/* LibTomCrypt, modular cryptographic library -- Tom St Denis * * LibTomCrypt is a library that provides various cryptographic * algorithms in a highly modular and flexible manner. * * The library is free for all purposes without any express * guarantee it works. */ #include "tomcrypt.h" /** @file sober128_stream.c Implementation of SOBER-128 by Tom St Denis. Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM. */ #ifdef LTC_SOBER128 #define __LTC_SOBER128TAB_C__ #include "sober128tab.c" /* don't change these... */ #define N 17 #define FOLD N /* how many iterations of folding to do */ #define INITKONST 0x6996c53a /* value of KONST to use during key loading */ #define KEYP 15 /* where to insert key words */ #define FOLDP 4 /* where to insert non-linear feedback */ #define B(x,i) ((unsigned char)(((x) >> (8*i)) & 0xFF)) static ulong32 BYTE2WORD(unsigned char *b) { ulong32 t; LOAD32L(t, b); return t; } static void XORWORD(ulong32 w, const unsigned char *in, unsigned char *out) { ulong32 t; LOAD32L(t, in); t ^= w; STORE32L(t, out); } /* give correct offset for the current position of the register, * where logically R[0] is at position "zero". */ #define OFF(zero, i) (((zero)+(i)) % N) /* step the LFSR */ /* After stepping, "zero" moves right one place */ #define STEP(R,z) \ R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF]; static void cycle(ulong32 *R) { ulong32 t; int i; STEP(R,0); t = R[0]; for (i = 1; i < N; ++i) { R[i-1] = R[i]; } R[N-1] = t; } /* Return a non-linear function of some parts of the register. */ #define NLFUNC(c,z) \ { \ t = c->R[OFF(z,0)] + c->R[OFF(z,16)]; \ t ^= Sbox[(t >> 24) & 0xFF]; \ t = RORc(t, 8); \ t = ((t + c->R[OFF(z,1)]) ^ c->konst) + c->R[OFF(z,6)]; \ t ^= Sbox[(t >> 24) & 0xFF]; \ t = t + c->R[OFF(z,13)]; \ } static ulong32 nltap(sober128_state *c) { ulong32 t; NLFUNC(c, 0); return t; } /* Save the current register state */ static void s128_savestate(sober128_state *c) { int i; for (i = 0; i < N; ++i) { c->initR[i] = c->R[i]; } } /* initialise to previously saved register state */ static void s128_reloadstate(sober128_state *c) { int i; for (i = 0; i < N; ++i) { c->R[i] = c->initR[i]; } } /* Initialise "konst" */ static void s128_genkonst(sober128_state *c) { ulong32 newkonst; do { cycle(c->R); newkonst = nltap(c); } while ((newkonst & 0xFF000000) == 0); c->konst = newkonst; } /* Load key material into the register */ #define ADDKEY(k) \ c->R[KEYP] += (k); #define XORNL(nl) \ c->R[FOLDP] ^= (nl); /* nonlinear diffusion of register for key */ #define DROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); c->R[OFF((z+1),FOLDP)] ^= t; static void s128_diffuse(sober128_state *c) { ulong32 t; /* relies on FOLD == N == 17! */ DROUND(0); DROUND(1); DROUND(2); DROUND(3); DROUND(4); DROUND(5); DROUND(6); DROUND(7); DROUND(8); DROUND(9); DROUND(10); DROUND(11); DROUND(12); DROUND(13); DROUND(14); DROUND(15); DROUND(16); } /** Initialize an Sober128 context (only the key) @param c [out] The destination of the Sober128 state @param key The secret key @param keylen The length of the secret key (octets) @return CRYPT_OK if successful */ int sober128_stream_setup(sober128_state *c, const unsigned char *key, unsigned long keylen) { ulong32 i, k; LTC_ARGCHK(c != NULL); LTC_ARGCHK(key != NULL); LTC_ARGCHK(keylen > 0); /* keylen must be multiple of 4 