projects / u / mdw / catacomb / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Build mLib test vector files from the AES files.
[u/mdw/catacomb] / twofish.c
1 /* -*-c-*-
2 *
3 * $Id: twofish.c,v 1.1 2000/06/17 12:10:17 mdw Exp $
4 *
5 * Implementation of the Twofish cipher
6 *
7 * (c) 2000 Straylight/Edgeware
8 */
9
10 /*----- Licensing notice --------------------------------------------------*
11 *
12 * This file is part of Catacomb.
13 *
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
18 *
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
23 *
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
27 * MA 02111-1307, USA.
28 */
29
30 /*----- Revision history --------------------------------------------------*
31 *
32 * $Log: twofish.c,v $
33 * Revision 1.1 2000/06/17 12:10:17 mdw
34 * New cipher.
35 *
36 */
37
38 /*----- Header files ------------------------------------------------------*/
39
40 #include <assert.h>
41
42 #include <mLib/bits.h>
43
44 #include "blkc.h"
45 #include "gcipher.h"
46 #include "twofish.h"
47 #include "twofish-tab.h"
48 #include "paranoia.h"
49
50 /*----- Global variables --------------------------------------------------*/
51
52 const octet twofish_keysz[] = { KSZ_RANGE, TWOFISH_KEYSZ, 4, 32, 4 };
53
54 /*----- Important tables --------------------------------------------------*/
55
56 static const octet q0[256] = TWOFISH_Q0, q1[256] = TWOFISH_Q1;
57 static const uint32 qmds[4][256] = TWOFISH_QMDS;
58 static const octet rslog[] = TWOFISH_RSLOG, rsexp[] = TWOFISH_RSEXP;
59 static const octet rs[32] = TWOFISH_RS;
60
61 /*----- Key initialization ------------------------------------------------*/
62
63 /* --- @h@ --- *
64 *
65 * Arguments: @uint32 x@ = input to the function
66 * @const uint32 *l@ = key values to mix in
67 * @unsigned k@ = number of key values there are
68 *
69 * Returns: The output of the function @h@.
70 *
71 * Use: Implements the Twofish function @h@.
72 */
73
74 static uint32 h(uint32 x, const uint32 *l, unsigned k)
75 {
76 /* --- Apply a series of @q@ tables to an integer --- */
77
78 # define Q(x, qa, qb, qc, qd) \
79 ((qa[((x) >> 0) & 0xff] << 0) | \
80 (qb[((x) >> 8) & 0xff] << 8) | \
81 (qc[((x) >> 16) & 0xff] << 16) | \
82 (qd[((x) >> 24) & 0xff] << 24))
83
84 /* --- Grind through the tables --- */
85
86 switch (k) {
87 case 4: x = Q(x, q1, q0, q0, q1) ^ l[3];
88 case 3: x = Q(x, q1, q1, q0, q0) ^ l[2];
89 case 2: x = Q(x, q0, q1, q0, q1) ^ l[1];
90 x = Q(x, q0, q0, q1, q1) ^ l[0];
91 break;
92 }
93
94 #undef Q
95
96 /* --- Apply the MDS matrix --- */
97
98 return (qmds[0][U8(x >> 0)] ^ qmds[1][U8(x >> 8)] ^
99 qmds[2][U8(x >> 16)] ^ qmds[3][U8(x >> 24)]);
100 }
101
102 /* --- @twofish_init@ --- *
103 *
104 * Arguments: @twofish_ctx *k@ = pointer to key block to fill in
105 * @const void *buf@ = pointer to buffer of key material
106 * @size_t sz@ = size of key material
107 *
108 * Returns: ---
109 *
110 * Use: Initializes a Twofish key buffer. Twofish accepts key sizes
111 * of up to 256 bits (32 bytes).
