一、AES 算法介绍

AES 的全称是 Advanced Encryption Standard,意思是高级加密标准。它的出现主要是为了取代 DES 加密算法的,因为我们都知道 DES 算法的密钥长度是 56Bit,因此算法的理论安全强度是 256 次方。但二十世纪中后期正是计算机飞速发展的阶段,元器件制造工艺的进步使得计算机的处理能力越来越强,虽然出现了 3DES 的加密方法,但由于它的加密时间是 DES 算法的 3 倍多,64Bit 的分组大小相对较小,所以还是不能满足人们对安全性的要求。于是 1997 年 1 月 2 号,美国国家标准技术研究所宣布希望征集高级加密标准,用以取代 DES。AES 也得到了全世界很多密码工作者的响应,先后有很多人提交了自己设计的算法。最终有 5 个候选算法进入最后一轮:RijndaelSerpentTwofishRC6 MARS。最终经过安全性分析、软硬件性能评估等严格的步骤,Rijndael 算法获胜。

在密码标准征集中,所有 AES 候选提交方案都必须满足以下标准:

  • 分组大小为 128 位的分组密码。
  • 必须支持三种密码标准:128 位、192 位和 256 位。
  • 比提交的其他算法更安全。
  • 在软件和硬件实现上都很高效。

AES 密码与分组密码 Rijndael 基本上完全一致,Rijndael 分组大小和密钥大小都可以为 128 位、192 位和 256 位。然而 AES 只要求分组大小为 128 位,因此只有分组长度为 128Bit 的 Rijndael 才称为 AES 算法。本文只对分组大小 128 位,密钥长度也为 128 位的 Rijndael 算法进行分析。密钥长度为 192 位和 256 位的处理方式和 128 位的处理方式类似,只不过密钥长度每增加 64 位,算法的循环次数就增加 2 轮,128 位循环 10 轮、192 位循环 12 轮、256 位循环 14 轮。

二、原理

1.流程

AES 算法(即 Rijndael 算法)是一个对称分组密码算法。数据分组长度必须是 128 bits,使用的密钥长度为 128,192 或 256 bits。对于三种不同密钥长度的 AES 算法,分别称为“AES-128”、“AES-192”、“AES-256”。(Rijndael 的设计还可以处理其它的分组长度和密钥长度,但 AES 标准中没有采用)

下图是 AES 加密解密的整体流程图:
2.jpg

2.注意

  1. 这里用的是AES-128,因此密钥长度128AES迭代次数10

  2. AES 的处理单位是字节,128 位的输入明文分组 P 和输入密钥 K 都被分成 16 个字节,一般地,明文分组用以字节为单位的正方形矩阵描述,称为状态(State)矩阵
    4.jpg

    注意矩阵中字节的排序顺序是从上到下,从左到右

  3. 这里我们需要知道 3 个符号:Nb—— 状态 State 包含的列(32-bit 字)的个数,也就是说 Nb=4Nk—— 密钥包含的 32-bit 字的个数,也就是说 Nk=4,6 或 8Nr—— 加密的轮数,对于不同密钥长度,轮数不一样,具体如下图所示:
    3.jpg

    注意只有Nr - 1次是相同的,最后一轮都少了列混合

下面分为密钥扩展分组加密分组解密三个部分来讲 AES 算法,C++代码在后面

三、AES 算法

1.密钥扩展

1.1 流程

AES 算法通过密钥扩展程序(Key Expansion)将用户输入的密钥 K 扩展生成 Nb(Nr+1)个字,存放在一个线性数组w[Nb*(Nr+1)]中。具体如下:

  1. 位置变换函数RotWord(),接受一个字 [a0, a1, a2, a3] 作为输入,循环左移一个字节后输出 [a1, a2, a3, a0]

  2. S盒变换函数SubWord(),接受一个字 [a0, a1, a2, a3] 作为输入。S盒是一个 16x16 的表,其中每一个元素是一个字节。对于输入的每一个字节,前四位组成十六进制数 x 作为行号,后四位组成的十六进制数 y 作为列号,查找表中对应的值。最后函数输出 4 个新字节组成的 32-bit 字。

  3. 轮常数Rcon[],如何计算的就不说了,直接把它当做常量数组。

  4. 扩展密钥数组w[]的前 Nk 个元素就是外部密钥 K,以后的元素w[i]等于它前一个元素w[i-1]与前第 Nk 个元素w[i-Nk]的异或,即w[i] = w[i-1] XOR w[i-Nk];但若 i Nk 的倍数,则w[i] = w[i-Nk] XOR SubWord(RotWord(w[i-1])) XOR Rcon[i/Nk-1]
    2.png
    3.png

1.2 伪代码

1.2.1 $ N_k <= 6$(主)

即适合 AES-128 和 AES-192,这里只以 AES-128 为例子

1
2
3
4
5
6
7
8
9
10
11

KeyExpansion(byteKey[4 * Nk], W[Nb * (Nr + 1)]) {
    for (i = 0; i < Nk; i++)
        W[i] = (Key[4 * i], Key[4 * i + 1], Key[4 * i + 2], Key[4 * i + 3]);
    for (i = Nk; i < Nb * (Nr + 1); i++) {
        temp = W[i - 1];
        if (i % Nk = = 0)
            temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
        W[i] = W[i - Nk] ^ temp;
    }
}
1.2.2 $ N_k > 6$(略)

即适合 AES-256,本篇文章不予实现,但给出伪代码

1
2
3
4
5
6
7
8
9
10
11
12
KeyExpansion(byte Key[4 * Nk], W[Nb * (Nr + 1)]) {
    for (i = 0; i < Nk; i++)
        W[i] = (Key[4 * i], Key[4 * i + 1], Key[4 * i + 2], Key[4 * i + 3]);
    for (i = Nk; i < Nb * (Nr + 1); i++) {
        temp = W[i - 1];
        if (i % Nk = = 0)
            temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
        else if (i % Nk == 4)
            temp = SubByte(temp);
        W[i] = W[i - Nk] ^ temp;
    }
}
1.2.3 $ N_k $大小的区别区别

