From d14739644394986cb584acb45ed9b214dff1c501 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Tue, 27 Nov 2018 08:58:46 +0100 Subject: Mise en commun du code TBC et ΘCB3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Il ne devrait pas varier selon les paramètres AFAICT. --- crypto_aead/lilliputaei128v1/ref/Makefile | 36 +-- crypto_aead/lilliputaei128v1/ref/api.h | 13 - crypto_aead/lilliputaei128v1/ref/cipher.c | 170 ------------- crypto_aead/lilliputaei128v1/ref/cipher.h | 23 -- crypto_aead/lilliputaei128v1/ref/constants.c | 248 ------------------ crypto_aead/lilliputaei128v1/ref/constants.h | 16 -- crypto_aead/lilliputaei128v1/ref/debug.h | 50 ---- crypto_aead/lilliputaei128v1/ref/encrypt.c | 25 -- crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 310 ----------------------- crypto_aead/lilliputaei128v1/ref/lilliput-ae.h | 35 --- crypto_aead/lilliputaei128v1/ref/src | 1 + crypto_aead/lilliputaei128v1/ref/tweakey.c | 83 ------ crypto_aead/lilliputaei128v1/ref/tweakey.h | 31 --- src/cipher.c | 170 +++++++++++++ src/cipher.h | 23 ++ src/constants.c | 248 ++++++++++++++++++ src/constants.h | 16 ++ src/debug.h | 50 ++++ src/lilliput-ae-i.c | 310 +++++++++++++++++++++++ src/lilliput-ae.h | 35 +++ src/tweakey.c | 83 ++++++ src/tweakey.h | 31 +++ 22 files changed, 985 insertions(+), 1022 deletions(-) delete mode 100644 crypto_aead/lilliputaei128v1/ref/api.h delete mode 100644 crypto_aead/lilliputaei128v1/ref/cipher.c delete mode 100644 crypto_aead/lilliputaei128v1/ref/cipher.h delete mode 100644 crypto_aead/lilliputaei128v1/ref/constants.c delete mode 100644 crypto_aead/lilliputaei128v1/ref/constants.h delete mode 100644 crypto_aead/lilliputaei128v1/ref/debug.h delete mode 100644 crypto_aead/lilliputaei128v1/ref/encrypt.c delete mode 100644 crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c delete mode 100644 crypto_aead/lilliputaei128v1/ref/lilliput-ae.h create mode 120000 crypto_aead/lilliputaei128v1/ref/src delete mode 100644 crypto_aead/lilliputaei128v1/ref/tweakey.c delete mode 100644 crypto_aead/lilliputaei128v1/ref/tweakey.h create mode 100644 src/cipher.c create mode 100644 src/cipher.h create mode 100644 src/constants.c create mode 100644 src/constants.h create mode 100644 src/debug.h create mode 100644 src/lilliput-ae-i.c create mode 100644 src/lilliput-ae.h create mode 100644 src/tweakey.c create mode 100644 src/tweakey.h diff --git a/crypto_aead/lilliputaei128v1/ref/Makefile b/crypto_aead/lilliputaei128v1/ref/Makefile index 31167b0..75754d4 100644 --- a/crypto_aead/lilliputaei128v1/ref/Makefile +++ b/crypto_aead/lilliputaei128v1/ref/Makefile @@ -3,7 +3,7 @@ test-tbc-encrypt test-tbc-decrypt \ test-ae-roundtrip test-ae-encrypt test-ae-decrypt nist_flags = -std=c99 -Wall -Wextra -Wshadow -fsanitize=address,undefined -O2 -CFLAGS += -I. $(nist_flags) -Werror +CFLAGS += -I. -Isrc $(nist_flags) -Werror LDFLAGS += $(nist_flags) @@ -28,25 +28,25 @@ test: $(tests) $(tests): %: results/% ./results/$@ -results/test-ae-decrypt: results/lilliput-ae-i.o results/cipher.o results/tweakey.o results/constants.o | results -results/test-ae-encrypt: results/lilliput-ae-i.o results/cipher.o results/tweakey.o results/constants.o | results -results/test-ae-roundtrip: results/lilliput-ae-i.o results/cipher.o results/tweakey.o results/constants.o | results -results/test-tbc-decrypt: results/cipher.o results/tweakey.o results/constants.o | results -results/test-tbc-encrypt: results/cipher.o results/tweakey.o results/constants.o | results -results/test-tweakey: results/tweakey.o results/constants.o | results +results/test-ae-decrypt: results/src/lilliput-ae-i.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results +results/test-ae-encrypt: results/src/lilliput-ae-i.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results +results/test-ae-roundtrip: results/src/lilliput-ae-i.o results/src/cipher.o results/src/tweakey.o results/src/constants.o | results +results/test-tbc-decrypt: results/src/cipher.o results/src/tweakey.o results/src/constants.o | results +results/test-tbc-encrypt: results/src/cipher.o results/src/tweakey.o results/src/constants.o | results +results/test-tweakey: results/src/tweakey.o results/src/constants.o | results results/test-*.o: test/helpers.h parameters.h -results/test-ae-decrypt.o: lilliput-ae.h -results/test-ae-encrypt.o: lilliput-ae.h -results/test-ae-roundtrip.o: lilliput-ae.h -results/test-tbc-decrypt.o: cipher.h -results/test-tbc-encrypt.o: cipher.h -results/test-tweakey.o: tweakey.h - -results/cipher.o: cipher.h tweakey.h constants.h parameters.h -results/constants.o: constants.h -results/lilliput-ae-i.o: lilliput-ae.h cipher.h constants.h -results/tweakey.o: tweakey.h constants.h parameters.h +results/test-ae-decrypt.o: src/lilliput-ae.h +results/test-ae-encrypt.o: src/lilliput-ae.h +results/test-ae-roundtrip.o: src/lilliput-ae.h +results/test-tbc-decrypt.o: src/cipher.h +results/test-tbc-encrypt.o: src/cipher.h +results/test-tweakey.o: src/tweakey.h + +results/src/cipher.o: src/cipher.h src/tweakey.h src/constants.h parameters.h +results/src/constants.o: src/constants.h +results/src/lilliput-ae-i.o: src/lilliput-ae.h src/cipher.h src/constants.h +results/src/tweakey.o: src/tweakey.h src/constants.h parameters.h # TODO: should add order-only prerequisites to remove mkdirs inside recipes # TODO: add valgrind, although it does not seem to play well with ASAN diff --git a/crypto_aead/lilliputaei128v1/ref/api.h b/crypto_aead/lilliputaei128v1/ref/api.h deleted file mode 100644 index 80dc20c..0000000 --- a/crypto_aead/lilliputaei128v1/ref/api.