From: bg Date: Thu, 6 Aug 2009 13:31:40 +0000 (+0000) Subject: new makefile and modified build process X-Git-Url: https://git.cryptolib.org/?p=avr-crypto-lib.git;a=commitdiff_plain;h=4f50c75ee5a6cc88bf7ea71957ed509e298e6c25 new makefile and modified build process --- diff --git a/Makefile b/Makefile index 7afbe74..5a9090c 100644 --- a/Makefile +++ b/Makefile @@ -2,363 +2,261 @@ # author: Daniel Otte SHELL = sh -BLOCK_CIPHERS := -STREAM_CIPHERS := +BLOCK_CIPHERS := +STREAM_CIPHERS := HASHES := MACS := -PRNGS := +PRNGS := ENCODINGS := AUX := # we use the gnu make standard library include gmsl include avr-makefile.inc + +#------------------------------------------------------------------------------- +# inclusion of make stubs include mkfiles/*.mk -ALGORITHMS = $(BLOCK_CIPHERS) $(STREAM_CIPHERS) $(HASHES) $(PRNGS) $(MACS) $(ENCODINGS) $(AUX) +#------------------------------------------------------------------------------- +ALGORITHMS = $(BLOCK_CIPHERS) $(STREAM_CIPHERS) $(HASHES) $(PRNGS) $(MACS) \ + $(ENCODINGS) $(AUX) ALGORITHMS_OBJ = $(patsubst %,%_OBJ, $(ALGORITHMS)) ALGORITHMS_TEST_BIN = $(patsubst %,%_TEST_BIN, $(ALGORITHMS)) -define OBJinBINDIR_TEMPLATE +#------------------------------------------------------------------------------- +# define binary object in $(BIN_DIR)$(ALGO)/ +define Assert_Template $(1) = $(2) endef -$(foreach a, $(ALGORITHMS_OBJ), $(eval $(call OBJinBINDIR_TEMPLATE, $(a), $(patsubst %.o,$(BIN_DIR)%.o,$($(a)))))) - -$(foreach a, $(ALGORITHMS_TEST_BIN), $(eval $(call OBJinBINDIR_TEMPLATE, $(a), $(patsubst %.o,$(TESTBIN_DIR)%.o,$($(a)))))) - - -#ALGORITHMS_TEST_BIN_IMM = $(foreach a, $(ALGORITHMS_TEST_BIN), $($(a))) -ALGORITHMS_NESSIE_TEST = $(patsubst %,%_NESSIE_TEST, $(ALGORITHMS)) -ALGORITHMS_PERFORMANCE_TEST = $(patsubst %,%_PERORMANCE_TEST, $(ALGORITHMS)) - -ALGORITHMS_LC = $(call lc,$(ALGORITHMS)) - -ALGORITHMS_TEST_TARGET_ELF = $(patsubst %, $(TESTBIN_DIR)main-%-test.elf, $(ALGORITHMS_LC)) -ALGORITHMS_TEST_TARGET_HEX = $(patsubst %, $(TESTBIN_DIR)main-%-test.hex, $(ALGORITHMS_LC)) - +$(foreach a, $(ALGORITHMS), $(eval $(call Assert_Template, \ + $(a)_BINOBJ, \ + $(addprefix $(BIN_DIR)$(call lc,$(a))/,$($(a)_OBJ)) \ +))) + +$(foreach a, $(ALGORITHMS), $(eval $(call Assert_Template, \ + $(a)_TESTBINOBJ, \ + $(addprefix $(BIN_DIR)$(call lc,$(a))/$(TEST_DIR),$($(a)_TEST_BIN)) \ +))) + + +#$(foreach a, $(ALGORITHMS), \ +# $(if $(def $(a)_DIR), \ +# $(eval $(call Assert_Template, \ +# $(a)_DIR, \ +# . \ +# ) \ +# )) \ +#) +# +#$(foreach a, $(ALGORITHMS), \ +# $(if $(call seq($(strip($($(a)_DIR))),)), \ +# $(eval $(call Assert_Template, \ +# $(a)_DIR, \ +# . \ +# ) \ +# )) \ +#) #------------------------------------------------------------------------------- - -all: $(foreach algo, $(ALGORITHMS), $(algo)_OBJ) - -#------------------------------------------------------------------------------- - -define MAIN_OBJ_TEMPLATE -$(2): $(3) $(4) - @echo "[ld] : $$@" -# echo $$^ - @$(CC) $(CFLAGS) $(LDFLAGS)$(patsubst %.elf,%.map,$(2)) -o \ - $(2) \ - $(3) $(4) \ - $(LIBS) +# +### ifeq 'blafoo' '' +### $(error no source ($(2)) for $(1) in TargetSource_Template) +### endif + +define TargetSource_Template +$(1): $(2) + @echo "[cc]: $(1) <-- $(2)" + @mkdir -p $(dir $(1)) + @$(CC) $(CFLAGS_A) -I./$(strip $(3)) -c -o $(1) $(2) endef -$(foreach algo, $(ALGORITHMS), $(eval $(call MAIN_OBJ_TEMPLATE, \ - $(algo), \ - $(TESTBIN_DIR)main-$(call lc,$(algo))-test.elf, \ - $(patsubst %.o,%.o,$($(algo)_TEST_BIN)), \ - $(patsubst %.o,%.o,$($(algo)_OBJ)) ))) - - - - +$(foreach a, $(ALGORITHMS), \ + $(foreach b, $($(a)_OBJ), \ + $(eval $(call TargetSource_Template, \ + $(BIN_DIR)$(call lc, $(a))/$(b), \ + $(filter %.S %.c, $(wildcard $($(a)_DIR)$(notdir $(patsubst %.o,%,$(b))).*)), \ + $($(a)_DIR) \ + )) \ + ) \ +) + +$(foreach a, $(ALGORITHMS), \ + $(foreach b, $($(a)_TEST_BIN), \ + $(eval $(call TargetSource_Template, \ + $(BIN_DIR)$(call lc, $(a))/$(TEST_DIR)$(b), \ + $(if $(call sne,$(strip $(filter %.S %.c, $(wildcard $(TESTSRC_DIR)$(notdir $(patsubst %.o,%,$(b))).*))),), \ + $(filter %.S %.c, $(wildcard $(TESTSRC_DIR)$(notdir $(patsubst %.o,%,$(b))).*)), \ + $(filter %.S %.c, $(wildcard ./$(notdir $(patsubst %.o,%,$(b))).*))\ + ), \ + $($(a)_DIR) \ + )) \ + ) \ +) #------------------------------------------------------------------------------- -.PHONY: help -help: info - -info: - @echo "infos on AVR-Crypto-lib:" - @echo " block ciphers:" - @echo " $(BLOCK_CIPHERS)" - @echo " stream ciphers:" - @echo " $(STREAM_CIPHERS)" - @echo " hash functions:" - @echo " $(HASHES)" - @echo " MAC functions:" - @echo " $(MACS)" - @echo " PRNG functions:" - @echo " $(PRNGS)" - @echo " encodings:" - @echo " $(ENCODINGS)" -# @echo " ALGORITHMS_TEST_BIN:" -# @echo " $(ALGORITHMS_TEST_BIN)" -# @echo " ALGORITHMS_TEST_TARGET_ELF:" -# @echo " $(ALGORITHMS_TEST_TARGET_ELF)" - @echo " targets:" - @echo " all - all algorithm cores" - @echo " cores - all algorithm cores" - @echo " listings - all algorithm core listings" - @echo " tests - all algorithm test programs" - @echo " stats - all algorithm size statistics" - @echo " blockciphers - all blockcipher cores" - @echo " streamciphers - all streamcipher cores" - @echo " hashes - all hash cores" - @echo " macs - all MAC cores" - @echo " prngs - all PRNG cores" - @echo " all_testrun - testrun all algorithms" - @echo " docu - build doxygen documentation" - @echo " clean - remove a lot of builded files" - @echo " xclean - also remove dependency files" - @echo " *_TEST_BIN - build test program" - @echo " *_TESTRUN - run nessie test" - @echo " *_OBJ - build algorithm core" - @echo " *_FLASH - flash test program" - @echo " *_LIST - build assembler listing" -#------------------------------------------------------------------------------- - -define SOURCEFILE_TEMPLATE -$(BIN_DIR)$(1): $(2)/$(3).c - $(CC) $(CFLAGS) -c -o $@ $< +define MainTestElf_Template +$(1): $(2) $(3) + @echo "[ld]: $(1)" + @$(CC) $(CFLAGS_A) $(LDFLAGS)$(patsubst %.elf,%.map,$(1)) -o \ + $(1) \ + $(2) $(3) \ + $(LIBS) endef -#------------------------------------------------------------------------------- -$(BIN_DIR)%.o: %.c - @echo "[gcc]: $@" - @$(CC) $(CFLAGS) -c -o $@ $< - -$(BIN_DIR)%.o: %.S - @echo "[as] : $@" - @$(CC) $(ASFLAGS) -c -o $@ $< - -$(TESTBIN_DIR)%.o: $(TESTSRC_DIR)%.c - @echo "[gcc]: $@" - @$(CC) $(CFLAGS) -c -o $@ $< - -$(TESTBIN_DIR)%.o: $(TESTSRC_DIR)%.S - @echo "[as] : $@" - @$(CC) $(ASFLAGS) -c -o $@ $< - -$(TESTBIN_DIR)%.o: %.c - @echo "[gcc]: $@" - @$(CC) $(CFLAGS) -c -o $@ $< - -$(TESTBIN_DIR)%.o: %.S - @echo "[as] : $@" - @$(CC) $(ASFLAGS) -c -o $@ $< - - - -%.o: %.c - @echo "[gcc]: $@" - @$(CC) $(CFLAGS) -c -o $@ $< - -%.o: %.S - @echo "[as] : $@" - @$(CC) $(ASFLAGS) -c -o $@ $< +$(foreach a, $(ALGORITHMS), \ + $(eval $(call MainTestElf_Template, \ + $(BIN_DIR)$(call lc, $(a))/$(TEST_DIR)main-$(call lc, $(a))-test.elf, \ + $($(a)_BINOBJ), \ + $($(a)_TESTBINOBJ) \ + )) \ +) #------------------------------------------------------------------------------- - -define OBJ_TEMPLATE -$(1)_OBJ: $(2) -# @echo " ALGO: $(1)" -# @echo " REQ: $(2)" -endef - -$(foreach algo, $(ALGORITHMS), $(eval $(call OBJ_TEMPLATE, $(algo), $($(algo)_OBJ)))) +all: $(foreach algo, $(ALGORITHMS), $($(algo)_BINOBJ)) #------------------------------------------------------------------------------- -define TESTBIN_TEMPLATE +define TestBin_TEMPLATE $(1)_TEST_BIN: $(2) endef -$(foreach algo, $(ALGORITHMS), $(eval $(call TESTBIN_TEMPLATE, $(algo), $($(algo)_TEST_BIN)))) +$(foreach algo, $(ALGORITHMS), $(eval $(call TestBin_TEMPLATE, \ + $(algo), \ + $(BIN_DIR)$(call lc, $(algo))/$(TEST_DIR)main-$(call lc, $(algo))-test.elf \ +))) #------------------------------------------------------------------------------- -$(BLOCK_CIPHERS_OBJ): $(patsubst %,%_OBJ, $(BLOCK_CIPHERS)) -$(STREAM_CIPHERS_OBJ): $(patsubst %,%_OBJ, $(STREAM_CIPHERS)) -$(HASHES_OBJ): $(patsubst %,%_OBJ, $(HASHES)) -$(PRNGS_OBJ): $(patsubst %,%_OBJ, $(PRNGS)) -$(MACS_OBJ): $(patsubst %,%_OBJ, $(MACS)) -$(ENCODINGS_OBJ): $(patsubst %,%_OBJ, $(ENCODINGS)) - -#------------------------------------------------------------------------------- - -define SIZE_TEMPLATE -$(1)_size.txt: $(2) - @echo "[size]: $(1)_size.txt" - @$(SIZE) $(2) > $(1)_size.txt -endef - -$(foreach algo, $(ALGORITHMS), $(eval $(call SIZE_TEMPLATE, $(STAT_DIR)$(call lc,$(algo)), $($(algo)_OBJ)))) +%.hex: %.elf + @echo "[objcopy]: $@" + @$(OBJCOPY) -j .text -j .data -O ihex $< $@ #------------------------------------------------------------------------------- -define FLASH_TEMPLATE +define Flash_Template $(1)_FLASH: $(2) @echo "[flash]: $(2)" @$(FLASHCMD)$(call first,$(2)) endef -$(foreach algo, $(ALGORITHMS),$(eval $(call FLASH_TEMPLATE, $(algo), $(TESTBIN_DIR)main-$(call lc,$(algo))-test.hex) )) +$(foreach algo, $(ALGORITHMS), $(eval $(call Flash_Template, \ + $(algo), \ + $(BIN_DIR)$(call lc, $(algo))/$(TEST_DIR)main-$(call lc, $(algo))-test.hex \ +))) #------------------------------------------------------------------------------- -define TESTRUN_TEMPLATE +.PHONY: tests +tests: $(foreach a, $(ALGORITHMS), $(a)_TEST_BIN) + +#------------------------------------------------------------------------------- + +define TestRun_Template $(1)_TESTRUN: $(1)_FLASH @echo "[test]: $(1)" - $(RUBY) $(GET_TEST) $(TESTPORT) $(TESTPORTBAUDR) 8 1 nessie $(TESTLOG_DIR)$(TESTPREFIX) $(2) + $(RUBY) $(GET_TEST) $(TESTPORT) $(TESTPORTBAUDR) 8 1 nessie $(TESTLOG_DIR)$(TESTPREFIX) $(2) endef -$(foreach algo, $(ALGORITHMS),$(eval $(call TESTRUN_TEMPLATE, $(algo), $(call lc,$(algo)) ))) +$(foreach algo, $(ALGORITHMS),$(eval $(call TestRun_Template, $(algo), $(call lc,$(algo)) ))) all_testrun: $(foreach algo, $(ALGORITHMS), $(algo)_TESTRUN) #------------------------------------------------------------------------------- -define TESTSPEED_TEMPLATE -$(1)_TESTSPEED: $(1)_FLASH - @echo "[speed]: $(1)" - $(RUBY) $(GET_PERFORMANCE) $(TESTPORT) $(TESTPORTBAUDR) 8 1 performance $(SPEEDLOG_DIR)$(SPEEDPREFIX) $(2) +define Obj_Template +$(1)_OBJ: $(2) endef -$(foreach algo, $(ALGORITHMS),$(eval $(call TESTSPEED_TEMPLATE, $(algo), $(call lc,$(algo)) ))) - -all_testspeed: $(foreach algo, $(ALGORITHMS), $(algo)_TESTSPEED) -hash_testspeed: $(foreach algo, $(HASHES), $(algo)_TESTSPEED) +$(foreach algo, $(ALGORITHMS), \ + $(eval $(call Obj_Template, \ + $(algo), \ + $($(algo)_BINOBJ)\ + ))\ +) +.PHONY: cores +cores: $(foreach algo, $(ALGORITHMS), $(algo)_OBJ) -#------------------------------------------------------------------------------- +.PHONY: blockchiphers +blockciphers: $(foreach algo, $(BLOCK_CIPHERS), $(algo)_OBJ) -define LISTING_TEMPLATE -$(1)_LIST: $(2) -endef +.PHONY: streamchiphers +streamciphers: $(foreach algo, $(STREAM_CIPHERS), $(algo)_OBJ) -$(foreach algo, $(ALGORITHMS),$(eval $(call LISTING_TEMPLATE,$(call uc, $(algo)), \ - $(patsubst %,$(LIST_DIR)%, \ - $(patsubst $(BIN_DIR)%,%, \ - $(patsubst $(TESTBIN_DIR)%,%, \ - $(patsubst %.o,%.lst,$($(algo)_OBJ)))) )))) +.PHONY: hashes +hashes: $(foreach algo, $(HASHES), $(algo)_OBJ) -listings: $(patsubst %,%_LIST,$(ALGORITHMS)) +.PHONY: macs +macs: $(foreach algo, $(MACS), $(algo)_OBJ) +.PHONY: prngs +prngs: $(foreach algo, $(PRNGS), $(algo)_OBJ) -$(LIST_DIR)%.lst: $(TESTBIN_DIR)%.elf - $(OBJDUMP) -h -S $< > $@ +.PHONY: encodings +encodings: $(foreach algo, $(ENCODINGS), $(algo)_OBJ) -$(LIST_DIR)%.lst: $(BIN_DIR)%.o - $(OBJDUMP) -h -S $< > $@ +.PHONY: aux +aux: $(foreach algo, $(AUX), $(algo)_OBJ) -$(LIST_DIR)%.lst: $(TESTBIN_DIR)%.o - $(OBJDUMP) -h -S $< > $@ #------------------------------------------------------------------------------- -.PHONY: cores -cores: $(ALGORITHMS_OBJ) - -.PHONY: blockciphers -blockciphers: $(patsubst %, %_OBJ, $(BLOCK_CIPHERS)) - -.PHONY: streamciphers -streamciphers: $(patsubst %, %_OBJ, $(STREAM_CIPHERS)) - -.PHONY: hashes -hashes: $(patsubst %, %_OBJ, $(HASHES)) -.PHONY: macs -macs: $(patsubst %, %_OBJ, $(MACS)) - -.PHONY: prngs -prngs: $(patsubst %, %_OBJ, $(PRNGS)) - -.PHONY: encodings -encodings: $(patsubst %, %_OBJ, $(ENCODINGS)) - -tests: $(ALGORITHMS_TEST_BIN) \ - $(ALGORITHMS_TEST_TARGET_ELF) \ - $(ALGORITHMS_TEST_TARGET_HEX) +.PHONY: help +help: info +.PHONY: info +info: + @echo "infos on AVR-Crypto-lib:" + @echo " block ciphers:" + @echo " $(BLOCK_CIPHERS)" + @echo " stream ciphers:" + @echo " $(STREAM_CIPHERS)" + @echo " hash functions:" + @echo " $(HASHES)" + @echo " MAC functions:" + @echo " $(MACS)" + @echo " PRNG functions:" + @echo " $(PRNGS)" + @echo " encodings:" + @echo " $(ENCODINGS)" + @echo " targets:" + @echo " all - all algorithm cores" + @echo " cores - all algorithm cores" + @echo " listings - all algorithm core listings" + @echo " tests - all algorithm test programs" + @echo " stats - all algorithm size statistics" + @echo " blockciphers - all blockcipher cores" + @echo " streamciphers - all streamcipher cores" + @echo " hashes - all hash cores" + @echo " macs - all MAC cores" + @echo " prngs - all PRNG cores" + @echo " all_testrun - testrun all algorithms" + @echo " docu - build doxygen documentation" + @echo " clean - remove a lot of builded files" + @echo " depclean - also remove dependency files" + @echo " *_TEST_BIN - build test program" + @echo " *_TESTRUN - run nessie test" + @echo " *_OBJ - build algorithm core" + @echo " *_FLASH - flash test program" + @echo " *_LIST - build assembler listing" -.PHONY: stats -stats: $(SIZESTAT_FILE) - @cat $(STAT_DIR)$(SIZESTAT_FILE) - -$(SIZESTAT_FILE): $(patsubst %, $(STAT_DIR)%_size.txt, $(ALGORITHMS_LC)) - $(RUBY) sumsize.rb $^ > $(STAT_DIR)$(SIZESTAT_FILE) - -#------------------------------------------------------------------------------- +#------------------------------------------------------------------------------- .PHONY: clean clean: - rm -rf $(BIN_DIR)*.o *.o $(TESTBIN_DIR)*.elf $(TESTBIN_DIR)* *.elf *.eps *.png *.pdf *.bak - rm -rf *.lst *.map $(EXTRA_CLEAN_FILES) $(STAT_DIR)$(SIZESTAT_FILE) $(STAT_DIR)*_size.txt -xclean: clean - rm -rf $(DEP_DIR)*.d $(AUTOASM_DIR)*.s - -docu: - doxygen + rm -rf $(BIN_DIR)* -make.dump: Makefile - $(MAKE) -p -B -n -f $^ > $@ - -make.dot: make.dump - $(MAKE2GRAPH) $^ > $@ - -make.png: make.dot - $(TWOPI) -Tpng -o $@ $^ - -make.svg: make.dot - $(TWOPI) -Tsvg -o $@ $^ - -.PHONY: make-info -make-info: make.png make.svg - - -# Rules for building the .text rom images - -%.hex: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .text -j .data -O ihex $< $@ +.PHONY: depclean +depclean: clean + rm $(DEP_DIR)*.d -%.srec: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .text -j .data -O srec $< $@ - -%.bin: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .text -j .data -O binary $< $@ - -# Rules for building the .eeprom rom images - - -%_eeprom.hex: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .eeprom --change-section-lma .eeprom=0 -O ihex $< $@ - -%_eeprom.srec: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .eeprom --change-section-lma .eeprom=0 -O srec $< $@ - -%_eeprom.bin: %.elf - @echo "[objcopy]: $@" - @$(OBJCOPY) -j .eeprom --change-section-lma .eeprom=0 -O binary $< $@ - #------------------------------------------------------------------------------- -$(AUTOASM_DIR)%.s: %.c - $(CC) $(CFLAGS) $(AUTOASM_OPT) -o $@ $< - -%.s: %.c - $(CC) $(CFLAGS) $(AUTOASM_OPT) -o $@ $< - -#------------------------------------------------------------------------------- -FIG2DEV = fig2dev -EXTRA_CLEAN_FILES = *.hex *.bin *.srec - - -%.eps: %.fig - $(FIG2DEV) -L eps $< $@ - -%.pdf: %.fig - $(FIG2DEV) -L pdf $< $@ - -%.png: %.fig - $(FIG2DEV) -L png $< $@ - +# dependency inclusion +# DEPS := $(wildcard $(DEP_DIR)*.d) diff --git a/aes.h b/aes.h deleted file mode 100644 index 9d5b770..0000000 --- a/aes.h +++ /dev/null @@ -1,56 +0,0 @@ -/* aes.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ -#ifndef AES_H_ -#define AES_H_ - -#include - -typedef struct{ - uint8_t ks[16]; -} aes_roundkey_t; - -typedef struct{ - aes_roundkey_t key[10+1]; -} aes128_ctx_t; - -typedef struct{ - aes_roundkey_t key[12+1]; -} aes192_ctx_t; - -typedef struct{ - aes_roundkey_t key[14+1]; -} aes256_ctx_t; - -typedef struct{ - aes_roundkey_t key[1]; /* just to avoid the warning */ -} aes_genctx_t; - -typedef struct{ - uint8_t s[16]; -} aes_cipher_state_t; - -#endif diff --git a/aes/aes.h b/aes/aes.h new file mode 100644 index 0000000..9d5b770 --- /dev/null +++ b/aes/aes.h @@ -0,0 +1,56 @@ +/* aes.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_H_ +#define AES_H_ + +#include + +typedef struct{ + uint8_t ks[16]; +} aes_roundkey_t; + +typedef struct{ + aes_roundkey_t key[10+1]; +} aes128_ctx_t; + +typedef struct{ + aes_roundkey_t key[12+1]; +} aes192_ctx_t; + +typedef struct{ + aes_roundkey_t key[14+1]; +} aes256_ctx_t; + +typedef struct{ + aes_roundkey_t key[1]; /* just to avoid the warning */ +} aes_genctx_t; + +typedef struct{ + uint8_t s[16]; +} aes_cipher_state_t; + +#endif diff --git a/aes/aes128_dec.c b/aes/aes128_dec.c new file mode 100644 index 0000000..f3746a7 --- /dev/null +++ b/aes/aes128_dec.c @@ -0,0 +1,34 @@ +/* aes128_dec.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes128_dec.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_dec.h" + +void aes128_dec(void* buffer, aes128_ctx_t* ctx){ + aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 10); +} + diff --git a/aes/aes128_dec.h b/aes/aes128_dec.h new file mode 100644 index 0000000..f6015d8 --- /dev/null +++ b/aes/aes128_dec.h @@ -0,0 +1,46 @@ +/* aes128_dec.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes128_dec.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES128_DEC_H_ +#define AES128_DEC_H_ + +#include "aes.h" +#include "aes_dec.h" + +/** \fn void aes128_dec(void* buffer, aes128_ctx_t* ctx) + * \brief decrypt with 128 bit key. + * + * This function decrypts one block with the AES algorithm under control of + * a keyschedule produced from a 128 bit key. + * \param buffer pointer to the block to decrypt + * \param ctx pointer to the key schedule + */ +void aes128_dec(void* buffer, aes128_ctx_t* ctx); + + + +#endif /* AES128_DEC_H_ */ diff --git a/aes/aes128_enc.c b/aes/aes128_enc.c new file mode 100644 index 0000000..3790854 --- /dev/null +++ b/aes/aes128_enc.c @@ -0,0 +1,34 @@ +/* aes128_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes128_enc.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_enc.h" + +void aes128_enc(void* buffer, aes128_ctx_t* ctx){ + aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 10); +} + diff --git a/aes/aes128_enc.h b/aes/aes128_enc.h new file mode 100644 index 0000000..5cb4953 --- /dev/null +++ b/aes/aes128_enc.h @@ -0,0 +1,47 @@ +/* aes128_enc.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes128_enc.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES128_ENC_H_ +#define AES128_ENC_H_ + +#include "aes.h" +#include "aes_enc.h" + + +/** \fn void aes128_enc(void* buffer, aes128_ctx_t* ctx) + * \brief encrypt with 128 bit key. + * + * This function encrypts one block with the AES algorithm under control of + * a keyschedule produced from a 128 bit key. + * \param buffer pointer to the block to encrypt + * \param ctx pointer to the key schedule + */ +void aes128_enc(void* buffer, aes128_ctx_t* ctx); + + + +#endif /* AES128_ENC_H_ */ diff --git a/aes/aes192_dec.c b/aes/aes192_dec.c new file mode 100644 index 0000000..99cc1b1 --- /dev/null +++ b/aes/aes192_dec.c @@ -0,0 +1,34 @@ +/* aes192_dec.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes192_dec.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_dec.h" + +void aes192_dec(void* buffer, aes192_ctx_t* ctx){ + aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 12); +} + diff --git a/aes/aes192_dec.h b/aes/aes192_dec.h new file mode 100644 index 0000000..299edf9 --- /dev/null +++ b/aes/aes192_dec.h @@ -0,0 +1,46 @@ +/* aes192_dec.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes192_dec.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES192_DEC_H_ +#define AES192_DEC_H_ + +#include "aes.h" +#include "aes_dec.h" + +/** \fn void aes192_dec(void* buffer, aes192_ctx_t* ctx) + * \brief decrypt with 192 bit key. + * + * This function decrypts one block with the AES algorithm under control of + * a keyschedule produced from a 192 bit key. + * \param buffer pointer to the block to decrypt + * \param ctx pointer to the key schedule + */ +void aes192_dec(void* buffer, aes192_ctx_t* ctx); + + + +#endif /* AES192_DEC_H_ */ diff --git a/aes/aes192_enc.c b/aes/aes192_enc.c new file mode 100644 index 0000000..05cb71b --- /dev/null +++ b/aes/aes192_enc.c @@ -0,0 +1,34 @@ +/* aes192_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes192_enc.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_enc.h" + +void aes192_enc(void* buffer, aes192_ctx_t* ctx){ + aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 12); +} + diff --git a/aes/aes192_enc.h b/aes/aes192_enc.h new file mode 100644 index 0000000..30b79ec --- /dev/null +++ b/aes/aes192_enc.h @@ -0,0 +1,47 @@ +/* aes192_enc.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes192_enc.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES192_ENC_H_ +#define AES192_ENC_H_ + +#include "aes.h" +#include "aes_enc.h" + + +/** \fn void aes192_enc(void* buffer, aes192_ctx_t* ctx) + * \brief encrypt with 192 bit key. + * + * This function encrypts one block with the AES algorithm under control of + * a keyschedule produced from a 192 bit key. + * \param buffer pointer to the block to encrypt + * \param ctx pointer to the key schedule + */ +void aes192_enc(void* buffer, aes192_ctx_t* ctx); + + + +#endif /* AES192_ENC_H_ */ diff --git a/aes/aes256_dec.c b/aes/aes256_dec.c new file mode 100644 index 0000000..9bbb016 --- /dev/null +++ b/aes/aes256_dec.c @@ -0,0 +1,34 @@ +/* aes256_dec.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes256_dec.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_dec.h" + +void aes256_dec(void* buffer, aes256_ctx_t* ctx){ + aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 14); +} + diff --git a/aes/aes256_dec.h b/aes/aes256_dec.h new file mode 100644 index 0000000..3c77c7b --- /dev/null +++ b/aes/aes256_dec.h @@ -0,0 +1,46 @@ +/* aes256_dec.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes256_dec.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES256_DEC_H_ +#define AES256_DEC_H_ + +#include "aes.h" +#include "aes_dec.h" + +/** \fn void aes256_dec(void* buffer, aes256_ctx_t* ctx) + * \brief decrypt with 256 bit key. + * + * This function decrypts one block with the AES algorithm under control of + * a keyschedule produced from a 256 bit key. + * \param buffer pointer to the block to decrypt + * \param ctx pointer to the key schedule + */ +void aes256_dec(void* buffer, aes256_ctx_t* ctx); + + + +#endif /* AES256_DEC_H_ */ diff --git a/aes/aes256_enc.c b/aes/aes256_enc.c new file mode 100644 index 0000000..cb2f3ff --- /dev/null +++ b/aes/aes256_enc.c @@ -0,0 +1,34 @@ +/* aes256_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes256_enc.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * + */ + +#include "aes.h" +#include "aes_enc.h" + +void aes256_enc(void* buffer, aes256_ctx_t* ctx){ + aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 14); +} + diff --git a/aes/aes256_enc.h b/aes/aes256_enc.h new file mode 100644 index 0000000..b42b0f3 --- /dev/null +++ b/aes/aes256_enc.h @@ -0,0 +1,47 @@ +/* aes256_enc.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes256_enc.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-31 + * \license GPLv3 or later + * \ingroup AES + */ + +#ifndef AES256_ENC_H_ +#define AES256_ENC_H_ + +#include "aes.h" +#include "aes_enc.h" + + +/** \fn void aes256_enc(void* buffer, aes256_ctx_t* ctx) + * \brief encrypt with 256 bit key. + * + * This function encrypts one block with the AES algorithm under control of + * a keyschedule produced from a 256 bit key. + * \param buffer pointer to the block to encrypt + * \param ctx pointer to the key schedule + */ +void aes256_enc(void* buffer, aes256_ctx_t* ctx); + + + +#endif /* AES256_ENC_H_ */ diff --git a/aes/aes_dec-asm.S b/aes/aes_dec-asm.S new file mode 100644 index 0000000..78dffad --- /dev/null +++ b/aes/aes_dec-asm.S @@ -0,0 +1,425 @@ +/* aes_dec-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_dec-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-10 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +A = 28 +B = 29 +P = 0 +xREDUCER = 25 +gf256mul: + clr P +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, xREDUCER +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +.global aes256_dec +aes256_dec: + ldi r20, 14 + rjmp aes_decrypt_core + +.global aes192_dec +aes192_dec: + ldi r20, 12 + rjmp aes_decrypt_core + +.global aes128_dec +aes128_dec: + ldi r20, 10 + + +/* + void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) +*/ +T0= 2 +T1= 3 +T2= 4 +T3= 5 +T4 = 6 +T5 = 7 +ST00 = 8 +ST01 = 9 +ST02 = 10 +ST03 = 11 +ST10 = 12 +ST11 = 13 +ST12 = 14 +ST13 = 15 +ST20 = 16 +ST21 = 17 +ST22 = 18 +ST23 = 19 +ST30 = 20 +ST31 = 21 +ST32 = 22 +ST33 = 23 +CTR = 24 +/* + * param state: r24:r25 + * param ks: r22:r23 + * param rounds: r20 + */ +.global aes_decrypt_core +aes_decrypt_core: + push_range 2, 17 + push r28 + push r29 + push r24 + push r25 + movw r26, r22 + movw r30, r24 + mov CTR, r20 + inc r20 + swap r20 /* r20*16 */ + add r26, r20 + adc r27, r1 + clt +; ldi CTR, 2 + .irp param, ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 + ld \param, Z+ + .endr + + ldi xREDUCER, 0x1b /* load reducer */ + ldi r31, hi8(aes_invsbox) + + + .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 + ld r0, -X + eor \param, r0 + .endr +1: + dec CTR + brne 2f + set +2: + /* substitute and invShift */ + .irp param, ST00, ST10, ST20, ST30 + mov r30, \param + lpm \param, Z + .endr + mov r30, ST31 + lpm T0, Z + mov r30, ST21 + lpm ST31, Z + mov r30, ST11 + lpm ST21, Z + mov r30, ST01 + lpm ST11, Z + mov ST01, T0 + + mov r30, ST32 + lpm T0, Z + mov r30, ST22 + lpm T1,Z + mov r30, ST12 + lpm ST32, Z + mov r30, ST02 + lpm ST22, Z + mov ST12, T0 + mov ST02, T1 + + mov r30, ST03 + lpm T0, Z + mov r30, ST13 + lpm ST03, Z + mov r30, ST23 + lpm ST13, Z + mov r30, ST33 + lpm ST23, Z + mov ST33, T0 + + /* key addition */ + .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 + ld r0, -X + eor \param, r0 + .endr + brtc 2f +exit: + pop r31 + pop r30 + st Z+, ST00 + st Z+, ST01 + st Z+, ST02 + st Z+, ST03 + st Z+, ST10 + st Z+, ST11 + st Z+, ST12 + st Z+, ST13 + st Z+, ST20 + st Z+, ST21 + st Z+, ST22 + st Z+, ST23 + st Z+, ST30 + st Z+, ST31 + st Z+, ST32 + st Z+, ST33 + pop r29 + pop r28 + pop_range 2, 17 + ret +2: + /* inv column (row) mixing*/ + /* invMixCol (Row) 1 */ + /* preparing */ + mov T0, ST03 + eor T0, ST02 ; T0 = t + mov T1, ST00 + eor T1, ST01 ; T1 = u + mov T2, T0 + eor T2, T1 + + mov B, T2 + ldi A, 0x08 + rcall gf256mul + eor T2, P ; T2 = v' + + mov B, ST02 + eor B, ST00 + ldi A, 0x04 + rcall gf256mul + mov T3, P + eor T3, T2; T3 = w + + mov B, ST03 + eor B, ST01 + ldi A, 0x04 + rcall gf256mul + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST00 + eor T4, ST03 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST03, T4 + + mov T4, ST02 + eor T4, ST01 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST01, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST02, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST00, T1 + + /* invMixCol (Row) 2 */ + /* preparing */ + mov T0, ST13 + eor T0, ST12 ; T0 = t + mov T1, ST10 + eor T1, ST11 ; T1 = u + mov T2, T0 + eor T2, T1 + + mov B, T2 + ldi A, 0x08 + rcall gf256mul + eor T2, P ; T2 = v' + + mov B, ST12 + eor B, ST10 + ldi A, 0x04 + rcall gf256mul + mov T3, P + eor T3, T2; T3 = w + + mov B, ST13 + eor B, ST11 + ldi A, 0x04 + rcall gf256mul + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST10 + eor T4, ST13 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST13, T4 + + mov T4, ST12 + eor T4, ST11 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST11, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST12, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST10, T1 + + /* invMixCol (Row) 2 */ + /* preparing */ + mov T0, ST23 + eor T0, ST22 ; T0 = t + mov T1, ST20 + eor T1, ST21 ; T1 = u + mov T2, T0 + eor T2, T1 + + mov B, T2 + ldi A, 0x08 + rcall gf256mul + eor T2, P ; T2 = v' + + mov B, ST22 + eor B, ST20 + ldi A, 0x04 + rcall gf256mul + mov T3, P + eor T3, T2; T3 = w + + mov B, ST23 + eor B, ST21 + ldi A, 0x04 + rcall gf256mul + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST20 + eor T4, ST23 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST23, T4 + + mov T4, ST22 + eor T4, ST21 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST21, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST22, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST20, T1 + + /* invMixCol (Row) 3 */ + /* preparing */ + mov T0, ST33 + eor T0, ST32 ; T0 = t + mov T1, ST30 + eor T1, ST31 ; T1 = u + mov T2, T0 + eor T2, T1 + + mov B, T2 + ldi A, 0x08 + rcall gf256mul + eor T2, P ; T2 = v' + + mov B, ST32 + eor B, ST30 + ldi A, 0x04 + rcall gf256mul + mov T3, P + eor T3, T2; T3 = w + + mov B, ST33 + eor B, ST31 + ldi A, 0x04 + rcall gf256mul + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST30 + eor T4, ST33 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST33, T4 + + mov T4, ST32 + eor T4, ST31 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST31, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST32, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST30, T1 + + rjmp 1b + + + diff --git a/aes/aes_dec-asm_faster.S b/aes/aes_dec-asm_faster.S new file mode 100644 index 0000000..e743678 --- /dev/null +++ b/aes/aes_dec-asm_faster.S @@ -0,0 +1,457 @@ +/* aes_dec-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_dec-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-10 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +A = 28 +B = 29 +P = 0 +xREDUCER = 25 + +.global aes256_dec +aes256_dec: + ldi r20, 14 + rjmp aes_decrypt_core + +.global aes192_dec +aes192_dec: + ldi r20, 12 + rjmp aes_decrypt_core + +.global aes128_dec +aes128_dec: + ldi r20, 10 + + +/* + void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) +*/ +T0= 2 +T1= 3 +T2= 4 +T3= 5 +T4 = 6 +T5 = 7 +ST00 = 8 +ST01 = 9 +ST02 = 10 +ST03 = 11 +ST10 = 12 +ST11 = 13 +ST12 = 14 +ST13 = 15 +ST20 = 16 +ST21 = 17 +ST22 = 18 +ST23 = 19 +ST30 = 20 +ST31 = 21 +ST32 = 22 +ST33 = 23 +CTR = 24 +/* + * param state: r24:r25 + * param ks: r22:r23 + * param rounds: r20 + */ +.global aes_decrypt_core +aes_decrypt_core: + push_range 2, 17 + push r28 + push r29 + push r24 + push r25 + movw r26, r22 + movw r30, r24 + mov CTR, r20 + inc r20 + swap r20 /* r20*16 */ + add r26, r20 + adc r27, r1 + clt + .irp param, ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 + ld \param, Z+ + .endr + + ldi xREDUCER, 0x1b /* load reducer */ + + + .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 + ld r0, -X + eor \param, r0 + .endr +1: + dec CTR + brne 2f + set +2: + ldi r31, hi8(aes_invsbox) + /* substitute and invShift */ + .irp param, ST00, ST10, ST20, ST30 + mov r30, \param + lpm \param, Z + .endr + mov r30, ST31 + lpm T0, Z + mov r30, ST21 + lpm ST31, Z + mov r30, ST11 + lpm ST21, Z + mov r30, ST01 + lpm ST11, Z + mov ST01, T0 + + mov r30, ST32 + lpm T0, Z + mov r30, ST22 + lpm T1,Z + mov r30, ST12 + lpm ST32, Z + mov r30, ST02 + lpm ST22, Z + mov ST12, T0 + mov ST02, T1 + + mov r30, ST03 + lpm T0, Z + mov r30, ST13 + lpm ST03, Z + mov r30, ST23 + lpm ST13, Z + mov r30, ST33 + lpm ST23, Z + mov ST33, T0 + + /* key addition */ + .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 + ld r0, -X + eor \param, r0 + .endr + brtc 2f +exit: + pop r31 + pop r30 + st Z+, ST00 + st Z+, ST01 + st Z+, ST02 + st Z+, ST03 + st Z+, ST10 + st Z+, ST11 + st Z+, ST12 + st Z+, ST13 + st Z+, ST20 + st Z+, ST21 + st Z+, ST22 + st Z+, ST23 + st Z+, ST30 + st Z+, ST31 + st Z+, ST32 + st Z+, ST33 + pop r29 + pop r28 + pop_range 2, 17 + ret +2: + /* inv column (row) mixing*/ + /* invMixCol (Row) 1 */ + /* preparing */ + ldi r31, hi8(lut_gf256mul_0x09) + mov T0, ST03 + eor T0, ST02 ; T0 = t + mov T1, ST00 + eor T1, ST01 ; T1 = u + mov r30, T0 + eor r30, T1 + lpm T2, Z ; T2 = v' + + ldi r31, hi8(lut_gf256mul_0x04) + mov r30, ST02 + eor r30, ST00 + lpm T3, Z + eor T3, T2; T3 = w + + mov r30, ST03 + eor r30, ST01 + lpm P, Z ; T2 = v + eor T2, P + + /* now the big move */ + mov T4, ST00 + eor T4, ST03 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST03, T4 + + mov T4, ST02 + eor T4, ST01 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST01, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST02, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST00, T1 + + /* invMixCol (Row) 2 */ + /* preparing */ + ldi r31, hi8(lut_gf256mul_0x09) + mov T0, ST13 + eor T0, ST12 ; T0 = t + mov T1, ST10 + eor T1, ST11 ; T1 = u + mov r30, T0 + eor r30, T1 + + lpm T2, Z ; T2 = v' + + ldi r31, hi8(lut_gf256mul_0x04) + mov r30, ST12 + eor r30, ST10 + lpm T3, Z + eor T3, T2; T3 = w + + mov r30, ST13 + eor r30, ST11 + lpm P, Z + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST10 + eor T4, ST13 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST13, T4 + + mov T4, ST12 + eor T4, ST11 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST11, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST12, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST10, T1 + + /* invMixCol (Row) 2 */ + /* preparing */ + ldi r31, hi8(lut_gf256mul_0x09) + mov T0, ST23 + eor T0, ST22 ; T0 = t + mov T1, ST20 + eor T1, ST21 ; T1 = u + mov r30, T0 + eor r30, T1 + + lpm T2, Z ; T2 = v' + + ldi r31, hi8(lut_gf256mul_0x04) + mov r30, ST22 + eor r30, ST20 + lpm T3, Z + eor T3, T2; T3 = w + + mov r30, ST23 + eor r30, ST21 + lpm P, Z + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST20 + eor T4, ST23 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST23, T4 + + mov T4, ST22 + eor T4, ST21 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST21, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST22, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST20, T1 + + /* invMixCol (Row) 3 */ + /* preparing */ + ldi r31, hi8(lut_gf256mul_0x09) + mov T0, ST33 + eor T0, ST32 ; T0 = t + mov T1, ST30 + eor T1, ST31 ; T1 = u + mov r30, T0 + eor r30, T1 + + lpm T2, Z ; T2 = v' + + ldi r31, hi8(lut_gf256mul_0x04) + mov r30, ST32 + eor r30, ST30 + lpm T3, Z + eor T3, T2; T3 = w + + mov r30, ST33 + eor r30, ST31 + lpm P, Z + eor T2, P ; T2 = v + + /* now the big move */ + mov T4, ST30 + eor T4, ST33 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST33, T4 + + mov T4, ST32 + eor T4, ST31 + lsl T4 + brcc 3f + eor T4, xREDUCER +3: eor T4, T2 + eor ST31, T4 + + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, T3 + eor ST32, T0 + + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, T3 + eor ST30, T1 + + rjmp 1b + +.balign 256 + +lut_gf256mul_0x09: +.byte 0x00, 0x09, 0x12, 0x1B, 0x24, 0x2D, 0x36, 0x3F +.byte 0x48, 0x41, 0x5A, 0x53, 0x6C, 0x65, 0x7E, 0x77 +.byte 0x90, 0x99, 0x82, 0x8B, 0xB4, 0xBD, 0xA6, 0xAF +.byte 0xD8, 0xD1, 0xCA, 0xC3, 0xFC, 0xF5, 0xEE, 0xE7 +.byte 0x3B, 0x32, 0x29, 0x20, 0x1F, 0x16, 0x0D, 0x04 +.byte 0x73, 0x7A, 0x61, 0x68, 0x57, 0x5E, 0x45, 0x4C +.byte 0xAB, 0xA2, 0xB9, 0xB0, 0x8F, 0x86, 0x9D, 0x94 +.byte 0xE3, 0xEA, 0xF1, 0xF8, 0xC7, 0xCE, 0xD5, 0xDC +.byte 0x76, 0x7F, 0x64, 0x6D, 0x52, 0x5B, 0x40, 0x49 +.byte 0x3E, 0x37, 0x2C, 0x25, 0x1A, 0x13, 0x08, 0x01 +.byte 0xE6, 0xEF, 0xF4, 0xFD, 0xC2, 0xCB, 0xD0, 0xD9 +.byte 0xAE, 0xA7, 0xBC, 0xB5, 0x8A, 0x83, 0x98, 0x91 +.byte 0x4D, 0x44, 0x5F, 0x56, 0x69, 0x60, 0x7B, 0x72 +.byte 0x05, 0x0C, 0x17, 0x1E, 0x21, 0x28, 0x33, 0x3A +.byte 0xDD, 0xD4, 0xCF, 0xC6, 0xF9, 0xF0, 0xEB, 0xE2 +.byte 0x95, 0x9C, 0x87, 0x8E, 0xB1, 0xB8, 0xA3, 0xAA +.byte 0xEC, 0xE5, 0xFE, 0xF7, 0xC8, 0xC1, 0xDA, 0xD3 +.byte 0xA4, 0xAD, 0xB6, 0xBF, 0x80, 0x89, 0x92, 0x9B +.byte 0x7C, 0x75, 0x6E, 0x67, 0x58, 0x51, 0x4A, 0x43 +.byte 0x34, 0x3D, 0x26, 0x2F, 0x10, 0x19, 0x02, 0x0B +.byte 0xD7, 0xDE, 0xC5, 0xCC, 0xF3, 0xFA, 0xE1, 0xE8 +.byte 0x9F, 0x96, 0x8D, 0x84, 0xBB, 0xB2, 0xA9, 0xA0 +.byte 0x47, 0x4E, 0x55, 0x5C, 0x63, 0x6A, 0x71, 0x78 +.byte 0x0F, 0x06, 0x1D, 0x14, 0x2B, 0x22, 0x39, 0x30 +.byte 0x9A, 0x93, 0x88, 0x81, 0xBE, 0xB7, 0xAC, 0xA5 +.byte 0xD2, 0xDB, 0xC0, 0xC9, 0xF6, 0xFF, 0xE4, 0xED +.byte 0x0A, 0x03, 0x18, 0x11, 0x2E, 0x27, 0x3C, 0x35 +.byte 0x42, 0x4B, 0x50, 0x59, 0x66, 0x6F, 0x74, 0x7D +.byte 0xA1, 0xA8, 0xB3, 0xBA, 0x85, 0x8C, 0x97, 0x9E +.byte 0xE9, 0xE0, 0xFB, 0xF2, 0xCD, 0xC4, 0xDF, 0xD6 +.byte 0x31, 0x38, 0x23, 0x2A, 0x15, 0x1C, 0x07, 0x0E +.byte 0x79, 0x70, 0x6B, 0x62, 0x5D, 0x54, 0x4F, 0x46 + +lut_gf256mul_0x04: +.byte 0x00, 0x04, 0x08, 0x0C, 0x10, 0x14, 0x18, 0x1C +.byte 0x20, 0x24, 0x28, 0x2C, 0x30, 0x34, 0x38, 0x3C +.byte 0x40, 0x44, 0x48, 0x4C, 0x50, 0x54, 0x58, 0x5C +.byte 0x60, 0x64, 0x68, 0x6C, 0x70, 0x74, 0x78, 0x7C +.byte 0x80, 0x84, 0x88, 0x8C, 0x90, 0x94, 0x98, 0x9C +.byte 0xA0, 0xA4, 0xA8, 0xAC, 0xB0, 0xB4, 0xB8, 0xBC +.byte 0xC0, 0xC4, 0xC8, 0xCC, 0xD0, 0xD4, 0xD8, 0xDC +.byte 0xE0, 0xE4, 0xE8, 0xEC, 0xF0, 0xF4, 0xF8, 0xFC +.byte 0x1B, 0x1F, 0x13, 0x17, 0x0B, 0x0F, 0x03, 0x07 +.byte 0x3B, 0x3F, 0x33, 0x37, 0x2B, 0x2F, 0x23, 0x27 +.byte 0x5B, 0x5F, 0x53, 0x57, 0x4B, 0x4F, 0x43, 0x47 +.byte 0x7B, 0x7F, 0x73, 0x77, 0x6B, 0x6F, 0x63, 0x67 +.byte 0x9B, 0x9F, 0x93, 0x97, 0x8B, 0x8F, 0x83, 0x87 +.byte 0xBB, 0xBF, 0xB3, 0xB7, 0xAB, 0xAF, 0xA3, 0xA7 +.byte 0xDB, 0xDF, 0xD3, 0xD7, 0xCB, 0xCF, 0xC3, 0xC7 +.byte 0xFB, 0xFF, 0xF3, 0xF7, 0xEB, 0xEF, 0xE3, 0xE7 +.byte 0x36, 0x32, 0x3E, 0x3A, 0x26, 0x22, 0x2E, 0x2A +.byte 0x16, 0x12, 0x1E, 0x1A, 0x06, 0x02, 0x0E, 0x0A +.byte 0x76, 0x72, 0x7E, 0x7A, 0x66, 0x62, 0x6E, 0x6A +.byte 0x56, 0x52, 0x5E, 0x5A, 0x46, 0x42, 0x4E, 0x4A +.byte 0xB6, 0xB2, 0xBE, 0xBA, 0xA6, 0xA2, 0xAE, 0xAA +.byte 0x96, 0x92, 0x9E, 0x9A, 0x86, 0x82, 0x8E, 0x8A +.byte 0xF6, 0xF2, 0xFE, 0xFA, 0xE6, 0xE2, 0xEE, 0xEA +.byte 0xD6, 0xD2, 0xDE, 0xDA, 0xC6, 0xC2, 0xCE, 0xCA +.byte 0x2D, 0x29, 0x25, 0x21, 0x3D, 0x39, 0x35, 0x31 +.byte 0x0D, 0x09, 0x05, 0x01, 0x1D, 0x19, 0x15, 0x11 +.byte 0x6D, 0x69, 0x65, 0x61, 0x7D, 0x79, 0x75, 0x71 +.byte 0x4D, 0x49, 0x45, 0x41, 0x5D, 0x59, 0x55, 0x51 +.byte 0xAD, 0xA9, 0xA5, 0xA1, 0xBD, 0xB9, 0xB5, 0xB1 +.byte 0x8D, 0x89, 0x85, 0x81, 0x9D, 0x99, 0x95, 0x91 +.byte 0xED, 0xE9, 0xE5, 0xE1, 0xFD, 0xF9, 0xF5, 0xF1 +.byte 0xCD, 0xC9, 0xC5, 0xC1, 0xDD, 0xD9, 0xD5, 0xD1 + diff --git a/aes/aes_dec.c b/aes/aes_dec.c new file mode 100644 index 0000000..8c476de --- /dev/null +++ b/aes/aes_dec.c @@ -0,0 +1,131 @@ +/* aes.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include "gf256mul.h" +#include "aes.h" +#include "aes_invsbox.h" +#include "aes_dec.h" +#include + +void aes_invshiftrow(void* data, uint8_t shift){ + uint8_t tmp[4]; + tmp[0] = ((uint8_t*)data)[(4+0-shift)&3]; + tmp[1] = ((uint8_t*)data)[(4+1-shift)&3]; + tmp[2] = ((uint8_t*)data)[(4+2-shift)&3]; + tmp[3] = ((uint8_t*)data)[(4+3-shift)&3]; + memcpy(data, tmp, 4); +} + +void aes_invshiftcol(void* data, uint8_t shift){ + uint8_t tmp[4]; + tmp[0] = ((uint8_t*)data)[ 0]; + tmp[1] = ((uint8_t*)data)[ 4]; + tmp[2] = ((uint8_t*)data)[ 8]; + tmp[3] = ((uint8_t*)data)[12]; + ((uint8_t*)data)[ 0] = tmp[(4-shift+0)&3]; + ((uint8_t*)data)[ 4] = tmp[(4-shift+1)&3]; + ((uint8_t*)data)[ 8] = tmp[(4-shift+2)&3]; + ((uint8_t*)data)[12] = tmp[(4-shift+3)&3]; +} +static +void aes_dec_round(aes_cipher_state_t* state, const aes_roundkey_t* k){ + uint8_t tmp[16]; + uint8_t i; + uint8_t t,u,v,w; + /* keyAdd */ + for(i=0; i<16; ++i){ + tmp[i] = state->s[i] ^ k->ks[i]; + } + /* mixColums */ + for(i=0; i<4; ++i){ + t = tmp[4*i+3] ^ tmp[4*i+2]; + u = tmp[4*i+1] ^ tmp[4*i+0]; + v = t ^ u; + v = gf256mul(0x09, v, 0x1b); + w = v ^ gf256mul(0x04, tmp[4*i+2] ^ tmp[4*i+0], 0x1b); + v = v ^ gf256mul(0x04, tmp[4*i+3] ^ tmp[4*i+1], 0x1b); + state->s[4*i+3] = tmp[4*i+3] ^ v ^ gf256mul(0x02, tmp[4*i+0] ^ tmp[4*i+3], 0x1b); + state->s[4*i+2] = tmp[4*i+2] ^ w ^ gf256mul(0x02, t, 0x1b); + state->s[4*i+1] = tmp[4*i+1] ^ v ^ gf256mul(0x02, tmp[4*i+2] ^ tmp[4*i+1], 0x1b); + state->s[4*i+0] = tmp[4*i+0] ^ w ^ gf256mul(0x02, u, 0x1b); + + /* + state->s[4*i+0] = + gf256mul(0xe, tmp[4*i+0], 0x1b) + ^ gf256mul(0xb, tmp[4*i+1], 0x1b) + ^ gf256mul(0xd, tmp[4*i+2], 0x1b) + ^ gf256mul(0x9, tmp[4*i+3], 0x1b); + state->s[4*i+1] = + gf256mul(0x9, tmp[4*i+0], 0x1b) + ^ gf256mul(0xe, tmp[4*i+1], 0x1b) + ^ gf256mul(0xb, tmp[4*i+2], 0x1b) + ^ gf256mul(0xd, tmp[4*i+3], 0x1b); + state->s[4*i+2] = + gf256mul(0xd, tmp[4*i+0], 0x1b) + ^ gf256mul(0x9, tmp[4*i+1], 0x1b) + ^ gf256mul(0xe, tmp[4*i+2], 0x1b) + ^ gf256mul(0xb, tmp[4*i+3], 0x1b); + state->s[4*i+3] = + gf256mul(0xb, tmp[4*i+0], 0x1b) + ^ gf256mul(0xd, tmp[4*i+1], 0x1b) + ^ gf256mul(0x9, tmp[4*i+2], 0x1b) + ^ gf256mul(0xe, tmp[4*i+3], 0x1b); + */ + } + /* shiftRows */ + aes_invshiftcol(state->s+1, 1); + aes_invshiftcol(state->s+2, 2); + aes_invshiftcol(state->s+3, 3); + /* subBytes */ + for(i=0; i<16; ++i){ + state->s[i] = pgm_read_byte(aes_invsbox+state->s[i]); + } +} + + +static +void aes_dec_firstround(aes_cipher_state_t* state, const aes_roundkey_t* k){ + uint8_t i; + /* keyAdd */ + for(i=0; i<16; ++i){ + state->s[i] ^= k->ks[i]; + } + /* shiftRows */ + aes_invshiftcol(state->s+1, 1); + aes_invshiftcol(state->s+2, 2); + aes_invshiftcol(state->s+3, 3); + /* subBytes */ + for(i=0; i<16; ++i){ + state->s[i] = pgm_read_byte(aes_invsbox+state->s[i]); + } +} + +void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds){ + uint8_t i; + aes_dec_firstround(state, &(ks->key[i=rounds])); + for(;rounds>1;--rounds){ + --i; + aes_dec_round(state, &(ks->key[i])); + } + for(i=0; i<16; ++i){ + state->s[i] ^= ks->key[0].ks[i]; + } +} diff --git a/aes/aes_dec.h b/aes/aes_dec.h new file mode 100644 index 0000000..631d953 --- /dev/null +++ b/aes/aes_dec.h @@ -0,0 +1,36 @@ +/* aes_dec.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_dec.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_DEC_H_ +#define AES_DEC_H_ +#include "aes.h" +#include + + +void aes_decrypt_core(aes_cipher_state_t* state,const aes_genctx_t* ks, uint8_t rounds); + + +#endif diff --git a/aes/aes_enc-asm.S b/aes/aes_enc-asm.S new file mode 100644 index 0000000..5b46a2a --- /dev/null +++ b/aes/aes_enc-asm.S @@ -0,0 +1,341 @@ +/* aes_enc-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_enc-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-10 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" + + +/* + * param a: r24 + * param b: r22 + * param reducer: r0 + */ +A = 28 +B = 29 +P = 0 +xREDUCER = 25 + +.global aes256_enc +aes256_enc: + ldi r20, 14 + rjmp aes_encrypt_core + +.global aes192_enc +aes192_enc: + ldi r20, 12 + rjmp aes_encrypt_core + +.global aes128_enc +aes128_enc: + ldi r20, 10 + + +/* + void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) +*/ +T0= 2 +T1= 3 +T2= 4 +T3= 5 +SBOX_SAVE0 = 6 +SBOX_SAVE1 = 7 +ST00 = 8 +ST01 = 9 +ST02 = 10 +ST03 = 11 +ST10 = 12 +ST11 = 13 +ST12 = 14 +ST13 = 15 +ST20 = 16 +ST21 = 17 +ST22 = 18 +ST23 = 19 +ST30 = 20 +ST31 = 21 +ST32 = 22 +ST33 = 23 +CTR = 24 +/* + * param state: r24:r25 + * param ks: r22:r23 + * param rounds: r20 + */ +.global aes_encrypt_core +aes_encrypt_core: + push_range 2, 17 + push r28 + push r29 + push r24 + push r25 + movw r26, r22 + movw r30, r24 + mov CTR, r20 + clt + + .irp param,ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 + ld \param, Z+ + .endr + + ldi xREDUCER, 0x1b /* load reducer */ + ldi r31, hi8(aes_sbox) + + /* key whitening */ +1: + .irp param,ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 + ld r0, X+ + eor \param, r0 + .endr + + brtc 2f +exit: + pop r31 + pop r30 + st Z+, ST00 + st Z+, ST01 + st Z+, ST02 + st Z+, ST03 + st Z+, ST10 + st Z+, ST11 + st Z+, ST12 + st Z+, ST13 + st Z+, ST20 + st Z+, ST21 + st Z+, ST22 + st Z+, ST23 + st Z+, ST30 + st Z+, ST31 + st Z+, ST32 + st Z+, ST33 + pop r29 + pop r28 + pop_range 2, 17 + ret + +2: dec CTR + brne 3f + set +3: + + /* encryption loop */ + + /* SBOX substitution and shifting */ + mov r30, ST00 + lpm ST00, Z + mov r30, ST10 + lpm ST10, Z + mov r30, ST20 + lpm ST20, Z + mov r30, ST30 + lpm ST30, Z + + mov r30, ST01 + lpm T0, Z + mov r30, ST11 + lpm ST01, Z + mov r30, ST21 + lpm ST11, Z + mov r30, ST31 + lpm ST21, Z + mov ST31, T0 + + mov r30, ST02 + lpm T0, Z + mov r30, ST12 + lpm T1, Z + mov r30, ST22 + lpm ST02, Z + mov r30, ST32 + lpm ST12, Z + mov ST22, T0 + mov ST32, T1 + + mov r30, ST03 + lpm T0, Z + mov r30, ST33 + lpm ST03, Z + mov r30, ST23 + lpm ST33, Z + mov r30, ST13 + lpm ST23, Z + mov ST13, T0 + + /* mixcols (or rows in our case) */ + brtc 2f + rjmp 1b +2: + /* mixrow 1 */ + mov r0, ST02 + eor r0, ST03 + mov T2, r0 + + mov T0, ST00 + eor ST00, ST01 + eor r0, ST00 + lsl ST00 + brcc 3f + eor ST00, xREDUCER +3: eor ST00, r0 + eor ST00, T0 + + mov T1, ST01 + eor T1, ST02 + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, r0 + eor ST01, T1 + + lsl T2 + brcc 3f + eor T2, xREDUCER +3: eor T2, r0 + eor ST02, T2 + + eor T0, ST03 + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, r0 + eor ST03, T0 + + /* mixrow 2 */ + mov r0, ST12 + eor r0, ST13 + mov T2, r0 + + mov T0, ST10 + eor ST10, ST11 + eor r0, ST10 + lsl ST10 + brcc 3f + eor ST10, xREDUCER +3: eor ST10, r0 + eor ST10, T0 + + mov T1, ST11 + eor T1, ST12 + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, r0 + eor ST11, T1 + + lsl T2 + brcc 3f + eor T2, xREDUCER +3: eor T2, r0 + eor ST12, T2 + + eor T0, ST13 + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, r0 + eor ST13, T0 + + /* mixrow 3 */ + mov r0, ST22 + eor r0, ST23 + mov T2, r0 + + mov T0, ST20 + eor ST20, ST21 + eor r0, ST20 + lsl ST20 + brcc 3f + eor ST20, xREDUCER +3: eor ST20, r0 + eor ST20, T0 + + mov T1, ST21 + eor T1, ST22 + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, r0 + eor ST21, T1 + + lsl T2 + brcc 3f + eor T2, xREDUCER +3: eor T2, r0 + eor ST22, T2 + + eor T0, ST23 + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, r0 + eor ST23, T0 + + /* mixrow 4 */ + mov r0, ST32 + eor r0, ST33 + mov T2, r0 + + mov T0, ST30 + eor ST30, ST31 + eor r0, ST30 + lsl ST30 + brcc 3f + eor ST30, xREDUCER +3: eor ST30, r0 + eor ST30, T0 + + mov T1, ST31 + eor T1, ST32 + lsl T1 + brcc 3f + eor T1, xREDUCER +3: eor T1, r0 + eor ST31, T1 + + lsl T2 + brcc 3f + eor T2, xREDUCER +3: eor T2, r0 + eor ST32, T2 + + eor T0, ST33 + lsl T0 + brcc 3f + eor T0, xREDUCER +3: eor T0, r0 + eor ST33, T0 + /* mix colums (rows) done */ + + /* add key*/ + rjmp 1b + + + + + + + + + diff --git a/aes/aes_enc.c b/aes/aes_enc.c new file mode 100644 index 0000000..dadf9f4 --- /dev/null +++ b/aes/aes_enc.c @@ -0,0 +1,120 @@ +/* aes_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_enc.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ + +#include +#include +#include "aes.h" +#include "gf256mul.h" +#include "aes_sbox.h" +#include "aes_enc.h" +#include + +void aes_shiftcol(void* data, uint8_t shift){ + uint8_t tmp[4]; + tmp[0] = ((uint8_t*)data)[ 0]; + tmp[1] = ((uint8_t*)data)[ 4]; + tmp[2] = ((uint8_t*)data)[ 8]; + tmp[3] = ((uint8_t*)data)[12]; + ((uint8_t*)data)[ 0] = tmp[(shift+0)&3]; + ((uint8_t*)data)[ 4] = tmp[(shift+1)&3]; + ((uint8_t*)data)[ 8] = tmp[(shift+2)&3]; + ((uint8_t*)data)[12] = tmp[(shift+3)&3]; +} + +#define GF256MUL_1(a) (a) +#define GF256MUL_2(a) (gf256mul(2, (a), 0x1b)) +#define GF256MUL_3(a) (gf256mul(3, (a), 0x1b)) + +static +void aes_enc_round(aes_cipher_state_t* state, const aes_roundkey_t* k){ + uint8_t tmp[16], t; + uint8_t i; + /* subBytes */ + for(i=0; i<16; ++i){ + tmp[i] = pgm_read_byte(aes_sbox+state->s[i]); + } + /* shiftRows */ + aes_shiftcol(tmp+1, 1); + aes_shiftcol(tmp+2, 2); + aes_shiftcol(tmp+3, 3); + /* mixColums */ + for(i=0; i<4; ++i){ + t = tmp[4*i+0] ^ tmp[4*i+1] ^ tmp[4*i+2] ^ tmp[4*i+3]; + state->s[4*i+0] = + GF256MUL_2(tmp[4*i+0]^tmp[4*i+1]) + ^ tmp[4*i+0] + ^ t; + state->s[4*i+1] = + GF256MUL_2(tmp[4*i+1]^tmp[4*i+2]) + ^ tmp[4*i+1] + ^ t; + state->s[4*i+2] = + GF256MUL_2(tmp[4*i+2]^tmp[4*i+3]) + ^ tmp[4*i+2] + ^ t; + state->s[4*i+3] = + GF256MUL_2(tmp[4*i+3]^tmp[4*i+0]) + ^ tmp[4*i+3] + ^ t; + } + + /* addKey */ + for(i=0; i<16; ++i){ + state->s[i] ^= k->ks[i]; + } +} + + +static +void aes_enc_lastround(aes_cipher_state_t* state,const aes_roundkey_t* k){ + uint8_t i; + /* subBytes */ + for(i=0; i<16; ++i){ + state->s[i] = pgm_read_byte(aes_sbox+state->s[i]); + } + /* shiftRows */ + aes_shiftcol(state->s+1, 1); + aes_shiftcol(state->s+2, 2); + aes_shiftcol(state->s+3, 3); + /* keyAdd */ + for(i=0; i<16; ++i){ + state->s[i] ^= k->ks[i]; + } +} + +void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds){ + uint8_t i; + for(i=0; i<16; ++i){ + state->s[i] ^= ks->key[0].ks[i]; + } + i=1; + for(;rounds>1;--rounds){ + aes_enc_round(state, &(ks->key[i])); + ++i; + } + aes_enc_lastround(state, &(ks->key[i])); +} diff --git a/aes/aes_enc.h b/aes/aes_enc.h new file mode 100644 index 0000000..f3c4dfa --- /dev/null +++ b/aes/aes_enc.h @@ -0,0 +1,36 @@ +/* aes_enc.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_enc.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_ENC_H_ +#define AES_ENC_H_ +#include "aes.h" +#include + + +void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds); + + +#endif diff --git a/aes/aes_invsbox-asm.S b/aes/aes_invsbox-asm.S new file mode 100644 index 0000000..9ab899f --- /dev/null +++ b/aes/aes_invsbox-asm.S @@ -0,0 +1,45 @@ +/* aes_sbox-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_dec-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-10 + * \license GPLv3 or later + * + */ +.balign 256 +.global aes_invsbox +aes_invsbox: +.byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb +.byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb +.byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e +.byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 +.byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92 +.byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 +.byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06 +.byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b +.byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73 +.byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e +.byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b +.byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4 +.byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f +.byte 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef +.byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 +.byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d diff --git a/aes/aes_invsbox.c b/aes/aes_invsbox.c new file mode 100644 index 0000000..921ff49 --- /dev/null +++ b/aes/aes_invsbox.c @@ -0,0 +1,22 @@ +/* aes inverted sbox */ + +#include +#include +uint8_t aes_invsbox[256] PROGMEM = { + 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, + 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, + 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, + 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, + 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, + 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, + 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, + 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, + 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, + 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, + 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, + 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, + 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, + 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, + 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, + 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d +}; diff --git a/aes/aes_invsbox.h b/aes/aes_invsbox.h new file mode 100644 index 0000000..42fe9a8 --- /dev/null +++ b/aes/aes_invsbox.h @@ -0,0 +1,33 @@ +/* aes_invsbox.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_invsbox.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_INVSBOX_H_ +#define AES_INVSBOX_H_ +#include + +extern uint8_t aes_invsbox[]; + +#endif diff --git a/aes/aes_keyschedule-asm.S b/aes/aes_keyschedule-asm.S new file mode 100644 index 0000000..c5d69ea --- /dev/null +++ b/aes/aes_keyschedule-asm.S @@ -0,0 +1,225 @@ +/* aes_keyschedule-asm */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_keyschedule-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-09 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" + +.global aes256_init +aes256_init: + movw r20, r22 + ldi r23, hi8(256) + ldi r22, lo8(256) + rjmp aes_init + +.global aes192_init +aes192_init: + movw r20, r22 + ldi r23, hi8(192) + ldi r22, lo8(192) + rjmp aes_init + +.global aes128_init +aes128_init: + movw r20, r22 + clr r23 + ldi r22, 128 + +/* +void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx){ + uint8_t hi,i,nk, next_nk; + uint8_t rc=1; + uint8_t tmp[4]; + nk=keysize_b>>5; / * 4, 6, 8 * / + hi=4*(nk+6+1); + memcpy(ctx, key, keysize_b/8); + next_nk = nk; + for(i=nk;ikey[0].ks))[i-1]; + if(i!=next_nk){ + if(nk==8 && i%8==4){ + tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); + tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); + tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); + tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); + } + } else { + next_nk += nk; + aes_rotword(tmp); + tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); + tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); + tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); + tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); + tmp[0] ^= rc; + rc<<=1; + } + ((uint32_t*)(ctx->key[0].ks))[i] = ((uint32_t*)(ctx->key[0].ks))[i-nk] + ^ *((uint32_t*)tmp); + } +} +*/ + +SBOX_SAVE0 = 14 +SBOX_SAVE1 = 15 +XRC = 17 +NK = 22 +C1 = 18 +NEXT_NK = 19 +HI = 23 +T0 = 20 +T1 = 21 +T2 = 24 +T3 = 25 +/* + * param key: r24:r25 + * param keysize_b: r22:r23 + * param ctx: r20:r21 + */ +.global aes_init +aes_init: + push_range 14, 17 + push r28 + push r29 + movw r30, r20 + movw r28, r20 + movw r26, r24 + lsr r23 + ror r22 + lsr r22 + lsr r22 /* r22 contains keysize_b/8 */ + mov C1, r22 + +1: /* copy key to ctx */ + ld r0, X+ + st Z+, r0 + dec C1 + brne 1b + + lsr NK + lsr NK + bst NK,3 /* set T if NK==8 */ + mov NEXT_NK, NK + mov HI, NK + subi HI, -7 + lsl HI + lsl HI + movw r26, r30 + sbiw r26, 4 + mov C1, NK + ldi r30, lo8(aes_sbox) + ldi r31, hi8(aes_sbox) + movw SBOX_SAVE0, r30 + ldi XRC, 1 +1: + ld T0, X+ + ld T1, X+ + ld T2, X+ + ld T3, X+ + cp NEXT_NK, C1 + breq 2f + brtc 5f + mov r16, C1 + andi r16, 0x07 + cpi r16, 0x04 + brne 5f + movw r30, SBOX_SAVE0 + add r30, T0 + adc r31, r1 + lpm T0, Z + movw r30, SBOX_SAVE0 + add r30, T1 + adc r31, r1 + lpm T1, Z + movw r30, SBOX_SAVE0 + add r30, T2 + adc r31, r1 + lpm T2, Z + movw r30, SBOX_SAVE0 + add r30, T3 + adc r31, r1 + lpm T3, Z + rjmp 5f +2: + add NEXT_NK, NK + movw r30, SBOX_SAVE0 + add r30, T0 + adc r31, r1 + lpm r16, Z + movw r30, SBOX_SAVE0 + add r30, T1 + adc r31, r1 + lpm T0, Z + movw r30, SBOX_SAVE0 + add r30, T2 + adc r31, r1 + lpm T1, Z + movw r30, SBOX_SAVE0 + add r30, T3 + adc r31, r1 + lpm T2, Z + mov T3, r16 + eor T0, XRC + lsl XRC + brcc 3f + ldi XRC, 0x1b +3: +5: + movw r30, r26 + + ld r0, Y+ + eor r0, T0 + st Z+, r0 + ld r0, Y+ + eor r0 ,T1 + st Z+, r0 + ld r0, Y+ + eor r0, T2 + st Z+, r0 + ld r0, Y+ + eor r0, T3 + st Z+, r0 + +/* + st Z+, T0 + st Z+, T1 + st Z+, T2 + st Z+, T3 +*/ + + inc C1 + cp C1, HI + breq 6f + rjmp 1b +6: + + clt + pop r29 + pop r28 + pop_range 14, 17 + ret + + + + diff --git a/aes/aes_keyschedule.c b/aes/aes_keyschedule.c new file mode 100644 index 0000000..9e58eb5 --- /dev/null +++ b/aes/aes_keyschedule.c @@ -0,0 +1,91 @@ +/* aes_keyschedule.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_keyschedule.c + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ + +#include +#include "aes.h" +#include "aes_keyschedule.h" +#include "aes_sbox.h" +#include +#include + +static +void aes_rotword(void* a){ + uint8_t t; + t=((uint8_t*)a)[0]; + ((uint8_t*)a)[0] = ((uint8_t*)a)[1]; + ((uint8_t*)a)[1] = ((uint8_t*)a)[2]; + ((uint8_t*)a)[2] = ((uint8_t*)a)[3]; + ((uint8_t*)a)[3] = t; +} + +uint8_t rc_tab[] PROGMEM = { 0x01, 0x02, 0x04, 0x08, + 0x10, 0x20, 0x40, 0x80, + 0x1b, 0x36 }; + +void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx){ + uint8_t hi,i,nk, next_nk; + uint8_t rc=0; + uint8_t tmp[4]; + nk=keysize_b>>5; /* 4, 6, 8 */ + hi=4*(nk+6+1); + memcpy(ctx, key, keysize_b/8); + next_nk = nk; + for(i=nk;ikey[0].ks))[i-1]; + if(i!