22df2e7fcb
Renamed a variable Implemented a custom AES function as "Rijndael128" - Built in key derivation at the moment (PBKDF2-HMAC-SHA1) - Added built-in string encryption/decryption - All encryption functions compute the results using the underlying mathematical models instead of using tables, simply to demonstrate the inner workings of AES Simplified some methods for readability and convenience Removed unnecessary use of BigInteger Replaced manually (and terribly) calculated Galois field arithmetic with Galois2 methods to make the code simpler and more understandable
765 lines
32 KiB
C#
765 lines
32 KiB
C#
using System;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.Security.Cryptography;
|
|
using System.Text;
|
|
|
|
namespace Tofvesson.Crypto
|
|
{
|
|
public sealed class AES
|
|
{
|
|
public static readonly byte[] DEFAULT_SALT = new byte[] { 3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5 };
|
|
public static readonly Encoding DEFAULT_ENCODING = Encoding.UTF8;
|
|
public static readonly CryptoPadding DEFAULT_PADDING = new PassthroughPadding();
|
|
private const int BUFFER_SIZE = 2048;
|
|
|
|
public byte[] Key { get; private set; }
|
|
public byte[] IV { get; private set; }
|
|
|
|
public AES() {
|
|
using (RijndaelManaged r = new RijndaelManaged()) {
|
|
r.GenerateKey();
|
|
r.GenerateIV();
|
|
Key = r.Key;
|
|
IV = r.IV;
|
|
}
|
|
if (Key.Length == 0 || IV.Length == 0) throw new SystemException("Invalid parameter length!");
|
|
}
|
|
|
|
public AES(byte[] seed, byte[] salt)
|
|
{
|
|
var keyGenerator = new Rfc2898DeriveBytes(seed, salt, 300);
|
|
using (RijndaelManaged r = new RijndaelManaged())
|
|
{
|
|
r.GenerateIV();
|
|
Key = keyGenerator.GetBytes(32);
|
|
IV = r.IV;
|
|
}
|
|
if (Key.Length == 0 || IV.Length == 0) throw new SystemException("Invalid parameter length!");
|
|
}
|
|
public static AES Load(byte[] key, byte[] iv) => new AES(key, iv, false);
|
|
public AES(byte[] seed) : this(seed, DEFAULT_SALT) { }
|
|
public AES(string password, Encoding e) : this(e.GetBytes(password)) { }
|
|
public AES(string password) : this(DEFAULT_ENCODING.GetBytes(password), DEFAULT_SALT) { }
|
|
private AES(byte[] k, byte[] i, bool b)
|
|
{
|
|
Key = k;
|
|
IV = i;
|
|
if (Key.Length == 0 || IV.Length == 0) throw new SystemException("Invalid parameter length!");
|
|
}
|
|
|
|
|
|
public byte[] Encrypt(string message) => Encrypt(message, DEFAULT_ENCODING, DEFAULT_PADDING);
|
|
public byte[] Encrypt(string message, Encoding e, CryptoPadding padding) => Encrypt(e.GetBytes(message), padding);
|
|
public byte[] Encrypt(byte[] data, CryptoPadding padding)
|
|
{
|
|
data = padding.Pad(data);
|
|
if (data.Length == 0) throw new SystemException("Invalid message length");
|
|
byte[] result;
|
|
using (RijndaelManaged rijAlg = new RijndaelManaged())
|
|
{
|
|
rijAlg.Key = Key;
|
|
rijAlg.IV = IV;
|
|
|
|
using (MemoryStream msEncrypt = new MemoryStream())
|
|
{
|
|
using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, rijAlg.CreateEncryptor(rijAlg.Key, rijAlg.IV), CryptoStreamMode.Write))
|
|
{
|
|
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
|
|
{
|
|
swEncrypt.Write(DEFAULT_ENCODING.GetChars(data));
|
|
}
|
|
result = msEncrypt.ToArray();
|
|
}
|
|
}
|
|
}
|
|
return result;
|
|
}
|
|
|
|
public string DecryptString(byte[] data) => DecryptString(data, DEFAULT_ENCODING, DEFAULT_PADDING);
|
|
public string DecryptString(byte[] data, Encoding e, CryptoPadding padding) => new string(e.GetChars(Decrypt(data, padding)));
|
|
public byte[] Decrypt(byte[] data, CryptoPadding padding)
|
|
{
|
|
if (data.Length == 0) throw new SystemException("Invalid message length");
|
|
