diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/cipher.c | 170 | ||||
| -rw-r--r-- | src/cipher.h | 23 | ||||
| -rw-r--r-- | src/constants.c | 248 | ||||
| -rw-r--r-- | src/constants.h | 16 | ||||
| -rw-r--r-- | src/debug.h | 50 | ||||
| -rw-r--r-- | src/lilliput-ae-i.c | 310 | ||||
| -rw-r--r-- | src/lilliput-ae.h | 35 | ||||
| -rw-r--r-- | src/tweakey.c | 83 | ||||
| -rw-r--r-- | src/tweakey.h | 31 |
9 files changed, 966 insertions, 0 deletions
diff --git a/src/cipher.c b/src/cipher.c new file mode 100644 index 0000000..7f1152a --- /dev/null +++ b/src/cipher.c @@ -0,0 +1,170 @@ +#include <stdint.h> +#include <string.h> + +#include "cipher.h" +#include "constants.h" +#include "parameters.h" +#include "tweakey.h" + + +enum permutation +{ + PERMUTATION_ENCRYPTION = 0, + PERMUTATION_DECRYPTION = 1, + PERMUTATION_NONE +}; + +typedef enum permutation permutation; + +const uint8_t PERMUTATIONS[2][BLOCK_BYTES] = { + /* PI(i) */ + [0] = { 13, 9, 14, 8, 10, 11, 12, 15, + 4, 5, 3, 1, 2, 6, 0, 7 }, + /* PI^-1(i) */ + [1] = { 14, 11, 12, 10, 8, 9, 13, 15, + 3, 1, 4, 5, 6, 0, 2, 7 } +}; + + +struct cipher_state +{ + uint8_t X[BLOCK_BYTES]; +}; + + +typedef struct cipher_state cipher_state; + + +static void _state_init(cipher_state *X, const uint8_t message[BLOCK_BYTES]) +{ + memcpy(X->X, message, sizeof(X->X)); +} + + +static void _compute_round_tweakeys( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES] +) +{ + tweakey_state TK; + tweakey_state_init(&TK, key, tweak); + tweakey_state_extract(&TK, RTK[0], 0); + + for (uint8_t i=1; i<ROUNDS; i++) + { + tweakey_state_update(&TK); + tweakey_state_extract(&TK, RTK[i], i); + } +} + + +static void _nonlinear_layer(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES]) +{ + uint8_t F[ROUND_TWEAKEY_BYTES]; + for (size_t j=0; j<sizeof(F); j++) + { + F[j] = X->X[j] ^ RTK[j]; + } + + for (size_t j=0; j<sizeof(F); j++) + { + F[j] = S[F[j]]; + } + + for (size_t j=0; j<8; j++) + { + size_t dest_j = 15-j; + X->X[dest_j] ^= F[j]; + } +} + +static void _linear_layer(cipher_state *X) +{ + X->X[15] ^= X->X[1]; + X->X[15] ^= X->X[2]; + X->X[15] ^= X->X[3]; + X->X[15] ^= X->X[4]; + X->X[15] ^= X->X[5]; + X->X[15] ^= X->X[6]; + X->X[15] ^= X->X[7]; + + X->X[14] ^= X->X[7]; + X->X[13] ^= X->X[7]; + X->X[12] ^= X->X[7]; + X->X[11] ^= X->X[7]; + X->X[10] ^= X->X[7]; + X->X[9] ^= X->X[7]; +} + +static void _permutation_layer(cipher_state *X, permutation p) +{ + if (p == PERMUTATION_NONE) + { + return; + } + + uint8_t X_old[BLOCK_BYTES]; + memcpy(X_old, X, sizeof(X_old)); + + const uint8_t *pi = PERMUTATIONS[p]; + + for (size_t j=0; j<BLOCK_BYTES; j++) + { + X->X[pi[j]] = X_old[j]; + } +} + +static void _one_round_egfn(cipher_state *X, const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p) +{ + _nonlinear_layer(X, RTK); + _linear_layer(X); + _permutation_layer(X, p); +} + + +void lilliput_tbc_encrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t message[BLOCK_BYTES], + uint8_t ciphertext[BLOCK_BYTES] +) +{ + cipher_state X; + _state_init(&X, message); + + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; + _compute_round_tweakeys(key, tweak, RTK); + + for (uint8_t i=0; i<ROUNDS-1; i++) + { + _one_round_egfn(&X, RTK[i], PERMUTATION_ENCRYPTION); + } + + _one_round_egfn(&X, RTK[ROUNDS-1], PERMUTATION_NONE); + + memcpy(ciphertext, X.X, BLOCK_BYTES); +} + +void lilliput_tbc_decrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t ciphertext[BLOCK_BYTES], + uint8_t message[BLOCK_BYTES] +) +{ + cipher_state X; + _state_init(&X, ciphertext); + + uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]; + _compute_round_tweakeys(key, tweak, RTK); + + for (uint8_t i=0; i<ROUNDS-1; i++) + { + _one_round_egfn(&X, RTK[ROUNDS-1-i], PERMUTATION_DECRYPTION); + } + + _one_round_egfn(&X, RTK[0], PERMUTATION_NONE); + + memcpy(message, X.X, BLOCK_BYTES); +} diff --git a/src/cipher.h b/src/cipher.h new file mode 100644 index 0000000..06dfde5 --- /dev/null +++ b/src/cipher.h @@ -0,0 +1,23 @@ +#ifndef CIPHER_H +#define CIPHER_H + +#include <stdint.h> + +#include "parameters.h" + + +void lilliput_tbc_encrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t message[BLOCK_BYTES], + uint8_t ciphertext[BLOCK_BYTES] +); + +void lilliput_tbc_decrypt( + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES], + const uint8_t ciphertext[BLOCK_BYTES], + uint8_t message[BLOCK_BYTES] +); + +#endif /* CIPHER_H */ diff --git a/src/constants.c b/src/constants.c new file mode 100644 index 0000000..29da1d8 --- /dev/null +++ b/src/constants.c @@ -0,0 +1,248 @@ +#include "constants.h" + + +const uint8_t h[8] = { + 1, 5, 3, 0, 4, 7, 2, 6 +}; + +const uint8_t P[6][256] = { + [0] = { + 0, 2, 4, 6, 8, 10, 12, 14, + 16, 18, 20, 22, 24, 26, 28, 30, + 32, 34, 36, 38, 40, 42, 44, 46, + 48, 50, 52, 54, 56, 58, 60, 62, + 64, 66, 68, 70, 72, 74, 76, 78, + 80, 82, 84, 86, 88, 90, 92, 94, + 96, 98, 100, 102, 104, 106, 108, 110, + 112, 114, 116, 118, 120, 122, 124, 126, + 132, 134, 128, 130, 140, 142, 136, 138, + 148, 150, 144, 146, 156, 158, 152, 154, + 164, 166, 160, 162, 172, 174, 168, 170, + 180, 182, 176, 178, 188, 190, 184, 186, + 196, 198, 192, 194, 204, 206, 200, 202, + 212, 214, 208, 210, 220, 222, 216, 218, + 228, 230, 224, 226, 236, 238, 232, 234, + 244, 246, 240, 242, 252, 254, 248, 250, + 129, 131, 133, 135, 137, 139, 141, 143, + 145, 147, 149, 151, 153, 155, 157, 159, + 161, 163, 165, 167, 169, 171, 173, 175, + 177, 179, 181, 183, 185, 187, 189, 191, + 193, 195, 197, 199, 201, 203, 205, 207, + 209, 211, 213, 215, 217, 219, 221, 223, + 225, 227, 229, 231, 233, 235, 237, 239, + 241, 243, 245, 247, 249, 251, 253, 255, + 5, 7, 1, 3, 13, 15, 9, 11, + 21, 23, 17, 19, 29, 31, 25, 27, + 37, 39, 33, 35, 45, 47, 41, 43, + 53, 55, 49, 51, 61, 63, 57, 59, + 69, 71, 65, 67, 77, 79, 73, 75, + 85, 87, 81, 83, 93, 95, 89, 91, + 101, 103, 97, 99, 109, 111, 105, 107, + 117, 119, 113, 115, 125, 127, 121, 123 + }, + [1] = { + 0, 4, 8, 12, 16, 20, 24, 28, + 32, 36, 40, 44, 48, 52, 56, 60, + 64, 68, 72, 76, 80, 84, 88, 92, + 96, 100, 104, 108, 112, 116, 120, 124, + 132, 128, 140, 136, 148, 144, 156, 152, + 164, 160, 172, 168, 180, 176, 188, 184, + 196, 192, 204, 200, 212, 208, 220, 216, + 228, 224, 236, 232, 244, 240, 252, 248, + 137, 141, 129, 133, 153, 157, 145, 149, + 169, 173, 161, 