Created April 26, 2017 14:56
AES implementations in Python3, PHP and JavaScript

Python3: AES / Rijndael

Usually, you should use PyCrypto from the python-crypto package. But if you want to code in Python3, there's no fast hybrid((i.e. mostly C-code, partly Python-code)) implementation of such a library.

Using Google, you will most probably stumble on Bram Cohen's Rijndael implementation in pure Python. I took his code and made it Python3 ready by replacing all xrange() by range(), all divisions (/) by integer-divisions (//) and made the string.join() working. There were no more changes neccessary.

Another Rijndael implementation I found was pyRijndael. After changing the two long() to int() and adding parentheses to all the prints at the end of the file, it worked fine with Python3.


Python3: AESEncryptCtr / AESDecryptCtr

Chris Veness had created a JavaScript implementation of AES in counter operation mode some time ago. He also ported this script to PHP so that you can interchange information between those two systems.

I ported the same library to Python to let Python talk to a PHP server in an encrypted way.



import aes
text = "Hello, world!"
password = "itsmysecret"
blocksize = 256   # can be 128, 192 or 256
crypted = aes.encrypt( text, password, blocksize )
# do something
decrypted = aes.decrypt( crypted, password, blocksize )


Chris Veness has ported his JavaScript AES implementation to PHP code. I wrapped the whole thing into a class for easier use.

See: aes.class.php




$text = 'Hello, world!';
$password = 'itsmysecret';
$blocksize = 256;  // can be 128, 192 or 256

$crypted = AES::encrypt( $text, $password, $blocksize );
// do something ...
$decrypted =  AES::decrypt( $crypted, $password, $blocksize );

JavaScript: AES

Chris Veness has written a JavaScript implementation of AES in counter operation mode some time ago. I wrapped the code up into a class for easier use.

See: aes.class.js


var text = 'Hello, world!';
var password = 'itsmysecret';
var blocksize = 256;   // can be 128, 192 or 256

