From 3a65506d4df316377c9b838ef5954b5d856215ee Mon Sep 17 00:00:00 2001 From: mdw Date: Sat, 17 Jun 2000 11:56:07 +0000 Subject: [PATCH] New cipher. --- rc2.c | 369 +++++++++++++++++++++++++++++++++++++++++++++++++++++ rc2.h | 138 ++++++++++++++++++++ rijndael-mktab.c | 378 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ rijndael.c | 265 ++++++++++++++++++++++++++++++++++++++ rijndael.h | 120 ++++++++++++++++++ 5 files changed, 1270 insertions(+) create mode 100644 rc2.c create mode 100644 rc2.h create mode 100644 rijndael-mktab.c create mode 100644 rijndael.c create mode 100644 rijndael.h diff --git a/rc2.c b/rc2.c new file mode 100644 index 0000000..9ced44c --- /dev/null +++ b/rc2.c @@ -0,0 +1,369 @@ +/* -*-c-*- + * + * $Id: rc2.c,v 1.1 2000/06/17 11:54:34 mdw Exp $ + * + * The RC2 block cipher + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rc2.c,v $ + * Revision 1.1 2000/06/17 11:54:34 mdw + * New cipher. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include +#include + +#include + +#include "blkc.h" +#include "gcipher.h" +#include "paranoia.h" +#include "rc2.h" + +/*----- Global variables --------------------------------------------------*/ + +const octet rc2_keysz[] = { KSZ_RANGE, RC2_KEYSZ, 1, 128, 1 }; + +/*----- Important tables --------------------------------------------------*/ + +static const octet pi[] = { + 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, + 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, + 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, + 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, + 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, + 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, + 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, + 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, + 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, + 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, + 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, + 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, + 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, + 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, + 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, + 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, + 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, + 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, + 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, + 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, + 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, + 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, + 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, + 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, + 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, + 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, + 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, + 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, + 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, + 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, + 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, + 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad +}; + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @rc2_braindamage@ --- * + * + * Arguments: @rc2_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to key material + * @size_t sz@ = size of key material in bytes + * @unsigned eb@ = desired effective key size, in bits + * + * Returns: --- + * + * Use: Initializes an RC2 expanded key, and braindamages it to the + * requested effective key