当$ i - 4 $为$ N_k $的整数倍时,须先将前一个子$ W[i - 1]$经过 SubByte变换(S 盒变换)

1.3 代码实现

1.3.1 代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
#include <iostream>
#include <bitset>
using namespace std;
typedef bitset<8> byte;
typedef bitset<32> word;

const int Nr = 10;  // AES-128需要 10 轮加密
const int Nk = 4;   // Nk 表示输入密钥的 word 个数
const int Nb = 4;   // Nb 表示状态 State 包含的列(32-bit 字)的个数,也就是说 Nb=4

byte S_Box[16][16] = {
	{0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76},
	{0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0},
	{0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15},
	{0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75},
	{0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84},
	{0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF},
	{0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8},
	{0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2},
	{0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73},
	{0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB},
	{0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79},
	{0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08},
	{0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A},
	{0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E},
	{0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF},
	{0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16}
};

// 轮常数,密钥扩展中用到。(AES-128只需要10轮)
word Rcon[10] = {0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
				 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000};

/**
 * 将4个 byte 转换为一个 word.
 * 比如k1 包含十六进制值 0x12,k2 包含 0x34,k3 包含 0x56,k4 包含 0x78。
 * Word 函数将这些字节按照指定的顺序合并成一个 word 对象 result,其十六进制表示为 0x12345678。
 */
word Word(byte& k1, byte& k2, byte& k3, byte& k4)
{
	word result(0x00000000);
	word temp;
	temp = k1.to_ulong();  // K1
	temp <<= 24;
	result |= temp;
	temp = k2.to_ulong();  // K2
	temp <<= 16;
	result |= temp;
	temp = k3.to_ulong();  // K3
	temp <<= 8;
	result |= temp;
	temp = k4.to_ulong();  // K4
	result |= temp;
	return result;
}

/**
 *  按字节 循环左移一位
 */
word RotWord(const word& rw)
{
    //因为word为32位,所以{a2, a3, a4, 00} | {00, 00, 00, a1},即把[a0, a1, a2, a3]变成[a1, a2, a3, a0]
	word high = rw << 8;
	word low = rw >> 24;
	return high | low;
}

/**
 *  对输入word中的每一个字节进行S-盒变换
 */
word SubWord(const word& sw)
{
	word temp;
	for(int i=0; i<32; i+=8)
	{
		int row = sw[i+7]*8 + sw[i+6]*4 + sw[i+5]*2 + sw[i+4];
		int col = sw[i+3]*8 + sw[i+2]*4 + sw[i+1]*2 + sw[i];
		byte val = S_Box[row][col];
		for(int j=0; j<8; ++j)
			temp[i+j] = val[j];
	}
	return temp;
}

/**
 *  密钥扩展函数 - 对128位密钥进行扩展得到 w[4*(Nr+1)]
 */
void KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)])
{
	word temp;
	int i = 0;
	// w[]的前4个就是输入的key(注意矩阵里面的排序是从上到下,从左到右
	while(i < Nk)
	{
		w[i] = Word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
		++i;
	}

	i = Nk;

	while(i < 4*(Nr+1))
	{
		temp = w[i-1]; // 记录前一个word
		if(i % Nk == 0)
			w[i] = w[i-Nk] ^ SubWord(RotWord(temp)) ^ Rcon[i/Nk-1];
		else
			w[i] = w[i-Nk] ^ temp;
		++i;
	}
}

int main()
{
	byte key[16] = {0x2b, 0x7e, 0x15, 0x16,
				    0x28, 0xae, 0xd2, 0xa6,
				    0xab, 0xf7, 0x15, 0x88,
				    0x09, 0xcf, 0x4f, 0x3c};

	word w[4*(Nr+1)];

	cout << "KEY IS: ";
	for(int i=0; i<16; ++i)
        //cout << hex: 这是用于输出的C++代码,它将后续输出的整数以十六进制形式打印。
        //key[i].to_ulong(): 这一部分访问密钥 key 的第 i 个字节,然后使用 to_ulong() 函数将这个字节的二进制值转换为十进制值。
		cout << hex << key[i].to_ulong() << " ";
	cout << endl;

	KeyExpansion(key, w);
	// 测试
	for(int i=0; i<4*(Nr+1); ++i)
        //dec 是一个输出控制符,它告诉 cout 在输出 i(索引)时使用十进制表示
		cout << "w[" << dec << i << "] = " << hex << w[i].to_ulong() << endl;

	return 0;
}

1.3.2 结果
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
KEY IS: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 9 cf 4f 3c
w[0] = 2b7e1516
w[1] = 28aed2a6
w[2] = abf71588
w[3] = 9cf4f3c
w[4] = a0fafe17
w[5] = 88542cb1
w[6] = 23a33939
w[7] = 2a6c7605
w[8] = f2c295f2
w[9] = 7a96b943
w[10] = 5935807a
w[11] = 7359f67f
w[12] = 3d80477d
w[13] = 4716fe3e
w[14] = 1e237e44
w[15] = 6d7a883b
w[16] = ef44a541
w[17] = a8525b7f
w[18] = b671253b
w[19] = db0bad00
w[20] = d4d1c6f8
w[21] = 7c839d87
w[22] = caf2b8bc
w[23] = 11f915bc
w[24] = 6d88a37a
w[25] = 110b3efd
w[26] = dbf98641
w[27] = ca0093fd
w[28] = 4e54f70e
w[29] = 5f5fc9f3
w[30] = 84a64fb2
w[31] = 4ea6dc4f
w[32] = ead27321
w[33] = b58dbad2
w[34] = 312bf560
w[35] = 7f8d292f
w[36] = ac7766f3
w[37] = 19fadc21
w[38] = 28d12941
w[39] = 575c006e
w[40] = d014f9a8
w[41] = c9ee2589
w[42] = e13f0cc8
w[43] = b6630ca6

2.分组加密

2.1 伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*Nr+1])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w[0, Nb-1])
    for round = 1 step 1 to Nr-1
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
    end for
    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
    Out = state
  end