var crypted = AES.encrypt( text, password, blocksize );
// do something...
var decrypted = AES.decrypt( crypted, password, blocksize );
* AES Cipher function: encrypt 'input' with Rijndael algorithm
* takes byte-array 'input' (16 bytes)
* 2D byte-array key schedule 'w' (Nr+1 x Nb bytes)
* applies Nr rounds (10/12/14) using key schedule w for 'add round key' stage
* returns byte-array encrypted value (16 bytes)
AES = {
/** Sbox is pre-computed multiplicative inverse in GF(2^8) used in SubBytes and KeyExpansion [§5.1.1] */
Sbox : [
/** Rcon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2] */
Rcon : [
[0x00, 0x00, 0x00, 0x00],
[0x01, 0x00, 0x00, 0x00],
[0x02, 0x00, 0x00, 0x00],
[0x04, 0x00, 0x00, 0x00],
[0x08, 0x00, 0x00, 0x00],
[0x10, 0x00, 0x00, 0x00],
[0x20, 0x00, 0x00, 0x00],
[0x40, 0x00, 0x00, 0x00],
[0x80, 0x00, 0x00, 0x00],
[0x1b, 0x00, 0x00, 0x00],
[0x36, 0x00, 0x00, 0x00]
/** main Cipher function [§5.1] */
Cipher : function(input, w) {
var Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)
var Nr = w.length/Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys
var state = [[],[],[],[]]; // initialise 4xNb byte-array 'state' with input [§3.4]
for (var i=0; i<4*Nb; i++) state[i%4][Math.floor(i/4)] = input[i];
state = this.AddRoundKey(state, w, 0, Nb);
for (var round=1; round<Nr; round++) {
state = this.SubBytes(state, Nb);
state = this.ShiftRows(state, Nb);
state = this.MixColumns(state, Nb);
state = this.AddRoundKey(state, w, round, Nb);
state = this.SubBytes(state, Nb);
state = this.ShiftRows(state, Nb);
state = this.AddRoundKey(state, w, Nr, Nb);
var output = new Array(4*Nb); // convert state to 1-d array before returning [§3.4]
for (var i=0; i<4*Nb; i++) output[i] = state[i%4][Math.floor(i/4)];
return output;
/** apply SBox to state S [§5.1.1] */
SubBytes : function(s, Nb) {
for (var r=0; r<4; r++) {
for (var c=0; c<Nb; c++) s[r][c] = this.Sbox[s[r][c]];
return s;
/** shift row r of state S left by r bytes [§5.1.2] */
ShiftRows : function(s, Nb) {
var t = new Array(4);
for (var r=1; r<4; r++) {
for (var c=0; c<4; c++) t[c] = s[r][(c+r)%Nb]; // shift into temp copy
for (var c=0; c<4; c++) s[r][c] = t[c]; // and copy back
} // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):
return s; // see
/** combine bytes of each col of state S [§5.1.3] */
MixColumns : function(s, Nb) {
for (var c=0; c<4; c++) {
var a = new Array(4); // 'a' is a copy of the current column from 's'
var b = new Array(4); // 'b' is a•{02} in GF(2^8)
for (var i=0; i<4; i++) {
a[i] = s[i][c];
b[i] = s[i][c]&0x80 ? s[i][c]<<1 ^ 0x011b : s[i][c]<<1;
// a[n] ^ b[n] is a•{03} in GF(2^8)
s[0][c] = b[0] ^ a[1] ^ b[1] ^ a[2] ^ a[3]; // 2*a0 + 3*a1 + a2 + a3
s[1][c] = a[0] ^ b[1] ^ a[2] ^ b[2] ^ a[3]; // a0 * 2*a1 + 3*a2 + a3
s[2][c] = a[0] ^ a[1] ^ b[2] ^ a[3] ^ b[3]; // a0 + a1 + 2*a2 + 3*a3
s[3][c] = a[0] ^ b[0] ^ a[1] ^ a[2] ^ b[3]; // 3*a0 + a1 + a2 + 2*a3
return s;
/** xor Round Key into state S [§5.1.4] */
AddRoundKey : function(state, w, rnd, Nb) {
for (var r=0; r<4; r++) {
for (var c=0; c<Nb; c++) state[r][c] ^= w[rnd*4+c][r];
return state;
/** generate Key Schedule (byte-array Nr+1 x Nb) from Key [§5.2] */
KeyExpansion : function(key) {
var Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)
var Nk = key.length/4 // key length (in words): 4/6/8 for 128/192/256-bit keys
var Nr = Nk + 6; // no of rounds: 10/12/14 for 128/192/256-bit keys
var w = new Array(Nb*(Nr+1));
var temp = new Array(4);
for (var i=0; i<Nk; i++) {
var r = [key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]];
w[i] = r;
for (var i=Nk; i<(Nb*(Nr+1)); i++) {
w[i] = new Array(4);
for (var t=0; t<4; t++) temp[t] = w[i-1][t];
if (i % Nk == 0) {
temp = this.SubWord(this.RotWord(temp));
for (var t=0; t<4; t++) temp[t] ^= this.Rcon[i/Nk][t];
} else if (Nk > 6 && i%Nk == 4) {
temp = this.SubWord(temp);
for (var t=0; t<4; t++) w[i][t] = w[i-Nk][t] ^ temp[t];
return w;
/** apply SBox to 4-byte word w */
SubWord : function(w) {
for (var i=0; i<4; i++) w[i] = this.Sbox[w[i]];
return w;
/** rotate 4-byte word w left by one byte */
RotWord : function(w) {
var tmp = w[0];
for (var i=0; i<3; i++) w[i] = w[i+1];
w[3] = tmp;
return w;
* Encrypt a text using AES encryption in Counter mode of operation
* - see
* Unicode multi-byte character safe
* @param plaintext source text to be encrypted
* @param password the password to use to generate a key
* @param nBits number of bits to be used in the key (128, 192, or 256)
* @return encrypted text
encrypt : function(plaintext, password, nBits) {
var blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
if (!(nBits==128 || nBits==192 || nBits==256)) return ''; // standard allows 128/192/256 bit keys
plaintext = plaintext.encodeUTF8();
password = password.encodeUTF8();
//var t = new Date(); // timer
// use AES itself to encrypt password to get cipher key (using plain password as source for key
// expansion) - gives us well encrypted key
var nBytes = nBits/8; // no bytes in key
var pwBytes = new Array(nBytes);
for (var i=0; i<nBytes; i++) {
pwBytes[i] = isNaN(password.charCodeAt(i)) ? 0 : password.charCodeAt(i);
var key = this.Cipher(pwBytes, this.KeyExpansion(pwBytes)); // gives us 16-byte key
key = key.concat(key.slice(0, nBytes-16)); // expand key to 16/24/32 bytes long
// initialise counter block (NIST SP800-38A §B.2): millisecond time-stamp for nonce in 1st 8 bytes,
// block counter in 2nd 8 bytes
var counterBlock = new Array(blockSize);
