From dbae7afbbc13c39f167bad9c2d72d5d670c06c83 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Wed, 13 Feb 2019 14:02:28 +0100
Subject: Renommage des fichiers implémentant les modes AE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pour qu'ils soient plus proches du nom donné dans la spécification.
---
 src/ref/lilliput-ae-i.c  | 212 -----------------------------------------------
 src/ref/lilliput-ae-ii.c | 177 ---------------------------------------
 src/ref/lilliput-ae.h    |   2 +-
 src/ref/lilliput-i.c     | 212 +++++++++++++++++++++++++++++++++++++++++++++++
 src/ref/lilliput-ii.c    | 177 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 390 insertions(+), 390 deletions(-)
 delete mode 100644 src/ref/lilliput-ae-i.c
 delete mode 100644 src/ref/lilliput-ae-ii.c
 create mode 100644 src/ref/lilliput-i.c
 create mode 100644 src/ref/lilliput-ii.c

(limited to 'src/ref')

diff --git a/src/ref/lilliput-ae-i.c b/src/ref/lilliput-ae-i.c
deleted file mode 100644
index 5e91e4e..0000000
--- a/src/ref/lilliput-ae-i.c
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
-Implementation of the Lilliput-AE tweakable block cipher.
-
-Author: Kévin Le Gouguec, 2019.
-
-For more information, feedback or questions, refer to our website:
-https://paclido.fr/lilliput-ae
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-
----
-
-This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3.
-*/
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "lilliput-ae.h"
-#include "lilliput-ae-utils.h"
-
-
-static const uint8_t _0n[BLOCK_BYTES] = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-
-static void _fill_msg_tweak(
-    uint8_t       prefix,
-    const uint8_t N[NONCE_BYTES],
-    uint64_t      block_nb,
-    uint8_t       tweak[TWEAK_BYTES]
-)
-{
-    /* The 192-bit tweak is filled as follows:
-     *
-     * - bits   1- 68: block number
-     *          1- 64: actual 64-bit block number
-     *         64- 68: 0-padding
-     * - bits  67-188: nonce
-     * - bits 189-192: constant 4-bit prefix
-     */
-
-    for (size_t i=0; i<sizeof(block_nb); i++)
-    {
-        uint64_t mask = (uint64_t)0xff << 8*i;
-        uint8_t b = (mask & block_nb) >> 8*i;
-
-        tweak[i] = b;
-    }
-
-    tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
-
-    for (size_t i=1; i<NONCE_BYTES; i++)
-    {
-        tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
-    }
-
-    tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
-}
-
-static void _encrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    uint8_t       C[M_len+BLOCK_BYTES],
-    uint8_t       Final[BLOCK_BYTES]
-)
-{
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memset(checksum, 0, BLOCK_BYTES);
-
-    for (size_t j=0; j<l; j++)
-    {
-        xor_into(checksum, &M[j*BLOCK_BYTES]);
-        _fill_msg_tweak(0x0, N, j, tweak);
-        encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
-    }
-
-    if (rest == 0)
-    {
-        _fill_msg_tweak(0x1, N, l-1, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-    else
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        uint8_t Pad[BLOCK_BYTES];
-
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        xor_into(checksum, M_rest);
-
-        _fill_msg_tweak(0x4, N, l, tweak);
-        encrypt(key, tweak, _0n, Pad);
-        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
-
-        _fill_msg_tweak(0x5, N, l, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-}
-
-static void _decrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        C_len,
-    const uint8_t C[C_len],
-    const uint8_t N[NONCE_BYTES],
-    uint8_t       M[C_len],
-    uint8_t       Final[BLOCK_BYTES]
-)
-{
-    size_t l = C_len / BLOCK_BYTES;
-    size_t rest = C_len % BLOCK_BYTES;
-
