From dbae7afbbc13c39f167bad9c2d72d5d670c06c83 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Wed, 13 Feb 2019 14:02:28 +0100
Subject: Renommage des fichiers implémentant les modes AE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pour qu'ils soient plus proches du nom donné dans la spécification.
---
 README.md                                 |   4 +-
 nist/make-package.sh                      |   3 +-
 src/add_tweakeysequences/lilliput-ae-i.c  |   1 -
 src/add_tweakeysequences/lilliput-ae-ii.c |   1 -
 src/add_tweakeysequences/lilliput-i.c     |   1 +
 src/add_tweakeysequences/lilliput-ii.c    |   1 +
 src/add_tweakeyunrolled/lilliput-ae-i.c   |   1 -
 src/add_tweakeyunrolled/lilliput-ae-ii.c  |   1 -
 src/add_tweakeyunrolled/lilliput-i.c      |   1 +
 src/add_tweakeyunrolled/lilliput-ii.c     |   1 +
 src/ref/lilliput-ae-i.c                   | 212 ------------------------------
 src/ref/lilliput-ae-ii.c                  | 177 -------------------------
 src/ref/lilliput-ae.h                     |   2 +-
 src/ref/lilliput-i.c                      | 212 ++++++++++++++++++++++++++++++
 src/ref/lilliput-ii.c                     | 177 +++++++++++++++++++++++++
 test/check-implementation.sh              |   3 +-
 test/common.mk                            |   6 +-
 test/felics/Makefile                      |   2 +-
 traces/traces-ae.patch                    |  12 +-
 19 files changed, 410 insertions(+), 408 deletions(-)
 delete mode 120000 src/add_tweakeysequences/lilliput-ae-i.c
 delete mode 120000 src/add_tweakeysequences/lilliput-ae-ii.c
 create mode 120000 src/add_tweakeysequences/lilliput-i.c
 create mode 120000 src/add_tweakeysequences/lilliput-ii.c
 delete mode 120000 src/add_tweakeyunrolled/lilliput-ae-i.c
 delete mode 120000 src/add_tweakeyunrolled/lilliput-ae-ii.c
 create mode 120000 src/add_tweakeyunrolled/lilliput-i.c
 create mode 120000 src/add_tweakeyunrolled/lilliput-ii.c
 delete mode 100644 src/ref/lilliput-ae-i.c
 delete mode 100644 src/ref/lilliput-ae-ii.c
 create mode 100644 src/ref/lilliput-i.c
 create mode 100644 src/ref/lilliput-ii.c

diff --git a/README.md b/README.md
index 92e90ef..cd59350 100644
--- a/README.md
+++ b/README.md
@@ -22,9 +22,9 @@ Contains two kinds of subfolders:
 Each implementation folder contains:
 
 - `lilliput-ae.h`: main API
-- `lilliput-ae-i.c`: implementation of Lilliput-Ⅰ (ΘCB3-based)
-- `lilliput-ae-ii.c`: implementation of Lilliput-Ⅱ (SCT-2-based)
 - `lilliput-ae-utils.h`: helper functions used by both AE schemes
+- `lilliput-i.c`: implementation of Lilliput-Ⅰ (ΘCB3-based)
+- `lilliput-ii.c`: implementation of Lilliput-Ⅱ (SCT-2-based)
 - `tweakey.*`: implementation of Lilliput-TBC's tweakey schedule
 - `cipher.*`: implementation of the tweakable block-cipher
   Lilliput-TBC
diff --git a/nist/make-package.sh b/nist/make-package.sh
index dd50f54..30debe3 100755
--- a/nist/make-package.sh
+++ b/nist/make-package.sh
@@ -46,7 +46,8 @@ add-variant ()
     source_files=(
         cipher.{c,h}
         constants.h
-        lilliput-ae{.h,-utils.h,-${mode}.c}
+        lilliput-ae{.h,-utils.h}
+        lilliput-${mode}.c
         tweakey.{c,h}
     )
 
