path: root/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
Diffstat (limited to 'crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c')
-rw-r--r--crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c79
1 files changed, 60 insertions, 19 deletions
diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index a464196..96b0505 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,14 +6,6 @@
#include "lilliput-ae.h"
-/* Most-significant nibbles for tweak values */
-#define TWEAK_AD 0x2
-#define TWEAK_AD_PADDING 0x6
-#define TWEAK_MESSAGE 0x0
-#define TWEAK_MESSAGE_NO_PADDING 0x1
-#define TWEAK_MESSAGE_PADDING 0x5
-
-
static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
const uint8_t tweak[TWEAK_BYTES],
const uint8_t message[BLOCK_BYTES],
@@ -22,12 +14,18 @@ static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
lilliput_tbc_encrypt(key, tweak, message, ciphertext, NULL);
}
-static void _xor_into(uint8_t dest[BLOCK_BYTES], uint8_t src[BLOCK_BYTES])
+static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES])
{
for (size_t i=0; i<BLOCK_BYTES; i++)
dest[i] ^= src[i];
}
+static void _xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len], const uint8_t b[len])
+{
+ for (size_t i=0; i<len; i++)
+ out[i] = a[i] ^ b[i];
+}
+
static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTES])
{
/* Assume that len<BLOCK_BYTES. */
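Review bot: `_xor_arrays` carries no comment stating its contract, and the `uint8_t out[len]` declarators document but do not enforce anything; the later caller relies on exactly this when it passes a `BLOCK_BYTES`-sized `Pad` with `len == rest`. A one-liner above the definition would make that explicit: `/* out[i] = a[i] ^ b[i] for i < len only; out may alias a or b. */`. The `_pad10` body continues outside the hunk.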
@@ -63,6 +61,11 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
tweak[TWEAK_BYTES-1] ^= prefix << 4;
}
+static void _fill_msg_tweak(uint8_t prefix, const uint8_t N[NONCE_BYTES],
+ uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
+{
+}
+
static void _process_associated_data(
const uint8_t key[KEY_BYTES],
size_t A_len, const uint8_t A[A_len],
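Review bot: `_fill_msg_tweak` is added with an empty body, so the `tweak` buffer it receives is left exactly as the caller had it; `_encrypt_message` in the last hunk zeroes `tweak` and then calls this for every block and for `Final`, which means all of them are currently processed under the same all-zero tweak. If the stub is deliberate for this commit, mark it so a reader does not take it for a finished helper: `/* TODO: not implemented — leaves tweak unchanged */`, and add `(void)prefix; (void)N; (void)block_nb; (void)tweak;` so `-Wunused-parameter` stays quiet until it is filled in. `_fill_ad_tweak` just above it XORs the prefix nibble into the last tweak byte; whether the message tweak is meant to be built the same way cannot be told from this hunk.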
@@ -80,7 +83,7 @@ static void _process_associated_data(
for (size_t i=0; i<l_a; i++)
{
- _fill_ad_tweak(TWEAK_AD, i, tweak);
+ _fill_ad_tweak(0x2, i, tweak);
_lilliput_tbc(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
_xor_into(Auth, Ek_Ai);
}
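Review bot: The tweak prefix is now passed as the bare literal `0x2` on the `_fill_ad_tweak` call, and the same pattern appears with `0x6` in the next hunk and `0x0`, `0x1`, `0x4`, `0x5` on the `_fill_msg_tweak` calls in the last hunk; a reader has to know the Lilliput-AE tweak encoding to tell the nibbles apart. A block-scoped enum next to the helpers would keep them named and debugger-visible, e.g. `enum { TWEAK_AD = 0x2, TWEAK_AD_PADDING = 0x6 };` with the message prefixes alongside. `_process_associated_data` starts before this hunk.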
@@ -89,7 +92,7 @@ static void _process_associated_data(
{
uint8_t A_rest[BLOCK_BYTES];
_pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
- _fill_ad_tweak(TWEAK_AD_PADDING, l_a, tweak);
+ _fill_ad_tweak(0x6, l_a, tweak);
_lilliput_tbc(key, tweak, A_rest, Ek_Ai);
_xor_into(Auth, Ek_Ai);
}
@@ -97,22 +100,60 @@ static void _process_associated_data(
static void _encrypt_message(
const uint8_t key[KEY_BYTES],
- size_t message_len, const uint8_t message[message_len],
- const uint8_t nonce[NONCE_BYTES],
+ size_t M_len, const uint8_t M[M_len],
+ const uint8_t N[NONCE_BYTES],
- size_t *ciphertext_len, uint8_t ciphertext[message_len+BLOCK_BYTES],
- uint8_t final[BLOCK_BYTES]
+ size_t *C_len, uint8_t C[M_len+BLOCK_BYTES],
+ uint8_t Final[BLOCK_BYTES]
)
{
+ size_t l = M_len / BLOCK_BYTES;
+ size_t rest = M_len % BLOCK_BYTES;
+
+ uint8_t tweak[TWEAK_BYTES];
+ uint8_t checksum[BLOCK_BYTES];
+
+ memset(tweak, 0, TWEAK_BYTES);
+ memset(checksum, 0, BLOCK_BYTES);
+
+ for (size_t j=0; j<l; j++)
+ {
+ _xor_into(checksum, &M[j*BLOCK_BYTES]);
+ _fill_msg_tweak(0x0, N, j, tweak);
+ _lilliput_tbc(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
+ }
+
+ if (rest == 0)
+ {
+ _fill_msg_tweak(0x1, N, l-1, tweak);
+ _lilliput_tbc(key, tweak, checksum, Final);
+ }
+ else
+ {
+ uint8_t M_rest[BLOCK_BYTES];
+ uint8_t Pad[BLOCK_BYTES];
+ uint8_t _0n[BLOCK_BYTES] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+
+ _pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+ _fill_msg_tweak(0x4, N, l, tweak);
+ _lilliput_tbc(key, tweak, _0n, Pad);
+ _xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
+
+ _fill_msg_tweak(0x5, N, l, tweak);
+ _lilliput_tbc(key, tweak, checksum, Final);
+ }
}
static void _decrypt_message(
const uint8_t key[KEY_BYTES],
- size_t ciphertext_len, const uint8_t ciphertext[ciphertext_len],
- const uint8_t nonce[NONCE_BYTES],
+ size_t C_len, const uint8_t C[C_len],
+ const uint8_t N[NONCE_BYTES],
- size_t *message_len, uint8_t message[ciphertext_len],
- uint8_t final[BLOCK_BYTES]
+ size_t *M_len, uint8_t M[C_len],
+ uint8_t Final[BLOCK_BYTES]
)
{
}
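Review bot: In `_encrypt_message`, `M_rest` is produced by `_pad10` in the `rest != 0` branch and then never read, so `checksum` covers only the full blocks; presumably the padded tail is meant to be folded in before `Final` is computed, `_xor_into(checksum, M_rest);` right after the `_pad10` call (confirm against the spec). `*C_len` is never written, so a caller reading the output length gets whatever the pointer already held; presumably `*C_len = M_len;` at the end of the function. For an empty message `l` is 0 and the `rest == 0` branch passes `l-1`, which wraps to `SIZE_MAX`, as the block number to `_fill_msg_tweak`; check which block number the spec expects in that case. The `_0n` initializer hard-codes sixteen zero bytes, so `uint8_t _0n[BLOCK_BYTES] = {0};` would stay correct if `BLOCK_BYTES` is ever different from 16; `_decrypt_message` is an empty stub that likewise never sets `*M_len`.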