List<byte> read = new List<byte>();
|
|
using (RijndaelManaged rijAlg = new RijndaelManaged())
|
|
{
|
|
rijAlg.Key = Key;
|
|
rijAlg.IV = IV;
|
|
using (MemoryStream msDecrypt = new MemoryStream(data))
|
|
{
|
|
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, rijAlg.CreateDecryptor(Key, IV), CryptoStreamMode.Read))
|
|
{
|
|
byte[] buf = new byte[BUFFER_SIZE];
|
|
int test;
|
|
int count;
|
|
do
|
|
{
|
|
count = csDecrypt.Read(buf, 0, buf.Length);
|
|
if (count == 0)
|
|
{
|
|
if ((test = csDecrypt.ReadByte()) == -1) break;
|
|
read.Add((byte)test);
|
|
}
|
|
else for (int i = 0; i < count; ++i) read.Add(buf[i]);
|
|
} while (true);
|
|
}
|
|
}
|
|
}
|
|
return padding.Unpad(read.ToArray());
|
|
}
|
|
|
|
public void Save(string baseName, bool force = false)
|
|
{
|
|
if (force || !File.Exists(baseName + ".key")) File.WriteAllBytes(baseName + ".key", Key);
|
|
if (force || !File.Exists(baseName + ".iv")) File.WriteAllBytes(baseName + ".iv", IV);
|
|
}
|
|
|
|
public byte[] Serialize() => Support.SerializeBytes(new byte[][] { Key, IV });
|
|
public static AES Deserialize(byte[] message, out int read)
|
|
{
|
|
byte[][] output = Support.DeserializeBytes(message, 2);
|
|
read = output[0].Length + output[1].Length + 8;
|
|
return new AES(output[0], output[1], false);
|
|
}
|
|
|
|
public static AES Load(string baseName)
|
|
{
|
|
if (!File.Exists(baseName + ".iv") || !File.Exists(baseName + ".key")) throw new SystemException("Required files could not be located");
|
|
return new AES(File.ReadAllBytes(baseName + ".key"), File.ReadAllBytes(baseName + ".iv"), false);
|
|
}
|
|
}
|
|
|
|
public class Rijndael128
|
|
{
|
|
protected readonly byte[] roundKeys;
|
|
protected readonly byte[] key;
|
|
protected readonly byte[] iv;
|
|
|
|
public Rijndael128(string key)
|
|
{
|
|
// Derive a proper key
|
|
var t = DeriveKey(key);
|
|
this.key = t.Item1;
|
|
this.iv = t.Item2;
|
|
|
|
// Expand the derived key
|
|
roundKeys = KeySchedule(this.key, BitMode.Bit128);
|
|
}
|
|
protected Rijndael128(byte[] key, byte[] iv)
|
|
{
|
|
this.key = key;
|
|
this.iv = iv;
|
|
|
|
// Expand the derived key
|
|
roundKeys = KeySchedule(this.key, BitMode.Bit128);
|
|
}
|
|
|
|
public byte[] EncryptString(string message) => Encrypt(Encoding.UTF8.GetBytes(message));
|
|
public string DecryptString(byte[] message, int length) => new string(Encoding.UTF8.GetChars(Decrypt(message, length, false))).Substring(0, length);
|
|
|
|
public byte[] Encrypt(byte[] message)
|
|
{
|
|
byte[] result = new byte[message.Length + ((16 - (message.Length % 16))%16)];
|
|
Array.Copy(message, result, message.Length);
|
|
for(int i = 0; i<result.Length/16; ++i)
|
|
Array.Copy(AES128_Encrypt(result.SubArray(i * 16, i * 16 + 16)), 0, result, i * 16, 16);
|
|
return result;
|
|
}
|
|
|
|
public byte[] Decrypt(byte[] message, int messageLength) => Decrypt(message, messageLength, true);
|
|
protected byte[] Decrypt(byte[] message, int messageLength, bool doTruncate)
|
|
{
|
|
if (message.Length % 16 != 0) throw new SystemException("Invalid encrypted message length!");
|
|
byte[] result = new byte[message.Length];
|
|
Array.Copy(message, result, message.Length);
|
|
for (int i = 0; i < result.Length / 16; ++i)
|
|
Array.Copy(AES128_Decrypt(result.SubArray(i * 16, i * 16 + 16)), 0, result, i * 16, 16);
|
|
return doTruncate ? result.SubArray(0, messageLength) : result;
|
|
}
|
|
|
|
protected virtual byte[] AES128_Encrypt(byte[] state)
|
|
{
|
|
// Initial round
|
|
state = AddRoundKey(state, roundKeys, 0);
|
|
|
|
// Rounds 1 - 9
|
|
for (int rounds = 1; rounds < 10; ++rounds)
|
|
{
|
|
state = ShiftRows(SubBytes(state, false));
|
|
if (rounds != 9) state = MixColumns(state, true);
