1 /* Modified for SILC. -Pekka */
3 /* This is an independent implementation of the encryption algorithm: */
5 /* Twofish by Bruce Schneier and colleagues */
7 /* which is a candidate algorithm in the Advanced Encryption Standard */
8 /* programme of the US National Institute of Standards and Technology. */
10 /* Copyright in this implementation is held by Dr B R Gladman but I */
11 /* hereby give permission for its free direct or derivative use subject */
12 /* to acknowledgment of its origin and compliance with any conditions */
13 /* that the originators of t he algorithm place on its exploitation. */
15 /* My thanks to Doug Whiting and Niels Ferguson for comments that led */
16 /* to improvements in this implementation. */
18 /* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */
20 /* Timing data for Twofish (twofish.c)
23 Key Setup: 8414 cycles
24 Encrypt: 376 cycles = 68.1 mbits/sec
25 Decrypt: 374 cycles = 68.4 mbits/sec
26 Mean: 375 cycles = 68.3 mbits/sec
29 Key Setup: 11628 cycles
30 Encrypt: 376 cycles = 68.1 mbits/sec
31 Decrypt: 374 cycles = 68.4 mbits/sec
32 Mean: 375 cycles = 68.3 mbits/sec
35 Key Setup: 15457 cycles
36 Encrypt: 381 cycles = 67.2 mbits/sec
37 Decrypt: 374 cycles = 68.4 mbits/sec
38 Mean: 378 cycles = 67.8 mbits/sec
42 #include "silcincludes.h"
46 * SILC Crypto API for Twofish
49 /* Sets the key for the cipher. */
51 SILC_CIPHER_API_SET_KEY(twofish)
53 twofish_set_key((TwofishContext *)context, (uint32 *)key, keylen);
57 /* Sets the string as a new key for the cipher. The string is first
58 hashed and then used as a new key. */
60 SILC_CIPHER_API_SET_KEY_WITH_STRING(twofish)
62 /* unsigned char key[md5_hash_len];
63 SilcMarsContext *ctx = (SilcMarsContext *)context;
65 make_md5_hash(string, &key);
66 memcpy(&ctx->key, mars_set_key(&key, keylen), keylen);
67 memset(&key, 'F', sizeoof(key));
73 /* Returns the size of the cipher context. */
75 SILC_CIPHER_API_CONTEXT_LEN(twofish)
77 return sizeof(TwofishContext);
80 /* Encrypts with the cipher in CBC mode. Source and destination buffers
81 maybe one and same. */
83 SILC_CIPHER_API_ENCRYPT_CBC(twofish)
85 uint32 *in, *out, *tiv;
93 tmp[0] = in[0] ^ tiv[0];
94 tmp[1] = in[1] ^ tiv[1];
95 tmp[2] = in[2] ^ tiv[2];
96 tmp[3] = in[3] ^ tiv[3];
97 twofish_encrypt((TwofishContext *)context, tmp, out);
101 for (i = 16; i < len; i += 16) {
102 tmp[0] = in[0] ^ out[0 - 4];
103 tmp[1] = in[1] ^ out[1 - 4];
104 tmp[2] = in[2] ^ out[2 - 4];
105 tmp[3] = in[3] ^ out[3 - 4];
106 twofish_encrypt((TwofishContext *)context, tmp, out);
119 /* Decrypts with the cipher in CBC mode. Source and destination buffers
120 maybe one and same. */
122 SILC_CIPHER_API_DECRYPT_CBC(twofish)
