1 /* $KAME$ */ 2 3 /* 4 * rijndael-alg-fst.c v2.3 April '2000 5 * 6 * Optimised ANSI C code 7 * 8 * authors: v1.0: Antoon Bosselaers 9 * v2.0: Vincent Rijmen 10 * v2.3: Paulo Barreto 11 * 12 * This code is placed in the public domain. 13 */ 14 15 #include <sys/cdefs.h> 16 #include <sys/types.h> 17 #include <crypto/rijndael/rijndael-alg-fst.h> 18 #include <crypto/rijndael/rijndael_local.h> 19 20 #include <crypto/rijndael/boxes-fst.dat> 21 22 int rijndaelKeySched(word8 k[MAXKC][4], word8 W[MAXROUNDS+1][4][4], int ROUNDS) { 23 /* Calculate the necessary round keys 24 * The number of calculations depends on keyBits and blockBits 25 */ 26 int j, r, t, rconpointer = 0; 27 word8 tk[MAXKC][4]; 28 int KC = ROUNDS - 6; 29 30 for (j = KC-1; j >= 0; j--) { 31 *((word32*)tk[j]) = *((word32*)k[j]); 32 } 33 r = 0; 34 t = 0; 35 /* copy values into round key array */ 36 for (j = 0; (j < KC) && (r < ROUNDS + 1); ) { 37 for (; (j < KC) && (t < 4); j++, t++) { 38 *((word32*)W[r][t]) = *((word32*)tk[j]); 39 } 40 if (t == 4) { 41 r++; 42 t = 0; 43 } 44 } 45 46 while (r < ROUNDS + 1) { /* while not enough round key material calculated */ 47 /* calculate new values */ 48 tk[0][0] ^= S[tk[KC-1][1]]; 49 tk[0][1] ^= S[tk[KC-1][2]]; 50 tk[0][2] ^= S[tk[KC-1][3]]; 51 tk[0][3] ^= S[tk[KC-1][0]]; 52 tk[0][0] ^= rcon[rconpointer++]; 53 54 if (KC != 8) { 55 for (j = 1; j < KC; j++) { 56 *((word32*)tk[j]) ^= *((word32*)tk[j-1]); 57 } 58 } else { 59 for (j = 1; j < KC/2; j++) { 60 *((word32*)tk[j]) ^= *((word32*)tk[j-1]); 61 } 62 tk[KC/2][0] ^= S[tk[KC/2 - 1][0]]; 63 tk[KC/2][1] ^= S[tk[KC/2 - 1][1]]; 64 tk[KC/2][2] ^= S[tk[KC/2 - 1][2]]; 65 tk[KC/2][3] ^= S[tk[KC/2 - 1][3]]; 66 for (j = KC/2 + 1; j < KC; j++) { 67 *((word32*)tk[j]) ^= *((word32*)tk[j-1]); 68 } 69 } 70 /* copy values into round key array */ 71 for (j = 0; (j < KC) && (r < ROUNDS + 1); ) { 72 for (; (j < KC) && (t < 4); j++, t++) { 73 *((word32*)W[r][t]) = *((word32*)tk[j]); 74 } 75 if (t == 4) { 76 r++; 77 t = 0; 78 } 79 } 80 } 81 return 0; 82 } 83 84 int rijndaelKeyEncToDec(word8 W[MAXROUNDS+1][4][4], int ROUNDS) { 85 int r; 86 word8 *w; 87 88 for (r = 1; r < ROUNDS; r++) { 89 w = W[r][0]; 90 *((word32*)w) = 91 *((word32*)U1[w[0]]) 92 ^ *((word32*)U2[w[1]]) 93 ^ *((word32*)U3[w[2]]) 94 ^ *((word32*)U4[w[3]]); 95 96 w = W[r][1]; 97 *((word32*)w) = 98 *((word32*)U1[w[0]]) 99 ^ *((word32*)U2[w[1]]) 100 ^ *((word32*)U3[w[2]]) 101 ^ *((word32*)U4[w[3]]); 102 103 w = W[r][2]; 104 *((word32*)w) = 105 *((word32*)U1[w[0]]) 106 ^ *((word32*)U2[w[1]]) 107 ^ *((word32*)U3[w[2]]) 108 ^ *((word32*)U4[w[3]]); 109 110 w = W[r][3]; 111 *((word32*)w) = 112 *((word32*)U1[w[0]]) 113 ^ *((word32*)U2[w[1]]) 114 ^ *((word32*)U3[w[2]]) 115 ^ *((word32*)U4[w[3]]); 116 } 117 return 0; 118 } 119 120 /** 121 * Encrypt a single block. 