=next_nk){ + if(nk==8 && i%8==4){ + tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); + tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); + tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); + tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); + } + } else { + next_nk += nk; + aes_rotword(tmp); + tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); + tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); + tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); + tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); + tmp[0] ^= pgm_read_byte(rc_tab+rc); + rc++; + } + ((uint32_t*)(ctx->key[0].ks))[i] = ((uint32_t*)(ctx->key[0].ks))[i-nk] + ^ *((uint32_t*)tmp); + } +} + +void aes128_init(const void* key, aes128_ctx_t* ctx){ + aes_init(key, 128, (aes_genctx_t*)ctx); +} + +void aes192_init(const void* key, aes192_ctx_t* ctx){ + aes_init(key, 192, (aes_genctx_t*)ctx); +} + +void aes256_init(const void* key, aes256_ctx_t* ctx){ + aes_init(key, 256, (aes_genctx_t*)ctx); +} diff --git a/aes/aes_keyschedule.h b/aes/aes_keyschedule.h new file mode 100644 index 0000000..b013971 --- /dev/null +++ b/aes/aes_keyschedule.h @@ -0,0 +1,75 @@ +/* aes_keyschedule.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_keyschedule.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * \ingroup AES + */ + + +#ifndef AES_KEYSCHEDULE_H_ +#define AES_KEYSCHEDULE_H_ + +#include "aes.h" +/** \fn void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx) + * \brief initialize the keyschedule + * + * This function computes the keyschedule from a given key with a given length + * and stores it in the context variable + * \param key pointer to the key material + * \param keysize_b length of the key in bits (valid are 128, 192 and 256) + * \param ctx pointer to the context where the keyschedule should be stored + */ +void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx); + +/** \fn void aes128_init(const void* key, aes128_ctx_t* ctx) + * \brief initialize the keyschedule for 128 bit key + * + * This function computes the keyschedule from a given 128 bit key + * and stores it in the context variable + * \param key pointer to the key material + * \param ctx pointer to the context where the keyschedule should be stored + */ +void aes128_init(const void* key, aes128_ctx_t* ctx); + +/** \fn void aes192_init(const void* key, aes192_ctx_t* ctx) + * \brief initialize the keyschedule for 192 bit key + * + * This function computes the keyschedule from a given 192 bit key + * and stores it in the context variable + * \param key pointer to the key material + * \param ctx pointer to the context where the keyschedule should be stored + */ +void aes192_init(const void* key, aes192_ctx_t* ctx); + +/** \fn void aes256_init(const void* key, aes256_ctx_t* ctx) + * \brief initialize the keyschedule for 256 bit key + * + * This function computes the keyschedule from a given 256 bit key + * and stores it in the context variable + * \param key pointer to the key material + * \param ctx pointer to the context where the keyschedule should be stored + */ +void aes256_init(const void* key, aes256_ctx_t* ctx); + +#endif /* AES_KEYSCHEDULE_H_ */ + diff --git a/aes/aes_sbox-asm.S b/aes/aes_sbox-asm.S new file mode 100644 index 0000000..e609698 --- /dev/null +++ b/aes/aes_sbox-asm.S @@ -0,0 +1,47 @@ +/* aes_sbox-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_dec-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2009-01-10 + * \license GPLv3 or later + * + */ + +.balign 256 +.global aes_sbox +aes_sbox: +.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 +.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 +.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 +.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 +.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 +.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf +.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 +.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 +.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 +.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb +.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 +.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 +.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a +.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e +.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf +.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 + diff --git a/aes/aes_sbox.c b/aes/aes_sbox.c new file mode 100644 index 0000000..85b08de --- /dev/null +++ b/aes/aes_sbox.c @@ -0,0 +1,23 @@ +/* aes sbox */ + +#include +#include +uint8_t aes_sbox[256] PROGMEM = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, + 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, + 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, + 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, + 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, + 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, + 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, + 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, + 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, + 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, + 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, + 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, + 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, + 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, + 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +}; + diff --git a/aes/aes_sbox.h b/aes/aes_sbox.h new file mode 100644 index 0000000..5bc03b7 --- /dev/null +++ b/aes/aes_sbox.h @@ -0,0 +1,33 @@ +/* aes_sbox.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_sbox.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_SBOX_H_ +#define AES_SBOX_H_ +#include + +extern uint8_t aes_sbox[]; + +#endif diff --git a/aes/gf256mul.S b/aes/gf256mul.S new file mode 100644 index 0000000..b269d3a --- /dev/null +++ b/aes/gf256mul.S @@ -0,0 +1,82 @@ +/* gf256mul.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: gf256mul.S + * Author: Daniel Otte + * Date: 2008-12-19 + * License: GPLv3 or later + * Description: peasant's algorithm for multiplication in GF(2^8) + * + */ + +#include +#define OPTIMIZE_SMALL_A + +/* + * param a: r24 + * param b: r22 + * param reducer: r20 + */ +A = 23 +B = 22 +P = 24 +.global gf256mul + +#ifdef OPTIMIZE_SMALL_A +gf256mul: + mov A, r24 + clr r24 +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +#else + +gf256mul: + mov r21, r24 + clr r24 + ldi r25, 8 +1: + lsr A + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + dec r25 + brne 1b + ret + +#endif diff --git a/aes/gf256mul.h b/aes/gf256mul.h new file mode 100644 index 0000000..87f1cb3 --- /dev/null +++ b/aes/gf256mul.h @@ -0,0 +1,37 @@ +/* gf256mul.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef GF256MUL_H_ +#define GF256MUL_H_ + +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2008-12-19 + * \license GPLv3 + * \brief + * + * + */ + +#include + +uint8_t gf256mul(uint8_t a, uint8_t b, uint8_t reducer); + +#endif /* GF256MUL_H_ */ + diff --git a/aes128_dec.c b/aes128_dec.c deleted file mode 100644 index f3746a7..0000000 --- a/aes128_dec.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes128_dec.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes128_dec.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_dec.h" - -void aes128_dec(void* buffer, aes128_ctx_t* ctx){ - aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 10); -} - diff --git a/aes128_dec.h b/aes128_dec.h deleted file mode 100644 index f6015d8..0000000 --- a/aes128_dec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* aes128_dec.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes128_dec.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES128_DEC_H_ -#define AES128_DEC_H_ - -#include "aes.h" -#include "aes_dec.h" - -/** \fn void aes128_dec(void* buffer, aes128_ctx_t* ctx) - * \brief decrypt with 128 bit key. - * - * This function decrypts one block with the AES algorithm under control of - * a keyschedule produced from a 128 bit key. - * \param buffer pointer to the block to decrypt - * \param ctx pointer to the key schedule - */ -void aes128_dec(void* buffer, aes128_ctx_t* ctx); - - - -#endif /* AES128_DEC_H_ */ diff --git a/aes128_enc.c b/aes128_enc.c deleted file mode 100644 index 3790854..0000000 --- a/aes128_enc.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes128_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes128_enc.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_enc.h" - -void aes128_enc(void* buffer, aes128_ctx_t* ctx){ - aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 10); -} - diff --git a/aes128_enc.h b/aes128_enc.h deleted file mode 100644 index 5cb4953..0000000 --- a/aes128_enc.h +++ /dev/null @@ -1,47 +0,0 @@ -/* aes128_enc.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes128_enc.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES128_ENC_H_ -#define AES128_ENC_H_ - -#include "aes.h" -#include "aes_enc.h" - - -/** \fn void aes128_enc(void* buffer, aes128_ctx_t* ctx) - * \brief encrypt with 128 bit key. - * - * This function encrypts one block with the AES algorithm under control of - * a keyschedule produced from a 128 bit key. - * \param buffer pointer to the block to encrypt - * \param ctx pointer to the key schedule - */ -void aes128_enc(void* buffer, aes128_ctx_t* ctx); - - - -#endif /* AES128_ENC_H_ */ diff --git a/aes192_dec.c b/aes192_dec.c deleted file mode 100644 index 99cc1b1..0000000 --- a/aes192_dec.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes192_dec.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes192_dec.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_dec.h" - -void aes192_dec(void* buffer, aes192_ctx_t* ctx){ - aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 12); -} - diff --git a/aes192_dec.h b/aes192_dec.h deleted file mode 100644 index 299edf9..0000000 --- a/aes192_dec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* aes192_dec.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes192_dec.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES192_DEC_H_ -#define AES192_DEC_H_ - -#include "aes.h" -#include "aes_dec.h" - -/** \fn void aes192_dec(void* buffer, aes192_ctx_t* ctx) - * \brief decrypt with 192 bit key. - * - * This function decrypts one block with the AES algorithm under control of - * a keyschedule produced from a 192 bit key. - * \param buffer pointer to the block to decrypt - * \param ctx pointer to the key schedule - */ -void aes192_dec(void* buffer, aes192_ctx_t* ctx); - - - -#endif /* AES192_DEC_H_ */ diff --git a/aes192_enc.c b/aes192_enc.c deleted file mode 100644 index 05cb71b..0000000 --- a/aes192_enc.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes192_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes192_enc.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_enc.h" - -void aes192_enc(void* buffer, aes192_ctx_t* ctx){ - aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 12); -} - diff --git a/aes192_enc.h b/aes192_enc.h deleted file mode 100644 index 30b79ec..0000000 --- a/aes192_enc.h +++ /dev/null @@ -1,47 +0,0 @@ -/* aes192_enc.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes192_enc.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES192_ENC_H_ -#define AES192_ENC_H_ - -#include "aes.h" -#include "aes_enc.h" - - -/** \fn void aes192_enc(void* buffer, aes192_ctx_t* ctx) - * \brief encrypt with 192 bit key. - * - * This function encrypts one block with the AES algorithm under control of - * a keyschedule produced from a 192 bit key. - * \param buffer pointer to the block to encrypt - * \param ctx pointer to the key schedule - */ -void aes192_enc(void* buffer, aes192_ctx_t* ctx); - - - -#endif /* AES192_ENC_H_ */ diff --git a/aes256_dec.c b/aes256_dec.c deleted file mode 100644 index 9bbb016..0000000 --- a/aes256_dec.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes256_dec.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes256_dec.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_dec.h" - -void aes256_dec(void* buffer, aes256_ctx_t* ctx){ - aes_decrypt_core(buffer, (aes_genctx_t*)ctx, 14); -} - diff --git a/aes256_dec.h b/aes256_dec.h deleted file mode 100644 index 3c77c7b..0000000 --- a/aes256_dec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* aes256_dec.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes256_dec.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES256_DEC_H_ -#define AES256_DEC_H_ - -#include "aes.h" -#include "aes_dec.h" - -/** \fn void aes256_dec(void* buffer, aes256_ctx_t* ctx) - * \brief decrypt with 256 bit key. - * - * This function decrypts one block with the AES algorithm under control of - * a keyschedule produced from a 256 bit key. - * \param buffer pointer to the block to decrypt - * \param ctx pointer to the key schedule - */ -void aes256_dec(void* buffer, aes256_ctx_t* ctx); - - - -#endif /* AES256_DEC_H_ */ diff --git a/aes256_enc.c b/aes256_enc.c deleted file mode 100644 index cb2f3ff..0000000 --- a/aes256_enc.c +++ /dev/null @@ -1,34 +0,0 @@ -/* aes256_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes256_enc.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * - */ - -#include "aes.h" -#include "aes_enc.h" - -void aes256_enc(void* buffer, aes256_ctx_t* ctx){ - aes_encrypt_core(buffer, (aes_genctx_t*)ctx, 14); -} - diff --git a/aes256_enc.h b/aes256_enc.h deleted file mode 100644 index b42b0f3..0000000 --- a/aes256_enc.h +++ /dev/null @@ -1,47 +0,0 @@ -/* aes256_enc.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes256_enc.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-31 - * \license GPLv3 or later - * \ingroup AES - */ - -#ifndef AES256_ENC_H_ -#define AES256_ENC_H_ - -#include "aes.h" -#include "aes_enc.h" - - -/** \fn void aes256_enc(void* buffer, aes256_ctx_t* ctx) - * \brief encrypt with 256 bit key. - * - * This function encrypts one block with the AES algorithm under control of - * a keyschedule produced from a 256 bit key. - * \param buffer pointer to the block to encrypt - * \param ctx pointer to the key schedule - */ -void aes256_enc(void* buffer, aes256_ctx_t* ctx); - - - -#endif /* AES256_ENC_H_ */ diff --git a/aes_dec-asm.S b/aes_dec-asm.S deleted file mode 100644 index 78dffad..0000000 --- a/aes_dec-asm.S +++ /dev/null @@ -1,425 +0,0 @@ -/* aes_dec-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_dec-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-10 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -A = 28 -B = 29 -P = 0 -xREDUCER = 25 -gf256mul: - clr P -1: - lsr A - breq 4f - brcc 2f - eor P, B -2: - lsl B - brcc 3f - eor B, xREDUCER -3: - rjmp 1b -4: - brcc 2f - eor P, B -2: - ret - -.global aes256_dec -aes256_dec: - ldi r20, 14 - rjmp aes_decrypt_core - -.global aes192_dec -aes192_dec: - ldi r20, 12 - rjmp aes_decrypt_core - -.global aes128_dec -aes128_dec: - ldi r20, 10 - - -/* - void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) -*/ -T0= 2 -T1= 3 -T2= 4 -T3= 5 -T4 = 6 -T5 = 7 -ST00 = 8 -ST01 = 9 -ST02 = 10 -ST03 = 11 -ST10 = 12 -ST11 = 13 -ST12 = 14 -ST13 = 15 -ST20 = 16 -ST21 = 17 -ST22 = 18 -ST23 = 19 -ST30 = 20 -ST31 = 21 -ST32 = 22 -ST33 = 23 -CTR = 24 -/* - * param state: r24:r25 - * param ks: r22:r23 - * param rounds: r20 - */ -.global aes_decrypt_core -aes_decrypt_core: - push_range 2, 17 - push r28 - push r29 - push r24 - push r25 - movw r26, r22 - movw r30, r24 - mov CTR, r20 - inc r20 - swap r20 /* r20*16 */ - add r26, r20 - adc r27, r1 - clt -; ldi CTR, 2 - .irp param, ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 - ld \param, Z+ - .endr - - ldi xREDUCER, 0x1b /* load reducer */ - ldi r31, hi8(aes_invsbox) - - - .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 - ld r0, -X - eor \param, r0 - .endr -1: - dec CTR - brne 2f - set -2: - /* substitute and invShift */ - .irp param, ST00, ST10, ST20, ST30 - mov r30, \param - lpm \param, Z - .endr - mov r30, ST31 - lpm T0, Z - mov r30, ST21 - lpm ST31, Z - mov r30, ST11 - lpm ST21, Z - mov r30, ST01 - lpm ST11, Z - mov ST01, T0 - - mov r30, ST32 - lpm T0, Z - mov r30, ST22 - lpm T1,Z - mov r30, ST12 - lpm ST32, Z - mov r30, ST02 - lpm ST22, Z - mov ST12, T0 - mov ST02, T1 - - mov r30, ST03 - lpm T0, Z - mov r30, ST13 - lpm ST03, Z - mov r30, ST23 - lpm ST13, Z - mov r30, ST33 - lpm ST23, Z - mov ST33, T0 - - /* key addition */ - .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 - ld r0, -X - eor \param, r0 - .endr - brtc 2f -exit: - pop r31 - pop r30 - st Z+, ST00 - st Z+, ST01 - st Z+, ST02 - st Z+, ST03 - st Z+, ST10 - st Z+, ST11 - st Z+, ST12 - st Z+, ST13 - st Z+, ST20 - st Z+, ST21 - st Z+, ST22 - st Z+, ST23 - st Z+, ST30 - st Z+, ST31 - st Z+, ST32 - st Z+, ST33 - pop r29 - pop r28 - pop_range 2, 17 - ret -2: - /* inv column (row) mixing*/ - /* invMixCol (Row) 1 */ - /* preparing */ - mov T0, ST03 - eor T0, ST02 ; T0 = t - mov T1, ST00 - eor T1, ST01 ; T1 = u - mov T2, T0 - eor T2, T1 - - mov B, T2 - ldi A, 0x08 - rcall gf256mul - eor T2, P ; T2 = v' - - mov B, ST02 - eor B, ST00 - ldi A, 0x04 - rcall gf256mul - mov T3, P - eor T3, T2; T3 = w - - mov B, ST03 - eor B, ST01 - ldi A, 0x04 - rcall gf256mul - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST00 - eor T4, ST03 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST03, T4 - - mov T4, ST02 - eor T4, ST01 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST01, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST02, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST00, T1 - - /* invMixCol (Row) 2 */ - /* preparing */ - mov T0, ST13 - eor T0, ST12 ; T0 = t - mov T1, ST10 - eor T1, ST11 ; T1 = u - mov T2, T0 - eor T2, T1 - - mov B, T2 - ldi A, 0x08 - rcall gf256mul - eor T2, P ; T2 = v' - - mov B, ST12 - eor B, ST10 - ldi A, 0x04 - rcall gf256mul - mov T3, P - eor T3, T2; T3 = w - - mov B, ST13 - eor B, ST11 - ldi A, 0x04 - rcall gf256mul - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST10 - eor T4, ST13 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST13, T4 - - mov T4, ST12 - eor T4, ST11 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST11, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST12, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST10, T1 - - /* invMixCol (Row) 2 */ - /* preparing */ - mov T0, ST23 - eor T0, ST22 ; T0 = t - mov T1, ST20 - eor T1, ST21 ; T1 = u - mov T2, T0 - eor T2, T1 - - mov B, T2 - ldi A, 0x08 - rcall gf256mul - eor T2, P ; T2 = v' - - mov B, ST22 - eor B, ST20 - ldi A, 0x04 - rcall gf256mul - mov T3, P - eor T3, T2; T3 = w - - mov B, ST23 - eor B, ST21 - ldi A, 0x04 - rcall gf256mul - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST20 - eor T4, ST23 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST23, T4 - - mov T4, ST22 - eor T4, ST21 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST21, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST22, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST20, T1 - - /* invMixCol (Row) 3 */ - /* preparing */ - mov T0, ST33 - eor T0, ST32 ; T0 = t - mov T1, ST30 - eor T1, ST31 ; T1 = u - mov T2, T0 - eor T2, T1 - - mov B, T2 - ldi A, 0x08 - rcall gf256mul - eor T2, P ; T2 = v' - - mov B, ST32 - eor B, ST30 - ldi A, 0x04 - rcall gf256mul - mov T3, P - eor T3, T2; T3 = w - - mov B, ST33 - eor B, ST31 - ldi A, 0x04 - rcall gf256mul - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST30 - eor T4, ST33 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST33, T4 - - mov T4, ST32 - eor T4, ST31 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST31, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST32, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST30, T1 - - rjmp 1b - - - diff --git a/aes_dec-asm_faster.S b/aes_dec-asm_faster.S deleted file mode 100644 index e743678..0000000 --- a/aes_dec-asm_faster.S +++ /dev/null @@ -1,457 +0,0 @@ -/* aes_dec-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_dec-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-10 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -A = 28 -B = 29 -P = 0 -xREDUCER = 25 - -.global aes256_dec -aes256_dec: - ldi r20, 14 - rjmp aes_decrypt_core - -.global aes192_dec -aes192_dec: - ldi r20, 12 - rjmp aes_decrypt_core - -.global aes128_dec -aes128_dec: - ldi r20, 10 - - -/* - void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) -*/ -T0= 2 -T1= 3 -T2= 4 -T3= 5 -T4 = 6 -T5 = 7 -ST00 = 8 -ST01 = 9 -ST02 = 10 -ST03 = 11 -ST10 = 12 -ST11 = 13 -ST12 = 14 -ST13 = 15 -ST20 = 16 -ST21 = 17 -ST22 = 18 -ST23 = 19 -ST30 = 20 -ST31 = 21 -ST32 = 22 -ST33 = 23 -CTR = 24 -/* - * param state: r24:r25 - * param ks: r22:r23 - * param rounds: r20 - */ -.global aes_decrypt_core -aes_decrypt_core: - push_range 2, 17 - push r28 - push r29 - push r24 - push r25 - movw r26, r22 - movw r30, r24 - mov CTR, r20 - inc r20 - swap r20 /* r20*16 */ - add r26, r20 - adc r27, r1 - clt - .irp param, ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 - ld \param, Z+ - .endr - - ldi xREDUCER, 0x1b /* load reducer */ - - - .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 - ld r0, -X - eor \param, r0 - .endr -1: - dec CTR - brne 2f - set -2: - ldi r31, hi8(aes_invsbox) - /* substitute and invShift */ - .irp param, ST00, ST10, ST20, ST30 - mov r30, \param - lpm \param, Z - .endr - mov r30, ST31 - lpm T0, Z - mov r30, ST21 - lpm ST31, Z - mov r30, ST11 - lpm ST21, Z - mov r30, ST01 - lpm ST11, Z - mov ST01, T0 - - mov r30, ST32 - lpm T0, Z - mov r30, ST22 - lpm T1,Z - mov r30, ST12 - lpm ST32, Z - mov r30, ST02 - lpm ST22, Z - mov ST12, T0 - mov ST02, T1 - - mov r30, ST03 - lpm T0, Z - mov r30, ST13 - lpm ST03, Z - mov r30, ST23 - lpm ST13, Z - mov r30, ST33 - lpm ST23, Z - mov ST33, T0 - - /* key addition */ - .irp param, ST33, ST32, ST31, ST30, ST23, ST22, ST21, ST20, ST13, ST12, ST11, ST10, ST03, ST02, ST01, ST00 - ld r0, -X - eor \param, r0 - .endr - brtc 2f -exit: - pop r31 - pop r30 - st Z+, ST00 - st Z+, ST01 - st Z+, ST02 - st Z+, ST03 - st Z+, ST10 - st Z+, ST11 - st Z+, ST12 - st Z+, ST13 - st Z+, ST20 - st Z+, ST21 - st Z+, ST22 - st Z+, ST23 - st Z+, ST30 - st Z+, ST31 - st Z+, ST32 - st Z+, ST33 - pop r29 - pop r28 - pop_range 2, 17 - ret -2: - /* inv column (row) mixing*/ - /* invMixCol (Row) 1 */ - /* preparing */ - ldi r31, hi8(lut_gf256mul_0x09) - mov T0, ST03 - eor T0, ST02 ; T0 = t - mov T1, ST00 - eor T1, ST01 ; T1 = u - mov r30, T0 - eor r30, T1 - lpm T2, Z ; T2 = v' - - ldi r31, hi8(lut_gf256mul_0x04) - mov r30, ST02 - eor r30, ST00 - lpm T3, Z - eor T3, T2; T3 = w - - mov r30, ST03 - eor r30, ST01 - lpm P, Z ; T2 = v - eor T2, P - - /* now the big move */ - mov T4, ST00 - eor T4, ST03 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST03, T4 - - mov T4, ST02 - eor T4, ST01 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST01, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST02, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST00, T1 - - /* invMixCol (Row) 2 */ - /* preparing */ - ldi r31, hi8(lut_gf256mul_0x09) - mov T0, ST13 - eor T0, ST12 ; T0 = t - mov T1, ST10 - eor T1, ST11 ; T1 = u - mov r30, T0 - eor r30, T1 - - lpm T2, Z ; T2 = v' - - ldi r31, hi8(lut_gf256mul_0x04) - mov r30, ST12 - eor r30, ST10 - lpm T3, Z - eor T3, T2; T3 = w - - mov r30, ST13 - eor r30, ST11 - lpm P, Z - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST10 - eor T4, ST13 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST13, T4 - - mov T4, ST12 - eor T4, ST11 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST11, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST12, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST10, T1 - - /* invMixCol (Row) 2 */ - /* preparing */ - ldi r31, hi8(lut_gf256mul_0x09) - mov T0, ST23 - eor T0, ST22 ; T0 = t - mov T1, ST20 - eor T1, ST21 ; T1 = u - mov r30, T0 - eor r30, T1 - - lpm T2, Z ; T2 = v' - - ldi r31, hi8(lut_gf256mul_0x04) - mov r30, ST22 - eor r30, ST20 - lpm T3, Z - eor T3, T2; T3 = w - - mov r30, ST23 - eor r30, ST21 - lpm P, Z - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST20 - eor T4, ST23 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST23, T4 - - mov T4, ST22 - eor T4, ST21 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST21, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST22, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST20, T1 - - /* invMixCol (Row) 3 */ - /* preparing */ - ldi r31, hi8(lut_gf256mul_0x09) - mov T0, ST33 - eor T0, ST32 ; T0 = t - mov T1, ST30 - eor T1, ST31 ; T1 = u - mov r30, T0 - eor r30, T1 - - lpm T2, Z ; T2 = v' - - ldi r31, hi8(lut_gf256mul_0x04) - mov r30, ST32 - eor r30, ST30 - lpm T3, Z - eor T3, T2; T3 = w - - mov r30, ST33 - eor r30, ST31 - lpm P, Z - eor T2, P ; T2 = v - - /* now the big move */ - mov T4, ST30 - eor T4, ST33 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST33, T4 - - mov T4, ST32 - eor T4, ST31 - lsl T4 - brcc 3f - eor T4, xREDUCER -3: eor T4, T2 - eor ST31, T4 - - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, T3 - eor ST32, T0 - - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, T3 - eor ST30, T1 - - rjmp 1b - -.balign 256 - -lut_gf256mul_0x09: -.byte 0x00, 0x09, 0x12, 0x1B, 0x24, 0x2D, 0x36, 0x3F -.byte 0x48, 0x41, 0x5A, 0x53, 0x6C, 0x65, 0x7E, 0x77 -.byte 0x90, 0x99, 0x82, 0x8B, 0xB4, 0xBD, 0xA6, 0xAF -.byte 0xD8, 0xD1, 0xCA, 0xC3, 0xFC, 0xF5, 0xEE, 0xE7 -.byte 0x3B, 0x32, 0x29, 0x20, 0x1F, 0x16, 0x0D, 0x04 -.byte 0x73, 0x7A, 0x61, 0x68, 0x57, 0x5E, 0x45, 0x4C -.byte 0xAB, 0xA2, 0xB9, 0xB0, 0x8F, 0x86, 0x9D, 0x94 -.byte 0xE3, 0xEA, 0xF1, 0xF8, 0xC7, 0xCE, 0xD5, 0xDC -.byte 0x76, 0x7F, 0x64, 0x6D, 0x52, 0x5B, 0x40, 0x49 -.byte 0x3E, 0x37, 0x2C, 0x25, 0x1A, 0x13, 0x08, 0x01 -.byte 0xE6, 0xEF, 0xF4, 0xFD, 0xC2, 0xCB, 0xD0, 0xD9 -.byte 0xAE, 0xA7, 0xBC, 0xB5, 0x8A, 0x83, 0x98, 0x91 -.byte 0x4D, 0x44, 0x5F, 0x56, 0x69, 0x60, 0x7B, 0x72 -.byte 0x05, 0x0C, 0x17, 0x1E, 0x21, 0x28, 0x33, 0x3A -.byte 0xDD, 0xD4, 0xCF, 0xC6, 0xF9, 0xF0, 0xEB, 0xE2 -.byte 0x95, 0x9C, 0x87, 0x8E, 0xB1, 0xB8, 0xA3, 0xAA -.byte 0xEC, 0xE5, 0xFE, 0xF7, 0xC8, 0xC1, 0xDA, 0xD3 -.byte 0xA4, 0xAD, 0xB6, 0xBF, 0x80, 0x89, 0x92, 0x9B -.byte 0x7C, 0x75, 0x6E, 0x67, 0x58, 0x51, 0x4A, 0x43 -.byte 0x34, 0x3D, 0x26, 0x2F, 0x10, 0x19, 0x02, 0x0B -.byte 0xD7, 0xDE, 0xC5, 0xCC, 0xF3, 0xFA, 0xE1, 0xE8 -.byte 0x9F, 0x96, 0x8D, 0x84, 0xBB, 0xB2, 0xA9, 0xA0 -.byte 0x47, 0x4E, 0x55, 0x5C, 0x63, 0x6A, 0x71, 0x78 -.byte 0x0F, 0x06, 0x1D, 0x14, 0x2B, 0x22, 0x39, 0x30 -.byte 0x9A, 0x93, 0x88, 0x81, 0xBE, 0xB7, 0xAC, 0xA5 -.byte 0xD2, 0xDB, 0xC0, 0xC9, 0xF6, 0xFF, 0xE4, 0xED -.byte 0x0A, 0x03, 0x18, 0x11, 0x2E, 0x27, 0x3C, 0x35 -.byte 0x42, 0x4B, 0x50, 0x59, 0x66, 0x6F, 0x74, 0x7D -.byte 0xA1, 0xA8, 0xB3, 0xBA, 0x85, 0x8C, 0x97, 0x9E -.byte 0xE9, 0xE0, 0xFB, 0xF2, 0xCD, 0xC4, 0xDF, 0xD6 -.byte 0x31, 0x38, 0x23, 0x2A, 0x15, 0x1C, 0x07, 0x0E -.byte 0x79, 0x70, 0x6B, 0x62, 0x5D, 0x54, 0x4F, 0x46 - -lut_gf256mul_0x04: -.byte 0x00, 0x04, 0x08, 0x0C, 0x10, 0x14, 0x18, 0x1C -.byte 0x20, 0x24, 0x28, 0x2C, 0x30, 0x34, 0x38, 0x3C -.byte 0x40, 0x44, 0x48, 0x4C, 0x50, 0x54, 0x58, 0x5C -.byte 0x60, 0x64, 0x68, 0x6C, 0x70, 0x74, 0x78, 0x7C -.byte 0x80, 0x84, 0x88, 0x8C, 0x90, 0x94, 0x98, 0x9C -.byte 0xA0, 0xA4, 0xA8, 0xAC, 0xB0, 0xB4, 0xB8, 0xBC -.byte 0xC0, 0xC4, 0xC8, 0xCC, 0xD0, 0xD4, 0xD8, 0xDC -.byte 0xE0, 0xE4, 0xE8, 0xEC, 0xF0, 0xF4, 0xF8, 0xFC -.byte 0x1B, 0x1F, 0x13, 0x17, 0x0B, 0x0F, 0x03, 0x07 -.byte 0x3B, 0x3F, 0x33, 0x37, 0x2B, 0x2F, 0x23, 0x27 -.byte 0x5B, 0x5F, 0x53, 0x57, 0x4B, 0x4F, 0x43, 0x47 -.byte 0x7B, 0x7F, 0x73, 0x77, 0x6B, 0x6F, 0x63, 0x67 -.byte 0x9B, 0x9F, 0x93, 0x97, 0x8B, 0x8F, 0x83, 0x87 -.byte 0xBB, 0xBF, 0xB3, 0xB7, 0xAB, 0xAF, 0xA3, 0xA7 -.byte 0xDB, 0xDF, 0xD3, 0xD7, 0xCB, 0xCF, 0xC3, 0xC7 -.byte 0xFB, 0xFF, 0xF3, 0xF7, 0xEB, 0xEF, 0xE3, 0xE7 -.byte 0x36, 0x32, 0x3E, 0x3A, 0x26, 0x22, 0x2E, 0x2A -.byte 0x16, 0x12, 0x1E, 0x1A, 0x06, 0x02, 0x0E, 0x0A -.byte 0x76, 0x72, 0x7E, 0x7A, 0x66, 0x62, 0x6E, 0x6A -.byte 0x56, 0x52, 0x5E, 0x5A, 0x46, 0x42, 0x4E, 0x4A -.byte 0xB6, 0xB2, 0xBE, 0xBA, 0xA6, 0xA2, 0xAE, 0xAA -.byte 0x96, 0x92, 0x9E, 0x9A, 0x86, 0x82, 0x8E, 0x8A -.byte 0xF6, 0xF2, 0xFE, 0xFA, 0xE6, 0xE2, 0xEE, 0xEA -.byte 0xD6, 0xD2, 0xDE, 0xDA, 0xC6, 0xC2, 0xCE, 0xCA -.byte 0x2D, 0x29, 0x25, 0x21, 0x3D, 0x39, 0x35, 0x31 -.byte 0x0D, 0x09, 0x05, 0x01, 0x1D, 0x19, 0x15, 0x11 -.byte 0x6D, 0x69, 0x65, 0x61, 0x7D, 0x79, 0x75, 0x71 -.byte 0x4D, 0x49, 0x45, 0x41, 0x5D, 0x59, 0x55, 0x51 -.byte 0xAD, 0xA9, 0xA5, 0xA1, 0xBD, 0xB9, 0xB5, 0xB1 -.byte 0x8D, 0x89, 0x85, 0x81, 0x9D, 0x99, 0x95, 0x91 -.byte 0xED, 0xE9, 0xE5, 0xE1, 0xFD, 0xF9, 0xF5, 0xF1 -.byte 0xCD, 0xC9, 0xC5, 0xC1, 0xDD, 0xD9, 0xD5, 0xD1 - diff --git a/aes_dec.c b/aes_dec.c deleted file mode 100644 index 8c476de..0000000 --- a/aes_dec.c +++ /dev/null @@ -1,131 +0,0 @@ -/* aes.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include -#include -#include "gf256mul.h" -#include "aes.h" -#include "aes_invsbox.h" -#include "aes_dec.h" -#include - -void aes_invshiftrow(void* data, uint8_t shift){ - uint8_t tmp[4]; - tmp[0] = ((uint8_t*)data)[(4+0-shift)&3]; - tmp[1] = ((uint8_t*)data)[(4+1-shift)&3]; - tmp[2] = ((uint8_t*)data)[(4+2-shift)&3]; - tmp[3] = ((uint8_t*)data)[(4+3-shift)&3]; - memcpy(data, tmp, 4); -} - -void aes_invshiftcol(void* data, uint8_t shift){ - uint8_t tmp[4]; - tmp[0] = ((uint8_t*)data)[ 0]; - tmp[1] = ((uint8_t*)data)[ 4]; - tmp[2] = ((uint8_t*)data)[ 8]; - tmp[3] = ((uint8_t*)data)[12]; - ((uint8_t*)data)[ 0] = tmp[(4-shift+0)&3]; - ((uint8_t*)data)[ 4] = tmp[(4-shift+1)&3]; - ((uint8_t*)data)[ 8] = tmp[(4-shift+2)&3]; - ((uint8_t*)data)[12] = tmp[(4-shift+3)&3]; -} -static -void aes_dec_round(aes_cipher_state_t* state, const aes_roundkey_t* k){ - uint8_t tmp[16]; - uint8_t i; - uint8_t t,u,v,w; - /* keyAdd */ - for(i=0; i<16; ++i){ - tmp[i] = state->s[i] ^ k->ks[i]; - } - /* mixColums */ - for(i=0; i<4; ++i){ - t = tmp[4*i+3] ^ tmp[4*i+2]; - u = tmp[4*i+1] ^ tmp[4*i+0]; - v = t ^ u; - v = gf256mul(0x09, v, 0x1b); - w = v ^ gf256mul(0x04, tmp[4*i+2] ^ tmp[4*i+0], 0x1b); - v = v ^ gf256mul(0x04, tmp[4*i+3] ^ tmp[4*i+1], 0x1b); - state->s[4*i+3] = tmp[4*i+3] ^ v ^ gf256mul(0x02, tmp[4*i+0] ^ tmp[4*i+3], 0x1b); - state->s[4*i+2] = tmp[4*i+2] ^ w ^ gf256mul(0x02, t, 0x1b); - state->s[4*i+1] = tmp[4*i+1] ^ v ^ gf256mul(0x02, tmp[4*i+2] ^ tmp[4*i+1], 0x1b); - state->s[4*i+0] = tmp[4*i+0] ^ w ^ gf256mul(0x02, u, 0x1b); - - /* - state->s[4*i+0] = - gf256mul(0xe, tmp[4*i+0], 0x1b) - ^ gf256mul(0xb, tmp[4*i+1], 0x1b) - ^ gf256mul(0xd, tmp[4*i+2], 0x1b) - ^ gf256mul(0x9, tmp[4*i+3], 0x1b); - state->s[4*i+1] = - gf256mul(0x9, tmp[4*i+0], 0x1b) - ^ gf256mul(0xe, tmp[4*i+1], 0x1b) - ^ gf256mul(0xb, tmp[4*i+2], 0x1b) - ^ gf256mul(0xd, tmp[4*i+3], 0x1b); - state->s[4*i+2] = - gf256mul(0xd, tmp[4*i+0], 0x1b) - ^ gf256mul(0x9, tmp[4*i+1], 0x1b) - ^ gf256mul(0xe, tmp[4*i+2], 0x1b) - ^ gf256mul(0xb, tmp[4*i+3], 0x1b); - state->s[4*i+3] = - gf256mul(0xb, tmp[4*i+0], 0x1b) - ^ gf256mul(0xd, tmp[4*i+1], 0x1b) - ^ gf256mul(0x9, tmp[4*i+2], 0x1b) - ^ gf256mul(0xe, tmp[4*i+3], 0x1b); - */ - } - /* shiftRows */ - aes_invshiftcol(state->s+1, 1); - aes_invshiftcol(state->s+2, 2); - aes_invshiftcol(state->s+3, 3); - /* subBytes */ - for(i=0; i<16; ++i){ - state->s[i] = pgm_read_byte(aes_invsbox+state->s[i]); - } -} - - -static -void aes_dec_firstround(aes_cipher_state_t* state, const aes_roundkey_t* k){ - uint8_t i; - /* keyAdd */ - for(i=0; i<16; ++i){ - state->s[i] ^= k->ks[i]; - } - /* shiftRows */ - aes_invshiftcol(state->s+1, 1); - aes_invshiftcol(state->s+2, 2); - aes_invshiftcol(state->s+3, 3); - /* subBytes */ - for(i=0; i<16; ++i){ - state->s[i] = pgm_read_byte(aes_invsbox+state->s[i]); - } -} - -void aes_decrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds){ - uint8_t i; - aes_dec_firstround(state, &(ks->key[i=rounds])); - for(;rounds>1;--rounds){ - --i; - aes_dec_round(state, &(ks->key[i])); - } - for(i=0; i<16; ++i){ - state->s[i] ^= ks->key[0].ks[i]; - } -} diff --git a/aes_dec.h b/aes_dec.h deleted file mode 100644 index 631d953..0000000 --- a/aes_dec.h +++ /dev/null @@ -1,36 +0,0 @@ -/* aes_dec.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_dec.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ -#ifndef AES_DEC_H_ -#define AES_DEC_H_ -#include "aes.h" -#include - - -void aes_decrypt_core(aes_cipher_state_t* state,const aes_genctx_t* ks, uint8_t rounds); - - -#endif diff --git a/aes_enc-asm.S b/aes_enc-asm.S deleted file mode 100644 index 5b46a2a..0000000 --- a/aes_enc-asm.S +++ /dev/null @@ -1,341 +0,0 @@ -/* aes_enc-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_enc-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-10 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" - - -/* - * param a: r24 - * param b: r22 - * param reducer: r0 - */ -A = 28 -B = 29 -P = 0 -xREDUCER = 25 - -.global aes256_enc -aes256_enc: - ldi r20, 14 - rjmp aes_encrypt_core - -.global aes192_enc -aes192_enc: - ldi r20, 12 - rjmp aes_encrypt_core - -.global aes128_enc -aes128_enc: - ldi r20, 10 - - -/* - void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds) -*/ -T0= 2 -T1= 3 -T2= 4 -T3= 5 -SBOX_SAVE0 = 6 -SBOX_SAVE1 = 7 -ST00 = 8 -ST01 = 9 -ST02 = 10 -ST03 = 11 -ST10 = 12 -ST11 = 13 -ST12 = 14 -ST13 = 15 -ST20 = 16 -ST21 = 17 -ST22 = 18 -ST23 = 19 -ST30 = 20 -ST31 = 21 -ST32 = 22 -ST33 = 23 -CTR = 24 -/* - * param state: r24:r25 - * param ks: r22:r23 - * param rounds: r20 - */ -.global aes_encrypt_core -aes_encrypt_core: - push_range 2, 17 - push r28 - push r29 - push r24 - push r25 - movw r26, r22 - movw r30, r24 - mov CTR, r20 - clt - - .irp param,ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 - ld \param, Z+ - .endr - - ldi xREDUCER, 0x1b /* load reducer */ - ldi r31, hi8(aes_sbox) - - /* key whitening */ -1: - .irp param,ST00, ST01, ST02, ST03, ST10, ST11, ST12, ST13, ST20, ST21, ST22, ST23, ST30, ST31, ST32, ST33 - ld r0, X+ - eor \param, r0 - .endr - - brtc 2f -exit: - pop r31 - pop r30 - st Z+, ST00 - st Z+, ST01 - st Z+, ST02 - st Z+, ST03 - st Z+, ST10 - st Z+, ST11 - st Z+, ST12 - st Z+, ST13 - st Z+, ST20 - st Z+, ST21 - st Z+, ST22 - st Z+, ST23 - st Z+, ST30 - st Z+, ST31 - st Z+, ST32 - st Z+, ST33 - pop r29 - pop r28 - pop_range 2, 17 - ret - -2: dec CTR - brne 3f - set -3: - - /* encryption loop */ - - /* SBOX substitution and shifting */ - mov r30, ST00 - lpm ST00, Z - mov r30, ST10 - lpm ST10, Z - mov r30, ST20 - lpm ST20, Z - mov r30, ST30 - lpm ST30, Z - - mov r30, ST01 - lpm T0, Z - mov r30, ST11 - lpm ST01, Z - mov r30, ST21 - lpm ST11, Z - mov r30, ST31 - lpm ST21, Z - mov ST31, T0 - - mov r30, ST02 - lpm T0, Z - mov r30, ST12 - lpm T1, Z - mov r30, ST22 - lpm ST02, Z - mov r30, ST32 - lpm ST12, Z - mov ST22, T0 - mov ST32, T1 - - mov r30, ST03 - lpm T0, Z - mov r30, ST33 - lpm ST03, Z - mov r30, ST23 - lpm ST33, Z - mov r30, ST13 - lpm ST23, Z - mov ST13, T0 - - /* mixcols (or rows in our case) */ - brtc 2f - rjmp 1b -2: - /* mixrow 1 */ - mov r0, ST02 - eor r0, ST03 - mov T2, r0 - - mov T0, ST00 - eor ST00, ST01 - eor r0, ST00 - lsl ST00 - brcc 3f - eor ST00, xREDUCER -3: eor ST00, r0 - eor ST00, T0 - - mov T1, ST01 - eor T1, ST02 - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, r0 - eor ST01, T1 - - lsl T2 - brcc 3f - eor T2, xREDUCER -3: eor T2, r0 - eor ST02, T2 - - eor T0, ST03 - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, r0 - eor ST03, T0 - - /* mixrow 2 */ - mov r0, ST12 - eor r0, ST13 - mov T2, r0 - - mov T0, ST10 - eor ST10, ST11 - eor r0, ST10 - lsl ST10 - brcc 3f - eor ST10, xREDUCER -3: eor ST10, r0 - eor ST10, T0 - - mov T1, ST11 - eor T1, ST12 - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, r0 - eor ST11, T1 - - lsl T2 - brcc 3f - eor T2, xREDUCER -3: eor T2, r0 - eor ST12, T2 - - eor T0, ST13 - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, r0 - eor ST13, T0 - - /* mixrow 3 */ - mov r0, ST22 - eor r0, ST23 - mov T2, r0 - - mov T0, ST20 - eor ST20, ST21 - eor r0, ST20 - lsl ST20 - brcc 3f - eor ST20, xREDUCER -3: eor ST20, r0 - eor ST20, T0 - - mov T1, ST21 - eor T1, ST22 - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, r0 - eor ST21, T1 - - lsl T2 - brcc 3f - eor T2, xREDUCER -3: eor T2, r0 - eor ST22, T2 - - eor T0, ST23 - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, r0 - eor ST23, T0 - - /* mixrow 4 */ - mov r0, ST32 - eor r0, ST33 - mov T2, r0 - - mov T0, ST30 - eor ST30, ST31 - eor r0, ST30 - lsl ST30 - brcc 3f - eor ST30, xREDUCER -3: eor ST30, r0 - eor ST30, T0 - - mov T1, ST31 - eor T1, ST32 - lsl T1 - brcc 3f - eor T1, xREDUCER -3: eor T1, r0 - eor ST31, T1 - - lsl T2 - brcc 3f - eor T2, xREDUCER -3: eor T2, r0 - eor ST32, T2 - - eor T0, ST33 - lsl T0 - brcc 3f - eor T0, xREDUCER -3: eor T0, r0 - eor ST33, T0 - /* mix colums (rows) done */ - - /* add key*/ - rjmp 1b - - - - - - - - - diff --git a/aes_enc.c b/aes_enc.c deleted file mode 100644 index dadf9f4..0000000 --- a/aes_enc.c +++ /dev/null @@ -1,120 +0,0 @@ -/* aes_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_enc.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ - -#include -#include -#include "aes.h" -#include "gf256mul.h" -#include "aes_sbox.h" -#include "aes_enc.h" -#include - -void aes_shiftcol(void* data, uint8_t shift){ - uint8_t tmp[4]; - tmp[0] = ((uint8_t*)data)[ 0]; - tmp[1] = ((uint8_t*)data)[ 4]; - tmp[2] = ((uint8_t*)data)[ 8]; - tmp[3] = ((uint8_t*)data)[12]; - ((uint8_t*)data)[ 0] = tmp[(shift+0)&3]; - ((uint8_t*)data)[ 4] = tmp[(shift+1)&3]; - ((uint8_t*)data)[ 8] = tmp[(shift+2)&3]; - ((uint8_t*)data)[12] = tmp[(shift+3)&3]; -} - -#define GF256MUL_1(a) (a) -#define GF256MUL_2(a) (gf256mul(2, (a), 0x1b)) -#define GF256MUL_3(a) (gf256mul(3, (a), 0x1b)) - -static -void aes_enc_round(aes_cipher_state_t* state, const aes_roundkey_t* k){ - uint8_t tmp[16], t; - uint8_t i; - /* subBytes */ - for(i=0; i<16; ++i){ - tmp[i] = pgm_read_byte(aes_sbox+state->s[i]); - } - /* shiftRows */ - aes_shiftcol(tmp+1, 1); - aes_shiftcol(tmp+2, 2); - aes_shiftcol(tmp+3, 3); - /* mixColums */ - for(i=0; i<4; ++i){ - t = tmp[4*i+0] ^ tmp[4*i+1] ^ tmp[4*i+2] ^ tmp[4*i+3]; - state->s[4*i+0] = - GF256MUL_2(tmp[4*i+0]^tmp[4*i+1]) - ^ tmp[4*i+0] - ^ t; - state->s[4*i+1] = - GF256MUL_2(tmp[4*i+1]^tmp[4*i+2]) - ^ tmp[4*i+1] - ^ t; - state->s[4*i+2] = - GF256MUL_2(tmp[4*i+2]^tmp[4*i+3]) - ^ tmp[4*i+2] - ^ t; - state->s[4*i+3] = - GF256MUL_2(tmp[4*i+3]^tmp[4*i+0]) - ^ tmp[4*i+3] - ^ t; - } - - /* addKey */ - for(i=0; i<16; ++i){ - state->s[i] ^= k->ks[i]; - } -} - - -static -void aes_enc_lastround(aes_cipher_state_t* state,const aes_roundkey_t* k){ - uint8_t i; - /* subBytes */ - for(i=0; i<16; ++i){ - state->s[i] = pgm_read_byte(aes_sbox+state->s[i]); - } - /* shiftRows */ - aes_shiftcol(state->s+1, 1); - aes_shiftcol(state->s+2, 2); - aes_shiftcol(state->s+3, 3); - /* keyAdd */ - for(i=0; i<16; ++i){ - state->s[i] ^= k->ks[i]; - } -} - -void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds){ - uint8_t i; - for(i=0; i<16; ++i){ - state->s[i] ^= ks->key[0].ks[i]; - } - i=1; - for(;rounds>1;--rounds){ - aes_enc_round(state, &(ks->key[i])); - ++i; - } - aes_enc_lastround(state, &(ks->key[i])); -} diff --git a/aes_enc.h b/aes_enc.h deleted file mode 100644 index f3c4dfa..0000000 --- a/aes_enc.h +++ /dev/null @@ -1,36 +0,0 @@ -/* aes_enc.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_enc.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ -#ifndef AES_ENC_H_ -#define AES_ENC_H_ -#include "aes.h" -#include - - -void aes_encrypt_core(aes_cipher_state_t* state, const aes_genctx_t* ks, uint8_t rounds); - - -#endif diff --git a/aes_invsbox-asm.S b/aes_invsbox-asm.S deleted file mode 100644 index 9ab899f..0000000 --- a/aes_invsbox-asm.S +++ /dev/null @@ -1,45 +0,0 @@ -/* aes_sbox-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_dec-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-10 - * \license GPLv3 or later - * - */ -.balign 256 -.global aes_invsbox -aes_invsbox: -.byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb -.byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb -.byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e -.byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 -.byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92 -.byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 -.byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06 -.byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b -.byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73 -.byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e -.byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b -.byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4 -.byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f -.byte 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef -.byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 -.byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d diff --git a/aes_invsbox.c b/aes_invsbox.c deleted file mode 100644 index 921ff49..0000000 --- a/aes_invsbox.c +++ /dev/null @@ -1,22 +0,0 @@ -/* aes inverted sbox */ - -#include -#include -uint8_t aes_invsbox[256] PROGMEM = { - 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, - 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, - 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, - 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, - 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, - 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, - 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, - 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, - 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, - 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, - 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d -}; diff --git a/aes_invsbox.h b/aes_invsbox.h deleted file mode 100644 index 42fe9a8..0000000 --- a/aes_invsbox.h +++ /dev/null @@ -1,33 +0,0 @@ -/* aes_invsbox.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_invsbox.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ -#ifndef AES_INVSBOX_H_ -#define AES_INVSBOX_H_ -#include - -extern uint8_t aes_invsbox[]; - -#endif diff --git a/aes_keyschedule-asm.S b/aes_keyschedule-asm.S deleted file mode 100644 index c5d69ea..0000000 --- a/aes_keyschedule-asm.S +++ /dev/null @@ -1,225 +0,0 @@ -/* aes_keyschedule-asm */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_keyschedule-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-09 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" - -.global aes256_init -aes256_init: - movw r20, r22 - ldi r23, hi8(256) - ldi r22, lo8(256) - rjmp aes_init - -.global aes192_init -aes192_init: - movw r20, r22 - ldi r23, hi8(192) - ldi r22, lo8(192) - rjmp aes_init - -.global aes128_init -aes128_init: - movw r20, r22 - clr r23 - ldi r22, 128 - -/* -void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx){ - uint8_t hi,i,nk, next_nk; - uint8_t rc=1; - uint8_t tmp[4]; - nk=keysize_b>>5; / * 4, 6, 8 * / - hi=4*(nk+6+1); - memcpy(ctx, key, keysize_b/8); - next_nk = nk; - for(i=nk;ikey[0].ks))[i-1]; - if(i!=next_nk){ - if(nk==8 && i%8==4){ - tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); - tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); - tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); - tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); - } - } else { - next_nk += nk; - aes_rotword(tmp); - tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); - tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); - tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); - tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); - tmp[0] ^= rc; - rc<<=1; - } - ((uint32_t*)(ctx->key[0].ks))[i] = ((uint32_t*)(ctx->key[0].ks))[i-nk] - ^ *((uint32_t*)tmp); - } -} -*/ - -SBOX_SAVE0 = 14 -SBOX_SAVE1 = 15 -XRC = 17 -NK = 22 -C1 = 18 -NEXT_NK = 19 -HI = 23 -T0 = 20 -T1 = 21 -T2 = 24 -T3 = 25 -/* - * param key: r24:r25 - * param keysize_b: r22:r23 - * param ctx: r20:r21 - */ -.global aes_init -aes_init: - push_range 14, 17 - push r28 - push r29 - movw r30, r20 - movw r28, r20 - movw r26, r24 - lsr r23 - ror r22 - lsr r22 - lsr r22 /* r22 contains keysize_b/8 */ - mov C1, r22 - -1: /* copy key to ctx */ - ld r0, X+ - st Z+, r0 - dec C1 - brne 1b - - lsr NK - lsr NK - bst NK,3 /* set T if NK==8 */ - mov NEXT_NK, NK - mov HI, NK - subi HI, -7 - lsl HI - lsl HI - movw r26, r30 - sbiw r26, 4 - mov C1, NK - ldi r30, lo8(aes_sbox) - ldi r31, hi8(aes_sbox) - movw SBOX_SAVE0, r30 - ldi XRC, 1 -1: - ld T0, X+ - ld T1, X+ - ld T2, X+ - ld T3, X+ - cp NEXT_NK, C1 - breq 2f - brtc 5f - mov r16, C1 - andi r16, 0x07 - cpi r16, 0x04 - brne 5f - movw r30, SBOX_SAVE0 - add r30, T0 - adc r31, r1 - lpm T0, Z - movw r30, SBOX_SAVE0 - add r30, T1 - adc r31, r1 - lpm T1, Z - movw r30, SBOX_SAVE0 - add r30, T2 - adc r31, r1 - lpm T2, Z - movw r30, SBOX_SAVE0 - add r30, T3 - adc r31, r1 - lpm T3, Z - rjmp 5f -2: - add NEXT_NK, NK - movw r30, SBOX_SAVE0 - add r30, T0 - adc r31, r1 - lpm r16, Z - movw r30, SBOX_SAVE0 - add r30, T1 - adc r31, r1 - lpm T0, Z - movw r30, SBOX_SAVE0 - add r30, T2 - adc r31, r1 - lpm T1, Z - movw r30, SBOX_SAVE0 - add r30, T3 - adc r31, r1 - lpm T2, Z - mov T3, r16 - eor T0, XRC - lsl XRC - brcc 3f - ldi XRC, 0x1b -3: -5: - movw r30, r26 - - ld r0, Y+ - eor r0, T0 - st Z+, r0 - ld r0, Y+ - eor r0 ,T1 - st Z+, r0 - ld r0, Y+ - eor r0, T2 - st Z+, r0 - ld r0, Y+ - eor r0, T3 - st Z+, r0 - -/* - st Z+, T0 - st Z+, T1 - st Z+, T2 - st Z+, T3 -*/ - - inc C1 - cp C1, HI - breq 6f - rjmp 1b -6: - - clt - pop r29 - pop r28 - pop_range 14, 17 - ret - - - - diff --git a/aes_keyschedule.c b/aes_keyschedule.c deleted file mode 100644 index 9e58eb5..0000000 --- a/aes_keyschedule.c +++ /dev/null @@ -1,91 +0,0 @@ -/* aes_keyschedule.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_keyschedule.c - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ - -#include -#include "aes.h" -#include "aes_keyschedule.h" -#include "aes_sbox.h" -#include -#include - -static -void aes_rotword(void* a){ - uint8_t t; - t=((uint8_t*)a)[0]; - ((uint8_t*)a)[0] = ((uint8_t*)a)[1]; - ((uint8_t*)a)[1] = ((uint8_t*)a)[2]; - ((uint8_t*)a)[2] = ((uint8_t*)a)[3]; - ((uint8_t*)a)[3] = t; -} - -uint8_t rc_tab[] PROGMEM = { 0x01, 0x02, 0x04, 0x08, - 0x10, 0x20, 0x40, 0x80, - 0x1b, 0x36 }; - -void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx){ - uint8_t hi,i,nk, next_nk; - uint8_t rc=0; - uint8_t tmp[4]; - nk=keysize_b>>5; /* 4, 6, 8 */ - hi=4*(nk+6+1); - memcpy(ctx, key, keysize_b/8); - next_nk = nk; - for(i=nk;ikey[0].ks))[i-1]; - if(i!=next_nk){ - if(nk==8 && i%8==4){ - tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); - tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); - tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); - tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); - } - } else { - next_nk += nk; - aes_rotword(tmp); - tmp[0] = pgm_read_byte(aes_sbox+tmp[0]); - tmp[1] = pgm_read_byte(aes_sbox+tmp[1]); - tmp[2] = pgm_read_byte(aes_sbox+tmp[2]); - tmp[3] = pgm_read_byte(aes_sbox+tmp[3]); - tmp[0] ^= pgm_read_byte(rc_tab+rc); - rc++; - } - ((uint32_t*)(ctx->key[0].ks))[i] = ((uint32_t*)(ctx->key[0].ks))[i-nk] - ^ *((uint32_t*)tmp); - } -} - -void aes128_init(const void* key, aes128_ctx_t* ctx){ - aes_init(key, 128, (aes_genctx_t*)ctx); -} - -void aes192_init(const void* key, aes192_ctx_t* ctx){ - aes_init(key, 192, (aes_genctx_t*)ctx); -} - -void aes256_init(const void* key, aes256_ctx_t* ctx){ - aes_init(key, 256, (aes_genctx_t*)ctx); -} diff --git a/aes_keyschedule.h b/aes_keyschedule.h deleted file mode 100644 index b013971..0000000 --- a/aes_keyschedule.h +++ /dev/null @@ -1,75 +0,0 @@ -/* aes_keyschedule.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_keyschedule.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * \ingroup AES - */ - - -#ifndef AES_KEYSCHEDULE_H_ -#define AES_KEYSCHEDULE_H_ - -#include "aes.h" -/** \fn void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx) - * \brief initialize the keyschedule - * - * This function computes the keyschedule from a given key with a given length - * and stores it in the context variable - * \param key pointer to the key material - * \param keysize_b length of the key in bits (valid are 128, 192 and 256) - * \param ctx pointer to the context where the keyschedule should be stored - */ -void aes_init(const void* key, uint16_t keysize_b, aes_genctx_t* ctx); - -/** \fn void aes128_init(const void* key, aes128_ctx_t* ctx) - * \brief initialize the keyschedule for 128 bit key - * - * This function computes the keyschedule from a given 128 bit key - * and stores it in the context variable - * \param key pointer to the key material - * \param ctx pointer to the context where the keyschedule should be stored - */ -void aes128_init(const void* key, aes128_ctx_t* ctx); - -/** \fn void aes192_init(const void* key, aes192_ctx_t* ctx) - * \brief initialize the keyschedule for 192 bit key - * - * This function computes the keyschedule from a given 192 bit key - * and stores it in the context variable - * \param key pointer to the key material - * \param ctx pointer to the context where the keyschedule should be stored - */ -void aes192_init(const void* key, aes192_ctx_t* ctx); - -/** \fn void aes256_init(const void* key, aes256_ctx_t* ctx) - * \brief initialize the keyschedule for 256 bit key - * - * This function computes the keyschedule from a given 256 bit key - * and stores it in the context variable - * \param key pointer to the key material - * \param ctx pointer to the context where the keyschedule should be stored - */ -void aes256_init(const void* key, aes256_ctx_t* ctx); - -#endif /* AES_KEYSCHEDULE_H_ */ - diff --git a/aes_sbox-asm.S b/aes_sbox-asm.S deleted file mode 100644 index e609698..0000000 --- a/aes_sbox-asm.S +++ /dev/null @@ -1,47 +0,0 @@ -/* aes_sbox-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008, 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_dec-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2009-01-10 - * \license GPLv3 or later - * - */ - -.balign 256 -.global aes_sbox -aes_sbox: -.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 -.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 -.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 -.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 -.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 -.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf -.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 -.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 -.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 -.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb -.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 -.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 -.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a -.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e -.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf -.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 - diff --git a/aes_sbox.c b/aes_sbox.c deleted file mode 100644 index 85b08de..0000000 --- a/aes_sbox.c +++ /dev/null @@ -1,23 +0,0 @@ -/* aes sbox */ - -#include -#include -uint8_t aes_sbox[256] PROGMEM = { - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 -}; - diff --git a/aes_sbox.h b/aes_sbox.h deleted file mode 100644 index 5bc03b7..0000000 --- a/aes_sbox.h +++ /dev/null @@ -1,33 +0,0 @@ -/* aes_sbox.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file aes_sbox.h - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-30 - * \license GPLv3 or later - * - */ -#ifndef AES_SBOX_H_ -#define AES_SBOX_H_ -#include - -extern uint8_t aes_sbox[]; - -#endif diff --git a/avr-makefile.inc b/avr-makefile.inc index 323786a..9b6ea71 100644 --- a/avr-makefile.inc +++ b/avr-makefile.inc @@ -6,11 +6,12 @@ DEFS = -D$(call uc, $(MCU_TARGET)) FLASHCMD = avrdude -p $(MCU_TARGET) -P /dev/ttyUSB0 -c $(PROGRAMMER) -U flash:w:# no space at the end #FLASHCMD = avrdude -p $(MCU_TARGET) -c usbasp -U flash:w:# no space at the end DEP_DIR = deps/ +TEST_DIR = test/ BIN_DIR = bin/ TESTBIN_DIR = test_bin/ TESTSRC_DIR = test_src/ #uisp -dprog=bsd -dlpt=/dev/parport1 --upload if=$(PRG).hex -ERASECMD = +ERASECMD = TESTPORT = /dev/ttyUSB1 TESTPORTBAUDR = 38400 TESTLOG_DIR = testlog/ @@ -24,7 +25,8 @@ AUTOASM_OPT = -S CC = avr-gcc CSTD = c99 -override CFLAGS = -MMD -MF$(DEP_DIR)$(patsubst %.c,%.d,$(patsubst $(TESTSRC_DIR)%,%,$<)) -I. -Itest_src -gdwarf-2 -pedantic -std=$(CSTD) -Wall -Wstrict-prototypes $(OPTIMIZE) -mmcu=$(MCU_TARGET) $(DEFS) +override CFLAGS_A = -MMD -MF$(DEP_DIR)$(patsubst %.o,%.d,$(notdir $(1))) -I. -Itest_src -gdwarf-2 -pedantic -std=$(CSTD) -Wall -Wstrict-prototypes $(OPTIMIZE) -mmcu=$(MCU_TARGET) $(DEFS) +override CFLAGS = -MMD -MF$(DEP_DIR)$(patsubst %.o,%.d,$(notdir $@)) -I. -Itest_src -gdwarf-2 -pedantic -std=$(CSTD) -Wall -Wstrict-prototypes $(OPTIMIZE) -mmcu=$(MCU_TARGET) $(DEFS) override LDFLAGS = -gdwarf-2 -Wl,-Map, override ASFLAGS = -mmcu=$(MCU_TARGET) -Wa,--gdwarf-2 diff --git a/blake/blake_common.c b/blake/blake_common.c new file mode 100644 index 0000000..a715980 --- /dev/null +++ b/blake/blake_common.c @@ -0,0 +1,53 @@ +/* blake_common.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_common.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-08 + * \license GPLv3 or later + * + */ + +#include +#include + +uint8_t blake_sigma[] PROGMEM = { + 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF, + 0xE, 0xA, 0x4, 0x8, 0x9, 0xF, 0xD, 0x6, 0x1, 0xC, 0x0, 0x2, 0xB, 0x7, 0x5, 0x3, + 0xB, 0x8, 0xC, 0x0, 0x5, 0x2, 0xF, 0xD, 0xA, 0xE, 0x3, 0x6, 0x7, 0x1, 0x9, 0x4, + 0x7, 0x9, 0x3, 0x1, 0xD, 0xC, 0xB, 0xE, 0x2, 0x6, 0x5, 0xA, 0x4, 0x0, 0xF, 0x8, + 0x9, 0x0, 0x5, 0x7, 0x2, 0x4, 0xA, 0xF, 0xE, 0x1, 0xB, 0xC, 0x6, 0x8, 0x3, 0xD, + 0x2, 0xC, 0x6, 0xA, 0x0, 0xB, 0x8, 0x3, 0x4, 0xD, 0x7, 0x5, 0xF, 0xE, 0x1, 0x9, + 0xC, 0x5, 0x1, 0xF, 0xE, 0xD, 0x4, 0xA, 0x0, 0x7, 0x6, 0x3, 0x9, 0x2, 0x8, 0xB, + 0xD, 0xB, 0x7, 0xE, 0xC, 0x1, 0x3, 0x9, 0x5, 0x0, 0xF, 0x4, 0x8, 0x6, 0x2, 0xA, + 0x6, 0xF, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0xC, 0x2, 0xD, 0x7, 0x1, 0x4, 0xA, 0x5, + 0xA, 0x2, 0x8, 0x4, 0x7, 0x6, 0x1, 0x5, 0xF, 0xB, 0x9, 0xE, 0x3, 0xC, 0xD, 0x0 +}; + +uint8_t blake_index_lut[] PROGMEM = { + 0x0, 0x4, 0x8, 0xC, + 0x1, 0x5, 0x9, 0xD, + 0x2, 0x6, 0xA, 0xE, + 0x3, 0x7, 0xB, 0xF, + 0x0, 0x5, 0xA, 0xF, + 0x1, 0x6, 0xB, 0xC, + 0x2, 0x7, 0x8, 0xD, + 0x3, 0x4, 0x9, 0xE +}; diff --git a/blake/blake_common.h b/blake/blake_common.h new file mode 100644 index 0000000..3c424a8 --- /dev/null +++ b/blake/blake_common.h @@ -0,0 +1,38 @@ +/* blake_common.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_common.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-08 + * \license GPLv3 or later + * + */ + + +#ifndef BLAKE_COMMON_H_ +#define BLAKE_COMMON_H_ + +#include +#include + +extern uint8_t blake_sigma[]; +extern uint8_t blake_index_lut[]; + +#endif /* BLAKE_COMMON_H_ */ diff --git a/blake/blake_large.c b/blake/blake_large.c new file mode 100644 index 0000000..43b0fa7 --- /dev/null +++ b/blake/blake_large.c @@ -0,0 +1,273 @@ +/* blake_large.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_large.