var nonce = (new Date()).getTime(); // timestamp: milliseconds since 1-Jan-1970
var nonceSec = Math.floor(nonce/1000);
var nonceMs = nonce%1000;
// encode nonce with seconds in 1st 4 bytes, and (repeated) ms part filling 2nd 4 bytes
for (var i=0; i<4; i++) counterBlock[i] = (nonceSec >>> i*8) & 0xff;
for (var i=0; i<4; i++) counterBlock[i+4] = nonceMs & 0xff;
// and convert it to a string to go on the front of the ciphertext
var ctrTxt = '';
for (var i=0; i<8; i++) ctrTxt += String.fromCharCode(counterBlock[i]);
// generate key schedule - an expansion of the key into distinct Key Rounds for each round
var keySchedule = this.KeyExpansion(key);
var blockCount = Math.ceil(plaintext.length/blockSize);
var ciphertxt = new Array(blockCount); // ciphertext as array of strings
for (var b=0; b<blockCount; b++) {
// set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
// done in two stages for 32-bit ops: using two words allows us to go past 2^32 blocks (68GB)
for (var c=0; c<4; c++) counterBlock[15-c] = (b >>> c*8) & 0xff;
for (var c=0; c<4; c++) counterBlock[15-c-4] = (b/0x100000000 >>> c*8)
var cipherCntr = this.Cipher(counterBlock, keySchedule); // -- encrypt counter block --
// block size is reduced on final block
var blockLength = b<blockCount-1 ? blockSize : (plaintext.length-1)%blockSize+1;
var cipherChar = new Array(blockLength);
for (var i=0; i<blockLength; i++) { // -- xor plaintext with ciphered counter char-by-char --
cipherChar[i] = cipherCntr[i] ^ plaintext.charCodeAt(b*blockSize+i);
cipherChar[i] = String.fromCharCode(cipherChar[i]);
ciphertxt[b] = cipherChar.join('');
// Array.join is more efficient than repeated string concatenation
var ciphertext = ctrTxt + ciphertxt.join('');
ciphertext = ciphertext.encodeBase64(); // encode in base64
//alert((new Date()) - t);
return ciphertext;
* Decrypt a text encrypted by AES in counter mode of operation
* @param ciphertext source text to be encrypted
* @param password the password to use to generate a key
* @param nBits number of bits to be used in the key (128, 192, or 256)
* @return decrypted text
decrypt : function(ciphertext, password, nBits) {
var blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
if (!(nBits==128 || nBits==192 || nBits==256)) return ''; // standard allows 128/192/256 bit keys
ciphertext = ciphertext.decodeBase64();
password = password.encodeUTF8();
//var t = new Date(); // timer
// use AES to encrypt password (mirroring encrypt routine)
var nBytes = nBits/8; // no bytes in key
var pwBytes = new Array(nBytes);
for (var i=0; i<nBytes; i++) {
pwBytes[i] = isNaN(password.charCodeAt(i)) ? 0 : password.charCodeAt(i);
var key = this.Cipher(pwBytes, this.KeyExpansion(pwBytes));
key = key.concat(key.slice(0, nBytes-16)); // expand key to 16/24/32 bytes long
// recover nonce from 1st 8 bytes of ciphertext
var counterBlock = new Array(8);
var ctrTxt = ciphertext.slice(0, 8);
for (var i=0; i<8; i++) counterBlock[i] = ctrTxt.charCodeAt(i);
// generate key schedule
var keySchedule = this.KeyExpansion(key);
// separate ciphertext into blocks (skipping past initial 8 bytes)
var nBlocks = Math.ceil((ciphertext.length-8) / blockSize);
var ct = new Array(nBlocks);
for (var b=0; b<nBlocks; b++) ct[b] = ciphertext.slice(8+b*blockSize, 8+b*blockSize+blockSize);
ciphertext = ct; // ciphertext is now array of block-length strings
// plaintext will get generated block-by-block into array of block-length strings
var plaintxt = new Array(ciphertext.length);
for (var b=0; b<nBlocks; b++) {
// set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
for (var c=0; c<4; c++) counterBlock[15-c] = ((b) >>> c*8) & 0xff;
for (var c=0; c<4; c++) counterBlock[15-c-4] = (((b+1)/0x100000000-1) >>> c*8) & 0xff;
var cipherCntr = this.Cipher(counterBlock, keySchedule); // encrypt counter block
var plaintxtByte = new Array(ciphertext[b].length);
for (var i=0; i<ciphertext[b].length; i++) {
// -- xor plaintxt with ciphered counter byte-by-byte --
plaintxtByte[i] = cipherCntr[i] ^ ciphertext[b].charCodeAt(i);
plaintxtByte[i] = String.fromCharCode(plaintxtByte[i]);
plaintxt[b] = plaintxtByte.join('');
// join array of blocks into single plaintext string
var plaintext = plaintxt.join('');
plaintext = plaintext.decodeUTF8(); // decode from UTF8 back to Unicode multi-byte chars
//alert((new Date()) - t);
return plaintext;
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
* Encode string into Base64, as defined by RFC 4648 []
* (instance method extending String object). As per RFC 4648, no newlines are added.
* @param utf8encode optional parameter, if set to true Unicode string is encoded to UTF8 before
* conversion to base64; otherwise string is assumed to be 8-bit characters
* @return base64-encoded string
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
String.prototype.encodeBase64 = function(utf8encode) { //
utf8encode = (typeof utf8encode == 'undefined') ? false : utf8encode;
var o1, o2, o3, bits, h1, h2, h3, h4, e=[], pad = '', c, plain, coded;
plain = utf8encode ? this.encodeUTF8() : this;
c = plain.length % 3; // pad string to length of multiple of 3
if (c > 0) {
while (c++ < 3) {
pad += '='; plain += '\0';
// note: doing padding here saves us doing special-case packing for trailing 1 or 2 chars
for (c=0; c<plain.length; c+=3) { // pack three octets into four hexets
o1 = plain.charCodeAt(c);
o2 = plain.charCodeAt(c+1);
o3 = plain.charCodeAt(c+2);
bits = o1<<16 | o2<<8 | o3;
h1 = bits>>18 & 0x3f;
h2 = bits>>12 & 0x3f;
h3 = bits>>6 & 0x3f;
h4 = bits & 0x3f;
