[u/mdw/catacomb] / square-mktab.c

/* -*-c-*-
 *
 * $Id: square-mktab.c,v 1.2 2000/08/04 18:03:19 mdw Exp $
 *
 * Build precomputed tables for the Square block cipher
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: square-mktab.c,v $
 * Revision 1.2  2000/08/04 18:03:19  mdw
 * Fix comment describing the field in which inversion is done.
 *
 * Revision 1.1  2000/07/27 18:10:27  mdw
 * Build precomuted tables for Square.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

#include <mLib/bits.h>

/*----- Magic variables ---------------------------------------------------*/

static octet s[256], si[256];
static uint32 t[4][256], ti[4][256];
static uint32 u[4][256];
static octet rc[32];

/*----- Main code ---------------------------------------------------------*/

/* --- @mul@ --- *
 *
 * Arguments:	@unsigned x, y@ = polynomials over %$\gf{2^8}$%
 *		@unsigned m@ = modulus
 *
 * Returns:	The product of two polynomials.
 *
 * Use:		Computes a product of polynomials, quite slowly.
 */

static unsigned mul(unsigned x, unsigned y, unsigned m)
{
  unsigned a = 0;
  unsigned i;

  for (i = 0; i < 8; i++) {
    if (y & 1)
      a ^= x;
    y >>= 1;
    x <<= 1;
    if (x & 0x100)
      x ^= m;
  }

  return (a);
}

/* --- @sbox@ --- *
 *
 * Build the S-box.
 *
 * This is built from inversion in the multiplicative group of
 * %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
 * followed by an affine transformation treating inputs as vectors over
 * %$\gf{2}$%.  The result is a horrible function.
 *
 * The inversion is done slightly sneakily, by building log and antilog
 * tables.  Let %$a$% be an element of the finite field.  If the inverse of
 * %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%.  Hence
 * %$\log a = -\log a^{-1}$%.  This saves fiddling about with Euclidean
 * algorithm. 
 */

#define S_MOD 0x1f5

static void sbox(void)
{
  octet log[256], alog[256];
  unsigned x;
  unsigned i;
  unsigned g;

  /* --- Find a suitable generator, and build log tables --- */

  log[0] = 0;
  for (g = 2; g < 256; g++) {
    x = 1;
    for (i = 0; i < 256; i++) {
      log[x] = i;
      alog[i] = x;
      x = mul(x, g, S_MOD);
      if (x == 1 && i != 254)
	goto again;
    }
    goto done;
  again:;
  }
  fprintf(stderr, "couldn't find generator\n");
  exit(EXIT_FAILURE);
done:;

  /* --- Now grind through and do the affine transform --- *
   *
   * The matrix multiply is an AND and a parity op.  The add is an XOR.
   */

  for (i = 0; i < 256; i++) {
    unsigned j;
    octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
    unsigned v = i ? alog[255 - log[i]] : 0;

    assert(i == 0 || mul(i, v, S_MOD) == 1);

    x = 0;
    for (j = 0; j < 8; j++) {
      unsigned r;
      r = v & m[j];
      r = (r >> 4) ^ r;
      r = (r >> 2) ^ r;
      r = (r >> 1) ^ r;
      x = (x << 1) | (r & 1);
    }
    x ^= 0xb1;
    s[i] = x;
    si[x] = i;
  }
}

/* --- @tbox@ --- *
 *
 * Construct the t tables for doing the round function efficiently.
 */

static void tbox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c, d;
    uint32 w;

    /* --- Build a forwards t-box entry --- */

    a = s[i];
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    t[0][i] = w;
    t[1][i] = ROL32(w, 8);
    t[2][i] = ROL32(w, 16);
    t[3][i] = ROL32(w, 24);

    /* --- Build a backwards t-box entry --- */

    a = mul(si[i], 0x0e, S_MOD);
    b = mul(si[i], 0x09, S_MOD);
    c = mul(si[i], 0x0d, S_MOD);
    d = mul(si[i], 0x0b, S_MOD);
    w = (a << 0) | (b << 8) | (c << 16) | (d << 24);
    ti[0][i] = w;
    ti[1][i] = ROL32(w, 8);
    ti[2][i] = ROL32(w, 16);
    ti[3][i] = ROL32(w, 24);
  }
}

