[u/mdw/catacomb] / square-mktab.c

/* -*-c-*-
 *
 * $Id: square-mktab.c,v 1.3 2004/04/08 01:36:15 mdw Exp $
 *
 * Build precomputed tables for the Square block cipher
 *
 * (c) 2000 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

#include <mLib/bits.h>

/*----- Magic variables ---------------------------------------------------*/

static octet s[256], si[256];
static uint32 t[4][256], ti[4][256];
static uint32 u[4][256];
static octet rc[32];

/*----- Main code ---------------------------------------------------------*/

/* --- @mul@ --- *
 *
 * Arguments:	@unsigned x, y@ = polynomials over %$\gf{2^8}$%
 *		@unsigned m@ = modulus
 *
 * Returns:	The product of two polynomials.
 *
 * Use:		Computes a product of polynomials, quite slowly.
 */

static unsigned mul(unsigned x, unsigned y, unsigned m)
{
  unsigned a = 0;
  unsigned i;

  for (i = 0; i < 8; i++) {
    if (y & 1)
      a ^= x;
    y >>= 1;
    x <<= 1;
    if (x & 0x100)
      x ^= m;
  }

  return (a);
}

/* --- @sbox@ --- *
 *
 * Build the S-box.
 *
 * This is built from inversion in the multiplicative group of
 * %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
 * followed by an affine transformation treating inputs as vectors over
 * %$\gf{2}$%.  The result is a horrible function.
 *
 * The inversion is done slightly sneakily, by building log and antilog
 * tables.  Let %$a$% be an element of the finite field.  If the inverse of
 * %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%.  Hence
 * %$\log a = -\log a^{-1}$%.  This saves fiddling about with Euclidean
 * algorithm.
 */

#define S_MOD 0x1f5

static void sbox(void)
{
  octet log[256], alog[256];
  unsigned x;
  unsigned i;
  unsigned g;

  /* --- Find a suitable generator, and build log tables --- */

  log[0] = 0;
  for (g = 2; g < 256; g++) {
    x = 1;
    for (i = 0; i < 256; i++) {
      log[x] = i;
      alog[i] = x;
      x = mul(x, g, S_MOD);
      if (x == 1 && i != 254)
	goto again;
    }
    goto done;
  again:;
  }
  fprintf(stderr, "couldn't find generator\n");
  exit(EXIT_FAILURE);
done:;

  /* --- Now grind through and do the affine transform --- *
   *
   * The matrix multiply is an AND and a parity op.  The add is an XOR.
   */

  for (i = 0; i < 256; i++) {
    unsigned j;
    octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
    unsigned v = i ? alog[255 - log[i]] : 0;

    assert(i == 0 || mul(i, v, S_MOD) == 1);

    x = 0;
    for (j = 0; j < 8; j++) {
      unsigned r;
      r = v & m[j];
      r = (r >> 4) ^ r;
      r = (r >> 2) ^ r;
      r = (r >> 1) ^ r;
      x = (x << 1) | (r & 1);
    }
    x ^= 0xb1;
    s[i] = x;
    si[x] = i;
  }
}

/* --- @tbox@ --- *
 *
 * Construct the t tables for doing the round function efficiently.
 */

static void tbox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c, d;
    uint32 w;

    /* --- Build a forwards t-box entry --- */

    a = s[i];
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    t[0][i] = w;
    t[1][i] = ROL32(w, 8);
    t[2][i] = ROL32(w, 16);
    t[3][i] = ROL32(w, 24);

    /* --- Build a backwards t-box entry --- */

    a = mul(si[i], 0x0e, S_MOD);
    b = mul(si[i], 0x09, S_MOD);
    c = mul(si[i], 0x0d, S_MOD);
    d = mul(si[i], 0x0b, S_MOD);
    w = (a << 0) | (b << 8) | (c << 16) | (d << 24);
    ti[0][i] = w;
    ti[1][i] = ROL32(w, 8);
    ti[2][i] = ROL32(w, 16);
    ti[3][i] = ROL32(w, 24);
  }
}

/* --- @ubox@ --- *
 *
 * Construct the tables for performing the key schedule.
 */

static void ubox(void)
{
  unsigned i;

  for (i = 0; i < 256; i++) {
    uint32 a, b, c;
    uint32 w;
    a = i;
    b = a << 1; if (b & 0x100) b ^= S_MOD;
    c = a ^ b;
    w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
    u[0][i] = w;
    u[1][i] = ROL32(w, 8);
    u[2][i] = ROL32(w, 16);
    u[3][i] = ROL32(w, 24);
  }
}