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-08 + * \license GPLv3 or later + * + */ + +#include +#include +#include +#include "memxor.h" +#include "blake_large.h" +#include "blake_common.h" + +#define BUG_3 1 /* bug compatibility with reference code */ +#define BUG_4 1 /* bug compatibility with reference code */ + +uint64_t pgm_read_qword(void* p){ + union{ + uint64_t v64; + uint32_t v32[2]; + }r; + r.v32[0] = pgm_read_dword(p); + r.v32[1] = pgm_read_dword((uint8_t*)p+4); + return r.v64; +} + +static +uint64_t blake_c[] PROGMEM = { + 0x243F6A8885A308D3LL, 0x13198A2E03707344LL, + 0xA4093822299F31D0LL, 0x082EFA98EC4E6C89LL, + 0x452821E638D01377LL, 0xBE5466CF34E90C6CLL, + 0xC0AC29B7C97C50DDLL, 0x3F84D5B5B5470917LL, + 0x9216D5D98979FB1BLL, 0xD1310BA698DFB5ACLL, + 0x2FFD72DBD01ADFB7LL, 0xB8E1AFED6A267E96LL, + 0xBA7C9045F12C7F99LL, 0x24A19947B3916CF7LL, + 0x0801F2E2858EFC16LL, 0x636920D871574E69LL + +}; + + + +#define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) +#define ROTR64(a, n) (((a)>>(n))|((a)<<(64-(n)))) +#define CHANGE_ENDIAN32(a) (((a)<<24)| \ + ((0x0000ff00&(a))<<8)| \ + ((0x00ff0000&(a))>>8)| \ + (a)>>24 ) + +void blake_large_expand(uint64_t* v, const blake_large_ctx_t* ctx){ + uint8_t i; + memcpy(v, ctx->h, 8*8); + for(i=0; i<8; ++i){ + v[8+i] = pgm_read_qword(&(blake_c[i])); + } + memxor((uint8_t*)v+8, ctx->s, 4*8); + +} + +void blake_large_changeendian(void* dest, const void* src){ + uint8_t i; + uint32_t tmp; + for(i=0; i<32; i+=2){ + tmp = CHANGE_ENDIAN32(((uint32_t*)src)[i]); + ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(((uint32_t*)src)[i+1]); + ((uint32_t*)dest)[i+1] = tmp; + } +} + +void blake_large_compress(uint64_t* v,const void* m){ + uint8_t r,i; + uint8_t a,b,c,d, s0, s1; + for(r=0; r<14; ++r){ + for(i=0; i<8; ++i){ + // blake_large_g(r%10, i, v, (uint64_t*)m); + a = pgm_read_byte(blake_index_lut+4*i+0); + b = pgm_read_byte(blake_index_lut+4*i+1); + c = pgm_read_byte(blake_index_lut+4*i+2); + d = pgm_read_byte(blake_index_lut+4*i+3); + s0 = pgm_read_byte(blake_sigma+16*r+2*i+0); + s1 = pgm_read_byte(blake_sigma+16*r+2*i+1); + v[a] += v[b] + (((uint64_t*)m)[s0] ^ pgm_read_qword(&(blake_c[s1]))); + v[d] = ROTR64(v[d]^v[a], 32); + v[c] += v[d]; + v[b] = ROTR64(v[b]^v[c], 25); + v[a] += v[b] + (((uint64_t*)m)[s1] ^ pgm_read_qword(&(blake_c[s0]))); + v[d] = ROTR64(v[d]^v[a], 16); + v[c] += v[d]; + v[b] = ROTR64(v[b]^v[c], 11); + } + } +} + +void blake_large_collapse(blake_large_ctx_t* ctx, uint64_t* v){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] ^= ctx->s[i%4] ^ v[i] ^ v[8+i]; + } +} + +void blake_large_nextBlock(blake_large_ctx_t* ctx, const void* msg){ + uint64_t v[16]; + uint64_t m[16]; + union { + uint64_t v64; + uint32_t v32[2]; + }ctr; + blake_large_expand(v,ctx); + ctx->counter++; + ctr.v64 = ctx->counter*1024; + v[12] ^= ctr.v64; + v[13] ^= ctr.v64; + blake_large_changeendian(m, msg); + blake_large_compress(v, m); + blake_large_collapse(ctx, v); +} + +void blake_large_lastBlock(blake_large_ctx_t* ctx, const void* msg, uint16_t length_b){ + while(length_b>=BLAKE_LARGE_BLOCKSIZE){ + blake_large_nextBlock(ctx, msg); + msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; + length_b -= BLAKE_LARGE_BLOCKSIZE; + } + uint8_t buffer[128]; + uint64_t v[16]; + uint64_t ctr; + ctr = ctx->counter*1024+length_b; + memset(buffer, 0, 128); + memcpy(buffer, msg, (length_b+7)/8); + buffer[length_b/8] |= 0x80 >> (length_b%8); + blake_large_changeendian(buffer, buffer); + blake_large_expand(v, ctx); +#if BUG_3 + uint8_t x=0; + if(length_b%1024<895 && length_b%8) + x=0x40; + v[12] ^= ctr + x; + v[13] ^= ctr + x; + +#else + v[12] ^= ctr; + v[13] ^= ctr; +#endif + if(length_b>1024-128-2){ +#if BUG_4 + if(length_b<1017){ + blake_large_compress(v, buffer); + blake_large_collapse(ctx, v); + } +#else + blake_large_compress(v, buffer); + blake_large_collapse(ctx, v); +#endif + memset(buffer, 0, 128-8); + blake_large_expand(v, ctx); + } + if(ctx->appendone) + buffer[128-16-8] |= 0x01; + *((uint64_t*)(&(buffer[128-8]))) = ctr; + blake_large_compress(v, buffer); + blake_large_collapse(ctx, v); + +} + +uint64_t blake64_iv[] PROGMEM = { + 0x6A09E667F3BCC908LL, 0xBB67AE8584CAA73BLL, + 0x3C6EF372FE94F82BLL, 0xA54FF53A5F1D36F1LL, + 0x510E527FADE682D1LL, 0x9B05688C2B3E6C1FLL, + 0x1F83D9ABFB41BD6BLL, 0x5BE0CD19137E2179LL +}; + +void blake64_init(blake64_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] = pgm_read_qword(&(blake64_iv[i])); + } + memset(ctx->s, 0, 4*8); + ctx->counter = 0; + ctx->appendone = 1; +} + +uint64_t blake48_iv[] PROGMEM = { + 0xCBBB9D5DC1059ED8LL, 0x629A292A367CD507LL, + 0x9159015A3070DD17LL, 0x152FECD8F70E5939LL, + 0x67332667FFC00B31LL, 0x8EB44A8768581511LL, + 0xDB0C2E0D64F98FA7LL, 0x47B5481DBEFA4FA4LL +}; + +void blake48_init(blake48_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] = pgm_read_qword(&(blake48_iv[i])); + } + memset(ctx->s, 0, 4*8); + ctx->counter = 0; + ctx->appendone = 0; +} + +void blake64_ctx2hash(void* dest, const blake64_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ((uint32_t*)dest)[2*i+0] = CHANGE_ENDIAN32((ctx->h[i])>>32); + ((uint32_t*)dest)[2*i+1] = CHANGE_ENDIAN32((uint32_t)ctx->h[i]); + } +} + +void blake48_ctx2hash(void* dest, const blake48_ctx_t* ctx){ + uint8_t i; + for(i=0; i<6; ++i){ + ((uint32_t*)dest)[2*i+0] = CHANGE_ENDIAN32((ctx->h[i])>>32); + ((uint32_t*)dest)[2*i+1] = CHANGE_ENDIAN32((uint32_t)ctx->h[i]); + } +} + +void blake64_nextBlock(blake64_ctx_t* ctx, const void* block){ + blake_large_nextBlock(ctx, block); +} + +void blake48_nextBlock(blake48_ctx_t* ctx, const void* block){ + blake_large_nextBlock(ctx, block); +} + +void blake64_lastBlock(blake64_ctx_t* ctx, const void* block, uint16_t length_b){ + blake_large_lastBlock(ctx, block, length_b); +} + +void blake48_lastBlock(blake48_ctx_t* ctx, const void* block, uint16_t length_b){ + blake_large_lastBlock(ctx, block, length_b); +} + +void blake64(void* dest, const void* msg, uint32_t length_b){ + blake_large_ctx_t ctx; + blake64_init(&ctx); + while(length_b>=BLAKE_LARGE_BLOCKSIZE){ + blake_large_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; + length_b -= BLAKE_LARGE_BLOCKSIZE; + } + blake_large_lastBlock(&ctx, msg, length_b); + blake64_ctx2hash(dest, &ctx); +} + +void blake48(void* dest, const void* msg, uint32_t length_b){ + blake_large_ctx_t ctx; + blake48_init(&ctx); + while(length_b>=BLAKE_LARGE_BLOCKSIZE){ + blake_large_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; + length_b -= BLAKE_LARGE_BLOCKSIZE; + } + blake_large_lastBlock(&ctx, msg, length_b); + blake48_ctx2hash(dest, &ctx); +} diff --git a/blake/blake_large.h b/blake/blake_large.h new file mode 100644 index 0000000..3556f2c --- /dev/null +++ b/blake/blake_large.h @@ -0,0 +1,67 @@ +/* blake_large.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_large.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-08 + * \license GPLv3 or later + * + */ +#ifndef BLAKE_LARGE_H_ +#define BLAKE_LARGE_H_ + +#include + +#define BLAKE_LARGE_BLOCKSIZE 1024 +#define BLAKE_LARGE_BLOCKSIZE_B ((BLAKE_LARGE_BLOCKSIZE+7)/8) +#define BLAKE48_BLOCKSIZE BLAKE_LARGE_BLOCKSIZE +#define BLAKE48_BLOCKSIZE_B BLAKE_LARGE_BLOCKSIZE_B +#define BLAKE64_BLOCKSIZE BLAKE_LARGE_BLOCKSIZE +#define BLAKE64_BLOCKSIZE_B BLAKE_LARGE_BLOCKSIZE_B + +typedef struct { + uint64_t h[8]; + uint64_t s[4]; + uint32_t counter; + uint8_t appendone; +} blake_large_ctx_t; + +typedef blake_large_ctx_t blake48_ctx_t; +typedef blake_large_ctx_t blake64_ctx_t; + +void blake48_init(blake48_ctx_t* ctx); +void blake64_init(blake64_ctx_t* ctx); + +void blake_large_nextBlock(blake_large_ctx_t* ctx, const void* block); +void blake_large_lastBlock(blake_large_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake48_nextBlock(blake48_ctx_t* ctx, const void* block); +void blake48_lastBlock(blake48_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake64_nextBlock(blake64_ctx_t* ctx, const void* block); +void blake64_lastBlock(blake64_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake48_ctx2hash(void* dest, const blake48_ctx_t* ctx); +void blake64_ctx2hash(void* dest, const blake64_ctx_t* ctx); + +void blake48(void* dest, const void* msg, uint32_t length_b); +void blake64(void* dest, const void* msg, uint32_t length_b); + +#endif /* BLAKE_LARGE_H_ */ diff --git a/blake/blake_small.c b/blake/blake_small.c new file mode 100644 index 0000000..75a2837 --- /dev/null +++ b/blake/blake_small.c @@ -0,0 +1,279 @@ +/* blake_small.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_small.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-04 + * \license GPLv3 or later + * + */ + +#include +#include +#include +#include "memxor.h" +#include "blake_small.h" +#include "blake_common.h" + +#define BUG_1 1 /* bug compatibility for zero length message */ +#define BUG_2 1 /* bug compatibility for messages of length%512=505...511 */ + + +uint32_t blake_c[] PROGMEM = { + 0x243F6A88, 0x85A308D3, + 0x13198A2E, 0x03707344, + 0xA4093822, 0x299F31D0, + 0x082EFA98, 0xEC4E6C89, + 0x452821E6, 0x38D01377, + 0xBE5466CF, 0x34E90C6C, + 0xC0AC29B7, 0xC97C50DD, + 0x3F84D5B5, 0xB5470917 +}; + +#define ROTL32(a, n) (((a)<<(n))|((a)>>(32-(n)))) +#define ROTR32(a, n) (((a)>>(n))|((a)<<(32-(n)))) +#define CHANGE_ENDIAN32(a) (((a)<<24)| \ + ((0x0000ff00&(a))<<8)| \ + ((0x00ff0000&(a))>>8)| \ + (a)>>24 ) + +void blake_small_expand(uint32_t* v, const blake_small_ctx_t* ctx){ + uint8_t i; + memcpy(v, ctx->h, 8*4); + for(i=0; i<8; ++i){ + v[8+i] = pgm_read_dword(&(blake_c[i])); + } + memxor((uint8_t*)v+8, ctx->s, 4*4); + +} + +void blake_small_changeendian(void* dest, const void* src){ + uint8_t i; + for(i=0; i<16; ++i){ + ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(((uint32_t*)src)[i]); + } +} + +void blake_small_compress(uint32_t* v,const void* m){ + uint8_t r,i; + uint8_t a,b,c,d, s0, s1; + uint32_t lv[4]; + for(r=0; r<10; ++r){ + for(i=0; i<8; ++i){ + // blake_small_g(r, i, v, (uint32_t*)m); + a = pgm_read_byte(blake_index_lut+4*i+0); + b = pgm_read_byte(blake_index_lut+4*i+1); + c = pgm_read_byte(blake_index_lut+4*i+2); + d = pgm_read_byte(blake_index_lut+4*i+3); + s0 = pgm_read_byte(blake_sigma+16*r+2*i+0); + s1 = pgm_read_byte(blake_sigma+16*r+2*i+1); + lv[0] = v[a]; + lv[1] = v[b]; + lv[2] = v[c]; + lv[3] = v[d]; + + lv[0] += lv[1] + (((uint32_t*)m)[s0] ^ pgm_read_dword(&(blake_c[s1]))); + lv[3] = ROTR32(lv[3]^lv[0], 16); + lv[2] += lv[3]; + lv[1] = ROTR32(lv[1]^lv[2], 12); + lv[0] += lv[1] + (((uint32_t*)m)[s1] ^ pgm_read_dword(&(blake_c[s0]))); + lv[3] = ROTR32(lv[3]^lv[0], 8); + lv[2] += lv[3]; + lv[1] = ROTR32(lv[1]^lv[2], 7); + + v[a] = lv[0]; + v[b] = lv[1]; + v[c] = lv[2]; + v[d] = lv[3]; + + } + } +} + +void blake_small_collapse(blake_small_ctx_t* ctx, uint32_t* v){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] ^= ctx->s[i%4] ^ v[i] ^ v[8+i]; + } +} + +void blake_small_nextBlock(blake_small_ctx_t* ctx, const void* msg){ + uint32_t v[16]; + uint32_t m[16]; + union { + uint64_t v64; + uint32_t v32[2]; + }ctr; + blake_small_expand(v,ctx); + ctx->counter++; + ctr.v64 = ctx->counter*512; + v[12] ^= ctr.v32[0]; + v[13] ^= ctr.v32[0]; + v[14] ^= ctr.v32[1]; + v[15] ^= ctr.v32[1]; + blake_small_changeendian(m, msg); + blake_small_compress(v, m); + blake_small_collapse(ctx, v); +} + +void blake_small_lastBlock(blake_small_ctx_t* ctx, const void* msg, uint16_t length_b){ + while(length_b>=BLAKE_SMALL_BLOCKSIZE){ + blake_small_nextBlock(ctx, msg); + msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; + length_b -= BLAKE_SMALL_BLOCKSIZE; + } + uint8_t buffer[64]; + uint32_t v[16]; +#if BUG_2 + uint32_t tmp=0; +#endif + union { + uint64_t v64; + uint32_t v32[2]; + }ctr; + ctr.v64 = ctx->counter*512+length_b; +#if BUG_2 + if(length_b>=505){ + tmp =ctr.v32[0]; + ctr.v32[0] = ctx->counter*512; + ctr.v32[0] |= 0x40+length_b-504; + } +#endif + memset(buffer, 0, 64); + memcpy(buffer, msg, (length_b+7)/8); + buffer[length_b/8] |= 0x80 >> (length_b%8); + blake_small_changeendian(buffer, buffer); + blake_small_expand(v, ctx); + v[12] ^= ctr.v32[0]; + v[13] ^= ctr.v32[0]; + v[14] ^= ctr.v32[1]; + v[15] ^= ctr.v32[1]; +#if BUG_2 + if(length_b>=505) + ctr.v32[0] = tmp; +#endif +#if BUG_1 + if(length_b==0 && ctx->counter==0){ + v[14] ^= 1; + v[15] ^= 1; + } +#endif + if(length_b>512-64-2){ + blake_small_compress(v, buffer); + blake_small_collapse(ctx, v); + memset(buffer, 0, 64-8); + blake_small_expand(v, ctx); + } + if(ctx->appendone) + buffer[64-8-4] |= 0x01; + *((uint32_t*)(&(buffer[64-8]))) = ctr.v32[1]; + *((uint32_t*)(&(buffer[64-4]))) = ctr.v32[0]; + blake_small_compress(v, buffer); + blake_small_collapse(ctx, v); + +} + +uint32_t blake32_iv[] PROGMEM = { + 0x6A09E667L, 0xBB67AE85, + 0x3C6EF372L, 0xA54FF53A, + 0x510E527FL, 0x9B05688C, + 0x1F83D9ABL, 0x5BE0CD19 +}; + +void blake32_init(blake32_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] = pgm_read_dword(&(blake32_iv[i])); + } + memset(ctx->s, 0, 4*4); + ctx->counter = 0; + ctx->appendone = 1; +} + +uint32_t blake28_iv[] PROGMEM = { + 0xC1059ED8, 0x367CD507, + 0x3070DD17, 0xF70E5939, + 0xFFC00B31, 0x68581511, + 0x64F98FA7, 0xBEFA4FA4 +}; + +void blake28_init(blake28_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->h[i] = pgm_read_dword(&(blake28_iv[i])); + } + memset(ctx->s, 0, 4*4); + ctx->counter = 0; + ctx->appendone = 0; +} + +void blake32_ctx2hash(void* dest, const blake32_ctx_t* ctx){ + uint8_t i; + for(i=0; i<8; ++i){ + ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(ctx->h[i]); + } +} + +void blake28_ctx2hash(void* dest, const blake28_ctx_t* ctx){ + uint8_t i; + for(i=0; i<7; ++i){ + ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(ctx->h[i]); + } +} + +void blake32_nextBlock(blake32_ctx_t* ctx, const void* block){ + blake_small_nextBlock(ctx, block); +} + +void blake28_nextBlock(blake28_ctx_t* ctx, const void* block){ + blake_small_nextBlock(ctx, block); +} + +void blake32_lastBlock(blake32_ctx_t* ctx, const void* block, uint16_t length_b){ + blake_small_lastBlock(ctx, block, length_b); +} + +void blake28_lastBlock(blake28_ctx_t* ctx, const void* block, uint16_t length_b){ + blake_small_lastBlock(ctx, block, length_b); +} + +void blake32(void* dest, const void* msg, uint32_t length_b){ + blake_small_ctx_t ctx; + blake32_init(&ctx); + while(length_b>=BLAKE_SMALL_BLOCKSIZE){ + blake_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; + length_b -= BLAKE_SMALL_BLOCKSIZE; + } + blake_small_lastBlock(&ctx, msg, length_b); + blake32_ctx2hash(dest, &ctx); +} + +void blake28(void* dest, const void* msg, uint32_t length_b){ + blake_small_ctx_t ctx; + blake28_init(&ctx); + while(length_b>=BLAKE_SMALL_BLOCKSIZE){ + blake_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; + length_b -= BLAKE_SMALL_BLOCKSIZE; + } + blake_small_lastBlock(&ctx, msg, length_b); + blake28_ctx2hash(dest, &ctx); +} diff --git a/blake/blake_small.h b/blake/blake_small.h new file mode 100644 index 0000000..9502344 --- /dev/null +++ b/blake/blake_small.h @@ -0,0 +1,67 @@ +/* blake_small.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file blake_small.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ +#ifndef BLAKE_SMALL_H_ +#define BLAKE_SMALL_H_ + +#include + +#define BLAKE_SMALL_BLOCKSIZE 512 +#define BLAKE_SMALL_BLOCKSIZE_B ((BLAKE_SMALL_BLOCKSIZE+7)/8) +#define BLAKE28_BLOCKSIZE BLAKE_SMALL_BLOCKSIZE +#define BLAKE28_BLOCKSIZE_B BLAKE_SMALL_BLOCKSIZE_B +#define BLAKE32_BLOCKSIZE BLAKE_SMALL_BLOCKSIZE +#define BLAKE32_BLOCKSIZE_B BLAKE_SMALL_BLOCKSIZE_B + +typedef struct { + uint32_t h[8]; + uint32_t s[4]; + uint32_t counter; + uint8_t appendone; +} blake_small_ctx_t; + +typedef blake_small_ctx_t blake28_ctx_t; +typedef blake_small_ctx_t blake32_ctx_t; + +void blake28_init(blake28_ctx_t* ctx); +void blake32_init(blake32_ctx_t* ctx); + +void blake_small_nextBlock(blake_small_ctx_t* ctx, const void* block); +void blake_small_lastBlock(blake_small_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake28_nextBlock(blake28_ctx_t* ctx, const void* block); +void blake28_lastBlock(blake28_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake32_nextBlock(blake32_ctx_t* ctx, const void* block); +void blake32_lastBlock(blake32_ctx_t* ctx, const void* block, uint16_t length_b); + +void blake28_ctx2hash(void* dest, const blake28_ctx_t* ctx); +void blake32_ctx2hash(void* dest, const blake32_ctx_t* ctx); + +void blake28(void* dest, const void* msg, uint32_t length_b); +void blake32(void* dest, const void* msg, uint32_t length_b); + +#endif /* BLAKE_SMALL_H_ */ diff --git a/blake/memxor.S b/blake/memxor.S new file mode 100644 index 0000000..a32058b --- /dev/null +++ b/blake/memxor.S @@ -0,0 +1,66 @@ +/* memxor.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: memxor.S + * Author: Daniel Otte + * Date: 2008-08-07 + * License: GPLv3 or later + * Description: memxor, XORing one block into another + * + */ + +/* + * void memxor(void* dest, const void* src, uint16_t n); + */ + /* + * param dest is passed in r24:r25 + * param src is passed in r22:r23 + * param n is passed in r20:r21 + */ +.global memxor +memxor: + movw r30, r24 + movw r26, r22 + movw r24, r20 + adiw r24, 0 + breq 2f +1: + ld r20, X+ + ld r21, Z + eor r20, r21 + st Z+, r20 + sbiw r24, 1 + brne 1b +2: + ret + + + + + + + + + + + + + + diff --git a/blake/memxor.h b/blake/memxor.h new file mode 100644 index 0000000..a62a616 --- /dev/null +++ b/blake/memxor.h @@ -0,0 +1,7 @@ +#ifndef MEMXOR_H_ +#define MEMXOR_H_ +#include + +void memxor(void* dest, const void* src, uint16_t n); + +#endif diff --git a/blake_common.c b/blake_common.c deleted file mode 100644 index a715980..0000000 --- a/blake_common.c +++ /dev/null @@ -1,53 +0,0 @@ -/* blake_common.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_common.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-08 - * \license GPLv3 or later - * - */ - -#include -#include - -uint8_t blake_sigma[] PROGMEM = { - 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB, 0xC, 0xD, 0xE, 0xF, - 0xE, 0xA, 0x4, 0x8, 0x9, 0xF, 0xD, 0x6, 0x1, 0xC, 0x0, 0x2, 0xB, 0x7, 0x5, 0x3, - 0xB, 0x8, 0xC, 0x0, 0x5, 0x2, 0xF, 0xD, 0xA, 0xE, 0x3, 0x6, 0x7, 0x1, 0x9, 0x4, - 0x7, 0x9, 0x3, 0x1, 0xD, 0xC, 0xB, 0xE, 0x2, 0x6, 0x5, 0xA, 0x4, 0x0, 0xF, 0x8, - 0x9, 0x0, 0x5, 0x7, 0x2, 0x4, 0xA, 0xF, 0xE, 0x1, 0xB, 0xC, 0x6, 0x8, 0x3, 0xD, - 0x2, 0xC, 0x6, 0xA, 0x0, 0xB, 0x8, 0x3, 0x4, 0xD, 0x7, 0x5, 0xF, 0xE, 0x1, 0x9, - 0xC, 0x5, 0x1, 0xF, 0xE, 0xD, 0x4, 0xA, 0x0, 0x7, 0x6, 0x3, 0x9, 0x2, 0x8, 0xB, - 0xD, 0xB, 0x7, 0xE, 0xC, 0x1, 0x3, 0x9, 0x5, 0x0, 0xF, 0x4, 0x8, 0x6, 0x2, 0xA, - 0x6, 0xF, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0xC, 0x2, 0xD, 0x7, 0x1, 0x4, 0xA, 0x5, - 0xA, 0x2, 0x8, 0x4, 0x7, 0x6, 0x1, 0x5, 0xF, 0xB, 0x9, 0xE, 0x3, 0xC, 0xD, 0x0 -}; - -uint8_t blake_index_lut[] PROGMEM = { - 0x0, 0x4, 0x8, 0xC, - 0x1, 0x5, 0x9, 0xD, - 0x2, 0x6, 0xA, 0xE, - 0x3, 0x7, 0xB, 0xF, - 0x0, 0x5, 0xA, 0xF, - 0x1, 0x6, 0xB, 0xC, - 0x2, 0x7, 0x8, 0xD, - 0x3, 0x4, 0x9, 0xE -}; diff --git a/blake_common.h b/blake_common.h deleted file mode 100644 index 3c424a8..0000000 --- a/blake_common.h +++ /dev/null @@ -1,38 +0,0 @@ -/* blake_common.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_common.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-08 - * \license GPLv3 or later - * - */ - - -#ifndef BLAKE_COMMON_H_ -#define BLAKE_COMMON_H_ - -#include -#include - -extern uint8_t blake_sigma[]; -extern uint8_t blake_index_lut[]; - -#endif /* BLAKE_COMMON_H_ */ diff --git a/blake_large.c b/blake_large.c deleted file mode 100644 index 43b0fa7..0000000 --- a/blake_large.c +++ /dev/null @@ -1,273 +0,0 @@ -/* blake_large.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_large.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-08 - * \license GPLv3 or later - * - */ - -#include -#include -#include -#include "memxor.h" -#include "blake_large.h" -#include "blake_common.h" - -#define BUG_3 1 /* bug compatibility with reference code */ -#define BUG_4 1 /* bug compatibility with reference code */ - -uint64_t pgm_read_qword(void* p){ - union{ - uint64_t v64; - uint32_t v32[2]; - }r; - r.v32[0] = pgm_read_dword(p); - r.v32[1] = pgm_read_dword((uint8_t*)p+4); - return r.v64; -} - -static -uint64_t blake_c[] PROGMEM = { - 0x243F6A8885A308D3LL, 0x13198A2E03707344LL, - 0xA4093822299F31D0LL, 0x082EFA98EC4E6C89LL, - 0x452821E638D01377LL, 0xBE5466CF34E90C6CLL, - 0xC0AC29B7C97C50DDLL, 0x3F84D5B5B5470917LL, - 0x9216D5D98979FB1BLL, 0xD1310BA698DFB5ACLL, - 0x2FFD72DBD01ADFB7LL, 0xB8E1AFED6A267E96LL, - 0xBA7C9045F12C7F99LL, 0x24A19947B3916CF7LL, - 0x0801F2E2858EFC16LL, 0x636920D871574E69LL - -}; - - - -#define ROTL64(a, n) (((a)<<(n))|((a)>>(64-(n)))) -#define ROTR64(a, n) (((a)>>(n))|((a)<<(64-(n)))) -#define CHANGE_ENDIAN32(a) (((a)<<24)| \ - ((0x0000ff00&(a))<<8)| \ - ((0x00ff0000&(a))>>8)| \ - (a)>>24 ) - -void blake_large_expand(uint64_t* v, const blake_large_ctx_t* ctx){ - uint8_t i; - memcpy(v, ctx->h, 8*8); - for(i=0; i<8; ++i){ - v[8+i] = pgm_read_qword(&(blake_c[i])); - } - memxor((uint8_t*)v+8, ctx->s, 4*8); - -} - -void blake_large_changeendian(void* dest, const void* src){ - uint8_t i; - uint32_t tmp; - for(i=0; i<32; i+=2){ - tmp = CHANGE_ENDIAN32(((uint32_t*)src)[i]); - ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(((uint32_t*)src)[i+1]); - ((uint32_t*)dest)[i+1] = tmp; - } -} - -void blake_large_compress(uint64_t* v,const void* m){ - uint8_t r,i; - uint8_t a,b,c,d, s0, s1; - for(r=0; r<14; ++r){ - for(i=0; i<8; ++i){ - // blake_large_g(r%10, i, v, (uint64_t*)m); - a = pgm_read_byte(blake_index_lut+4*i+0); - b = pgm_read_byte(blake_index_lut+4*i+1); - c = pgm_read_byte(blake_index_lut+4*i+2); - d = pgm_read_byte(blake_index_lut+4*i+3); - s0 = pgm_read_byte(blake_sigma+16*r+2*i+0); - s1 = pgm_read_byte(blake_sigma+16*r+2*i+1); - v[a] += v[b] + (((uint64_t*)m)[s0] ^ pgm_read_qword(&(blake_c[s1]))); - v[d] = ROTR64(v[d]^v[a], 32); - v[c] += v[d]; - v[b] = ROTR64(v[b]^v[c], 25); - v[a] += v[b] + (((uint64_t*)m)[s1] ^ pgm_read_qword(&(blake_c[s0]))); - v[d] = ROTR64(v[d]^v[a], 16); - v[c] += v[d]; - v[b] = ROTR64(v[b]^v[c], 11); - } - } -} - -void blake_large_collapse(blake_large_ctx_t* ctx, uint64_t* v){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] ^= ctx->s[i%4] ^ v[i] ^ v[8+i]; - } -} - -void blake_large_nextBlock(blake_large_ctx_t* ctx, const void* msg){ - uint64_t v[16]; - uint64_t m[16]; - union { - uint64_t v64; - uint32_t v32[2]; - }ctr; - blake_large_expand(v,ctx); - ctx->counter++; - ctr.v64 = ctx->counter*1024; - v[12] ^= ctr.v64; - v[13] ^= ctr.v64; - blake_large_changeendian(m, msg); - blake_large_compress(v, m); - blake_large_collapse(ctx, v); -} - -void blake_large_lastBlock(blake_large_ctx_t* ctx, const void* msg, uint16_t length_b){ - while(length_b>=BLAKE_LARGE_BLOCKSIZE){ - blake_large_nextBlock(ctx, msg); - msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; - length_b -= BLAKE_LARGE_BLOCKSIZE; - } - uint8_t buffer[128]; - uint64_t v[16]; - uint64_t ctr; - ctr = ctx->counter*1024+length_b; - memset(buffer, 0, 128); - memcpy(buffer, msg, (length_b+7)/8); - buffer[length_b/8] |= 0x80 >> (length_b%8); - blake_large_changeendian(buffer, buffer); - blake_large_expand(v, ctx); -#if BUG_3 - uint8_t x=0; - if(length_b%1024<895 && length_b%8) - x=0x40; - v[12] ^= ctr + x; - v[13] ^= ctr + x; - -#else - v[12] ^= ctr; - v[13] ^= ctr; -#endif - if(length_b>1024-128-2){ -#if BUG_4 - if(length_b<1017){ - blake_large_compress(v, buffer); - blake_large_collapse(ctx, v); - } -#else - blake_large_compress(v, buffer); - blake_large_collapse(ctx, v); -#endif - memset(buffer, 0, 128-8); - blake_large_expand(v, ctx); - } - if(ctx->appendone) - buffer[128-16-8] |= 0x01; - *((uint64_t*)(&(buffer[128-8]))) = ctr; - blake_large_compress(v, buffer); - blake_large_collapse(ctx, v); - -} - -uint64_t blake64_iv[] PROGMEM = { - 0x6A09E667F3BCC908LL, 0xBB67AE8584CAA73BLL, - 0x3C6EF372FE94F82BLL, 0xA54FF53A5F1D36F1LL, - 0x510E527FADE682D1LL, 0x9B05688C2B3E6C1FLL, - 0x1F83D9ABFB41BD6BLL, 0x5BE0CD19137E2179LL -}; - -void blake64_init(blake64_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] = pgm_read_qword(&(blake64_iv[i])); - } - memset(ctx->s, 0, 4*8); - ctx->counter = 0; - ctx->appendone = 1; -} - -uint64_t blake48_iv[] PROGMEM = { - 0xCBBB9D5DC1059ED8LL, 0x629A292A367CD507LL, - 0x9159015A3070DD17LL, 0x152FECD8F70E5939LL, - 0x67332667FFC00B31LL, 0x8EB44A8768581511LL, - 0xDB0C2E0D64F98FA7LL, 0x47B5481DBEFA4FA4LL -}; - -void blake48_init(blake48_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] = pgm_read_qword(&(blake48_iv[i])); - } - memset(ctx->s, 0, 4*8); - ctx->counter = 0; - ctx->appendone = 0; -} - -void blake64_ctx2hash(void* dest, const blake64_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ((uint32_t*)dest)[2*i+0] = CHANGE_ENDIAN32((ctx->h[i])>>32); - ((uint32_t*)dest)[2*i+1] = CHANGE_ENDIAN32((uint32_t)ctx->h[i]); - } -} - -void blake48_ctx2hash(void* dest, const blake48_ctx_t* ctx){ - uint8_t i; - for(i=0; i<6; ++i){ - ((uint32_t*)dest)[2*i+0] = CHANGE_ENDIAN32((ctx->h[i])>>32); - ((uint32_t*)dest)[2*i+1] = CHANGE_ENDIAN32((uint32_t)ctx->h[i]); - } -} - -void blake64_nextBlock(blake64_ctx_t* ctx, const void* block){ - blake_large_nextBlock(ctx, block); -} - -void blake48_nextBlock(blake48_ctx_t* ctx, const void* block){ - blake_large_nextBlock(ctx, block); -} - -void blake64_lastBlock(blake64_ctx_t* ctx, const void* block, uint16_t length_b){ - blake_large_lastBlock(ctx, block, length_b); -} - -void blake48_lastBlock(blake48_ctx_t* ctx, const void* block, uint16_t length_b){ - blake_large_lastBlock(ctx, block, length_b); -} - -void blake64(void* dest, const void* msg, uint32_t length_b){ - blake_large_ctx_t ctx; - blake64_init(&ctx); - while(length_b>=BLAKE_LARGE_BLOCKSIZE){ - blake_large_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; - length_b -= BLAKE_LARGE_BLOCKSIZE; - } - blake_large_lastBlock(&ctx, msg, length_b); - blake64_ctx2hash(dest, &ctx); -} - -void blake48(void* dest, const void* msg, uint32_t length_b){ - blake_large_ctx_t ctx; - blake48_init(&ctx); - while(length_b>=BLAKE_LARGE_BLOCKSIZE){ - blake_large_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + BLAKE_LARGE_BLOCKSIZE_B; - length_b -= BLAKE_LARGE_BLOCKSIZE; - } - blake_large_lastBlock(&ctx, msg, length_b); - blake48_ctx2hash(dest, &ctx); -} diff --git a/blake_large.h b/blake_large.h deleted file mode 100644 index 3556f2c..0000000 --- a/blake_large.h +++ /dev/null @@ -1,67 +0,0 @@ -/* blake_large.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_large.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-08 - * \license GPLv3 or later - * - */ -#ifndef BLAKE_LARGE_H_ -#define BLAKE_LARGE_H_ - -#include - -#define BLAKE_LARGE_BLOCKSIZE 1024 -#define BLAKE_LARGE_BLOCKSIZE_B ((BLAKE_LARGE_BLOCKSIZE+7)/8) -#define BLAKE48_BLOCKSIZE BLAKE_LARGE_BLOCKSIZE -#define BLAKE48_BLOCKSIZE_B BLAKE_LARGE_BLOCKSIZE_B -#define BLAKE64_BLOCKSIZE BLAKE_LARGE_BLOCKSIZE -#define BLAKE64_BLOCKSIZE_B BLAKE_LARGE_BLOCKSIZE_B - -typedef struct { - uint64_t h[8]; - uint64_t s[4]; - uint32_t counter; - uint8_t appendone; -} blake_large_ctx_t; - -typedef blake_large_ctx_t blake48_ctx_t; -typedef blake_large_ctx_t blake64_ctx_t; - -void blake48_init(blake48_ctx_t* ctx); -void blake64_init(blake64_ctx_t* ctx); - -void blake_large_nextBlock(blake_large_ctx_t* ctx, const void* block); -void blake_large_lastBlock(blake_large_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake48_nextBlock(blake48_ctx_t* ctx, const void* block); -void blake48_lastBlock(blake48_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake64_nextBlock(blake64_ctx_t* ctx, const void* block); -void blake64_lastBlock(blake64_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake48_ctx2hash(void* dest, const blake48_ctx_t* ctx); -void blake64_ctx2hash(void* dest, const blake64_ctx_t* ctx); - -void blake48(void* dest, const void* msg, uint32_t length_b); -void blake64(void* dest, const void* msg, uint32_t length_b); - -#endif /* BLAKE_LARGE_H_ */ diff --git a/blake_small.c b/blake_small.c deleted file mode 100644 index 75a2837..0000000 --- a/blake_small.c +++ /dev/null @@ -1,279 +0,0 @@ -/* blake_small.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_small.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-04 - * \license GPLv3 or later - * - */ - -#include -#include -#include -#include "memxor.h" -#include "blake_small.h" -#include "blake_common.h" - -#define BUG_1 1 /* bug compatibility for zero length message */ -#define BUG_2 1 /* bug compatibility for messages of length%512=505...511 */ - - -uint32_t blake_c[] PROGMEM = { - 0x243F6A88, 0x85A308D3, - 0x13198A2E, 0x03707344, - 0xA4093822, 0x299F31D0, - 0x082EFA98, 0xEC4E6C89, - 0x452821E6, 0x38D01377, - 0xBE5466CF, 0x34E90C6C, - 0xC0AC29B7, 0xC97C50DD, - 0x3F84D5B5, 0xB5470917 -}; - -#define ROTL32(a, n) (((a)<<(n))|((a)>>(32-(n)))) -#define ROTR32(a, n) (((a)>>(n))|((a)<<(32-(n)))) -#define CHANGE_ENDIAN32(a) (((a)<<24)| \ - ((0x0000ff00&(a))<<8)| \ - ((0x00ff0000&(a))>>8)| \ - (a)>>24 ) - -void blake_small_expand(uint32_t* v, const blake_small_ctx_t* ctx){ - uint8_t i; - memcpy(v, ctx->h, 8*4); - for(i=0; i<8; ++i){ - v[8+i] = pgm_read_dword(&(blake_c[i])); - } - memxor((uint8_t*)v+8, ctx->s, 4*4); - -} - -void blake_small_changeendian(void* dest, const void* src){ - uint8_t i; - for(i=0; i<16; ++i){ - ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(((uint32_t*)src)[i]); - } -} - -void blake_small_compress(uint32_t* v,const void* m){ - uint8_t r,i; - uint8_t a,b,c,d, s0, s1; - uint32_t lv[4]; - for(r=0; r<10; ++r){ - for(i=0; i<8; ++i){ - // blake_small_g(r, i, v, (uint32_t*)m); - a = pgm_read_byte(blake_index_lut+4*i+0); - b = pgm_read_byte(blake_index_lut+4*i+1); - c = pgm_read_byte(blake_index_lut+4*i+2); - d = pgm_read_byte(blake_index_lut+4*i+3); - s0 = pgm_read_byte(blake_sigma+16*r+2*i+0); - s1 = pgm_read_byte(blake_sigma+16*r+2*i+1); - lv[0] = v[a]; - lv[1] = v[b]; - lv[2] = v[c]; - lv[3] = v[d]; - - lv[0] += lv[1] + (((uint32_t*)m)[s0] ^ pgm_read_dword(&(blake_c[s1]))); - lv[3] = ROTR32(lv[3]^lv[0], 16); - lv[2] += lv[3]; - lv[1] = ROTR32(lv[1]^lv[2], 12); - lv[0] += lv[1] + (((uint32_t*)m)[s1] ^ pgm_read_dword(&(blake_c[s0]))); - lv[3] = ROTR32(lv[3]^lv[0], 8); - lv[2] += lv[3]; - lv[1] = ROTR32(lv[1]^lv[2], 7); - - v[a] = lv[0]; - v[b] = lv[1]; - v[c] = lv[2]; - v[d] = lv[3]; - - } - } -} - -void blake_small_collapse(blake_small_ctx_t* ctx, uint32_t* v){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] ^= ctx->s[i%4] ^ v[i] ^ v[8+i]; - } -} - -void blake_small_nextBlock(blake_small_ctx_t* ctx, const void* msg){ - uint32_t v[16]; - uint32_t m[16]; - union { - uint64_t v64; - uint32_t v32[2]; - }ctr; - blake_small_expand(v,ctx); - ctx->counter++; - ctr.v64 = ctx->counter*512; - v[12] ^= ctr.v32[0]; - v[13] ^= ctr.v32[0]; - v[14] ^= ctr.v32[1]; - v[15] ^= ctr.v32[1]; - blake_small_changeendian(m, msg); - blake_small_compress(v, m); - blake_small_collapse(ctx, v); -} - -void blake_small_lastBlock(blake_small_ctx_t* ctx, const void* msg, uint16_t length_b){ - while(length_b>=BLAKE_SMALL_BLOCKSIZE){ - blake_small_nextBlock(ctx, msg); - msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; - length_b -= BLAKE_SMALL_BLOCKSIZE; - } - uint8_t buffer[64]; - uint32_t v[16]; -#if BUG_2 - uint32_t tmp=0; -#endif - union { - uint64_t v64; - uint32_t v32[2]; - }ctr; - ctr.v64 = ctx->counter*512+length_b; -#if BUG_2 - if(length_b>=505){ - tmp =ctr.v32[0]; - ctr.v32[0] = ctx->counter*512; - ctr.v32[0] |= 0x40+length_b-504; - } -#endif - memset(buffer, 0, 64); - memcpy(buffer, msg, (length_b+7)/8); - buffer[length_b/8] |= 0x80 >> (length_b%8); - blake_small_changeendian(buffer, buffer); - blake_small_expand(v, ctx); - v[12] ^= ctr.v32[0]; - v[13] ^= ctr.v32[0]; - v[14] ^= ctr.v32[1]; - v[15] ^= ctr.v32[1]; -#if BUG_2 - if(length_b>=505) - ctr.v32[0] = tmp; -#endif -#if BUG_1 - if(length_b==0 && ctx->counter==0){ - v[14] ^= 1; - v[15] ^= 1; - } -#endif - if(length_b>512-64-2){ - blake_small_compress(v, buffer); - blake_small_collapse(ctx, v); - memset(buffer, 0, 64-8); - blake_small_expand(v, ctx); - } - if(ctx->appendone) - buffer[64-8-4] |= 0x01; - *((uint32_t*)(&(buffer[64-8]))) = ctr.v32[1]; - *((uint32_t*)(&(buffer[64-4]))) = ctr.v32[0]; - blake_small_compress(v, buffer); - blake_small_collapse(ctx, v); - -} - -uint32_t blake32_iv[] PROGMEM = { - 0x6A09E667L, 0xBB67AE85, - 0x3C6EF372L, 0xA54FF53A, - 0x510E527FL, 0x9B05688C, - 0x1F83D9ABL, 0x5BE0CD19 -}; - -void blake32_init(blake32_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] = pgm_read_dword(&(blake32_iv[i])); - } - memset(ctx->s, 0, 4*4); - ctx->counter = 0; - ctx->appendone = 1; -} - -uint32_t blake28_iv[] PROGMEM = { - 0xC1059ED8, 0x367CD507, - 0x3070DD17, 0xF70E5939, - 0xFFC00B31, 0x68581511, - 0x64F98FA7, 0xBEFA4FA4 -}; - -void blake28_init(blake28_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->h[i] = pgm_read_dword(&(blake28_iv[i])); - } - memset(ctx->s, 0, 4*4); - ctx->counter = 0; - ctx->appendone = 0; -} - -void blake32_ctx2hash(void* dest, const blake32_ctx_t* ctx){ - uint8_t i; - for(i=0; i<8; ++i){ - ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(ctx->h[i]); - } -} - -void blake28_ctx2hash(void* dest, const blake28_ctx_t* ctx){ - uint8_t i; - for(i=0; i<7; ++i){ - ((uint32_t*)dest)[i] = CHANGE_ENDIAN32(ctx->h[i]); - } -} - -void blake32_nextBlock(blake32_ctx_t* ctx, const void* block){ - blake_small_nextBlock(ctx, block); -} - -void blake28_nextBlock(blake28_ctx_t* ctx, const void* block){ - blake_small_nextBlock(ctx, block); -} - -void blake32_lastBlock(blake32_ctx_t* ctx, const void* block, uint16_t length_b){ - blake_small_lastBlock(ctx, block, length_b); -} - -void blake28_lastBlock(blake28_ctx_t* ctx, const void* block, uint16_t length_b){ - blake_small_lastBlock(ctx, block, length_b); -} - -void blake32(void* dest, const void* msg, uint32_t length_b){ - blake_small_ctx_t ctx; - blake32_init(&ctx); - while(length_b>=BLAKE_SMALL_BLOCKSIZE){ - blake_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; - length_b -= BLAKE_SMALL_BLOCKSIZE; - } - blake_small_lastBlock(&ctx, msg, length_b); - blake32_ctx2hash(dest, &ctx); -} - -void blake28(void* dest, const void* msg, uint32_t length_b){ - blake_small_ctx_t ctx; - blake28_init(&ctx); - while(length_b>=BLAKE_SMALL_BLOCKSIZE){ - blake_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + BLAKE_SMALL_BLOCKSIZE_B; - length_b -= BLAKE_SMALL_BLOCKSIZE; - } - blake_small_lastBlock(&ctx, msg, length_b); - blake28_ctx2hash(dest, &ctx); -} diff --git a/blake_small.h b/blake_small.h deleted file mode 100644 index 9502344..0000000 --- a/blake_small.h +++ /dev/null @@ -1,67 +0,0 @@ -/* blake_small.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file blake_small.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ -#ifndef BLAKE_SMALL_H_ -#define BLAKE_SMALL_H_ - -#include - -#define BLAKE_SMALL_BLOCKSIZE 512 -#define BLAKE_SMALL_BLOCKSIZE_B ((BLAKE_SMALL_BLOCKSIZE+7)/8) -#define BLAKE28_BLOCKSIZE BLAKE_SMALL_BLOCKSIZE -#define BLAKE28_BLOCKSIZE_B BLAKE_SMALL_BLOCKSIZE_B -#define BLAKE32_BLOCKSIZE BLAKE_SMALL_BLOCKSIZE -#define BLAKE32_BLOCKSIZE_B BLAKE_SMALL_BLOCKSIZE_B - -typedef struct { - uint32_t h[8]; - uint32_t s[4]; - uint32_t counter; - uint8_t appendone; -} blake_small_ctx_t; - -typedef blake_small_ctx_t blake28_ctx_t; -typedef blake_small_ctx_t blake32_ctx_t; - -void blake28_init(blake28_ctx_t* ctx); -void blake32_init(blake32_ctx_t* ctx); - -void blake_small_nextBlock(blake_small_ctx_t* ctx, const void* block); -void blake_small_lastBlock(blake_small_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake28_nextBlock(blake28_ctx_t* ctx, const void* block); -void blake28_lastBlock(blake28_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake32_nextBlock(blake32_ctx_t* ctx, const void* block); -void blake32_lastBlock(blake32_ctx_t* ctx, const void* block, uint16_t length_b); - -void blake28_ctx2hash(void* dest, const blake28_ctx_t* ctx); -void blake32_ctx2hash(void* dest, const blake32_ctx_t* ctx); - -void blake28(void* dest, const void* msg, uint32_t length_b); -void blake32(void* dest, const void* msg, uint32_t length_b); - -#endif /* BLAKE_SMALL_H_ */ diff --git a/camellia-asm.S b/camellia-asm.S deleted file mode 100644 index c743997..0000000 --- a/camellia-asm.S +++ /dev/null @@ -1,996 +0,0 @@ -/* camellia-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * File: camellis-asm.S - * Author: Daniel Otte - * Date: 2006-11-10 - * License: GPLv3 or later - * Description: Implementation of the camellia block cipher algorithm. - * - */ - -.macro SWAP_R A, B - eor \A, \B - eor \B, \A - eor \A, \B -.endm - -.macro precall - /* push r18 - r27, r30 - r31*/ - push r0 - push r1 - push r18 - push r19 - push r20 - push r21 - push r22 - push r23 - push r24 - push r25 - push r26 - push r27 - push r30 - push r31 - clr r1 -.endm - -.macro postcall - pop r31 - pop r30 - pop r27 - pop r26 - pop r25 - pop r24 - pop r23 - pop r22 - pop r21 - pop r20 - pop r19 - pop r18 - pop r1 - pop r0 -.endm - - -.macro hexdump length - push r27 - push r26 - ldi r25, '\r' - mov r24, r25 - call uart_putc - ldi r25, '\n' - mov r24, r25 - call uart_putc - pop r26 - pop r27 - movw r24, r26 -.if \length > 16 - ldi r22, lo8(16) - ldi r23, hi8(16) - push r27 - push r26 - call uart_hexdump - pop r26 - pop r27 - adiw r26, 16 - hexdump \length-16 -.else - ldi r22, lo8(\length) - ldi r23, hi8(\length) - call uart_hexdump -.endif -.endm - -/* X points to Block */ -.macro dbg_hexdump length - precall - hexdump \length - postcall -.endm - -SPL = 0x3D -SPH = 0x3E -SREG = 0x3F -NULLr = 1 - - -camellia_sbox: -.byte 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65 -.byte 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189 -.byte 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26 -.byte 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77 -.byte 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153 -.byte 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215 -.byte 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34 -.byte 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80 -.byte 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210 -.byte 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148 -.byte 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226 -.byte 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46 -.byte 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89 -.byte 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250 -.byte 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164 -.byte 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 - -//.global camellia_sigma -/* -camellia_sigma: -.quad 0xA09E667F3BCC908B -.quad 0xB67AE8584CAA73B2 -.quad 0xC6EF372FE94F82BE -.quad 0x54FF53A5F1D36F1C -.quad 0x10E527FADE682D1D -.quad 0xB05688C2B3E6C1FD -*/ - - - -/* uint8_t camellia_s1(uint8_t b) */ -.global camellia_s1 -camellia_s1: - ldi r30, lo8(camellia_sbox) - ldi r31, hi8(camellia_sbox) - add r30, r24 - adc r31, NULLr - lpm r24, Z - clr r25 - ret - -.global camellia_s2 -camellia_s2: - ldi r30, lo8(camellia_sbox) - ldi r31, hi8(camellia_sbox) - add r30, r24 - adc r31, NULLr - lpm r24, Z - lsl r24 - adc r24, NULLr - clr r25 - ret - -.global camellia_s3 -camellia_s3: - ldi r30, lo8(camellia_sbox) - ldi r31, hi8(camellia_sbox) - add r30, r24 - adc r31, NULLr - lpm r24, Z - bst r24, 0 - lsr r24 - bld r24, 7 - clr r25 - ret - -.global camellia_s4 -camellia_s4: - ldi r30, lo8(camellia_sbox) - ldi r31, hi8(camellia_sbox) - lsl r24 - adc r24, NULLr - add r30, r24 - adc r31, NULLr - lpm r24, Z - clr r25 - ret - -.global camellia_s -/* uint64_t camellia_s(uint64_t d){ - #define D ((uint8_t*)(&d)) - D[7] = camellia_s1(D[7]); // MSB - D[6] = camellia_s2(D[6]); - D[5] = camellia_s3(D[5]); - D[4] = camellia_s4(D[4]); - - D[3] = camellia_s2(D[3]); - D[2] = camellia_s3(D[2]); - D[1] = camellia_s4(D[1]); - D[0] = camellia_s1(D[0]); // LSB - #undef D - return d; -}*/ -; parameters -; d: r18-r25 (r18 is LSB) -camellia_s: - movw r26, r24 ; backup r24,r25 -> X - clr r25 - rcall camellia_s2 - mov r26, r24 - - mov r24, r27 - rcall camellia_s1 - mov r27, r24 - - mov r24, r23 - rcall camellia_s3 - mov r23, r24 - - mov r24, r22 - rcall camellia_s4 - mov r22, r24 - - mov r24, r21 - rcall camellia_s2 - mov r21, r24 - - mov r24, r20 - rcall camellia_s3 - mov r20, r24 - - mov r24, r19 - rcall camellia_s4 - mov r19, r24 - - - mov r24, r18 - rcall camellia_s1 - mov r18, r24 - - movw r24, r26 - ret - -;############################################################################## -/* uint64_t camellia_p(uint64_t d) */ -; param: r18-r25 (r18 is LSB) -z1 = 25 -z2 = 24 -z3 = 23 -z4 = 22 -z5 = 21 -z6 = 20 -z7 = 19 -z8 = 18 - -.global camellia_p -camellia_p: - eor z1, z6 - eor z2, z7 - eor z3, z8 - eor z4, z5 - eor z5, z3 - eor z6, z4 - eor z7, z1 - eor z8, z2 - ;--------- - eor z1, z8 - eor z2, z5 - eor z3, z6 - eor z4, z7 - eor z5, z4 - eor z6, z1 - eor z7, z2 - eor z8, z3 - ;--------- - movw r26, z8 - movw r30, z6 ; backup z5 bis z8 - movw z8, z4 - movw z6, z2 - movw z4, r26 - movw z2, r30 - ret - - -;############################################################################## - -/* uint64_t camellia_f(uint64_t x, uint64_t k) */ -; param x: r18-r25 -; param k: r10-r17 -.global camellia_f -camellia_f: - eor r18, r10 - eor r19, r11 - eor r20, r12 - eor r21, r13 - eor r22, r14 - eor r23, r15 - eor r24, r16 - eor r25, r17 - rcall camellia_s - rcall camellia_p - ret - -;############################################################################## - -/* uint64_t camellia_fl(uint64_t x, uint64_t k) */ -; param x: r18-r25 xl: r22-r25, xr: r18-r21 -; param k: r10-r17 kl: r14-r17, kr: r10-r13 -kl1 = 14 -kl2 = 15 -kl3 = 16 -kl4 = 17 -kr1 = 10 -kr2 = 11 -kr3 = 12 -kr4 = 13 -xr1 = 18 -xr2 = 19 -xr3 = 20 -xr4 = 21 -xl1 = 22 -xl2 = 23 -xl3 = 24 -xl4 = 25 -.global camellia_fl -camellia_fl: - and kl1, xl1 - and kl2, xl2 - and kl3, xl3 - and kl4, xl4 - mov r26, kl4 - rol r26 - rol kl1 - rol kl2 - rol kl3 - rol kl4 - eor xr1, kl1 - eor xr2, kl2 - eor xr3, kl3 - eor xr4, kl4 - // that was part one - or kr1, xr1 - or kr2, xr2 - or kr3, xr3 - or kr4, xr4 - eor xl1, kr1 - eor xl2, kr2 - eor xl3, kr3 - eor xl4, kr4 - ret - -;############################################################################## - -/* uint64_t camellia_fl_inv(uint64_t y, uint64_t k) */ -; param y: r18-r25 yl: r22-r25, yr: r18-r21 -; param k: r10-r17 kl: r14-r17, kr: r10-r13 -kl1 = 14 -kl2 = 15 -kl3 = 16 -kl4 = 17 -kr1 = 10 -kr2 = 11 -kr3 = 12 -kr4 = 13 -yr1 = 18 -yr2 = 19 -yr3 = 20 -yr4 = 21 -yl1 = 22 -yl2 = 23 -yl3 = 24 -yl4 = 25 -.global camellia_fl_inv -camellia_fl_inv: - or kr1, yr1 - or kr2, yr2 - or kr3, yr3 - or kr4, yr4 - eor yl1, kr1 - eor yl2, kr2 - eor yl3, kr3 - eor yl4, kr4 - // the first one is done - and kl1, yl1 - and kl2, yl2 - and kl3, yl3 - and kl4, yl4 - mov r26, kl4 - rol r26 - rol kl1 - rol kl2 - rol kl3 - rol kl4 - eor yr1, kl1 - eor yr2, kl2 - eor yr3, kl3 - eor yr4, kl4 - ret - -;############################################################################## -; param s: r24-r25 -; param q: r22 -B1 = 18 -B2 = 19 -.global camellia128_keyop_rot15 -camellia128_keyop_rot15: - movw r30, r24 ; Z points at LSB of kl ;-- 0 - ldi r22, 2 -2: adiw r30, 15 ;-- 15 - ld r21, Z - ld r20, -Z ;-- 14 - movw B1, r20 ; store Backup of the 2 MSB of kl - ror r20 - - ldi r21, 14 -1: ld r20, -Z ;-- 13..0 - ror r20 - std Z+2, r20 ;-- (15..2) - dec r21 - brne 1b - - ror B2 - ror B1 - st Z+, B1 ;-- 1 - st Z, B2 - adiw r30, 15 ;-- 16 - - dec r22 - brne 2b - ret - -;############################################################################## -; param s: r24-r25 -; param q: r22 -.global camellia128_keyop_rot17 -camellia128_keyop_rot17: - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - clt - movw r30, r24 - clr r27 -2: ldi r26, 8 - mov r1, r26 - lsl r1 ; r1=16 - ;push r1 - ; load 128bit value - ldd r0, Z+15 - rol r0 -1: ld r0, Z+ - rol r0 - st X+, r0 - dec r1 - brne 1b - - st -Z, 21 - st -Z, 20 - st -Z, 19 - st -Z, 18 - st -Z, 17 - st -Z, 16 - st -Z, 15 - st -Z, 14 ;-- - st -Z, 13 - st -Z, 12 - st -Z, 11 - st -Z, 10 - st -Z, 9 - st -Z, 8 - st -Z, 23 - st -Z, 22 - - brts 2f - set - adiw r30, 16 - rjmp 2b -2: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - ret - -;############################################################################## -; param s: r24-r25 -; param q: r22 -.global camellia128_keyop -camellia128_keyop: - cpi r22, 1 - breq camellia128_keyop_rot17 - rjmp camellia128_keyop_rot15 - -;############################################################################## -; param s: r24-r25 -; param q: r22 -B1 = 18 -B2 = 19 -.global camellia128_keyop_inv_rot15 -camellia128_keyop_inv_rot15: - movw r30, r24 ; Z points at LSB of kl ;-- 0 - movw r26, r24 ; X also - ldi r22, 2 -2: ;-- 0 - ld r20, Z+ ;-- 0/1 - ld r21, Z+ ;-- 1/2 - movw B1, r20 ; store Backup of the 2 LSB of kl - rol r21 - - ldi r20, 14 -1: ld r21, Z+ ;-- 2/14..3/16 - rol r21 - st X+, r21 ;-- (0..13)/(1..14) - dec r20 - brne 1b - - rol B1 - rol B2 - st X+, B1 ;-- 14/15 - st X+, B2 ;-- 15/16 - - dec r22 - brne 2b - ret - -;############################################################################## -; param s: r24-r25 -; param q: r22 -.global camellia128_keyop_inv_rot17 -camellia128_keyop_inv_rot17: - push r8 - push r9 - push r10 - push r11 - push r12 - push r13 - push r14 - push r15 - push r16 - push r17 - clt - movw r30, r24 - clr r27 -2: ldi r26, 8 - mov r1, r26 - lsl r1 ; r1=16 - ; load 128bit value - - ld r0, Z - adiw r30, 16 - ror r0 -1: ld r0, -Z - ror r0 - st X+, r0 - dec r1 - brne 1b - - st Z+, 21 - st Z+, 20 - st Z+, 19 - st Z+, 18 - st Z+, 17 - st Z+, 16 - st Z+, 15 - st Z+, 14 ;-- - st Z+, 13 - st Z+, 12 - st Z+, 11 - st Z+, 10 - st Z+, 9 - st Z+, 8 - st Z+, 23 - st Z+, 22 - - brts 2f - set -; adiw r30, 16 - rjmp 2b -2: - pop r17 - pop r16 - pop r15 - pop r14 - pop r13 - pop r12 - pop r11 - pop r10 - pop r9 - pop r8 - ret - -;############################################################################## -; param s: r24-r25 -; param q: r22 -.global camellia128_keyop_inv -camellia128_keyop_inv: - cpi r22, 1 - breq camellia128_keyop_inv_rot17 - rjmp camellia128_keyop_inv_rot15 - -;############################################################################## -; param p: r24-r25 pointer to data -; param l: r22 length of word -.global change_endian -change_endian: - movw r26, r24 - movw r30, r24 - add r30, r22 - adc r31, r1 - lsr r22 -1: - ld r20, X - ld r21, -Z - st X+, r21 - st Z, r20 - dec r22 - brne 1b - ret - -;############################################################################## - -#define SEL_KA 1 -#define SEL_KL 0 -#define KEY_POSTC1 0x00 -#define KEY_POSTC2 0x01 -#define KEY_INC2 0x02 -#define KEY_DIR 0x04 -#define KEY_DIR_NORM 0x00 -#define KEY_DIR_INV 0x04 -#define KEY_AMMOUNT 0x08 -#define KEY_ROL17 0x08 -#define KEY_ROL15 0x00 -/* -void camellia_6rounds(camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, uint8_t roundop, uint8_t keychoice){ - uint8_t i; - uint64_t* k[4]; - k[0] = &(s->kll); - k[1] = &(s->klr); - k[2] = &(s->kal); - k[3] = &(s->kar); - for(i=0; i<3; ++i){ / * each cycle * / - br[0] ^= camellia_f(bl[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?1:0)])); - keychoice >>= 1; - - if((i == 1) && (roundop&KEY_INC2)){ - ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1); - } - - bl[0] ^= camellia_f(br[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?0:1)])); - keychoice >>= 1; - - / * check if we should do some keyop * / - if((i == (roundop&1)) && (!(roundop&KEY_INC2)) ){ - ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1); - / * isn't it fuckin nice what we can do in C?! * / - } - } -} -*/ -; param s: r24-r25 -; param bl: r22-r23 -; param br: r20-r21 -; param roundop: r18 -; param keychoice: r16 -s1 = 24 -s2 = 25 -bl1 = 22 -bl2 = 23 -br1 = 20 -br2 = 22 -xro = 18 -kc = 16 -xro_sec = 17 -br1_sec = 10 -br2_sec = 11 -bl1_sec = 12 -bl2_sec = 13 -s1_sec = 14 -t = 9 -loop_cnt = 8 -keyop_time = 7 - -.global camellia_6rounds -camellia_6rounds: - push r17 - push r16 - push r15 - push r14 - push r13 - push r12 - push r11 - push r10 - push r9 - push r8 - push r7 - - ldi r17, 6 - mov loop_cnt, r17 - mov xro_sec, xro - movw br1_sec, br1 - movw bl1_sec, bl1 - movw s1_sec, s1 - clr keyop_time - inc keyop_time - sec - rol keyop_time // keyop_time == 3 - SBRC xro, 1 // KEY_INC2 - rjmp 1f - SBRS xro, 0 // KEY_POSTC1 - inc keyop_time - SBRS xro, 0 // KEY_POSTC1 - inc keyop_time - rjmp 2f -1: inc keyop_time -2: -main_loop: - /* now we load the key to r18-r25 */ - movw r26, s1_sec - SBRC kc, 0 /* select between KA and KL */ - adiw r26, 16 - SBRC xro_sec, 2 // KEY_DIR - rjmp 2f - SBRS loop_cnt, 0 /* enc */ - adiw r26, 8 - rjmp 3f -2: SBRC loop_cnt, 0 /* dec */ - adiw r26, 8 - rjmp 3f -3: - lsr kc - ld r18, X+ - ld r19, X+ - ld r20, X+ - ld r21, X+ - ld r22, X+ - ld r23, X+ - ld r24, X+ - ld r25, X+ - /* now we xor bl in */ - movw r26, bl1_sec - ld r0, X+ - eor r18, r0 - ld r0, X+ - eor r19, r0 - ld r0, X+ - eor r20, r0 - ld r0, X+ - eor r21, r0 - ld r0, X+ - eor r22, r0 - ld r0, X+ - eor r23, r0 - ld r0, X+ - eor r24, r0 - ld r0, X+ - eor r25, r0 - /* f(x,k) = p(s(x xor k)) ; xor is done */ - call camellia_s; - call camellia_p; - -// in r26, SPL -// in r27, SPH -// sbiw r26, 9 -// dbg_hexdump 10 - /* now we have to xor the result into br */ - clr r31 - ldi r30, 18 - movw r26, br1_sec -; ldi r1, 8 ;-- this won't work - clr r1 - sec - ror r1 - swap r1 -1: ld r0, X - ld t, Z+ - eor r0, t - st X+, r0 - dec r1 - brne 1b - - /* check for keyop */ - cp loop_cnt, keyop_time - brne 3f - movw s1, s1_sec - ldi r22, 1 - SBRS xro_sec, 3 // KEY_ROL17 - neg r22 - SBRS xro_sec, 2 // KEY_DIR - rjmp 2f - rcall camellia128_keyop_inv - rjmp 3f -2: rcall camellia128_keyop -3: /* loop back */ - SWAP_R br1_sec, bl1_sec - SWAP_R br2_sec, bl2_sec - dec loop_cnt - breq 2f - rjmp main_loop -2: - pop r7 - pop r8 - pop r9 - pop r10 - pop r11 - pop r12 - pop r13 - pop r14 - pop r15 - pop r16 - pop r17 - ret - -;############################################################################## -/* -void camellia128_init(camellia128_ctx_t* s, uint8_t* key){ - uint8_t i; - s->kll = 0; //((uint64_t*)key)[0]; - - / * load the key, endian-adjusted, to kll,klr * / - for(i=0; i<8; ++i){ - s->kll <<= 8; - s->kll |= *key++; - } - for(i=0; i<8; ++i){ - s->klr <<= 8; - s->klr |= *key++; - } - - s->kal = s->kll; - s->kar = s->klr; - - s->kar ^= camellia_f(s->kal, camellia_sigma[0]); - s->kal ^= camellia_f(s->kar, camellia_sigma[1]); - - s->kal ^= s->kll; - s->kar ^= s->klr; - - s->kar ^= camellia_f(s->kal, camellia_sigma[2]); - s->kal ^= camellia_f(s->kar, camellia_sigma[3]); - / * * / -// uart_putstr("\n\r----------------init finished--------------------"); -} -*/ -/* -X64_xor_in: - ld r0, X+ - eor r18, r0 - ld r0, X+ - eor r19, r0 - ld r0, X+ - eor r20, r0 - ld r0, X+ - eor r21, r0 - ld r0, X+ - eor r22, r0 - ld r0, X+ - eor r23, r0 - ld r0, X+ - eor r24, r0 - ld r0, X+ - eor r25, r0 - ret - -X64_load: - ld r18, X+ - ld r19, X+ - ld r20, X+ - ld r21, X+ - ld r22, X+ - ld r23, X+ - ld r24, X+ - ld r25, X+ - ret - -Y64_load_xor_store: - ld r0, Y - eor r18, r0 - st Y+, r18 - ld r0, Y - eor r19, r0 - st Y+, r19 - ld r0, Y - eor r20, r0 - st Y+, r20 - ld r0, Y - eor r21, r0 - st Y+, r21 - ld r0, Y - eor r22, r0 - st Y+, r22 - ld r0, Y - eor r23, r0 - st Y+, r23 - ld r0, Y - eor r24, r0 - st Y+, r24 - ld r0, Y - eor r25, r0 - st Y+, r25 - ret - -; param s: r24-r25 -; param *k: r22-r23 -//.global camellia128_init -camellia128_init: - push r29 - push r28 - movw r30, r24 ; Z is statepointer - movw r26, r22 ; X is keypointer - clr r29 - ldi r28, 18 -// / * load key into kl, ka and kal to r18:r25 * / - adiw r26, 128/8 ;-- 16 - ldi r16, (128/8)-1 -1: ld r17, -X - std Z+(128/8), r17 - st Z+, r17 - sbrs r16, 3 - st Y+, r17 ; this should only be done the last 8 rounds 0<=r16<=7 - dec r16 - brpl 1b -// / * step 1 * / - ldi r26, lo8(camellia_sigma) - ldi r27, hi8(camellia_sigma) - rcall X64_xor_in - rcall camellia_s - rcall camellia_p // / * f(x,k) is done * / - sbiw r30, 128/8 - movw r28, r30 ; Z&Y point on kar now - call Y64_load_xor_store - -// / * step 2 now * / - rcall X64_xor_in - rcall camellia_s - rcall camellia_p // / * f(x,k) is done * / - rcall Y64_load_xor_store - -// / * now the xor part (kl and kr) * / - sbiw r30, 128/8 ; Z points to klr - ldi r16, 128/8 -1: ld r0, Z+ - ldd r1, Z+(128/8)-1 - eor r0, r1 - std Z+(128/8)-1, r0 - dec r16 - brne 1b - -// / * now s->kar ^= camellia_f(s->kal, camellia_sigma[2]); * / - rcall X64_load ; load sigma[2] - movw r26, r28 ; X&Y point at kal - rcall X64_xor_in - rcall camellia_s - rcall camellia_p - sbiw r28, 128/8/2 ; Y points at kar - rcall Y64_load_xor_store - -// / * now s->kal ^= camellia_f(s->kar, camellia_sigma[3]); * / - sbiw r26, 128/8 ; - rcall X64_load ; load kar - ldi r26, lo8(camellia_sigma+3*8) - ldi r27, hi8(camellia_sigma+3*8) - rcall X64_xor_in ; xor sigma[3] in - rcall camellia_s - rcall camellia_p - rcall Y64_load_xor_store - - pop r28 - pop r29 - ret - -//*/ - - - - - - - - - - diff --git a/camellia.h b/camellia.h deleted file mode 100644 index 7609613..0000000 --- a/camellia.h +++ /dev/null @@ -1,37 +0,0 @@ -/* camellia.