size. This is here for compatibility + * reasons. You should be using @rc2_init@ in normal code, + * which doesn't actually apply braindamage. + */ + +void rc2_braindamage(rc2_ctx *k, const void *buf, size_t sz, unsigned eb) +{ + unsigned t8; + uint16 tm; + unsigned i; + uint16 *kk; + octet l[128]; + + KSZ_ASSERT(rc2, sz); + + /* --- Compute the braindamage parameters --- */ + + t8 = (eb + 7) / 8; + tm = 0xff & ((1 << (8 + eb - 8 * t8)) - 1); + + /* --- Copy and expand the initial key --- */ + + if (sz > sizeof(l)) + sz = sizeof(l); + memcpy(l, buf, sz); + + for (i = sz; i < sizeof(l); i++) + l[i] = pi[U8(l[i - 1] + l[i - sz])]; + + /* --- Braindamage the key --- */ + + i = sizeof(l) - t8; + l[i] = pi[l[i] & tm]; + while (i) { + i--; + l[i] = pi[U8(l[i + 1] ^ l[i + t8])]; + } + + /* --- Write it to the key block --- */ + + kk = k->k; + for (i = 0; i < sizeof(l); i += 2) + *kk++ = LOAD16_L(l + i); + BURN(l); +} + +/* --- @rc2_init@ --- * + * + * Arguments: @rc2_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to key material + * @size_t sz@ = size of key material in bytes + * + * Returns: --- + * + * Use: Initializes an RC2 expanded key. The effective key size is + * set to be equal to the real key size, in bits. + */ + +void rc2_init(rc2_ctx *k, const void *buf, size_t sz) +{ + rc2_braindamage(k, buf, sz, sz * 8); +} + +/*----- Encryption and decryption -----------------------------------------*/ + +#define MIX(a, b, c, d, r, kk) do { \ + a += *kk++ + (d & c) + (~d & b); \ + a = ROL16(a, r); \ +} while (0) + +#define MASH(a, d, k) do { \ + a += k[d & 63]; \ +} while (0) + +#define UNMIX(a, b, c, d, r, kk) do { \ + a = ROR16(a, r); \ + a -= *--kk + (d & c) + (~d & b); \ +} while (0) + +#define UNMASH(a, d, k) do { \ + a -= k[d & 63]; \ +} while (0) + +/* --- @rc2_eblk@, @rc2_dblk@ --- * + * + * Arguments: @const rc2_ctx *k@ = pointer to RC2 context + * @const uint32 s[2]@ = pointer to source block + * @const uint32 d[2]@ = pointer to destination block + * + * Returns: --- + * + * Use: Low-level block encryption and decryption. + */ + +void rc2_eblk(const rc2_ctx *k, const uint32 *s, uint32 *dst) +{ + uint16 a = U16(s[0] >> 0), b = U16(s[0] >> 16); + uint16 c = U16(s[1] >> 0), d = U16(s[1] >> 16); + const uint16 *kk = k->k; + + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MASH(a, d, k->k); MASH(b, a, k->k); + MASH(c, b, k->k); MASH(d, c, k->k); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MASH(a, d, k->k); MASH(b, a, k->k); + MASH(c, b, k->k); MASH(d, c, k->k); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + MIX(a, b, c, d, 1, kk); MIX(b, c, d, a, 2, kk); + MIX(c, d, a, b, 3, kk); MIX(d, a, b, c, 5, kk); + + dst[0] = a | (b << 16); dst[1] = c | (d << 16); +} + +void rc2_dblk(const rc2_ctx *k, const uint32 *s, uint32 *dst) +{ + uint16 a = U16(s[0] >> 0), b = U16(s[0] >> 16); + uint16 c = U16(s[1] >> 0), d = U16(s[1] >> 16); + const uint16 *kk = k->k + 64; + + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMASH(d, c, k->k); UNMASH(c, b, k->k); + UNMASH(b, a, k->k); UNMASH(a, d, k->k); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMASH(d, c, k->k); UNMASH(c, b, k->k); + UNMASH(b, a, k->k); UNMASH(a, d, k->k); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + UNMIX(d, a, b, c, 5, kk); UNMIX(c, d, a, b, 3, kk); + UNMIX(b, c, d, a, 2, kk); UNMIX(a, b, c, d, 1, kk); + + dst[0] = a | (b << 16); dst[1] = c | (d << 16); +} + +/*----- Custom test rig ---------------------------------------------------* + * + * I need to test the braindamage feature. + */ + +#ifdef TEST_RIG + +#include +#include + +static