112 */
113
114 void twofish_init(twofish_ctx *k, const void *buf, size_t sz)
115 {
116 # define KMAX 4
117
118 uint32 mo[KMAX], me[KMAX];
119 octet s[4][KMAX];
120
121 /* --- Expand the key into the three word arrays --- */
122
123 {
124 size_t ssz;
125 const octet *p, *q;
126 octet b[32];
127 int i;
128
129 /* --- Sort out the key size --- */
130
131 KSZ_ASSERT(twofish, sz);
132 if (sz <= 16)
133 ssz = 16;
134 else if (sz <= 24)
135 ssz = 24;
136 else if (sz <= 32)
137 ssz = 32;
138 else
139 assert(((void)"This can't happen (bad key size in twofish_init)", 0));
140
141 /* --- Extend the key if necessary --- */
142
143 if (sz == ssz)
144 p = buf;
145 else {
146 memcpy(b, buf, sz);
147 memset(b + sz, 0, ssz - sz);
148 p = b;
149 }
150
151 /* --- Finally get the word count --- */
152
153 sz = ssz / 8;
154
155 /* --- Extract words from the key --- *
156 *
157 * The @s@ table, constructed using the Reed-Solomon matrix, is cut into
158 * sequences of bytes, since this is actually more useful for computing
159 * the S-boxes.
160 */
161
162 q = p;
163 for (i = 0; i < sz; i++) {
164 octet ss[4];
165 const octet *r = rs;
166 int j;
167
168 /* --- Extract the easy subkeys --- */
169
170 me[i] = LOAD32_L(q);
171 mo[i] = LOAD32_L(q + 4);
172
173 /* --- Now do the Reed-Solomon thing --- */
174
175 for (j = 0; j < 4; j++) {
176 const octet *qq = q;
177 unsigned a = 0;
178 int k;
179
180 for (k = 0; k < 8; k++) {
181 if (*qq)
182 a ^= rsexp[rslog[*qq] + *r];
183 qq++;
184 r++;
185 }
186
187 s[j][sz - 1 - i] = ss[j] = a;
188 }
189 q += 8;
190 }
191
192 /* --- Clear away the temporary buffer --- */
193
194 if (p == b)
195 BURN(b);
196 }
197
198 /* --- Construct the expanded key --- */
199
200 {
201 uint32 p = 0x01010101;
202 uint32 ip = 0;
203 int i;
204
205 for (i = 0; i < 40; i += 2) {
206 uint32 a, b;
207 a = h(ip, me, sz);
208 b = h(ip + p, mo, sz);
209 b = ROL32(b, 8);
210 a += b; b += a;
211 k->k[i] = U32(a);
212 k->k[i + 1] = ROL32(b, 9);
213 ip += 2 * p;
214 }
215 }
216
217 /* --- Construct the S-box tables --- */
218
219 {
220 unsigned i;
221 static const octet *q[4][KMAX + 1] = {
222 { q1, q0, q0, q1, q1 },
223 { q0, q0, q1, q1, q0 },
224 { q1, q1, q0, q0, q0 },
225 { q0, q1, q1, q0, q1 }
226 };
227
228 for (i = 0; i < 4; i++) {
229 unsigned j;
230 uint32 x;
231
232 for (j = 0; j < 256; j++) {
233 x = j;
234
235 /* --- Push the byte through the q tables --- */
236
237 switch (sz) {
238 case 4: x = q[i][4][x] ^ s[i][3];
239 case 3: x = q[i][3][x] ^ s[i][2];
240 case 2: x = q[i][2][x] ^ s[i][1];
241 x = q[i][1][x] ^ s[i][0];
242 break;
243 }
244
245 /* --- Write it in the key schedule --- */
246
247 k->g[i][j] = qmds[i][x];
248 }
249 }
250 }
251
252 /* --- Clear everything away --- */
253
254 BURN(me);
255 BURN(mo);
256 BURN(s);
257 }
258
259 /*----- Main encryption ---------------------------------------------------*/
260
261 /* --- Feistel function --- */
262
263 #define GG(k, t0, t1, x, y, kk) do { \
264 t0 = (k->g[0][U8(x >> 0)] ^ \
265 k->g[1][U8(x >> 8)] ^ \
266 k->g[2][U8(x >> 16)] ^ \
267 k->g[3][U8(x >> 24)]); \
268 t1 = (k->g[1][U8(y >> 0)] ^ \
269 k->g[2][U8(y >> 8)] ^ \
270 k->g[3][U8(y >> 16)] ^ \
271 k->g[0][U8(y >> 24)]); \
272 t0 += t1; \
273 t1 += t0; \