124 uint32 *tiv, *in, *out;
125 uint32 tmp[4], tmp2[4];
136 twofish_decrypt((TwofishContext *)context, in, out);
144 for (i = 16; i < len; i += 16) {
153 twofish_decrypt((TwofishContext *)context, in, out);
177 /* finite field arithmetic for GF(2**8) with the modular */
178 /* polynomial x^8 + x^6 + x^5 + x^3 + 1 (0x169) */
182 u1byte tab_5b[4] = { 0, G_M >> 2, G_M >> 1, (G_M >> 1) ^ (G_M >> 2) };
183 u1byte tab_ef[4] = { 0, (G_M >> 1) ^ (G_M >> 2), G_M >> 1, G_M >> 2 };
185 #define ffm_01(x) (x)
186 #define ffm_5b(x) ((x) ^ ((x) >> 2) ^ tab_5b[(x) & 3])
187 #define ffm_ef(x) ((x) ^ ((x) >> 1) ^ ((x) >> 2) ^ tab_ef[(x) & 3])
189 u1byte ror4[16] = { 0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15 };
190 u1byte ashx[16] = { 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12, 5, 14, 7 };
193 { { 8, 1, 7, 13, 6, 15, 3, 2, 0, 11, 5, 9, 14, 12, 10, 4 },
194 { 2, 8, 11, 13, 15, 7, 6, 14, 3, 1, 9, 4, 0, 10, 12, 5 }
198 { { 14, 12, 11, 8, 1, 2, 3, 5, 15, 4, 10, 6, 7, 0, 9, 13 },
199 { 1, 14, 2, 11, 4, 12, 3, 7, 6, 13, 10, 5, 15, 9, 0, 8 }
203 { { 11, 10, 5, 14, 6, 13, 9, 0, 12, 8, 15, 3, 2, 4, 7, 1 },
204 { 4, 12, 7, 5, 1, 6, 9, 10, 0, 14, 13, 8, 2, 11, 3, 15 }
208 { { 13, 7, 15, 4, 1, 2, 6, 14, 9, 11, 3, 0, 8, 5, 12, 10 },
209 { 11, 9, 5, 1, 12, 3, 13, 14, 6, 4, 7, 15, 2, 0, 8, 10 }
212 u1byte qp(const u4byte n, const u1byte x)
213 { u1byte a0, a1, a2, a3, a4, b0, b1, b2, b3, b4;
215 a0 = x >> 4; b0 = x & 15;
216 a1 = a0 ^ b0; b1 = ror4[b0] ^ ashx[a0];
217 a2 = qt0[n][a1]; b2 = qt1[n][b1];
218 a3 = a2 ^ b2; b3 = ror4[b2] ^ ashx[a2];
219 a4 = qt2[n][a3]; b4 = qt3[n][b3];
220 return (b4 << 4) | a4;
226 u1byte q_tab[2][256];
228 #define q(n,x) q_tab[n][x]
233 for(i = 0; i < 256; ++i)
235 q(0,i) = qp(0, (u1byte)i);
236 q(1,i) = qp(1, (u1byte)i);
242 #define q(n,x) qp(n, x)
249 u4byte m_tab[4][256];
252 { u4byte i, f01, f5b, fef;
254 for(i = 0; i < 256; ++i)
256 f01 = q(1,i); f5b = ffm_5b(f01); fef = ffm_ef(f01);
257 m_tab[0][i] = f01 + (f5b << 8) + (fef << 16) + (fef << 24);
258 m_tab[2][i] = f5b + (fef << 8) + (f01 << 16) + (fef << 24);
260 f01 = q(0,i); f5b = ffm_5b(f01); fef = ffm_ef(f01);
261 m_tab[1][i] = fef + (fef << 8) + (f5b << 16) + (f01 << 24);
262 m_tab[3][i] = f5b + (f01 << 8) + (fef << 16) + (f5b << 24);
266 #define mds(n,x) m_tab[n][x]
274 #define q_0(x) q(1,x)
280 #define q_1(x) q(0,x)
286 #define q_2(x) q(1,x)
292 #define q_3(x) q(0,x)
294 #define f_0(n,x) ((u4byte)fm_0##n(x))
295 #define f_1(n,x) ((u4byte)fm_1##n(x) << 8)
296 #define f_2(n,x) ((u4byte)fm_2##n(x) << 16)
297 #define f_3(n,x) ((u4byte)fm_3##n(x) << 24)
299 #define mds(n,x) f_0(n,q_##n(x)) ^ f_1(n,q_##n(x)) ^ f_2(n,q_##n(x)) ^ f_3(n,q_##n(x))
