| -rw-r--r-- | CHANGELOG.txt | 71 | ||||
| -rw-r--r-- | src/add_felicsref/tweakey.c | 9 | ||||
| -rw-r--r-- | src/add_python/lilliput/multiplications.py | 41 | ||||
| -rw-r--r-- | src/add_threshold/tweakey.c | 13 | ||||
| -rw-r--r-- | src/add_tweakeyloop/multiplications.h | 11 | ||||
| -rw-r--r-- | src/ref/multiplications.h | 20 | ||||
| -rw-r--r-- | src/ref/tweakey.c | 9 | ||||
| -rw-r--r-- | test/i-128/test-ae-decrypt.c | 42 | ||||
| -rw-r--r-- | test/i-128/test-ae-encrypt.c | 42 | ||||
| -rw-r--r-- | test/i-128/test-tbc-decrypt.c | 8 | ||||
| -rw-r--r-- | test/i-128/test-tbc-encrypt.c | 8 | ||||
| -rw-r--r-- | test/i-128/test-tweakey.c | 6 | ||||
| -rw-r--r-- | traces/traces-tbc.patch | 22 |
13 files changed, 212 insertions, 90 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index d836ba6..cc38a27 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,8 +1,79 @@ v1.1 ==== +ref +--- + +### Fixes + +These modifications change the algorithm's output. + +- Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round: + - lane 0: Id => M + - lane 1: M => M^2 + - lane 2: M^2 => M^3 + - lane 3: M^3 => M^4 + - lane 4: M_R (unchanged) + - lane 5: M_R^2 (unchanged) + - lane 6: M_R^3 (unchanged) + (multiplications.h, tweakey.c) + +### Cleanups + +These modifications are structural and/or stylistic and do not change the algorithm's ouptut. + +- Introduce helper function copy_block_index() to make tweak-building functions more legible. + (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c) + +- Initialize ΘCB3 tweak with nonce instead of copying the latter into the latter repeatedly. + (lilliput-i.c) + +- Re-write _nonlinear_layer() and _linear_layer() functions to better resemble the specification. + (cipher.c) + +- Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes. + (constants.h, multiplications.h, tweakey.c) + +add_threshold +------------- + +### Fixes + +See reference implementation. + +### Cleanups + +See reference implementation. Further cleanups: + +- Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt(). + (cipher.c) + +- Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible. + (tweakey.c) + +add_tweakeyloop +--------------- + +See reference implementation. + +add_python +---------- + +### Fixes + +See reference implementation. + +### Cleanups + +- Re-write tweakey multiplications to better resemble the specification. + (multiplications.py) + +add_vhdl +-------- + TODO + v1.0 ==== diff --git a/src/add_felicsref/tweakey.c b/src/add_felicsref/tweakey.c index 18a7792..47badde 100644 --- a/src/add_felicsref/tweakey.c 
+++ b/src/add_felicsref/tweakey.c @@ -81,11 +81,10 @@ static void _multiply(uint8_t TKj[LANE_BYTES], matrix_multiplication alpha) void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) { - /* Skip lane 0, as it is multiplied by the identity matrix. */ - - _multiply(TK + 1*LANE_BYTES, _multiply_M); - _multiply(TK + 2*LANE_BYTES, _multiply_M2); - _multiply(TK + 3*LANE_BYTES, _multiply_M3); + _multiply(TK + 0*LANE_BYTES, _multiply_M); + _multiply(TK + 1*LANE_BYTES, _multiply_M2); + _multiply(TK + 2*LANE_BYTES, _multiply_M3); + _multiply(TK + 3*LANE_BYTES, _multiply_M4); #if LANES_NB >= 5 _multiply(TK + 4*LANE_BYTES, _multiply_MR); diff --git a/src/add_python/lilliput/multiplications.py b/src/add_python/lilliput/multiplications.py index a5faa55..09eaa08 100644 --- a/src/add_python/lilliput/multiplications.py +++ b/src/add_python/lilliput/multiplications.py @@ -23,8 +23,11 @@ from functools import reduce from operator import xor +def _shl(xi, n): + return (xi << n) & 0xff + def _Sl(n): - return lambda xi: (xi<<n) & 0xff + return lambda xi: _shl(xi, n) def _Sr(n): return lambda xi: xi>>n @@ -36,16 +39,25 @@ def _0(xi): return 0 def _M1(xi): - return (xi<<3 ^ xi>>3) & 0xff + return _shl(xi, 3) ^ xi>>3 def _M2(xi): - return (xi<<6 ^ (xi&0b11111000) ^ xi>>6) & 0xff + return _shl(xi, 6) ^ xi&0b11111000 ^ xi>>6 def _M3(xi): - return xi & 0b00011111 + return _shl(xi>>3, 6) ^ xi>>6<<3 def _M4(xi): - return ((xi<<2) & 0xff) >> 3 + return _shl(xi, 2) >> 3 + +def _M5(xi): + return _shl(xi, 5) ^ xi>>3<<2 + +def _M6(xi): + return xi & 0b00011111 + +def _M7(xi): + return _shl(xi, 2) >> 3 M = ( 
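Review bot: The CHANGELOG hunk in this commit has sections for ref, add_threshold, add_tweakeyloop, add_python and add_vhdl but none for add_felicsref, even though this hunk changes that implementation's output in the same way (lane 0 now multiplied by M, lane 3 by M^4), so the release notes under-report which builds break compatibility. The removed `/* Skip lane 0 ... */` comment was the only explanation of the lane-to-matrix assignment; I would replace it rather than drop it, e.g. `/* Lanes 0-3 are multiplied by M, M^2, M^3, M^4; lanes 4 and up by M_R, M_R^2, M_R^3 (v1.1 schedule). */`. `_multiply_M4` is not defined in any add_felicsref file touched by this diff, so it presumably comes from a header shared with ref — worth confirming the FELICS build really picks up the updated `src/ref/multiplications.h`. The `#if LANES_NB >= 5` block continues past the end of the hunk.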
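Review bot: `_M7` is defined identically to `_M4` (both `return _shl(xi, 2) >> 3`), so renaming the old `_M3`/`_M4` helpers to `_M6`/`_M7` left a duplicate; either use `_M4` in the `MR3` row as well, or write `_M7 = _M4` with a comment saying the same byte map happens to occur in both an M power and an M_R power. The new bodies also lean on Python's precedence of `>>`/`<<` over `&` over `^` — `_shl(xi, 6) ^ xi&0b11111000 ^ xi>>6` parses as `_shl(xi, 6) ^ (xi & 0b11111000) ^ (xi >> 6)` — which is correct but makes checking them against the C versions harder than it needs to be; I would add the parentheses. A one-line comment above the group, such as `# Byte-level maps that appear as entries of the M and M_R power matrices below.`, would also tell a reader what these opaque `_Mn` names are.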
@@ -81,6 +93,17 @@ M3 = ( ( _0, _0, _Id, _0, _0, _0, _0, _0), ) +M4 = ( + ( _0, _0, _Sl(6), _M1, _Id, _0, _0, _0), + ( _0, _0, _0, _M2, _M1, _Id, _0, _0), + ( _0, _Sl(2), _0, _M3, _M2, _M1, _Id, _0), + ( _0, _M4, _Sl(2), _0, _0, _Sr(6), _Sr(3), _Id), + (_Id, _0, _Sl(5), _Sl(2), _0, _0, _0, _0), + ( _0, _Id, _0, _M5, _Sl(2), _0, _0, _0), + ( _0, _0, _Id, _0, _0, _0, _0, _0), + ( _0, _0, _Sl(3), _Id, _0, _0, _0, _0), +) + # NB: shift directions are reversed with respect to the specification # for powers of M_R, since the specification reverses the byte order # for those matrices. @@ -99,7 +122,7 @@ MR = ( MR2 = ( ( _0, _0, _Id, _0, _0, _0, _0, _0), ( _0, _0, _0, _Id, _Sr(3), _0, _0, _0), - ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0), + ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0), ( _0, _0, _0, _0, _0, _Id, _Sl(3), _0), ( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)), ( _0, _0, _0, _0, _Sl(2), _0, _0, _Id), @@ -109,8 +132,8 @@ MR2 = ( MR3 = ( ( _0, _0, _0, _Id, _Sr(3), _0, _0, _0), - ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0), - ( _0, _0, _0, _M4, _0, _Id, _M1, _M3), + ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0), + ( _0, _0, _0, _M7, _0, _Id, _M1, _M6), ( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)), (_Sl(3), _0, _0, _0, _Sl(2), _0, _0, _Id), ( _Id, _0, _0, _0, _0, _Sl(2), _Sl(5), _0), @@ -135,10 +158,10 @@ def _multiplication(m, reverse=True): ALPHAS = ( - list, # Identity. _multiplication(M), _multiplication(M2), _multiplication(M3), + _multiplication(M4), _multiplication(MR, reverse=False), _multiplication(MR2, reverse=False), _multiplication(MR3, reverse=False) diff --git a/src/add_threshold/tweakey.c b/src/add_threshold/tweakey.c index 8f531d9..7822564 100644 --- a/src/add_threshold/tweakey.c +++ b/src/add_threshold/tweakey.c 
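Review bot: The new `M4` table is a hand-transcribed 8x8 matrix with no automated cross-check, while `add_tweakeyloop/multiplications.h` in the same commit defines M^4 as four applications of M; the Python package has what it needs to do the same, so I would add a self-test asserting that `_multiplication(M4)(lane)` equals `_multiplication(M)` applied four times on a few random lanes, plus the analogous checks for `M2`/`M3` and `MR2`/`MR3`. Following the rows against the byte expressions in the C `_multiply_M4` (y7 = S6(x5) ^ M1(x4) ^ x3, ..., y0 = S3(x5) ^ x4, assuming `reverse=True` maps column c to byte 7-c) they appear to agree, but that is exactly the check that belongs in the test suite rather than in a review. The `MR2`/`MR3` rows change only helper names (`_M3` to `_M6`, `_M4` to `_M7`), so their values are unchanged.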
@@ -90,10 +90,11 @@ void tweakey_state_extract(
 typedef void (*matrix_multiplication)(const uint8_t x[LANE_BYTES],
                                       uint8_t y[LANE_BYTES]);
 
-static const matrix_multiplication ALPHAS[6] = {
+static const matrix_multiplication ALPHAS[7] = {
     _multiply_M,
     _multiply_M2,
     _multiply_M3,
+    _multiply_M4,
     _multiply_MR,
     _multiply_MR2,
     _multiply_MR3
@@ -102,16 +103,14 @@ static const matrix_multiplication ALPHAS[6] = {
 
 void tweakey_state_update(uint8_t TK_X[TWEAKEY_BYTES], uint8_t TK_Y[KEY_BYTES])
 {
-    /* Skip lane 0, as it is multiplied by the identity matrix. */
-
-    for (size_t j=1; j<TWEAK_LANES_NB; j++)
+    for (size_t j=0; j<TWEAK_LANES_NB; j++)
     {
         uint8_t *TKj_X = TK_X + j*LANE_BYTES;
         uint8_t TKj_old_X[LANE_BYTES];
 
         memcpy(TKj_old_X, TKj_X, LANE_BYTES);
 
-        ALPHAS[j-1](TKj_old_X, TKj_X);
+        ALPHAS[j](TKj_old_X, TKj_X);
     }
 
     for (size_t j=0; j<KEY_LANES_NB; j++)
@@ -124,7 +123,7 @@ void tweakey_state_update(uint8_t TK_X[TWEAKEY_BYTES], uint8_t TK_Y[KEY_BYTES])
         memcpy(TKj_X_old, TKj_X, LANE_BYTES);
         memcpy(TKj_Y_old, TKj_Y, LANE_BYTES);
 
-        ALPHAS[j-1 + TWEAK_LANES_NB](TKj_X_old, TKj_X);
-        ALPHAS[j-1 + TWEAK_LANES_NB](TKj_Y_old, TKj_Y);
+        ALPHAS[j + TWEAK_LANES_NB](TKj_X_old, TKj_X);
+        ALPHAS[j + TWEAK_LANES_NB](TKj_Y_old, TKj_Y);
     }
 }
diff --git a/src/add_tweakeyloop/multiplications.h b/src/add_tweakeyloop/multiplications.h
index 45b9eaa..650373b 100644
--- a/src/add_tweakeyloop/multiplications.h
+++ b/src/add_tweakeyloop/multiplications.h
@@ -55,6 +55,17 @@ static void _multiply_M3(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
     _multiply_M(M2_x, y);
 }
 
+static void _multiply_M4(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
+{
+    uint8_t M_x[LANE_BYTES];
+    uint8_t M2_x[LANE_BYTES];
+    uint8_t M3_x[LANE_BYTES];
+    _multiply_M(x, M_x);
+    _multiply_M(M_x, M2_x);
+    _multiply_M(M2_x, M3_x);
+    _multiply_M(M3_x, y);
+}
+
 static void _multiply_MR(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
 {
     y[0] = x[1];
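Review bot: The key-lane loop now indexes `ALPHAS[j + TWEAK_LANES_NB]` into a seven-entry table, so correctness silently depends on `TWEAK_LANES_NB + KEY_LANES_NB` not exceeding the table size and on the tweak lanes being exactly the first `TWEAK_LANES_NB` lanes of the tweakey; nothing in the hunk checks either. I would pin it next to the table, `_Static_assert(TWEAK_LANES_NB + KEY_LANES_NB <= sizeof ALPHAS / sizeof ALPHAS[0], "one alpha per tweakey lane");` if the build is C11 (otherwise a negative-array-size trick), and document the indexing with `/* ALPHAS is indexed by absolute lane position: tweak lanes 0..TWEAK_LANES_NB-1 first, then key lanes. */`. Since the removed `/* Skip lane 0 */` comment was the only prose in the function, a line noting that the same alpha is applied to both shares `TK_X`/`TK_Y` because every alpha is a shift/XOR map and therefore commutes with the XOR sharing would help the next reader of the masked implementation. The body of tweakey_state_update continues between the two hunks.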
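Review bot: `_multiply_M4` in add_tweakeyloop allocates three scratch lanes where two suffice, since each `_multiply_M` call reads one buffer and writes another; `uint8_t a[LANE_BYTES], b[LANE_BYTES]; _multiply_M(x, a); _multiply_M(a, b); _multiply_M(b, a); _multiply_M(a, y);` is equivalent and no harder to read than the `M_x`/`M2_x`/`M3_x` chain. Whichever form is kept, a comment such as `/* y = M^4 x, computed as four applications of M; x and y must not overlap. */` would state the contract the callers already honour by passing distinct `TKj_old`/`TKj` buffers.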
diff --git a/src/ref/multiplications.h b/src/ref/multiplications.h
index 4de1848..c0645b9 100644
--- a/src/ref/multiplications.h
+++ b/src/ref/multiplications.h
@@ -71,6 +71,26 @@ static void _multiply_M3(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
     y[0] = x[5];
 }
 
+static void _multiply_M4(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
+{
+    uint8_t a_5 = x[5]<<3 ^ x[4];
+    uint8_t a_4 = x[4]>>3 ^ x[3];
+    uint8_t b_5 = a_5<<3 ^ a_4;
+    uint8_t b_4 = a_4>>3 ^ x[2];
+
+    uint8_t c_4 = b_4>>3 ^ x[6]<<2 ^ x[1];
+    uint8_t c_5 = b_5<<3 ^ b_4;
+
+    y[7] = b_5;
+    y[6] = c_5;
+    y[5] = c_5<<3 ^ c_4;
+    y[4] = c_4>>3 ^ x[5]<<2 ^ x[0];
+    y[3] = a_5<<2 ^ x[7];
+    y[2] = b_5<<2 ^ x[6];
+    y[1] = x[5];
+    y[0] = a_5;
+}
+
 static void _multiply_MR(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES])
 {
     y[0] = x[1];
diff --git a/src/ref/tweakey.c b/src/ref/tweakey.c
index 2f357ca..510f35a 100644
--- a/src/ref/tweakey.c
+++ b/src/ref/tweakey.c
@@ -63,10 +63,11 @@ void tweakey_state_extract(
 typedef void (*matrix_multiplication)(const uint8_t x[LANE_BYTES],
                                       uint8_t y[LANE_BYTES]);
 
-static const matrix_multiplication ALPHAS[6] = {
+static const matrix_multiplication ALPHAS[7] = {
     _multiply_M,
     _multiply_M2,
     _multiply_M3,
+    _multiply_M4,
     _multiply_MR,
     _multiply_MR2,
     _multiply_MR3
@@ -75,15 +76,13 @@ static const matrix_multiplication ALPHAS[6] = {
 
 void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES])
 {
-    /* Skip lane 0, as it is multiplied by the identity matrix. */
-
-    for (size_t j=1; j<LANES_NB; j++)
+    for (size_t j=0; j<LANES_NB; j++)
     {
         uint8_t *TKj = TK + j*LANE_BYTES;
         uint8_t TKj_old[LANE_BYTES];
 
         memcpy(TKj_old, TKj, LANE_BYTES);
 
-        ALPHAS[j-1](TKj_old, TKj);
+        ALPHAS[j](TKj_old, TKj);
     }
 }
diff --git a/test/i-128/test-ae-decrypt.c b/test/i-128/test-ae-decrypt.c
index 043185b..0a5934a 100644
--- a/test/i-128/test-ae-decrypt.c
+++ b/test/i-128/test-ae-decrypt.c
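Review bot: `_multiply_M4` is a hand-unrolled M^4 whose intermediates `a_*`, `b_*`, `c_*` carry no comment, unlike the add_tweakeyloop version in this commit that composes `_multiply_M` four times; a header comment such as `/* y = M^4 x, unrolled; a_/b_/c_ hold partial products. x and y must not overlap: y[4] reads x[0] and x[5] after y[7..5] have been written. */` would tell a reader what to verify and why aliasing is unsafe. The expressions also rely on integer promotion and on the implicit truncation to `uint8_t` at each assignment (e.g. `x[5]<<3 ^ x[4]`), which `-Wconversion` will flag on every line — an explicit `(uint8_t)` cast, or a small helper like the Python port's `_shl`, would make the 8-bit wraparound visible rather than incidental. Finally, since test-tweakey.c only checks the final round tweakey, I would add a unit test that `_multiply_M4(x, y)` equals four successive `_multiply_M` calls on random lanes; that is the one check that would have caught a transcription slip in this table.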
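Review bot: The loop now runs `j` from 0 to `LANES_NB-1` and calls `ALPHAS[j]` directly, so the seven-entry table must cover every lane; `_Static_assert(LANES_NB <= sizeof ALPHAS / sizeof ALPHAS[0], "one alpha per tweakey lane");` next to the table would turn a future mismatch into a compile error instead of an out-of-bounds function-pointer call (the same bound existed before with `ALPHAS[j-1]`, it is just never stated). The removed comment was the only documentation of the schedule; I would replace it with `/* Lane j is multiplied by ALPHAS[j]: M..M^4 for lanes 0-3, M_R..M_R^3 for lanes 4-6 (v1.1). */`. This is an output-changing fix, so the vectors in test/i-128 now match only implementations that received it; the CHANGELOG in this commit still marks add_vhdl as TODO, so the hardware implementation is out of step with its own test data until that lands.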
@@ -47,18 +47,18 @@ const vector VECTORS[] = { }, .ciphertext_len = 64, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80 }, .tag = { - 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, - 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d + 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0, + 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38 }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
@@ -95,19 +95,19 @@ const vector VECTORS[] = { }, .ciphertext_len = 66, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87, - 0x4f, 0x09 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80, + 0x27, 0x3f }, .tag = { - 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, - 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a + 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd, + 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90 }, .message = (uint8_t[]) { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, diff --git a/test/i-128/test-ae-encrypt.c b/test/i-128/test-ae-encrypt.c index 522a3e6..06f3b88 100644 --- a/test/i-128/test-ae-encrypt.c +++ b/test/i-128/test-ae-encrypt.c 
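Review bot: Both decrypt vectors here pair a valid `.ciphertext`/`.tag` with the expected `.message`, so unless the harness outside this hunk does it, the regenerated data never exercises the rejection path of AE decryption; a tag check that became a no-op would still pass. I would add at least one negative vector (the same ciphertext with one tag byte flipped, and one with `ciphertext_len` reduced by one) and assert that decryption reports failure and releases no plaintext. That presumably needs an `expect_failure`-style field in the `vector` struct, which is defined before the hunk.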
@@ -57,18 +57,18 @@ const vector VECTORS[] = { 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, }, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80 }, .tag = { - 0x2e, 0xe5, 0xbf, 0x50, 0x87, 0x71, 0x17, 0x40, - 0x1b, 0xa7, 0xe9, 0xed, 0xd5, 0xcb, 0xec, 0x6d + 0x47, 0x5b, 0x2c, 0x0e, 0x5f, 0xcf, 0x6f, 0xc0, + 0xab, 0x3c, 0x24, 0xc1, 0x66, 0x88, 0x83, 0x38 } }, { 
@@ -106,19 +106,19 @@ const vector VECTORS[] = { 0x40, 0x01 }, .ciphertext = (uint8_t[]) { - 0x86, 0x09, 0xbe, 0x90, 0xa2, 0x9f, 0xa0, 0xed, - 0x9a, 0xf6, 0xeb, 0x8d, 0x96, 0x0e, 0x83, 0x81, - 0x0a, 0x6b, 0x00, 0xf4, 0x76, 0x99, 0xf4, 0x62, - 0x4e, 0x3d, 0x91, 0x4c, 0x95, 0x96, 0x56, 0x91, - 0x94, 0xf2, 0x29, 0x55, 0x20, 0x11, 0x2c, 0x93, - 0x15, 0x23, 0x59, 0xe2, 0xa3, 0xc4, 0xc4, 0x62, - 0xbb, 0xa3, 0x11, 0xf1, 0x39, 0xa2, 0xe2, 0xc9, - 0x47, 0x6b, 0xe5, 0x6a, 0x97, 0x07, 0xc0, 0x87, - 0x4f, 0x09 + 0xca, 0x16, 0x03, 0x71, 0x0c, 0xca, 0x10, 0x2f, + 0xac, 0x46, 0x0c, 0xb4, 0x13, 0x2a, 0x55, 0x0d, + 0xc0, 0x59, 0x90, 0xb7, 0xca, 0xf2, 0x17, 0x9f, + 0x8f, 0xd6, 0x5a, 0x73, 0x49, 0x65, 0x14, 0xec, + 0x3e, 0xf4, 0xc5, 0xd0, 0x08, 0x3d, 0x85, 0x5c, + 0x11, 0x70, 0x42, 0x3b, 0x91, 0x61, 0xa7, 0xf2, + 0x7a, 0xbf, 0x51, 0x2c, 0xe3, 0x88, 0xc9, 0x97, + 0x34, 0x92, 0xed, 0xf9, 0x5b, 0xb4, 0x2a, 0x80, + 0x27, 0x3f }, .tag = { - 0x04, 0x10, 0xbc, 0x6f, 0xe5, 0x88, 0xe0, 0xd5, - 0x09, 0x59, 0x26, 0x17, 0x12, 0x49, 0x35, 0x9a + 0xd4, 0xef, 0x1f, 0x11, 0x81, 0x90, 0xbe, 0xfd, + 0x1e, 0xa7, 0x32, 0xbe, 0x63, 0xe2, 0x18, 0x90 } } }; diff --git a/test/i-128/test-tbc-decrypt.c b/test/i-128/test-tbc-decrypt.c index 6b558cb..b76f6c0 100644 --- a/test/i-128/test-tbc-decrypt.c +++ b/test/i-128/test-tbc-decrypt.c @@ -33,8 +33,8 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, .ciphertext = { - 0x8d, 0x95, 0xa2, 0x10, 0xe6, 0xb2, 0xce, 0xc2, - 0x52, 0x0b, 0x06, 0xaf, 0x26, 0x00, 0xce, 0xe5 + 0x03, 0xb0, 0x31, 0x5e, 0xd8, 0x98, 0x43, 0x7e, + 0xc5, 0x06, 0x4a, 0x83, 0x64, 0x11, 0xf8, 0x02 }, .message = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
@@ -53,8 +53,8 @@ const vector VECTORS[] = { 0x7f, 0xf4, 0x23, 0x4d, 0x3d, 0xd5, 0xf9, 0x9b }, .ciphertext = { - 0x5b, 0x5a, 0x1c, 0xfe, 0x25, 0x6e, 0x85, 0x69, - 0x3e, 0x71, 0x3e, 0x43, 0x30, 0xa8, 0x4c, 0x82 + 0x97, 0xff, 0x85, 0x27, 0xb6, 0x09, 0x1f, 0x51, + 0xf3, 0xcb, 0xfd, 0xd0, 0xf2, 0x72, 0xa5, 0x90 }, .message = { 0xbc, 0xd7, 0xf0, 0x29, 0x84, 0xb6, 0xc8, 0xf9, diff --git a/test/i-128/test-tbc-encrypt.c b/test/i-128/test-tbc-encrypt.c index c83754b..6503455 100644 --- a/test/i-128/test-tbc-encrypt.c +++ b/test/i-128/test-tbc-encrypt.c @@ -37,8 +37,8 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, }, .ciphertext = { - 0x8d, 0x95, 0xa2, 0x10, 0xe6, 0xb2, 0xce, 0xc2, - 0x52, 0x0b, 0x06, 0xaf, 0x26, 0x00, 0xce, 0xe5 + 0x03, 0xb0, 0x31, 0x5e, 0xd8, 0x98, 0x43, 0x7e, + 0xc5, 0x06, 0x4a, 0x83, 0x64, 0x11, 0xf8, 0x02 } }, { @@ -57,8 +57,8 @@ const vector VECTORS[] = { 0x9c, 0x9d, 0x1d, 0xbd, 0x0d, 0x30, 0x94, 0x0b }, .ciphertext = { - 0x5b, 0x5a, 0x1c, 0xfe, 0x25, 0x6e, 0x85, 0x69, - 0x3e, 0x71, 0x3e, 0x43, 0x30, 0xa8, 0x4c, 0x82 + 0x97, 0xff, 0x85, 0x27, 0xb6, 0x09, 0x1f, 0x51, + 0xf3, 0xcb, 0xfd, 0xd0, 0xf2, 0x72, 0xa5, 0x90 } } }; diff --git a/test/i-128/test-tweakey.c b/test/i-128/test-tweakey.c index a9b8b5f..ba27340 100644 --- a/test/i-128/test-tweakey.c +++ b/test/i-128/test-tweakey.c @@ -32,7 +32,7 @@ const vector VECTORS[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, .last_rtk = { - 0xec, 0xb3, 0x30, 0xd0, 0xe2, 0x90, 0xc8, 0x56 + 0x53, 0x40, 0x95, 0x96, 0xea, 0x82, 0x2b, 0x28 } }, { @@ -63,7 +63,7 @@ const vector VECTORS[] = { 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }, .last_rtk = { - 0xda, 0xcd, 0xb4, 0x0b, 0x7b, 0x80, 0x1e, 0x9a + 0xfa, 0xd6, 0x9e, 0x4d, 0x08, 0x9a, 0x46, 0x5b } }, { @@ -78,7 +78,7 @@ const vector VECTORS[] = { 0x7f, 0xf4, 0x23, 0x4d, 0x3d, 0xd5, 0xf9, 0x9b }, .last_rtk = { - 0xdd, 0xc6, 0x4e, 0xd7, 0x1a, 0x82, 0x11, 0xf3 + 0xc2, 0xd1, 0xb0, 0x98, 0xf3, 0x74, 0x8a, 0xc0 } } }; 
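Review bot: The three `.last_rtk` values were replaced wholesale with no indication of how they were produced; if they were dumped from the C implementation being fixed, the test only proves the code is self-consistent, not that it matches the intended schedule. State in the test file which implementation generated them — the add_python port is the natural independent oracle, and add_threshold should agree bit for bit — e.g. `/* Regenerated with add_python after the v1.1 alpha change (lanes 0-3 now M..M^4). */`, and ideally keep the regeneration command alongside. Only test/i-128 vectors were touched in this commit; if other parameter sets have vector files elsewhere in the tree they need the same refresh, since lanes 0-3 of every tweakey now evolve differently.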
diff --git a/traces/traces-tbc.patch b/traces/traces-tbc.patch index 2b81a6b..f03cdfc 100644 --- a/traces/traces-tbc.patch +++ b/traces/traces-tbc.patch @@ -1,5 +1,5 @@ diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c -index 6f1b4b5..7a2ae05 100644 +index 8ebbbc3..c622374 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/cipher.c @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ @@ -109,11 +109,11 @@ index 6f1b4b5..7a2ae05 100644 memcpy(ciphertext, X, BLOCK_BYTES); diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c -index 78c6060..75e9290 100644 +index 510f35a..4bf027c 100644 --- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c +++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/tweakey.c -@@ -19,6 +19,8 @@ where multiplications by matrices M and M_R to the power n are performed - by functions expressing the exponentiated matrices with shifts and XORs. +@@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/ + This file provides the implementation of Lilliput-TBC's tweakey schedule. */ +#include "debug.h" @@ -121,7 +121,7 @@ index 78c6060..75e9290 100644 #include <stdint.h> #include <string.h> -@@ -54,10 +56,16 @@ void tweakey_state_extract( +@@ -51,10 +53,16 @@ void tweakey_state_extract( { const uint8_t *TKj = TK + j*LANE_BYTES; 
@@ -138,23 +138,23 @@ index 78c6060..75e9290 100644 } round_tweakey[0] ^= round_constant; -@@ -160,6 +168,10 @@ static const matrix_multiplication ALPHAS[6] = { +@@ -73,6 +81,10 @@ static const matrix_multiplication ALPHAS[7] = { _multiply_MR3 }; -+static char const * const ALPHAS_STR[6] = { -+ "M", "M²", "M³", "MR", "MR²", "MR³" ++static char const * const ALPHAS_STR[7] = { ++ "M", "M²", "M³", "M⁴", "MR", "MR²", "MR³" +}; + void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) { -@@ -173,5 +185,9 @@ void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) +@@ -84,5 +96,9 @@ void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]) memcpy(TKj_old, TKj, LANE_BYTES); - ALPHAS[j-1](TKj_old, TKj); + ALPHAS[j](TKj_old, TKj); + -+ fprintf(DUMP, " multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j-1]); ++ fprintf(DUMP, " multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j]); + debug_dump_buffer("TK_j^i-1", LANE_BYTES, TKj_old, 12); + debug_dump_buffer("TK_j^i", LANE_BYTES, TKj, 12); } |
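Review bot: The trace line `fprintf(DUMP, " multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j]);` numbers lanes from 1 while the CHANGELOG and `ALPHAS` in the same commit number them from 0 (`lane 0: Id => M`), so a trace reading `lane 1/7 by M` will be misread against that table; print `j` or label the value as 1-based. `ALPHAS_STR[7]` and `ALPHAS[7]` must be kept in step by hand — this very patch had to grow both — so a `_Static_assert(sizeof ALPHAS_STR / sizeof ALPHAS_STR[0] == sizeof ALPHAS / sizeof ALPHAS[0], "...")` in the patched file would catch the next drift. As the patch dumps round-tweakey material, it should stay confined to trace generation and never be applied to a build that handles real keys.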
