lilliput-ae-reference-implementation

Implementations of Lilliput-AE submitted to the NIST LWC standardization process
git clone https://git.kevinlegouguec.net/lilliput-ae-reference-implementation
Log | Files | Refs | README

CHANGELOG.txt (4604B)

      1 This document summarizes the modifications brought by each version. Some modifications are tagged as follows:
      2 
      3 - [spec] when the modification is brought by a new revision of the specification,
      4 - [break] when the modification changes the implementation's output.
      5 
      6 A modification that has no tag corresponds to stylistic and/or structural changes that have no impact on test vectors.
      7 
      8 
      9 v1.1
     10 ====
     11 
     12 ref
     13 ---
     14 
     15 - Introduce helper function copy_block_index() to make tweak-building functions more legible.
     16   (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c)
     17 
     18 - Initialize ΘCB3 tweak with nonce instead of copying the latter into the former repeatedly.
     19   (lilliput-i.c)
     20 
     21 - Re-write _nonlinear_layer() and _linear_layer() functions to better resemble the specification.
     22   (cipher.c)
     23 
     24 - Extract tweakey multiplications into their own header file, so that other implementations can make more targeted changes.
     25   (constants.h, multiplications.h, tweakey.c)
     26 
     27 - Use size_t to iterate on arrays in lilliput_tbc_encrypt() and lilliput_tbc_decrypt().
     28   (cipher.c)
     29 
     30 [spec][break]
     31 - Change alpha coefficients in tweakey schedule to ensure lane 0 is updated between each round:
     32     - lane 0: Id  => M
     33     - lane 1: M   => M^2
     34     - lane 2: M^2 => M^3
     35     - lane 3: M^3 => M^4
     36     - lane 4: M_R   (unchanged)
     37     - lane 5: M_R^2 (unchanged)
     38     - lane 6: M_R^3 (unchanged)
     39   (multiplications.h, tweakey.c)
     40 
     41 [break]
     42 - Make byte string concatenation more consistent in AE modes:
     43 
     44     - v1 mixed two interpretations of concatenation:
     45         1. M_0 || M_1 was interpreted as { M[0], ... M[15] } || { M[16], ... M[31] },
     46         2. pad(10*) and tweak-building functions interpreted X||Y as { Y[0], ... Y[ylen-1] } || { X[0], ... X[xlen-1] }.
     47 
     48       This was potentially confusing, and also led to inefficient hardware implementations. E.g. a message M of length 34 bytes was padded as follows:
     49 
     50                   M_0                     M_1                     pad10*(M_*)
     51           { M[0], ... M[15] } || { M[16], ... M[31] } || { 0, ... 0, 0x80, M[32], M[33] }
     52 
     53     - v1.1 sticks to the first interpretation. The same message M is now padded as follows:
     54 
     55                   M_0                     M_1                     pad10*(M_*)
     56           { M[0], ... M[15] } || { M[16], ... M[31] } || { M[32], M[33], 0x80, 0, ... 0 }
     57 
     58   (lilliput-ae-utils.h, lilliput-i.c, lilliput-ii.c)
     59 
     60 add_felicsref
     61 -------------
     62 
     63 See reference implementation. Further changes:
     64 
     65 - Introduce helper function _multiply() to reduce code duplication.
     66   (tweakey.c)
     67 
     68 - Compute round-tweakeys on the fly to save on RAM, instead of storing all pre-computed round-tweakeys.
     69   (cipher.c)
     70 
     71 - Remove intermediate buffer X in lilliput_tbc_decrypt(), to resemble lilliput_tbc_encrypt().
     72   (cipher.c)
     73 
     74 add_threshold
     75 -------------
     76 
     77 See reference implementation. Further changes:
     78 
     79 - Add constant macros KEY_LANES_NB and TWEAK_LANES_NB to make tweakey schedule code more legible.
     80   (tweakey.c)
     81 
     82 add_tweakeyloop
     83 ---------------
     84 
     85 See reference implementation.
     86 
     87 add_python
     88 ----------
     89 
     90 See [spec] and [break] changes in reference implementation. Further changes:
     91 
     92 - Re-write tweakey multiplications to better resemble the specification.
     93   (multiplications.py)
     94 
     95 add_vhdltbc
     96 -----------
     97 
     98 See [spec] and [break] changes in reference implementation. Further changes:
     99 
    100 - Each algorithm variant now contains a single VHDL implementation, add_vhdltbc:
    101     - for Lilliput-I variants, add_vhdltbc corresponds to the former add_vhdltbcencryptdecrypt,
    102     - Lilliput-II variants do not need the decryption part of Lilliput-TBC, therefore add_vhdltbc corresponds to the former add_vdhltbcencrypt.
    103 
    104 - For Lilliput-I, the inverted multiplications have been updated to match changes to the encryption process:
    105     - lane 0: Id       => inv(M)
    106     - lane 1: inv(M)   => inv(M)^2
    107     - lane 2: inv(M)^2 => inv(M)^3
    108     - lane 3: inv(M)^3 => inv(M)^4
    109     - lane 4: inv(M_R)   (unchanged)
    110     - lane 5: inv(M_R)^2 (unchanged)
    111     - lane 6: inv(M_R)^3 (unchanged)
    112   (inv_multiplication.vhd)
    113 
    114 - Merge S-box in one file.
    115   (sbox.vhd, inner_sbox_a.vhd, inner_sbox_b, vhd,inner_sbox_c.vhd)
    116 
    117 - Create registers in file roundexe_lilliput.vhd.
    118   (state_key_register.vhd, state_register.vhd, roundexe_lilliput)
    119 
    120 - Reduce the number of signals.
    121   (chiffrement.vhd)
    122 
    123 - Add self-checking testbench.
    124   (top_tb.vhd)
    125 
    126 - Pipeline RoundTweakey extraction and round function.
    127   (roundexe_lilliput.vhd, machine_etat_chiffrement.vhd)
    128 
    129 - Isolate input and output from critical path.
    130   (roundexe_lilliput.vhd, machine_etat_chiffrement.vhd)
    131 
    132 
    133 v1
    134 ==
    135 
    136 Initial release to round 1 of the LWC standardization process.