Author: yangke

In the process of AI business development, we often need to encrypt model files.

Let’s talk about the encryption principle of AES and the engineering practice in AOE from the following aspects.

- Common encryption algorithms
- AOE’s requirements for model encryption
- Encryption principle of AES
- AOE engineering practice – combination of AES and aoe

## Common encryption algorithms

There are two common encryption algorithms:**Symmetric encryption**The same key can be used for encryption and decryption at the same time. The commonly used symmetric encryption algorithms are des, 3DES, AES, etc.**Asymmetric encryption**Two keys are needed for encryption and decryption. These two keys are public key and private key. The commonly used asymmetric encryption algorithms are RSA, ElGamal, ECC, etc.

Let’s use a metaphor to understand these two different encryption methods:

Symmetric encryption: suppose there is a password box. A sets a password to lock the box. B knows the password, and then enters the password to open the box. The password is the secret key. A and B use the same password.

Asymmetric encryption: there is a lock and a unique key. A uses the lock to lock the box, and B only uses the key to open the box. This lock can be understood as a public key, which is public. This key can be understood as a private key. It is not public and is not transmitted in the network. Only the owner of the private key can open this box.

Briefly compare their differences:

Functional characteristics | Symmetric encryption | Asymmetric encryption |
---|---|---|

Key characteristics | Encryption and decryption use the same key | Encryption and decryption use different keys |

Encryption efficiency | High efficiency and speed | Slow speed |

Key security | Easy to leak during transmission | High safety |

In practical applications, symmetric encryption and asymmetric encryption algorithms are generally combined, which can not only ensure the speed of encryption, but also ensure the security of secret key transmission. Taking the combination of AES and RSA as an example, there is a general approach. When sending a piece of data information to the server, first encrypt the data with AES algorithm, then encrypt the key of AES with RSA public key of the server, and finally upload the data and encrypted AES key to the server. In this way, only when you know the RSA private key of the server, you can get the correct AES key. Finally, you can use AES key to unlock this ciphertext.

## On the demand of model encryption

In depth learning, model training is the most critical and challenging. Not only need to have rich experience to define the appropriate model, but also need to have a large number of data sets, often need 3-4 days to train a model. For the protection of intellectual property or commercial protection, we often need to encrypt the trained model files. Think about our requirements for model encryption: fast speed, high security, and local encryption and decryption without relying on the server. In addition, a digest algorithm is needed to verify the integrity of the model. We initially consider AES algorithm and MD5 algorithm. Let’s see how the AES algorithm works.

## Encryption principle of AES

AES, advanced encryption standard, is one of the most classical algorithms of symmetric encryption and decryption algorithm. The standard AES encryption bit width is 128bit per block, and the key is divided into 128bit, 192bit, 256bit, which is generally called AES-128, aes-192, AES-256. Let’s take a look at AES encryption in several aspects.

- AES encryption process
- AES decryption process
- AES encryption mode and padding
- Why AOE encryption component chooses AES encryption algorithm

### AES encryption process

There are four main operations in AES algorithm: add round key, subbytes, shift rows and mix columns. AES encryption is not a simple operation of plaintext and key. Take aes128 for example, which performs 10 rounds of encryption. The actual execution process is as follows:

- In round 0, XOR the original data and the original key;
- In rounds 1-9, execute the complete process of subbytes, shiftrows, MixColumns and addroundkey;
- In the 10th round, execute subbytes, shiftrows, and do not execute MixColumns;

```
static void Cipher(state_t* state, const uint8_t* RoundKey)
{
uint8_t round = 0;
// Add the First round key
AddRoundKey(0, state, RoundKey);
// There will be Nr rounds.
for (round = 1; round < Nr; ++round)
{
SubBytes(state);
ShiftRows(state);
MixColumns(state);
AddRoundKey(round, state, RoundKey);
}
// The last round is given below.
SubBytes(state);
ShiftRows(state);
AddRoundKey(Nr, state, RoundKey);
}
```

#### SubBytes

Subbytes, byte obfuscation. The minimum unit of AES processing is 8-bit unsigned integer, which can correspond to an element in GF (2 ^ 8) of Galois domain. The confusing method is to calculate the multiplication inverse of each byte in GF (2 ^ 8) first, in order to provide nonlinear transformation. Another affine transformation of the result is made to change the structure of Galois domain.

Because every element in GF (2 ^ 8) can be expressed as a polynomial: a7x ^ 7 + a6x ^ 6 + a5x ^ 5 +… + a1x + A0, where a7-a0 can only be taken from GF (2). Therefore, to calculate the inverse of a byte can be converted into the inverse of a polynomial. Taking 0xac as an example, the binary is 10101100, and the polynomial is x ^ 7 + x ^ 5 + x ^ 3 + x ^ 2. Calculating the inverse element becomes calculating the inverse element of this polynomial. After getting the inverse of a polynomial, we can convert it to a hexadecimal value. The simple understanding of affine transformation is to get a new value through some calculation. We will not introduce more specific calculation methods. In practice, you can use the look-up table method to complete this step.

