From e83abe9fdbab07e6df80443240d4d649303a3dd4 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Fri, 22 Mar 2019 16:41:34 +0100 Subject: [implem-python] Déplacement dans le dossier SOUMISSION_NIST MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Et ajout d'un métascript pour vérifier la conformité. Il ne reste plus qu'à… (bis) --- src/add_python/lilliput/tbc.py | 178 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 src/add_python/lilliput/tbc.py (limited to 'src/add_python/lilliput/tbc.py') diff --git a/src/add_python/lilliput/tbc.py b/src/add_python/lilliput/tbc.py new file mode 100644 index 0000000..5291994 --- /dev/null +++ b/src/add_python/lilliput/tbc.py @@ -0,0 +1,178 @@ +""" + Lilliput TBC +""" +from .constants import BLOCK_BYTES, Sbox +from .multiplications import ALPHAS + + +permutation = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] +permutationInv = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] + +################################################################################ + +def BuildTweakey(tweak, key): + return tweak+key + +############################# + +def _lane(TK, j): + return TK[j*8:(j+1)*8] + +def RoundTweakeySchedule(tweakey): + p = len(tweakey)//8 + + multiplied_lanes = ( + ALPHAS[j](_lane(tweakey, j)) for j in range(p) + ) + + return [byte for lane in multiplied_lanes for byte in lane] + + +def SubTweakeyExtract(tweakey, Ci): + RTKi = [0]*8 + + for j, byte in enumerate(tweakey): + RTKi[j%8] ^= byte + + RTKi[0] ^= Ci + + return RTKi + + +def TweakeyScheduleWhole(tweakey, r): + # store main tweakey in TKs[0] + # and corresponding round tweakey in RTKs[0] + TKs = [tweakey] + RTKs = [SubTweakeyExtract(TKs[0], 0)] + + for i in range(1, r): + TKs.append(RoundTweakeySchedule(TKs[i-1])) + RTKs.append(SubTweakeyExtract(TKs[i], i)) + + return RTKs + + +################################################################################ + +def NonLinearLayer(state, subtweakey): + + variables_xored = [0 for byte in range(0, 8)] + for byte in range(0,8): + variables_xored[byte] = state[byte] ^ subtweakey[byte] + + variables_sboxed = [0 for byte in range(0, 8)] + for byte in range(0, 8): + variables_sboxed[byte] = Sbox[variables_xored[byte]] + + state_output = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0,BLOCK_BYTES): + state_output[byte] = state[byte] + for byte in range(0, 8): + state_output[15 - byte] ^= variables_sboxed[byte] + + return state_output + + +def LinearLayer(state): + state_output = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0, BLOCK_BYTES): + state_output[byte] = state[byte] + + for byte in range(1, 8): + state_output[15] ^= state[byte] + + for byte in range(9, 15): + state_output[byte] ^= state[7] + + return state_output + + +def PermutationLayerEnc(state): + state_output = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0, BLOCK_BYTES): + state_output[byte] = state[permutation[byte]] + + return state_output + +def PermutationLayerDec(state): + state_output = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0, BLOCK_BYTES): + state_output[byte] = state[permutationInv[byte]] + + return state_output + + +def OneRoundEGFNEnc(state, subtweakey): + state_non_linear = NonLinearLayer(state, subtweakey) + state_linear = LinearLayer(state_non_linear) + state_permutation = PermutationLayerEnc(state_linear) + + return state_permutation + +def LastRoundEGFN(state, subtweakey): + state_non_linear = NonLinearLayer(state, subtweakey) + state_linear = LinearLayer(state_non_linear) + + return state_linear + + +def OneRoundEGFNDec(state, subtweakey): + state_non_linear = NonLinearLayer(state, subtweakey) + state_linear = LinearLayer(state_non_linear) + state_permutation = PermutationLayerDec(state_linear) + + return state_permutation + + +def _rounds(key_bytes): + rounds = { + 128: 32, + 192: 36, + 256: 42 + } + return rounds[key_bytes*8] + + +################################################################################ +# Lilliput TBC + +def encrypt(tweak, key, message): + r = _rounds(len(key)) + + tweakey = BuildTweakey(tweak, key) + RTKs = TweakeyScheduleWhole(tweakey, r) + + state = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0, BLOCK_BYTES): + state[byte] = message[byte] + + for i in range(0, r-1): + state_output = OneRoundEGFNEnc(state, RTKs[i]) + + for byte in range(0, BLOCK_BYTES): + state[byte] = state_output[byte] + + state_output = LastRoundEGFN(state, RTKs[r-1]) + + return state_output + + +def decrypt(tweak, key, cipher): + r = _rounds(len(key)) + + tweakey = BuildTweakey(tweak, key) + RTKs = TweakeyScheduleWhole(tweakey, r) + + state = [0 for byte in range(0, BLOCK_BYTES)] + for byte in range(0, BLOCK_BYTES): + state[byte] = cipher[byte] + + for i in range(0, r-1): + state_output = OneRoundEGFNDec(state, RTKs[r-i-1]) + + for byte in range(0, BLOCK_BYTES): + state[byte] = state_output[byte] + + state_output = LastRoundEGFN(state, RTKs[0]) + + return state_output -- cgit v1.2.3 From b46dd7acc86295d3072945f4a8098649d87504a2 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Sat, 23 Mar 2019 23:54:35 +0100 Subject: [implem-python] Documentation de Lilliput-Ⅰ et Lilliput-TBC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Idem, renommage des fonctions privées avec un souligné pour que l'API soit plus simple à comprendre. ⚠ Pas testé, ça prend littéralement 20 minutes à l'implémentation Python de générer les vecteurs de test, et c'est l'heure du dodo… --- src/add_python/lilliput/lilliput_ae_1.py | 52 +++++++++------ src/add_python/lilliput/tbc.py | 105 ++++++++++++++++++------------- 2 files changed, 95 insertions(+), 62 deletions(-) (limited to 'src/add_python/lilliput/tbc.py') diff --git a/src/add_python/lilliput/lilliput_ae_1.py b/src/add_python/lilliput/lilliput_ae_1.py index 0da2a95..1429002 100644 --- a/src/add_python/lilliput/lilliput_ae_1.py +++ b/src/add_python/lilliput/lilliput_ae_1.py @@ -1,5 +1,21 @@ -""" - OCB 3 for lilliput ae i +# Implementation of the Lilliput-AE tweakable block cipher. +# +# Authors, hereby denoted as "the implementer": +# Kévin Le Gouguec, +# Léo Reynaud +# 2019. +# +# For more