3 * $Id: twofish.c,v 1.1 2000/06/17 12:10:17 mdw Exp $
5 * Implementation of the Twofish cipher
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.1 2000/06/17 12:10:17 mdw
38 /*----- Header files ------------------------------------------------------*/
42 #include <mLib/bits.h>
47 #include "twofish-tab.h"
50 /*----- Global variables --------------------------------------------------*/
52 const octet twofish_keysz
[] = { KSZ_RANGE
, TWOFISH_KEYSZ
, 4, 32, 4 };
54 /*----- Important tables --------------------------------------------------*/
56 static const octet q0
[256] = TWOFISH_Q0
, q1
[256] = TWOFISH_Q1
;
57 static const uint32 qmds
[4][256] = TWOFISH_QMDS
;
58 static const octet rslog
[] = TWOFISH_RSLOG
, rsexp
[] = TWOFISH_RSEXP
;
59 static const octet rs
[32] = TWOFISH_RS
;
61 /*----- Key initialization ------------------------------------------------*/
65 * Arguments: @uint32 x@ = input to the function
66 * @const uint32 *l@ = key values to mix in
67 * @unsigned k@ = number of key values there are
69 * Returns: The output of the function @h@.
71 * Use: Implements the Twofish function @h@.
74 static uint32
h(uint32 x
, const uint32
*l
, unsigned k
)
76 /* --- Apply a series of @q@ tables to an integer --- */
78 # define Q(x, qa, qb, qc, qd) \
79 ((qa[((x) >> 0) & 0xff] << 0) | \
80 (qb[((x) >> 8) & 0xff] << 8) | \
81 (qc[((x) >> 16) & 0xff] << 16) | \
82 (qd[((x) >> 24) & 0xff] << 24))
84 /* --- Grind through the tables --- */
87 case 4: x
= Q(x
, q1
, q0
, q0
, q1
) ^ l
[3];
88 case 3: x
= Q(x
, q1
, q1
, q0
, q0
) ^ l
[2];
89 case 2: x
= Q(x
, q0
, q1
, q0
, q1
) ^ l
[1];
90 x
= Q(x
, q0
, q0
, q1
, q1
) ^ l
[0];
96 /* --- Apply the MDS matrix --- */
98 return (qmds
[0][U8(x
>> 0)] ^ qmds
[1][U8(x
>> 8)] ^
99 qmds
[2][U8(x
>> 16)] ^ qmds
[3][U8(x
>> 24)]);
102 /* --- @twofish_init@ --- *
104 * Arguments: @twofish_ctx *k@ = pointer to key block to fill in
105 * @const void *buf@ = pointer to buffer of key material
106 * @size_t sz@ = size of key material
110 * Use: Initializes a Twofish key buffer. Twofish accepts key sizes
111 * of up to 256 bits (32 bytes).
114 void twofish_init(twofish_ctx
*k
, const void *buf
, size_t sz
)
118 uint32 mo
[KMAX
], me
[KMAX
];
121 /* --- Expand the key into the three word arrays --- */
129 /* --- Sort out the key size --- */
131 KSZ_ASSERT(twofish
, sz
);
139 assert(((void)"This can't happen (bad key size in twofish_init)", 0));
141 /* --- Extend the key if necessary --- */
147 memset(b
+ sz
, 0, ssz
- sz
);
151 /* --- Finally get the word count --- */
155 /* --- Extract words from the key --- *
157 * The @s@ table, constructed using the Reed-Solomon matrix, is cut into
158 * sequences of bytes, since this is actually more useful for computing
163 for (i
= 0; i
< sz
; i
++) {
168 /* --- Extract the easy subkeys --- */
171 mo
[i
] = LOAD32_L(q
+ 4);
173 /* --- Now do the Reed-Solomon thing --- */
175 for (j
= 0; j
< 4; j
++) {
180 for (k
= 0; k
< 8; k
++) {
182 a
^= rsexp
[rslog
[*qq
] + *r
];
187 s
[j
][sz
- 1 - i
] = ss
[j
] = a
;
192 /* --- Clear away the temporary buffer --- */
198 /* --- Construct the expanded key --- */
201 uint32 p
= 0x01010101;
205 for (i
= 0; i
< 40; i
+= 2) {
208 b
= h(ip
+ p
, mo
, sz
);
212 k
->k
[i
+ 1] = ROL32(b
, 9);
217 /* --- Construct the S-box tables --- */
221 static const octet
*q
[4][KMAX
+ 1] = {
222 { q1
, q0
, q0
, q1
, q1
},
223 { q0
, q0
, q1
, q1
, q0
},
224 { q1
, q1
, q0
, q0
, q0
},
225 { q0
, q1
, q1
, q0
, q1
}
228 for (i
= 0; i
< 4; i
++) {
232 for (j
= 0; j
< 256; j
++) {
235 /* --- Push the byte through the q tables --- */
