Initial revision

[silc.git] / lib / silccrypt / serpent.c

/* Modified for SILC. -Pekka */x\r
\r
/* This is an independent implementation of the encryption algorithm:   */\r
/*                                                                      */\r
/*         Serpent by Ross Anderson, Eli Biham and Lars Knudsen         */\r
/*                                                                      */\r
/* which is a candidate algorithm in the Advanced Encryption Standard   */\r
/* programme of the US National Institute of Standards and Technology.  */\r
/*                                                                      */\r
/* Copyright in this implementation is held by Dr B R Gladman but I     */\r
/* hereby give permission for its free direct or derivative use subject */\r
/* to acknowledgment of its origin and compliance with any conditions   */\r
/* that the originators of the algorithm place on its exploitation.     */\r
/*                                                                      */\r
/* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999     */\r
\r
/* Timing data for Serpent (serpent.c)\r
\r
Core timing without I/O endian conversion:\r
\r
128 bit key:\r
Key Setup:    2402 cycles\r
Encrypt:       952 cycles =    26.9 mbits/sec\r
Decrypt:       914 cycles =    28.0 mbits/sec\r
Mean:          933 cycles =    27.4 mbits/sec\r
\r
192 bit key:\r
Key Setup:    2449 cycles\r
Encrypt:       952 cycles =    26.9 mbits/sec\r
Decrypt:       914 cycles =    28.0 mbits/sec\r
Mean:          933 cycles =    27.4 mbits/sec\r
\r
256 bit key:\r
Key Setup:    2349 cycles\r
Encrypt:       952 cycles =    26.9 mbits/sec\r
Decrypt:       914 cycles =    28.0 mbits/sec\r
Mean:          933 cycles =    27.4 mbits/sec\r
\r
Full timing with I/O endian conversion:\r
\r
128 bit key:\r
Key Setup:    2415 cycles\r
Encrypt:       985 cycles =    26.0 mbits/sec\r
Decrypt:       954 cycles =    26.8 mbits/sec\r
Mean:          970 cycles =    26.4 mbits/sec\r
\r
192 bit key:\r
Key Setup:    2438 cycles\r
Encrypt:       985 cycles =    26.0 mbits/sec\r
Decrypt:       954 cycles =    26.8 mbits/sec\r
Mean:          970 cycles =    26.4 mbits/sec\r
\r
256 bit key:\r
Key Setup:    2463 cycles\r
Encrypt:       985 cycles =    26.0 mbits/sec\r
Decrypt:       954 cycles =    26.8 mbits/sec\r
Mean:          970 cycles =    26.4 mbits/sec\r
\r
*/\r
\r
#include <stdio.h>\r
#include <sys/types.h>\r
#include "serpent_internal.h"\r
\r
/* Partially optimised Serpent S Box boolean functions derived  */\r
/* using a recursive descent analyser but without a full search */\r