information, feedback or questions, refer to our website: +# https://paclido.fr/lilliput-ae +# +# To the extent possible under law, the implementer has waived all copyright +# and related or neighboring rights to the source code in this file. +# http://creativecommons.org/publicdomain/zero/1.0/ + +"""Lilliput-I Authenticated Encryption mode. + +This module provides the functions for authenticated encryption and decryption +using Lilliput-AE's nonce-misuse-resistant mode based on ΘCB3. """ from enum import Enum @@ -20,7 +36,7 @@ TWEAK_BITS = 192 TWEAK_BYTES = TWEAK_BITS//8 -def LowPart(array, number_bits): +def _LowPart(array, number_bits): shifted = 0 for byte in range(0, len(array)): shifted |= (array[byte] << (8 * byte)) @@ -51,7 +67,7 @@ class _MessageTweak(Enum): FINAL = 0b0101 -def TweakMessage(N, j, padding): +def _TweakMessage(N, j, padding): tweak = [0 for byte in range(0, TWEAK_BYTES)] for byte in range(NONCE_BYTES-1, -1, -1): tweak[byte + (TWEAK_BYTES-NONCE_BYTES)] |= (N[byte] & 0xf0) >> 4 @@ -66,7 +82,7 @@ def TweakMessage(N, j, padding): return tweak -def TreatMessageEnc(M, N, key): +def _TreatMessageEnc(M, N, key): checksum = [0 for byte in range(0, BLOCK_BYTES)] l = len(M)//BLOCK_BYTES @@ -77,28 +93,28 @@ def TreatMessageEnc(M, N, key): for j in range(0, l): checksum = XorState(checksum, M[j]) - tweak = TweakMessage(N, j, _MessageTweak.BLOCK) + tweak = _TweakMessage(N, j, _MessageTweak.BLOCK) C.append(tbc.encrypt(tweak, key, M[j])) if padding_bytes == 0: - tweak = TweakMessage(N, l, _MessageTweak.NO_PADDING) + tweak = _TweakMessage(N, l, _MessageTweak.NO_PADDING) Final = tbc.encrypt(tweak, key, checksum) else: m_padded = Padding10LSB(M[l]) checksum = XorState(checksum, m_padded) - tweak = TweakMessage(N, l, _MessageTweak.PAD) + tweak = _TweakMessage(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) - lower_part = LowPart(pad, padding_bytes*8) + lower_part = _LowPart(pad, padding_bytes*8) C.append(XorState(M[l], lower_part)) - tweak_final = TweakMessage(N, l+1, _MessageTweak.FINAL) + tweak_final = _TweakMessage(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) return (Final, C) -def TreatMessageDec(C, N, key): +def _TreatMessageDec(C, N, key): checksum = [0 for byte in range(0, BLOCK_BYTES)] l = len(C)//BLOCK_BYTES @@ -108,23 +124,23 @@ def TreatMessageDec(C, N, key): M = [] for j in range(0, l): - tweak = TweakMessage(N, j, _MessageTweak.BLOCK) + tweak = _TweakMessage(N, j, _MessageTweak.BLOCK) M.append(tbc.decrypt(tweak, key, C[j])) checksum = XorState(checksum, M[j]) if padding_bytes == 0: - tweak = TweakMessage(N, l, _MessageTweak.NO_PADDING) + tweak = _TweakMessage(N, l, _MessageTweak.NO_PADDING) Final = tbc.encrypt(tweak, key, checksum) else: - tweak = TweakMessage(N, l, _MessageTweak.PAD) + tweak = _TweakMessage(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) - lower_part = LowPart(pad, padding_bytes*8) + lower_part = _LowPart(pad, padding_bytes*8) M.append(XorState(C[l], lower_part)) m_padded = Padding10LSB(M[l]) checksum = XorState(checksum, m_padded) - tweak_final = TweakMessage(N, l+1, _MessageTweak.FINAL) + tweak_final = _TweakMessage(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) return (Final, M) @@ -135,7 +151,7 @@ def encrypt(A, M, N, key): K = list(key) Auth = BuildAuth(TWEAK_BITS, A, K) - (Final, C) = TreatMessageEnc(M, N, K) + (Final, C) = _TreatMessageEnc(M, N, K) tag = XorState(Auth, Final) return BlockbytesMatrixToBytes(C), bytes(tag) @@ -146,7 +162,7 @@ def decrypt(A, C, N, tag, key): tag = list(tag) Auth = BuildAuth(TWEAK_BITS, A, K) - (Final, M) = TreatMessageDec(C, N, K) + (Final, M) = _TreatMessageDec(C, N, K) tag2 = XorState(Auth, Final) if tag != tag2: diff --git a/src/add_python/lilliput/tbc.py b/src/add_python/lilliput/tbc.py index 5291994..50f9e2f 100644 --- a/src/add_python/lilliput/tbc.py +++ b/src/add_python/lilliput/tbc.py @@ -1,34 +1,51 @@ +# Implementation of the Lilliput-AE tweakable block cipher. +# +# Authors, hereby denoted as "the implementer": +# Kévin Le Gouguec, +# Léo Reynaud +# 2019. +# +# For more information, feedback or questions, refer to our website: +# https://paclido.fr/lilliput-ae +# +# To the extent possible under law, the implementer has waived all copyright +# and related or neighboring rights to the source code in this file. +# http://creativecommons.org/publicdomain/zero/1.0/ + +"""Lilliput-TBC tweakable block cipher. + +This module provides functions to encrypt and decrypt blocks of 128 bits. """ - Lilliput TBC -""" + from .constants import BLOCK_BYTES, Sbox from .multiplications import ALPHAS -permutation = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] -permutationInv = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] +_permutation = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] +_permutationInv = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] ################################################################################ -def BuildTweakey(tweak, key): +def _BuildTweakey(tweak, key): return tweak+key ############################# -def _lane(TK, j): +def _Lane(TK, j): return TK[j*8:(j+1)*8] -def RoundTweakeySchedule(tweakey): + +def _RoundTweakeySchedule(tweakey): p = len(tweakey)//8 multiplied_lanes = ( - ALPHAS[j](_lane(tweakey, j)) for j in range(p) + ALPHAS[j](_Lane(tweakey, j)) for j in range(p) ) return [byte for lane in multiplied_lanes for byte in lane] -def SubTweakeyExtract(tweakey, Ci): +def _SubTweakeyExtract(tweakey, Ci): RTKi = [0]*8 for j, byte in enumerate(tweakey): @@ -39,22 +56,22 @@ def SubTweakeyExtract(tweakey, Ci): return RTKi -def TweakeyScheduleWhole(tweakey, r): - # store main tweakey in TKs[0] - # and corresponding round tweakey in RTKs[0] +def _TweakeyScheduleWhole(tweakey, r): + # Store the initial tweakey in TKs[0], and the corresponding round tweakey + # in RTKs[0]. TKs = [tweakey] - RTKs = [SubTweakeyExtract(TKs[0], 0)] + RTKs = [_SubTweakeyExtract(TKs[0], 0)] for i in range(1, r): - TKs.append(RoundTweakeySchedule(TKs[i-1])) - RTKs.append(SubTweakeyExtract(TKs[i], i)) + TKs.append(_RoundTweakeySchedule(TKs[i-1])) + RTKs.append(_SubTweakeyExtract(TKs[i], i)) return