[英]Does ARM and Intel intrinsics use the same subkey schedule for AES?
我正在嘗試使用內在函數在ARMv8上實現AES實現。 我有一個C ++實現,我有一個Intel內在實現。
實現應該是等效的,所以我試圖使用Intel作為ARMv8的藍圖。 存在一些差異,但它們被考慮在內。 問題是,我得到了不同的結果。
void AES_encrypt(const Byte *in, Byte *out, const RoundKey *rdkeys, unsigned int rounds)
{
#if defined(__ARM_FEATURE_CRYPTO)
uint8x16_t data = vld1q_u8(in);
// AES encryption with ARM intrinsics:
// rnds-1 (9 for AES128) cycles of AES:
// (Add, Shift, Sub) plus Mix Columns
unsigned int i;
for (i=0; i<rounds; ++i)
{
// AES single round encryption
data = vaeseq_u8(data, rdkeys[i]);
// AES mix columns
data = vaesmcq_u8(data);
}
// One round of encryption: AES, no Mix Columns
data = vaeseq_u8(data, rdkeys[i++]);
// Final Add (bitwise Xor)
data = veorq_u8(data, rdkeys[i]);
vst1q_u8(out, data);
#elif defined(__AES__)
__m128i data = _mm_loadu_si128((const __m128i*)in);
data = _mm_xor_si128(data, rdkeys[0]);
for (unsigned int i=1; i<rounds-1; ++i)
{
data = _mm_aesenc_si128(data, rdkeys[i]);
}
data = _mm_aesenc_si128(data, rdkeys[rounds-1]);
data = _mm_aesenclast_si128(data, rdkeys[rounds]);
_mm_storeu_si128((__m128i*)out, data);
#endif
}
此時,我正在嘗試側步子鍵計算。 我為這兩種實現使用相同的圓鍵集:
#if defined(__ARM_FEATURE_CRYPTO)
typedef uint8x16_t RoundKey;
typedef uint8_t Byte;
#elif defined(__AES__)
typedef __m128i RoundKey;
typedef uint8_t Byte;
#endif
// Avoid subkey scheduling at this point
RoundKey rdkeys[ROUNDS+1];
for (size_t i=0; i<COUNTOF(rdkeys); ++i)
memset(&rdkeys[i], (i<<4)|i, sizeof(RoundKey));
但是,我得到了不同的結果。 以下是轉儲產生的內容:
英特爾AES-NI :
In: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
...
Key: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
Data: 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07 07
...
Key: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99
Data: 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33
Key: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
Data: 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69
...
Out: 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69
ARMv8 AES :
In: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
...
Key: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
Data: C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5 C5
...
Key: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99
Data: C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3
Key: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
Data: F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9
...
Out: F9 F9 F9 F9 F9 F9 F9 F9 B1 FF B9 F9 F9 F9 F9 F9
我一直在摸索結果。 添加更多printf無助於識別問題。 我開始認為英特爾和ARM內在函數使用不同的子鍵表。
ARM和Intel內在函數是否對AES使用相同的子密鑰計划?
下圖來自Cynthia Crutchfield的一篇論文 。 它研究了英特爾內在函數和ARM內在函數的映射。
以下是完整的計划。 還列出了構建它們的命令行。
英特爾 :
g++ -Wall -maes aes-test.cxx -o aes-test.exe
AEMv8 :
g++ -Wall -march=armv8-a+crc+crypto -mtune=cortex-a53 aes-test.cxx -o aes-test.exe
計划 :
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#if defined(__ARM_FEATURE_CRYPTO)
# include <arm_neon.h>
# include <arm_acle.h>
#elif defined(__AES__)
# include <wmmintrin.h>
# include <emmintrin.h>
#endif
#if defined(__ARM_FEATURE_CRYPTO)
typedef uint8x16_t RoundKey;
typedef uint8_t Byte;
#elif defined(__AES__)
typedef __m128i RoundKey;
typedef uint8_t Byte;
#endif
#define COUNTOF(x) (sizeof(x)/(sizeof(x)[0]))
static const unsigned int ROUNDS=10;
void AES_encrypt(const Byte *in, Byte *out, const RoundKey *rdkeys, unsigned int rounds);