从伪代码描述中可以看出,AES 加密时涉及到的子程序有SubBytes()ShiftRows()MixColumns()AddRoundKey(),即字节替换,位位移,列混合,密钥轮加。不清楚请自动移步到右侧二、原理的流程图中

2.2 字节替换-SubBytes()

9.jpg
在密钥扩展部分已经讲过了,S盒是一个 16 行 16 列的表,表中每个元素都是一个字节。S盒变换很简单:函数SubBytes()接受一个 4x4 的字节矩阵作为输入,对其中的每个字节,前四位组成十六进制数x作为行号,后四位组成的十六进制数 y 作为列号,查找表中对应的值替换原来位置上的字节。

2.3 行位移-ShiftRows()

AES 的行移位也是一个简单的左循环移位操作。当密钥长度为128比特时,状态矩阵的第0行左移0字节,第1行左移1字节,第2行左移2字节,第3行左移3字节
10.png

2.4 列混合-MixColumns()

列混合变换是通过矩阵相乘来实现的,经行移位后的状态矩阵与固定的矩阵(即下图左乘后面的矩阵)相乘,得到混淆后的状态矩阵。
5.png
这里需要注意的是矩阵元素中的乘法和加法都是定义在居于$Z_2[x]$中不可约多项式$ m(x) = x^8 + x^4 + x^3 + x + 1 $ 构造的$ GF(2^8) $ 上的二元运算。加法等价于两个字节的异或,乘法运算比较复杂,是伽罗华域(GF,有限域)上的乘法
请仔细阅读下面例子,获取计算·2·3
10.jpg
11.jpg

2.5 轮密钥加-AddRoundKey()

扩展密钥只参与了这一步。根据当前加密的轮数,用w[]中的4个扩展密钥与矩阵的 4 个列进行按位异或,即将128位轮密钥Ki同状态矩阵中的数据进行逐位异或操作。
6.png

3. 分组解密

3.1 伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*Nr+1])
begin
    byte state[4,Nb]
    state = in
    AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
    for round = Nr-1 step -1 downto 1
        InvShiftRows(state)
        InvSubBytes(state)
        AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
        InvMixColumns(state)
    end for
    SubBytes(state)
    ShiftRows(state)
    AddRoundKey(state, w[0, Nb-1])
    Out = state
end

从伪代码描述中可以看出,AES 加密时涉及到的子程序有SubBytes()ShiftRows()MixColumns()AddRoundKey()。下面我们一个一个进行介绍:

3.2 逆行变换-InvShiftRows()

上面讲到ShiftRows()是对矩阵的每一行进行循环左移,所以InvShiftRows()是对矩阵每一行进行循环右移。
7.png

3.3 逆 S 盒变换-InvSubBytes()

与 S 盒变换一样,也是查表,查表的方式也一样,只不过查的是另外一个置换表(S-Box 的逆表,下面 C++代码中有)。

3.4 逆列变换-InvMixColumns()

与列变换的方式一样,只不过计算公式的系数矩阵发生了变化。详细知识请自行去了解,这里我们只需要记住总结的函数即可,如下图:
8.png

四、C++代码

1. 代码

有些函数的注释我咋上面密钥扩展中已经写过了,还有解密的过程和加密十分相似,看懂加密解密自然不在话下,这些竹丝便不再重复,若有其他问题请评论提问( ̄︶ ̄)↗  先看懂上面一步一步来 ╰(‵□′)╯

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
//超详细注释来袭  ψ(`∇´)ψ


#include <iostream>
#include <bitset>
#include <string>

using namespace std;

//因为代码中大量使用bit的计算,所以直接typedef,一个字节为8位,一个字32
typedef bitset<8> byte;
typedef bitset<32> word;

const int Nr = 10;  // AES-128需要 10 轮加密
const int Nk = 4;   // Nk 表示输入密钥的 word 个数

byte S_Box[16][16] = {
	{0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76},
	{0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0},
	{0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15},
	{0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75},
	{0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84},
	{0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF},
	{0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8},
	{0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2},
	{0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73},
	{0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB},
	{0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79},
	{0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08},
	{0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A},
	{0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E},
	{0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF},
	{0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16}
};

byte Inv_S_Box[16][16] = {
	{0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB},
	{0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB},
	{0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E},
	{0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25},
	{0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92},
	{0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84},
	{0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06},
	{0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B},
	{0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73},
	{0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E},
	{0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B},
	{0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4},
	{0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F},
	{0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF},
	{0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61},
	{0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D}
};

// 轮常数,密钥扩展中用到。(AES-128只需要10轮)
word Rcon[10] = {0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
				 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000};

/**********************************************************************/
/*                                                                    */
/*                              AES算法实现                           */
/*                                                                    */
/**********************************************************************/

/******************************下面是加密的变换函数**********************/
/**
 *  S盒变换 - SubBytes()接受一个 4x4 的字节矩阵作为输入,
 *  对其中的每个字节,前四位组成十六进制数x作为行号,后四位组成的十六进制数 y 作为列号,
 *  查找表中对应的值替换原来位置上的字节。
 */
 // mtx 是一个包含 16byte 元素的一维数组,每个 byte 是一个 bitset,它有 8 个位。
 //因此,通过使用 mtx[i][j] 的方式,您可以访问 byte 中的单个位
void SubBytes(byte mtx[4*4])
{
	for(int i=0; i<16; ++i)
	{
		int row = mtx[i][7]*8 + mtx[i][6]*4 + mtx[i][5]*2 + mtx[i][4];
		int col = mtx[i][3]*8 + mtx[i][2]*4 + mtx[i][1]*2 + mtx[i][0];
		mtx[i] = S_Box[row][col];
	}
}

/**
 *  行变换 - 按字节循环移位
 */
void ShiftRows(byte mtx[4*4])
{
	// 第二行循环左移一位
	byte temp = mtx[4];
	for(int i=0; i<3; ++i)
		mtx[i+4] = mtx[i+5];
	mtx[7] = temp;
	// 第三行循环左移两位
	for(int i=0; i<2; ++i)
	{
		temp = mtx[i+8];
		mtx[i+8] = mtx[i+10];
		mtx[i+10] = temp;
	}
	// 第四行循环左移三位
	temp = mtx[15];
	for(int i=3; i>0; --i)
		mtx[i+12] = mtx[i+11];
	mtx[12] = temp;
}

