File Coverage

src/symcipher/aes_ct.c

Criterion	Covered	Total	%
statement	0	201	0.0
branch	0	20	0.0
condition			n/a
subroutine			n/a
pod			n/a
total	0	221	0.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2016 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			/* see inner.h */
28			void
29	0		br_aes_ct_bitslice_Sbox(uint32_t *q)
30			{
31			/*
32			* This S-box implementation is a straightforward translation of
33			* the circuit described by Boyar and Peralta in "A new
34			* combinational logic minimization technique with applications
35			* to cryptology" (https://eprint.iacr.org/2009/191.pdf).
36			*
37			* Note that variables x* (input) and s* (output) are numbered
38			* in "reverse" order (x0 is the high bit, x7 is the low bit).
39			*/
40
41			uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
42			uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
43			uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
44			uint32_t y20, y21;
45			uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
46			uint32_t z10, z11, z12, z13, z14, z15, z16, z17;
47			uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
48			uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
49			uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
50			uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
51			uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
52			uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
53			uint32_t t60, t61, t62, t63, t64, t65, t66, t67;
54			uint32_t s0, s1, s2, s3, s4, s5, s6, s7;
55
56	0		x0 = q[7];
57	0		x1 = q[6];
58	0		x2 = q[5];
59	0		x3 = q[4];
60	0		x4 = q[3];
61	0		x5 = q[2];
62	0		x6 = q[1];
63	0		x7 = q[0];
64
65			/*
66			* Top linear transformation.
67			*/
68	0		y14 = x3 ^ x5;
69	0		y13 = x0 ^ x6;
70	0		y9 = x0 ^ x3;
71	0		y8 = x0 ^ x5;
72	0		t0 = x1 ^ x2;
73	0		y1 = t0 ^ x7;
74	0		y4 = y1 ^ x3;
75	0		y12 = y13 ^ y14;
76	0		y2 = y1 ^ x0;
77	0		y5 = y1 ^ x6;
78	0		y3 = y5 ^ y8;
79	0		t1 = x4 ^ y12;
80	0		y15 = t1 ^ x5;
81	0		y20 = t1 ^ x1;
82	0		y6 = y15 ^ x7;
83	0		y10 = y15 ^ t0;
84	0		y11 = y20 ^ y9;
85	0		y7 = x7 ^ y11;
86	0		y17 = y10 ^ y11;
87	0		y19 = y10 ^ y8;
88	0		y16 = t0 ^ y11;
89	0		y21 = y13 ^ y16;
90	0		y18 = x0 ^ y16;
91
92			/*
93			* Non-linear section.
94			*/
95	0		t2 = y12 & y15;
96	0		t3 = y3 & y6;
97	0		t4 = t3 ^ t2;
98	0		t5 = y4 & x7;
99	0		t6 = t5 ^ t2;
100	0		t7 = y13 & y16;
101	0		t8 = y5 & y1;
102	0		t9 = t8 ^ t7;
103	0		t10 = y2 & y7;
104	0		t11 = t10 ^ t7;
105	0		t12 = y9 & y11;
106	0		t13 = y14 & y17;
107	0		t14 = t13 ^ t12;
108	0		t15 = y8 & y10;
109	0		t16 = t15 ^ t12;