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef API_H -#define API_H - -#include "parameters.h" - - -#define CRYPTO_KEYBYTES KEY_BYTES -#define CRYPTO_NSECBYTES 0 -#define CRYPTO_NPUBBYTES NONCE_BYTES -#define CRYPTO_ABYTES BLOCK_BYTES -#define CRYPTO_NOOVERLAP 1 - -#endif /* API_H */ diff --git a/crypto_aead/lilliputaei128v1/ref/cipher.c b/crypto_aead/lilliputaei128v1/ref/cipher.c deleted file mode 100644 index 7f1152a..0000000 --- a/crypto_aead/lilliputaei128v1/ref/cipher.c +++ /dev/null @@ -1,170 +0,0 @@ -#include -#include - -#include "cipher.h" -#include "constants.h" -#include "parameters.h" -#include "tweakey.h" - - -enum permutation -{ - PERMUTATION_ENCRYPTION = 0, - PERMUTATION_DECRYPTION = 1, - PERMUTATION_NONE -}; - -typedef enum permutation permutation; - -const uint8_t PERMUTATIONS[2][BLOCK_BYTES] = { - /* PI(i) */ - [0] = { 13, 9, 14, 8, 10, 11, 12, 15, - 4, 5, 3, 1, 2, 6, 0, 7 }, - /* PI^-1(i) */ - [1] = { 14, 11, 12, 10, 8, 9, 13, 15, - 3, 1, 4, 5, 6, 0, 2, 7 } -}; - - -struct cipher_state -{ - uint8_t X[BLOCK_BYTES]; -}; - - -typedef struct cipher_state cipher_state; - - -static void _state_init(cipher_state *X, const uint8_t message[BLOCK_BYTES]) -{ - memcpy(X->X, message, sizeof(X->X)); -} - - -static void _compute_round_tweakeys( - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES], - uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES] -) -{ - tweakey_state TK; - tweakey_state_init(&TK, key, tweak); - tweakey_state_extract(&TK, RTK[0], 0); - - for (uint8_t i=1; iX[j] ^ RTK[j]; - } - - for (size_t j=0; jX[dest_j] ^= F[j]; - } -} - -static void _linear_layer(cipher_state *X) -{ - X->X[15] ^= X->X[1]; - X->X[15] ^= X->X[2]; - X->X[15] ^= X->X[3]; - X->X[15] ^= X->X[4]; - X->X[15] ^= X->X[5]; - X->X[15] ^= X->X[6]; - X->X[15] ^= X->X[7]; - - X->X[14] ^= X->X[7]; - X->X[13] ^= X->X[7]; - X->X[12] ^= X->X[7]; - X->X[11] ^= X->X[7]; - X->X[10] ^= X->X[7]; - X->X[9] ^= X->X[7]; -} - -static void _permutation_layer(cipher_state *X, permutation p) -{ - if (p == PERMUTATION_NONE) - { - return; - } - - uint8_t X_old[BLOCK_BYTES]; - memcpy(X_old, X, sizeof(X_old)); - - const uint8_t *pi = PERMUTATIONS[p]; - - for (size_t j=0; jX[pi[j]] = X_old[j]; - } -} - -static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p) -{ - _nonlinear_layer(X, RTK); - _linear_layer(X); - _permutation_layer(X, p); -} - - -void lilliput_tbc_encrypt( - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES], - const uint8_t message[BLOCK_BYTES], - uint8_t ciphertext[BLOCK_BYTES] -) -{ - cipher_state X; - _state_init(&X, message); - - uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; - _compute_round_tweakeys(key, tweak, RTK); - - for (uint8_t i=0; i - -#include "parameters.h" - - -void lilliput_tbc_encrypt( - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES], - const uint8_t message[BLOCK_BYTES], - uint8_t ciphertext[BLOCK_BYTES] -); - -void lilliput_tbc_decrypt( - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES], - const uint8_t ciphertext[BLOCK_BYTES], - uint8_t message[BLOCK_BYTES] -); - -#endif /* CIPHER_H */ diff --git a/crypto_aead/lilliputaei128v1/ref/constants.c b/crypto_aead/lilliputaei128v1/ref/constants.c deleted file mode 100644 index 29da1d8..0000000 --- a/crypto_aead/lilliputaei128v1/ref/constants.c +++ /dev/null @@ -1,248 +0,0 @@ -#include "constants.h" - - -const uint8_t h[8] = { - 1, 5, 3, 0, 4, 7, 2, 6 -}; - -const uint8_t P[6][256] = { - [0] = { - 0, 2, 4, 6, 8, 10, 12, 14, - 16, 18, 20, 22, 24, 26, 28, 30, - 32, 34, 36, 38, 40, 42, 44, 46, - 48, 50, 52, 54, 56, 58, 60, 62, - 64, 66, 68, 70, 72, 74, 76, 78, - 80, 82, 84, 86, 88, 90, 92, 94, - 96, 98, 100, 102, 104, 106, 108, 110, - 112, 114, 116, 118, 120, 122, 124, 126, - 132, 134, 128, 130, 140, 142, 136, 138, - 148, 150, 144, 146, 156, 158, 152, 154, - 164, 166, 160, 162, 172, 174, 168, 170, - 180, 182, 176, 178, 188, 190, 184, 186, - 196, 198, 192, 194, 204, 206, 200, 202, - 212, 214, 208, 210, 220, 222, 216, 218, - 228, 230, 224, 226, 236, 238, 232, 234, - 244, 246, 240, 242, 252, 254, 248, 250, - 129, 131, 133, 135, 137, 139, 141, 143, - 145, 147, 149, 151, 153, 155, 157, 159, - 161, 163, 165, 167, 169, 171, 173, 175, - 177, 179, 181, 183, 185, 187, 189, 191, - 193, 195, 197, 199, 201, 203, 205, 207, - 209, 211, 213, 215, 217, 219, 221, 223, - 225, 227, 229, 231, 233, 235, 237, 239, - 241, 243, 245, 247, 249, 251, 253, 255, - 5, 7, 1, 3, 13, 15, 9, 11, - 21, 23, 17, 19, 29, 31, 25, 27, - 37, 39, 33, 35, 45, 47, 