/**
 *  有限域上的乘法 GF(2^8)
 */
byte GFMul(byte a, byte b) {
	byte p = 0;
	byte hi_bit_set;
	for (int counter = 0; counter < 8; counter++) {
		if ((b & byte(1)) != 0) {
			p ^= a;
		}
		hi_bit_set = (byte) (a & byte(0x80));
		a <<= 1;
		if (hi_bit_set != 0) {
			a ^= 0x1b; /* x^8 + x^4 + x^3 + x + 1 */
		}
		b >>= 1;
	}
	return p;
}

/**
 *  列混合,用上面说过的公式
 */
void MixColumns(byte mtx[4*4])
{
	byte arr[4]; // 作为未位移的矩阵
	for(int i=0; i<4; ++i)
	{
		for(int j=0; j<4; ++j)
			arr[j] = mtx[i+j*4];

		mtx[i] = GFMul(0x02, arr[0]) ^ GFMul(0x03, arr[1]) ^ arr[2] ^ arr[3];
		mtx[i+4] = arr[0] ^ GFMul(0x02, arr[1]) ^ GFMul(0x03, arr[2]) ^ arr[3];
		mtx[i+8] = arr[0] ^ arr[1] ^ GFMul(0x02, arr[2]) ^ GFMul(0x03, arr[3]);
		mtx[i+12] = GFMul(0x03, arr[0]) ^ arr[1] ^ arr[2] ^ GFMul(0x02, arr[3]);
	}
}

/**
 *  轮密钥加变换 - 将每一列与扩展密钥进行异或
 *  注意wordbyte左移和右移是同普通的没有限制长度的二进制的左移和右移的区别
 */
 /**
 *  实例
 *  假设 k[i] 的二进制表示如下: k[i] = 11011010101100110011011001101100

 *  k1 = k[i] >> 24:这将 k[i] 右移24位,保留最高的8位。

 *  原始 k[i]: 11011010101100110011011001101100
 *  k[i] 右移24位: 0000000011011010
 *  k2 = (k[i] << 8) >> 24:这将 k[i] 左移8位(在之前的基础上左移),然后再右移24位,以保留接下来的8位。

 *  原始 k[i]: 11011010101100110011011001101100
 *  k[i] 左移8位: 10110011011011001101100000000000
 *  k[i] 左移8位后右移24位: 0000000010110011
 *  k3 = (k[i] << 16) >> 24:这将 k[i] 左移16位,然后再右移24位,以保留接下来的8位。

 *  原始 k[i]: 11011010101100110011011001101100
 *  k[i] 左移16位: 01100110011011000000000000000000
 *  k[i] 左移16位后右移24位: 0000000001100110
 *  k4 = (k[i] << 24) >> 24:这将 k[i] 左移24位,然后再右移24位,以保留最低的8位。

 *  原始 k[i]: 11011010101100110011011001101100
 *  k[i] 左移24位: 00110011011011000000000000000000
 *  k[i] 左移24位后右移24位: 0000000000110011
 */

void AddRoundKey(byte mtx[4*4], word k[4])
{
	for(int i=0; i<4; ++i)
	{
		word k1 = k[i] >> 24; // 最高的8位
		word k2 = (k[i] << 8) >> 24;
		word k3 = (k[i] << 16) >> 24;
		word k4 = (k[i] << 24) >> 24;

		mtx[i] = mtx[i] ^ byte(k1.to_ulong());
		mtx[i+4] = mtx[i+4] ^ byte(k2.to_ulong());
		mtx[i+8] = mtx[i+8] ^ byte(k3.to_ulong());
		mtx[i+12] = mtx[i+12] ^ byte(k4.to_ulong());
	}
}

/**************************下面是解密的逆变换函数***********************/
/**
 *  逆S盒变换
 */
void InvSubBytes(byte mtx[4*4])
{
	for(int i=0; i<16; ++i)
	{
		int row = mtx[i][7]*8 + mtx[i][6]*4 + mtx[i][5]*2 + mtx[i][4];
		int col = mtx[i][3]*8 + mtx[i][2]*4 + mtx[i][1]*2 + mtx[i][0];
		mtx[i] = Inv_S_Box[row][col];
	}
}

/**
 *  逆行变换 - 以字节为单位循环右移
 */
void InvShiftRows(byte mtx[4*4])
{
	// 第二行循环右移一位
	byte temp = mtx[7];
	for(int i=3; i>0; --i)
		mtx[i+4] = mtx[i+3];
	mtx[4] = temp;
	// 第三行循环右移两位
	for(int i=0; i<2; ++i)
	{
		temp = mtx[i+8];
		mtx[i+8] = mtx[i+10];
		mtx[i+10] = temp;
	}
	// 第四行循环右移三位
	temp = mtx[12];
	for(int i=0; i<3; ++i)
		mtx[i+12] = mtx[i+13];
	mtx[15] = temp;
}

void InvMixColumns(byte mtx[4*4])
{
	byte arr[4];
	for(int i=0; i<4; ++i)
	{
		for(int j=0; j<4; ++j)
			arr[j] = mtx[i+j*4];

		mtx[i] = GFMul(0x0e, arr[0]) ^ GFMul(0x0b, arr[1]) ^ GFMul(0x0d, arr[2]) ^ GFMul(0x09, arr[3]);
		mtx[i+4] = GFMul(0x09, arr[0]) ^ GFMul(0x0e, arr[1]) ^ GFMul(0x0b, arr[2]) ^ GFMul(0x0d, arr[3]);
		mtx[i+8] = GFMul(0x0d, arr[0]) ^ GFMul(0x09, arr[1]) ^ GFMul(0x0e, arr[2]) ^ GFMul(0x0b, arr[3]);
		mtx[i+12] = GFMul(0x0b, arr[0]) ^ GFMul(0x0d, arr[1]) ^ GFMul(0x09, arr[2]) ^ GFMul(0x0e, arr[3]);
	}
}

