obtain the hash value.
3. The AES key expansion method according to claim 2, wherein step (3.3) comprises:
(3.3.1) initializing 8 words of intermediate storage variables, namely:
(3.3.2) performing the following processing on the expanded key data:
for the first 16 rounds of data processing:
W_t = M_t,
for the subsequent 48 rounds:
W_t = EP1(W_{t-2}) + W_{t-7} + EP0(W_{t-5}) + W_{t-16},
where M_t denotes the t-th data word of the expanded original key, W_t denotes the storage unit after data preprocessing, the subscript t of M and W is the sequence number of the intermediate storage variable, ROTRight_i(x) in EP0 and EP1 denotes a cyclic shift of x to the right by i bits, SHIFTRight_i(x) denotes a (non-cyclic) shift of x to the right by i bits, and the remaining operator denotes a bitwise exclusive-OR operation;
(3.3.3) after the expanded key data has been preprocessed, the hash iteration can be executed; the operating variables are updated as follows:
t1 = h + EP1(e) + CH(e, f, g) + K_t + W_t
t2 = EP0(a) + MAJ(a, b, c)
h = g
g = f
f = e
e = d + t1
d = c
c = b
b = a
a = t1 + t2
where t1, t2, h, g, f, e, d, c, b, a are all intermediate storage variables, the subscript t refers to the t-th iteration, & denotes a bitwise AND operation, the negation operator denotes a bitwise complement (NOT), the remaining operator denotes an exclusive-OR operation, K is a static array of 64 constant words, and K_t is the t-th element of K, used in the t-th iteration;
(3.3.4) outputting the sha256 hash digest as follows:
where the superscript 1 on H indicates that H is the final operation result, and the subscript is the index of the hash array;
(3.3.5) the digest information of the 8 words is concatenated as follows:
where k is the key, sha256(k) is the sha256 hash of k, and || denotes a string concatenation operation.
4. The AES key expansion method according to claim 1, wherein the key interception method of step (4) is specifically:
(4.1) after the initial key has been hashed with sha256 to produce a digest value, for the AES encryption algorithm with a 128-bit key, for the first to tenth rounds of expansion, the first to tenth bytes of the initial key are each ANDed with 255, the result is taken modulo 32, the modulo result is mapped to a byte position of the sha256 digest, and 16 bytes are intercepted circularly to the right from that position to obtain the round key, which is then stored;
(4.2) for the AES encryption algorithm with a 192-bit key, for the first to twelfth rounds of expansion, the first to twelfth bytes of the initial key are each ANDed with 255, the result is taken modulo 32, the modulo result is mapped to a byte position of the sha256 digest, and 24 bytes are intercepted circularly to the right from that position to obtain the round key, which is then stored;
(4.3) the 24th to 13th bytes of the initial key are used as the basis for deciding the circular shift: each of the 24th to 13th bytes is ANDed with 255 and the result is taken modulo 24, the modulo result being the number of bytes by which the round key is to be shifted; the modulo-24 result is then taken modulo 2 to give 0 or 1, where 0 means a circular shift to the right and 1 a circular shift to the left;
(4.4) the corresponding circular shift is applied to the round key, which then serves as the input to the subsequent sha256 hash.
5. The AES key expansion method according to claim 1, wherein the round key shift method of step (5) is specifically:
(5.1) for the AES algorithm with a 128-bit key, the 16th to 7th bytes of the initial key are used as the basis for deciding the circular shift: each of the 16th to 7th bytes is ANDed with 255 and the result is taken modulo 16, the modulo result being the number of bytes by which the round key is to be shifted; the modulo-16 result is then taken modulo 2, where 0 means a circular shift to the right and 1 a circular shift to the left;
(5.2) for the AES algorithm with a 192-bit key, the 24th to 12th bytes are used as the basis for deciding the circular shift: each of the 24th to 12th bytes is ANDed with 255 and the result is taken modulo 24, the modulo result being the number of bytes by which the key is to be shifted; the modulo-24 result is then taken modulo 2, where 0 means a circular shift to the right and 1 a circular shift to the left;
(5.3) for the AES algorithm with a 256-bit key, the 32nd to 19th bytes are used as the basis for deciding the circular shift: each of the 32nd to 19th bytes is ANDed with 255 and the result is taken modulo 32, the modulo result being the number of bytes by which the key is to be shifted; the modulo-32 result is then taken modulo 2 to give 0 or 1, where 0 means a circular shift to the right and 1 a circular shift to the left;
(5.4) the corresponding circular shift is applied to the round key, which then serves as the input to the subsequent sha256 hash.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810870149.3A CN109302280B (en) | 2018-08-02 | 2018-08-02 | AES key expansion method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109302280A CN109302280A (en) | 2019-02-01 |
CN109302280B true CN109302280B (en) | 2021-11-23 |
Family
ID=65172369