/* --- @ubox@ --- *
 *
 * Construct the tables for performing the key schedule.
 */

static void ubox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c;
    uint32 w;
    a = i;
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    u[0][i] = w;
    u[1][i] = ROL32(w, 8);
    u[2][i] = ROL32(w, 16);
    u[3][i] = ROL32(w, 24);
  }
}

/* --- Round constants --- */

void rcon(void)
{
  unsigned r = 1;
  int i;

  for (i = 0; i < sizeof(rc); i++) {
    rc[i] = r;
    r <<= 1;
    if (r & 0x100)
      r ^= S_MOD;
  }
}

/* --- @main@ --- */

int main(void)
{
  int i, j;

  puts("\
/* -*-c-*-\n\
 *\n\
 * Square tables [generated]\n\
 */\n\
\n\
#ifndef CATACOMB_SQUARE_TAB_H\n\
#define CATACOMB_SQUARE_TAB_H\n\
");

  /* --- Write out the S-box --- */

  sbox();
  fputs("\
/* --- The byte substitution and its inverse --- */\n\
\n\
#define SQUARE_S {							\\\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", s[i]);
    if (i == 255)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  fputs("\
#define SQUARE_SI {							\\\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", si[i]);
    if (i == 255)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  /* --- Write out the big t tables --- */

  tbox();
  fputs("\
/* --- The big round tables --- */\n\
\n\
#define SQUARE_T {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", t[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }  

  fputs("\
#define SQUARE_TI {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", ti[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }

  /* --- Write out the big u tables --- */

  ubox();
  fputs("\
/* --- The key schedule tables --- */\n\
\n\
#define SQUARE_U {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", u[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }  

  /* --- Round constants --- */

  rcon();
  fputs("\
/* --- The round constants --- */\n\
\n\
#define SQUARE_RCON {							\\\n\
  ", stdout);
  for (i = 0; i < sizeof(rc); i++) {
    printf("0x%02x", rc[i]);
    if (i == sizeof(rc) - 1)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }  

  /* --- Done --- */

  puts("#endif");

  if (fclose(stdout)) {
    fprintf(stderr, "error writing data\n");
    exit(EXIT_FAILURE);
  }