/******************************下面是密钥扩展部分***********************/
/**
 * 将4byte 转换为一个 word.
 */
word Word(byte& k1, byte& k2, byte& k3, byte& k4)
{
	word result(0x00000000);
	word temp;
	temp = k1.to_ulong();  // K1
	temp <<= 24;
	result |= temp;
	temp = k2.to_ulong();  // K2
	temp <<= 16;
	result |= temp;
	temp = k3.to_ulong();  // K3
	temp <<= 8;
	result |= temp;
	temp = k4.to_ulong();  // K4
	result |= temp;
	return result;
}

/**
 *  按字节 循环左移一位
 *  即把[a0, a1, a2, a3]变成[a1, a2, a3, a0]
 */
word RotWord(const word& rw)
{
	word high = rw << 8;
	word low = rw >> 24;
	return high | low;
}

/**
 *  对输入word中的每一个字节进行S-盒变换
 */
word SubWord(const word& sw)
{
	word temp;
	for(int i=0; i<32; i+=8)
	{
		int row = sw[i+7]*8 + sw[i+6]*4 + sw[i+5]*2 + sw[i+4];
		int col = sw[i+3]*8 + sw[i+2]*4 + sw[i+1]*2 + sw[i];
		byte val = S_Box[row][col];
		for(int j=0; j<8; ++j)
			temp[i+j] = val[j];
	}
	return temp;
}

/**
 *  密钥扩展函数 - 对128位密钥进行扩展得到 w[4*(Nr+1)]
 */
void KeyExpansion(byte key[4*Nk], word w[4*(Nr+1)])
{
	word temp;
	int i = 0;
	// w[]的前4个就是输入的key
	while(i < Nk)
	{
		w[i] = Word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
		++i;
	}

	i = Nk;

	while(i < 4*(Nr+1))
	{
		temp = w[i-1]; // 记录前一个word
		if(i % Nk == 0)
			w[i] = w[i-Nk] ^ SubWord(RotWord(temp)) ^ Rcon[i/Nk-1];
		else
			w[i] = w[i-Nk] ^ temp;
		++i;
	}
}

/******************************下面是加密和解密函数**************************/
/**
 *  加密
 */
void encrypt(byte in[4*4], word w[4*(Nr+1)]) // 输入的是明文和扩展密钥
{
	word key[4]; // 前四个key是w[1-4]
	for(int i=0; i<4; ++i)
		key[i] = w[i];
	AddRoundKey(in, key); // 第一次密钥轮加

	for(int round=1; round<Nr; ++round) //需要Nr-1次
	{
		SubBytes(in); //字节替换
		ShiftRows(in); //位移位
		MixColumns(in); //列混合
		for(int i=0; i<4; ++i) // 每四个w[]作为密钥轮加的key
			key[i] = w[4*round+i];
		AddRoundKey(in, key); //密钥轮加
	}

	// 最后一次不需要列混合
	SubBytes(in);
	ShiftRows(in);
	for(int i=0; i<4; ++i)
		key[i] = w[4*Nr+i];
	AddRoundKey(in, key);
}

/**
 *  解密
 */
void decrypt(byte in[4*4], word w[4*(Nr+1)])
{
	word key[4];
	for(int i=0; i<4; ++i)
		key[i] = w[4*Nr+i];
	AddRoundKey(in, key);

	for(int round=Nr-1; round>0; --round)
	{
		InvShiftRows(in);
		InvSubBytes(in);
		for(int i=0; i<4; ++i)
			key[i] = w[4*round+i];
		AddRoundKey(in, key);
		InvMixColumns(in);
	}

	InvShiftRows(in);
	InvSubBytes(in);
	for(int i=0; i<4; ++i)
		key[i] = w[i];
	AddRoundKey(in, key);
}

/**********************************************************************/
/*                                                                    */
/*                              测试                                  */
/*                                                                    */
/**********************************************************************/
int main()
{
	byte key[16] = {0x2b, 0x7e, 0x15, 0x16,
					0x28, 0xae, 0xd2, 0xa6,
					0xab, 0xf7, 0x15, 0x88,
					0x09, 0xcf, 0x4f, 0x3c};

	byte plain[16] = {0x32, 0x88, 0x31, 0xe0,
					0x43, 0x5a, 0x31, 0x37,
					0xf6, 0x30, 0x98, 0x07,
					0xa8, 0x8d, 0xa2, 0x34};
	// 输出密钥
	cout << "密钥是:";
	for(int i=0; i<16; ++i)
		cout << hex << key[i].to_ulong() << " ";
	cout << endl;

	word w[4*(Nr+1)];
	KeyExpansion(key, w);

	// 输出待加密的明文
	cout << endl << "待加密的明文:"<<endl;
	for(int i=0; i<16; ++i)
	{
		cout << hex << plain[i].to_ulong() << " ";
		if((i+1)%4 == 0)
			cout << endl;
	}
	cout << endl;

	// 加密,输出密文
	encrypt(plain, w);
	cout << "加密后的密文:"<<endl;
	for(int i=0; i<16; ++i)
	{
		cout << hex << plain[i].to_ulong() << " ";
		if((i+1)%4 == 0)
			cout << endl;
	}
	cout << endl;

	// 解密,输出明文
	decrypt(plain, w);
	cout << "解密后的明文:"<<endl;
	for(int i=0; i<16; ++i)
	{
		cout << hex << plain[i].to_ulong() << " ";
		if((i+1)%4 == 0)
			cout << endl;
	}
	cout << endl;
	return 0;
}

