lilliput-ae-reference-implementation

Implementations of Lilliput-AE submitted to the NIST LWC standardization process
git clone https://git.kevinlegouguec.net/lilliput-ae-reference-implementation
Log | Files | Refs | README

traces-tbc.patch (4711B)

      1 diff --git a/src/ref/cipher.c b/src/ref/cipher.c
      2 index b6b309e..011bc70 100644
      3 --- a/src/ref/cipher.c
      4 +++ b/src/ref/cipher.c
      5 @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/
      6  This file provides the implementation for Lilliput-TBC.
      7  */
      8  
      9 +#include "debug.h"
     10 +
     11  #include <stdint.h>
     12  #include <string.h>
     13  
     14 @@ -71,33 +73,53 @@ static void _compute_round_tweakeys(
     15      uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES]
     16  )
     17  {
     18 +    fprintf(DUMP, "computing %zu round sub-tweakeys\n", (size_t)ROUNDS);
     19 +
     20      uint8_t TK[TWEAKEY_BYTES];
     21      tweakey_state_init(TK, key, tweak);
     22      tweakey_state_extract(TK, 0, RTK[0]);
     23  
     24 +    fprintf(DUMP, "    0\n");
     25 +    debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[0], 8);
     26 +
     27      for (size_t i=1; i<ROUNDS; i++)
     28      {
     29 +        fprintf(DUMP, "    %zu\n", (size_t)i);
     30 +
     31          tweakey_state_update(TK);
     32 +        debug_dump_buffer("TK", TWEAKEY_BYTES, TK, 8);
     33          tweakey_state_extract(TK, i, RTK[i]);
     34 +        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, RTK[i], 8);
     35      }
     36  }
     37  
     38  
     39  static uint8_t _Fj(uint8_t Xj, uint8_t RTKj)
     40  {
     41 +    fprintf(DUMP, "            Xj: %02x; S[Xj]: %02x; RTKj: %02x; Fj: %02x\n", Xj, S[Xj], RTKj, S[Xj ^ RTKj]);
     42      return S[Xj ^ RTKj];
     43  }
     44  
     45  static void _nonlinear_layer(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES])
     46  {
     47 +    fprintf(DUMP, "        nonlinear layer\n");
     48 +
     49 +    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
     50 +
     51      for (size_t j=0; j<8; j++)
     52      {
     53 +        fprintf(DUMP, "            j=%zu\n", j);
     54          X[15-j] ^= _Fj(X[j], RTK[j]);
     55 +        fprintf(DUMP, "            X_{15-j} XOR Fj: %02x\n", X[15-j]);
     56      }
     57 +
     58 +    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
     59  }
     60  
     61  static void _linear_layer(uint8_t X[BLOCK_BYTES])
     62  {
     63 +    fprintf(DUMP, "        linear layer\n");
     64 +
     65      for (size_t j=1; j<8; j++)
     66      {
     67          X[15] ^= X[j];
     68 @@ -107,6 +129,8 @@ static void _linear_layer(uint8_t X[BLOCK_BYTES])
     69      {
     70          X[j] ^= X[7];
     71      }
     72 +
     73 +    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
     74  }
     75  
     76  static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
     77 @@ -116,6 +140,8 @@ static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
     78          return;
     79      }
     80  
     81 +    fprintf(DUMP, "        permutation layer\n");
     82 +
     83      uint8_t X_old[BLOCK_BYTES];
     84      memcpy(X_old, X, BLOCK_BYTES);
     85  
     86 @@ -125,6 +151,8 @@ static void _permutation_layer(uint8_t X[BLOCK_BYTES], permutation p)
     87      {
     88          X[pi[j]] = X_old[j];
     89      }
     90 +
     91 +    debug_dump_buffer("X", BLOCK_BYTES, X, 12);
     92  }
     93  
     94  static void _one_round_egfn(uint8_t X[BLOCK_BYTES], const uint8_t RTK[ROUND_TWEAKEY_BYTES], permutation p)
     95 @@ -148,11 +176,15 @@ void lilliput_tbc_encrypt(
     96      uint8_t RTK[ROUNDS][ROUND_TWEAKEY_BYTES];
     97      _compute_round_tweakeys(key, tweak, RTK);
     98  
     99 +    fprintf(DUMP, "running EGFN %zu times\n", (size_t)ROUNDS);
    100 +
    101      for (size_t i=0; i<ROUNDS-1; i++)
    102      {
    103 +        fprintf(DUMP, "    round %zu\n", i);
    104          _one_round_egfn(X, RTK[i], PERMUTATION_ENCRYPTION);
    105      }
    106  
    107 +    fprintf(DUMP, "    round %zu\n", (size_t)(ROUNDS-1));
    108      _one_round_egfn(X, RTK[ROUNDS-1], PERMUTATION_NONE);
    109  
    110      memcpy(ciphertext, X, BLOCK_BYTES);
    111 diff --git a/src/ref/tweakey.c b/src/ref/tweakey.c
    112 index 510f35a..4bf027c 100644
    113 --- a/src/ref/tweakey.c
    114 +++ b/src/ref/tweakey.c
    115 @@ -17,6 +17,8 @@ http://creativecommons.org/publicdomain/zero/1.0/
    116  This file provides the implementation of Lilliput-TBC's tweakey schedule.
    117  */
    118  
    119 +#include "debug.h"
    120 +
    121  #include <stdint.h>
    122  #include <string.h>
    123  
    124 @@ -51,10 +53,16 @@ void tweakey_state_extract(
    125      {
    126          const uint8_t *TKj = TK + j*LANE_BYTES;
    127  
    128 +        fprintf(DUMP, "        XORing lane %zu/%zu\n", 1+j, (size_t)LANES_NB);
    129 +        debug_dump_buffer("RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
    130 +        debug_dump_buffer("lane[j]", LANE_BYTES, TKj, 12);
    131 +
    132          for (size_t k=0; k<LANE_BYTES; k++)
    133          {
    134              round_tweakey[k] ^= TKj[k];
    135          }
    136 +
    137 +        debug_dump_buffer("=> RTK", ROUND_TWEAKEY_BYTES, round_tweakey, 12);
    138      }
    139  
    140      round_tweakey[0] ^= round_constant;
    141 @@ -73,6 +81,10 @@ static const matrix_multiplication ALPHAS[7] = {
    142      _multiply_MR3
    143  };
    144  
    145 +static char const * const ALPHAS_STR[7] = {
    146 +    "M", "M²", "M³", "M⁴", "MR", "MR²", "MR³"
    147 +};
    148 +
    149  
    150  void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES])
    151  {
    152 @@ -84,5 +96,9 @@ void tweakey_state_update(uint8_t TK[TWEAKEY_BYTES])
    153          memcpy(TKj_old, TKj, LANE_BYTES);
    154  
    155          ALPHAS[j](TKj_old, TKj);
    156 +
    157 +        fprintf(DUMP, "        multiplying lane %zu/%zu by %s\n", 1+j, (size_t)LANES_NB, ALPHAS_STR[j]);
    158 +        debug_dump_buffer("TK_j^i-1", LANE_BYTES, TKj_old, 12);
    159 +        debug_dump_buffer("TK_j^i", LANE_BYTES, TKj, 12);
    160      }
    161  }