Reputation: 756
I'm trying to implement the Cryptonight algorithm in Java (without using JNI wrappers). One of the early steps is to "expand" an AES 256-bit key into 10 round keys. I can't seem to understand the terminology here. I'm guessing I don't need to implement that expansion from scratch, as AES seems to already be implemented by BouncyCastle. But I can't find an operation in their code or via Google that specifically speaks of "expansion" and how that is done. How can I accomplish this, ideally by simply calling into part of the BouncyCastle API?
I'm not necessarily trying to learn cryptography, though I appreciate any details; I'm more trying to understand how to accomplish this task using existing libraries if possible, but I'm willing to do it manually if necessary.
Upvotes: 3
Views: 1221
Reputation: 9
For CryptoNight's modified AES you need to produce only 10 round keys from a 256-bit input key. You can use a standard AES key expansion and take only the first 10 keys. Here is my article with Java code examples that describes the CryptoNight-specific AES key schedule: http://cryptoexplained.tech/hash-algorithms/aes-key-schedule
Upvotes: -2
Reputation: 4819
AES-128 uses 10 rounds, AES-192 uses 12 rounds and AES-256 uses 14 rounds.
With BouncyCastle, it is implemented in class org.bouncycastle.crypto.engines.AESEngine, in the private method named generateWorkingKey(). This is not a generic implementation:
The method starts with:
[...]
int KC = keyLen >>> 2;
ROUNDS = KC + 6; // This is not always true for the generalized Rijndael that allows larger block sizes
int[][] W = new int[ROUNDS+1][4]; // 4 words in a block
switch (KC) {
case 4:
[...]
for (int i = 1; i <= 10; ++i)
Reading this code, it's easy to see that if your key length is 128 bits, then the keyLen value is 16 (bytes), thus KC is 4, and ROUNDS is 10 (this is the upper limit of the loop). But it is hardcoded. For other key lengths, it is also hardcoded the same way, in a switch case that contains a loop whose upper limit is the number of rounds.
So, for your Cryptonight implementation, with a key length of 256 bits but with 10 rounds, the hardcoded values in the BouncyCastle implementation do not match your needs.
Therefore, you need to fork BouncyCastle and modify this code to achieve your goals.
Upvotes: 5
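The expansion discussed in the answers above, written out as an added example (not code from BouncyCastle or from either answer): the standard AES-256 key schedule from FIPS-197, stopped after 10 round keys. It assumes, as the first answer states, that CryptoNight's round keys are simply the first 10 of the standard schedule; the class and method names are hypothetical.

```java
import java.util.HexFormat; // Java 17+

public class CryptoNightRoundKeys { // hypothetical class name, added example
    private static final int[] SBOX = new int[256];
    static {
        // AES S-box: multiplicative inverse in GF(2^8) followed by the affine map.
        int p = 1, q = 1;
        do {
            p = (p ^ (p << 1) ^ ((p & 0x80) != 0 ? 0x1B : 0)) & 0xFF; // p *= 3
            q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF;         // q /= 3
            if ((q & 0x80) != 0) q ^= 0x09;
            int x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4);
            SBOX[p] = x ^ 0x63;
        } while (p != 1);
        SBOX[0] = 0x63; // zero has no inverse, so it is set separately
    }
    private static int rotl8(int v, int s) { return ((v << s) | (v >>> (8 - s))) & 0xFF; }
    private static int subWord(int w) {
        return SBOX[w >>> 24] << 24 | SBOX[(w >>> 16) & 0xFF] << 16
             | SBOX[(w >>> 8) & 0xFF] << 8 | SBOX[w & 0xFF];
    }
    /** Standard AES-256 key schedule (Nk = 8), stopped after 10 round keys (40 words). */
    static byte[][] expand(byte[] key) {
        if (key.length != 32) throw new IllegalArgumentException("need a 32-byte key");
        int[] w = new int[40];
        for (int i = 0; i < 8; i++) // round keys 0 and 1 are the key itself
            w[i] = (key[4 * i] & 0xFF) << 24 | (key[4 * i + 1] & 0xFF) << 16
                 | (key[4 * i + 2] & 0xFF) << 8 | (key[4 * i + 3] & 0xFF);
        int rcon = 1;
        for (int i = 8; i < 40; i++) {
            int t = w[i - 1];
            if (i % 8 == 0) { // RotWord, SubWord, round constant
                t = subWord(Integer.rotateLeft(t, 8)) ^ (rcon << 24);
                rcon <<= 1;   // only 0x01..0x08 are reached, so no GF reduction is needed
            } else if (i % 8 == 4) t = subWord(t); // extra SubWord step used only when Nk = 8
            w[i] = w[i - 8] ^ t;
        }
        byte[][] roundKeys = new byte[10][16];
        for (int i = 0; i < 40; i++)
            for (int b = 0; b < 4; b++)
                roundKeys[i / 4][4 * (i % 4) + b] = (byte) (w[i] >>> (24 - 8 * b));
        return roundKeys;
    }
    public static void main(String[] args) {
        // Sample input: the AES-256 example key from FIPS-197 Appendix A.3.
        byte[] key = HexFormat.of().parseHex(
            "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
        for (byte[] k : expand(key)) System.out.println(HexFormat.of().formatHex(k));
    }
}
```

The round keys are returned as bytes in FIPS-197 order; the printed words can be compared against the key expansion walk-through in FIPS-197 Appendix A.3.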