2. 注意

有限域$ GF(2^8) $上的乘法改用查表的方式实现,AES的加密速度马上提升 80% 以上,所以建议最好使用查表的方式。下面是 AES 算法中用到的 6个乘法结果表:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
byte Mul_02[256] = {
	0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e,0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e,
	0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e,0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e,
	0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e,0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e,
	0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e,0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e,
	0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e,0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e,
	0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae,0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe,
	0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce,0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde,
	0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee,0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe,
	0x1b,0x19,0x1f,0x1d,0x13,0x11,0x17,0x15,0x0b,0x09,0x0f,0x0d,0x03,0x01,0x07,0x05,
	0x3b,0x39,0x3f,0x3d,0x33,0x31,0x37,0x35,0x2b,0x29,0x2f,0x2d,0x23,0x21,0x27,0x25,
	0x5b,0x59,0x5f,0x5d,0x53,0x51,0x57,0x55,0x4b,0x49,0x4f,0x4d,0x43,0x41,0x47,0x45,
	0x7b,0x79,0x7f,0x7d,0x73,0x71,0x77,0x75,0x6b,0x69,0x6f,0x6d,0x63,0x61,0x67,0x65,
	0x9b,0x99,0x9f,0x9d,0x93,0x91,0x97,0x95,0x8b,0x89,0x8f,0x8d,0x83,0x81,0x87,0x85,
	0xbb,0xb9,0xbf,0xbd,0xb3,0xb1,0xb7,0xb5,0xab,0xa9,0xaf,0xad,0xa3,0xa1,0xa7,0xa5,
	0xdb,0xd9,0xdf,0xdd,0xd3,0xd1,0xd7,0xd5,0xcb,0xc9,0xcf,0xcd,0xc3,0xc1,0xc7,0xc5,
	0xfb,0xf9,0xff,0xfd,0xf3,0xf1,0xf7,0xf5,0xeb,0xe9,0xef,0xed,0xe3,0xe1,0xe7,0xe5
};

byte Mul_03[256] = {
	0x00,0x03,0x06,0x05,0x0c,0x0f,0x0a,0x09,0x18,0x1b,0x1e,0x1d,0x14,0x17,0x12,0x11,
	0x30,0x33,0x36,0x35,0x3c,0x3f,0x3a,0x39,0x28,0x2b,0x2e,0x2d,0x24,0x27,0x22,0x21,
	0x60,0x63,0x66,0x65,0x6c,0x6f,0x6a,0x69,0x78,0x7b,0x7e,0x7d,0x74,0x77,0x72,0x71,
	0x50,0x53,0x56,0x55,0x5c,0x5f,0x5a,0x59,0x48,0x4b,0x4e,0x4d,0x44,0x47,0x42,0x41,
	0xc0,0xc3,0xc6,0xc5,0xcc,0xcf,0xca,0xc9,0xd8,0xdb,0xde,0xdd,0xd4,0xd7,0xd2,0xd1,
	0xf0,0xf3,0xf6,0xf5,0xfc,0xff,0xfa,0xf9,0xe8,0xeb,0xee,0xed,0xe4,0xe7,0xe2,0xe1,
	0xa0,0xa3,0xa6,0xa5,0xac,0xaf,0xaa,0xa9,0xb8,0xbb,0xbe,0xbd,0xb4,0xb7,0xb2,0xb1,
	0x90,0x93,0x96,0x95,0x9c,0x9f,0x9a,0x99,0x88,0x8b,0x8e,0x8d,0x84,0x87,0x82,0x81,
	0x9b,0x98,0x9d,0x9e,0x97,0x94,0x91,0x92,0x83,0x80,0x85,0x86,0x8f,0x8c,0x89,0x8a,
	0xab,0xa8,0xad,0xae,0xa7,0xa4,0xa1,0xa2,0xb3,0xb0,0xb5,0xb6,0xbf,0xbc,0xb9,0xba,
	0xfb,0xf8,0xfd,0xfe,0xf7,0xf4,0xf1,0xf2,0xe3,0xe0,0xe5,0xe6,0xef,0xec,0xe9,0xea,
	0xcb,0xc8,0xcd,0xce,0xc7,0xc4,0xc1,0xc2,0xd3,0xd0,0xd5,0xd6,0xdf,0xdc,0xd9,0xda,
	0x5b,0x58,0x5d,0x5e,0x57,0x54,0x51,0x52,0x43,0x40,0x45,0x46,0x4f,0x4c,0x49,0x4a,
	0x6b,0x68,0x6d,0x6e,0x67,0x64,0x61,0x62,0x73,0x70,0x75,0x76,0x7f,0x7c,0x79,0x7a,
	0x3b,0x38,0x3d,0x3e,0x37,0x34,0x31,0x32,0x23,0x20,0x25,0x26,0x2f,0x2c,0x29,0x2a,
	0x0b,0x08,0x0d,0x0e,0x07,0x04,0x01,0x02,0x13,0x10,0x15,0x16,0x1f,0x1c,0x19,0x1a
};

byte Mul_09[256] = {
	0x00,0x09,0x12,0x1b,0x24,0x2d,0x36,0x3f,0x48,0x41,0x5a,0x53,0x6c,0x65,0x7e,0x77,
	0x90,0x99,0x82,0x8b,0xb4,0xbd,0xa6,0xaf,0xd8,0xd1,0xca,0xc3,0xfc,0xf5,0xee,0xe7,
	0x3b,0x32,0x29,0x20,0x1f,0x16,0x0d,0x04,0x73,0x7a,0x61,0x68,0x57,0x5e,0x45,0x4c,
	0xab,0xa2,0xb9,0xb0,0x8f,0x86,0x9d,0x94,0xe3,0xea,0xf1,0xf8,0xc7,0xce,0xd5,0xdc,
	0x76,0x7f,0x64,0x6d,0x52,0x5b,0x40,0x49,0x3e,0x37,0x2c,0x25,0x1a,0x13,0x08,0x01,
	0xe6,0xef,0xf4,0xfd,0xc2,0xcb,0xd0,0xd9,0xae,0xa7,0xbc,0xb5,0x8a,0x83,0x98,0x91,
	0x4d,0x44,0x5f,0x56,0x69,0x60,0x7b,0x72,0x05,0x0c,0x17,0x1e,0x21,0x28,0x33,0x3a,
	0xdd,0xd4,0xcf,0xc6,0xf9,0xf0,0xeb,0xe2,0x95,0x9c,0x87,0x8e,0xb1,0xb8,0xa3,0xaa,
	0xec,0xe5,0xfe,0xf7,0xc8,0xc1,0xda,0xd3,0xa4,0xad,0xb6,0xbf,0x80,0x89,0x92,0x9b,
	0x7c,0x75,0x6e,0x67,0x58,0x51,0x4a,0x43,0x34,0x3d,0x26,0x2f,0x10,0x19,0x02,0x0b,
	0xd7,0xde,0xc5,0xcc,0xf3,0xfa,0xe1,0xe8,0x9f,0x96,0x8d,0x84,0xbb,0xb2,0xa9,0xa0,
	0x47,0x4e,0x55,0x5c,0x63,0x6a,0x71,0x78,0x0f,0x06,0x1d,0x14,0x2b,0x22,0x39,0x30,
	0x9a,0x93,0x88,0x81,0xbe,0xb7,0xac,0xa5,0xd2,0xdb,0xc0,0xc9,0xf6,0xff,0xe4,0xed,
	0x0a,0x03,0x18,0x11,0x2e,0x27,0x3c,0x35,0x42,0x4b,0x50,0x59,0x66,0x6f,0x74,0x7d,
	0xa1,0xa8,0xb3,0xba,0x85,0x8c,0x97,0x9e,0xe9,0xe0,0xfb,0xf2,0xcd,0xc4,0xdf,0xd6,
	0x31,0x38,0x23,0x2a,0x15,0x1c,0x07,0x0e,0x79,0x70,0x6b,0x62,0x5d,0x54,0x4f,0x46
};