274 t0 += kk[0]; \
275 t1 += kk[1]; \
276 } while (0)
277
278 /* --- Round operations --- */
279
280 #define EROUND(k, w, x, y, z, kk) do { \
281 uint32 _t0, _t1; \
282 GG(k, _t0, _t1, w, x, kk); \
283 kk += 2; \
284 y ^= _t0; y = ROR32(y, 1); \
285 z = ROL32(z, 1); z ^= _t1; \
286 } while (0)
287
288 #define DROUND(k, w, x, y, z, kk) do { \
289 uint32 _t0, _t1; \
290 kk -= 2; \
291 GG(k, _t0, _t1, w, x, kk); \
292 y = ROL32(y, 1); y ^= _t0; \
293 z ^= _t1; z = ROR32(z, 1); \
294 } while (0)
295
296 /* --- Complete encryption functions --- */
297
298 #define EBLK(k, a, b, c, d, w, x, y, z) do { \
299 const uint32 *_kk = k->k + 8; \
300 uint32 _a = a, _b = b, _c = c, _d = d; \
301 _a ^= k->k[0]; _b ^= k->k[1]; _c ^= k->k[2]; _d ^= k->k[3]; \
302 EROUND(k, _a, _b, _c, _d, _kk); \
303 EROUND(k, _c, _d, _a, _b, _kk); \
304 EROUND(k, _a, _b, _c, _d, _kk); \
305 EROUND(k, _c, _d, _a, _b, _kk); \
306 EROUND(k, _a, _b, _c, _d, _kk); \
307 EROUND(k, _c, _d, _a, _b, _kk); \
308 EROUND(k, _a, _b, _c, _d, _kk); \
309 EROUND(k, _c, _d, _a, _b, _kk); \
310 EROUND(k, _a, _b, _c, _d, _kk); \
311 EROUND(k, _c, _d, _a, _b, _kk); \
312 EROUND(k, _a, _b, _c, _d, _kk); \
313 EROUND(k, _c, _d, _a, _b, _kk); \
314 EROUND(k, _a, _b, _c, _d, _kk); \
315 EROUND(k, _c, _d, _a, _b, _kk); \
316 EROUND(k, _a, _b, _c, _d, _kk); \
317 EROUND(k, _c, _d, _a, _b, _kk); \
318 _c ^= k->k[4]; _d ^= k->k[5]; _a ^= k->k[6]; _b ^= k->k[7]; \
319 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
320 } while (0)
321
322 #define DBLK(k, a, b, c, d, w, x, y, z) do { \
323 const uint32 *_kk = k->k + 40; \
324 uint32 _a = a, _b = b, _c = c, _d = d; \
325 _a ^= k->k[4]; _b ^= k->k[5]; _c ^= k->k[6]; _d ^= k->k[7]; \
326 DROUND(k, _a, _b, _c, _d, _kk); \
327 DROUND(k, _c, _d, _a, _b, _kk); \
328 DROUND(k, _a, _b, _c, _d, _kk); \
329 DROUND(k, _c, _d, _a, _b, _kk); \
330 DROUND(k, _a, _b, _c, _d, _kk); \
331 DROUND(k, _c, _d, _a, _b, _kk); \
332 DROUND(k, _a, _b, _c, _d, _kk); \
333 DROUND(k, _c, _d, _a, _b, _kk); \
334 DROUND(k, _a, _b, _c, _d, _kk); \
335 DROUND(k, _c, _d, _a, _b, _kk); \
336 DROUND(k, _a, _b, _c, _d, _kk); \
337 DROUND(k, _c, _d, _a, _b, _kk); \
338 DROUND(k, _a, _b, _c, _d, _kk); \
339 DROUND(k, _c, _d, _a, _b, _kk); \
340 DROUND(k, _a, _b, _c, _d, _kk); \
341 DROUND(k, _c, _d, _a, _b, _kk); \
342 _c ^= k->k[0]; _d ^= k->k[1]; _a ^= k->k[2]; _b ^= k->k[3]; \
343 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
344 } while (0)
345
346 /* --- @twofish_eblk@, @twofish_dblk@ --- *
347 *
348 * Arguments: @const twofish_ctx *k@ = pointer to key block
349 * @const uint32 s[4]@ = pointer to source block
350 * @uint32 d[4]@ = pointer to destination block
351 *
352 * Returns: ---
353 *
354 * Use: Low-level block encryption and decryption.
355 */
356
357 void twofish_eblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
358 {
359 EBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
360 }
361
362 void twofish_dblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
363 {
364 DBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
365 }
366
367 BLKC_TEST(TWOFISH, twofish)
368
369 /*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library (downstream of http://git.distorted.org.uk/~mdw/catacomb/)