// use hextets to index into b64 string
e[c/3] = b64.charAt(h1) + b64.charAt(h2) + b64.charAt(h3) + b64.charAt(h4);
coded = e.join(''); // join() is far faster than repeated string concatenation
// replace 'A's from padded nulls with '='s
coded = coded.slice(0, coded.length-pad.length) + pad;
return coded;
* Decode string from Base64, as defined by RFC 4648 []
* (instance method extending String object). As per RFC 4648, newlines are not catered for.
* @param utf8decode optional parameter, if set to true UTF8 string is decoded back to Unicode
* after conversion from base64
* @return decoded string
String.prototype.decodeBase64 = function(utf8decode) {
utf8decode = (typeof utf8decode == 'undefined') ? false : utf8decode;
var o1, o2, o3, h1, h2, h3, h4, bits, d=[], plain, coded;
coded = utf8decode ? this.decodeUTF8() : this;
for (var c=0; c<coded.length; c+=4) { // unpack four hexets into three octets
h1 = b64.indexOf(coded.charAt(c));
h2 = b64.indexOf(coded.charAt(c+1));
h3 = b64.indexOf(coded.charAt(c+2));
h4 = b64.indexOf(coded.charAt(c+3));
bits = h1<<18 | h2<<12 | h3<<6 | h4;
o1 = bits>>>16 & 0xff;
o2 = bits>>>8 & 0xff;
o3 = bits & 0xff;
d[c/4] = String.fromCharCode(o1, o2, o3);
// check for padding
if (h4 == 0x40) d[c/4] = String.fromCharCode(o1, o2);
if (h3 == 0x40) d[c/4] = String.fromCharCode(o1);
plain = d.join(''); // join() is far faster than repeated string concatenation
return utf8decode ? plain.decodeUTF8() : plain;
* Encode multi-byte Unicode string into utf-8 multiple single-byte characters
* (BMP / basic multilingual plane only) (instance method extending String object).
* Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
* @return encoded string
String.prototype.encodeUTF8 = function() {
// use regular expressions & String.replace callback function for better efficiency
// than procedural approaches
var str = this.replace(
/[\u0080-\u07ff]/g, // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
function(c) {
var cc = c.charCodeAt(0);
return String.fromCharCode(0xc0 | cc>>6, 0x80 | cc&0x3f);
str = str.replace(
/[\u0800-\uffff]/g, // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
function(c) {
var cc = c.charCodeAt(0);
return String.fromCharCode(0xe0 | cc>>12, 0x80 | cc>>6&0x3F, 0x80 | cc&0x3f);
return str;
* Decode utf-8 encoded string back into multi-byte Unicode characters
* (instance method extending String object).
* @return decoded string
String.prototype.decodeUTF8 = function() {
var str = this.replace(
/[\u00c0-\u00df][\u0080-\u00bf]/g, // 2-byte chars
function(c) { // (note parentheses for precence)
var cc = (c.charCodeAt(0)&0x1f)<<6 | c.charCodeAt(1)&0x3f;
return String.fromCharCode(cc);
str = str.replace(
/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g, // 3-byte chars
function(c) { // (note parentheses for precence)
var cc = ((c.charCodeAt(0)&0x0f)<<12) | ((c.charCodeAt(1)&0x3f)<<6) | ( c.charCodeAt(2)&0x3f);
return String.fromCharCode(cc);
return str;
/* aes.php Copyright © 2005-2008 Chris Veness. Right of free use is granted for all
* commercial or non-commercial use. No warranty of any form is offered.
class AES {
/** Sbox is pre-computed multiplicative inverse in GF(2^8) used in SubBytes and KeyExpansion [§5.1.1] */
protected static $Sbox = array(
/** Rcon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2] */
protected static $Rcon = array(
array(0x00, 0x00, 0x00, 0x00),
array(0x01, 0x00, 0x00, 0x00),
array(0x02, 0x00, 0x00, 0x00),
array(0x04, 0x00, 0x00, 0x00),
array(0x08, 0x00, 0x00, 0x00),
array(0x10, 0x00, 0x00, 0x00),
array(0x20, 0x00, 0x00, 0x00),
array(0x40, 0x00, 0x00, 0x00),
array(0x80, 0x00, 0x00, 0x00),
array(0x1b, 0x00, 0x00, 0x00),
array(0x36, 0x00, 0x00, 0x00),
* AES Cipher function: encrypt 'input' with Rijndael algorithm
* @param input message as byte-array (16 bytes)
* @param w key schedule as 2D byte-array (Nr+1 x Nb bytes) -
* generated from the cipher key by KeyExpansion()
* @return ciphertext as byte-array (16 bytes)
protected static function Cipher($input, $w) { // main Cipher function [§5.1]
$Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)
$Nr = count($w)/$Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys
$state = array(); // initialise 4xNb byte-array 'state' with input [§3.4]
for ($i=0; $i<4*$Nb; $i++) $state[$i%4][floor($i/4)] = $input[$i];
$state = self::AddRoundKey($state, $w, 0, $Nb);
for ($round=1; $round<$Nr; $round++) { // apply Nr rounds
$state = self::SubBytes($state, $Nb);
$state = self::ShiftRows($state, $Nb);
$state = self::MixColumns($state, $Nb);
$state = self::AddRoundKey($state, $w, $round, $Nb);
$state = self::SubBytes($state, $Nb);
$state = self::ShiftRows($state, $Nb);
$state = self::AddRoundKey($state, $w, $Nr, $Nb);
$output = array(4*$Nb); // convert state to 1-d array before returning [§3.4]
for ($i=0; $i<4*$Nb; $i++) $output[$i] = $state[$i%4][floor($i/4)];
return $output;
protected static function AddRoundKey($state, $w, $rnd, $Nb) { // xor Round Key into state S [§5.1.4]
for ($r=0; $r<4; $r++) {
for ($c=0; $c<$Nb; $c++) $state[$r][$c] ^= $w[$rnd*4+$c][$r];
return $state;
protected static function SubBytes($s, $Nb) { // apply SBox to state S [§5.1.1]
for ($r=0; $r<4; $r++) {
for ($c=0; $c<$Nb; $c++) $s[$r][$c] = self::$Sbox[$s[$r][$c]];
return $s;
* shift row r of state S left by r bytes [§5.1.2]
* @param $s
* @param $Nb
* @return
protected static function ShiftRows($s, $Nb) {
$t = array(4);
for ($r=1; $r<4; $r++) {