/* of all subtrees. This set of S boxes is the result of work   */\r
/* by Sam Simpson and Brian Gladman using the spare time on a   */\r
/* cluster of high capacity servers to search for S boxes with  */\r
/* this customised search engine.                               */\r
/*                                                              */\r
/* Copyright:   Dr B. R Gladman (gladman@seven77.demon.co.uk)   */\r
/*              and Sam Simpson (s.simpson@mia.co.uk)           */ \r
/*              17th December 1998                              */\r
/*                                                              */\r
/* We hereby give permission for information in this file to be */\r
/* used freely subject only to acknowledgement of its origin    */\r
\r
/* 15 terms */\r
\r
#define sb0(a,b,c,d,e,f,g,h)    \\r
    t1 = a ^ d;     \\r
    t2 = a & d;     \\r
    t3 = c ^ t1;    \\r
    t6 = b & t1;    \\r
    t4 = b ^ t3;    \\r
    t10 = ~t3;      \\r
    h = t2 ^ t4;    \\r
    t7 = a ^ t6;    \\r
    t14 = ~t7;      \\r
    t8 = c | t7;    \\r
    t11 = t3 ^ t7;  \\r
    g = t4 ^ t8;    \\r
    t12 = h & t11;  \\r
    f = t10 ^ t12;  \\r
    e = t12 ^ t14\r
\r
/* 15 terms */\r
\r
#define ib0(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = a ^ b;     \\r
    t3 = t1 | t2;   \\r
    t4 = d ^ t3;    \\r
    t7 = d & t2;    \\r
    t5 = c ^ t4;    \\r
    t8 = t1 ^ t7;   \\r
    g = t2 ^ t5;    \\r
    t11 = a & t4;   \\r
    t9 = g & t8;    \\r
    t14 = t5 ^ t8;  \\r
    f = t4 ^ t9;    \\r
    t12 = t5 | f;   \\r
    h = t11 ^ t12;  \\r
    e = h ^ t14\r
\r
/* 14 terms!  */\r
\r
#define sb1(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = b ^ t1;    \\r
    t3 = a | t2;    \\r
    t4 = d | t2;    \\r
    t5 = c ^ t3;    \\r
    g = d ^ t5;     \\r
    t7 = b ^ t4;    \\r
    t8 = t2 ^ g;    \\r
    t9 = t5 & t7;   \\r
    h = t8 ^ t9;    \\r
    t11 = t5 ^ t7;  \\r
    f = h ^ t11;    \\r
    t13 = t8 & t11; \\r
    e = t5 ^ t13\r
\r
/* 17 terms */\r
\r
#define ib1(a,b,c,d,e,f,g,h)    \\r
    t1 = a ^ d;     \\r
    t2 = a & b;     \\r
    t3 = b ^ c;     \\r
    t4 = a ^ t3;    \\r
    t5 = b | d;     \\r
    t7 = c | t1;    \\r
    h = t4 ^ t5;    \\r
    t8 = b ^ t7;    \\r
    t11 = ~t2;      \\r
    t9 = t4 & t8;   \\r
    f = t1 ^ t9;    \\r
    t13 = t9 ^ t11; \\r
    t12 = h & f;    \\r
    g = t12 ^ t13;  \\r
    t15 = a & d;    \\r
    t16 = c ^ t13;  \\r
    e = t15 ^ t16\r
\r
/* 16 terms */\r
\r
#define sb2(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = b ^ d;     \\r
    t3 = c & t1;    \\r
    t13 = d | t1;   \\r
    e = t2 ^ t3;    \\r
    t5 = c ^ t1;    \\r
    t6 = c ^ e;     \\r