diff --git a/src/add_tweakeysequences/lilliput-ae-i.c b/src/add_tweakeysequences/lilliput-ae-i.c
deleted file mode 120000
index 2ed1026..0000000
--- a/src/add_tweakeysequences/lilliput-ae-i.c
+++ /dev/null
@@ -1 +0,0 @@
-../ref/lilliput-ae-i.c
\ No newline at end of file
diff --git a/src/add_tweakeysequences/lilliput-ae-ii.c b/src/add_tweakeysequences/lilliput-ae-ii.c
deleted file mode 120000
index af141f8..0000000
--- a/src/add_tweakeysequences/lilliput-ae-ii.c
+++ /dev/null
@@ -1 +0,0 @@
-../ref/lilliput-ae-ii.c
\ No newline at end of file
diff --git a/src/add_tweakeysequences/lilliput-i.c b/src/add_tweakeysequences/lilliput-i.c
new file mode 120000
index 0000000..46688d4
--- /dev/null
+++ b/src/add_tweakeysequences/lilliput-i.c
@@ -0,0 +1 @@
+../ref/lilliput-i.c
\ No newline at end of file
diff --git a/src/add_tweakeysequences/lilliput-ii.c b/src/add_tweakeysequences/lilliput-ii.c
new file mode 120000
index 0000000..09abf10
--- /dev/null
+++ b/src/add_tweakeysequences/lilliput-ii.c
@@ -0,0 +1 @@
+../ref/lilliput-ii.c
\ No newline at end of file
diff --git a/src/add_tweakeyunrolled/lilliput-ae-i.c b/src/add_tweakeyunrolled/lilliput-ae-i.c
deleted file mode 120000
index 2ed1026..0000000
--- a/src/add_tweakeyunrolled/lilliput-ae-i.c
+++ /dev/null
@@ -1 +0,0 @@
-../ref/lilliput-ae-i.c
\ No newline at end of file
diff --git a/src/add_tweakeyunrolled/lilliput-ae-ii.c b/src/add_tweakeyunrolled/lilliput-ae-ii.c
deleted file mode 120000
index af141f8..0000000
--- a/src/add_tweakeyunrolled/lilliput-ae-ii.c
+++ /dev/null
@@ -1 +0,0 @@
-../ref/lilliput-ae-ii.c
\ No newline at end of file
diff --git a/src/add_tweakeyunrolled/lilliput-i.c b/src/add_tweakeyunrolled/lilliput-i.c
new file mode 120000
index 0000000..46688d4
--- /dev/null
+++ b/src/add_tweakeyunrolled/lilliput-i.c
@@ -0,0 +1 @@
+../ref/lilliput-i.c
\ No newline at end of file
diff --git a/src/add_tweakeyunrolled/lilliput-ii.c b/src/add_tweakeyunrolled/lilliput-ii.c
new file mode 120000
index 0000000..09abf10
--- /dev/null
+++ b/src/add_tweakeyunrolled/lilliput-ii.c
@@ -0,0 +1 @@
+../ref/lilliput-ii.c
\ No newline at end of file
diff --git a/src/ref/lilliput-ae-i.c b/src/ref/lilliput-ae-i.c
deleted file mode 100644
index 5e91e4e..0000000
--- a/src/ref/lilliput-ae-i.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
-Implementation of the Lilliput-AE tweakable block cipher.
-
-Author: Kévin Le Gouguec, 2019.
-
-For more information, feedback or questions, refer to our website:
-https://paclido.fr/lilliput-ae
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-
----
-
-This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3.
-*/
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "lilliput-ae.h"
-#include "lilliput-ae-utils.h"
-
-
-static const uint8_t _0n[BLOCK_BYTES] = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-
-static void _fill_msg_tweak(
-    uint8_t       prefix,
-    const uint8_t N[NONCE_BYTES],
-    uint64_t      block_nb,
-    uint8_t       tweak[TWEAK_BYTES]
-)
-{
-    /* The 192-bit tweak is filled as follows:
-     *
-     * - bits   1- 68: block number
-     *          1- 64: actual 64-bit block number
-     *         64- 68: 0-padding
-     * - bits  67-188: nonce
-     * - bits 189-192: constant 4-bit prefix
-     */
-
-    for (size_t i=0; i<sizeof(block_nb); i++)
-    {
-        uint64_t mask = (uint64_t)0xff << 8*i;
-        uint8_t b = (mask & block_nb) >> 8*i;
-
-        tweak[i] = b;
-    }
-
-    tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
-
-    for (size_t i=1; i<NONCE_BYTES; i++)
-    {
-        tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
-    }
-
-    tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