122 */ 123 int rijndaelEncrypt(word8 a[16], word8 b[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { 124 int r; 125 word8 temp[4][4]; 126 127 *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[0][0]); 128 *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[0][1]); 129 *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[0][2]); 130 *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[0][3]); 131 *((word32*)(b )) = *((word32*)T1[temp[0][0]]) 132 ^ *((word32*)T2[temp[1][1]]) 133 ^ *((word32*)T3[temp[2][2]]) 134 ^ *((word32*)T4[temp[3][3]]); 135 *((word32*)(b + 4)) = *((word32*)T1[temp[1][0]]) 136 ^ *((word32*)T2[temp[2][1]]) 137 ^ *((word32*)T3[temp[3][2]]) 138 ^ *((word32*)T4[temp[0][3]]); 139 *((word32*)(b + 8)) = *((word32*)T1[temp[2][0]]) 140 ^ *((word32*)T2[temp[3][1]]) 141 ^ *((word32*)T3[temp[0][2]]) 142 ^ *((word32*)T4[temp[1][3]]); 143 *((word32*)(b +12)) = *((word32*)T1[temp[3][0]]) 144 ^ *((word32*)T2[temp[0][1]]) 145 ^ *((word32*)T3[temp[1][2]]) 146 ^ *((word32*)T4[temp[2][3]]); 147 for (r = 1; r < ROUNDS-1; r++) { 148 *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); 149 *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); 150 *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); 151 *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); 152 153 *((word32*)(b )) = *((word32*)T1[temp[0][0]]) 154 ^ *((word32*)T2[temp[1][1]]) 155 ^ *((word32*)T3[temp[2][2]]) 156 ^ *((word32*)T4[temp[3][3]]); 157 *((word32*)(b + 4)) = *((word32*)T1[temp[1][0]]) 158 ^ *((word32*)T2[temp[2][1]]) 159 ^ *((word32*)T3[temp[3][2]]) 160 ^ *((word32*)T4[temp[0][3]]); 161 *((word32*)(b + 8)) = *((word32*)T1[temp[2][0]]) 162 ^ *((word32*)T2[temp[3][1]]) 163 ^ *((word32*)T3[temp[0][2]]) 164 ^ *((word32*)T4[temp[1][3]]); 165 *((word32*)(b +12)) = *((word32*)T1[temp[3][0]]) 166 ^ *((word32*)T2[temp[0][1]]) 167 ^ *((word32*)T3[temp[1][2]]) 168 ^ *((word32*)T4[temp[2][3]]); 169 } 170 /* last round is special */ 171 *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[ROUNDS-1][0]); 172 *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[ROUNDS-1][1]); 173 *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[ROUNDS-1][2]); 174 *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[ROUNDS-1][3]); 175 b[ 0] = T1[temp[0][0]][1]; 176 b[ 1] = T1[temp[1][1]][1]; 177 b[ 2] = T1[temp[2][2]][1]; 178 b[ 3] = T1[temp[3][3]][1]; 179 b[ 4] = T1[temp[1][0]][1]; 180 b[ 5] = T1[temp[2][1]][1]; 181 b[ 6] = T1[temp[3][2]][1]; 182 b[ 7] = T1[temp[0][3]][1]; 183 b[ 8] = T1[temp[2][0]][1]; 184 b[ 9] = T1[temp[3][1]][1]; 185 b[10] = T1[temp[0][2]][1]; 186 b[11] = T1[temp[1][3]][1]; 187 b[12] = T1[temp[3][0]][1]; 188 b[13] = T1[temp[0][1]][1]; 189 b[14] = T1[temp[1][2]][1]; 190 b[15] = T1[temp[2][3]][1]; 191 *((word32*)(b )) ^= *((word32*)rk[ROUNDS][0]); 192 *((word32*)(b+ 4)) ^= *((word32*)rk[ROUNDS][1]); 193 *((word32*)(b+ 8)) ^= *((word32*)rk[ROUNDS][2]); 194 *((word32*)(b+12)) ^= *((word32*)rk[ROUNDS][3]); 195 196 return 0; 197 } 198 199 #ifdef INTERMEDIATE_VALUE_KAT 200 /** 201 * Encrypt only a certain number of rounds. 