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -#ifndef CAMELLIA_H_ -#define CAMELLIA_H_ - -#include - -typedef struct camellia128_ctx_s{ - uint64_t klr; - uint64_t kll; - uint64_t kar; - uint64_t kal; -}camellia128_ctx_t; - - -void camellia128_init(const void* key, camellia128_ctx_t* s); -void camellia128_enc(void* block, const camellia128_ctx_t* s); -void camellia128_dec(void* block, const camellia128_ctx_t* s); - - -#endif /*CAMELLIA_H_*/ diff --git a/camellia/camellia-asm.S b/camellia/camellia-asm.S new file mode 100644 index 0000000..c743997 --- /dev/null +++ b/camellia/camellia-asm.S @@ -0,0 +1,996 @@ +/* camellia-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * File: camellis-asm.S + * Author: Daniel Otte + * Date: 2006-11-10 + * License: GPLv3 or later + * Description: Implementation of the camellia block cipher algorithm. + * + */ + +.macro SWAP_R A, B + eor \A, \B + eor \B, \A + eor \A, \B +.endm + +.macro precall + /* push r18 - r27, r30 - r31*/ + push r0 + push r1 + push r18 + push r19 + push r20 + push r21 + push r22 + push r23 + push r24 + push r25 + push r26 + push r27 + push r30 + push r31 + clr r1 +.endm + +.macro postcall + pop r31 + pop r30 + pop r27 + pop r26 + pop r25 + pop r24 + pop r23 + pop r22 + pop r21 + pop r20 + pop r19 + pop r18 + pop r1 + pop r0 +.endm + + +.macro hexdump length + push r27 + push r26 + ldi r25, '\r' + mov r24, r25 + call uart_putc + ldi r25, '\n' + mov r24, r25 + call uart_putc + pop r26 + pop r27 + movw r24, r26 +.if \length > 16 + ldi r22, lo8(16) + ldi r23, hi8(16) + push r27 + push r26 + call uart_hexdump + pop r26 + pop r27 + adiw r26, 16 + hexdump \length-16 +.else + ldi r22, lo8(\length) + ldi r23, hi8(\length) + call uart_hexdump +.endif +.endm + +/* X points to Block */ +.macro dbg_hexdump length + precall + hexdump \length + postcall +.endm + +SPL = 0x3D +SPH = 0x3E +SREG = 0x3F +NULLr = 1 + + +camellia_sbox: +.byte 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65 +.byte 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189 +.byte 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26 +.byte 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77 +.byte 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153 +.byte 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215 +.byte 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34 +.byte 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80 +.byte 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210 +.byte 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148 +.byte 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226 +.byte 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46 +.byte 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89 +.byte 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250 +.byte 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164 +.byte 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 + +//.global camellia_sigma +/* +camellia_sigma: +.quad 0xA09E667F3BCC908B +.quad 0xB67AE8584CAA73B2 +.quad 0xC6EF372FE94F82BE +.quad 0x54FF53A5F1D36F1C +.quad 0x10E527FADE682D1D +.quad 0xB05688C2B3E6C1FD +*/ + + + +/* uint8_t camellia_s1(uint8_t b) */ +.global camellia_s1 +camellia_s1: + ldi r30, lo8(camellia_sbox) + ldi r31, hi8(camellia_sbox) + add r30, r24 + adc r31, NULLr + lpm r24, Z + clr r25 + ret + +.global camellia_s2 +camellia_s2: + ldi r30, lo8(camellia_sbox) + ldi r31, hi8(camellia_sbox) + add r30, r24 + adc r31, NULLr + lpm r24, Z + lsl r24 + adc r24, NULLr + clr r25 + ret + +.global camellia_s3 +camellia_s3: + ldi r30, lo8(camellia_sbox) + ldi r31, hi8(camellia_sbox) + add r30, r24 + adc r31, NULLr + lpm r24, Z + bst r24, 0 + lsr r24 + bld r24, 7 + clr r25 + ret + +.global camellia_s4 +camellia_s4: + ldi r30, lo8(camellia_sbox) + ldi r31, hi8(camellia_sbox) + lsl r24 + adc r24, NULLr + add r30, r24 + adc r31, NULLr + lpm r24, Z + clr r25 + ret + +.global camellia_s +/* uint64_t camellia_s(uint64_t d){ + #define D ((uint8_t*)(&d)) + D[7] = camellia_s1(D[7]); // MSB + D[6] = camellia_s2(D[6]); + D[5] = camellia_s3(D[5]); + D[4] = camellia_s4(D[4]); + + D[3] = camellia_s2(D[3]); + D[2] = camellia_s3(D[2]); + D[1] = camellia_s4(D[1]); + D[0] = camellia_s1(D[0]); // LSB + #undef D + return d; +}*/ +; parameters +; d: r18-r25 (r18 is LSB) +camellia_s: + movw r26, r24 ; backup r24,r25 -> X + clr r25 + rcall camellia_s2 + mov r26, r24 + + mov r24, r27 + rcall camellia_s1 + mov r27, r24 + + mov r24, r23 + rcall camellia_s3 + mov r23, r24 + + mov r24, r22 + rcall camellia_s4 + mov r22, r24 + + mov r24, r21 + rcall camellia_s2 + mov r21, r24 + + mov r24, r20 + rcall camellia_s3 + mov r20, r24 + + mov r24, r19 + rcall camellia_s4 + mov r19, r24 + + + mov r24, r18 + rcall camellia_s1 + mov r18, r24 + + movw r24, r26 + ret + +;############################################################################## +/* uint64_t camellia_p(uint64_t d) */ +; param: r18-r25 (r18 is LSB) +z1 = 25 +z2 = 24 +z3 = 23 +z4 = 22 +z5 = 21 +z6 = 20 +z7 = 19 +z8 = 18 + +.global camellia_p +camellia_p: + eor z1, z6 + eor z2, z7 + eor z3, z8 + eor z4, z5 + eor z5, z3 + eor z6, z4 + eor z7, z1 + eor z8, z2 + ;--------- + eor z1, z8 + eor z2, z5 + eor z3, z6 + eor z4, z7 + eor z5, z4 + eor z6, z1 + eor z7, z2 + eor z8, z3 + ;--------- + movw r26, z8 + movw r30, z6 ; backup z5 bis z8 + movw z8, z4 + movw z6, z2 + movw z4, r26 + movw z2, r30 + ret + + +;############################################################################## + +/* uint64_t camellia_f(uint64_t x, uint64_t k) */ +; param x: r18-r25 +; param k: r10-r17 +.global camellia_f +camellia_f: + eor r18, r10 + eor r19, r11 + eor r20, r12 + eor r21, r13 + eor r22, r14 + eor r23, r15 + eor r24, r16 + eor r25, r17 + rcall camellia_s + rcall camellia_p + ret + +;############################################################################## + +/* uint64_t camellia_fl(uint64_t x, uint64_t k) */ +; param x: r18-r25 xl: r22-r25, xr: r18-r21 +; param k: r10-r17 kl: r14-r17, kr: r10-r13 +kl1 = 14 +kl2 = 15 +kl3 = 16 +kl4 = 17 +kr1 = 10 +kr2 = 11 +kr3 = 12 +kr4 = 13 +xr1 = 18 +xr2 = 19 +xr3 = 20 +xr4 = 21 +xl1 = 22 +xl2 = 23 +xl3 = 24 +xl4 = 25 +.global camellia_fl +camellia_fl: + and kl1, xl1 + and kl2, xl2 + and kl3, xl3 + and kl4, xl4 + mov r26, kl4 + rol r26 + rol kl1 + rol kl2 + rol kl3 + rol kl4 + eor xr1, kl1 + eor xr2, kl2 + eor xr3, kl3 + eor xr4, kl4 + // that was part one + or kr1, xr1 + or kr2, xr2 + or kr3, xr3 + or kr4, xr4 + eor xl1, kr1 + eor xl2, kr2 + eor xl3, kr3 + eor xl4, kr4 + ret + +;############################################################################## + +/* uint64_t camellia_fl_inv(uint64_t y, uint64_t k) */ +; param y: r18-r25 yl: r22-r25, yr: r18-r21 +; param k: r10-r17 kl: r14-r17, kr: r10-r13 +kl1 = 14 +kl2 = 15 +kl3 = 16 +kl4 = 17 +kr1 = 10 +kr2 = 11 +kr3 = 12 +kr4 = 13 +yr1 = 18 +yr2 = 19 +yr3 = 20 +yr4 = 21 +yl1 = 22 +yl2 = 23 +yl3 = 24 +yl4 = 25 +.global camellia_fl_inv +camellia_fl_inv: + or kr1, yr1 + or kr2, yr2 + or kr3, yr3 + or kr4, yr4 + eor yl1, kr1 + eor yl2, kr2 + eor yl3, kr3 + eor yl4, kr4 + // the first one is done + and kl1, yl1 + and kl2, yl2 + and kl3, yl3 + and kl4, yl4 + mov r26, kl4 + rol r26 + rol kl1 + rol kl2 + rol kl3 + rol kl4 + eor yr1, kl1 + eor yr2, kl2 + eor yr3, kl3 + eor yr4, kl4 + ret + +;############################################################################## +; param s: r24-r25 +; param q: r22 +B1 = 18 +B2 = 19 +.global camellia128_keyop_rot15 +camellia128_keyop_rot15: + movw r30, r24 ; Z points at LSB of kl ;-- 0 + ldi r22, 2 +2: adiw r30, 15 ;-- 15 + ld r21, Z + ld r20, -Z ;-- 14 + movw B1, r20 ; store Backup of the 2 MSB of kl + ror r20 + + ldi r21, 14 +1: ld r20, -Z ;-- 13..0 + ror r20 + std Z+2, r20 ;-- (15..2) + dec r21 + brne 1b + + ror B2 + ror B1 + st Z+, B1 ;-- 1 + st Z, B2 + adiw r30, 15 ;-- 16 + + dec r22 + brne 2b + ret + +;############################################################################## +; param s: r24-r25 +; param q: r22 +.global camellia128_keyop_rot17 +camellia128_keyop_rot17: + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + clt + movw r30, r24 + clr r27 +2: ldi r26, 8 + mov r1, r26 + lsl r1 ; r1=16 + ;push r1 + ; load 128bit value + ldd r0, Z+15 + rol r0 +1: ld r0, Z+ + rol r0 + st X+, r0 + dec r1 + brne 1b + + st -Z, 21 + st -Z, 20 + st -Z, 19 + st -Z, 18 + st -Z, 17 + st -Z, 16 + st -Z, 15 + st -Z, 14 ;-- + st -Z, 13 + st -Z, 12 + st -Z, 11 + st -Z, 10 + st -Z, 9 + st -Z, 8 + st -Z, 23 + st -Z, 22 + + brts 2f + set + adiw r30, 16 + rjmp 2b +2: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + ret + +;############################################################################## +; param s: r24-r25 +; param q: r22 +.global camellia128_keyop +camellia128_keyop: + cpi r22, 1 + breq camellia128_keyop_rot17 + rjmp camellia128_keyop_rot15 + +;############################################################################## +; param s: r24-r25 +; param q: r22 +B1 = 18 +B2 = 19 +.global camellia128_keyop_inv_rot15 +camellia128_keyop_inv_rot15: + movw r30, r24 ; Z points at LSB of kl ;-- 0 + movw r26, r24 ; X also + ldi r22, 2 +2: ;-- 0 + ld r20, Z+ ;-- 0/1 + ld r21, Z+ ;-- 1/2 + movw B1, r20 ; store Backup of the 2 LSB of kl + rol r21 + + ldi r20, 14 +1: ld r21, Z+ ;-- 2/14..3/16 + rol r21 + st X+, r21 ;-- (0..13)/(1..14) + dec r20 + brne 1b + + rol B1 + rol B2 + st X+, B1 ;-- 14/15 + st X+, B2 ;-- 15/16 + + dec r22 + brne 2b + ret + +;############################################################################## +; param s: r24-r25 +; param q: r22 +.global camellia128_keyop_inv_rot17 +camellia128_keyop_inv_rot17: + push r8 + push r9 + push r10 + push r11 + push r12 + push r13 + push r14 + push r15 + push r16 + push r17 + clt + movw r30, r24 + clr r27 +2: ldi r26, 8 + mov r1, r26 + lsl r1 ; r1=16 + ; load 128bit value + + ld r0, Z + adiw r30, 16 + ror r0 +1: ld r0, -Z + ror r0 + st X+, r0 + dec r1 + brne 1b + + st Z+, 21 + st Z+, 20 + st Z+, 19 + st Z+, 18 + st Z+, 17 + st Z+, 16 + st Z+, 15 + st Z+, 14 ;-- + st Z+, 13 + st Z+, 12 + st Z+, 11 + st Z+, 10 + st Z+, 9 + st Z+, 8 + st Z+, 23 + st Z+, 22 + + brts 2f + set +; adiw r30, 16 + rjmp 2b +2: + pop r17 + pop r16 + pop r15 + pop r14 + pop r13 + pop r12 + pop r11 + pop r10 + pop r9 + pop r8 + ret + +;############################################################################## +; param s: r24-r25 +; param q: r22 +.global camellia128_keyop_inv +camellia128_keyop_inv: + cpi r22, 1 + breq camellia128_keyop_inv_rot17 + rjmp camellia128_keyop_inv_rot15 + +;############################################################################## +; param p: r24-r25 pointer to data +; param l: r22 length of word +.global change_endian +change_endian: + movw r26, r24 + movw r30, r24 + add r30, r22 + adc r31, r1 + lsr r22 +1: + ld r20, X + ld r21, -Z + st X+, r21 + st Z, r20 + dec r22 + brne 1b + ret + +;############################################################################## + +#define SEL_KA 1 +#define SEL_KL 0 +#define KEY_POSTC1 0x00 +#define KEY_POSTC2 0x01 +#define KEY_INC2 0x02 +#define KEY_DIR 0x04 +#define KEY_DIR_NORM 0x00 +#define KEY_DIR_INV 0x04 +#define KEY_AMMOUNT 0x08 +#define KEY_ROL17 0x08 +#define KEY_ROL15 0x00 +/* +void camellia_6rounds(camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, uint8_t roundop, uint8_t keychoice){ + uint8_t i; + uint64_t* k[4]; + k[0] = &(s->kll); + k[1] = &(s->klr); + k[2] = &(s->kal); + k[3] = &(s->kar); + for(i=0; i<3; ++i){ / * each cycle * / + br[0] ^= camellia_f(bl[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?1:0)])); + keychoice >>= 1; + + if((i == 1) && (roundop&KEY_INC2)){ + ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1); + } + + bl[0] ^= camellia_f(br[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?0:1)])); + keychoice >>= 1; + + / * check if we should do some keyop * / + if((i == (roundop&1)) && (!(roundop&KEY_INC2)) ){ + ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(s,(roundop&KEY_AMMOUNT)?1:-1); + / * isn't it fuckin nice what we can do in C?! * / + } + } +} +*/ +; param s: r24-r25 +; param bl: r22-r23 +; param br: r20-r21 +; param roundop: r18 +; param keychoice: r16 +s1 = 24 +s2 = 25 +bl1 = 22 +bl2 = 23 +br1 = 20 +br2 = 22 +xro = 18 +kc = 16 +xro_sec = 17 +br1_sec = 10 +br2_sec = 11 +bl1_sec = 12 +bl2_sec = 13 +s1_sec = 14 +t = 9 +loop_cnt = 8 +keyop_time = 7 + +.global camellia_6rounds +camellia_6rounds: + push r17 + push r16 + push r15 + push r14 + push r13 + push r12 + push r11 + push r10 + push r9 + push r8 + push r7 + + ldi r17, 6 + mov loop_cnt, r17 + mov xro_sec, xro + movw br1_sec, br1 + movw bl1_sec, bl1 + movw s1_sec, s1 + clr keyop_time + inc keyop_time + sec + rol keyop_time // keyop_time == 3 + SBRC xro, 1 // KEY_INC2 + rjmp 1f + SBRS xro, 0 // KEY_POSTC1 + inc keyop_time + SBRS xro, 0 // KEY_POSTC1 + inc keyop_time + rjmp 2f +1: inc keyop_time +2: +main_loop: + /* now we load the key to r18-r25 */ + movw r26, s1_sec + SBRC kc, 0 /* select between KA and KL */ + adiw r26, 16 + SBRC xro_sec, 2 // KEY_DIR + rjmp 2f + SBRS loop_cnt, 0 /* enc */ + adiw r26, 8 + rjmp 3f +2: SBRC loop_cnt, 0 /* dec */ + adiw r26, 8 + rjmp 3f +3: + lsr kc + ld r18, X+ + ld r19, X+ + ld r20, X+ + ld r21, X+ + ld r22, X+ + ld r23, X+ + ld r24, X+ + ld r25, X+ + /* now we xor bl in */ + movw r26, bl1_sec + ld r0, X+ + eor r18, r0 + ld r0, X+ + eor r19, r0 + ld r0, X+ + eor r20, r0 + ld r0, X+ + eor r21, r0 + ld r0, X+ + eor r22, r0 + ld r0, X+ + eor r23, r0 + ld r0, X+ + eor r24, r0 + ld r0, X+ + eor r25, r0 + /* f(x,k) = p(s(x xor k)) ; xor is done */ + call camellia_s; + call camellia_p; + +// in r26, SPL +// in r27, SPH +// sbiw r26, 9 +// dbg_hexdump 10 + /* now we have to xor the result into br */ + clr r31 + ldi r30, 18 + movw r26, br1_sec +; ldi r1, 8 ;-- this won't work + clr r1 + sec + ror r1 + swap r1 +1: ld r0, X + ld t, Z+ + eor r0, t + st X+, r0 + dec r1 + brne 1b + + /* check for keyop */ + cp loop_cnt, keyop_time + brne 3f + movw s1, s1_sec + ldi r22, 1 + SBRS xro_sec, 3 // KEY_ROL17 + neg r22 + SBRS xro_sec, 2 // KEY_DIR + rjmp 2f + rcall camellia128_keyop_inv + rjmp 3f +2: rcall camellia128_keyop +3: /* loop back */ + SWAP_R br1_sec, bl1_sec + SWAP_R br2_sec, bl2_sec + dec loop_cnt + breq 2f + rjmp main_loop +2: + pop r7 + pop r8 + pop r9 + pop r10 + pop r11 + pop r12 + pop r13 + pop r14 + pop r15 + pop r16 + pop r17 + ret + +;############################################################################## +/* +void camellia128_init(camellia128_ctx_t* s, uint8_t* key){ + uint8_t i; + s->kll = 0; //((uint64_t*)key)[0]; + + / * load the key, endian-adjusted, to kll,klr * / + for(i=0; i<8; ++i){ + s->kll <<= 8; + s->kll |= *key++; + } + for(i=0; i<8; ++i){ + s->klr <<= 8; + s->klr |= *key++; + } + + s->kal = s->kll; + s->kar = s->klr; + + s->kar ^= camellia_f(s->kal, camellia_sigma[0]); + s->kal ^= camellia_f(s->kar, camellia_sigma[1]); + + s->kal ^= s->kll; + s->kar ^= s->klr; + + s->kar ^= camellia_f(s->kal, camellia_sigma[2]); + s->kal ^= camellia_f(s->kar, camellia_sigma[3]); + / * * / +// uart_putstr("\n\r----------------init finished--------------------"); +} +*/ +/* +X64_xor_in: + ld r0, X+ + eor r18, r0 + ld r0, X+ + eor r19, r0 + ld r0, X+ + eor r20, r0 + ld r0, X+ + eor r21, r0 + ld r0, X+ + eor r22, r0 + ld r0, X+ + eor r23, r0 + ld r0, X+ + eor r24, r0 + ld r0, X+ + eor r25, r0 + ret + +X64_load: + ld r18, X+ + ld r19, X+ + ld r20, X+ + ld r21, X+ + ld r22, X+ + ld r23, X+ + ld r24, X+ + ld r25, X+ + ret + +Y64_load_xor_store: + ld r0, Y + eor r18, r0 + st Y+, r18 + ld r0, Y + eor r19, r0 + st Y+, r19 + ld r0, Y + eor r20, r0 + st Y+, r20 + ld r0, Y + eor r21, r0 + st Y+, r21 + ld r0, Y + eor r22, r0 + st Y+, r22 + ld r0, Y + eor r23, r0 + st Y+, r23 + ld r0, Y + eor r24, r0 + st Y+, r24 + ld r0, Y + eor r25, r0 + st Y+, r25 + ret + +; param s: r24-r25 +; param *k: r22-r23 +//.global camellia128_init +camellia128_init: + push r29 + push r28 + movw r30, r24 ; Z is statepointer + movw r26, r22 ; X is keypointer + clr r29 + ldi r28, 18 +// / * load key into kl, ka and kal to r18:r25 * / + adiw r26, 128/8 ;-- 16 + ldi r16, (128/8)-1 +1: ld r17, -X + std Z+(128/8), r17 + st Z+, r17 + sbrs r16, 3 + st Y+, r17 ; this should only be done the last 8 rounds 0<=r16<=7 + dec r16 + brpl 1b +// / * step 1 * / + ldi r26, lo8(camellia_sigma) + ldi r27, hi8(camellia_sigma) + rcall X64_xor_in + rcall camellia_s + rcall camellia_p // / * f(x,k) is done * / + sbiw r30, 128/8 + movw r28, r30 ; Z&Y point on kar now + call Y64_load_xor_store + +// / * step 2 now * / + rcall X64_xor_in + rcall camellia_s + rcall camellia_p // / * f(x,k) is done * / + rcall Y64_load_xor_store + +// / * now the xor part (kl and kr) * / + sbiw r30, 128/8 ; Z points to klr + ldi r16, 128/8 +1: ld r0, Z+ + ldd r1, Z+(128/8)-1 + eor r0, r1 + std Z+(128/8)-1, r0 + dec r16 + brne 1b + +// / * now s->kar ^= camellia_f(s->kal, camellia_sigma[2]); * / + rcall X64_load ; load sigma[2] + movw r26, r28 ; X&Y point at kal + rcall X64_xor_in + rcall camellia_s + rcall camellia_p + sbiw r28, 128/8/2 ; Y points at kar + rcall Y64_load_xor_store + +// / * now s->kal ^= camellia_f(s->kar, camellia_sigma[3]); * / + sbiw r26, 128/8 ; + rcall X64_load ; load kar + ldi r26, lo8(camellia_sigma+3*8) + ldi r27, hi8(camellia_sigma+3*8) + rcall X64_xor_in ; xor sigma[3] in + rcall camellia_s + rcall camellia_p + rcall Y64_load_xor_store + + pop r28 + pop r29 + ret + +//*/ + + + + + + + + + + diff --git a/camellia/camellia.h b/camellia/camellia.h new file mode 100644 index 0000000..7609613 --- /dev/null +++ b/camellia/camellia.h @@ -0,0 +1,37 @@ +/* camellia.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef CAMELLIA_H_ +#define CAMELLIA_H_ + +#include + +typedef struct camellia128_ctx_s{ + uint64_t klr; + uint64_t kll; + uint64_t kar; + uint64_t kal; +}camellia128_ctx_t; + + +void camellia128_init(const void* key, camellia128_ctx_t* s); +void camellia128_enc(void* block, const camellia128_ctx_t* s); +void camellia128_dec(void* block, const camellia128_ctx_t* s); + + +#endif /*CAMELLIA_H_*/ diff --git a/camellia/camellia128-stub.c b/camellia/camellia128-stub.c new file mode 100644 index 0000000..a09223a --- /dev/null +++ b/camellia/camellia128-stub.c @@ -0,0 +1,249 @@ +/* camellia128-stub.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * + * + * + * + */ + +#include +#include +#include +#include "camellia.h" +#if 0 + #include "cli.h" + #include "debug.h" + #include +#endif +/*****************************************************************************/ +uint64_t camellia_f(uint64_t x, uint64_t k); +/*****************************************************************************/ +uint64_t camellia_fl(uint64_t x, uint64_t k); +/*****************************************************************************/ +uint64_t camellia_fl_inv(uint64_t y, uint64_t k); +/*****************************************************************************/ +void change_endian(void* data, uint8_t length); +/* +uint64_t PROGMEM camellia_sigma[6]={ / * 64 byte table * / + 0xA09E667F3BCC908BLL, + 0xB67AE8584CAA73B2LL, + 0xC6EF372FE94F82BELL, + 0x54FF53A5F1D36F1CLL, + 0x10E527FADE682D1DLL, + 0xB05688C2B3E6C1FDLL +}; +*/ +uint32_t PROGMEM camellia_sigma[12]={ /* 48 byte table */ + 0x3BCC908BL, 0xA09E667FL, + 0x4CAA73B2L, 0xB67AE858L, + 0xE94F82BEL, 0xC6EF372FL, + 0xF1D36F1CL, 0x54FF53A5L, + 0xDE682D1DL, 0x10E527FAL, + 0xB3E6C1FDL, 0xB05688C2L +}; + +/* an ugly macro to load an entry form the table above */ +/* +#define SIGMA(p) (( ((uint64_t)(pgm_read_dword((prog_uint32_t*)camellia_sigma+2*(p)+1)))<<32) | \ + ((uint64_t)(pgm_read_dword((prog_uint32_t*)camellia_sigma+2*(p)+0))) ) +*/ +#define SIGMA(p) (( ((uint64_t)(pgm_read_dword(&(((prog_uint32_t*)camellia_sigma)[2*(p)+1]))))<<32) | \ + ((uint64_t)(pgm_read_dword(&(((prog_uint32_t*)camellia_sigma)[2*(p)+0])))) ) + + + +/*****************************************************************************/ +/* +void camellia128_ctx_dump(camellia128_ctx_t *s){ + cli_putstr_P(PSTR("\r\n==State Dump==")); + cli_putstr_P(PSTR("\n\rKAl: ")); cli_hexdump(&(s->kal), 8); + cli_putstr_P(PSTR("\n\rKAr: ")); cli_hexdump(&(s->kar), 8); + cli_putstr_P(PSTR("\n\rKLl: ")); cli_hexdump(&(s->kll), 8); + cli_putstr_P(PSTR("\n\rKLr: ")); cli_hexdump(&(s->klr), 8); + return; +} +*/ +/*****************************************************************************/ +/* extern prog_uint64_t camellia_sigma[6]; */ + +void camellia128_init(const void* key, camellia128_ctx_t* s){ + uint8_t i; + s->kll = 0; /* ((uint64_t*)key)[0]; */ + + /* load the key, endian-adjusted, to kll,klr */ + for(i=0; i<8; ++i){ + s->kll <<= 8; + s->kll |= *((uint8_t*)key); + key = (uint8_t*)key+1; + } + for(i=0; i<8; ++i){ + s->klr <<= 8; + s->klr |= *((uint8_t*)key); + key = (uint8_t*)key+1; + } + + s->kal = s->kll; + s->kar = s->klr; + + s->kar ^= camellia_f(s->kal, SIGMA(0)); + s->kal ^= camellia_f(s->kar, SIGMA(1)); + + s->kal ^= s->kll; + s->kar ^= s->klr; + + s->kar ^= camellia_f(s->kal, SIGMA(2)); + s->kal ^= camellia_f(s->kar, SIGMA(3)); +} + +/*****************************************************************************/ +void camellia128_keyop(camellia128_ctx_t* s, int8_t q); +/*****************************************************************************/ +void camellia128_keyop_inv(camellia128_ctx_t* s, int8_t q); +/*****************************************************************************/ + +#define SEL_KA 1 +#define SEL_KL 0 + +#define KEY_POSTC1 0x00 +#define KEY_POSTC2 0x01 +#define KEY_INC2 0x02 + +#define KEY_DIR 0x04 +#define KEY_DIR_NORM 0x00 +#define KEY_DIR_INV 0x04 + +#define KEY_AMMOUNT 0x08 +#define KEY_ROL17 0x08 +#define KEY_ROL15 0x00 + +void camellia_6rounds(const camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, + uint8_t roundop, uint8_t keychoice); +/*****************************************************************************/ + + +void camellia128_enc(void* block, const camellia128_ctx_t* s){ + + #define BL (((uint64_t*)block)[0]) + #define BR (((uint64_t*)block)[1]) + /* endian adjustment */ + /*BL*/ + /* 1 2 3 4 5 6 7 8 + * 8 7 6 5 4 3 2 1 + */ + + uint64_t temp64; + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + + /* Prewhitening */ + BL ^= s->kll; + BR ^= s->klr; + + /* the first 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_POSTC1 , 0x33); + /* FL injection */ + camellia128_keyop((camellia128_ctx_t*)s, -1); + BL = camellia_fl(BL, s->kal); + BR = camellia_fl_inv(BR, s->kar); + camellia128_keyop((camellia128_ctx_t*)s, -1); + /* middle 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_INC2 , 0x34); + /* FL injection */ + camellia128_keyop((camellia128_ctx_t*)s, 1); + BL = camellia_fl(BL, s->kll); + BR = camellia_fl_inv(BR, s->klr); + camellia128_keyop((camellia128_ctx_t*)s, 1); + /* last 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL17 | KEY_DIR_NORM | KEY_POSTC2 , 0x0C); + /* Postwhitening */ + BR ^= s->kal; + BL ^= s->kar; + + temp64 = BR; + BR = BL; + BL = temp64; + + camellia128_keyop((camellia128_ctx_t*)s,1); + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + + #undef BL + #undef BR +} + +/*****************************************************************************/ + +void camellia128_dec(void* block, const camellia128_ctx_t* s){ + + #define BL (((uint64_t*)block)[1]) + #define BR (((uint64_t*)block)[0]) + /* endian adjustment */ + /*BL*/ + /* 1 2 3 4 5 6 7 8 + * 8 7 6 5 4 3 2 1 + */ + + uint64_t temp64; + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + /* Prewhitening */ + BR ^= s->kal; /* kw3 */ + BL ^= s->kar; /* kw4 */ + /* the first 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL17 | KEY_DIR_INV | KEY_POSTC1 , 0x0C); + /* FL injection */ + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + BR = camellia_fl(BR, s->klr); + BL = camellia_fl_inv(BL, s->kll); + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + /* middle 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_INC2 , 0x0B); + /* FL injection */ + camellia128_keyop_inv((camellia128_ctx_t*)s, -1); + BR = camellia_fl(BR, s->kar); + BL = camellia_fl_inv(BL, s->kal); + camellia128_keyop_inv((camellia128_ctx_t*)s, -1); + /* last 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_POSTC2 , 0x33); + + /* Postwhitening */ + BL ^= s->kll; /* kw1 */ + BR ^= s->klr; /* kw2 */ + + temp64 = BR; + BR = BL; + BL = temp64; + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + +} + +/*****************************************************************************/ +/*****************************************************************************/ + + + +/* EOF */ diff --git a/camellia/camellia_C.c b/camellia/camellia_C.c new file mode 100644 index 0000000..c8cf450 --- /dev/null +++ b/camellia/camellia_C.c @@ -0,0 +1,473 @@ +/* camellia_C.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * + * + * + * + */ + +#include +#include +#include +#include "camellia.h" +#if 0 + #include "cli.h" + #include "debug.h" + #include +#endif +/*****************************************************************************/ + +uint8_t rol(uint8_t a, uint8_t n){return ((a<>(8-n)));} + +/*****************************************************************************/ + +uint8_t ror(uint8_t a, uint8_t n){return ((a<<(8-n)) | (a>>n));} + +/*****************************************************************************/ + +uint32_t rol32(uint32_t a, uint8_t n){ + return ((a<>(32-n))); +} + +/*****************************************************************************/ + +uint64_t rol64(uint64_t a, uint8_t n){ + return ((a<>(64-n))); +} + +/*****************************************************************************/ + +uint8_t camellia_s1_table[256] PROGMEM = { + 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, + 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, + 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, + 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, + 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, + 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, + 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, + 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, + 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, + 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, + 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, + 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, + 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, + 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, + 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, + 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 +}; + +/*****************************************************************************/ + +uint8_t camellia_s1(uint8_t b){ + return pgm_read_byte_near(&(camellia_s1_table[b])); +} + +/*****************************************************************************/ + +uint8_t camellia_s2(uint8_t b){ + return rol(pgm_read_byte_near(&(camellia_s1_table[b])),1); +} + +/*****************************************************************************/ + +uint8_t camellia_s3(uint8_t b){ + return ror(pgm_read_byte_near(&(camellia_s1_table[b])),1); +} + +/*****************************************************************************/ + +uint8_t camellia_s4(uint8_t b){ + return pgm_read_byte_near(&(camellia_s1_table[rol(b,1)])); +} + +/*****************************************************************************/ + +uint64_t camellia_s(uint64_t d){ +// cli_putstr("\n\r S von "); cli_hexdump(&(d), 8); + #define D ((uint8_t*)(&d)) + D[7] = camellia_s1(D[7]); + D[6] = camellia_s2(D[6]); + D[5] = camellia_s3(D[5]); + D[4] = camellia_s4(D[4]); + + D[3] = camellia_s2(D[3]); + D[2] = camellia_s3(D[2]); + D[1] = camellia_s4(D[1]); + D[0] = camellia_s1(D[0]); + #undef D +// cli_putstr(" ist "); cli_hexdump(&(d), 8); + return d; +} + +/*****************************************************************************/ + +uint64_t camellia_p(uint64_t d){ + uint64_t z=0; + #define D ((uint8_t*)(&d)) + #define Z ((uint8_t*)(&z)) +/* + Z[0] = D[4] ^ D[3] ^ D[1]; + Z[1] = D[5] ^ D[0] ^ D[2]; + Z[2] = D[6] ^ D[1] ^ D[3]; + Z[3] = D[7] ^ D[2] ^ D[0]; + Z[4] = D[0] ^ D[6] ^ D[5]; + Z[5] = D[1] ^ D[7] ^ D[6]; + Z[6] = D[2] ^ D[4] ^ D[7]; + Z[7] = D[3] ^ D[5] ^ D[4]; +*/ +// Z[7] = z1 z3 z4 z6 z7 z8 +// cli_putstr("\n\r P von "); cli_hexdump(&(d), 8); + + Z[7] = D[7] ^ D[5] ^ D[4] ^ D[2] ^ D[1] ^ D[0]; + Z[6] = D[7] ^ D[6] ^ D[4] ^ D[3] ^ D[1] ^ D[0]; + Z[5] = D[7] ^ D[6] ^ D[5] ^ D[3] ^ D[2] ^ D[0]; + Z[4] = D[6] ^ D[5] ^ D[4] ^ D[3] ^ D[2] ^ D[1] ; + Z[3] = D[7] ^ D[6] ^ D[2] ^ D[1] ^ D[0]; + Z[2] = D[6] ^ D[5] ^ D[3] ^ D[1] ^ D[0]; + Z[1] = D[5] ^ D[4] ^ D[3] ^ D[2] ^ D[0]; + Z[0] = D[7] ^ D[4] ^ D[3] ^ D[2] ^ D[1] ; + +// cli_putstr(" ist "); cli_hexdump(&(z), 8); + + #undef Z + #undef D + return z; +} + +/*****************************************************************************/ + +uint64_t camellia_f(uint64_t x, uint64_t k){ + uint64_t y; + y = camellia_p(camellia_s(x ^ k)); + return y; +} + +/*****************************************************************************/ + +uint64_t camellia_fl(uint64_t x, uint64_t k){ +// uint64_t lx, lk, y; + uint32_t lx[2], lk[2], yr, yl; + lx[0]=(uint32_t)x; + lx[1]=(uint32_t)(x>>32); + lk[0]=(uint32_t)k; + lk[1]=(uint32_t)(k>>32); + #define Y ((uint32_t*)y) + #define X ((uint32_t*)lx) + #define K ((uint32_t*)lk) + + yr = rol32((X[1]) & (K[1]) ,1) ^ (X[0]); /* Yr */ + yl = (yr | K[0]) ^ (X[1]); /* Yl */ + +/* + cli_putstr("\r\nFL("); + cli_hexdump(&(x), 8); + cli_putstr(", "); + cli_hexdump(&(k), 8); + cli_putstr(") = "); + cli_hexdump(y, 8); +*/ + #undef K + #undef X + #undef Y + return (((uint64_t)yl)<<32 | yr); +} + +/*****************************************************************************/ + +uint64_t camellia_fl_inv(uint64_t y, uint64_t k){ +//volatile uint32_t xl, xr; + uint32_t ly[2], lk[2], x[2]; + ly[0]=(uint32_t)y; + ly[1]=(uint32_t)(y>>32); + lk[0]=(uint32_t)k; + lk[1]=(uint32_t)(k>>32); + #define Y ((uint32_t*)ly) + #define X ((uint32_t*)x) + #define K ((uint32_t*)lk) + + X[1]=(Y[0] | K[0]) ^ Y[1]; + X[0]=rol32((X[1] & K[1]),1) ^ Y[0]; + +/* + cli_putstr("\r\nFL_inv("); + cli_hexdump(&(y), 8); + cli_putstr(", "); + cli_hexdump(&(k), 8); + cli_putstr(") = "); +*/ + #undef K + #undef X + #undef Y + return ((uint64_t)(x[1]))<<32 | x[0]; +} + +/*****************************************************************************/ + +uint64_t camellia_sigma[6]={ + 0xA09E667F3BCC908BLL, + 0xB67AE8584CAA73B2LL, + 0xC6EF372FE94F82BELL, + 0x54FF53A5F1D36F1CLL, + 0x10E527FADE682D1DLL, + 0xB05688C2B3E6C1FDLL +}; + +/*****************************************************************************/ +#if 0 +void camellia128_ctx_dump(camellia128_ctx_t *s){ + cli_putstr("\r\n==State Dump=="); + cli_putstr("\n\rKAl: "); cli_hexdump(&(s->kal), 8); + cli_putstr("\n\rKAr: "); cli_hexdump(&(s->kar), 8); + cli_putstr("\n\rKLl: "); cli_hexdump(&(s->kll), 8); + cli_putstr("\n\rKLr: "); cli_hexdump(&(s->klr), 8); + return; +} +#endif +/*****************************************************************************/ + +void camellia128_init(const void* key, camellia128_ctx_t* s){ + uint8_t i; + s->kll = 0; //((uint64_t*)key)[0]; + + /* load the key, endian-adjusted, to kll,klr */ + for(i=0; i<8; ++i){ + s->kll <<= 8; + s->kll |= *((uint8_t*)key); + key = (uint8_t*)key+1; + } + for(i=0; i<8; ++i){ + s->klr <<= 8; + s->klr |= *((uint8_t*)key); + key = (uint8_t*)key+1; + } + + s->kal = s->kll; + s->kar = s->klr; + + s->kar ^= camellia_f(s->kal, camellia_sigma[0]); + s->kal ^= camellia_f(s->kar, camellia_sigma[1]); + + s->kal ^= s->kll; + s->kar ^= s->klr; + + s->kar ^= camellia_f(s->kal, camellia_sigma[2]); + s->kal ^= camellia_f(s->kar, camellia_sigma[3]); + /**/ +// cli_putstr("\n\r----------------init finished--------------------"); +} + +/*****************************************************************************/ + +void camellia128_keyop(camellia128_ctx_t* s, int8_t q){ + /* first we do 16 bit left-rols for kl and ka (128bit each) */ + uint32_t temp; + + temp = (s->kal)>>(64-16-q); + s->kal = s->kal<<(16+q) | s->kar>>(64-16-q); + s->kar = s->kar<<(16+q) | temp; + + temp = (s->kll)>>(64-16-q); + s->kll = s->kll<<(16+q) | s->klr>>(64-16-q); + s->klr = s->klr<<(16+q) | temp; + /* after doing the 16-bit rol we have to rol 1 bit left or rigth depending on q */ +} + +/*****************************************************************************/ + +void camellia128_keyop_inv(camellia128_ctx_t* s, int8_t q){ + /* first we do 16 bit right-rols for kl and ka (128bit each) */ + uint32_t temp; + + temp = (s->kar)&(0xffffff>>(24-16-q)); + s->kar = s->kar>>(16+q) | s->kal<<(64-16-q); + s->kal = s->kal>>(16+q) | ((uint64_t)temp)<<(64-16-q); + + temp = (s->klr)&(0xffffff>>(24-16-q)); + s->klr = s->klr>>(16+q) | s->kll<<(64-16-q); + s->kll = s->kll>>(16+q) | ((uint64_t)temp)<<(64-16-q); + /* after doing the 16-bit rol we have to rol 1 bit left or rigth depending on q */ +} + +/*****************************************************************************/ + +#define SEL_KA 1 +#define SEL_KL 0 + +#define KEY_POSTC1 0x00 +#define KEY_POSTC2 0x01 +#define KEY_INC2 0x02 + +#define KEY_DIR 0x04 +#define KEY_DIR_NORM 0x00 +#define KEY_DIR_INV 0x04 + +#define KEY_AMMOUNT 0x08 +#define KEY_ROL17 0x08 +#define KEY_ROL15 0x00 + +void camellia_6rounds(const camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, uint8_t roundop, uint8_t keychoice){ + uint8_t i; + uint64_t* k[4]; + k[0] = &(((camellia128_ctx_t*)s)->kll); + k[1] = &(((camellia128_ctx_t*)s)->klr); + k[2] = &(((camellia128_ctx_t*)s)->kal); + k[3] = &(((camellia128_ctx_t*)s)->kar); + for(i=0; i<3; ++i){ /* each cycle */ + br[0] ^= camellia_f(bl[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?1:0)])); + keychoice >>= 1; + + if((i == 1) && (roundop&KEY_INC2)){ + ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(((camellia128_ctx_t*)s),(roundop&KEY_AMMOUNT)?1:-1); + } + + bl[0] ^= camellia_f(br[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?0:1)])); + keychoice >>= 1; + + /* check if we should do some keyop */ + if((i == (roundop&1)) && (!(roundop&KEY_INC2)) ){ + ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(((camellia128_ctx_t*)s),(roundop&KEY_AMMOUNT)?1:-1); + /* isn't it fuckin nice what we can do in C?! */ + } + } +} + +/*****************************************************************************/ + +void change_endian(void* data, uint8_t length){ + uint8_t i,a; + for(i=0; ikll; + BR ^= s->klr; + + /* the first 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_POSTC1 , 0x33); + /* FL injection */ + camellia128_keyop((camellia128_ctx_t*)s, -1); + BL = camellia_fl(BL, s->kal); + BR = camellia_fl_inv(BR, s->kar); + camellia128_keyop((camellia128_ctx_t*)s, -1); + /* middle 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_INC2 , 0x34); + /* FL injection */ + camellia128_keyop((camellia128_ctx_t*)s, 1); + BL = camellia_fl(BL, s->kll); + BR = camellia_fl_inv(BR, s->klr); + camellia128_keyop((camellia128_ctx_t*)s, 1); + /* last 6 */ + camellia_6rounds(s, &BL, &BR, KEY_ROL17 | KEY_DIR_NORM | KEY_POSTC2 , 0x0C); + /* Postwhitening */ + BR ^= s->kal; + BL ^= s->kar; + + temp64 = BR; + BR = BL; + BL = temp64; + + camellia128_keyop((camellia128_ctx_t*)s,1); + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + + #undef BL + #undef BR +} + +/*****************************************************************************/ + +void camellia128_dec(void* block, const camellia128_ctx_t* s){ + + #define BL (((uint64_t*)block)[1]) + #define BR (((uint64_t*)block)[0]) + /* endian adjustment */ + /*BL*/ + /* 1 2 3 4 5 6 7 8 + * 8 7 6 5 4 3 2 1 + */ + + uint64_t temp64; + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + /* Prewhitening */ + BR ^= s->kal; /* kw3 */ + BL ^= s->kar; /* kw4 */ + /* the first 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL17 | KEY_DIR_INV | KEY_POSTC1 , 0x0C); + /* FL injection */ + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + BR = camellia_fl(BR, s->klr); + BL = camellia_fl_inv(BL, s->kll); + camellia128_keyop_inv((camellia128_ctx_t*)s, 1); + /* middle 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_INC2 , 0x0B); + /* FL injection */ + camellia128_keyop_inv((camellia128_ctx_t*)s, -1); + BR = camellia_fl(BR, s->kar); + BL = camellia_fl_inv(BL, s->kal); + camellia128_keyop_inv((camellia128_ctx_t*)s, -1); + /* last 6 */ + camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_POSTC2 , 0x33); + + /* Postwhitening */ + BL ^= s->kll; /* kw1 */ + BR ^= s->klr; /* kw2 */ + + temp64 = BR; + BR = BL; + BL = temp64; + + change_endian(&BL, 64/8); + change_endian(&BR, 64/8); + +} + + + +/*****************************************************************************/ +/*****************************************************************************/ + + + +/* EOF */ diff --git a/camellia128-stub.c b/camellia128-stub.c deleted file mode 100644 index a09223a..0000000 --- a/camellia128-stub.c +++ /dev/null @@ -1,249 +0,0 @@ -/* camellia128-stub.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * - * - * - * - */ - -#include -#include -#include -#include "camellia.h" -#if 0 - #include "cli.h" - #include "debug.h" - #include -#endif -/*****************************************************************************/ -uint64_t camellia_f(uint64_t x, uint64_t k); -/*****************************************************************************/ -uint64_t camellia_fl(uint64_t x, uint64_t k); -/*****************************************************************************/ -uint64_t camellia_fl_inv(uint64_t y, uint64_t k); -/*****************************************************************************/ -void change_endian(void* data, uint8_t length); -/* -uint64_t PROGMEM camellia_sigma[6]={ / * 64 byte table * / - 0xA09E667F3BCC908BLL, - 0xB67AE8584CAA73B2LL, - 0xC6EF372FE94F82BELL, - 0x54FF53A5F1D36F1CLL, - 0x10E527FADE682D1DLL, - 0xB05688C2B3E6C1FDLL -}; -*/ -uint32_t PROGMEM camellia_sigma[12]={ /* 48 byte table */ - 0x3BCC908BL, 0xA09E667FL, - 0x4CAA73B2L, 0xB67AE858L, - 0xE94F82BEL, 0xC6EF372FL, - 0xF1D36F1CL, 0x54FF53A5L, - 0xDE682D1DL, 0x10E527FAL, - 0xB3E6C1FDL, 0xB05688C2L -}; - -/* an ugly macro to load an entry form the table above */ -/* -#define SIGMA(p) (( ((uint64_t)(pgm_read_dword((prog_uint32_t*)camellia_sigma+2*(p)+1)))<<32) | \ - ((uint64_t)(pgm_read_dword((prog_uint32_t*)camellia_sigma+2*(p)+0))) ) -*/ -#define SIGMA(p) (( ((uint64_t)(pgm_read_dword(&(((prog_uint32_t*)camellia_sigma)[2*(p)+1]))))<<32) | \ - ((uint64_t)(pgm_read_dword(&(((prog_uint32_t*)camellia_sigma)[2*(p)+0])))) ) - - - -/*****************************************************************************/ -/* -void camellia128_ctx_dump(camellia128_ctx_t *s){ - cli_putstr_P(PSTR("\r\n==State Dump==")); - cli_putstr_P(PSTR("\n\rKAl: ")); cli_hexdump(&(s->kal), 8); - cli_putstr_P(PSTR("\n\rKAr: ")); cli_hexdump(&(s->kar), 8); - cli_putstr_P(PSTR("\n\rKLl: ")); cli_hexdump(&(s->kll), 8); - cli_putstr_P(PSTR("\n\rKLr: ")); cli_hexdump(&(s->klr), 8); - return; -} -*/ -/*****************************************************************************/ -/* extern prog_uint64_t camellia_sigma[6]; */ - -void camellia128_init(const void* key, camellia128_ctx_t* s){ - uint8_t i; - s->kll = 0; /* ((uint64_t*)key)[0]; */ - - /* load the key, endian-adjusted, to kll,klr */ - for(i=0; i<8; ++i){ - s->kll <<= 8; - s->kll |= *((uint8_t*)key); - key = (uint8_t*)key+1; - } - for(i=0; i<8; ++i){ - s->klr <<= 8; - s->klr |= *((uint8_t*)key); - key = (uint8_t*)key+1; - } - - s->kal = s->kll; - s->kar = s->klr; - - s->kar ^= camellia_f(s->kal, SIGMA(0)); - s->kal ^= camellia_f(s->kar, SIGMA(1)); - - s->kal ^= s->kll; - s->kar ^= s->klr; - - s->kar ^= camellia_f(s->kal, SIGMA(2)); - s->kal ^= camellia_f(s->kar, SIGMA(3)); -} - -/*****************************************************************************/ -void camellia128_keyop(camellia128_ctx_t* s, int8_t q); -/*****************************************************************************/ -void camellia128_keyop_inv(camellia128_ctx_t* s, int8_t q); -/*****************************************************************************/ - -#define SEL_KA 1 -#define SEL_KL 0 - -#define KEY_POSTC1 0x00 -#define KEY_POSTC2 0x01 -#define KEY_INC2 0x02 - -#define KEY_DIR 0x04 -#define KEY_DIR_NORM 0x00 -#define KEY_DIR_INV 0x04 - -#define KEY_AMMOUNT 0x08 -#define KEY_ROL17 0x08 -#define KEY_ROL15 0x00 - -void camellia_6rounds(const camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, - uint8_t roundop, uint8_t keychoice); -/*****************************************************************************/ - - -void camellia128_enc(void* block, const camellia128_ctx_t* s){ - - #define BL (((uint64_t*)block)[0]) - #define BR (((uint64_t*)block)[1]) - /* endian adjustment */ - /*BL*/ - /* 1 2 3 4 5 6 7 8 - * 8 7 6 5 4 3 2 1 - */ - - uint64_t temp64; - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - - /* Prewhitening */ - BL ^= s->kll; - BR ^= s->klr; - - /* the first 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_POSTC1 , 0x33); - /* FL injection */ - camellia128_keyop((camellia128_ctx_t*)s, -1); - BL = camellia_fl(BL, s->kal); - BR = camellia_fl_inv(BR, s->kar); - camellia128_keyop((camellia128_ctx_t*)s, -1); - /* middle 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_INC2 , 0x34); - /* FL injection */ - camellia128_keyop((camellia128_ctx_t*)s, 1); - BL = camellia_fl(BL, s->kll); - BR = camellia_fl_inv(BR, s->klr); - camellia128_keyop((camellia128_ctx_t*)s, 1); - /* last 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL17 | KEY_DIR_NORM | KEY_POSTC2 , 0x0C); - /* Postwhitening */ - BR ^= s->kal; - BL ^= s->kar; - - temp64 = BR; - BR = BL; - BL = temp64; - - camellia128_keyop((camellia128_ctx_t*)s,1); - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - - #undef BL - #undef BR -} - -/*****************************************************************************/ - -void camellia128_dec(void* block, const camellia128_ctx_t* s){ - - #define BL (((uint64_t*)block)[1]) - #define BR (((uint64_t*)block)[0]) - /* endian adjustment */ - /*BL*/ - /* 1 2 3 4 5 6 7 8 - * 8 7 6 5 4 3 2 1 - */ - - uint64_t temp64; - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - /* Prewhitening */ - BR ^= s->kal; /* kw3 */ - BL ^= s->kar; /* kw4 */ - /* the first 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL17 | KEY_DIR_INV | KEY_POSTC1 , 0x0C); - /* FL injection */ - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - BR = camellia_fl(BR, s->klr); - BL = camellia_fl_inv(BL, s->kll); - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - /* middle 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_INC2 , 0x0B); - /* FL injection */ - camellia128_keyop_inv((camellia128_ctx_t*)s, -1); - BR = camellia_fl(BR, s->kar); - BL = camellia_fl_inv(BL, s->kal); - camellia128_keyop_inv((camellia128_ctx_t*)s, -1); - /* last 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_POSTC2 , 0x33); - - /* Postwhitening */ - BL ^= s->kll; /* kw1 */ - BR ^= s->klr; /* kw2 */ - - temp64 = BR; - BR = BL; - BL = temp64; - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - -} - -/*****************************************************************************/ -/*****************************************************************************/ - - - -/* EOF */ diff --git a/camellia_C.c b/camellia_C.c deleted file mode 100644 index c8cf450..0000000 --- a/camellia_C.c +++ /dev/null @@ -1,473 +0,0 @@ -/* camellia_C.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * - * - * - * - */ - -#include -#include -#include -#include "camellia.h" -#if 0 - #include "cli.h" - #include "debug.h" - #include -#endif -/*****************************************************************************/ - -uint8_t rol(uint8_t a, uint8_t n){return ((a<>(8-n)));} - -/*****************************************************************************/ - -uint8_t ror(uint8_t a, uint8_t n){return ((a<<(8-n)) | (a>>n));} - -/*****************************************************************************/ - -uint32_t rol32(uint32_t a, uint8_t n){ - return ((a<>(32-n))); -} - -/*****************************************************************************/ - -uint64_t rol64(uint64_t a, uint8_t n){ - return ((a<>(64-n))); -} - -/*****************************************************************************/ - -uint8_t camellia_s1_table[256] PROGMEM = { - 112, 130, 44, 236, 179, 39, 192, 229, 228, 133, 87, 53, 234, 12, 174, 65, - 35, 239, 107, 147, 69, 25, 165, 33, 237, 14, 79, 78, 29, 101, 146, 189, - 134, 184, 175, 143, 124, 235, 31, 206, 62, 48, 220, 95, 94, 197, 11, 26, - 166, 225, 57, 202, 213, 71, 93, 61, 217, 1, 90, 214, 81, 86, 108, 77, - 139, 13, 154, 102, 251, 204, 176, 45, 116, 18, 43, 32, 240, 177, 132, 153, - 223, 76, 203, 194, 52, 126, 118, 5, 109, 183, 169, 49, 209, 23, 4, 215, - 20, 88, 58, 97, 222, 27, 17, 28, 50, 15, 156, 22, 83, 24, 242, 34, - 254, 68, 207, 178, 195, 181, 122, 145, 36, 8, 232, 168, 96, 252, 105, 80, - 170, 208, 160, 125, 161, 137, 98, 151, 84, 91, 30, 149, 224, 255, 100, 210, - 16, 196, 0, 72, 163, 247, 117, 219, 138, 3, 230, 218, 9, 63, 221, 148, - 135, 92, 131, 2, 205, 74, 144, 51, 115, 103, 246, 243, 157, 127, 191, 226, - 82, 155, 216, 38, 200, 55, 198, 59, 129, 150, 111, 75, 19, 190, 99, 46, - 233, 121, 167, 140, 159, 110, 188, 142, 41, 245, 249, 182, 47, 253, 180, 89, - 120, 152, 6, 106, 231, 70, 113, 186, 212, 37, 171, 66, 136, 162, 141, 250, - 114, 7, 185, 85, 248, 238, 172, 10, 54, 73, 42, 104, 60, 56, 241, 164, - 64, 40, 211, 123, 187, 201, 67, 193, 21, 227, 173, 244, 119, 199, 128, 158 -}; - -/*****************************************************************************/ - -uint8_t camellia_s1(uint8_t b){ - return pgm_read_byte_near(&(camellia_s1_table[b])); -} - -/*****************************************************************************/ - -uint8_t camellia_s2(uint8_t b){ - return rol(pgm_read_byte_near(&(camellia_s1_table[b])),1); -} - -/*****************************************************************************/ - -uint8_t camellia_s3(uint8_t b){ - return ror(pgm_read_byte_near(&(camellia_s1_table[b])),1); -} - -/*****************************************************************************/ - -uint8_t camellia_s4(uint8_t b){ - return pgm_read_byte_near(&(camellia_s1_table[rol(b,1)])); -} - -/*****************************************************************************/ - -uint64_t camellia_s(uint64_t d){ -// cli_putstr("\n\r S von "); cli_hexdump(&(d), 8); - #define D ((uint8_t*)(&d)) - D[7] = camellia_s1(D[7]); - D[6] = camellia_s2(D[6]); - D[5] = camellia_s3(D[5]); - D[4] = camellia_s4(D[4]); - - D[3] = camellia_s2(D[3]); - D[2] = camellia_s3(D[2]); - D[1] = camellia_s4(D[1]); - D[0] = camellia_s1(D[0]); - #undef D -// cli_putstr(" ist "); cli_hexdump(&(d), 8); - return d; -} - -/*****************************************************************************/ - -uint64_t camellia_p(uint64_t d){ - uint64_t z=0; - #define D ((uint8_t*)(&d)) - #define Z ((uint8_t*)(&z)) -/* - Z[0] = D[4] ^ D[3] ^ D[1]; - Z[1] = D[5] ^ D[0] ^ D[2]; - Z[2] = D[6] ^ D[1] ^ D[3]; - Z[3] = D[7] ^ D[2] ^ D[0]; - Z[4] = D[0] ^ D[6] ^ D[5]; - Z[5] = D[1] ^ D[7] ^ D[6]; - Z[6] = D[2] ^ D[4] ^ D[7]; - Z[7] = D[3] ^ D[5] ^ D[4]; -*/ -// Z[7] = z1 z3 z4 z6 z7 z8 -// cli_putstr("\n\r P von "); cli_hexdump(&(d), 8); - - Z[7] = D[7] ^ D[5] ^ D[4] ^ D[2] ^ D[1] ^ D[0]; - Z[6] = D[7] ^ D[6] ^ D[4] ^ D[3] ^ D[1] ^ D[0]; - Z[5] = D[7] ^ D[6] ^ D[5] ^ D[3] ^ D[2] ^ D[0]; - Z[4] = D[6] ^ D[5] ^ D[4] ^ D[3] ^ D[2] ^ D[1] ; - Z[3] = D[7] ^ D[6] ^ D[2] ^ D[1] ^ D[0]; - Z[2] = D[6] ^ D[5] ^ D[3] ^ D[1] ^ D[0]; - Z[1] = D[5] ^ D[4] ^ D[3] ^ D[2] ^ D[0]; - Z[0] = D[7] ^ D[4] ^ D[3] ^ D[2] ^ D[1] ; - -// cli_putstr(" ist "); cli_hexdump(&(z), 8); - - #undef Z - #undef D - return z; -} - -/*****************************************************************************/ - -uint64_t camellia_f(uint64_t x, uint64_t k){ - uint64_t y; - y = camellia_p(camellia_s(x ^ k)); - return y; -} - -/*****************************************************************************/ - -uint64_t camellia_fl(uint64_t x, uint64_t k){ -// uint64_t lx, lk, y; - uint32_t lx[2], lk[2], yr, yl; - lx[0]=(uint32_t)x; - lx[1]=(uint32_t)(x>>32); - lk[0]=(uint32_t)k; - lk[1]=(uint32_t)(k>>32); - #define Y ((uint32_t*)y) - #define X ((uint32_t*)lx) - #define K ((uint32_t*)lk) - - yr = rol32((X[1]) & (K[1]) ,1) ^ (X[0]); /* Yr */ - yl = (yr | K[0]) ^ (X[1]); /* Yl */ - -/* - cli_putstr("\r\nFL("); - cli_hexdump(&(x), 8); - cli_putstr(", "); - cli_hexdump(&(k), 8); - cli_putstr(") = "); - cli_hexdump(y, 8); -*/ - #undef K - #undef X - #undef Y - return (((uint64_t)yl)<<32 | yr); -} - -/*****************************************************************************/ - -uint64_t camellia_fl_inv(uint64_t y, uint64_t k){ -//volatile uint32_t xl, xr; - uint32_t ly[2], lk[2], x[2]; - ly[0]=(uint32_t)y; - ly[1]=(uint32_t)(y>>32); - lk[0]=(uint32_t)k; - lk[1]=(uint32_t)(k>>32); - #define Y ((uint32_t*)ly) - #define X ((uint32_t*)x) - #define K ((uint32_t*)lk) - - X[1]=(Y[0] | K[0]) ^ Y[1]; - X[0]=rol32((X[1] & K[1]),1) ^ Y[0]; - -/* - cli_putstr("\r\nFL_inv("); - cli_hexdump(&(y), 8); - cli_putstr(", "); - cli_hexdump(&(k), 8); - cli_putstr(") = "); -*/ - #undef K - #undef X - #undef Y - return ((uint64_t)(x[1]))<<32 | x[0]; -} - -/*****************************************************************************/ - -uint64_t camellia_sigma[6]={ - 0xA09E667F3BCC908BLL, - 0xB67AE8584CAA73B2LL, - 0xC6EF372FE94F82BELL, - 0x54FF53A5F1D36F1CLL, - 0x10E527FADE682D1DLL, - 0xB05688C2B3E6C1FDLL -}; - -/*****************************************************************************/ -#if 0 -void camellia128_ctx_dump(camellia128_ctx_t *s){ - cli_putstr("\r\n==State Dump=="); - cli_putstr("\n\rKAl: "); cli_hexdump(&(s->kal), 8); - cli_putstr("\n\rKAr: "); cli_hexdump(&(s->kar), 8); - cli_putstr("\n\rKLl: "); cli_hexdump(&(s->kll), 8); - cli_putstr("\n\rKLr: "); cli_hexdump(&(s->klr), 8); - return; -} -#endif -/*****************************************************************************/ - -void camellia128_init(const void* key, camellia128_ctx_t* s){ - uint8_t i; - s->kll = 0; //((uint64_t*)key)[0]; - - /* load the key, endian-adjusted, to kll,klr */ - for(i=0; i<8; ++i){ - s->kll <<= 8; - s->kll |= *((uint8_t*)key); - key = (uint8_t*)key+1; - } - for(i=0; i<8; ++i){ - s->klr <<= 8; - s->klr |= *((uint8_t*)key); - key = (uint8_t*)key+1; - } - - s->kal = s->kll; - s->kar = s->klr; - - s->kar ^= camellia_f(s->kal, camellia_sigma[0]); - s->kal ^= camellia_f(s->kar, camellia_sigma[1]); - - s->kal ^= s->kll; - s->kar ^= s->klr; - - s->kar ^= camellia_f(s->kal, camellia_sigma[2]); - s->kal ^= camellia_f(s->kar, camellia_sigma[3]); - /**/ -// cli_putstr("\n\r----------------init finished--------------------"); -} - -/*****************************************************************************/ - -void camellia128_keyop(camellia128_ctx_t* s, int8_t q){ - /* first we do 16 bit left-rols for kl and ka (128bit each) */ - uint32_t temp; - - temp = (s->kal)>>(64-16-q); - s->kal = s->kal<<(16+q) | s->kar>>(64-16-q); - s->kar = s->kar<<(16+q) | temp; - - temp = (s->kll)>>(64-16-q); - s->kll = s->kll<<(16+q) | s->klr>>(64-16-q); - s->klr = s->klr<<(16+q) | temp; - /* after doing the 16-bit rol we have to rol 1 bit left or rigth depending on q */ -} - -/*****************************************************************************/ - -void camellia128_keyop_inv(camellia128_ctx_t* s, int8_t q){ - /* first we do 16 bit right-rols for kl and ka (128bit each) */ - uint32_t temp; - - temp = (s->kar)&(0xffffff>>(24-16-q)); - s->kar = s->kar>>(16+q) | s->kal<<(64-16-q); - s->kal = s->kal>>(16+q) | ((uint64_t)temp)<<(64-16-q); - - temp = (s->klr)&(0xffffff>>(24-16-q)); - s->klr = s->klr>>(16+q) | s->kll<<(64-16-q); - s->kll = s->kll>>(16+q) | ((uint64_t)temp)<<(64-16-q); - /* after doing the 16-bit rol we have to rol 1 bit left or rigth depending on q */ -} - -/*****************************************************************************/ - -#define SEL_KA 1 -#define SEL_KL 0 - -#define KEY_POSTC1 0x00 -#define KEY_POSTC2 0x01 -#define KEY_INC2 0x02 - -#define KEY_DIR 0x04 -#define KEY_DIR_NORM 0x00 -#define KEY_DIR_INV 0x04 - -#define KEY_AMMOUNT 0x08 -#define KEY_ROL17 0x08 -#define KEY_ROL15 0x00 - -void camellia_6rounds(const camellia128_ctx_t* s, uint64_t* bl, uint64_t* br, uint8_t roundop, uint8_t keychoice){ - uint8_t i; - uint64_t* k[4]; - k[0] = &(((camellia128_ctx_t*)s)->kll); - k[1] = &(((camellia128_ctx_t*)s)->klr); - k[2] = &(((camellia128_ctx_t*)s)->kal); - k[3] = &(((camellia128_ctx_t*)s)->kar); - for(i=0; i<3; ++i){ /* each cycle */ - br[0] ^= camellia_f(bl[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?1:0)])); - keychoice >>= 1; - - if((i == 1) && (roundop&KEY_INC2)){ - ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(((camellia128_ctx_t*)s),(roundop&KEY_AMMOUNT)?1:-1); - } - - bl[0] ^= camellia_f(br[0],*(k[(keychoice&1)*2+((roundop&KEY_DIR)?0:1)])); - keychoice >>= 1; - - /* check if we should do some keyop */ - if((i == (roundop&1)) && (!(roundop&KEY_INC2)) ){ - ((roundop&KEY_DIR)?camellia128_keyop_inv:camellia128_keyop)(((camellia128_ctx_t*)s),(roundop&KEY_AMMOUNT)?1:-1); - /* isn't it fuckin nice what we can do in C?! */ - } - } -} - -/*****************************************************************************/ - -void change_endian(void* data, uint8_t length){ - uint8_t i,a; - for(i=0; ikll; - BR ^= s->klr; - - /* the first 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_POSTC1 , 0x33); - /* FL injection */ - camellia128_keyop((camellia128_ctx_t*)s, -1); - BL = camellia_fl(BL, s->kal); - BR = camellia_fl_inv(BR, s->kar); - camellia128_keyop((camellia128_ctx_t*)s, -1); - /* middle 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL15 | KEY_DIR_NORM | KEY_INC2 , 0x34); - /* FL injection */ - camellia128_keyop((camellia128_ctx_t*)s, 1); - BL = camellia_fl(BL, s->kll); - BR = camellia_fl_inv(BR, s->klr); - camellia128_keyop((camellia128_ctx_t*)s, 1); - /* last 6 */ - camellia_6rounds(s, &BL, &BR, KEY_ROL17 | KEY_DIR_NORM | KEY_POSTC2 , 0x0C); - /* Postwhitening */ - BR ^= s->kal; - BL ^= s->kar; - - temp64 = BR; - BR = BL; - BL = temp64; - - camellia128_keyop((camellia128_ctx_t*)s,1); - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - - #undef BL - #undef BR -} - -/*****************************************************************************/ - -void camellia128_dec(void* block, const camellia128_ctx_t* s){ - - #define BL (((uint64_t*)block)[1]) - #define BR (((uint64_t*)block)[0]) - /* endian adjustment */ - /*BL*/ - /* 1 2 3 4 5 6 7 8 - * 8 7 6 5 4 3 2 1 - */ - - uint64_t temp64; - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - /* Prewhitening */ - BR ^= s->kal; /* kw3 */ - BL ^= s->kar; /* kw4 */ - /* the first 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL17 | KEY_DIR_INV | KEY_POSTC1 , 0x0C); - /* FL injection */ - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - BR = camellia_fl(BR, s->klr); - BL = camellia_fl_inv(BL, s->kll); - camellia128_keyop_inv((camellia128_ctx_t*)s, 1); - /* middle 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_INC2 , 0x0B); - /* FL injection */ - camellia128_keyop_inv((camellia128_ctx_t*)s, -1); - BR = camellia_fl(BR, s->kar); - BL = camellia_fl_inv(BL, s->kal); - camellia128_keyop_inv((camellia128_ctx_t*)s, -1); - /* last 6 */ - camellia_6rounds(s, &BR, &BL, KEY_ROL15 | KEY_DIR_INV | KEY_POSTC2 , 0x33); - - /* Postwhitening */ - BL ^= s->kll; /* kw1 */ - BR ^= s->klr; /* kw2 */ - - temp64 = BR; - BR = BL; - BL = temp64; - - change_endian(&BL, 64/8); - change_endian(&BR, 64/8); - -} - - - -/*****************************************************************************/ -/*****************************************************************************/ - - - -/* EOF */ diff --git a/config.h b/config.h index b501bab..5fb1011 100644 --- a/config.h +++ b/config.h @@ -37,7 +37,7 @@ #define UART0_DATABITS UART_DATABITS_8 #define UART0_RXBUFFER_SIZE 64 #define UART0_TXBUFFER_SIZE 64 -#define UART0_SWFLOWCTRL 0 +#define UART0_SWFLOWCTRL 1 #define UART0_THRESH_LOW 10 #define UART0_THRESH_HIGH 48 diff --git a/groestl/aes_sbox.c b/groestl/aes_sbox.c new file mode 100644 index 0000000..85b08de --- /dev/null +++ b/groestl/aes_sbox.c @@ -0,0 +1,23 @@ +/* aes sbox */ + +#include +#include +uint8_t aes_sbox[256] PROGMEM = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, + 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, + 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, + 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, + 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, + 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, + 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, + 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, + 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, + 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, + 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, + 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, + 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, + 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, + 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +}; + diff --git a/groestl/aes_sbox.h b/groestl/aes_sbox.h new file mode 100644 index 0000000..5bc03b7 --- /dev/null +++ b/groestl/aes_sbox.h @@ -0,0 +1,33 @@ +/* aes_sbox.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_sbox.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_SBOX_H_ +#define AES_SBOX_H_ +#include + +extern uint8_t aes_sbox[]; + +#endif diff --git a/groestl/gf256mul.S b/groestl/gf256mul.S new file mode 100644 index 0000000..b269d3a --- /dev/null +++ b/groestl/gf256mul.S @@ -0,0 +1,82 @@ +/* gf256mul.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: gf256mul.S + * Author: Daniel Otte + * Date: 2008-12-19 + * License: GPLv3 or later + * Description: peasant's algorithm for multiplication in GF(2^8) + * + */ + +#include +#define OPTIMIZE_SMALL_A + +/* + * param a: r24 + * param b: r22 + * param reducer: r20 + */ +A = 23 +B = 22 +P = 24 +.global gf256mul + +#ifdef OPTIMIZE_SMALL_A +gf256mul: + mov A, r24 + clr r24 +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +#else + +gf256mul: + mov r21, r24 + clr r24 + ldi r25, 8 +1: + lsr A + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + dec r25 + brne 1b + ret + +#endif diff --git a/groestl/gf256mul.h b/groestl/gf256mul.h new file mode 100644 index 0000000..87f1cb3 --- /dev/null +++ b/groestl/gf256mul.h @@ -0,0 +1,37 @@ +/* gf256mul.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef GF256MUL_H_ +#define GF256MUL_H_ + +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2008-12-19 + * \license GPLv3 + * \brief + * + * + */ + +#include + +uint8_t gf256mul(uint8_t a, uint8_t b, uint8_t reducer); + +#endif /* GF256MUL_H_ */ + diff --git a/groestl/groestl_large.c b/groestl/groestl_large.c new file mode 100644 index 0000000..bcfd8e5 --- /dev/null +++ b/groestl/groestl_large.c @@ -0,0 +1,242 @@ +/* groestl_large.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file groestl_large.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-06-11 + * \license GPLv3 or later + * + */ + +#include "groestl_large.h" +#include "aes_sbox.h" +#include "gf256mul.h" +#include "memxor.h" +#include +#include +#include + +#define ROUNDS 14 +#define POLYNOM 0x1b + +#define DEBUG 0 + +#if DEBUG + #include "cli.h" + void dump_m(const uint8_t* m){ + uint8_t i,j; + for(i=0; i<16; ++i){ + cli_putstr_P(PSTR("\r\n")); + for(j=0; j<8; ++j){ + cli_putc(' '); + cli_hexdump(m+8*i+j, 1); + } + } + } +#else + #define dump_m(m) +#endif + +static uint8_t matrix[] PROGMEM = { + 2, 2, 3, 4, 5, 3, 5, 7, + 7, 2, 2, 3, 4, 5, 3, 5, + 5, 7, 2, 2, 3, 4, 5, 3, + 3, 5, 7, 2, 2, 3, 4, 5, + 5, 3, 5, 7, 2, 2, 3, 4, + 4, 5, 3, 5, 7, 2, 2, 3, + 3, 4, 5, 3, 5, 7, 2, 2, + 2, 3, 4, 5, 3, 5, 7, 2 +}; + +void groestl_large_rounds(uint8_t *m, uint8_t q){ + uint8_t r,i,j; + uint8_t tmp[16]; + for(r=0; rh, 0, 16*8); + ctx->h[8*16-1] = (uint8_t)384; + ctx->h[8*16-2] = (uint8_t)(384>>8); + ctx->counter = 0; +} + +void groestl512_init(groestl512_ctx_t* ctx){ + memset(ctx->h, 0, 16*8); + ctx->h[8*16-2] = 2; + ctx->counter = 0; +} + +void groestl_large_nextBlock(groestl_large_ctx_t* ctx, const void* block){ + uint8_t tmp1[128], tmp2[128]; +/* + for(i=0; i<8; ++i){ + for(j=0; j<8; ++j){ + tmp1[j*8+i] = ((uint8_t*)block)[i*8+j]; + } + } +*/ + memcpy(tmp1, block, 128); + memcpy(tmp2, tmp1, 128); + memxor(tmp1, ctx->h, 128); + groestl_large_rounds(tmp1, 0); + groestl_large_rounds(tmp2, 1); + memxor(ctx->h, tmp1, 128); + memxor(ctx->h, tmp2, 128); + ctx->counter++; +} + +void groestl_large_lastBlock(groestl_large_ctx_t* ctx, const void* block, uint16_t length_b){ + uint8_t buffer[128]; + while(length_b>=GROESTL_LARGE_BLOCKSIZE){ + groestl_large_nextBlock(ctx, block); + length_b -= GROESTL_LARGE_BLOCKSIZE; + block = (uint8_t*)block + GROESTL_LARGE_BLOCKSIZE_B; + } + memset(buffer, 0, 128); + memcpy(buffer, block, (length_b+7)/8); + buffer[length_b/8] |= 0x80>>(length_b%8); + if(length_b>1024-65){ + groestl_large_nextBlock(ctx, buffer); + memset(buffer, 0, 128-4); + } + ctx->counter++; + buffer[128-1] = (uint8_t)(ctx->counter); + buffer[128-2] = (uint8_t)((ctx->counter)>>8); + buffer[128-3] = (uint8_t)((ctx->counter)>>16); + buffer[128-4] = (uint8_t)((ctx->counter)>>24); + groestl_large_nextBlock(ctx, buffer); +} + +void groestl_large_ctx2hash(void* dest, const groestl_large_ctx_t* ctx, uint16_t outlength_b){ + uint8_t tmp[128]; + memcpy(tmp, ctx->h, 128); + groestl_large_rounds(tmp, 0); + memxor(tmp, ctx->h, 128); +#if DEBUG + cli_putstr_P(PSTR("\r\npost finalisation")); + dump_m(tmp); +#endif + memcpy(dest, tmp+128-outlength_b/8, outlength_b/8); +} + +void groestl384_ctx2hash(void* dest, const groestl384_ctx_t* ctx){ + groestl_large_ctx2hash(dest, ctx, 384); +} + +void groestl512_ctx2hash(void* dest, const groestl512_ctx_t* ctx){ + groestl_large_ctx2hash(dest, ctx, 512); +} + +void groestl384_nextBlock(groestl384_ctx_t* ctx, const void* block){ + groestl_large_nextBlock(ctx, block); +} + +void groestl512_nextBlock(groestl512_ctx_t* ctx, const void* block){ + groestl_large_nextBlock(ctx, block); +} + +void groestl384_lastBlock(groestl384_ctx_t* ctx, const void* block, uint16_t length_b){ + groestl_large_lastBlock(ctx, block, length_b); +} + +void groestl512_lastBlock(groestl512_ctx_t* ctx, const void* block, uint16_t length_b){ + groestl_large_lastBlock(ctx, block, length_b); +} + +void groestl384(void* dest, const void* msg, uint32_t length_b){ + groestl_large_ctx_t ctx; + groestl384_init(&ctx); + while(length_b>=GROESTL_LARGE_BLOCKSIZE){ + groestl_large_nextBlock(&ctx, msg); + length_b -= GROESTL_LARGE_BLOCKSIZE; + msg = (uint8_t*)msg + GROESTL_LARGE_BLOCKSIZE_B; + } + groestl_large_lastBlock(&ctx, msg, length_b); + groestl_large_ctx2hash(dest, &ctx, 384); +} + +void groestl512(void* dest, const void* msg, uint32_t length_b){ + groestl_large_ctx_t ctx; + groestl512_init(&ctx); + while(length_b>=GROESTL_LARGE_BLOCKSIZE){ + groestl_large_nextBlock(&ctx, msg); + length_b -= GROESTL_LARGE_BLOCKSIZE; + msg = (uint8_t*)msg + GROESTL_LARGE_BLOCKSIZE_B; + } + groestl_large_lastBlock(&ctx, msg, length_b); + groestl_large_ctx2hash(dest, &ctx, 512); +} + + + diff --git a/groestl/groestl_large.h b/groestl/groestl_large.h new file mode 100644 index 0000000..c932fb7 --- /dev/null +++ b/groestl/groestl_large.h @@ -0,0 +1,65 @@ +/* groestl_large.