bytes */ if ((keylen & 3) != 0) { return CRYPT_INVALID_KEYSIZE; } /* Register initialised to Fibonacci numbers */ c->R[0] = 1; c->R[1] = 1; for (i = 2; i < N; ++i) { c->R[i] = c->R[i-1] + c->R[i-2]; } c->konst = INITKONST; for (i = 0; i < keylen; i += 4) { k = BYTE2WORD((unsigned char *)&key[i]); ADDKEY(k); cycle(c->R); XORNL(nltap(c)); } /* also fold in the length of the key */ ADDKEY(keylen); /* now diffuse */ s128_diffuse(c); s128_genkonst(c); s128_savestate(c); c->nbuf = 0; return CRYPT_OK; } /** Set IV to the Sober128 state @param c The Sober12820 state @param iv The IV data to add @param ivlen The length of the IV (must be 12) @return CRYPT_OK on success */ int sober128_stream_setiv(sober128_state *c, const unsigned char *iv, unsigned long ivlen) { ulong32 i, k; LTC_ARGCHK(c != NULL); LTC_ARGCHK(iv != NULL); LTC_ARGCHK(ivlen > 0); /* ok we are adding an IV then... */ s128_reloadstate(c); /* ivlen must be multiple of 4 bytes */ if ((ivlen & 3) != 0) { return CRYPT_INVALID_KEYSIZE; } for (i = 0; i < ivlen; i += 4) { k = BYTE2WORD((unsigned char *)&iv[i]); ADDKEY(k); cycle(c->R); XORNL(nltap(c)); } /* also fold in the length of the key */ ADDKEY(ivlen); /* now diffuse */ s128_diffuse(c); c->nbuf = 0; return CRYPT_OK; } /* XOR pseudo-random bytes into buffer */ #define SROUND(z) STEP(c->R,z); NLFUNC(c,(z+1)); XORWORD(t, in+(z*4), out+(z*4)); /** Encrypt (or decrypt) bytes of ciphertext (or plaintext) with Sober128 @param c The Sober128 state @param in The plaintext (or ciphertext) @param inlen The length of the input (octets) @param out [out] The ciphertext (or plaintext), length inlen @return CRYPT_OK if successful */ int sober128_stream_crypt(sober128_state *c, const unsigned char *in, unsigned long inlen, unsigned char *out) { ulong32 t; if (inlen == 0) return CRYPT_OK; /* nothing to do */ LTC_ARGCHK(out != NULL); LTC_ARGCHK(c != NULL); /* handle any previously buffered bytes */ while (c->nbuf != 0 && inlen != 0) { *out++ = *in++ ^ (unsigned char)(c->sbuf & 0xFF); c->sbuf >>= 8; c->nbuf -= 8; --inlen; } #ifndef LTC_SMALL_CODE /* do lots at a time, if there's enough to do */ while (inlen >= N*4) { SROUND(0); SROUND(1); SROUND(2); SROUND(3); SROUND(4); SROUND(5); SROUND(6); SROUND(7); SROUND(8); SROUND(9); SROUND(10); SROUND(11); SROUND(12); SROUND(13); SROUND(14); SROUND(15); SROUND(16); out += 4*N; in += 4*N; inlen -= 4*N; } #endif /* do small or odd size buffers the slow way */ while (4 <= inlen) { cycle(c->R); t = nltap(c); XORWORD(t, in, out); out += 4; in += 4; inlen -= 4; } /* handle any trailing bytes */ if (inlen != 0) { cycle(c->R); c->sbuf = nltap(c); c->nbuf = 32; while (c->nbuf != 0 && inlen != 0) { *out++ = *in++ ^ (unsigned char)(c->sbuf & 0xFF); c->sbuf >>= 8; c->nbuf -= 8; --inlen; } } return CRYPT_OK; } int sober128_stream_keystream(sober128_state *c, unsigned char *out, unsigned long outlen) { if (outlen == 0) return CRYPT_OK; /* nothing to do */ LTC_ARGCHK(out != NULL); XMEMSET(out, 0, outlen); return sober128_stream_crypt(c, out, outlen, out); } /** Terminate and clear Sober128 state @param c The Sober128 state @return CRYPT_OK on success */ int sober128_stream_done(sober128_state *c) { LTC_ARGCHK(c != NULL); XMEMSET(c, 0, sizeof(sober128_state)); return CRYPT_OK; } #endif /* ref: $Format:%D$ */ /* git commit: $Format:%H$ */ /* commit time: $Format:%ai$ */