int verify(dstr *v) +{ + rc2_ctx k; + uint32 p[RC2_BLKSZ / 4]; + uint32 c[RC2_BLKSZ / 4]; + uint32 d[RC2_BLKSZ / 4]; + dstr b = DSTR_INIT; + unsigned bd = *(unsigned *)v[1].buf; + int ok = 1; + + /* --- Initialize the key buffer --- */ + + dstr_ensure(&b, RC2_BLKSZ); + b.len = RC2_BLKSZ; + rc2_braindamage(&k, v[0].buf, v[0].len, bd); + BLKC_LOAD(RC2, p, v[2].buf); + BLKC_LOAD(RC2, c, v[3].buf); + + /* --- Test encryption --- */ + + BLKC_MOVE(RC2, d, p); + rc2_eblk(&k, d, d); + BLKC_STORE(RC2, b.buf, d); + if (memcmp(b.buf, v[3].buf, RC2_BLKSZ)) { + ok = 0; + printf("\nfail encryption:" + "\n\tkey = "); + type_hex.dump(&v[0], stdout); + printf("\n\tbraindamage= %u", bd); + printf("\n\tplaintext = "); type_hex.dump(&v[2], stdout); + printf("\n\texpected = "); type_hex.dump(&v[3], stdout); + printf("\n\tcalculated = "); type_hex.dump(&b, stdout); + putchar('\n'); + } + + /* --- Test decryption --- */ + + BLKC_MOVE(RC2, d, c); + rc2_dblk(&k, d, d); + BLKC_STORE(RC2, b.buf, d); + if (memcmp(b.buf, v[2].buf, RC2_BLKSZ)) { + ok = 0; + printf("\nfail decryption:" + "\n\tkey = "); + type_hex.dump(&v[0], stdout); + printf("\n\tbraindamage= %u", bd); + printf("\n\tciphertext = "); type_hex.dump(&v[3], stdout); + printf("\n\texpected = "); type_hex.dump(&v[2], stdout); + printf("\n\tcalculated = "); type_hex.dump(&b, stdout); + putchar('\n'); + } + + /* --- Return --- */ + + return (ok); +} + +static test_chunk defs[] = { + { "rc2", verify, { &type_hex, &type_int, &type_hex, &type_hex, 0 } }, + { 0, 0, { 0 } } +}; + +int main(int argc, char *argv[]) +{ + test_run(argc, argv, defs, SRCDIR"/tests/rc2"); + return (0); +} + +#endif + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rc2.h b/rc2.h new file mode 100644 index 0000000..5217a33 --- /dev/null +++ b/rc2.h @@ -0,0 +1,138 @@ +/* -*-c-*- + * + * $Id: rc2.h,v 1.1 2000/06/17 11:54:34 mdw Exp $ + * + * The RC2 block cipher + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rc2.h,v $ + * Revision 1.1 2000/06/17 11:54:34 mdw + * New cipher. + * + */ + +/*----- Notes on the RC2 block cipher -------------------------------------* + * + * RC2 was designed by Ron Rivest, and for a long time was a trade secret of + * RSA Data Security Inc. Like RC4, it leaked out, and has now been + * described in RFC2268. The RC2 key schedule is known to have some + * weaknesses, although I'm not aware of any major results against the cipher + * itself. I'm also not aware of any legal problems with using the RC2 + * cipher. + * + * The oddest feature in the cipher is the key schedule. It expands the + * initial key material to 128 bytes, and then `brain-damages' it, according + * to a supplied `effective key-bits' parameter, before expanding the + * remaining key material back into the buffer. + * + * The key schedule allows second preimages to be computed trivially. + */ + +#ifndef CATACOMB_RC2_H +#define CATACOMB_RC2_H + +#ifdef __cplusplus + extern "C" { +#endif + +/*----- Header files ------------------------------------------------------*/ + +#include + +#include + +/*----- Magical numbers ---------------------------------------------------*/ + +#define RC2_BLKSZ 8 +#define RC2_KEYSZ 16 +#define RC2_CLASS (N, L, 64) + +extern const octet rc2_keysz[]; + +/*----- Data structures ---------------------------------------------------*/ + +typedef struct rc2_ctx { + uint16 k[64]; +} rc2_ctx; + +/*----- Functions provided ------------------------------------------------*/ + +/* --- @rc2_braindamage@ --- * + * + * Arguments: @rc2_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to key material + * @size_t