# Exercise sheet 07

AES key scheduling in `SageMath`.

In [20]:
# first we define the field GF(2^8) with 
# as a modulus of the irreducible polynomial x^8 + x^4 + x^3 + x + 1
F8.<a> = GF(2**8, modulus=x**8 + x**4 + x**3 + x + 1)
R.<x> = GF(2)[]
a**8

a^4 + a^3 + a + 1

In [21]:
# field inversion
def phi1(z, out = True):
    if z == 0:
        zz = 0
    else:
        zz = z**-1
    if out:
        print(f"phi1 : in  = {z},\n       out = {zz}")
    return zz

# nibble shifting
def L(z, out = True):
    p = R(z.list())
    p = (x**4 + x**3 + x**2 + x + 1) * p
    p %= (x**8 - 1)
    zz = F8(p.list())
    if out:
        print(f"L    : out = {zz}")
    return zz

# affine transformation
def phi3(z, out = True):
    zz = z + a**6 + a**5 + a + 1
    if out:
        print(f"phi3 : out = {zz}\n")
    return zz

# composition
def phi(z, out = True):
    return phi3(L(phi1(z, out = out), out = out), out = out)

    

In [22]:
k0 = a**6 + a**5 + 1
k1 = phi(k0, out = True)


phi1 : in  = a^6 + a^5 + 1,
       out = a^6 + a^4 + a^3 + a^2 + a
L    : out = a^7 + a^3 + a^2
phi3 : out = a^7 + a^6 + a^5 + a^3 + a^2 + a + 1



In [23]:
key_zero = [ [ F8(0) for _ in range(4) ] for _ in range(4) ]
print(key_zero)

[[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]


In [24]:
def key_schedule(key, round, out = True):
    if out:
        print(f"key_schedule : round = {round} starting")
    key_new = [ [ k for k in kk ] for kk in key ]
    for i in range(4):
        if out:
            print(f"key_schedule : round = {round}, i = {i}")
        if i == 0:
            for j in range(4):
                if j == 0:
                    key_new[0][0] += phi(key[3][1]) + a**(round)
                else:
                    key_new[0][j] += phi(key[3][(j + 1) % 4])
        else:
            for j in range(4):
                key_new[i][j] += key_new[i-1][j]
    return key_new
    

In [25]:
key_round_1 = key_schedule(key_zero, 0, out = True)
# for k in key_round_1:
#   print(k)
for k in key_round_1:
    for kk in k:
        print(kk, end = " , ")
        # print(list(reversed(kk.list())), end = " | ")
    print()

key_schedule : round = 0 starting
key_schedule : round = 0, i = 0
phi1 : in  = 0,
       out = 0
L    : out = 0
phi3 : out = a^6 + a^5 + a + 1

phi1 : in  = 0,
       out = 0
L    : out = 0
phi3 : out = a^6 + a^5 + a + 1

phi1 : in  = 0,
       out = 0
L    : out = 0
phi3 : out = a^6 + a^5 + a + 1

phi1 : in  = 0,
       out = 0
L    : out = 0
phi3 : out = a^6 + a^5 + a + 1

key_schedule : round = 0, i = 1
key_schedule : round = 0, i = 2
key_schedule : round = 0, i = 3
a^6 + a^5 + a , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , 
a^6 + a^5 + a , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , 
a^6 + a^5 + a , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , 
a^6 + a^5 + a , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , a^6 + a^5 + a + 1 , 


In [26]:
key_round_2 = key_schedule(key_round_1, 1, out = False)
print()
i = 0
for k in key_round_2:
    print(f"k_{i}^(2) =", end = " ")
    i += 1
    for kk in k:
        print(kk, end = " , ")
        # print(list(reversed(kk.list())), end = " | ")
    print()

phi1 : in  = a^6 + a^5 + a + 1,
       out = a^7 + a^6 + a^4 + a + 1
L    : out = a^7 + a^4 + a^3
phi3 : out = a^7 + a^6 + a^5 + a^4 + a^3 + a + 1

phi1 : in  = a^6 + a^5 + a + 1,
       out = a^7 + a^6 + a^4 + a + 1
L    : out = a^7 + a^4 + a^3
phi3 : out = a^7 + a^6 + a^5 + a^4 + a^3 + a + 1

phi1 : in  = a^6 + a^5 + a + 1,
       out = a^7 + a^6 + a^4 + a + 1
L    : out = a^7 + a^4 + a^3
phi3 : out = a^7 + a^6 + a^5 + a^4 + a^3 + a + 1

phi1 : in  = a^6 + a^5 + a,
       out = a^7 + a^5 + a^3 + a^2 + a + 1
L    : out = a^7 + a^6 + a^3 + 1
phi3 : out = a^7 + a^5 + a^3 + a


k_0^(2) = a^7 + a^4 + a^3 + a + 1 , a^7 + a^4 + a^3 , a^7 + a^4 + a^3 , a^7 + a^6 + a^3 + 1 , 
k_1^(2) = a^7 + a^6 + a^5 + a^4 + a^3 + 1 , a^7 + a^6 + a^5 + a^4 + a^3 + a + 1 , a^7 + a^6 + a^5 + a^4 + a^3 + a + 1 , a^7 + a^5 + a^3 + a , 
k_2^(2) = a^7 + a^4 + a^3 + a + 1 , a^7 + a^4 + a^3 , a^7 + a^4 + a^3 , a^7 + a^6 + a^3 + 1 , 
k_3^(2) = a^7 + a^6 + a^5 + a^4 + a^3 + 1 , a^7 + a^6 + a^5 + a^4 + a^3 + a + 1 , a^

