projects / BearSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Some documentation fixes.
[BearSSL] / src / symcipher / aes_ct.c
1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 /* see inner.h */
28 void
29 br_aes_ct_bitslice_Sbox(uint32_t *q)
30 {
31 /*
32 * This S-box implementation is a straightforward translation of
33 * the circuit described by Boyar and Peralta in "A new
34 * combinational logic minimization technique with applications
35 * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
36 *
37 * Note that variables x* (input) and s* (output) are numbered
38 * in "reverse" order (x0 is the high bit, x7 is the low bit).
39 */
40
41 uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
42 uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
43 uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
44 uint32_t y20, y21;
45 uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
46 uint32_t z10, z11, z12, z13, z14, z15, z16, z17;
47 uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
48 uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
49 uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
50 uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
51 uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
52 uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
53 uint32_t t60, t61, t62, t63, t64, t65, t66, t67;
54 uint32_t s0, s1, s2, s3, s4, s5, s6, s7;
55
56 x0 = q[7];
57 x1 = q[6];
58 x2 = q[5];
59 x3 = q[4];
60 x4 = q[3];
61 x5 = q[2];
62 x6 = q[1];
63 x7 = q[0];
64
65 /*
66 * Top linear transformation.
67 */
68 y14 = x3 ^ x5;
69 y13 = x0 ^ x6;
70 y9 = x0 ^ x3;
71 y8 = x0 ^ x5;
72 t0 = x1 ^ x2;
73 y1 = t0 ^ x7;
74 y4 = y1 ^ x3;
75 y12 = y13 ^ y14;
76 y2 = y1 ^ x0;
77 y5 = y1 ^ x6;
78 y3 = y5 ^ y8;
79 t1 = x4 ^ y12;
80 y15 = t1 ^ x5;
81 y20 = t1 ^ x1;
82 y6 = y15 ^ x7;
83 y10 = y15 ^ t0;
84 y11 = y20 ^ y9;
85 y7 = x7 ^ y11;
86 y17 = y10 ^ y11;
87 y19 = y10 ^ y8;
88 y16 = t0 ^ y11;
89 y21 = y13 ^ y16;
90 y18 = x0 ^ y16;
91
92 /*
93 * Non-linear section.
94 */
95 t2 = y12 & y15;
96 t3 = y3 & y6;
97 t4 = t3 ^ t2;
98 t5 = y4 & x7;
99 t6 = t5 ^ t2;
100 t7 = y13 & y16;
101 t8 = y5 & y1;
102 t9 = t8 ^ t7;
103 t10 = y2 & y7;
104 t11 = t10 ^ t7;
105 t12 = y9 & y11;
106 t13 = y14 & y17;
107 t14 = t13 ^ t12;
108 t15 = y8 & y10;
109 t16 = t15 ^ t12;
110 t17 = t4 ^ t14;
111 t18 = t6 ^ t16;
112 t19 = t9 ^ t14;
113 t20 = t11 ^ t16;
114 t21 = t17 ^ y20;
115 t22 = t18 ^ y19;
116 t23 = t19 ^ y21;
117 t24 = t20 ^ y18;
118
119 t25 = t21 ^ t22;
120 t26 = t21 & t23;
121 t27 = t24 ^ t26;
122 t28 = t25 & t27;
123 t29 = t28 ^ t22;
124 t30 = t23 ^ t24;
125 t31 = t22 ^ t26;
126 t32 = t31 & t30;
127 t33 = t32 ^ t24;
128 t34 = t23 ^ t33;
129 t35 = t27 ^ t33;
130 t36 = t24 & t35;
131 t37 = t36 ^ t34;
132 t38 = t27 ^ t36;
133 t39 = t29 & t38;
134 t40 = t25 ^ t39;
135
136 t41 = t40 ^ t37;
137 t42 = t29 ^ t33;
138 t43 = t29 ^ t40;
139 t44 = t33 ^ t37;
140 t45 = t42 ^ t41;
141 z0 = t44 & y15;
142 z1 = t37 & y6;
143 z2 = t33 & x7;
144 z3 = t43 & y16;
145 z4 = t40 & y1;
146 z5 = t29 & y7;
147 z6 = t42 & y11;
148 z7 = t45 & y17;
149 z8 = t41 & y10;
150 z9 = t44 & y12;
151 z10 = t37 & y3;
152 z11 = t33 & y4;
153 z12 = t43 & y13;
154 z13 = t40 & y5;
155 z14 = t29 & y2;
156 z15 = t42 & y9;
157 z16 = t45 & y14;
158 z17 = t41 & y8;
159
160 /*
161 * Bottom linear transformation.