    t7 = b & t6;    \\r
    t10 = e | t5;   \\r
    h = t5 ^ t7;    \\r
    t9 = d | t7;    \\r
    t11 = t9 & t10; \\r
    t14 = t2 ^ h;   \\r
    g = a ^ t11;    \\r
    t15 = g ^ t13;  \\r
    f = t14 ^ t15\r
\r
/* 16 terms */\r
\r
#define ib2(a,b,c,d,e,f,g,h)    \\r
    t1 = b ^ d;     \\r
    t2 = ~t1;       \\r
    t3 = a ^ c;     \\r
    t4 = c ^ t1;    \\r
    t7 = a | t2;    \\r
    t5 = b & t4;    \\r
    t8 = d ^ t7;    \\r
    t11 = ~t4;      \\r
    e = t3 ^ t5;    \\r
    t9 = t3 | t8;   \\r
    t14 = d & t11;  \\r
    h = t1 ^ t9;    \\r
    t12 = e | h;    \\r
    f = t11 ^ t12;  \\r
    t15 = t3 ^ t12; \\r
    g = t14 ^ t15\r
\r
/* 17 terms */\r
\r
#define sb3(a,b,c,d,e,f,g,h)    \\r
    t1 = a ^ c;     \\r
    t2 = d ^ t1;    \\r
    t3 = a & t2;    \\r
    t4 = d ^ t3;    \\r
    t5 = b & t4;    \\r
    g = t2 ^ t5;    \\r
    t7 = a | g;     \\r
    t8 = b | d;     \\r
    t11 = a | d;    \\r
    t9 = t4 & t7;   \\r
    f = t8 ^ t9;    \\r
    t12 = b ^ t11;  \\r
    t13 = g ^ t9;   \\r
    t15 = t3 ^ t8;  \\r
    h = t12 ^ t13;  \\r
    t16 = c & t15;  \\r
    e = t12 ^ t16\r
\r
/* 16 term solution that performs less well than 17 term one\r
   in my environment (PPro/PII)                                  \r
\r
#define sb3(a,b,c,d,e,f,g,h)    \\r
    t1 = a ^ b;     \\r
    t2 = a & c;     \\r
    t3 = a | d;     \\r
    t4 = c ^ d;     \\r
    t5 = t1 & t3;   \\r
    t6 = t2 | t5;   \\r
    g = t4 ^ t6;    \\r
    t8 = b ^ t3;    \\r
    t9 = t6 ^ t8;   \\r
    t10 = t4 & t9;  \\r
    e = t1 ^ t10;   \\r
    t12 = g & e;    \\r
    f = t9 ^ t12;   \\r
    t14 = b | d;    \\r
    t15 = t4 ^ t12; \\r
    h = t14 ^ t15\r
*/\r
\r
/* 17 terms */\r
\r
#define ib3(a,b,c,d,e,f,g,h)    \\r
    t1 = b ^ c;     \\r
    t2 = b | c;     \\r
    t3 = a ^ c;     \\r
    t7 = a ^ d;     \\r
    t4 = t2 ^ t3;   \\r
    t5 = d | t4;    \\r
    t9 = t2 ^ t7;   \\r
    e = t1 ^ t5;    \\r
    t8 = t1 | t5;   \\r
    t11 = a & t4;   \\r
    g = t8 ^ t9;    \\r
    t12 = e | t9;   \\r
    f = t11 ^ t12;  \\r
    t14 = a & g;    \\r
    t15 = t2 ^ t14; \\r
    t16 = e & t15;  \\r
    h = t4 ^ t16\r
\r
/* 15 terms */\r
\r
#define sb4(a,b,c,d,e,f,g,h)    \\r
    t1 = a ^ d;     \\r
    t2 = d & t1;    \\r
    t3 = c ^ t2;    \\r
    t4 = b | t3;    \\r
    h = t1 ^ t4;    \\r
    t6 = ~b;        \\r
    t7 = t1 | t6;   \\r
    e = t3 ^ t7;    \\r
    t9 = a & e;     \\r
    t10 = t1 ^ t6;  \\r
    t11 = t4 & t10; \\r
    g = t9 ^ t11;   \\r
    t13 = a ^ t3;   \\r
    t14 = t10 & g;  \\r
    f = t13 ^ t14\r
\r
/* 17 terms */\r
\r
#define ib4(a,b,c,d,e,f,g,h)    \\r
