In [None]:
import random
import struct
from copy import copy
random.seed(5)

# Advanced Encryption Standard

The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found at least six time faster than triple DES.

A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable against exhaustive key search attack. Triple DES was designed to overcome this drawback but it was found slow.

The features of AES are as follows:

    - Symmetric key symmetric block cipher
    - 128-bit data, 128/192/256-bit keys
    - Stronger and faster than Triple-DES
    - Provide full specification and design details


## Operation of AES

AES is an iterative rather than Feistel cipher. It is based on **substitution–permutation network**. It comprises of a series of linked operations, some of which involve replacing inputs by specific outputs (substitutions) and others involve shuffling bits around (permutations).

Interestingly, AES performs all its computations on *bytes* rather than *bits*. Hence, AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix

Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these rounds uses a different 128-bit round key, which is calculated from the original AES key.

<img src='aes_images/aes_structure.jpg' width=35%>


All operations in a round of AES are invertible:

- **AddRoundKey: **each byte of the round key is combined with the corresponding byte in the state using XOR
- **SubBytes:  **each byte in the state is replaced with a different byte according to the S-Box lookup table
- **ShiftRows: **each row in the state table is shifted by a varying number of bytes
- **MixColumns: **each column in the state table is multiplied with a fixed polynomial

<img src='aes_images/aes_encryption_round.png' width=50%>


## Encryption Process

Here, we restrict to description of a typical round of AES encryption. Each round comprise of four sub-processes.

<img src='aes_images/first_round_process.jpg' width=35%>



AES operates on a 4×4 matrix referred to as the state, therefore `16 bytes = 128 bits = block size`

<img src='aes_images/aes_data_structure.png' width=50%>


### Addroundkey

The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128 bits are interpreted as 16 bytes and we begin another similar round- 

- Each byte of the round key is XORed with the corresponding byte in the state table
- Inverse operation is identical since XOR a second time returns the original values

** Exercise: ** Implement `add_round_key(state, round_key)` 

In [None]:
def add_round_key(input_state, round_key):
    
    None
    
    
    return state

In [None]:
state = bytearray()
round_key = bytearray()
for i in range(16):
    state.append(random.randint(0,16))
    round_key.append(random.randint(0,16))
print(len(round_key)) 
add_round_key(state, round_key)

### Byte Substitution (SubBytes)

The 16 input bytes are substituted by looking up a fixed table (S-box) given in design. The result is in a matrix of four rows and four columns.

 - Each byte of the state table is substituted with the value in the S-Box whose index is the value of the state table byte
 - Provides non-linearity (algorithm not equal to the sum of its parts)
 - Inverse operation is performed using the inverted S-Box
 
 <img src='aes_images/aes_byte_level_op.png' width=50%>
 
 
#### S_BOX and S_BOX Inverse

<img src='aes_images/aes_sbox.png' width=50%>




In [None]:
def get_sbox():
    
    Sbox = (0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
            0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
            0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
            0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
            0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
            0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
            0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
            0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
            0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
            0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
            0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
            0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
            0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
            0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
            0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
            0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16)
    return Sbox
        

#### S_BOX Inverse
<img src='aes_images/aes_sbox_inv.png' width=50%>


In [None]:
def get_sbox_inverse():
    Sbox_inv = (
            0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
            0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
            0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
            0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
            0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
            0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
            0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
            0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
            0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
            0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
            0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
            0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
            0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
            0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
            0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
            0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
    )
    return Sbox_inv

** Exercise: ** Implement Byte substitution `sub_bytes(state)`.

In [None]:
def sub_bytes(input_state, sbox):
    
    None
    
    return output_state

In [None]:
state = bytearray()
for i in range(16):
    state.append(random.randint(0,16))
sbox = get_sbox()
state = sub_bytes(state, sbox)
print(state)

## Shiftrows

Each of the four rows of the matrix is shifted to the left. Any entries that fall off are re-inserted on the right side of row (circular shift). Shift is carried out as follows:

   - First row is not shifted.

   - Second row is shifted one (byte) position to the left.

   - Third row is shifted two positions to the left.

   - Fourth row is shifted three positions to the left.
   
In summary:
- Each row in the state table is shifted left by the number of bytes represented by the row number
- Inverse operation simply shifts each row to the right by the number of bytes as the row number

The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.

** Exercise: ** Implement `shift_rows(state)`. To do that, first implement a utility function `rotate(word, n)` that returns a copy of the word:
        - circular left shifted n bytes (chars) positive values for n 
        - circular right shifted n bytes (chars) positive values for n
then use the `rotate(word, n)` function to implement the `shift_rows(state)`

In [None]:
def rotate(word, n):
    None


In [None]:
def shift_rows(state):
    shifted_state = bytearray(len(state))
    # iterate over each "virtual" row in the state table
    None
    
    return shifted_state



In [None]:
state = bytearray()
for i in range(16):
    state.append(random.randint(0,16))

print(state)
shift_rows(state)

## MixColumns

Each column of four bytes is now transformed using a special mathematical function. This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column. The result is another new matrix consisting of 16 new bytes. *It should be noted that this step is not performed in the last round.*


<img src='aes_images/aes_row_column_op.png' width=50%>

MixColumns is performed by multiplying each column (within the Galois finite field) by the following matrix:


\begin{bmatrix}
2 & 3 & 1 & 1 \\
1 & 2 & 3 & 1 \\
1 & 1 & 2 & 3 \\
3 & 1 & 1 & 2
\end{bmatrix}


The inverse operation is performed by multiplying each column by the following inverse matrix:


\begin{bmatrix}
14 & 11 & 13 & 9 \\
9 & 14 & 11 & 13 \\
13 & 9 & 14 & 11 \\
11 & 13 & 9 & 14
\end{bmatrix}

We use Galois multiplication to multiple perform mix column.

