[u/mdw/catacomb] / mars.c

/* -*-c-*-
 *
 * $Id: mars.c,v 1.1 2001/04/29 18:11:19 mdw Exp $
 *
 * The MARS block cipher
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: mars.c,v $
 * Revision 1.1  2001/04/29 18:11:19  mdw
 * New block cipher MARS.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdio.h>

#include <mLib/bits.h>

#include "blkc.h"
#include "gcipher.h"
#include "mars.h"
#include "mars-tab.h"
#include "paranoia.h"

/*----- Global variables --------------------------------------------------*/

const octet mars_keysz[] = { KSZ_RANGE, MARS_KEYSZ, 0, 56, 4 };

/*----- Useful tables -----------------------------------------------------*/

static const uint32 s[512] = MARS_S;
#define s0 (s +   0)
#define s1 (s + 256)
#define bb (s + 265)

/*----- Main code ---------------------------------------------------------*/

/* --- @mars_init@ --- *
 *
 * Arguments:	@mars_ctx *k@ = pointer to key block to fill in
 *		@const void *buf@ = pointer to buffer of key material
 *		@size_t sz@ = size of key material
 *
 * Returns:	---
 *
 * Use:		Initializes a MARS key buffer.  MARS accepts key sizes
 *		between 128 and 448 bits which are a multiple of 32 bits.
 */

void mars_init(mars_ctx *k, const void *buf, size_t sz)
{
  uint32 t[15];
  uint32 *kk = k->k;
  const octet *p;
  unsigned i, j, ii;

  KSZ_ASSERT(mars, sz);

  /* --- Copy the key into the temporary buffer --- */

  p = buf;
  for (i = 0; i < sz/4; i++) {
    t[i] = LOAD32_L(p);
    p += 4;
  }
  t[i++] = sz/4;
  for (; i < 15; i++)
    t[i] = 0;

  /* --- Now spit out the actual key material --- */

  for (j = 0; j < 4; j++) {
    uint32 x;

    /* --- Do the linear mixing stage --- */

    for (i = 0; i < 15; i++) {
      x = t[(i + 8)%15] ^ t[(i + 13)%15];
      t[i] ^= ROL32(x, 3) ^ ((i << 2) | j);
    }

    /* --- Now do the Feistel stirring stage --- */

    x = t[14];
    for (ii = 0; ii < 4; ii++) {
      for (i = 0; i < 15; i++) {
	x = t[i] + s[x & 511u];
	t[i] = x = ROL32(x, 9);
      }
    }

    /* --- And spit out the key material --- */

    for (i = 0; i < 10; i++)
      *kk++ = t[(4 * i)%15];
  }

  /* --- Finally, fix up the multiplicative entries --- */

  for (i = 5; i < 37; i += 2) {
    uint32 w, m, x;
    j = k->k[i] & 3u;
    w = k->k[i] | 3u;

    /* --- Compute the magic mask value --- */

    m = 0;
    for (ii = 0; ii <= 22; ii++) {
      x = w >> ii;
      if ((x & 0x3ff) == 0x3ff || (x & 0x3ff) == 0)
	m |= 0x3ff << ii;
    }
    m &= ~(((w ^ (w << 1)) | (w ^ (w >> 1))) | 0x80000003);

    /* --- Add in the bias entry to fix up the key --- */

    x = ROL32(bb[j], k->k[i - 1]);
    k->k[i] = w ^ (x & m);
  }
}

/* --- @mars_eblk@, @mars_dblk@ --- *
 *
 * Arguments:	@const mars_ctx *k@ = pointer to key block
 *		@const uint32 s[4]@ = pointer to source block
 *		@uint32 d[4]@ = pointer to destination block
 *
 * Returns:	---
 *
 * Use:		Low-level block encryption and decryption.
 */