165, 185, 189, 177, 181, + 201, 205, 193, 197, 217, 221, 209, 213, + 233, 237, 225, 229, 249, 253, 241, 245, + 13, 9, 5, 1, 29, 25, 21, 17, + 45, 41, 37, 33, 61, 57, 53, 49, + 77, 73, 69, 65, 93, 89, 85, 81, + 109, 105, 101, 97, 125, 121, 117, 113, + 131, 135, 139, 143, 147, 151, 155, 159, + 163, 167, 171, 175, 179, 183, 187, 191, + 195, 199, 203, 207, 211, 215, 219, 223, + 227, 231, 235, 239, 243, 247, 251, 255, + 7, 3, 15, 11, 23, 19, 31, 27, + 39, 35, 47, 43, 55, 51, 63, 59, + 71, 67, 79, 75, 87, 83, 95, 91, + 103, 99, 111, 107, 119, 115, 127, 123, + 10, 14, 2, 6, 26, 30, 18, 22, + 42, 46, 34, 38, 58, 62, 50, 54, + 74, 78, 66, 70, 90, 94, 82, 86, + 106, 110, 98, 102, 122, 126, 114, 118, + 142, 138, 134, 130, 158, 154, 150, 146, + 174, 170, 166, 162, 190, 186, 182, 178, + 206, 202, 198, 194, 222, 218, 214, 210, + 238, 234, 230, 226, 254, 250, 246, 242 + }, + [2] = { + 0, 8, 16, 24, 32, 40, 48, 56, + 64, 72, 80, 88, 96, 104, 112, 120, + 132, 140, 148, 156, 164, 172, 180, 188, + 196, 204, 212, 220, 228, 236, 244, 252, + 137, 129, 153, 145, 169, 161, 185, 177, + 201, 193, 217, 209, 233, 225, 249, 241, + 13, 5, 29, 21, 45, 37, 61, 53, + 77, 69, 93, 85, 109, 101, 125, 117, + 147, 155, 131, 139, 179, 187, 163, 171, + 211, 219, 195, 203, 243, 251, 227, 235, + 23, 31, 7, 15, 55, 63, 39, 47, + 87, 95, 71, 79, 119, 127, 103, 111, + 26, 18, 10, 2, 58, 50, 42, 34, + 90, 82, 74, 66, 122, 114, 106, 98, + 158, 150, 142, 134, 190, 182, 174, 166, + 222, 214, 206, 198, 254, 246, 238, 230, + 135, 143, 151, 159, 167, 175, 183, 191, + 199, 207, 215, 223, 231, 239, 247, 255, + 3, 11, 19, 27, 35, 43, 51, 59, + 67, 75, 83, 91, 99, 107, 115, 123, + 14, 6, 30, 22, 46, 38, 62, 54, + 78, 70, 94, 86, 110, 102, 126, 118, + 138, 130, 154, 146, 170, 162, 186, 178, + 202, 194, 218, 210, 234, 226, 250, 242, + 20, 28, 4, 12, 52, 60, 36, 44, + 84, 92, 68, 76, 116, 124, 100, 108, + 144, 152, 128, 136, 176, 184, 160, 168, + 208, 216, 192, 200, 240, 248, 224, 232, + 157, 149, 141, 133, 189, 181, 173, 165, + 221, 213, 205, 197, 253, 245, 237, 229, + 25, 17, 9, 1, 57, 49, 41, 33, + 89, 81, 73, 65, 121, 113, 105, 97 + }, + [3] = { + 0, 132, 1, 133, 3, 135, 2, 134, + 4, 128, 5, 129, 7, 131, 6, 130, + 8, 140, 9, 141, 11, 143, 10, 142, + 12, 136, 13, 137, 15, 139, 14, 138, + 16, 148, 17, 149, 19, 151, 18, 150, + 20, 144, 21, 145, 23, 147, 22, 146, + 24, 156, 25, 157, 27, 159, 26, 158, + 28, 152, 29, 153, 31, 155, 30, 154, + 32, 164, 33, 165, 35, 167, 34, 166, + 36, 160, 37, 161, 39, 163, 38, 162, + 40, 172, 41, 173, 43, 175, 42, 174, + 44, 168, 45, 169, 47, 171, 46, 170, + 48, 180, 49, 181, 51, 183, 50, 182, + 52, 176, 53, 177, 55, 179, 54, 178, + 56, 188, 57, 189, 59, 191, 58, 190, + 60, 184, 61, 185, 63, 187, 62, 186, + 64, 196, 65, 197, 67, 199, 66, 198, + 68, 192, 69, 193, 71, 195, 70, 194, + 72, 204, 73, 205, 75, 207, 74, 206, + 76, 200, 77, 201, 79, 203, 78, 202, + 80, 212, 81, 213, 83, 215, 82, 214, + 84, 208, 85, 209, 87, 211, 86, 210, + 88, 220, 89, 221, 91, 223, 90, 222, + 92, 216, 93, 217, 95, 219, 94, 218, + 96, 228, 97, 229, 99, 231, 98, 230, + 100, 224, 101, 225, 103, 227, 102, 226, + 104, 236, 105, 237, 107, 239, 