sz@ = size of key material in bytes + * @unsigned eb@ = desired effective key size, in bits + * + * Returns: --- + * + * Use: Initializes an RC2 expanded key, and braindamages it to the + * requested effective key size. This is here for compatibility + * reasons. You should be using @rc2_init@ in normal code, + * which doesn't actually apply braindamage. + */ + +extern void rc2_braindamage(rc2_ctx */*k*/, const void */*buf*/, + size_t /*sz*/, unsigned /*eb*/); + +/* --- @rc2_init@ --- * + * + * Arguments: @rc2_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to key material + * @size_t sz@ = size of key material in bytes + * + * Returns: --- + * + * Use: Initializes an RC2 expanded key. The effective key size is + * set to be equal to the real key size, in bits. + */ + +extern void rc2_init(rc2_ctx */*k*/, const void */*buf*/, size_t /*sz*/); + +/* --- @rc2_eblk@, @rc2_dblk@ --- * + * + * Arguments: @const rc2_ctx *k@ = pointer to RC2 context + * @const uint32 s[2]@ = pointer to source block + * @const uint32 d[2]@ = pointer to destination block + * + * Returns: --- + * + * Use: Low-level block encryption and decryption. + */ + +extern void rc2_eblk(const rc2_ctx */*k*/, + const uint32 */*s*/, uint32 */*dst*/); +extern void rc2_dblk(const rc2_ctx */*k*/, + const uint32 */*s*/, uint32 */*dst*/); + +/*----- That's all, folks -------------------------------------------------*/ + +#ifdef __cplusplus + } +#endif + +#endif diff --git a/rijndael-mktab.c b/rijndael-mktab.c new file mode 100644 index 0000000..f5df965 --- /dev/null +++ b/rijndael-mktab.c @@ -0,0 +1,378 @@ +/* -*-c-*- + * + * $Id: rijndael-mktab.c,v 1.1 2000/06/17 11:56:07 mdw Exp $ + * + * Build precomputed tables for the Rijndael block cipher + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rijndael-mktab.c,v $ + * Revision 1.1 2000/06/17 11:56:07 mdw + * New cipher. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include +#include +#include + +#include + +/*----- Magic variables ---------------------------------------------------*/ + +static octet s[256], si[256]; +static uint32 t[4][256], ti[4][256]; +static uint32 u[4][256]; +static octet rc[32]; + +/*----- Main code ---------------------------------------------------------*/ + +/* --- @mul@ --- * + * + * Arguments: @unsigned x, y@ = polynomials over %$\mathrm{GF}(2^8)$% + * @unsigned m@ = modulus + * + * Returns: The product of two polynomials. + * + * Use: Computes a product of polynomials, quite slowly. + */ + +static unsigned mul(unsigned x, unsigned y, unsigned m) +{ + unsigned a = 0; + unsigned i; + + for (i = 0; i < 8; i++) { + if (y & 1) + a ^= x; + y >>= 1; + x <<= 1; + if (x & 0x100) + x ^= m; + } + + return (a); +} + +/* --- @sbox@ --- * + * + * Build the S-box. + * + * This is built from multiplicative inversion in the group + * %$\mathrm{GF}(2^8)[x]/p(x)$%, where %$p(x) = x^8 + x^4 + x^3 + x + 1$%, + * followed by an affine transformation treating inputs as vectors over + * %$\mathrm{GF}(2)$%. The result is a horrible function. + * + * The inversion is done slightly sneakily, by building log and antilog + * tables. Let %$a$% be an element of the finite field. If the inverse of + * %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%. Hence + * %$\log a = -\log a^{-1}$%. This saves fiddling about with Euclidean + * algorithm. + */ + +#define S_MOD 0x11b + +static void sbox(void) +{ + octet log[256], alog[256]; + unsigned x; + unsigned i; + unsigned g; + + /* --- Find a suitable generator, and build log tables --- */ + + log[0] = 0; + for (g = 2; g < 256; g++) { + x = 1; + for (i = 0; i < 256; i++) { + log[x] = i; + alog[i] = x; + x = mul(x, g, S_MOD); + if (x == 1 && i != 254) + goto again; + } + goto done; + again:; + } + fprintf(stderr, "couldn't find generator\n"); + exit(EXIT_FAILURE); +done:; + + /* --- Now grind through and do the affine transform --- * + * + * The matrix multiply is an AND and a parity op. The add is an XOR. + */ + + for (i = 0; i < 256; i++) { + unsigned j; + unsigned m = 0xf8; + unsigned v = i ? alog[255 - log[i]] : 0; + + assert(i == 0 || mul(i, v, S_MOD) == 1); + + x = 0; + for (j = 0; j < 8; j++) { + unsigned r; + r = v & m; + r = (r >> 4) ^ r; + r = (r >> 2) ^ r; + r = (r >> 1) ^ r; + x = (x << 1) | (r & 1); + m = ROR8(m, 1); + } + x ^= 0x63; + s[i] = x; + si[x] = i; + } +} + +/* --- @tbox@ --- * + * + * Construct the t tables for doing the round function efficiently. + */ + +static void tbox(void) +{ + unsigned i; + + for (i = 0; i < 256; i++) { + uint32 a, b, c, d; + uint32 w; + + /* --- Build a forwards t-box entry --- */ + + a = s[i]; + b = a << 1; if (b & 0x100) b ^= S_MOD; + c = a ^ b; + w = (b << 0) | (a << 8) | (a << 16) | (c << 24); + t[0][i] = w; + t[1][i] = ROL32(w, 8); + t[2][i] = ROL32(w, 16); + t[3][i] = ROL32(w, 24); + + /* --- Build a backwards t-box entry --- */ + + a = mul(si[i], 0x0e, S_MOD); + b = mul(si[i], 0x09, S_MOD); + c = mul(si[i], 0x0d, S_MOD); + d = mul(si[i], 0x0b, S_MOD); + w = (a << 0) | (b << 8) | (c << 16) | (d << 24); + ti[0][i] = w; + ti[1][i] = ROL32(w, 8); + ti[2][i] = ROL32(w, 16); + ti[3][i] = ROL32(w, 24); + } +} + +/* --- @ubox@ --- * + * + * Construct the tables for performing the decryption key schedule. + */ + +static void ubox(void) +{ + unsigned i; + + for (i = 0; i < 256; i++) { + uint32 a, b, c, d; + uint32 w; + a = mul(i, 0x0e, S_MOD); + b = mul(i, 0x09, S_MOD); + c = mul(i, 0x0d, S_MOD); + d = mul(i, 0x0b, S_MOD); + w = (a << 0) | (b << 8) | (c << 16) | (d << 24); + u[0][i] = w; + u[1][i] = ROL32(w, 8); + u[2][i] = ROL32(w, 16); + u[3][i] = ROL32(w, 24); + } +} + +/* --- Round constants --- */ + +void rcon(void) +{ + unsigned r = 1; + int i; + + for (i = 0; i < sizeof(rc); i++) { + rc[i] = r; + r <<= 1; + if (r & 0x100) + r ^= S_MOD; + } +} + +/* --- @main@ --- */ + +int main(void) +{ + int i, j; + + puts("\ +/* -*-c-*-\n\ + *\n\ + * Rijndael tables [generated]\n\ + */\n\ +\n\ +#ifndef CATACOMB_RIJNDAEL_TAB_H\n\ +#define CATACOMB_RIJNDAEL_TAB_H\n\ +"); + + /* --- Write out the S-box --- */ + + sbox(); + fputs("\ +/* --- The byte substitution and its inverse --- */\n\ +\n\ +#define RIJNDAEL_S { \\\n\ + ", stdout); + for (i = 0; i < 256; i++) { + printf("0x%02x", s[i]); + if (i == 255) + fputs(" \\\n}\n\n", stdout); + else if (i % 8 == 7) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + + fputs("\ +#define RIJNDAEL_SI { \\\n\ + ", stdout); + for (i = 0; i < 256; i++) { + printf("0x%02x", si[i]); + if (i == 255) + fputs(" \\\n}\n\n", stdout); + else if (i % 8 == 7) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + + /* --- Write out the big t tables --- */ + + tbox(); + fputs("\ +/* --- The big round tables --- */\n\ +\n\ +#define RIJNDAEL_T { \\\n\ + { ", stdout); + for (j = 0; j < 4; j++) { + for (i = 0; i < 256; i++) { + printf("0x%08x", t[j][i]); + if (i == 255) { + if (j == 3) + fputs(" } \\\n}\n\n", stdout); + else + fputs(" }, \\\n\ + \\\n\ + { ", stdout); + } else if (i % 4 == 3) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + } + + fputs("\ +#define RIJNDAEL_TI { \\\n\ + { ", stdout); + for (j = 0; j < 4; j++) { + for (i = 0; i < 256; i++) { + printf("0x%08x", ti[j][i]); + if (i == 255) { + if (j == 