Initial revision

[crypto.git] / lib / silccrypt / loki.c

/* Modified for SILC. -Pekka */\r
\r
/* This is an independent implementation of the encryption algorithm:   */\r
/*                                                                      */\r
/*         LOKI97 by Brown and Pieprzyk                                 */\r
/*                                                                      */\r
/* which is a candidate algorithm in the Advanced Encryption Standard   */\r
/* programme of the US National Institute of Standards and Technology.  */\r
/*                                                                      */\r
/* Copyright in this implementation is held by Dr B R Gladman but I     */\r
/* hereby give permission for its free direct or derivative use subject */\r
/* to acknowledgment of its origin and compliance with any conditions   */\r
/* that the originators of the algorithm place on its exploitation.     */\r
/*                                                                      */\r
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */\r
\r
/* Timing data for LOKI97 (loki.c)\r
\r
Core timing without I/O endian conversion:\r
\r
128 bit key:\r
Key Setup:    7430 cycles\r
Encrypt:      2134 cycles =    12.0 mbits/sec\r
Decrypt:      2192 cycles =    11.7 mbits/sec\r
Mean:         2163 cycles =    11.8 mbits/sec\r
\r
192 bit key:\r
Key Setup:    7303 cycles\r
Encrypt:      2138 cycles =    12.0 mbits/sec\r
Decrypt:      2189 cycles =    11.7 mbits/sec\r
Mean:         2164 cycles =    11.8 mbits/sec\r
\r
256 bit key:\r
Key Setup:    7166 cycles\r
Encrypt:      2131 cycles =    12.0 mbits/sec\r
Decrypt:      2184 cycles =    11.7 mbits/sec\r
Mean:         2158 cycles =    11.9 mbits/sec\r
\r
Full timing with I/O endian conversion:\r
\r
128 bit key:\r
Key Setup:    7582 cycles\r
Encrypt:      2174 cycles =    11.8 mbits/sec\r
Decrypt:      2235 cycles =    11.5 mbits/sec\r
Mean:         2205 cycles =    11.6 mbits/sec\r
\r
192 bit key:\r
Key Setup:    7477 cycles\r
Encrypt:      2167 cycles =    11.8 mbits/sec\r
Decrypt:      2223 cycles =    11.5 mbits/sec\r
Mean:         2195 cycles =    11.7 mbits/sec\r
\r
256 bit key:\r
Key Setup:    7365 cycles\r
Encrypt:      2177 cycles =    11.8 mbits/sec\r
Decrypt:      2194 cycles =    11.7 mbits/sec\r
Mean:         2186 cycles =    11.7 mbits/sec\r
\r
*/\r
\r
#include <stdio.h>\r
#include <sys/types.h>\r
#include "loki_internal.h"\r
\r
#define S1_SIZE     13\r
#define S1_LEN      (1 << S1_SIZE)\r
#define S1_MASK     (S1_LEN - 1)\r
#define S1_HMASK    (S1_MASK & ~0xff)\r
#define S1_POLY     0x2911\r
\r
#define S2_SIZE     11\r
#define S2_LEN      (1 << S2_SIZE)\r
#define S2_MASK     (S2_LEN - 1)\r
#define S2_HMASK    (S2_MASK & ~0xff)\r
#define S2_POLY     0x0aa7\r
\r
#define io_swap(x)  ((x))\r
\r
u4byte  delta[2] = { 0x7f4a7c15, 0x9e3779b9 };\r
\r
u1byte  sb1[S1_LEN];    // GF(2^11) S box\r
u1byte  sb2[S2_LEN];    // GF(2^11) S box\r
u4byte  prm[256][2];\r
u4byte  init_done = 0;\r
\r
#define add_eq(x,y)    (x)[1] += (y)[1] + (((x)[0] += (y)[0]) < (y)[0] ? 1 : x)\r
#define sub_eq(x,y)    xs = (x)[0]; (x)[1] -= (y)[1] + (((x)[0] -= (y)[0]) > xs ? 1 : 0)   \r
\r
u4byte ff_mult(u4byte a, u4byte b, u4byte tpow, u4byte mpol)\r
{   u4byte  r, s, m;\r