  return (0);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
35682d2f	1	/* --c--
35682d2f	2	*
ba74e11e	3	* $Id: square-mktab.c,v 1.2 2000/08/04 18:03:19 mdw Exp $
35682d2f	4	*
	5	* Build precomputed tables for the Square block cipher
	6	*
	7	* (c) 2000 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: square-mktab.c,v $
ba74e11e	33	* Revision 1.2 2000/08/04 18:03:19 mdw
	34	* Fix comment describing the field in which inversion is done.
	35	*
35682d2f	36	* Revision 1.1 2000/07/27 18:10:27 mdw
	37	* Build precomuted tables for Square.
	38	*
	39	*/
	40
	41	/----- Header files ------------------------------------------------------/
	42
	43	#include <assert.h>
	44	#include <stdio.h>
	45	#include <stdlib.h>
	46
	47	#include <mLib/bits.h>
	48
	49	/----- Magic variables ---------------------------------------------------/
	50
	51	static octet s[256], si[256];
	52	static uint32 t[4][256], ti[4][256];
	53	static uint32 u[4][256];
	54	static octet rc[32];
	55
	56	/----- Main code ---------------------------------------------------------/
	57
	58	/* --- @mul@ --- *
	59	*
	60	* Arguments: @unsigned x, y@ = polynomials over %$\gf{2^8}$%
	61	* @unsigned m@ = modulus
	62	*
	63	* Returns: The product of two polynomials.
	64	*
	65	* Use: Computes a product of polynomials, quite slowly.
	66	*/
	67
	68	static unsigned mul(unsigned x, unsigned y, unsigned m)
	69	{
	70	unsigned a = 0;
	71	unsigned i;
	72
	73	for (i = 0; i < 8; i++) {
	74	if (y & 1)
	75	a ^= x;
	76	y >>= 1;
	77	x <<= 1;
	78	if (x & 0x100)
	79	x ^= m;
	80	}
	81
	82	return (a);
	83	}
	84
	85	/* --- @sbox@ --- *
	86	*
	87	* Build the S-box.
	88	*
	89	* This is built from inversion in the multiplicative group of
ba74e11e	90	* %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
	91	* followed by an affine transformation treating inputs as vectors over
	92	* %$\gf{2}$%. The result is a horrible function.
35682d2f	93	*
	94	* The inversion is done slightly sneakily, by building log and antilog
	95	* tables. Let %$a$% be an element of the finite field. If the inverse of
	96	* %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%. Hence
	97	* %$\log a = -\log a^{-1}$%. This saves fiddling about with Euclidean
	98	* algorithm.
	99	*/
	100
	101	#define S_MOD 0x1f5
	102
	103	static void sbox(void)
	104	{
	105	octet log[256], alog[256];
	106	unsigned x;
	107	unsigned i;
	108	unsigned g;
	109
	110	/* --- Find a suitable generator, and build log tables --- */
	111
	112	log[0] = 0;
	113	for (g = 2; g < 256; g++) {
	114	x = 1;
	115	for (i = 0; i < 256; i++) {
	116	log[x] = i;
	117	alog[i] = x;
	118	x = mul(x, g, S_MOD);
	119	if (x == 1 && i != 254)
	120	goto again;
	121	}
	122	goto done;
	123	again:;
	124	}
	125	fprintf(stderr, "couldn't find generator\n");
	126	exit(EXIT_FAILURE);
	127	done:;
	128
	129	/* --- Now grind through and do the affine transform --- *
	130	*
	131	* The matrix multiply is an AND and a parity op. The add is an XOR.
	132	*/
	133
	134	for (i = 0; i < 256; i++) {
	135	unsigned j;
	136	octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
	137	unsigned v = i ? alog[255 - log[i]] : 0;
	138
	139	assert(i == 0 \|\| mul(i, v, S_MOD) == 1);
	140
	141	x = 0;
	142	for (j = 0; j < 8; j++) {
	143	unsigned r;
	144	r = v & m[j];
	145	r = (r >> 4) ^ r;
	146	r = (r >> 2) ^ r;
	147	r = (r >> 1) ^ r;
	148	x = (x << 1) \| (r & 1);
	149	}
	150	x ^= 0xb1;
	151	s[i] = x;
	152	si[x] = i;
	153	}
	154	}
	155
	156	/* --- @tbox@ --- *
157	*
158	* Construct the t tables for doing the round function efficiently.
159	*/
160
161	static void tbox(void)
162	{
163	unsigned i;
164
165	for (i = 0; i < 256; i++) {
166	uint32 a, b, c, d;
167	uint32 w;
168
169	/* --- Build a forwards t-box entry --- */
170
171	a = s[i];
172	b = a << 1; if (b & 0x100) b ^= S_MOD;
173	c = a ^ b;
174	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
175	t[0][i] = w;
176	t[1][i] = ROL32(w, 8);
177	t[2][i] = ROL32(w, 16);
178	t[3][i] = ROL32(w, 24);
179
180	/* --- Build a backwards t-box entry --- */