202 * Only used in the Intermediate Value Known Answer Test. 203 */ 204 int rijndaelEncryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { 205 int r; 206 word8 temp[4][4]; 207 208 /* make number of rounds sane */ 209 if (rounds > ROUNDS) { 210 rounds = ROUNDS; 211 } 212 213 *((word32*)a[0]) = *((word32*)a[0]) ^ *((word32*)rk[0][0]); 214 *((word32*)a[1]) = *((word32*)a[1]) ^ *((word32*)rk[0][1]); 215 *((word32*)a[2]) = *((word32*)a[2]) ^ *((word32*)rk[0][2]); 216 *((word32*)a[3]) = *((word32*)a[3]) ^ *((word32*)rk[0][3]); 217 218 for (r = 1; (r <= rounds) && (r < ROUNDS); r++) { 219 *((word32*)temp[0]) = *((word32*)T1[a[0][0]]) 220 ^ *((word32*)T2[a[1][1]]) 221 ^ *((word32*)T3[a[2][2]]) 222 ^ *((word32*)T4[a[3][3]]); 223 *((word32*)temp[1]) = *((word32*)T1[a[1][0]]) 224 ^ *((word32*)T2[a[2][1]]) 225 ^ *((word32*)T3[a[3][2]]) 226 ^ *((word32*)T4[a[0][3]]); 227 *((word32*)temp[2]) = *((word32*)T1[a[2][0]]) 228 ^ *((word32*)T2[a[3][1]]) 229 ^ *((word32*)T3[a[0][2]]) 230 ^ *((word32*)T4[a[1][3]]); 231 *((word32*)temp[3]) = *((word32*)T1[a[3][0]]) 232 ^ *((word32*)T2[a[0][1]]) 233 ^ *((word32*)T3[a[1][2]]) 234 ^ *((word32*)T4[a[2][3]]); 235 *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[r][0]); 236 *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[r][1]); 237 *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[r][2]); 238 *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[r][3]); 239 } 240 if (rounds == ROUNDS) { 241 /* last round is special */ 242 temp[0][0] = T1[a[0][0]][1]; 243 temp[0][1] = T1[a[1][1]][1]; 244 temp[0][2] = T1[a[2][2]][1]; 245 temp[0][3] = T1[a[3][3]][1]; 246 temp[1][0] = T1[a[1][0]][1]; 247 temp[1][1] = T1[a[2][1]][1]; 248 temp[1][2] = T1[a[3][2]][1]; 249 temp[1][3] = T1[a[0][3]][1]; 250 temp[2][0] = T1[a[2][0]][1]; 251 temp[2][1] = T1[a[3][1]][1]; 252 temp[2][2] = T1[a[0][2]][1]; 253 temp[2][3] = T1[a[1][3]][1]; 254 temp[3][0] = T1[a[3][0]][1]; 255 temp[3][1] = T1[a[0][1]][1]; 256 temp[3][2] = T1[a[1][2]][1]; 257 temp[3][3] = T1[a[2][3]][1]; 258 *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[ROUNDS][0]); 259 *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[ROUNDS][1]); 260 *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[ROUNDS][2]); 261 *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[ROUNDS][3]); 262 } 263 264 return 0; 265 } 266 #endif /* INTERMEDIATE_VALUE_KAT */ 267 268 /** 269 * Decrypt a single block. 