for ($c=0; $c<4; $c++) $t[$c] = $s[$r][($c+$r)%$Nb]; // shift into temp copy
for ($c=0; $c<4; $c++) $s[$r][$c] = $t[$c]; // and copy back
} // note that this will work for Nb=4,5,6, but not 7,8 (always 4 for AES):
return $s; // see
* combine bytes of each col of state S [§5.1.3]
* @param $s
* @param $Nb
* @return
protected static function MixColumns($s, $Nb) {
for ($c=0; $c<4; $c++) {
$a = array(4); // 'a' is a copy of the current column from 's'
$b = array(4); // 'b' is a•{02} in GF(2^8)
for ($i=0; $i<4; $i++) {
$a[$i] = $s[$i][$c];
$b[$i] = $s[$i][$c]&0x80 ? $s[$i][$c]<<1 ^ 0x011b : $s[$i][$c]<<1;
// a[n] ^ b[n] is a•{03} in GF(2^8)
$s[0][$c] = $b[0] ^ $a[1] ^ $b[1] ^ $a[2] ^ $a[3]; // 2*a0 + 3*a1 + a2 + a3
$s[1][$c] = $a[0] ^ $b[1] ^ $a[2] ^ $b[2] ^ $a[3]; // a0 * 2*a1 + 3*a2 + a3
$s[2][$c] = $a[0] ^ $a[1] ^ $b[2] ^ $a[3] ^ $b[3]; // a0 + a1 + 2*a2 + 3*a3
$s[3][$c] = $a[0] ^ $b[0] ^ $a[1] ^ $a[2] ^ $b[3]; // 3*a0 + a1 + a2 + 2*a3
return $s;
* Key expansion for Rijndael Cipher(): performs key expansion on cipher key
* to generate a key schedule
* @param key cipher key byte-array (16 bytes)
* @return key schedule as 2D byte-array (Nr+1 x Nb bytes)
protected static function KeyExpansion($key) { // generate Key Schedule from Cipher Key [§5.2]
$Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES)
$Nk = count($key)/4; // key length (in words): 4/6/8 for 128/192/256-bit keys
$Nr = $Nk + 6; // no of rounds: 10/12/14 for 128/192/256-bit keys
$w = array();
$temp = array();
for ($i=0; $i<$Nk; $i++) {
$r = array($key[4*$i], $key[4*$i+1], $key[4*$i+2], $key[4*$i+3]);
$w[$i] = $r;
for ($i=$Nk; $i<($Nb*($Nr+1)); $i++) {
$w[$i] = array();
for ($t=0; $t<4; $t++) $temp[$t] = $w[$i-1][$t];
if ($i % $Nk == 0) {
$temp = self::SubWord( self::RotWord($temp) );
for ($t=0; $t<4; $t++) $temp[$t] ^= self::$Rcon[$i/$Nk][$t];
} else if ($Nk > 6 && $i%$Nk == 4) {
$temp = self::SubWord($temp);
for ($t=0; $t<4; $t++) $w[$i][$t] = $w[$i-$Nk][$t] ^ $temp[$t];
return $w;
protected static function SubWord($w) { // apply SBox to 4-byte word w
for ($i=0; $i<4; $i++) $w[$i] = self::$Sbox[$w[$i]];
return $w;
protected static function RotWord($w) { // rotate 4-byte word w left by one byte
$w[4] = $w[0];
for ($i=0; $i<4; $i++) $w[$i] = $w[$i+1];
return $w;
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
* Encrypt a text using AES encryption in Counter mode of operation
* - see
* Unicode multi-byte character safe
* @param plaintext source text to be encrypted
* @param password the password to use to generate a key
* @param nBits number of bits to be used in the key (128, 192, or 256)
* @return encrypted text
public static function encrypt($plaintext, $password, $nBits) {
$blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
if (!($nBits==128 || $nBits==192 || $nBits==256)) return ''; // standard allows 128/192/256 bit keys
// note PHP (5) gives us plaintext and password in UTF8 encoding!
// use AES itself to encrypt password to get cipher key (using plain password as source for key
// expansion) - gives us well encrypted key
$nBytes = $nBits/8; // no bytes in key
$pwBytes = array();
for ($i=0; $i<$nBytes; $i++) $pwBytes[$i] = ord(substr($password,$i,1)) & 0xff;
$key = self::Cipher($pwBytes, self::KeyExpansion($pwBytes));
$key = array_merge($key, array_slice($key, 0, $nBytes-16)); // expand key to 16/24/32 bytes long
// initialise counter block (NIST SP800-38A §B.2): millisecond time-stamp for nonce in
// 1st 8 bytes, block counter in 2nd 8 bytes
$counterBlock = array();
$nonce = floor(microtime(true)*1000); // timestamp: milliseconds since 1-Jan-1970
$nonceSec = floor($nonce/1000);
$nonceMs = $nonce%1000;
// encode nonce with seconds in 1st 4 bytes, and (repeated) ms part filling 2nd 4 bytes
for ($i=0; $i<4; $i++) $counterBlock[$i] = self::urs($nonceSec, $i*8) & 0xff;
for ($i=0; $i<4; $i++) $counterBlock[$i+4] = $nonceMs & 0xff;
// and convert it to a string to go on the front of the ciphertext
$ctrTxt = '';
for ($i=0; $i<8; $i++) $ctrTxt .= chr($counterBlock[$i]);
// generate key schedule - an expansion of the key into distinct Key Rounds for each round
$keySchedule = self::KeyExpansion($key);
$blockCount = ceil(strlen($plaintext)/$blockSize);
$ciphertxt = array(); // ciphertext as array of strings
for ($b=0; $b<$blockCount; $b++) {
// set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
// done in two stages for 32-bit ops: using two words allows us to go past 2^32 blocks (68GB)
for ($c=0; $c<4; $c++) $counterBlock[15-$c] = self::urs($b, $c*8) & 0xff;
for ($c=0; $c<4; $c++) $counterBlock[15-$c-4] = self::urs($b/0x100000000, $c*8);
$cipherCntr = self::Cipher($counterBlock, $keySchedule); // -- encrypt counter block --
// block size is reduced on final block
$blockLength = $b<$blockCount-1 ? $blockSize : (strlen($plaintext)-1)%$blockSize+1;
$cipherByte = array();
for ($i=0; $i<$blockLength; $i++) { // -- xor plaintext with ciphered counter byte-by-byte --
$cipherByte[$i] = $cipherCntr[$i] ^ ord(substr($plaintext, $b*$blockSize+$i, 1));
$cipherByte[$i] = chr($cipherByte[$i]);
$ciphertxt[$b] = implode('', $cipherByte); // escape troublesome characters in ciphertext
// implode is more efficient than repeated string concatenation
$ciphertext = $ctrTxt . implode('', $ciphertxt);
$ciphertext = base64_encode($ciphertext);
return $ciphertext;
* Decrypt a text encrypted by AES in counter mode of operation
* @param ciphertext source text to be decrypted
* @param password the password to use to generate a key