162 */
163 t46 = z15 ^ z16;
164 t47 = z10 ^ z11;
165 t48 = z5 ^ z13;
166 t49 = z9 ^ z10;
167 t50 = z2 ^ z12;
168 t51 = z2 ^ z5;
169 t52 = z7 ^ z8;
170 t53 = z0 ^ z3;
171 t54 = z6 ^ z7;
172 t55 = z16 ^ z17;
173 t56 = z12 ^ t48;
174 t57 = t50 ^ t53;
175 t58 = z4 ^ t46;
176 t59 = z3 ^ t54;
177 t60 = t46 ^ t57;
178 t61 = z14 ^ t57;
179 t62 = t52 ^ t58;
180 t63 = t49 ^ t58;
181 t64 = z4 ^ t59;
182 t65 = t61 ^ t62;
183 t66 = z1 ^ t63;
184 s0 = t59 ^ t63;
185 s6 = t56 ^ ~t62;
186 s7 = t48 ^ ~t60;
187 t67 = t64 ^ t65;
188 s3 = t53 ^ t66;
189 s4 = t51 ^ t66;
190 s5 = t47 ^ t65;
191 s1 = t64 ^ ~s3;
192 s2 = t55 ^ ~t67;
193
194 q[7] = s0;
195 q[6] = s1;
196 q[5] = s2;
197 q[4] = s3;
198 q[3] = s4;
199 q[2] = s5;
200 q[1] = s6;
201 q[0] = s7;
202 }
203
204 /* see inner.h */
205 void
206 br_aes_ct_ortho(uint32_t *q)
207 {
208 #define SWAPN(cl, ch, s, x, y) do { \
209 uint32_t a, b; \
210 a = (x); \
211 b = (y); \
212 (x) = (a & (uint32_t)cl) | ((b & (uint32_t)cl) << (s)); \
213 (y) = ((a & (uint32_t)ch) >> (s)) | (b & (uint32_t)ch); \
214 } while (0)
215
216 #define SWAP2(x, y) SWAPN(0x55555555, 0xAAAAAAAA, 1, x, y)
217 #define SWAP4(x, y) SWAPN(0x33333333, 0xCCCCCCCC, 2, x, y)
218 #define SWAP8(x, y) SWAPN(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
219
220 SWAP2(q[0], q[1]);
221 SWAP2(q[2], q[3]);
222 SWAP2(q[4], q[5]);
223 SWAP2(q[6], q[7]);
224
225 SWAP4(q[0], q[2]);
226 SWAP4(q[1], q[3]);
227 SWAP4(q[4], q[6]);
228 SWAP4(q[5], q[7]);
229
230 SWAP8(q[0], q[4]);
231 SWAP8(q[1], q[5]);
232 SWAP8(q[2], q[6]);
233 SWAP8(q[3], q[7]);
234 }
235
236 static const unsigned char Rcon[] = {
237 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
238 };
239
240 static uint32_t
241 sub_word(uint32_t x)
242 {
243 uint32_t q[8];
244 int i;
245
246 for (i = 0; i < 8; i ++) {
247 q[i] = x;
248 }
249 br_aes_ct_ortho(q);
250 br_aes_ct_bitslice_Sbox(q);
251 br_aes_ct_ortho(q);
252 return q[0];
253 }
254
255 /* see inner.h */
256 unsigned
257 br_aes_ct_keysched(uint32_t *comp_skey, const void *key, size_t key_len)
258 {
259 unsigned num_rounds;
260 int i, j, k, nk, nkf;
261 uint32_t tmp;
262 uint32_t skey[120];
263
264 switch (key_len) {
265 case 16:
266 num_rounds = 10;
267 break;
268 case 24:
269 num_rounds = 12;
270 break;
271 case 32:
272 num_rounds = 14;
273 break;
274 default:
275 /* abort(); */
276 return 0;
277 }
278 nk = (int)(key_len >> 2);
279 nkf = (int)((num_rounds + 1) << 2);
280 tmp = 0;
281 for (i = 0; i < nk; i ++) {
282 tmp = br_dec32le((const unsigned char *)key + (i << 2));
283 skey[(i << 1) + 0] = tmp;
284 skey[(i << 1) + 1] = tmp;
285 }
286 for (i = nk, j = 0, k = 0; i < nkf; i ++) {
287 if (j == 0) {
288 tmp = (tmp << 24) | (tmp >> 8);
289 tmp = sub_word(tmp) ^ Rcon[k];
290 } else if (nk > 6 && j == 4) {
291 tmp = sub_word(tmp);
292 }
293 tmp ^= skey[(i - nk) << 1];
294 skey[(i << 1) + 0] = tmp;
295 skey[(i << 1) + 1] = tmp;
296 if (++ j == nk) {
297 j = 0;
298 k ++;
299 }
300 }
301 for (i = 0; i < nkf; i += 4) {
302 br_aes_ct_ortho(skey + (i << 1));
303 }
304 for (i = 0, j = 0; i < nkf; i ++, j += 2) {
305 comp_skey[i] = (skey[j + 0] & 0x55555555)
306 | (skey[j + 1] & 0xAAAAAAAA);
307 }
308 return num_rounds;
309 }
310
311 /* see inner.h */
312 void
313 br_aes_ct_skey_expand(uint32_t *skey,
314 unsigned num_rounds, const uint32_t *comp_skey)
315 {
316 unsigned u, v, n;
317
318 n = (num_rounds + 1) << 2;
319 for (u = 0, v = 0; u < n; u ++, v += 2) {
320 uint32_t x, y;
321
322 x = y = comp_skey[u];
323 x &= 0x55555555;
324 skey[v + 0] = x | (x << 1);
325 y &= 0xAAAAAAAA;
326 skey[v + 1] = y | (y >> 1);
327 }
328 }
The BearSSL library and tools.