-}
-
-static void _encrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    uint8_t       C[M_len+BLOCK_BYTES],
-    uint8_t       Final[BLOCK_BYTES]
-)
-{
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memset(checksum, 0, BLOCK_BYTES);
-
-    for (size_t j=0; j<l; j++)
-    {
-        xor_into(checksum, &M[j*BLOCK_BYTES]);
-        _fill_msg_tweak(0x0, N, j, tweak);
-        encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
-    }
-
-    if (rest == 0)
-    {
-        _fill_msg_tweak(0x1, N, l-1, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-    else
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        uint8_t Pad[BLOCK_BYTES];
-
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        xor_into(checksum, M_rest);
-
-        _fill_msg_tweak(0x4, N, l, tweak);
-        encrypt(key, tweak, _0n, Pad);
-        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-
-        _fill_msg_tweak(0x5, N, l, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-}
-
-static void _decrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        C_len,
-    const uint8_t C[C_len],
-    const uint8_t N[NONCE_BYTES],
-    uint8_t       M[C_len],
-    uint8_t       Final[BLOCK_BYTES]
-)
-{
-    size_t l = C_len / BLOCK_BYTES;
-    size_t rest = C_len % BLOCK_BYTES;
-
-    uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memset(checksum, 0, BLOCK_BYTES);
-
-    for (size_t j=0; j<l; j++)
-    {
-        _fill_msg_tweak(0x0, N, j, tweak);
-        decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
-        xor_into(checksum, &M[j*BLOCK_BYTES]);
-    }
-
-    if (rest == 0)
-    {
-        _fill_msg_tweak(0x1, N, l-1, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-    else
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        uint8_t Pad[BLOCK_BYTES];
-
-        _fill_msg_tweak(0x4, N, l, tweak);
-        encrypt(key, tweak, _0n, Pad);
-        xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        xor_into(checksum, M_rest);
-
-        _fill_msg_tweak(0x5, N, l, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-}
-
-static void _generate_tag(
-    const uint8_t Final[BLOCK_BYTES],
-    const uint8_t Auth[BLOCK_BYTES],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    xor_arrays(TAG_BYTES, tag, Final, Auth);
-}
-
-
-void lilliput_ae_encrypt(
-    size_t        message_len,
-    const uint8_t message[message_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    uint8_t       ciphertext[message_len],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t final[BLOCK_BYTES];
-    _encrypt_message(key, message_len, message, nonce, ciphertext, final);
-
-    _generate_tag(final, auth, tag);
-}
-
-bool lilliput_ae_decrypt(
-    size_t        ciphertext_len,
-    const uint8_t ciphertext[ciphertext_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       message[ciphertext_len]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t final[BLOCK_BYTES];
-    _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
-
-    uint8_t effective_tag[TAG_BYTES];
-    _generate_tag(final, auth, effective_tag);
-
-    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
diff --git a/src/ref/lilliput-ae-ii.c b/src/ref/lilliput-ae-ii.c
deleted file mode 100644
index 8238b08..0000000
--- a/src/ref/lilliput-ae-ii.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
-Implementation of the Lilliput-AE tweakable block cipher.
-
-Author: Kévin Le Gouguec, 2019.
-
-For more information, feedback or questions, refer to our website:
-https://paclido.fr/lilliput-ae
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-
----
-
-This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
-*/
