1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
6 * The library is free for all purposes without any express
10 /*******************************************************************************
14 * LTC_DESCRIPTION: block-cipher algorithm LTC_SAFER (Secure And Fast Encryption
15 * Routine) in its four versions: LTC_SAFER K-64, LTC_SAFER K-128,
16 * LTC_SAFER SK-64 and LTC_SAFER SK-128.
18 * AUTHOR: Richard De Moliner (demoliner@isi.ee.ethz.ch)
19 * Signal and Information Processing Laboratory
20 * Swiss Federal Institute of Technology
21 * CH-8092 Zuerich, Switzerland
23 * DATE: September 9, 1995
27 *******************************************************************************/
33 #define __LTC_SAFER_TAB_C__
34 #include "safer_tab.c"
36 const struct ltc_cipher_descriptor safer_k64_desc = {
38 8, 8, 8, 8, LTC_SAFER_K64_DEFAULT_NOF_ROUNDS,
45 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
50 9, 8, 8, 8, LTC_SAFER_SK64_DEFAULT_NOF_ROUNDS,
57 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
62 10, 16, 16, 8, LTC_SAFER_K128_DEFAULT_NOF_ROUNDS,
69 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
74 11, 16, 16, 8, LTC_SAFER_SK128_DEFAULT_NOF_ROUNDS,
81 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
84 /******************* Constants ************************************************/
85 /* #define TAB_LEN 256 */
87 /******************* Assertions ***********************************************/
89 /******************* Macros ***************************************************/
90 #define ROL8(x, n) ((unsigned char)((unsigned int)(x) << (n)\
91 |(unsigned int)((x) & 0xFF) >> (8 - (n))))
92 #define EXP(x) safer_ebox[(x) & 0xFF]
93 #define LOG(x) safer_lbox[(x) & 0xFF]
94 #define PHT(x, y) { y += x; x += y; }
95 #define IPHT(x, y) { x -= y; y -= x; }
97 /******************* Types ****************************************************/
99 #ifdef LTC_CLEAN_STACK
100 static void _Safer_Expand_Userkey(const unsigned char *userkey_1,
101 const unsigned char *userkey_2,
102 unsigned int nof_rounds,
106 static void Safer_Expand_Userkey(const unsigned char *userkey_1,
107 const unsigned char *userkey_2,
108 unsigned int nof_rounds,
112 { unsigned int i, j, k;
113 unsigned char ka[LTC_SAFER_BLOCK_LEN + 1];
114 unsigned char kb[LTC_SAFER_BLOCK_LEN + 1];
116 if (LTC_SAFER_MAX_NOF_ROUNDS < nof_rounds)
117 nof_rounds = LTC_SAFER_MAX_NOF_ROUNDS;
118 *key++ = (unsigned char)nof_rounds;
119 ka[LTC_SAFER_BLOCK_LEN] = (unsigned char)0;
120 kb[LTC_SAFER_BLOCK_LEN] = (unsigned char)0;
122 for (j = 0; j < LTC_SAFER_BLOCK_LEN; j++) {
123 ka[j] = ROL8(userkey_1[j], 5);
124 ka[LTC_SAFER_BLOCK_LEN] ^= ka[j];
125 kb[j] = *key++ = userkey_2[j];
126 kb[LTC_SAFER_BLOCK_LEN] ^= kb[j];
128 for (i = 1; i <= nof_rounds; i++) {
129 for (j = 0; j < LTC_SAFER_BLOCK_LEN + 1; j++) {
130 ka[j] = ROL8(ka[j], 6);
131 kb[j] = ROL8(kb[j], 6);
135 while (k >= (LTC_SAFER_BLOCK_LEN + 1)) { k -= LTC_SAFER_BLOCK_LEN + 1; }
137 for (j = 0; j < LTC_SAFER_BLOCK_LEN; j++) {