-    uint8_t tweak[TWEAK_BYTES];
-    uint8_t checksum[BLOCK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memset(checksum, 0, BLOCK_BYTES);
-
-    for (size_t j=0; j<l; j++)
-    {
-        _fill_msg_tweak(0x0, N, j, tweak);
-        decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
-        xor_into(checksum, &M[j*BLOCK_BYTES]);
-    }
-
-    if (rest == 0)
-    {
-        _fill_msg_tweak(0x1, N, l-1, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-    else
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        uint8_t Pad[BLOCK_BYTES];
-
-        _fill_msg_tweak(0x4, N, l, tweak);
-        encrypt(key, tweak, _0n, Pad);
-        xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
-
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        xor_into(checksum, M_rest);
-
-        _fill_msg_tweak(0x5, N, l, tweak);
-        encrypt(key, tweak, checksum, Final);
-    }
-}
-
-static void _generate_tag(
-    const uint8_t Final[BLOCK_BYTES],
-    const uint8_t Auth[BLOCK_BYTES],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    xor_arrays(TAG_BYTES, tag, Final, Auth);
-}
-
-
-void lilliput_ae_encrypt(
-    size_t        message_len,
-    const uint8_t message[message_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    uint8_t       ciphertext[message_len],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t final[BLOCK_BYTES];
-    _encrypt_message(key, message_len, message, nonce, ciphertext, final);
-
-    _generate_tag(final, auth, tag);
-}
-
-bool lilliput_ae_decrypt(
-    size_t        ciphertext_len,
-    const uint8_t ciphertext[ciphertext_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       message[ciphertext_len]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t final[BLOCK_BYTES];
-    _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
-
-    uint8_t effective_tag[TAG_BYTES];
-    _generate_tag(final, auth, effective_tag);
-
-    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
diff --git a/src/ref/lilliput-ae-ii.c b/src/ref/lilliput-ae-ii.c
deleted file mode 100644
index 8238b08..0000000
--- a/src/ref/lilliput-ae-ii.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
-Implementation of the Lilliput-AE tweakable block cipher.
-
-Author: Kévin Le Gouguec, 2019.
-
-For more information, feedback or questions, refer to our website:
-https://paclido.fr/lilliput-ae
-
-To the extent possible under law, the implementer has waived all copyright
-and related or neighboring rights to the source code in this file.
-http://creativecommons.org/publicdomain/zero/1.0/
-
----
-
-This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
-*/
-
-#include <stdbool.h>
-#include <stdint.h>
-#include <string.h>
-
-#include "cipher.h"
-#include "lilliput-ae.h"
-#include "lilliput-ae-utils.h"
-
-
-static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
-    /* The t-bit tweak is filled as follows:
-     *
-     * - bits [  1, t-1]: tag + block index
-     *        [  1,  64]: tag[ 1.. 64] XOR block index
-     *        [ 65, t-1]: tag[65..t-1]
-     * - bit t: 1
-     */
-
-    memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
-    tweak[TWEAK_BYTES-1] |= 0x80;
-}
-
-static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
-{
-    /* Assume bits 65 to t-1 are set. */
-    for (size_t i=0; i<sizeof(block_index); i++)
-    {
-        uint8_t index_i = block_index >> i*8 & 0xff;
-        tweak[i] = tag[i] ^ index_i;
-    }
-}
-
-static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
-{
-    /* The t-bit tweak is filled as follows:
-     *
-     * - bits [  1, t-7]: N
-     * - bits [t-7,   t]: 0001||0^4
-     */
-
-    memcpy(tweak, N, TWEAK_BYTES-1);
-    tweak[TWEAK_BYTES-1] = 0x10;
-}
-