41, 43, - 53, 55, 49, 51, 61, 63, 57, 59, - 69, 71, 65, 67, 77, 79, 73, 75, - 85, 87, 81, 83, 93, 95, 89, 91, - 101, 103, 97, 99, 109, 111, 105, 107, - 117, 119, 113, 115, 125, 127, 121, 123 - }, - [1] = { - 0, 4, 8, 12, 16, 20, 24, 28, - 32, 36, 40, 44, 48, 52, 56, 60, - 64, 68, 72, 76, 80, 84, 88, 92, - 96, 100, 104, 108, 112, 116, 120, 124, - 132, 128, 140, 136, 148, 144, 156, 152, - 164, 160, 172, 168, 180, 176, 188, 184, - 196, 192, 204, 200, 212, 208, 220, 216, - 228, 224, 236, 232, 244, 240, 252, 248, - 137, 141, 129, 133, 153, 157, 145, 149, - 169, 173, 161, 165, 185, 189, 177, 181, - 201, 205, 193, 197, 217, 221, 209, 213, - 233, 237, 225, 229, 249, 253, 241, 245, - 13, 9, 5, 1, 29, 25, 21, 17, - 45, 41, 37, 33, 61, 57, 53, 49, - 77, 73, 69, 65, 93, 89, 85, 81, - 109, 105, 101, 97, 125, 121, 117, 113, - 131, 135, 139, 143, 147, 151, 155, 159, - 163, 167, 171, 175, 179, 183, 187, 191, - 195, 199, 203, 207, 211, 215, 219, 223, - 227, 231, 235, 239, 243, 247, 251, 255, - 7, 3, 15, 11, 23, 19, 31, 27, - 39, 35, 47, 43, 55, 51, 63, 59, - 71, 67, 79, 75, 87, 83, 95, 91, - 103, 99, 111, 107, 119, 115, 127, 123, - 10, 14, 2, 6, 26, 30, 18, 22, - 42, 46, 34, 38, 58, 62, 50, 54, - 74, 78, 66, 70, 90, 94, 82, 86, - 106, 110, 98, 102, 122, 126, 114, 118, - 142, 138, 134, 130, 158, 154, 150, 146, - 174, 170, 166, 162, 190, 186, 182, 178, - 206, 202, 198, 194, 222, 218, 214, 210, - 238, 234, 230, 226, 254, 250, 246, 242 - }, - [2] = { - 0, 8, 16, 24, 32, 40, 48, 56, - 64, 72, 80, 88, 96, 104, 112, 120, - 132, 140, 148, 156, 164, 172, 180, 188, - 196, 204, 212, 220, 228, 236, 244, 252, - 137, 129, 153, 145, 169, 161, 185, 177, - 201, 193, 217, 209, 233, 225, 249, 241, - 13, 5, 29, 21, 45, 37, 61, 53, - 77, 69, 93, 85, 109, 101, 125, 117, - 147, 155, 131, 139, 179, 187, 163, 171, - 211, 219, 195, 203, 243, 251, 227, 235, - 23, 31, 7, 15, 55, 63, 39, 47, - 87, 95, 71, 79, 119, 127, 103, 111, - 26, 18, 10, 2, 58, 50, 42, 34, - 90, 82, 74, 66, 122, 114, 106, 98, - 158, 150, 142, 134, 190, 182, 174, 166, - 222, 214, 206, 198, 254, 246, 238, 230, - 135, 143, 151, 159, 167, 175, 183, 191, - 199, 207, 215, 223, 231, 239, 247, 255, - 3, 11, 19, 27, 35, 43, 51, 59, - 67, 75, 83, 91, 99, 107, 115, 123, - 14, 6, 30, 22, 46, 38, 62, 54, - 78, 70, 94, 86, 110, 102, 126, 118, - 138, 130, 154, 146, 170, 162, 186, 178, - 202, 194, 218, 210, 234, 226, 250, 242, - 20, 28, 4, 12, 52, 60, 36, 44, - 84, 92, 68, 76, 116, 124, 100, 108, - 144, 152, 128, 136, 176, 184, 160, 168, - 208, 216, 192, 200, 240, 248, 224, 232, - 157, 149, 141, 133, 189, 181, 173, 165, - 221, 213, 205, 197, 253, 245, 237, 229, - 25, 17, 9, 1, 57, 49, 41, 33, - 89, 81, 73, 65, 121, 113, 105, 97 - }, - [3] = { - 0, 132, 1, 133, 3, 135, 2, 134, - 4, 128, 5, 129, 7, 131, 6, 130, - 8, 140, 9, 141, 11, 143, 10, 142, - 12, 136, 13, 137, 15, 139, 14, 138, - 16, 148, 17, 149, 19, 151, 18, 150, - 20, 144, 21, 145, 23, 147, 22, 146, - 24, 156, 25, 157, 27, 159, 26, 158, - 28, 152, 29, 153, 31, 155, 30, 154, - 32, 164, 33, 165, 35, 167, 34, 166, - 36, 160, 37, 161, 39, 163, 38, 162, - 40, 172, 41, 173, 43, 175, 42, 174, - 44, 168, 45, 169, 47, 171, 46, 170, - 48, 180, 49, 181, 51, 183, 50, 182, - 52, 176, 53, 177, 55, 179, 54, 178, - 56, 188, 57, 189, 59, 191, 58, 190, - 60, 184, 61, 185, 63, 187, 62, 186, - 64, 196, 65, 197, 67, 199, 66, 198, - 68, 192, 69, 193, 71, 195, 70, 194, - 72, 204, 73, 205, 75, 207, 74, 206, - 76, 200, 77, 201, 79, 203, 78, 202, - 80, 212, 81, 213, 83, 215, 82, 214, - 84, 208, 85, 209, 87, 211, 86, 210, - 88, 220, 89, 221, 91, 223, 90, 222, - 92, 216, 93, 217, 95, 219, 94, 218, - 96, 228, 97, 229, 99, 231, 98, 230, - 100, 224, 101, 225, 103, 227, 102, 226, - 104, 236, 105, 237, 107, 239, 106, 238, - 108, 232, 109, 233, 111, 235, 110, 234, - 112, 244, 113, 245, 115, 247, 114, 246, - 116, 240, 117, 241, 119, 243, 118, 242, - 120, 252, 121, 253, 123, 255, 122, 254, - 124, 248, 125, 249, 127, 251, 126, 250 - }, - [4] = { - 0, 165, 67, 230, 199, 98, 132, 33, - 133, 32, 198, 99, 66, 231, 1, 164, - 3, 166, 64, 229, 196, 97, 135, 34, - 134, 35, 197, 96, 65, 228, 2, 167, - 4, 161, 71, 226, 195, 102, 128, 37, - 129, 36, 194, 103, 70, 227, 5, 160, - 7, 162, 68, 225, 192, 101, 131, 38, - 130, 39, 193, 100, 69, 224, 6, 163, - 8, 173, 75, 238, 207, 106, 140, 41, - 141, 40, 206, 107, 74, 239, 9, 172, - 11, 174, 72, 237, 204, 105, 143, 42, - 142, 43, 205, 104, 73, 236, 10, 175, - 12, 169, 79, 234, 203, 110, 136, 45, - 137, 44, 202, 111, 78, 235, 13, 168, - 15, 170, 76, 233, 200, 109, 139, 46, - 138, 47, 201, 108, 77, 232, 14, 171, - 16, 181, 83, 246, 215, 114, 148, 49, - 149, 48, 214, 115, 82, 247, 17, 180, - 19, 182, 80, 245, 212, 113, 151, 50, - 150, 51, 213, 112, 81, 244, 18, 183, - 20, 177, 87, 242, 211, 118, 144, 53, - 145, 52, 210, 119, 86, 243, 21, 176, - 23, 178, 84, 241, 208, 117, 147, 54, - 146, 55, 209, 116, 85, 240, 22, 179, - 24, 189, 91, 254, 223, 122, 156, 57, - 157, 56, 222, 123, 90, 255, 25, 188, - 27, 190, 88, 253, 220, 121, 159, 58, - 158, 59, 221, 120, 89, 252, 26, 191, - 28, 185, 