|
|
state = AddRoundKey(state, roundKeys, rounds * 16);
|
|
}
|
|
|
|
return state;
|
|
}
|
|
|
|
protected virtual byte[] AES128_Decrypt(byte[] state)
|
|
{
|
|
for (int rounds = 9; rounds > 0; --rounds)
|
|
{
|
|
state = AddRoundKey(state, roundKeys, rounds * 16);
|
|
if (rounds != 9) state = MixColumns(state, false);
|
|
state = SubBytes(UnShiftRows(state), true);
|
|
}
|
|
|
|
return AddRoundKey(state, roundKeys, 0);
|
|
}
|
|
|
|
public void Save(string baseName, bool force = false)
|
|
{
|
|
if (force || !File.Exists(baseName + ".key")) File.WriteAllBytes(baseName + ".key", key);
|
|
if (force || !File.Exists(baseName + ".iv")) File.WriteAllBytes(baseName + ".iv", iv);
|
|
}
|
|
|
|
public byte[] Serialize() => Support.SerializeBytes(new byte[][] { key, iv });
|
|
public static Rijndael128 Deserialize(byte[] message, out int read)
|
|
{
|
|
byte[][] output = Support.DeserializeBytes(message, 2);
|
|
read = output[0].Length + output[1].Length + 8;
|
|
return new Rijndael128(output[0], output[1]);
|
|
}
|
|
|
|
public static Rijndael128 Load(string baseName)
|
|
{
|
|
if (!File.Exists(baseName + ".iv") || !File.Exists(baseName + ".key")) throw new SystemException("Required files could not be located");
|
|
return new Rijndael128(File.ReadAllBytes(baseName + ".key"), File.ReadAllBytes(baseName + ".iv"));
|
|
}
|
|
|
|
|
|
// Internal methods for encryption :)
|
|
private static uint KSchedCore(uint input, int iteration)
|
|
{
|
|
input = Rotate(input);
|
|
byte[] bytes = Support.WriteToArray(new byte[4], input, 0);
|
|
for (int i = 0; i < bytes.Length; ++i) bytes[i] = SBox(bytes[i]);
|
|
bytes[bytes.Length - 1] ^= RCON(iteration);
|
|
return (uint)Support.ReadInt(bytes, 0);
|
|
}
|
|
|
|
public enum BitMode { Bit128, Bit192, Bit256 }
|
|
private static byte[] KeySchedule(byte[] key, BitMode mode)
|
|
{
|
|
int n = mode == BitMode.Bit128 ? 16 : mode == BitMode.Bit192 ? 24 : 32;
|
|
int b = mode == BitMode.Bit128 ? 176 : mode == BitMode.Bit192 ? 208 : 240;
|
|
|
|
byte[] output = new byte[b];
|
|
Array.Copy(key, output, n);
|
|
|
|
int rcon_iter = 1;
|
|
|
|
int accruedBytes = n;
|
|
while (accruedBytes < b)
|
|
{
|
|
// Generate 4 new bytes of extended key
|
|
byte[] t = Support.WriteToArray(new byte[4], KSchedCore((uint)Support.ReadInt(output, accruedBytes - 4), rcon_iter), 0);
|
|
++rcon_iter;
|
|
for (int i = 0; i < 4; ++i) t[i] ^= output[accruedBytes - n + i];
|
|
Array.Copy(t, 0, output, accruedBytes, 4);
|
|
accruedBytes += 4;
|
|
|
|
// Generate 12 new bytes of extended key
|
|
for (int i = 0; i < 3; ++i)
|
|
{
|
|
Array.Copy(output, accruedBytes - 4, t, 0, 4);
|
|
for (int j = 0; j < 4; ++j) t[j] ^= output[accruedBytes - n + j];
|
|
Array.Copy(t, 0, output, accruedBytes, 4);
|
|
accruedBytes += 4;
|
|
}
|
|
|
|
// Special processing for 256-bit key schedule
|
|
if (mode == BitMode.Bit256)
|
|
{
|
|
Array.Copy(output, accruedBytes - 4, t, 0, 4);
|
|
for (int j = 0; j < 4; ++j) t[j] = (byte)(SBox(t[j]) ^ output[accruedBytes - n + j]);
|
|
Array.Copy(t, 0, output, accruedBytes, 4);
|
|
accruedBytes += 4;
|
|
}
|
|
// Special processing for 192-bit key schedule
|
|
if (mode != BitMode.Bit128)
|
|
for (int i = mode == BitMode.Bit192 ? 1 : 2; i >= 0; --i)
|
|
{
|
|
Array.Copy(output, accruedBytes - 4, t, 0, 4);
|
|
for (int j = 0; j < 4; ++j) t[j] ^= output[accruedBytes - n + j];
|
|
Array.Copy(t, 0, output, accruedBytes, 4);
|
|
accruedBytes += 4;
|
|
}
|
|
}
|
|
|
|
Console.WriteLine(Support.ArrayToString(output));
|
|
|
|
return output;
|
|
}
|
|
|
|
// MixColumns matrix basis. Used for multiplication over the rijndael field
|
|
private static readonly byte[] mix_matrix = new byte[] { 2, 3, 1, 1 };