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file groestl_large.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-19 + * \license GPLv3 or later + * + */ +#ifndef GROESTL_LARGE_H_ +#define GROESTL_LARGE_H_ + +#include + +#define GROESTL_LARGE_BLOCKSIZE 1024 +#define GROESTL_LARGE_BLOCKSIZE_B ((GROESTL_LARGE_BLOCKSIZE+7)/8) +#define GROESTL384_BLOCKSIZE GROESTL_LARGE_BLOCKSIZE +#define GROESTL384_BLOCKSIZE_B GROESTL_LARGE_BLOCKSIZE_B +#define GROESTL512_BLOCKSIZE GROESTL_LARGE_BLOCKSIZE +#define GROESTL512_BLOCKSIZE_B GROESTL_LARGE_BLOCKSIZE_B + +typedef struct { + uint8_t h[8*16]; + uint32_t counter; +} groestl_large_ctx_t; + +typedef groestl_large_ctx_t groestl384_ctx_t; +typedef groestl_large_ctx_t groestl512_ctx_t; + +void groestl384_init(groestl384_ctx_t* ctx); +void groestl512_init(groestl512_ctx_t* ctx); + +void groestl_large_nextBlock(groestl_large_ctx_t* ctx, const void* block); +void groestl_large_lastBlock(groestl_large_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl384_nextBlock(groestl384_ctx_t* ctx, const void* block); +void groestl384_lastBlock(groestl384_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl512_nextBlock(groestl512_ctx_t* ctx, const void* block); +void groestl512_lastBlock(groestl512_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl384_ctx2hash(void* dest, const groestl384_ctx_t* ctx); +void groestl512_ctx2hash(void* dest, const groestl512_ctx_t* ctx); + +void groestl384(void* dest, const void* msg, uint32_t length_b); +void groestl512(void* dest, const void* msg, uint32_t length_b); + +#endif /* GROESTL_GROESTL_H_ */ diff --git a/groestl/groestl_small.c b/groestl/groestl_small.c new file mode 100644 index 0000000..e5a3d94 --- /dev/null +++ b/groestl/groestl_small.c @@ -0,0 +1,234 @@ +/* groestl_small.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file groestl_small.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-19 + * \license GPLv3 or later + * + */ + +#include "groestl_small.h" +#include "aes_sbox.h" +#include "gf256mul.h" +#include "memxor.h" +#include +#include +#include + +#define ROUNDS 10 +#define POLYNOM 0x1b + +#define DEBUG 0 + +#if DEBUG + #include "cli.h" + void dump_m(const uint8_t* m){ + uint8_t i,j; + for(i=0; i<8; ++i){ + cli_putstr_P(PSTR("\r\n")); + for(j=0; j<8; ++j){ + cli_putc(' '); + cli_hexdump(m+8*i+j, 1); + } + } + } +#else + #define dump_m(m) +#endif + +static uint8_t matrix[] PROGMEM = { + 2, 2, 3, 4, 5, 3, 5, 7, + 7, 2, 2, 3, 4, 5, 3, 5, + 5, 7, 2, 2, 3, 4, 5, 3, + 3, 5, 7, 2, 2, 3, 4, 5, + 5, 3, 5, 7, 2, 2, 3, 4, + 4, 5, 3, 5, 7, 2, 2, 3, + 3, 4, 5, 3, 5, 7, 2, 2, + 2, 3, 4, 5, 3, 5, 7, 2 +}; + +void groestl_small_rounds(uint8_t *m, uint8_t q){ + uint8_t r,i,j; + uint8_t tmp[8]; + for(r=0; rh, 0, 8*8); + ctx->h[8*8-1] = 224; + ctx->counter = 0; +} + +void groestl256_init(groestl256_ctx_t* ctx){ + memset(ctx->h, 0, 8*8); + ctx->h[8*8-2] = 1; + ctx->counter = 0; +} + +void groestl_small_nextBlock(groestl_small_ctx_t* ctx, const void* block){ + uint8_t tmp1[64], tmp2[64]; +/* for(i=0; i<8; ++i){ + for(j=0; j<8; ++j){ + tmp1[j*8+i] = ((uint8_t*)block)[i*8+j]; + } + } +*/ + memcpy(tmp1, block, 64); + memcpy(tmp2, tmp1, 64); + memxor(tmp1, ctx->h, 64); + groestl_small_rounds(tmp1, 0); + groestl_small_rounds(tmp2, 1); + memxor(ctx->h, tmp1, 64); + memxor(ctx->h, tmp2, 64); + ctx->counter++; +} + +void groestl_small_lastBlock(groestl_small_ctx_t* ctx, const void* block, uint16_t length_b){ + uint8_t buffer[64]; + while(length_b>=GROESTL_SMALL_BLOCKSIZE){ + groestl_small_nextBlock(ctx, block); + length_b -= GROESTL_SMALL_BLOCKSIZE; + block = (uint8_t*)block + GROESTL_SMALL_BLOCKSIZE_B; + } + memset(buffer, 0, 64); + memcpy(buffer, block, (length_b+7)/8); + buffer[length_b/8] |= 0x80>>(length_b%8); + if(length_b>512-65){ + groestl_small_nextBlock(ctx, buffer); + memset(buffer, 0, 64-4); + } + ctx->counter++; + buffer[64-1] = (uint8_t)(ctx->counter); + buffer[64-2] = (uint8_t)((ctx->counter)>>8); + buffer[64-3] = (uint8_t)((ctx->counter)>>16); + buffer[64-4] = (uint8_t)((ctx->counter)>>24); + groestl_small_nextBlock(ctx, buffer); +} + +void groestl_small_ctx2hash(void* dest, const groestl_small_ctx_t* ctx, uint16_t outlength_b){ + uint8_t tmp[64]; + memcpy(tmp, ctx->h, 64); + groestl_small_rounds(tmp, 0); + memxor(tmp, ctx->h, 64); +#if DEBUG + cli_putstr_P(PSTR("\r\npost finalisation")); + dump_m(tmp); +#endif + memcpy(dest, tmp+64-outlength_b/8, outlength_b/8); +} + +void groestl224_ctx2hash(void* dest, const groestl224_ctx_t* ctx){ + groestl_small_ctx2hash(dest, ctx, 224); +} + +void groestl256_ctx2hash(void* dest, const groestl256_ctx_t* ctx){ + groestl_small_ctx2hash(dest, ctx, 256); +} + +void groestl224_nextBlock(groestl224_ctx_t* ctx, const void* block){ + groestl_small_nextBlock(ctx, block); +} + +void groestl256_nextBlock(groestl256_ctx_t* ctx, const void* block){ + groestl_small_nextBlock(ctx, block); +} + +void groestl224_lastBlock(groestl224_ctx_t* ctx, const void* block, uint16_t length_b){ + groestl_small_lastBlock(ctx, block, length_b); +} + +void groestl256_lastBlock(groestl256_ctx_t* ctx, const void* block, uint16_t length_b){ + groestl_small_lastBlock(ctx, block, length_b); +} + +void groestl224(void* dest, const void* msg, uint32_t length_b){ + groestl_small_ctx_t ctx; + groestl224_init(&ctx); + while(length_b>=GROESTL_SMALL_BLOCKSIZE){ + groestl_small_nextBlock(&ctx, msg); + length_b -= GROESTL_SMALL_BLOCKSIZE; + msg = (uint8_t*)msg + GROESTL_SMALL_BLOCKSIZE_B; + } + groestl_small_lastBlock(&ctx, msg, length_b); + groestl_small_ctx2hash(dest, &ctx, 224); +} + +void groestl256(void* dest, const void* msg, uint32_t length_b){ + groestl_small_ctx_t ctx; + groestl256_init(&ctx); + while(length_b>=GROESTL_SMALL_BLOCKSIZE){ + groestl_small_nextBlock(&ctx, msg); + length_b -= GROESTL_SMALL_BLOCKSIZE; + msg = (uint8_t*)msg + GROESTL_SMALL_BLOCKSIZE_B; + } + groestl_small_lastBlock(&ctx, msg, length_b); + groestl_small_ctx2hash(dest, &ctx, 256); +} + + + diff --git a/groestl/groestl_small.h b/groestl/groestl_small.h new file mode 100644 index 0000000..819cc4c --- /dev/null +++ b/groestl/groestl_small.h @@ -0,0 +1,65 @@ +/* groestl_small.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file groestl_small.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-05-19 + * \license GPLv3 or later + * + */ +#ifndef GROESTL_SMALL_H_ +#define GROESTL_SMALL_H_ + +#include + +#define GROESTL_SMALL_BLOCKSIZE 512 +#define GROESTL_SMALL_BLOCKSIZE_B ((GROESTL_SMALL_BLOCKSIZE+7)/8) +#define GROESTL224_BLOCKSIZE GROESTL_SMALL_BLOCKSIZE +#define GROESTL224_BLOCKSIZE_B GROESTL_SMALL_BLOCKSIZE_B +#define GROESTL256_BLOCKSIZE GROESTL_SMALL_BLOCKSIZE +#define GROESTL256_BLOCKSIZE_B GROESTL_SMALL_BLOCKSIZE_B + +typedef struct { + uint8_t h[8*8]; + uint32_t counter; +} groestl_small_ctx_t; + +typedef groestl_small_ctx_t groestl224_ctx_t; +typedef groestl_small_ctx_t groestl256_ctx_t; + +void groestl224_init(groestl224_ctx_t* ctx); +void groestl256_init(groestl256_ctx_t* ctx); + +void groestl_small_nextBlock(groestl_small_ctx_t* ctx, const void* block); +void groestl_small_lastBlock(groestl_small_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl224_nextBlock(groestl224_ctx_t* ctx, const void* block); +void groestl224_lastBlock(groestl224_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl256_nextBlock(groestl256_ctx_t* ctx, const void* block); +void groestl256_lastBlock(groestl256_ctx_t* ctx, const void* block, uint16_t length_b); + +void groestl224_ctx2hash(void* dest, const groestl224_ctx_t* ctx); +void groestl256_ctx2hash(void* dest, const groestl256_ctx_t* ctx); + +void groestl224(void* dest, const void* msg, uint32_t length_b); +void groestl256(void* dest, const void* msg, uint32_t length_b); + +#endif /* GROESTL_GROESTL_H_ */ diff --git a/groestl/memxor.S b/groestl/memxor.S new file mode 100644 index 0000000..a32058b --- /dev/null +++ b/groestl/memxor.S @@ -0,0 +1,66 @@ +/* memxor.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: memxor.S + * Author: Daniel Otte + * Date: 2008-08-07 + * License: GPLv3 or later + * Description: memxor, XORing one block into another + * + */ + +/* + * void memxor(void* dest, const void* src, uint16_t n); + */ + /* + * param dest is passed in r24:r25 + * param src is passed in r22:r23 + * param n is passed in r20:r21 + */ +.global memxor +memxor: + movw r30, r24 + movw r26, r22 + movw r24, r20 + adiw r24, 0 + breq 2f +1: + ld r20, X+ + ld r21, Z + eor r20, r21 + st Z+, r20 + sbiw r24, 1 + brne 1b +2: + ret + + + + + + + + + + + + + + diff --git a/groestl/memxor.h b/groestl/memxor.h new file mode 100644 index 0000000..a62a616 --- /dev/null +++ b/groestl/memxor.h @@ -0,0 +1,7 @@ +#ifndef MEMXOR_H_ +#define MEMXOR_H_ +#include + +void memxor(void* dest, const void* src, uint16_t n); + +#endif diff --git a/groestl_large.c b/groestl_large.c deleted file mode 100644 index bcfd8e5..0000000 --- a/groestl_large.c +++ /dev/null @@ -1,242 +0,0 @@ -/* groestl_large.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file groestl_large.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-06-11 - * \license GPLv3 or later - * - */ - -#include "groestl_large.h" -#include "aes_sbox.h" -#include "gf256mul.h" -#include "memxor.h" -#include -#include -#include - -#define ROUNDS 14 -#define POLYNOM 0x1b - -#define DEBUG 0 - -#if DEBUG - #include "cli.h" - void dump_m(const uint8_t* m){ - uint8_t i,j; - for(i=0; i<16; ++i){ - cli_putstr_P(PSTR("\r\n")); - for(j=0; j<8; ++j){ - cli_putc(' '); - cli_hexdump(m+8*i+j, 1); - } - } - } -#else - #define dump_m(m) -#endif - -static uint8_t matrix[] PROGMEM = { - 2, 2, 3, 4, 5, 3, 5, 7, - 7, 2, 2, 3, 4, 5, 3, 5, - 5, 7, 2, 2, 3, 4, 5, 3, - 3, 5, 7, 2, 2, 3, 4, 5, - 5, 3, 5, 7, 2, 2, 3, 4, - 4, 5, 3, 5, 7, 2, 2, 3, - 3, 4, 5, 3, 5, 7, 2, 2, - 2, 3, 4, 5, 3, 5, 7, 2 -}; - -void groestl_large_rounds(uint8_t *m, uint8_t q){ - uint8_t r,i,j; - uint8_t tmp[16]; - for(r=0; rh, 0, 16*8); - ctx->h[8*16-1] = (uint8_t)384; - ctx->h[8*16-2] = (uint8_t)(384>>8); - ctx->counter = 0; -} - -void groestl512_init(groestl512_ctx_t* ctx){ - memset(ctx->h, 0, 16*8); - ctx->h[8*16-2] = 2; - ctx->counter = 0; -} - -void groestl_large_nextBlock(groestl_large_ctx_t* ctx, const void* block){ - uint8_t tmp1[128], tmp2[128]; -/* - for(i=0; i<8; ++i){ - for(j=0; j<8; ++j){ - tmp1[j*8+i] = ((uint8_t*)block)[i*8+j]; - } - } -*/ - memcpy(tmp1, block, 128); - memcpy(tmp2, tmp1, 128); - memxor(tmp1, ctx->h, 128); - groestl_large_rounds(tmp1, 0); - groestl_large_rounds(tmp2, 1); - memxor(ctx->h, tmp1, 128); - memxor(ctx->h, tmp2, 128); - ctx->counter++; -} - -void groestl_large_lastBlock(groestl_large_ctx_t* ctx, const void* block, uint16_t length_b){ - uint8_t buffer[128]; - while(length_b>=GROESTL_LARGE_BLOCKSIZE){ - groestl_large_nextBlock(ctx, block); - length_b -= GROESTL_LARGE_BLOCKSIZE; - block = (uint8_t*)block + GROESTL_LARGE_BLOCKSIZE_B; - } - memset(buffer, 0, 128); - memcpy(buffer, block, (length_b+7)/8); - buffer[length_b/8] |= 0x80>>(length_b%8); - if(length_b>1024-65){ - groestl_large_nextBlock(ctx, buffer); - memset(buffer, 0, 128-4); - } - ctx->counter++; - buffer[128-1] = (uint8_t)(ctx->counter); - buffer[128-2] = (uint8_t)((ctx->counter)>>8); - buffer[128-3] = (uint8_t)((ctx->counter)>>16); - buffer[128-4] = (uint8_t)((ctx->counter)>>24); - groestl_large_nextBlock(ctx, buffer); -} - -void groestl_large_ctx2hash(void* dest, const groestl_large_ctx_t* ctx, uint16_t outlength_b){ - uint8_t tmp[128]; - memcpy(tmp, ctx->h, 128); - groestl_large_rounds(tmp, 0); - memxor(tmp, ctx->h, 128); -#if DEBUG - cli_putstr_P(PSTR("\r\npost finalisation")); - dump_m(tmp); -#endif - memcpy(dest, tmp+128-outlength_b/8, outlength_b/8); -} - -void groestl384_ctx2hash(void* dest, const groestl384_ctx_t* ctx){ - groestl_large_ctx2hash(dest, ctx, 384); -} - -void groestl512_ctx2hash(void* dest, const groestl512_ctx_t* ctx){ - groestl_large_ctx2hash(dest, ctx, 512); -} - -void groestl384_nextBlock(groestl384_ctx_t* ctx, const void* block){ - groestl_large_nextBlock(ctx, block); -} - -void groestl512_nextBlock(groestl512_ctx_t* ctx, const void* block){ - groestl_large_nextBlock(ctx, block); -} - -void groestl384_lastBlock(groestl384_ctx_t* ctx, const void* block, uint16_t length_b){ - groestl_large_lastBlock(ctx, block, length_b); -} - -void groestl512_lastBlock(groestl512_ctx_t* ctx, const void* block, uint16_t length_b){ - groestl_large_lastBlock(ctx, block, length_b); -} - -void groestl384(void* dest, const void* msg, uint32_t length_b){ - groestl_large_ctx_t ctx; - groestl384_init(&ctx); - while(length_b>=GROESTL_LARGE_BLOCKSIZE){ - groestl_large_nextBlock(&ctx, msg); - length_b -= GROESTL_LARGE_BLOCKSIZE; - msg = (uint8_t*)msg + GROESTL_LARGE_BLOCKSIZE_B; - } - groestl_large_lastBlock(&ctx, msg, length_b); - groestl_large_ctx2hash(dest, &ctx, 384); -} - -void groestl512(void* dest, const void* msg, uint32_t length_b){ - groestl_large_ctx_t ctx; - groestl512_init(&ctx); - while(length_b>=GROESTL_LARGE_BLOCKSIZE){ - groestl_large_nextBlock(&ctx, msg); - length_b -= GROESTL_LARGE_BLOCKSIZE; - msg = (uint8_t*)msg + GROESTL_LARGE_BLOCKSIZE_B; - } - groestl_large_lastBlock(&ctx, msg, length_b); - groestl_large_ctx2hash(dest, &ctx, 512); -} - - - diff --git a/groestl_large.h b/groestl_large.h deleted file mode 100644 index c932fb7..0000000 --- a/groestl_large.h +++ /dev/null @@ -1,65 +0,0 @@ -/* groestl_large.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file groestl_large.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-19 - * \license GPLv3 or later - * - */ -#ifndef GROESTL_LARGE_H_ -#define GROESTL_LARGE_H_ - -#include - -#define GROESTL_LARGE_BLOCKSIZE 1024 -#define GROESTL_LARGE_BLOCKSIZE_B ((GROESTL_LARGE_BLOCKSIZE+7)/8) -#define GROESTL384_BLOCKSIZE GROESTL_LARGE_BLOCKSIZE -#define GROESTL384_BLOCKSIZE_B GROESTL_LARGE_BLOCKSIZE_B -#define GROESTL512_BLOCKSIZE GROESTL_LARGE_BLOCKSIZE -#define GROESTL512_BLOCKSIZE_B GROESTL_LARGE_BLOCKSIZE_B - -typedef struct { - uint8_t h[8*16]; - uint32_t counter; -} groestl_large_ctx_t; - -typedef groestl_large_ctx_t groestl384_ctx_t; -typedef groestl_large_ctx_t groestl512_ctx_t; - -void groestl384_init(groestl384_ctx_t* ctx); -void groestl512_init(groestl512_ctx_t* ctx); - -void groestl_large_nextBlock(groestl_large_ctx_t* ctx, const void* block); -void groestl_large_lastBlock(groestl_large_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl384_nextBlock(groestl384_ctx_t* ctx, const void* block); -void groestl384_lastBlock(groestl384_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl512_nextBlock(groestl512_ctx_t* ctx, const void* block); -void groestl512_lastBlock(groestl512_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl384_ctx2hash(void* dest, const groestl384_ctx_t* ctx); -void groestl512_ctx2hash(void* dest, const groestl512_ctx_t* ctx); - -void groestl384(void* dest, const void* msg, uint32_t length_b); -void groestl512(void* dest, const void* msg, uint32_t length_b); - -#endif /* GROESTL_GROESTL_H_ */ diff --git a/groestl_small.c b/groestl_small.c deleted file mode 100644 index e5a3d94..0000000 --- a/groestl_small.c +++ /dev/null @@ -1,234 +0,0 @@ -/* groestl_small.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file groestl_small.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-19 - * \license GPLv3 or later - * - */ - -#include "groestl_small.h" -#include "aes_sbox.h" -#include "gf256mul.h" -#include "memxor.h" -#include -#include -#include - -#define ROUNDS 10 -#define POLYNOM 0x1b - -#define DEBUG 0 - -#if DEBUG - #include "cli.h" - void dump_m(const uint8_t* m){ - uint8_t i,j; - for(i=0; i<8; ++i){ - cli_putstr_P(PSTR("\r\n")); - for(j=0; j<8; ++j){ - cli_putc(' '); - cli_hexdump(m+8*i+j, 1); - } - } - } -#else - #define dump_m(m) -#endif - -static uint8_t matrix[] PROGMEM = { - 2, 2, 3, 4, 5, 3, 5, 7, - 7, 2, 2, 3, 4, 5, 3, 5, - 5, 7, 2, 2, 3, 4, 5, 3, - 3, 5, 7, 2, 2, 3, 4, 5, - 5, 3, 5, 7, 2, 2, 3, 4, - 4, 5, 3, 5, 7, 2, 2, 3, - 3, 4, 5, 3, 5, 7, 2, 2, - 2, 3, 4, 5, 3, 5, 7, 2 -}; - -void groestl_small_rounds(uint8_t *m, uint8_t q){ - uint8_t r,i,j; - uint8_t tmp[8]; - for(r=0; rh, 0, 8*8); - ctx->h[8*8-1] = 224; - ctx->counter = 0; -} - -void groestl256_init(groestl256_ctx_t* ctx){ - memset(ctx->h, 0, 8*8); - ctx->h[8*8-2] = 1; - ctx->counter = 0; -} - -void groestl_small_nextBlock(groestl_small_ctx_t* ctx, const void* block){ - uint8_t tmp1[64], tmp2[64]; -/* for(i=0; i<8; ++i){ - for(j=0; j<8; ++j){ - tmp1[j*8+i] = ((uint8_t*)block)[i*8+j]; - } - } -*/ - memcpy(tmp1, block, 64); - memcpy(tmp2, tmp1, 64); - memxor(tmp1, ctx->h, 64); - groestl_small_rounds(tmp1, 0); - groestl_small_rounds(tmp2, 1); - memxor(ctx->h, tmp1, 64); - memxor(ctx->h, tmp2, 64); - ctx->counter++; -} - -void groestl_small_lastBlock(groestl_small_ctx_t* ctx, const void* block, uint16_t length_b){ - uint8_t buffer[64]; - while(length_b>=GROESTL_SMALL_BLOCKSIZE){ - groestl_small_nextBlock(ctx, block); - length_b -= GROESTL_SMALL_BLOCKSIZE; - block = (uint8_t*)block + GROESTL_SMALL_BLOCKSIZE_B; - } - memset(buffer, 0, 64); - memcpy(buffer, block, (length_b+7)/8); - buffer[length_b/8] |= 0x80>>(length_b%8); - if(length_b>512-65){ - groestl_small_nextBlock(ctx, buffer); - memset(buffer, 0, 64-4); - } - ctx->counter++; - buffer[64-1] = (uint8_t)(ctx->counter); - buffer[64-2] = (uint8_t)((ctx->counter)>>8); - buffer[64-3] = (uint8_t)((ctx->counter)>>16); - buffer[64-4] = (uint8_t)((ctx->counter)>>24); - groestl_small_nextBlock(ctx, buffer); -} - -void groestl_small_ctx2hash(void* dest, const groestl_small_ctx_t* ctx, uint16_t outlength_b){ - uint8_t tmp[64]; - memcpy(tmp, ctx->h, 64); - groestl_small_rounds(tmp, 0); - memxor(tmp, ctx->h, 64); -#if DEBUG - cli_putstr_P(PSTR("\r\npost finalisation")); - dump_m(tmp); -#endif - memcpy(dest, tmp+64-outlength_b/8, outlength_b/8); -} - -void groestl224_ctx2hash(void* dest, const groestl224_ctx_t* ctx){ - groestl_small_ctx2hash(dest, ctx, 224); -} - -void groestl256_ctx2hash(void* dest, const groestl256_ctx_t* ctx){ - groestl_small_ctx2hash(dest, ctx, 256); -} - -void groestl224_nextBlock(groestl224_ctx_t* ctx, const void* block){ - groestl_small_nextBlock(ctx, block); -} - -void groestl256_nextBlock(groestl256_ctx_t* ctx, const void* block){ - groestl_small_nextBlock(ctx, block); -} - -void groestl224_lastBlock(groestl224_ctx_t* ctx, const void* block, uint16_t length_b){ - groestl_small_lastBlock(ctx, block, length_b); -} - -void groestl256_lastBlock(groestl256_ctx_t* ctx, const void* block, uint16_t length_b){ - groestl_small_lastBlock(ctx, block, length_b); -} - -void groestl224(void* dest, const void* msg, uint32_t length_b){ - groestl_small_ctx_t ctx; - groestl224_init(&ctx); - while(length_b>=GROESTL_SMALL_BLOCKSIZE){ - groestl_small_nextBlock(&ctx, msg); - length_b -= GROESTL_SMALL_BLOCKSIZE; - msg = (uint8_t*)msg + GROESTL_SMALL_BLOCKSIZE_B; - } - groestl_small_lastBlock(&ctx, msg, length_b); - groestl_small_ctx2hash(dest, &ctx, 224); -} - -void groestl256(void* dest, const void* msg, uint32_t length_b){ - groestl_small_ctx_t ctx; - groestl256_init(&ctx); - while(length_b>=GROESTL_SMALL_BLOCKSIZE){ - groestl_small_nextBlock(&ctx, msg); - length_b -= GROESTL_SMALL_BLOCKSIZE; - msg = (uint8_t*)msg + GROESTL_SMALL_BLOCKSIZE_B; - } - groestl_small_lastBlock(&ctx, msg, length_b); - groestl_small_ctx2hash(dest, &ctx, 256); -} - - - diff --git a/groestl_small.h b/groestl_small.h deleted file mode 100644 index 819cc4c..0000000 --- a/groestl_small.h +++ /dev/null @@ -1,65 +0,0 @@ -/* groestl_small.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file groestl_small.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-05-19 - * \license GPLv3 or later - * - */ -#ifndef GROESTL_SMALL_H_ -#define GROESTL_SMALL_H_ - -#include - -#define GROESTL_SMALL_BLOCKSIZE 512 -#define GROESTL_SMALL_BLOCKSIZE_B ((GROESTL_SMALL_BLOCKSIZE+7)/8) -#define GROESTL224_BLOCKSIZE GROESTL_SMALL_BLOCKSIZE -#define GROESTL224_BLOCKSIZE_B GROESTL_SMALL_BLOCKSIZE_B -#define GROESTL256_BLOCKSIZE GROESTL_SMALL_BLOCKSIZE -#define GROESTL256_BLOCKSIZE_B GROESTL_SMALL_BLOCKSIZE_B - -typedef struct { - uint8_t h[8*8]; - uint32_t counter; -} groestl_small_ctx_t; - -typedef groestl_small_ctx_t groestl224_ctx_t; -typedef groestl_small_ctx_t groestl256_ctx_t; - -void groestl224_init(groestl224_ctx_t* ctx); -void groestl256_init(groestl256_ctx_t* ctx); - -void groestl_small_nextBlock(groestl_small_ctx_t* ctx, const void* block); -void groestl_small_lastBlock(groestl_small_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl224_nextBlock(groestl224_ctx_t* ctx, const void* block); -void groestl224_lastBlock(groestl224_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl256_nextBlock(groestl256_ctx_t* ctx, const void* block); -void groestl256_lastBlock(groestl256_ctx_t* ctx, const void* block, uint16_t length_b); - -void groestl224_ctx2hash(void* dest, const groestl224_ctx_t* ctx); -void groestl256_ctx2hash(void* dest, const groestl256_ctx_t* ctx); - -void groestl224(void* dest, const void* msg, uint32_t length_b); -void groestl256(void* dest, const void* msg, uint32_t length_b); - -#endif /* GROESTL_GROESTL_H_ */ diff --git a/host/shavs_test.rb b/host/shavs_test.rb index 3d6ea06..4c8589d 100644 --- a/host/shavs_test.rb +++ b/host/shavs_test.rb @@ -133,6 +133,7 @@ $algo_select = ARGV[4] init_system() +errors = 0 for i in (5..(ARGV.size-1)) errors = run_test(ARGV[i]) if errors == 0 diff --git a/memxor.S b/memxor.S index 885dad5..a32058b 100644 --- a/memxor.S +++ b/memxor.S @@ -17,15 +17,15 @@ along with this program. If not, see . */ -/* +/* * File: memxor.S * Author: Daniel Otte * Date: 2008-08-07 * License: GPLv3 or later * Description: memxor, XORing one block into another - * + * */ - + /* * void memxor(void* dest, const void* src, uint16_t n); */ @@ -39,9 +39,7 @@ memxor: movw r30, r24 movw r26, r22 movw r24, r20 - tst r24 - brne 1f - tst r25 + adiw r24, 0 breq 2f 1: ld r20, X+ @@ -52,17 +50,17 @@ memxor: brne 1b 2: ret - - - - - - - - - - - - - + + + + + + + + + + + + + diff --git a/mkfiles/aes.mk b/mkfiles/aes.mk index f19a1c6..d687c74 100644 --- a/mkfiles/aes.mk +++ b/mkfiles/aes.mk @@ -4,9 +4,9 @@ ALGO_NAME := AES # comment out the following line for removement of AES from the build process BLOCK_CIPHERS += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := aes/ $(ALGO_NAME)_OBJ := aes_enc-asm.o aes_dec-asm.o aes_sbox-asm.o aes_invsbox-asm.o \ - aes_keyschedule-asm.o + aes_keyschedule-asm.o $(ALGO_NAME)_TEST_BIN := main-aes-test.o $(CLI_STD) \ nessie_bc_test.o nessie_common.o performance_test.o $(ALGO_NAME)_NESSIE_TEST := test nessie diff --git a/mkfiles/aes_asm_faster.mk b/mkfiles/aes_asm_faster.mk index 18ba9d8..44ced8d 100644 --- a/mkfiles/aes_asm_faster.mk +++ b/mkfiles/aes_asm_faster.mk @@ -5,8 +5,9 @@ ALGO_NAME := AES_FASTER BLOCK_CIPHERS += $(ALGO_NAME) +$(ALGO_NAME)_DIR := aes/ $(ALGO_NAME)_OBJ := aes_enc-asm.o aes_dec-asm_faster.o aes_sbox-asm.o aes_invsbox-asm.o \ - aes_keyschedule-asm.o + aes_keyschedule-asm.o $(ALGO_NAME)_TEST_BIN := main-aes-test.o $(CLI_STD) \ nessie_bc_test.o nessie_common.o performance_test.o $(ALGO_NAME)_NESSIE_TEST := test nessie diff --git a/mkfiles/aes_c.mk b/mkfiles/aes_c.mk index 8f0a4e1..f030136 100644 --- a/mkfiles/aes_c.mk +++ b/mkfiles/aes_c.mk @@ -5,6 +5,7 @@ ALGO_NAME := AES_C BLOCK_CIPHERS += $(ALGO_NAME) +$(ALGO_NAME)_DIR := aes/ $(ALGO_NAME)_OBJ := aes_enc.o aes_dec.o aes_sbox.o aes_invsbox.o \ aes_keyschedule.o gf256mul.o \ aes128_enc.o aes128_dec.o aes192_enc.o aes192_dec.o \ diff --git a/mkfiles/blake_c.mk b/mkfiles/blake_c.mk index cee2547..c79b89b 100644 --- a/mkfiles/blake_c.mk +++ b/mkfiles/blake_c.mk @@ -4,7 +4,7 @@ ALGO_NAME := BLAKE_C # comment out the following line for removement of Blake from the build process HASHES += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := blake/ $(ALGO_NAME)_OBJ := blake_small.o blake_large.o blake_common.o memxor.o $(ALGO_NAME)_TEST_BIN := main-blake-test.o hfal_blake_small.o hfal_blake_large.o $(CLI_STD) $(HFAL_STD) $(ALGO_NAME)_NESSIE_TEST := test nessie diff --git a/mkfiles/camellia.mk b/mkfiles/camellia.mk index 0a7fbc5..4b0213c 100644 --- a/mkfiles/camellia.mk +++ b/mkfiles/camellia.mk @@ -4,6 +4,7 @@ ALGO_NAME := CAMELLIA # comment out the following line for removement of Camellia from the build process BLOCK_CIPHERS += $(ALGO_NAME) +$(ALGO_NAME)_DIR := camellia/ $(ALGO_NAME)_OBJ := camellia128-stub.o camellia-asm.o $(ALGO_NAME)_TEST_BIN := main-camellia-test.o $(CLI_STD) nessie_bc_test.o \ nessie_common.o performance_test.o diff --git a/mkfiles/groestl_c.mk b/mkfiles/groestl_c.mk index 4fb6e96..7d63a0d 100644 --- a/mkfiles/groestl_c.mk +++ b/mkfiles/groestl_c.mk @@ -4,7 +4,7 @@ ALGO_NAME := GROESTL_C # comment out the following line for removement of Grøstl from the build process HASHES += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := groestl/ $(ALGO_NAME)_OBJ := groestl_small.o groestl_large.o memxor.o aes_sbox.o gf256mul.o $(ALGO_NAME)_TEST_BIN := hfal_groestl_large.o hfal_groestl_small.o main-groestl-test.o $(CLI_STD) $(HFAL_STD) $(ALGO_NAME)_NESSIE_TEST := test nessie diff --git a/mkfiles/mugi.mk b/mkfiles/mugi.mk index 7bcb92f..36f4a04 100644 --- a/mkfiles/mugi.mk +++ b/mkfiles/mugi.mk @@ -4,6 +4,7 @@ ALGO_NAME := MUGI_C # comment out the following line for removement of MUGI_C from the build process STREAM_CIPHERS += $(ALGO_NAME) +$(ALGO_NAME)_DIR := mugi/ $(ALGO_NAME)_OBJ := mugi.o gf256mul.o aes_sbox.o $(ALGO_NAME)_TEST_BIN := main-mugi-test.o $(CLI_STD) \ nessie_stream_test.o nessie_common.o \ diff --git a/mkfiles/shabal.mk b/mkfiles/shabal.mk index 15ed875..e2600d4 100644 --- a/mkfiles/shabal.mk +++ b/mkfiles/shabal.mk @@ -4,7 +4,7 @@ ALGO_NAME := SHABAL # comment out the following line for removement of Skein from the build process HASHES += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := shabal/ $(ALGO_NAME)_OBJ := shabal-asm.o shabal192-asm.o shabal224-asm.o \ shabal256-asm.o shabal384-asm.o shabal512-asm.o $(ALGO_NAME)_TEST_BIN := main-shabal-test.o hfal_shabal.o $(CLI_STD) $(HFAL_STD) diff --git a/mkfiles/shabal_c.mk b/mkfiles/shabal_c.mk index 427afa7..5e8082c 100644 --- a/mkfiles/shabal_c.mk +++ b/mkfiles/shabal_c.mk @@ -4,7 +4,7 @@ ALGO_NAME := SHABAL_C # comment out the following line for removement of Skein from the build process HASHES += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := shabal/ $(ALGO_NAME)_OBJ := shabal.o shabal192.o shabal224.o shabal256.o shabal384.o shabal512.o $(ALGO_NAME)_TEST_BIN := main-shabal-test.o hfal_shabal.o $(CLI_STD) $(HFAL_STD) $(ALGO_NAME)_NESSIE_TEST := test nessie diff --git a/mkfiles/skein.mk b/mkfiles/skein.mk index 537988e..123e6a0 100644 --- a/mkfiles/skein.mk +++ b/mkfiles/skein.mk @@ -4,7 +4,7 @@ ALGO_NAME := SKEIN # comment out the following line for removement of Skein from the build process HASHES += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := skein/ $(ALGO_NAME)_OBJ := threefish_mix.o \ threefish256_enc_asm.o ubi256_asm.o skein256_asm.o \ threefish512_enc_asm.o ubi512_asm.o skein512_asm.o \ diff --git a/mkfiles/threefish.mk b/mkfiles/threefish.mk index 7781f37..4e7abc3 100644 --- a/mkfiles/threefish.mk +++ b/mkfiles/threefish.mk @@ -4,7 +4,7 @@ ALGO_NAME := THREEFISH # comment out the following line for removement of threefish from the build process BLOCK_CIPHERS += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := skein/ $(ALGO_NAME)_OBJ := threefish256_enc_asm.o threefish512_enc_asm.o threefish1024_enc_asm.o\ threefish_mix.o threefish_invmix.o \ threefish256_dec_asm.o threefish512_dec_asm.o threefish1024_dec_asm.o diff --git a/mkfiles/twister.mk b/mkfiles/twister.mk index f6196ef..758f33c 100644 --- a/mkfiles/twister.mk +++ b/mkfiles/twister.mk @@ -4,6 +4,7 @@ ALGO_NAME := TWISTER # comment out the following line for removement of TWISTER from the build process HASHES += $(ALGO_NAME) +$(ALGO_NAME)_DIR := twister/ $(ALGO_NAME)_OBJ := twister-small-asm.o twister-large-asm.o twister-asm.o \ twister224.o twister256.o twister384.o twister512.o $(ALGO_NAME)_TEST_BIN := main-twister-test.o hfal_twister224.o hfal_twister256.o \ diff --git a/mkfiles/twister_c.mk b/mkfiles/twister_c.mk index 7d6ec36..eb62653 100644 --- a/mkfiles/twister_c.mk +++ b/mkfiles/twister_c.mk @@ -4,6 +4,7 @@ ALGO_NAME := TWISTER_C # comment out the following line for removement of TWISTER from the build process HASHES += $(ALGO_NAME) +$(ALGO_NAME)_DIR := twister/ $(ALGO_NAME)_OBJ := twister.o twister-small.o twister-large.o memxor.o gf256mul.o $(ALGO_NAME)_TEST_BIN := main-twister-test.o hfal_twister224.o hfal_twister256.o \ hfal_twister384.o hfal_twister512.o $(CLI_STD) $(HFAL_STD) diff --git a/mkfiles/ubi.mk b/mkfiles/ubi.mk index 4c1965e..80a94e0 100644 --- a/mkfiles/ubi.mk +++ b/mkfiles/ubi.mk @@ -4,7 +4,7 @@ ALGO_NAME := UBI # comment out the following line for removement of ubi from the build process AUX += $(ALGO_NAME) - +$(ALGO_NAME)_DIR := skein/ $(ALGO_NAME)_OBJ := threefish_mix.o threefish256_enc_asm.o ubi256_asm.o \ threefish512_enc_asm.o ubi512_asm.o threefish1024_enc_asm.o \ ubi1024_asm.o memxor.o diff --git a/mugi.c b/mugi.c deleted file mode 100644 index d196c6e..0000000 --- a/mugi.c +++ /dev/null @@ -1,216 +0,0 @@ -/* mugi.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file mugi.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-02-15 - * \brief implementation of the MUGI key stream generator - * \license GPLv3 or later - */ - -#include -#include -#include -#include -#include "aes_sbox.h" -#include "mugi.h" -#include "gf256mul.h" - -/* -#include "test_src/cli.h" / * only for debugging * / - -void dump_mugi_ctx(mugi_ctx_t* ctx){ - uint8_t i; - cli_putstr_P(PSTR("\r\n== MUGI CTX DUMP==\r\n a:")); - cli_hexdump(&(ctx->a[0]), 8); - cli_putc(' '); - cli_hexdump(&(ctx->a[1]), 8); - cli_putc(' '); - cli_hexdump(&(ctx->a[2]), 8); - cli_putstr_P(PSTR("\r\n b: ")); - for(i=0; i<4; ++i){ - cli_putstr_P(PSTR("\r\n ")); - cli_hexdump(&(ctx->b[i*4+0]), 8); - cli_putc(' '); - cli_hexdump(&(ctx->b[i*4+1]), 8); - cli_putc(' '); - cli_hexdump(&(ctx->b[i*4+2]), 8); - cli_putc(' '); - cli_hexdump(&(ctx->b[i*4+3]), 8); - } -} -*/ - -#define C0 0x08c9bcf367e6096all -#define C1 0x3ba7ca8485ae67bbll -#define C2 0x2bf894fe72f36e3cll - -#define GF256MUL_2(a) (gf256mul(2, (a), 0x1b)) - -uint64_t changeendian64(uint64_t a){ - uint8_t r[8]; - r[0] = ((uint8_t*)&a)[7]; - r[1] = ((uint8_t*)&a)[6]; - r[2] = ((uint8_t*)&a)[5]; - r[3] = ((uint8_t*)&a)[4]; - r[4] = ((uint8_t*)&a)[3]; - r[5] = ((uint8_t*)&a)[2]; - r[6] = ((uint8_t*)&a)[1]; - r[7] = ((uint8_t*)&a)[0]; - return *((uint64_t*)r); -} - -static -uint64_t rotl64(uint64_t a, uint8_t i){ - uint64_t r; - r=changeendian64(a); - r=(r<>(64-i)); - r=changeendian64(r); - return r; -} - -static -uint64_t rotr64(uint64_t a, uint8_t i){ - uint64_t r; - r=changeendian64(a); - r=(r>>i | r<<(64-i)); - r=changeendian64(r); - return r; -} - - -#define T(x) (((uint8_t*)&t)[(x)]) -#define D(y) (((uint8_t*)dest)[(y)]) -static void mugi_f(uint64_t* dest, uint64_t* a, uint64_t* b){ - uint64_t t; - uint8_t i,x; - t = (*a); - if(b) - t ^= (*b); - for(i=0; i<8; ++i) - T(i) = pgm_read_byte(aes_sbox+T(i)); - - x = T(0) ^ T(1) ^ T(2) ^ T(3); - D(4) = - GF256MUL_2(T(0)^T(1)) - ^ T(0) - ^ x; - D(5) = - GF256MUL_2(T(1)^T(2)) - ^ T(1) - ^ x; - D(2) = - GF256MUL_2(T(2)^T(3)) - ^ T(2) - ^ x; - D(3) = - GF256MUL_2(T(3)^T(0)) - ^ T(3) - ^ x; - x = T(4) ^ T(5) ^ T(6) ^ T(7); - D(0) = - GF256MUL_2(T(4)^T(5)) - ^ T(4) - ^ x; - D(1) = - GF256MUL_2(T(5)^T(6)) - ^ T(5) - ^ x; - D(6) = - GF256MUL_2(T(6)^T(7)) - ^ T(6) - ^ x; - D(7) = - GF256MUL_2(T(7)^T(4)) - ^ T(7) - ^ x; -} - -static -void mugi_rho(mugi_ctx_t* ctx){ - uint64_t t,bx; - t = ctx->a[1]; - ctx->a[1] = ctx->a[2]; - ctx->a[2] = ctx->a[0]; - ctx->a[0] = t; - mugi_f(&t, &(ctx->a[0]), &(ctx->b[4])); - ctx->a[1] ^= t ^ C1; - bx = rotl64(ctx->b[10], 17); - mugi_f(&t, &(ctx->a[0]), &bx); - ctx->a[2] ^= t ^ C2; -} - -static -void mugi_rho_init(uint64_t* a){ - uint64_t t; - t = a[1]; - a[1] = a[2]; - a[2] = a[0]; - a[0] = t; - mugi_f(&t, &(a[0]), NULL); - a[1] ^= t ^ C1; - mugi_f(&t, &(a[0]), NULL); - a[2] ^= t ^ C2; -} - -static -void mugi_lambda(uint64_t* b, uint64_t *a){ - uint8_t i; - uint64_t t; - t=b[15]; - for(i=15; i!=0; --i){ - b[i]=b[i-1]; - } - b[0] = t ^ *a; - b[4] ^= b[8]; - b[10] ^= rotl64(b[14], 32); -} - -void mugi_init(const void* key, const void* iv, mugi_ctx_t* ctx){ - uint8_t i; - uint64_t a0; - memcpy(ctx->a, key, 128/8); - ctx->a[2] = rotl64(ctx->a[0], 7) ^ rotr64(ctx->a[1], 7) ^ C0; - for(i=0; i<16;i++){ - mugi_rho_init(ctx->a); - ctx->b[15-i] = ctx->a[0]; - } - ctx->a[0] ^= ((uint64_t*)iv)[0]; - ctx->a[1] ^= ((uint64_t*)iv)[1]; - ctx->a[2] ^= rotl64(((uint64_t*)iv)[0], 7) ^ rotr64(((uint64_t*)iv)[1], 7) ^ C0; - for(i=0; i<16;i++){ - mugi_rho_init(ctx->a); - } - for(i=0; i<15;i++){ - a0 = ctx->a[0]; - mugi_rho(ctx); - mugi_lambda(ctx->b, &a0); - } - a0=0x00; -} - -uint64_t mugi_gen(mugi_ctx_t* ctx){ - uint64_t r; - r=ctx->a[0]; - mugi_rho(ctx); - mugi_lambda(ctx->b, &r); - r=ctx->a[2]; - return r; -} diff --git a/mugi.h b/mugi.h deleted file mode 100644 index 809b9fd..0000000 --- a/mugi.h +++ /dev/null @@ -1,41 +0,0 @@ -/* mugi.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file mugi.h - * \author Daniel Otte - * \date 2009-02-15 - * \brief implementation of the MUGI key stream generator - * \license GPLv3 or later - */ - -#ifndef MUGI_H_ -#define MUGI_H_ - -#include - -typedef struct{ - uint64_t a[3]; - uint64_t b[16]; -}mugi_ctx_t; /* 152 bytes in total */ - -void mugi_init(const void* key, const void* iv, mugi_ctx_t* ctx); -uint64_t mugi_gen(mugi_ctx_t* ctx); - - -#endif /* MUGI_H_ */ diff --git a/mugi/aes_sbox.c b/mugi/aes_sbox.c new file mode 100644 index 0000000..85b08de --- /dev/null +++ b/mugi/aes_sbox.c @@ -0,0 +1,23 @@ +/* aes sbox */ + +#include +#include +uint8_t aes_sbox[256] PROGMEM = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, + 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, + 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, + 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, + 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, + 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, + 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, + 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, + 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, + 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, + 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, + 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, + 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, + 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, + 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +}; + diff --git a/mugi/aes_sbox.h b/mugi/aes_sbox.h new file mode 100644 index 0000000..5bc03b7 --- /dev/null +++ b/mugi/aes_sbox.h @@ -0,0 +1,33 @@ +/* aes_sbox.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file aes_sbox.h + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-30 + * \license GPLv3 or later + * + */ +#ifndef AES_SBOX_H_ +#define AES_SBOX_H_ +#include + +extern uint8_t aes_sbox[]; + +#endif diff --git a/mugi/gf256mul.S b/mugi/gf256mul.S new file mode 100644 index 0000000..b269d3a --- /dev/null +++ b/mugi/gf256mul.S @@ -0,0 +1,82 @@ +/* gf256mul.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: gf256mul.S + * Author: Daniel Otte + * Date: 2008-12-19 + * License: GPLv3 or later + * Description: peasant's algorithm for multiplication in GF(2^8) + * + */ + +#include +#define OPTIMIZE_SMALL_A + +/* + * param a: r24 + * param b: r22 + * param reducer: r20 + */ +A = 23 +B = 22 +P = 24 +.global gf256mul + +#ifdef OPTIMIZE_SMALL_A +gf256mul: + mov A, r24 + clr r24 +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +#else + +gf256mul: + mov r21, r24 + clr r24 + ldi r25, 8 +1: + lsr A + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + dec r25 + brne 1b + ret + +#endif diff --git a/mugi/gf256mul.h b/mugi/gf256mul.h new file mode 100644 index 0000000..87f1cb3 --- /dev/null +++ b/mugi/gf256mul.h @@ -0,0 +1,37 @@ +/* gf256mul.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef GF256MUL_H_ +#define GF256MUL_H_ + +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2008-12-19 + * \license GPLv3 + * \brief + * + * + */ + +#include + +uint8_t gf256mul(uint8_t a, uint8_t b, uint8_t reducer); + +#endif /* GF256MUL_H_ */ + diff --git a/mugi/mugi.c b/mugi/mugi.c new file mode 100644 index 0000000..d196c6e --- /dev/null +++ b/mugi/mugi.c @@ -0,0 +1,216 @@ +/* mugi.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file mugi.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-02-15 + * \brief implementation of the MUGI key stream generator + * \license GPLv3 or later + */ + +#include +#include +#include +#include +#include "aes_sbox.h" +#include "mugi.h" +#include "gf256mul.h" + +/* +#include "test_src/cli.h" / * only for debugging * / + +void dump_mugi_ctx(mugi_ctx_t* ctx){ + uint8_t i; + cli_putstr_P(PSTR("\r\n== MUGI CTX DUMP==\r\n a:")); + cli_hexdump(&(ctx->a[0]), 8); + cli_putc(' '); + cli_hexdump(&(ctx->a[1]), 8); + cli_putc(' '); + cli_hexdump(&(ctx->a[2]), 8); + cli_putstr_P(PSTR("\r\n b: ")); + for(i=0; i<4; ++i){ + cli_putstr_P(PSTR("\r\n ")); + cli_hexdump(&(ctx->b[i*4+0]), 8); + cli_putc(' '); + cli_hexdump(&(ctx->b[i*4+1]), 8); + cli_putc(' '); + cli_hexdump(&(ctx->b[i*4+2]), 8); + cli_putc(' '); + cli_hexdump(&(ctx->b[i*4+3]), 8); + } +} +*/ + +#define C0 0x08c9bcf367e6096all +#define C1 0x3ba7ca8485ae67bbll +#define C2 0x2bf894fe72f36e3cll + +#define GF256MUL_2(a) (gf256mul(2, (a), 0x1b)) + +uint64_t changeendian64(uint64_t a){ + uint8_t r[8]; + r[0] = ((uint8_t*)&a)[7]; + r[1] = ((uint8_t*)&a)[6]; + r[2] = ((uint8_t*)&a)[5]; + r[3] = ((uint8_t*)&a)[4]; + r[4] = ((uint8_t*)&a)[3]; + r[5] = ((uint8_t*)&a)[2]; + r[6] = ((uint8_t*)&a)[1]; + r[7] = ((uint8_t*)&a)[0]; + return *((uint64_t*)r); +} + +static +uint64_t rotl64(uint64_t a, uint8_t i){ + uint64_t r; + r=changeendian64(a); + r=(r<>(64-i)); + r=changeendian64(r); + return r; +} + +static +uint64_t rotr64(uint64_t a, uint8_t i){ + uint64_t r; + r=changeendian64(a); + r=(r>>i | r<<(64-i)); + r=changeendian64(r); + return r; +} + + +#define T(x) (((uint8_t*)&t)[(x)]) +#define D(y) (((uint8_t*)dest)[(y)]) +static void mugi_f(uint64_t* dest, uint64_t* a, uint64_t* b){ + uint64_t t; + uint8_t i,x; + t = (*a); + if(b) + t ^= (*b); + for(i=0; i<8; ++i) + T(i) = pgm_read_byte(aes_sbox+T(i)); + + x = T(0) ^ T(1) ^ T(2) ^ T(3); + D(4) = + GF256MUL_2(T(0)^T(1)) + ^ T(0) + ^ x; + D(5) = + GF256MUL_2(T(1)^T(2)) + ^ T(1) + ^ x; + D(2) = + GF256MUL_2(T(2)^T(3)) + ^ T(2) + ^ x; + D(3) = + GF256MUL_2(T(3)^T(0)) + ^ T(3) + ^ x; + x = T(4) ^ T(5) ^ T(6) ^ T(7); + D(0) = + GF256MUL_2(T(4)^T(5)) + ^ T(4) + ^ x; + D(1) = + GF256MUL_2(T(5)^T(6)) + ^ T(5) + ^ x; + D(6) = + GF256MUL_2(T(6)^T(7)) + ^ T(6) + ^ x; + D(7) = + GF256MUL_2(T(7)^T(4)) + ^ T(7) + ^ x; +} + +static +void mugi_rho(mugi_ctx_t* ctx){ + uint64_t t,bx; + t = ctx->a[1]; + ctx->a[1] = ctx->a[2]; + ctx->a[2] = ctx->a[0]; + ctx->a[0] = t; + mugi_f(&t, &(ctx->a[0]), &(ctx->b[4])); + ctx->a[1] ^= t ^ C1; + bx = rotl64(ctx->b[10], 17); + mugi_f(&t, &(ctx->a[0]), &bx); + ctx->a[2] ^= t ^ C2; +} + +static +void mugi_rho_init(uint64_t* a){ + uint64_t t; + t = a[1]; + a[1] = a[2]; + a[2] = a[0]; + a[0] = t; + mugi_f(&t, &(a[0]), NULL); + a[1] ^= t ^ C1; + mugi_f(&t, &(a[0]), NULL); + a[2] ^= t ^ C2; +} + +static +void mugi_lambda(uint64_t* b, uint64_t *a){ + uint8_t i; + uint64_t t; + t=b[15]; + for(i=15; i!=0; --i){ + b[i]=b[i-1]; + } + b[0] = t ^ *a; + b[4] ^= b[8]; + b[10] ^= rotl64(b[14], 32); +} + +void mugi_init(const void* key, const void* iv, mugi_ctx_t* ctx){ + uint8_t i; + uint64_t a0; + memcpy(ctx->a, key, 128/8); + ctx->a[2] = rotl64(ctx->a[0], 7) ^ rotr64(ctx->a[1], 7) ^ C0; + for(i=0; i<16;i++){ + mugi_rho_init(ctx->a); + ctx->b[15-i] = ctx->a[0]; + } + ctx->a[0] ^= ((uint64_t*)iv)[0]; + ctx->a[1] ^= ((uint64_t*)iv)[1]; + ctx->a[2] ^= rotl64(((uint64_t*)iv)[0], 7) ^ rotr64(((uint64_t*)iv)[1], 7) ^ C0; + for(i=0; i<16;i++){ + mugi_rho_init(ctx->a); + } + for(i=0; i<15;i++){ + a0 = ctx->a[0]; + mugi_rho(ctx); + mugi_lambda(ctx->b, &a0); + } + a0=0x00; +} + +uint64_t mugi_gen(mugi_ctx_t* ctx){ + uint64_t r; + r=ctx->a[0]; + mugi_rho(ctx); + mugi_lambda(ctx->b, &r); + r=ctx->a[2]; + return r; +} diff --git a/mugi/mugi.h b/mugi/mugi.h new file mode 100644 index 0000000..809b9fd --- /dev/null +++ b/mugi/mugi.h @@ -0,0 +1,41 @@ +/* mugi.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file mugi.h + * \author Daniel Otte + * \date 2009-02-15 + * \brief implementation of the MUGI key stream generator + * \license GPLv3 or later + */ + +#ifndef MUGI_H_ +#define MUGI_H_ + +#include + +typedef struct{ + uint64_t a[3]; + uint64_t b[16]; +}mugi_ctx_t; /* 152 bytes in total */ + +void mugi_init(const void* key, const void* iv, mugi_ctx_t* ctx); +uint64_t mugi_gen(mugi_ctx_t* ctx); + + +#endif /* MUGI_H_ */ diff --git a/shabal-asm.S b/shabal-asm.S deleted file mode 100644 index 31879b3..0000000 --- a/shabal-asm.S +++ /dev/null @@ -1,739 +0,0 @@ -/* shabal-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void shabal_p(shabal_ctx_t* ctx, const void* m){ - uint8_t i,j; - for(i=0;i<16;++i){ - ctx->b[i] = ROTL32(ctx->b[i],17); - } - for(j=0;ja[(i+16*j)%SHABAL_R] = - shabal_u(ctx->a[(i+16*j)%SHABAL_R] - ^ shabal_v(ROTL32(ctx->a[(i+16*j+SHABAL_R-1)%SHABAL_R],15)) - ^ ctx->c[(8-i+16)%16]) - ^ ctx->b[(i+SHABAL_O1)%16] - ^ ((ctx->b[(i+SHABAL_O2)%16]) & ~(ctx->b[(i+SHABAL_O3)%16])) - ^ ((uint32_t*)m)[i]; - ctx->b[i] = ROTL32(ctx->b[i], 1) ^ ~(ctx->a[(i+16*j)%SHABAL_R]); - } - } - - for(j=0;j<36;++j){ - ctx->a[j%SHABAL_R] += ctx->c[(j+3)%16]; - } -} -*/ -MB0 = 2 -MB1 = 3 -AB0 = 4 -AB1 = 5 -BB0 = 6 -BB1 = 7 -CB0 = 8 -CB1 = 9 -AL0 = 10 -AL1 = 11 -AL2 = 12 -AL3 = 13 -A0 = 14 -A1 = 15 -A2 = 16 -A3 = 17 -B0 = 18 -B1 = 19 -B2 = 20 -B3 = 21 -I = 22 -J = 23 -T0 = 26 -T1 = 27 -T2 = 28 -T3 = 29 -/* - * param ctx: r24:r25 - * param m: r22:r23 - */ -; .global shabal_p -shabal_p: - push_range 2, 17 - push r28 - push r29 - movw MB0, r22 - movw r30, r24 - adiw r30, 8 - ld BB0, Z+ - ld BB1, Z+ - ld CB0, Z+ - ld CB1, Z+ - movw AB0, r30 - movw r30, BB0 - adiw r30, 16*4-1 - adiw r30, 1 - ldi r24, 16 -1: - ld A3, -Z - ld A2, -Z - ld A1, -Z - ld A0, -Z - mov r0, A3 - rol r0 - rol A0 - rol A1 - rol A2 - rol A3 - std Z+0, A2 - std Z+1, A3 - std Z+2, A0 - std Z+3, A1 - dec r24 - brne 1b - movw B0, A2 - movw B2, A0 - /* load ctx->a[(i+16*j-1)%12]*/ - movw r26, AB0 - adiw r26, 4*11 - ld AL0, X+ - ld AL1, X+ - ld AL2, X+ - ld AL3, X+ - clr I - clr J -1: - /* ROTL32(AL, 15)*/ - movw T0, AL2 - movw T2, AL0 - mov r0, T0 - ror r0 - ror T3 - ror T2 - ror T1 - ror T0 - movw AL0, T0 - movw AL2, T2 - /* apply V to AL */ - movw A0, AL0 - movw A2, AL2 - lsl A0 - rol A1 - rol A2 - rol A3 - lsl A0 - rol A1 - rol A2 - rol A3 - add A0, AL0 - adc A1, AL1 - adc A2, AL2 - adc A3, AL3 - /* xor in ctx->c[(8-i+16)%16] */ - ldi T0, 24 - sub T0, I - andi T0, 0x0f - lsl T0 - lsl T0 - movw r30, CB0 - add r30, T0 - adc r31, r1 - ld r0, Z+ - eor A0, r0 - ld r0, Z+ - eor A1, r0 - ld r0, Z+ - eor A2, r0 - ld r0, Z+ - eor A3, r0 - /* xor in ctx->a[(i+16*j)%12] */ - mov T0, J - swap T0 /* *=16 */ - add T0, I - ldi r30, lo8(mod12table) - ldi r31, hi8(mod12table) - add r30, T0 - adc r31, r1 - lpm T0, Z - movw r30, AB0 - add r30, T0 - adc r31, r1 - movw T2, r30 - ld r0, Z+ - eor A0, r0 - ld r0, Z+ - eor A1, r0 - ld r0, Z+ - eor A2, r0 - ld r0, Z+ - eor A3, r0 - /* AL = 3*A */ - movw AL0, A0 - movw AL2, A2 - lsl AL0 - rol AL1 - rol AL2 - rol AL3 - add AL0, A0 - adc AL1, A1 - adc AL2, A2 - adc AL3, A3 - /* xor in ctx->b[(i+13)%16] */ - ldi T0, 13 - add T0, I - andi T0, 0x0f - lsl T0 - lsl T0 - movw r30, BB0 - add r30, T0 - adc r31, r1 - ld r0, Z+ - eor AL0, r0 - ld r0, Z+ - eor AL1, r0 - ld r0, Z+ - eor AL2, r0 - ld r0, Z+ - eor AL3, r0 - /* load ctx->b[(i+9)%16] into A */ - ldi T0, 9 - add T0, I - andi T0, 0x0f - lsl T0 - lsl T0 - movw r30, BB0 - add r30, T0 - adc r31, r1 - ld A0, Z+ - ld A1, Z+ - ld A2, Z+ - ld A3, Z+ - /* and in ~(ctx->b[(i+6)%16]) */ - ldi T0, 6 - add T0, I - andi T0, 0x0f - lsl T0 - lsl T0 - movw r30, BB0 - add r30, T0 - adc r31, r1 - ld r0, Z+ - com r0 - and A0, r0 - ld r0, Z+ - com r0 - and A1, r0 - ld r0, Z+ - com r0 - and A2, r0 - ld r0, Z+ - com r0 - and A3, r0 - /* xor A into AL */ - eor AL0, A0 - eor AL1, A1 - eor AL2, A2 - eor AL3, A3 - /* xor m[i] into AL */ - mov T0, I - lsl T0 - lsl T0 - movw r30, MB0 - add r30, T0 - adc r31, r1 - ld r0, Z+ - eor AL0, r0 - ld r0, Z+ - eor AL1, r0 - ld r0, Z+ - eor AL2, r0 - ld r0, Z+ - eor AL3, r0 - /* A (AL) is done, now store it */ - movw r30, T2 - st Z+, AL0 - st Z+, AL1 - st Z+, AL2 - st Z+, AL3 - /* process ctx->b[i] */ - /* ROTL32(b, 1)*/ - mov r0, B3 - rol r0 - rol B0 - rol B1 - rol B2 - rol B3 - /* xor in ~(ctx->a[(i+16*j)%SHABAL_R]) */ - movw A0, AL0 - movw A2, AL2 - com A0 - com A1 - com A2 - com A3 - eor B0, A0 - eor B1, A1 - eor B2, A2 - eor B3, A3 - /* store B */ - movw r30, BB0 - mov T0, I - lsl T0 - lsl T0 - add r30, T0 - adc r31, r1 - st Z+, B0 - st Z+, B1 - st Z+, B2 - st Z+, B3 - inc I - cpi I, 16 - brne local_reload - inc J - cpi J, 3 - brne global_reload - rjmp addition -global_reload: - clr I -local_reload: - mov T0, I - lsl T0 - lsl T0 - movw r30, BB0 - add r30, T0 - adc r31, r1 - ld B0, Z+ - ld B1, Z+ - ld B2, Z+ - ld B3, Z+ - - rjmp 1b -addition: - clr J - movw r30, AB0 - movw r26, CB0 - adiw r26, 3*4 -1: - /* J = 0..11 */ - ld AL0, X+ - ld A0, Z - add A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - inc J - cpi J, 12 - brne 1b - /* J = 12 */ - movw r30, AB0 - ld AL0, X+ - ld A0, Z - add A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - inc J - /* J= 13..23*/ - movw r26, CB0 -1: - ld AL0, X+ - ld A0, Z - add A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - inc J - cpi J, 24 - brne 1b - /* J= 24..28*/ - movw r30, AB0 -1: - ld AL0, X+ - ld A0, Z - add A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - inc J - cpi J, 29 - brne 1b - - /* J= 29..35*/ - movw r26, CB0 -1: - ld AL0, X+ - ld A0, Z - add A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - ld AL0, X+ - ld A0, Z - adc A0, AL0 - st Z+, A0 - inc J - cpi J, 36 - brne 1b -exit: - pop r29 - pop r28 - pop_range 2, 17 - ret - -mod12table: - .byte 0, 4, 8, 12, 16, 20, 24, 28 - .byte 32, 36, 40, 44, 0, 4, 8, 12 - .byte 16, 20, 24, 28, 32, 36, 40, 44 - .byte 0, 4, 8, 12, 16, 20, 24, 28 - .byte 32, 36, 40, 44, 0, 4, 8, 12 - .byte 16, 20, 24, 28, 32, 36, 40, 44 - -/******************************************************************************/ -/* -void shabal_nextBlock(shabal_ctx_t* ctx, const void* block){ - uint8_t i; - uint32_t* t; - for(i=0;i<16;++i){ - ctx->b[i] += ((uint32_t*)block)[i]; - } - ctx->a[0] ^= ctx->w.w32[0]; - ctx->a[1] ^= ctx->w.w32[1]; - shabal_p(ctx, block); - for(i=0;i<16;++i){ - ctx->c[i] -= ((uint32_t*)block)[i]; - } - ctx->w.w64++; - t = ctx->c; - ctx->c = ctx->b; - ctx->b = t; -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - */ -MB0 = 14 -MB1 = 15 -CTX0 = 16 -CTX1 = 17 -.global shabal_nextBlock -shabal_nextBlock: - push_range 14, 17 - movw CTX0, r24 - movw MB0, r22 - /* xor W into A and increment W */ - movw r30, CTX0 - ldi r19, 8 - sec -1: - ld r20, Z - ldd r21, Z+(8+4) - eor r21, r20 - std Z+(8+4), r21 - adc r20, r1 - st Z+, r20 - dec r19 - brne 1b - /* add block to ctx->b */ - ld r26, Z+ - ld r27, Z - movw r30, MB0 - ldi r19, 16 -1: - ld r0, X - ld r18, Z+ - add r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - adc r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - adc r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - adc r0, r18 - st X+, r0 - dec r19 - brne 1b - /* call shbal_p */ - rcall shabal_p - /* sub block from ctx->c */ - movw r30, CTX0 - adiw r30, 8+2 - ld r26, Z+ - ld r27, Z - movw r30, MB0 - ldi r19, 16 -1: - ld r0, X - ld r18, Z+ - sub r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - sbc r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - sbc r0, r18 - st X+, r0 - ld r0, X - ld r18, Z+ - sbc r0, r18 - st X+, r0 - dec r19 - brne 1b - /* xchange ctx->b with ctx->c*/ - movw r30, CTX0 - ldd r22, Z+8 - ldd r23, Z+9 - ldd r24, Z+10 - ldd r25, Z+11 - std Z+10, r22 - std Z+11, r23 - std Z+8, r24 - std Z+9, r25 - pop_range 14, 17 - ret - -/******************************************************************************/ -/* -void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b){ - uint8_t i,j; - uint32_t* t; - uint8_t buffer[64]; - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(ctx, block); - block = (uint8_t*)block + SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - memset(buffer, 0, 64); - memcpy(buffer, block, (length_b+7)/8); - buffer[length_b/8] |= 0x80>>(length_b%8); - for(i=0;i<16;++i){ - ctx->b[i] += ((uint32_t*)buffer)[i]; - } - for(j=0; j<4;++j){ - ctx->a[0] ^= ctx->w.w32[0]; - ctx->a[1] ^= ctx->w.w32[1]; - shabal_p(ctx, buffer); - t = ctx->c; - ctx->c = ctx->b; - ctx->b = t; - } -} -*/ -I = 16 -LEN0 = 16 -LEN1 = 17 -CTX0 = 14 -CTX1 = 15 -MB0 = 12 -MB1 = 13 -/* - * param ctx: r24:r25 - * param block: r22:r23 - * param length_b: r20:r21 - */ -.global shabal_lastBlock -shabal_lastBlock: - push_range 12, 17 - movw CTX0, r24 - movw MB0, r22 - movw LEN0, r20 -1: - cpi LEN1, 0x02 - brlo 2f - movw r24, CTX0 - movw r22, MB0 - rcall shabal_nextBlock - subi LEN1, 0x02 - ldi r18, 64 - add MB0, r18 - adc MB1, r1 - rjmp 1b -2: - stack_alloc_large 64 - adiw r30, 1 /* Z points at buffer */ - movw r26, MB0 - /* r24 = LEN/8*/ - movw r24, LEN0 - lsr r25 - ror r24 - lsr r24 - lsr r24 - ldi r25, 64-1 - sub r25, r24 - tst r24 - breq 32f -31: - ld r0, X+ - st Z+, r0 - dec r24 - brne 31b -32: - ldi r18, 0x80 - andi LEN0, 0x07 - breq append_0x80 - ld r0, X+ -33: - lsr r18 - dec LEN0 - brne 33b - or r0, r18 - st Z+, r0 - rjmp append_zeros -append_0x80: - st Z+, r18 -append_zeros: - tst r25 - breq 4f -34: st Z+, r1 - dec r25 - brne 34b -4: - sbiw r30, 63 - sbiw r30, 1 - movw MB0, r30 - movw r26, CTX0 - adiw r26, 8 - ld r24, X+ - ld r25, X - movw r26, r24 - ldi r18, 16 -41: - ld r24, X - ld r25, Z+ - add r24, r25 - st X+, r24 - ld r24, X - ld r25, Z+ - adc r24, r25 - st X+, r24 - ld r24, X - ld r25, Z+ - adc r24, r25 - st X+, r24 - ld r24, X - ld r25, Z+ - adc r24, r25 - st X+, r24 - dec r18 - brne 41b - /* final loop */ - ldi I, 4 -5: - /* xor W into A */ - movw r30, CTX0 - ldi r19, 8 -51: - ld r24, Z+ - ldd r25, Z+(8+4-1) - eor r24, r25 - std Z+(8+4-1), r24 - dec r19 - brne 51b - movw r24, CTX0 - movw r22, MB0 - rcall shabal_p - movw r30, CTX0 - ldd r22, Z+8 - ldd r23, Z+9 - ldd r24, Z+10 - ldd r25, Z+11 - std Z+10, r22 - std Z+11, r23 - std Z+8, r24 - std Z+9, r25 - dec I - brne 5b - - stack_free_large 64 - pop_range 12, 17 - ret - - - - - - - - - - - - - - diff --git a/shabal.c b/shabal.c deleted file mode 100644 index f18908a..0000000 --- a/shabal.c +++ /dev/null @@ -1,121 +0,0 @@ -/* shabal.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-17 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include - -#define SHABAL_O1 13 -#define SHABAL_O2 9 -#define SHABAL_O3 6 - - -static inline -uint32_t shabal_u(uint32_t a){ - return (a<<1)+a; /* a*3 */ -} - -static inline -uint32_t shabal_v(uint32_t a){ - return (a<<2)+a; /* a*5 */ -} - -#define ROTL32(a,n) (((a)<<(n))|((a)>>(32-(n)))) - -static -void shabal_p(shabal_ctx_t* ctx, const void* m){ - uint8_t i,j; - for(i=0;i<16;++i){ - ctx->b[i] = ROTL32(ctx->b[i],17); - } - for(j=0;ja[(i+j*16)%SHABAL_R] = - shabal_u(ctx->a[(i+j*16)%SHABAL_R] - ^ shabal_v(ROTL32(ctx->a[(i+j*16+SHABAL_R-1)%SHABAL_R],15)) - ^ ctx->c[(8-i+16)%16]) - ^ ctx->b[(i+SHABAL_O1)%16] - ^ ((ctx->b[(i+SHABAL_O2)%16]) & ~(ctx->b[(i+SHABAL_O3)%16])) - ^ ((uint32_t*)m)[i]; - ctx->b[i] = ROTL32(ctx->b[i], 1) ^ ~(ctx->a[(i+j*16)%SHABAL_R]); - } - } - - for(j=0;j<36;++j){ - ctx->a[j%SHABAL_R] += ctx->c[(j+3)%16]; - } -} - -void shabal_nextBlock(shabal_ctx_t* ctx, const void* block){ - uint8_t i; - uint32_t* t; - for(i=0;i<16;++i){ - ctx->b[i] += ((uint32_t*)block)[i]; - } - ctx->a[0] ^= ctx->w.w32[0]; - ctx->a[1] ^= ctx->w.w32[1]; - shabal_p(ctx, block); - for(i=0;i<16;++i){ - ctx->c[i] -= ((uint32_t*)block)[i]; - } - ctx->w.w64++; - t = ctx->c; - ctx->c = ctx->b; - ctx->b = t; -} - -void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b){ - uint8_t i,j; - uint32_t* t; - uint8_t buffer[64]; - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(ctx, block); - block = (uint8_t*)block + SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - memset(buffer, 0, 64); - memcpy(buffer, block, (length_b+7)/8); - buffer[length_b/8] |= 0x80>>(length_b%8); - - for(i=0;i<16;++i){ - ctx->b[i] += ((uint32_t*)buffer)[i]; - } - - for(j=0; j<4;++j){ - ctx->a[0] ^= ctx->w.w32[0]; - ctx->a[1] ^= ctx->w.w32[1]; - shabal_p(ctx, buffer); - t = ctx->c; - ctx->c = ctx->b; - ctx->b = t; - } - -} - -void shabal_ctx2hash(void* dest, const shabal_ctx_t* ctx, uint16_t outlength_b){ - memcpy(dest, &(ctx->c[16-outlength_b/32]), outlength_b/8); -} diff --git a/shabal.h b/shabal.h deleted file mode 100644 index fab23a1..0000000 --- a/shabal.h +++ /dev/null @@ -1,75 +0,0 @@ -/* shabal.