95, 250, 219, 126, 152, 61, - 153, 60, 218, 127, 94, 251, 29, 184, - 31, 186, 92, 249, 216, 125, 155, 62, - 154, 63, 217, 124, 93, 248, 30, 187 - }, - [5] = { - 0, 215, 165, 114, 230, 49, 67, 148, - 199, 16, 98, 181, 33, 246, 132, 83, - 133, 82, 32, 247, 99, 180, 198, 17, - 66, 149, 231, 48, 164, 115, 1, 214, - 3, 212, 166, 113, 229, 50, 64, 151, - 196, 19, 97, 182, 34, 245, 135, 80, - 134, 81, 35, 244, 96, 183, 197, 18, - 65, 150, 228, 51, 167, 112, 2, 213, - 4, 211, 161, 118, 226, 53, 71, 144, - 195, 20, 102, 177, 37, 242, 128, 87, - 129, 86, 36, 243, 103, 176, 194, 21, - 70, 145, 227, 52, 160, 119, 5, 210, - 7, 208, 162, 117, 225, 54, 68, 147, - 192, 23, 101, 178, 38, 241, 131, 84, - 130, 85, 39, 240, 100, 179, 193, 22, - 69, 146, 224, 55, 163, 116, 6, 209, - 8, 223, 173, 122, 238, 57, 75, 156, - 207, 24, 106, 189, 41, 254, 140, 91, - 141, 90, 40, 255, 107, 188, 206, 25, - 74, 157, 239, 56, 172, 123, 9, 222, - 11, 220, 174, 121, 237, 58, 72, 159, - 204, 27, 105, 190, 42, 253, 143, 88, - 142, 89, 43, 252, 104, 191, 205, 26, - 73, 158, 236, 59, 175, 120, 10, 221, - 12, 219, 169, 126, 234, 61, 79, 152, - 203, 28, 110, 185, 45, 250, 136, 95, - 137, 94, 44, 251, 111, 184, 202, 29, - 78, 153, 235, 60, 168, 127, 13, 218, - 15, 216, 170, 125, 233, 62, 76, 155, - 200, 31, 109, 186, 46, 249, 139, 92, - 138, 93, 47, 248, 108, 187, 201, 30, - 77, 154, 232, 63, 171, 124, 14, 217 - }, -}; - -const uint8_t S[256] = { - 32, 0, 178, 133, 59, 53, 166, 164, - 48, 228, 106, 44, 255, 89, 226, 14, - 248, 30, 122, 128, 21, 189, 62, 177, - 232, 243, 162, 194, 218, 81, 42, 16, - 33, 1, 35, 120, 92, 36, 39, 181, - 55, 199, 43, 31, 174, 10, 119, 95, - 111, 9, 157, 129, 4, 90, 41, 220, - 57, 156, 5, 87, 151, 116, 121, 23, - 68, 198, 230, 233, 221, 65, 242, 138, - 84, 202, 110, 74, 225, 173, 182, 136, - 28, 152, 126, 206, 99, 73, 58, 93, - 12, 239, 246, 52, 86, 37, 46, 214, - 103, 117, 85, 118, 184, 210, 97, 217, - 113, 139, 205, 11, 114, 108, 49, 75, - 105, 253, 123, 109, 96, 60, 47, 98, - 63, 34, 115, 19, 201, 130, 127, 83, - 50, 18, 160, 124, 2, 135, 132, 134, - 147, 78, 104, 70, 141, 195, 219, 236, - 155, 183, 137, 146, 167, 190, 61, 216, - 234, 80, 145, 241, 51, 56, 224, 169, - 163, 131, 161, 27, 207, 6, 149, 7, - 158, 237, 185, 245, 76, 192, 244, 45, - 22, 250, 180, 3, 38, 179, 144, 79, - 171, 101, 252, 254, 20, 247, 227, 148, - 238, 172, 140, 26, 222, 203, 40, 64, - 125, 200, 196, 72, 107, 223, 165, 82, - 229, 251, 215, 100, 249, 240, 211, 94, - 102, 150, 143, 29, 69, 54, 204, 197, - 77, 159, 191, 15, 209, 8, 235, 67, - 66, 25, 231, 153, 168, 142, 88, 193, - 154, 212, 24, 71, 170, 175, 188, 91, - 213, 17, 208, 176, 112, 187, 13, 186 -}; diff --git a/crypto_aead/lilliputaei128v1/ref/constants.h b/crypto_aead/lilliputaei128v1/ref/constants.h deleted file mode 100644 index a786023..0000000 --- a/crypto_aead/lilliputaei128v1/ref/constants.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef CONSTANTS_H -#define CONSTANTS_H - -#include - - -/* Tweakey permutation */ -extern const uint8_t h[8]; - -/* Tweakey multiplication */ -extern const uint8_t P[6][256]; - -/* Lilliput S-box */ -extern const uint8_t S[256]; - -#endif /* CONSTANTS_H */ diff --git a/crypto_aead/lilliputaei128v1/ref/debug.h b/crypto_aead/lilliputaei128v1/ref/debug.h deleted file mode 100644 index 87140e5..0000000 --- a/crypto_aead/lilliputaei128v1/ref/debug.h +++ /dev/null @@ -1,50 +0,0 @@ -#ifndef DEBUG_H -#define DEBUG_H - -#include -#include - - -static inline void debug_dump_lanes(FILE *output, const char *header, size_t len, const uint8_t buf[len], int indent) -{ - if (!output) - { - return; - } - - fprintf(output, "%s\n", header); - - for (size_t line=0; line -#include -#include - -#include "cipher.h" -#include "lilliput-ae.h" - - -static const uint8_t _0n[BLOCK_BYTES] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - - -static uint8_t _upper_nibble(uint8_t i) -{ - return i >> 4; -} - -static uint8_t _lower_nibble(uint8_t i) -{ - return i & 0x0f; -} - -static void _encrypt(const uint8_t K[KEY_BYTES], - const uint8_t T[TWEAK_BYTES], - const uint8_t M[BLOCK_BYTES], - uint8_t C[BLOCK_BYTES]) -{ - lilliput_tbc_encrypt(K, T, M, C); -} - -static void _decrypt(const uint8_t K[KEY_BYTES], - const uint8_t T[TWEAK_BYTES], - const uint8_t C[BLOCK_BYTES], - uint8_t M[BLOCK_BYTES]) -{ - lilliput_tbc_decrypt(K, T, C, M); -} - -static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES]) -{ - for (size_t i=0; i 1) - { - memset(padded, 0, pad_len-1); - } -} - -static void _fill_ad_tweak( - uint8_t prefix, - uint64_t block_nb, - uint8_t tweak[TWEAK_BYTES] -) -{ - /* The 192-bit tweak is filled as follows: - * - * - bits 1-188: block number - * 1- 64: actual 64-bit block number - * 65-188: 0-padding - * - bits 189-192: constant 4-bit prefix - */ - - for (size_t i=0; i> 8*i; - - tweak[i] = b; - } - - /* Assume padding bytes have already been memset to 0. */ - - tweak[TWEAK_BYTES-1] |= prefix << 4; -} - -static void _fill_msg_tweak( - uint8_t prefix, - const uint8_t N[NONCE_BYTES], - uint64_t block_nb, - uint8_t