Okay, I am a little bit puzzled.  I have been working with AES/Rijndael for a 
couple months now, and I have just run into something interesting.

I have written two AES 128-bit implementations, one in C and one for a 
microcontroller.  I have carefully studied various references, including 
FIPS-197 and its test vectors.  I have tested the C-language encryption and 
decryption functions with untold millions of pseudo-random blocks, checking 
that the encrypted blocks decrypt back to the originals, and also using the 
FreeBSD rijndael functions (in libssh) as an arm's-length comparison.  I have 
also compared the results from my assembly language functions with those on 
my FreeBSD box, but not as extensively.  So with three different code 
implementations seemingly in agreement, I _thought_ things were just fine.

Now I have run across an "interesting" situation.  It appears that I have two 
different plaintext blocks that encrypt into the same cipher text.  
Obviously, decryption will only provide one of the two original blocks.  It 
was my understanding that one (and only one) plaintext will encrypt into a 
particular cipher text, and vice versa.  So that is why I am puzzled.

It also appears that I may have many more examples, if one is not enough.

Here is my AES 128 bit key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Here is plaintext #1: 920F0CE0A9A96BB9D8416962BDBBAA7C
Here is plaintext #2: c74601001001000000000054006b51FF

With my two implementations and the FreeBSD SSH library, I get:
Encrypted result: c93d42187034cea8671b88431000d18c

I have attached a test program that demonstrates this with the FreeBSD 
Rijndael library.  I have tested this on 6.0/AMD64 and 6.2/I386 with the same 
results.  For 6.0, the ssh_ prefix is removed from the rijndael function 
calls.

> cc -Wall -O2 aes_test.c -o aes_test -l ssh
aes_test.c: In function `encrypt_1':
aes_test.c:136: warning: implicit declaration of function 
`ssh_rijndael_set_key'
aes_test.c:137: warning: implicit declaration of function 
`ssh_rijndael_encrypt'
> ./aes_test
Using key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

920F0CE0A9A96BB9D8416962BDBBAA7C
decr: 92 0f 0c e0 a9 a9 6b b9 d8 41 69 62 bd bb aa 7c
encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 00 d1 8c

c74601001001000000000054006b51FF
decr: c7 46 01 00 10 01 00 00 00 00 00 54 00 6b 51 ff
encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 a2 d1 8c

So I am asking if anyone can point out if I made an "obvious mistake", 
duplicate my results on your own system, or provide some other useful 
information on this.

Many thanks!
-Richard
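
A check of the property the post relies on, that AES under a fixed key maps distinct plaintext blocks to distinct ciphertext blocks. This is an added example, not part of the original post or its attached aes_test.c: a self-contained AES-128 encryption written from FIPS-197, validated against the FIPS-197 Appendix B vector (which uses the same key) and then run on both posted plaintexts. The names aes128_encrypt, enc_diff and the constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

static uint8_t sbox[256] = {0x63};           /* sbox[0]; init_sbox() fills the rest */
static uint8_t xt(uint8_t x) { return (uint8_t)((x << 1) ^ ((x >> 7) * 0x1b)); } /* times 2 in GF(2^8) */
static uint8_t rotl(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
static void init_sbox(void) {                /* inverse in GF(2^8), then the affine map */
    uint8_t p = 1, q = 1;
    do {
        p ^= xt(p);                                                   /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q ^= (q >> 7) * 0x09;  /* q /= 3 */
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63;
    } while (p != 1);
}
void aes128_encrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t rk[176], t[16], rcon = 1;
    if (!sbox[1]) init_sbox();
    for (int i = 0; i < 16; i++) rk[i] = key[i];
    for (int i = 16; i < 176; i++) {         /* key expansion, byte by byte */
        uint8_t w = i % 16 < 4 ? sbox[rk[i - 4 - i % 4 + (i + 1) % 4]] : rk[i - 4];
        if (i % 16 == 0) { w ^= rcon; rcon = xt(rcon); }
        rk[i] = rk[i - 16] ^ w;
    }
    for (int i = 0; i < 16; i++) out[i] = in[i] ^ rk[i];
    for (int r = 1; r <= 10; r++) {
        for (int i = 0; i < 16; i++) t[i] = sbox[out[(i + 4 * (i % 4)) % 16]]; /* SubBytes + ShiftRows */
        for (int c = 0; r < 10 && c < 16; c += 4) {                           /* MixColumns, not in round 10 */
            uint8_t a = t[c], b = t[c + 1], d = t[c + 2], e = t[c + 3], x = a ^ b ^ d ^ e;
            t[c] ^= x ^ xt(a ^ b);     t[c + 1] ^= x ^ xt(b ^ d);
            t[c + 2] ^= x ^ xt(d ^ e); t[c + 3] ^= x ^ xt(e ^ a);
        }
        for (int i = 0; i < 16; i++) out[i] = t[i] ^ rk[16 * r + i];
    }
}
/* Key, plaintexts and "Encrypted result" as posted; FIPS_* is the FIPS-197 Appendix B vector. */
static const uint8_t KEY[16]     = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const uint8_t PT1[16]     = {0x92,0x0f,0x0c,0xe0,0xa9,0xa9,0x6b,0xb9,0xd8,0x41,0x69,0x62,0xbd,0xbb,0xaa,0x7c};
static const uint8_t PT2[16]     = {0xc7,0x46,0x01,0x00,0x10,0x01,0x00,0x00,0x00,0x00,0x00,0x54,0x00,0x6b,0x51,0xff};
static const uint8_t POSTED[16]  = {0xc9,0x3d,0x42,0x18,0x70,0x34,0xce,0xa8,0x67,0x1b,0x88,0x43,0x10,0x00,0xd1,0x8c};
static const uint8_t FIPS_PT[16] = {0x32,0x43,0xf6,0xa8,0x88,0x5a,0x30,0x8d,0x31,0x31,0x98,0xa2,0xe0,0x37,0x07,0x34};
static const uint8_t FIPS_CT[16] = {0x39,0x25,0x84,0x1d,0x02,0xdc,0x09,0xfb,0xdc,0x11,0x85,0x97,0x19,0x6a,0x0b,0x32};
int enc_diff(const uint8_t pt[16], const uint8_t ref[16]) { /* bytes of AES(KEY, pt) that differ from ref */
    uint8_t c[16]; int n = 0;
    aes128_encrypt(KEY, pt, c);
    for (int i = 0; i < 16; i++) n += c[i] != ref[i];
    return n;
}
int main(void) {                             /* prints the number of differing bytes for each comparison */
    return printf("FIPS-197: %d  #1 vs posted: %d  #2 vs posted: %d\n",
                  enc_diff(FIPS_PT, FIPS_CT), enc_diff(PT1, POSTED), enc_diff(PT2, POSTED)) < 0;
}
```

In the posted aes_test output, the two encr: lines differ at the fourteenth byte (00 versus a2), which is the same comparison done by eye.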