RTKs ################################################################################ -def NonLinearLayer(state, subtweakey): +def _NonLinearLayer(state, subtweakey): variables_xored = [0 for byte in range(0, 8)] for byte in range(0,8): @@ -73,7 +90,7 @@ def NonLinearLayer(state, subtweakey): return state_output -def LinearLayer(state): +def _LinearLayer(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state_output[byte] = state[byte] @@ -87,44 +104,44 @@ def LinearLayer(state): return state_output -def PermutationLayerEnc(state): +def _PermutationLayerEnc(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[permutation[byte]] + state_output[byte] = state[_permutation[byte]] return state_output -def PermutationLayerDec(state): +def _PermutationLayerDec(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[permutationInv[byte]] + state_output[byte] = state[_permutationInv[byte]] return state_output -def OneRoundEGFNEnc(state, subtweakey): - state_non_linear = NonLinearLayer(state, subtweakey) - state_linear = LinearLayer(state_non_linear) - state_permutation = PermutationLayerEnc(state_linear) +def _OneRoundEGFNEnc(state, subtweakey): + state_non_linear = _NonLinearLayer(state, subtweakey) + state_linear = _LinearLayer(state_non_linear) + state_permutation = _PermutationLayerEnc(state_linear) return state_permutation -def LastRoundEGFN(state, subtweakey): - state_non_linear = NonLinearLayer(state, subtweakey) - state_linear = LinearLayer(state_non_linear) +def _LastRoundEGFN(state, subtweakey): + state_non_linear = _NonLinearLayer(state, subtweakey) + state_linear = _LinearLayer(state_non_linear) return state_linear -def OneRoundEGFNDec(state, subtweakey): - state_non_linear = NonLinearLayer(state, subtweakey) - state_linear = LinearLayer(state_non_linear) - state_permutation = PermutationLayerDec(state_linear) +def _OneRoundEGFNDec(state, subtweakey): + state_non_linear = _NonLinearLayer(state, subtweakey) + state_linear = _LinearLayer(state_non_linear) + state_permutation = _PermutationLayerDec(state_linear) return state_permutation -def _rounds(key_bytes): +def _Rounds(key_bytes): rounds = { 128: 32, 192: 36, @@ -134,45 +151,45 @@ def _rounds(key_bytes): ################################################################################ -# Lilliput TBC + def encrypt(tweak, key, message): - r = _rounds(len(key)) + r = _Rounds(len(key)) - tweakey = BuildTweakey(tweak, key) - RTKs = TweakeyScheduleWhole(tweakey, r) + tweakey = _BuildTweakey(tweak, key) + RTKs = _TweakeyScheduleWhole(tweakey, r) state = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state[byte] = message[byte] for i in range(0, r-1): - state_output = OneRoundEGFNEnc(state, RTKs[i]) + state_output = _OneRoundEGFNEnc(state, RTKs[i]) for byte in range(0, BLOCK_BYTES): state[byte] = state_output[byte] - state_output = LastRoundEGFN(state, RTKs[r-1]) + state_output = _LastRoundEGFN(state, RTKs[r-1]) return state_output def decrypt(tweak, key, cipher): - r = _rounds(len(key)) + r = _Rounds(len(key)) - tweakey = BuildTweakey(tweak, key) - RTKs = TweakeyScheduleWhole(tweakey, r) + tweakey = _BuildTweakey(tweak, key) + RTKs = _TweakeyScheduleWhole(tweakey, r) state = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state[byte] = cipher[byte] for i in range(0, r-1): - state_output = OneRoundEGFNDec(state, RTKs[r-i-1]) + state_output = _OneRoundEGFNDec(state, RTKs[r-i-1]) for byte in range(0, BLOCK_BYTES): state[byte] = state_output[byte] - state_output = LastRoundEGFN(state, RTKs[0]) + state_output = _LastRoundEGFN(state, RTKs[0]) return state_output -- cgit v1.2.3 From 1b6e1eb38927633292e934ac314b10e7acc28e3d Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Sun, 24 Mar 2019 14:17:25 +0100 Subject: [implem-python] Conformité PEP8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Surtout la capitalisation des noms de fonction. Retrait des lignes de '#' ; si il y a des séparations à faire, autant ajouter des modules. Correction de _MessageTweak.BLOCK en passant. --- src/add_python/lilliput/ae_mode_1.py | 77 +++++++++++++------------ src/add_python/lilliput/ae_mode_2.py | 62 ++++++++++---------- src/add_python/lilliput/constants.py | 2 +- src/add_python/lilliput/helpers.py | 24 ++++---- src/add_python/lilliput/multiplications.py | 28 ++++----- src/add_python/lilliput/tbc.py | 91 ++++++++++++++---------------- 6 files changed, 140 insertions(+), 144 deletions(-) (limited to 'src/add_python/lilliput/tbc.py') diff --git a/src/add_python/lilliput/ae_mode_1.py b/src/add_python/lilliput/ae_mode_1.py index c2fdd9e..cc550e8 100644 --- a/src/add_python/lilliput/ae_mode_1.py +++ b/src/add_python/lilliput/ae_mode_1.py @@ -22,12 +22,12 @@ from enum import Enum from .constants import BLOCK_BYTES, NONCE_BYTES from .helpers import ( - ArrayToBlockbytesMatrix, - BlockbytesMatrixToBytes, - BuildAuth, - Padding10LSB, + bytes_to_block_matrix, + block_matrix_to_bytes, + build_auth, + pad10, TagValidationError, - XorState + xor_state ) from . import tbc @@ -36,7 +36,7 @@ TWEAK_BITS = 192 TWEAK_BYTES = TWEAK_BITS//8 -def _LowPart(array, number_bits): +def _low_part(array, number_bits): shifted = 0 for byte in range(0, len(array)): shifted |= (array[byte] << (8 * byte)) @@ -61,13 +61,13 @@ def _LowPart(array, number_bits): class _MessageTweak(Enum): - BLOCK = 0b000 + BLOCK = 0b0000 NO_PADDING = 0b0001 PAD = 0b0100 FINAL = 0b0101 -def _TweakMessage(N, j, padding): +def _tweak_message(N, j, padding): tweak = [0 for byte in range(0, TWEAK_BYTES)] for byte in range(NONCE_BYTES-1, -1, -1): tweak[byte + (TWEAK_BYTES-NONCE_BYTES)] |= (N[byte] & 0xf0) >> 4 @@ -82,90 +82,89 @@ def _TweakMessage(N, j, padding): return tweak -def _TreatMessageEnc(M, N, key): +def _treat_message_enc(M, N, key): checksum = [0 for byte in range(0, BLOCK_BYTES)] l = len(M)//BLOCK_BYTES padding_bytes = len(M)%BLOCK_BYTES - M = ArrayToBlockbytesMatrix(M) + M = bytes_to_block_matrix(M) C = [] for j in range(0, l): - checksum = XorState(checksum, M[j]) - tweak = _TweakMessage(N, j, _MessageTweak.BLOCK) + checksum = xor_state(checksum, M[j]) + tweak = _tweak_message(N, j, _MessageTweak.BLOCK) C.append(tbc.encrypt(tweak, key, M[j])) if