140 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
141 if (++k == (LTC_SAFER_BLOCK_LEN + 1)) { k = 0; }
143 *key++ = (ka[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 1)&0xFF)]]) & 0xFF;
148 while (k >= (LTC_SAFER_BLOCK_LEN + 1)) { k -= LTC_SAFER_BLOCK_LEN + 1; }
150 for (j = 0; j < LTC_SAFER_BLOCK_LEN; j++) {
153 + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
154 if (++k == (LTC_SAFER_BLOCK_LEN + 1)) { k = 0; }
156 *key++ = (kb[j] + safer_ebox[(int)safer_ebox[(int)((18 * i + j + 10)&0xFF)]]) & 0xFF;
161 #ifdef LTC_CLEAN_STACK
162 zeromem(ka, sizeof(ka));
163 zeromem(kb, sizeof(kb));
167 #ifdef LTC_CLEAN_STACK
168 static void Safer_Expand_Userkey(const unsigned char *userkey_1,
169 const unsigned char *userkey_2,
170 unsigned int nof_rounds,
174 _Safer_Expand_Userkey(userkey_1, userkey_2, nof_rounds, strengthened, key);
175 burn_stack(sizeof(unsigned char) * (2 * (LTC_SAFER_BLOCK_LEN + 1)) + sizeof(unsigned int)*2);
179 int safer_k64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
181 LTC_ARGCHK(key != NULL);
182 LTC_ARGCHK(skey != NULL);
184 if (numrounds != 0 && (numrounds < 6 || numrounds > LTC_SAFER_MAX_NOF_ROUNDS)) {
185 return CRYPT_INVALID_ROUNDS;
189 return CRYPT_INVALID_KEYSIZE;
192 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:LTC_SAFER_K64_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
196 int safer_sk64_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
198 LTC_ARGCHK(key != NULL);
199 LTC_ARGCHK(skey != NULL);
201 if (numrounds != 0 && (numrounds < 6 || numrounds > LTC_SAFER_MAX_NOF_ROUNDS)) {
202 return CRYPT_INVALID_ROUNDS;
206 return CRYPT_INVALID_KEYSIZE;
209 Safer_Expand_Userkey(key, key, (unsigned int)(numrounds != 0 ?numrounds:LTC_SAFER_SK64_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
213 int safer_k128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
215 LTC_ARGCHK(key != NULL);
216 LTC_ARGCHK(skey != NULL);
218 if (numrounds != 0 && (numrounds < 6 || numrounds > LTC_SAFER_MAX_NOF_ROUNDS)) {
219 return CRYPT_INVALID_ROUNDS;
223 return CRYPT_INVALID_KEYSIZE;
226 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0 ?numrounds:LTC_SAFER_K128_DEFAULT_NOF_ROUNDS), 0, skey->safer.key);
230 int safer_sk128_setup(const unsigned char *key, int keylen, int numrounds, symmetric_key *skey)
232 LTC_ARGCHK(key != NULL);
233 LTC_ARGCHK(skey != NULL);
235 if (numrounds != 0 && (numrounds < 6 || numrounds > LTC_SAFER_MAX_NOF_ROUNDS)) {
236 return CRYPT_INVALID_ROUNDS;
240 return CRYPT_INVALID_KEYSIZE;
243 Safer_Expand_Userkey(key, key+8, (unsigned int)(numrounds != 0?numrounds:LTC_SAFER_SK128_DEFAULT_NOF_ROUNDS), 1, skey->safer.key);
247 #ifdef LTC_CLEAN_STACK
248 static int _safer_ecb_encrypt(const unsigned char *block_in,
249 unsigned char *block_out,
252 int safer_ecb_encrypt(const unsigned char *block_in,
253 unsigned char *block_out,
256 { unsigned char a, b, c, d, e, f, g, h, t;
260 LTC_ARGCHK(block_in != NULL);
261 LTC_ARGCHK(block_out != NULL);
262 LTC_ARGCHK(skey != NULL);