-static void _generate_tag(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    const uint8_t Auth[BLOCK_BYTES],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t Ek_Mj[BLOCK_BYTES];
-    uint8_t tag_tmp[TAG_BYTES];
-    uint8_t tweak[TWEAK_BYTES];
-
-    memset(tweak, 0, TWEAK_BYTES);
-    memcpy(tag_tmp, Auth, TAG_BYTES);
-
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    for (size_t j=0; j<l; j++)
-    {
-        fill_index_tweak(0x0, j, tweak);
-        encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
-        xor_into(tag_tmp, Ek_Mj);
-    }
-
-    if (rest != 0)
-    {
-        uint8_t M_rest[BLOCK_BYTES];
-        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
-        fill_index_tweak(0x4, l, tweak);
-        encrypt(key, tweak, M_rest, Ek_Mj);
-        xor_into(tag_tmp, Ek_Mj);
-    }
-
-    _fill_tag_tweak(N, tweak);
-    encrypt(key, tweak, tag_tmp, tag);
-}
-
-static void _encrypt_message(
-    const uint8_t key[KEY_BYTES],
-    size_t        M_len,
-    const uint8_t M[M_len],
-    const uint8_t N[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       C[M_len]
-)
-{
-    uint8_t Ek_N[BLOCK_BYTES];
-
-    uint8_t tweak[TWEAK_BYTES];
-    _init_msg_tweak(tag, tweak);
-
-    uint8_t padded_N[BLOCK_BYTES];
-    memcpy(padded_N, N, NONCE_BYTES);
-    padded_N[BLOCK_BYTES-1] = 0;
-
-    size_t l = M_len / BLOCK_BYTES;
-    size_t rest = M_len % BLOCK_BYTES;
-
-    for (size_t j=0; j<l; j++)
-    {
-        _fill_msg_tweak(tag, j, tweak);
-        encrypt(key, tweak, padded_N, Ek_N);
-        xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
-    }
-
-    if (rest != 0)
-    {
-        _fill_msg_tweak(tag, l, tweak);
-        encrypt(key, tweak, padded_N, Ek_N);
-        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
-    }
-}
-
-void lilliput_ae_encrypt(
-    size_t        message_len,
-    const uint8_t message[message_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    uint8_t       ciphertext[message_len],
-    uint8_t       tag[TAG_BYTES]
-)
-{
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    _generate_tag(key, message_len, message, nonce, auth, tag);
-
-    _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
-}
-
-bool lilliput_ae_decrypt(
-    size_t        ciphertext_len,
-    const uint8_t ciphertext[ciphertext_len],
-    size_t        auth_data_len,
-    const uint8_t auth_data[auth_data_len],
-    const uint8_t key[KEY_BYTES],
-    const uint8_t nonce[NONCE_BYTES],
-    const uint8_t tag[TAG_BYTES],
-    uint8_t       message[ciphertext_len]
-)
-{
-    _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
-
-    uint8_t auth[BLOCK_BYTES];
-    process_associated_data(key, auth_data_len, auth_data, auth);
-
-    uint8_t effective_tag[TAG_BYTES];
-    _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
-
-    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
-}
diff --git a/src/ref/lilliput-ae.h b/src/ref/lilliput-ae.h
index f2d7c82..48721fe 100644
--- a/src/ref/lilliput-ae.h
+++ b/src/ref/lilliput-ae.h
@@ -13,7 +13,7 @@ http://creativecommons.org/publicdomain/zero/1.0/
 ---
 
 This file provides the interface for both Lilliput-I and Lilliput-II,
-implemented by lilliput-ae-i.c and lilliput-ae-ii.c respectively.
+implemented by lilliput-i.c and lilliput-ii.c respectively.
 */
 
 #ifndef LILLIPUT_AE_H
diff --git a/src/ref/lilliput-i.c b/src/ref/lilliput-i.c
new file mode 100644
index 0000000..5e91e4e
--- /dev/null
+++ b/src/ref/lilliput-i.c
@@ -0,0 +1,212 @@
+/*
+Implementation of the Lilliput-AE tweakable block cipher.
+
+Author: Kévin Le Gouguec, 2019.
+
+For more information, feedback or questions, refer to our website:
+https://paclido.fr/lilliput-ae
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+
+---
+
+This file implements Lilliput-AE's nonce-respecting mode based on ΘCB3.