270 */ 271 int rijndaelDecrypt(word8 a[16], word8 b[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { 272 int r; 273 word8 temp[4][4]; 274 275 *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[ROUNDS][0]); 276 *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[ROUNDS][1]); 277 *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[ROUNDS][2]); 278 *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[ROUNDS][3]); 279 280 *((word32*)(b )) = *((word32*)T5[temp[0][0]]) 281 ^ *((word32*)T6[temp[3][1]]) 282 ^ *((word32*)T7[temp[2][2]]) 283 ^ *((word32*)T8[temp[1][3]]); 284 *((word32*)(b+ 4)) = *((word32*)T5[temp[1][0]]) 285 ^ *((word32*)T6[temp[0][1]]) 286 ^ *((word32*)T7[temp[3][2]]) 287 ^ *((word32*)T8[temp[2][3]]); 288 *((word32*)(b+ 8)) = *((word32*)T5[temp[2][0]]) 289 ^ *((word32*)T6[temp[1][1]]) 290 ^ *((word32*)T7[temp[0][2]]) 291 ^ *((word32*)T8[temp[3][3]]); 292 *((word32*)(b+12)) = *((word32*)T5[temp[3][0]]) 293 ^ *((word32*)T6[temp[2][1]]) 294 ^ *((word32*)T7[temp[1][2]]) 295 ^ *((word32*)T8[temp[0][3]]); 296 for (r = ROUNDS-1; r > 1; r--) { 297 *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); 298 *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); 299 *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); 300 *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); 301 *((word32*)(b )) = *((word32*)T5[temp[0][0]]) 302 ^ *((word32*)T6[temp[3][1]]) 303 ^ *((word32*)T7[temp[2][2]]) 304 ^ *((word32*)T8[temp[1][3]]); 305 *((word32*)(b+ 4)) = *((word32*)T5[temp[1][0]]) 306 ^ *((word32*)T6[temp[0][1]]) 307 ^ *((word32*)T7[temp[3][2]]) 308 ^ *((word32*)T8[temp[2][3]]); 309 *((word32*)(b+ 8)) = *((word32*)T5[temp[2][0]]) 310 ^ *((word32*)T6[temp[1][1]]) 311 ^ *((word32*)T7[temp[0][2]]) 312 ^ *((word32*)T8[temp[3][3]]); 313 *((word32*)(b+12)) = *((word32*)T5[temp[3][0]]) 314 ^ *((word32*)T6[temp[2][1]]) 315 ^ *((word32*)T7[temp[1][2]]) 316 ^ *((word32*)T8[temp[0][3]]); 317 } 318 /* last round is special */ 319 *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[1][0]); 320 *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[1][1]); 321 *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[1][2]); 322 *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[1][3]); 323 b[ 0] = S5[temp[0][0]]; 324 b[ 1] = S5[temp[3][1]]; 325 b[ 2] = S5[temp[2][2]]; 326 b[ 3] = S5[temp[1][3]]; 327 b[ 4] = S5[temp[1][0]]; 328 b[ 5] = S5[temp[0][1]]; 329 b[ 6] = S5[temp[3][2]]; 330 b[ 7] = S5[temp[2][3]]; 331 b[ 8] = S5[temp[2][0]]; 332 b[ 9] = S5[temp[1][1]]; 333 b[10] = S5[temp[0][2]]; 334 b[11] = S5[temp[3][3]]; 335 b[12] = S5[temp[3][0]]; 336 b[13] = S5[temp[2][1]]; 337 b[14] = S5[temp[1][2]]; 338 b[15] = S5[temp[0][3]]; 339 *((word32*)(b )) ^= *((word32*)rk[0][0]); 340 *((word32*)(b+ 4)) ^= *((word32*)rk[0][1]); 341 *((word32*)(b+ 8)) ^= *((word32*)rk[0][2]); 342 *((word32*)(b+12)) ^= *((word32*)rk[0][3]); 343 344 return 0; 345 } 346 347 348 #ifdef INTERMEDIATE_VALUE_KAT 349 /** 350 * Decrypt only a certain number of rounds. 