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-17 - * \license GPLv3 or later - * - */ - -#ifndef SHABAL_H_ -#define SHABAL_H_ - -#include - -#define SHABAL_BLOCKSIZE 512 -#define SHABAL_BLOCKSIZE_B ((SHABAL_BLOCKSIZE+7)/8) - -#define SHABAL_R 12 -#define SHABAL_P 3 - -typedef struct{ - union{ - uint64_t w64; - uint32_t w32[2]; - } w; /* the counter */ - uint32_t *b; - uint32_t *c; - uint32_t a[SHABAL_R]; - uint32_t b_buffer[16]; - uint32_t c_buffer[16]; -}shabal_ctx_t; - - -void shabal192_init(shabal_ctx_t* ctx); -void shabal224_init(shabal_ctx_t* ctx); -void shabal256_init(shabal_ctx_t* ctx); -void shabal384_init(shabal_ctx_t* ctx); -void shabal512_init(shabal_ctx_t* ctx); - -void shabal_nextBlock(shabal_ctx_t* ctx, const void* block); -void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b); - -void shabal192_ctx2hash(void* dest, const shabal_ctx_t* ctx); -void shabal224_ctx2hash(void* dest, const shabal_ctx_t* ctx); -void shabal256_ctx2hash(void* dest, const shabal_ctx_t* ctx); -void shabal384_ctx2hash(void* dest, const shabal_ctx_t* ctx); -void shabal512_ctx2hash(void* dest, const shabal_ctx_t* ctx); - -void shabal192(void* dest, void* msg, uint32_t length_b); -void shabal224(void* dest, void* msg, uint32_t length_b); -void shabal256(void* dest, void* msg, uint32_t length_b); -void shabal384(void* dest, void* msg, uint32_t length_b); -void shabal512(void* dest, void* msg, uint32_t length_b); - -void shabal_ctx2hash(void* dest, const shabal_ctx_t* ctx, uint16_t outlength_b); - -#endif /* SHABAL_H_ */ diff --git a/shabal/shabal-asm.S b/shabal/shabal-asm.S new file mode 100644 index 0000000..31879b3 --- /dev/null +++ b/shabal/shabal-asm.S @@ -0,0 +1,739 @@ +/* shabal-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void shabal_p(shabal_ctx_t* ctx, const void* m){ + uint8_t i,j; + for(i=0;i<16;++i){ + ctx->b[i] = ROTL32(ctx->b[i],17); + } + for(j=0;ja[(i+16*j)%SHABAL_R] = + shabal_u(ctx->a[(i+16*j)%SHABAL_R] + ^ shabal_v(ROTL32(ctx->a[(i+16*j+SHABAL_R-1)%SHABAL_R],15)) + ^ ctx->c[(8-i+16)%16]) + ^ ctx->b[(i+SHABAL_O1)%16] + ^ ((ctx->b[(i+SHABAL_O2)%16]) & ~(ctx->b[(i+SHABAL_O3)%16])) + ^ ((uint32_t*)m)[i]; + ctx->b[i] = ROTL32(ctx->b[i], 1) ^ ~(ctx->a[(i+16*j)%SHABAL_R]); + } + } + + for(j=0;j<36;++j){ + ctx->a[j%SHABAL_R] += ctx->c[(j+3)%16]; + } +} +*/ +MB0 = 2 +MB1 = 3 +AB0 = 4 +AB1 = 5 +BB0 = 6 +BB1 = 7 +CB0 = 8 +CB1 = 9 +AL0 = 10 +AL1 = 11 +AL2 = 12 +AL3 = 13 +A0 = 14 +A1 = 15 +A2 = 16 +A3 = 17 +B0 = 18 +B1 = 19 +B2 = 20 +B3 = 21 +I = 22 +J = 23 +T0 = 26 +T1 = 27 +T2 = 28 +T3 = 29 +/* + * param ctx: r24:r25 + * param m: r22:r23 + */ +; .global shabal_p +shabal_p: + push_range 2, 17 + push r28 + push r29 + movw MB0, r22 + movw r30, r24 + adiw r30, 8 + ld BB0, Z+ + ld BB1, Z+ + ld CB0, Z+ + ld CB1, Z+ + movw AB0, r30 + movw r30, BB0 + adiw r30, 16*4-1 + adiw r30, 1 + ldi r24, 16 +1: + ld A3, -Z + ld A2, -Z + ld A1, -Z + ld A0, -Z + mov r0, A3 + rol r0 + rol A0 + rol A1 + rol A2 + rol A3 + std Z+0, A2 + std Z+1, A3 + std Z+2, A0 + std Z+3, A1 + dec r24 + brne 1b + movw B0, A2 + movw B2, A0 + /* load ctx->a[(i+16*j-1)%12]*/ + movw r26, AB0 + adiw r26, 4*11 + ld AL0, X+ + ld AL1, X+ + ld AL2, X+ + ld AL3, X+ + clr I + clr J +1: + /* ROTL32(AL, 15)*/ + movw T0, AL2 + movw T2, AL0 + mov r0, T0 + ror r0 + ror T3 + ror T2 + ror T1 + ror T0 + movw AL0, T0 + movw AL2, T2 + /* apply V to AL */ + movw A0, AL0 + movw A2, AL2 + lsl A0 + rol A1 + rol A2 + rol A3 + lsl A0 + rol A1 + rol A2 + rol A3 + add A0, AL0 + adc A1, AL1 + adc A2, AL2 + adc A3, AL3 + /* xor in ctx->c[(8-i+16)%16] */ + ldi T0, 24 + sub T0, I + andi T0, 0x0f + lsl T0 + lsl T0 + movw r30, CB0 + add r30, T0 + adc r31, r1 + ld r0, Z+ + eor A0, r0 + ld r0, Z+ + eor A1, r0 + ld r0, Z+ + eor A2, r0 + ld r0, Z+ + eor A3, r0 + /* xor in ctx->a[(i+16*j)%12] */ + mov T0, J + swap T0 /* *=16 */ + add T0, I + ldi r30, lo8(mod12table) + ldi r31, hi8(mod12table) + add r30, T0 + adc r31, r1 + lpm T0, Z + movw r30, AB0 + add r30, T0 + adc r31, r1 + movw T2, r30 + ld r0, Z+ + eor A0, r0 + ld r0, Z+ + eor A1, r0 + ld r0, Z+ + eor A2, r0 + ld r0, Z+ + eor A3, r0 + /* AL = 3*A */ + movw AL0, A0 + movw AL2, A2 + lsl AL0 + rol AL1 + rol AL2 + rol AL3 + add AL0, A0 + adc AL1, A1 + adc AL2, A2 + adc AL3, A3 + /* xor in ctx->b[(i+13)%16] */ + ldi T0, 13 + add T0, I + andi T0, 0x0f + lsl T0 + lsl T0 + movw r30, BB0 + add r30, T0 + adc r31, r1 + ld r0, Z+ + eor AL0, r0 + ld r0, Z+ + eor AL1, r0 + ld r0, Z+ + eor AL2, r0 + ld r0, Z+ + eor AL3, r0 + /* load ctx->b[(i+9)%16] into A */ + ldi T0, 9 + add T0, I + andi T0, 0x0f + lsl T0 + lsl T0 + movw r30, BB0 + add r30, T0 + adc r31, r1 + ld A0, Z+ + ld A1, Z+ + ld A2, Z+ + ld A3, Z+ + /* and in ~(ctx->b[(i+6)%16]) */ + ldi T0, 6 + add T0, I + andi T0, 0x0f + lsl T0 + lsl T0 + movw r30, BB0 + add r30, T0 + adc r31, r1 + ld r0, Z+ + com r0 + and A0, r0 + ld r0, Z+ + com r0 + and A1, r0 + ld r0, Z+ + com r0 + and A2, r0 + ld r0, Z+ + com r0 + and A3, r0 + /* xor A into AL */ + eor AL0, A0 + eor AL1, A1 + eor AL2, A2 + eor AL3, A3 + /* xor m[i] into AL */ + mov T0, I + lsl T0 + lsl T0 + movw r30, MB0 + add r30, T0 + adc r31, r1 + ld r0, Z+ + eor AL0, r0 + ld r0, Z+ + eor AL1, r0 + ld r0, Z+ + eor AL2, r0 + ld r0, Z+ + eor AL3, r0 + /* A (AL) is done, now store it */ + movw r30, T2 + st Z+, AL0 + st Z+, AL1 + st Z+, AL2 + st Z+, AL3 + /* process ctx->b[i] */ + /* ROTL32(b, 1)*/ + mov r0, B3 + rol r0 + rol B0 + rol B1 + rol B2 + rol B3 + /* xor in ~(ctx->a[(i+16*j)%SHABAL_R]) */ + movw A0, AL0 + movw A2, AL2 + com A0 + com A1 + com A2 + com A3 + eor B0, A0 + eor B1, A1 + eor B2, A2 + eor B3, A3 + /* store B */ + movw r30, BB0 + mov T0, I + lsl T0 + lsl T0 + add r30, T0 + adc r31, r1 + st Z+, B0 + st Z+, B1 + st Z+, B2 + st Z+, B3 + inc I + cpi I, 16 + brne local_reload + inc J + cpi J, 3 + brne global_reload + rjmp addition +global_reload: + clr I +local_reload: + mov T0, I + lsl T0 + lsl T0 + movw r30, BB0 + add r30, T0 + adc r31, r1 + ld B0, Z+ + ld B1, Z+ + ld B2, Z+ + ld B3, Z+ + + rjmp 1b +addition: + clr J + movw r30, AB0 + movw r26, CB0 + adiw r26, 3*4 +1: + /* J = 0..11 */ + ld AL0, X+ + ld A0, Z + add A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + inc J + cpi J, 12 + brne 1b + /* J = 12 */ + movw r30, AB0 + ld AL0, X+ + ld A0, Z + add A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + inc J + /* J= 13..23*/ + movw r26, CB0 +1: + ld AL0, X+ + ld A0, Z + add A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + inc J + cpi J, 24 + brne 1b + /* J= 24..28*/ + movw r30, AB0 +1: + ld AL0, X+ + ld A0, Z + add A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + inc J + cpi J, 29 + brne 1b + + /* J= 29..35*/ + movw r26, CB0 +1: + ld AL0, X+ + ld A0, Z + add A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + ld AL0, X+ + ld A0, Z + adc A0, AL0 + st Z+, A0 + inc J + cpi J, 36 + brne 1b +exit: + pop r29 + pop r28 + pop_range 2, 17 + ret + +mod12table: + .byte 0, 4, 8, 12, 16, 20, 24, 28 + .byte 32, 36, 40, 44, 0, 4, 8, 12 + .byte 16, 20, 24, 28, 32, 36, 40, 44 + .byte 0, 4, 8, 12, 16, 20, 24, 28 + .byte 32, 36, 40, 44, 0, 4, 8, 12 + .byte 16, 20, 24, 28, 32, 36, 40, 44 + +/******************************************************************************/ +/* +void shabal_nextBlock(shabal_ctx_t* ctx, const void* block){ + uint8_t i; + uint32_t* t; + for(i=0;i<16;++i){ + ctx->b[i] += ((uint32_t*)block)[i]; + } + ctx->a[0] ^= ctx->w.w32[0]; + ctx->a[1] ^= ctx->w.w32[1]; + shabal_p(ctx, block); + for(i=0;i<16;++i){ + ctx->c[i] -= ((uint32_t*)block)[i]; + } + ctx->w.w64++; + t = ctx->c; + ctx->c = ctx->b; + ctx->b = t; +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + */ +MB0 = 14 +MB1 = 15 +CTX0 = 16 +CTX1 = 17 +.global shabal_nextBlock +shabal_nextBlock: + push_range 14, 17 + movw CTX0, r24 + movw MB0, r22 + /* xor W into A and increment W */ + movw r30, CTX0 + ldi r19, 8 + sec +1: + ld r20, Z + ldd r21, Z+(8+4) + eor r21, r20 + std Z+(8+4), r21 + adc r20, r1 + st Z+, r20 + dec r19 + brne 1b + /* add block to ctx->b */ + ld r26, Z+ + ld r27, Z + movw r30, MB0 + ldi r19, 16 +1: + ld r0, X + ld r18, Z+ + add r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + adc r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + adc r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + adc r0, r18 + st X+, r0 + dec r19 + brne 1b + /* call shbal_p */ + rcall shabal_p + /* sub block from ctx->c */ + movw r30, CTX0 + adiw r30, 8+2 + ld r26, Z+ + ld r27, Z + movw r30, MB0 + ldi r19, 16 +1: + ld r0, X + ld r18, Z+ + sub r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + sbc r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + sbc r0, r18 + st X+, r0 + ld r0, X + ld r18, Z+ + sbc r0, r18 + st X+, r0 + dec r19 + brne 1b + /* xchange ctx->b with ctx->c*/ + movw r30, CTX0 + ldd r22, Z+8 + ldd r23, Z+9 + ldd r24, Z+10 + ldd r25, Z+11 + std Z+10, r22 + std Z+11, r23 + std Z+8, r24 + std Z+9, r25 + pop_range 14, 17 + ret + +/******************************************************************************/ +/* +void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b){ + uint8_t i,j; + uint32_t* t; + uint8_t buffer[64]; + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(ctx, block); + block = (uint8_t*)block + SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + memset(buffer, 0, 64); + memcpy(buffer, block, (length_b+7)/8); + buffer[length_b/8] |= 0x80>>(length_b%8); + for(i=0;i<16;++i){ + ctx->b[i] += ((uint32_t*)buffer)[i]; + } + for(j=0; j<4;++j){ + ctx->a[0] ^= ctx->w.w32[0]; + ctx->a[1] ^= ctx->w.w32[1]; + shabal_p(ctx, buffer); + t = ctx->c; + ctx->c = ctx->b; + ctx->b = t; + } +} +*/ +I = 16 +LEN0 = 16 +LEN1 = 17 +CTX0 = 14 +CTX1 = 15 +MB0 = 12 +MB1 = 13 +/* + * param ctx: r24:r25 + * param block: r22:r23 + * param length_b: r20:r21 + */ +.global shabal_lastBlock +shabal_lastBlock: + push_range 12, 17 + movw CTX0, r24 + movw MB0, r22 + movw LEN0, r20 +1: + cpi LEN1, 0x02 + brlo 2f + movw r24, CTX0 + movw r22, MB0 + rcall shabal_nextBlock + subi LEN1, 0x02 + ldi r18, 64 + add MB0, r18 + adc MB1, r1 + rjmp 1b +2: + stack_alloc_large 64 + adiw r30, 1 /* Z points at buffer */ + movw r26, MB0 + /* r24 = LEN/8*/ + movw r24, LEN0 + lsr r25 + ror r24 + lsr r24 + lsr r24 + ldi r25, 64-1 + sub r25, r24 + tst r24 + breq 32f +31: + ld r0, X+ + st Z+, r0 + dec r24 + brne 31b +32: + ldi r18, 0x80 + andi LEN0, 0x07 + breq append_0x80 + ld r0, X+ +33: + lsr r18 + dec LEN0 + brne 33b + or r0, r18 + st Z+, r0 + rjmp append_zeros +append_0x80: + st Z+, r18 +append_zeros: + tst r25 + breq 4f +34: st Z+, r1 + dec r25 + brne 34b +4: + sbiw r30, 63 + sbiw r30, 1 + movw MB0, r30 + movw r26, CTX0 + adiw r26, 8 + ld r24, X+ + ld r25, X + movw r26, r24 + ldi r18, 16 +41: + ld r24, X + ld r25, Z+ + add r24, r25 + st X+, r24 + ld r24, X + ld r25, Z+ + adc r24, r25 + st X+, r24 + ld r24, X + ld r25, Z+ + adc r24, r25 + st X+, r24 + ld r24, X + ld r25, Z+ + adc r24, r25 + st X+, r24 + dec r18 + brne 41b + /* final loop */ + ldi I, 4 +5: + /* xor W into A */ + movw r30, CTX0 + ldi r19, 8 +51: + ld r24, Z+ + ldd r25, Z+(8+4-1) + eor r24, r25 + std Z+(8+4-1), r24 + dec r19 + brne 51b + movw r24, CTX0 + movw r22, MB0 + rcall shabal_p + movw r30, CTX0 + ldd r22, Z+8 + ldd r23, Z+9 + ldd r24, Z+10 + ldd r25, Z+11 + std Z+10, r22 + std Z+11, r23 + std Z+8, r24 + std Z+9, r25 + dec I + brne 5b + + stack_free_large 64 + pop_range 12, 17 + ret + + + + + + + + + + + + + + diff --git a/shabal/shabal.c b/shabal/shabal.c new file mode 100644 index 0000000..f18908a --- /dev/null +++ b/shabal/shabal.c @@ -0,0 +1,121 @@ +/* shabal.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-17 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include + +#define SHABAL_O1 13 +#define SHABAL_O2 9 +#define SHABAL_O3 6 + + +static inline +uint32_t shabal_u(uint32_t a){ + return (a<<1)+a; /* a*3 */ +} + +static inline +uint32_t shabal_v(uint32_t a){ + return (a<<2)+a; /* a*5 */ +} + +#define ROTL32(a,n) (((a)<<(n))|((a)>>(32-(n)))) + +static +void shabal_p(shabal_ctx_t* ctx, const void* m){ + uint8_t i,j; + for(i=0;i<16;++i){ + ctx->b[i] = ROTL32(ctx->b[i],17); + } + for(j=0;ja[(i+j*16)%SHABAL_R] = + shabal_u(ctx->a[(i+j*16)%SHABAL_R] + ^ shabal_v(ROTL32(ctx->a[(i+j*16+SHABAL_R-1)%SHABAL_R],15)) + ^ ctx->c[(8-i+16)%16]) + ^ ctx->b[(i+SHABAL_O1)%16] + ^ ((ctx->b[(i+SHABAL_O2)%16]) & ~(ctx->b[(i+SHABAL_O3)%16])) + ^ ((uint32_t*)m)[i]; + ctx->b[i] = ROTL32(ctx->b[i], 1) ^ ~(ctx->a[(i+j*16)%SHABAL_R]); + } + } + + for(j=0;j<36;++j){ + ctx->a[j%SHABAL_R] += ctx->c[(j+3)%16]; + } +} + +void shabal_nextBlock(shabal_ctx_t* ctx, const void* block){ + uint8_t i; + uint32_t* t; + for(i=0;i<16;++i){ + ctx->b[i] += ((uint32_t*)block)[i]; + } + ctx->a[0] ^= ctx->w.w32[0]; + ctx->a[1] ^= ctx->w.w32[1]; + shabal_p(ctx, block); + for(i=0;i<16;++i){ + ctx->c[i] -= ((uint32_t*)block)[i]; + } + ctx->w.w64++; + t = ctx->c; + ctx->c = ctx->b; + ctx->b = t; +} + +void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b){ + uint8_t i,j; + uint32_t* t; + uint8_t buffer[64]; + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(ctx, block); + block = (uint8_t*)block + SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + memset(buffer, 0, 64); + memcpy(buffer, block, (length_b+7)/8); + buffer[length_b/8] |= 0x80>>(length_b%8); + + for(i=0;i<16;++i){ + ctx->b[i] += ((uint32_t*)buffer)[i]; + } + + for(j=0; j<4;++j){ + ctx->a[0] ^= ctx->w.w32[0]; + ctx->a[1] ^= ctx->w.w32[1]; + shabal_p(ctx, buffer); + t = ctx->c; + ctx->c = ctx->b; + ctx->b = t; + } + +} + +void shabal_ctx2hash(void* dest, const shabal_ctx_t* ctx, uint16_t outlength_b){ + memcpy(dest, &(ctx->c[16-outlength_b/32]), outlength_b/8); +} diff --git a/shabal/shabal.h b/shabal/shabal.h new file mode 100644 index 0000000..fab23a1 --- /dev/null +++ b/shabal/shabal.h @@ -0,0 +1,75 @@ +/* shabal.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-17 + * \license GPLv3 or later + * + */ + +#ifndef SHABAL_H_ +#define SHABAL_H_ + +#include + +#define SHABAL_BLOCKSIZE 512 +#define SHABAL_BLOCKSIZE_B ((SHABAL_BLOCKSIZE+7)/8) + +#define SHABAL_R 12 +#define SHABAL_P 3 + +typedef struct{ + union{ + uint64_t w64; + uint32_t w32[2]; + } w; /* the counter */ + uint32_t *b; + uint32_t *c; + uint32_t a[SHABAL_R]; + uint32_t b_buffer[16]; + uint32_t c_buffer[16]; +}shabal_ctx_t; + + +void shabal192_init(shabal_ctx_t* ctx); +void shabal224_init(shabal_ctx_t* ctx); +void shabal256_init(shabal_ctx_t* ctx); +void shabal384_init(shabal_ctx_t* ctx); +void shabal512_init(shabal_ctx_t* ctx); + +void shabal_nextBlock(shabal_ctx_t* ctx, const void* block); +void shabal_lastBlock(shabal_ctx_t* ctx, const void* block, uint16_t length_b); + +void shabal192_ctx2hash(void* dest, const shabal_ctx_t* ctx); +void shabal224_ctx2hash(void* dest, const shabal_ctx_t* ctx); +void shabal256_ctx2hash(void* dest, const shabal_ctx_t* ctx); +void shabal384_ctx2hash(void* dest, const shabal_ctx_t* ctx); +void shabal512_ctx2hash(void* dest, const shabal_ctx_t* ctx); + +void shabal192(void* dest, void* msg, uint32_t length_b); +void shabal224(void* dest, void* msg, uint32_t length_b); +void shabal256(void* dest, void* msg, uint32_t length_b); +void shabal384(void* dest, void* msg, uint32_t length_b); +void shabal512(void* dest, void* msg, uint32_t length_b); + +void shabal_ctx2hash(void* dest, const shabal_ctx_t* ctx, uint16_t outlength_b); + +#endif /* SHABAL_H_ */ diff --git a/shabal/shabal192-asm.S b/shabal/shabal192-asm.S new file mode 100644 index 0000000..09b41d5 --- /dev/null +++ b/shabal/shabal192-asm.S @@ -0,0 +1,191 @@ +/* shabal192-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal192-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +shabal192_iv: + /* A */ +.long 0xFD749ED4, 0xB798E530, 0x33904B6F, 0x46BDA85E +.long 0x076934B4, 0x454B4058, 0x77F74527, 0xFB4CF465 +.long 0x62931DA9, 0xE778C8DB, 0x22B3998E, 0xAC15CFB9 + /* B */ +.long 0x58BCBAC4, 0xEC47A08E, 0xAEE933B2, 0xDFCBC824 +.long 0xA7944804, 0xBF65BDB0, 0x5A9D4502, 0x59979AF7 +.long 0xC5CEA54E, 0x4B6B8150, 0x16E71909, 0x7D632319 +.long 0x930573A0, 0xF34C63D1, 0xCAF914B4, 0xFDD6612C + /* C */ +.long 0x61550878, 0x89EF2B75, 0xA1660C46, 0x7EF3855B +.long 0x7297B58C, 0x1BC67793, 0x7FB1C723, 0xB66FC640 +.long 0x1A48B71C, 0xF0976D17, 0x088CE80A, 0xA454EDF3 +.long 0x1C096BF4, 0xAC76224B, 0x5215781C, 0xCD5D2669 + + +/******************************************************************************/ +/* +void shabal192_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal192_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+16+i])); + } +} +*/ +/* + * param ctx: r24,r25 + */ +.global shabal192_init +shabal192_init: + movw r26, r24 + ldi r24, 1 + st X+, r24 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + movw r24, r26 + adiw r24, 12*4+2+2 + st X+, r24 + st X+, r25 + adiw r24, 4*16-1 + adiw r24, 1 + st X+, r24 + st X+, r25 + ldi r24, (12+16+16) + ldi r30, lo8(shabal192_iv) + ldi r31, hi8(shabal192_iv) +1: lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* + * param dest: r24:r25 + * param ctx: r22:r23 + */ +.global shabal192_ctx2hash +shabal192_ctx2hash: + movw r26, r24 + movw r30, r22 + ldd r24, Z+(8+2) + ldd r25, Z+(8+2+1) + movw r30, r24 + adiw r30, (16-192/32)*4 + ldi r24, 192/8 +1: ld r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* +void shabal192(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal192_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal192_ctx2hash(dest, &ctx); +} +*/ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param length_b: r18:r21 + */ +DST0 = 8 +DST1 = 9 +CTX0 = 10 +CTX1 = 11 +MSG0 = 12 +MSG1 = 13 +LEN2 = 14 +LEN3 = 15 +LEN0 = 16 +LEN1 = 17 +.global shabal192 +shabal192: + push_range 8, 17 + stack_alloc_large 188 + adiw r30, 1 /* Z points to stack space (ctx) */ + movw CTX0, r30 + movw DST0, r24 + movw MSG0, r22 + movw LEN0, r18 + movw LEN2, r20 + movw r24, r30 + rcall shabal192_init +2: + tst LEN2 + brne 3f + tst LEN3 + breq 4f +3: + movw r24, CTX0 + movw r22, MSG0 + rcall shabal_nextBlock + subi LEN1, 0x02 + sbc LEN2, r1 + sbc LEN3, r1 + ldi r18, 64 + add MSG0, r18 + adc MSG1, r1 + rjmp 2b +4: + movw r24, CTX0 + movw r22, MSG0 + movw r20, LEN0 + rcall shabal_lastBlock + movw r24, DST0 + movw r22, CTX0 + rcall shabal192_ctx2hash + stack_free_large2 188 + pop_range 8, 17 + ret + + diff --git a/shabal/shabal192.c b/shabal/shabal192.c new file mode 100644 index 0000000..5540dc8 --- /dev/null +++ b/shabal/shabal192.c @@ -0,0 +1,80 @@ +/* shabal192.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal192.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include +#include + +uint32_t shabal192_iv[] PROGMEM = { + /* A */ + 0xFD749ED4, 0xB798E530, 0x33904B6F, 0x46BDA85E, + 0x076934B4, 0x454B4058, 0x77F74527, 0xFB4CF465, + 0x62931DA9, 0xE778C8DB, 0x22B3998E, 0xAC15CFB9, + /* B */ + 0x58BCBAC4, 0xEC47A08E, 0xAEE933B2, 0xDFCBC824, + 0xA7944804, 0xBF65BDB0, 0x5A9D4502, 0x59979AF7, + 0xC5CEA54E, 0x4B6B8150, 0x16E71909, 0x7D632319, + 0x930573A0, 0xF34C63D1, 0xCAF914B4, 0xFDD6612C, + /* C */ + 0x61550878, 0x89EF2B75, 0xA1660C46, 0x7EF3855B, + 0x7297B58C, 0x1BC67793, 0x7FB1C723, 0xB66FC640, + 0x1A48B71C, 0xF0976D17, 0x088CE80A, 0xA454EDF3, + 0x1C096BF4, 0xAC76224B, 0x5215781C, 0xCD5D2669 +}; + +void shabal192_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal192_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+16+i])); + } +} + +void shabal192_ctx2hash(void* dest, const shabal_ctx_t* ctx){ + shabal_ctx2hash(dest, ctx, 192); +} + +void shabal192(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal192_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal192_ctx2hash(dest, &ctx); +} diff --git a/shabal/shabal224-asm.S b/shabal/shabal224-asm.S new file mode 100644 index 0000000..1168d1b --- /dev/null +++ b/shabal/shabal224-asm.S @@ -0,0 +1,160 @@ +/* shabal224-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal224-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ + +shabal224_iv: + /* A */ +.long 0xA5201467, 0xA9B8D94A, 0xD4CED997, 0x68379D7B +.long 0xA7FC73BA, 0xF1A2546B, 0x606782BF, 0xE0BCFD0F +.long 0x2F25374E, 0x069A149F, 0x5E2DFF25, 0xFAECF061 + /* B */ +.long 0xEC9905D8, 0xF21850CF, 0xC0A746C8, 0x21DAD498 +.long 0x35156EEB, 0x088C97F2, 0x26303E40, 0x8A2D4FB5 +.long 0xFEEE44B6, 0x8A1E9573, 0x7B81111A, 0xCBC139F0 +.long 0xA3513861, 0x1D2C362E, 0x918C580E, 0xB58E1B9C + /* C */ +.long 0xE4B573A1, 0x4C1A0880, 0x1E907C51, 0x04807EFD +.long 0x3AD8CDE5, 0x16B21302, 0x02512C53, 0x2204CB18 +.long 0x99405F2D, 0xE5B648A1, 0x70AB1D43, 0xA10C25C2 +.long 0x16F1AC05, 0x38BBEB56, 0x9B01DC60, 0xB1096D83 + + +/******************************************************************************/ +/* + * param ctx: r24,r25 + */ +.global shabal224_init +shabal224_init: + movw r26, r24 + ldi r24, 1 + st X+, r24 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + movw r24, r26 + adiw r24, 12*4+4 + st X+, r24 + st X+, r25 + adiw r24, 4*16-1 + adiw r24, 1 + st X+, r24 + st X+, r25 + ldi r24, (12+16+16) + ldi r30, lo8(shabal224_iv) + ldi r31, hi8(shabal224_iv) +1: lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ + +.global shabal224_ctx2hash +shabal224_ctx2hash: + movw r26, r24 + movw r30, r22 + ldd r24, Z+(8+2) + ldd r25, Z+(8+2+1) + movw r30, r24 + adiw r30, (16-224/32)*4 + ldi r24, 224/8 +1: ld r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param length_b: r18:r21 + */ +DST0 = 8 +DST1 = 9 +CTX0 = 10 +CTX1 = 11 +MSG0 = 12 +MSG1 = 13 +LEN2 = 14 +LEN3 = 15 +LEN0 = 16 +LEN1 = 17 +.global shabal224 +shabal224: + push_range 8, 17 + stack_alloc_large 188 + adiw r30, 1 /* Z points to stack space (ctx) */ + movw CTX0, r30 + movw DST0, r24 + movw MSG0, r22 + movw LEN0, r18 + movw LEN2, r20 + movw r24, r30 + rcall shabal224_init +2: + tst LEN2 + brne 3f + tst LEN3 + breq 4f +3: + movw r24, CTX0 + movw r22, MSG0 + rcall shabal_nextBlock + subi LEN1, 0x02 + sbc LEN2, r1 + sbc LEN3, r1 + ldi r18, 64 + add MSG0, r18 + adc MSG1, r1 + rjmp 2b +4: + movw r24, CTX0 + movw r22, MSG0 + movw r20, LEN0 + rcall shabal_lastBlock + movw r24, DST0 + movw r22, CTX0 + rcall shabal224_ctx2hash + stack_free_large2 188 + pop_range 8, 17 + ret + + diff --git a/shabal/shabal224.c b/shabal/shabal224.c new file mode 100644 index 0000000..db01d3c --- /dev/null +++ b/shabal/shabal224.c @@ -0,0 +1,80 @@ +/* shabal224.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal224.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include +#include + +uint32_t shabal224_iv[] PROGMEM = { + /* A */ + 0xA5201467, 0xA9B8D94A, 0xD4CED997, 0x68379D7B, + 0xA7FC73BA, 0xF1A2546B, 0x606782BF, 0xE0BCFD0F, + 0x2F25374E, 0x069A149F, 0x5E2DFF25, 0xFAECF061, + /* B */ + 0xEC9905D8, 0xF21850CF, 0xC0A746C8, 0x21DAD498, + 0x35156EEB, 0x088C97F2, 0x26303E40, 0x8A2D4FB5, + 0xFEEE44B6, 0x8A1E9573, 0x7B81111A, 0xCBC139F0, + 0xA3513861, 0x1D2C362E, 0x918C580E, 0xB58E1B9C, + /* C */ + 0xE4B573A1, 0x4C1A0880, 0x1E907C51, 0x04807EFD, + 0x3AD8CDE5, 0x16B21302, 0x02512C53, 0x2204CB18, + 0x99405F2D, 0xE5B648A1, 0x70AB1D43, 0xA10C25C2, + 0x16F1AC05, 0x38BBEB56, 0x9B01DC60, 0xB1096D83 +}; + +void shabal224_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal224_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal224_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal224_iv[SHABAL_R+16+i])); + } +} + +void shabal224_ctx2hash(void* dest, const shabal_ctx_t* ctx){ + shabal_ctx2hash(dest, ctx, 224); +} + +void shabal224(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal224_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal224_ctx2hash(dest, &ctx); +} diff --git a/shabal/shabal256-asm.S b/shabal/shabal256-asm.S new file mode 100644 index 0000000..f95e6c7 --- /dev/null +++ b/shabal/shabal256-asm.S @@ -0,0 +1,159 @@ +/* shabal256-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal256-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ + +shabal256_iv: + /* A */ +.long 0x52F84552, 0xE54B7999, 0x2D8EE3EC, 0xB9645191 +.long 0xE0078B86, 0xBB7C44C9, 0xD2B5C1CA, 0xB0D2EB8C +.long 0x14CE5A45, 0x22AF50DC, 0xEFFDBC6B, 0xEB21B74A + /* B */ +.long 0xB555C6EE, 0x3E710596, 0xA72A652F, 0x9301515F +.long 0xDA28C1FA, 0x696FD868, 0x9CB6BF72, 0x0AFE4002 +.long 0xA6E03615, 0x5138C1D4, 0xBE216306, 0xB38B8890 +.long 0x3EA8B96B, 0x3299ACE4, 0x30924DD4, 0x55CB34A5 + /* C */ +.long 0xB405F031, 0xC4233EBA, 0xB3733979, 0xC0DD9D55 +.long 0xC51C28AE, 0xA327B8E1, 0x56C56167, 0xED614433 +.long 0x88B59D60, 0x60E2CEBA, 0x758B4B8B, 0x83E82A7F +.long 0xBC968828, 0xE6E00BF7, 0xBA839E55, 0x9B491C60 + +/******************************************************************************/ +/* + * param ctx: r24,r25 + */ +.global shabal256_init +shabal256_init: + movw r26, r24 + ldi r24, 1 + st X+, r24 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + movw r24, r26 + adiw r24, 12*4+4 + st X+, r24 + st X+, r25 + adiw r24, 4*16-1 + adiw r24, 1 + st X+, r24 + st X+, r25 + ldi r24, (12+16+16) + ldi r30, lo8(shabal256_iv) + ldi r31, hi8(shabal256_iv) +1: lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ + +.global shabal256_ctx2hash +shabal256_ctx2hash: + movw r26, r24 + movw r30, r22 + ldd r24, Z+(8+2) + ldd r25, Z+(8+2+1) + movw r30, r24 + adiw r30, (16-256/32)*4 + ldi r24, 256/8 +1: ld r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param length_b: r18:r21 + */ +DST0 = 8 +DST1 = 9 +CTX0 = 10 +CTX1 = 11 +MSG0 = 12 +MSG1 = 13 +LEN2 = 14 +LEN3 = 15 +LEN0 = 16 +LEN1 = 17 +.global shabal256 +shabal256: + push_range 8, 17 + stack_alloc_large 188 + adiw r30, 1 /* Z points to stack space (ctx) */ + movw CTX0, r30 + movw DST0, r24 + movw MSG0, r22 + movw LEN0, r18 + movw LEN2, r20 + movw r24, r30 + rcall shabal256_init +2: + tst LEN2 + brne 3f + tst LEN3 + breq 4f +3: + movw r24, CTX0 + movw r22, MSG0 + rcall shabal_nextBlock + subi LEN1, 0x02 + sbc LEN2, r1 + sbc LEN3, r1 + ldi r18, 64 + add MSG0, r18 + adc MSG1, r1 + rjmp 2b +4: + movw r24, CTX0 + movw r22, MSG0 + movw r20, LEN0 + rcall shabal_lastBlock + movw r24, DST0 + movw r22, CTX0 + rcall shabal256_ctx2hash + stack_free_large2 188 + pop_range 8, 17 + ret + + diff --git a/shabal/shabal256.c b/shabal/shabal256.c new file mode 100644 index 0000000..6f5ca19 --- /dev/null +++ b/shabal/shabal256.c @@ -0,0 +1,80 @@ +/* shabal256.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal256.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include +#include + +uint32_t shabal256_iv[] PROGMEM = { + /* A */ + 0x52F84552, 0xE54B7999, 0x2D8EE3EC, 0xB9645191, + 0xE0078B86, 0xBB7C44C9, 0xD2B5C1CA, 0xB0D2EB8C, + 0x14CE5A45, 0x22AF50DC, 0xEFFDBC6B, 0xEB21B74A, + /* B */ + 0xB555C6EE, 0x3E710596, 0xA72A652F, 0x9301515F, + 0xDA28C1FA, 0x696FD868, 0x9CB6BF72, 0x0AFE4002, + 0xA6E03615, 0x5138C1D4, 0xBE216306, 0xB38B8890, + 0x3EA8B96B, 0x3299ACE4, 0x30924DD4, 0x55CB34A5, + /* C */ + 0xB405F031, 0xC4233EBA, 0xB3733979, 0xC0DD9D55, + 0xC51C28AE, 0xA327B8E1, 0x56C56167, 0xED614433, + 0x88B59D60, 0x60E2CEBA, 0x758B4B8B, 0x83E82A7F, + 0xBC968828, 0xE6E00BF7, 0xBA839E55, 0x9B491C60 +}; + +void shabal256_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal256_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal256_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal256_iv[SHABAL_R+16+i])); + } +} + +void shabal256_ctx2hash(void* dest, const shabal_ctx_t* ctx){ + shabal_ctx2hash(dest, ctx, 256); +} + +void shabal256(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal256_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal256_ctx2hash(dest, &ctx); +} diff --git a/shabal/shabal384-asm.S b/shabal/shabal384-asm.S new file mode 100644 index 0000000..e9a053d --- /dev/null +++ b/shabal/shabal384-asm.S @@ -0,0 +1,158 @@ +/* shabal384-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal384-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ + +shabal384_iv: + /* A */ +.long 0xC8FCA331, 0xE55C504E, 0x003EBF26, 0xBB6B8D83 +.long 0x7B0448C1, 0x41B82789, 0x0A7C9601, 0x8D659CFF +.long 0xB6E2673E, 0xCA54C77B, 0x1460FD7E, 0x3FCB8F2D + /* B */ +.long 0x527291FC, 0x2A16455F, 0x78E627E5, 0x944F169F +.long 0x1CA6F016, 0xA854EA25, 0x8DB98ABE, 0xF2C62641 +.long 0x30117DCB, 0xCF5C4309, 0x93711A25, 0xF9F671B8 +.long 0xB01D2116, 0x333F4B89, 0xB285D165, 0x86829B36 + /* C */ +.long 0xF764B11A, 0x76172146, 0xCEF6934D, 0xC6D28399 +.long 0xFE095F61, 0x5E6018B4, 0x5048ECF5, 0x51353261 +.long 0x6E6E36DC, 0x63130DAD, 0xA9C69BD6, 0x1E90EA0C +.long 0x7C35073B, 0x28D95E6D, 0xAA340E0D, 0xCB3DEE70 + +/******************************************************************************/ +/* + * param ctx: r24,r25 + */ +.global shabal384_init +shabal384_init: + movw r26, r24 + ldi r24, 1 + st X+, r24 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + movw r24, r26 + adiw r24, 12*4+4 + st X+, r24 + st X+, r25 + adiw r24, 4*16-1 + adiw r24, 1 + st X+, r24 + st X+, r25 + ldi r24, (12+16+16) + ldi r30, lo8(shabal384_iv) + ldi r31, hi8(shabal384_iv) +1: lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ + +.global shabal384_ctx2hash +shabal384_ctx2hash: + movw r26, r24 + movw r30, r22 + ldd r24, Z+(8+2) + ldd r25, Z+(8+2+1) + movw r30, r24 + adiw r30, (16-384/32)*4 + ldi r24, 384/8 +1: ld r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param length_b: r18:r21 + */ +DST0 = 8 +DST1 = 9 +CTX0 = 10 +CTX1 = 11 +MSG0 = 12 +MSG1 = 13 +LEN2 = 14 +LEN3 = 15 +LEN0 = 16 +LEN1 = 17 +.global shabal384 +shabal384: + push_range 8, 17 + stack_alloc_large 188 + adiw r30, 1 /* Z points to stack space (ctx) */ + movw CTX0, r30 + movw DST0, r24 + movw MSG0, r22 + movw LEN0, r18 + movw LEN2, r20 + movw r24, r30 + rcall shabal384_init +2: + tst LEN2 + brne 3f + tst LEN3 + breq 4f +3: + movw r24, CTX0 + movw r22, MSG0 + rcall shabal_nextBlock + subi LEN1, 0x02 + sbc LEN2, r1 + sbc LEN3, r1 + ldi r18, 64 + add MSG0, r18 + adc MSG1, r1 + rjmp 2b +4: + movw r24, CTX0 + movw r22, MSG0 + movw r20, LEN0 + rcall shabal_lastBlock + movw r24, DST0 + movw r22, CTX0 + rcall shabal384_ctx2hash + stack_free_large2 188 + pop_range 8, 17 + ret + diff --git a/shabal/shabal384.c b/shabal/shabal384.c new file mode 100644 index 0000000..11ab06e --- /dev/null +++ b/shabal/shabal384.c @@ -0,0 +1,80 @@ +/* shabal384.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal384.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include +#include + +uint32_t shabal384_iv[] PROGMEM = { + /* A */ + 0xC8FCA331, 0xE55C504E, 0x003EBF26, 0xBB6B8D83, + 0x7B0448C1, 0x41B82789, 0x0A7C9601, 0x8D659CFF, + 0xB6E2673E, 0xCA54C77B, 0x1460FD7E, 0x3FCB8F2D, + /* B */ + 0x527291FC, 0x2A16455F, 0x78E627E5, 0x944F169F, + 0x1CA6F016, 0xA854EA25, 0x8DB98ABE, 0xF2C62641, + 0x30117DCB, 0xCF5C4309, 0x93711A25, 0xF9F671B8, + 0xB01D2116, 0x333F4B89, 0xB285D165, 0x86829B36, + /* C */ + 0xF764B11A, 0x76172146, 0xCEF6934D, 0xC6D28399, + 0xFE095F61, 0x5E6018B4, 0x5048ECF5, 0x51353261, + 0x6E6E36DC, 0x63130DAD, 0xA9C69BD6, 0x1E90EA0C, + 0x7C35073B, 0x28D95E6D, 0xAA340E0D, 0xCB3DEE70 +}; + +void shabal384_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal384_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal384_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal384_iv[SHABAL_R+16+i])); + } +} + +void shabal384_ctx2hash(void* dest, const shabal_ctx_t* ctx){ + shabal_ctx2hash(dest, ctx, 384); +} + +void shabal384(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal384_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal384_ctx2hash(dest, &ctx); +} diff --git a/shabal/shabal512-asm.S b/shabal/shabal512-asm.S new file mode 100644 index 0000000..0d412ff --- /dev/null +++ b/shabal/shabal512-asm.S @@ -0,0 +1,158 @@ +/* shabal512-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal512-asm.S + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ + +shabal512_iv: + /* A */ +.long 0x20728DFD, 0x46C0BD53, 0xE782B699, 0x55304632 +.long 0x71B4EF90, 0x0EA9E82C, 0xDBB930F1, 0xFAD06B8B +.long 0xBE0CAE40, 0x8BD14410, 0x76D2ADAC, 0x28ACAB7F + /* B */ +.long 0xC1099CB7, 0x07B385F3, 0xE7442C26, 0xCC8AD640 +.long 0xEB6F56C7, 0x1EA81AA9, 0x73B9D314, 0x1DE85D08 +.long 0x48910A5A, 0x893B22DB, 0xC5A0DF44, 0xBBC4324E +.long 0x72D2F240, 0x75941D99, 0x6D8BDE82, 0xA1A7502B + /* C */ +.long 0xD9BF68D1, 0x58BAD750, 0x56028CB2, 0x8134F359 +.long 0xB5D469D8, 0x941A8CC2, 0x418B2A6E, 0x04052780 +.long 0x7F07D787, 0x5194358F, 0x3C60D665, 0xBE97D79A +.long 0x950C3434, 0xAED9A06D, 0x2537DC8D, 0x7CDB5969 + +/******************************************************************************/ +/* + * param ctx: r24,r25 + */ +.global shabal512_init +shabal512_init: + movw r26, r24 + ldi r24, 1 + st X+, r24 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + st X+, r1 + movw r24, r26 + adiw r24, 12*4+4 + st X+, r24 + st X+, r25 + adiw r24, 4*16-1 + adiw r24, 1 + st X+, r24 + st X+, r25 + ldi r24, (12+16+16) + ldi r30, lo8(shabal512_iv) + ldi r31, hi8(shabal512_iv) +1: lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + lpm r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ + +.global shabal512_ctx2hash +shabal512_ctx2hash: + movw r26, r24 + movw r30, r22 + ldd r24, Z+(8+2) + ldd r25, Z+(8+2+1) + movw r30, r24 + ; adiw r30, (16-512/32)*4 + ldi r24, 512/8 +1: ld r0, Z+ + st X+, r0 + dec r24 + brne 1b + ret + +/******************************************************************************/ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param length_b: r18:r21 + */ +DST0 = 8 +DST1 = 9 +CTX0 = 10 +CTX1 = 11 +MSG0 = 12 +MSG1 = 13 +LEN2 = 14 +LEN3 = 15 +LEN0 = 16 +LEN1 = 17 +.global shabal512 +shabal512: + push_range 8, 17 + stack_alloc_large 188 + adiw r30, 1 /* Z points to stack space (ctx) */ + movw CTX0, r30 + movw DST0, r24 + movw MSG0, r22 + movw LEN0, r18 + movw LEN2, r20 + movw r24, r30 + rcall shabal512_init +2: + tst LEN2 + brne 3f + tst LEN3 + breq 4f +3: + movw r24, CTX0 + movw r22, MSG0 + rcall shabal_nextBlock + subi LEN1, 0x02 + sbc LEN2, r1 + sbc LEN3, r1 + ldi r18, 64 + add MSG0, r18 + adc MSG1, r1 + rjmp 2b +4: + movw r24, CTX0 + movw r22, MSG0 + movw r20, LEN0 + rcall shabal_lastBlock + movw r24, DST0 + movw r22, CTX0 + rcall shabal512_ctx2hash + stack_free_large2 188 + pop_range 8, 17 + ret + diff --git a/shabal/shabal512.c b/shabal/shabal512.c new file mode 100644 index 0000000..caad571 --- /dev/null +++ b/shabal/shabal512.c @@ -0,0 +1,80 @@ +/* shabal512.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file shabal512.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-04-27 + * \license GPLv3 or later + * + */ + +#include +#include "shabal.h" +#include +#include + +uint32_t shabal512_iv[] PROGMEM = { + /* A */ + 0x20728DFD, 0x46C0BD53, 0xE782B699, 0x55304632, + 0x71B4EF90, 0x0EA9E82C, 0xDBB930F1, 0xFAD06B8B, + 0xBE0CAE40, 0x8BD14410, 0x76D2ADAC, 0x28ACAB7F, + /* B */ + 0xC1099CB7, 0x07B385F3, 0xE7442C26, 0xCC8AD640, + 0xEB6F56C7, 0x1EA81AA9, 0x73B9D314, 0x1DE85D08, + 0x48910A5A, 0x893B22DB, 0xC5A0DF44, 0xBBC4324E, + 0x72D2F240, 0x75941D99, 0x6D8BDE82, 0xA1A7502B, + /* C */ + 0xD9BF68D1, 0x58BAD750, 0x56028CB2, 0x8134F359, + 0xB5D469D8, 0x941A8CC2, 0x418B2A6E, 0x04052780, + 0x7F07D787, 0x5194358F, 0x3C60D665, 0xBE97D79A, + 0x950C3434, 0xAED9A06D, 0x2537DC8D, 0x7CDB5969, +}; + +void shabal512_init(shabal_ctx_t* ctx){ + uint8_t i; + ctx->b = ctx->b_buffer; + ctx->c = ctx->c_buffer; + ctx->w.w64 = 1LL; + for(i=0;ia[i] = pgm_read_dword(&(shabal512_iv[i])); + } + for(i=0;i<16;++i){ + ctx->b[i] = pgm_read_dword(&(shabal512_iv[SHABAL_R+i])); + } + for(i=0;i<16;++i){ + ctx->c[i] = pgm_read_dword(&(shabal512_iv[SHABAL_R+16+i])); + } +} + +void shabal512_ctx2hash(void* dest, const shabal_ctx_t* ctx){ + shabal_ctx2hash(dest, ctx, 512); +} + +void shabal512(void* dest, void* msg, uint32_t length_b){ + shabal_ctx_t ctx; + shabal512_init(&ctx); + while(length_b>=SHABAL_BLOCKSIZE){ + shabal_nextBlock(&ctx, msg); + msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; + length_b -= SHABAL_BLOCKSIZE; + } + shabal_lastBlock(&ctx, msg, length_b); + shabal512_ctx2hash(dest, &ctx); +} diff --git a/shabal/shabal_shorttest.log b/shabal/shabal_shorttest.log new file mode 100644 index 0000000..faef503 --- /dev/null +++ b/shabal/shabal_shorttest.log @@ -0,0 +1,123 @@ +test + +Test vectors for Shabal (192 bits): +message: + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +hash: + 0F 70 6E CB 97 CF 4D CE 00 BF BB D2 FB 64 53 0C + 32 87 0C B4 48 39 73 0D + +Test vectors for Shabal (192 bits): +message: + 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 + 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 + 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A + 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A + 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 + 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 + 75 76 77 78 79 7A +hash: + 69 0F AE 79 22 6D 95 76 0A E8 FD B4 F5 8C 05 37 + 11 17 56 55 7D 30 7B 15 + +Test vectors for Shabal (224 bits): +message: + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +hash: + 99 DD A6 14 F9 07 D2 E8 81 76 18 F7 30 69 6F 32 + 00 AE CA 8B 5F 85 F4 25 43 BA 20 31 + +Test vectors for Shabal (224 bits): +message: + 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 + 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 + 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A + 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A + 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 + 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 + 75 76 77 78 79 7A +hash: + C7 D6 2D 8D 2A 34 74 B4 F4 A9 D1 1A 52 DB 3D 43 + 5B F1 58 CF 45 4C 5D 56 1D 71 25 F5 + +Test vectors for Shabal (256 bits): +message: + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +hash: + DA 8F 08 C0 2A 67 BA 9A 56 BD D0 79 8E 48 AE 07 + 14 21 5E 09 3B 5B 85 06 49 A3 77 18 99 3F 54 A2 + +Test vectors for Shabal (256 bits): +message: + 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 + 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 + 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A + 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A + 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 + 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 + 75 76 77 78 79 7A +hash: + B4 9F 34 BF 51 86 4C 30 53 3C C4 6C C2 54 2B DE + C2 F9 6F D0 6F 5C 53 9A FF 6E AD 58 83 F7 32 7A + +Test vectors for Shabal (384 bits): +message: + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +hash: + 9D DE 12 33 91 0D 85 DA 3A 5C 78 03 12 B1 11 C6 + FC CA 1B 5D D2 55 37 03 5E E0 8E 3B 4E 1E 25 15 + 4F 72 6A 63 84 E5 A8 F0 AF EA AB 4A C4 C0 2F 12 + +Test vectors for Shabal (384 bits): +message: + 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 + 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 + 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A + 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A + 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 + 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 + 75 76 77 78 79 7A +hash: + 30 01 2C 0E 3E DC 46 0B D7 86 27 C2 C3 09 44 D2 + A1 89 66 9A FA 2D 7A 97 13 EF 2F 77 4C 44 74 A4 + 3A F1 CB CE C5 FA B4 24 8C 08 73 F0 38 FB EB A0 + +Test vectors for Shabal (512 bits): +message: + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +hash: + 15 80 16 C6 C8 1F 3F 0A 52 D9 8D 68 ED 2F 9E 8E + 78 95 EF 23 CB A7 E2 BC 61 09 D8 A5 32 E6 C9 E6 + A6 A5 01 97 9F B8 37 F0 4E C4 C6 20 E7 31 79 DC + 82 AB B5 2B 32 CD AD B3 56 50 E2 9C 98 5E 30 22 + +Test vectors for Shabal (512 bits): +message: + 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 + 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 + 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A + 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A + 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 + 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 + 75 76 77 78 79 7A +hash: + 67 7E 6F 7F 12 D7 0A F0 B3 35 66 2F 59 B5 68 51 + F3 65 3E 66 64 7D 33 86 DF DA 01 43 25 4C C8 A5 + DB 3E 21 94 06 8C 6F 71 59 7D 7B 60 98 4D 22 B4 + 7A 1F 60 D9 1C A8 DF CB 17 5D 65 B9 73 59 CE CF +> \ No newline at end of file diff --git a/shabal/shabal_shorttest.log.ps b/shabal/shabal_shorttest.log.ps new file mode 100644 index 0000000..ecb1048 --- /dev/null +++ b/shabal/shabal_shorttest.log.ps @@ -0,0 +1,713 @@ +%!PS-Adobe-3.0 +%%BoundingBox: 24 24 571 818 +%%Title: Enscript Output +%%For: +%%Creator: GNU enscript 1.6.4 +%%CreationDate: Mon Apr 27 00:59:17 2009 +%%Orientation: Portrait +%%Pages: (atend) +%%DocumentMedia: A4 595 842 0 () () +%%DocumentNeededResources: (atend) +%%EndComments +%%BeginProlog +%%BeginResource: procset Enscript-Prolog 1.6 4 +% +% Procedures. +% + +/_S { % save current state + /_s save def +} def +/_R { % restore from saved state + _s restore +} def + +/S { % showpage protecting gstate + gsave + showpage + grestore +} bind def + +/MF { % fontname newfontname -> - make a new encoded font + /newfontname exch def + /fontname exch def + + /fontdict fontname findfont def + /newfont fontdict maxlength dict def + + fontdict { + exch + dup /FID eq { + % skip FID pair + pop pop + } { + % copy to the new font dictionary + exch newfont 3 1 roll put + } ifelse + } forall + + newfont /FontName newfontname put + + % insert only valid encoding vectors + encoding_vector length 256 eq { + newfont /Encoding encoding_vector put + } if + + newfontname newfont definefont pop +} def + +/MF_PS { % fontname newfontname -> - make a new font preserving its enc + /newfontname exch def + /fontname exch def + + /fontdict fontname findfont def + /newfont fontdict maxlength dict def + + fontdict { + exch + dup /FID eq { + % skip FID pair + pop pop + } { + % copy to the new font dictionary + exch newfont 3 1 roll put + } ifelse + } forall + + newfont /FontName newfontname put + + newfontname newfont definefont pop +} def + +/SF { % fontname width height -> - set a new font + /height exch def + /width exch def + + findfont + [width 0 0 height 0 0] makefont setfont +} def + +/SUF { % fontname width height -> - set a new user font + /height exch def + /width exch def + + /F-gs-user-font MF + /F-gs-user-font width height SF +} def + +/SUF_PS { % fontname width height -> - set a new user font preserving its enc + /height exch def + /width exch def + + /F-gs-user-font MF_PS + /F-gs-user-font width height SF +} def + +/M {moveto} bind def +/s {show} bind def + +/Box { % x y w h -> - define box path + /d_h exch def /d_w exch def /d_y exch def /d_x exch def + d_x d_y moveto + d_w 0 rlineto + 0 d_h rlineto + d_w neg 0 rlineto + closepath +} def + +/bgs { % x y height blskip gray str -> - show string with bg color + /str exch def + /gray exch def + /blskip exch def + /height exch def + /y exch def + /x exch def + + gsave + x y blskip sub str stringwidth pop height Box + gray setgray + fill + grestore + x y M str s +} def + +/bgcs { % x y height blskip red green blue str -> - show string with bg color + /str exch def + /blue exch def + /green exch def + /red exch def + /blskip exch def + /height exch def + /y exch def + /x exch def + + gsave + x y blskip sub str stringwidth pop height Box + red green blue setrgbcolor + fill + grestore + x y M str s +} def + +% Highlight bars. +/highlight_bars { % nlines lineheight output_y_margin gray -> - + gsave + setgray + /ymarg exch def + /lineheight exch def + /nlines exch def + + % This 2 is just a magic number to sync highlight lines to text. + 0 d_header_y ymarg sub 2 sub translate + + /cw d_output_w cols div def + /nrows d_output_h ymarg 2 mul sub lineheight div cvi def + + % for each column + 0 1 cols 1 sub { + cw mul /xp exch def + + % for each rows + 0 1 nrows 1 sub { + /rn exch def + rn lineheight mul neg /yp exch def + rn nlines idiv 2 mod 0 eq { + % Draw highlight bar. 4 is just a magic indentation. + xp 4 add yp cw 8 sub lineheight neg Box fill + } if + } for + } for + + grestore +} def + +% Line highlight bar. +/line_highlight { % x y width height gray -> - + gsave + /gray exch def + Box gray setgray fill + grestore +} def + +% Column separator lines. +/column_lines { + gsave + .1 setlinewidth + 0 d_footer_h translate + /cw d_output_w cols div def + 1 1 cols 1 sub { + cw mul 0 moveto + 0 d_output_h rlineto stroke + } for + grestore +} def + +% Column borders. +/column_borders { + gsave + .1 setlinewidth + 0 d_footer_h moveto + 0 d_output_h rlineto + d_output_w 0 rlineto + 0 d_output_h neg rlineto + closepath stroke + grestore +} def + +% Do the actual underlay drawing +/draw_underlay { + ul_style 0 eq { + ul_str true charpath stroke + } { + ul_str show + } ifelse +} def + +% Underlay +/underlay { % - -> - + gsave + 0 d_page_h translate + d_page_h neg d_page_w atan rotate + + ul_gray setgray + ul_font setfont + /dw d_page_h dup mul d_page_w dup mul add sqrt def + ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto + draw_underlay + grestore +} def + +/user_underlay { % - -> - + gsave + ul_x ul_y translate + ul_angle rotate + ul_gray setgray + ul_font setfont + 0 0 ul_h_ptsize 2 div sub moveto + draw_underlay + grestore +} def + +% Page prefeed +/page_prefeed { % bool -> - + statusdict /prefeed known { + statusdict exch /prefeed exch put + } { + pop + } ifelse +} def + +% Wrapped line markers +/wrapped_line_mark { % x y charwith charheight type -> - + /type exch def + /h exch def + /w exch def + /y exch def + /x exch def + + type 2 eq { + % Black boxes (like TeX does) + gsave + 0 setlinewidth + x w 4 div add y M + 0 h rlineto w 2 div 0 rlineto 0 h neg rlineto + closepath fill + grestore + } { + type 3 eq { + % Small arrows + gsave + .2 setlinewidth + x w 2 div add y h 2 div add M + w 4 div 0 rlineto + x w 4 div add y lineto stroke + + x w 4 div add w 8 div add y h 4 div add M + x w 4 div add y lineto + w 4 div h 8 div rlineto stroke + grestore + } { + % do nothing + } ifelse + } ifelse +} def + +% EPSF import. + +/BeginEPSF { + /b4_Inc_state save def % Save state for cleanup + /dict_count countdictstack def % Count objects on dict stack + /op_count count 1 sub def % Count objects on operand stack + userdict begin + /showpage { } def + 0 setgray 0 setlinecap + 1 setlinewidth 0 setlinejoin + 10 setmiterlimit [ ] 0 setdash newpath + /languagelevel where { + pop languagelevel + 1 ne { + false setstrokeadjust false setoverprint + } if + } if +} bind def + +/EndEPSF { + count op_count sub { pos } repeat % Clean up stacks + countdictstack dict_count sub { end } repeat + b4_Inc_state restore +} bind def + +% Check PostScript language level. +/languagelevel where { + pop /gs_languagelevel languagelevel def +} { + /gs_languagelevel 1 def +} ifelse +%%EndResource +%%BeginResource: procset Enscript-Encoding-88591 1.6 4 +/encoding_vector [ +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/space /exclam /quotedbl /numbersign +/dollar /percent /ampersand /quoteright +/parenleft /parenright /asterisk /plus +/comma /hyphen /period /slash +/zero /one /two /three +/four /five /six /seven +/eight /nine /colon /semicolon +/less /equal /greater /question +/at /A /B /C +/D /E /F /G +/H /I /J /K +/L /M /N /O +/P /Q /R /S +/T /U /V /W +/X /Y /Z /bracketleft +/backslash /bracketright /asciicircum /underscore +/quoteleft /a /b /c +/d /e /f /g +/h /i /j /k +/l /m /n /o +/p /q /r /s +/t /u /v /w +/x /y /z /braceleft +/bar /braceright /tilde /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/.notdef /.notdef /.notdef /.notdef +/space /exclamdown /cent /sterling +/currency /yen /brokenbar /section +/dieresis /copyright /ordfeminine /guillemotleft +/logicalnot /hyphen /registered /macron +/degree /plusminus /twosuperior /threesuperior +/acute /mu /paragraph /bullet +/cedilla /onesuperior /ordmasculine /guillemotright +/onequarter /onehalf /threequarters /questiondown +/Agrave /Aacute /Acircumflex /Atilde +/Adieresis /Aring /AE /Ccedilla +/Egrave /Eacute /Ecircumflex /Edieresis +/Igrave /Iacute /Icircumflex /Idieresis +/Eth /Ntilde /Ograve /Oacute +/Ocircumflex /Otilde /Odieresis /multiply +/Oslash /Ugrave /Uacute /Ucircumflex +/Udieresis /Yacute /Thorn /germandbls +/agrave /aacute /acircumflex /atilde +/adieresis /aring /ae /ccedilla +/egrave /eacute /ecircumflex /edieresis +/igrave /iacute /icircumflex /idieresis +/eth /ntilde /ograve /oacute +/ocircumflex /otilde /odieresis /divide +/oslash /ugrave /uacute /ucircumflex +/udieresis /yacute /thorn /ydieresis +] def +%%EndResource +%%EndProlog +%%BeginSetup +%%IncludeResource: font Courier-Bold +%%IncludeResource: font Courier +/HFpt_w 10 def +/HFpt_h 10 def +/Courier-Bold /HF-gs-font MF +/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def +/Courier /F-gs-font MF +/F-gs-font 10 10 SF +/#copies 1 def +% Pagedevice definitions: +gs_languagelevel 1 gt { + << + /PageSize [595 842] + >> setpagedevice +} if +%%BeginResource: procset Enscript-Header-simple 1.6 4 + +/do_header { % print default simple header + gsave + d_header_x d_header_y HFpt_h 3 div add translate + + HF setfont + user_header_p { + 5 0 moveto user_header_left_str show + + d_header_w user_header_center_str stringwidth pop sub 2 div + 0 moveto user_header_center_str show + + d_header_w user_header_right_str stringwidth pop sub 5 sub + 0 moveto user_header_right_str show + } { + 5 0 moveto fname show + 45 0 rmoveto fmodstr show + 45 0 rmoveto pagenumstr show + } ifelse + + grestore +} def +%%EndResource +/d_page_w 547 def +/d_page_h 794 def +/d_header_x 0 def +/d_header_y 779 def +/d_header_w 547 def +/d_header_h 15 def +/d_footer_x 0 def +/d_footer_y 0 def +/d_footer_w 547 def +/d_footer_h 0 def +/d_output_w 547 def +/d_output_h 779 def +/cols 1 def +%%EndSetup +%%Page: (1) 1 +%%BeginPageSetup +_S +24 24 translate +/pagenum 1 def +/fname (shabal_shorttest.log) def +/fdir () def +/ftail (shabal_shorttest.log) def +% User defined strings: +/fmodstr (Mon Apr 27 00:58:21 2009) def +/pagenumstr (1) def +/user_header_p false def +/user_footer_p false def +%%EndPageSetup +do_header +5 766 M +(test) s +5 744 M +(Test vectors for Shabal \(192 bits\):) s +5 733 M +(message:) s +5 722 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 711 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 700 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 689 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 678 M +(hash:) s +5 667 M +( 0F 70 6E CB 97 CF 4D CE 00 BF BB D2 FB 64 53 0C ) s +5 656 M +( 32 87 0C B4 48 39 73 0D ) s +5 634 M +(Test vectors for Shabal \(192 bits\):) s +5 623 M +(message:) s +5 612 M +( 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 ) s +5 601 M +( 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 ) s +5 590 M +( 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A ) s +5 579 M +( 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A ) s +5 568 M +( 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 ) s +5 557 M +( 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 ) s +5 546 M +( 75 76 77 78 79 7A ) s +5 535 M +(hash:) s +5 524 M +( 69 0F AE 79 22 6D 95 76 0A E8 FD B4 F5 8C 05 37 ) s +5 513 M +( 11 17 56 55 7D 30 7B 15 ) s +5 491 M +(Test vectors for Shabal \(224 bits\):) s +5 480 M +(message:) s +5 469 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 458 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 447 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 436 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 425 M +(hash:) s +5 414 M +( 99 DD A6 14 F9 07 D2 E8 81 76 18 F7 30 69 6F 32 ) s +5 403 M +( 00 AE CA 8B 5F 85 F4 25 43 BA 20 31 ) s +5 381 M +(Test vectors for Shabal \(224 bits\):) s +5 370 M +(message:) s +5 359 M +( 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 ) s +5 348 M +( 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 ) s +5 337 M +( 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A ) s +5 326 M +( 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A ) s +5 315 M +( 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 ) s +5 304 M +( 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 ) s +5 293 M +( 75 76 77 78 79 7A ) s +5 282 M +(hash:) s +5 271 M +( C7 D6 2D 8D 2A 34 74 B4 F4 A9 D1 1A 52 DB 3D 43 ) s +5 260 M +( 5B F1 58 CF 45 4C 5D 56 1D 71 25 F5 ) s +5 238 M +(Test vectors for Shabal \(256 bits\):) s +5 227 M +(message:) s +5 216 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 205 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 194 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 183 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 172 M +(hash:) s +5 161 M +( DA 8F 08 C0 2A 67 BA 9A 56 BD D0 79 8E 48 AE 07 ) s +5 150 M +( 14 21 5E 09 3B 5B 85 06 49 A3 77 18 99 3F 54 A2 ) s +5 128 M +(Test vectors for Shabal \(256 bits\):) s +5 117 M +(message:) s +5 106 M +( 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 ) s +5 95 M +( 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 ) s +5 84 M +( 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A ) s +5 73 M +( 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A ) s +5 62 M +( 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 ) s +5 51 M +( 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 ) s +5 40 M +( 75 76 77 78 79 7A ) s +5 29 M +(hash:) s +5 18 M +( B4 9F 34 BF 51 86 4C 30 53 3C C4 6C C2 54 2B DE ) s +5 7 M +( C2 F9 6F D0 6F 5C 53 9A FF 6E AD 58 83 F7 32 7A ) s +_R +S +%%Page: (2) 2 +%%BeginPageSetup +_S +24 24 translate +/pagenum 2 def +/fname (shabal_shorttest.log) def +/fdir () def +/ftail (shabal_shorttest.log) def +% User defined strings: +/fmodstr (Mon Apr 27 00:58:21 2009) def +/pagenumstr (2) def +/user_header_p false def +/user_footer_p false def +%%EndPageSetup +do_header +5 755 M +(Test vectors for Shabal \(384 bits\):) s +5 744 M +(message:) s +5 733 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 722 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 711 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 700 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 689 M +(hash:) s +5 678 M +( 9D DE 12 33 91 0D 85 DA 3A 5C 78 03 12 B1 11 C6 ) s +5 667 M +( FC CA 1B 5D D2 55 37 03 5E E0 8E 3B 4E 1E 25 15 ) s +5 656 M +( 4F 72 6A 63 84 E5 A8 F0 AF EA AB 4A C4 C0 2F 12 ) s +5 634 M +(Test vectors for Shabal \(384 bits\):) s +5 623 M +(message:) s +5 612 M +( 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 ) s +5 601 M +( 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 ) s +5 590 M +( 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A ) s +5 579 M +( 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A ) s +5 568 M +( 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 ) s +5 557 M +( 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 ) s +5 546 M +( 75 76 77 78 79 7A ) s +5 535 M +(hash:) s +5 524 M +( 30 01 2C 0E 3E DC 46 0B D7 86 27 C2 C3 09 44 D2 ) s +5 513 M +( A1 89 66 9A FA 2D 7A 97 13 EF 2F 77 4C 44 74 A4 ) s +5 502 M +( 3A F1 CB CE C5 FA B4 24 8C 08 73 F0 38 FB EB A0 ) s +5 480 M +(Test vectors for Shabal \(512 bits\):) s +5 469 M +(message:) s +5 458 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 447 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 436 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 425 M +( 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ) s +5 414 M +(hash:) s +5 403 M +( 15 80 16 C6 C8 1F 3F 0A 52 D9 8D 68 ED 2F 9E 8E ) s +5 392 M +( 78 95 EF 23 CB A7 E2 BC 61 09 D8 A5 32 E6 C9 E6 ) s +5 381 M +( A6 A5 01 97 9F B8 37 F0 4E C4 C6 20 E7 31 79 DC ) s +5 370 M +( 82 AB B5 2B 32 CD AD B3 56 50 E2 9C 98 5E 30 22 ) s +5 348 M +(Test vectors for Shabal \(512 bits\):) s +5 337 M +(message:) s +5 326 M +( 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 ) s +5 315 M +( 71 72 73 74 75 76 77 78 79 7A 2D 30 31 32 33 34 ) s +5 304 M +( 35 36 37 38 39 2D 41 42 43 44 45 46 47 48 49 4A ) s +5 293 M +( 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A ) s +5 282 M +( 2D 30 31 32 33 34 35 36 37 38 39 2D 61 62 63 64 ) s +5 271 M +( 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 ) s +5 260 M +( 75 76 77 78 79 7A ) s +5 249 M +(hash:) s +5 238 M +( 67 7E 6F 7F 12 D7 0A F0 B3 35 66 2F 59 B5 68 51 ) s +5 227 M +( F3 65 3E 66 64 7D 33 86 DF DA 01 43 25 4C C8 A5 ) s +5 216 M +( DB 3E 21 94 06 8C 6F 71 59 7D 7B 60 98 4D 22 B4 ) s +5 205 M +( 7A 1F 60 D9 1C A8 DF CB 17 5D 65 B9 73 59 CE CF ) s +5 194 M +(>) s +_R +S +%%Trailer +%%Pages: 2 +%%DocumentNeededResources: font Courier-Bold Courier +%%EOF diff --git a/shabal192-asm.S b/shabal192-asm.S deleted file mode 100644 index 09b41d5..0000000 --- a/shabal192-asm.S +++ /dev/null @@ -1,191 +0,0 @@ -/* shabal192-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal192-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -shabal192_iv: - /* A */ -.long 0xFD749ED4, 0xB798E530, 0x33904B6F, 0x46BDA85E -.long 0x076934B4, 0x454B4058, 0x77F74527, 0xFB4CF465 -.long 0x62931DA9, 0xE778C8DB, 0x22B3998E, 0xAC15CFB9 - /* B */ -.long 0x58BCBAC4, 0xEC47A08E, 0xAEE933B2, 0xDFCBC824 -.long 0xA7944804, 0xBF65BDB0, 0x5A9D4502, 0x59979AF7 -.long 0xC5CEA54E, 0x4B6B8150, 0x16E71909, 0x7D632319 -.long 0x930573A0, 0xF34C63D1, 0xCAF914B4, 0xFDD6612C - /* C */ -.long 0x61550878, 0x89EF2B75, 0xA1660C46, 0x7EF3855B -.long 0x7297B58C, 0x1BC67793, 0x7FB1C723, 0xB66FC640 -.long 0x1A48B71C, 0xF0976D17, 0x088CE80A, 0xA454EDF3 -.long 0x1C096BF4, 0xAC76224B, 0x5215781C, 0xCD5D2669 - - -/******************************************************************************/ -/* -void shabal192_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal192_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+16+i])); - } -} -*/ -/* - * param ctx: r24,r25 - */ -.global shabal192_init -shabal192_init: - movw r26, r24 - ldi r24, 1 - st X+, r24 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - movw r24, r26 - adiw r24, 12*4+2+2 - st X+, r24 - st X+, r25 - adiw r24, 4*16-1 - adiw r24, 1 - st X+, r24 - st X+, r25 - ldi r24, (12+16+16) - ldi r30, lo8(shabal192_iv) - ldi r31, hi8(shabal192_iv) -1: lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* - * param dest: r24:r25 - * param ctx: r22:r23 - */ -.global shabal192_ctx2hash -shabal192_ctx2hash: - movw r26, r24 - movw r30, r22 - ldd r24, Z+(8+2) - ldd r25, Z+(8+2+1) - movw r30, r24 - adiw r30, (16-192/32)*4 - ldi r24, 192/8 -1: ld r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* -void shabal192(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal192_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal192_ctx2hash(dest, &ctx); -} -*/ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param length_b: r18:r21 - */ -DST0 = 8 -DST1 = 9 -CTX0 = 10 -CTX1 = 11 -MSG0 = 12 -MSG1 = 13 -LEN2 = 14 -LEN3 = 15 -LEN0 = 16 -LEN1 = 17 -.global shabal192 -shabal192: - push_range 8, 17 - stack_alloc_large 188 - adiw r30, 1 /* Z points to stack space (ctx) */ - movw CTX0, r30 - movw DST0, r24 - movw MSG0, r22 - movw LEN0, r18 - movw LEN2, r20 - movw r24, r30 - rcall shabal192_init -2: - tst LEN2 - brne 3f - tst LEN3 - breq 4f -3: - movw r24, CTX0 - movw r22, MSG0 - rcall shabal_nextBlock - subi LEN1, 0x02 - sbc LEN2, r1 - sbc LEN3, r1 - ldi r18, 64 - add MSG0, r18 - adc MSG1, r1 - rjmp 2b -4: - movw r24, CTX0 - movw r22, MSG0 - movw r20, LEN0 - rcall shabal_lastBlock - movw r24, DST0 - movw r22, CTX0 - rcall shabal192_ctx2hash - stack_free_large2 188 - pop_range 8, 17 - ret - - diff --git a/shabal192.c b/shabal192.c deleted file mode 100644 index 5540dc8..0000000 --- a/shabal192.c +++ /dev/null @@ -1,80 +0,0 @@ -/* shabal192.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal192.