#define KADD(k, a, b, c, d)  a += *k++, b += *k++, c += *k++, d += *k++
#define KSUB(k, a, b, c, d)  a -= *k++, b -= *k++, c -= *k++, d -= *k++
#define IKADD(k, a, b, c, d) d += *--k, c += *--k, b += *--k, a += *--k
#define IKSUB(k, a, b, c, d) d -= *--k, c -= *--k, b -= *--k, a -= *--k

#define MIX(a, b, c, d) do {						\
  b ^= s0[(a >>  0) & 0xff];						\
  b += s1[(a >>  8) & 0xff];						\
  c += s0[(a >> 16) & 0xff];						\
  d ^= s1[(a >> 24) & 0xff];						\
  a = ROL32(a, 8);							\
} while (0)

#define IMIX(a, b, c, d) do {						\
  a = ROR32(a, 8);							\
  d ^= s1[(a >> 24) & 0xff];						\
  c -= s0[(a >> 16) & 0xff];						\
  b -= s1[(a >>  8) & 0xff];						\
  b ^= s0[(a >>  0) & 0xff];						\
} while (0)

#define E(x, y, z, k, a) do {						\
  uint32 kx = *k++, ky = *k++;						\
  y = a + kx;								\
  a = ROL32(a, 13); z = a * ky; z = ROL32(z, 5);			\
  x = s[y & 511u] ^ z; y = ROL32(y, z);					\
  z = ROL32(z, 5); x ^= z; x = ROL32(x, z);				\
} while (0)

#define IE(x, y, z, k, a) do {						\
  uint32 ky = *--k, kx = *--k;						\
  z = a * ky;								\
  a = ROR32(a, 13); y = a + kx; z = ROL32(z, 5);			\
  x = s[y & 511u] ^ z; y = ROL32(y, z);					\
  z = ROL32(z, 5); x ^= z; x = ROL32(x, z);				\
} while (0)

#define ROUND(k, a, b, c, d) do {					\
  uint32 x, y, z;							\
  E(x, y, z, k, a);							\
  b += x; c += y; d ^= z;						\
} while (0)
  
#define IROUND(k, a, b, c, d) do {					\
  uint32 x, y, z;							\
  IE(x, y, z, k, a);							\
  b -= x; c -= y; d ^= z;						\
} while (0)

void mars_eblk(const mars_ctx *k, const uint32 *src, uint32 *dst)
{
  uint32 a, b, c, d;
  const uint32 *kk = k->k;

  a = src[0], b = src[1], c = src[2], d = src[3];
  KADD(kk, a, b, c, d);

  MIX(a, b, c, d); a += d; MIX(b, c, d, a); b += c;
  MIX(c, d, a, b); MIX(d, a, b, c);
  MIX(a, b, c, d); a += d; MIX(b, c, d, a); b += c;
  MIX(c, d, a, b); MIX(d, a, b, c);

  ROUND(kk, a, b, c, d); ROUND(kk, b, c, d, a);
  ROUND(kk, c, d, a, b); ROUND(kk, d, a, b, c);
  ROUND(kk, a, b, c, d); ROUND(kk, b, c, d, a);
  ROUND(kk, c, d, a, b); ROUND(kk, d, a, b, c);

  ROUND(kk, a, d, c, b); ROUND(kk, b, a, d, c);
  ROUND(kk, c, b, a, d); ROUND(kk, d, c, b, a);
  ROUND(kk, a, d, c, b); ROUND(kk, b, a, d, c);
  ROUND(kk, c, b, a, d); ROUND(kk, d, c, b, a);

  IMIX(a, d, c, b); IMIX(b, a, d, c);
  c -= b; IMIX(c, b, a, d); d -= a; IMIX(d, c, b, a);
  IMIX(a, d, c, b); IMIX(b, a, d, c);
  c -= b; IMIX(c, b, a, d); d -= a; IMIX(d, c, b, a);

  KSUB(kk, a, b, c, d);
  dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d;
}

void mars_dblk(const mars_ctx *k, const uint32 *src, uint32 *dst)
{
  uint32 a, b, c, d;
  const uint32 *kk = k->k + 40;

  a = src[0], b = src[1], c = src[2], d = src[3];
  IKADD(kk, a, b, c, d);