    t1 = c ^ d;     \\r
    t2 = c | d;     \\r
    t3 = b ^ t2;    \\r
    t4 = a & t3;    \\r
    f = t1 ^ t4;    \\r
    t6 = a ^ d;     \\r
    t7 = b | d;     \\r
    t8 = t6 & t7;   \\r
    h = t3 ^ t8;    \\r
    t10 = ~a;       \\r
    t11 = c ^ h;    \\r
    t12 = t10 | t11;\\r
    e = t3 ^ t12;   \\r
    t14 = c | t4;   \\r
    t15 = t7 ^ t14; \\r
    t16 = h | t10;  \\r
    g = t15 ^ t16\r
\r
/* 16 terms */\r
\r
#define sb5(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = a ^ b;     \\r
    t3 = a ^ d;     \\r
    t4 = c ^ t1;    \\r
    t5 = t2 | t3;   \\r
    e = t4 ^ t5;    \\r
    t7 = d & e;     \\r
    t8 = t2 ^ e;    \\r
    t10 = t1 | e;   \\r
    f = t7 ^ t8;    \\r
    t11 = t2 | t7;  \\r
    t12 = t3 ^ t10; \\r
    t14 = b ^ t7;   \\r
    g = t11 ^ t12;  \\r
    t15 = f & t12;  \\r
    h = t14 ^ t15\r
\r
/* 16 terms */\r
\r
#define ib5(a,b,c,d,e,f,g,h)    \\r
    t1 = ~c;        \\r
    t2 = b & t1;    \\r
    t3 = d ^ t2;    \\r
    t4 = a & t3;    \\r
    t5 = b ^ t1;    \\r
    h = t4 ^ t5;    \\r
    t7 = b | h;     \\r
    t8 = a & t7;    \\r
    f = t3 ^ t8;    \\r
    t10 = a | d;    \\r
    t11 = t1 ^ t7;  \\r
    e = t10 ^ t11;  \\r
    t13 = a ^ c;    \\r
    t14 = b & t10;  \\r
    t15 = t4 | t13; \\r
    g = t14 ^ t15\r
\r
/* 15 terms */\r
\r
#define sb6(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = a ^ d;     \\r
    t3 = b ^ t2;    \\r
    t4 = t1 | t2;   \\r
    t5 = c ^ t4;    \\r
    f = b ^ t5;     \\r
    t13 = ~t5;      \\r
    t7 = t2 | f;    \\r
    t8 = d ^ t7;    \\r
    t9 = t5 & t8;   \\r
    g = t3 ^ t9;    \\r
    t11 = t5 ^ t8;  \\r
    e = g ^ t11;    \\r
    t14 = t3 & t11; \\r
    h = t13 ^ t14\r
\r
/* 15 terms */\r
\r
#define ib6(a,b,c,d,e,f,g,h)    \\r
    t1 = ~a;        \\r
    t2 = a ^ b;     \\r
    t3 = c ^ t2;    \\r
    t4 = c | t1;    \\r
    t5 = d ^ t4;    \\r
    t13 = d & t1;   \\r
    f = t3 ^ t5;    \\r
    t7 = t3 & t5;   \\r
    t8 = t2 ^ t7;   \\r
    t9 = b | t8;    \\r
    h = t5 ^ t9;    \\r
    t11 = b | h;    \\r
    e = t8 ^ t11;   \\r
    t14 = t3 ^ t11; \\r
    g = t13 ^ t14\r
\r
/* 17 terms */\r
\r
#define sb7(a,b,c,d,e,f,g,h)    \\r
    t1 = ~c;        \\r
    t2 = b ^ c;     \\r
    t3 = b | t1;    \\r
    t4 = d ^ t3;    \\r
    t5 = a & t4;    \\r
    t7 = a ^ d;     \\r
    h = t2 ^ t5;    \\r
    t8 = b ^ t5;    \\r
    t9 = t2 | t8;   \\r
    t11 = d & t3;   \\r
    f = t7 ^ t9;    \\r
    t12 = t5 ^ f;   \\r
    t15 = t1 | t4;  \\r
    t13 = h & t12;  \\r
    g = t11 ^ t13;  \\r
    t16 = t12 ^ g;  \\r
    e = t15 ^ t16\r
\r
/* 17 terms */\r
\r
#define ib7(a,b,c,d,e,f,g,h)    \\r