106, 238, + 108, 232, 109, 233, 111, 235, 110, 234, + 112, 244, 113, 245, 115, 247, 114, 246, + 116, 240, 117, 241, 119, 243, 118, 242, + 120, 252, 121, 253, 123, 255, 122, 254, + 124, 248, 125, 249, 127, 251, 126, 250 + }, + [4] = { + 0, 165, 67, 230, 199, 98, 132, 33, + 133, 32, 198, 99, 66, 231, 1, 164, + 3, 166, 64, 229, 196, 97, 135, 34, + 134, 35, 197, 96, 65, 228, 2, 167, + 4, 161, 71, 226, 195, 102, 128, 37, + 129, 36, 194, 103, 70, 227, 5, 160, + 7, 162, 68, 225, 192, 101, 131, 38, + 130, 39, 193, 100, 69, 224, 6, 163, + 8, 173, 75, 238, 207, 106, 140, 41, + 141, 40, 206, 107, 74, 239, 9, 172, + 11, 174, 72, 237, 204, 105, 143, 42, + 142, 43, 205, 104, 73, 236, 10, 175, + 12, 169, 79, 234, 203, 110, 136, 45, + 137, 44, 202, 111, 78, 235, 13, 168, + 15, 170, 76, 233, 200, 109, 139, 46, + 138, 47, 201, 108, 77, 232, 14, 171, + 16, 181, 83, 246, 215, 114, 148, 49, + 149, 48, 214, 115, 82, 247, 17, 180, + 19, 182, 80, 245, 212, 113, 151, 50, + 150, 51, 213, 112, 81, 244, 18, 183, + 20, 177, 87, 242, 211, 118, 144, 53, + 145, 52, 210, 119, 86, 243, 21, 176, + 23, 178, 84, 241, 208, 117, 147, 54, + 146, 55, 209, 116, 85, 240, 22, 179, + 24, 189, 91, 254, 223, 122, 156, 57, + 157, 56, 222, 123, 90, 255, 25, 188, + 27, 190, 88, 253, 220, 121, 159, 58, + 158, 59, 221, 120, 89, 252, 26, 191, + 28, 185, 95, 250, 219, 126, 152, 61, + 153, 60, 218, 127, 94, 251, 29, 184, + 31, 186, 92, 249, 216, 125, 155, 62, + 154, 63, 217, 124, 93, 248, 30, 187 + }, + [5] = { + 0, 215, 165, 114, 230, 49, 67, 148, + 199, 16, 98, 181, 33, 246, 132, 83, + 133, 82, 32, 247, 99, 180, 198, 17, + 66, 149, 231, 48, 164, 115, 1, 214, + 3, 212, 166, 113, 229, 50, 64, 151, + 196, 19, 97, 182, 34, 245, 135, 80, + 134, 81, 35, 244, 96, 183, 197, 18, + 65, 150, 228, 51, 167, 112, 2, 213, + 4, 211, 161, 118, 226, 53, 71, 144, + 195, 20, 102, 177, 37, 242, 128, 87, + 129, 86, 36, 243, 103, 176, 194, 21, + 70, 145, 227, 52, 160, 119, 5, 210, + 7, 208, 162, 117, 225, 54, 68, 147, + 192, 23, 101, 178, 38, 241, 131, 84, + 130, 85, 39, 240, 100, 179, 193, 22, + 69, 146, 224, 55, 163, 116, 6, 209, + 8, 223, 173, 122, 238, 57, 75, 156, + 207, 24, 106, 189, 41, 254, 140, 91, + 141, 90, 40, 255, 107, 188, 206, 25, + 74, 157, 239, 56, 172, 123, 9, 222, + 11, 220, 174, 121, 237, 58, 72, 159, + 204, 27, 105, 190, 42, 253, 143, 88, + 142, 89, 43, 252, 104, 191, 205, 26, + 73, 158, 236, 59, 175, 120, 10, 221, + 12, 219, 169, 126, 234, 61, 79, 152, + 203, 28, 110, 185, 45, 250, 136, 95, + 137, 94, 44, 251, 111, 184, 202, 29, + 78, 153, 235, 60, 168, 127, 13, 218, + 15, 216, 170, 125, 233, 62, 76, 155, + 200, 31, 109, 186, 46, 249, 139, 92, + 138, 93, 47, 248, 108, 187, 201, 30, + 77, 154, 232, 63, 171, 124, 14, 217 + }, +}; + +const uint8_t S[256] = { + 32, 0, 178, 133, 59, 53, 166, 164, + 48, 228, 106, 44, 255, 89, 226, 14, + 248, 30, 122, 128, 21, 189, 62, 177, + 232, 243, 162, 194, 218, 81, 42, 16, + 33, 1, 35, 120, 92, 36, 39, 181, + 55, 199, 43, 31, 174, 10, 119, 95, + 111, 9, 157, 129, 4, 90, 41, 220, + 57, 156, 5, 87, 151, 116, 121, 23, + 68, 198, 230, 233, 221, 65, 242, 138, + 84, 202, 110, 74, 225, 173, 182, 136, + 28, 152, 