tweak[TWEAK_BYTES] -) -{ - /* The 192-bit tweak is filled as follows: - * - * - bits 1- 68: block number - * 1- 64: actual 64-bit block number - * 64- 68: 0-padding - * - bits 67-188: nonce - * - bits 189-192: constant 4-bit prefix - */ - - for (size_t i=0; i> 8*i; - - tweak[i] = b; - } - - tweak[sizeof(block_nb)] = _lower_nibble(N[0]) << 4; - - for (size_t i=1; i -#include -#include - -#include "parameters.h" - - -/* TODO: replace c_len with m_len */ -void lilliput_ae_encrypt( - size_t message_len, - const uint8_t message[message_len], - size_t auth_data_len, - const uint8_t auth_data[auth_data_len], - const uint8_t key[KEY_BYTES], - const uint8_t nonce[NONCE_BYTES], - uint8_t ciphertext[message_len], - uint8_t tag[TAG_BYTES] -); - -bool lilliput_ae_decrypt( - size_t ciphertext_len, - const uint8_t ciphertext[ciphertext_len], - size_t auth_data_len, - const uint8_t auth_data[auth_data_len], - const uint8_t key[KEY_BYTES], - const uint8_t nonce[NONCE_BYTES], - const uint8_t tag[TAG_BYTES], - uint8_t message[ciphertext_len] -); - - -#endif /* LILLIPUT_AE_H */ diff --git a/crypto_aead/lilliputaei128v1/ref/src b/crypto_aead/lilliputaei128v1/ref/src new file mode 120000 index 0000000..006f0fe --- /dev/null +++ b/crypto_aead/lilliputaei128v1/ref/src @@ -0,0 +1 @@ +/home/klegouguec/projects/paclido/sp3/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src \ No newline at end of file diff --git a/crypto_aead/lilliputaei128v1/ref/tweakey.c b/crypto_aead/lilliputaei128v1/ref/tweakey.c deleted file mode 100644 index da97019..0000000 --- a/crypto_aead/lilliputaei128v1/ref/tweakey.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "constants.h" -#include "parameters.h" -#include "tweakey.h" - - -#define LANE_BITS 64 -#define LANE_BYTES (LANE_BITS/8) -#define LANES_NB (TWEAKEY_BYTES/LANE_BYTES) - - -void tweakey_state_init( - tweakey_state *TK, - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES] -) -{ - memcpy(TK->TK, tweak, TWEAK_BYTES); - memcpy(TK->TK+TWEAK_BYTES, key, KEY_BYTES); -} - - -void tweakey_state_extract( - const tweakey_state *TK, - uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ - uint8_t i /* round constant */ -) -{ - memset(round_tweakey, 0, ROUND_TWEAKEY_BYTES); - - for (const uint8_t *lane=TK->TK; laneTK+TWEAKEY_BYTES; lane+=LANE_BYTES) - { - for (size_t j=0; jTK, sizeof(TK_old)); - - /* TODO: homogenize indices; here j=lane; k=byte */ - - for (size_t j=0; jTK[j+h[k]] = TK_old[j+k]; - } - } -} - -static void _multiply_state(tweakey_state *TK) -{ - /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */ - - for (size_t lane=1; laneTK[offset] = P_lane[TK->TK[offset]]; - } - } -} - -void tweakey_state_update(tweakey_state *TK) -{ - _permute_state(TK); - _multiply_state(TK); -} diff --git a/crypto_aead/lilliputaei128v1/ref/tweakey.h b/crypto_aead/lilliputaei128v1/ref/tweakey.h deleted file mode 100644 index 0642724..0000000 --- a/crypto_aead/lilliputaei128v1/ref/tweakey.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef TWEAKEY_H -#define TWEAKEY_H - -#include - -#include "parameters.h" - - -struct tweakey_state -{ - uint8_t TK[TWEAKEY_BYTES]; -}; - -typedef struct tweakey_state tweakey_state; - - -void tweakey_state_init( - tweakey_state *TK, - const uint8_t key[KEY_BYTES], - const uint8_t tweak[TWEAK_BYTES] -); - -void tweakey_state_extract( - const tweakey_state *TK, - uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ - uint8_t i /* round constant */ -); - -void tweakey_state_update(tweakey_state *TK); - -#endif /* TWEAKEY_H */ diff --git a/src/cipher.c b/src/cipher.c new file mode 100644 index 0000000..7f1152a --- /dev/null +++ b/src/cipher.c @@ -0,0 +1,170 @@ +#include +#include + +#include "cipher.h" +#include "constants.h" +#include "parameters.h" +#include "tweakey.h" + + +enum permutation +{ + PERMUTATION_ENCRYPTION = 0, + PERMUTATION_DECRYPTION = 1, + PERMUTATION_NONE +}; + +typedef enum permutation permutation; + +const uint8_t PERMUTATIONS[2][BLOCK_BYTES] = { + /* PI(i) */ + [0] = { 13, 9, 14, 8, 10, 11, 12, 15, + 4, 5, 3, 1, 2, 6, 0, 7 }, + /* PI^-1(i) */ + [1] = { 14, 11, 12, 10, 8, 9, 13, 15, + 3, 1, 4, 5, 6, 0, 2, 7 } +}; + + +struct cipher_state +{ + uint8_t X[BLOCK_BYTES]; +}; + + +typedef struct cipher_state cipher_state; + + +static void _state_init(cipher_state *X, const uint8_t message[BLOCK_BYTES]) +{ + memcpy(X->X, message, sizeof(X->X)); +} + + +static void _compute_round_tweakeys( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES] +) +{ + tweakey_state TK; + tweakey_state_init(&TK, key, tweak); + tweakey_state_extract(&TK, RTK[0], 0); + + for (uint8_t i=1; iX[j] ^ RTK[j]; + } + + for (size_t j=0; jX[dest_j] ^= F[j]; + } +} + +static void _linear_layer(cipher_state *X) +{ + X->X[15] ^= X->X[1]; + X->X[15] ^= X->X[2]; + X->X[15] ^= X->X[3]; + X->X[15] ^= X->X[4]; + X->X[15] ^= X->X[5]; + X->X[15] ^= X->X[6]; + X->X[15] ^= X->X[7]; + + X->X[14] ^= X->X[7]; + X->X[13] ^= X->X[7]; + X->X[12] ^= X->X[7]; + X->X[11] ^= X->X[7]; + X->X[10] ^= X->X[7]; + X->X[9] ^= X->X[7]; +} + +static