110	0		t17 = t4 ^ t14;
111	0		t18 = t6 ^ t16;
112	0		t19 = t9 ^ t14;
113	0		t20 = t11 ^ t16;
114	0		t21 = t17 ^ y20;
115	0		t22 = t18 ^ y19;
116	0		t23 = t19 ^ y21;
117	0		t24 = t20 ^ y18;
118
119	0		t25 = t21 ^ t22;
120	0		t26 = t21 & t23;
121	0		t27 = t24 ^ t26;
122	0		t28 = t25 & t27;
123	0		t29 = t28 ^ t22;
124	0		t30 = t23 ^ t24;
125	0		t31 = t22 ^ t26;
126	0		t32 = t31 & t30;
127	0		t33 = t32 ^ t24;
128	0		t34 = t23 ^ t33;
129	0		t35 = t27 ^ t33;
130	0		t36 = t24 & t35;
131	0		t37 = t36 ^ t34;
132	0		t38 = t27 ^ t36;
133	0		t39 = t29 & t38;
134	0		t40 = t25 ^ t39;
135
136	0		t41 = t40 ^ t37;
137	0		t42 = t29 ^ t33;
138	0		t43 = t29 ^ t40;
139	0		t44 = t33 ^ t37;
140	0		t45 = t42 ^ t41;
141	0		z0 = t44 & y15;
142	0		z1 = t37 & y6;
143	0		z2 = t33 & x7;
144	0		z3 = t43 & y16;
145	0		z4 = t40 & y1;
146	0		z5 = t29 & y7;
147	0		z6 = t42 & y11;
148	0		z7 = t45 & y17;
149	0		z8 = t41 & y10;
150	0		z9 = t44 & y12;
151	0		z10 = t37 & y3;
152	0		z11 = t33 & y4;
153	0		z12 = t43 & y13;
154	0		z13 = t40 & y5;
155	0		z14 = t29 & y2;
156	0		z15 = t42 & y9;
157	0		z16 = t45 & y14;
158	0		z17 = t41 & y8;
159
160			/*
161			* Bottom linear transformation.
162			*/
163	0		t46 = z15 ^ z16;
164	0		t47 = z10 ^ z11;
165	0		t48 = z5 ^ z13;
166	0		t49 = z9 ^ z10;
167	0		t50 = z2 ^ z12;
168	0		t51 = z2 ^ z5;
169	0		t52 = z7 ^ z8;
170	0		t53 = z0 ^ z3;
171	0		t54 = z6 ^ z7;
172	0		t55 = z16 ^ z17;
173	0		t56 = z12 ^ t48;
174	0		t57 = t50 ^ t53;
175	0		t58 = z4 ^ t46;
176	0		t59 = z3 ^ t54;
177	0		t60 = t46 ^ t57;
178	0		t61 = z14 ^ t57;
179	0		t62 = t52 ^ t58;
180	0		t63 = t49 ^ t58;
181	0		t64 = z4 ^ t59;
182	0		t65 = t61 ^ t62;
183	0		t66 = z1 ^ t63;
184	0		s0 = t59 ^ t63;
185	0		s6 = t56 ^ ~t62;
186	0		s7 = t48 ^ ~t60;
187	0		t67 = t64 ^ t65;
188	0		s3 = t53 ^ t66;
189	0		s4 = t51 ^ t66;
190	0		s5 = t47 ^ t65;
191	0		s1 = t64 ^ ~s3;
192	0		s2 = t55 ^ ~t67;
193
194	0		q[7] = s0;
195	0		q[6] = s1;
196	0		q[5] = s2;
197	0		q[4] = s3;
198	0		q[3] = s4;
199	0		q[2] = s5;
200	0		q[1] = s6;
201	0		q[0] = s7;
202	0		}
203
204			/* see inner.h */
205			void
206	0		br_aes_ct_ortho(uint32_t *q)
207			{
208			#define SWAPN(cl, ch, s, x, y) do { \
209			uint32_t a, b; \
210			a = (x); \
211			b = (y); \
212			(x) = (a & (uint32_t)cl) \| ((b & (uint32_t)cl) << (s)); \
213			(y) = ((a & (uint32_t)ch) >> (s)) \| (b & (uint32_t)ch); \
214			} while (0)
215
216			#define SWAP2(x, y) SWAPN(0x55555555, 0xAAAAAAAA, 1, x, y)
217			#define SWAP4(x, y) SWAPN(0x33333333, 0xCCCCCCCC, 2, x, y)
218			#define SWAP8(x, y) SWAPN(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
219
