From 949fb3df2f18173b579ef3417d82581d48cf495f Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Fri, 3 May 2019 15:05:32 +0200
Subject: Ajustement de la gestion du nonce pour ΘCB3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ajout   du  nonce   dans  le   tweak   une  bonne   fois  pour   toute
à l'initialisation  de l'algorithme, au  lieu de le rajouter  à chaque
tour de boucle.

Similaire à  notre implémentation de  SCT-2, et à  l'implémentation de
référence de Deoxys-I.
---
 src/ref/lilliput-i.c | 67 ++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 46 insertions(+), 21 deletions(-)

(limited to 'src/ref')

diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c
index 404abea..6f869c3 100644
--- a/src/ref/lilliput-i.c
+++ b/src/ref/lilliput-i.c
@@ -32,12 +32,7 @@ static const uint8_t _0n[BLOCK_BYTES] = {
 };
 
 
-static void _fill_msg_tweak(
-    uint8_t       prefix,
-    const uint8_t N[NONCE_BYTES],
-    size_t        block_index,
-    uint8_t       tweak[TWEAK_BYTES]
-)
+static void _init_msg_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
 {
     /* With an s-bit block index, the t-bit tweak is filled as follows:
      *
@@ -46,11 +41,17 @@ static void _fill_msg_tweak(
      *        [    s+1, t-|N|-4]: 0-padding
      * - bits [t-|N|-3,     t-4]: nonce
      * - bits [    t-3,       t]: 4-bit prefix
+     *
+     * This function sets bits s+1 to t-4 once and for all.
      */
 
-    copy_block_index(block_index, tweak);
-
     size_t N_start = TWEAK_BYTES - NONCE_BYTES - 1;
+
+    for (size_t i=sizeof(size_t); i<N_start; i++)
+    {
+        tweak[i] = 0;
+    }
+
     tweak[N_start] = lower_nibble(N[0]) << 4;
 
     for (size_t i=1; i<NONCE_BYTES; i++)
@@ -58,7 +59,31 @@ static void _fill_msg_tweak(
         tweak[N_start+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
     }
 
-    tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
+    tweak[TWEAK_BYTES-1] = upper_nibble(N[NONCE_BYTES-1]);
+}
+
+static void _fill_msg_tweak(
+    uint8_t       prefix,
+    size_t        block_index,
+    uint8_t       tweak[TWEAK_BYTES]
+)
+{
+    /* With an s-bit block index, the t-bit tweak is filled as follows:
+     *
+     * - bits [      1, t-|N|-4]: block index
+     *        [      1,       s]: actual block index
+     *        [    s+1, t-|N|-4]: 0-padding
+     * - bits [t-|N|-3,     t-4]: nonce
+     * - bits [    t-3,       t]: 4-bit prefix
+     *
+     * This function assumes bits s+1 to t-3 have already been set,
+     * and only sets bits 1 to s and t-3 to t.
+     */
+
+    copy_block_index(block_index, tweak);
+
+    uint8_t *msb = &tweak[TWEAK_BYTES-1];
+    *msb = prefix<<4 ^ lower_nibble(*msb);
 }
 
 static void _encrypt_message(
@@ -74,21 +99,21 @@ static void _encrypt_message(
     size_t rest = M_len % BLOCK_BYTES;
 
     uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
+    _init_msg_tweak(N, tweak);
 
-    memset(tweak, 0, TWEAK_BYTES);
+    uint8_t checksum[BLOCK_BYTES];
     memset(checksum, 0, BLOCK_BYTES);
 
     for (size_t j=0; j<l; j++)
     {
         xor_into(checksum, &M[j*BLOCK_BYTES]);
-        _fill_msg_tweak(0x0, N, j, tweak);
+        _fill_msg_tweak(0x0, j, tweak);
         encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
     }
 
     if (rest == 0)
     {
-        _fill_msg_tweak(0x1, N, l, tweak);
+        _fill_msg_tweak(0x1, l, tweak);
         encrypt(key, tweak, checksum, Final);
     }
     else
@@ -99,11 +124,11 @@ static void _encrypt_message(
         pad10(rest, &M[l*BLOCK_BYTES], M_rest);
         xor_into(checksum, M_rest);
 
-        _fill_msg_tweak(0x4, N, l, tweak);
+        _fill_msg_tweak(0x4, l, tweak);
         encrypt(key, tweak, _0n, Pad);
         xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
 
-        _fill_msg_tweak(0x5, N, l+1, tweak);
+        _fill_msg_tweak(0x5, l+1, tweak);
         encrypt(key, tweak, checksum, Final);
     }
 }
@@ -121,21 +146,21 @@ static void _decrypt_message(
     size_t rest = C_len % BLOCK_BYTES;
 
     uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
+    _init_msg_tweak(N, tweak);
 
-    memset(tweak, 0, TWEAK_BYTES);
+    uint8_t checksum[BLOCK_BYTES];
     memset(checksum, 0, BLOCK_BYTES);
 
     for (size_t j=0; j<l; j++)
     {
-        _fill_msg_tweak(0x0, N, j, tweak);
+        _fill_msg_tweak(0x0, j, tweak);
         decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
         xor_into(checksum, &M[j*BLOCK_BYTES]);
     }
 
     if (rest == 0)
     {
-        _fill_msg_tweak(0x1, N, l, tweak);
+        _fill_msg_tweak(0x1, l, tweak);
         encrypt(key, tweak, checksum, Final);
     }
     else
@@ -143,14 +168,14 @@ static void _decrypt_message(
         uint8_t M_rest[BLOCK_BYTES];
         uint8_t Pad[BLOCK_BYTES];
 
-        _fill_msg_tweak(0x4, N, l, tweak);
+        _fill_msg_tweak(0x4, l, tweak);
         encrypt(key, tweak, _0n, Pad);
         xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
 
         pad10(rest, &M[l*BLOCK_BYTES], M_rest);
         xor_into(checksum, M_rest);
 
-        _fill_msg_tweak(0x5, N, l+1, tweak);
+        _fill_msg_tweak(0x5, l+1, tweak);
         encrypt(key, tweak, checksum, Final);
     }
 }
-- 
cgit v1.2.3