303 u4byte h_fun(TwofishContext *ctx, const u4byte x, const u4byte key[])
304 { u4byte b0, b1, b2, b3;
307 u4byte m5b_b0, m5b_b1, m5b_b2, m5b_b3;
308 u4byte mef_b0, mef_b1, mef_b2, mef_b3;
311 b0 = byte(x, 0); b1 = byte(x, 1); b2 = byte(x, 2); b3 = byte(x, 3);
315 case 4: b0 = q(1, b0) ^ byte(key[3],0);
316 b1 = q(0, b1) ^ byte(key[3],1);
317 b2 = q(0, b2) ^ byte(key[3],2);
318 b3 = q(1, b3) ^ byte(key[3],3);
319 case 3: b0 = q(1, b0) ^ byte(key[2],0);
320 b1 = q(1, b1) ^ byte(key[2],1);
321 b2 = q(0, b2) ^ byte(key[2],2);
322 b3 = q(0, b3) ^ byte(key[2],3);
323 case 2: b0 = q(0,q(0,b0) ^ byte(key[1],0)) ^ byte(key[0],0);
324 b1 = q(0,q(1,b1) ^ byte(key[1],1)) ^ byte(key[0],1);
325 b2 = q(1,q(0,b2) ^ byte(key[1],2)) ^ byte(key[0],2);
326 b3 = q(1,q(1,b3) ^ byte(key[1],3)) ^ byte(key[0],3);
330 return mds(0, b0) ^ mds(1, b1) ^ mds(2, b2) ^ mds(3, b3);
334 b0 = q(1, b0); b1 = q(0, b1); b2 = q(1, b2); b3 = q(0, b3);
335 m5b_b0 = ffm_5b(b0); m5b_b1 = ffm_5b(b1); m5b_b2 = ffm_5b(b2); m5b_b3 = ffm_5b(b3);
336 mef_b0 = ffm_ef(b0); mef_b1 = ffm_ef(b1); mef_b2 = ffm_ef(b2); mef_b3 = ffm_ef(b3);
337 b0 ^= mef_b1 ^ m5b_b2 ^ m5b_b3; b3 ^= m5b_b0 ^ mef_b1 ^ mef_b2;
338 b2 ^= mef_b0 ^ m5b_b1 ^ mef_b3; b1 ^= mef_b0 ^ mef_b2 ^ m5b_b3;
340 return b0 | (b3 << 8) | (b2 << 16) | (b1 << 24);
348 u4byte mk_tab[4][256];
353 #define q20(x) q(0,q(0,x) ^ byte(key[1],0)) ^ byte(key[0],0)
354 #define q21(x) q(0,q(1,x) ^ byte(key[1],1)) ^ byte(key[0],1)
355 #define q22(x) q(1,q(0,x) ^ byte(key[1],2)) ^ byte(key[0],2)
356 #define q23(x) q(1,q(1,x) ^ byte(key[1],3)) ^ byte(key[0],3)
358 #define q30(x) q(0,q(0,q(1, x) ^ byte(key[2],0)) ^ byte(key[1],0)) ^ byte(key[0],0)
359 #define q31(x) q(0,q(1,q(1, x) ^ byte(key[2],1)) ^ byte(key[1],1)) ^ byte(key[0],1)
360 #define q32(x) q(1,q(0,q(0, x) ^ byte(key[2],2)) ^ byte(key[1],2)) ^ byte(key[0],2)
361 #define q33(x) q(1,q(1,q(0, x) ^ byte(key[2],3)) ^ byte(key[1],3)) ^ byte(key[0],3)
363 #define q40(x) q(0,q(0,q(1, q(1, x) ^ byte(key[3],0)) ^ byte(key[2],0)) ^ byte(key[1],0)) ^ byte(key[0],0)
364 #define q41(x) q(0,q(1,q(1, q(0, x) ^ byte(key[3],1)) ^ byte(key[2],1)) ^ byte(key[1],1)) ^ byte(key[0],1)
365 #define q42(x) q(1,q(0,q(0, q(0, x) ^ byte(key[3],2)) ^ byte(key[2],2)) ^ byte(key[1],2)) ^ byte(key[0],2)
366 #define q43(x) q(1,q(1,q(0, q(1, x) ^ byte(key[3],3)) ^ byte(key[2],3)) ^ byte(key[1],3)) ^ byte(key[0],3)
368 void gen_mk_tab(TwofishContext *ctx, u4byte key[])
374 case 2: for(i = 0; i < 256; ++i)
378 mk_tab[0][i] = mds(0, q20(by)); mk_tab[1][i] = mds(1, q21(by));
379 mk_tab[2][i] = mds(2, q22(by)); mk_tab[3][i] = mds(3, q23(by));
381 sb[0][i] = q20(by); sb[1][i] = q21(by);
382 sb[2][i] = q22(by); sb[3][i] = q23(by);
387 case 3: for(i = 0; i < 256; ++i)