\r
    r = s = 0; m = (1 << tpow); \r
\r
    while(b)\r
    {\r
        if(b & 1)\r
        \r
            s ^= a;\r
            \r
        b >>= 1; a <<= 1;\r
        \r
        if(a & m)\r
        \r
            a ^= mpol;\r
    }\r
\r
    return s;\r
};\r
\r
void init_tables(void)\r
{   u4byte  i, j, v;\r
\r
    // initialise S box 1\r
\r
    for(i = 0; i < S1_LEN; ++i)\r
    {\r
        j = v = i ^ S1_MASK; v = ff_mult(v, j, S1_SIZE, S1_POLY);\r
        sb1[i] = (u1byte)ff_mult(v, j, S1_SIZE, S1_POLY);\r
    } \r
    // initialise S box 2\r
\r
    for(i = 0; i < S2_LEN; ++i)\r
    {\r
        j = v = i ^ S2_MASK; v = ff_mult(v, j, S2_SIZE, S2_POLY);\r
        sb2[i] = (u1byte)ff_mult(v, j, S2_SIZE, S2_POLY);\r
    }\r
\r
    // initialise permutation table\r
\r
    for(i = 0; i < 256; ++i)\r
    {\r
        prm[i][0] = ((i &  1) << 7) | ((i &  2) << 14) | ((i &  4) << 21) | ((i &   8) << 28);\r
        prm[i][1] = ((i & 16) << 3) | ((i & 32) << 10) | ((i & 64) << 17) | ((i & 128) << 24);\r
    }\r
};\r
\r
void f_fun(u4byte res[2], const u4byte in[2], const u4byte key[2])\r
{   u4byte  i, tt[2], pp[2];\r
\r
    tt[0] = (in[0] & ~key[0]) | (in[1] & key[0]);\r
    tt[1] = (in[1] & ~key[0]) | (in[0] & key[0]);\r
\r
    i = sb1[((tt[1] >> 24) | (tt[0] << 8)) & S1_MASK];\r
    pp[0]  = prm[i][0] >> 7; pp[1]  = prm[i][1] >> 7;\r
    i = sb2[(tt[1] >> 16) & S2_MASK];\r
    pp[0] |= prm[i][0] >> 6; pp[1] |= prm[i][1] >> 6;\r
    i = sb1[(tt[1] >>  8) & S1_MASK];\r
    pp[0] |= prm[i][0] >> 5; pp[1] |= prm[i][1] >> 5;\r
    i = sb2[tt[1] & S2_MASK]; \r
    pp[0] |= prm[i][0] >> 4; pp[1] |= prm[i][1] >> 4;\r
    i = sb2[((tt[0] >> 24) | (tt[1] << 8)) & S2_MASK];\r
    pp[0] |= prm[i][0] >> 3; pp[1] |= prm[i][1] >> 3;\r
    i = sb1[(tt[0] >> 16) & S1_MASK]; \r
    pp[0] |= prm[i][0] >> 2; pp[1] |= prm[i][1] >> 2;\r
    i = sb2[(tt[0] >>  8) & S2_MASK];      \r
    pp[0] |= prm[i][0] >> 1; pp[1] |= prm[i][1] >> 1;\r
    i = sb1[tt[0] & S1_MASK];          \r
    pp[0] |= prm[i][0];      pp[1] |= prm[i][1];\r
\r
    res[0] ^=  sb1[byte(pp[0], 0) | (key[1] <<  8) & S1_HMASK]\r
            | (sb1[byte(pp[0], 1) | (key[1] <<  3) & S1_HMASK] << 8)\r
            | (sb2[byte(pp[0], 2) | (key[1] >>  2) & S2_HMASK] << 16)\r
            | (sb2[byte(pp[0], 3) | (key[1] >>  5) & S2_HMASK] << 24);\r
    res[1] ^=  sb1[byte(pp[1], 0) | (key[1] >>  8) & S1_HMASK]\r
            | (sb1[byte(pp[1], 1) | (key[1] >> 13) & S1_HMASK] << 8)\r
            | (sb2[byte(pp[1], 2) | (key[1] >> 18) & S2_HMASK] << 16)\r
            | (sb2[byte(pp[1], 3) | (key[1] >> 21) & S2_HMASK] << 24);\r
};\r
\r
u4byte *loki_set_key(LokiContext *ctx,\r
                     const u4byte in_key[], const u4byte key_len)\r
{   \r
    u4byte  i, k1[2], k2[2], k3[2], k4[2], del[2], tt[2], sk[2];\r
    u4byte *l_key = ctx->l_key;\r
\r
    if(!init_done)\r
    {\r
        init_tables(); init_done = 1;\r
    }\r
\r
    k4[0] = io_swap(in_key[1]); k4[1] = io_swap(in_key[0]);\r
    k3[0] = io_swap(in_key[3]); k3[1] = io_swap(in_key[2]);\r
\r
    switch ((key_len + 63) / 64)\r
    {\r
    case 2:\r
        k2[0] = 0; k2[1] = 0; f_fun(k2, k3, k4);\r
        k1[0] = 0; k1[1] = 0; f_fun(k1, k4, k3);\r
        break;\r
    case 3:\r
        k2[0] = io_swap(in_key[5]); k2[1] = io_swap(in_key[4]);\r
