projects / BearSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Some documentation fixes.
[BearSSL] / src / symcipher / aes_ct64.c
1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 /* see inner.h */
28 void
29 br_aes_ct64_bitslice_Sbox(uint64_t *q)
30 {
31 /*
32 * This S-box implementation is a straightforward translation of
33 * the circuit described by Boyar and Peralta in "A new
34 * combinational logic minimization technique with applications
35 * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
36 *
37 * Note that variables x* (input) and s* (output) are numbered
38 * in "reverse" order (x0 is the high bit, x7 is the low bit).
39 */
40
41 uint64_t x0, x1, x2, x3, x4, x5, x6, x7;
42 uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
43 uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
44 uint64_t y20, y21;
45 uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
46 uint64_t z10, z11, z12, z13, z14, z15, z16, z17;
47 uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
48 uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
49 uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
50 uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
51 uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
52 uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
53 uint64_t t60, t61, t62, t63, t64, t65, t66, t67;
54 uint64_t s0, s1, s2, s3, s4, s5, s6, s7;
55
56 x0 = q[7];
57 x1 = q[6];
58 x2 = q[5];
59 x3 = q[4];
60 x4 = q[3];
61 x5 = q[2];
62 x6 = q[1];
63 x7 = q[0];
64
65 /*
66 * Top linear transformation.
67 */
68 y14 = x3 ^ x5;
69 y13 = x0 ^ x6;
70 y9 = x0 ^ x3;
71 y8 = x0 ^ x5;
72 t0 = x1 ^ x2;
73 y1 = t0 ^ x7;
74 y4 = y1 ^ x3;
75 y12 = y13 ^ y14;
76 y2 = y1 ^ x0;
77 y5 = y1 ^ x6;
78 y3 = y5 ^ y8;
79 t1 = x4 ^ y12;
80 y15 = t1 ^ x5;
81 y20 = t1 ^ x1;
82 y6 = y15 ^ x7;
83 y10 = y15 ^ t0;
84 y11 = y20 ^ y9;
85 y7 = x7 ^ y11;
86 y17 = y10 ^ y11;
87 y19 = y10 ^ y8;
88 y16 = t0 ^ y11;
89 y21 = y13 ^ y16;
90 y18 = x0 ^ y16;
91
92 /*
93 * Non-linear section.
94 */
95 t2 = y12 & y15;
96 t3 = y3 & y6;
97 t4 = t3 ^ t2;
98 t5 = y4 & x7;
99 t6 = t5 ^ t2;
100 t7 = y13 & y16;
101 t8 = y5 & y1;
102 t9 = t8 ^ t7;
103 t10 = y2 & y7;
104 t11 = t10 ^ t7;
105 t12 = y9 & y11;
106 t13 = y14 & y17;
107 t14 = t13 ^ t12;
108 t15 = y8 & y10;
109 t16 = t15 ^ t12;
110 t17 = t4 ^ t14;
111 t18 = t6 ^ t16;
112 t19 = t9 ^ t14;
113 t20 = t11 ^ t16;
114 t21 = t17 ^ y20;
115 t22 = t18 ^ y19;
116 t23 = t19 ^ y21;
117 t24 = t20 ^ y18;
118
119 t25 = t21 ^ t22;
120 t26 = t21 & t23;
121 t27 = t24 ^ t26;
122 t28 = t25 & t27;
123 t29 = t28 ^ t22;
124 t30 = t23 ^ t24;
125 t31 = t22 ^ t26;
126 t32 = t31 & t30;
127 t33 = t32 ^ t24;
128 t34 = t23 ^ t33;
129 t35 = t27 ^ t33;
130 t36 = t24 & t35;
131 t37 = t36 ^ t34;
132 t38 = t27 ^ t36;
133 t39 = t29 & t38;
134 t40 = t25 ^ t39;
135
136 t41 = t40 ^ t37;
137 t42 = t29 ^ t33;
138 t43 = t29 ^ t40;
139 t44 = t33 ^ t37;
140 t45 = t42 ^ t41;
141 z0 = t44 & y15;
142 z1 = t37 & y6;
143 z2 = t33 & x7;
144 z3 = t43 & y16;
145 z4 = t40 & y1;
146 z5 = t29 & y7;
147 z6 = t42 & y11;
148 z7 = t45 & y17;
149 z8 = t41 & y10;
150 z9 = t44 & y12;
151 z10 = t37 & y3;
152 z11 = t33 & y4;
153 z12 = t43 & y13;
154 z13 = t40 & y5;
155 z14 = t29 & y2;
156 z15 = t42 & y9;
157 z16 = t45 & y14;
158 z17 = t41 & y8;
159
160 /*
161 * Bottom linear transformation.