* @param nBits number of bits to be used in the key (128, 192, or 256)
* @return decrypted text
public static function decrypt($ciphertext, $password, $nBits) {
$blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES
if (!($nBits==128 || $nBits==192 || $nBits==256)) return ''; // standard allows 128/192/256 bit keys
$ciphertext = base64_decode($ciphertext);
// use AES to encrypt password (mirroring encrypt routine)
$nBytes = $nBits/8; // no bytes in key
$pwBytes = array();
for ($i=0; $i<$nBytes; $i++) $pwBytes[$i] = ord(substr($password,$i,1)) & 0xff;
$key = self::Cipher($pwBytes, self::KeyExpansion($pwBytes));
$key = array_merge($key, array_slice($key, 0, $nBytes-16)); // expand key to 16/24/32 bytes long
// recover nonce from 1st element of ciphertext
$counterBlock = array();
for ($i=0; $i<$blockSize; $i++) $counterBlock[] = 0;
$ctrTxt = substr($ciphertext, 0, 8);
for ($i=0; $i<8; $i++) $counterBlock[$i] = ord(substr($ctrTxt,$i,1));
// generate key schedule
$keySchedule = self::KeyExpansion($key);
// separate ciphertext into blocks (skipping past initial 8 bytes)
$nBlocks = ceil((strlen($ciphertext)-8) / $blockSize);
$ct = array();
for ($b=0; $b<$nBlocks; $b++) $ct[$b] = substr($ciphertext, 8+$b*$blockSize, $blockSize);
$ciphertext = $ct; // ciphertext is now array of block-length strings
// plaintext will get generated block-by-block into array of block-length strings
$plaintxt = array();
for ($b=0; $b<$nBlocks; $b++) {
// set counter (block #) in last 8 bytes of counter block (leaving nonce in 1st 8 bytes)
for ($c=0; $c<4; $c++) $counterBlock[15-$c] = self::urs($b, $c*8) & 0xff;
for ($c=0; $c<4; $c++) $counterBlock[15-$c-4] = self::urs(($b+1)/0x100000000-1, $c*8) & 0xff;
$cipherCntr = self::Cipher($counterBlock, $keySchedule); // encrypt counter block
$plaintxtByte = array();
for ($i=0; $i<strlen($ciphertext[$b]); $i++) {
// -- xor plaintext with ciphered counter byte-by-byte --
$plaintxtByte[$i] = $cipherCntr[$i] ^ ord(substr($ciphertext[$b],$i,1));
$plaintxtByte[$i] = chr($plaintxtByte[$i]);
$plaintxt[$b] = implode('', $plaintxtByte);
// join array of blocks into single plaintext string
$plaintext = implode('',$plaintxt);
return $plaintext;
* Unsigned right shift function, since PHP has neither >>> operator nor unsigned ints
* @param a number to be shifted (32-bit integer)
* @param b number of bits to shift a to the right (0..31)
* @return a right-shifted and zero-filled by b bits
protected static function urs($a, $b) {
$a &= 0xffffffff; $b &= 0x1f; // (bounds check)
if ($a&0x80000000 && $b>0) { // if left-most bit set
$a = ($a>>1) & 0x7fffffff; // right-shift one bit & clear left-most bit
$a = $a >> ($b-1); // remaining right-shifts
} else { // otherwise
$a = ($a>>$b); // use normal right-shift
return $a;
# -*- coding: utf8 -*-
This is a port of Chris Veness' AES implementation:
Copyright ©2005-2008 Chris Veness. Right of free use is granted for all
commercial or non-commercial use. No warranty of any form is offered.
Ported in 2009 by Markus Birth <>
import base64
import datetime
import math
import time
"""Sbox is pre-computed multiplicative inverse in GF(2^8) used in SubBytes and KeyExpansion [§5.1.1]"""
Sbox = [
"""Rcon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2]"""
Rcon = [
[0x00, 0x00, 0x00, 0x00],
[0x01, 0x00, 0x00, 0x00],
[0x02, 0x00, 0x00, 0x00],
[0x04, 0x00, 0x00, 0x00],
[0x08, 0x00, 0x00, 0x00],
[0x10, 0x00, 0x00, 0x00],
[0x20, 0x00, 0x00, 0x00],
[0x40, 0x00, 0x00, 0x00],
[0x80, 0x00, 0x00, 0x00],
[0x1b, 0x00, 0x00, 0x00],
[0x36, 0x00, 0x00, 0x00]
def Cipher(input, w):
Nb = 4
Nr = len(w)/Nb - 1
state = [ [0] * Nb, [0] * Nb, [0] * Nb, [0] * Nb ]
for i in range(0, 4*Nb): state[i%4][i//4] = input[i]
state = AddRoundKey(state, w, 0, Nb)
for round in range(1, Nr):
state = SubBytes(state, Nb)
state = ShiftRows(state, Nb)
state = MixColumns(state, Nb)
state = AddRoundKey(state, w, round, Nb)
state = SubBytes(state, Nb)
state = ShiftRows(state, Nb)
state = AddRoundKey(state, w, Nr, Nb)
output = [0] * 4*Nb
for i in range(4*Nb): output[i] = state[i%4][i//4]
return output
def SubBytes(s, Nb):
for r in range(4):
for c in range(Nb):
s[r][c] = Sbox[s[r][c]]
return s
def ShiftRows(s, Nb):
t = [0] * 4
for r in range (1,4):
for c in range(4): t[c] = s[r][(c+r)%Nb]
for c in range(4): s[r][c] = t[c]
return s
def MixColumns(s, Nb):
for c in range(4):
a = [0] * 4
b = [0] * 4
for i in range(4):
a[i] = s[i][c]
b[i] = s[i][c]<<1 ^ 0x011b if s[i][c]&0x80 else s[i][c]<<1
s[0][c] = b[0] ^ a[1] ^ b[1] ^ a[2] ^ a[3]
s[1][c] = a[0] ^ b[1] ^ a[2] ^ b[2] ^ a[3]
s[2][c] = a[0] ^ a[1] ^ b[2] ^ a[3] ^ b[3]
s[3][c] = a[0] ^ b[0] ^ a[1] ^ a[2] ^ b[3]
return s
def AddRoundKey(state, w, rnd, Nb):
for r in range(4):
for c in range(Nb):
state[r][c] ^= w[rnd*4+c][r]
return state
def KeyExpansion(key):
Nb = 4
Nk = len(key)/4
Nr = Nk + 6
w = [0] * Nb*(Nr+1)
temp = [0] * 4
for i in range(Nk):
r = [key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]]
w[i] = r
for i in range(Nk, Nb*(Nr+1)):
w[i] = [0] * 4
for t in range(4): temp[t] = w[i-1][t]
if i%Nk == 0:
temp = SubWord(RotWord(temp))
for t in range(4): temp[t] ^= Rcon[i/Nk][t]
elif Nk>6 and i%Nk == 4:
temp = SubWord(temp)
for t in range(4): w[i][t] = w[i-Nk][t] ^ temp[t]
return w
def SubWord(w):
for i in range(4): w[i] = Sbox[w[i]]
return w
def RotWord(w):
tmp = w[0]
for i in range(3): w[i] = w[i+1]
w[3] = tmp
return w
def encrypt(plaintext, password, nBits):
blockSize = 16
if not nBits in (128, 192, 256): return ""