padding_bytes == 0: - tweak = _TweakMessage(N, l, _MessageTweak.NO_PADDING) + tweak = _tweak_message(N, l, _MessageTweak.NO_PADDING) Final = tbc.encrypt(tweak, key, checksum) else: - m_padded = Padding10LSB(M[l]) - checksum = XorState(checksum, m_padded) - tweak = _TweakMessage(N, l, _MessageTweak.PAD) + m_padded = pad10(M[l]) + checksum = xor_state(checksum, m_padded) + tweak = _tweak_message(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) - lower_part = _LowPart(pad, padding_bytes*8) - C.append(XorState(M[l], lower_part)) - tweak_final = _TweakMessage(N, l+1, _MessageTweak.FINAL) + lower_part = _low_part(pad, padding_bytes*8) + C.append(xor_state(M[l], lower_part)) + tweak_final = _tweak_message(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) return (Final, C) -def _TreatMessageDec(C, N, key): +def _treat_message_dec(C, N, key): checksum = [0 for byte in range(0, BLOCK_BYTES)] l = len(C)//BLOCK_BYTES padding_bytes = len(C)%BLOCK_BYTES - C = ArrayToBlockbytesMatrix(C) + C = bytes_to_block_matrix(C) M = [] for j in range(0, l): - tweak = _TweakMessage(N, j, _MessageTweak.BLOCK) + tweak = _tweak_message(N, j, _MessageTweak.BLOCK) M.append(tbc.decrypt(tweak, key, C[j])) - checksum = XorState(checksum, M[j]) + checksum = xor_state(checksum, M[j]) if padding_bytes == 0: - tweak = _TweakMessage(N, l, _MessageTweak.NO_PADDING) + tweak = _tweak_message(N, l, _MessageTweak.NO_PADDING) Final = tbc.encrypt(tweak, key, checksum) else: - tweak = _TweakMessage(N, l, _MessageTweak.PAD) + tweak = _tweak_message(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) - lower_part = _LowPart(pad, padding_bytes*8) - M.append(XorState(C[l], lower_part)) + lower_part = _low_part(pad, padding_bytes*8) + M.append(xor_state(C[l], lower_part)) - m_padded = Padding10LSB(M[l]) - checksum = XorState(checksum, m_padded) - tweak_final = _TweakMessage(N, l+1, _MessageTweak.FINAL) + m_padded = pad10(M[l]) + checksum = xor_state(checksum, m_padded) + tweak_final = _tweak_message(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) return (Final, M) -################################################################################ def encrypt(A, M, N, key): K = list(key) - Auth = BuildAuth(TWEAK_BITS, A, K) - (Final, C) = _TreatMessageEnc(M, N, K) - tag = XorState(Auth, Final) + Auth = build_auth(TWEAK_BITS, A, K) + (Final, C) = _treat_message_enc(M, N, K) + tag = xor_state(Auth, Final) - return BlockbytesMatrixToBytes(C), bytes(tag) + return block_matrix_to_bytes(C), bytes(tag) def decrypt(A, C, N, tag, key): K = list(key) tag = list(tag) - Auth = BuildAuth(TWEAK_BITS, A, K) - (Final, M) = _TreatMessageDec(C, N, K) - tag2 = XorState(Auth, Final) + Auth = build_auth(TWEAK_BITS, A, K) + (Final, M) = _treat_message_dec(C, N, K) + tag2 = xor_state(Auth, Final) if tag != tag2: raise TagValidationError(tag, tag2) - return BlockbytesMatrixToBytes(M) + return block_matrix_to_bytes(M) diff --git a/src/add_python/lilliput/ae_mode_2.py b/src/add_python/lilliput/ae_mode_2.py index fb6feff..4d5e499 100644 --- a/src/add_python/lilliput/ae_mode_2.py +++ b/src/add_python/lilliput/ae_mode_2.py @@ -20,12 +20,12 @@ using Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. from .constants import BLOCK_BYTES from .helpers import ( - ArrayToBlockbytesMatrix, - BlockbytesMatrixToBytes, - BuildAuth, - Padding10LSB, + bytes_to_block_matrix, + block_matrix_to_bytes, + build_auth, + pad10, TagValidationError, - XorState + xor_state ) from . import tbc @@ -34,7 +34,7 @@ TWEAK_BITS = 128 TWEAK_BYTES = TWEAK_BITS//8 -def _TweakTag(j, padded): +def _tweak_tag(j, padded): tweak = [0 for byte in range(0, TWEAK_BYTES)] tweak[TWEAK_BYTES - 1] |= ((j >> 120) & 0xf) @@ -47,7 +47,7 @@ def _TweakTag(j, padded): return tweak -def _TweakTagEnd(N): +def _tweak_tag_end(N): tweak = [0 for byte in range(0, TWEAK_BYTES)] for byte in range(0, TWEAK_BYTES - 1): @@ -57,61 +57,61 @@ def _TweakTagEnd(N): return tweak -def _AddTagJ(tag, j): +def _add_tag_j(tag, j): array_j = [0 for byte in range(0, TWEAK_BYTES)] for byte in range(0, TWEAK_BYTES): array_j[byte] = (j >> (byte * 8)) - xorr = XorState(tag, array_j) + xorr = xor_state(tag, array_j) xorr[TWEAK_BYTES - 1] |= 0x80 return xorr -def _MesssageAuthTag(M, N, Auth, key): +def _message_auth_tag(M, N, Auth, key): l = len(M)//BLOCK_BYTES need_padding = len(M)%BLOCK_BYTES > 0 tag = list(Auth) - M = ArrayToBlockbytesMatrix(M) + M = bytes_to_block_matrix(M) for j in range(0, l): - tweak = _TweakTag(j, False) + tweak = _tweak_tag(j, False) encryption = tbc.encrypt(tweak, key, M[j]) - tag = XorState(tag, encryption) + tag = xor_state(tag, encryption) if need_padding: - tweak = _TweakTag(l, True) - m_padded = Padding10LSB(M[l]) + tweak = _tweak_tag(l, True) + m_padded = pad10(M[l]) encryption = tbc.encrypt(tweak, key, m_padded) - tag = XorState(tag, encryption) + tag = xor_state(tag, encryption) - tweak = _TweakTagEnd(N) + tweak = _tweak_tag_end(N) encryption = tbc.encrypt(tweak, key, tag) tag = encryption return tag -def _MessageEncryption(M, N, tag, key): +def _message_encryption(M, N, tag, key): l = len(M)//BLOCK_BYTES need_padding = len(M)%BLOCK_BYTES > 0 - M = ArrayToBlockbytesMatrix(M) + M = bytes_to_block_matrix(M) C = [] for j in range(0, l): - tweak = _AddTagJ(tag, j) + tweak = _add_tag_j(tag, j) padded_nonce = list(N) + [0x00] encryption = tbc.encrypt(tweak, key, padded_nonce) - C.append(XorState(M[j], encryption)) + C.append(xor_state(M[j], encryption)) if need_padding: - tweak = _AddTagJ(tag, l) + tweak = _add_tag_j(tag, l) padded_nonce = list(N) + [0x00] encryption = tbc.encrypt(tweak, key, padded_nonce) - C.append(XorState(M[l], encryption)) + C.append(xor_state(M[l], encryption)) return C @@ -120,22 +120,22 @@ def _MessageEncryption(M, N, tag, key): def encrypt(A, M, N, key): K = list(key) - Auth = BuildAuth(TWEAK_BITS, A, K) - tag = _MesssageAuthTag(M, N, Auth, K) - C = _MessageEncryption(M, N, tag, K) + Auth = build_auth(TWEAK_BITS, A, K) + tag = _message_auth_tag(M, N, Auth, K) + C = _message_encryption(M, N, tag, K) - return BlockbytesMatrixToBytes(C), bytes(tag) + return