162 */
163 t46 = z15 ^ z16;
164 t47 = z10 ^ z11;
165 t48 = z5 ^ z13;
166 t49 = z9 ^ z10;
167 t50 = z2 ^ z12;
168 t51 = z2 ^ z5;
169 t52 = z7 ^ z8;
170 t53 = z0 ^ z3;
171 t54 = z6 ^ z7;
172 t55 = z16 ^ z17;
173 t56 = z12 ^ t48;
174 t57 = t50 ^ t53;
175 t58 = z4 ^ t46;
176 t59 = z3 ^ t54;
177 t60 = t46 ^ t57;
178 t61 = z14 ^ t57;
179 t62 = t52 ^ t58;
180 t63 = t49 ^ t58;
181 t64 = z4 ^ t59;
182 t65 = t61 ^ t62;
183 t66 = z1 ^ t63;
184 s0 = t59 ^ t63;
185 s6 = t56 ^ ~t62;
186 s7 = t48 ^ ~t60;
187 t67 = t64 ^ t65;
188 s3 = t53 ^ t66;
189 s4 = t51 ^ t66;
190 s5 = t47 ^ t65;
191 s1 = t64 ^ ~s3;
192 s2 = t55 ^ ~t67;
193
194 q[7] = s0;
195 q[6] = s1;
196 q[5] = s2;
197 q[4] = s3;
198 q[3] = s4;
199 q[2] = s5;
200 q[1] = s6;
201 q[0] = s7;
202 }
203
204 /* see inner.h */
205 void
206 br_aes_ct64_ortho(uint64_t *q)
207 {
208 #define SWAPN(cl, ch, s, x, y) do { \
209 uint64_t a, b; \
210 a = (x); \
211 b = (y); \
212 (x) = (a & (uint64_t)cl) | ((b & (uint64_t)cl) << (s)); \
213 (y) = ((a & (uint64_t)ch) >> (s)) | (b & (uint64_t)ch); \
214 } while (0)
215
216 #define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
217 #define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
218 #define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
219
220 SWAP2(q[0], q[1]);
221 SWAP2(q[2], q[3]);
222 SWAP2(q[4], q[5]);
223 SWAP2(q[6], q[7]);
224
225 SWAP4(q[0], q[2]);
226 SWAP4(q[1], q[3]);
227 SWAP4(q[4], q[6]);
228 SWAP4(q[5], q[7]);
229
230 SWAP8(q[0], q[4]);
231 SWAP8(q[1], q[5]);
232 SWAP8(q[2], q[6]);
233 SWAP8(q[3], q[7]);
234 }
235
236 /* see inner.h */
237 void
238 br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w)
239 {
240 uint64_t x0, x1, x2, x3;
241
242 x0 = w[0];
243 x1 = w[1];
244 x2 = w[2];
245 x3 = w[3];
246 x0 |= (x0 << 16);
247 x1 |= (x1 << 16);
248 x2 |= (x2 << 16);
249 x3 |= (x3 << 16);
250 x0 &= (uint64_t)0x0000FFFF0000FFFF;
251 x1 &= (uint64_t)0x0000FFFF0000FFFF;
252 x2 &= (uint64_t)0x0000FFFF0000FFFF;
253 x3 &= (uint64_t)0x0000FFFF0000FFFF;
254 x0 |= (x0 << 8);
255 x1 |= (x1 << 8);
256 x2 |= (x2 << 8);
257 x3 |= (x3 << 8);
258 x0 &= (uint64_t)0x00FF00FF00FF00FF;
259 x1 &= (uint64_t)0x00FF00FF00FF00FF;
260 x2 &= (uint64_t)0x00FF00FF00FF00FF;
261 x3 &= (uint64_t)0x00FF00FF00FF00FF;
262 *q0 = x0 | (x2 << 8);
263 *q1 = x1 | (x3 << 8);
264 }
265
266 /* see inner.h */
267 void
268 br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1)
269 {
270 uint64_t x0, x1, x2, x3;
271
272 x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
273 x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
274 x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
275 x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
276 x0 |= (x0 >> 8);
277 x1 |= (x1 >> 8);
278 x2 |= (x2 >> 8);
279 x3 |= (x3 >> 8);
280 x0 &= (uint64_t)0x0000FFFF0000FFFF;
281 x1 &= (uint64_t)0x0000FFFF0000FFFF;
282 x2 &= (uint64_t)0x0000FFFF0000FFFF;