264 key = skey->safer.key;
265 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
266 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
267 if (LTC_SAFER_MAX_NOF_ROUNDS < (round = *key)) round = LTC_SAFER_MAX_NOF_ROUNDS;
270 a ^= *++key; b += *++key; c += *++key; d ^= *++key;
271 e ^= *++key; f += *++key; g += *++key; h ^= *++key;
272 a = EXP(a) + *++key; b = LOG(b) ^ *++key;
273 c = LOG(c) ^ *++key; d = EXP(d) + *++key;
274 e = EXP(e) + *++key; f = LOG(f) ^ *++key;
275 g = LOG(g) ^ *++key; h = EXP(h) + *++key;
276 PHT(a, b); PHT(c, d); PHT(e, f); PHT(g, h);
277 PHT(a, c); PHT(e, g); PHT(b, d); PHT(f, h);
278 PHT(a, e); PHT(b, f); PHT(c, g); PHT(d, h);
279 t = b; b = e; e = c; c = t; t = d; d = f; f = g; g = t;
281 a ^= *++key; b += *++key; c += *++key; d ^= *++key;
282 e ^= *++key; f += *++key; g += *++key; h ^= *++key;
283 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
284 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
285 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
286 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
290 #ifdef LTC_CLEAN_STACK
291 int safer_ecb_encrypt(const unsigned char *block_in,
292 unsigned char *block_out,
295 int err = _safer_ecb_encrypt(block_in, block_out, skey);
296 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
301 #ifdef LTC_CLEAN_STACK
302 static int _safer_ecb_decrypt(const unsigned char *block_in,
303 unsigned char *block_out,
306 int safer_ecb_decrypt(const unsigned char *block_in,
307 unsigned char *block_out,
310 { unsigned char a, b, c, d, e, f, g, h, t;
314 LTC_ARGCHK(block_in != NULL);
315 LTC_ARGCHK(block_out != NULL);
316 LTC_ARGCHK(skey != NULL);
318 key = skey->safer.key;
319 a = block_in[0]; b = block_in[1]; c = block_in[2]; d = block_in[3];
320 e = block_in[4]; f = block_in[5]; g = block_in[6]; h = block_in[7];
321 if (LTC_SAFER_MAX_NOF_ROUNDS < (round = *key)) round = LTC_SAFER_MAX_NOF_ROUNDS;
322 key += LTC_SAFER_BLOCK_LEN * (1 + 2 * round);
323 h ^= *key; g -= *--key; f -= *--key; e ^= *--key;
324 d ^= *--key; c -= *--key; b -= *--key; a ^= *--key;
327 t = e; e = b; b = c; c = t; t = f; f = d; d = g; g = t;
328 IPHT(a, e); IPHT(b, f); IPHT(c, g); IPHT(d, h);
329 IPHT(a, c); IPHT(e, g); IPHT(b, d); IPHT(f, h);
330 IPHT(a, b); IPHT(c, d); IPHT(e, f); IPHT(g, h);
331 h -= *--key; g ^= *--key; f ^= *--key; e -= *--key;
332 d -= *--key; c ^= *--key; b ^= *--key; a -= *--key;
333 h = LOG(h) ^ *--key; g = EXP(g) - *--key;
334 f = EXP(f) - *--key; e = LOG(e) ^ *--key;
335 d = LOG(d) ^ *--key; c = EXP(c) - *--key;
336 b = EXP(b) - *--key; a = LOG(a) ^ *--key;
338 block_out[0] = a & 0xFF; block_out[1] = b & 0xFF;
339 block_out[2] = c & 0xFF; block_out[3] = d & 0xFF;
340 block_out[4] = e & 0xFF; block_out[5] = f & 0xFF;
341 block_out[6] = g & 0xFF; block_out[7] = h & 0xFF;
345 #ifdef LTC_CLEAN_STACK
346 int safer_ecb_decrypt(const unsigned char *block_in,
347 unsigned char *block_out,
350 int err = _safer_ecb_decrypt(block_in, block_out, skey);