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "lilliput-ae.h"
-#include "lilliput-ae-utils.h"
-
-
-static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
-    /* The t-bit tweak is filled as follows:
-     *
-     * - bits [  1, t-1]: tag + block index
-     *        [  1,  64]: tag[ 1.. 64] XOR block index
-     *        [ 65, t-1]: tag[65..t-1]
-     * - bit t: 1
-     */
-
-    memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
-    tweak[TWEAK_BYTES-1] |= 0x80;
-}
-
-static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
-{
-    /* Assume bits 65 to t-1 are set. */
-    for (size_t i=0; i<sizeof(block_index); i++)
-    {
-        uint8_t index_i = block_index >> i*8 & 0xff;
-        tweak[i] = tag[i] ^ index_i;
-    }
-}
-
-static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
-    /* The t-bit tweak is filled as follows:
-     *
-     * - bits [  1, t-7]: N
-     * - bits [t-7,   t]: 0001||0^4
-     */
-
-    memcpy(tweak, N, TWEAK_BYTES-1);
-    tweak[TWEAK_BYTES-1] = 0x10;
-}
-
-static void _generate_tag(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    const uint8_t Auth[BLOCK_BYTES],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t Ek_Mj[BLOCK_BYTES];
-    uint8_t tag_tmp[TAG_BYTES];
-    uint8_t tweak[TWEAK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memcpy(tag_tmp, Auth, TAG_BYTES);
-
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    for (size_t j=0; j<l; j++)
-    {
-        fill_index_tweak(0x0, j, tweak);
-        encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
-        xor_into(tag_tmp, Ek_Mj);
-    }
-
-    if (rest != 0)
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        fill_index_tweak(0x4, l, tweak);
-        encrypt(key, tweak, M_rest, Ek_Mj);
-        xor_into(tag_tmp, Ek_Mj);
-    }
-
-    _fill_tag_tweak(N, tweak);
-    encrypt(key, tweak, tag_tmp, tag);
-}
-
-static void _encrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       C[M_len]
-)
-{
-    uint8_t Ek_N[BLOCK_BYTES];
-
-    uint8_t tweak[TWEAK_BYTES];
-    _init_msg_tweak(tag, tweak);
-
-    uint8_t padded_N[BLOCK_BYTES];
-    memcpy(padded_N, N, NONCE_BYTES);
-    padded_N[BLOCK_BYTES-1] = 0;
-
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    for (size_t j=0; j<l; j++)
-    {
-        _fill_msg_tweak(tag, j, tweak);
-        encrypt(key, tweak, padded_N, Ek_N);
-        xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
-    }
-
-    if (rest != 0)
-    {
-        _fill_msg_tweak(tag, l, tweak);
-        encrypt(key, tweak, padded_N, Ek_N);
-        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
-    }
-}
-
-void lilliput_ae_encrypt(
-    size_t        message_len,
-    const uint8_t message[message_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    uint8_t       ciphertext[message_len],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    _generate_tag(key, message_len, message, nonce, auth, tag);
-
-    _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
-}
-
-bool lilliput_ae_decrypt(
-    size_t        ciphertext_len,
-    const uint8_t ciphertext[ciphertext_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       message[ciphertext_len]
-)
-{
-    _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
-
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t effective_tag[TAG_BYTES];
-    _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
-
-    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
diff --git a/src/ref/lilliput-ae.h b/src/ref/lilliput-ae.h
index f2d7c82..48721fe 100644
--- a/src/ref/lilliput-ae.h
+++ b/src/ref/lilliput-ae.h
@@ -13,7 +13,7 @@ http://creativecommons.org/publicdomain/zero/1.0/
 ---
 