In [None]:
# Galois Multiplication
def galoisMult(a, b):
    # the product of the multiplication 
    p = 0
    hiBitSet = 0
    for i in range(8):
    
        # if b is odd, then add the corresponding a to p 
        # (final product = sum of all a's corresponding to odd b's)
        if b & 1 == 1:
            # since we're in GF(2^m), addition is an XOR
            p ^= a
    
            # GF modulo: if a >= 128, then it will overflow when shifted left, so reduce
            hiBitSet = a & 0x80
            # equivalent to a*2
            a <<= 1
            if (hiBitSet == 0x80):
                # XOR with the primitive polynomial x^8 + x^4 + x^3 + x + 1 (0b1_0001_1011) 
                a ^=0x1b
            # equivalent to b // 2
            b >>= 1
    return p % 256
        


In [None]:
a = 400
b = 1
galoisMult(a, b)

** Exercise: ** Implement `mix_column(state_column)` that multiples each state column with mix column matrix. 

In [None]:
# mixColumn does Galois multiplication on a state column
def mix_column(column):
    res = bytearray(len(column))
    
    res[0] = None
    res[1] = None
    res[2] = None
    res[3] = None
    return res



In [None]:
state = bytearray()
for i in range(16):
    state.append(random.randint(0,16))
column = state[0:4]
print(column)
mix_column(column)

## Key Expansion

AES key expansion uses a `g(.)` function that performs the following operations on a given word:
    
- **Rotate: **takes a 4-byte word and rotates everything one byte to the left, e.g. rotate([1,2,3,4]) → [2, 3, 4, 1]
- **SubBytes: **each byte of a word is substituted with the value in the S-Box whose index is the value of the original byte
- **Rcon: ** the first byte of a word is XORed with the round constant. Each value of the Rcon table is a member of the Rinjdael finite field.


<img src='aes_images/aes_key_expansion.png' width=50%>


In [None]:
def get_rcon():
    Rcon = ( 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a )
    return Rcon

# takes 4-byte word and iteration number
def key_schedule_core(word, i):
    rcon = get_rcon()
    sbox = get_sbox()
    # rotate word 1 byte to the left
    word = None
    newWord = bytearray(len(word))
    # apply sbox substitution on all bytes of word
    None
    # XOR the output of the rcon[i] transformation with the first part
    # of the word
    None
    return newWord

In [None]:
state = bytearray()
for i in range(16):
    state.append(random.randint(0,16))
word = state[0:4]
key_schedule_core(word, i=3)

## Expanding a 256-bit key

This is similar to the 128-bit and 192-bit key schedule, but includes an extra application of the s-box.

1. The first 32 bytes of the expanded key are simply the encryption key
2. The rcon iteration value i is set to 1
3. Until we have 240 bytes of expanded key, we do the following to generate 32 more bytes of expanded key:
     3.1. We do the following to create the first four bytes of expanded key:
        3.1.1. We create a 4-byte temporary variable, `temp`
        3.1.2. We assign the value of the previous four bytes in the temporary key to `temp`
        3.1.3. We perform schedule_core (see above) on `temp`, with i as the rcon iteration value.
        3.1.4. We increment i by one.
        3.1.5. We exclusive-or `temp` with the four-byte block 32 bytes before the new expanded key. This becomes the next four bytes in the expanded key. 
    3.2. We then do the following three times to create the next twelve bytes of expanded key:
        3.2.1. We assign the value of the previous four bytes in the temporary key to `temp`
        3.2.2. We exclusive-or `temp` with the four-byte block 32 bytes before the new expanded key. This becomes the next four bytes in the expanded key. 
    3.3. We then do the following to create the next four bytes of expanded key:
        3.3.1. We assign the value of the previous four bytes in the temporary key to `temp`
        3.3.2. We run each of the four bytes in `temp` through Rijndael's S-box
        3.3.3. We exclusive-or `temp` with the four-byte block 32 bytes before the new expanded key. This becomes the next four bytes in the expanded key. 
    3.4. We then do the following three times to create the next twelve bytes of expanded key:
        3.4.1. We assign the value of the previous four bytes in the temporary key to `temp`
        3.4.2. We exclusive-or `temp` with the four-byte block 32 bytes before the new expanded key. This becomes the next four bytes in the expanded key. 
4. We now have 240 bytes of expanded key generated. 

In [None]:
def key_exanstion(cipherKey):
    
    # copy first 32 bytes of cipher key to expanded key
    None
    # 
    i = None  # Rcon iterator
    temp = bytearray(4)  # 4-byte container for temp storage
    while size(expandedKey) < 240:
        
        
        # temp → last 4 bytes of expandedKey
        temp = None

        # every 32 bytes apply core schedule to temp
        if size(expandedKey)% 32 == 0:
            temp = None
            i =  None

        # since 256-bit key -> add an extra sbox transformation to each new byte
        for j in range(4):
            temp[j] = None

        # XOR temp with the 4-byte block 32 bytes before the end of the current expanded key.
        # These 4 bytes become the next bytes in the expanded key
        None
    
    return expandedKey
                           