/* --- Round constants --- */

void rcon(void)
{
  unsigned r = 1;
  int i;

  for (i = 0; i < sizeof(rc); i++) {
    rc[i] = r;
    r <<= 1;
    if (r & 0x100)
      r ^= S_MOD;
  }
}

/* --- @main@ --- */

int main(void)
{
  int i, j;

  puts("\
/* -*-c-*-\n\
 *\n\
 * Square tables [generated]\n\
 */\n\
\n\
#ifndef CATACOMB_SQUARE_TAB_H\n\
#define CATACOMB_SQUARE_TAB_H\n\
");

  /* --- Write out the S-box --- */

  sbox();
  fputs("\
/* --- The byte substitution and its inverse --- */\n\
\n\
#define SQUARE_S {							\\\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", s[i]);
    if (i == 255)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  fputs("\
#define SQUARE_SI {							\\\n\
  ", stdout);
  for (i = 0; i < 256; i++) {
    printf("0x%02x", si[i]);
    if (i == 255)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  /* --- Write out the big t tables --- */

  tbox();
  fputs("\
/* --- The big round tables --- */\n\
\n\
#define SQUARE_T {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", t[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n	", stdout);
      else
	fputs(", ", stdout);
    }
  }

  fputs("\
#define SQUARE_TI {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", ti[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n	", stdout);
      else
	fputs(", ", stdout);
    }
  }

  /* --- Write out the big u tables --- */

  ubox();
  fputs("\
/* --- The key schedule tables --- */\n\
\n\
#define SQUARE_U {							\\\n\
  { ", stdout);
  for (j = 0; j < 4; j++) {
    for (i = 0; i < 256; i++) {
      printf("0x%08x", u[j][i]);
      if (i == 255) {
	if (j == 3)
	  fputs(" }			\\\n}\n\n", stdout);
	else
	  fputs(" },			\\\n\
									\\\n\
  { ", stdout);
      } else if (i % 4 == 3)
	fputs(",			\\\n	", stdout);
      else
	fputs(", ", stdout);
    }
  }

  /* --- Round constants --- */

  rcon();
  fputs("\
/* --- The round constants --- */\n\
\n\
#define SQUARE_RCON {							\\\n\
  ", stdout);
  for (i = 0; i < sizeof(rc); i++) {
    printf("0x%02x", rc[i]);
    if (i == sizeof(rc) - 1)
      fputs("			\\\n}\n\n", stdout);
    else if (i % 8 == 7)
      fputs(",			\\\n  ", stdout);
    else
      fputs(", ", stdout);
  }

  /* --- Done --- */

  puts("#endif");

  if (fclose(stdout)) {
    fprintf(stderr, "error writing data\n");
    exit(EXIT_FAILURE);
  }