391 mk_tab[0][i] = mds(0, q30(by)); mk_tab[1][i] = mds(1, q31(by));
392 mk_tab[2][i] = mds(2, q32(by)); mk_tab[3][i] = mds(3, q33(by));
394 sb[0][i] = q30(by); sb[1][i] = q31(by);
395 sb[2][i] = q32(by); sb[3][i] = q33(by);
400 case 4: for(i = 0; i < 256; ++i)
404 mk_tab[0][i] = mds(0, q40(by)); mk_tab[1][i] = mds(1, q41(by));
405 mk_tab[2][i] = mds(2, q42(by)); mk_tab[3][i] = mds(3, q43(by));
407 sb[0][i] = q40(by); sb[1][i] = q41(by);
408 sb[2][i] = q42(by); sb[3][i] = q43(by);
415 # define g0_fun(x) ( mk_tab[0][byte(x,0)] ^ mk_tab[1][byte(x,1)] \
416 ^ mk_tab[2][byte(x,2)] ^ mk_tab[3][byte(x,3)] )
417 # define g1_fun(x) ( mk_tab[0][byte(x,3)] ^ mk_tab[1][byte(x,0)] \
418 ^ mk_tab[2][byte(x,1)] ^ mk_tab[3][byte(x,2)] )
420 # define g0_fun(x) ( mds(0, sb[0][byte(x,0)]) ^ mds(1, sb[1][byte(x,1)]) \
421 ^ mds(2, sb[2][byte(x,2)]) ^ mds(3, sb[3][byte(x,3)]) )
422 # define g1_fun(x) ( mds(0, sb[0][byte(x,3)]) ^ mds(1, sb[1][byte(x,0)]) \
423 ^ mds(2, sb[2][byte(x,1)]) ^ mds(3, sb[3][byte(x,2)]) )
428 #define g0_fun(x) h_fun(ctx,x,s_key)
429 #define g1_fun(x) h_fun(ctx,rotl(x,8),s_key)
433 /* The (12,8) Reed Soloman code has the generator polynomial
435 g(x) = x^4 + (a + 1/a) * x^3 + a * x^2 + (a + 1/a) * x + 1
437 where the coefficients are in the finite field GF(2^8) with a
438 modular polynomial a^8 + a^6 + a^3 + a^2 + 1. To generate the
439 remainder we have to start with a 12th order polynomial with our
440 eight input bytes as the coefficients of the 4th to 11th terms.
443 m[7] * x^11 + m[6] * x^10 ... + m[0] * x^4 + 0 * x^3 +... + 0
445 We then multiply the generator polynomial by m[7] * x^7 and subtract
446 it - xor in GF(2^8) - from the above to eliminate the x^7 term (the
447 artihmetic on the coefficients is done in GF(2^8). We then multiply
448 the generator polynomial by x^6 * coeff(x^10) and use this to remove
449 the x^10 term. We carry on in this way until the x^4 term is removed
450 so that we are left with:
452 r[3] * x^3 + r[2] * x^2 + r[1] 8 x^1 + r[0]
454 which give the resulting 4 bytes of the remainder. This is equivalent
455 to the matrix multiplication in the Twofish description but much faster
460 #define G_MOD 0x0000014d
462 u4byte mds_rem(u4byte p0, u4byte p1)
465 for(i = 0; i < 8; ++i)
467 t = p1 >> 24; // get most significant coefficient
469 p1 = (p1 << 8) | (p0 >> 24); p0 <<= 8; // shift others up
471 // multiply t by a (the primitive element - i.e. left shift)
475 if(t & 0x80) // subtract modular polynomial on overflow
479 p1 ^= t ^ (u << 16); // remove t * (a * x^2 + 1)
481 u ^= (t >> 1); // form u = a * t + t / a = t * (a + 1 / a);
483 if(t & 0x01) // add the modular polynomial on underflow