|
|
private static readonly byte[] unmix_matrix = new byte[] { 14, 11, 13, 9 };
|
|
|
|
/// <summary>
|
|
/// Rijndael substitution step in the encryption (first thing that happens). This supplies confusion for the algorithm
|
|
/// </summary>
|
|
/// <param name="b">The value (most likely from the AES state) that should be substituted</param>
|
|
/// <returns>The substituted byte</returns>
|
|
private static byte SBox(byte b) => Affine(new Galois2(new byte[] { b }).InvMul().ToByteArray()[0]);
|
|
|
|
// Inverse SBox-function
|
|
private static byte ISBox(byte b) => new Galois2(new byte[] { Rffine(b) }).InvMul().ToByteArray()[0];
|
|
|
|
// Replaces GF(2^8) matrix multiplication for the affine and reverse affine functions
|
|
private static byte Affine(byte value) => (byte)(value ^ Rot(value, 1) ^ Rot(value, 2) ^ Rot(value, 3) ^ Rot(value, 4) ^ 0b0110_0011);
|
|
private static byte Rffine(byte value) => (byte)(Rot(value, 1) ^ Rot(value, 3) ^ Rot(value, 6) ^ 0b0000_0101);
|
|
|
|
// Rotate bitss
|
|
private static byte Rot(byte value, int by) => (byte)((value << by) | (value >> (8 - by)));
|
|
|
|
private delegate byte SBOXFunc(byte b);
|
|
private static byte[] SubBytes(byte[] state, bool reverse)
|
|
{
|
|
SBOXFunc v;
|
|
if (reverse) v = ISBox;
|
|
else v = SBox;
|
|
for (int i = 0; i < state.Length; ++i) state[i] = v(state[i]);
|
|
return state;
|
|
}
|
|
|
|
// The AES state is a column-major 4x4 matrix (for AES-128). Demonstrated below are the decimal indices, as would be represented in the state:
|
|
// 00 04 08 12
|
|
// 01 05 09 13
|
|
// 02 06 10 14
|
|
// 03 07 11 15
|
|
|
|
// Shiftrows applied to state above:
|
|
// 00 04 08 12 - No change
|
|
// 05 09 13 01 - Shifted 1 to the left
|
|
// 10 14 02 06 - Shifted 2 to the left
|
|
// 15 03 07 11 - Shifted 3 to the left
|
|
|
|
/// <summary>
|
|
/// Shifts the rows of the column-major matrix
|
|
/// </summary>
|
|
/// <param name="state"></param>
|
|
/// <returns>The shifted matrix</returns>
|
|
public static byte[] ShiftRows(byte[] state)
|
|
{
|
|
for (int i = 1; i < 4; ++i)
|
|
{
|
|
uint value = GetRow(state, i);
|
|
for (int j = 0; j < i; ++j) value = Rotate(value);
|
|
WriteToRow(value, state, i);
|
|
}
|
|
return state;
|
|
}
|
|
|
|
private static byte[] UnShiftRows(byte[] state)
|
|
{
|
|
for (int i = 1; i < 4; ++i)
|
|
{
|
|
uint value = GetRow(state, i);
|
|
for (int j = 3; j >= i; --j) value = Rotate(value);
|
|
WriteToRow(value, state, i);
|
|
}
|
|
return state;
|
|
}
|
|
|
|
private static void WriteToRow(uint value, byte[] to, int row)
|
|
{
|
|
to[row] = (byte)(value & 255);
|
|
to[row + 4] = (byte)((value >> 8) & 255);
|
|
to[row + 8] = (byte)((value >> 16) & 255);
|
|
to[row + 12] = (byte)((value >> 24) & 255);
|
|
}
|
|
|
|
private static uint GetRow(byte[] from, int row) => (uint)(from[row] | (from[row + 4] << 8) | (from[row + 8] << 16) | (from[row + 12] << 24));
|
|
|
|
/// <summary>
|
|
/// MixColumns adds diffusion to the algorithm. Performs matrix multiplication under GF(2^8) with the irreducible prime 0x11B (x^8 + x^4 + x^3 + x + 1)
|
|
/// </summary>
|
|
/// <param name="state"></param>
|
|
/// <returns>A matrix-multiplied and limited state (mixed)</returns>
|
|
private static byte[] MixColumns(byte[] state, bool mix)
|
|
{
|
|
byte[] res = new byte[16];
|
|
byte[] rowGenerator = mix ? mix_matrix : unmix_matrix;
|
|
|
|
// Simplified matrix multiplication under GF(2^8)
|
|
for (int i = 0; i < 4; ++i)
|
|
{
|
|
for (int j = 0; j < 4; ++j)
|
|
{
|
|
for (int k = 0; k < 4; ++k)
|
|
{
|
|
int idx = 4 - j;
|
|
Galois2 g = Galois2.FromValue(state[k + i * 4]);
|
|
