Commit 1ce363fe authored by obronchain's avatar obronchain

fixing some bugs, cst addition on LS and bundles and avoid loop unrolling

parent 3ba6f927
......@@ -23,7 +23,7 @@
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
......@@ -39,7 +39,7 @@
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
// Apply a S-box layer to a Clyde-128 state.
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
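Review bot: `#include "primitives.c"` on the line after `#include "primitives.h"` pulls one translation unit into another, and the same include is added to shadow_128bit.c later in this commit; if both files are ever built into a single unit (the CLYDE_TYPE/SHADOW_TYPE macros in primitives.h suggest a parent file includes the .c files), the now-`static` sbox_layer/lbox/dbox_mls_layer definitions would be defined twice and the build would fail with redefinition errors. If the aim is cross-file inlining, an include guard in primitives.c (`#ifndef PRIMITIVES_C_INCLUDED` / `#define PRIMITIVES_C_INCLUDED` / `#endif`) makes a second inclusion harmless; the alternative is to keep one definition per unit and rely on LTO. clyde128_encrypt's body continues outside the hunk.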
......
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
int crypto_aead_encrypt(unsigned char* c, unsigned int* clen,
const unsigned char* m, unsigned int mlen,
const unsigned char* ad, unsigned int adlen,
const unsigned char* nsec, const unsigned char* npub,
const unsigned char* k);
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
int crypto_aead_decrypt(unsigned char* m, unsigned int* mlen,
unsigned char* nsec, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
unsigned int clen, const unsigned char* ad,
unsigned int adlen, const unsigned char* npub,
const unsigned char* k);
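Review bot: Narrowing the `crypto_aead_encrypt`/`crypto_aead_decrypt` length parameters and the `clen`/`mlen` out-pointers from `unsigned long long` to `unsigned int` changes the ABI of what is normally the fixed NIST/SUPERCOP entry point; a harness compiled against the standard prototype would pass 64-bit lengths and read `*clen` back as 64 bits, of which the new code only writes the low 32. The same narrowing is repeated in encrypt.c, s1p.c and s1p.h below. If 32-bit lengths are wanted internally, keep the public prototypes as they were and bound-check at the boundary before calling s1p_encrypt/s1p_decrypt, `if (mlen > UINT_MAX - CLYDE128_NBYTES || adlen > UINT_MAX) return -1;`, and declare the internal byte counts as `size_t` rather than `unsigned int`.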
......@@ -19,9 +19,9 @@
#endif
// Spook encryption.
int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
const unsigned char* m, unsigned long long mlen,
const unsigned char* ad, unsigned long long adlen,
int crypto_aead_encrypt(unsigned char* c, unsigned int* clen,
const unsigned char* m, unsigned int mlen,
const unsigned char* ad, unsigned int adlen,
const unsigned char* nsec UNUSED,
const unsigned char* npub, const unsigned char* k) {
unsigned char p[P_NBYTES];
......@@ -32,10 +32,10 @@ int crypto_aead_encrypt(unsigned char* c, unsigned long long* clen,
}
// Spook encryption.
int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
int crypto_aead_decrypt(unsigned char* m, unsigned int* mlen,
unsigned char* nsec UNUSED, const unsigned char* c,
unsigned long long clen, const unsigned char* ad,
unsigned long long adlen, const unsigned char* npub,
unsigned int clen, const unsigned char* ad,
unsigned int adlen, const unsigned char* npub,
const unsigned char* k) {
unsigned char p[P_NBYTES];
const unsigned char* k_priv;
......
#include "primitives.h"
// Apply a S-box layer to a Clyde-128 state.
void sbox_layer(uint32_t* state) {
static void sbox_layer(uint32_t* state) {
uint32_t y1 = (state[0] & state[1]) ^ state[2];
uint32_t y0 = (state[3] & state[0]) ^ state[1];
uint32_t y3 = (y1 & state[3]) ^ state[0];
......@@ -13,7 +13,7 @@ void sbox_layer(uint32_t* state) {
}
// Apply a L-box to a pair of Clyde-128 rows.
void lbox(uint32_t* x, uint32_t* y) {
static void lbox(uint32_t* x, uint32_t* y) {
uint32_t a, b, c, d;
a = *x ^ ROT32(*x, 12);
b = *y ^ ROT32(*y, 12);
......@@ -34,17 +34,19 @@ void lbox(uint32_t* x, uint32_t* y) {
#if (DBOX==8)
static uint32_t xtime(uint32_t x) {
uint32_t x_msk1 = x & 0x80808080;
uint32_t x_msk2 = x & 0xefefefef;
return ((x_msk2 << 1) | (x_msk1 >> 7)) ^ (x_msk1 >> (8-1));
uint32_t x_msk2 = x & 0x7f7f7f7f;
return ((x_msk2 << 1) | (x_msk1 >> 7)) ^ (x_msk1 >> (5));
}
#elif (DBOX==32)
static uint32_t xtime(uint32_t x) {
return ((x << 1) | (x >> 31)) ^ (x >> (31-8));
uint32_t tmp = ROTL(x,1);
return tmp ^ ((x >> (31-8))& ~0xff);
}
#endif
// Apply a D-box layer to a Shadow state.
void dbox_mls_layer(shadow_state state) {
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x = state[0][row];
......@@ -91,7 +93,10 @@ void dbox_mls_layer(shadow_state state) {
state[1][row] = w2;
state[2][row] = w3 ^ w4;
state[3][row] = w4;
state[0][row] ^= ROTL(*lfsr,8*row);
#endif // DBOX
#endif // SMALL_PERM
}
}
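Review bot: In the new `dbox_mls_layer(shadow_state state,uint32_t *lfsr)` the only visible use of `lfsr` is the read `ROTL(*lfsr,8*row)`, so the parameter should be `const uint32_t *lfsr` (or a plain `uint32_t` by value) unless the cut-off middle of the function writes it; as written, a caller cannot tell from the prototype whether the LFSR is advanced here or in shadow(). The rewritten `xtime` bodies would also benefit from a comment on their masks, e.g. `// 0x80808080: outgoing top bit of each byte; 0x7f7f7f7f keeps the shift inside the byte lane; >>7 and >>5 fold that bit back into bits 0 and 2`, since the old `0xefefefef` mask is exactly the kind of slip such a note guards against. Note also that `ROTL` does not parenthesize its arguments; `ROTL(*lfsr,8*row)` happens to parse correctly, but a compound argument would not. The dbox_mls_layer body between the two hunks is outside view.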
......@@ -17,6 +17,15 @@
#define CLYDE128_NBYTES 16
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 31)))
#ifndef SHCST
#define SHCST -1
#endif
#ifndef DBOX
#define DBOX -1
#endif
#if SMALL_PERM
#define SHADOW_NBYTES 48
#else
......@@ -28,9 +37,6 @@
#define MLS_BUNDLES \
(SHADOW_NBYTES / (LS_ROWS* LS_ROW_BYTES)) // Bundles in the mLS design
#define CLYDE_TYPE "clyde_32bit.c"
#define SHADOW_TYPE "shadow_128bit.c"
#define ROT32(x,n) ((uint32_t)(((x)>>(n))|((x)<<(32-(n)))))
typedef __attribute__((aligned(16))) uint32_t clyde128_state[LS_ROWS];
typedef __attribute__((aligned(64))) clyde128_state shadow_state[MLS_BUNDLES];
......@@ -39,8 +45,8 @@ void clyde128_encrypt(clyde128_state state,
const clyde128_state t, const unsigned char* k);
void shadow(shadow_state state);
void sbox_layer(uint32_t* state);
void dbox_mls_layer(shadow_state state);
void lbox(uint32_t* x, uint32_t* y);
static void sbox_layer(uint32_t* state);
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr);
static void lbox(uint32_t* x, uint32_t* y);
#endif //_H_PRIMITIVES_H_
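Review bot: The new `#define SHCST -1` / `#define DBOX -1` fallbacks select none of the `#if (SHCST==1/8/32)` and `#if (DBOX==8/32)` branches, so a build that forgets `-DDBOX`/`-DSHCST` either fails with an undefined `xtime`/`XORCST` or, depending on what those guards enclose in primitives.c and shadow_128bit.c, silently builds a permutation without the D-box and round-constant addition that still links and runs. A hard failure is the safer default: `#ifndef DBOX` / `#error "DBOX must be defined as 8 or 32"` / `#endif`, and likewise for SHCST. The `static` prototypes added to this header (`static void sbox_layer(uint32_t* state);` etc.) mean every file that includes primitives.h without also including primitives.c gets a declared-but-undefined static function warning; if these are now internal to primitives.c, drop them from the header. Finally `ROTL(x, n)` uses `x` and `n` unparenthesized, so `ROTL(a ^ b, 1)` would expand wrongly; parenthesize as the neighbouring `ROT32` does.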
......@@ -40,19 +40,19 @@ typedef enum {
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n);
unsigned int offset, unsigned int n);
static unsigned long long compress_data(shadow_state state,
static unsigned int compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
unsigned int dlen,
compress_mode mode);
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
static void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n);
const unsigned char* src2, unsigned int n);
void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
const unsigned char *k_glob) {
......@@ -80,9 +80,9 @@ static void init_sponge_state(shadow_state state,
shadow(state);
}
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
void s1p_encrypt(unsigned char *c, unsigned int *clen,
const unsigned char *ad, unsigned int adlen,
const unsigned char *m, unsigned int mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
......@@ -93,7 +93,7 @@ void s1p_encrypt(unsigned char *c, unsigned long long *clen,
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long c_bytes = 0;
unsigned int c_bytes = 0;
if (mlen > 0) {
state[RATE_BUNDLES][0] ^= 0x01;
c_bytes = compress_data(state, c, m, mlen, PLAINTEXT);
......@@ -106,9 +106,9 @@ void s1p_encrypt(unsigned char *c, unsigned long long *clen,
*clen = c_bytes + CLYDE128_NBYTES;
}
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
int s1p_decrypt(unsigned char *m, unsigned int *mlen,
const unsigned char *ad, unsigned int adlen,
const unsigned char *c, unsigned int clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// permutation state
......@@ -119,7 +119,7 @@ int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
compress_data(state, NULL, ad, adlen, AD);
// compress message
unsigned long long m_bytes = 0;
unsigned int m_bytes = 0;
if (clen > CLYDE128_NBYTES) {
state[RATE_BUNDLES][0] ^= 0x01;
m_bytes = compress_data(state, m, c, clen - CLYDE128_NBYTES, CIPHERTEXT);
......@@ -151,7 +151,7 @@ int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
// Only the XOR operation is performed, not XORing of padding constants.
static void compress_block(unsigned char *state, unsigned char *out,
const unsigned char *d, compress_mode mode,
unsigned long long offset, unsigned long long n) {
unsigned int offset, unsigned int n) {
if (mode == CIPHERTEXT) {
xor_bytes(out + offset, state, d + offset, n);
memcpy(state, d + offset, n);
......@@ -167,12 +167,12 @@ static void compress_block(unsigned char *state, unsigned char *out,
// Input data buffer is d with length dlen.
// Output is written into buffer out if mode is PLAINTEXT or CIPHERTEXT.
// Padding is handled if needed.
static unsigned long long compress_data(shadow_state state,
static unsigned int compress_data(shadow_state state,
unsigned char *out,
const unsigned char *d,
unsigned long long dlen,
unsigned int dlen,
compress_mode mode) {
unsigned long long i;
unsigned int i;
for (i = 0; i < dlen / RATE_BYTES; i++) {
compress_block((uint8_t *)state, out, d, mode, i * RATE_BYTES, RATE_BYTES);
shadow(state);
......@@ -189,8 +189,8 @@ static unsigned long long compress_data(shadow_state state,
// XOR buffers src1 and src2 into buffer dest (all buffers contain n bytes).
void xor_bytes(unsigned char* dest, const unsigned char* src1,
const unsigned char* src2, unsigned long long n) {
for (unsigned long long i = 0; i < n; i++) {
const unsigned char* src2, unsigned int n) {
for ( unsigned int i = 0; i < n; i++) {
dest[i] = src1[i] ^ src2[i];
}
}
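Review bot: `s1p_decrypt` (hunk at `@@ -119,7 +119,7 @@`) still only handles `clen > CLYDE128_NBYTES`; a ciphertext shorter than the tag is not rejected in the visible lines, and with `clen` now `unsigned int` any later `clen - CLYDE128_NBYTES` on that path wraps to a length near 4 GB instead of going negative. A guard at the top of the function, `if (clen < CLYDE128_NBYTES) { *mlen = 0; return -1; }`, closes this regardless of what the tag comparison after the hunk does. The rest of s1p_decrypt, including the tag check, is outside the hunk.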
......@@ -29,15 +29,15 @@
// Size of the P parameter
#define P_NBYTES 16
void s1p_encrypt(unsigned char *c, unsigned long long *clen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *m, unsigned long long mlen,
void s1p_encrypt(unsigned char *c, unsigned int *clen,
const unsigned char *ad, unsigned int adlen,
const unsigned char *m, unsigned int mlen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
int s1p_decrypt(unsigned char *m, unsigned long long *mlen,
const unsigned char *ad, unsigned long long adlen,
const unsigned char *c, unsigned long long clen,
int s1p_decrypt(unsigned char *m, unsigned int *mlen,
const unsigned char *ad, unsigned int adlen,
const unsigned char *c, unsigned int clen,
const unsigned char *k, const unsigned char *p,
const unsigned char *n);
......
/* MIT License
/* MIT
*
* Copyright (c) 2019 Gaëtan Cassiers
*
......@@ -24,13 +24,12 @@
#include <string.h>
#include <stdint.h>
#include "primitives.h"
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define SHADOW_NS 6 // Number of steps
#define SHADOW_NR 2 * SHADOW_NS // Number of rounds
#define ROTL(x, n) ((x << n) | (x >> ((32-n) & 32)))
#define SHADOW_NR 2 * SHADOW_NS // Number of roundsv
#if (SHCST==1)
#define XORCST(DEST, LFSR, SHIFT) do { \
......@@ -40,10 +39,11 @@
(DEST)[3] ^= ((LFSR) & 0x1)<< (SHIFT); } while (0)
#elif (SHCST==8)
#define XORCST(DEST, LFSR, SHIFT) do { \
(DEST)[0] ^= (LFSR) & (0xff << (8*(SHIFT))); } while (0)
(DEST)[0] ^= (LFSR) & (0xff << (8*(SHIFT))); } while(0)
#elif (SHCST==32)
#define XORCST(DEST, LFSR, SHIFT) do { \
(DEST)[0] ^= ROTL((LFSR), (8*(SHIFT))); } while (0)
(DEST)[0] ^= (LFSR); \
(LFSR) = ROTL((LFSR),8); } while (0)
#endif
static uint32_t update_lfsr(uint32_t lfsr) {
......@@ -55,6 +55,7 @@ static uint32_t update_lfsr(uint32_t lfsr) {
void shadow(shadow_state state) {
uint32_t lfsr = 0x8;
for (unsigned int s = 0; s < SHADOW_NS; s++) {
#pragma GCC unroll 0
for (unsigned int b = 0; b < MLS_BUNDLES; b++) {
sbox_layer(state[b]);
lbox(&state[b][0], &state[b][1]);
......@@ -65,10 +66,7 @@ void shadow(shadow_state state) {
lfsr = update_lfsr(lfsr);
dbox_mls_layer(state);
for (unsigned int b = 0; b < MLS_BUNDLES; b++) {
XORCST(state[b], lfsr, b);
}
dbox_mls_layer(state,&lfsr);
lfsr = update_lfsr(lfsr);
}
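Review bot: The `SHCST==32` variant of `XORCST` now advances its `LFSR` argument (`(LFSR) = ROTL((LFSR),8)`) and ignores `SHIFT`, while the 1- and 8-bit variants still use SHIFT and leave LFSR untouched; the three branches no longer share a contract, and since the only call in `shadow()` is removed by this commit, any remaining caller gets a different LFSR sequence depending on the build flag. Either document the side effect above the macro, `// SHCST==32: also rotates LFSR by one byte; SHIFT is unused`, or move the rotation to the caller so all three variants are pure. The `#pragma GCC unroll 0` before the bundle loop is GCC/clang-specific and is ignored with an unknown-pragma warning elsewhere, which is acceptable but worth a one-line comment. There is also a typo in the hunk comment, `Number of roundsv`.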
......