351 * Only used in the Intermediate Value Known Answer Test. 352 * Operations rearranged such that the intermediate values 353 * of decryption correspond with the intermediate values 354 * of encryption. 355 */ 356 int rijndaelDecryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { 357 int r, i; 358 word8 temp[4], shift; 359 360 /* make number of rounds sane */ 361 if (rounds > ROUNDS) { 362 rounds = ROUNDS; 363 } 364 /* first round is special: */ 365 *(word32 *)a[0] ^= *(word32 *)rk[ROUNDS][0]; 366 *(word32 *)a[1] ^= *(word32 *)rk[ROUNDS][1]; 367 *(word32 *)a[2] ^= *(word32 *)rk[ROUNDS][2]; 368 *(word32 *)a[3] ^= *(word32 *)rk[ROUNDS][3]; 369 for (i = 0; i < 4; i++) { 370 a[i][0] = Si[a[i][0]]; 371 a[i][1] = Si[a[i][1]]; 372 a[i][2] = Si[a[i][2]]; 373 a[i][3] = Si[a[i][3]]; 374 } 375 for (i = 1; i < 4; i++) { 376 shift = (4 - i) & 3; 377 temp[0] = a[(0 + shift) & 3][i]; 378 temp[1] = a[(1 + shift) & 3][i]; 379 temp[2] = a[(2 + shift) & 3][i]; 380 temp[3] = a[(3 + shift) & 3][i]; 381 a[0][i] = temp[0]; 382 a[1][i] = temp[1]; 383 a[2][i] = temp[2]; 384 a[3][i] = temp[3]; 385 } 386 /* ROUNDS-1 ordinary rounds */ 387 for (r = ROUNDS-1; r > rounds; r--) { 388 *(word32 *)a[0] ^= *(word32 *)rk[r][0]; 389 *(word32 *)a[1] ^= *(word32 *)rk[r][1]; 390 *(word32 *)a[2] ^= *(word32 *)rk[r][2]; 391 *(word32 *)a[3] ^= *(word32 *)rk[r][3]; 392 393 *((word32*)a[0]) = 394 *((word32*)U1[a[0][0]]) 395 ^ *((word32*)U2[a[0][1]]) 396 ^ *((word32*)U3[a[0][2]]) 397 ^ *((word32*)U4[a[0][3]]); 398 399 *((word32*)a[1]) = 400 *((word32*)U1[a[1][0]]) 401 ^ *((word32*)U2[a[1][1]]) 402 ^ *((word32*)U3[a[1][2]]) 403 ^ *((word32*)U4[a[1][3]]); 404 405 *((word32*)a[2]) = 406 *((word32*)U1[a[2][0]]) 407 ^ *((word32*)U2[a[2][1]]) 408 ^ *((word32*)U3[a[2][2]]) 409 ^ *((word32*)U4[a[2][3]]); 410 411 *((word32*)a[3]) = 412 *((word32*)U1[a[3][0]]) 413 ^ *((word32*)U2[a[3][1]]) 414 ^ *((word32*)U3[a[3][2]]) 415 ^ *((word32*)U4[a[3][3]]); 416 for (i = 0; i < 4; i++) { 417 a[i][0] = Si[a[i][0]]; 418 a[i][1] = Si[a[i][1]]; 419 a[i][2] = Si[a[i][2]]; 420 a[i][3] = Si[a[i][3]]; 421 } 422 for (i = 1; i < 4; i++) { 423 shift = (4 - i) & 3; 424 temp[0] = a[(0 + shift) & 3][i]; 425 temp[1] = a[(1 + shift) & 3][i]; 426 temp[2] = a[(2 + shift) & 3][i]; 427 temp[3] = a[(3 + shift) & 3][i]; 428 a[0][i] = temp[0]; 429 a[1][i] = temp[1]; 430 a[2][i] = temp[2]; 431 a[3][i] = temp[3]; 432 } 433 } 434 if (rounds == 0) { 435 /* End with the extra key addition */ 436 *(word32 *)a[0] ^= *(word32 *)rk[0][0]; 437 *(word32 *)a[1] ^= *(word32 *)rk[0][1]; 438 *(word32 *)a[2] ^= *(word32 *)rk[0][2]; 439 *(word32 *)a[3] ^= *(word32 *)rk[0][3]; 440 } 441 return 0; 442 } 443 #endif /* INTERMEDIATE_VALUE_KAT */ 444