block_matrix_to_bytes(C), bytes(tag) def decrypt(A, C, N, tag, key): K = list(key) tag = list(tag) - M = BlockbytesMatrixToBytes( - _MessageEncryption(C, N, tag, K) + M = block_matrix_to_bytes( + _message_encryption(C, N, tag, K) ) - Auth = BuildAuth(TWEAK_BITS, A, K) - tag2 = _MesssageAuthTag(M, N, Auth, K) + Auth = build_auth(TWEAK_BITS, A, K) + tag2 = _message_auth_tag(M, N, Auth, K) if tag != tag2: raise TagValidationError(tag, tag2) diff --git a/src/add_python/lilliput/constants.py b/src/add_python/lilliput/constants.py index 0c9b89f..5e07e96 100644 --- a/src/add_python/lilliput/constants.py +++ b/src/add_python/lilliput/constants.py @@ -4,7 +4,7 @@ NONCE_BYTES = 15 TAG_BYTES = 16 -Sbox = [ +SBOX = [ 0x20, 0x00, 0xb2, 0x85, 0x3b, 0x35, 0xa6, 0xa4, 0x30, 0xe4, 0x6a, 0x2c, 0xff, 0x59, 0xe2, 0x0e, 0xf8, 0x1e, 0x7a, 0x80, 0x15, 0xbd, 0x3e, 0xb1, diff --git a/src/add_python/lilliput/helpers.py b/src/add_python/lilliput/helpers.py index 8677f06..65989d0 100644 --- a/src/add_python/lilliput/helpers.py +++ b/src/add_python/lilliput/helpers.py @@ -2,7 +2,7 @@ from .constants import BLOCK_BITS, BLOCK_BYTES from . import tbc -def ArrayToBlockbytesMatrix(array): +def bytes_to_block_matrix(array): vector = list(array) blocks_nb = len(vector)//BLOCK_BYTES @@ -24,20 +24,20 @@ def ArrayToBlockbytesMatrix(array): return matrix -def BlockbytesMatrixToBytes(matrix): +def block_matrix_to_bytes(matrix): return bytes(byte for block in matrix for byte in block) -def XorState(state1, state2): +def xor_state(state1, state2): return [s1^s2 for (s1, s2) in zip(state1, state2)] -def Padding10LSB(X): +def pad10(X): zeroes = [0] * (BLOCK_BYTES-len(X)-1) return zeroes + [0b10000000] + X -def _tweakAssociatedData(t, i, padded): +def _tweak_associated_data(t, i, padded): t_bytes = t//8 tweak = [0]*(t_bytes) @@ -56,25 +56,25 @@ def _tweakAssociatedData(t, i, padded): return tweak -def BuildAuth(t, A, key): +def build_auth(t, A, key): Auth = [0 for byte in range(0, BLOCK_BYTES)] l_a = len(A)//BLOCK_BYTES need_padding = len(A)%BLOCK_BYTES > 0 - A = ArrayToBlockbytesMatrix(A) + A = bytes_to_block_matrix(A) for i in range(0, l_a): - tweak = _tweakAssociatedData(t, i, padded=False) + tweak = _tweak_associated_data(t, i, padded=False) enc = tbc.encrypt(tweak, key, A[i]) - Auth = XorState(Auth, enc) + Auth = xor_state(Auth, enc) if not need_padding: return Auth - tweak = _tweakAssociatedData(t, l_a, padded=True) - ad_padded = Padding10LSB(A[l_a]) + tweak = _tweak_associated_data(t, l_a, padded=True) + ad_padded = pad10(A[l_a]) enc = tbc.encrypt(tweak, key, ad_padded) - Auth = XorState(Auth, enc) + Auth = xor_state(Auth, enc) return Auth diff --git a/src/add_python/lilliput/multiplications.py b/src/add_python/lilliput/multiplications.py index c5f1e44..dfdc3cb 100644 --- a/src/add_python/lilliput/multiplications.py +++ b/src/add_python/lilliput/multiplications.py @@ -1,6 +1,6 @@ -# Multiply by matrix M -def _multiplyM(lane): + +def _multiply_M(lane): multiplied_lane = [lane[(byte-1) % 8] for byte in range(0, 8)] multiplied_lane[2] ^= ((lane[6] << 2) & 0xff) @@ -9,7 +9,8 @@ def _multiplyM(lane): return multiplied_lane -def _multiplyM2(lane): + +def _multiply_M2(lane): multiplied_lane = [lane[(byte-2) % 8] for byte in range(0, 8)] multiplied_lane[2] ^= ((lane[5] << 2) & 0xff) @@ -35,7 +36,7 @@ def _multiplyM2(lane): return multiplied_lane -def _multiplyM3(lane): +def _multiply_M3(lane): multiplied_lane = [lane[(byte-3) % 8] for byte in range(0, 8)] multiplied_lane[2] ^= ((lane[4] << 2) & 0xff) ^ ((lane[5] << 5) & 0xff) @@ -86,7 +87,7 @@ def _multiplyM3(lane): return multiplied_lane -def _multiplyMR(lane): +def _multiply_MR(lane): multiplied_lane = [lane[(byte+1) % 8] for byte in range(0, 8)] multiplied_lane[2] ^= ((lane[4] >> 3) & 0xff) @@ -96,7 +97,7 @@ def _multiplyMR(lane): return multiplied_lane -def _multiplyMR2(lane): +def _multiply_MR2(lane): multiplied_lane = [lane[(byte+2) % 8] for byte in range(0, 8)] multiplied_lane[1] ^= ((lane[4] >> 3) & 0xff) @@ -120,7 +121,8 @@ def _multiplyMR2(lane): return multiplied_lane -def _multiplyMR3(lane): + +def _multiply_MR3(lane): multiplied_lane = [lane[(byte+3) % 8] for byte in range(0, 8)] multiplied_lane[0] ^= ((lane[4] >> 3) & 0xff) @@ -177,10 +179,10 @@ def _multiplyMR3(lane): ALPHAS = ( list, # Identity. - _multiplyM, - _multiplyM2, - _multiplyM3, - _multiplyMR, - _multiplyMR2, - _multiplyMR3 + _multiply_M, + _multiply_M2, + _multiply_M3, + _multiply_MR, + _multiply_MR2, + _multiply_MR3 ) diff --git a/src/add_python/lilliput/tbc.py b/src/add_python/lilliput/tbc.py index 50f9e2f..c607e45 100644 --- a/src/add_python/lilliput/tbc.py +++ b/src/add_python/lilliput/tbc.py @@ -17,35 +17,33 @@ This module provides functions to encrypt and decrypt blocks of 128 bits. """ -from .constants import BLOCK_BYTES, Sbox +from .constants import BLOCK_BYTES, SBOX from .multiplications import ALPHAS -_permutation = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] -_permutationInv = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] +_PERMUTATION = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] +_PERMUTATION_INV = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] -################################################################################ -def _BuildTweakey(tweak, key): +def _build_tweakey(tweak, key): return tweak+key -############################# -def _Lane(TK, j): +def _lane(TK, j): return TK[j*8:(j+1)*8] -def _RoundTweakeySchedule(tweakey): +def _round_tweakey_schedule(tweakey): p = len(tweakey)//8 multiplied_lanes = ( - ALPHAS[j](_Lane(tweakey, j)) for j in range(p) + ALPHAS[j](_lane(tweakey, j)) for j in range(p) ) return [byte for lane in multiplied_lanes for byte in lane] -def _SubTweakeyExtract(tweakey, Ci): +def _subtweakey_extract(tweakey, Ci): RTKi = [0]*8 for j, byte in enumerate(tweakey): @@ -56,22 +54,20 @@ def _SubTweakeyExtract(tweakey, Ci): return RTKi -def _TweakeyScheduleWhole(tweakey, r): +def _tweakey_schedule_whole(tweakey, r): # Store the initial tweakey in TKs[0], and the corresponding round tweakey # in RTKs[0]. TKs = [tweakey] - RTKs = [_SubTweakeyExtract(TKs[0], 0)] + RTKs = [_subtweakey_extract(TKs[0], 0)] for i in range(1, r): - TKs.append(_RoundTweakeySchedule(TKs[i-1])) - RTKs.append(_SubTweakeyExtract(TKs[i], i)) + TKs.append(_round_tweakey_schedule(TKs[i-1])) + RTKs.append(_subtweakey_extract(TKs[i], i)) return RTKs -################################################################################ - -def _NonLinearLayer(state, subtweakey): +def _non_linear_layer(state, subtweakey): variables_xored = [0 for byte in range(0, 8)] for byte in range(0,8): @@ -79,7 +75,7 @@ def _NonLinearLayer(state, subtweakey): variables_sboxed = [0 for byte in range(0, 8)] for byte in range(0, 8): - variables_sboxed[byte] = Sbox[variables_xored[byte]] + variables_sboxed[byte] = SBOX[variables_xored[byte]] state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0,BLOCK_BYTES): @@ -90,7 +86,7 @@ def _NonLinearLayer(state, subtweakey): return state_output -def _LinearLayer(state): +def _linear_layer(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state_output[byte] = state[byte] @@ -104,44 +100,46 @@ def _LinearLayer(state): return state_output -def _PermutationLayerEnc(state): +def _permutation_layer_enc(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[_permutation[byte]] + state_output[byte] = state[_PERMUTATION[byte]] return state_output -def _PermutationLayerDec(state): + +def _permutation_layer_dec(state): state_output = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[_permutationInv[byte]] + state_output[byte] = state[_PERMUTATION_INV[byte]] return state_output -def _OneRoundEGFNEnc(state, subtweakey): - state_non_linear = _NonLinearLayer(state, subtweakey) - state_linear = _LinearLayer(state_non_linear) - state_permutation = _PermutationLayerEnc(state_linear) +def _one_round_egfn_enc(state, subtweakey): + state_non_linear = _non_linear_layer(state, subtweakey) + state_linear = _linear_layer(state_non_linear) + state_permutation = _permutation_layer_enc(state_linear) return state_permutation -def _LastRoundEGFN(state, subtweakey): - state_non_linear = _NonLinearLayer(state, subtweakey) - state_linear = _LinearLayer(state_non_linear) + +def _last_round_egfn(state, subtweakey): + state_non_linear = _non_linear_layer(state, subtweakey) + state_linear = _linear_layer(state_non_linear) return state_linear -def _OneRoundEGFNDec(state, subtweakey): - state_non_linear = _NonLinearLayer(state, subtweakey) - state_linear = _LinearLayer(state_non_linear) - state_permutation = _PermutationLayerDec(state_linear) +def _one_round_egfn_dec(state, subtweakey): + state_non_linear = _non_linear_layer(state, subtweakey) + state_linear = _linear_layer(state_non_linear) + state_permutation = _permutation_layer_dec(state_linear) return state_permutation -def _Rounds(key_bytes): +def _rounds(key_bytes): rounds = { 128: 32, 192: 36, @@ -150,46 +148,43 @@ def _Rounds(key_bytes): return rounds[key_bytes*8] -################################################################################ - - def encrypt(tweak, key, message): - r = _Rounds(len(key)) + r = _rounds(len(key)) - tweakey = _BuildTweakey(tweak, key) - RTKs = _TweakeyScheduleWhole(tweakey, r) + tweakey = _build_tweakey(tweak, key) + RTKs = _tweakey_schedule_whole(tweakey, r) state = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state[byte] = message[byte] for i in range(0, r-1): - state_output = _OneRoundEGFNEnc(state, RTKs[i]) + state_output = _one_round_egfn_enc(state, RTKs[i]) for byte in range(0, BLOCK_BYTES): state[byte] = state_output[byte] - state_output = _LastRoundEGFN(state, RTKs[r-1]) + state_output = _last_round_egfn(state, RTKs[r-1]) return state_output def decrypt(tweak, key, cipher): - r = _Rounds(len(key)) + r = _rounds(len(key)) - tweakey = _BuildTweakey(tweak, key) - RTKs = _TweakeyScheduleWhole(tweakey, r) + tweakey = _build_tweakey(tweak, key) + RTKs = _tweakey_schedule_whole(tweakey, r) state = [0 for byte in range(0, BLOCK_BYTES)] for byte in range(0, BLOCK_BYTES): state[byte] = cipher[byte] for i in range(0, r-1): - state_output = _OneRoundEGFNDec(state, RTKs[r-i-1]) + state_output = _one_round_egfn_dec(state, RTKs[r-i-1]) for byte in range(0, BLOCK_BYTES): state[byte] = state_output[byte] - state_output = _LastRoundEGFN(state, RTKs[0]) + state_output = _last_round_egfn(state, RTKs[0]) return state_output -- cgit v1.2.3 From 33c615feaaf148c099ee4299ad2c8a6f7e1778cf Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Sun, 24 Mar 2019 15:19:15 +0100 Subject: [implem-python] Réécriture de certains range() dans tbc.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit IME, itérer sur un range() est rarement la façon la plus expressive de faire les choses ; les alternatives imposent une structure qui rendent l'intention plus claire. E.g. quand on voit une compréhension, on comprend que l'auteur cherche à filtrer et/ou transformer ce sur quoi il itère. Réutilisation de xor_state(), renommé xor() puisqu'il sert dans plusieurs situations. Séparation de ce xor() et des fonctions communes aux modes authentifiés pour éviter un import circulaire. --- src/add_python/lilliput/ae_common.py | 89 ++++++++++++++++++++++++++++++++ src/add_python/lilliput/ae_mode_1.py | 20 ++++---- src/add_python/lilliput/ae_mode_2.py | 14 +++--- src/add_python/lilliput/helpers.py | 94 +--------------------------------- src/add_python/lilliput/tbc.py | 98 ++++++++++++------------------------ 5 files changed, 140 insertions(+), 175 deletions(-) create mode 100644 src/add_python/lilliput/ae_common.py (limited to 'src/add_python/lilliput/tbc.py') diff --git a/src/add_python/lilliput/ae_common.py b/src/add_python/lilliput/ae_common.py new file mode 100644 index 0000000..f212353 --- /dev/null +++ b/src/add_python/lilliput/ae_common.py @@ -0,0 +1,89 @@ +from .constants import BLOCK_BITS, BLOCK_BYTES +from .helpers import xor +from . import tbc + + +def bytes_to_block_matrix(array): + vector = list(array) + + blocks_nb = len(vector)//BLOCK_BYTES + + block_starts = ( + i*BLOCK_BYTES for i in range(blocks_nb) + ) + + matrix = [ + vector[start:start+BLOCK_BYTES] for start in block_starts + ] + + padding_len = len(vector)%BLOCK_BYTES + + if padding_len > 