# plaintext = plaintext.encode("utf-8")
# password = password.encode("utf-8")
nBytes = nBits//8
pwBytes = [0] * nBytes
for i in range(nBytes): pwBytes[i] = 0 if i>=len(password) else ord(password[i])
key = Cipher(pwBytes, KeyExpansion(pwBytes))
key += key[:nBytes-16]
counterBlock = [0] * blockSize
now =
nonce = time.mktime( now.timetuple() )*1000 + now.microsecond//1000
nonceSec = int(nonce // 1000)
nonceMs = int(nonce % 1000)
for i in range(4): counterBlock[i] = urs(nonceSec, i*8) & 0xff
for i in range(4): counterBlock[i+4] = nonceMs & 0xff
ctrTxt = ""
for i in range(8): ctrTxt += chr(counterBlock[i])
keySchedule = KeyExpansion(key)
blockCount = int(math.ceil(float(len(plaintext))/float(blockSize)))
ciphertxt = [0] * blockCount
for b in range(blockCount):
for c in range(4): counterBlock[15-c] = urs(b, c*8) & 0xff
for c in range(4): counterBlock[15-c-4] = urs(b/0x100000000, c*8)
cipherCntr = Cipher(counterBlock, keySchedule)
blockLength = blockSize if b<blockCount-1 else (len(plaintext)-1)%blockSize+1
cipherChar = [0] * blockLength
for i in range(blockLength):
cipherChar[i] = cipherCntr[i] ^ ord(plaintext[b*blockSize+i])
cipherChar[i] = chr( cipherChar[i] )
ciphertxt[b] = ''.join(cipherChar)
ciphertext = ctrTxt + ''.join(ciphertxt)
ciphertext = base64.b64encode(ciphertext)
return ciphertext
def decrypt(ciphertext, password, nBits):
blockSize = 16
if not nBits in (128, 192, 256): return ""
ciphertext = base64.b64decode(ciphertext)
# password = password.encode("utf-8")
nBytes = nBits//8
pwBytes = [0] * nBytes
for i in range(nBytes): pwBytes[i] = 0 if i>=len(password) else ord(password[i])
key = Cipher(pwBytes, KeyExpansion(pwBytes))
key += key[:nBytes-16]
counterBlock = [0] * blockSize
ctrTxt = ciphertext[:8]
for i in range(8): counterBlock[i] = ord(ctrTxt[i])
keySchedule = KeyExpansion(key)
nBlocks = int( math.ceil( float(len(ciphertext)-8) / float(blockSize) ) )
ct = [0] * nBlocks
for b in range(nBlocks):
ct[b] = ciphertext[8+b*blockSize : 8+b*blockSize+blockSize]
ciphertext = ct
plaintxt = [0] * len(ciphertext)
for b in range(nBlocks):
for c in range(4): counterBlock[15-c] = urs(b, c*8) & 0xff
for c in range(4): counterBlock[15-c-4] = urs( int( float(b+1)/0x100000000-1 ), c*8) & 0xff
cipherCntr = Cipher(counterBlock, keySchedule)
plaintxtByte = [0] * len(ciphertext[b])
for i in range(len(ciphertext[b])):
plaintxtByte[i] = cipherCntr[i] ^ ord(ciphertext[b][i])
plaintxtByte[i] = chr(plaintxtByte[i])
plaintxt[b] = "".join(plaintxtByte)
plaintext = "".join(plaintxt)
# plaintext = plaintext.decode("utf-8")
return plaintext
def urs(a, b):
a &= 0xffffffff
b &= 0x1f
if a&0x80000000 and b>0:
a = (a>>1) & 0x7fffffff
a = a >> (b-1)
a = (a >> b)
return a
A pure python (slow) implementation of rijndael with a decent interface
To include -
from rijndael import rijndael
To do a key setup -
r = rijndael(key, block_size = 16)
key must be a string of length 16, 24, or 32
blocksize must be 16, 24, or 32. Default is 16
To use -
ciphertext = r.encrypt(plaintext)
plaintext = r.decrypt(ciphertext)
If any strings are of the wrong length a ValueError is thrown
# ported from the Java reference code by Bram Cohen, April 2001
# this code is public domain, unless someone makes
# an intellectual property claim against the reference
# code, in which case it can be made public domain by
# deleting all the comments and renaming all the variables
import copy
import string
shifts = [[[0, 0], [1, 3], [2, 2], [3, 1]],
[[0, 0], [1, 5], [2, 4], [3, 3]],
[[0, 0], [1, 7], [3, 5], [4, 4]]]
# [keysize][block_size]
num_rounds = {16: {16: 10, 24: 12, 32: 14}, 24: {16: 12, 24: 12, 32: 14}, 32: {16: 14, 24: 14, 32: 14}}
A = [[1, 1, 1, 1, 1, 0, 0, 0],
[0, 1, 1, 1, 1, 1, 0, 0],
[0, 0, 1, 1, 1, 1, 1, 0],
[0, 0, 0, 1, 1, 1, 1, 1],
[1, 0, 0, 0, 1, 1, 1, 1],
[1, 1, 0, 0, 0, 1, 1, 1],
[1, 1, 1, 0, 0, 0, 1, 1],
[1, 1, 1, 1, 0, 0, 0, 1]]
# produce log and alog tables, needed for multiplying in the
# field GF(2^m) (generator = 3)
alog = [1]
for i in range(255):
j = (alog[-1] << 1) ^ alog[-1]
if j & 0x100 != 0:
j ^= 0x11B
log = [0] * 256
for i in range(1, 255):
log[alog[i]] = i
# multiply two elements of GF(2^m)
def mul(a, b):
if a == 0 or b == 0:
return 0
return alog[(log[a & 0xFF] + log[b & 0xFF]) % 255]
# substitution box based on F^{-1}(x)
box = [[0] * 8 for i in range(256)]
box[1][7] = 1
for i in range(2, 256):
j = alog[255 - log[i]]
for t in range(8):
box[i][t] = (j >> (7 - t)) & 0x01
B = [0, 1, 1, 0, 0, 0, 1, 1]
# affine transform: box[i] <- B + A*box[i]
cox = [[0] * 8 for i in range(256)]
for i in range(256):
for t in range(8):
cox[i][t] = B[t]
for j in range(8):
cox[i][t] ^= A[t][j] * box[i][j]
# S-boxes and inverse S-boxes
S = [0] * 256
Si = [0] * 256
for i in range(256):
S[i] = cox[i][0] << 7
for t in range(1, 8):
S[i] ^= cox[i][t] << (7-t)
Si[S[i] & 0xFF] = i
# T-boxes
G = [[2, 1, 1, 3],
[3, 2, 1, 1],
[1, 3, 2, 1],
[1, 1, 3, 2]]
AA = [[0] * 8 for i in range(4)]
for i in range(4):
for j in range(4):
AA[i][j] = G[i][j]
AA[i][i+4] = 1
for i in range(4):
pivot = AA[i][i]
if pivot == 0:
t = i + 1
while AA[t][i] == 0 and t < 4:
t += 1
assert t != 4, 'G matrix must be invertible'
for j in range(8):
AA[i][j], AA[t][j] = AA[t][j], AA[i][j]
pivot = AA[i][i]
for j in range(8):
if AA[i][j] != 0:
AA[i][j] = alog[(255 + log[AA[i][j] & 0xFF] - log[pivot & 0xFF]) % 255]
for t in range(4):
if i != t:
for j in range(i+1, 8):
AA[t][j] ^= mul(AA[i][j], AA[t][i])
AA[t][i] = 0
iG = [[0] * 4 for i in range(4)]
for i in range(4):
for j in range(4):