    t1 = a & b;     \\r
    t2 = a | b;     \\r
    t3 = c | t1;    \\r
    t4 = d & t2;    \\r
    h = t3 ^ t4;    \\r
    t6 = ~d;        \\r
    t7 = b ^ t4;    \\r
    t8 = h ^ t6;    \\r
    t11 = c ^ t7;   \\r
    t9 = t7 | t8;   \\r
    f = a ^ t9;     \\r
    t12 = d | f;    \\r
    e = t11 ^ t12;  \\r
    t14 = a & h;    \\r
    t15 = t3 ^ f;   \\r
    t16 = e ^ t14;  \\r
    g = t15 ^ t16\r
\r
#define k_xor(r,a,b,c,d)    \\r
    a ^= l_key[4 * r +  8]; \\r
    b ^= l_key[4 * r +  9]; \\r
    c ^= l_key[4 * r + 10]; \\r
    d ^= l_key[4 * r + 11]\r
\r
#define k_set(r,a,b,c,d)    \\r
    a = l_key[4 * r +  8];  \\r
    b = l_key[4 * r +  9];  \\r
    c = l_key[4 * r + 10];  \\r
    d = l_key[4 * r + 11]\r
\r
#define k_get(r,a,b,c,d)    \\r
    l_key[4 * r +  8] = a;  \\r
    l_key[4 * r +  9] = b;  \\r
    l_key[4 * r + 10] = c;  \\r
    l_key[4 * r + 11] = d\r
\r
/* the linear transformation and its inverse    */\r
\r
#define rot(a,b,c,d)    \\r
    a = rotl(a, 13);    \\r
    c = rotl(c, 3);     \\r
    d ^= c ^ (a << 3);  \\r
    b ^= a ^ c;         \\r
    d = rotl(d, 7);     \\r
    b = rotl(b, 1);     \\r
    a ^= b ^ d;         \\r
    c ^= d ^ (b << 7);  \\r
    a = rotl(a, 5);     \\r
    c = rotl(c, 22)\r
\r
#define irot(a,b,c,d)   \\r
    c = rotr(c, 22);    \\r
    a = rotr(a, 5);     \\r
    c ^= d ^ (b << 7);  \\r
    a ^= b ^ d;         \\r
    d = rotr(d, 7);     \\r
    b = rotr(b, 1);     \\r
    d ^= c ^ (a << 3);  \\r
    b ^= a ^ c;         \\r
    c = rotr(c, 3);     \\r
    a = rotr(a, 13)\r
\r
/* initialise the key schedule from the user supplied key   */\r
\r
u4byte *serpent_set_key(SerpentContext *ctx,\r
                        const u4byte in_key[], const u4byte key_len)\r
{   \r
    u4byte  i,lk,a,b,c,d,e,f,g,h;\r
    u4byte  t1,t2,t3,t4,t5,t6,t7,t8,t9,t10,t11,t12,t13,t14,t15,t16;\r
    u4byte *l_key = ctx->l_key;\r
\r
    if(key_len < 0 || key_len > 256)\r
\r
        return (u4byte*)0;\r
\r
    i = 0; lk = (key_len + 31) / 32;\r
    \r
    while(i < lk)\r
    {\r
#ifdef  BLOCK_SWAP\r
        l_key[i] = io_swap(in_key[lk - i - 1]);\r
#else\r
        l_key[i] = in_key[i];\r
#endif  \r
        i++;\r
    }\r
\r
    if(key_len < 256)\r
    {\r
        while(i < 8)\r
\r
            l_key[i++] = 0;\r
\r
        i = key_len / 32; lk = 1 << key_len % 32; \r
\r
        l_key[i] = l_key[i] & (lk - 1) | lk;\r
    }\r
\r
    for(i = 0; i < 132; ++i)\r
    {\r
        lk = l_key[i] ^ l_key[i + 3] ^ l_key[i + 5] \r
                                ^ l_key[i + 7] ^ 0x9e3779b9 ^ i;\r
\r
        l_key[i + 8] = (lk << 11) | (lk >> 21); \r
    }\r
\r