res[j + i * 4] ^= g.Multiply(Galois2.FromValue(rowGenerator[(k + idx) % 4])).ToByteArray()[0];
|
|
//int r = ((state[k + i * 4] * (mix_matrix[(k + idx) % 4] & 1)) ^ ((state[k + i * 4] << 1) * ((mix_matrix[(k + idx) % 4]>>1)&1)));
|
|
//if (r > 0b100011011) r ^= 0b100011011;
|
|
//res[j + i * 4] ^= (byte) r;
|
|
}
|
|
}
|
|
}
|
|
return res;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Introduces the subkey for this round to the state
|
|
/// </summary>
|
|
/// <param name="state">The state to introduce the roundkey to</param>
|
|
/// <param name="subkey">The subkey</param>
|
|
/// <returns>The state where the roundkey has been added</returns>
|
|
private static byte[] AddRoundKey(byte[] state, byte[] subkey, int offset)
|
|
{
|
|
for (int i = 0; i < state.Length; ++i) state[i] ^= subkey[i + offset];
|
|
return state;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Rotate bits to the left by 8 bits. This means that, for example, "0F AB 09 16" becomes "AB 09 16 0F"
|
|
/// </summary>
|
|
/// <param name="i"></param>
|
|
/// <returns>Rotated value</returns>
|
|
private static uint Rotate(uint i) => (uint)(((i >> 24) & 255) | ((i << 8) & ~255));
|
|
|
|
/// <summary>
|
|
/// KDF for a given input string.
|
|
/// </summary>
|
|
/// <param name="message">Input string to derive key from</param>
|
|
/// <returns>A key and an IV</returns>
|
|
private static Tuple<byte[], byte[]> DeriveKey(string message)
|
|
{
|
|
byte[] salt = new CryptoRandomProvider().GetBytes(16); // Get a random 16-byte salt
|
|
byte[] key = KDF.PBKDF2(KDF.HMAC_SHA1, Encoding.UTF8.GetBytes(message), salt, 4096, 16); // Generate a 16-byte (128-bit) key from salt over 4096 iterations of HMAC-SHA1
|
|
return new Tuple<byte[], byte[]>(key, salt);
|
|
}
|
|
|
|
private static byte RCON(int i) => i <= 0 ? (byte)0x8d : new Galois2(i - 1).ToByteArray()[0];
|
|
}
|
|
|
|
/// <summary>
|
|
/// Object representation of a Galois Field with characteristic 2
|
|
/// </summary>
|
|
public class Galois2
|
|
{
|
|
private static readonly byte[] ZERO = new byte[1] { 0 };
|
|
private static readonly byte[] ONE = new byte[1] { 1 };
|
|
|
|
public static byte[] RijndaelIP
|
|
{ get { return new byte[] { 0b0001_1011, 0b0000_0001 }; } }
|
|
|
|
protected readonly byte[] value;
|
|
protected readonly byte[] ip;
|
|
|
|
/// <summary>
|
|
/// Create a new Galois2 instance representing the given polynomial using the given irreducible polynomial. The given value will be reduced if possible
|
|
/// </summary>
|
|
/// <param name="value">Value to represent</param>
|
|
/// <param name="ip">Irreducible polynomial</param>
|
|
public Galois2(byte[] value, byte[] ip)
|
|
{
|
|
this.value = _ClipZeroes(_FieldMod(value, this.ip = ip));
|
|
}
|
|
|
|
public Galois2(int pow, byte[] ip) : this(_FlipBit(new byte[0], pow), ip)
|
|
{ }
|
|
|
|
public Galois2(byte[] value) : this(value, RijndaelIP)
|
|
{ }
|
|
|
|
public Galois2(int pow) : this(pow, RijndaelIP)
|
|
{ }
|
|
|
|
public static Galois2 FromValue(int value, byte[] ip) => new Galois2(Support.WriteToArray(new byte[4], value, 0), ip);
|
|
public static Galois2 FromValue(int value) => FromValue(value, Galois2.RijndaelIP);
|
|
|
|
public Galois2 Multiply(Galois2 factor) => new Galois2(_Mul(value, factor.value), ip);
|
|
public Galois2 Add(Galois2 val) => new Galois2(_Add(value, val.value), ip);
|
|
public Galois2 Subtract(Galois2 val) => new Galois2(_Sub(value, val.value), ip);
|
|
public Galois2 XOR(Galois2 val) => new Galois2(_XOR(value, val.value), ip);
|
|
|
|
/// <summary>
|
|
/// Perform inverse multiplication on this Galois2 object. This is done by performing the extended euclidean algorithm (two-variable linear diophantine equations).