0: + padding = vector[-padding_len:] + matrix.append(padding) + + return matrix + + +def block_matrix_to_bytes(matrix): + return bytes(byte for block in matrix for byte in block) + + +def pad10(X): + zeroes = [0] * (BLOCK_BYTES-len(X)-1) + return zeroes + [0b10000000] + X + + +def _tweak_associated_data(t, i, padded): + t_bytes = t//8 + tweak = [0]*(t_bytes) + + mask = 0xff + for byte in range(t_bytes-1): + tweak[byte] = (i & mask) >> (byte * 8) + mask = mask << 8 + + mask = (0xf << (8 * t_bytes-1)) + tweak[-1] = (i & mask) >> ((t_bytes-1)*8) + if not padded: + tweak[-1] |= 0x20 + else: + tweak[-1] |= 0x60 + + return tweak + + +def build_auth(t, A, key): + Auth = [0 for byte in range(0, BLOCK_BYTES)] + l_a = len(A)//BLOCK_BYTES + need_padding = len(A)%BLOCK_BYTES > 0 + + A = bytes_to_block_matrix(A) + + for i in range(0, l_a): + tweak = _tweak_associated_data(t, i, padded=False) + enc = tbc.encrypt(tweak, key, A[i]) + Auth = xor(Auth, enc) + + if not need_padding: + return Auth + + tweak = _tweak_associated_data(t, l_a, padded=True) + ad_padded = pad10(A[l_a]) + enc = tbc.encrypt(tweak, key, ad_padded) + Auth = xor(Auth, enc) + + return Auth + + +class TagValidationError(Exception): + def __init__(self, announced, computed): + msg = '\n'.join(( + 'Invalid tag:', + announced.hex().upper()+' (announced)', + computed.hex().upper()+' (computed)' + )) + + super().__init__(msg) + self._announced = announced + self._computed = computed diff --git a/src/add_python/lilliput/ae_mode_1.py b/src/add_python/lilliput/ae_mode_1.py index cc550e8..efa0b6f 100644 --- a/src/add_python/lilliput/ae_mode_1.py +++ b/src/add_python/lilliput/ae_mode_1.py @@ -21,13 +21,13 @@ using Lilliput-AE's nonce-respecting mode based on ΘCB3. from enum import Enum from .constants import BLOCK_BYTES, NONCE_BYTES -from .helpers import ( +from .ae_common import ( bytes_to_block_matrix, block_matrix_to_bytes, build_auth, pad10, TagValidationError, - xor_state + xor ) from . import tbc @@ -92,7 +92,7 @@ def _treat_message_enc(M, N, key): C = [] for j in range(0, l): - checksum = xor_state(checksum, M[j]) + checksum = xor(checksum, M[j]) tweak = _tweak_message(N, j, _MessageTweak.BLOCK) C.append(tbc.encrypt(tweak, key, M[j])) @@ -102,12 +102,12 @@ def _treat_message_enc(M, N, key): else: m_padded = pad10(M[l]) - checksum = xor_state(checksum, m_padded) + checksum = xor(checksum, m_padded) tweak = _tweak_message(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) lower_part = _low_part(pad, padding_bytes*8) - C.append(xor_state(M[l], lower_part)) + C.append(xor(M[l], lower_part)) tweak_final = _tweak_message(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) @@ -126,7 +126,7 @@ def _treat_message_dec(C, N, key): for j in range(0, l): tweak = _tweak_message(N, j, _MessageTweak.BLOCK) M.append(tbc.decrypt(tweak, key, C[j])) - checksum = xor_state(checksum, M[j]) + checksum = xor(checksum, M[j]) if padding_bytes == 0: tweak = _tweak_message(N, l, _MessageTweak.NO_PADDING) @@ -136,10 +136,10 @@ def _treat_message_dec(C, N, key): tweak = _tweak_message(N, l, _MessageTweak.PAD) pad = tbc.encrypt(tweak, key, [0 for byte in range(0, BLOCK_BYTES)]) lower_part = _low_part(pad, padding_bytes*8) - M.append(xor_state(C[l], lower_part)) + M.append(xor(C[l], lower_part)) m_padded = pad10(M[l]) - checksum = xor_state(checksum, m_padded) + checksum = xor(checksum, m_padded) tweak_final = _tweak_message(N, l+1, _MessageTweak.FINAL) Final = tbc.encrypt(tweak_final, key, checksum) @@ -151,7 +151,7 @@ def encrypt(A, M, N, key): Auth = build_auth(TWEAK_BITS, A, K) (Final, C) = _treat_message_enc(M, N, K) - tag = xor_state(Auth, Final) + tag = xor(Auth, Final) return block_matrix_to_bytes(C), bytes(tag) @@ -162,7 +162,7 @@ def decrypt(A, C, N, tag, key): Auth = build_auth(TWEAK_BITS, A, K) (Final, M) = _treat_message_dec(C, N, K) - tag2 = xor_state(Auth, Final) + tag2 = xor(Auth, Final) if tag != tag2: raise TagValidationError(tag, tag2) diff --git a/src/add_python/lilliput/ae_mode_2.py b/src/add_python/lilliput/ae_mode_2.py index 4d5e499..91c53f3 100644 --- a/src/add_python/lilliput/ae_mode_2.py +++ b/src/add_python/lilliput/ae_mode_2.py @@ -19,13 +19,13 @@ using Lilliput-AE's nonce-misuse-resistant mode based on SCT-2. """ from .constants import BLOCK_BYTES -from .helpers import ( +from .ae_common import ( bytes_to_block_matrix, block_matrix_to_bytes, build_auth, pad10, TagValidationError, - xor_state + xor ) from . import tbc @@ -62,7 +62,7 @@ def _add_tag_j(tag, j): for byte in range(0, TWEAK_BYTES): array_j[byte] = (j >> (byte * 8)) - xorr = xor_state(tag, array_j) + xorr = xor(tag, array_j) xorr[TWEAK_BYTES - 1] |= 0x80 @@ -79,13 +79,13 @@ def _message_auth_tag(M, N, Auth, key): for j in range(0, l): tweak = _tweak_tag(j, False) encryption = tbc.encrypt(tweak, key, M[j]) - tag = xor_state(tag, encryption) + tag = xor(tag, encryption) if need_padding: tweak = _tweak_tag(l, True) m_padded = pad10(M[l]) encryption = tbc.encrypt(tweak, key, m_padded) - tag = xor_state(tag, encryption) + tag = xor(tag, encryption) tweak = _tweak_tag_end(N) encryption = tbc.encrypt(tweak, key, tag) @@ -105,13 +105,13 @@ def _message_encryption(M, N, tag, key): tweak = _add_tag_j(tag, j) padded_nonce = list(N) + [0x00] encryption = tbc.encrypt(tweak, key, padded_nonce) - C.append(xor_state(M[j], encryption)) + C.append(xor(M[j], encryption)) if need_padding: tweak = _add_tag_j(tag, l) padded_nonce = list(N) + [0x00] encryption = tbc.encrypt(tweak, key, padded_nonce) - C.append(xor_state(M[l], encryption)) + C.append(xor(M[l], encryption)) return C diff --git a/src/add_python/lilliput/helpers.py b/src/add_python/lilliput/helpers.py index 65989d0..048aac7 100644 --- a/src/add_python/lilliput/helpers.py +++ b/src/add_python/lilliput/helpers.py @@ -1,92 +1,2 @@ -from .constants import BLOCK_BITS, BLOCK_BYTES -from . import tbc - - -def bytes_to_block_matrix(array): - vector = list(array) - - blocks_nb = len(vector)//BLOCK_BYTES - - block_starts = ( - i*BLOCK_BYTES for i in range(blocks_nb) - ) - - matrix = [ - vector[start:start+BLOCK_BYTES] for start in block_starts - ] - - padding_len = len(vector)%BLOCK_BYTES - - if padding_len > 0: - padding = vector[-padding_len:] - matrix.append(padding) - - return matrix - - -def block_matrix_to_bytes(matrix): - return bytes(byte for block in matrix for byte in block) - - -def xor_state(state1, state2): - return [s1^s2 for (s1, s2) in zip(state1, state2)] - - -def pad10(X): - zeroes = [0] * (BLOCK_BYTES-len(X)-1) - return zeroes + [0b10000000] + X - - -def _tweak_associated_data(t, i, padded): - t_bytes = t//8 - tweak = [0]*(t_bytes) - - mask = 0xff - for byte in range(t_bytes-1): - tweak[byte] = (i & mask) >> (byte * 8) - mask = mask << 8 - - mask = (0xf << (8 * t_bytes-1)) - tweak[-1] = (i & mask) >> ((t_bytes-1)*8) - if not padded: - tweak[-1] |= 0x20 - else: - tweak[-1] |= 0x60 - - return tweak - - -def build_auth(t, A, key): - Auth = [0 for byte in range(0, BLOCK_BYTES)] - l_a = len(A)//BLOCK_BYTES - need_padding = len(A)%BLOCK_BYTES > 0 - - A = bytes_to_block_matrix(A) - - for i in range(0, l_a): - tweak = _tweak_associated_data(t, i, padded=False) - enc = tbc.encrypt(tweak, key, A[i]) - Auth = xor_state(Auth, enc) - - if not need_padding: - return Auth - - tweak = _tweak_associated_data(t, l_a, padded=True) - ad_padded = pad10(A[l_a]) - enc = tbc.encrypt(tweak, key, ad_padded) - Auth = xor_state(Auth, enc) - - return Auth - - -class TagValidationError(Exception): - def __init__(self, announced, computed): - msg = '\n'.join(( - 'Invalid tag:', - announced.hex().upper()+' (announced)', - computed.hex().upper()+' (computed)' - )) - - super().__init__(msg) - self._announced = announced - self._computed = computed +def xor(array1, array2): + return [a1^a2 for (a1, a2) in zip(array1, array2)] diff --git a/src/add_python/lilliput/tbc.py b/src/add_python/lilliput/tbc.py index c607e45..0772853 100644 --- a/src/add_python/lilliput/tbc.py +++ b/src/add_python/lilliput/tbc.py @@ -18,6 +18,7 @@ This module provides functions to encrypt and decrypt blocks of 128 bits. """ from .constants import BLOCK_BYTES, SBOX +from .helpers import xor from .multiplications import ALPHAS @@ -25,6 +26,13 @@ _PERMUTATION = [14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7] _PERMUTATION_INV = [13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6 ,0 ,7] +_ROUNDS = { + 128: 32, + 192: 36, + 256: 42 +} + + def _build_tweakey(tweak, key): return tweak+key @@ -55,8 +63,6 @@ def _subtweakey_extract(tweakey, Ci): def _tweakey_schedule_whole(tweakey, r): - # Store the initial tweakey in TKs[0], and the corresponding round tweakey - # in RTKs[0]. TKs = [tweakey] RTKs = [_subtweakey_extract(TKs[0], 0)] @@ -68,28 +74,21 @@ def _tweakey_schedule_whole(tweakey, r): def _non_linear_layer(state, subtweakey): + variables_xored = xor(state, subtweakey) - variables_xored = [0 for byte in range(0, 8)] - for byte in range(0,8): - variables_xored[byte] = state[byte] ^ subtweakey[byte] - - variables_sboxed = [0 for byte in range(0, 8)] - for byte in range(0, 8): - variables_sboxed[byte] = SBOX[variables_xored[byte]] + variables_sboxed = [ + SBOX[variables_xored[i]] for i in range(8) + ] - state_output = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0,BLOCK_BYTES): - state_output[byte] = state[byte] - for byte in range(0, 8): - state_output[15 - byte] ^= variables_sboxed[byte] + state_output = state + for i in range(8): + state_output[15-i] ^= variables_sboxed[i] return state_output def _linear_layer(state): - state_output = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[byte] + state_output = state for byte in range(1, 8): state_output[15] ^= state[byte] @@ -100,26 +99,16 @@ def _linear_layer(state): return state_output -def _permutation_layer_enc(state): - state_output = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[_PERMUTATION[byte]] - - return state_output - - -def _permutation_layer_dec(state): - state_output = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0, BLOCK_BYTES): - state_output[byte] = state[_PERMUTATION_INV[byte]] - - return state_output +def _permutation_layer(state, p): + return [ + state[p[i]] for i in range(BLOCK_BYTES) + ] def _one_round_egfn_enc(state, subtweakey): state_non_linear = _non_linear_layer(state, subtweakey) state_linear = _linear_layer(state_non_linear) - state_permutation = _permutation_layer_enc(state_linear) + state_permutation = _permutation_layer(state_linear, _PERMUTATION) return state_permutation @@ -134,57 +123,34 @@ def _last_round_egfn(state, subtweakey): def _one_round_egfn_dec(state, subtweakey): state_non_linear = _non_linear_layer(state, subtweakey) state_linear = _linear_layer(state_non_linear) - state_permutation = _permutation_layer_dec(state_linear) + state_permutation = _permutation_layer(state_linear, _PERMUTATION_INV) return state_permutation -def _rounds(key_bytes): - rounds = { - 128: 32, - 192: 36, - 256: 42 - } - return rounds[key_bytes*8] - - def encrypt(tweak, key, message): - r = _rounds(len(key)) + r = _ROUNDS[8*len(key)] tweakey = _build_tweakey(tweak, key) RTKs = _tweakey_schedule_whole(tweakey, r) - state = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0, BLOCK_BYTES): - state[byte] = message[byte] - - for i in range(0, r-1): - state_output = _one_round_egfn_enc(state, RTKs[i]) - - for byte in range(0, BLOCK_BYTES): - state[byte] = state_output[byte] + state = message - state_output = _last_round_egfn(state, RTKs[r-1]) + for i in range(r-1): + state = _one_round_egfn_enc(state, RTKs[i]) - return state_output + return _last_round_egfn(state, RTKs[r-1]) def decrypt(tweak, key, cipher): - r = _rounds(len(key)) + r = _ROUNDS[8*len(key)] tweakey = _build_tweakey(tweak, key) RTKs = _tweakey_schedule_whole(tweakey, r) - state = [0 for byte in range(0, BLOCK_BYTES)] - for byte in range(0, BLOCK_BYTES): - state[byte] = cipher[byte] - - for i in range(0, r-1): - state_output = _one_round_egfn_dec(state, RTKs[r-i-1]) + state = cipher - for byte in range(0, BLOCK_BYTES): - state[byte] = state_output[byte] + for i in range(r-1): + state = _one_round_egfn_dec(state, RTKs[r-i-1]) - state_output = _last_round_egfn(state, RTKs[0]) - - return state_output + return _last_round_egfn(state, RTKs[0]) -- cgit v1.2.3