    k_set( 0,a,b,c,d);sb3(a,b,c,d,e,f,g,h);k_get( 0,e,f,g,h);\r
    k_set( 1,a,b,c,d);sb2(a,b,c,d,e,f,g,h);k_get( 1,e,f,g,h);\r
    k_set( 2,a,b,c,d);sb1(a,b,c,d,e,f,g,h);k_get( 2,e,f,g,h);\r
    k_set( 3,a,b,c,d);sb0(a,b,c,d,e,f,g,h);k_get( 3,e,f,g,h);\r
    k_set( 4,a,b,c,d);sb7(a,b,c,d,e,f,g,h);k_get( 4,e,f,g,h);\r
    k_set( 5,a,b,c,d);sb6(a,b,c,d,e,f,g,h);k_get( 5,e,f,g,h);\r
    k_set( 6,a,b,c,d);sb5(a,b,c,d,e,f,g,h);k_get( 6,e,f,g,h);\r
    k_set( 7,a,b,c,d);sb4(a,b,c,d,e,f,g,h);k_get( 7,e,f,g,h);\r
    k_set( 8,a,b,c,d);sb3(a,b,c,d,e,f,g,h);k_get( 8,e,f,g,h);\r
    k_set( 9,a,b,c,d);sb2(a,b,c,d,e,f,g,h);k_get( 9,e,f,g,h);\r
    k_set(10,a,b,c,d);sb1(a,b,c,d,e,f,g,h);k_get(10,e,f,g,h);\r
    k_set(11,a,b,c,d);sb0(a,b,c,d,e,f,g,h);k_get(11,e,f,g,h);\r
    k_set(12,a,b,c,d);sb7(a,b,c,d,e,f,g,h);k_get(12,e,f,g,h);\r
    k_set(13,a,b,c,d);sb6(a,b,c,d,e,f,g,h);k_get(13,e,f,g,h);\r
    k_set(14,a,b,c,d);sb5(a,b,c,d,e,f,g,h);k_get(14,e,f,g,h);\r
    k_set(15,a,b,c,d);sb4(a,b,c,d,e,f,g,h);k_get(15,e,f,g,h);\r
    k_set(16,a,b,c,d);sb3(a,b,c,d,e,f,g,h);k_get(16,e,f,g,h);\r
    k_set(17,a,b,c,d);sb2(a,b,c,d,e,f,g,h);k_get(17,e,f,g,h);\r
    k_set(18,a,b,c,d);sb1(a,b,c,d,e,f,g,h);k_get(18,e,f,g,h);\r
    k_set(19,a,b,c,d);sb0(a,b,c,d,e,f,g,h);k_get(19,e,f,g,h);\r
    k_set(20,a,b,c,d);sb7(a,b,c,d,e,f,g,h);k_get(20,e,f,g,h);\r
    k_set(21,a,b,c,d);sb6(a,b,c,d,e,f,g,h);k_get(21,e,f,g,h);\r
    k_set(22,a,b,c,d);sb5(a,b,c,d,e,f,g,h);k_get(22,e,f,g,h);\r
    k_set(23,a,b,c,d);sb4(a,b,c,d,e,f,g,h);k_get(23,e,f,g,h);\r
    k_set(24,a,b,c,d);sb3(a,b,c,d,e,f,g,h);k_get(24,e,f,g,h);\r
    k_set(25,a,b,c,d);sb2(a,b,c,d,e,f,g,h);k_get(25,e,f,g,h);\r
    k_set(26,a,b,c,d);sb1(a,b,c,d,e,f,g,h);k_get(26,e,f,g,h);\r
    k_set(27,a,b,c,d);sb0(a,b,c,d,e,f,g,h);k_get(27,e,f,g,h);\r
    k_set(28,a,b,c,d);sb7(a,b,c,d,e,f,g,h);k_get(28,e,f,g,h);\r
    k_set(29,a,b,c,d);sb6(a,b,c,d,e,f,g,h);k_get(29,e,f,g,h);\r
    k_set(30,a,b,c,d);sb5(a,b,c,d,e,f,g,h);k_get(30,e,f,g,h);\r
    k_set(31,a,b,c,d);sb4(a,b,c,d,e,f,g,h);k_get(31,e,f,g,h);\r
    k_set(32,a,b,c,d);sb3(a,b,c,d,e,f,g,h);k_get(32,e,f,g,h);\r
\r
    return l_key;\r
};\r
\r
/* encrypt a block of text  */\r
\r
void serpent_encrypt(SerpentContext *ctx,\r
                     const u4byte in_blk[4], u4byte out_blk[])\r
{   \r
    u4byte  a,b,c,d,e,f,g,h;\r
    u4byte  t1,t2,t3,t4,t5,t6,t7,t8,t9,t10,t11,t12,t13,t14,t15,t16;\r
    u4byte *l_key = ctx->l_key;\r
\r
#ifdef  BLOCK_SWAP\r
    a = io_swap(in_blk[3]); b = io_swap(in_blk[2]); \r
    c = io_swap(in_blk[1]); d = io_swap(in_blk[0]);\r
#else\r
    a = in_blk[0]; b = in_blk[1]; c = in_blk[2]; d = in_blk[3];\r