iG[i][j] = AA[i][j + 4]
def mul4(a, bs):
if a == 0:
return 0
r = 0
for b in bs:
r <<= 8
if b != 0:
r = r | mul(a, b)
return r
T1 = []
T2 = []
T3 = []
T4 = []
T5 = []
T6 = []
T7 = []
T8 = []
U1 = []
U2 = []
U3 = []
U4 = []
for t in range(256):
s = S[t]
T1.append(mul4(s, G[0]))
T2.append(mul4(s, G[1]))
T3.append(mul4(s, G[2]))
T4.append(mul4(s, G[3]))
s = Si[t]
T5.append(mul4(s, iG[0]))
T6.append(mul4(s, iG[1]))
T7.append(mul4(s, iG[2]))
T8.append(mul4(s, iG[3]))
U1.append(mul4(t, iG[0]))
U2.append(mul4(t, iG[1]))
U3.append(mul4(t, iG[2]))
U4.append(mul4(t, iG[3]))
# round constants
rcon = [1]
r = 1
for t in range(1, 30):
r = mul(2, r)
del A
del AA
del pivot
del B
del G
del box
del log
del alog
del i
del j
del r
del s
del t
del mul
del mul4
del cox
del iG
class rijndael:
def __init__(self, key, block_size = 16):
if block_size != 16 and block_size != 24 and block_size != 32:
raise ValueError('Invalid block size: ' + str(block_size))
if len(key) != 16 and len(key) != 24 and len(key) != 32:
raise ValueError('Invalid key size: ' + str(len(key)))
self.block_size = block_size
ROUNDS = num_rounds[len(key)][block_size]
BC = block_size // 4
# encryption round keys
Ke = [[0] * BC for i in range(ROUNDS + 1)]
# decryption round keys
Kd = [[0] * BC for i in range(ROUNDS + 1)]
KC = len(key) // 4
# copy user material bytes into temporary ints
tk = []
for i in range(0, KC):
tk.append((ord(key[i * 4]) << 24) | (ord(key[i * 4 + 1]) << 16) |
(ord(key[i * 4 + 2]) << 8) | ord(key[i * 4 + 3]))
# copy values into round key arrays
t = 0
j = 0
while j < KC and t < ROUND_KEY_COUNT:
Ke[t // BC][t % BC] = tk[j]
Kd[ROUNDS - (t // BC)][t % BC] = tk[j]
j += 1
t += 1
tt = 0
rconpointer = 0
while t < ROUND_KEY_COUNT:
# extrapolate using phi (the round key evolution function)
tt = tk[KC - 1]
tk[0] ^= (S[(tt >> 16) & 0xFF] & 0xFF) << 24 ^ \
(S[(tt >> 8) & 0xFF] & 0xFF) << 16 ^ \
(S[ tt & 0xFF] & 0xFF) << 8 ^ \
(S[(tt >> 24) & 0xFF] & 0xFF) ^ \
(rcon[rconpointer] & 0xFF) << 24
rconpointer += 1
if KC != 8:
for i in range(1, KC):
tk[i] ^= tk[i-1]
for i in range(1, KC // 2):
tk[i] ^= tk[i-1]
tt = tk[KC // 2 - 1]
tk[KC // 2] ^= (S[ tt & 0xFF] & 0xFF) ^ \
(S[(tt >> 8) & 0xFF] & 0xFF) << 8 ^ \
(S[(tt >> 16) & 0xFF] & 0xFF) << 16 ^ \
(S[(tt >> 24) & 0xFF] & 0xFF) << 24
for i in range(KC // 2 + 1, KC):
tk[i] ^= tk[i-1]
# copy values into round key arrays
j = 0
while j < KC and t < ROUND_KEY_COUNT:
Ke[t // BC][t % BC] = tk[j]
Kd[ROUNDS - (t // BC)][t % BC] = tk[j]
j += 1
t += 1
# inverse MixColumn where needed
for r in range(1, ROUNDS):
for j in range(BC):
tt = Kd[r][j]
Kd[r][j] = U1[(tt >> 24) & 0xFF] ^ \
U2[(tt >> 16) & 0xFF] ^ \
U3[(tt >> 8) & 0xFF] ^ \
U4[ tt & 0xFF]
self.Ke = Ke
self.Kd = Kd
def encrypt(self, plaintext):
if len(plaintext) != self.block_size:
raise ValueError('wrong block length, expected ' + str(self.block_size) + ' got ' + str(len(plaintext)))
Ke = self.Ke
BC = self.block_size // 4
ROUNDS = len(Ke) - 1
if BC == 4:
SC = 0
elif BC == 6:
SC = 1
SC = 2
s1 = shifts[SC][1][0]
s2 = shifts[SC][2][0]
s3 = shifts[SC][3][0]
a = [0] * BC
# temporary work array
t = []
# plaintext to ints + key
for i in range(BC):
t.append((ord(plaintext[i * 4 ]) << 24 |
ord(plaintext[i * 4 + 1]) << 16 |
ord(plaintext[i * 4 + 2]) << 8 |
ord(plaintext[i * 4 + 3]) ) ^ Ke[0][i])
# apply round transforms
for r in range(1, ROUNDS):
for i in range(BC):
a[i] = (T1[(t[ i ] >> 24) & 0xFF] ^
T2[(t[(i + s1) % BC] >> 16) & 0xFF] ^
T3[(t[(i + s2) % BC] >> 8) & 0xFF] ^
T4[ t[(i + s3) % BC] & 0xFF] ) ^ Ke[r][i]
t = copy.copy(a)
# last round is special
result = []
for i in range(BC):
tt = Ke[ROUNDS][i]
result.append((S[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((S[(t[(i + s1) % BC] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
result.append((S[(t[(i + s2) % BC] >> 8) & 0xFF] ^ (tt >> 8)) & 0xFF)
result.append((S[ t[(i + s3) % BC] & 0xFF] ^ tt ) & 0xFF)
return ''.join(map(chr, result))
def decrypt(self, ciphertext):
if len(ciphertext) != self.block_size:
raise ValueError('wrong block length, expected ' + str(self.block_size) + ' got ' + str(len(ciphertext)))
Kd = self.Kd
BC = self.block_size // 4
ROUNDS = len(Kd) - 1
if BC == 4:
SC = 0
elif BC == 6:
SC = 1
SC = 2
s1 = shifts[SC][1][1]
s2 = shifts[SC][2][1]
s3 = shifts[SC][3][1]
a = [0] * BC
# temporary work array
t = [0] * BC
# ciphertext to ints + key
for i in range(BC):
t[i] = (ord(ciphertext[i * 4 ]) << 24 |
ord(ciphertext[i * 4 + 1]) << 16 |
ord(ciphertext[i * 4 + 2]) << 8 |
ord(ciphertext[i * 4 + 3]) ) ^ Kd[0][i]
# apply round transforms
for r in range(1, ROUNDS):
for i in range(BC):
a[i] = (T5[(t[ i ] >> 24) & 0xFF] ^
T6[(t[(i + s1) % BC] >> 16) & 0xFF] ^
T7[(t[(i + s2) % BC] >> 8) & 0xFF] ^
T8[ t[(i + s3) % BC] & 0xFF] ) ^ Kd[r][i]
t = copy.copy(a)
# last round is special
result = []
for i in range(BC):
tt = Kd[ROUNDS][i]
result.append((Si[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((Si[(t[(i + s1) % BC] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
result.append((Si[(t[(i + s2) % BC] >> 8) & 0xFF] ^ (tt >> 8)) & 0xFF)
result.append((Si[ t[(i + s3) % BC] & 0xFF] ^ tt ) & 0xFF)
return ''.join(map(chr, result))
def encrypt(key, block):
return rijndael(key, len(block)).encrypt(block)
def decrypt(key, block):
return rijndael(key, len(block)).decrypt(block)
def test():
def t(kl, bl):
b = 'b' * bl
r = rijndael('a' * kl, bl)
assert r.decrypt(r.encrypt(b)) == b
t(16, 16)
t(16, 24)
t(16, 32)
t(24, 16)
t(24, 24)
t(24, 32)
t(32, 16)
t(32, 24)
t(32, 32)