        k1[0] = 0; k1[1] = 0; f_fun(k1, k4, k3);\r
        break;\r
    case 4: \r
        k2[0] = in_key[5]; k2[1] = in_key[4];\r
        k1[0] = in_key[7]; k1[1] = in_key[6];\r
        k2[0] = io_swap(in_key[5]); k2[1] = io_swap(in_key[4]);\r
        k1[0] = io_swap(in_key[7]); k1[1] = io_swap(in_key[6]);\r
    }\r
\r
    del[0] = delta[0]; del[1] = delta[1];\r
\r
    for(i = 0; i < 48; ++i)\r
    {\r
        tt[0] = k1[0]; tt[1] = k1[1]; \r
        add_eq(tt, k3); add_eq(tt, del); add_eq(del, delta);\r
        sk[0] = k4[0]; sk[1] = k4[1];\r
        k4[0] = k3[0]; k4[1] = k3[1];\r
        k3[0] = k2[0]; k3[1] = k2[1];\r
        k2[0] = k1[0]; k2[1] = k1[1];\r
        k1[0] = sk[0]; k1[1] = sk[1];\r
        f_fun(k1, tt, k3);\r
        l_key[i + i] = k1[0]; l_key[i + i + 1] = k1[1];\r
    }\r
\r
    return l_key;\r
};\r
\r
#define r_fun(l,r,k)        \\r
    add_eq((l),(k));        \\r
    f_fun((r),(l),(k) + 2); \\r
    add_eq((l), (k) + 4)\r
\r
void loki_encrypt(LokiContext *ctx,\r
                  const u4byte in_blk[4], u4byte out_blk[4])\r
{   \r
    u4byte  blk[4];\r
    u4byte *l_key = ctx->l_key;\r
\r
    blk[3] = io_swap(in_blk[0]); blk[2] = io_swap(in_blk[1]);\r
    blk[1] = io_swap(in_blk[2]); blk[0] = io_swap(in_blk[3]);\r
\r
    r_fun(blk, blk + 2, l_key +  0);\r
    r_fun(blk + 2, blk, l_key +  6);\r
    r_fun(blk, blk + 2, l_key + 12);\r
    r_fun(blk + 2, blk, l_key + 18);\r
    r_fun(blk, blk + 2, l_key + 24);\r
    r_fun(blk + 2, blk, l_key + 30);\r
    r_fun(blk, blk + 2, l_key + 36);\r
    r_fun(blk + 2, blk, l_key + 42);\r
    r_fun(blk, blk + 2, l_key + 48);\r
    r_fun(blk + 2, blk, l_key + 54);\r
    r_fun(blk, blk + 2, l_key + 60);\r
    r_fun(blk + 2, blk, l_key + 66);\r
    r_fun(blk, blk + 2, l_key + 72);\r
    r_fun(blk + 2, blk, l_key + 78);\r
    r_fun(blk, blk + 2, l_key + 84);\r
    r_fun(blk + 2, blk, l_key + 90);\r
\r
    out_blk[3] = io_swap(blk[2]); out_blk[2] = io_swap(blk[3]);\r
    out_blk[1] = io_swap(blk[0]); out_blk[0] = io_swap(blk[1]);\r
};\r
\r
#define ir_fun(l,r,k)       \\r
    sub_eq((l),(k) + 4);    \\r
    f_fun((r),(l),(k) + 2); \\r
    sub_eq((l),(k))\r
\r
void loki_decrypt(LokiContext *ctx,\r
                  const u4byte in_blk[4], u4byte out_blk[4])\r
{   \r
    u4byte  blk[4], xs;\r
    u4byte *l_key = ctx->l_key;\r
\r
    blk[3] = io_swap(in_blk[0]); blk[2] = io_swap(in_blk[1]);\r
    blk[1] = io_swap(in_blk[2]); blk[0] = io_swap(in_blk[3]);\r
\r
    ir_fun(blk, blk + 2, l_key + 90); \r
    ir_fun(blk + 2, blk, l_key + 84);\r
    ir_fun(blk, blk + 2, l_key + 78); \r
    ir_fun(blk + 2, blk, l_key + 72);\r
    ir_fun(blk, blk + 2, l_key + 66); \r
    ir_fun(blk + 2, blk, l_key + 60);\r
    ir_fun(blk, blk + 2, l_key + 54); \r
    ir_fun(blk + 2, blk, l_key + 48);\r
    ir_fun(blk, blk + 2, l_key + 42); \r
    ir_fun(blk + 2, blk, l_key + 36);\r
    ir_fun(blk, blk + 2, l_key + 30); \r
    ir_fun(blk + 2, blk, l_key + 24);\r
    ir_fun(blk, blk + 2, l_key + 18); \r
    ir_fun(blk + 2, blk, l_key + 12);\r
    ir_fun(blk, blk + 2, l_key +  6); \r
    ir_fun(blk + 2, blk, l_key);\r
\r
    out_blk[3] = io_swap(blk[2]); out_blk[2] = io_swap(blk[3]);\r
    out_blk[1] = io_swap(blk[0]); out_blk[0] = io_swap(blk[1]);   \r
};\r