487 p1 ^= (u << 24) | (u << 8); // remove t * (a + 1/a) * (x^3 + x)
493 /* initialise the key schedule from the user supplied key */
495 u4byte *twofish_set_key(TwofishContext *ctx,
496 const u4byte in_key[], const u4byte key_len)
498 u4byte i, a, b, me_key[4], mo_key[4];
499 u4byte *l_key = ctx->l_key;
500 u4byte *s_key = ctx->s_key;
505 gen_qtab(); qt_gen = 1;
512 gen_mtab(); mt_gen = 1;
516 ctx->k_len = ctx->k_len = key_len / 64; /* 2, 3 or 4 */
518 for(i = 0; i < ctx->k_len; ++i)
520 a = in_key[i + i]; me_key[i] = a;
521 b = in_key[i + i + 1]; mo_key[i] = b;
522 s_key[ctx->k_len - i - 1] = mds_rem(a, b);
525 for(i = 0; i < 40; i += 2)
527 a = 0x01010101 * i; b = a + 0x01010101;
528 a = h_fun(ctx,a, me_key);
529 b = rotl(h_fun(ctx,b, mo_key), 8);
531 l_key[i + 1] = rotl(a + 2 * b, 9);
535 gen_mk_tab(ctx,s_key);
541 /* encrypt a block of text */
544 t1 = g1_fun(blk[1]); t0 = g0_fun(blk[0]); \
545 blk[2] = rotr(blk[2] ^ (t0 + t1 + l_key[4 * (i) + 8]), 1); \
546 blk[3] = rotl(blk[3], 1) ^ (t0 + 2 * t1 + l_key[4 * (i) + 9]); \
547 t1 = g1_fun(blk[3]); t0 = g0_fun(blk[2]); \
548 blk[0] = rotr(blk[0] ^ (t0 + t1 + l_key[4 * (i) + 10]), 1); \
549 blk[1] = rotl(blk[1], 1) ^ (t0 + 2 * t1 + l_key[4 * (i) + 11])
551 void twofish_encrypt(TwofishContext *ctx,
552 const u4byte in_blk[4], u4byte out_blk[])
554 u4byte t0, t1, blk[4];
555 u4byte *l_key = ctx->l_key;
556 u4byte *s_key = ctx->s_key;
558 blk[0] = in_blk[0] ^ l_key[0];
559 blk[1] = in_blk[1] ^ l_key[1];
560 blk[2] = in_blk[2] ^ l_key[2];
561 blk[3] = in_blk[3] ^ l_key[3];
563 f_rnd(0); f_rnd(1); f_rnd(2); f_rnd(3);
564 f_rnd(4); f_rnd(5); f_rnd(6); f_rnd(7);
566 out_blk[0] = blk[2] ^ l_key[4];
567 out_blk[1] = blk[3] ^ l_key[5];
568 out_blk[2] = blk[0] ^ l_key[6];
569 out_blk[3] = blk[1] ^ l_key[7];
572 /* decrypt a block of text */
575 t1 = g1_fun(blk[1]); t0 = g0_fun(blk[0]); \
576 blk[2] = rotl(blk[2], 1) ^ (t0 + t1 + l_key[4 * (i) + 10]); \
577 blk[3] = rotr(blk[3] ^ (t0 + 2 * t1 + l_key[4 * (i) + 11]), 1); \
578 t1 = g1_fun(blk[3]); t0 = g0_fun(blk[2]); \
579 blk[0] = rotl(blk[0], 1) ^ (t0 + t1 + l_key[4 * (i) + 8]); \
580 blk[1] = rotr(blk[1] ^ (t0 + 2 * t1 + l_key[4 * (i) + 9]), 1)
582 void twofish_decrypt(TwofishContext *ctx,
583 const u4byte in_blk[4], u4byte out_blk[4])
585 u4byte t0, t1, blk[4];
586 u4byte *l_key = ctx->l_key;
587 u4byte *s_key = ctx->s_key;
589 blk[0] = in_blk[0] ^ l_key[4];
590 blk[1] = in_blk[1] ^ l_key[5];
591 blk[2] = in_blk[2] ^ l_key[6];
592 blk[3] = in_blk[3] ^ l_key[7];
594 i_rnd(7); i_rnd(6); i_rnd(5); i_rnd(4);
595 i_rnd(3); i_rnd(2); i_rnd(1); i_rnd(0);
597 out_blk[0] = blk[2] ^ l_key[0];
598 out_blk[1] = blk[3] ^ l_key[1];
599 out_blk[2] = blk[0] ^ l_key[2];
600 out_blk[3] = blk[1] ^ l_key[3];