void AES_decrypt(const Byte *in, Byte *out, const RoundKey *rdkeys, unsigned int rounds);
void Print(const char* label, const Byte *in, size_t len, bool lf=false)
{
if (label)
printf("%s: ", label);
for (size_t i=0; in && i<len; ++i)
printf("%02X ", in[i]);
printf("\n");
if (lf)
printf("\n");
}
int main(int argc, char* argv[])
{
Byte cipher[16], recover[16];
const Byte plain[16] = {
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
};
// Avoid subkey scheduling at this point
RoundKey rdkeys[ROUNDS+1];
for (size_t i=0; i<COUNTOF(rdkeys); ++i)
memset(&rdkeys[i], (i<<4)|i, sizeof(rdkeys[i]));
AES_encrypt(plain, cipher, rdkeys, ROUNDS);
return 0;
}
void AES_encrypt(const Byte *in, Byte *out, const RoundKey *rdkeys, unsigned int rounds)
{
Print("In", in, 16);
#if defined(__ARM_FEATURE_CRYPTO)
// Load the block
uint8x16_t data = vld1q_u8(in);
Print("Data (in)", (Byte*)&data, 16, true);
// AES encryption with ARM intrinsics:
// rnds-1 (9 for AES128) cycles of AES:
// (Add, Shift, Sub) plus Mix Columns
unsigned int i;
for (i=0; i<rounds; ++i)
{
// AES single round encryption
data = vaeseq_u8(data, rdkeys[i]);
// AES mix columns
data = vaesmcq_u8(data);
Print("Key", (Byte*)&rdkeys[i], 16);
Print("Data", (Byte*)&data, 16, true);
}
Print("Key", (Byte*)&rdkeys[i], 16);
// One round of encryption: AES, no Mix Columns
data = vaeseq_u8(data, rdkeys[i++]);
Print("Data", (Byte*)&data, 16, true);
// Final Add (bitwise Xor)
data = veorq_u8(data, rdkeys[i]);
Print("Data (xor)", (Byte*)&data, 16);
// Store the output data
vst1q_u8(out, data);
#elif defined(__AES__)
__m128i data = _mm_loadu_si128((const __m128i*)in);
Print("Data (in)", (Byte*)&data, 16);
data = _mm_xor_si128(data, rdkeys[0]);
Print("Key", (Byte*)&rdkeys[0], 16);
Print("Data (xor)", (Byte*)&data, 16, true);
for (unsigned int i=1; i<rounds-1; ++i)
{
data = _mm_aesenc_si128(data, rdkeys[i]);
Print("Key", (Byte*)&rdkeys[i], 16);
Print("Data", (Byte*)&data, 16, true);
}
data = _mm_aesenc_si128(data, rdkeys[rounds-1]);
Print("Key", (Byte*)&rdkeys[rounds-1], 16);
Print("Data", (Byte*)&data, 16, true);
data = _mm_aesenclast_si128(data, rdkeys[rounds]);
Print("Key", (Byte*)&rdkeys[rounds], 16);
Print("Data", (Byte*)&data, 16, true);
_mm_storeu_si128((__m128i*)out, data);
#endif
Print("Out", out, 16);
}
ARM和Intel內在函數是否對AES使用相同的子密鑰計划?
看來答案是肯定的。 我仍然需要針對真正的密鑰調度進行測試,但是我能夠使用相同的密鑰調度來生成與Intel和ARMv8內部函數相同的結果。
在Crutchfield的參考實現中看起來有一個一個接一個。 它應該使用rounds-1
,而不是rounds
作為循環控制。 這意味着我正在測試ARMv8的11輪,而不是10.當ARMv8代碼生成F9 F9 F9 F9 F9 F9 F9 F9 B1 FF B9 F9 F9 F9 F9 F9
代替F9 F9 ... F9 F9
時,我應該懷疑它。
這是更新的代碼:
void AES_encrypt(const Byte *in, Byte *out, const RoundKey *rdkeys, unsigned int rounds)
{
#if defined(__ARM_FEATURE_CRYPTO)
uint8x16_t data = vld1q_u8(in);
unsigned int i;
for (i=0; i<rounds-1; ++i)
{
data = vaeseq_u8(data, rdkeys[i]);
data = vaesmcq_u8(data);
}
data = vaeseq_u8(data, rdkeys[i++]);
data = veorq_u8(data, rdkeys[i]);
vst1q_u8(out, data);
#elif defined(__AES__)
__m128i data = _mm_loadu_si128((const __m128i*)in);
data = _mm_xor_si128(data, rdkeys[0]);
unsigned int i;
for (i=1; i<rounds-1; ++i)
{
data = _mm_aesenc_si128(data, rdkeys[i]);
}
data = _mm_aesenc_si128(data, rdkeys[i++]);
data = _mm_aesenclast_si128(data, rdkeys[i]);
_mm_storeu_si128((__m128i*)out, data);
#endif
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.