authorGaetan Leplus <gaetan.leplus@airbus.com>2019-07-05 16:16:19 +0200
committerGaetan Leplus <gaetan.leplus@airbus.com>2019-07-05 16:16:19 +0200
commita432c19745907a96303b3a25111e0fd622202e0c (patch)
tree3ac352a3598fa444d45695dbb2b4cee63698ac57 /src/add_python
parent92893d79b36c9fb5a90644b82d16d9fa2563feb1 (diff)
parent4f58d99e11e1c412a600f39f32a8d181765f0246 (diff)
downloadlilliput-ae-implem-a432c19745907a96303b3a25111e0fd622202e0c.tar.xz
Merge remote-tracking branch 'origin/master' into fix-vhdltbc
Diffstat (limited to 'src/add_python')
-rw-r--r--src/add_python/lilliput/ae_common.py10
-rw-r--r--src/add_python/lilliput/ae_mode_1.py25
-rw-r--r--src/add_python/lilliput/ae_mode_2.py32
-rw-r--r--src/add_python/lilliput/multiplications.py41
4 files changed, 66 insertions, 42 deletions
diff --git a/src/add_python/lilliput/ae_common.py b/src/add_python/lilliput/ae_common.py
index b94be1b..db14ec3 100644
--- a/src/add_python/lilliput/ae_common.py
+++ b/src/add_python/lilliput/ae_common.py
@@ -15,7 +15,7 @@
"""Helper functions used in both Lilliput-I and Lilliput-II."""
-from .constants import BLOCK_BITS, BLOCK_BYTES
+from .constants import BLOCK_BYTES
from .helpers import xor
from . import tbc
@@ -48,11 +48,11 @@ def block_matrix_to_bytes(matrix):
def pad10(X):
zeroes = [0] * (BLOCK_BYTES-len(X)-1)
- return zeroes + [0b10000000] + X
+ return X + [0b10000000] + zeroes
def integer_to_byte_array(i, n):
- return list(i.to_bytes(n, 'little'))
+ return list(i.to_bytes(n, 'big'))
def _tweak_associated_data(t, i, padded):
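Review bot: `pad10` has no guard against an input that already fills a block: for `len(X) >= BLOCK_BYTES` the repeat count for `zeroes` is zero or negative, which yields `[]`, so the function returns a list longer than a block instead of failing. The only caller in this diff (`_message_auth_tag`) passes a genuinely partial final block, but an over-long block would reach `tbc.encrypt` unnoticed, so an explicit check is cheap: `if len(X) >= BLOCK_BYTES: raise ValueError("pad10 expects a partial block")`. The new ordering (data, then `0x80`, then the zero run) and the switch of `integer_to_byte_array` to `'big'` are two halves of the same byte-order change; a docstring such as `"""Pad X with 10* up to BLOCK_BYTES, X first."""` would record the layout where it is defined.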
@@ -61,8 +61,8 @@ def _tweak_associated_data(t, i, padded):
prefix = 0b0110 if padded else 0b0010
# Clear upper 4 bits and set them to prefix.
- tweak[-1] &= 0b00001111
- tweak[-1] = prefix << 4
+ tweak[0] &= 0b00001111
+ tweak[0] |= prefix << 4
return tweak
diff --git a/src/add_python/lilliput/ae_mode_1.py b/src/add_python/lilliput/ae_mode_1.py
index 4a40b78..197bf37 100644
--- a/src/add_python/lilliput/ae_mode_1.py
+++ b/src/add_python/lilliput/ae_mode_1.py
@@ -52,27 +52,26 @@ def _lower_nibble(i):
return i & 0b00001111
-def _byte_from_nibbles(lower, upper):
- return upper<<4 | lower
+def _byte(high, low):
+ return high<<4 ^ low
def _tweak_message(N, j, prefix):
- # j is encoded on 68 bits; get 72 and clear the upper 4.
- j_len = (TWEAK_BITS-NONCE_BITS-4)//8 + 1
- tweak = integer_to_byte_array(j, j_len)
- tweak[-1] &= 0b00001111
+ tweak = [_byte(prefix.value, _upper_nibble(N[0]))]
- # Add nonce.
- tweak[-1] |= _lower_nibble(N[0]) << 4
tweak.extend(
- _byte_from_nibbles(_upper_nibble(N[i-1]), _lower_nibble(N[i]))
+ _byte(_lower_nibble(N[i-1]), _upper_nibble(N[i]))
for i in range(1, NONCE_BITS//8)
)
- # Add last nibble from nonce and prefix.
- tweak.append(
- _byte_from_nibbles(_upper_nibble(N[-1]), prefix.value)
- )
+ # j is encoded on 68 bits; get 72 then set the upper 4 to the
+ # nonce's lower 4.
+ j_len = (TWEAK_BITS-NONCE_BITS-4)//8 + 1
+ j_array = integer_to_byte_array(j, j_len)
+ j_array[0] &= 0b00001111
+ j_array[0] |= _lower_nibble(N[-1]) << 4
+
+ tweak.extend(j_array)
return tweak
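Review bot: `j_array[0] &= 0b00001111` silently discards bits 68–71 of the block index, so any `j` in `2**68 <= j < 2**72` yields the same tweak as `j - 2**68`, while `integer_to_byte_array(j, j_len)` only raises for values that do not fit in 72 bits. Tweak reuse under one key and nonce is precisely what this construction must avoid, so even if the message-length limit makes it unreachable in practice, an explicit guard is cheaper than relying on that: `if j >> (TWEAK_BITS - NONCE_BITS - 4): raise ValueError("block index exceeds the tweak counter width")`. The loop over `range(1, NONCE_BITS//8)` and the final `_lower_nibble(N[-1])` also assume `len(N) == NONCE_BITS//8`; if the public entry point does not already check the nonce length, a longer nonce would silently combine its first bytes with its last nibble. A docstring stating the resulting layout (prefix nibble, nonce, then the 68-bit counter, most-significant byte first) would make the reordering this commit performs explicit.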
diff --git a/src/add_python/lilliput/ae_mode_2.py b/src/add_python/lilliput/ae_mode_2.py
index 79d1bcd..a55ecb8 100644
--- a/src/add_python/lilliput/ae_mode_2.py
+++ b/src/add_python/lilliput/ae_mode_2.py
@@ -18,6 +18,8 @@ This module provides the functions for authenticated encryption and decryption
using Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
"""
+from enum import Enum
+
from .constants import BLOCK_BYTES
from .ae_common import (
bytes_to_block_matrix,
@@ -35,22 +37,24 @@ TWEAK_BITS = 128
TWEAK_BYTES = TWEAK_BITS//8
-def _tweak_tag(j, padded):
- tweak = integer_to_byte_array(j, TWEAK_BYTES)
+class _TagTweak(Enum):
+ BLOCK = 0b0000
+ PAD = 0b0100
- prefix = 0b0100 if padded else 0b0000
+
+def _tweak_tag(j, prefix):
+ tweak = integer_to_byte_array(j, TWEAK_BYTES)
# Clear upper 4 bits and set them to prefix.
- tweak[-1] &= 0b00001111
- tweak[-1] = prefix << 4
+ tweak[0] &= 0b00001111
+ tweak[0] |= prefix.value << 4
return tweak
def _add_tag_j(tag, j):
- array_j = integer_to_byte_array(j, TWEAK_BYTES)
- tweak = xor(tag, array_j)
- tweak[-1] |= 0b10000000
+ tweak = xor(tag, integer_to_byte_array(j, TWEAK_BYTES))
+ tweak[0] |= 0b10000000
return tweak
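Review bot: `_tweak_tag` has the same silent truncation as the mode-1 tweak builder: `tweak[0] &= 0b00001111` drops the top four bits of `j`, so any block index with bit 124 or above set collides with a smaller one, while `integer_to_byte_array(j, TWEAK_BYTES)` only raises for `j >= 2**128`. A guard such as `if j >> (TWEAK_BITS - 4): raise ValueError("block index exceeds the tweak counter width")` makes the limit explicit instead of relying on the caller. In `_add_tag_j`, `tweak[0] |= 0b10000000` means the most-significant bit of `tag ^ j` never reaches the cipher; that is consistent with separating these tweaks from the `_TagTweak` prefixes, whose top bit is always 0, but a one-line comment (`# Top bit forced to 1: separates encryption tweaks from the tag-generation tweaks.`) would stop a reader from taking it for a lost bit.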
@@ -63,18 +67,16 @@ def _message_auth_tag(M, N, Auth, key):
M = bytes_to_block_matrix(M)
for j in range(0, l):
- tweak = _tweak_tag(j, False)
+ tweak = _tweak_tag(j, _TagTweak.BLOCK)
encryption = tbc.encrypt(tweak, key, M[j])
tag = xor(tag, encryption)
if need_padding:
- tweak = _tweak_tag(l, True)
+ tweak = _tweak_tag(l, _TagTweak.PAD)
encryption = tbc.encrypt(tweak, key, pad10(M[l]))
tag = xor(tag, encryption)
- tweak = N + [0b00010000]
- encryption = tbc.encrypt(tweak, key, tag)
- tag = encryption
+ tag = tbc.encrypt([0b00010000]+N, key, tag)
return tag
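Review bot: `tbc.encrypt([0b00010000]+N, key, tag)` on the last line builds the final tweak by prepending one prefix byte to the nonce, so the tweak has the right length only when `len(N) == TWEAK_BYTES - 1`; nothing in this hunk checks that, and `_message_auth_tag` starts before the hunk, so the check may live there or in the public entry point — worth confirming. If it does not, `if len(N) != TWEAK_BYTES - 1: raise ValueError("nonce must be TWEAK_BYTES - 1 bytes long")` at the top of the function is the natural place. A minor style point: `for j in range(0, l):` reads more naturally as `for j in range(l):`, and a comment above the final call (`# Final tweak: 0001 prefix nibble, then the nonce.`) would document the byte order this commit just reversed.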
@@ -88,12 +90,12 @@ def _message_encryption(M, N, tag, key):
for j in range(0, l):
tweak = _add_tag_j(tag, j)
- encryption = tbc.encrypt(tweak, key, N+[0b00000000])
+ encryption = tbc.encrypt(tweak, key, [0b00000000]+N)
C.append(xor(M[j], encryption))
if need_padding:
tweak = _add_tag_j(tag, l)
- encryption = tbc.encrypt(tweak, key, N+[0b00000000])
+ encryption = tbc.encrypt(tweak, key, [0b00000000]+N)
C.append(xor(M[l], encryption))
return C
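Review bot: `C.append(xor(M[l], encryption))` in the `need_padding` branch XORs a partial final block with a full-block keystream, whereas `_message_auth_tag` pads the same block with `pad10` first; the result is a correctly truncated ciphertext only if `helpers.xor` stops at the shorter input (as `zip` would), and an exception or an over-long block otherwise — confirm against the helper, which is outside this diff. Either way a comment on the branch would make the intent explicit: `# CTR-style: the partial last block is XORed with a truncated keystream, no padding.`. The plaintext passed to `tbc.encrypt`, `[0b00000000]+N`, is a full block only when `len(N) == BLOCK_BYTES - 1`; `_message_encryption` starts before this hunk, so the nonce-length check may already be there.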
diff --git a/src/add_python/lilliput/multiplications.py b/src/add_python/lilliput/multiplications.py
index a5faa55..09eaa08 100644
--- a/src/add_python/lilliput/multiplications.py
+++ b/src/add_python/lilliput/multiplications.py
@@ -23,8 +23,11 @@ from functools import reduce
from operator import xor
+def _shl(xi, n):
+ return (xi << n) & 0xff
+
def _Sl(n):
- return lambda xi: (xi<<n) & 0xff
+ return lambda xi: _shl(xi, n)
def _Sr(n):
return lambda xi: xi>>n
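Review bot: `_shl` has no docstring, and its `& 0xff` mask is what keeps the left shifts in `_Sl` and the `_M*` helpers inside a byte, while `_Sr` relies on its input already being a byte; a one-liner such as `"""Shift byte xi left by n bits, discarding bits shifted out of the byte."""` records that contract at the one place the mask lives. `_Sl` could likewise say `"""Return a callable that shifts a byte left by n bits."""` so the closure-factory shape is obvious to a reader of the matrix tables below.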
@@ -36,16 +39,25 @@ def _0(xi):
return 0
def _M1(xi):
- return (xi<<3 ^ xi>>3) & 0xff
+ return _shl(xi, 3) ^ xi>>3
def _M2(xi):
- return (xi<<6 ^ (xi&0b11111000) ^ xi>>6) & 0xff
+ return _shl(xi, 6) ^ xi&0b11111000 ^ xi>>6
def _M3(xi):
- return xi & 0b00011111
+ return _shl(xi>>3, 6) ^ xi>>6<<3
def _M4(xi):
- return ((xi<<2) & 0xff) >> 3
+ return _shl(xi, 2) >> 3
+
+def _M5(xi):
+ return _shl(xi, 5) ^ xi>>3<<2
+
+def _M6(xi):
+ return xi & 0b00011111
+
+def _M7(xi):
+ return _shl(xi, 2) >> 3
M = (
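Review bot: `_M4` and `_M7` have byte-identical bodies (`_shl(xi, 2) >> 3`), which looks like a copy-paste slip: either the new `M4` entry was meant to be a different map and `_M4` still carries the old `_M4` body, or the two are a deliberate alias, in which case one should be defined as the other (`_M7 = _M4`) so the coincidence is not mistaken for an error. The unparenthesised expressions in `_M2`, `_M3` and `_M5` (`_shl(xi, 6) ^ xi&0b11111000 ^ xi>>6`, `_shl(xi>>3, 6) ^ xi>>6<<3`) are correct only because `&`, `>>` and `<<` all bind tighter than `^`; parentheses, e.g. `_shl(xi, 6) ^ (xi & 0b11111000) ^ (xi >> 6)`, cost nothing and remove the need to remember that. A short comment on each `_M*` naming the matrix entry it implements would help, since the names are sequential rather than descriptive.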
@@ -81,6 +93,17 @@ M3 = (
( _0, _0, _Id, _0, _0, _0, _0, _0),
)
+M4 = (
+ ( _0, _0, _Sl(6), _M1, _Id, _0, _0, _0),
+ ( _0, _0, _0, _M2, _M1, _Id, _0, _0),
+ ( _0, _Sl(2), _0, _M3, _M2, _M1, _Id, _0),
+ ( _0, _M4, _Sl(2), _0, _0, _Sr(6), _Sr(3), _Id),
+ (_Id, _0, _Sl(5), _Sl(2), _0, _0, _0, _0),
+ ( _0, _Id, _0, _M5, _Sl(2), _0, _0, _0),
+ ( _0, _0, _Id, _0, _0, _0, _0, _0),
+ ( _0, _0, _Sl(3), _Id, _0, _0, _0, _0),
+)
+
# NB: shift directions are reversed with respect to the specification
# for powers of M_R, since the specification reverses the byte order
# for those matrices.
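Review bot: the new `M4` table is a hand transcription of 64 entries with nothing in the diff that checks it; if `M4` is the fourth power of `M`, as the `M`, `M2`, `M3`, `M4` naming suggests, a regression test comparing `_multiplication(M4)` with four applications of `_multiplication(M)` on a few byte vectors would catch a mistyped entry before it reaches the cipher, and the same check would cover `M2` and `M3`. The NB comment below applies to the `MR` tables only, so a one-line comment above `M4` (`# Fourth power of M; same byte order as M, the reversal below does not apply.`) would stop a reader from wondering whether the reversal applies here too.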
@@ -99,7 +122,7 @@ MR = (
MR2 = (
( _0, _0, _Id, _0, _0, _0, _0, _0),
( _0, _0, _0, _Id, _Sr(3), _0, _0, _0),
- ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0),
+ ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0),
( _0, _0, _0, _0, _0, _Id, _Sl(3), _0),
( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)),
( _0, _0, _0, _0, _Sl(2), _0, _0, _Id),
@@ -109,8 +132,8 @@ MR2 = (
MR3 = (
( _0, _0, _0, _Id, _Sr(3), _0, _0, _0),
- ( _0, _0, _0, _0, _Id, _Sr(3), _M3, _0),
- ( _0, _0, _0, _M4, _0, _Id, _M1, _M3),
+ ( _0, _0, _0, _0, _Id, _Sr(3), _M6, _0),
+ ( _0, _0, _0, _M7, _0, _Id, _M1, _M6),
( _0, _0, _0, _Sl(2), _0, _0, _Id, _Sl(3)),
(_Sl(3), _0, _0, _0, _Sl(2), _0, _0, _Id),
( _Id, _0, _0, _0, _0, _Sl(2), _Sl(5), _0),
@@ -135,10 +158,10 @@ def _multiplication(m, reverse=True):
ALPHAS = (
- list, # Identity.
_multiplication(M),
_multiplication(M2),
_multiplication(M3),
+ _multiplication(M4),
_multiplication(MR, reverse=False),
_multiplication(MR2, reverse=False),
_multiplication(MR3, reverse=False)