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include -#include - -uint32_t shabal192_iv[] PROGMEM = { - /* A */ - 0xFD749ED4, 0xB798E530, 0x33904B6F, 0x46BDA85E, - 0x076934B4, 0x454B4058, 0x77F74527, 0xFB4CF465, - 0x62931DA9, 0xE778C8DB, 0x22B3998E, 0xAC15CFB9, - /* B */ - 0x58BCBAC4, 0xEC47A08E, 0xAEE933B2, 0xDFCBC824, - 0xA7944804, 0xBF65BDB0, 0x5A9D4502, 0x59979AF7, - 0xC5CEA54E, 0x4B6B8150, 0x16E71909, 0x7D632319, - 0x930573A0, 0xF34C63D1, 0xCAF914B4, 0xFDD6612C, - /* C */ - 0x61550878, 0x89EF2B75, 0xA1660C46, 0x7EF3855B, - 0x7297B58C, 0x1BC67793, 0x7FB1C723, 0xB66FC640, - 0x1A48B71C, 0xF0976D17, 0x088CE80A, 0xA454EDF3, - 0x1C096BF4, 0xAC76224B, 0x5215781C, 0xCD5D2669 -}; - -void shabal192_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal192_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal192_iv[SHABAL_R+16+i])); - } -} - -void shabal192_ctx2hash(void* dest, const shabal_ctx_t* ctx){ - shabal_ctx2hash(dest, ctx, 192); -} - -void shabal192(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal192_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal192_ctx2hash(dest, &ctx); -} diff --git a/shabal224-asm.S b/shabal224-asm.S deleted file mode 100644 index 1168d1b..0000000 --- a/shabal224-asm.S +++ /dev/null @@ -1,160 +0,0 @@ -/* shabal224-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal224-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ - -shabal224_iv: - /* A */ -.long 0xA5201467, 0xA9B8D94A, 0xD4CED997, 0x68379D7B -.long 0xA7FC73BA, 0xF1A2546B, 0x606782BF, 0xE0BCFD0F -.long 0x2F25374E, 0x069A149F, 0x5E2DFF25, 0xFAECF061 - /* B */ -.long 0xEC9905D8, 0xF21850CF, 0xC0A746C8, 0x21DAD498 -.long 0x35156EEB, 0x088C97F2, 0x26303E40, 0x8A2D4FB5 -.long 0xFEEE44B6, 0x8A1E9573, 0x7B81111A, 0xCBC139F0 -.long 0xA3513861, 0x1D2C362E, 0x918C580E, 0xB58E1B9C - /* C */ -.long 0xE4B573A1, 0x4C1A0880, 0x1E907C51, 0x04807EFD -.long 0x3AD8CDE5, 0x16B21302, 0x02512C53, 0x2204CB18 -.long 0x99405F2D, 0xE5B648A1, 0x70AB1D43, 0xA10C25C2 -.long 0x16F1AC05, 0x38BBEB56, 0x9B01DC60, 0xB1096D83 - - -/******************************************************************************/ -/* - * param ctx: r24,r25 - */ -.global shabal224_init -shabal224_init: - movw r26, r24 - ldi r24, 1 - st X+, r24 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - movw r24, r26 - adiw r24, 12*4+4 - st X+, r24 - st X+, r25 - adiw r24, 4*16-1 - adiw r24, 1 - st X+, r24 - st X+, r25 - ldi r24, (12+16+16) - ldi r30, lo8(shabal224_iv) - ldi r31, hi8(shabal224_iv) -1: lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ - -.global shabal224_ctx2hash -shabal224_ctx2hash: - movw r26, r24 - movw r30, r22 - ldd r24, Z+(8+2) - ldd r25, Z+(8+2+1) - movw r30, r24 - adiw r30, (16-224/32)*4 - ldi r24, 224/8 -1: ld r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param length_b: r18:r21 - */ -DST0 = 8 -DST1 = 9 -CTX0 = 10 -CTX1 = 11 -MSG0 = 12 -MSG1 = 13 -LEN2 = 14 -LEN3 = 15 -LEN0 = 16 -LEN1 = 17 -.global shabal224 -shabal224: - push_range 8, 17 - stack_alloc_large 188 - adiw r30, 1 /* Z points to stack space (ctx) */ - movw CTX0, r30 - movw DST0, r24 - movw MSG0, r22 - movw LEN0, r18 - movw LEN2, r20 - movw r24, r30 - rcall shabal224_init -2: - tst LEN2 - brne 3f - tst LEN3 - breq 4f -3: - movw r24, CTX0 - movw r22, MSG0 - rcall shabal_nextBlock - subi LEN1, 0x02 - sbc LEN2, r1 - sbc LEN3, r1 - ldi r18, 64 - add MSG0, r18 - adc MSG1, r1 - rjmp 2b -4: - movw r24, CTX0 - movw r22, MSG0 - movw r20, LEN0 - rcall shabal_lastBlock - movw r24, DST0 - movw r22, CTX0 - rcall shabal224_ctx2hash - stack_free_large2 188 - pop_range 8, 17 - ret - - diff --git a/shabal224.c b/shabal224.c deleted file mode 100644 index db01d3c..0000000 --- a/shabal224.c +++ /dev/null @@ -1,80 +0,0 @@ -/* shabal224.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal224.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include -#include - -uint32_t shabal224_iv[] PROGMEM = { - /* A */ - 0xA5201467, 0xA9B8D94A, 0xD4CED997, 0x68379D7B, - 0xA7FC73BA, 0xF1A2546B, 0x606782BF, 0xE0BCFD0F, - 0x2F25374E, 0x069A149F, 0x5E2DFF25, 0xFAECF061, - /* B */ - 0xEC9905D8, 0xF21850CF, 0xC0A746C8, 0x21DAD498, - 0x35156EEB, 0x088C97F2, 0x26303E40, 0x8A2D4FB5, - 0xFEEE44B6, 0x8A1E9573, 0x7B81111A, 0xCBC139F0, - 0xA3513861, 0x1D2C362E, 0x918C580E, 0xB58E1B9C, - /* C */ - 0xE4B573A1, 0x4C1A0880, 0x1E907C51, 0x04807EFD, - 0x3AD8CDE5, 0x16B21302, 0x02512C53, 0x2204CB18, - 0x99405F2D, 0xE5B648A1, 0x70AB1D43, 0xA10C25C2, - 0x16F1AC05, 0x38BBEB56, 0x9B01DC60, 0xB1096D83 -}; - -void shabal224_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal224_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal224_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal224_iv[SHABAL_R+16+i])); - } -} - -void shabal224_ctx2hash(void* dest, const shabal_ctx_t* ctx){ - shabal_ctx2hash(dest, ctx, 224); -} - -void shabal224(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal224_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal224_ctx2hash(dest, &ctx); -} diff --git a/shabal256-asm.S b/shabal256-asm.S deleted file mode 100644 index f95e6c7..0000000 --- a/shabal256-asm.S +++ /dev/null @@ -1,159 +0,0 @@ -/* shabal256-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal256-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ - -shabal256_iv: - /* A */ -.long 0x52F84552, 0xE54B7999, 0x2D8EE3EC, 0xB9645191 -.long 0xE0078B86, 0xBB7C44C9, 0xD2B5C1CA, 0xB0D2EB8C -.long 0x14CE5A45, 0x22AF50DC, 0xEFFDBC6B, 0xEB21B74A - /* B */ -.long 0xB555C6EE, 0x3E710596, 0xA72A652F, 0x9301515F -.long 0xDA28C1FA, 0x696FD868, 0x9CB6BF72, 0x0AFE4002 -.long 0xA6E03615, 0x5138C1D4, 0xBE216306, 0xB38B8890 -.long 0x3EA8B96B, 0x3299ACE4, 0x30924DD4, 0x55CB34A5 - /* C */ -.long 0xB405F031, 0xC4233EBA, 0xB3733979, 0xC0DD9D55 -.long 0xC51C28AE, 0xA327B8E1, 0x56C56167, 0xED614433 -.long 0x88B59D60, 0x60E2CEBA, 0x758B4B8B, 0x83E82A7F -.long 0xBC968828, 0xE6E00BF7, 0xBA839E55, 0x9B491C60 - -/******************************************************************************/ -/* - * param ctx: r24,r25 - */ -.global shabal256_init -shabal256_init: - movw r26, r24 - ldi r24, 1 - st X+, r24 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - movw r24, r26 - adiw r24, 12*4+4 - st X+, r24 - st X+, r25 - adiw r24, 4*16-1 - adiw r24, 1 - st X+, r24 - st X+, r25 - ldi r24, (12+16+16) - ldi r30, lo8(shabal256_iv) - ldi r31, hi8(shabal256_iv) -1: lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ - -.global shabal256_ctx2hash -shabal256_ctx2hash: - movw r26, r24 - movw r30, r22 - ldd r24, Z+(8+2) - ldd r25, Z+(8+2+1) - movw r30, r24 - adiw r30, (16-256/32)*4 - ldi r24, 256/8 -1: ld r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param length_b: r18:r21 - */ -DST0 = 8 -DST1 = 9 -CTX0 = 10 -CTX1 = 11 -MSG0 = 12 -MSG1 = 13 -LEN2 = 14 -LEN3 = 15 -LEN0 = 16 -LEN1 = 17 -.global shabal256 -shabal256: - push_range 8, 17 - stack_alloc_large 188 - adiw r30, 1 /* Z points to stack space (ctx) */ - movw CTX0, r30 - movw DST0, r24 - movw MSG0, r22 - movw LEN0, r18 - movw LEN2, r20 - movw r24, r30 - rcall shabal256_init -2: - tst LEN2 - brne 3f - tst LEN3 - breq 4f -3: - movw r24, CTX0 - movw r22, MSG0 - rcall shabal_nextBlock - subi LEN1, 0x02 - sbc LEN2, r1 - sbc LEN3, r1 - ldi r18, 64 - add MSG0, r18 - adc MSG1, r1 - rjmp 2b -4: - movw r24, CTX0 - movw r22, MSG0 - movw r20, LEN0 - rcall shabal_lastBlock - movw r24, DST0 - movw r22, CTX0 - rcall shabal256_ctx2hash - stack_free_large2 188 - pop_range 8, 17 - ret - - diff --git a/shabal256.c b/shabal256.c deleted file mode 100644 index 6f5ca19..0000000 --- a/shabal256.c +++ /dev/null @@ -1,80 +0,0 @@ -/* shabal256.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal256.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include -#include - -uint32_t shabal256_iv[] PROGMEM = { - /* A */ - 0x52F84552, 0xE54B7999, 0x2D8EE3EC, 0xB9645191, - 0xE0078B86, 0xBB7C44C9, 0xD2B5C1CA, 0xB0D2EB8C, - 0x14CE5A45, 0x22AF50DC, 0xEFFDBC6B, 0xEB21B74A, - /* B */ - 0xB555C6EE, 0x3E710596, 0xA72A652F, 0x9301515F, - 0xDA28C1FA, 0x696FD868, 0x9CB6BF72, 0x0AFE4002, - 0xA6E03615, 0x5138C1D4, 0xBE216306, 0xB38B8890, - 0x3EA8B96B, 0x3299ACE4, 0x30924DD4, 0x55CB34A5, - /* C */ - 0xB405F031, 0xC4233EBA, 0xB3733979, 0xC0DD9D55, - 0xC51C28AE, 0xA327B8E1, 0x56C56167, 0xED614433, - 0x88B59D60, 0x60E2CEBA, 0x758B4B8B, 0x83E82A7F, - 0xBC968828, 0xE6E00BF7, 0xBA839E55, 0x9B491C60 -}; - -void shabal256_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal256_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal256_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal256_iv[SHABAL_R+16+i])); - } -} - -void shabal256_ctx2hash(void* dest, const shabal_ctx_t* ctx){ - shabal_ctx2hash(dest, ctx, 256); -} - -void shabal256(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal256_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal256_ctx2hash(dest, &ctx); -} diff --git a/shabal384-asm.S b/shabal384-asm.S deleted file mode 100644 index e9a053d..0000000 --- a/shabal384-asm.S +++ /dev/null @@ -1,158 +0,0 @@ -/* shabal384-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal384-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ - -shabal384_iv: - /* A */ -.long 0xC8FCA331, 0xE55C504E, 0x003EBF26, 0xBB6B8D83 -.long 0x7B0448C1, 0x41B82789, 0x0A7C9601, 0x8D659CFF -.long 0xB6E2673E, 0xCA54C77B, 0x1460FD7E, 0x3FCB8F2D - /* B */ -.long 0x527291FC, 0x2A16455F, 0x78E627E5, 0x944F169F -.long 0x1CA6F016, 0xA854EA25, 0x8DB98ABE, 0xF2C62641 -.long 0x30117DCB, 0xCF5C4309, 0x93711A25, 0xF9F671B8 -.long 0xB01D2116, 0x333F4B89, 0xB285D165, 0x86829B36 - /* C */ -.long 0xF764B11A, 0x76172146, 0xCEF6934D, 0xC6D28399 -.long 0xFE095F61, 0x5E6018B4, 0x5048ECF5, 0x51353261 -.long 0x6E6E36DC, 0x63130DAD, 0xA9C69BD6, 0x1E90EA0C -.long 0x7C35073B, 0x28D95E6D, 0xAA340E0D, 0xCB3DEE70 - -/******************************************************************************/ -/* - * param ctx: r24,r25 - */ -.global shabal384_init -shabal384_init: - movw r26, r24 - ldi r24, 1 - st X+, r24 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - movw r24, r26 - adiw r24, 12*4+4 - st X+, r24 - st X+, r25 - adiw r24, 4*16-1 - adiw r24, 1 - st X+, r24 - st X+, r25 - ldi r24, (12+16+16) - ldi r30, lo8(shabal384_iv) - ldi r31, hi8(shabal384_iv) -1: lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ - -.global shabal384_ctx2hash -shabal384_ctx2hash: - movw r26, r24 - movw r30, r22 - ldd r24, Z+(8+2) - ldd r25, Z+(8+2+1) - movw r30, r24 - adiw r30, (16-384/32)*4 - ldi r24, 384/8 -1: ld r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param length_b: r18:r21 - */ -DST0 = 8 -DST1 = 9 -CTX0 = 10 -CTX1 = 11 -MSG0 = 12 -MSG1 = 13 -LEN2 = 14 -LEN3 = 15 -LEN0 = 16 -LEN1 = 17 -.global shabal384 -shabal384: - push_range 8, 17 - stack_alloc_large 188 - adiw r30, 1 /* Z points to stack space (ctx) */ - movw CTX0, r30 - movw DST0, r24 - movw MSG0, r22 - movw LEN0, r18 - movw LEN2, r20 - movw r24, r30 - rcall shabal384_init -2: - tst LEN2 - brne 3f - tst LEN3 - breq 4f -3: - movw r24, CTX0 - movw r22, MSG0 - rcall shabal_nextBlock - subi LEN1, 0x02 - sbc LEN2, r1 - sbc LEN3, r1 - ldi r18, 64 - add MSG0, r18 - adc MSG1, r1 - rjmp 2b -4: - movw r24, CTX0 - movw r22, MSG0 - movw r20, LEN0 - rcall shabal_lastBlock - movw r24, DST0 - movw r22, CTX0 - rcall shabal384_ctx2hash - stack_free_large2 188 - pop_range 8, 17 - ret - diff --git a/shabal384.c b/shabal384.c deleted file mode 100644 index 11ab06e..0000000 --- a/shabal384.c +++ /dev/null @@ -1,80 +0,0 @@ -/* shabal384.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal384.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include -#include - -uint32_t shabal384_iv[] PROGMEM = { - /* A */ - 0xC8FCA331, 0xE55C504E, 0x003EBF26, 0xBB6B8D83, - 0x7B0448C1, 0x41B82789, 0x0A7C9601, 0x8D659CFF, - 0xB6E2673E, 0xCA54C77B, 0x1460FD7E, 0x3FCB8F2D, - /* B */ - 0x527291FC, 0x2A16455F, 0x78E627E5, 0x944F169F, - 0x1CA6F016, 0xA854EA25, 0x8DB98ABE, 0xF2C62641, - 0x30117DCB, 0xCF5C4309, 0x93711A25, 0xF9F671B8, - 0xB01D2116, 0x333F4B89, 0xB285D165, 0x86829B36, - /* C */ - 0xF764B11A, 0x76172146, 0xCEF6934D, 0xC6D28399, - 0xFE095F61, 0x5E6018B4, 0x5048ECF5, 0x51353261, - 0x6E6E36DC, 0x63130DAD, 0xA9C69BD6, 0x1E90EA0C, - 0x7C35073B, 0x28D95E6D, 0xAA340E0D, 0xCB3DEE70 -}; - -void shabal384_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal384_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal384_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal384_iv[SHABAL_R+16+i])); - } -} - -void shabal384_ctx2hash(void* dest, const shabal_ctx_t* ctx){ - shabal_ctx2hash(dest, ctx, 384); -} - -void shabal384(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal384_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal384_ctx2hash(dest, &ctx); -} diff --git a/shabal512-asm.S b/shabal512-asm.S deleted file mode 100644 index 0d412ff..0000000 --- a/shabal512-asm.S +++ /dev/null @@ -1,158 +0,0 @@ -/* shabal512-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal512-asm.S - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ - -shabal512_iv: - /* A */ -.long 0x20728DFD, 0x46C0BD53, 0xE782B699, 0x55304632 -.long 0x71B4EF90, 0x0EA9E82C, 0xDBB930F1, 0xFAD06B8B -.long 0xBE0CAE40, 0x8BD14410, 0x76D2ADAC, 0x28ACAB7F - /* B */ -.long 0xC1099CB7, 0x07B385F3, 0xE7442C26, 0xCC8AD640 -.long 0xEB6F56C7, 0x1EA81AA9, 0x73B9D314, 0x1DE85D08 -.long 0x48910A5A, 0x893B22DB, 0xC5A0DF44, 0xBBC4324E -.long 0x72D2F240, 0x75941D99, 0x6D8BDE82, 0xA1A7502B - /* C */ -.long 0xD9BF68D1, 0x58BAD750, 0x56028CB2, 0x8134F359 -.long 0xB5D469D8, 0x941A8CC2, 0x418B2A6E, 0x04052780 -.long 0x7F07D787, 0x5194358F, 0x3C60D665, 0xBE97D79A -.long 0x950C3434, 0xAED9A06D, 0x2537DC8D, 0x7CDB5969 - -/******************************************************************************/ -/* - * param ctx: r24,r25 - */ -.global shabal512_init -shabal512_init: - movw r26, r24 - ldi r24, 1 - st X+, r24 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - st X+, r1 - movw r24, r26 - adiw r24, 12*4+4 - st X+, r24 - st X+, r25 - adiw r24, 4*16-1 - adiw r24, 1 - st X+, r24 - st X+, r25 - ldi r24, (12+16+16) - ldi r30, lo8(shabal512_iv) - ldi r31, hi8(shabal512_iv) -1: lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - lpm r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ - -.global shabal512_ctx2hash -shabal512_ctx2hash: - movw r26, r24 - movw r30, r22 - ldd r24, Z+(8+2) - ldd r25, Z+(8+2+1) - movw r30, r24 - ; adiw r30, (16-512/32)*4 - ldi r24, 512/8 -1: ld r0, Z+ - st X+, r0 - dec r24 - brne 1b - ret - -/******************************************************************************/ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param length_b: r18:r21 - */ -DST0 = 8 -DST1 = 9 -CTX0 = 10 -CTX1 = 11 -MSG0 = 12 -MSG1 = 13 -LEN2 = 14 -LEN3 = 15 -LEN0 = 16 -LEN1 = 17 -.global shabal512 -shabal512: - push_range 8, 17 - stack_alloc_large 188 - adiw r30, 1 /* Z points to stack space (ctx) */ - movw CTX0, r30 - movw DST0, r24 - movw MSG0, r22 - movw LEN0, r18 - movw LEN2, r20 - movw r24, r30 - rcall shabal512_init -2: - tst LEN2 - brne 3f - tst LEN3 - breq 4f -3: - movw r24, CTX0 - movw r22, MSG0 - rcall shabal_nextBlock - subi LEN1, 0x02 - sbc LEN2, r1 - sbc LEN3, r1 - ldi r18, 64 - add MSG0, r18 - adc MSG1, r1 - rjmp 2b -4: - movw r24, CTX0 - movw r22, MSG0 - movw r20, LEN0 - rcall shabal_lastBlock - movw r24, DST0 - movw r22, CTX0 - rcall shabal512_ctx2hash - stack_free_large2 188 - pop_range 8, 17 - ret - diff --git a/shabal512.c b/shabal512.c deleted file mode 100644 index caad571..0000000 --- a/shabal512.c +++ /dev/null @@ -1,80 +0,0 @@ -/* shabal512.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file shabal512.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-04-27 - * \license GPLv3 or later - * - */ - -#include -#include "shabal.h" -#include -#include - -uint32_t shabal512_iv[] PROGMEM = { - /* A */ - 0x20728DFD, 0x46C0BD53, 0xE782B699, 0x55304632, - 0x71B4EF90, 0x0EA9E82C, 0xDBB930F1, 0xFAD06B8B, - 0xBE0CAE40, 0x8BD14410, 0x76D2ADAC, 0x28ACAB7F, - /* B */ - 0xC1099CB7, 0x07B385F3, 0xE7442C26, 0xCC8AD640, - 0xEB6F56C7, 0x1EA81AA9, 0x73B9D314, 0x1DE85D08, - 0x48910A5A, 0x893B22DB, 0xC5A0DF44, 0xBBC4324E, - 0x72D2F240, 0x75941D99, 0x6D8BDE82, 0xA1A7502B, - /* C */ - 0xD9BF68D1, 0x58BAD750, 0x56028CB2, 0x8134F359, - 0xB5D469D8, 0x941A8CC2, 0x418B2A6E, 0x04052780, - 0x7F07D787, 0x5194358F, 0x3C60D665, 0xBE97D79A, - 0x950C3434, 0xAED9A06D, 0x2537DC8D, 0x7CDB5969, -}; - -void shabal512_init(shabal_ctx_t* ctx){ - uint8_t i; - ctx->b = ctx->b_buffer; - ctx->c = ctx->c_buffer; - ctx->w.w64 = 1LL; - for(i=0;ia[i] = pgm_read_dword(&(shabal512_iv[i])); - } - for(i=0;i<16;++i){ - ctx->b[i] = pgm_read_dword(&(shabal512_iv[SHABAL_R+i])); - } - for(i=0;i<16;++i){ - ctx->c[i] = pgm_read_dword(&(shabal512_iv[SHABAL_R+16+i])); - } -} - -void shabal512_ctx2hash(void* dest, const shabal_ctx_t* ctx){ - shabal_ctx2hash(dest, ctx, 512); -} - -void shabal512(void* dest, void* msg, uint32_t length_b){ - shabal_ctx_t ctx; - shabal512_init(&ctx); - while(length_b>=SHABAL_BLOCKSIZE){ - shabal_nextBlock(&ctx, msg); - msg = (uint8_t*)msg+SHABAL_BLOCKSIZE_B; - length_b -= SHABAL_BLOCKSIZE; - } - shabal_lastBlock(&ctx, msg, length_b); - shabal512_ctx2hash(dest, &ctx); -} diff --git a/skein.h b/skein.h deleted file mode 100644 index 0fd5b51..0000000 --- a/skein.h +++ /dev/null @@ -1,76 +0,0 @@ -/* skein.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file skein.c - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#ifndef SKEIN_H_ -#define SKEIN_H_ - -#include -#include "ubi.h" - -#define SKEIN256_BLOCKSIZE UBI256_BLOCKSIZE -#define SKEIN256_BLOCKSIZE_B UBI256_BLOCKSIZE_B - -#define SKEIN512_BLOCKSIZE UBI512_BLOCKSIZE -#define SKEIN512_BLOCKSIZE_B UBI512_BLOCKSIZE_B - -#define SKEIN1024_BLOCKSIZE UBI1024_BLOCKSIZE -#define SKEIN1024_BLOCKSIZE_B UBI1024_BLOCKSIZE_B - -typedef struct{ - uint16_t outsize_b; - ubi256_ctx_t ubictx; -}skein256_ctx_t; - -void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b); -void skein256_nextBlock(skein256_ctx_t* ctx, const void* block); -void skein256_lastBlock(skein256_ctx_t* ctx, const void* block, uint16_t length_b); -void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx); -void skein256(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); - -typedef struct{ - uint16_t outsize_b; - ubi512_ctx_t ubictx; -}skein512_ctx_t; - -void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b); -void skein512_nextBlock(skein512_ctx_t* ctx, const void* block); -void skein512_lastBlock(skein512_ctx_t* ctx, const void* block, uint16_t length_b); -void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx); -void skein512(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); - -typedef struct{ - uint16_t outsize_b; - ubi1024_ctx_t ubictx; -}skein1024_ctx_t; - -void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b); -void skein1024_nextBlock(skein1024_ctx_t* ctx, const void* block); -void skein1024_lastBlock(skein1024_ctx_t* ctx, const void* block, uint16_t length_b); -void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx); -void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); - -#endif /* SKEIN_H_ */ diff --git a/skein/memxor.S b/skein/memxor.S new file mode 100644 index 0000000..a32058b --- /dev/null +++ b/skein/memxor.S @@ -0,0 +1,66 @@ +/* memxor.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: memxor.S + * Author: Daniel Otte + * Date: 2008-08-07 + * License: GPLv3 or later + * Description: memxor, XORing one block into another + * + */ + +/* + * void memxor(void* dest, const void* src, uint16_t n); + */ + /* + * param dest is passed in r24:r25 + * param src is passed in r22:r23 + * param n is passed in r20:r21 + */ +.global memxor +memxor: + movw r30, r24 + movw r26, r22 + movw r24, r20 + adiw r24, 0 + breq 2f +1: + ld r20, X+ + ld r21, Z + eor r20, r21 + st Z+, r20 + sbiw r24, 1 + brne 1b +2: + ret + + + + + + + + + + + + + + diff --git a/skein/memxor.h b/skein/memxor.h new file mode 100644 index 0000000..a62a616 --- /dev/null +++ b/skein/memxor.h @@ -0,0 +1,7 @@ +#ifndef MEMXOR_H_ +#define MEMXOR_H_ +#include + +void memxor(void* dest, const void* src, uint16_t n); + +#endif diff --git a/skein/skein-speed.log b/skein/skein-speed.log new file mode 100644 index 0000000..deae3de --- /dev/null +++ b/skein/skein-speed.log @@ -0,0 +1,202 @@ +performance + + === Skein-256-128 performance === + type: hashfunction + hashsize (bits): 128 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 42999 + nextBlock (cycles): 42003 + lastBlock (cycles): 41706 + ctx2hash (cycles): 42912 + + === Skein-256-160 performance === + type: hashfunction + hashsize (bits): 160 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 42999 + nextBlock (cycles): 42003 + lastBlock (cycles): 41713 + ctx2hash (cycles): 42940 + + === Skein-256-224 performance === + type: hashfunction + hashsize (bits): 224 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 43006 + nextBlock (cycles): 42003 + lastBlock (cycles): 41713 + ctx2hash (cycles): 42996 + + === Skein-256-256 performance === + type: hashfunction + hashsize (bits): 256 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 43006 + nextBlock (cycles): 42003 + lastBlock (cycles): 41706 + ctx2hash (cycles): 43026 + + === Skein-256-384 performance === + type: hashfunction + hashsize (bits): 384 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 42999 + nextBlock (cycles): 42003 + lastBlock (cycles): 41706 + ctx2hash (cycles): 20054 + + === Skein-256-512 performance === + type: hashfunction + hashsize (bits): 512 + ctxsize (bytes): 50 + blocksize (bits): 256 + init (cycles): 42999 + nextBlock (cycles): 42003 + lastBlock (cycles): 41706 + ctx2hash (cycles): 20165 + + === Skein-512-128 performance === + type: hashfunction + hashsize (bits): 128 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30522 + nextBlock (cycles): 29183 + lastBlock (cycles): 28526 + ctx2hash (cycles): 30515 + + === Skein-512-160 performance === + type: hashfunction + hashsize (bits): 160 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30522 + nextBlock (cycles): 29183 + lastBlock (cycles): 28526 + ctx2hash (cycles): 30536 + + === Skein-512-224 performance === + type: hashfunction + hashsize (bits): 224 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30522 + nextBlock (cycles): 29176 + lastBlock (cycles): 28526 + ctx2hash (cycles): 30592 + + === Skein-512-256 performance === + type: hashfunction + hashsize (bits): 256 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30522 + nextBlock (cycles): 29176 + lastBlock (cycles): 28533 + ctx2hash (cycles): 30620 + + === Skein-512-384 performance === + type: hashfunction + hashsize (bits): 384 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30529 + nextBlock (cycles): 29176 + lastBlock (cycles): 28533 + ctx2hash (cycles): 30732 + + === Skein-512-512 performance === + type: hashfunction + hashsize (bits): 512 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30529 + nextBlock (cycles): 29176 + lastBlock (cycles): 28533 + ctx2hash (cycles): 30846 + + === Skein-512-1024 performance === + type: hashfunction + hashsize (bits): 1024 + ctxsize (bytes): 82 + blocksize (bits): 512 + init (cycles): 30529 + nextBlock (cycles): 29176 + lastBlock (cycles): 28526 + ctx2hash (cycles): 61119 + + === Skein-1024-128 performance === + type: hashfunction + hashsize (bits): 128 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28976 + nextBlock (cycles): 26263 + lastBlock (cycles): 23978 + ctx2hash (cycles): 27216 + + === Skein-1024-160 performance === + type: hashfunction + hashsize (bits): 160 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26256 + lastBlock (cycles): 23978 + ctx2hash (cycles): 27244 + + === Skein-1024-224 performance === + type: hashfunction + hashsize (bits): 224 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26256 + lastBlock (cycles): 23978 + ctx2hash (cycles): 27307 + + === Skein-1024-256 performance === + type: hashfunction + hashsize (bits): 256 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26263 + lastBlock (cycles): 23971 + ctx2hash (cycles): 27335 + + === Skein-1024-384 performance === + type: hashfunction + hashsize (bits): 384 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26263 + lastBlock (cycles): 23971 + ctx2hash (cycles): 27447 + + === Skein-1024-512 performance === + type: hashfunction + hashsize (bits): 512 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26263 + lastBlock (cycles): 23971 + ctx2hash (cycles): 27559 + + === Skein-1024-1024 performance === + type: hashfunction + hashsize (bits): 1024 + ctxsize (bytes): 146 + blocksize (bits): 1024 + init (cycles): 28983 + nextBlock (cycles): 26263 + lastBlock (cycles): 23971 + ctx2hash (cycles): 28002 +> \ No newline at end of file diff --git a/skein/skein.h b/skein/skein.h new file mode 100644 index 0000000..0fd5b51 --- /dev/null +++ b/skein/skein.h @@ -0,0 +1,76 @@ +/* skein.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file skein.c + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#ifndef SKEIN_H_ +#define SKEIN_H_ + +#include +#include "ubi.h" + +#define SKEIN256_BLOCKSIZE UBI256_BLOCKSIZE +#define SKEIN256_BLOCKSIZE_B UBI256_BLOCKSIZE_B + +#define SKEIN512_BLOCKSIZE UBI512_BLOCKSIZE +#define SKEIN512_BLOCKSIZE_B UBI512_BLOCKSIZE_B + +#define SKEIN1024_BLOCKSIZE UBI1024_BLOCKSIZE +#define SKEIN1024_BLOCKSIZE_B UBI1024_BLOCKSIZE_B + +typedef struct{ + uint16_t outsize_b; + ubi256_ctx_t ubictx; +}skein256_ctx_t; + +void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b); +void skein256_nextBlock(skein256_ctx_t* ctx, const void* block); +void skein256_lastBlock(skein256_ctx_t* ctx, const void* block, uint16_t length_b); +void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx); +void skein256(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); + +typedef struct{ + uint16_t outsize_b; + ubi512_ctx_t ubictx; +}skein512_ctx_t; + +void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b); +void skein512_nextBlock(skein512_ctx_t* ctx, const void* block); +void skein512_lastBlock(skein512_ctx_t* ctx, const void* block, uint16_t length_b); +void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx); +void skein512(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); + +typedef struct{ + uint16_t outsize_b; + ubi1024_ctx_t ubictx; +}skein1024_ctx_t; + +void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b); +void skein1024_nextBlock(skein1024_ctx_t* ctx, const void* block); +void skein1024_lastBlock(skein1024_ctx_t* ctx, const void* block, uint16_t length_b); +void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx); +void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b); + +#endif /* SKEIN_H_ */ diff --git a/skein/skein1024.c b/skein/skein1024.c new file mode 100644 index 0000000..ac3162e --- /dev/null +++ b/skein/skein1024.c @@ -0,0 +1,93 @@ +/* skein1024.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "ubi.h" +#include "skein.h" + + +void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI1024_BLOCKSIZE_B]; + memset(null, 0, UBI1024_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi1024_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi1024_lastBlock(&(ctx->ubictx), &conf, 256); + ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} + +void skein1024_nextBlock(skein1024_ctx_t* ctx, const void* block){ + ubi1024_nextBlock(&(ctx->ubictx), block); +} + +void skein1024_lastBlock(skein1024_ctx_t* ctx, const void* block, uint16_t length_b){ + ubi1024_lastBlock(&(ctx->ubictx), block, length_b); +} + +void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx){ + ubi1024_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI1024_BLOCKSIZE_B]; + ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi1024_ctx_t)); + ubi1024_lastBlock(&uctx, &counter, 64); + ubi1024_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI1024_BLOCKSIZE){ + memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI1024_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI1024_BLOCKSIZE_B; + outsize_b -= UBI1024_BLOCKSIZE; + counter++; + } + } +} + +void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ + skein1024_ctx_t ctx; + skein1024_init(&ctx, outlength_b); + while(length_b>SKEIN1024_BLOCKSIZE){ + skein1024_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN1024_BLOCKSIZE_B; + length_b -= SKEIN1024_BLOCKSIZE; + } + skein1024_lastBlock(&ctx, msg, length_b); + skein1024_ctx2hash(dest, &ctx); +} diff --git a/skein/skein1024_asm.S b/skein/skein1024_asm.S new file mode 100644 index 0000000..8983f6a --- /dev/null +++ b/skein/skein1024_asm.S @@ -0,0 +1,358 @@ +/* skein1024_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-25 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI1024_BLOCKSIZE_B]; + memset(null, 0, UBI1024_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi1024_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi1024_lastBlock(&(ctx->ubictx), &conf, 256); + ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} +*/ +/* + * param ctx: r24:r25 + * param outsize_b: r22:r23 + */ +UBICTX0 = 2 +UBICTX1 = 3 +CONF0 = 4 +CONF1 = 5 +.global skein1024_init +skein1024_init: + push_range 2, 5 + stack_alloc_large 32+128-22 ; |<- 22 ->| + adiw r30, 1 ; | CONF (32) | + movw CONF0, r30 ; | null (128) | + movw r26, r24 + st X+, r22 + st X+, r23 + movw UBICTX0, r26 + ldi r24, 'S' + st Z+, r24 + ldi r24, 'H' + st Z+, r24 + ldi r24, 'A' + st Z+, r24 + ldi r24, '3' + st Z+, r24 + ldi r24, 1 + st Z+, r24 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r22 + st Z+, r23 + ldi 24, 128 +1: st Z+, r1 + dec r24 + brne 1b + /* call ubi1024_init*/ + subi r30, lo8(128) + sbci r31, hi8(128) + movw r24, UBICTX0 + movw r22, r30 + ldi r20, 4 + rcall ubi1024_init + /* call ubi1024_lastBlock*/ + movw r24, UBICTX0 + movw r22, CONF0 + ldi r21, 1 + clr r20 + rcall ubi1024_lastBlock + /* call ubi1024_init*/ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 48 + rcall ubi1024_init + stack_free_large2 32+128-22 + pop_range 2, 5 + ret + +/******************************************************************************/ +.global skein1024_nextBlock +skein1024_nextBlock: + adiw r24, 2 + rjmp ubi1024_nextBlock + +/******************************************************************************/ +.global skein1024_lastBlock +skein1024_lastBlock: + adiw r24, 2 + rjmp ubi1024_lastBlock + +/******************************************************************************/ +/* +void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx){ + ubi1024_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI1024_BLOCKSIZE_B]; + ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi1024_ctx_t)); + ubi1024_lastBlock(&uctx, &counter, 64); + ubi1024_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI1024_BLOCKSIZE){ + memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI1024_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI1024_BLOCKSIZE_B; + outsize_b -= UBI1024_BLOCKSIZE; + counter++; + } + } +} +*/ +/* + * param dest: r24:r25 + * param ctx: r22:r23 + */ + OUTSIZE_B0 = 16 + OUTSIZE_B1 = 17 + UCTX0 = 14 + UCTX1 = 15 + UBICTX0 = 12 + UBICTX1 = 13 + DEST0 = 10 + DEST1 = 11 +.global skein1024_ctx2hash +skein1024_ctx2hash: + push_range 10, 17 + /* 144 || 8 || 128 */ + stack_alloc_large 144+8+128 /* uctx || counter || outbuffer */ + movw DEST0, r24 + adiw r30, 1 + movw UCTX0, r30 + ldi r16, 144 + add r30, r16 + adc r31, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + movw r26, 22 + ld OUTSIZE_B0, X+ + ld OUTSIZE_B1, X+ + movw UBICTX0, r26 + /* call ubi1024_init */ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 63 + rcall ubi1024_init + + /* main loop */ + /* copy ubictx in uctx*/ +1: movw r30, UCTX0 + movw r26, UBICTX0 + ldi r24, 144 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* call ubi1024_lastBlock */ + movw r24, UCTX0 + adiw r24, 63 + adiw r24, 63 + adiw r24, 18 + movw r22, r24 + movw r24, UCTX0 + clr r21 + ldi r20, 64 + rcall ubi1024_lastBlock + /* copy uctx->g to outbuffer */ + movw r26, UCTX0 + adiw r26, 16 + movw r30, UCTX0 + adiw r30, 63 + adiw r30, 63 + adiw r30, 18+8 + ldi r24, 128 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* compare outsize_b with 1024*/ + cpi OUTSIZE_B1, 5 + brge 5f + cpi OUTSIZE_B1, 4 + brlo 3f + tst OUTSIZE_B0 + breq 3f +5: /* copy outbuffer to dest */ + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 63 + adiw r26, 63 + adiw r26, 18+8 + ldi r24, 128 +6: ld r25, X+ + st Z+, r25 + dec r24 + brne 6b + /* store new dest */ + movw DEST0, r30 + /* adjust counter and outsize_b*/ + subi OUTSIZE_B1, 2 + movw r30, UCTX0 + adiw r30, 63 + adiw r30, 63 + adiw r30, 18 + ldi r24, 1 + ld r25, Z + add r25, r24 + st Z+, r25 + ldi r24, 7 +6: ld r25, Z + adc r25, r1 + st Z+, r25 + dec r24 + brne 6b + rjmp 1b +3: /* last iteraton */ + movw r24, OUTSIZE_B0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r25 + ror r24 + lsr r25 + ror r24 + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 63 + adiw r26, 63 + adiw r26, 18+8 + tst r24 + breq 8f +7: ld r25, X+ + st Z+, r25 + dec r24 + brne 7b +8: + stack_free_large3 144+8+128 + pop_range 10, 17 + ret + +/******************************************************************************/ +/* +void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ + skein1024_ctx_t ctx; + skein1024_init(&ctx, outlength_b); + while(length_b>SKEIN1024_BLOCKSIZE){ + skein1024_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN1024_BLOCKSIZE_B; + length_b -= SKEIN1024_BLOCKSIZE; + } + skein1024_lastBlock(&ctx, msg, length_b); + skein1024_ctx2hash(dest, &ctx); +} +*/ +/* + * param dest: r24:r25 + * param outlength_b: r22:r23 + * param msg: r20:r21 + * param length_b: r16:r19 + */ +LENGTH_B0 = 2 +LENGTH_B1 = 3 +LENGTH_B2 = 4 +LENGTH_B3 = 5 +DEST0 = 6 +DEST1 = 7 +MSG0 = 8 +MSG1 = 9 +CTX0 = 10 +CTX1 = 11 +.global skein1024 +skein1024: + push_range 2, 11 + stack_alloc_large 146 + adiw r30, 1 + movw CTX0, r30 + movw DEST0, r24 + movw MSG0, r20 + movw LENGTH_B0, r16 + movw LENGTH_B2, r18 + /* call skein1024_init */ + movw r24, r30 + rcall skein1024_init +1: tst LENGTH_B2 + brne 4f + tst LENGTH_B3 + brne 4f + /* call skein1024_lastBlock */ + movw r24, CTX0 + movw r22, MSG0 + movw r20, LENGTH_B0 + rcall skein1024_lastBlock + /* call skein1024_ctx2hash */ + movw r24, DEST0 + movw r22, CTX0 + rcall skein1024_ctx2hash + /* return */ + stack_free_large2 146 + pop_range 2, 11 + ret + +4: /* process preceeding blocks */ + movw r24, CTX0 + movw r22, MSG0 + rcall skein1024_nextBlock + ldi r24, 128 + add MSG0, r24 + adc MSG0, r1 + mov r24, LENGTH_B1 + mov r25, LENGTH_B2 + sbiw r24, 4 + sbc LENGTH_B3, r1 + mov LENGTH_B1, r24 + mov LENGTH_B2, r25 + rjmp 1b + diff --git a/skein/skein256.c b/skein/skein256.c new file mode 100644 index 0000000..dfe6ef3 --- /dev/null +++ b/skein/skein256.c @@ -0,0 +1,94 @@ +/* skein256.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "ubi.h" +#include "skein.h" + +#include "cli.h" + +void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI256_BLOCKSIZE_B]; + memset(null, 0, UBI256_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi256_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi256_lastBlock(&(ctx->ubictx), &conf, 256); + ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} + +void skein256_nextBlock(skein256_ctx_t* ctx, const void* block){ + ubi256_nextBlock(&(ctx->ubictx), block); +} + +void skein256_lastBlock(skein256_ctx_t* ctx, const void* block, uint16_t length_b){ + ubi256_lastBlock(&(ctx->ubictx), block, length_b); +} + +void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx){ + ubi256_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI256_BLOCKSIZE_B]; + ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi256_ctx_t)); + ubi256_lastBlock(&uctx, &counter, 64); + ubi256_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI256_BLOCKSIZE){ + memcpy(dest, outbuffer, (outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI256_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI256_BLOCKSIZE_B; + outsize_b -= UBI256_BLOCKSIZE; + counter++; + } + } +} + +void skein256(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ + skein256_ctx_t ctx; + skein256_init(&ctx, outlength_b); + while(length_b>SKEIN256_BLOCKSIZE){ + skein256_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN256_BLOCKSIZE_B; + length_b -= SKEIN256_BLOCKSIZE; + } + skein256_lastBlock(&ctx, msg, length_b); + skein256_ctx2hash(dest, &ctx); +} diff --git a/skein/skein256_asm.S b/skein/skein256_asm.S new file mode 100644 index 0000000..0c6c2d0 --- /dev/null +++ b/skein/skein256_asm.S @@ -0,0 +1,343 @@ +/* skein256_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI256_BLOCKSIZE_B]; + memset(null, 0, UBI256_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi256_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi256_lastBlock(&(ctx->ubictx), &conf, 256); + ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} +*/ +/* + * param ctx: r24:r25 + * param outsize_b: r22:r23 + */ +UBICTX0 = 2 +UBICTX1 = 3 +CONF0 = 4 +CONF1 = 5 +.global skein256_init +skein256_init: + push_range 2, 5 + stack_alloc 64-22 + adiw r30, 1 + movw CONF0, r30 + movw r26, r24 + st X+, r22 + st X+, r23 + movw UBICTX0, r26 + ldi r24, 'S' + st Z+, r24 + ldi r24, 'H' + st Z+, r24 + ldi r24, 'A' + st Z+, r24 + ldi r24, '3' + st Z+, r24 + ldi r24, 1 + st Z+, r24 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r22 + st Z+, r23 + ldi 24, 22+10 +1: st Z+, r1 + dec r24 + brne 1b + /* call ubi256_init*/ + sbiw r30, 32 + movw r24, UBICTX0 + movw r22, r30 + ldi r20, 4 + rcall ubi256_init + /* call ubi256_lastBlock*/ + movw r24, UBICTX0 + movw r22, CONF0 + ldi r21, 1 + clr r20 + rcall ubi256_lastBlock + /* call ubi256_init*/ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 48 + rcall ubi256_init + stack_free 64-22 + pop_range 2, 5 + ret + +/******************************************************************************/ +.global skein256_nextBlock +skein256_nextBlock: + adiw r24, 2 + rjmp ubi256_nextBlock + +/******************************************************************************/ +.global skein256_lastBlock +skein256_lastBlock: + adiw r24, 2 + rjmp ubi256_lastBlock + +/******************************************************************************/ +/* +void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx){ + ubi256_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI256_BLOCKSIZE_B]; + ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi256_ctx_t)); + ubi256_lastBlock(&uctx, &counter, 64); + ubi256_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI256_BLOCKSIZE){ + memcpy(dest, outbuffer, (outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI256_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI256_BLOCKSIZE_B; + outsize_b -= UBI256_BLOCKSIZE; + counter++; + } + } +} +*/ +/* + * param dest: r24:r25 + * param ctx: r22:r23 + */ + OUTSIZE_B0 = 16 + OUTSIZE_B1 = 17 + UCTX0 = 14 + UCTX1 = 15 + UBICTX0 = 12 + UBICTX1 = 13 + DEST0 = 10 + DEST1 = 11 +.global skein256_ctx2hash +skein256_ctx2hash: + push_range 10, 17 + /* 48 || 8 || 32 */ + stack_alloc_large 88 /* uctx || counter || outbuffer */ + movw DEST0, r24 + adiw r30, 1 + movw UCTX0, r30 + adiw r30, 48 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + movw r26, 22 + ld OUTSIZE_B0, X+ + ld OUTSIZE_B1, X+ + movw UBICTX0, r26 + /* call ubi256_init */ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 63 + rcall ubi256_init + + /* main loop */ + /* copy ubictx in uctx*/ +1: movw r30, UCTX0 + movw r26, UBICTX0 + ldi r24, 48 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* call ubi256_lastBlock */ + movw r24, UCTX0 + adiw r24, 48 + movw r22, r24 + movw r24, UCTX0 + clr r21 + ldi r20, 64 + rcall ubi256_lastBlock + /* copy uctx->g to outbuffer */ + movw r26, UCTX0 + adiw r26, 16 + movw r30, UCTX0 + adiw r30, 56 + ldi r24, 32 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* compare outsize_b with 256*/ + cpi OUTSIZE_B1, 2 + brge 5f + cpi OUTSIZE_B1, 1 + brlo 3f + tst OUTSIZE_B0 + breq 3f +5: /* copy outbuffer to dest */ + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 56 + ldi r24, 32 +6: ld r25, X+ + st Z+, r25 + dec r24 + brne 6b + /* store new dest */ + movw DEST0, r30 ;XXX r26 + /* adjust counter and outsize_b*/ + dec OUTSIZE_B1 + movw r30, UCTX0 + adiw r30, 48 + ldi r24, 1 + ld r25, Z + add r25, r24 + st Z+, r25 + ldi r24, 7 +6: ld r25, Z + adc r25, r1 + st Z+, r25 + dec r24 + brne 6b + rjmp 1b +3: /* last iteraton */ + movw r24, OUTSIZE_B0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r24 + lsr r24 + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 56 + tst r24 + breq 8f +7: ld r25, X+ + st Z+, r25 + dec r24 + brne 7b +8: + stack_free_large 88 + pop_range 10, 17 + ret + +/******************************************************************************/ +/* +void skein256(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ + skein256_ctx_t ctx; + skein256_init(&ctx, outlength_b); + while(length_b>SKEIN256_BLOCKSIZE){ + skein256_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN256_BLOCKSIZE_B; + length_b -= SKEIN256_BLOCKSIZE; + } + skein256_lastBlock(&ctx, msg, length_b); + skein256_ctx2hash(dest, &ctx); +} +*/ +/* + * param dest: r24:r25 + * param outlength_b: r22:r23 + * param msg: r20:r21 + * param length_b: r16:r19 + */ +LENGTH_B0 = 2 +LENGTH_B1 = 3 +LENGTH_B2 = 4 +LENGTH_B3 = 5 +DEST0 = 6 +DEST1 = 7 +MSG0 = 8 +MSG1 = 9 +CTX0 = 10 +CTX1 = 11 +.global skein256 +skein256: + push_range 2, 11 + stack_alloc 50 + adiw r30, 1 + movw CTX0, r30 + movw DEST0, r24 + movw MSG0, r20 + movw LENGTH_B0, r16 + movw LENGTH_B2, r18 + /* call skein256_init */ + movw r24, r30 + rcall skein256_init +1: tst LENGTH_B2 + brne 4f + tst LENGTH_B3 + brne 4f + /* call skein256_lastBlock */ + movw r24, CTX0 + movw r22, MSG0 + movw r20, LENGTH_B0 + rcall skein256_lastBlock + /* call skein256_ctx2hash */ + movw r24, DEST0 + movw r22, CTX0 + rcall skein256_ctx2hash + /* return */ + stack_free 50 + pop_range 2, 11 + ret + +4: /* process preceeding blocks */ + movw r24, CTX0 + movw r22, MSG0 + rcall skein256_nextBlock + movw r24, MSG0 + adiw r24, 32 + movw MSG0, r24 + mov r24, LENGTH_B1 + mov r25, LENGTH_B2 + sbiw r24, 1 + sbc LENGTH_B3, r1 + mov LENGTH_B1, r24 + mov LENGTH_B2, r25 + rjmp 1b + diff --git a/skein/skein512.c b/skein/skein512.c new file mode 100644 index 0000000..2558f34 --- /dev/null +++ b/skein/skein512.c @@ -0,0 +1,94 @@ +/* skein512.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "ubi.h" +#include "skein.h" + + +void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI512_BLOCKSIZE_B]; + memset(null, 0, UBI512_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi512_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi512_lastBlock(&(ctx->ubictx), &conf, 256); + ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} + +void skein512_nextBlock(skein512_ctx_t* ctx, const void* block){ + ubi512_nextBlock(&(ctx->ubictx), block); +} + +void skein512_lastBlock(skein512_ctx_t* ctx, const void* block, uint16_t length_b){ + ubi512_lastBlock(&(ctx->ubictx), block, length_b); +} + +void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx){ + ubi512_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI512_BLOCKSIZE_B]; + ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi512_ctx_t)); + ubi512_lastBlock(&uctx, &counter, 64); + ubi512_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI512_BLOCKSIZE){ + memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI512_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI512_BLOCKSIZE_B; + outsize_b -= UBI512_BLOCKSIZE; + counter++; + } + } +} + +void skein512(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ + skein512_ctx_t ctx; + skein512_init(&ctx, outlength_b); + while(length_b>SKEIN512_BLOCKSIZE){ + skein512_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN512_BLOCKSIZE_B; + length_b -= SKEIN512_BLOCKSIZE; + } + skein512_lastBlock(&ctx, msg, length_b); + skein512_ctx2hash(dest, &ctx); +} + diff --git a/skein/skein512_asm.S b/skein/skein512_asm.S new file mode 100644 index 0000000..8f6229d --- /dev/null +++ b/skein/skein512_asm.S @@ -0,0 +1,351 @@ +/* skein512_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b){ + skein_config_t conf; + uint8_t null[UBI512_BLOCKSIZE_B]; + memset(null, 0, UBI512_BLOCKSIZE_B); + memset(&conf, 0, sizeof(skein_config_t)); + conf.schema[0] = 'S'; + conf.schema[1] = 'H'; + conf.schema[2] = 'A'; + conf.schema[3] = '3'; + conf.version = 1; + conf.out_length = outsize_b; + ctx->outsize_b = outsize_b; + ubi512_init(&(ctx->ubictx), null, UBI_TYPE_CFG); + ubi512_lastBlock(&(ctx->ubictx), &conf, 256); + ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); +} +*/ +/* + * param ctx: r24:r25 + * param outsize_b: r22:r23 + */ +UBICTX0 = 2 +UBICTX1 = 3 +CONF0 = 4 +CONF1 = 5 +.global skein512_init +skein512_init: + push_range 2, 5 + stack_alloc_large 32+64-22 ; |<- 22 ->| + adiw r30, 1 ; | CONF (32) | + movw CONF0, r30 ; | null (64) | + movw r26, r24 + st X+, r22 + st X+, r23 + movw UBICTX0, r26 + ldi r24, 'S' + st Z+, r24 + ldi r24, 'H' + st Z+, r24 + ldi r24, 'A' + st Z+, r24 + ldi r24, '3' + st Z+, r24 + ldi r24, 1 + st Z+, r24 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r22 + st Z+, r23 + ldi 24, 64 +1: st Z+, r1 + dec r24 + brne 1b + /* call ubi512_init*/ + sbiw r30, 63 + sbiw r30, 1 + movw r24, UBICTX0 + movw r22, r30 + ldi r20, 4 + rcall ubi512_init + /* call ubi512_lastBlock*/ + movw r24, UBICTX0 + movw r22, CONF0 + ldi r21, 1 + clr r20 + rcall ubi512_lastBlock + /* call ubi512_init*/ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 48 + rcall ubi512_init + stack_free_large 32+64-22 + pop_range 2, 5 + ret + +/******************************************************************************/ +.global skein512_nextBlock +skein512_nextBlock: + adiw r24, 2 + rjmp ubi512_nextBlock + +/******************************************************************************/ +.global skein512_lastBlock +skein512_lastBlock: + adiw r24, 2 + rjmp ubi512_lastBlock + +/******************************************************************************/ +/* +void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx){ + ubi512_ctx_t uctx; + uint16_t outsize_b; + + uint64_t counter=0; + uint8_t outbuffer[UBI512_BLOCKSIZE_B]; + ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); + + outsize_b = ctx->outsize_b; + while(1){ + memcpy(&uctx, &(ctx->ubictx), sizeof(ubi512_ctx_t)); + ubi512_lastBlock(&uctx, &counter, 64); + ubi512_ctx2hash(outbuffer, &uctx); + if(outsize_b<=UBI512_BLOCKSIZE){ + memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); + break; + }else{ + memcpy(dest, outbuffer, UBI512_BLOCKSIZE_B); + dest = (uint8_t*)dest + UBI512_BLOCKSIZE_B; + outsize_b -= UBI512_BLOCKSIZE; + counter++; + } + } +} +*/ +/* + * param dest: r24:r25 + * param ctx: r22:r23 + */ + OUTSIZE_B0 = 16 + OUTSIZE_B1 = 17 + UCTX0 = 14 + UCTX1 = 15 + UBICTX0 = 12 + UBICTX1 = 13 + DEST0 = 10 + DEST1 = 11 +.global skein512_ctx2hash +skein512_ctx2hash: + push_range 10, 17 + /* 80 || 8 || 64 */ + stack_alloc_large 80+8+64 /* uctx || counter || outbuffer */ + movw DEST0, r24 + adiw r30, 1 + movw UCTX0, r30 + adiw r30, 63 + adiw r30, 17 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + st Z+, r1 + movw r26, 22 + ld OUTSIZE_B0, X+ + ld OUTSIZE_B1, X+ + movw UBICTX0, r26 + /* call ubi512_init */ + movw r24, UBICTX0 + adiw r24, 16 + movw r22, r24 + movw r24, UBICTX0 + ldi r20, 63 + rcall ubi512_init + + /* main loop */ + /* copy ubictx in uctx*/ +1: movw r30, UCTX0 + movw r26, UBICTX0 + ldi r24, 80 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* call ubi512_lastBlock */ + movw r24, UCTX0 + adiw r24, 63 + adiw r24, 17 + movw r22, r24 + movw r24, UCTX0 + clr r21 + ldi r20, 64 + rcall ubi512_lastBlock + /* copy uctx->g to outbuffer */ + movw r26, UCTX0 + adiw r26, 16 + movw r30, UCTX0 + adiw r30, 63 + adiw r30, 17+8 + ldi r24, 64 +2: ld r25, X+ + st Z+, r25 + dec r24 + brne 2b + /* compare outsize_b with 512*/ + cpi OUTSIZE_B1, 3 + brge 5f + cpi OUTSIZE_B1, 2 + brlo 3f + tst OUTSIZE_B0 + breq 3f +5: /* copy outbuffer to dest */ + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 63 + adiw r26, 17+8 + ldi r24, 64 +6: ld r25, X+ + st Z+, r25 + dec r24 + brne 6b + /* store new dest */ + movw DEST0, r30 + /* adjust counter and outsize_b*/ + subi OUTSIZE_B1, 2 + movw r30, UCTX0 + adiw r30, 63 + adiw r30, 17 + ldi r24, 1 + ld r25, Z + add r25, r24 + st Z+, r25 + ldi r24, 7 +6: ld r25, Z + adc r25, r1 + st Z+, r25 + dec r24 + brne 6b + rjmp 1b +3: /* last iteraton */ + movw r24, OUTSIZE_B0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r25 + ror r24 + lsr r24 + movw r30, DEST0 + movw r26, UCTX0 + adiw r26, 63 + adiw r26, 17+8 + tst r24 + breq 8f +7: ld r25, X+ + st Z+, r25 + dec r24 + brne 7b +8: + stack_free_large2 80+8+64 + pop_range 10, 17 + ret + +/******************************************************************************/ +/* +void skein512(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ + skein512_ctx_t ctx; + skein512_init(&ctx, outlength_b); + while(length_b>SKEIN512_BLOCKSIZE){ + skein512_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + SKEIN512_BLOCKSIZE_B; + length_b -= SKEIN512_BLOCKSIZE; + } + skein512_lastBlock(&ctx, msg, length_b); + skein512_ctx2hash(dest, &ctx); +} +*/ +/* + * param dest: r24:r25 + * param outlength_b: r22:r23 + * param msg: r20:r21 + * param length_b: r16:r19 + */ +LENGTH_B0 = 2 +LENGTH_B1 = 3 +LENGTH_B2 = 4 +LENGTH_B3 = 5 +DEST0 = 6 +DEST1 = 7 +MSG0 = 8 +MSG1 = 9 +CTX0 = 10 +CTX1 = 11 +.global skein512 +skein512: + push_range 2, 11 + stack_alloc_large 82 + adiw r30, 1 + movw CTX0, r30 + movw DEST0, r24 + movw MSG0, r20 + movw LENGTH_B0, r16 + movw LENGTH_B2, r18 + /* call skein512_init */ + movw r24, r30 + rcall skein512_init +1: tst LENGTH_B2 + brne 4f + tst LENGTH_B3 + brne 4f + /* call skein512_lastBlock */ + movw r24, CTX0 + movw r22, MSG0 + movw r20, LENGTH_B0 + rcall skein512_lastBlock + /* call skein512_ctx2hash */ + movw r24, DEST0 + movw r22, CTX0 + rcall skein512_ctx2hash + /* return */ + stack_free_large 82 + pop_range 2, 11 + ret + +4: /* process preceeding blocks */ + movw r24, CTX0 + movw r22, MSG0 + rcall skein512_nextBlock + ldi r24, 64 + add MSG0, r24 + adc MSG0, r1 + mov r24, LENGTH_B1 + mov r25, LENGTH_B2 + sbiw r24, 2 + sbc LENGTH_B3, r1 + mov LENGTH_B1, r24 + mov LENGTH_B2, r25 + rjmp 1b + diff --git a/skein/skein_algo_list.txt b/skein/skein_algo_list.txt new file mode 100644 index 0000000..5b25e73 --- /dev/null +++ b/skein/skein_algo_list.txt @@ -0,0 +1,20 @@ + a: Skein-256-128 + b: Skein-256-160 + c: Skein-256-224 + *d: Skein-256-256 + e: Skein-256-384 + f: Skein-256-512 + g: Skein-512-128 + h: Skein-512-160 + i: Skein-512-224 + j: Skein-512-256 + k: Skein-512-384 + l: Skein-512-512 + m: Skein-512-1024 + n: Skein-1024-128 + o: Skein-1024-160 + p: Skein-1024-224 + q: Skein-1024-256 + r: Skein-1024-384 + s: Skein-1024-512 + t: Skein-1024-1024 diff --git a/skein/threefish.h b/skein/threefish.h new file mode 100644 index 0000000..3b4cc99 --- /dev/null +++ b/skein/threefish.h @@ -0,0 +1,90 @@ +/* threefish.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \file threefish.h + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * \brief Implementation of the Threefish block cipher + * \ingroup Threefish + */ + +#ifndef THREEFISH_H_ +#define THREEFISH_H_ + +#include + +#define THREEFISH256_BLOCKSIZE 256 +#define THREEFISH256_BLOCKSIZE_B ((THREEFISH256_BLOCKSIZE+7)/8) +#define THREEFISH512_BLOCKSIZE 512 +#define THREEFISH512_BLOCKSIZE_B ((THREEFISH512_BLOCKSIZE+7)/8) +#define THREEFISH1024_BLOCKSIZE 1024 +#define THREEFISH1024_BLOCKSIZE_B ((THREEFISH1024_BLOCKSIZE+7)/8) + +/** \typedef threefish256_ctx_t + * \brief holds key data for Threefish-256 + * + * A variable of this type may hold the key data for Threefish-256 encryption + * or decryption.. + */ +typedef struct{ + uint64_t k[5]; + uint64_t t[3]; +} threefish256_ctx_t; + +/** \typedef threefish512_ctx_t + * \brief holds key data for Threefish-512 + * + * A variable of this type may hold the key data for Threefish-512 encryption + * or decryption.. + */ +typedef struct{ + uint64_t k[9]; + uint64_t t[3]; +} threefish512_ctx_t; + +/** \typedef threefish1024_ctx_t + * \brief holds key data for Threefish-1024 + * + * A variable of this type may hold the key data for Threefish-1024 encryption + * or decryption.. + */ +typedef struct{ + uint64_t k[17]; + uint64_t t[3]; +} threefish1024_ctx_t; + + +void threefish_mix(void* data, uint8_t rot); +void threefish_invmix(void* data, uint8_t rot); + +void threefish256_init(const void* key, const void* tweak, threefish256_ctx_t* ctx); +void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx); +void threefish1024_init(const void* key, const void* tweak, threefish1024_ctx_t* ctx); + +void threefish256_enc(void* data, const threefish256_ctx_t* ctx); +void threefish512_enc(void* data, const threefish512_ctx_t* ctx); +void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx); + +void threefish256_dec(void* data, const threefish256_ctx_t* ctx); +void threefish512_dec(void* data, const threefish512_ctx_t* ctx); +void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx); + +#endif /* THREEFISH_H_ */ diff --git a/skein/threefish1024_dec.c b/skein/threefish1024_dec.c new file mode 100644 index 0000000..edb46d4 --- /dev/null +++ b/skein/threefish1024_dec.c @@ -0,0 +1,96 @@ +/* threefish1024_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) + +static +void permute_inv16(void* data){ + uint64_t t; + t = X(15); + X(15) = X(7); + X(7) = X(9); + X(9) = X(1); + X(1) = t; + t = X(11); + X(11) = X(5); + X(5) = X(13); + X(13) = X(3); + X(3) = t; + t = X(4); + X(4) = X(6); + X(6) = t; + t = X(14); + X(14) = X(12); + X(12) = X(10); + X(10) = X(8); + X(8) = t; +} + +static +void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<13; ++i){ + X(i) -= ctx->k[(s+i)%17]; + } + X(13) -= ctx->k[(s+13)%17] + ctx->t[s%3]; + X(14) -= ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; + X(15) -= ctx->k[(s+15)%17] + s; +} + +void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx){ + uint8_t i=0,s=20; + uint8_t r0[8] = {47, 58, 17, 28, 34, 33, 25, 55}; + uint8_t r1[8] = {49, 7, 6, 7, 43, 8, 25, 43}; + uint8_t r2[8] = {27, 32, 18, 47, 25, 18, 46, 37}; + uint8_t r3[8] = {58, 45, 25, 48, 60, 57, 13, 40}; + uint8_t r4[8] = {37, 19, 43, 51, 44, 21, 14, 16}; + uint8_t r5[8] = {48, 18, 42, 9, 9, 12, 13, 22}; + uint8_t r6[8] = {53, 2, 40, 35, 59, 32, 52, 38}; + uint8_t r7[8] = {56, 56, 15, 41, 34, 54, 57, 12}; + do{ + if(i%4==0){ + add_key_16(data, ctx, s); + --s; + } + permute_inv16(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + threefish_invmix((uint8_t*)data + 64, r4[i%8]); + threefish_invmix((uint8_t*)data + 80, r5[i%8]); + threefish_invmix((uint8_t*)data + 96, r6[i%8]); + threefish_invmix((uint8_t*)data +112, r7[i%8]); + ++i; + }while(i!=80); + add_key_16(data, ctx, s); +} diff --git a/skein/threefish1024_dec_asm.S b/skein/threefish1024_dec_asm.S new file mode 100644 index 0000000..5743829 --- /dev/null +++ b/skein/threefish1024_dec_asm.S @@ -0,0 +1,474 @@ +/* threefish1024_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-24 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void permute_inv16(void* data){ + uint64_t t; + t = X(15); + X(15) = X(7); + X(7) = X(9); + X(9) = X(1); + X(1) = t; + t = X(11); + X(11) = X(5); + X(5) = X(13); + X(13) = X(3); + X(3) = t; + t = X(4); + X(4) = X(6); + X(6) = t; + t = X(14); + X(14) = X(12); + X(12) = X(10); + X(10) = X(8); + X(8) = t; +} +void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<13; ++i){ + X(i) -= ctx->k[(s+i)%17]; + } + X(13) -= ctx->k[(s+13)%17] + ctx->t[s%3]; + X(14) -= ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; + X(15) -= ctx->k[(s+15)%17] + s; +} +void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx){ + uint8_t i=0,s=20; + uint8_t r0[8] = {0x69, 0x72, 0x21, 0x34, 0x42, 0x41, 0x31, 0x79}; + uint8_t r1[8] = {0x61, 0x19, 0x1a, 0x19, 0x53, 0x10, 0x31, 0x53}; + uint8_t r2[8] = {0x33, 0x40, 0x22, 0x69, 0x31, 0x22, 0x6a, 0x5b}; + uint8_t r3[8] = {0x72, 0x6b, 0x31, 0x60, 0x74, 0x71, 0x2b, 0x50}; + uint8_t r4[8] = {0x5b, 0x23, 0x53, 0x63, 0x54, 0x3b, 0x2a, 0x20}; + uint8_t r5[8] = {0x60, 0x22, 0x52, 0x11, 0x11, 0x14, 0x2b, 0x3a}; + uint8_t r6[8] = {0x7b, 0x02, 0x50, 0x43, 0x73, 0x40, 0x64, 0x5a}; + uint8_t r7[8] = {0x70, 0x70, 0x29, 0x51, 0x42, 0x7a, 0x71, 0x14}; + + do{ + if(i%4==0){ + add_key_16(data, ctx, s); + --s; + } + permute_inv16(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + threefish_invmix((uint8_t*)data + 64, r4[i%8]); + threefish_invmix((uint8_t*)data + 80, r5[i%8]); + threefish_invmix((uint8_t*)data + 96, r6[i%8]); + threefish_invmix((uint8_t*)data +112, r7[i%8]); + ++i; + }while(i!