283 x3 &= (uint64_t)0x0000FFFF0000FFFF;
284 w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
285 w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
286 w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
287 w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
288 }
289
290 static const unsigned char Rcon[] = {
291 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
292 };
293
294 static uint32_t
295 sub_word(uint32_t x)
296 {
297 uint64_t q[8];
298
299 memset(q, 0, sizeof q);
300 q[0] = x;
301 br_aes_ct64_ortho(q);
302 br_aes_ct64_bitslice_Sbox(q);
303 br_aes_ct64_ortho(q);
304 return (uint32_t)q[0];
305 }
306
307 /* see inner.h */
308 unsigned
309 br_aes_ct64_keysched(uint64_t *comp_skey, const void *key, size_t key_len)
310 {
311 unsigned num_rounds;
312 int i, j, k, nk, nkf;
313 uint32_t tmp;
314 uint32_t skey[60];
315
316 switch (key_len) {
317 case 16:
318 num_rounds = 10;
319 break;
320 case 24:
321 num_rounds = 12;
322 break;
323 case 32:
324 num_rounds = 14;
325 break;
326 default:
327 /* abort(); */
328 return 0;
329 }
330 nk = (int)(key_len >> 2);
331 nkf = (int)((num_rounds + 1) << 2);
332 br_range_dec32le(skey, (key_len >> 2), key);
333 tmp = skey[(key_len >> 2) - 1];
334 for (i = nk, j = 0, k = 0; i < nkf; i ++) {
335 if (j == 0) {
336 tmp = (tmp << 24) | (tmp >> 8);
337 tmp = sub_word(tmp) ^ Rcon[k];
338 } else if (nk > 6 && j == 4) {
339 tmp = sub_word(tmp);
340 }
341 tmp ^= skey[i - nk];
342 skey[i] = tmp;
343 if (++ j == nk) {
344 j = 0;
345 k ++;
346 }
347 }
348
349 for (i = 0, j = 0; i < nkf; i += 4, j += 2) {
350 uint64_t q[8];
351
352 br_aes_ct64_interleave_in(&q[0], &q[4], skey + i);
353 q[1] = q[0];
354 q[2] = q[0];
355 q[3] = q[0];
356 q[5] = q[4];
357 q[6] = q[4];
358 q[7] = q[4];
359 br_aes_ct64_ortho(q);
360 comp_skey[j + 0] =
361 (q[0] & (uint64_t)0x1111111111111111)
362 | (q[1] & (uint64_t)0x2222222222222222)
363 | (q[2] & (uint64_t)0x4444444444444444)
364 | (q[3] & (uint64_t)0x8888888888888888);
365 comp_skey[j + 1] =
366 (q[4] & (uint64_t)0x1111111111111111)
367 | (q[5] & (uint64_t)0x2222222222222222)
368 | (q[6] & (uint64_t)0x4444444444444444)
369 | (q[7] & (uint64_t)0x8888888888888888);
370 }
371 return num_rounds;
372 }
373
374 /* see inner.h */
375 void
376 br_aes_ct64_skey_expand(uint64_t *skey,
377 unsigned num_rounds, const uint64_t *comp_skey)
378 {
379 unsigned u, v, n;
380
381 n = (num_rounds + 1) << 1;
382 for (u = 0, v = 0; u < n; u ++, v += 4) {
383 uint64_t x0, x1, x2, x3;
384
385 x0 = x1 = x2 = x3 = comp_skey[u];
386 x0 &= (uint64_t)0x1111111111111111;
387 x1 &= (uint64_t)0x2222222222222222;
388 x2 &= (uint64_t)0x4444444444444444;
389 x3 &= (uint64_t)0x8888888888888888;
390 x1 >>= 1;
391 x2 >>= 2;
392 x3 >>= 3;
393 skey[v + 0] = (x0 << 4) - x0;
394 skey[v + 1] = (x1 << 4) - x1;
395 skey[v + 2] = (x2 << 4) - x2;
396 skey[v + 3] = (x3 << 4) - x3;
397 }
398 }
The BearSSL library and tools.