  MIX(d, c, b, a); d += a; MIX(c, b, a, d); c += b;
  MIX(b, a, d, c); MIX(a, d, c, b);
  MIX(d, c, b, a); d += a; MIX(c, b, a, d); c += b;
  MIX(b, a, d, c); MIX(a, d, c, b);

  IROUND(kk, d, c, b, a); IROUND(kk, c, b, a, d);
  IROUND(kk, b, a, d, c); IROUND(kk, a, d, c, b);
  IROUND(kk, d, c, b, a); IROUND(kk, c, b, a, d);
  IROUND(kk, b, a, d, c); IROUND(kk, a, d, c, b);

  IROUND(kk, d, a, b, c); IROUND(kk, c, d, a, b);
  IROUND(kk, b, c, d, a); IROUND(kk, a, b, c, d);
  IROUND(kk, d, a, b, c); IROUND(kk, c, d, a, b);
  IROUND(kk, b, c, d, a); IROUND(kk, a, b, c, d);

  IMIX(d, a, b, c); IMIX(c, d, a, b);
  b -= c; IMIX(b, c, d, a); a -= d; IMIX(a, b, c, d);
  IMIX(d, a, b, c); IMIX(c, d, a, b);
  b -= c; IMIX(b, c, d, a); a -= d; IMIX(a, b, c, d);

  IKSUB(kk, a, b, c, d);
  dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d;
}

BLKC_TEST(MARS, mars)