126, 206, 99, 73, 58, 93, + 12, 239, 246, 52, 86, 37, 46, 214, + 103, 117, 85, 118, 184, 210, 97, 217, + 113, 139, 205, 11, 114, 108, 49, 75, + 105, 253, 123, 109, 96, 60, 47, 98, + 63, 34, 115, 19, 201, 130, 127, 83, + 50, 18, 160, 124, 2, 135, 132, 134, + 147, 78, 104, 70, 141, 195, 219, 236, + 155, 183, 137, 146, 167, 190, 61, 216, + 234, 80, 145, 241, 51, 56, 224, 169, + 163, 131, 161, 27, 207, 6, 149, 7, + 158, 237, 185, 245, 76, 192, 244, 45, + 22, 250, 180, 3, 38, 179, 144, 79, + 171, 101, 252, 254, 20, 247, 227, 148, + 238, 172, 140, 26, 222, 203, 40, 64, + 125, 200, 196, 72, 107, 223, 165, 82, + 229, 251, 215, 100, 249, 240, 211, 94, + 102, 150, 143, 29, 69, 54, 204, 197, + 77, 159, 191, 15, 209, 8, 235, 67, + 66, 25, 231, 153, 168, 142, 88, 193, + 154, 212, 24, 71, 170, 175, 188, 91, + 213, 17, 208, 176, 112, 187, 13, 186 +}; diff --git a/src/constants.h b/src/constants.h new file mode 100644 index 0000000..a786023 --- /dev/null +++ b/src/constants.h @@ -0,0 +1,16 @@ +#ifndef CONSTANTS_H +#define CONSTANTS_H + +#include <stdint.h> + + +/* Tweakey permutation */ +extern const uint8_t h[8]; + +/* Tweakey multiplication */ +extern const uint8_t P[6][256]; + +/* Lilliput S-box */ +extern const uint8_t S[256]; + +#endif /* CONSTANTS_H */ diff --git a/src/debug.h b/src/debug.h new file mode 100644 index 0000000..87140e5 --- /dev/null +++ b/src/debug.h @@ -0,0 +1,50 @@ +#ifndef DEBUG_H +#define DEBUG_H + +#include <inttypes.h> +#include <stdio.h> + + +static inline void debug_dump_lanes(FILE *output, const char *header, size_t len, const uint8_t buf[len], int indent) +{ + if (!output) + { + return; + } + + fprintf(output, "%s\n", header); + + for (size_t line=0; line<len/8; line++) + { + fprintf(output, "%*s", indent, ""); + for (size_t b=0; b<8; b++) + { + /* start with MSB */ + size_t byte_index = len-(1+line*8+b); + fprintf(output, "%*s%02x", 5, "", buf[byte_index]); + } + fprintf(output, "\n"); + } + fprintf(output, "\n"); +} + +static inline void debug_dump_buffer(FILE *output, const char *header, size_t len, const uint8_t buf[len], int indent) +{ + if (!output) + { + return; + } + + fprintf(output, "%s\n", header); + + fprintf(output, "%*s", indent, ""); + for (size_t b=0; b<len; b++) + { + /* start with MSB */ + size_t byte_index = len-1-b; + fprintf(output, "%*s%02x", 5, "", buf[byte_index]); + } + fprintf(output, "\n"); +} + +#endif /* DEBUG_H */ diff --git a/src/lilliput-ae-i.c b/src/lilliput-ae-i.c new file mode 100644 index 0000000..60a916b --- /dev/null +++ b/src/lilliput-ae-i.c @@ -0,0 +1,310 @@ +#include <stdbool.h> +#include <stdint.h> +#include <string.h> + +#include "cipher.h" +#include "lilliput-ae.h" + + +static const uint8_t _0n[BLOCK_BYTES] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + + +static uint8_t _upper_nibble(uint8_t i) +{ + return i >> 4; +} + +static uint8_t _lower_nibble(uint8_t i) +{ + return i & 0x0f; +} + +static void _encrypt(const uint8_t K[KEY_BYTES], + const uint8_t T[TWEAK_BYTES], + const uint8_t M[BLOCK_BYTES], + uint8_t C[BLOCK_BYTES]) +{ + lilliput_tbc_encrypt(K, T, M, C); +} + +static void _decrypt(const uint8_t K[KEY_BYTES], + const