#endif\r
\r
    k_xor( 0,a,b,c,d); sb0(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor( 1,e,f,g,h); sb1(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor( 2,a,b,c,d); sb2(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor( 3,e,f,g,h); sb3(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor( 4,a,b,c,d); sb4(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor( 5,e,f,g,h); sb5(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor( 6,a,b,c,d); sb6(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor( 7,e,f,g,h); sb7(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor( 8,a,b,c,d); sb0(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor( 9,e,f,g,h); sb1(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(10,a,b,c,d); sb2(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(11,e,f,g,h); sb3(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(12,a,b,c,d); sb4(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(13,e,f,g,h); sb5(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(14,a,b,c,d); sb6(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(15,e,f,g,h); sb7(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(16,a,b,c,d); sb0(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(17,e,f,g,h); sb1(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(18,a,b,c,d); sb2(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(19,e,f,g,h); sb3(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(20,a,b,c,d); sb4(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(21,e,f,g,h); sb5(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(22,a,b,c,d); sb6(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(23,e,f,g,h); sb7(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(24,a,b,c,d); sb0(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(25,e,f,g,h); sb1(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(26,a,b,c,d); sb2(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(27,e,f,g,h); sb3(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(28,a,b,c,d); sb4(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(29,e,f,g,h); sb5(e,f,g,h,a,b,c,d); rot(a,b,c,d); \r
    k_xor(30,a,b,c,d); sb6(a,b,c,d,e,f,g,h); rot(e,f,g,h); \r
    k_xor(31,e,f,g,h); sb7(e,f,g,h,a,b,c,d); k_xor(32,a,b,c,d); \r
    \r
#ifdef  BLOCK_SWAP\r
    out_blk[3] = io_swap(a); out_blk[2] = io_swap(b); \r
    out_blk[1] = io_swap(c); out_blk[0] = io_swap(d);\r
#else\r
    out_blk[0] = a; out_blk[1] = b; out_blk[2] = c; out_blk[3] = d;\r
#endif\r
};\r
\r
/* decrypt a block of text  */\r
\r
void serpent_decrypt(SerpentContext *ctx,\r
