[u/mdw/catacomb] / symm / square-mktab.c

/* -*-c-*-
 *
 * Build precomputed tables for the Square block cipher
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

#include <mLib/bits.h>

/*----- Magic variables ---------------------------------------------------*/

static octet s[256], si[256];
static uint32 t[4][256], ti[4][256];
static uint32 u[4][256];
static octet rc[32];

/*----- Main code ---------------------------------------------------------*/

/* --- @mul@ --- *
 *
 * Arguments:	@unsigned x, y@ = polynomials over %$\gf{2^8}$%
 *		@unsigned m@ = modulus
 *
 * Returns:	The product of two polynomials.
 *
 * Use:		Computes a product of polynomials, quite slowly.
 */

static unsigned mul(unsigned x, unsigned y, unsigned m)
{
  unsigned a = 0;
  unsigned i;

  for (i = 0; i < 8; i++) {
    if (y & 1)
      a ^= x;
    y >>= 1;
    x <<= 1;
    if (x & 0x100)
      x ^= m;
  }

  return (a);
}

/* --- @sbox@ --- *
 *
 * Build the S-box.
 *
 * This is built from inversion in the multiplicative group of
 * %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
 * followed by an affine transformation treating inputs as vectors over
 * %$\gf{2}$%.  The result is a horrible function.
 *
 * The inversion is done slightly sneakily, by building log and antilog
 * tables.  Let %$a$% be an element of the finite field.  If the inverse of
 * %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%.  Hence
 * %$\log a = -\log a^{-1}$%.  This saves fiddling about with Euclidean
 * algorithm.
 */

#define S_MOD 0x1f5

static void sbox(void)
{
  octet log[256], alog[256];
  unsigned x;
  unsigned i;
  unsigned g;

  /* --- Find a suitable generator, and build log tables --- */

  log[0] = 0;
  for (g = 2; g < 256; g++) {
    x = 1;
    for (i = 0; i < 256; i++) {
      log[x] = i;
      alog[i] = x;
      x = mul(x, g, S_MOD);
      if (x == 1 && i != 254)
	goto again;
    }
    goto done;
  again:;
  }
  fprintf(stderr, "couldn't find generator\n");
  exit(EXIT_FAILURE);
done:;

  /* --- Now grind through and do the affine transform --- *
   *
   * The matrix multiply is an AND and a parity op.  The add is an XOR.
   */

  for (i = 0; i < 256; i++) {
    unsigned j;
    octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
    unsigned v = i ? alog[255 - log[i]] : 0;

    assert(i == 0 || mul(i, v, S_MOD) == 1);

    x = 0;
    for (j = 0; j < 8; j++) {
      unsigned r;
      r = v & m[j];
      r = (r >> 4) ^ r;
      r = (r >> 2) ^ r;
      r = (r >> 1) ^ r;
      x = (x << 1) | (r & 1);
    }
    x ^= 0xb1;
    s[i] = x;
    si[x] = i;
  }
}

/* --- @tbox@ --- *
 *
 * Construct the t tables for doing the round function efficiently.
 */

static void tbox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c, d;
    uint32 w;

    /* --- Build a forwards t-box entry --- */

    a = s[i];
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    t[0][i] = w;
    t[1][i] = ROL32(w, 8);
    t[2][i] = ROL32(w, 16);
    t[3][i] = ROL32(w, 24);

    /* --- Build a backwards t-box entry --- */

    a = mul(si[i], 0x0e, S_MOD);
    b = mul(si[i], 0x09, S_MOD);
    c = mul(si[i], 0x0d, S_MOD);
    d = mul(si[i], 0x0b, S_MOD);
    w = (a << 0) | (b << 8) | (c << 16) | (d << 24);
    ti[0][i] = w;
    ti[1][i] = ROL32(w, 8);
    ti[2][i] = ROL32(w, 16);
    ti[3][i] = ROL32(w, 24);
  }
}

/* --- @ubox@ --- *
 *
 * Construct the tables for performing the key schedule.
 */

static void ubox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c;
    uint32 w;
    a = i;
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    u[0][i] = w;
    u[1][i] = ROL32(w, 8);
    u[2][i] = ROL32(w, 16);
    u[3][i] = ROL32(w, 24);
  }
}

/* --- Round constants --- */

void rcon(void)
{
  unsigned r = 1;
  int i;

  for (i = 0; i < sizeof(rc); i++) {
    rc[i] = r;
    r <<= 1;
    if (r & 0x100)
      r ^= S_MOD;
  }
}