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "cipher.h"
+#include "lilliput-ae.h"
+#include "lilliput-ae-utils.h"
+
+
+static const uint8_t _0n[BLOCK_BYTES] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+
+static void _fill_msg_tweak(
+    uint8_t       prefix,
+    const uint8_t N[NONCE_BYTES],
+    uint64_t      block_nb,
+    uint8_t       tweak[TWEAK_BYTES]
+)
+{
+    /* The 192-bit tweak is filled as follows:
+     *
+     * - bits   1- 68: block number
+     *          1- 64: actual 64-bit block number
+     *         64- 68: 0-padding
+     * - bits  67-188: nonce
+     * - bits 189-192: constant 4-bit prefix
+     */
+
+    for (size_t i=0; i<sizeof(block_nb); i++)
+    {
+        uint64_t mask = (uint64_t)0xff << 8*i;
+        uint8_t b = (mask & block_nb) >> 8*i;
+
+        tweak[i] = b;
+    }
+
+    tweak[sizeof(block_nb)] = lower_nibble(N[0]) << 4;
+
+    for (size_t i=1; i<NONCE_BYTES; i++)
+    {
+        tweak[sizeof(block_nb)+i] = lower_nibble(N[i]) << 4 ^ upper_nibble(N[i-1]);
+    }
+
+    tweak[TWEAK_BYTES-1] = prefix << 4 ^ upper_nibble(N[NONCE_BYTES-1]);
+}
+
+static void _encrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    uint8_t       C[M_len+BLOCK_BYTES],
+    uint8_t       Final[BLOCK_BYTES]
+)
+{
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        xor_into(checksum, &M[j*BLOCK_BYTES]);
+        _fill_msg_tweak(0x0, N, j, tweak);
+        encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        xor_into(checksum, M_rest);
+
+        _fill_msg_tweak(0x4, N, l, tweak);
+        encrypt(key, tweak, _0n, Pad);
+        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+}
+
+static void _decrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        C_len,
+    const uint8_t C[C_len],
+    const uint8_t N[NONCE_BYTES],
+    uint8_t       M[C_len],
+    uint8_t       Final[BLOCK_BYTES]
+)
+{
+    size_t l = C_len / BLOCK_BYTES;
+    size_t rest = C_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(0x0, N, j, tweak);
+        decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
+        xor_into(checksum, &M[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+
+        _fill_msg_tweak(0x4, N, l, tweak);
+        encrypt(key, tweak, _0n, Pad);
+        xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
+
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        xor_into(checksum, M_rest);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        encrypt(key, tweak, checksum, Final);
+    }
+}
+
+static void _generate_tag(
+    const uint8_t Final[BLOCK_BYTES],
+    const uint8_t Auth[BLOCK_BYTES],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    xor_arrays(TAG_BYTES, tag, Final, Auth);
+}
+
+
+void lilliput_ae_encrypt(
+    size_t        message_len,
+    const uint8_t message[message_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    uint8_t       ciphertext[message_len],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t final[BLOCK_BYTES];
+    _encrypt_message(key, message_len, message, nonce, ciphertext, final);
+
+    _generate_tag(final, auth, tag);
+}
+
+bool lilliput_ae_decrypt(
+    size_t        ciphertext_len,
+    const uint8_t ciphertext[ciphertext_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       message[ciphertext_len]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t final[BLOCK_BYTES];
+    _decrypt_message(key, ciphertext_len, ciphertext, nonce, message, final);
+
+    uint8_t effective_tag[TAG_BYTES];
+    _generate_tag(final, auth, effective_tag);
+
+    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
+}
diff --git a/src/ref/lilliput-ii.c b/src/ref/lilliput-ii.c
new file mode 100644
index 0000000..8238b08
--- /dev/null
+++ b/src/ref/lilliput-ii.c
@@ -0,0 +1,177 @@
+/*
+Implementation of the Lilliput-AE tweakable block cipher.
+
+Author: Kévin Le Gouguec, 2019.
+
+For more information, feedback or questions, refer to our website:
+https://paclido.fr/lilliput-ae
+
+To the extent possible under law, the implementer has waived all copyright
+and related or neighboring rights to the source code in this file.
+http://creativecommons.org/publicdomain/zero/1.0/
+
+---
+
+This file implements Lilliput-AE's nonce-misuse-resistant mode based on SCT-2.