  return (0);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
35682d2f	1	/* --c--
35682d2f	2	*
b817bfc6	3	* $Id: square-mktab.c,v 1.3 2004/04/08 01:36:15 mdw Exp $
35682d2f	4	*
	5	* Build precomputed tables for the Square block cipher
	6	*
	7	* (c) 2000 Straylight/Edgeware
	8	*/
	9
45c0fd36	10	/----- Licensing notice --------------------------------------------------
35682d2f	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
45c0fd36	18	*
35682d2f	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
45c0fd36	23	*
35682d2f	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
35682d2f	30	/----- Header files ------------------------------------------------------/
	31
	32	#include <assert.h>
	33	#include <stdio.h>
	34	#include <stdlib.h>
	35
	36	#include <mLib/bits.h>
	37
	38	/----- Magic variables ---------------------------------------------------/
	39
	40	static octet s[256], si[256];
	41	static uint32 t[4][256], ti[4][256];
	42	static uint32 u[4][256];
	43	static octet rc[32];
	44
	45	/----- Main code ---------------------------------------------------------/
	46
	47	/* --- @mul@ --- *
	48	*
	49	* Arguments: @unsigned x, y@ = polynomials over %$\gf{2^8}$%
	50	* @unsigned m@ = modulus
	51	*
	52	* Returns: The product of two polynomials.
	53	*
	54	* Use: Computes a product of polynomials, quite slowly.
	55	*/
	56
	57	static unsigned mul(unsigned x, unsigned y, unsigned m)
	58	{
	59	unsigned a = 0;
	60	unsigned i;
	61
	62	for (i = 0; i < 8; i++) {
	63	if (y & 1)
	64	a ^= x;
	65	y >>= 1;
	66	x <<= 1;
	67	if (x & 0x100)
	68	x ^= m;
	69	}
	70
	71	return (a);
	72	}
	73
	74	/* --- @sbox@ --- *
	75	*
	76	* Build the S-box.
	77	*
	78	* This is built from inversion in the multiplicative group of
ba74e11e	79	* %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8+x^7+x^6+x^5+x^4+x^2+1$%,
	80	* followed by an affine transformation treating inputs as vectors over
	81	* %$\gf{2}$%. The result is a horrible function.
35682d2f	82	*
	83	* The inversion is done slightly sneakily, by building log and antilog
	84	* tables. Let %$a$% be an element of the finite field. If the inverse of
	85	* %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%. Hence
	86	* %$\log a = -\log a^{-1}$%. This saves fiddling about with Euclidean
45c0fd36	87	* algorithm.
35682d2f	88	*/
	89
	90	#define S_MOD 0x1f5
	91
	92	static void sbox(void)
	93	{
	94	octet log[256], alog[256];
	95	unsigned x;
	96	unsigned i;
	97	unsigned g;
	98
	99	/* --- Find a suitable generator, and build log tables --- */
	100
	101	log[0] = 0;
	102	for (g = 2; g < 256; g++) {
	103	x = 1;
	104	for (i = 0; i < 256; i++) {
	105	log[x] = i;
	106	alog[i] = x;
	107	x = mul(x, g, S_MOD);
	108	if (x == 1 && i != 254)
	109	goto again;
	110	}
	111	goto done;
	112	again:;
	113	}
	114	fprintf(stderr, "couldn't find generator\n");
	115	exit(EXIT_FAILURE);
	116	done:;
	117
	118	/* --- Now grind through and do the affine transform --- *
	119	*
	120	* The matrix multiply is an AND and a parity op. The add is an XOR.
	121	*/
	122
	123	for (i = 0; i < 256; i++) {
	124	unsigned j;
	125	octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
	126	unsigned v = i ? alog[255 - log[i]] : 0;
	127
	128	assert(i == 0 \|\| mul(i, v, S_MOD) == 1);
	129
	130	x = 0;
	131	for (j = 0; j < 8; j++) {
	132	unsigned r;
	133	r = v & m[j];
	134	r = (r >> 4) ^ r;
	135	r = (r >> 2) ^ r;
	136	r = (r >> 1) ^ r;
	137	x = (x << 1) \| (r & 1);
	138	}
	139	x ^= 0xb1;
	140	s[i] = x;
	141	si[x] = i;
	142	}
	143	}
	144
	145	/* --- @tbox@ --- *
	146	*
	147	* Construct the t tables for doing the round function efficiently.
	148	*/
	149
	150	static void tbox(void)
	151	{
152	unsigned i;
153
154	for (i = 0; i < 256; i++) {
155	uint32 a, b, c, d;
156	uint32 w;
157
158	/* --- Build a forwards t-box entry --- */
159
160	a = s[i];
161	b = a << 1; if (b & 0x100) b ^= S_MOD;
162	c = a ^ b;
163	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
164	t[0][i] = w;
165	t[1][i] = ROL32(w, 8);
166	t[2][i] = ROL32(w, 16);
167	t[3][i] = ROL32(w, 24);
168
169	/* --- Build a backwards t-box entry --- */
170
171	a = mul(si[i], 0x0e, S_MOD);