uint8_t T[TWEAK_BYTES], + const uint8_t C[BLOCK_BYTES], + uint8_t M[BLOCK_BYTES]) +{ + lilliput_tbc_decrypt(K, T, C, M); +} + +static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES]) +{ + for (size_t i=0; i<BLOCK_BYTES; i++) + dest[i] ^= src[i]; +} + +static void _xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len], const uint8_t b[len]) +{ + for (size_t i=0; i<len; i++) + out[i] = a[i] ^ b[i]; +} + +static void _pad10(size_t X_len, const uint8_t X[X_len], uint8_t padded[BLOCK_BYTES]) +{ + /* pad10*(X) = X || 1 || 0^{n-|X|-1} */ + + /* Assume that len<BLOCK_BYTES. */ + + size_t pad_len = BLOCK_BYTES-X_len; + + memcpy(padded+pad_len, X, X_len); + + padded[pad_len-1] = 0x80; + + if (pad_len > 1) + { + memset(padded, 0, pad_len-1); + } +} + +static void _fill_ad_tweak( + uint8_t prefix, + uint64_t block_nb, + uint8_t tweak[TWEAK_BYTES] +) +{ + /* The 192-bit tweak is filled as follows: + * + * - bits 1-188: block number + * 1- 64: actual 64-bit block number + * 65-188: 0-padding + * - bits 189-192: constant 4-bit prefix + */ + + for (size_t i=0; i<sizeof(block_nb); i++) + { + uint64_t mask = (uint64_t)0xff << 8*i; + uint8_t b = (mask & block_nb) >> 8*i; + + tweak[i] = b; + } + + /* Assume padding bytes have already been memset to 0. */ + + tweak[TWEAK_BYTES-1] |= prefix << 4; +} + +static void _fill_msg_tweak( + uint8_t prefix, + const uint8_t N[NONCE_BYTES], + uint64_t block_nb, + uint8_t tweak[TWEAK_BYTES] +) +{ + /* The 192-bit tweak is filled as follows: + * + * - bits 1- 68: block number + * 1- 64: actual 64-bit block number + * 64- 68: 0-padding + * - bits 67-188: nonce + * - bits 189-192: constant 4-bit prefix + */ + + for (size_t i=0; i<sizeof(block_nb); i++) + { + uint64_t mask = (uint64_t)0xff << 8*i; + uint8_t b = (mask & block_nb) >> 8*i; + + tweak[i] = b; + } + + tweak[sizeof(block_nb)] = _lower_nibble(N[0]) << 4; + + for (size_t i=1; i<NONCE_BYTES; i++) + { + tweak[sizeof(block_nb)+i] = _lower_nibble(N[i]) << 4 ^ _upper_nibble(N[i-1]); + } + + tweak[TWEAK_BYTES-1] = prefix << 4 ^ _upper_nibble(N[NONCE_BYTES-1]); +} + +static void _process_associated_data( + const uint8_t key[KEY_BYTES], + size_t A_len, + const uint8_t A[A_len], + uint8_t Auth[BLOCK_BYTES] +) +{ + uint8_t Ek_Ai[BLOCK_BYTES]; + uint8_t tweak[TWEAK_BYTES]; + + memset(tweak, 0, TWEAK_BYTES); + memset(Auth, 0, BLOCK_BYTES); + + size_t l_a = A_len / BLOCK_BYTES; + size_t rest = A_len % BLOCK_BYTES; + + for (size_t i=0; i<l_a; i++) + { + _fill_ad_tweak(0x2, i, tweak); + _encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai); + _xor_into(Auth, Ek_Ai); + } + + if (rest != 0) + { + uint8_t A_rest[BLOCK_BYTES]; + _pad10(rest, &A[l_a*BLOCK_BYTES], A_rest); + _fill_ad_tweak(0x6, l_a, tweak); + _encrypt(key, tweak, A_rest, Ek_Ai); + _xor_into(Auth, Ek_Ai); + } +} + +static void _encrypt_message( + const uint8_t key[KEY_BYTES], + size_t M_len, + const uint8_t M[M_len], + const uint8_t N[NONCE_BYTES], + uint8_t C[M_len+BLOCK_BYTES], + uint8_t Final[BLOCK_BYTES] +) +{ + size_t l = M_len / BLOCK_BYTES; + size_t rest = M_len % BLOCK_BYTES; + + uint8_t tweak[TWEAK_BYTES]; + uint8_t checksum[BLOCK_BYTES]; + + memset(tweak, 