|
|
/// </summary>
|
|
/// <param name="value"></param>
|
|
/// <returns></returns>
|
|
public Galois2 InvMul()
|
|
{
|
|
if (_ArraysEquals(value, ZERO)) return FromValue(0, ip);
|
|
Stack<byte[]> factors = new Stack<byte[]>();
|
|
byte[] val = value;
|
|
byte[] mod = ip;
|
|
ModResult res;
|
|
while (!_ArraysEquals((res = _Mod(val, mod)).rem, ZERO))
|
|
{
|
|
factors.Push(res.div);
|
|
val = mod;
|
|
mod = res.rem;
|
|
}
|
|
|
|
// Values are not coprime. There is no solution!
|
|
if (!_ArraysEquals(mod, ONE)) return new Galois2(new byte[0], ip);
|
|
|
|
byte[] useful = new byte[1] { 1 };
|
|
byte[] theOtherOne = factors.Pop();
|
|
byte[] tmp;
|
|
while (factors.Count > 0)
|
|
{
|
|
tmp = theOtherOne;
|
|
theOtherOne = _Add(useful, _Mul(theOtherOne, factors.Pop()));
|
|
useful = tmp;
|
|
}
|
|
return new Galois2(useful, ip);
|
|
}
|
|
|
|
public byte[] ToByteArray() => (byte[])value.Clone();
|
|
public override string ToString()
|
|
{
|
|
StringBuilder builder = new StringBuilder();
|
|
for (int i = _GetFirstSetBit(value); i >= 0; --i)
|
|
if (_BitAt(value, i))
|
|
builder.Append("x^").Append(i).Append(" + ");
|
|
if (builder.Length == 0) builder.Append("0 ");
|
|
else builder.Remove(builder.Length - 2, 2);
|
|
builder.Append("(mod ");
|
|
int j;
|
|
for(int i = j = _GetFirstSetBit(ip); i>=0; --i)
|
|
if (_BitAt(ip, i))
|
|
builder.Append("x^").Append(i).Append(" + ");
|
|
if (j == -1) builder.Append('0');
|
|
else builder.Remove(builder.Length - 3, 3);
|
|
|
|
return builder.Append(')').ToString();
|
|
}
|
|
|
|
// Overrides
|
|
public override bool Equals(object obj)
|
|
{
|
|
if (obj == null || !(obj is Galois2 || obj is byte[])) return false;
|
|
|
|
byte[] val = obj is Galois2 ? ((Galois2)obj).value : (byte[])obj;
|
|
|
|
bool cmp = val.Length > value.Length;
|
|
byte[] bigger = cmp ? val : value;
|
|
byte[] smaller = cmp ? value : val;
|
|
for (int i = bigger.Length - 1; i >= 0; --i)
|
|
if (i >= smaller.Length)
|
|
{
|
|
if (bigger[i] != 0) return false;
|
|
}
|
|
else if (bigger[i] != smaller[i]) return false;
|
|
|
|
// If the value supplied was a byte array, ignore the irreducible prime, otherwise, make sure the irreducible primes are the same
|
|
return obj is byte[] || ((Galois2)obj).ip.Equals(ip);
|
|
}
|
|
|
|
public override int GetHashCode()
|
|
{
|
|
var hashCode = -579181322;
|
|
hashCode = hashCode * -1521134295 + EqualityComparer<byte[]>.Default.GetHashCode(value);
|
|
hashCode = hashCode * -1521134295 + EqualityComparer<byte[]>.Default.GetHashCode(ip);
|
|
return hashCode;
|
|
}
|
|
|
|
|
|
|
|
protected static bool _ArraysEquals(byte[] v1, byte[] v2)
|
|
{
|
|
bool cmp = v1.Length > v2.Length;
|
|
byte[] bigger = cmp ? v1 : v2;
|
|
byte[] smaller = cmp ? v2 : v1;
|
|
for (int i = bigger.Length - 1; i >= 0; --i)
|
|
if (i >= smaller.Length)
|
|
{
|
|
if (bigger[i] != 0) return false;
|
|
}
|
|
else if (bigger[i] != smaller[i]) return false;
|
|
return true;
|
|
}
|
|
|
|
// Internal methods for certain calculations
|
|
protected static byte[] _FieldMod(byte[] applyTo, byte[] fieldIP)