                     const u4byte in_blk[4], u4byte out_blk[4])\r
{   \r
    u4byte  a,b,c,d,e,f,g,h;\r
    u4byte  t1,t2,t3,t4,t5,t6,t7,t8,t9,t10,t11,t12,t13,t14,t15,t16;\r
    u4byte *l_key = ctx->l_key;\r
    \r
#ifdef  BLOCK_SWAP\r
    a = io_swap(in_blk[3]); b = io_swap(in_blk[2]); \r
    c = io_swap(in_blk[1]); d = io_swap(in_blk[0]);\r
#else\r
    a = in_blk[0]; b = in_blk[1]; c = in_blk[2]; d = in_blk[3];\r
#endif\r
\r
    k_xor(32,a,b,c,d); ib7(a,b,c,d,e,f,g,h); k_xor(31,e,f,g,h);\r
    irot(e,f,g,h); ib6(e,f,g,h,a,b,c,d); k_xor(30,a,b,c,d);\r
    irot(a,b,c,d); ib5(a,b,c,d,e,f,g,h); k_xor(29,e,f,g,h);\r
    irot(e,f,g,h); ib4(e,f,g,h,a,b,c,d); k_xor(28,a,b,c,d);\r
    irot(a,b,c,d); ib3(a,b,c,d,e,f,g,h); k_xor(27,e,f,g,h);\r
    irot(e,f,g,h); ib2(e,f,g,h,a,b,c,d); k_xor(26,a,b,c,d);\r
    irot(a,b,c,d); ib1(a,b,c,d,e,f,g,h); k_xor(25,e,f,g,h);\r
    irot(e,f,g,h); ib0(e,f,g,h,a,b,c,d); k_xor(24,a,b,c,d);\r
    irot(a,b,c,d); ib7(a,b,c,d,e,f,g,h); k_xor(23,e,f,g,h);\r
    irot(e,f,g,h); ib6(e,f,g,h,a,b,c,d); k_xor(22,a,b,c,d);\r
    irot(a,b,c,d); ib5(a,b,c,d,e,f,g,h); k_xor(21,e,f,g,h);\r
    irot(e,f,g,h); ib4(e,f,g,h,a,b,c,d); k_xor(20,a,b,c,d);\r
    irot(a,b,c,d); ib3(a,b,c,d,e,f,g,h); k_xor(19,e,f,g,h);\r
    irot(e,f,g,h); ib2(e,f,g,h,a,b,c,d); k_xor(18,a,b,c,d);\r
    irot(a,b,c,d); ib1(a,b,c,d,e,f,g,h); k_xor(17,e,f,g,h);\r
    irot(e,f,g,h); ib0(e,f,g,h,a,b,c,d); k_xor(16,a,b,c,d);\r
    irot(a,b,c,d); ib7(a,b,c,d,e,f,g,h); k_xor(15,e,f,g,h);\r
    irot(e,f,g,h); ib6(e,f,g,h,a,b,c,d); k_xor(14,a,b,c,d);\r
    irot(a,b,c,d); ib5(a,b,c,d,e,f,g,h); k_xor(13,e,f,g,h);\r
    irot(e,f,g,h); ib4(e,f,g,h,a,b,c,d); k_xor(12,a,b,c,d);\r
    irot(a,b,c,d); ib3(a,b,c,d,e,f,g,h); k_xor(11,e,f,g,h);\r
    irot(e,f,g,h); ib2(e,f,g,h,a,b,c,d); k_xor(10,a,b,c,d);\r
    irot(a,b,c,d); ib1(a,b,c,d,e,f,g,h); k_xor( 9,e,f,g,h);\r
    irot(e,f,g,h); ib0(e,f,g,h,a,b,c,d); k_xor( 8,a,b,c,d);\r
    irot(a,b,c,d); ib7(a,b,c,d,e,f,g,h); k_xor( 7,e,f,g,h);\r
    irot(e,f,g,h); ib6(e,f,g,h,a,b,c,d); k_xor( 6,a,b,c,d);\r
    irot(a,b,c,d); ib5(a,b,c,d,e,f,g,h); k_xor( 5,e,f,g,h);\r
    irot(e,f,g,h); ib4(e,f,g,h,a,b,c,d); k_xor( 4,a,b,c,d);\r
    irot(a,b,c,d); ib3(a,b,c,d,e,f,g,h); k_xor( 3,e,f,g,h);\r
    irot(e,f,g,h); ib2(e,f,g,h,a,b,c,d); k_xor( 2,a,b,c,d);\r
    irot(a,b,c,d); ib1(a,b,c,d,e,f,g,h); k_xor( 1,e,f,g,h);\r
    irot(e,f,g,h); ib0(e,f,g,h,a,b,c,d); k_xor( 0,a,b,c,d);\r
    \r
#ifdef  BLOCK_SWAP\r
    out_blk[3] = io_swap(a); out_blk[2] = io_swap(b); \r
    out_blk[1] = io_swap(c); out_blk[0] = io_swap(d);\r
#else\r
    out_blk[0] = a; out_blk[1] = b; out_blk[2] = c; out_blk[3] = d;\r
#endif\r
};\r