Because the value of each byte obtained by these steps is a fixed pair, we can calculate the corresponding value of each element in GF (2 ^ 8). Finally, we can get a 16 * 16 lookup table called substitution box, Sbox or s box for short. For each input byte, such a s the hexadecimal bit 0xab of the input byte, locate a in the vertical coordinate of the table, then locate B in the vertical coordinate, and finally replace the value of this byte with the value of S (a, b). Through this step, our input data d1-d16 becomes S1-S16.

#### ShiftRows

The 16 transformed bytes of S-box are written as a matrix from top to bottom, from left to right. The first line remains unchanged, the second line moves 1 grid to the left, the third line moves 2 grid to the left, and the fourth line moves 3 grid to the left, as shown in the figure:

#### MixColumns

Multiply the result after shiftrows with the following matrix. The column obfuscation operation obfuscates each column of the input matrix so that each byte of the input affects four output bytes. This part includes the knowledge of matrix multiplication, addition and multiplication in Galois domain. In general, the two steps of shiftrows and MixColumns provide the scalability of this cryptosystem.

The polynomials of 01, 02 and 03 in the left matrix are 1, x, x + 1. Let’s say that all the matrix inputs on the right are 0x 1 1, and the corresponding polynomials are x ^ 4 + 1. Use the addition and multiplication in GF (2 ^ 8), and the calculation process is as follows:

```
C(i) = (01 + 01 + 02 + 03) * 11
=(1 + 1 + x + x + 1) * (x^4 + 1)
= 1 * (x^4+1)
= x^4 + 1
```

There are two kinds of multiplication results:

- The highest power does not exceed x ^ 7, and the result is the result of multiplication.
- If it exceeds x ^ 8, we will modulate P (x), where p (x) = x ^ 8 + x ^ 4 + x ^ 3 + X + 1.

#### AddRoundKey

In the above steps, we confuse input with data. Each execution of addroundkey is called a round of encryption. This step will be executed multiple times. In short, XOR operation is performed on the key and the confused result, but the key used in each round is transformed according to the key of the last round.

How is the round key generated? Take AES-128 as an example. The key has 16 bytes in total. We divide the 4 bytes into a group and count them as w0-w3. In each round, the key of this round can be obtained by function g transformation and fixed formula. A total of 44 w (I) keys are generated, and 11 keys k0-k10 are generated for each group of 4, where K0 is the original key. The number of rounds depends on the key length. 16 byte key corresponds to 10 rounds, 24 byte key corresponds to 12 rounds and 32 byte key corresponds to 14 rounds. We will not describe the specific calculation process any more. It seems simple. In fact, there are a lot of mathematical knowledge and research behind it.

### AES decryption process

For decryption, the encryption process is reversed, such as the following reference code, where invshiftrows, invsubbytes, and invmixcolumns are respectively the inverse operations of the corresponding algorithm.

```
static void InvCipher(state_t* state, const uint8_t* RoundKey)
{
uint8_t round = 0;
// Add the First round key
AddRoundKey(Nr, state, RoundKey);
// There will be Nr rounds.
for (round = (Nr - 1); round > 0; --round)
{
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(round, state, RoundKey);
InvMixColumns(state);
}
// The last round is given below.
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(0, state, RoundKey);
}
```

In our daily work, we don’t recommend such mature and professional encryption algorithms as handwriting. It’s easy to write out loopholes or errors, which eventually causes serious security problems.

### Encryption mode and padding

AES can only encrypt the fixed length data. For the indefinite length data, we need to divide it into a number of fixed length data, and then encrypt and decrypt it. This is what we often call packet encryption. There are several encryption modes for packet encryption, such as ECB, CBC, CFB and OFB. Let’s introduce ECB mode and CBC mode, as well as the impact of padding on encryption and decryption.

**ECB mode**

ECB mode, also known as electronic codebook mode: ECB is the simplest block cipher encryption mode. Before encryption, it is divided into several blocks according to the size of encryption block (for example, AES is 128 bits), and then each block is encrypted separately with the same key. The same is true for decryption. See the figure below for details:

(picture from Wikipedia)

As the encryption of each block of data is independent, the ECB mode can be divided into blocks for parallel encryption or decryption. Its disadvantage is that the same plaintext block will be encrypted into the same ciphertext block, so the security of this method is relatively low under some conditions.