byte Mul_0b[256] = {
	0x00,0x0b,0x16,0x1d,0x2c,0x27,0x3a,0x31,0x58,0x53,0x4e,0x45,0x74,0x7f,0x62,0x69,
	0xb0,0xbb,0xa6,0xad,0x9c,0x97,0x8a,0x81,0xe8,0xe3,0xfe,0xf5,0xc4,0xcf,0xd2,0xd9,
	0x7b,0x70,0x6d,0x66,0x57,0x5c,0x41,0x4a,0x23,0x28,0x35,0x3e,0x0f,0x04,0x19,0x12,
	0xcb,0xc0,0xdd,0xd6,0xe7,0xec,0xf1,0xfa,0x93,0x98,0x85,0x8e,0xbf,0xb4,0xa9,0xa2,
	0xf6,0xfd,0xe0,0xeb,0xda,0xd1,0xcc,0xc7,0xae,0xa5,0xb8,0xb3,0x82,0x89,0x94,0x9f,
	0x46,0x4d,0x50,0x5b,0x6a,0x61,0x7c,0x77,0x1e,0x15,0x08,0x03,0x32,0x39,0x24,0x2f,
	0x8d,0x86,0x9b,0x90,0xa1,0xaa,0xb7,0xbc,0xd5,0xde,0xc3,0xc8,0xf9,0xf2,0xef,0xe4,
	0x3d,0x36,0x2b,0x20,0x11,0x1a,0x07,0x0c,0x65,0x6e,0x73,0x78,0x49,0x42,0x5f,0x54,
	0xf7,0xfc,0xe1,0xea,0xdb,0xd0,0xcd,0xc6,0xaf,0xa4,0xb9,0xb2,0x83,0x88,0x95,0x9e,
	0x47,0x4c,0x51,0x5a,0x6b,0x60,0x7d,0x76,0x1f,0x14,0x09,0x02,0x33,0x38,0x25,0x2e,
	0x8c,0x87,0x9a,0x91,0xa0,0xab,0xb6,0xbd,0xd4,0xdf,0xc2,0xc9,0xf8,0xf3,0xee,0xe5,
	0x3c,0x37,0x2a,0x21,0x10,0x1b,0x06,0x0d,0x64,0x6f,0x72,0x79,0x48,0x43,0x5e,0x55,
	0x01,0x0a,0x17,0x1c,0x2d,0x26,0x3b,0x30,0x59,0x52,0x4f,0x44,0x75,0x7e,0x63,0x68,
	0xb1,0xba,0xa7,0xac,0x9d,0x96,0x8b,0x80,0xe9,0xe2,0xff,0xf4,0xc5,0xce,0xd3,0xd8,
	0x7a,0x71,0x6c,0x67,0x56,0x5d,0x40,0x4b,0x22,0x29,0x34,0x3f,0x0e,0x05,0x18,0x13,
	0xca,0xc1,0xdc,0xd7,0xe6,0xed,0xf0,0xfb,0x92,0x99,0x84,0x8f,0xbe,0xb5,0xa8,0xa3
};

byte Mul_0d[256] = {
	0x00,0x0d,0x1a,0x17,0x34,0x39,0x2e,0x23,0x68,0x65,0x72,0x7f,0x5c,0x51,0x46,0x4b,
	0xd0,0xdd,0xca,0xc7,0xe4,0xe9,0xfe,0xf3,0xb8,0xb5,0xa2,0xaf,0x8c,0x81,0x96,0x9b,
	0xbb,0xb6,0xa1,0xac,0x8f,0x82,0x95,0x98,0xd3,0xde,0xc9,0xc4,0xe7,0xea,0xfd,0xf0,
	0x6b,0x66,0x71,0x7c,0x5f,0x52,0x45,0x48,0x03,0x0e,0x19,0x14,0x37,0x3a,0x2d,0x20,
	0x6d,0x60,0x77,0x7a,0x59,0x54,0x43,0x4e,0x05,0x08,0x1f,0x12,0x31,0x3c,0x2b,0x26,
	0xbd,0xb0,0xa7,0xaa,0x89,0x84,0x93,0x9e,0xd5,0xd8,0xcf,0xc2,0xe1,0xec,0xfb,0xf6,
	0xd6,0xdb,0xcc,0xc1,0xe2,0xef,0xf8,0xf5,0xbe,0xb3,0xa4,0xa9,0x8a,0x87,0x90,0x9d,
	0x06,0x0b,0x1c,0x11,0x32,0x3f,0x28,0x25,0x6e,0x63,0x74,0x79,0x5a,0x57,0x40,0x4d,
	0xda,0xd7,0xc0,0xcd,0xee,0xe3,0xf4,0xf9,0xb2,0xbf,0xa8,0xa5,0x86,0x8b,0x9c,0x91,
	0x0a,0x07,0x10,0x1d,0x3e,0x33,0x24,0x29,0x62,0x6f,0x78,0x75,0x56,0x5b,0x4c,0x41,
	0x61,0x6c,0x7b,0x76,0x55,0x58,0x4f,0x42,0x09,0x04,0x13,0x1e,0x3d,0x30,0x27,0x2a,
	0xb1,0xbc,0xab,0xa6,0x85,0x88,0x9f,0x92,0xd9,0xd4,0xc3,0xce,0xed,0xe0,0xf7,0xfa,
	0xb7,0xba,0xad,0xa0,0x83,0x8e,0x99,0x94,0xdf,0xd2,0xc5,0xc8,0xeb,0xe6,0xf1,0xfc,
	0x67,0x6a,0x7d,0x70,0x53,0x5e,0x49,0x44,0x0f,0x02,0x15,0x18,0x3b,0x36,0x21,0x2c,
	0x0c,0x01,0x16,0x1b,0x38,0x35,0x22,0x2f,0x64,0x69,0x7e,0x73,0x50,0x5d,0x4a,0x47,
	0xdc,0xd1,0xc6,0xcb,0xe8,0xe5,0xf2,0xff,0xb4,0xb9,0xae,0xa3,0x80,0x8d,0x9a,0x97
};