/* --- @main@ --- */

int main(void)
{
  int i, j;

  puts("\
/* -*-c-*-\n\
 *\n\
 * Square tables [generated]\n\
 */\n\
\n\
#include <mLib/bits.h>\n\
\n\
");

  /* --- Write out the S-box --- */

  sbox();
  fputs("\
/* --- The byte substitution and its inverse --- */\n\
\n\
const octet square_s[256] = {\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", s[i]);
    if (i == 255)
      fputs("\n};\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  fputs("\
const octet square_si[256] = {\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", si[i]);
    if (i == 255)
      fputs("\n};\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  /* --- Write out the big t tables --- */

  tbox();
  fputs("\
/* --- The big round tables --- */\n\
\n\
const uint32 square_t[4][256] = {\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", t[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }\n};\n\n", stdout);
	else
	  fputs(" },\n\n  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }

  fputs("\
const uint32 square_ti[4][256] = {\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", ti[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }\n};\n\n", stdout);
	else
	  fputs(" },\n\n  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }

  /* --- Write out the big u tables --- */

  ubox();
  fputs("\
/* --- The key schedule tables --- */\n\
\n\
const uint32 square_u[4][256] = {\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", u[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }\n};\n\n", stdout);
	else
	  fputs(" },\n\n  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",\n    ", stdout);
      else
	fputs(", ", stdout);
    }
  }

  /* --- Round constants --- */

  rcon();
  fputs("\
/* --- The round constants --- */\n\
\n\
const octet square_rcon[32] = {\n\
  ", stdout);
  for (i = 0; i < sizeof(rc); i++) {
    printf("0x%02x", rc[i]);
    if (i == sizeof(rc) - 1)
      fputs("\n};\n", stdout);
    else if (i % 8 == 7)
      fputs(",\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  /* --- Done --- */

  if (fclose(stdout)) {
    fprintf(stderr, "error writing data\n");
    exit(EXIT_FAILURE);
  }