351 burn_stack(sizeof(unsigned char) * 9 + sizeof(unsigned int) + sizeof(unsigned char *));
356 int safer_64_keysize(int *keysize)
358 LTC_ARGCHK(keysize != NULL);
360 return CRYPT_INVALID_KEYSIZE;
367 int safer_128_keysize(int *keysize)
369 LTC_ARGCHK(keysize != NULL);
371 return CRYPT_INVALID_KEYSIZE;
378 int safer_k64_test(void)
383 static const unsigned char k64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
384 k64_key[] = { 8, 7, 6, 5, 4, 3, 2, 1 },
385 k64_ct[] = { 200, 242, 156, 221, 135, 120, 62, 217 };
388 unsigned char buf[2][8];
392 if ((err = safer_k64_setup(k64_key, 8, 6, &skey)) != CRYPT_OK) {
395 safer_ecb_encrypt(k64_pt, buf[0], &skey);
396 safer_ecb_decrypt(buf[0], buf[1], &skey);
398 if (compare_testvector(buf[0], 8, k64_ct, 8, "Safer K64 Encrypt", 0) != 0 ||
399 compare_testvector(buf[1], 8, k64_pt, 8, "Safer K64 Decrypt", 0) != 0) {
400 return CRYPT_FAIL_TESTVECTOR;
408 int safer_sk64_test(void)
413 static const unsigned char sk64_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
414 sk64_key[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
415 sk64_ct[] = { 95, 206, 155, 162, 5, 132, 56, 199 };
418 unsigned char buf[2][8];
422 if ((err = safer_sk64_setup(sk64_key, 8, 6, &skey)) != CRYPT_OK) {
426 safer_ecb_encrypt(sk64_pt, buf[0], &skey);
427 safer_ecb_decrypt(buf[0], buf[1], &skey);
429 if (compare_testvector(buf[0], 8, sk64_ct, 8, "Safer SK64 Encrypt", 0) != 0 ||
430 compare_testvector(buf[1], 8, sk64_pt, 8, "Safer SK64 Decrypt", 0) != 0) {
431 return CRYPT_FAIL_TESTVECTOR;
434 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
435 for (y = 0; y < 8; y++) buf[0][y] = 0;
436 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
437 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
438 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
444 /** Terminate the context
445 @param skey The scheduled key
447 void safer_done(symmetric_key *skey)
449 LTC_UNUSED_PARAM(skey);
452 int safer_sk128_test(void)
457 static const unsigned char sk128_pt[] = { 1, 2, 3, 4, 5, 6, 7, 8 },
458 sk128_key[] = { 1, 2, 3, 4, 5, 6, 7, 8,
459 0, 0, 0, 0, 0, 0, 0, 0 },
460 sk128_ct[] = { 255, 120, 17, 228, 179, 167, 46, 113 };
463 unsigned char buf[2][8];
467 if ((err = safer_sk128_setup(sk128_key, 16, 0, &skey)) != CRYPT_OK) {
470 safer_ecb_encrypt(sk128_pt, buf[0], &skey);
471 safer_ecb_decrypt(buf[0], buf[1], &skey);
473 if (compare_testvector(buf[0], 8, sk128_ct, 8, "Safer SK128 Encrypt", 0) != 0 ||
474 compare_testvector(buf[1], 8, sk128_pt, 8, "Safer SK128 Decrypt", 0) != 0) {
475 return CRYPT_FAIL_TESTVECTOR;
478 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
479 for (y = 0; y < 8; y++) buf[0][y] = 0;
480 for (y = 0; y < 1000; y++) safer_ecb_encrypt(buf[0], buf[0], &skey);
481 for (y = 0; y < 1000; y++) safer_ecb_decrypt(buf[0], buf[0], &skey);
482 for (y = 0; y < 8; y++) if (buf[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
493 /* ref: $Format:%D$ */
494 /* git commit: $Format:%H$ */
495 /* commit time: $Format:%ai$ */