|
|
{
|
|
byte[] CA_l;
|
|
int fsb = _GetFirstSetBit(fieldIP);
|
|
while (_GetFirstSetBit(applyTo) >= fsb) // In GF(2^8), polynomials may not exceed x^7. This means that a value containing a bit representing x^8 or higher is invalid
|
|
{
|
|
CA_l = _GetFirstSetBit(applyTo) >= _GetFirstSetBit(fieldIP) ? _Align((byte[])fieldIP.Clone(), applyTo) : fieldIP;
|
|
byte[] res = new byte[CA_l.Length];
|
|
for (int i = 0; i < CA_l.Length; ++i) res[i] = (byte)(applyTo[i] ^ CA_l[i]);
|
|
applyTo = _ClipZeroes(res);
|
|
}
|
|
return applyTo;
|
|
}
|
|
|
|
|
|
/// <summary>
|
|
/// Remove preceding zero-bytes
|
|
/// </summary>
|
|
/// <param name="val">Value to remove preceding zeroes from</param>
|
|
/// <returns>Truncated value (if truncation was necessary)</returns>
|
|
protected static byte[] _ClipZeroes(byte[] val)
|
|
{
|
|
int i = 0;
|
|
for (int j = val.Length - 1; j >= 0; --j) if (val[j] != 0) { i = j; break; }
|
|
byte[] res = new byte[i + 1];
|
|
Array.Copy(val, res, res.Length);
|
|
return res;
|
|
}
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Get the bit index of the highest bit. This will get the value of the exponent, i.e. index 8 represents x^8
|
|
/// </summary>
|
|
/// <param name="b">Value to get the highest set bit from</param>
|
|
/// <returns>Index of the highest set bit. -1 if no bits are set</returns>
|
|
protected static int _GetFirstSetBit(byte[] b)
|
|
{
|
|
for (int i = (b.Length * 8) - 1; i >= 0; --i)
|
|
if (b[i / 8] == 0) i -= i % 8; // Speeds up searches through blank bytes
|
|
else if ((b[i / 8] & (1 << (i % 8))) != 0)
|
|
return i;
|
|
return -1;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Get the state of a bit in the supplied value.
|
|
/// </summary>
|
|
/// <param name="value">Value to get bit from</param>
|
|
/// <param name="index">Bit index to get bit from. (Not byte index)</param>
|
|
/// <returns></returns>
|
|
protected static bool _BitAt(byte[] value, int index) => (value[index / 8] & (1 << (index % 8))) != 0;
|
|
|
|
protected static byte _ShiftedBitmask(int start)
|
|
{
|
|
byte res = 0;
|
|
for (int i = start; i > 0; --i) res = (byte)((res >> 1) | 128);
|
|
return res;
|
|
}
|
|
|
|
|
|
protected static byte[] _Align(byte[] value, byte[] to) => _SHL(value, _GetFirstSetBit(to) - _GetFirstSetBit(value));
|
|
protected static bool _NeedsAlignment(byte[] value, byte[] comp) => _GetFirstSetBit(value) > _GetFirstSetBit(comp);
|
|
protected static bool _GT(byte[] v1, byte[] v2, bool eq)
|
|
{
|
|
byte[] bigger = v1.Length > v2.Length ? v1 : v2;
|
|
byte[] smaller = v1.Length > v2.Length ? v2 : v1;
|
|
for (int i = bigger.Length - 1; i >= 0; --i)
|
|
if (i >= smaller.Length && bigger[i] != 0)
|
|
return bigger == v1;
|
|
else if (i < smaller.Length && bigger[i] != smaller[i])
|
|
return (bigger[i] > smaller[i]) ^ (bigger != v1);
|
|
return eq;
|
|
}
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Shifts bit in the array by 'shift' bits to the left. This means that 0b0010_0000_1000_1111 shited by 2 becomes 0b1000_0010_0011_1100.