181
182	a = mul(si[i], 0x0e, S_MOD);
183	b = mul(si[i], 0x09, S_MOD);
184	c = mul(si[i], 0x0d, S_MOD);
185	d = mul(si[i], 0x0b, S_MOD);
186	w = (a << 0) \| (b << 8) \| (c << 16) \| (d << 24);
187	ti[0][i] = w;
188	ti[1][i] = ROL32(w, 8);
189	ti[2][i] = ROL32(w, 16);
190	ti[3][i] = ROL32(w, 24);
191	}
192	}
193
194	/* --- @ubox@ --- *
195	*
196	* Construct the tables for performing the key schedule.
197	*/
198
199	static void ubox(void)
200	{
201	unsigned i;
202
203	for (i = 0; i < 256; i++) {
204	uint32 a, b, c;
205	uint32 w;
206	a = i;
207	b = a << 1; if (b & 0x100) b ^= S_MOD;
208	c = a ^ b;
209	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
210	u[0][i] = w;
211	u[1][i] = ROL32(w, 8);
212	u[2][i] = ROL32(w, 16);
213	u[3][i] = ROL32(w, 24);
214	}
215	}
216
217	/* --- Round constants --- */
218
219	void rcon(void)
220	{
221	unsigned r = 1;
222	int i;
223
224	for (i = 0; i < sizeof(rc); i++) {
225	rc[i] = r;
226	r <<= 1;
227	if (r & 0x100)
228	r ^= S_MOD;
229	}
230	}
231
232	/* --- @main@ --- */
233
234	int main(void)
235	{
236	int i, j;
237
238	puts("\
239	/* --c--\n\
240	*\n\
241	* Square tables [generated]\n\
242	*/\n\
243	\n\
244	#ifndef CATACOMB_SQUARE_TAB_H\n\
245	#define CATACOMB_SQUARE_TAB_H\n\
246	");
247
248	/* --- Write out the S-box --- */
249
250	sbox();
251	fputs("\
252	/* --- The byte substitution and its inverse --- */\n\
253	\n\
254	#define SQUARE_S { \\\n\
255	", stdout);
256	for (i = 0; i < 256; i++) {
257	printf("0x%02x", s[i]);
258	if (i == 255)
259	fputs(" \\\n}\n\n", stdout);
260	else if (i % 8 == 7)
261	fputs(", \\\n ", stdout);
262	else
263	fputs(", ", stdout);
264	}
265
266	fputs("\
267	#define SQUARE_SI { \\\n\
268	", stdout);
269	for (i = 0; i < 256; i++) {
270	printf("0x%02x", si[i]);
271	if (i == 255)
272	fputs(" \\\n}\n\n", stdout);
273	else if (i % 8 == 7)
274	fputs(", \\\n ", stdout);
275	else
276	fputs(", ", stdout);
277	}
278
279	/* --- Write out the big t tables --- */
280
281	tbox();
282	fputs("\
283	/* --- The big round tables --- */\n\
284	\n\
285	#define SQUARE_T { \\\n\
286	{ ", stdout);
287	for (j = 0; j < 4; j++) {
288	for (i = 0; i < 256; i++) {
289	printf("0x%08x", t[j][i]);
290	if (i == 255) {
291	if (j == 3)
292	fputs(" } \\\n}\n\n", stdout);
293	else
294	fputs(" }, \\\n\
295	\\\n\
296	{ ", stdout);
297	} else if (i % 4 == 3)
298	fputs(", \\\n ", stdout);
299	else
300	fputs(", ", stdout);
301	}
302	}
303
304	fputs("\
305	#define SQUARE_TI { \\\n\
306	{ ", stdout);
307	for (j = 0; j < 4; j++) {
308	for (i = 0; i < 256; i++) {
309	printf("0x%08x", ti[j][i]);
310	if (i == 255) {
311	if (j == 3)
312	fputs(" } \\\n}\n\n", stdout);
313	else
314	fputs(" }, \\\n\
315	\\\n\
316	{ ", stdout);
317	} else if (i % 4 == 3)
318	fputs(", \\\n ", stdout);
319	else
320	fputs(", ", stdout);
321	}
322	}
323
324	/* --- Write out the big u tables --- */
325
326	ubox();
327	fputs("\
328	/* --- The key schedule tables --- */\n\
329	\n\
330	#define SQUARE_U { \\\n\
331	{ ", stdout);
332	for (j = 0; j < 4; j++) {
333	for (i = 0; i < 256; i++) {
334	printf("0x%08x", u[j][i]);
335	if (i == 255) {
336	if (j == 3)
337	fputs(" } \\\n}\n\n", stdout);
338	else
339	fputs(" }, \\\n\
340	\\\n\
341	{ ", stdout);
342	} else if (i % 4 == 3)
343	fputs(", \\\n ", stdout);
344	else
345	fputs(", ", stdout);
346	}
347	}
348
349	/* --- Round constants --- */
350
351	rcon();
352	fputs("\
353	/* --- The round constants --- */\n\
354	\n\
355	#define SQUARE_RCON { \\\n\
356	", stdout);
357	for (i = 0; i < sizeof(rc); i++) {
358	printf("0x%02x", rc[i]);
359	if (i == sizeof(rc) - 1)
360	fputs(" \\\n}\n\n", stdout);
361	else if (i % 8 == 7)
362	fputs(", \\\n ", stdout);
363	else
364	fputs(", ", stdout);
365	}
366
367	/* --- Done --- */
368
369	puts("#endif");
370
371	if (fclose(stdout)) {
372	fprintf(stderr, "error writing data\n");
373	exit(EXIT_FAILURE);
374	}
375
376	return (0);
377	}
378
379	/----- That's all, folks -------------------------------------------------/