Score:2

Is this a valid AES instruction reordering?


I'm trying to understand a Verilog AES implementation. I know the order of the AES encryption steps to be as shown: [image of the AES encryption round structure, not reproduced here]

However, the code I see doesn't do this. They implement the following flow graph: at the beginning of the encryption, `state` is loaded with `newstate` or the plaintext. The `round` counter is set to max and is decremented each round.

They then do the following set of operations for each round until `round` reaches 0. The internal variables are inside brackets and the operations are without.

```
(state) -> (sbbi) -> sbox -> (sbbo) -> shift -> (shro) -> mix -> (mxco)
```

They select the output of each round based on the `round` variable; this is used to set `newstate`, which becomes the new input `state`:

```
if round == 0:
    (state)
if round == max:
    (shro)
else:
    (mxco)
```

The problem I'm having is that I'm expecting to see the operations Sub, Shift, KeyAdd for the last round (0 in this code). But that is not what it does, and even taking the output of round 1 and treating that as the 'last round' is wrong, as that does a double key add.

Maarten Bodewes:
Can we presume that the AES code is running as intended (e.g. against another implementation / test vectors)? If I remember correctly the last round of AES *is* a bit different. I'm wondering if the diagram is correct, but I don't have the time to look it up right now.

Tarick Welling:
@MaartenBodewes Yes, when using this the ciphertext is checked and thus it works correctly. The last round is supposed to miss the MixColumns operation. The picture is from Understanding Cryptography by C. Paar, and identical pseudocode is given in the AES specification.

Fractalice:
Are you sure `round` is getting decreased? Maybe this is from the decryption setting? You also probably missed the add-key somewhere (hardcoded bitflips perhaps?). Otherwise it looks legit.

Tarick Welling:
@Fractalice you are completely right. The encryption is done in the `KEYSCHED` state and not in the `DECRYPT` state (which I had interpreted as dual purpose with a terrible label). Thus the counter is indeed incrementing, and thus the code is working as expected.

Maarten Bodewes:
This seems to be answering the question. If that's the case, @Fractalice could you make an answer out of your comment?
Score:1

Are you sure `round` is getting decreased? The counter is reminiscent of the decryption setting. You also probably missed the AddRoundKey somewhere. Otherwise the description looks correct.
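As an added example (not code from the question, the answer, or the Verilog design being discussed), here is a compact AES-128 block encryption in Python whose round loop is written to mirror the datapath named in the question: `sbbo` after SubBytes, `shro` after ShiftRows, `mxco` after MixColumns, and a round-output mux that takes `shro` on the last round and `mxco` on every other round, followed by AddRoundKey. The round counter increments, as the comment thread concludes it does in the real design. The `skip_last_mix` parameter is my own addition: passing `False` applies MixColumns in the final round too, so you can see that such a datapath fails the FIPS-197 Appendix C.1 known-answer vector, which is the check to run against any hardware implementation before trusting its round structure.

```python
# AES-128 encryption laid out like the round datapath from the question:
# state -> SubBytes -> (sbbo) -> ShiftRows -> (shro) -> MixColumns -> (mxco)
# then a mux (shro on the last round, mxco otherwise) and AddRoundKey.
# Verified against the FIPS-197 Appendix C.1 known-answer vector.

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (the inverse of 0 is defined as 0)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0

def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _sbox_entry(x: int) -> int:
    """S-box by definition: field inverse followed by the affine map with constant 0x63."""
    inv = _gf_inv(x)
    return inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

# The state is a list of 16 bytes in column-major order: byte (row r, col c) is s[r + 4*c],
# which is exactly the order the input block bytes arrive in.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            _gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
            _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2),
        ]
    return out

def add_round_key(s, rk):
    return [x ^ y for x, y in zip(s, rk)]

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key: bytes):
    """AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]              # RotWord
            t = [SBOX[b] for b in t]       # SubWord
            t[0] ^= RCON[i // 4 - 1]       # round constant on the first byte
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt(key: bytes, plaintext: bytes, skip_last_mix: bool = True) -> bytes:
    """Encrypt one 16-byte block. skip_last_mix=False (hypothetical, for illustration)
    keeps MixColumns in round 10 so the wrong datapath can be compared with the right one."""
    rks = expand_key(key)
    state = add_round_key(list(plaintext), rks[0])   # initial key whitening
    for rnd in range(1, 11):                         # counter increments, as in encryption
        sbbo = sub_bytes(state)
        shro = shift_rows(sbbo)
        mxco = mix_columns(shro)
        # the round-output mux: last round takes shro, all other rounds take mxco
        chosen = shro if (rnd == 10 and skip_last_mix) else mxco
        state = add_round_key(chosen, rks[rnd])
    return bytes(state)

# FIPS-197 Appendix C.1 known-answer vector
FIPS_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

def self_test() -> bool:
    return aes128_encrypt(FIPS_KEY, FIPS_PT) == FIPS_CT

if __name__ == "__main__":
    print("matches FIPS-197 C.1 vector:", self_test())
    print("with MixColumns kept in the last round:",
          aes128_encrypt(FIPS_KEY, FIPS_PT, skip_last_mix=False).hex())
```

The same known-answer check is the quickest way to settle the original question for a hardware design: feed the FIPS-197 key and plaintext through the Verilog testbench and compare the ciphertext. If the round mux were selecting `mxco` on the final round, or the counter were running in the wrong direction, the output would not match, regardless of how the states are labelled.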
