This document summarizes the modifications brought by each version. Some modifications are tagged as follows:
- [spec] when the modification is brought by a new revision of the specification,
- [break] when the modification changes the implementation's output.
A modification that has no tag corresponds to stylistic and/or structural changes that have no impact on test vectors.
v1.1
====
ref
---
- Introduce helper function copy_block_index() to make tweak-building functions more legible.
(lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c)
- Initialize the ΘCB3 tweak with the nonce instead of repeatedly copying the nonce into it.
  (lilliput-i.c)
- Re-write _nonlinear_layer() and _linear_layer() functions to better resemble the specification.
(cipher.c)
- Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes.
(constants.h, multiplications.h, tweakey.c)
- Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt().
(cipher.c)
[spec][break]
- Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round:
    - lane 0: Id    => M
    - lane 1: M     => M^2
    - lane 2: M^2   => M^3
    - lane 3: M^3   => M^4
    - lane 4: M_R   (unchanged)
    - lane 5: M_R^2 (unchanged)
    - lane 6: M_R^3 (unchanged)
  (multiplications.h, tweakey.c)
[break]
- Make byte string concatenation more consistent in AE modes:
    - v1 mixed two interpretations of concatenation:
        1. M_0 || M_1 was interpreted as { M[0], ... M[15] } || { M[16], ... M[31] },
        2. pad(10*) and tweak-building functions interpreted X||Y as { Y[0], ... Y[ylen-1] } || { X[0], ... X[xlen-1] }.
      This was potentially confusing, and also led to inefficient hardware implementations. E.g. a message M of length 34 bytes was padded as follows:

          M_0                    M_1                      pad10*(M_*)
          { M[0], ... M[15] } || { M[16], ... M[31] } || { 0, ... 0, 0x80, M[32], M[33] }

    - v1.1 sticks to the first interpretation. The same message M is now padded as follows:

          M_0                    M_1                      pad10*(M_*)
          { M[0], ... M[15] } || { M[16], ... M[31] } || { M[32], M[33], 0x80, 0, ... 0 }

  (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c)
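The padding change above is easiest to see in code. The following is an added example, not code from the Lilliput-AE reference implementation or its Python port: it splits a message into 16-byte blocks under the M_0 || M_1 convention kept by v1.1, builds pad10*(M_*) both the v1.1 way and the former v1 way for comparison, and shows the inverse that a decryptor must apply. The function names, the 16-byte block size and the 34-byte sample message are assumptions made for the example; whether the mode emits a padding block at all for a block-aligned message is outside the changelog, and the example simply emits none in that case.

```python
"""Added example (not the project's own code): the two byte-string
concatenation conventions described in the v1.1 changelog entry,
applied to pad10* on a 34-byte message."""

BLOCK_SIZE = 16  # assumed block size in bytes (Lilliput-TBC uses 128-bit blocks)


def split_blocks(message: bytes, block_size: int = BLOCK_SIZE):
    """Split M into full blocks M_0, M_1, ... and a trailing partial block M_*.

    M_0 || M_1 is read as { M[0], ... M[15] } || { M[16], ... M[31] },
    i.e. the first interpretation, the one v1.1 uses everywhere.
    """
    full_len = len(message) - len(message) % block_size
    full = [message[i:i + block_size] for i in range(0, full_len, block_size)]
    partial = message[full_len:]
    return full, partial


def pad10star_v11(partial: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """v1.1 convention: X || Y keeps X first, so the partial block is
    followed by the 0x80 marker and then zeros:
    { M[32], M[33], 0x80, 0, ... 0 }."""
    if len(partial) >= block_size:
        raise ValueError("pad10* applies only to a partial (short) block")
    return partial + b"\x80" + bytes(block_size - len(partial) - 1)


def pad10star_v1(partial: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Former v1 convention inside pad10*: X || Y was laid out as Y then X,
    giving { 0, ... 0, 0x80, M[32], M[33] }. Kept only for comparison."""
    if len(partial) >= block_size:
        raise ValueError("pad10* applies only to a partial (short) block")
    return bytes(block_size - len(partial) - 1) + b"\x80" + partial


def unpad10star_v11(block: bytes) -> bytes:
    """Invert pad10star_v11: strip trailing zeros, then the 0x80 marker.
    Raises if the block does not carry well-formed padding, so a corrupted
    final block is rejected rather than silently shortened."""
    stripped = block.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("invalid pad10* block")
    return stripped[:-1]


def padded_layout(message: bytes, version: str = "v1.1"):
    """Return the sequence of blocks handed to the mode: the full blocks,
    then the padded partial block if the message is not block-aligned.
    (Assumption for this example: no padding block for aligned messages.)"""
    full, partial = split_blocks(message)
    pad = pad10star_v11 if version == "v1.1" else pad10star_v1
    return full + ([pad(partial)] if partial else [])


if __name__ == "__main__":
    # Constructed sample: a 34-byte message whose bytes equal their index,
    # matching the M[0] ... M[33] notation of the changelog.
    M = bytes(range(34))
    for version in ("v1", "v1.1"):
        print(version)
        for block in padded_layout(M, version):
            print("  ", block.hex(" "))
```

Running the block prints the three blocks for each convention; the only difference is the last one, where v1.1 places M[32], M[33] first and the zero run last, which is also what lets a hardware implementation stream the partial block without buffering it.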
add_felicsref
-------------
See reference implementation. Further changes:
- Introduce helper function _multiply() to reduce code duplication.
(tweakey.c)
- Compute round-tweakeys on the fly to save on RAM, instead of storing all pre-computed round-tweakeys.
(cipher.c)
add_threshold
-------------
See reference implementation. Further changes:
- Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible.
(tweakey.c)
add_tweakeyloop
---------------
See reference implementation.
add_python
----------
See [spec] and [break] changes in reference implementation. Further changes:
- Re-write tweakey multiplications to better resemble the specification.
(multiplications.py)
add_vhdltbc
-----------
See [spec] and [break] changes in reference implementation. Further changes:
- Each algorithm variant now contains a single VHDL implementation, add_vhdltbc:
    - for Lilliput-I variants, add_vhdltbc corresponds to the former add_vhdltbcencryptdecrypt,
    - Lilliput-II variants do not need the decryption part of Lilliput-TBC, therefore add_vhdltbc corresponds to the former add_vdhltbcencrypt.
- For Lilliput-I, the inverted multiplications have been updated to match changes to the encryption process:
    - lane 0: Id         => inv(M)
    - lane 1: inv(M)     => inv(M)^2
    - lane 2: inv(M)^2   => inv(M)^3
    - lane 3: inv(M)^3   => inv(M)^4
    - lane 4: inv(M_R)   (unchanged)
    - lane 5: inv(M_R)^2 (unchanged)
    - lane 6: inv(M_R)^3 (unchanged)
  (inv_multiplication.vhd)
- Merge Sbox in one file.
  (sbox.vhd, inner_sbox_a.vhd, inner_sbox_b.vhd, inner_sbox_c.vhd)
- Create registers in file roundexe_lilliput.vhd.
  (state_key_register.vhd, state_register.vhd, roundexe_lilliput.vhd)
- Reduce the number of signals.
  (chiffrement.vhd)
- Add self-checking testbench.
(top_tb.vhd)
- Pipeline RoundTweakey extraction and round function.
(roundexe_lilliput.vhd, machine_etat_chiffrement.vhd)
- Isolate input and output from critical path.
(roundexe_lilliput.vhd, machine_etat_chiffrement.vhd)
v1
==
Initial release to round 1 of the LWC standardization process.