 This file provides the interface for both Lilliput-I and Lilliput-II,
-implemented by lilliput-ae-i.c and lilliput-ae-ii.c respectively.
+implemented by lilliput-i.c and lilliput-ii.c respectively.
 */
 
 #ifndef LILLIPUT_AE_H
diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c
new file mode 100644
index 0000000..5e91e4e
--- /dev/null
+++ b/src/ref/lilliput-i.c
@@ -0,0 +1,212 @@
+/*
+Implementation of the Lilliput-AE tweakable block cipher.
+
+Author: Kévin Le Gouguec, 2019.
+
+For more information, feedback or questions, refer to our website:
+https://paclido.fr/lilliput-ae
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+
+---
+
+This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3.
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "cipher.h"
+#include "lilliput-ae.h"
+#include "lilliput-ae-utils.h"
+
+
+static const uint8_t _0n[BLOCK_BYTES] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+
+static void _fill_msg_tweak(
+    uint8_t       prefix,
+    const uint8_t N[NONCE_BYTES],
+    uint64_t      block_nb,
+    uint8_t       tweak[TWEAK_BYTES]
+)
+{
+    /* The 192-bit tweak is filled as follows:
+     *
+     * - bits   1- 68: block number
+     *          1- 64: actual 64-bit block number
+     *         64- 68: 0-padding
+     * - bits  67-188: nonce
+     * - bits 189-192: constant 4-bit prefix
+     */
+
+    for (size_t i=0; i<sizeof(block_nb); i++)
+    {
+        uint64_t mask = (uint64_t)0xff << 8*i;
+        uint8_t b = (mask & block_nb) >> 8*i;
+
+        tweak[i] = b;
+    }
+
+    tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
+
+    for (size_t i=1; i<NONCE_BYTES; i++)
+    {
+        tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
+    }
+
+    tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
+}
+
+static void _encrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    uint8_t       C[M_len+BLOCK_BYTES],
+    uint8_t       Final[BLOCK_BYTES]
+)
+{
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        xor_into(checksum, &M[j*BLOCK_BYTES]);
+        _fill_msg_tweak(0x0, N, j, tweak);
+        encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        xor_into(checksum, M_rest);
+
+        _fill_msg_tweak(0x4, N, l, tweak);
+        encrypt(key, tweak, _0n, Pad);
+        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+}
+
+static void _decrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        C_len,
+    const uint8_t C[C_len],
+    const uint8_t N[NONCE_BYTES],
+    uint8_t       M[C_len],
+    uint8_t       Final[BLOCK_BYTES]
+)
+{
+    size_t l = C_len / BLOCK_BYTES;
+    size_t rest = C_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(0x0, N, j, tweak);
+        decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
+        xor_into(checksum, &M[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+
+        _fill_msg_tweak(0x4, N, l, tweak);
+        encrypt(key, tweak, _0n, Pad);
+        xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
+
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        xor_into(checksum, M_rest);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+}
+
+static void _generate_tag(
+    const uint8_t Final[BLOCK_BYTES],
+    const uint8_t Auth[BLOCK_BYTES],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    xor_arrays(TAG_BYTES, tag, Final, Auth);
+}
+
+
+void lilliput_ae_encrypt(
+    size_t        message_len,
+    const uint8_t message[message_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    uint8_t       ciphertext[message_len],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t final[BLOCK_BYTES];
+    _encrypt_message(key, message_len, message, nonce, ciphertext, final);
+
+    _generate_tag(final, auth, tag);
+}
+
+bool lilliput_ae_decrypt(
+    size_t        ciphertext_len,
+    const uint8_t ciphertext[ciphertext_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       message[ciphertext_len]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t final[BLOCK_BYTES];
+    _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
+
+    uint8_t effective_tag[TAG_BYTES];
+    _generate_tag(final, auth, effective_tag);
+
