Implement Spook v2

596f9077 · Gaëtan Cassiers · 8ce57cc6 · 596f9077 · 596f9077 · 596f9077
Commit 596f9077 authored Mar 10, 2020 by Gaëtan Cassiers
5 changed files
--- a/spook.py
+++ b/spook.py
@@ -97,10 +97,10 @@ def lbox_inv(x, y):
    return (a, b)

 def lbox_layer(x):
-    return (*lbox(x[0], x[1]), *lbox(x[2], x[3]))
+    return [*lbox(x[0], x[1]), *lbox(x[2], x[3])]

 def lbox_layer_inv(x):
-    return (*lbox_inv(x[0], x[1]), *lbox_inv(x[2], x[3]))
+    return [*lbox_inv(x[0], x[1]), *lbox_inv(x[2], x[3])]

 def sbox_layer(x):
    y1 = (x[0] & x[1]) ^ x[2]
@@ -116,8 +116,8 @@ def sbox_layer_inv(x):
    y2 = (y0 & y1) ^ x[1]
    return [y0, y1, y2, y3]

-def add_rc(x, r, s=0):
-    return list(row ^ (RC[r][i] << s) for i, row in enumerate(x))
+def add_rc(x, r):
+    return list(row ^ RC[r][i] for i, row in enumerate(x))

 def xor_states(x, y):
    return list(xr ^ yr for xr, yr in zip(x, y))
@@ -127,20 +127,38 @@ def tweakey(key, tweak):
    tk = [tweak, (*tx , tweak[0], tweak[1]), (tweak[2], tweak[3], *tx)]
    return [list(k^t for k, t in zip(key, tk_r)) for tk_r in tk]

+def xtime(x):
+    """Multiplication by polynomial x modulo x^32+x^8+1."""
+    b = x >> 31
+    return  ((x << 1) & 0xffffffff) ^ b ^ (b << 8)
+
 def dbox(x):
    if SMALL_PERM:
        y = [[0, 0, 0, 0] for _ in range(3)]
        for i in range(4):
-            y[0][i] = x[0][i]^x[1][i]^x[2][i]
-            y[1][i] = x[0][i]^x[2][i]
-            y[2][i] = x[0][i]^x[1][i]
+            a = x[0][i] ^ x[1][i]
+            b = x[0][i] ^ x[2][i]
+            c = x[1][i] ^ b
+            d = a ^ xtime(b)
+            y[0][i] = b ^ d;
+            y[1][i] = c;
+            y[2][i] = d;
    else:
        y = [[0, 0, 0, 0] for _ in range(4)]
        for i in range(4):
-            y[0][i] = x[1][i]^x[2][i]^x[3][i]
-            y[1][i] = x[0][i]^x[2][i]^x[3][i]
-            y[2][i] = x[0][i]^x[1][i]^x[3][i]
-            y[3][i] = x[0][i]^x[1][i]^x[2][i]
+            y[0][i] = x[0][i]
+            y[1][i] = x[1][i]
+            y[2][i] = x[2][i]
+            y[3][i] = x[3][i]
+            y[0][i] ^= y[1][i]
+            y[2][i] ^= y[3][i]
+            y[1][i] ^= y[2][i]
+            y[3][i] ^= xtime(y[0][i])
+            y[1][i]  = xtime(y[1][i])
+            y[0][i] ^= y[1][i]
+            y[2][i] ^= xtime(y[3][i])
+            y[1][i] ^= y[2][i]
+            y[3][i] ^= y[0][i]
    return y

 def clyde_encrypt(m, t, k):
@@ -174,17 +192,24 @@ def bytes2state(x):
 def state2bytes(x):
    return bytes((r >> 8*i) & 0xFF for r in x for i in range(4))

-def app4(f, x):
-    return list(f(xi) for xi in x)
+CST_LFSR_POLY_MASK = 0xc5
+CST_LFSR_INIT_VALUE = 0xf8737400
+SHADOW_RA_CST_ROW = 1
+def update_lfsr(lfsr):
+    return ((lfsr << 1) & 0xffffffff) ^ (CST_LFSR_POLY_MASK if lfsr & 0x80000000 else 0)

 def shadow(x):
+    lfsr = CST_LFSR_INIT_VALUE
    for s in range(N_STEPS):
-        x = app4(sbox_layer, x)
-        x = app4(lbox_layer, x)
-        x = list(add_rc(xi, 2*s, i) for i, xi in enumerate(x))
-        x = app4(sbox_layer, x)
+        x = [lbox_layer(sbox_layer(xi)) for xi in x]
+        for xi in x:
+            xi[SHADOW_RA_CST_ROW] ^= lfsr
+            lfsr = update_lfsr(lfsr)
+        x = [sbox_layer(xi) for xi in x]
        x = dbox(x)
-        x = list(add_rc(xi, 2*s+1, i) for i, xi in enumerate(x))
+        for i in range(len(x[0])):
+            x[0][i] ^= lfsr
+            lfsr = update_lfsr(lfsr)
    return x

 def pad_bytes(b,n=LS_SIZE):
@@ -203,9 +228,9 @@ def init_sponge_state(k, n):
    n = bytes2state(n)
    b = clyde_encrypt(n, p, bytes2state(k))
    if SMALL_PERM:
-        x = [p, n, b]
+        x = [b, p, n]
    else:
-        x = [p, n, (0, 0, 0, 0), b]
+        x = [b, p, n, [0, 0, 0, 0]]
    return shadow(x)

 def compress_block(x, block, mode, nbytes,pad):

--- a/tv_spook128mu384.txt
+++ b/tv_spook128mu384.txt
--- a/tv_spook128mu512.txt
+++ b/tv_spook128mu512.txt
--- a/tv_spook128su384.txt
+++ b/tv_spook128su384.txt
--- a/tv_spook128su512.txt
+++ b/tv_spook128su512.txt