void _permutation_layer(cipher_state *X, permutation p) +{ + if (p == PERMUTATION_NONE) + { + return; + } + + uint8_t X_old[BLOCK_BYTES]; + memcpy(X_old, X, sizeof(X_old)); + + const uint8_t *pi = PERMUTATIONS[p]; + + for (size_t j=0; jX[pi[j]] = X_old[j]; + } +} + +static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p) +{ + _nonlinear_layer(X, RTK); + _linear_layer(X); + _permutation_layer(X, p); +} + + +void lilliput_tbc_encrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t message[BLOCK_BYTES], + uint8_t ciphertext[BLOCK_BYTES] +) +{ + cipher_state X; + _state_init(&X, message); + + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; + _compute_round_tweakeys(key, tweak, RTK); + + for (uint8_t i=0; i + +#include "parameters.h" + + +void lilliput_tbc_encrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t message[BLOCK_BYTES], + uint8_t ciphertext[BLOCK_BYTES] +); + +void lilliput_tbc_decrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t ciphertext[BLOCK_BYTES], + uint8_t message[BLOCK_BYTES] +); + +#endif /* CIPHER_H */ diff --git a/src/constants.c b/src/constants.c new file mode 100644 index 0000000..29da1d8 --- /dev/null +++ b/src/constants.c @@ -0,0 +1,248 @@ +#include "constants.h" + + +const uint8_t h[8] = { + 1, 5, 3, 0, 4, 7, 2, 6 +}; + +const uint8_t P[6][256] = { + [0] = { + 0, 2, 4, 6, 8, 10, 12, 14, + 16, 18, 20, 22, 24, 26, 28, 30, + 32, 34, 36, 38, 40, 42, 44, 46, + 48, 50, 52, 54, 56, 58, 60, 62, + 64, 66, 68, 70, 72, 74, 76, 78, + 80, 82, 84, 86, 88, 90, 92, 94, + 96, 98, 100, 102, 104, 106, 108, 110, + 112, 114, 116, 118, 120, 122, 124, 126, + 132, 134, 128, 130, 140, 142, 136, 138, + 148, 150, 144, 146, 156, 158, 152, 154, + 164, 166, 160, 162, 172, 174, 168, 170, + 180, 182, 176, 178, 188, 190, 184, 186, + 196, 198, 192, 194, 204, 206, 200, 202, + 212, 214, 208, 210, 220, 222, 216, 218, + 228, 230, 224, 226, 236, 238, 232, 234, + 244, 246, 240, 242, 252, 254, 248, 250, + 129, 131, 133, 135, 137, 139, 141, 143, + 145, 147, 149, 151, 153, 155, 157, 159, + 161, 163, 165, 167, 169, 171, 173, 175, + 177, 179, 181, 183, 185, 187, 189, 191, + 193, 195, 197, 199, 201, 203, 205, 207, + 209, 211, 213, 215, 217, 219, 221, 223, + 225, 227, 229, 231, 233, 235, 237, 239, + 241, 243, 245, 247, 249, 251, 253, 255, + 5, 7, 1, 3, 13, 15, 9, 11, + 21, 23, 17, 19, 29, 31, 25, 27, + 37, 39, 33, 35, 45, 47, 41, 43, + 53, 55, 49, 51, 61, 63, 57, 59, + 69, 71, 65, 67, 77, 79, 73, 75, + 85, 87, 81, 83, 93, 95, 89, 91, + 101, 103, 97, 99, 109, 111, 105, 107, + 117, 119, 113, 115, 125, 127, 121, 123 + }, + [1] = { + 0, 4, 8, 12, 16, 20, 24, 28, + 32, 36, 40, 44, 48, 52, 56, 60, + 64, 68, 72, 76, 80, 84, 88, 92, + 96, 100, 104, 108, 112, 116, 120, 124, + 132, 128, 140, 136, 148, 144, 156, 152, + 164, 160, 172, 168, 180, 176, 188, 184, + 196, 192, 204, 200, 212, 208, 220, 216, + 228, 224, 236, 232, 244, 240, 252, 248, + 137, 141, 129, 133, 153, 157, 145, 149, + 169, 173, 161, 165, 185, 189, 177, 181, + 201, 205, 193, 197, 217, 221, 209, 213, + 233, 237, 225, 229, 249, 253, 241, 245, + 13, 9, 5, 1, 29, 25, 21, 17, + 45, 41, 37, 33, 61, 57, 53, 49, + 77, 73, 69, 65, 93, 89, 85, 81, + 109, 105, 101, 97, 125, 121, 117, 113, + 131, 135, 139, 143, 147, 151, 155, 159, + 163, 167, 171, 175, 179, 183, 187, 191, + 195, 199, 203, 207, 211, 215, 219, 223, + 227, 231, 235, 239, 243, 247, 251, 255, + 7, 3, 15, 11, 23, 19, 31, 27, + 39, 35, 47, 43, 55, 51, 63, 59, + 71, 67, 79, 75, 87, 83, 95, 91, + 103, 99, 111, 107, 119, 115, 127, 123, + 10, 14, 2, 6, 26, 30, 18, 22, + 42, 46, 34, 38, 58, 62, 50, 54, + 74, 78, 66, 70, 90, 94, 82, 86, + 106, 110, 98, 102, 122, 126, 114, 118, + 142, 138, 134, 130, 158, 154, 150, 146, + 174, 170, 166, 162, 190, 186, 182, 178, + 206, 202, 198, 194, 222, 218, 214, 210, + 238, 234, 230, 226, 254, 250, 246, 242 + }, + [2] = { + 0, 8, 16, 24, 32, 40, 48, 56, + 64, 72, 80, 88, 96, 104, 112, 120, + 132, 140, 148, 156, 164, 172, 180, 188, + 196, 204, 212, 220, 228, 236, 244, 252, + 137, 129, 153, 145, 169, 161, 185, 177, + 201, 193, 217, 209, 233, 225, 249, 241, + 13, 5, 29, 21, 45, 37, 61, 53, + 77, 69, 93, 85, 109, 101, 125, 117, + 147, 155, 131, 139, 179, 187, 163, 171, + 211, 219, 195, 203, 243, 251, 227, 235, + 23, 31, 7, 15, 55, 63, 39, 47, + 87, 95, 71, 79, 119, 127, 103, 111, + 26, 18, 10, 2, 58, 50, 42, 34, + 90, 82, 74, 66, 122, 114, 106, 98, + 158, 150, 142, 134, 190, 182, 174, 166, + 222, 214, 206, 198, 254, 246, 238, 230, + 135, 143, 151, 159, 167, 175, 183, 191, + 199, 207, 215, 223, 231, 239, 247, 255, + 3, 11, 19, 27, 35, 43, 51, 59, + 67, 75, 83, 91, 99, 107, 115, 123, + 14, 6, 30, 22, 46, 38, 62, 54, + 78, 70, 94, 86, 110, 102, 126, 118, + 138, 130, 154, 146, 170, 162, 186, 178, + 202, 194, 218, 210, 234, 226, 250, 242, + 20, 28, 4, 12, 52, 60, 36, 44, + 84, 92, 68, 76, 116, 124, 100, 108, + 144, 152, 128, 136, 176, 184, 160, 168, + 208, 216, 192, 200, 240, 248, 224, 232, + 157, 149, 141, 133, 189, 181, 173, 165, + 221, 213, 205, 197, 253, 245, 237, 229, + 25, 17, 9, 1, 57, 49, 41, 33, + 89, 81, 