+    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
+}
diff --git a/src/ref/lilliput-ii.c b/src/ref/lilliput-ii.c
new file mode 100644
index 0000000..8238b08
--- /dev/null
+++ b/src/ref/lilliput-ii.c
@@ -0,0 +1,177 @@
+/*
+Implementation of the Lilliput-AE tweakable block cipher.
+
+Author: Kévin Le Gouguec, 2019.
+
+For more information, feedback or questions, refer to our website:
+https://paclido.fr/lilliput-ae
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+
+---
+
+This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "cipher.h"
+#include "lilliput-ae.h"
+#include "lilliput-ae-utils.h"
+
+
+static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+    /* The t-bit tweak is filled as follows:
+     *
+     * - bits [  1, t-1]: tag + block index
+     *        [  1,  64]: tag[ 1.. 64] XOR block index
+     *        [ 65, t-1]: tag[65..t-1]
+     * - bit t: 1
+     */
+
+    memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
+    tweak[TWEAK_BYTES-1] |= 0x80;
+}
+
+static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
+{
+    /* Assume bits 65 to t-1 are set. */
+    for (size_t i=0; i<sizeof(block_index); i++)
+    {
+        uint8_t index_i = block_index >> i*8 & 0xff;
+        tweak[i] = tag[i] ^ index_i;
+    }
+}
+
+static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+    /* The t-bit tweak is filled as follows:
+     *
+     * - bits [  1, t-7]: N
+     * - bits [t-7,   t]: 0001||0^4
+     */
+
+    memcpy(tweak, N, TWEAK_BYTES-1);
+    tweak[TWEAK_BYTES-1] = 0x10;
+}
+
+static void _generate_tag(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    const uint8_t Auth[BLOCK_BYTES],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t Ek_Mj[BLOCK_BYTES];
+    uint8_t tag_tmp[TAG_BYTES];
+    uint8_t tweak[TWEAK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memcpy(tag_tmp, Auth, TAG_BYTES);
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    for (size_t j=0; j<l; j++)
+    {
+        fill_index_tweak(0x0, j, tweak);
+        encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
+        xor_into(tag_tmp, Ek_Mj);
+    }
+
+    if (rest != 0)
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        fill_index_tweak(0x4, l, tweak);
+        encrypt(key, tweak, M_rest, Ek_Mj);
+        xor_into(tag_tmp, Ek_Mj);
+    }
+
+    _fill_tag_tweak(N, tweak);
+    encrypt(key, tweak, tag_tmp, tag);
+}
+
+static void _encrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       C[M_len]
+)
+{
+    uint8_t Ek_N[BLOCK_BYTES];
+
+    uint8_t tweak[TWEAK_BYTES];
+    _init_msg_tweak(tag, tweak);
+
+    uint8_t padded_N[BLOCK_BYTES];
+    memcpy(padded_N, N, NONCE_BYTES);
+    padded_N[BLOCK_BYTES-1] = 0;
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(tag, j, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
+    }
+
+    if (rest != 0)
+    {
+        _fill_msg_tweak(tag, l, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
+    }
+}
+
+void lilliput_ae_encrypt(
+    size_t        message_len,
+    const uint8_t message[message_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    uint8_t       ciphertext[message_len],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    _generate_tag(key, message_len, message, nonce, auth, tag);
+
+    _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
+}
+
+bool lilliput_ae_decrypt(
+    size_t        ciphertext_len,
+    const uint8_t ciphertext[ciphertext_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       message[ciphertext_len]
+)
+{
+    _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
+
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t effective_tag[TAG_BYTES];
+    _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
+
+    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
+}
diff --git a/test/check-implementation.sh b/test/check-implementation.sh
index 76616e2..4113637 100755
--- a/test/check-implementation.sh
+++ b/test/check-implementation.sh
@@ -27,7 +27,8 @@ run-genkat ()
     local source_files=(
         cipher.{c,h}
         constants.h
-        lilliput-ae{.h,-utils.h,-${mode}.c}
+        lilliput-ae{.h,-utils.h}
+        lilliput-${mode}.c
         tweakey.{c,h}
     )
 