  return (0);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
35682d2f	1	/* --c--
35682d2f	2	*
35682d2f	3	* Build precomputed tables for the Square block cipher
	4	*
	5	* (c) 2000 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
35682d2f	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
35682d2f	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
35682d2f	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
35682d2f	28	/----- Header files ------------------------------------------------------/
	29
	30	#include <assert.h>
	31	#include <stdio.h>
	32	#include <stdlib.h>
	33
	34	#include <mLib/bits.h>
	35
	36	/----- Magic variables ---------------------------------------------------/
	37
	38	static octet s[256], si[256];
	39	static uint32 t[4][256], ti[4][256];
	40	static uint32 u[4][256];
	41	static octet rc[32];
	42
	43	/----- Main code ---------------------------------------------------------/
	44
	45	/* --- @mul@ --- *
	46	*
	47	* Arguments: @unsigned x, y@ = polynomials over %$\gf{2^8}$%
	48	* @unsigned m@ = modulus
	49	*
	50	* Returns: The product of two polynomials.
	51	*
	52	* Use: Computes a product of polynomials, quite slowly.
	53	*/
	54
	55	static unsigned mul(unsigned x, unsigned y, unsigned m)
	56	{
	57	unsigned a = 0;
	58	unsigned i;
	59
	60	for (i = 0; i < 8; i++) {
	61	if (y & 1)
	62	a ^= x;
	63	y >>= 1;
	64	x <<= 1;
	65	if (x & 0x100)
	66	x ^= m;
	67	}
	68
	69	return (a);
	70	}
	71
	72	/* --- @sbox@ --- *
	73	*
	74	* Build the S-box.
	75	*
	76	* This is built from inversion in the multiplicative group of
ba74e11e	77	* %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
	78	* followed by an affine transformation treating inputs as vectors over
	79	* %$\gf{2}$%. The result is a horrible function.
35682d2f	80	*
	81	* The inversion is done slightly sneakily, by building log and antilog
	82	* tables. Let %$a$% be an element of the finite field. If the inverse of
	83	* %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%. Hence
	84	* %$\log a = -\log a^{-1}$%. This saves fiddling about with Euclidean
45c0fd36	85	* algorithm.
35682d2f	86	*/
	87
	88	#define S_MOD 0x1f5
	89
	90	static void sbox(void)
	91	{
	92	octet log[256], alog[256];
	93	unsigned x;
	94	unsigned i;
	95	unsigned g;
	96
	97	/* --- Find a suitable generator, and build log tables --- */
	98
	99	log[0] = 0;
	100	for (g = 2; g < 256; g++) {
	101	x = 1;
	102	for (i = 0; i < 256; i++) {
	103	log[x] = i;
	104	alog[i] = x;
	105	x = mul(x, g, S_MOD);
	106	if (x == 1 && i != 254)
	107	goto again;
	108	}
	109	goto done;
	110	again:;
	111	}
	112	fprintf(stderr, "couldn't find generator\n");
	113	exit(EXIT_FAILURE);
	114	done:;
	115
	116	/* --- Now grind through and do the affine transform --- *
	117	*
	118	* The matrix multiply is an AND and a parity op. The add is an XOR.
	119	*/
	120
	121	for (i = 0; i < 256; i++) {
	122	unsigned j;
	123	octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
	124	unsigned v = i ? alog[255 - log[i]] : 0;
	125
	126	assert(i == 0 \|\| mul(i, v, S_MOD) == 1);
	127
	128	x = 0;
	129	for (j = 0; j < 8; j++) {
	130	unsigned r;
	131	r = v & m[j];
	132	r = (r >> 4) ^ r;
	133	r = (r >> 2) ^ r;
	134	r = (r >> 1) ^ r;
	135	x = (x << 1) \| (r & 1);
	136	}
	137	x ^= 0xb1;
	138	s[i] = x;
	139	si[x] = i;
	140	}
	141	}
	142
	143	/* --- @tbox@ --- *
	144	*
	145	* Construct the t tables for doing the round function efficiently.
	146	*/
	147
	148	static void tbox(void)
	149	{
150	unsigned i;
151
152	for (i = 0; i < 256; i++) {
153	uint32 a, b, c, d;
154	uint32 w;
155
156	/* --- Build a forwards t-box entry --- */
157
158	a = s[i];
159	b = a << 1; if (b & 0x100) b ^= S_MOD;
160	c = a ^ b;
161	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
162	t[0][i] = w;
163	t[1][i] = ROL32(w, 8);
164	t[2][i] = ROL32(w, 16);
165	t[3][i] = ROL32(w, 24);
166
167	/* --- Build a backwards t-box entry --- */
168
169	a = mul(si[i], 0x0e, S_MOD);
170	b = mul(si[i], 0x09, S_MOD);
171	c = mul(si[i], 0x0d, S_MOD);
172	d = mul(si[i], 0x0b, S_MOD);
173	w = (a << 0) \| (b << 8) \| (c << 16) \| (d << 24);
174	ti[0][i] = w;
175	ti[1][i] = ROL32(w, 8);
176	ti[2][i] = ROL32(w, 16);