220	0		SWAP2(q[0], q[1]);
221	0		SWAP2(q[2], q[3]);
222	0		SWAP2(q[4], q[5]);
223	0		SWAP2(q[6], q[7]);
224
225	0		SWAP4(q[0], q[2]);
226	0		SWAP4(q[1], q[3]);
227	0		SWAP4(q[4], q[6]);
228	0		SWAP4(q[5], q[7]);
229
230	0		SWAP8(q[0], q[4]);
231	0		SWAP8(q[1], q[5]);
232	0		SWAP8(q[2], q[6]);
233	0		SWAP8(q[3], q[7]);
234	0		}
235
236			static const unsigned char Rcon[] = {
237			0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
238			};
239
240			static uint32_t
241	0		sub_word(uint32_t x)
242			{
243			uint32_t q[8];
244			int i;
245
246	0	0	for (i = 0; i < 8; i ++) {
247	0		q[i] = x;
248			}
249	0		br_aes_ct_ortho(q);
250	0		br_aes_ct_bitslice_Sbox(q);
251	0		br_aes_ct_ortho(q);
252	0		return q[0];
253			}
254
255			/* see inner.h */
256			unsigned
257	0		br_aes_ct_keysched(uint32_t comp_skey, const void key, size_t key_len)
258			{
259			unsigned num_rounds;
260			int i, j, k, nk, nkf;
261			uint32_t tmp;
262			uint32_t skey[120];
263
264	0		switch (key_len) {
265	0		case 16:
266	0		num_rounds = 10;
267	0		break;
268	0		case 24:
269	0		num_rounds = 12;
270	0		break;
271	0		case 32:
272	0		num_rounds = 14;
273	0		break;
274	0		default:
275			/* abort(); */
276	0		return 0;
277			}
278	0		nk = (int)(key_len >> 2);
279	0		nkf = (int)((num_rounds + 1) << 2);
280	0		tmp = 0;
281	0	0	for (i = 0; i < nk; i ++) {
282	0		tmp = br_dec32le((const unsigned char *)key + (i << 2));
283	0		skey[(i << 1) + 0] = tmp;
284	0		skey[(i << 1) + 1] = tmp;
285			}
286	0	0	for (i = nk, j = 0, k = 0; i < nkf; i ++) {
287	0	0	if (j == 0) {
288	0		tmp = (tmp << 24) \| (tmp >> 8);
289	0		tmp = sub_word(tmp) ^ Rcon[k];
290	0	0	} else if (nk > 6 && j == 4) {
		0
291	0		tmp = sub_word(tmp);
292			}
293	0		tmp ^= skey[(i - nk) << 1];
294	0		skey[(i << 1) + 0] = tmp;
295	0		skey[(i << 1) + 1] = tmp;
296	0	0	if (++ j == nk) {
297	0		j = 0;
298	0		k ++;
299			}
300			}
301	0	0	for (i = 0; i < nkf; i += 4) {
302	0		br_aes_ct_ortho(skey + (i << 1));
303			}
304	0	0	for (i = 0, j = 0; i < nkf; i ++, j += 2) {
305	0		comp_skey[i] = (skey[j + 0] & 0x55555555)
306	0		\| (skey[j + 1] & 0xAAAAAAAA);
307			}
308	0		return num_rounds;
309			}
310
311			/* see inner.h */
312			void
313	0		br_aes_ct_skey_expand(uint32_t *skey,
314			unsigned num_rounds, const uint32_t *comp_skey)
315			{
316			unsigned u, v, n;
317
318	0		n = (num_rounds + 1) << 2;
319	0	0	for (u = 0, v = 0; u < n; u ++, v += 2) {
320			uint32_t x, y;
321
322	0		x = y = comp_skey[u];
323	0		x &= 0x55555555;
324	0		skey[v + 0] = x \| (x << 1);
325	0		y &= 0xAAAAAAAA;
326	0		skey[v + 1] = y \| (y >> 1);
327			}
328	0		}