|
|
/// Note: A shift of 0 just acts like a slow value.Clone()
|
|
/// </summary>
|
|
/// <param name="value"></param>
|
|
/// <param name="shift"></param>
|
|
/// <returns></returns>
|
|
protected static byte[] _SHL(byte[] value, int shift)
|
|
{
|
|
int set = shift / 8;
|
|
int sub = shift % 8;
|
|
byte bm = _ShiftedBitmask(sub);
|
|
byte ibm = (byte)~bm;
|
|
byte carry = 0;
|
|
int fsb1 = _GetFirstSetBit(value);
|
|
if (fsb1 == -1) return value;
|
|
byte fsb = (byte)(fsb1 % 8);
|
|
byte[] create = new byte[value.Length + set + (fsb + sub >= 7 ? 1 : 0)];
|
|
for (int i = set; i - set < value.Length; ++i)
|
|
{
|
|
create[i] = (byte)(((value[i - set] & ibm) << sub) | carry);
|
|
carry = (byte)((value[i - set] & bm) >> (8 - sub));
|
|
}
|
|
create[create.Length - 1] |= carry;
|
|
return create;
|
|
}
|
|
|
|
|
|
/// <summary>
|
|
/// Flips the bit at the given binary index in the supplied value. For example, flipping bit 5 in the number 0b0010_0011 would result in 0b0000_0011, whereas flipping index 7 would result in 0b1010_0011.
|
|
/// </summary>
|
|
/// <param name="value">Value to manipulate bits of</param>
|
|
/// <param name="bitIndex">Index (in bits) of the bit to flip.</param>
|
|
/// <returns>An array (may be the same object as the one given) with a bit flipped.</returns>
|
|
protected static byte[] _FlipBit(byte[] value, int bitIndex)
|
|
{
|
|
if (bitIndex >= value.Length * 8)
|
|
{
|
|
byte[] intermediate = new byte[(bitIndex / 8) + 1];
|
|
Array.Copy(value, intermediate, value.Length);
|
|
value = intermediate;
|
|
}
|
|
value[bitIndex / 8] ^= (byte)(1 << (bitIndex % 8));
|
|
return value;
|
|
}
|
|
|
|
|
|
|
|
|
|
// Addition, Subtraction and XOR are all equivalent under GF(2^8) due to the modular nature of the field
|
|
protected static byte[] _Add(byte[] v1, byte[] v2) => _XOR(v1, v2);
|
|
protected static byte[] _Sub(byte[] v1, byte[] v2) => _XOR(v1, v2);
|
|
protected static byte[] _XOR(byte[] v1, byte[] v2)
|
|
{
|
|
bool size = v1.Length > v2.Length;
|
|
byte[] bigger = size ? v1 : v2;
|
|
byte[] smaller = size ? v2 : v1;
|
|
byte[] res = new byte[bigger.Length];
|
|
Array.Copy(bigger, res, bigger.Length);
|
|
for (int i = 0; i < smaller.Length; ++i) res[i] ^= smaller[i];
|
|
return _ClipZeroes(res);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Perform polynomial multiplication under a galois field with characteristic 2
|
|
/// </summary>
|
|
/// <param name="value">Factor to multiply</param>
|
|
/// <param name="by">Factor to multiply other value by</param>
|
|
/// <returns>The product of the multiplication</returns>
|
|
protected static byte[] _Mul(byte[] value, byte[] by)
|
|
{
|
|
byte[] result = new byte[0];
|
|
for (int i = _GetFirstSetBit(by); i >= 0; --i)
|
|
if (_BitAt(by, i))
|
|
result = _Add(result, _SHL(value, i));
|
|
return result;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Performs modulus on a given value by a certain value (mod) over a Galois Field with characteristic 2. This method performs both modulus and division.
|
|
/// </summary>
|
|
/// <param name="value">Value to perform modular aithmetic on</param>
|
|
/// <param name="mod">Modular value</param>
|
|
/// <returns>The result of the polynomial division and the result of the modulus</returns>
|
|
protected static ModResult _Mod(byte[] value, byte[] mod)
|
|
{
|
|
byte[] divRes = new byte[1];
|
|
while (_GT(value, mod, true))
|
|
{
|
|
divRes = _FlipBit(divRes, _GetFirstSetBit(value) - _GetFirstSetBit(mod)); // Notes the bit shift in the division tracker
|
|
value = _Sub(value, _Align(mod, value));
|
|
}
|
|
return new ModResult(divRes, value);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Used to store the result of a polynomial division/modulus in GF(2^m)
|
|
/// </summary>
|
|
protected struct ModResult
|
|
{
|
|
public ModResult(byte[] div, byte[] rem)
|
|
{
|
|
this.div = div;
|
|
this.rem = rem;
|
|
}
|
|
public byte[] div;
|
|
public byte[] rem;
|
|
}
|
|
}
|
|
}
|