**CBC mode**

CBC mode is also known as Cipher Block Chaining: for each cipher block to be encrypted, CBC mode will first XOR with the ciphertext of the previous cipher block before encryption, and then use the encryptor to encrypt. The first plaintext block and a data block called initialization vector IV are XOR. See the figure below for details:

(picture from Wikipedia)

After encryption or decryption, the initialization vector IV will be updated. CBC mode has higher security. However, since the encryption of each data block depends on the encryption of the previous data block, encryption cannot be parallel.

Using a picture to compare the effect of ECB and CBC encryption, we can find that CBC mode is better in dispersion and security.

(picture from Internet)

**Padding**

In the process of AES encryption and decryption, if the data to be encrypted is not a multiple of 16, the original data needs to be filled. The filling methods include pkcs7padding / zeropadding / nopadding, etc.

Let’s see how the different filling methods are filled. For example, set the initial data as ff ff ff ff ff ff ff ff

Pkcs7 filling: ff ff ff ff ff ff ff 07 07 07 07 07

Zeros fill: ff ff ff ff ff ff ff 00 00 00 00 00 00

Nopadding: no filling, you need to make sure that the data is a multiple of 16.

Obviously, different padding has an impact on encryption and decryption, so it is necessary to ensure that the way of padding is consistent when encrypting and decrypting.

### Why AOE encryption component chooses AES encryption algorithm

In theory, most algorithms can be cracked, but it may take a long time to solve. Under the current computing power, it is almost impossible to directly crack AES encryption algorithm. From the point of view of our purpose of protecting the model, AES-128 can meet our needs. In addition, after the AES algorithm is standardized, many hardware chips and software tools have realized the support of AES. Using AES algorithm to encrypt and decrypt, the performance is very high. Considering the performance and security, we use AES-128 / CBC algorithm to do encryption, and on this basis, we use MD5 digest algorithm to check the integrity of the file.

## AOE engineering practice – combination of AES and aoe

Let’s see how the encryption component of AOE is implemented from the following aspects:

- The encrypted file structure of aoe
- Encryption process of aoe
- The decryption process of aoe
- Use of AOE encryption components

**The encrypted file structure of aoe**

We have designed a new file structure. The encrypted file structure is as follows:

1byte | 4bytes | 16bytes | nbytes |
---|---|---|---|

Version Code | File Length | File MD5 | Encrypted model file data |

Before the encrypted model data, we add a head, which is 21 bytes in total:

- Version code, 1byte, indicates the encryption method index of the model, increasing from 1.

If the model encrypted version number > SDK can support the decrypted version number, the decryption fails and the SDK needs to be updated.

- File length, 4 bytes, representing the original length of the model file.
- File MD5, 16bytes, indicates the original MD5 of the model file. The decrypted MD5 needs to be consistent with this MD5.
- The encrypted model file data, nbytes, according to different encryption algorithms, the data length is also different.

The first version of AOE encryption algorithm (version code is 1), encryption and decryption can be completed locally, without interaction with the server, and the corresponding encryption and decryption process is as follows:

**Encryption process of aoe**

1. AES-128 / CBC / no padding is used to encrypt the model.

2. Add 21 byte file header to the file, version code + file length + file MD5.

3. Use file MD5 and encrypted model to do simple swap operation. Exchange 16 bytes of MD5 with the first byte of the first 16K data encrypted by the model.

Using AES encryption, we face a problem that the key is easy to leak. In order to solve this problem, we first choose the CBC mode, and then we do some confusion on the files after encryption. So even if others know our AES key, if they don’t know the confusion in our encryption component, because it’s CBC mode encryption, they can’t unlock our encrypted files.

**The decryption process of aoe**

The process of decryption is the opposite of that of encryption. The specific algorithm is as follows:

1. Read the first 21 bytes of the encrypted file to get the version code and the file length.

2. Read the first byte of the first 16K encrypted data and swap with the MD5 field in the head. After this step, you can get the MD5 of the file and the original encrypted data.

3. AES-128 / CBC / no padding is used to decrypt the model, and MD5 is used to check the integrity of the decrypted file.

**Use of AOE encryption components**

AOE encryption component provides C version and JNI encapsulation, java version and python version. On the end, we recommend C version. On the server background, we recommend java version or Python version to do some batch work. We provide two ways to decrypt to memory and file. We recommend decrypting directly to memory, so no temporary file will be generated, and the security is higher.

## Thinking and summary

Cryptography is very professional for most people, and requires a lot of mathematical knowledge. Encryption and decoding have always been the relationship between spear and shield. At present, AOE SDK stands on the shoulder of mature algorithm and combines AES algorithm to encrypt the model. In the future, we will expand some new encryption algorithms for your reference and use. Welcome to use and make suggestions. https://github.com/didi/aoe

(AOE (AI on edge, terminal intelligence, edge computing) is a terminal side AI integrated runtime environment (IRE) to help developers improve efficiency)