byte Mul_0e[256] = {
	0x00,0x0e,0x1c,0x12,0x38,0x36,0x24,0x2a,0x70,0x7e,0x6c,0x62,0x48,0x46,0x54,0x5a,
	0xe0,0xee,0xfc,0xf2,0xd8,0xd6,0xc4,0xca,0x90,0x9e,0x8c,0x82,0xa8,0xa6,0xb4,0xba,
	0xdb,0xd5,0xc7,0xc9,0xe3,0xed,0xff,0xf1,0xab,0xa5,0xb7,0xb9,0x93,0x9d,0x8f,0x81,
	0x3b,0x35,0x27,0x29,0x03,0x0d,0x1f,0x11,0x4b,0x45,0x57,0x59,0x73,0x7d,0x6f,0x61,
	0xad,0xa3,0xb1,0xbf,0x95,0x9b,0x89,0x87,0xdd,0xd3,0xc1,0xcf,0xe5,0xeb,0xf9,0xf7,
	0x4d,0x43,0x51,0x5f,0x75,0x7b,0x69,0x67,0x3d,0x33,0x21,0x2f,0x05,0x0b,0x19,0x17,
	0x76,0x78,0x6a,0x64,0x4e,0x40,0x52,0x5c,0x06,0x08,0x1a,0x14,0x3e,0x30,0x22,0x2c,
	0x96,0x98,0x8a,0x84,0xae,0xa0,0xb2,0xbc,0xe6,0xe8,0xfa,0xf4,0xde,0xd0,0xc2,0xcc,
	0x41,0x4f,0x5d,0x53,0x79,0x77,0x65,0x6b,0x31,0x3f,0x2d,0x23,0x09,0x07,0x15,0x1b,
	0xa1,0xaf,0xbd,0xb3,0x99,0x97,0x85,0x8b,0xd1,0xdf,0xcd,0xc3,0xe9,0xe7,0xf5,0xfb,
	0x9a,0x94,0x86,0x88,0xa2,0xac,0xbe,0xb0,0xea,0xe4,0xf6,0xf8,0xd2,0xdc,0xce,0xc0,
	0x7a,0x74,0x66,0x68,0x42,0x4c,0x5e,0x50,0x0a,0x04,0x16,0x18,0x32,0x3c,0x2e,0x20,
	0xec,0xe2,0xf0,0xfe,0xd4,0xda,0xc8,0xc6,0x9c,0x92,0x80,0x8e,0xa4,0xaa,0xb8,0xb6,
	0x0c,0x02,0x10,0x1e,0x34,0x3a,0x28,0x26,0x7c,0x72,0x60,0x6e,0x44,0x4a,0x58,0x56,
	0x37,0x39,0x2b,0x25,0x0f,0x01,0x13,0x1d,0x47,0x49,0x5b,0x55,0x7f,0x71,0x63,0x6d,
	0xd7,0xd9,0xcb,0xc5,0xef,0xe1,0xf3,0xfd,0xa7,0xa9,0xbb,0xb5,0x9f,0x91,0x83,0x8d
};

五、总结

AES 的优势

  • 更高的安全性: AES 提供了更高的安全性,因为它支持更长的密钥长度(128 比特、192 比特和 256 比特),这使得密码破解更加困难。相比之下,DES 使用 56 位密钥,相对容易受到暴力破解攻击。

  • 更快的加密速度: AES 的算法结构允许更高效的硬件和软件实现,因此它通常比 DES 更快。这是由于其更简单的替代和置换结构,以及较长的密钥长度。

  • 更好的密码学设计: AES 的设计经过了广泛的密码学研究和审查,以确保其强大的安全性。相比之下,DES 已经过时,已经受到多种攻击的影响,包括差分攻击和线性攻击。

  • 支持多种密钥长度: AES 允许选择不同长度的密钥,以适应不同安全需求。这样,可以根据具体应用选择 128 位、192 位或 256 位密钥长度。

  • 广泛采用: AES 已经被广泛采用,被许多组织和国家用作数据加密的标准,包括美国政府。

AES 的缺点

  • 高硬件成本: 虽然 AES 的算法结构更高效,但实现硬件版本仍然可能比 DES 更昂贵。这可能会对资源有限的嵌入式系统造成一定负担。

  • 不支持较长的块长度: AES 只支持 128 位的块长度,而某些应用需要更长的块长度。这可能需要进行分组加密,增加了复杂性。

总的来说,AES 是一安全、高效且现代的对称加密算法,相对于 DES 具有更多的优势。虽然它可能不是完美的,但它是当前广泛应用的加密标准之一,可满足多种安全需求。