/*
Implementation of the Lilliput-AE tweakable block cipher.

Authors, hereby denoted as "the implementer":
    Alexandre Adomnicai,
    Kévin Le Gouguec,
    Léo Reynaud,
    2019.

For more information, feedback or questions, refer to our website:
https://paclido.fr/lilliput-ae

To the extent possible under law, the implementer has waived all copyright
and related or neighboring rights to the source code in this file.
http://creativecommons.org/publicdomain/zero/1.0/

---

This file provides a first-order threshold implementation of Lilliput-TBC's
tweakey schedule, where the tweak and the key are split into two shares.
*/

#include <stdint.h>
#include <string.h>

#include "constants.h"
#include "multiplications.h"
#include "random.h"
#include "tweakey.h"


/* Number of LANE_BYTES-wide lanes in the full tweakey state TK_X (tweak
 * followed by key, as laid out by tweakey_state_init). */
#define LANES_NB   (TWEAKEY_BYTES/LANE_BYTES)


/*
 * Build the two-share tweakey state from a key and a tweak.
 *
 * TK_Y receives a fresh random mask of KEY_BYTES; TK_X receives the tweak
 * followed by (key XOR mask). The key is therefore never stored whole: it is
 * only recoverable as TK_Y ^ TK_X[TWEAK_BYTES..]. The tweak itself is copied
 * into TK_X unmasked.
 *
 * The mask is drawn with randombytes() from random.h, called with the
 * (size, buffer) argument order that header uses.
 *
 * NOTE(review): the local mask buffer is not cleared before returning; whether
 * that residue matters depends on the target's threat model.
 */
void tweakey_state_init(
    uint8_t TK_X[TWEAKEY_BYTES],
    uint8_t TK_Y[KEY_BYTES],
    const uint8_t key[KEY_BYTES],
    const uint8_t tweak[TWEAK_BYTES]
)
{
    /* Fresh mask for this instance; it becomes share Y of the key. */
    uint8_t mask[KEY_BYTES];
    randombytes(sizeof(mask), mask);

    /* Share Y is the mask itself. */
    memcpy(TK_Y, mask, KEY_BYTES);

    /* Share X: tweak in clear, then the masked key right after it. */
    memcpy(TK_X, tweak, TWEAK_BYTES);
    uint8_t *masked_key = TK_X + TWEAK_BYTES;
    for (size_t i = 0; i < KEY_BYTES; i++) {
        masked_key[i] = key[i] ^ mask[i];
    }
}


/* XOR `lanes` consecutive LANE_BYTES-wide lanes of src into dst[0..LANE_BYTES). */
static void fold_lanes(uint8_t dst[LANE_BYTES], const uint8_t *src, size_t lanes)
{
    for (size_t lane = 0; lane < lanes; lane++) {
        const uint8_t *cur = src + lane * LANE_BYTES;
        for (size_t k = 0; k < LANE_BYTES; k++) {
            dst[k] ^= cur[k];
        }
    }
}


/*
 * Derive the two round-tweakey shares from the tweakey state.
 *
 * Each output share is the XOR of the lanes of the matching state share:
 * round_tweakey_X folds all LANES_NB lanes of TK_X, round_tweakey_Y folds the
 * KEY_BYTES/LANE_BYTES lanes of TK_Y (TK_Y only ever holds key material).
 * The round constant is then XORed into byte 0 of share X alone; it is a
 * public value, so mixing it into a single share is sufficient.
 *
 * Both outputs are zeroed first, so callers need not initialise them. The
 * fold writes only the first LANE_BYTES bytes of each output; any remaining
 * bytes stay zero.
 */
void tweakey_state_extract(
    const uint8_t TK_X[TWEAKEY_BYTES],
    const uint8_t TK_Y[KEY_BYTES],
    uint8_t round_constant,
    uint8_t round_tweakey_X[ROUND_TWEAKEY_BYTES],
    uint8_t round_tweakey_Y[ROUND_TWEAKEY_BYTES]
)
{
    memset(round_tweakey_X, 0, ROUND_TWEAKEY_BYTES);
    memset(round_tweakey_Y, 0, ROUND_TWEAKEY_BYTES);

    fold_lanes(round_tweakey_X, TK_X, LANES_NB);
    fold_lanes(round_tweakey_Y, TK_Y, KEY_BYTES / LANE_BYTES);

    round_tweakey_X[0] ^= round_constant;
}


/* Signature shared by the lane multipliers declared in multiplications.h:
 * read LANE_BYTES from x and write the result to y. */
typedef void (*matrix_multiplication)(const uint8_t x[LANE_BYTES], uint8_t y[LANE_BYTES]);


/*
 * Per-lane multipliers, indexed by (lane - 1): lane 0 is left alone by the
 * schedule, so lane j is updated with ALPHAS[j - 1]. Judging by their names,
 * the first three are powers of M and the last three powers of M_R.
 * (The `_`-prefixed names come from multiplications.h and are kept as-is.)
 */
static const matrix_multiplication ALPHAS[6] = {
    [0] = _multiply_M,
    [1] = _multiply_M2,
    [2] = _multiply_M3,
    [3] = _multiply_MR,
    [4] = _multiply_MR2,
    [5] = _multiply_MR3,
};


/* Replace `lane` in place with mul(lane). The input is copied first so the
 * multiplier's source and destination buffers never alias. */
static void update_lane(matrix_multiplication mul, uint8_t lane[LANE_BYTES])
{
    uint8_t previous[LANE_BYTES];
    memcpy(previous, lane, LANE_BYTES);
    mul(previous, lane);
}


/*
 * Advance the tweakey state by one round.
 *
 * Every lane except lane 0 (identity) is replaced by its multiplier,
 * ALPHAS[lane - 1], applied to its current value. The tweak lanes exist only
 * in TK_X; each key lane exists as two shares (the tail of TK_X and TK_Y), and
 * the same multiplier is applied to both shares separately. For a linear map
 * this keeps the sharing intact, which is what the matrix_multiplication
 * naming suggests these are.
 *
 * The lane index for key lane j is j + TWEAK_BYTES/LANE_BYTES, so its
 * multiplier index is that lane number minus one.
 */
void tweakey_state_update(uint8_t TK_X[TWEAKEY_BYTES], uint8_t TK_Y[KEY_BYTES])
{
    const size_t tweak_lanes = TWEAK_BYTES / LANE_BYTES;
    const size_t key_lanes = KEY_BYTES / LANE_BYTES;

    /* Tweak lanes 1 .. tweak_lanes-1; lane 0 needs no work. */
    for (size_t lane = 1; lane < tweak_lanes; lane++) {
        update_lane(ALPHAS[lane - 1], TK_X + lane * LANE_BYTES);
    }

    /* Key lanes: apply the lane's multiplier to share X, then to share Y. */
    for (size_t j = 0; j < key_lanes; j++) {
        const size_t lane = tweak_lanes + j;
        update_lane(ALPHAS[lane - 1], TK_X + lane * LANE_BYTES);
        update_lane(ALPHAS[lane - 1], TK_Y + j * LANE_BYTES);
    }
}