l---------[-rw-r--r--]src/add_tweakeyloop/ae-common.h128
l---------[-rw-r--r--]src/add_tweakeyloop/cipher.c176
l---------[-rw-r--r--]src/add_tweakeyloop/cipher.h24
l---------[-rw-r--r--]src/add_tweakeyloop/lilliput-ae-i.c196
l---------[-rw-r--r--]src/add_tweakeyloop/lilliput-ae-ii.c161
l---------[-rw-r--r--]src/add_tweakeyloop/lilliput-ae.h35
l---------[-rw-r--r--]src/add_tweakeyloop/parameters.h21
l---------[-rw-r--r--]src/add_tweakeyloop/tweakey.h24
l---------[-rw-r--r--]src/add_tweakeysequences/ae-common.h128
l---------[-rw-r--r--]src/add_tweakeysequences/cipher.c176
l---------[-rw-r--r--]src/add_tweakeysequences/cipher.h24
l---------[-rw-r--r--]src/add_tweakeysequences/lilliput-ae-i.c196
l---------[-rw-r--r--]src/add_tweakeysequences/lilliput-ae-ii.c161
l---------[-rw-r--r--]src/add_tweakeysequences/lilliput-ae.h35
l---------[-rw-r--r--]src/add_tweakeysequences/parameters.h21
l---------[-rw-r--r--]src/add_tweakeysequences/tweakey.h24
16 files changed, 16 insertions, 1514 deletions
diff --git a/src/add_tweakeyloop/ae-common.h b/src/add_tweakeyloop/ae-common.h
index 561854e..73641f5 100644..120000
--- a/src/add_tweakeyloop/ae-common.h
+++ b/src/add_tweakeyloop/ae-common.h
@@ -1,127 +1 @@
-#ifndef AE_COMMON_H
-#define AE_COMMON_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "parameters.h"
-
-
-static inline uint8_t upper_nibble(uint8_t i)
-{
- return i >> 4;
-}
-
-static inline uint8_t lower_nibble(uint8_t i)
-{
- return i & 0x0f;
-}
-
-static inline void encrypt(const uint8_t K[KEY_BYTES],
- const uint8_t T[TWEAK_BYTES],
- const uint8_t M[BLOCK_BYTES],
- uint8_t C[BLOCK_BYTES])
-{
- lilliput_tbc_encrypt(K, T, M, C);
-}
-
-static inline void decrypt(const uint8_t K[KEY_BYTES],
- const uint8_t T[TWEAK_BYTES],
- const uint8_t C[BLOCK_BYTES],
- uint8_t M[BLOCK_BYTES])
-{
- lilliput_tbc_decrypt(K, T, C, M);
-}
-
-static inline void xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES])
-{
- for (size_t i=0; i<BLOCK_BYTES; i++)
- dest[i] ^= src[i];
-}
-
-static inline void xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len], const uint8_t b[len])
-{
- for (size_t i=0; i<len; i++)
- out[i] = a[i] ^ b[i];
-}
-
-static inline void pad10(size_t X_len, const uint8_t X[X_len], uint8_t padded[BLOCK_BYTES])
-{
- /* pad10*(X) = X || 1 || 0^{n-|X|-1} */
-
- /* Assume that len<BLOCK_BYTES. */
-
- size_t pad_len = BLOCK_BYTES-X_len;
-
- memcpy(padded+pad_len, X, X_len);
-
- padded[pad_len-1] = 0x80;
-
- if (pad_len > 1)
- {
- memset(padded, 0, pad_len-1);
- }
-}
-
-static inline void fill_index_tweak(
- uint8_t prefix,
- uint64_t block_index,
- uint8_t tweak[TWEAK_BYTES]
-)
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-4]: block index
- * [ 1, 64]: actual 64-bit block index
- * [ 65, t-4]: 0-padding
- * - bits [t-3, t]: constant 4-bit prefix
- */
-
- for (size_t i=0; i<sizeof(block_index); i++)
- {
- tweak[i] = block_index >> 8*i & 0xff;
- }
-
- /* Assume padding bytes have already been memset to 0. */
-
- tweak[TWEAK_BYTES-1] |= prefix << 4;
-}
-
-static void process_associated_data(
- const uint8_t key[KEY_BYTES],
- size_t A_len,
- const uint8_t A[A_len],
- uint8_t Auth[BLOCK_BYTES]
-)
-{
- uint8_t Ek_Ai[BLOCK_BYTES];
- uint8_t tweak[TWEAK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(Auth, 0, BLOCK_BYTES);
-
- size_t l_a = A_len / BLOCK_BYTES;
- size_t rest = A_len % BLOCK_BYTES;
-
- for (size_t i=0; i<l_a; i++)
- {
- fill_index_tweak(0x2, i, tweak);
- encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
- xor_into(Auth, Ek_Ai);
- }
-
- if (rest != 0)
- {
- uint8_t A_rest[BLOCK_BYTES];
- pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
- fill_index_tweak(0x6, l_a, tweak);
- encrypt(key, tweak, A_rest, Ek_Ai);
- xor_into(Auth, Ek_Ai);
- }
-}
-
-
-
-#endif /* AE_COMMON_H */
+../ref/ae-common.h
\ No newline at end of file
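Review bot: The new side of this hunk is a symbolic link (mode 120000) whose target is the relative path `../ref/ae-common.h`, so the build of this variant now depends on the checkout creating a real link. On a checkout where git's `core.symlinks` is false the file is presumably written as a one-line text file holding the path, and every `#include "ae-common.h"` in the directory would then fail to compile. The same holds for the other fifteen files in the diffstat under src/add_tweakeyloop and src/add_tweakeysequences. A link cannot carry a comment, so I would add a short note to the directory's README or build file saying which sources are shared with `../ref` and which stay variant-specific; that also makes clear that a change to the reference AEAD code changes every variant.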
diff --git a/src/add_tweakeyloop/cipher.c b/src/add_tweakeyloop/cipher.c
index e5ccd15..a2ac6a3 100644..120000
--- a/src/add_tweakeyloop/cipher.c
+++ b/src/add_tweakeyloop/cipher.c
@@ -1,175 +1 @@
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "parameters.h"
-#include "tweakey.h"
-
-
-enum permutation
-{
- PERMUTATION_ENCRYPTION = 0, /* PI(i) */
- PERMUTATION_DECRYPTION = 1, /* PI^-1(i) */
- PERMUTATION_NONE
-};
-
-typedef enum permutation permutation;
-
-static const uint8_t PERMUTATIONS[2][BLOCK_BYTES] = {
- [PERMUTATION_ENCRYPTION] = { 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7 },
- [PERMUTATION_DECRYPTION] = { 14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7 }
-};
-
-static const uint8_t S[256] = {
- 0x20, 0x00, 0xB2, 0x85, 0x3B, 0x35, 0xA6, 0xA4, 0x30, 0xE4, 0x6A, 0x2C, 0xFF, 0x59, 0xE2, 0x0E,
- 0xF8, 0x1E, 0x7A, 0x80, 0x15, 0xBD, 0x3E, 0xB1, 0xE8, 0xF3, 0xA2, 0xC2, 0xDA, 0x51, 0x2A, 0x10,
- 0x21, 0x01, 0x23, 0x78, 0x5C, 0x24, 0x27, 0xB5, 0x37, 0xC7, 0x2B, 0x1F, 0xAE, 0x0A, 0x77, 0x5F,
- 0x6F, 0x09, 0x9D, 0x81, 0x04, 0x5A, 0x29, 0xDC, 0x39, 0x9C, 0x05, 0x57, 0x97, 0x74, 0x79, 0x17,
- 0x44, 0xC6, 0xE6, 0xE9, 0xDD, 0x41, 0xF2, 0x8A, 0x54, 0xCA, 0x6E, 0x4A, 0xE1, 0xAD, 0xB6, 0x88,
- 0x1C, 0x98, 0x7E, 0xCE, 0x63, 0x49, 0x3A, 0x5D, 0x0C, 0xEF, 0xF6, 0x34, 0x56, 0x25, 0x2E, 0xD6,
- 0x67, 0x75, 0x55, 0x76, 0xB8, 0xD2, 0x61, 0xD9, 0x71, 0x8B, 0xCD, 0x0B, 0x72, 0x6C, 0x31, 0x4B,
- 0x69, 0xFD, 0x7B, 0x6D, 0x60, 0x3C, 0x2F, 0x62, 0x3F, 0x22, 0x73, 0x13, 0xC9, 0x82, 0x7F, 0x53,
- 0x32, 0x12, 0xA0, 0x7C, 0x02, 0x87, 0x84, 0x86, 0x93, 0x4E, 0x68, 0x46, 0x8D, 0xC3, 0xDB, 0xEC,
- 0x9B, 0xB7, 0x89, 0x92, 0xA7, 0xBE, 0x3D, 0xD8, 0xEA, 0x50, 0x91, 0xF1, 0x33, 0x38, 0xE0, 0xA9,
- 0xA3, 0x83, 0xA1, 0x1B, 0xCF, 0x06, 0x95, 0x07, 0x9E, 0xED, 0xB9, 0xF5, 0x4C, 0xC0, 0xF4, 0x2D,
- 0x16, 0xFA, 0xB4, 0x03, 0x26, 0xB3, 0x90, 0x4F, 0xAB, 0x65, 0xFC, 0xFE, 0x14, 0xF7, 0xE3, 0x94,
- 0xEE, 0xAC, 0x8C, 0x1A, 0xDE, 0xCB, 0x28, 0x40, 0x7D, 0xC8, 0xC4, 0x48, 0x6B, 0xDF, 0xA5, 0x52,
- 0xE5, 0xFB, 0xD7, 0x64, 0xF9, 0xF0, 0xD3, 0x5E, 0x66, 0x96, 0x8F, 0x1D, 0x45, 0x36, 0xCC, 0xC5,
- 0x4D, 0x9F, 0xBF, 0x0F, 0xD1, 0x08, 0xEB, 0x43, 0x42, 0x19, 0xE7, 0x99, 0xA8, 0x8E, 0x58, 0xC1,
- 0x9A, 0xD4, 0x18, 0x47, 0xAA, 0xAF, 0xBC, 0x5B, 0xD5, 0x11, 0xD0, 0xB0, 0x70, 0xBB, 0x0D, 0xBA
-};
-
-
-static void _state_init(uint8_t X[BLOCK_BYTES], const uint8_t message[BLOCK_BYTES])
-{
- memcpy(X, message, BLOCK_BYTES);
-}
-
-
-static void _compute_round_tweakeys(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
-)
-{
- uint8_t TK[TWEAKEY_BYTES];
- tweakey_state_init(TK, key, tweak);
- tweakey_state_extract(TK, 0, RTK[0]);
-
- for (uint8_t i=1; i<ROUNDS; i++)
- {
- tweakey_state_update(TK);
- tweakey_state_extract(TK, i, RTK[i]);
- }
-}
-
-
-static void _nonlinear_layer(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES])
-{
- uint8_t F[ROUND_TWEAKEY_BYTES];
- for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
- {
- F[j] = X[j] ^ RTK[j];
- }
-
- for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
- {
- F[j] = S[F[j]];
- }
-
- for (size_t j=0; j<8; j++)
- {
- size_t dest_j = 15-j;
- X[dest_j] ^= F[j];
- }
-}
-
-static void _linear_layer(uint8_t X[BLOCK_BYTES])
-{
- X[15] ^= X[1];
- X[15] ^= X[2];
- X[15] ^= X[3];
- X[15] ^= X[4];
- X[15] ^= X[5];
- X[15] ^= X[6];
- X[15] ^= X[7];
-
- X[14] ^= X[7];
- X[13] ^= X[7];
- X[12] ^= X[7];
- X[11] ^= X[7];
- X[10] ^= X[7];
- X[9] ^= X[7];
-}
-
-static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
-{
- if (p == PERMUTATION_NONE)
- {
- return;
- }
-
- uint8_t X_old[BLOCK_BYTES];
- memcpy(X_old, X, BLOCK_BYTES);
-
- const uint8_t *pi = PERMUTATIONS[p];
-
- for (size_t j=0; j<BLOCK_BYTES; j++)
- {
- X[pi[j]] = X_old[j];
- }
-}
-
-static void _one_round_egfn(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
-{
- _nonlinear_layer(X, RTK);
- _linear_layer(X);
- _permutation_layer(X, p);
-}
-
-
-void lilliput_tbc_encrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t message[BLOCK_BYTES],
- uint8_t ciphertext[BLOCK_BYTES]
-)
-{
- uint8_t X[BLOCK_BYTES];
- _state_init(X, message);
-
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
- _compute_round_tweakeys(key, tweak, RTK);
-
- for (uint8_t i=0; i<ROUNDS-1; i++)
- {
- _one_round_egfn(X, RTK[i], PERMUTATION_ENCRYPTION);
- }
-
- _one_round_egfn(X, RTK[ROUNDS-1], PERMUTATION_NONE);
-
- memcpy(ciphertext, X, BLOCK_BYTES);
-}
-
-void lilliput_tbc_decrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t ciphertext[BLOCK_BYTES],
- uint8_t message[BLOCK_BYTES]
-)
-{
- uint8_t X[BLOCK_BYTES];
- _state_init(X, ciphertext);
-
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
- _compute_round_tweakeys(key, tweak, RTK);
-
- for (uint8_t i=0; i<ROUNDS-1; i++)
- {
- _one_round_egfn(X, RTK[ROUNDS-1-i], PERMUTATION_DECRYPTION);
- }
-
- _one_round_egfn(X, RTK[0], PERMUTATION_NONE);
-
- memcpy(message, X, BLOCK_BYTES);
-}
+../ref/cipher.c
\ No newline at end of file
diff --git a/src/add_tweakeyloop/cipher.h b/src/add_tweakeyloop/cipher.h
index 06dfde5..eab258b 100644..120000
--- a/src/add_tweakeyloop/cipher.h
+++ b/src/add_tweakeyloop/cipher.h
@@ -1,23 +1 @@
-#ifndef CIPHER_H
-#define CIPHER_H
-
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void lilliput_tbc_encrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t message[BLOCK_BYTES],
- uint8_t ciphertext[BLOCK_BYTES]
-);
-
-void lilliput_tbc_decrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t ciphertext[BLOCK_BYTES],
- uint8_t message[BLOCK_BYTES]
-);
-
-#endif /* CIPHER_H */
+../ref/cipher.h
\ No newline at end of file
diff --git a/src/add_tweakeyloop/lilliput-ae-i.c b/src/add_tweakeyloop/lilliput-ae-i.c
index b1758c9..2ed1026 100644..120000
--- a/src/add_tweakeyloop/lilliput-ae-i.c
+++ b/src/add_tweakeyloop/lilliput-ae-i.c
@@ -1,195 +1 @@
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "ae-common.h"
-#include "cipher.h"
-#include "lilliput-ae.h"
-
-
-static const uint8_t _0n[BLOCK_BYTES] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-
-static void _fill_msg_tweak(
- uint8_t prefix,
- const uint8_t N[NONCE_BYTES],
- uint64_t block_nb,
- uint8_t tweak[TWEAK_BYTES]
-)
-{
- /* The 192-bit tweak is filled as follows:
- *
- * - bits 1- 68: block number
- * 1- 64: actual 64-bit block number
- * 64- 68: 0-padding
- * - bits 67-188: nonce
- * - bits 189-192: constant 4-bit prefix
- */
-
- for (size_t i=0; i<sizeof(block_nb); i++)
- {
- uint64_t mask = (uint64_t)0xff << 8*i;
- uint8_t b = (mask & block_nb) >> 8*i;
-
- tweak[i] = b;
- }
-
- tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
-
- for (size_t i=1; i<NONCE_BYTES; i++)
- {
- tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
- }
-
- tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
-}
-
-static void _encrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- uint8_t C[M_len+BLOCK_BYTES],
- uint8_t Final[BLOCK_BYTES]
-)
-{
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- uint8_t tweak[TWEAK_BYTES];
- uint8_t checksum[BLOCK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
- for (size_t j=0; j<l; j++)
- {
- xor_into(checksum, &M[j*BLOCK_BYTES]);
- _fill_msg_tweak(0x0, N, j, tweak);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
- }
-
- if (rest == 0)
- {
- _fill_msg_tweak(0x1, N, l-1, tweak);
- encrypt(key, tweak, checksum, Final);
- }
- else
- {
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- xor_into(checksum, M_rest);
-
- _fill_msg_tweak(0x4, N, l, tweak);
- encrypt(key, tweak, _0n, Pad);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-
- _fill_msg_tweak(0x5, N, l, tweak);
- encrypt(key, tweak, checksum, Final);
- }
-}
-
-static void _decrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t C_len,
- const uint8_t C[C_len],
- const uint8_t N[NONCE_BYTES],
- uint8_t M[C_len],
- uint8_t Final[BLOCK_BYTES]
-)
-{
- size_t l = C_len / BLOCK_BYTES;
- size_t rest = C_len % BLOCK_BYTES;
-
- uint8_t tweak[TWEAK_BYTES];
- uint8_t checksum[BLOCK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
- for (size_t j=0; j<l; j++)
- {
- _fill_msg_tweak(0x0, N, j, tweak);
- decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
- xor_into(checksum, &M[j*BLOCK_BYTES]);
- }
-
- if (rest == 0)
- {
- _fill_msg_tweak(0x1, N, l-1, tweak);
- encrypt(key, tweak, checksum, Final);
- }
- else
- {
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
- _fill_msg_tweak(0x4, N, l, tweak);
- encrypt(key, tweak, _0n, Pad);
- xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- xor_into(checksum, M_rest);
-
- _fill_msg_tweak(0x5, N, l, tweak);
- encrypt(key, tweak, checksum, Final);
- }
-}
-
-static void _generate_tag(
- const uint8_t Final[BLOCK_BYTES],
- const uint8_t Auth[BLOCK_BYTES],
- uint8_t tag[TAG_BYTES]
-)
-{
- xor_arrays(TAG_BYTES, tag, Final, Auth);
-}
-
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t final[BLOCK_BYTES];
- _encrypt_message(key, message_len, message, nonce, ciphertext, final);
-
- _generate_tag(final, auth, tag);
-}
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t final[BLOCK_BYTES];
- _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
-
- uint8_t effective_tag[TAG_BYTES];
- _generate_tag(final, auth, effective_tag);
-
- return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
+../ref/lilliput-ae-i.c
\ No newline at end of file
diff --git a/src/add_tweakeyloop/lilliput-ae-ii.c b/src/add_tweakeyloop/lilliput-ae-ii.c
index 26885e5..af141f8 100644..120000
--- a/src/add_tweakeyloop/lilliput-ae-ii.c
+++ b/src/add_tweakeyloop/lilliput-ae-ii.c
@@ -1,160 +1 @@
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "ae-common.h"
-#include "cipher.h"
-#include "lilliput-ae.h"
-
-
-static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-1]: tag + block index
- * [ 1, 64]: tag[ 1.. 64] XOR block index
- * [ 65, t-1]: tag[65..t-1]
- * - bit t: 1
- */
-
- memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
- tweak[TWEAK_BYTES-1] |= 0x80;
-}
-
-static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
-{
- /* Assume bits 65 to t-1 are set. */
- for (size_t i=0; i<sizeof(block_index); i++)
- {
- uint8_t index_i = block_index >> i*8 & 0xff;
- tweak[i] = tag[i] ^ index_i;
- }
-}
-
-static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-7]: N
- * - bits [t-7, t]: 0001||0^4
- */
-
- memcpy(tweak, N, TWEAK_BYTES-1);
- tweak[TWEAK_BYTES-1] = 0x10;
-}
-
-static void _generate_tag(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- const uint8_t Auth[BLOCK_BYTES],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t Ek_Mj[BLOCK_BYTES];
- uint8_t tag_tmp[TAG_BYTES];
- uint8_t tweak[TWEAK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memcpy(tag_tmp, Auth, TAG_BYTES);
-
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- for (size_t j=0; j<l; j++)
- {
- fill_index_tweak(0x0, j, tweak);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
- xor_into(tag_tmp, Ek_Mj);
- }
-
- if (rest != 0)
- {
- uint8_t M_rest[BLOCK_BYTES];
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- fill_index_tweak(0x4, l, tweak);
- encrypt(key, tweak, M_rest, Ek_Mj);
- xor_into(tag_tmp, Ek_Mj);
- }
-
- _fill_tag_tweak(N, tweak);
- encrypt(key, tweak, tag_tmp, tag);
-}
-
-static void _encrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t C[M_len]
-)
-{
- uint8_t Ek_N[BLOCK_BYTES];
-
- uint8_t tweak[TWEAK_BYTES];
- _init_msg_tweak(tag, tweak);
-
- uint8_t padded_N[BLOCK_BYTES];
- memcpy(padded_N, N, NONCE_BYTES);
- padded_N[BLOCK_BYTES-1] = 0;
-
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- for (size_t j=0; j<l; j++)
- {
- _fill_msg_tweak(tag, j, tweak);
- encrypt(key, tweak, padded_N, Ek_N);
- xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
- }
-
- if (rest != 0)
- {
- _fill_msg_tweak(tag, l, tweak);
- encrypt(key, tweak, padded_N, Ek_N);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
- }
-}
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- _generate_tag(key, message_len, message, nonce, auth, tag);
-
- _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
-}
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-)
-{
- _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
-
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t effective_tag[TAG_BYTES];
- _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
-
- return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
+../ref/lilliput-ae-ii.c
\ No newline at end of file
diff --git a/src/add_tweakeyloop/lilliput-ae.h b/src/add_tweakeyloop/lilliput-ae.h
index e2d5051..66c8314 100644..120000
--- a/src/add_tweakeyloop/lilliput-ae.h
+++ b/src/add_tweakeyloop/lilliput-ae.h
@@ -1,34 +1 @@
-#ifndef LILLIPUT_AE_H
-#define LILLIPUT_AE_H
-
-#include <stddef.h>
-#include <stdbool.h>
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-);
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-);
-
-
-#endif /* LILLIPUT_AE_H */
+../ref/lilliput-ae.h
\ No newline at end of file
diff --git a/src/add_tweakeyloop/parameters.h b/src/add_tweakeyloop/parameters.h
index 681a152..8eff42f 100644..120000
--- a/src/add_tweakeyloop/parameters.h
+++ b/src/add_tweakeyloop/parameters.h
@@ -1,20 +1 @@
-#ifndef PARAMETERS_H
-#define PARAMETERS_H
-
-#include "_parameters.h"
-
-#define TWEAKEY_LENGTH_BITS (TWEAK_LENGTH_BITS+KEY_LENGTH_BITS)
-#define ROUND_TWEAKEY_LENGTH_BITS 64
-#define BLOCK_LENGTH_BITS 128
-#define NONCE_LENGTH_BITS 120
-#define TAG_LENGTH_BITS 128
-
-#define TWEAK_BYTES (TWEAK_LENGTH_BITS/8)
-#define KEY_BYTES (KEY_LENGTH_BITS/8)
-#define TWEAKEY_BYTES (TWEAKEY_LENGTH_BITS/8)
-#define ROUND_TWEAKEY_BYTES (ROUND_TWEAKEY_LENGTH_BITS/8)
-#define BLOCK_BYTES (BLOCK_LENGTH_BITS/8)
-#define NONCE_BYTES (NONCE_LENGTH_BITS/8)
-#define TAG_BYTES (TAG_LENGTH_BITS/8)
-
-#endif /* PARAMETERS_H */
+../ref/parameters.h
\ No newline at end of file
diff --git a/src/add_tweakeyloop/tweakey.h b/src/add_tweakeyloop/tweakey.h
index 5470bc8..7f2415f 100644..120000
--- a/src/add_tweakeyloop/tweakey.h
+++ b/src/add_tweakeyloop/tweakey.h
@@ -1,23 +1 @@
-#ifndef TWEAKEY_H
-#define TWEAKEY_H
-
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void tweakey_state_init(
- uint8_t TK[TWEAKEY_BYTES],
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES]
-);
-
-void tweakey_state_extract(
- const uint8_t TK[TWEAKEY_BYTES],
- uint8_t round_constant,
- uint8_t round_tweakey[ROUND_TWEAKEY_BYTES] /* output */
-);
-
-void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]);
-
-#endif /* TWEAKEY_H */
+../ref/tweakey.h
\ No newline at end of file
diff --git a/src/add_tweakeysequences/ae-common.h b/src/add_tweakeysequences/ae-common.h
index 561854e..73641f5 100644..120000
--- a/src/add_tweakeysequences/ae-common.h
+++ b/src/add_tweakeysequences/ae-common.h
@@ -1,127 +1 @@
-#ifndef AE_COMMON_H
-#define AE_COMMON_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "parameters.h"
-
-
-static inline uint8_t upper_nibble(uint8_t i)
-{
- return i >> 4;
-}
-
-static inline uint8_t lower_nibble(uint8_t i)
-{
- return i & 0x0f;
-}
-
-static inline void encrypt(const uint8_t K[KEY_BYTES],
- const uint8_t T[TWEAK_BYTES],
- const uint8_t M[BLOCK_BYTES],
- uint8_t C[BLOCK_BYTES])
-{
- lilliput_tbc_encrypt(K, T, M, C);
-}
-
-static inline void decrypt(const uint8_t K[KEY_BYTES],
- const uint8_t T[TWEAK_BYTES],
- const uint8_t C[BLOCK_BYTES],
- uint8_t M[BLOCK_BYTES])
-{
- lilliput_tbc_decrypt(K, T, C, M);
-}
-
-static inline void xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES])
-{
- for (size_t i=0; i<BLOCK_BYTES; i++)
- dest[i] ^= src[i];
-}
-
-static inline void xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len], const uint8_t b[len])
-{
- for (size_t i=0; i<len; i++)
- out[i] = a[i] ^ b[i];
-}
-
-static inline void pad10(size_t X_len, const uint8_t X[X_len], uint8_t padded[BLOCK_BYTES])
-{
- /* pad10*(X) = X || 1 || 0^{n-|X|-1} */
-
- /* Assume that len<BLOCK_BYTES. */
-
- size_t pad_len = BLOCK_BYTES-X_len;
-
- memcpy(padded+pad_len, X, X_len);
-
- padded[pad_len-1] = 0x80;
-
- if (pad_len > 1)
- {
- memset(padded, 0, pad_len-1);
- }
-}
-
-static inline void fill_index_tweak(
- uint8_t prefix,
- uint64_t block_index,
- uint8_t tweak[TWEAK_BYTES]
-)
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-4]: block index
- * [ 1, 64]: actual 64-bit block index
- * [ 65, t-4]: 0-padding
- * - bits [t-3, t]: constant 4-bit prefix
- */
-
- for (size_t i=0; i<sizeof(block_index); i++)
- {
- tweak[i] = block_index >> 8*i & 0xff;
- }
-
- /* Assume padding bytes have already been memset to 0. */
-
- tweak[TWEAK_BYTES-1] |= prefix << 4;
-}
-
-static void process_associated_data(
- const uint8_t key[KEY_BYTES],
- size_t A_len,
- const uint8_t A[A_len],
- uint8_t Auth[BLOCK_BYTES]
-)
-{
- uint8_t Ek_Ai[BLOCK_BYTES];
- uint8_t tweak[TWEAK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(Auth, 0, BLOCK_BYTES);
-
- size_t l_a = A_len / BLOCK_BYTES;
- size_t rest = A_len % BLOCK_BYTES;
-
- for (size_t i=0; i<l_a; i++)
- {
- fill_index_tweak(0x2, i, tweak);
- encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
- xor_into(Auth, Ek_Ai);
- }
-
- if (rest != 0)
- {
- uint8_t A_rest[BLOCK_BYTES];
- pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
- fill_index_tweak(0x6, l_a, tweak);
- encrypt(key, tweak, A_rest, Ek_Ai);
- xor_into(Auth, Ek_Ai);
- }
-}
-
-
-
-#endif /* AE_COMMON_H */
+../ref/ae-common.h
\ No newline at end of file
diff --git a/src/add_tweakeysequences/cipher.c b/src/add_tweakeysequences/cipher.c
index e5ccd15..a2ac6a3 100644..120000
--- a/src/add_tweakeysequences/cipher.c
+++ b/src/add_tweakeysequences/cipher.c
@@ -1,175 +1 @@
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "parameters.h"
-#include "tweakey.h"
-
-
-enum permutation
-{
- PERMUTATION_ENCRYPTION = 0, /* PI(i) */
- PERMUTATION_DECRYPTION = 1, /* PI^-1(i) */
- PERMUTATION_NONE
-};
-
-typedef enum permutation permutation;
-
-static const uint8_t PERMUTATIONS[2][BLOCK_BYTES] = {
- [PERMUTATION_ENCRYPTION] = { 13, 9, 14, 8, 10, 11, 12, 15, 4, 5, 3, 1, 2, 6, 0, 7 },
- [PERMUTATION_DECRYPTION] = { 14, 11, 12, 10, 8, 9, 13, 15, 3, 1, 4, 5, 6, 0, 2, 7 }
-};
-
-static const uint8_t S[256] = {
- 0x20, 0x00, 0xB2, 0x85, 0x3B, 0x35, 0xA6, 0xA4, 0x30, 0xE4, 0x6A, 0x2C, 0xFF, 0x59, 0xE2, 0x0E,
- 0xF8, 0x1E, 0x7A, 0x80, 0x15, 0xBD, 0x3E, 0xB1, 0xE8, 0xF3, 0xA2, 0xC2, 0xDA, 0x51, 0x2A, 0x10,
- 0x21, 0x01, 0x23, 0x78, 0x5C, 0x24, 0x27, 0xB5, 0x37, 0xC7, 0x2B, 0x1F, 0xAE, 0x0A, 0x77, 0x5F,
- 0x6F, 0x09, 0x9D, 0x81, 0x04, 0x5A, 0x29, 0xDC, 0x39, 0x9C, 0x05, 0x57, 0x97, 0x74, 0x79, 0x17,
- 0x44, 0xC6, 0xE6, 0xE9, 0xDD, 0x41, 0xF2, 0x8A, 0x54, 0xCA, 0x6E, 0x4A, 0xE1, 0xAD, 0xB6, 0x88,
- 0x1C, 0x98, 0x7E, 0xCE, 0x63, 0x49, 0x3A, 0x5D, 0x0C, 0xEF, 0xF6, 0x34, 0x56, 0x25, 0x2E, 0xD6,
- 0x67, 0x75, 0x55, 0x76, 0xB8, 0xD2, 0x61, 0xD9, 0x71, 0x8B, 0xCD, 0x0B, 0x72, 0x6C, 0x31, 0x4B,
- 0x69, 0xFD, 0x7B, 0x6D, 0x60, 0x3C, 0x2F, 0x62, 0x3F, 0x22, 0x73, 0x13, 0xC9, 0x82, 0x7F, 0x53,
- 0x32, 0x12, 0xA0, 0x7C, 0x02, 0x87, 0x84, 0x86, 0x93, 0x4E, 0x68, 0x46, 0x8D, 0xC3, 0xDB, 0xEC,
- 0x9B, 0xB7, 0x89, 0x92, 0xA7, 0xBE, 0x3D, 0xD8, 0xEA, 0x50, 0x91, 0xF1, 0x33, 0x38, 0xE0, 0xA9,
- 0xA3, 0x83, 0xA1, 0x1B, 0xCF, 0x06, 0x95, 0x07, 0x9E, 0xED, 0xB9, 0xF5, 0x4C, 0xC0, 0xF4, 0x2D,
- 0x16, 0xFA, 0xB4, 0x03, 0x26, 0xB3, 0x90, 0x4F, 0xAB, 0x65, 0xFC, 0xFE, 0x14, 0xF7, 0xE3, 0x94,
- 0xEE, 0xAC, 0x8C, 0x1A, 0xDE, 0xCB, 0x28, 0x40, 0x7D, 0xC8, 0xC4, 0x48, 0x6B, 0xDF, 0xA5, 0x52,
- 0xE5, 0xFB, 0xD7, 0x64, 0xF9, 0xF0, 0xD3, 0x5E, 0x66, 0x96, 0x8F, 0x1D, 0x45, 0x36, 0xCC, 0xC5,
- 0x4D, 0x9F, 0xBF, 0x0F, 0xD1, 0x08, 0xEB, 0x43, 0x42, 0x19, 0xE7, 0x99, 0xA8, 0x8E, 0x58, 0xC1,
- 0x9A, 0xD4, 0x18, 0x47, 0xAA, 0xAF, 0xBC, 0x5B, 0xD5, 0x11, 0xD0, 0xB0, 0x70, 0xBB, 0x0D, 0xBA
-};
-
-
-static void _state_init(uint8_t X[BLOCK_BYTES], const uint8_t message[BLOCK_BYTES])
-{
- memcpy(X, message, BLOCK_BYTES);
-}
-
-
-static void _compute_round_tweakeys(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
-)
-{
- uint8_t TK[TWEAKEY_BYTES];
- tweakey_state_init(TK, key, tweak);
- tweakey_state_extract(TK, 0, RTK[0]);
-
- for (uint8_t i=1; i<ROUNDS; i++)
- {
- tweakey_state_update(TK);
- tweakey_state_extract(TK, i, RTK[i]);
- }
-}
-
-
-static void _nonlinear_layer(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES])
-{
- uint8_t F[ROUND_TWEAKEY_BYTES];
- for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
- {
- F[j] = X[j] ^ RTK[j];
- }
-
- for (size_t j=0; j<ROUND_TWEAKEY_BYTES; j++)
- {
- F[j] = S[F[j]];
- }
-
- for (size_t j=0; j<8; j++)
- {
- size_t dest_j = 15-j;
- X[dest_j] ^= F[j];
- }
-}
-
-static void _linear_layer(uint8_t X[BLOCK_BYTES])
-{
- X[15] ^= X[1];
- X[15] ^= X[2];
- X[15] ^= X[3];
- X[15] ^= X[4];
- X[15] ^= X[5];
- X[15] ^= X[6];
- X[15] ^= X[7];
-
- X[14] ^= X[7];
- X[13] ^= X[7];
- X[12] ^= X[7];
- X[11] ^= X[7];
- X[10] ^= X[7];
- X[9] ^= X[7];
-}
-
-static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
-{
- if (p == PERMUTATION_NONE)
- {
- return;
- }
-
- uint8_t X_old[BLOCK_BYTES];
- memcpy(X_old, X, BLOCK_BYTES);
-
- const uint8_t *pi = PERMUTATIONS[p];
-
- for (size_t j=0; j<BLOCK_BYTES; j++)
- {
- X[pi[j]] = X_old[j];
- }
-}
-
-static void _one_round_egfn(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
-{
- _nonlinear_layer(X, RTK);
- _linear_layer(X);
- _permutation_layer(X, p);
-}
-
-
-void lilliput_tbc_encrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t message[BLOCK_BYTES],
- uint8_t ciphertext[BLOCK_BYTES]
-)
-{
- uint8_t X[BLOCK_BYTES];
- _state_init(X, message);
-
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
- _compute_round_tweakeys(key, tweak, RTK);
-
- for (uint8_t i=0; i<ROUNDS-1; i++)
- {
- _one_round_egfn(X, RTK[i], PERMUTATION_ENCRYPTION);
- }
-
- _one_round_egfn(X, RTK[ROUNDS-1], PERMUTATION_NONE);
-
- memcpy(ciphertext, X, BLOCK_BYTES);
-}
-
-void lilliput_tbc_decrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t ciphertext[BLOCK_BYTES],
- uint8_t message[BLOCK_BYTES]
-)
-{
- uint8_t X[BLOCK_BYTES];
- _state_init(X, ciphertext);
-
- uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
- _compute_round_tweakeys(key, tweak, RTK);
-
- for (uint8_t i=0; i<ROUNDS-1; i++)
- {
- _one_round_egfn(X, RTK[ROUNDS-1-i], PERMUTATION_DECRYPTION);
- }
-
- _one_round_egfn(X, RTK[0], PERMUTATION_NONE);
-
- memcpy(message, X, BLOCK_BYTES);
-}
+../ref/cipher.c
\ No newline at end of file
diff --git a/src/add_tweakeysequences/cipher.h b/src/add_tweakeysequences/cipher.h
index 06dfde5..eab258b 100644..120000
--- a/src/add_tweakeysequences/cipher.h
+++ b/src/add_tweakeysequences/cipher.h
@@ -1,23 +1 @@
-#ifndef CIPHER_H
-#define CIPHER_H
-
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void lilliput_tbc_encrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t message[BLOCK_BYTES],
- uint8_t ciphertext[BLOCK_BYTES]
-);
-
-void lilliput_tbc_decrypt(
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES],
- const uint8_t ciphertext[BLOCK_BYTES],
- uint8_t message[BLOCK_BYTES]
-);
-
-#endif /* CIPHER_H */
+../ref/cipher.h
\ No newline at end of file
diff --git a/src/add_tweakeysequences/lilliput-ae-i.c b/src/add_tweakeysequences/lilliput-ae-i.c
index b1758c9..2ed1026 100644..120000
--- a/src/add_tweakeysequences/lilliput-ae-i.c
+++ b/src/add_tweakeysequences/lilliput-ae-i.c
@@ -1,195 +1 @@
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "ae-common.h"
-#include "cipher.h"
-#include "lilliput-ae.h"
-
-
-static const uint8_t _0n[BLOCK_BYTES] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-
-static void _fill_msg_tweak(
- uint8_t prefix,
- const uint8_t N[NONCE_BYTES],
- uint64_t block_nb,
- uint8_t tweak[TWEAK_BYTES]
-)
-{
- /* The 192-bit tweak is filled as follows:
- *
- * - bits 1- 68: block number
- * 1- 64: actual 64-bit block number
- * 64- 68: 0-padding
- * - bits 67-188: nonce
- * - bits 189-192: constant 4-bit prefix
- */
-
- for (size_t i=0; i<sizeof(block_nb); i++)
- {
- uint64_t mask = (uint64_t)0xff << 8*i;
- uint8_t b = (mask & block_nb) >> 8*i;
-
- tweak[i] = b;
- }
-
- tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
-
- for (size_t i=1; i<NONCE_BYTES; i++)
- {
- tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
- }
-
- tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
-}
-
-static void _encrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- uint8_t C[M_len+BLOCK_BYTES],
- uint8_t Final[BLOCK_BYTES]
-)
-{
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- uint8_t tweak[TWEAK_BYTES];
- uint8_t checksum[BLOCK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
- for (size_t j=0; j<l; j++)
- {
- xor_into(checksum, &M[j*BLOCK_BYTES]);
- _fill_msg_tweak(0x0, N, j, tweak);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
- }
-
- if (rest == 0)
- {
- _fill_msg_tweak(0x1, N, l-1, tweak);
- encrypt(key, tweak, checksum, Final);
- }
- else
- {
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- xor_into(checksum, M_rest);
-
- _fill_msg_tweak(0x4, N, l, tweak);
- encrypt(key, tweak, _0n, Pad);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-
- _fill_msg_tweak(0x5, N, l, tweak);
- encrypt(key, tweak, checksum, Final);
- }
-}
-
-static void _decrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t C_len,
- const uint8_t C[C_len],
- const uint8_t N[NONCE_BYTES],
- uint8_t M[C_len],
- uint8_t Final[BLOCK_BYTES]
-)
-{
- size_t l = C_len / BLOCK_BYTES;
- size_t rest = C_len % BLOCK_BYTES;
-
- uint8_t tweak[TWEAK_BYTES];
- uint8_t checksum[BLOCK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memset(checksum, 0, BLOCK_BYTES);
-
- for (size_t j=0; j<l; j++)
- {
- _fill_msg_tweak(0x0, N, j, tweak);
- decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
- xor_into(checksum, &M[j*BLOCK_BYTES]);
- }
-
- if (rest == 0)
- {
- _fill_msg_tweak(0x1, N, l-1, tweak);
- encrypt(key, tweak, checksum, Final);
- }
- else
- {
- uint8_t M_rest[BLOCK_BYTES];
- uint8_t Pad[BLOCK_BYTES];
-
- _fill_msg_tweak(0x4, N, l, tweak);
- encrypt(key, tweak, _0n, Pad);
- xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- xor_into(checksum, M_rest);
-
- _fill_msg_tweak(0x5, N, l, tweak);
- encrypt(key, tweak, checksum, Final);
- }
-}
-
-static void _generate_tag(
- const uint8_t Final[BLOCK_BYTES],
- const uint8_t Auth[BLOCK_BYTES],
- uint8_t tag[TAG_BYTES]
-)
-{
- xor_arrays(TAG_BYTES, tag, Final, Auth);
-}
-
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t final[BLOCK_BYTES];
- _encrypt_message(key, message_len, message, nonce, ciphertext, final);
-
- _generate_tag(final, auth, tag);
-}
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t final[BLOCK_BYTES];
- _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
-
- uint8_t effective_tag[TAG_BYTES];
- _generate_tag(final, auth, effective_tag);
-
- return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
+../ref/lilliput-ae-i.c
\ No newline at end of file
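Review bot: With this file turned into a link, the variant builds whatever `../ref/lilliput-ae-i.c` contains, and nothing in the diff shows that the ref file is identical to the 195 lines removed here; the commit message should say so, or the build should check it (the `lilliput-ae-ii.c` hunk below is in the same position). Two properties of the removed code are worth checking in the ref copy, which is not visible from here: `lilliput_ae_decrypt` returned `memcmp(tag, effective_tag, TAG_BYTES) == 0`, which is not guaranteed to run in constant time, and `_decrypt_message` had already written the plaintext into `message` before that comparison. If ref still does both, the fix belongs there rather than in this link: accumulate `diff |= tag[i] ^ effective_tag[i]` over all `TAG_BYTES` and return `diff == 0`, and clear `message` when the tag does not match.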
diff --git a/src/add_tweakeysequences/lilliput-ae-ii.c b/src/add_tweakeysequences/lilliput-ae-ii.c
index 26885e5..af141f8 100644..120000
--- a/src/add_tweakeysequences/lilliput-ae-ii.c
+++ b/src/add_tweakeysequences/lilliput-ae-ii.c
@@ -1,160 +1 @@
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "ae-common.h"
-#include "cipher.h"
-#include "lilliput-ae.h"
-
-
-static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-1]: tag + block index
- * [ 1, 64]: tag[ 1.. 64] XOR block index
- * [ 65, t-1]: tag[65..t-1]
- * - bit t: 1
- */
-
- memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
- tweak[TWEAK_BYTES-1] |= 0x80;
-}
-
-static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
-{
- /* Assume bits 65 to t-1 are set. */
- for (size_t i=0; i<sizeof(block_index); i++)
- {
- uint8_t index_i = block_index >> i*8 & 0xff;
- tweak[i] = tag[i] ^ index_i;
- }
-}
-
-static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
- /* The t-bit tweak is filled as follows:
- *
- * - bits [ 1, t-7]: N
- * - bits [t-7, t]: 0001||0^4
- */
-
- memcpy(tweak, N, TWEAK_BYTES-1);
- tweak[TWEAK_BYTES-1] = 0x10;
-}
-
-static void _generate_tag(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- const uint8_t Auth[BLOCK_BYTES],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t Ek_Mj[BLOCK_BYTES];
- uint8_t tag_tmp[TAG_BYTES];
- uint8_t tweak[TWEAK_BYTES];
-
- memset(tweak, 0, TWEAK_BYTES);
- memcpy(tag_tmp, Auth, TAG_BYTES);
-
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- for (size_t j=0; j<l; j++)
- {
- fill_index_tweak(0x0, j, tweak);
- encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
- xor_into(tag_tmp, Ek_Mj);
- }
-
- if (rest != 0)
- {
- uint8_t M_rest[BLOCK_BYTES];
- pad10(rest, &M[l*BLOCK_BYTES], M_rest);
- fill_index_tweak(0x4, l, tweak);
- encrypt(key, tweak, M_rest, Ek_Mj);
- xor_into(tag_tmp, Ek_Mj);
- }
-
- _fill_tag_tweak(N, tweak);
- encrypt(key, tweak, tag_tmp, tag);
-}
-
-static void _encrypt_message(
- const uint8_t key[KEY_BYTES],
- size_t M_len,
- const uint8_t M[M_len],
- const uint8_t N[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t C[M_len]
-)
-{
- uint8_t Ek_N[BLOCK_BYTES];
-
- uint8_t tweak[TWEAK_BYTES];
- _init_msg_tweak(tag, tweak);
-
- uint8_t padded_N[BLOCK_BYTES];
- memcpy(padded_N, N, NONCE_BYTES);
- padded_N[BLOCK_BYTES-1] = 0;
-
- size_t l = M_len / BLOCK_BYTES;
- size_t rest = M_len % BLOCK_BYTES;
-
- for (size_t j=0; j<l; j++)
- {
- _fill_msg_tweak(tag, j, tweak);
- encrypt(key, tweak, padded_N, Ek_N);
- xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
- }
-
- if (rest != 0)
- {
- _fill_msg_tweak(tag, l, tweak);
- encrypt(key, tweak, padded_N, Ek_N);
- xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
- }
-}
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-)
-{
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- _generate_tag(key, message_len, message, nonce, auth, tag);
-
- _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
-}
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-)
-{
- _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
-
- uint8_t auth[BLOCK_BYTES];
- process_associated_data(key, auth_data_len, auth_data, auth);
-
- uint8_t effective_tag[TAG_BYTES];
- _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
-
- return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
+../ref/lilliput-ae-ii.c
\ No newline at end of file
diff --git a/src/add_tweakeysequences/lilliput-ae.h b/src/add_tweakeysequences/lilliput-ae.h
index e2d5051..66c8314 100644..120000
--- a/src/add_tweakeysequences/lilliput-ae.h
+++ b/src/add_tweakeysequences/lilliput-ae.h
@@ -1,34 +1 @@
-#ifndef LILLIPUT_AE_H
-#define LILLIPUT_AE_H
-
-#include <stddef.h>
-#include <stdbool.h>
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void lilliput_ae_encrypt(
- size_t message_len,
- const uint8_t message[message_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- uint8_t ciphertext[message_len],
- uint8_t tag[TAG_BYTES]
-);
-
-bool lilliput_ae_decrypt(
- size_t ciphertext_len,
- const uint8_t ciphertext[ciphertext_len],
- size_t auth_data_len,
- const uint8_t auth_data[auth_data_len],
- const uint8_t key[KEY_BYTES],
- const uint8_t nonce[NONCE_BYTES],
- const uint8_t tag[TAG_BYTES],
- uint8_t message[ciphertext_len]
-);
-
-
-#endif /* LILLIPUT_AE_H */
+../ref/lilliput-ae.h
\ No newline at end of file
diff --git a/src/add_tweakeysequences/parameters.h b/src/add_tweakeysequences/parameters.h
index 681a152..8eff42f 100644..120000
--- a/src/add_tweakeysequences/parameters.h
+++ b/src/add_tweakeysequences/parameters.h
@@ -1,20 +1 @@
-#ifndef PARAMETERS_H
-#define PARAMETERS_H
-
-#include "_parameters.h"
-
-#define TWEAKEY_LENGTH_BITS (TWEAK_LENGTH_BITS+KEY_LENGTH_BITS)
-#define ROUND_TWEAKEY_LENGTH_BITS 64
-#define BLOCK_LENGTH_BITS 128
-#define NONCE_LENGTH_BITS 120
-#define TAG_LENGTH_BITS 128
-
-#define TWEAK_BYTES (TWEAK_LENGTH_BITS/8)
-#define KEY_BYTES (KEY_LENGTH_BITS/8)
-#define TWEAKEY_BYTES (TWEAKEY_LENGTH_BITS/8)
-#define ROUND_TWEAKEY_BYTES (ROUND_TWEAKEY_LENGTH_BITS/8)
-#define BLOCK_BYTES (BLOCK_LENGTH_BITS/8)
-#define NONCE_BYTES (NONCE_LENGTH_BITS/8)
-#define TAG_BYTES (TAG_LENGTH_BITS/8)
-
-#endif /* PARAMETERS_H */
+../ref/parameters.h
\ No newline at end of file
diff --git a/src/add_tweakeysequences/tweakey.h b/src/add_tweakeysequences/tweakey.h
index 5470bc8..7f2415f 100644..120000
--- a/src/add_tweakeysequences/tweakey.h
+++ b/src/add_tweakeysequences/tweakey.h
@@ -1,23 +1 @@
-#ifndef TWEAKEY_H
-#define TWEAKEY_H
-
-#include <stdint.h>
-
-#include "parameters.h"
-
-
-void tweakey_state_init(
- uint8_t TK[TWEAKEY_BYTES],
- const uint8_t key[KEY_BYTES],
- const uint8_t tweak[TWEAK_BYTES]
-);
-
-void tweakey_state_extract(
- const uint8_t TK[TWEAKEY_BYTES],
- uint8_t round_constant,
- uint8_t round_tweakey[ROUND_TWEAKEY_BYTES] /* output */
-);
-
-void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES]);
-
-#endif /* TWEAKEY_H */
+../ref/tweakey.h
\ No newline at end of file