73, 65, 121, 113, 105, 97 + }, + [3] = { + 0, 132, 1, 133, 3, 135, 2, 134, + 4, 128, 5, 129, 7, 131, 6, 130, + 8, 140, 9, 141, 11, 143, 10, 142, + 12, 136, 13, 137, 15, 139, 14, 138, + 16, 148, 17, 149, 19, 151, 18, 150, + 20, 144, 21, 145, 23, 147, 22, 146, + 24, 156, 25, 157, 27, 159, 26, 158, + 28, 152, 29, 153, 31, 155, 30, 154, + 32, 164, 33, 165, 35, 167, 34, 166, + 36, 160, 37, 161, 39, 163, 38, 162, + 40, 172, 41, 173, 43, 175, 42, 174, + 44, 168, 45, 169, 47, 171, 46, 170, + 48, 180, 49, 181, 51, 183, 50, 182, + 52, 176, 53, 177, 55, 179, 54, 178, + 56, 188, 57, 189, 59, 191, 58, 190, + 60, 184, 61, 185, 63, 187, 62, 186, + 64, 196, 65, 197, 67, 199, 66, 198, + 68, 192, 69, 193, 71, 195, 70, 194, + 72, 204, 73, 205, 75, 207, 74, 206, + 76, 200, 77, 201, 79, 203, 78, 202, + 80, 212, 81, 213, 83, 215, 82, 214, + 84, 208, 85, 209, 87, 211, 86, 210, + 88, 220, 89, 221, 91, 223, 90, 222, + 92, 216, 93, 217, 95, 219, 94, 218, + 96, 228, 97, 229, 99, 231, 98, 230, + 100, 224, 101, 225, 103, 227, 102, 226, + 104, 236, 105, 237, 107, 239, 106, 238, + 108, 232, 109, 233, 111, 235, 110, 234, + 112, 244, 113, 245, 115, 247, 114, 246, + 116, 240, 117, 241, 119, 243, 118, 242, + 120, 252, 121, 253, 123, 255, 122, 254, + 124, 248, 125, 249, 127, 251, 126, 250 + }, + [4] = { + 0, 165, 67, 230, 199, 98, 132, 33, + 133, 32, 198, 99, 66, 231, 1, 164, + 3, 166, 64, 229, 196, 97, 135, 34, + 134, 35, 197, 96, 65, 228, 2, 167, + 4, 161, 71, 226, 195, 102, 128, 37, + 129, 36, 194, 103, 70, 227, 5, 160, + 7, 162, 68, 225, 192, 101, 131, 38, + 130, 39, 193, 100, 69, 224, 6, 163, + 8, 173, 75, 238, 207, 106, 140, 41, + 141, 40, 206, 107, 74, 239, 9, 172, + 11, 174, 72, 237, 204, 105, 143, 42, + 142, 43, 205, 104, 73, 236, 10, 175, + 12, 169, 79, 234, 203, 110, 136, 45, + 137, 44, 202, 111, 78, 235, 13, 168, + 15, 170, 76, 233, 200, 109, 139, 46, + 138, 47, 201, 108, 77, 232, 14, 171, + 16, 181, 83, 246, 215, 114, 148, 49, + 149, 48, 214, 115, 82, 247, 17, 180, + 19, 182, 80, 245, 212, 113, 151, 50, + 150, 51, 213, 112, 81, 244, 18, 183, + 20, 177, 87, 242, 211, 118, 144, 53, + 145, 52, 210, 119, 86, 243, 21, 176, + 23, 178, 84, 241, 208, 117, 147, 54, + 146, 55, 209, 116, 85, 240, 22, 179, + 24, 189, 91, 254, 223, 122, 156, 57, + 157, 56, 222, 123, 90, 255, 25, 188, + 27, 190, 88, 253, 220, 121, 159, 58, + 158, 59, 221, 120, 89, 252, 26, 191, + 28, 185, 95, 250, 219, 126, 152, 61, + 153, 60, 218, 127, 94, 251, 29, 184, + 31, 186, 92, 249, 216, 125, 155, 62, + 154, 63, 217, 124, 93, 248, 30, 187 + }, + [5] = { + 0, 215, 165, 114, 230, 49, 67, 148, + 199, 16, 98, 181, 33, 246, 132, 83, + 133, 82, 32, 247, 99, 180, 198, 17, + 66, 149, 231, 48, 164, 115, 1, 214, + 3, 212, 166, 113, 229, 50, 64, 151, + 196, 19, 97, 182, 34, 245, 135, 80, + 134, 81, 35, 244, 96, 183, 197, 18, + 65, 150, 228, 51, 167, 112, 2, 213, + 4, 211, 161, 118, 226, 53, 71, 144, + 195, 20, 102, 177, 37, 242, 128, 87, + 129, 86, 36, 243, 103, 176, 194, 21, + 70, 145, 227, 52, 160, 119, 5, 210, + 7, 208, 162, 117, 225, 54, 68, 147, + 192, 23, 101, 178, 38, 241, 131, 84, + 130, 85, 39, 240, 100, 179, 193, 22, + 69, 146, 224, 55, 163, 116, 6, 209, + 8, 223, 173, 122, 238, 57, 75, 156, + 207, 24, 106, 189, 41, 254, 140, 91, + 141, 90, 40, 255, 107, 188, 206, 25, + 74, 157, 239, 56, 172, 123, 9, 222, + 11, 220, 174, 121, 237, 58, 72, 159, + 204, 27, 105, 190, 42, 253, 143, 88, + 142, 89, 43, 252, 104, 191, 205, 26, + 73, 158, 236, 59, 175, 120, 10, 221, + 12, 219, 169, 126, 234, 61, 79, 152, + 203, 28, 110, 185, 45, 250, 136, 95, + 137, 94, 44, 251, 111, 184, 202, 29, + 78, 153, 235, 60, 168, 127, 13, 218, + 15, 216, 170, 125, 233, 62, 76, 155, + 200, 31, 109, 186, 46, 249, 139, 92, + 138, 93, 47, 248, 108, 187, 201, 30, + 77, 154, 232, 63, 171, 124, 14, 217 + }, +}; + +const uint8_t S[256] = { + 32, 0, 178, 133, 59, 53, 166, 164, + 48, 228, 106, 44, 255, 89, 226, 14, + 248, 30, 122, 128, 21, 189, 62, 177, + 232, 243, 162, 194, 218, 81, 42, 16, + 33, 1, 35, 120, 92, 36, 39, 181, + 55, 199, 43, 31, 174, 10, 119, 95, + 111, 9, 157, 129, 4, 90, 41, 220, + 57, 156, 5, 87, 151, 116, 121, 23, + 68, 198, 230, 233, 221, 65, 242, 138, + 84, 202, 110, 74, 225, 173, 182, 136, + 28, 152, 126, 206, 99, 73, 58, 93, + 12, 239, 246, 52, 86, 37, 46, 214, + 103, 117, 85, 118, 184, 210, 97, 217, + 113, 139, 205, 11, 114, 108, 49, 75, + 105, 253, 123, 109, 96, 60, 47, 98, + 63, 34, 115, 19, 201, 130, 127, 83, + 50, 18, 160, 124, 2, 135, 132, 134, + 147, 78, 104, 70, 141, 195, 219, 236, + 155, 183, 137, 146, 167, 190, 61, 216, + 234, 80, 145, 241, 51, 56, 224, 169, + 163, 131, 161, 27, 207, 6, 149, 7, + 158, 237, 185, 245, 76, 192, 244, 45, + 22, 250, 180, 3, 38, 179, 144, 79, + 171, 101, 252, 254, 20, 247, 227, 148, + 238, 172, 140, 26, 222, 203, 40, 64, + 125, 200, 196, 72, 107, 223, 165, 82, + 229, 251, 215, 100, 249, 240, 211, 94, + 102, 150, 143, 29, 69, 54, 204, 197, + 77, 159, 191, 15, 209, 8, 235, 67, + 66, 25, 231, 153, 168, 142, 88, 193, + 154, 212, 24, 71, 170, 175, 188, 91, + 213, 17, 208, 176, 112, 187, 13, 