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
3bef8c14	1	/* --c--
	2	*
	3	* $Id: mars.c,v 1.1 2001/04/29 18:11:19 mdw Exp $
	4	*
	5	* The MARS block cipher
	6	*
	7	* (c) 2001 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: mars.c,v $
	33	* Revision 1.1 2001/04/29 18:11:19 mdw
	34	* New block cipher MARS.
	35	*
	36	*/
	37
	38	/----- Header files ------------------------------------------------------/
	39
	40	#include <assert.h>
	41	#include <stdio.h>
	42
	43	#include <mLib/bits.h>
	44
	45	#include "blkc.h"
	46	#include "gcipher.h"
	47	#include "mars.h"
	48	#include "mars-tab.h"
	49	#include "paranoia.h"
	50
	51	/----- Global variables --------------------------------------------------/
	52
	53	const octet mars_keysz[] = { KSZ_RANGE, MARS_KEYSZ, 0, 56, 4 };
	54
	55	/----- Useful tables -----------------------------------------------------/
	56
	57	static const uint32 s[512] = MARS_S;
	58	#define s0 (s + 0)
	59	#define s1 (s + 256)
	60	#define bb (s + 265)
	61
	62	/----- Main code ---------------------------------------------------------/
	63
	64	/* --- @mars_init@ --- *
65	*
66	* Arguments: @mars_ctx *k@ = pointer to key block to fill in
67	* @const void *buf@ = pointer to buffer of key material
68	* @size_t sz@ = size of key material
69	*
70	* Returns: ---
71	*
72	* Use: Initializes a MARS key buffer. MARS accepts key sizes
73	* between 128 and 448 bits which are a multiple of 32 bits.
74	*/
75
76	void mars_init(mars_ctx k, const void buf, size_t sz)
77	{
78	uint32 t[15];
79	uint32 *kk = k->k;
80	const octet *p;
81	unsigned i, j, ii;
82
83	KSZ_ASSERT(mars, sz);
84
85	/* --- Copy the key into the temporary buffer --- */
86
87	p = buf;
88	for (i = 0; i < sz/4; i++) {
89	t[i] = LOAD32_L(p);
90	p += 4;
91	}
92	t[i++] = sz/4;
93	for (; i < 15; i++)
94	t[i] = 0;
95
96	/* --- Now spit out the actual key material --- */
97
98	for (j = 0; j < 4; j++) {
99	uint32 x;
100
101	/* --- Do the linear mixing stage --- */
102
103	for (i = 0; i < 15; i++) {
104	x = t[(i + 8)%15] ^ t[(i + 13)%15];
105	t[i] ^= ROL32(x, 3) ^ ((i << 2) \| j);
106	}
107
108	/* --- Now do the Feistel stirring stage --- */
109
110	x = t[14];
111	for (ii = 0; ii < 4; ii++) {
112	for (i = 0; i < 15; i++) {
113	x = t[i] + s[x & 511u];
114	t[i] = x = ROL32(x, 9);
115	}
116	}
117
118	/* --- And spit out the key material --- */
119
120	for (i = 0; i < 10; i++)
121	kk++ = t[(4 i)%15];
122	}
123
124	/* --- Finally, fix up the multiplicative entries --- */
125
126	for (i = 5; i < 37; i += 2) {
127	uint32 w, m, x;
128	j = k->k[i] & 3u;
129	w = k->k[i] \| 3u;
130
131	/* --- Compute the magic mask value --- */
132
133	m = 0;
134	for (ii = 0; ii <= 22; ii++) {
135	x = w >> ii;
136	if ((x & 0x3ff) == 0x3ff \|\| (x & 0x3ff) == 0)
137	m \|= 0x3ff << ii;
138	}
139	m &= ~(((w ^ (w << 1)) \| (w ^ (w >> 1))) \| 0x80000003);
140
141	/* --- Add in the bias entry to fix up the key --- */
142
143	x = ROL32(bb[j], k->k[i - 1]);
144	k->k[i] = w ^ (x & m);
145	}
146	}
147
148	/* --- @mars_eblk@, @mars_dblk@ --- *
149	*
150	* Arguments: @const mars_ctx *k@ = pointer to key block
151	* @const uint32 s[4]@ = pointer to source block
152	* @uint32 d[4]@ = pointer to destination block
153	*
154	* Returns: ---
155	*
156	* Use: Low-level block encryption and decryption.
157	*/
158
159	#define KADD(k, a, b, c, d) a += k++, b += k++, c += k++, d += k++
160	#define KSUB(k, a, b, c, d) a -= k++, b -= k++, c -= k++, d -= k++
161	#define IKADD(k, a, b, c, d) d += --k, c += --k, b += --k, a += --k
162	#define IKSUB(k, a, b, c, d) d -= --k, c -= --k, b -= --k, a -= --k