+*/
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "cipher.h"
+#include "lilliput-ae.h"
+#include "lilliput-ae-utils.h"
+
+
+static void _init_msg_tweak(const uint8_t tag[TAG_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+    /* The t-bit tweak is filled as follows:
+     *
+     * - bits [  1, t-1]: tag + block index
+     *        [  1,  64]: tag[ 1.. 64] XOR block index
+     *        [ 65, t-1]: tag[65..t-1]
+     * - bit t: 1
+     */
+
+    memcpy(tweak+sizeof(uint64_t), tag+sizeof(uint64_t), TAG_BYTES-sizeof(uint64_t));
+    tweak[TWEAK_BYTES-1] |= 0x80;
+}
+
+static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index, uint8_t tweak[TWEAK_BYTES])
+{
+    /* Assume bits 65 to t-1 are set. */
+    for (size_t i=0; i<sizeof(block_index); i++)
+    {
+        uint8_t index_i = block_index >> i*8 & 0xff;
+        tweak[i] = tag[i] ^ index_i;
+    }
+}
+
+static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+    /* The t-bit tweak is filled as follows:
+     *
+     * - bits [  1, t-7]: N
+     * - bits [t-7,   t]: 0001||0^4
+     */
+
+    memcpy(tweak, N, TWEAK_BYTES-1);
+    tweak[TWEAK_BYTES-1] = 0x10;
+}
+
+static void _generate_tag(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    const uint8_t Auth[BLOCK_BYTES],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t Ek_Mj[BLOCK_BYTES];
+    uint8_t tag_tmp[TAG_BYTES];
+    uint8_t tweak[TWEAK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memcpy(tag_tmp, Auth, TAG_BYTES);
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    for (size_t j=0; j<l; j++)
+    {
+        fill_index_tweak(0x0, j, tweak);
+        encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
+        xor_into(tag_tmp, Ek_Mj);
+    }
+
+    if (rest != 0)
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        fill_index_tweak(0x4, l, tweak);
+        encrypt(key, tweak, M_rest, Ek_Mj);
+        xor_into(tag_tmp, Ek_Mj);
+    }
+
+    _fill_tag_tweak(N, tweak);
+    encrypt(key, tweak, tag_tmp, tag);
+}
+
+static void _encrypt_message(
+    const uint8_t key[KEY_BYTES],
+    size_t        M_len,
+    const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       C[M_len]
+)
+{
+    uint8_t Ek_N[BLOCK_BYTES];
+
+    uint8_t tweak[TWEAK_BYTES];
+    _init_msg_tweak(tag, tweak);
+
+    uint8_t padded_N[BLOCK_BYTES];
+    memcpy(padded_N, N, NONCE_BYTES);
+    padded_N[BLOCK_BYTES-1] = 0;
+
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(tag, j, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(BLOCK_BYTES, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES], Ek_N);
+    }
+
+    if (rest != 0)
+    {
+        _fill_msg_tweak(tag, l, tweak);
+        encrypt(key, tweak, padded_N, Ek_N);
+        xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Ek_N);
+    }
+}
+
+void lilliput_ae_encrypt(
+    size_t        message_len,
+    const uint8_t message[message_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    uint8_t       ciphertext[message_len],
+    uint8_t       tag[TAG_BYTES]
+)
+{
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    _generate_tag(key, message_len, message, nonce, auth, tag);
+
+    _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
+}
+
+bool lilliput_ae_decrypt(
+    size_t        ciphertext_len,
+    const uint8_t ciphertext[ciphertext_len],
+    size_t        auth_data_len,
+    const uint8_t auth_data[auth_data_len],
+    const uint8_t key[KEY_BYTES],
+    const uint8_t nonce[NONCE_BYTES],
+    const uint8_t tag[TAG_BYTES],
+    uint8_t       message[ciphertext_len]
+)
+{
+    _encrypt_message(key, ciphertext_len, ciphertext, nonce, tag, message);
+
+    uint8_t auth[BLOCK_BYTES];
+    process_associated_data(key, auth_data_len, auth_data, auth);
+
+    uint8_t effective_tag[TAG_BYTES];
+    _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
+
+    return memcmp(tag, effective_tag, TAG_BYTES) == 0;
+}
-- 
cgit v1.2.3