172	b = mul(si[i], 0x09, S_MOD);
173	c = mul(si[i], 0x0d, S_MOD);
174	d = mul(si[i], 0x0b, S_MOD);
175	w = (a << 0) \| (b << 8) \| (c << 16) \| (d << 24);
176	ti[0][i] = w;
177	ti[1][i] = ROL32(w, 8);
178	ti[2][i] = ROL32(w, 16);
179	ti[3][i] = ROL32(w, 24);
180	}
181	}
182
183	/* --- @ubox@ --- *
184	*
185	* Construct the tables for performing the key schedule.
186	*/
187
188	static void ubox(void)
189	{
190	unsigned i;
191
192	for (i = 0; i < 256; i++) {
193	uint32 a, b, c;
194	uint32 w;
195	a = i;
196	b = a << 1; if (b & 0x100) b ^= S_MOD;
197	c = a ^ b;
198	w = (b << 0) \| (a << 8) \| (a << 16) \| (c << 24);
199	u[0][i] = w;
200	u[1][i] = ROL32(w, 8);
201	u[2][i] = ROL32(w, 16);
202	u[3][i] = ROL32(w, 24);
203	}
204	}
205
206	/* --- Round constants --- */
207
208	void rcon(void)
209	{
210	unsigned r = 1;
211	int i;
212
213	for (i = 0; i < sizeof(rc); i++) {
214	rc[i] = r;
215	r <<= 1;
216	if (r & 0x100)
217	r ^= S_MOD;
218	}
219	}
220
221	/* --- @main@ --- */
222
223	int main(void)
224	{
225	int i, j;
226
227	puts("\
228	/* --c--\n\
229	*\n\
230	* Square tables [generated]\n\
231	*/\n\
232	\n\
233	#ifndef CATACOMB_SQUARE_TAB_H\n\
234	#define CATACOMB_SQUARE_TAB_H\n\
235	");
236
237	/* --- Write out the S-box --- */
238
239	sbox();
240	fputs("\
241	/* --- The byte substitution and its inverse --- */\n\
242	\n\
243	#define SQUARE_S { \\\n\
244	", stdout);
245	for (i = 0; i < 256; i++) {
246	printf("0x%02x", s[i]);
247	if (i == 255)
248	fputs(" \\\n}\n\n", stdout);
249	else if (i % 8 == 7)
250	fputs(", \\\n ", stdout);
251	else
252	fputs(", ", stdout);
253	}
254
255	fputs("\
256	#define SQUARE_SI { \\\n\
257	", stdout);
258	for (i = 0; i < 256; i++) {
259	printf("0x%02x", si[i]);
260	if (i == 255)
261	fputs(" \\\n}\n\n", stdout);
262	else if (i % 8 == 7)
263	fputs(", \\\n ", stdout);
264	else
265	fputs(", ", stdout);
266	}
267
268	/* --- Write out the big t tables --- */
269
270	tbox();
271	fputs("\
272	/* --- The big round tables --- */\n\
273	\n\
274	#define SQUARE_T { \\\n\
275	{ ", stdout);
276	for (j = 0; j < 4; j++) {
277	for (i = 0; i < 256; i++) {
278	printf("0x%08x", t[j][i]);
279	if (i == 255) {
280	if (j == 3)
281	fputs(" } \\\n}\n\n", stdout);
282	else
283	fputs(" }, \\\n\
284	\\\n\
285	{ ", stdout);
286	} else if (i % 4 == 3)
45c0fd36	287	fputs(", \\\n ", stdout);
35682d2f	288	else
	289	fputs(", ", stdout);
	290	}
45c0fd36	291	}
35682d2f	292
	293	fputs("\
	294	#define SQUARE_TI { \\\n\
	295	{ ", stdout);
	296	for (j = 0; j < 4; j++) {
	297	for (i = 0; i < 256; i++) {
	298	printf("0x%08x", ti[j][i]);
	299	if (i == 255) {
	300	if (j == 3)
	301	fputs(" } \\\n}\n\n", stdout);
	302	else
	303	fputs(" }, \\\n\
	304	\\\n\
	305	{ ", stdout);
	306	} else if (i % 4 == 3)
45c0fd36	307	fputs(", \\\n ", stdout);
35682d2f	308	else
	309	fputs(", ", stdout);
	310	}
	311	}
	312
	313	/* --- Write out the big u tables --- */
	314
	315	ubox();
	316	fputs("\
	317	/* --- The key schedule tables --- */\n\
	318	\n\
	319	#define SQUARE_U { \\\n\
	320	{ ", stdout);
	321	for (j = 0; j < 4; j++) {
	322	for (i = 0; i < 256; i++) {
	323	printf("0x%08x", u[j][i]);
	324	if (i == 255) {
	325	if (j == 3)
	326	fputs(" } \\\n}\n\n", stdout);
	327	else
	328	fputs(" }, \\\n\
	329	\\\n\
	330	{ ", stdout);
	331	} else if (i % 4 == 3)
45c0fd36	332	fputs(", \\\n ", stdout);
35682d2f	333	else
	334	fputs(", ", stdout);
	335	}
45c0fd36	336	}
35682d2f	337
	338	/* --- Round constants --- */
	339
	340	rcon();
	341	fputs("\
	342	/* --- The round constants --- */\n\
	343	\n\
	344	#define SQUARE_RCON { \\\n\
	345	", stdout);
	346	for (i = 0; i < sizeof(rc); i++) {
	347	printf("0x%02x", rc[i]);
	348	if (i == sizeof(rc) - 1)
	349	fputs(" \\\n}\n\n", stdout);
	350	else if (i % 8 == 7)
	351	fputs(", \\\n ", stdout);
	352	else
	353	fputs(", ", stdout);
45c0fd36	354	}
35682d2f	355
	356	/* --- Done --- */
	357
	358	puts("#endif");
	359
	360	if (fclose(stdout)) {
	361	fprintf(stderr, "error writing data\n");
	362	exit(EXIT_FAILURE);
	363	}
	364
	365	return (0);
	366	}
	367
	368	/----- That's all, folks -------------------------------------------------/