186 +}; diff --git a/src/constants.h b/src/constants.h new file mode 100644 index 0000000..a786023 --- /dev/null +++ b/src/constants.h @@ -0,0 +1,16 @@ +#ifndef CONSTANTS_H +#define CONSTANTS_H + +#include + + +/* Tweakey permutation */ +extern const uint8_t h[8]; + +/* Tweakey multiplication */ +extern const uint8_t P[6][256]; + +/* Lilliput S-box */ +extern const uint8_t S[256]; + +#endif /* CONSTANTS_H */ diff --git a/src/debug.h b/src/debug.h new file mode 100644 index 0000000..87140e5 --- /dev/null +++ b/src/debug.h @@ -0,0 +1,50 @@ +#ifndef DEBUG_H +#define DEBUG_H + +#include +#include + + +static inline void debug_dump_lanes(FILE *output, const char *header, size_t len, const uint8_t buf[len], int indent) +{ + if (!output) + { + return; + } + + fprintf(output, "%s\n", header); + + for (size_t line=0; line +#include +#include + +#include "cipher.h" +#include "lilliput-ae.h" + + +static const uint8_t _0n[BLOCK_BYTES] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + + +static uint8_t _upper_nibble(uint8_t i) +{ + return i >> 4; +} + +static uint8_t _lower_nibble(uint8_t i) +{ + return i & 0x0f; +} + +static void _encrypt(const uint8_t K[KEY_BYTES], + const uint8_t T[TWEAK_BYTES], + const uint8_t M[BLOCK_BYTES], + uint8_t C[BLOCK_BYTES]) +{ + lilliput_tbc_encrypt(K, T, M, C); +} + +static void _decrypt(const uint8_t K[KEY_BYTES], + const uint8_t T[TWEAK_BYTES], + const uint8_t C[BLOCK_BYTES], + uint8_t M[BLOCK_BYTES]) +{ + lilliput_tbc_decrypt(K, T, C, M); +} + +static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES]) +{ + for (size_t i=0; i 1) + { + memset(padded, 0, pad_len-1); + } +} + +static void _fill_ad_tweak( + uint8_t prefix, + uint64_t block_nb, + uint8_t tweak[TWEAK_BYTES] +) +{ + /* The 192-bit tweak is filled as follows: + * + * - bits 1-188: block number + * 1- 64: actual 64-bit block number + * 65-188: 0-padding + * - bits 189-192: constant 4-bit prefix + */ + + for (size_t i=0; i> 8*i; + + tweak[i] = b; + } + + /* Assume padding bytes have already been memset to 0. */ + + tweak[TWEAK_BYTES-1] |= prefix << 4; +} + +static void _fill_msg_tweak( + uint8_t prefix, + const uint8_t N[NONCE_BYTES], + uint64_t block_nb, + uint8_t tweak[TWEAK_BYTES] +) +{ + /* The 192-bit tweak is filled as follows: + * + * - bits 1- 68: block number + * 1- 64: actual 64-bit block number + * 64- 68: 0-padding + * - bits 67-188: nonce + * - bits 189-192: constant 4-bit prefix + */ + + for (size_t i=0; i> 8*i; + + tweak[i] = b; + } + + tweak[sizeof(block_nb)] = _lower_nibble(N[0]) << 4; + + for (size_t i=1; i +#include +#include + +#include "parameters.h" + + +/* TODO: replace c_len with m_len */ +void lilliput_ae_encrypt( + size_t message_len, + const uint8_t message[message_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + uint8_t ciphertext[message_len], + uint8_t tag[TAG_BYTES] +); + +bool lilliput_ae_decrypt( + size_t ciphertext_len, + const uint8_t ciphertext[ciphertext_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + const uint8_t tag[TAG_BYTES], + uint8_t message[ciphertext_len] +); + + +#endif /* LILLIPUT_AE_H */ diff --git a/src/tweakey.c b/src/tweakey.c new file mode 100644 index 0000000..da97019 --- /dev/null +++ b/src/tweakey.c @@ -0,0 +1,83 @@ +#include +#include + +#include "constants.h" +#include "parameters.h" +#include "tweakey.h" + + +#define LANE_BITS 64 +#define LANE_BYTES (LANE_BITS/8) +#define LANES_NB (TWEAKEY_BYTES/LANE_BYTES) + + +void tweakey_state_init( + tweakey_state *TK, + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES] +) +{ + memcpy(TK->TK, tweak, TWEAK_BYTES); + memcpy(TK->TK+TWEAK_BYTES, key, KEY_BYTES); +} + + +void tweakey_state_extract( + const tweakey_state *TK, + uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ + uint8_t i /* round constant */ +) +{ + memset(round_tweakey, 0, ROUND_TWEAKEY_BYTES); + + for (const uint8_t *lane=TK->TK; laneTK+TWEAKEY_BYTES; lane+=LANE_BYTES) + { + for (size_t j=0; jTK, sizeof(TK_old)); + + /* TODO: homogenize indices; here j=lane; k=byte */ + + for (size_t j=0; jTK[j+h[k]] = TK_old[j+k]; + } + } +} + +static void _multiply_state(tweakey_state *TK) +{ + /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */ + + for (size_t lane=1; laneTK[offset] = P_lane[TK->TK[offset]]; + } + } +} + +void tweakey_state_update(tweakey_state *TK) +{ + _permute_state(TK); + _multiply_state(TK); +} diff --git a/src/tweakey.h b/src/tweakey.h new file mode 100644 index 0000000..0642724 --- /dev/null +++ b/src/tweakey.h @@ -0,0 +1,31 @@ +#ifndef TWEAKEY_H +#define TWEAKEY_H + +#include + +#include "parameters.h" + + +struct tweakey_state +{ + uint8_t TK[TWEAKEY_BYTES]; +}; + +typedef struct tweakey_state tweakey_state; + + +void tweakey_state_init( + tweakey_state *TK, + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES] +); + +void tweakey_state_extract( + const tweakey_state *TK, + uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ + uint8_t i /* round constant */ +); + +void tweakey_state_update(tweakey_state *TK); + +#endif /* TWEAKEY_H */ -- cgit v1.2.3