163
164	#define MIX(a, b, c, d) do { \
165	b ^= s0[(a >> 0) & 0xff]; \
166	b += s1[(a >> 8) & 0xff]; \
167	c += s0[(a >> 16) & 0xff]; \
168	d ^= s1[(a >> 24) & 0xff]; \
169	a = ROL32(a, 8); \
170	} while (0)
171
172	#define IMIX(a, b, c, d) do { \
173	a = ROR32(a, 8); \
174	d ^= s1[(a >> 24) & 0xff]; \
175	c -= s0[(a >> 16) & 0xff]; \
176	b -= s1[(a >> 8) & 0xff]; \
177	b ^= s0[(a >> 0) & 0xff]; \
178	} while (0)
179
180	#define E(x, y, z, k, a) do { \
181	uint32 kx = k++, ky = k++; \
182	y = a + kx; \
183	a = ROL32(a, 13); z = a * ky; z = ROL32(z, 5); \
184	x = s[y & 511u] ^ z; y = ROL32(y, z); \
185	z = ROL32(z, 5); x ^= z; x = ROL32(x, z); \
186	} while (0)
187
188	#define IE(x, y, z, k, a) do { \
189	uint32 ky = --k, kx = --k; \
190	z = a * ky; \
191	a = ROR32(a, 13); y = a + kx; z = ROL32(z, 5); \
192	x = s[y & 511u] ^ z; y = ROL32(y, z); \
193	z = ROL32(z, 5); x ^= z; x = ROL32(x, z); \
194	} while (0)
195
196	#define ROUND(k, a, b, c, d) do { \
197	uint32 x, y, z; \
198	E(x, y, z, k, a); \
199	b += x; c += y; d ^= z; \
200	} while (0)
201
202	#define IROUND(k, a, b, c, d) do { \
203	uint32 x, y, z; \
204	IE(x, y, z, k, a); \
205	b -= x; c -= y; d ^= z; \
206	} while (0)
207
208	void mars_eblk(const mars_ctx k, const uint32 src, uint32 *dst)
209	{
210	uint32 a, b, c, d;
211	const uint32 *kk = k->k;
212
213	a = src[0], b = src[1], c = src[2], d = src[3];
214	KADD(kk, a, b, c, d);
215
216	MIX(a, b, c, d); a += d; MIX(b, c, d, a); b += c;
217	MIX(c, d, a, b); MIX(d, a, b, c);
218	MIX(a, b, c, d); a += d; MIX(b, c, d, a); b += c;
219	MIX(c, d, a, b); MIX(d, a, b, c);
220
221	ROUND(kk, a, b, c, d); ROUND(kk, b, c, d, a);
222	ROUND(kk, c, d, a, b); ROUND(kk, d, a, b, c);
223	ROUND(kk, a, b, c, d); ROUND(kk, b, c, d, a);
224	ROUND(kk, c, d, a, b); ROUND(kk, d, a, b, c);
225
226	ROUND(kk, a, d, c, b); ROUND(kk, b, a, d, c);
227	ROUND(kk, c, b, a, d); ROUND(kk, d, c, b, a);
228	ROUND(kk, a, d, c, b); ROUND(kk, b, a, d, c);
229	ROUND(kk, c, b, a, d); ROUND(kk, d, c, b, a);
230
231	IMIX(a, d, c, b); IMIX(b, a, d, c);
232	c -= b; IMIX(c, b, a, d); d -= a; IMIX(d, c, b, a);
233	IMIX(a, d, c, b); IMIX(b, a, d, c);
234	c -= b; IMIX(c, b, a, d); d -= a; IMIX(d, c, b, a);
235
236	KSUB(kk, a, b, c, d);
237	dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d;
238	}
239
240	void mars_dblk(const mars_ctx k, const uint32 src, uint32 *dst)
241	{
242	uint32 a, b, c, d;
243	const uint32 *kk = k->k + 40;
244
245	a = src[0], b = src[1], c = src[2], d = src[3];
246	IKADD(kk, a, b, c, d);
247
248	MIX(d, c, b, a); d += a; MIX(c, b, a, d); c += b;
249	MIX(b, a, d, c); MIX(a, d, c, b);
250	MIX(d, c, b, a); d += a; MIX(c, b, a, d); c += b;
251	MIX(b, a, d, c); MIX(a, d, c, b);
252
253	IROUND(kk, d, c, b, a); IROUND(kk, c, b, a, d);
254	IROUND(kk, b, a, d, c); IROUND(kk, a, d, c, b);
255	IROUND(kk, d, c, b, a); IROUND(kk, c, b, a, d);
256	IROUND(kk, b, a, d, c); IROUND(kk, a, d, c, b);
257
258	IROUND(kk, d, a, b, c); IROUND(kk, c, d, a, b);
259	IROUND(kk, b, c, d, a); IROUND(kk, a, b, c, d);
260	IROUND(kk, d, a, b, c); IROUND(kk, c, d, a, b);
261	IROUND(kk, b, c, d, a); IROUND(kk, a, b, c, d);
262
263	IMIX(d, a, b, c); IMIX(c, d, a, b);
264	b -= c; IMIX(b, c, d, a); a -= d; IMIX(a, b, c, d);
265	IMIX(d, a, b, c); IMIX(c, d, a, b);
266	b -= c; IMIX(b, c, d, a); a -= d; IMIX(a, b, c, d);
267
268	IKSUB(kk, a, b, c, d);
269	dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d;
270	}
271
272	BLKC_TEST(MARS, mars)
273
274	/----- That's all, folks -------------------------------------------------/