diff --git a/test/common.mk b/test/common.mk
index c3182cb..677dcbe 100644
--- a/test/common.mk
+++ b/test/common.mk
@@ -70,7 +70,7 @@ $(results_dir)/test-tbc-decrypt $(results_dir)/test-tbc-encrypt $(results_dir)/t
 $(results_dir)/src/cipher.o $(results_dir)/src/tweakey.o
 
 $(results_dir)/test-ae-decrypt $(results_dir)/test-ae-encrypt $(results_dir)/test-ae-roundtrip $(results_dir)/traces-ae: \
-$(results_dir)/src/lilliput-ae-$(mode).o $(results_dir)/src/cipher.o                                                     \
+$(results_dir)/src/lilliput-$(mode).o $(results_dir)/src/cipher.o                                                     \
 $(results_dir)/src/tweakey.o
 
 $(results_dir)/test-tweakey: $(results_dir)/src/tweakey.o
@@ -80,8 +80,8 @@ $(results_dir)/test-tweakey: $(results_dir)/src/tweakey.o
 $(results_dir)/$(src_dir)/cipher.o: $(src_dir)/cipher.h                 \
 $(src_dir)/tweakey.h $(variant_dir)/parameters.h
 
-$(results_dir)/$(src_dir)/lilliput-ae-i.o $(results_dir)/$(src_dir)/lilliput-ae-ii.o:   \
-$(src_dir)/lilliput-ae.h $(src_dir)/cipher.h $(src_dir)/constants.h                     \
+$(results_dir)/$(src_dir)/lilliput-i.o $(results_dir)/$(src_dir)/lilliput-ii.o: \
+$(src_dir)/lilliput-ae.h $(src_dir)/cipher.h $(src_dir)/constants.h             \
 $(variant_dir)/parameters.h
 
 $(results_dir)/$(src_dir)/tweakey.o: $(src_dir)/tweakey.h       \
diff --git a/test/felics/Makefile b/test/felics/Makefile
index 7a7a672..e6a2e91 100644
--- a/test/felics/Makefile
+++ b/test/felics/Makefile
@@ -19,7 +19,7 @@ vector: $(results_dir)/felics-make-vector | $(results_dir)
 
 
 $(results_dir)/felics-make-vector: $(results_dir)/felics-make-vector.o \
-$(results_dir)/src/lilliput-ae-$(mode).o $(results_dir)/src/cipher.o   \
+$(results_dir)/src/lilliput-$(mode).o $(results_dir)/src/cipher.o   \
 $(results_dir)/src/tweakey.o | $(results_dir)
 
 $(results_dir)/felics-make-vector.o: $(test_dir)/felics/make-vector.c | $(results_dir)
diff --git a/traces/traces-ae.patch b/traces/traces-ae.patch
index cfe6cdb..9822a35 100644
--- a/traces/traces-ae.patch
+++ b/traces/traces-ae.patch
@@ -1,7 +1,7 @@
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-i.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-i.c
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-i.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-i.c
 index 2754fbb..061a24e 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-i.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-i.c
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-i.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-i.c
 @@ -15,6 +15,8 @@ http://creativecommons.org/publicdomain/zero/1.0/
  This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3.
  */
@@ -135,10 +135,10 @@ index 2754fbb..061a24e 100644
  }
  
  
-diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-ii.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-ii.c
+diff --git a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ii.c b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ii.c
 index 862892c..7dfb38e 100644
---- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-ii.c
-+++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ae-ii.c
+--- a/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ii.c
++++ b/SOUMISSION_NIST/REFERENCE_IMPLEMENTATION/src/ref/lilliput-ii.c
 @@ -15,6 +15,8 @@ http://creativecommons.org/publicdomain/zero/1.0/
  This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
  */
-- 
cgit v1.2.3