## Elliptic formulas
from https://hyperelliptic.org/EFD/g1p/auto-shortw.html

In [27]:
def add_proj(P1, P2):
    """
    https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-add-1998-cmo-2
    """
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    
    Z1Z1 = Z1**2
    print(f"Z1Z1 = {Z1Z1}")
    Z2Z2 = Z2**2
    print(f"Z2Z2 = {Z2Z2}")
    U1 = X1*Z2Z2
    print(f"U1 = {U1}")
    U2 = X2*Z1Z1
    print(f"U2 = {U2}")
    S1 = Y1*Z2*Z2Z2
    print(f"S1 = {S1}")
    S2 = Y2*Z1*Z1Z1
    print(f"S2 = {S2}")
    H = U2-U1
    print(f"H = {H}")
    HH = H**2
    print(f"HH = {HH}")
    HHH = H*HH
    print(f"HHH = {HHH}")
    r = S2-S1
    print(f"r = {r}")
    V = U1*HH
    print(f"V = {V}")
    X3 = r**2-HHH-2*V
    Y3 = r*(V-X3)-S1*HHH
    Z3 = Z1*Z2*H

    return (X3, Y3, Z3)

In [28]:
def double_proj(P, a = 1):
    """
    https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl
    """
    X1, Y1, Z1 = P
    XX = X1**2
    print(f"XX = {XX}")
    YY = Y1**2
    print(f"YY = {YY}")
    YYYY = YY**2
    print(f"YYYY = {YYYY}")
    ZZ = Z1**2
    print(f"ZZ = {ZZ}")
    S = 2*((X1+YY)**2-XX-YYYY)
    print(f"S = {S}")
    M = 3*XX+a*ZZ**2
    print(f"M = {M}")
    T = M**2-2*S
    print(f"T = {T}")
    X3 = T
    Y3 = M*(S-T)-8*YYYY
    Z3 = (Y1+Z1)**2-YY-ZZ

    return (X3, Y3, Z3)

In [None]:
F = GF(103)
X1 = F(1)
Y1 = F(38)
Z1 = F(1)

X2 = F(3)
Y2 = F(37)
Z2 = F(1)


X3, Y3, Z3 = add_proj((X1, Y1, Z1), (X2, Y2, Z2))

print(f"X3 = {X3}, Y3 = {Y3}, Z3 = {Z3}")
print(f"x3 = {X3/(Z3**2)}, y3 = {Y3/(Z3**3)}")
print('-'*20)
X4, Y4, Z4 = add_proj((X3, Y3, Z3), (0, 0, 1))
print(f"X4 = {X4}, Y4 = {Y4}, Z4 = {Z4}")
print(f"x4 = {X4/(Z4**2)}, y4 = {Y4/(Z4**3)}")

Z1Z1 = 1
Z2Z2 = 1
U1 = 1
U2 = 3
S1 = 38
S2 = 37
H = 2
HH = 4
HHH = 8
r = 102
V = 4
X3 = 88, Y3 = 89, Z3 = 2
x3 = 22, y3 = 24
--------------------
Z1Z1 = 4
Z2Z2 = 1
U1 = 88
U2 = 0
S1 = 89
S2 = 0
H = 15
HH = 19
HHH = 79
r = 14
V = 24
X4 = 69, Y4 = 64, Z4 = 30
x4 = 89, y4 = 34


In [31]:
F = GF(103)
X2 = F(3)
Y2 = F(37)
Z2 = F(1)

X3, Y3, Z3 = double_proj((X2, Y2, Z2))
print(f"X3 = {X3}, Y3 = {Y3}, Z3 = {Z3}")
print(f"x3 = {X3/(Z3**2)}, y3 = {Y3/(Z3**3)}")
print('-'*20)
X3, Y3, Z3 = double_proj((X3, Y3, Z3))
print(f"X3 = {X3}, Y3 = {Y3}, Z3 = {Z3}")
print(f"x3 = {X3/(Z3**2)}, y3 = {Y3/(Z3**3)}")

XX = 9
YY = 30
YYYY = 76
ZZ = 1
S = 51
M = 28
T = 64
X3 = 64, Y3 = 58, Z3 = 74
x3 = 28, y3 = 12
--------------------
XX = 79
YY = 68
YYYY = 92
ZZ = 17
S = 1
M = 11
T = 16
X3 = 16, Y3 = 26, Z3 = 35
x3 = 36, y3 = 62
