Commit 9810871c authored by obronchain's avatar obronchain

Spook v2

parent 3bafc451
......@@ -26,8 +26,6 @@
#include "primitives.c"
#define CLYDE_128_NS 6 // Number of steps
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define XORLS(DEST, OP) do { \
(DEST)[0] ^= (OP)[0]; \
(DEST)[1] ^= (OP)[1]; \
......@@ -39,7 +37,7 @@
(DEST)[1] ^= ((LFSR)>>2 & 0x1); \
(DEST)[2] ^= ((LFSR)>>1 & 0x1); \
(DEST)[3] ^= ((LFSR) & 0x1); } while (0)
// Apply a S-box layer to a Clyde-128 state.
void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsigned char* k) {
// Key schedule
clyde128_state k_st;
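Review bot: The comment `// Apply a S-box layer to a Clyde-128 state.` at L17 sits directly above `clyde128_encrypt`, which is the full tweakable block cipher, not an S-box layer; the same text appears in the primitives.c hunk, so it may have been moved there, but if it survives here it misdescribes the function below it. Replace it with a description of what the function actually does, e.g. `// Clyde-128 TBC: encrypts `state` in place with tweak `t` under the key bytes read from `k` by the key schedule.` The body of clyde128_encrypt continues past the end of this hunk.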
......@@ -55,13 +53,13 @@ void clyde128_encrypt(clyde128_state state, const clyde128_state t, const unsign
// Datapath
XORLS(state, tk[0]);
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t off = 0x924; // 2-bits describing the round key
uint32_t lfsr = 0x8; // LFSR for round constant
for (uint32_t s = 0; s < CLYDE_128_NS; s++) {
sbox_layer(state);
lbox(&state[0], &state[1]);
lbox(&state[0], &state[1]);
lbox(&state[2], &state[3]);
XORCST(state,lfsr);
XORCST(state,lfsr);
uint32_t b = lfsr & 0x1;
lfsr = (lfsr^(b<<3) | b<<4)>>1; // update LFSR
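Review bot: The LFSR step on the last line depends on `^` binding tighter than `|`, so it parses as `((lfsr ^ (b<<3)) | (b<<4)) >> 1`; that coincides with the presumably intended `(lfsr ^ ((b<<3) | (b<<4))) >> 1` only because `lfsr` never has bit 4 set, which a reader cannot see without tracing the seed `0x8` through the update. Make the grouping explicit, `lfsr = (lfsr ^ ((b << 3) | (b << 4))) >> 1; // 4-bit LFSR step for the round constant`, so the correctness does not rest on a precedence table and a value-range argument. The `for` loop and the function continue past the end of this hunk.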
#include "primitives.h"
#ifdef SHADOW
static uint32_t lfsr_poly;
static uint32_t xtime_poly;
#endif
// Apply a S-box layer to a Clyde-128 state.
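Review bot: `xtime_poly`, like the existing `lfsr_poly`, is a zero-initialized mutable file-scope variable, so `xtime()` and `update_lfsr()` silently degrade to a plain left shift with no reduction for any caller that runs before the setters have installed the polynomials. The polynomials are fixed parameters of the permutation, so define them here as `static const uint32_t` (or `#define`) with the values the permutation installs at runtime and drop the setters, which also removes a non-reentrant global write from every call of `shadow()`. If the setters must stay for the SHADOW build, at least give both statics their intended initial values so the primitives are usable on their own.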
......@@ -35,54 +36,55 @@ static void lbox(uint32_t* x, uint32_t* y) {
}
#ifdef SHADOW
void set_poly(uint32_t lol){
lfsr_poly = lol;
void set_poly_lfsr(uint32_t l){
lfsr_poly = l;
}
void set_poly_xtime(uint32_t l){
xtime_poly = l;
}
static uint32_t update_lfsr(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
return (x<<1) ^ tmp;
}
static uint32_t xtime(uint32_t x) {
int32_t tmp1 = x;
uint32_t tmp = (tmp1 >>31) & lfsr_poly;
uint32_t tmp = (tmp1 >>31) & xtime_poly;
return (x<<1) ^ tmp;
}
// Apply a D-box layer to a Shadow state.
static void dbox_mls_layer(shadow_state state,uint32_t *lfsr) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
for (unsigned int row = 0; row < LS_ROWS; row++) {
#if SMALL_PERM
uint32_t x = state[0][row];
uint32_t y = state[1][row];
uint32_t z = state[2][row];
state[0][row] = x ^ y ^ z;
state[1][row] = x ^ z;
state[2][row] = x ^ y;
#else
uint32_t x1 = state[0][row];
uint32_t x2 = state[1][row];
uint32_t x3 = state[2][row];
uint32_t x4 = state[3][row];
uint32_t y1 = x2;
uint32_t y2 = x3 ^ x4;
uint32_t y3 = x4;
uint32_t y4 = x1 ^ x2;
uint32_t z1 = y2;
uint32_t z2 = y3 ^ xtime(y4);
uint32_t z3 = y4;
uint32_t z4 = y1 ^ y2;
uint32_t a = x1 ^ x3;
uint32_t b = a ^ x2;
uint32_t c = xtime(a) ^ (x1 ^ x2);
state[0][row] = a ^ c;
state[1][row] = b;
state[2][row] = c;
uint32_t t = xtime(z4);
uint32_t w1 = z2;
uint32_t w2 = z3 ^ t;
uint32_t w3 = t;
uint32_t w4 = z1 ^ xtime(z2);
state[0][row] ^= *lfsr;
*lfsr = update_lfsr(*lfsr);
state[0][row] = w1 ^ w2;
state[1][row] = w2;
state[2][row] = w3 ^ w4;
state[3][row] = w4;
#else
state[0][row] ^= state[1][row];
state[2][row] ^= state[3][row];
state[1][row] ^= state[2][row];
state[3][row] ^= xtime(state[0][row]);
state[2][row] ^= xtime(state[3][row]);
state[1][row] = xtime(state[1][row]);
state[0][row] ^= state[1][row];
state[3][row] ^= state[0][row];
state[1][row] ^= state[2][row];
state[0][row] ^= *lfsr;
*lfsr = xtime(*lfsr);
#endif // SMALL_PERM
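Review bot: `update_lfsr` and `xtime` build the reduction mask with `int32_t tmp1 = x; (tmp1 >> 31) & poly`, which relies on two implementation-defined behaviors: converting a `uint32_t` above `INT32_MAX` to `int32_t`, and right-shifting a negative signed value being an arithmetic shift. The portable branch-free form is `uint32_t mask = 0u - (x >> 31);` followed by `return (x << 1) ^ (mask & xtime_poly);` (and `lfsr_poly` in `update_lfsr`), which keeps the code free of data-dependent branches as the current version presumably intends. The interleaved `#if SMALL_PERM`/`#else` branches of `dbox_mls_layer` in this hunk cannot be assigned to the old or new side from the rendering, so I have not reviewed which D-box is current; `dbox_mls_layer` continues past the end of the hunk.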
......@@ -69,13 +69,14 @@ void init_keys(const unsigned char **k, unsigned char p[P_NBYTES],
static void init_sponge_state(shadow_state state,
const unsigned char *k, const unsigned char *p,
const unsigned char *n) {
// init state
// init state
memset(state, 0, SHADOW_NBYTES);
memcpy(state[0], p, P_NBYTES);
memcpy(state[1], n, CRYPTO_NPUBBYTES);
// TBC
memcpy(state[MLS_BUNDLES-1], n, CRYPTO_NPUBBYTES);
clyde128_encrypt(state[MLS_BUNDLES-1], state[0], k);
memcpy(state[0], n, P_NBYTES);
memcpy(state[1], p, CRYPTO_NPUBBYTES);
memcpy(state[2], n, CRYPTO_NPUBBYTES);
clyde128_encrypt(state[0], state[1], k);
// initial permutation
shadow(state);
}
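Review bot: If the four lines `memcpy(state[0], n, P_NBYTES); memcpy(state[1], p, CRYPTO_NPUBBYTES); ...` are the new side, the length constants are crossed: the nonce is copied with the public-key size and the public key with the nonce size, which is only correct while `P_NBYTES == CRYPTO_NPUBBYTES` and becomes an over-read of the smaller source buffer the moment either constant changes. Use the constant that belongs to each source, `memcpy(state[0], n, CRYPTO_NPUBBYTES); memcpy(state[1], p, P_NBYTES);`, or add `_Static_assert(P_NBYTES == CRYPTO_NPUBBYTES, "bundle layout assumes equal sizes");` if the equality is intentional. A one-line comment on `clyde128_encrypt(state[0], state[1], k)` saying that bundle 0 is replaced by the TBC output with bundle 1 as the tweak would also help, since the `// TBC` marker appears to be gone from the new side.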
......@@ -32,11 +32,10 @@
#define CLYDE_128_NR 2 * CLYDE_128_NS // Number of rounds
#define SHADOW_NS 6 // Number of steps
#define SHADOW_NR 2 * SHADOW_NS // Number of roundsv
// Shadow permutation. Updates state.
void shadow(shadow_state state) {
uint32_t lfsr = 0x0f0f0f0f;
set_poly(0x91);
uint32_t lfsr =0xf8737400; // LFSR for round constant
set_poly_xtime(0x101);
set_poly_lfsr(0xc5);
for (unsigned int s = 0; s < SHADOW_NS; s++) {
#pragma GCC unroll 0
for (unsigned int b = 0; b < MLS_BUNDLES; b++){
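Review bot: `shadow()` writes the permutation's fixed polynomials into file-scope globals through `set_poly_xtime(0x101)` and `set_poly_lfsr(0xc5)` on every call, which makes a pure permutation non-reentrant and unsafe to run concurrently, and neither these values nor the seed `0xf8737400` get a comment saying what they are. Prefer compile-time constants in primitives.c, and add a comment such as `// Round-constant generator: 32-bit LFSR seed plus the feedback polynomials used by xtime()/update_lfsr()`. Two smaller points in the same hunk: `#define SHADOW_NR 2 * SHADOW_NS` (like `CLYDE_128_NR`) is not parenthesized and mis-expands in any expression such as `x / SHADOW_NR`, so write `(2 * SHADOW_NS)`, and its comment ends with the typo `roundsv`. `#pragma GCC unroll 0` is compiler-specific; guard it with `#ifdef __GNUC__` or drop it if it is only a debugging aid.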
......@@ -44,12 +43,10 @@ void shadow(shadow_state state) {
lbox(&state[b][0], &state[b][1]);
lbox(&state[b][2], &state[b][3]);
state[b][0] ^= lfsr;
lfsr = xtime(lfsr);
state[b][1] ^= lfsr;
lfsr = update_lfsr(lfsr);
sbox_layer(state[b]);
}
dbox_mls_layer(state,&lfsr);
}
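Review bot: `state[b][1] ^= lfsr;` followed by `lfsr = update_lfsr(lfsr);` injects the round constant into word 1 of each bundle, and `dbox_mls_layer(state,&lfsr)` then keeps advancing the same LFSR, so the constant sequence depends on the order in which bundles and rows are visited; nothing in the hunk says so, and if the old side applied the constant to word 0 with `xtime`, the change of both word and generator is a specification change worth recording. Suggest `// Round constants: one LFSR step per bundle here, further steps per row inside dbox_mls_layer; bundle order is part of the spec` above the bundle loop. Which of the two `state[b][...] ^= lfsr;` pairs is the new side is inferred from the hunk, not visible in the rendering.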