0, TWEAK_BYTES); + memset(checksum, 0, BLOCK_BYTES); + + for (size_t j=0; j<l; j++) + { + _xor_into(checksum, &M[j*BLOCK_BYTES]); + _fill_msg_tweak(0x0, N, j, tweak); + _encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]); + } + + if (rest == 0) + { + _fill_msg_tweak(0x1, N, l-1, tweak); + _encrypt(key, tweak, checksum, Final); + } + else + { + uint8_t M_rest[BLOCK_BYTES]; + uint8_t Pad[BLOCK_BYTES]; + + _pad10(rest, &M[l*BLOCK_BYTES], M_rest); + _xor_into(checksum, M_rest); + + _fill_msg_tweak(0x4, N, l, tweak); + _encrypt(key, tweak, _0n, Pad); + _xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad); + + _fill_msg_tweak(0x5, N, l, tweak); + _encrypt(key, tweak, checksum, Final); + } +} + +static void _decrypt_message( + const uint8_t key[KEY_BYTES], + size_t C_len, + const uint8_t C[C_len], + const uint8_t N[NONCE_BYTES], + uint8_t M[C_len], + uint8_t Final[BLOCK_BYTES] +) +{ + size_t l = C_len / BLOCK_BYTES; + size_t rest = C_len % BLOCK_BYTES; + + uint8_t tweak[TWEAK_BYTES]; + uint8_t checksum[BLOCK_BYTES]; + + memset(tweak, 0, TWEAK_BYTES); + memset(checksum, 0, BLOCK_BYTES); + + for (size_t j=0; j<l; j++) + { + _fill_msg_tweak(0x0, N, j, tweak); + _decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]); + _xor_into(checksum, &M[j*BLOCK_BYTES]); + } + + if (rest == 0) + { + _fill_msg_tweak(0x1, N, l-1, tweak); + _encrypt(key, tweak, checksum, Final); + } + else + { + uint8_t M_rest[BLOCK_BYTES]; + uint8_t Pad[BLOCK_BYTES]; + + _fill_msg_tweak(0x4, N, l, tweak); + _encrypt(key, tweak, _0n, Pad); + _xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad); + + _pad10(rest, &M[l*BLOCK_BYTES], M_rest); + _xor_into(checksum, M_rest); + + _fill_msg_tweak(0x5, N, l, tweak); + _encrypt(key, tweak, checksum, Final); + } +} + +static void _generate_tag( + const uint8_t Final[BLOCK_BYTES], + const uint8_t Auth[BLOCK_BYTES], + uint8_t tag[TAG_BYTES] +) +{ + _xor_arrays(TAG_BYTES, tag, Final, Auth); +} + + +void lilliput_ae_encrypt( + size_t message_len, + const uint8_t message[message_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + uint8_t ciphertext[message_len], + uint8_t tag[TAG_BYTES] +) +{ + uint8_t auth[BLOCK_BYTES]; + _process_associated_data(key, auth_data_len, auth_data, auth); + + uint8_t final[BLOCK_BYTES]; + _encrypt_message(key, message_len, message, nonce, ciphertext, final); + + _generate_tag(final, auth, tag); +} + +bool lilliput_ae_decrypt( + size_t ciphertext_len, + const uint8_t ciphertext[ciphertext_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + const uint8_t tag[TAG_BYTES], + uint8_t message[ciphertext_len] +) +{ + uint8_t auth[BLOCK_BYTES]; + _process_associated_data(key, auth_data_len, auth_data, auth); + + uint8_t final[BLOCK_BYTES]; + _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final); + + uint8_t effective_tag[TAG_BYTES]; + _generate_tag(final, auth, effective_tag); + + return memcmp(tag, effective_tag, TAG_BYTES) == 0; +} diff --git a/src/lilliput-ae.h b/src/lilliput-ae.h new file mode 100644 index 0000000..062c71c --- /dev/null +++ b/src/lilliput-ae.h @@ -0,0 +1,35 @@ +#ifndef LILLIPUT_AE_H +#define LILLIPUT_AE_H + +#include <stddef.h> +#include <stdbool.h> +#include <stdint.h> + +#include "parameters.h" + + +/* TODO: replace c_len with m_len */ +void lilliput_ae_encrypt( + size_t message_len, + const uint8_t message[message_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + uint8_t ciphertext[message_len], + uint8_t tag[TAG_BYTES] +); + +bool lilliput_ae_decrypt( + size_t ciphertext_len, + const uint8_t ciphertext[ciphertext_len], + size_t auth_data_len, + const uint8_t auth_data[auth_data_len], + const uint8_t key[KEY_BYTES], + const uint8_t nonce[NONCE_BYTES], + const uint8_t tag[TAG_BYTES], + uint8_t message[ciphertext_len] +); + + +#endif /* LILLIPUT_AE_H */ diff --git a/src/tweakey.c b/src/tweakey.c new file mode 100644 index 0000000..da97019 --- /dev/null +++ b/src/tweakey.c @@ -0,0 +1,83 @@ +#include <stdint.h> +#include <string.h> + +#include "constants.h" +#include "parameters.h" +#include "tweakey.h" + + +#define LANE_BITS 64 +#define LANE_BYTES (LANE_BITS/8) +#define LANES_NB (TWEAKEY_BYTES/LANE_BYTES) + + +void tweakey_state_init( + tweakey_state *TK, + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES] +) +{ + memcpy(TK->TK, tweak, TWEAK_BYTES); + memcpy(TK->TK+TWEAK_BYTES, key, KEY_BYTES); +} + + +void tweakey_state_extract( + const tweakey_state *TK, + uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ + uint8_t i /* round constant */ +) +{ + memset(round_tweakey, 0, ROUND_TWEAKEY_BYTES); + + for (const uint8_t *lane=TK->TK; lane<TK->TK+TWEAKEY_BYTES; lane+=LANE_BYTES) + { + for (size_t j=0; j<LANE_BYTES; j++) + { + round_tweakey[j] ^= lane[j]; + } + } + + round_tweakey[0] ^= i; +} + + +static void _permute_state(tweakey_state *TK) +{ + uint8_t TK_old[TWEAKEY_BYTES]; + memcpy(TK_old, TK->TK, sizeof(TK_old)); + + /* TODO: homogenize indices; here j=lane; k=byte */ + + for (size_t j=0; j<TWEAKEY_BYTES; j+=LANE_BYTES) + { + for (size_t k=0; k<LANE_BYTES; k++) + { + TK->TK[j+h[k]] = TK_old[j+k]; + } + } +} + +static void _multiply_state(tweakey_state *TK) +{ + /* Lane 0 is multiplied by Id; lane 1 by P_0, lane 2 by P_1... */ + + for (size_t lane=1; lane<LANES_NB; lane++) + { + const uint8_t* P_lane = P[lane-1]; + + /* TODO: homogenize indices; here b=byte */ + + for (size_t b=0; b<LANE_BYTES; b++) + { + size_t offset = lane*LANE_BYTES + b; + TK->TK[offset] = P_lane[TK->TK[offset]]; + } + } +} + +void tweakey_state_update(tweakey_state *TK) +{ + _permute_state(TK); + _multiply_state(TK); +} diff --git a/src/tweakey.h b/src/tweakey.h new file mode 100644 index 0000000..0642724 --- /dev/null +++ b/src/tweakey.h @@ -0,0 +1,31 @@ +#ifndef TWEAKEY_H +#define TWEAKEY_H + +#include <stdint.h> + +#include "parameters.h" + + +struct tweakey_state +{ + uint8_t TK[TWEAKEY_BYTES]; +}; + +typedef struct tweakey_state tweakey_state; + + +void tweakey_state_init( + tweakey_state *TK, + const uint8_t key[KEY_BYTES], + const uint8_t tweak[TWEAK_BYTES] +); + +void tweakey_state_extract( + const tweakey_state *TK, + uint8_t round_tweakey[ROUND_TWEAKEY_BYTES], /* output */ + uint8_t i /* round constant */ +); + +void tweakey_state_update(tweakey_state *TK); + +#endif /* TWEAKEY_H */ |