238 case 4: x
= q
[i
][4][x
] ^ s
[i
][3];
239 case 3: x
= q
[i
][3][x
] ^ s
[i
][2];
240 case 2: x
= q
[i
][2][x
] ^ s
[i
][1];
241 x
= q
[i
][1][x
] ^ s
[i
][0];
245 /* --- Write it in the key schedule --- */
247 k
->g
[i
][j
] = qmds
[i
][x
];
252 /* --- Clear everything away --- */
259 /*----- Main encryption ---------------------------------------------------*/
261 /* --- Feistel function --- */
263 #define GG(k, t0, t1, x, y, kk) do { \
264 t0 = (k->g[0][U8(x >> 0)] ^ \
265 k->g[1][U8(x >> 8)] ^ \
266 k->g[2][U8(x >> 16)] ^ \
267 k->g[3][U8(x >> 24)]); \
268 t1 = (k->g[1][U8(y >> 0)] ^ \
269 k->g[2][U8(y >> 8)] ^ \
270 k->g[3][U8(y >> 16)] ^ \
271 k->g[0][U8(y >> 24)]); \
278 /* --- Round operations --- */
280 #define EROUND(k, w, x, y, z, kk) do { \
282 GG(k, _t0, _t1, w, x, kk); \
284 y ^= _t0; y = ROR32(y, 1); \
285 z = ROL32(z, 1); z ^= _t1; \
288 #define DROUND(k, w, x, y, z, kk) do { \
291 GG(k, _t0, _t1, w, x, kk); \
292 y = ROL32(y, 1); y ^= _t0; \
293 z ^= _t1; z = ROR32(z, 1); \
296 /* --- Complete encryption functions --- */
298 #define EBLK(k, a, b, c, d, w, x, y, z) do { \
299 const uint32 *_kk = k->k + 8; \
300 uint32 _a = a, _b = b, _c = c, _d = d; \
301 _a ^= k->k[0]; _b ^= k->k[1]; _c ^= k->k[2]; _d ^= k->k[3]; \
302 EROUND(k, _a, _b, _c, _d, _kk); \
303 EROUND(k, _c, _d, _a, _b, _kk); \
304 EROUND(k, _a, _b, _c, _d, _kk); \
305 EROUND(k, _c, _d, _a, _b, _kk); \
306 EROUND(k, _a, _b, _c, _d, _kk); \
307 EROUND(k, _c, _d, _a, _b, _kk); \
308 EROUND(k, _a, _b, _c, _d, _kk); \
309 EROUND(k, _c, _d, _a, _b, _kk); \
310 EROUND(k, _a, _b, _c, _d, _kk); \
311 EROUND(k, _c, _d, _a, _b, _kk); \
312 EROUND(k, _a, _b, _c, _d, _kk); \
313 EROUND(k, _c, _d, _a, _b, _kk); \
314 EROUND(k, _a, _b, _c, _d, _kk); \
315 EROUND(k, _c, _d, _a, _b, _kk); \
316 EROUND(k, _a, _b, _c, _d, _kk); \
317 EROUND(k, _c, _d, _a, _b, _kk); \
318 _c ^= k->k[4]; _d ^= k->k[5]; _a ^= k->k[6]; _b ^= k->k[7]; \
319 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
322 #define DBLK(k, a, b, c, d, w, x, y, z) do { \
323 const uint32 *_kk = k->k + 40; \
324 uint32 _a = a, _b = b, _c = c, _d = d; \
325 _a ^= k->k[4]; _b ^= k->k[5]; _c ^= k->k[6]; _d ^= k->k[7]; \
326 DROUND(k, _a, _b, _c, _d, _kk); \
327 DROUND(k, _c, _d, _a, _b, _kk); \
328 DROUND(k, _a, _b, _c, _d, _kk); \
329 DROUND(k, _c, _d, _a, _b, _kk); \
330 DROUND(k, _a, _b, _c, _d, _kk); \
331 DROUND(k, _c, _d, _a, _b, _kk); \
332 DROUND(k, _a, _b, _c, _d, _kk); \
333 DROUND(k, _c, _d, _a, _b, _kk); \
334 DROUND(k, _a, _b, _c, _d, _kk); \
335 DROUND(k, _c, _d, _a, _b, _kk); \
336 DROUND(k, _a, _b, _c, _d, _kk); \
337 DROUND(k, _c, _d, _a, _b, _kk); \
338 DROUND(k, _a, _b, _c, _d, _kk); \
339 DROUND(k, _c, _d, _a, _b, _kk); \
340 DROUND(k, _a, _b, _c, _d, _kk); \
341 DROUND(k, _c, _d, _a, _b, _kk); \
342 _c ^= k->k[0]; _d ^= k->k[1]; _a ^= k->k[2]; _b ^= k->k[3]; \
343 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
346 /* --- @twofish_eblk@, @twofish_dblk@ --- *
348 * Arguments: @const twofish_ctx *k@ = pointer to key block
349 * @const uint32 s[4]@ = pointer to source block
350 * @uint32 d[4]@ = pointer to destination block
354 * Use: Low-level block encryption and decryption.
357 void twofish_eblk(const twofish_ctx
*k
, const uint32
*s
, uint32
*d
)
359 EBLK(k
, s
[0], s
[1], s
[2], s
[3], d
[0], d
[1], d
[2], d
[3]);
362 void twofish_dblk(const twofish_ctx
*k
, const uint32
*s
, uint32
*d
)
364 DBLK(k
, s
[0], s
[1], s
[2], s
[3], d
[0], d
[1], d
[2], d
[3]);
367 BLKC_TEST(TWOFISH
, twofish
)
369 /*----- That's all, folks -------------------------------------------------*/