177	ti[3][i] = ROL32(w, 24);
178	}
179	}
180
181	/* --- @ubox@ --- *
182	*
183	* Construct the tables for performing the key schedule.
184	*/
185
186	static void ubox(void)
187	{
188	unsigned i;
189
190	for (i = 0; i < 256; i++) {
191	uint32 a, b, c;
192	uint32 w;
193	a = i;
194	b = a << 1; if (b & 0x100) b ^= S_MOD;
195	c = a ^ b;
196	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
197	u[0][i] = w;
198	u[1][i] = ROL32(w, 8);
199	u[2][i] = ROL32(w, 16);
200	u[3][i] = ROL32(w, 24);
201	}
202	}
203
204	/* --- Round constants --- */
205
206	void rcon(void)
207	{
208	unsigned r = 1;
209	int i;
210
211	for (i = 0; i < sizeof(rc); i++) {
212	rc[i] = r;
213	r <<= 1;
214	if (r & 0x100)
215	r ^= S_MOD;
216	}
217	}
218
219	/* --- @main@ --- */
220
221	int main(void)
222	{
223	int i, j;
224
225	puts("\
226	/* --c--\n\
227	*\n\
228	* Square tables [generated]\n\
229	*/\n\
230	\n\
e5b61a8d MW	231	#include <mLib/bits.h>\n\
e5b61a8d MW	232	\n\
35682d2f	233	");
	234
	235	/* --- Write out the S-box --- */
	236
	237	sbox();
	238	fputs("\
	239	/* --- The byte substitution and its inverse --- */\n\
	240	\n\
e5b61a8d	241	const octet square_s[256] = {\n\
35682d2f	242	", stdout);
	243	for (i = 0; i < 256; i++) {
	244	printf("0x%02x", s[i]);
	245	if (i == 255)
e5b61a8d	246	fputs("\n};\n\n", stdout);
35682d2f	247	else if (i % 8 == 7)
e5b61a8d	248	fputs(",\n ", stdout);
35682d2f	249	else
	250	fputs(", ", stdout);
	251	}
	252
	253	fputs("\
e5b61a8d	254	const octet square_si[256] = {\n\
35682d2f	255	", stdout);
	256	for (i = 0; i < 256; i++) {
	257	printf("0x%02x", si[i]);
	258	if (i == 255)
e5b61a8d	259	fputs("\n};\n\n", stdout);
35682d2f	260	else if (i % 8 == 7)
e5b61a8d	261	fputs(",\n ", stdout);
35682d2f	262	else
	263	fputs(", ", stdout);
	264	}
	265
	266	/* --- Write out the big t tables --- */
	267
	268	tbox();
	269	fputs("\
	270	/* --- The big round tables --- */\n\
	271	\n\
e5b61a8d	272	const uint32 square_t[4][256] = {\n\
35682d2f	273	{ ", stdout);
	274	for (j = 0; j < 4; j++) {
	275	for (i = 0; i < 256; i++) {
	276	printf("0x%08x", t[j][i]);
	277	if (i == 255) {
	278	if (j == 3)
e5b61a8d	279	fputs(" }\n};\n\n", stdout);
35682d2f	280	else
e5b61a8d	281	fputs(" },\n\n { ", stdout);
35682d2f	282	} else if (i % 4 == 3)
e5b61a8d	283	fputs(",\n ", stdout);
35682d2f	284	else
	285	fputs(", ", stdout);
	286	}
45c0fd36	287	}
35682d2f	288
35682d2f	289	fputs("\
e5b61a8d	290	const uint32 square_ti[4][256] = {\n\
35682d2f	291	{ ", stdout);
	292	for (j = 0; j < 4; j++) {
	293	for (i = 0; i < 256; i++) {
	294	printf("0x%08x", ti[j][i]);
	295	if (i == 255) {
	296	if (j == 3)
e5b61a8d	297	fputs(" }\n};\n\n", stdout);
35682d2f	298	else
e5b61a8d	299	fputs(" },\n\n { ", stdout);
35682d2f	300	} else if (i % 4 == 3)
e5b61a8d	301	fputs(",\n ", stdout);
35682d2f	302	else
	303	fputs(", ", stdout);
	304	}
	305	}
	306
	307	/* --- Write out the big u tables --- */
	308
	309	ubox();
	310	fputs("\
	311	/* --- The key schedule tables --- */\n\
	312	\n\
e5b61a8d	313	const uint32 square_u[4][256] = {\n\
35682d2f	314	{ ", stdout);
	315	for (j = 0; j < 4; j++) {
	316	for (i = 0; i < 256; i++) {
	317	printf("0x%08x", u[j][i]);
	318	if (i == 255) {
	319	if (j == 3)
e5b61a8d	320	fputs(" }\n};\n\n", stdout);
35682d2f	321	else
e5b61a8d	322	fputs(" },\n\n { ", stdout);
35682d2f	323	} else if (i % 4 == 3)
e5b61a8d	324	fputs(",\n ", stdout);
35682d2f	325	else
	326	fputs(", ", stdout);
	327	}
45c0fd36	328	}
35682d2f	329
	330	/* --- Round constants --- */
	331
	332	rcon();
	333	fputs("\
	334	/* --- The round constants --- */\n\
	335	\n\
e5b61a8d	336	const octet square_rcon[32] = {\n\
35682d2f	337	", stdout);
	338	for (i = 0; i < sizeof(rc); i++) {
	339	printf("0x%02x", rc[i]);
	340	if (i == sizeof(rc) - 1)
e5b61a8d	341	fputs("\n};\n", stdout);
35682d2f	342	else if (i % 8 == 7)
e5b61a8d	343	fputs(",\n ", stdout);
35682d2f	344	else
35682d2f	345	fputs(", ", stdout);
45c0fd36	346	}
35682d2f	347
	348	/* --- Done --- */
	349
35682d2f	350	if (fclose(stdout)) {
	351	fprintf(stderr, "error writing data\n");
	352	exit(EXIT_FAILURE);
	353	}
	354
	355	return (0);
	356	}
	357
	358	/----- That's all, folks -------------------------------------------------/