3) + fputs(" } \\\n}\n\n", stdout); + else + fputs(" }, \\\n\ + \\\n\ + { ", stdout); + } else if (i % 4 == 3) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + } + + /* --- Write out the big u tables --- */ + + ubox(); + fputs("\ +/* --- The decryption key schedule tables --- */\n\ +\n\ +#define RIJNDAEL_U { \\\n\ + { ", stdout); + for (j = 0; j < 4; j++) { + for (i = 0; i < 256; i++) { + printf("0x%08x", u[j][i]); + if (i == 255) { + if (j == 3) + fputs(" } \\\n}\n\n", stdout); + else + fputs(" }, \\\n\ + \\\n\ + { ", stdout); + } else if (i % 4 == 3) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + } + + /* --- Round constants --- */ + + rcon(); + fputs("\ +/* --- The round constants --- */\n\ +\n\ +#define RIJNDAEL_RCON { \\\n\ + ", stdout); + for (i = 0; i < sizeof(rc); i++) { + printf("0x%02x", rc[i]); + if (i == sizeof(rc) - 1) + fputs(" \\\n}\n\n", stdout); + else if (i % 8 == 7) + fputs(", \\\n ", stdout); + else + fputs(", ", stdout); + } + + /* --- Done --- */ + + puts("#endif"); + + if (fclose(stdout)) { + fprintf(stderr, "error writing data\n"); + exit(EXIT_FAILURE); + } + + return (0); +} + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rijndael.c b/rijndael.c new file mode 100644 index 0000000..66797d5 --- /dev/null +++ b/rijndael.c @@ -0,0 +1,265 @@ +/* -*-c-*- + * + * $Id: rijndael.c,v 1.1 2000/06/17 11:56:07 mdw Exp $ + * + * The Rijndael block cipher + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rijndael.c,v $ + * Revision 1.1 2000/06/17 11:56:07 mdw + * New cipher. + * + */ + +/*----- Header files ------------------------------------------------------*/ + +#include +#include + +#include + +#include "blkc.h" +#include "gcipher.h" +#include "rijndael.h" +#include "rijndael-tab.h" + +/*----- Global variables --------------------------------------------------*/ + +const octet rijndael_keysz[] = { KSZ_RANGE, RIJNDAEL_KEYSZ, 4, 32, 4 }; + +/*----- Constant tables ---------------------------------------------------*/ + +static const octet S[256] = RIJNDAEL_S, SI[256] = RIJNDAEL_SI; +static const uint32 T[4][256] = RIJNDAEL_T, TI[4][256] = RIJNDAEL_TI; +static const uint32 U[4][256] = RIJNDAEL_U; +static const octet rcon[] = RIJNDAEL_RCON; + +/*----- Main code ---------------------------------------------------------*/ + +#define BYTESUB(x, s) \ + (s[U8((x) >> 24)] << 24 | s[U8((x) >> 16)] << 16 | \ + s[U8((x) >> 8)] << 8 | s[U8((x) >> 0)] << 0) + +/* --- @rijndael_init@ --- * + * + * Arguments: @rijndael_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to buffer of key material + * @size_t sz@ = size of the key material + * + * Returns: --- + * + * Use: Initializes a Rijndael context with a particular key. This + * implementation of Rijndael doesn't impose any particular + * limits on the key size except that it must be multiple of 4 + * bytes long. 256 bits seems sensible, though. + */ + +void rijndael_init(rijndael_ctx *k, const void *buf, size_t sz) +{ + unsigned nk, nr, nw; + unsigned i, j, jj; + const octet *p; + uint32 ww; + + /* --- Sort out the key size --- */ + + KSZ_ASSERT(rijndael, sz); + nk = sz / 4; + + /* --- Select the number of rounds --- */ + + if (nk < 5) + nr = 10; + else if (nk > 7) + nr = 14; + else + nr = 12; + k->nr = nr; + + /* --- Fetch the first key words out --- */ + + p = buf; + for (i = 0; i < nk; i++) { + k->w[i] = LOAD32_L(p); + p += 4; + } + + /* --- Expand this material to fill the rest of the table --- */ + + nw = (nr + 1) * (RIJNDAEL_BLKSZ / 4); + ww = k->w[i - 1]; + p = rcon; + for (; i < nw; i++) { + uint32 w = k->w[i - nk]; + if (i % nk == 0) { + ww = ROR32(ww, 8); + w ^= BYTESUB(ww, S) ^ *p++; + } else if (nk > 6 && i % nk == 4) + w ^= BYTESUB(ww, S); + else + w ^= ww; + k->w[i] = ww = w; + } + + /* --- Make the decryption keys --- */ + + j = nw; + + j -= RIJNDAEL_BLKSZ / 4; jj = 0; + for (i = 0; i < RIJNDAEL_BLKSZ / 4; i++) + k->wi[i] = k->w[j + jj++]; + + for (; i < nw - RIJNDAEL_BLKSZ / 4; i += RIJNDAEL_BLKSZ / 4) { + j -= RIJNDAEL_BLKSZ / 4; + for (jj = 0; jj < RIJNDAEL_BLKSZ / 4; jj++) { + uint32 w = k->w[j + jj]; + k->wi[i + jj] = (U[0][U8(w >> 0)] ^ U[1][U8(w >> 8)] ^ + U[2][U8(w >> 16)] ^ U[3][U8(w >> 24)]); + } + } + + j -= RIJNDAEL_BLKSZ / 4; jj = 0; + for (; i < nw; i++) + k->wi[i] = k->w[j + jj++]; +} + +/* --- @rijndael_eblk@, @rijndael_dblk@ --- * + * + * Arguments: @const rijndael_ctx *k@ = pointer to Rijndael context + * @const uint32 s[4]@ = pointer to source block + * @uint32 d[4]@ = pointer to destination block + * + * Returns: --- + * + * Use: Low-level block encryption and decryption. + */ + +#define EROUND(aa, bb, cc, dd, a, b, c, d, w) do { \ + aa = (T[0][U8(a >> 0)] ^ T[1][U8(b >> 8)] ^ \ + T[2][U8(c >> 16)] ^ T[3][U8(d >> 24)]) ^ *w++; \ + bb = (T[0][U8(b >> 0)] ^ T[1][U8(c >> 8)] ^ \ + T[2][U8(d >> 16)] ^ T[3][U8(a >> 24)]) ^ *w++; \ + cc = (T[0][U8(c >> 0)] ^ T[1][U8(d >> 8)] ^ \ + T[2][U8(a >> 16)] ^ T[3][U8(b >> 24)]) ^ *w++; \ + dd = (T[0][U8(d >> 0)] ^ T[1][U8(a >> 8)] ^ \ + T[2][U8(b >> 16)] ^ T[3][U8(c >> 24)]) ^ *w++; \ +} while (0) + +#define DROUND(aa, bb, cc, dd, a, b, c, d, w) do { \ + aa = (TI[0][U8(a >> 0)] ^ TI[1][U8(d >> 8)] ^ \ + TI[2][U8(c >> 16)] ^ TI[3][U8(b >> 24)]) ^ *w++; \ + bb = (TI[0][U8(b >> 0)] ^ TI[1][U8(a >> 8)] ^ \ + TI[2][U8(d >> 16)] ^ TI[3][U8(c >> 24)]) ^ *w++; \ + cc = (TI[0][U8(c >> 0)] ^ TI[1][U8(b >> 8)] ^ \ + TI[2][U8(a >> 16)] ^ TI[3][U8(d >> 24)]) ^ *w++; \ + dd = (TI[0][U8(d >> 0)] ^ TI[1][U8(c >> 8)] ^ \ + TI[2][U8(b >> 16)] ^ TI[3][U8(a >> 24)]) ^ *w++; \ +} while (0) + +void rijndael_eblk(const rijndael_ctx *k, const uint32 *s, uint32 *dst) +{ + uint32 a = s[0], b = s[1], c = s[2], d = s[3]; + uint32 aa, bb, cc, dd; + uint32 *w = k->w; + + a ^= *w++; b ^= *w++; c ^= *w++; d ^= *w++; + + switch (k->nr) { + case 14: + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + case 12: + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + case 10: + default: + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + EROUND(aa, bb, cc, dd, a, b, c, d, w); + EROUND(a, b, c, d, aa, bb, cc, dd, w); + EROUND(aa, bb, cc, dd, a, b, c, d, w); + } + + a = ((S[U8(aa >> 0)] << 0) ^ (S[U8(bb >> 8)] << 8) ^ + (S[U8(cc >> 16)] << 16) ^ (S[U8(dd >> 24)] << 24)) ^ *w++; + b = ((S[U8(bb >> 0)] << 0) ^ (S[U8(cc >> 8)] << 8) ^ + (S[U8(dd >> 16)] << 16) ^ (S[U8(aa >> 24)] << 24)) ^ *w++; + c = ((S[U8(cc >> 0)] << 0) ^ (S[U8(dd >> 8)] << 8) ^ + (S[U8(aa >> 16)] << 16) ^ (S[U8(bb >> 24)] << 24)) ^ *w++; + d = ((S[U8(dd >> 0)] << 0) ^ (S[U8(aa >> 8)] << 8) ^ + (S[U8(bb >> 16)] << 16) ^ (S[U8(cc >> 24)] << 24)) ^ *w++; + + dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d; +} + +void rijndael_dblk(const rijndael_ctx *k, const uint32 *s, uint32 *dst) +{ + uint32 a = s[0], b = s[1], c = s[2], d = s[3]; + uint32 aa, bb, cc, dd; + uint32 *w = k->wi; + + a ^= *w++; b ^= *w++; c ^= *w++; d ^= *w++; + + switch (k->nr) { + case 14: + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + case 12: + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + case 10: + default: + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + DROUND(aa, bb, cc, dd, a, b, c, d, w); + DROUND(a, b, c, d, aa, bb, cc, dd, w); + DROUND(aa, bb, cc, dd, a, b, c, d, w); + } + + a = ((SI[U8(aa >> 0)] << 0) ^ (SI[U8(dd >> 8)] << 8) ^ + (SI[U8(cc >> 16)] << 16) ^ (SI[U8(bb >> 24)] << 24)) ^ *w++; + b = ((SI[U8(bb >> 0)] << 0) ^ (SI[U8(aa >> 8)] << 8) ^ + (SI[U8(dd >> 16)] << 16) ^ (SI[U8(cc >> 24)] << 24)) ^ *w++; + c = ((SI[U8(cc >> 0)] << 0) ^ (SI[U8(bb >> 8)] << 8) ^ + (SI[U8(aa >> 16)] << 16) ^ (SI[U8(dd >> 24)] << 24)) ^ *w++; + d = ((SI[U8(dd >> 0)] << 0) ^ (SI[U8(cc >> 8)] << 8) ^ + (SI[U8(bb >> 16)] << 16) ^ (SI[U8(aa >> 24)] << 24)) ^ *w++; + + dst[0] = a; dst[1] = b; dst[2] = c; dst[3] = d; +} + +BLKC_TEST(RIJNDAEL, rijndael) + +/*----- That's all, folks -------------------------------------------------*/ diff --git a/rijndael.h b/rijndael.h new file mode 100644 index 0000000..155f7a6 --- /dev/null +++ b/rijndael.h @@ -0,0 +1,120 @@ +/* -*-c-*- + * + * $Id: rijndael.h,v 1.1 2000/06/17 11:56:07 mdw Exp $ + * + * The Rijndael block cipher + * + * (c) 2000 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Revision history --------------------------------------------------* + * + * $Log: rijndael.h,v $ + * Revision 1.1 2000/06/17 11:56:07 mdw + * New cipher. + * + */ + +/*----- Notes on the Rijndael block cipher --------------------------------* + * + * Invented by Joan Daemen and Vincent Rijmen, Rijndael is a fast and + * relatively simple 128-bit block cipher proposed by the designers as an AES + * candidate. At the time of writing, the AES winner hasn't been decided. + * Rijnadel is fast, but has a low security margin. I recommend waiting + * before using Rijndael for any sensitive applications. + */ + +#ifndef CATACOMB_RIJNDAEL_H +#define CATACOMB_RIJNDAEL_H + +#ifdef __cplusplus + extern "C" { +#endif + +/*----- Header files ------------------------------------------------------*/ + +#include + +#include + +/*----- Magical numbers ---------------------------------------------------*/ + +#define RIJNDAEL_BLKSZ 16 +#define RIJNDAEL_KEYSZ 32 +#define RIJNDAEL_CLASS (N, L, 128) + +extern const octet rijndael_keysz[]; + +/*----- Data structures ---------------------------------------------------*/ + +#define RIJNDAEL_MAXROUNDS 32 +#define RIJNDAEL_KWORDS ((RIJNDAEL_MAXROUNDS + 1) * (RIJNDAEL_BLKSZ / 4)) + +typedef struct rijndael_ctx { + unsigned nr; + uint32 w[RIJNDAEL_KWORDS]; + uint32 wi[RIJNDAEL_KWORDS]; +} rijndael_ctx; + +/*----- Functions provided ------------------------------------------------*/ + +/* --- @rijndael_init@ --- * + * + * Arguments: @rijndael_ctx *k@ = pointer to context to initialize + * @const void *buf@ = pointer to buffer of key material + * @size_t sz@ = size of the key material + * + * Returns: --- + * + * Use: Initializes a Rijndael context with a particular key. This + * implementation of Rijndael doesn't impose any particular + * limits on the key size except that it must be multiple of 4 + * bytes long. 256 bits seems sensible, though. + */ + +extern void rijndael_init(rijndael_ctx */*k*/, + const void */*buf*/, size_t /*sz*/); + +/* --- @rijndael_eblk@, @rijndael_dblk@ --- * + * + * Arguments: @const rijndael_ctx *k@ = pointer to Rijndael context + * @const uint32 s[4]@ = pointer to source block + * @uint32 d[4]@ = pointer to destination block + * + * Returns: --- + * + * Use: Low-level block encryption and decryption. + */ + +extern void rijndael_eblk(const rijndael_ctx */*k*/, + const uint32 */*s*/, uint32 */*dst*/); +extern void rijndael_dblk(const rijndael_ctx */*k*/, + const uint32 */*s*/, uint32 */*dst*/); + +/*----- That's all, folks -------------------------------------------------*/ + +#ifdef __cplusplus + } +#endif + +#endif -- 2.11.0