=80); + add_key_16(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +IDX4 = 12 +IDX5 = 13 +IDX6 = 14 +IDX7 = 15 + +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish1024_dec +threefish1024_dec: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + ldi r26, 20 + mov S, r26 +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish1024_slut17) + ldi r31, hi8(threefish1024_slut17) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall sub_z_from_x8 + /* second half */ + ldi r30, lo8(threefish1024_slut17) + ldi r31, hi8(threefish1024_slut17) + add r30, S + adc r31, r1 + adiw r30, 8 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall sub_z_from_x8 + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish1024_slut3) + ldi r31, hi8(threefish1024_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 7*8 /* make Z pointing to (extended tweak) */ + adiw r30, 7*8 + adiw r30, 3*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + ld r0, X + sub r0, S + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + tst S + brne 3f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +3: + dec S +4: + /* now the permutation */ + movw r26, DATA0 /* X1 <-> X15 */ + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8+4 + adiw r30, 7*8+4 + rcall xchg_zx8 + movw r26, DATA0 /* X15 <-> X7 */ + adiw r26, 7*8+4 + adiw r26, 7*8+4 + movw r30, DATA0 + adiw r30, 7*8 + rcall xchg_zx8 + movw r26, DATA0 /* X9 <-> X7 */ + adiw r26, 7*8 + adiw r26, 2*8 + movw r30, DATA0 + adiw r30, 7*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X3 <-> X11 */ + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 4*8 + rcall xchg_zx8 + movw r26, DATA0 /* X11 <-> X5 */ + adiw r26, 7*8 + adiw r26, 4*8 + movw r30, DATA0 + adiw r30, 5*8 + rcall xchg_zx8 + movw r26, DATA0 /* X13 <-> X5 */ + adiw r26, 7*8 + adiw r26, 6*8 + movw r30, DATA0 + adiw r30, 5*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X8 <-> X14 */ + adiw r26, 7*8 + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 7*8 + rcall xchg_zx8 + movw r26, DATA0 /* X14 <-> X12 */ + adiw r26, 7*8 + adiw r26, 7*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 5*8 + rcall xchg_zx8 + movw r26, DATA0 /* X10 <-> X12 */ + adiw r26, 7*8 + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 5*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X4 <-> X6 */ + adiw r26, 4*8 + movw r30, DATA0 + adiw r30, 6*8 + rcall xchg_zx8 + + /* call mix */ + ldi r30, lo8(threefish1024_rc0) + ldi r31, hi8(threefish1024_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + adiw r30, 8 + lpm IDX1, Z + adiw r30, 8 + lpm IDX2, Z + adiw r30, 8 + lpm IDX3, Z + adiw r30, 8 + lpm IDX4, Z + adiw r30, 8 + lpm IDX5, Z + adiw r30, 8 + lpm IDX6, Z + push IDX6 + push IDX5 + push IDX4 + push IDX3 + push IDX2 + + movw r24, DATA0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 32 + mov r22, IDX1 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 48 + pop r22 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 1 + pop r22 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 17 + pop r22 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 33 + pop r22 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 49 + pop r22 + call threefish_invmix_asm /* no rcall? */ + inc I +9: + rjmp 1b + +threefish1024_slut17: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 + .byte 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70, 0x78 + .byte 0x80, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 + .byte 0x38, 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70 + .byte 0x78, 0x80, 0x00, 0x08, 0x10 +threefish1024_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10 + .byte 0x00 + +threefish1024_rc0: .byte 0x69, 0x72, 0x21, 0x34, 0x42, 0x41, 0x31, 0x79 +threefish1024_rc1: .byte 0x61, 0x19, 0x1a, 0x19, 0x53, 0x10, 0x31, 0x53 +threefish1024_rc2: .byte 0x33, 0x40, 0x22, 0x69, 0x31, 0x22, 0x6a, 0x5b +threefish1024_rc3: .byte 0x72, 0x6b, 0x31, 0x60, 0x74, 0x71, 0x2b, 0x50 +threefish1024_rc4: .byte 0x5b, 0x23, 0x53, 0x63, 0x54, 0x3b, 0x2a, 0x20 +threefish1024_rc5: .byte 0x60, 0x22, 0x52, 0x11, 0x11, 0x14, 0x2b, 0x3a +threefish1024_rc6: .byte 0x7b, 0x02, 0x50, 0x43, 0x73, 0x40, 0x64, 0x5a +threefish1024_rc7: .byte 0x70, 0x70, 0x29, 0x51, 0x42, 0x7a, 0x71, 0x14 + +sub_z_from_x8: + ld r0, Z+ + ld r1, X + sub r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + clr r1 + ret + +T0 = IDX0 +T1 = 0 +CNT = 24 +xchg_zx8: + ldi CNT, 8 +1: ld T0, X + ld T1, Z + st X+, T1 + st Z+, T0 + dec CNT + brne 1b + ret + + + diff --git a/skein/threefish1024_dec_cstub.c b/skein/threefish1024_dec_cstub.c new file mode 100644 index 0000000..09b031f --- /dev/null +++ b/skein/threefish1024_dec_cstub.c @@ -0,0 +1,97 @@ +/* threefish1024_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) + +static +void permute_inv16(void* data){ + uint64_t t; + t = X(15); + X(15) = X(7); + X(7) = X(9); + X(9) = X(1); + X(1) = t; + t = X(11); + X(11) = X(5); + X(5) = X(13); + X(13) = X(3); + X(3) = t; + t = X(4); + X(4) = X(6); + X(6) = t; + t = X(14); + X(14) = X(12); + X(12) = X(10); + X(10) = X(8); + X(8) = t; +} + +static +void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<13; ++i){ + X(i) -= ctx->k[(s+i)%17]; + } + X(13) -= ctx->k[(s+13)%17] + ctx->t[s%3]; + X(14) -= ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; + X(15) -= ctx->k[(s+15)%17] + s; +} + +void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx){ + uint8_t i=0,s=20; + uint8_t r0[8] = {0x69, 0x72, 0x21, 0x34, 0x42, 0x41, 0x31, 0x79}; + uint8_t r1[8] = {0x61, 0x19, 0x1a, 0x19, 0x53, 0x10, 0x31, 0x53}; + uint8_t r2[8] = {0x33, 0x40, 0x22, 0x69, 0x31, 0x22, 0x6a, 0x5b}; + uint8_t r3[8] = {0x72, 0x6b, 0x31, 0x60, 0x74, 0x71, 0x2b, 0x50}; + uint8_t r4[8] = {0x5b, 0x23, 0x53, 0x63, 0x54, 0x3b, 0x2a, 0x20}; + uint8_t r5[8] = {0x60, 0x22, 0x52, 0x11, 0x11, 0x14, 0x2b, 0x3a}; + uint8_t r6[8] = {0x7b, 0x02, 0x50, 0x43, 0x73, 0x40, 0x64, 0x5a}; + uint8_t r7[8] = {0x70, 0x70, 0x29, 0x51, 0x42, 0x7a, 0x71, 0x14}; + + do{ + if(i%4==0){ + add_key_16(data, ctx, s); + --s; + } + permute_inv16(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + threefish_invmix((uint8_t*)data + 64, r4[i%8]); + threefish_invmix((uint8_t*)data + 80, r5[i%8]); + threefish_invmix((uint8_t*)data + 96, r6[i%8]); + threefish_invmix((uint8_t*)data +112, r7[i%8]); + ++i; + }while(i!=80); + add_key_16(data, ctx, s); +} diff --git a/skein/threefish1024_enc.c b/skein/threefish1024_enc.c new file mode 100644 index 0000000..41a3590 --- /dev/null +++ b/skein/threefish1024_enc.c @@ -0,0 +1,117 @@ +/* threefish1024_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) + +static +void permute_16(void* data){ + uint64_t t; + t = X(1); + X(1) = X(9); + X(9) = X(7); + X(7) = X(15); + X(15) = t; + t = X(3); + X(3) = X(13); + X(13) = X(5); + X(5) = X(11); + X(11) = t; + t = X(4); + X(4) = X(6); + X(6) = t; + t = X(8); + X(8) = X(10); + X(10) = X(12); + X(12) = X(14); + X(14) = t; +} + +#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +void threefish1024_init(const void* key, const void* tweak, threefish1024_ctx_t* ctx){ + memcpy(ctx->k, key, 16*8); + if(tweak){ + memcpy(ctx->t, tweak, 2*8); + ctx->t[2] = T(0) ^ T(1); + }else{ + memset(ctx, 0, 3*8); + } + uint8_t i; + ctx->k[16] = THREEFISH_KEY_CONST; + for(i=0; i<16; ++i){ + ctx->k[16] ^= K(i); + } +} + +static +void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<13; ++i){ + X(i) += ctx->k[(s+i)%17]; + } + X(13) += ctx->k[(s+13)%17] + ctx->t[s%3]; + X(14) += ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; + X(15) += ctx->k[(s+15)%17] + s; +} + +void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = {55, 25, 33, 34, 28, 17, 58, 47}; + uint8_t r1[8] = {43, 25, 8, 43, 7, 6, 7, 49}; + uint8_t r2[8] = {37, 46, 18, 25, 47, 18, 32, 27}; + uint8_t r3[8] = {40, 13, 57, 60, 48, 25, 45, 58}; + uint8_t r4[8] = {16, 14, 21, 44, 51, 43, 19, 37}; + uint8_t r5[8] = {22, 13, 12, 9, 9, 42, 18, 48}; + uint8_t r6[8] = {38, 52, 32, 59, 35, 40, 2, 53}; + uint8_t r7[8] = {12, 57, 54, 34, 41, 15, 56, 56}; + + do{ + if(i%4==0){ + add_key_16(data, ctx, s); + ++s; + } + threefish_mix((uint8_t*)data + 0, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + threefish_mix((uint8_t*)data + 32, r2[i%8]); + threefish_mix((uint8_t*)data + 48, r3[i%8]); + threefish_mix((uint8_t*)data + 64, r4[i%8]); + threefish_mix((uint8_t*)data + 80, r5[i%8]); + threefish_mix((uint8_t*)data + 96, r6[i%8]); + threefish_mix((uint8_t*)data +112, r7[i%8]); + permute_16(data); + ++i; + }while(i!=80); + add_key_16(data, ctx, s); +} diff --git a/skein/threefish1024_enc_asm.S b/skein/threefish1024_enc_asm.S new file mode 100644 index 0000000..38bf04c --- /dev/null +++ b/skein/threefish1024_enc_asm.S @@ -0,0 +1,617 @@ +/* threefish1024_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-24 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +A0 = 14 +A1 = 15 +A2 = 16 +A3 = 17 +A4 = 18 +A5 = 19 +A6 = 20 +A7 = 21 +/* +#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) +void threefish1024_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ + memcpy(ctx->k, key, 16*8); + memcpy(ctx->t, tweak, 2*8); + uint8_t i; + ctx->k[16] = THREEFISH_KEY_CONST; + for(i=0; i<8; ++i){ + ctx->k[16] ^= K(i); + } + ctx->t[2] = T(0) ^ T(1); +} +*/ +/* + * param key: r24:r25 + * param tweak: r22:r23 + * param ctx: r20:r21 + */ +.global threefish1024_init +threefish1024_init: + push_range 14, 17 + movw r30, r20 + movw r26, r24 + ldi r24, 16 + ldi A7, 0x55 + mov A6, A7 + movw A4, A6 + movw A2, A6 + movw A0, A6 +1: + ld r0, X+ + st Z+, r0 + eor A0, r0 + ld r0, X+ + st Z+, r0 + eor A1, r0 + ld r0, X+ + st Z+, r0 + eor A2, r0 + ld r0, X+ + st Z+, r0 + eor A3, r0 + ld r0, X+ + st Z+, r0 + eor A4, r0 + ld r0, X+ + st Z+, r0 + eor A5, r0 + ld r0, X+ + st Z+, r0 + eor A6, r0 + ld r0, X+ + st Z+, r0 + eor A7, r0 + dec r24 + brne 1b + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + /* now the tweak */ + movw r26, r22 + tst r27 + brne 3f + tst r26 + brne 3f + ldi r26, 3*8 +1: + st Z+, r1 + dec r26 + brne 1b + rjmp 9f +3: + ld A0, X+ + ld A1, X+ + ld A2, X+ + ld A3, X+ + ld A4, X+ + ld A5, X+ + ld A6, X+ + ld A7, X+ + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + ld r0, X+ + eor A0, r0 + st Z+, r0 + ld r0, X+ + eor A1, r0 + st Z+, r0 + ld r0, X+ + eor A2, r0 + st Z+, r0 + ld r0, X+ + eor A3, r0 + st Z+, r0 + ld r0, X+ + eor A4, r0 + st Z+, r0 + ld r0, X+ + eor A5, r0 + st Z+, r0 + ld r0, X+ + eor A6, r0 + st Z+, r0 + ld r0, X+ + eor A7, r0 + st Z+, r0 + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 +9: + pop_range 14, 17 + ret + +/******************************************************************************/ +/* +#define X(a) (((uint64_t*)data)[(a)]) +void permute_16(void* data){ + uint64_t t; + t = X(1); + X(1) = X(9); + X(9) = X(7); + X(7) = X(15); + X(15) = t; + t = X(3); + X(3) = X(13); + X(13) = X(5); + X(5) = X(11); + X(11) = t; + t = X(4); + X(4) = X(6); + X(6) = t; + t = X(8); + X(8) = X(10); + X(10) = X(12); + X(12) = X(14); + X(14) = t; +} +void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<13; ++i){ + X(i) += ctx->k[(s+i)%17]; + } + X(13) += ctx->k[(s+13)%17] + ctx->t[s%3]; + X(14) += ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; + X(15) += ctx->k[(s+15)%17] + s; +} +void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = {55, 25, 33, 34, 28, 17, 58, 47}; + uint8_t r1[8] = {43, 25, 8, 43, 7, 6, 7, 49}; + uint8_t r2[8] = {37, 46, 18, 25, 47, 18, 32, 27}; + uint8_t r3[8] = {40, 13, 57, 60, 48, 25, 45, 58}; + uint8_t r4[8] = {16, 14, 21, 44, 51, 43, 19, 37}; + uint8_t r5[8] = {22, 13, 12, 9, 9, 42, 18, 48}; + uint8_t r6[8] = {38, 52, 32, 59, 35, 40, 2, 53}; + uint8_t r7[8] = {12, 57, 54, 34, 41, 15, 56, 56}; + do{ + if(i%4==0){ + add_key_16(data, ctx, s); + ++s; + } + threefish_mix((uint8_t*)data + 0, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + threefish_mix((uint8_t*)data + 32, r2[i%8]); + threefish_mix((uint8_t*)data + 48, r3[i%8]); + threefish_mix((uint8_t*)data + 64, r4[i%8]); + threefish_mix((uint8_t*)data + 80, r5[i%8]); + threefish_mix((uint8_t*)data + 96, r6[i%8]); + threefish_mix((uint8_t*)data +112, r7[i%8]); + permute_16(data); + ++i; + }while(i!=80); + add_key_16(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +IDX4 = 12 +IDX5 = 13 +IDX6 = 14 +IDX7 = 15 + +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish1024_enc +threefish1024_enc: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + clr S +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish1024_slut17) + ldi r31, hi8(threefish1024_slut17) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall add_z_to_x8 + /* second half */ + ldi r30, lo8(threefish1024_slut17) + ldi r31, hi8(threefish1024_slut17) + add r30, S + adc r31, r1 + adiw r30, 8 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall add_z_to_x8 + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish1024_slut3) + ldi r31, hi8(threefish1024_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 7*8 /* make Z pointing to (extended tweak) */ + adiw r30, 7*8 + adiw r30, 3*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + ld r0, X + add r0, S + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + inc S + mov r26, S + cpi r26, 21 + brmi 4f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +4: + /* call mix */ + ldi r30, lo8(threefish1024_rc0) + ldi r31, hi8(threefish1024_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + adiw r30, 8 + lpm IDX1, Z + adiw r30, 8 + lpm IDX2, Z + adiw r30, 8 + lpm IDX3, Z + adiw r30, 8 + lpm IDX4, Z + adiw r30, 8 + lpm IDX5, Z + adiw r30, 8 + lpm IDX6, Z + push IDX6 + push IDX5 + push IDX4 + push IDX3 + push IDX2 + + movw r24, DATA0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 32 + mov r22, IDX1 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 48 + pop r22 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 1 + pop r22 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 17 + pop r22 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 33 + pop r22 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 63 + adiw r24, 49 + pop r22 + call threefish_mix_asm /* no rcall? */ + /* now the permutation */ + movw r26, DATA0 /* X1 <-> X15 */ + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8+4 + adiw r30, 7*8+4 + rcall xchg_zx8 + movw r26, DATA0 /* X1 <-> X9 */ + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 2*8 + rcall xchg_zx8 + movw r26, DATA0 /* X9 <-> X7 */ + adiw r26, 7*8 + adiw r26, 2*8 + movw r30, DATA0 + adiw r30, 7*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X3 <-> X11 */ + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 4*8 + rcall xchg_zx8 + movw r26, DATA0 /* X3 <-> X13 */ + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 6*8 + rcall xchg_zx8 + movw r26, DATA0 /* X13 <-> X5 */ + adiw r26, 7*8 + adiw r26, 6*8 + movw r30, DATA0 + adiw r30, 5*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X8 <-> X14 */ + adiw r26, 7*8 + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 7*8 + rcall xchg_zx8 + movw r26, DATA0 /* X8 <-> X10 */ + adiw r26, 7*8 + adiw r26, 1*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 3*8 + rcall xchg_zx8 + movw r26, DATA0 /* X10 <-> X12 */ + adiw r26, 7*8 + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + adiw r30, 5*8 + rcall xchg_zx8 + /* --- */ + movw r26, DATA0 /* X4 <-> X6 */ + adiw r26, 4*8 + movw r30, DATA0 + adiw r30, 6*8 + rcall xchg_zx8 + + inc I +; mov r26, I +; cpi r26, 5 +; brne 9f +; rjmp exit +9: + rjmp 1b + +threefish1024_slut17: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 + .byte 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70, 0x78 + .byte 0x80, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 + .byte 0x38, 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70 + .byte 0x78, 0x80, 0x00, 0x08, 0x10 +threefish1024_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10 + .byte 0x00 +threefish1024_rc0: .byte 0x79, 0x31, 0x41, 0x42, 0x34, 0x21, 0x72, 0x69 +threefish1024_rc1: .byte 0x53, 0x31, 0x10, 0x53, 0x19, 0x1a, 0x19, 0x61 +threefish1024_rc2: .byte 0x5b, 0x6a, 0x22, 0x31, 0x69, 0x22, 0x40, 0x33 +threefish1024_rc3: .byte 0x50, 0x2b, 0x71, 0x74, 0x60, 0x31, 0x6b, 0x72 +threefish1024_rc4: .byte 0x20, 0x2a, 0x3b, 0x54, 0x63, 0x53, 0x23, 0x5b +threefish1024_rc5: .byte 0x3a, 0x2b, 0x14, 0x11, 0x11, 0x52, 0x22, 0x60 +threefish1024_rc6: .byte 0x5a, 0x64, 0x40, 0x73, 0x43, 0x50, 0x02, 0x7b +threefish1024_rc7: .byte 0x14, 0x71, 0x7a, 0x42, 0x51, 0x29, 0x70, 0x70 + +add_z_to_x8: + ld r0, Z+ + ld r1, X + add r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + clr r1 + ret + +T0 = IDX0 +T1 = 0 +CNT = 24 +xchg_zx8: + ldi CNT, 8 +1: ld T0, X + ld T1, Z + st X+, T1 + st Z+, T0 + dec CNT + brne 1b + ret + + + diff --git a/skein/threefish256_dec.c b/skein/threefish256_dec.c new file mode 100644 index 0000000..d23eb93 --- /dev/null +++ b/skein/threefish256_dec.c @@ -0,0 +1,69 @@ +/* threefish256_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) +static +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +static +void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ + X(0) -= ctx->k[(s+0)%5]; + X(1) -= ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) -= ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) -= ctx->k[(s+3)%5] + s; +} + +void threefish256_dec(void* data, const threefish256_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {59, 11, 53, 26, 58, 13, 36, 5}; + uint8_t r1[8] = {50, 42, 35, 20, 44, 46, 28, 56}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + --s; + } + permute_4(data); + threefish_invmix(data, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} + diff --git a/skein/threefish256_dec_asm.S b/skein/threefish256_dec_asm.S new file mode 100644 index 0000000..d2316c6 --- /dev/null +++ b/skein/threefish256_dec_asm.S @@ -0,0 +1,279 @@ +/* threefish256_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} +void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ + X(0) -= ctx->k[(s+0)%5]; + X(1) -= ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) -= ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) -= ctx->k[(s+3)%5] + s; +} +void threefish256_dec(void* data, const threefish256_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {0x73, 0x13, 0x7b, 0x32, 0x72, 0x2b, 0x44, 0x1b}; + uint8_t r1[8] = {0x62, 0x52, 0x43, 0x24, 0x54, 0x6a, 0x34, 0x70}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + --s; + } + permute_4(data); + threefish_invmix(data, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish256_dec +threefish256_dec: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + ldi r26, 18 + mov S, r26 +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish256_slut5) + ldi r31, hi8(threefish256_slut5) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall sub_z_from_x8 + + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish256_slut3) + ldi r31, hi8(threefish256_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 5*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + ld r0, X + sub r0, S + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + tst S + brne 3f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +3: + dec S +4: + /* now the permutation */ + movw r26, DATA0 + adiw r26, 8 + movw r30, r26 + adiw r30, 16 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + /* call mix */ + ldi r30, lo8(threefish256_rc0) + ldi r31, hi8(threefish256_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + movw r24, DATA0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_invmix_asm /* no rcall? */ + inc I + rjmp 1b + +threefish256_slut5: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 + .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 + .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 +threefish256_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + +threefish256_rc0: .byte 0x73, 0x13, 0x7b, 0x32, 0x72, 0x2b, 0x44, 0x1b +threefish256_rc1: .byte 0x62, 0x52, 0x43, 0x24, 0x54, 0x6a, 0x34, 0x70 + +sub_z_from_x8: + ld r0, Z+ + ld r1, X + sub r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + clr r1 + ret + + + + + + + + + + diff --git a/skein/threefish256_dec_cstub.c b/skein/threefish256_dec_cstub.c new file mode 100644 index 0000000..1d89756 --- /dev/null +++ b/skein/threefish256_dec_cstub.c @@ -0,0 +1,66 @@ +/* threefish256_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) +static +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} + +static +void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ + X(0) -= ctx->k[(s+0)%5]; + X(1) -= ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) -= ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) -= ctx->k[(s+3)%5] + s; +} + +void threefish256_dec(void* data, const threefish256_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {0x73, 0x13, 0x7b, 0x32, 0x72, 0x2b, 0x44, 0x1b}; + uint8_t r1[8] = {0x62, 0x52, 0x43, 0x24, 0x54, 0x6a, 0x34, 0x70}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + --s; + } + permute_4(data); + threefish_invmix(data, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} + diff --git a/skein/threefish256_enc.c b/skein/threefish256_enc.c new file mode 100644 index 0000000..8bfbf9d --- /dev/null +++ b/skein/threefish256_enc.c @@ -0,0 +1,86 @@ +/* threefish256_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + +#define X(a) (((uint64_t*)data)[(a)]) +static +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} + +#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +void threefish256_init(const void* key, const void* tweak, threefish256_ctx_t* ctx){ + memcpy(ctx->k, key, 4*8); + if(tweak){ + memcpy(ctx->t, tweak, 2*8); + ctx->t[2] = T(0) ^ T(1); + }else{ + memset(ctx->t, 0, 3*8); + } + uint8_t i; + ctx->k[4] = THREEFISH_KEY_CONST; + for(i=0; i<4; ++i){ + ctx->k[4] ^= K(i); + } +} + +static +void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ + X(0) += ctx->k[(s+0)%5]; + X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) += ctx->k[(s+3)%5] + s; +} + +void threefish256_enc(void* data, const threefish256_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; + uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + ++s; + } + threefish_mix(data, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + permute_4(data); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} + diff --git a/skein/threefish256_enc_asm.S b/skein/threefish256_enc_asm.S new file mode 100644 index 0000000..dfa5d05 --- /dev/null +++ b/skein/threefish256_enc_asm.S @@ -0,0 +1,423 @@ +/* threefish256_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +A0 = 14 +A1 = 15 +A2 = 16 +A3 = 17 +A4 = 18 +A5 = 19 +A6 = 20 +A7 = 21 +/* +#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +void threefish256_init(void* key, void* tweak, threefish256_ctx_t* ctx){ + memcpy(ctx->k, key, 4*8); + memcpy(ctx->t, tweak, 2*8); + uint8_t i; + ctx->k[4] = THREEFISH_KEY_CONST; + for(i=0; i<4; ++i){ + ctx->k[4] ^= K(i); + } + ctx->t[2] = T(0) ^ T(1); +} +*/ +/* + * param key: r24:r25 + * param tweak: r22:r23 + * param ctx: r20:r21 + */ +.global threefish256_init +threefish256_init: + push_range 14, 17 + movw r30, r20 + movw r26, r24 + ldi r24, 4 + ldi A7, 0x55 + mov A6, A7 + movw A4, A6 + movw A2, A6 + movw A0, A6 +1: + ld r0, X+ + st Z+, r0 + eor A0, r0 + ld r0, X+ + st Z+, r0 + eor A1, r0 + ld r0, X+ + st Z+, r0 + eor A2, r0 + ld r0, X+ + st Z+, r0 + eor A3, r0 + ld r0, X+ + st Z+, r0 + eor A4, r0 + ld r0, X+ + st Z+, r0 + eor A5, r0 + ld r0, X+ + st Z+, r0 + eor A6, r0 + ld r0, X+ + st Z+, r0 + eor A7, r0 + dec r24 + brne 1b + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + /* now the tweak */ + tst r23 + brne 3f + tst r22 + brne 3f + ldi r26, 3*8 +2: + st Z+, r1 + dec r26 + brne 2b + rjmp 9f +3: + movw r26, r22 + ld A0, X+ + ld A1, X+ + ld A2, X+ + ld A3, X+ + ld A4, X+ + ld A5, X+ + ld A6, X+ + ld A7, X+ + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + ld r0, X+ + eor A0, r0 + st Z+, r0 + ld r0, X+ + eor A1, r0 + st Z+, r0 + ld r0, X+ + eor A2, r0 + st Z+, r0 + ld r0, X+ + eor A3, r0 + st Z+, r0 + ld r0, X+ + eor A4, r0 + st Z+, r0 + ld r0, X+ + eor A5, r0 + st Z+, r0 + ld r0, X+ + eor A6, r0 + st Z+, r0 + ld r0, X+ + eor A7, r0 + st Z+, r0 + + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 +9: + pop_range 14, 17 + ret + +/******************************************************************************/ +/* +#define X(a) (((uint64_t*)data)[(a)]) +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} +void add_key_4(void* data, threefish256_ctx_t* ctx, uint8_t s){ / * s: 0..19 * / + X(0) += ctx->k[(s+0)%5]; + X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) += ctx->k[(s+3)%5] + s; +} +void threefish256_enc(void* data, threefish256_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; + uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + ++s; + } + threefish_mix(data, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + permute_4(data); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish256_enc +threefish256_enc: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + clr S +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish256_slut5) + ldi r31, hi8(threefish256_slut5) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall add_z_to_x8 + + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish256_slut3) + ldi r31, hi8(threefish256_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 5*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + ld r0, X + add r0, S + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + inc S + mov r26, S + cpi r26, 19 + brmi 4f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +4: + /* call mix */ + ldi r30, lo8(threefish256_rc0) + ldi r31, hi8(threefish256_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + movw r24, DATA0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_mix_asm /* no rcall? */ + /* now the permutation */ + movw r26, DATA0 + adiw r26, 8 + movw r30, r26 + adiw r30, 16 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + inc I + rjmp 1b + +threefish256_slut5: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 + .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 + .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 +threefish256_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 +;threefish256_rc0: .byte 5, 36, 13, 58, 26, 53, 11, 59 +;threefish256_rc1: .byte 56, 28, 46, 44, 20, 35, 42, 50 +threefish256_rc0: .byte 0x1b, 0x44, 0x2b, 0x72, 0x32, 0x7b, 0x13, 0x73 +threefish256_rc1: .byte 0x70, 0x34, 0x6a, 0x54, 0x24, 0x43, 0x52, 0x62 + +add_z_to_x8: + ld r0, Z+ + ld r1, X + add r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + clr r1 + ret + + + + + + + + + + diff --git a/skein/threefish256_enc_small.S b/skein/threefish256_enc_small.S new file mode 100644 index 0000000..f7392ba --- /dev/null +++ b/skein/threefish256_enc_small.S @@ -0,0 +1,362 @@ +/* threefish_mix.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +A0 = 14 +A1 = 15 +A2 = 16 +A3 = 17 +A4 = 18 +A5 = 19 +A6 = 20 +A7 = 21 +/* +#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +void threefish256_init(void* key, void* tweak, threefish256_ctx_t* ctx){ + memcpy(ctx->k, key, 4*8); + memcpy(ctx->t, tweak, 2*8); + uint8_t i; + ctx->k[4] = THREEFISH_KEY_CONST; + for(i=0; i<4; ++i){ + ctx->k[4] ^= K(i); + } + ctx->t[2] = T(0) ^ T(1); +} +*/ +/* + * param key: r24:r25 + * param tweak: r22:r23 + * param ctx: r20:r21 + */ +.global threefish256_init +threefish256_init: + push_range 14, 17 + movw r30, r20 + movw r26, r24 + ldi r24, 4 + ldi A7, 0x55 + mov A6, A7 + movw A4, A6 + movw A2, A6 + movw A0, A6 +1: + ld r0, X+ + st Z+, r0 + eor A0, r0 + ld r0, X+ + st Z+, r0 + eor A1, r0 + ld r0, X+ + st Z+, r0 + eor A2, r0 + ld r0, X+ + st Z+, r0 + eor A3, r0 + ld r0, X+ + st Z+, r0 + eor A4, r0 + ld r0, X+ + st Z+, r0 + eor A5, r0 + ld r0, X+ + st Z+, r0 + eor A6, r0 + ld r0, X+ + st Z+, r0 + eor A7, r0 + dec r24 + brne 1b + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + /* now the tweak */ + movw r26, r22 + tst r27 + brne 3f + tst r26 + brne 3f + ldi r26, 3*8 +1: + st Z+, r1 + dec r26 + brne 1b + rjmp 9f +3: + ld A0, X+ + ld A1, X+ + ld A2, X+ + ld A3, X+ + ld A4, X+ + ld A5, X+ + ld A6, X+ + ld A7, X+ + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + ld r0, X+ + eor A0, r0 + st Z+, r0 + ld r0, X+ + eor A1, r0 + st Z+, r0 + ld r0, X+ + eor A2, r0 + st Z+, r0 + ld r0, X+ + eor A3, r0 + st Z+, r0 + ld r0, X+ + eor A4, r0 + st Z+, r0 + ld r0, X+ + eor A5, r0 + st Z+, r0 + ld r0, X+ + eor A6, r0 + st Z+, r0 + ld r0, X+ + eor A7, r0 + st Z+, r0 + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 +9: + pop_range 14, 17 + ret + +/******************************************************************************/ +/* +#define X(a) (((uint64_t*)data)[(a)]) +void permute_4(void* data){ + uint64_t t; + t = X(1); + X(1) = X(3); + X(3) = t; +} +void add_key_4(void* data, threefish256_ctx_t* ctx, uint8_t s){ / * s: 0..19 * / + X(0) += ctx->k[(s+0)%5]; + X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; + X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; + X(3) += ctx->k[(s+3)%5] + s; +} +void threefish256_enc(void* data, threefish256_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; + uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; + do{ + if(i%4==0){ + add_key_4(data, ctx, s); + ++s; + } + threefish_mix(data, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + permute_4(data); + ++i; + }while(i!=72); + add_key_4(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish256_enc +threefish256_enc: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + clr S +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish256_slut5) + ldi r31, hi8(threefish256_slut5) + mov r26, S + add r30, r26 + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall add_z_to_x8 + + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish256_slut3) + ldi r31, hi8(threefish256_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 5*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + ld r0, X + add r0, S + st X+, r0 + ldi r16, 7 +3: + ld r0, X + adc r0, r1 + st X+, r0 + dec r16 + brne 3b + inc S + mov r26, S + cpi r26, 19 + brmi 4f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +4: + /* call mix */ + ldi r30, lo8(threefish256_rc0) + ldi r31, hi8(threefish256_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + movw r24, DATA0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_mix_asm /* no rcall? */ + /* now the permutation */ + movw r26, DATA0 + adiw r26, 8 + movw r30, r26 + adiw r30, 16 + ldi r16, 8 +3: ld IDX0, X + ld IDX1, Z + st X+, IDX1 + st Z+, IDX0 + dec r16 + brne 3b + inc I + rjmp 1b + +threefish256_slut5: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 + .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 + .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 +threefish256_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 +threefish256_rc0: .byte 0x1b, 0x44, 0x2b, 0x72, 0x32, 0x7b, 0x13, 0x73 +threefish256_rc1: .byte 0x70, 0x34, 0x6a, 0x54, 0x24, 0x43, 0x52, 0x62 + +add_z_to_x8: + ld r0, Z+ + ld r1, X + add r1, r0 + st X+, r1 + ldi r16, 7 +1: + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + dec r16 + brne 1b + clr r1 + ret + + + + + + + + + + diff --git a/skein/threefish512_dec.c b/skein/threefish512_dec.c new file mode 100644 index 0000000..c535d33 --- /dev/null +++ b/skein/threefish512_dec.c @@ -0,0 +1,81 @@ +/* threefish512_dec.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-22 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + + +#define X(a) (((uint64_t*)data)[(a)]) + + +static +void permute_inv8(void* data){ + uint64_t t; + t = X(6); + X(6) = X(4); + X(4) = X(2); + X(2) = X(0); + X(0) = t; + t = X(7); + X(7) = X(3); + X(3) = t; +} + +static +void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<5; ++i){ + X(i) -= ctx->k[(s+i)%9]; + } + X(5) -= ctx->k[(s+5)%9] + ctx->t[s%3]; + X(6) -= ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; + X(7) -= ctx->k[(s+7)%9] + s; +} + +void threefish512_dec(void* data, const threefish512_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {33, 29, 39, 33, 26, 34, 48, 38}; + uint8_t r1[8] = {51, 26, 27, 49, 12, 14, 20, 30}; + uint8_t r2[8] = {39, 11, 41, 8, 58, 15, 43, 50}; + uint8_t r3[8] = {35, 9, 14, 42, 7, 27, 31, 53}; + do{ + if(i%4==0){ + add_key_8(data, ctx, s); + --s; + } + permute_inv8(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + ++i; + }while(i!=72); + add_key_8(data, ctx, s); +} + diff --git a/skein/threefish512_dec_asm.S b/skein/threefish512_dec_asm.S new file mode 100644 index 0000000..5ac9c0d --- /dev/null +++ b/skein/threefish512_dec_asm.S @@ -0,0 +1,330 @@ +/* threefish512_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-24 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +#define X(a) (((uint64_t*)data)[(a)]) + + +static +void permute_inv8(void* data){ + uint64_t t; + t = X(6); + X(6) = X(4); + X(4) = X(2); + X(2) = X(0); + X(0) = t; + t = X(7); + X(7) = X(3); + X(3) = t; +} + +static +void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<5; ++i){ + X(i) -= ctx->k[(s+i)%9]; + } + X(5) -= ctx->k[(s+5)%9] + ctx->t[s%3]; + X(6) -= ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; + X(7) -= ctx->k[(s+7)%9] + s; +} + +void threefish512_dec(void* data, const threefish512_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {0x41, 0x4b, 0x59, 0x41, 0x32, 0x42, 0x60, 0x5a}; + uint8_t r1[8] = {0x63, 0x32, 0x33, 0x61, 0x14, 0x2a, 0x24, 0x4a}; + uint8_t r2[8] = {0x59, 0x13, 0x51, 0x10, 0x72, 0x29, 0x53, 0x62}; + uint8_t r3[8] = {0x43, 0x11, 0x2a, 0x52, 0x19, 0x33, 0x49, 0x7b}; + do{ + if(i%4==0){ + add_key_8(data, ctx, s); + --s; + } + permute_inv8(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + ++i; + }while(i!=72); + add_key_8(data, ctx, s); +} +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +IDX4 = 12 +IDX5 = 13 +IDX6 = 14 +IDX7 = 15 +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish512_dec +threefish512_dec: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + ldi r26, 18 + mov S, r26 +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish512_slut9) + ldi r31, hi8(threefish512_slut9) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall sub_z_from_x8 + + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish512_slut3) + ldi r31, hi8(threefish512_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 7*8 /* make Z pointing to (extended tweak) */ + adiw r30, 2*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall sub_z_from_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall sub_z_from_x8 + ld r0, X + sub r0, S + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + tst S + brne 3f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +3: + dec S +4: + /* now the permutation */ + movw r26, DATA0 + movw r30, DATA0 + adiw r30, 6*8 + rcall xchg_zx8 + movw r26, DATA0 + adiw r26, 6*8 + movw r30, DATA0 + adiw r30, 4*8 + rcall xchg_zx8 + movw r26, DATA0 + adiw r26, 2*8 + movw r30, DATA0 + adiw r30, 4*8 + rcall xchg_zx8 + movw r26, DATA0 + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + rcall xchg_zx8 + /* call mix */ + ldi r30, lo8(threefish512_rc0) + ldi r31, hi8(threefish512_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + adiw r30, 8 + lpm IDX1, Z + push IDX1 + adiw r30, 8 + lpm IDX1, Z + + movw r24, DATA0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 32 + pop r22 + ;mov r22, IDX0 + call threefish_invmix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 48 + mov r22, IDX1 + call threefish_invmix_asm /* no rcall? */ + inc I + rjmp 1b + +threefish512_slut9: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 + .byte 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 + .byte 0x38, 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28 + .byte 0x30, 0x38, 0x40 +threefish512_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + +threefish512_rc0: .byte 0x41, 0x4b, 0x59, 0x41, 0x32, 0x42, 0x60, 0x5a +threefish512_rc1: .byte 0x63, 0x32, 0x33, 0x61, 0x14, 0x2a, 0x24, 0x4a +threefish512_rc2: .byte 0x59, 0x13, 0x51, 0x10, 0x72, 0x29, 0x53, 0x62 +threefish512_rc3: .byte 0x43, 0x11, 0x2a, 0x52, 0x19, 0x33, 0x49, 0x7b + +sub_z_from_x8: + ld r0, Z+ + ld r1, X + sub r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + sbc r1, r0 + st X+, r1 + clr r1 + ret + +T0 = IDX0 +T1 = 0 +CNT = 24 +xchg_zx8: + ldi CNT, 8 +1: ld T0, X + ld T1, Z + st X+, T1 + st Z+, T0 + dec CNT + brne 1b + ret + + + diff --git a/skein/threefish512_dec_cstub.c b/skein/threefish512_dec_cstub.c new file mode 100644 index 0000000..aaa9886 --- /dev/null +++ b/skein/threefish512_dec_cstub.c @@ -0,0 +1,81 @@ +/* threefish512_dec.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-22 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + + +#define X(a) (((uint64_t*)data)[(a)]) + + +static +void permute_inv8(void* data){ + uint64_t t; + t = X(6); + X(6) = X(4); + X(4) = X(2); + X(2) = X(0); + X(0) = t; + t = X(7); + X(7) = X(3); + X(3) = t; +} + +static +void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<5; ++i){ + X(i) -= ctx->k[(s+i)%9]; + } + X(5) -= ctx->k[(s+5)%9] + ctx->t[s%3]; + X(6) -= ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; + X(7) -= ctx->k[(s+7)%9] + s; +} + +void threefish512_dec(void* data, const threefish512_ctx_t* ctx){ + uint8_t i=0,s=18; + uint8_t r0[8] = {0x41, 0x4b, 0x59, 0x41, 0x32, 0x42, 0x60, 0x5a}; + uint8_t r1[8] = {0x63, 0x32, 0x33, 0x61, 0x14, 0x2a, 0x24, 0x4a}; + uint8_t r2[8] = {0x59, 0x13, 0x51, 0x10, 0x72, 0x29, 0x53, 0x62}; + uint8_t r3[8] = {0x43, 0x11, 0x2a, 0x52, 0x19, 0x33, 0x49, 0x7b}; + do{ + if(i%4==0){ + add_key_8(data, ctx, s); + --s; + } + permute_inv8(data); + threefish_invmix((uint8_t*)data + 0, r0[i%8]); + threefish_invmix((uint8_t*)data + 16, r1[i%8]); + threefish_invmix((uint8_t*)data + 32, r2[i%8]); + threefish_invmix((uint8_t*)data + 48, r3[i%8]); + ++i; + }while(i!=72); + add_key_8(data, ctx, s); +} + diff --git a/skein/threefish512_enc.c b/skein/threefish512_enc.c new file mode 100644 index 0000000..620276f --- /dev/null +++ b/skein/threefish512_enc.c @@ -0,0 +1,115 @@ +/* threefish512_enc.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + * + * + */ + +#include +#include +#include "threefish.h" + + +#define X(a) (((uint64_t*)data)[(a)]) + + +static +void permute_8(void* data){ + uint64_t t; + t = X(0); + X(0) = X(2); + X(2) = X(4); + X(4) = X(6); + X(6) = t; + t = X(3); + X(3) = X(7); + X(7) = t; +} +/* +static +void permute_inv8(void* data){ + uint64_t t; + t = X(6); + X(6) = X(4); + X(4) = X(2); + X(2) = X(0); + X(0) = t; + t = X(7); + X(7) = X(3); + X(3) = t; +} +*/ + +#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) + +void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ + memcpy(ctx->k, key, 8*8); + if(tweak){ + memcpy(ctx->t, tweak, 2*8); + ctx->t[2] = T(0) ^ T(1); + }else{ + memset(ctx->t, 0, 3*8); + } + uint8_t i; + ctx->k[8] = THREEFISH_KEY_CONST; + for(i=0; i<8; ++i){ + ctx->k[8] ^= K(i); + } +} + +static +void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<5; ++i){ + X(i) += ctx->k[(s+i)%9]; + } + X(5) += ctx->k[(s+5)%9] + ctx->t[s%3]; + X(6) += ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; + X(7) += ctx->k[(s+7)%9] + s; +} + +void threefish512_enc(void* data, const threefish512_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = {38, 48, 34, 26, 33, 39, 29, 33}; + uint8_t r1[8] = {30, 20, 14, 12, 49, 27, 26, 51}; + uint8_t r2[8] = {50, 43, 15, 58, 8, 41, 11, 39}; + uint8_t r3[8] = {53, 31, 27, 7, 42, 14, 9, 35}; + do{ + if(i%4==0){ + add_key_8(data, ctx, s); + ++s; + } + threefish_mix((uint8_t*)data + 0, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + threefish_mix((uint8_t*)data + 32, r2[i%8]); + threefish_mix((uint8_t*)data + 48, r3[i%8]); + permute_8(data); + ++i; + }while(i!=72); + add_key_8(data, ctx, s); +} + diff --git a/skein/threefish512_enc_asm.S b/skein/threefish512_enc_asm.S new file mode 100644 index 0000000..cc2967f --- /dev/null +++ b/skein/threefish512_enc_asm.S @@ -0,0 +1,464 @@ +/* threefish512_enc_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-24 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +A0 = 14 +A1 = 15 +A2 = 16 +A3 = 17 +A4 = 18 +A5 = 19 +A6 = 20 +A7 = 21 +/* +#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / + +#define K(s) (((uint64_t*)key)[(s)]) +#define T(s) (((uint64_t*)tweak)[(s)]) +void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ + memcpy(ctx->k, key, 8*8); + memcpy(ctx->t, tweak, 2*8); + uint8_t i; + ctx->k[8] = THREEFISH_KEY_CONST; + for(i=0; i<8; ++i){ + ctx->k[8] ^= K(i); + } + ctx->t[2] = T(0) ^ T(1); +} +*/ +/* + * param key: r24:r25 + * param tweak: r22:r23 + * param ctx: r20:r21 + */ +.global threefish512_init +threefish512_init: + push_range 14, 17 + movw r30, r20 + movw r26, r24 + ldi r24, 8 + ldi A7, 0x55 + mov A6, A7 + movw A4, A6 + movw A2, A6 + movw A0, A6 +1: + ld r0, X+ + st Z+, r0 + eor A0, r0 + ld r0, X+ + st Z+, r0 + eor A1, r0 + ld r0, X+ + st Z+, r0 + eor A2, r0 + ld r0, X+ + st Z+, r0 + eor A3, r0 + ld r0, X+ + st Z+, r0 + eor A4, r0 + ld r0, X+ + st Z+, r0 + eor A5, r0 + ld r0, X+ + st Z+, r0 + eor A6, r0 + ld r0, X+ + st Z+, r0 + eor A7, r0 + dec r24 + brne 1b + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + /* now the tweak */ + movw r26, r22 + tst r27 + brne 3f + tst r26 + brne 3f + ldi r26, 3*8 +1: + st Z+, r1 + dec r26 + brne 1b + rjmp 9f +3: + ld A0, X+ + ld A1, X+ + ld A2, X+ + ld A3, X+ + ld A4, X+ + ld A5, X+ + ld A6, X+ + ld A7, X+ + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 + ld r0, X+ + eor A0, r0 + st Z+, r0 + ld r0, X+ + eor A1, r0 + st Z+, r0 + ld r0, X+ + eor A2, r0 + st Z+, r0 + ld r0, X+ + eor A3, r0 + st Z+, r0 + ld r0, X+ + eor A4, r0 + st Z+, r0 + ld r0, X+ + eor A5, r0 + st Z+, r0 + ld r0, X+ + eor A6, r0 + st Z+, r0 + ld r0, X+ + eor A7, r0 + st Z+, r0 + st Z+, A0 + st Z+, A1 + st Z+, A2 + st Z+, A3 + st Z+, A4 + st Z+, A5 + st Z+, A6 + st Z+, A7 +9: + pop_range 14, 17 + ret + +/******************************************************************************/ +/* +#define X(a) (((uint64_t*)data)[(a)]) +void permute_8(void* data){ + uint64_t t; + t = X(0); + X(0) = X(2); + X(2) = X(4); + X(4) = X(6); + X(6) = t; + t = X(3); + X(3) = X(7); + X(7) = t; +} +void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ + uint8_t i; + for(i=0; i<5; ++i){ + X(i) += ctx->k[(s+i)%9]; + } + X(5) += ctx->k[(s+5)%9] + ctx->t[s%3]; + X(6) += ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; + X(7) += ctx->k[(s+7)%9] + s; +} +void threefish512_enc(void* data, const threefish512_ctx_t* ctx){ + uint8_t i=0,s=0; + uint8_t r0[8] = {38, 48, 34, 26, 33, 39, 29, 33}; + uint8_t r1[8] = {30, 20, 14, 12, 49, 27, 26, 51}; + uint8_t r2[8] = {50, 43, 15, 58, 8, 41, 11, 39}; + uint8_t r3[8] = {53, 31, 27, 7, 42, 14, 9, 35}; + do{ + if(i%4==0){ + add_key_8(data, ctx, s); + ++s; + } + threefish_mix((uint8_t*)data + 0, r0[i%8]); + threefish_mix((uint8_t*)data + 16, r1[i%8]); + threefish_mix((uint8_t*)data + 32, r2[i%8]); + threefish_mix((uint8_t*)data + 48, r3[i%8]); + permute_8(data); + ++i; + }while(i!=72); + add_key_8(data, ctx, s); +} + +*/ +I = 2 +S = 3 +DATA0 = 4 +DATA1 = 5 +CTX0 = 6 +CTX1 = 7 +IDX0 = 8 +IDX1 = 9 +IDX2 = 10 +IDX3 = 11 +IDX4 = 12 +IDX5 = 13 +IDX6 = 14 +IDX7 = 15 +/* + * param data: r24:r25 + * param ctx: r22:r23 + */ +.global threefish512_enc +threefish512_enc: + push r28 + push r29 + push_range 2, 17 + movw DATA0, r24 + movw CTX0, r22 + clr I + clr S +1: + mov r30, I + andi r30, 0x03 + breq 2f + rjmp 4f +2: + ldi r30, lo8(threefish512_slut9) + ldi r31, hi8(threefish512_slut9) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z+ + lpm IDX2, Z+ + lpm IDX3, Z+ + lpm IDX4, Z+ + lpm IDX5, Z+ + lpm IDX6, Z+ + lpm IDX7, Z + movw r30, CTX0 + movw r26, DATA0 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX2 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX3 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX4 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX5 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX6 + adc r31, r1 + rcall add_z_to_x8 + movw r30, CTX0 + add r30, IDX7 + adc r31, r1 + rcall add_z_to_x8 + + /* now the remaining key */ + sbiw r26, 3*8 + ldi r30, lo8(threefish512_slut3) + ldi r31, hi8(threefish512_slut3) + add r30, S + adc r31, r1 + lpm IDX0, Z+ + lpm IDX1, Z + movw r30, CTX0 + adiw r30, 7*8 /* make Z pointing to (extended tweak) */ + adiw r30, 2*8 + movw IDX2, r30 + add r30, IDX0 + adc r31, r1 + rcall add_z_to_x8 + movw r30, IDX2 + add r30, IDX1 + adc r31, r1 + rcall add_z_to_x8 + ld r0, X + add r0, S + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + inc S + mov r26, S + cpi r26, 19 + brmi 4f +exit: + pop_range 2, 17 + pop r29 + pop r28 + ret +4: + /* call mix */ + ldi r30, lo8(threefish512_rc0) + ldi r31, hi8(threefish512_rc0) + mov r26, I + andi r26, 0x07 + add r30, r26 + adc r31, r1 + lpm r22, Z + adiw r30, 8 + lpm IDX0, Z + adiw r30, 8 + lpm IDX1, Z + push IDX1 + adiw r30, 8 + lpm IDX1, Z + + movw r24, DATA0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 16 + mov r22, IDX0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 32 + pop r22 + ;mov r22, IDX0 + call threefish_mix_asm /* no rcall? */ + movw r24, DATA0 + adiw r24, 48 + mov r22, IDX1 + call threefish_mix_asm /* no rcall? */ + /* now the permutation */ + movw r26, DATA0 + movw r30, DATA0 + adiw r30, 6*8 + rcall xchg_zx8 + movw r26, DATA0 + movw r30, DATA0 + adiw r30, 2*8 + rcall xchg_zx8 + movw r26, DATA0 + adiw r26, 2*8 + movw r30, DATA0 + adiw r30, 4*8 + rcall xchg_zx8 + movw r26, DATA0 + adiw r26, 3*8 + movw r30, DATA0 + adiw r30, 7*8 + rcall xchg_zx8 + inc I + rjmp 1b + +threefish512_slut9: + .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 + .byte 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 + .byte 0x38, 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28 + .byte 0x30, 0x38, 0x40 +threefish512_slut3: + .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 + .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 + +threefish512_rc0: .byte 0x5a, 0x60, 0x42, 0x32, 0x41, 0x59, 0x4b, 0x41 +threefish512_rc1: .byte 0x4a, 0x24, 0x2a, 0x14, 0x61, 0x33, 0x32, 0x63 +threefish512_rc2: .byte 0x62, 0x53, 0x29, 0x72, 0x10, 0x51, 0x13, 0x59 +threefish512_rc3: .byte 0x7b, 0x49, 0x33, 0x19, 0x52, 0x2a, 0x11, 0x43 + +add_z_to_x8: + ld r0, Z+ + ld r1, X + add r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + ld r0, Z+ + ld r1, X + adc r1, r0 + st X+, r1 + clr r1 + ret + +T0 = IDX0 +T1 = 0 +CNT = 24 +xchg_zx8: + ldi CNT, 8 +1: ld T0, X + ld T1, Z + st X+, T1 + st Z+, T0 + dec CNT + brne 1b + ret + + + diff --git a/skein/threefish_invmix.S b/skein/threefish_invmix.S new file mode 100644 index 0000000..1e55cf2 --- /dev/null +++ b/skein/threefish_invmix.S @@ -0,0 +1,299 @@ +/* threefish_invmix.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-21 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/* +#define X0 (((uint64_t*)data)[0]) +#define X1 (((uint64_t*)data)[1]) +void threefish_invmix(void* data, uint8_t rot){ + uint64_t x; + x = X1; + x ^= X0; + X1 = ((x>>rot)|(x<<(64-rot))); + X0 -= X1; +} +*/ +A0 = 10 +A1 = 11 +A2 = 12 +A3 = 13 +A4 = 14 +A5 = 15 +A6 = 16 +A7 = 17 + +B0 = 18 +B1 = 19 +B2 = 20 +B3 = 21 +B4 = 22 +B5 = 23 +B6 = 24 +B7 = 25 +vROT = 27 +/* + * param data: r24:r25 + * param rot: r22 + */ + +.global threefish_invmix_asm +threefish_invmix_asm: + movw r28, r24 + mov vROT,r22 + ldd A0, Y+ 0 + ldd A1, Y+ 1 + ldd A2, Y+ 2 + ldd A3, Y+ 3 + ldd A4, Y+ 4 + ldd A5, Y+ 5 + ldd A6, Y+ 6 + ldd A7, Y+ 7 + ldd B0, Y+ 8 + ldd B1, Y+ 9 + ldd B2, Y+10 + ldd B3, Y+11 + ldd B4, Y+12 + ldd B5, Y+13 + ldd B6, Y+14 + ldd B7, Y+15 + eor B0, A0 + eor B1, A1 + eor B2, A2 + eor B3, A3 + eor B4, A4 + eor B5, A5 + eor B6, A6 + eor B7, A7 + + mov r26, vROT + swap r26 + andi r26, 0x07 + ldi r30, pm_lo8(byte_rot_jmptable) + ldi r31, pm_hi8(byte_rot_jmptable) + add r30, r26 + adc r31, r1 + ijmp +post_byterot: + bst vROT, 3 + andi vROT, 0x07 + brts 1f + rjmp bit_rotr +1: rjmp bit_rotl +post_bitrot: + sub A0, B0 + sbc A1, B1 + sbc A2, B2 + sbc A3, B3 + sbc A4, B4 + sbc A5, B5 + sbc A6, B6 + sbc A7, B7 + + std Y+ 0, A0 + std Y+ 1, A1 + std Y+ 2, A2 + std Y+ 3, A3 + std Y+ 4, A4 + std Y+ 5, A5 + std Y+ 6, A6 + std Y+ 7, A7 + std Y+ 8, B0 + std Y+ 9, B1 + std Y+10, B2 + std Y+11, B3 + std Y+12, B4 + std Y+13, B5 + std Y+14, B6 + std Y+15, B7 +exit: + ret + +byte_rot_jmptable: + rjmp post_byterot;ret; rjmp byte_rotr_0 + rjmp byte_rotr_1 + rjmp byte_rotr_2 + rjmp byte_rotr_3 + rjmp byte_rotr_4 + rjmp byte_rotr_5 + rjmp byte_rotr_6 + rjmp byte_rotr_7 + rjmp post_byterot;ret; rjmp byte_rotr_0 + + + +; 0 1 2 3 4 5 6 7 +; 1 2 3 4 5 6 7 0 +;.global byte_rotr_1 +;.global byte_rotr_0 +byte_rotr_1: /* 10 words */ + mov r0, B0 + mov B0, B1 + mov B1, B2 + mov B2, B3 + mov B3, B4 + mov B4, B5 + mov B5, B6 + mov B6, B7 + mov B7, r0 +byte_rotr_0: + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 2 3 4 5 6 7 0 1 +;.global byte_rotr_2 +byte_rotr_2: /* 11 words */ + mov r0, B0 + mov B0, B2 + mov B2, B4 + mov B4, B6 + mov B6, r0 + mov r0, B1 + mov B1, B3 + mov B3, B5 + mov B5, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 3 4 5 6 7 0 1 2 +;.global byte_rotr_3 +byte_rotr_3: /* 10 words */ + mov r0, B0 + mov B0, B3 + mov B3, B6 + mov B6, B1 + mov B1, B4 + mov B4, B7 + mov B7, B2 + mov B2, B5 + mov B5, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 4 5 6 7 0 1 2 3 +;.global byte_rotr_4 +byte_rotr_4: /* 13 words */ + mov r0, B0 + mov B0, B4 + mov B4, r0 + + mov r0, B1 + mov B1, B5 + mov B5, r0 + + mov r0, B2 + mov B2, B6 + mov B6, r0 + + mov r0, B3 + mov B3, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 5 6 7 0 1 2 3 4 +;.global byte_rotr_5 +byte_rotr_5: /* 10 words */ + mov r0, B0 + mov B0, B5 + mov B5, B2 + mov B2, B7 + mov B7, B4 + mov B4, B1 + mov B1, B6 + mov B6, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 6 7 0 1 2 3 4 5 +;.global byte_rotr_6 +byte_rotr_6: /* 11 words */ + mov r0, B0 + mov B0, B6 + mov B6, B4 + mov B4, B2 + mov B2, r0 + + mov r0, B1 + mov B1, B7 + mov B7, B5 + mov B5, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 7 0 1 2 3 4 5 6 +;.global byte_rotr_7 +byte_rotr_7: /* 10 words */ + mov r0, B7 + mov B7, B6 + mov B6, B5 + mov B5, B4 + mov B4, B3 + mov B3, B2 + mov B2, B1 + mov B1, B0 + mov B0, r0 + rjmp post_byterot + +;.global bit_rotl +bit_rotl: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B7 + rol r0 + rol B0 + rol B1 + rol B2 + rol B3 + rol B4 + rol B5 + rol B6 + rol B7 + dec vROT + rjmp bit_rotl + +;.global bit_rotr +bit_rotr: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B0 + ror r0 + ror B7 + ror B6 + ror B5 + ror B4 + ror B3 + ror B2 + ror B1 + ror B0 + dec vROT + rjmp bit_rotr + + diff --git a/skein/threefish_invmix_4c.S b/skein/threefish_invmix_4c.S new file mode 100644 index 0000000..59cc545 --- /dev/null +++ b/skein/threefish_invmix_4c.S @@ -0,0 +1,305 @@ +/* threefish_invmix.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-21 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/* +#define X0 (((uint64_t*)data)[0]) +#define X1 (((uint64_t*)data)[1]) +void threefish_invmix(void* data, uint8_t rot){ + uint64_t x; + x = X1; + x ^= X0; + X1 = ((x>>rot)|(x<<(64-rot))); + X0 -= X1; +} +*/ +A0 = 10 +A1 = 11 +A2 = 12 +A3 = 13 +A4 = 14 +A5 = 15 +A6 = 16 +A7 = 17 + +B0 = 18 +B1 = 19 +B2 = 20 +B3 = 21 +B4 = 22 +B5 = 23 +B6 = 24 +B7 = 25 +vROT = 27 +/* + * param data: r24:r25 + * param rot: r22 + */ + +.global threefish_invmix +threefish_invmix: + push_range 10, 17 + push r28 + push r29 + movw r28, r24 + mov vROT,r22 + ldd A0, Y+ 0 + ldd A1, Y+ 1 + ldd A2, Y+ 2 + ldd A3, Y+ 3 + ldd A4, Y+ 4 + ldd A5, Y+ 5 + ldd A6, Y+ 6 + ldd A7, Y+ 7 + ldd B0, Y+ 8 + ldd B1, Y+ 9 + ldd B2, Y+10 + ldd B3, Y+11 + ldd B4, Y+12 + ldd B5, Y+13 + ldd B6, Y+14 + ldd B7, Y+15 + eor B0, A0 + eor B1, A1 + eor B2, A2 + eor B3, A3 + eor B4, A4 + eor B5, A5 + eor B6, A6 + eor B7, A7 + + mov r26, vROT + swap r26 + andi r26, 0x07 + ldi r30, pm_lo8(byte_rot_jmptable) + ldi r31, pm_hi8(byte_rot_jmptable) + add r30, r26 + adc r31, r1 + ijmp +post_byterot: + bst vROT, 3 + andi vROT, 0x07 + brts 1f + rjmp bit_rotr +1: rjmp bit_rotl +post_bitrot: + sub A0, B0 + sbc A1, B1 + sbc A2, B2 + sbc A3, B3 + sbc A4, B4 + sbc A5, B5 + sbc A6, B6 + sbc A7, B7 + + std Y+ 0, A0 + std Y+ 1, A1 + std Y+ 2, A2 + std Y+ 3, A3 + std Y+ 4, A4 + std Y+ 5, A5 + std Y+ 6, A6 + std Y+ 7, A7 + std Y+ 8, B0 + std Y+ 9, B1 + std Y+10, B2 + std Y+11, B3 + std Y+12, B4 + std Y+13, B5 + std Y+14, B6 + std Y+15, B7 +exit: + pop r29 + pop r28 + pop_range 10, 17 + ret + +byte_rot_jmptable: + rjmp post_byterot;ret; rjmp byte_rotr_0 + rjmp byte_rotr_1 + rjmp byte_rotr_2 + rjmp byte_rotr_3 + rjmp byte_rotr_4 + rjmp byte_rotr_5 + rjmp byte_rotr_6 + rjmp byte_rotr_7 + rjmp post_byterot;ret; rjmp byte_rotr_0 + + + +; 0 1 2 3 4 5 6 7 +; 1 2 3 4 5 6 7 0 +;.global byte_rotr_1 +;.global byte_rotr_0 +byte_rotr_1: /* 10 words */ + mov r0, B0 + mov B0, B1 + mov B1, B2 + mov B2, B3 + mov B3, B4 + mov B4, B5 + mov B5, B6 + mov B6, B7 + mov B7, r0 +byte_rotr_0: + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 2 3 4 5 6 7 0 1 +;.global byte_rotr_2 +byte_rotr_2: /* 11 words */ + mov r0, B0 + mov B0, B2 + mov B2, B4 + mov B4, B6 + mov B6, r0 + mov r0, B1 + mov B1, B3 + mov B3, B5 + mov B5, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 3 4 5 6 7 0 1 2 +;.global byte_rotr_3 +byte_rotr_3: /* 10 words */ + mov r0, B0 + mov B0, B3 + mov B3, B6 + mov B6, B1 + mov B1, B4 + mov B4, B7 + mov B7, B2 + mov B2, B5 + mov B5, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 4 5 6 7 0 1 2 3 +;.global byte_rotr_4 +byte_rotr_4: /* 13 words */ + mov r0, B0 + mov B0, B4 + mov B4, r0 + + mov r0, B1 + mov B1, B5 + mov B5, r0 + + mov r0, B2 + mov B2, B6 + mov B6, r0 + + mov r0, B3 + mov B3, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 5 6 7 0 1 2 3 4 +;.global byte_rotr_5 +byte_rotr_5: /* 10 words */ + mov r0, B0 + mov B0, B5 + mov B5, B2 + mov B2, B7 + mov B7, B4 + mov B4, B1 + mov B1, B6 + mov B6, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 6 7 0 1 2 3 4 5 +;.global byte_rotr_6 +byte_rotr_6: /* 11 words */ + mov r0, B0 + mov B0, B6 + mov B6, B4 + mov B4, B2 + mov B2, r0 + + mov r0, B1 + mov B1, B7 + mov B7, B5 + mov B5, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 7 0 1 2 3 4 5 6 +;.global byte_rotr_7 +byte_rotr_7: /* 10 words */ + mov r0, B7 + mov B7, B6 + mov B6, B5 + mov B5, B4 + mov B4, B3 + mov B3, B2 + mov B2, B1 + mov B1, B0 + mov B0, r0 + rjmp post_byterot + +;.global bit_rotl +bit_rotl: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B7 + rol r0 + rol B0 + rol B1 + rol B2 + rol B3 + rol B4 + rol B5 + rol B6 + rol B7 + dec vROT + rjmp bit_rotl + +;.global bit_rotr +bit_rotr: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B0 + ror r0 + ror B7 + ror B6 + ror B5 + ror B4 + ror B3 + ror B2 + ror B1 + ror B0 + dec vROT + rjmp bit_rotr + + diff --git a/skein/threefish_invmix_c.c b/skein/threefish_invmix_c.c new file mode 100644 index 0000000..f664888 --- /dev/null +++ b/skein/threefish_invmix_c.c @@ -0,0 +1,39 @@ +/* threefish_invmix_c.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-21 + * \license GPLv3 or later + * + * + * + */ + +#include + +#define X0 (((uint64_t*)data)[0]) +#define X1 (((uint64_t*)data)[1]) +void threefish_invmix(void* data, uint8_t rot){ + uint64_t x; + x = X1; + x ^= X0; + X1 = ((x>>rot)|(x<<(64-rot))); + X0 -= X1; +} diff --git a/skein/threefish_mix.S b/skein/threefish_mix.S new file mode 100644 index 0000000..07d076f --- /dev/null +++ b/skein/threefish_mix.S @@ -0,0 +1,311 @@ +/* threefish_mix.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/* +#define B0 (((uint64_t*)data)[0]) +#define B1 (((uint64_t*)data)[1]) +static +void mix(void* data, uint8_t rot){ + uint64_t x; + x = B1; + B0 += x; + B1 = ((x<>(64-rot))) ^ B0; +} +*/ +A0 = 10 +A1 = 11 +A2 = 12 +A3 = 13 +A4 = 14 +A5 = 15 +A6 = 16 +A7 = 17 + +B0 = 18 +B1 = 19 +B2 = 20 +B3 = 21 +B4 = 22 +B5 = 23 +B6 = 24 +B7 = 25 +vROT = 27 +/* + * param data: r24:r25 + * param rot: r22 + */ + +.global threefish_mix_asm +threefish_mix_asm: + movw r28, r24 + mov vROT,r22 + ldd A0, Y+ 0 + ldd A1, Y+ 1 + ldd A2, Y+ 2 + ldd A3, Y+ 3 + ldd A4, Y+ 4 + ldd A5, Y+ 5 + ldd A6, Y+ 6 + ldd A7, Y+ 7 + ldd B0, Y+ 8 + ldd B1, Y+ 9 + ldd B2, Y+10 + ldd B3, Y+11 + ldd B4, Y+12 + ldd B5, Y+13 + ldd B6, Y+14 + ldd B7, Y+15 + add A0, B0 + adc A1, B1 + adc A2, B2 + adc A3, B3 + adc A4, B4 + adc A5, B5 + adc A6, B6 + adc A7, B7 + + mov r26, vROT + swap r26 + andi r26, 0x07 + ldi r30, pm_lo8(byte_rot_jmptable) + ldi r31, pm_hi8(byte_rot_jmptable) + add r30, r26 + adc r31, r1 + ijmp +post_byterot: + bst vROT, 3 + andi vROT, 0x07 + brts 1f + rjmp bit_rotl +1: rjmp bit_rotr +post_bitrot: + eor B0, A0 + eor B1, A1 + eor B2, A2 + eor B3, A3 + eor B4, A4 + eor B5, A5 + eor B6, A6 + eor B7, A7 + + std Y+ 0, A0 + std Y+ 1, A1 + std Y+ 2, A2 + std Y+ 3, A3 + std Y+ 4, A4 + std Y+ 5, A5 + std Y+ 6, A6 + std Y+ 7, A7 + std Y+ 8, B0 + std Y+ 9, B1 + std Y+10, B2 + std Y+11, B3 + std Y+12, B4 + std Y+13, B5 + std Y+14, B6 + std Y+15, B7 +exit: + ret + + +byte_rot_jmptable: + rjmp post_byterot;ret; rjmp byte_rotr_0 + rjmp byte_rotr_7 + rjmp byte_rotr_6 + rjmp byte_rotr_5 + rjmp byte_rotr_4 + rjmp byte_rotr_3 + rjmp byte_rotr_2 + rjmp byte_rotr_1 + rjmp post_byterot;ret; rjmp byte_rotr_0 + +; 0 1 2 3 4 5 6 7 +; 1 2 3 4 5 6 7 0 +;.global byte_rotr_1 +;.global byte_rotr_0 +byte_rotr_1: /* 10 words */ + mov r0, B0 + mov B0, B1 + mov B1, B2 + mov B2, B3 + mov B3, B4 + mov B4, B5 + mov B5, B6 + mov B6, B7 + mov B7, r0 +byte_rotr_0: + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 2 3 4 5 6 7 0 1 +;.global byte_rotr_2 +byte_rotr_2: /* 11 words */ + mov r0, B0 + mov B0, B2 + mov B2, B4 + mov B4, B6 + mov B6, r0 + mov r0, B1 + mov B1, B3 + mov B3, B5 + mov B5, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 3 4 5 6 7 0 1 2 +;.global byte_rotr_3 +byte_rotr_3: /* 10 words */ + mov r0, B0 + mov B0, B3 + mov B3, B6 + mov B6, B1 + mov B1, B4 + mov B4, B7 + mov B7, B2 + mov B2, B5 + mov B5, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 4 5 6 7 0 1 2 3 +;.global byte_rotr_4 +byte_rotr_4: /* 13 words */ + mov r0, B0 + mov B0, B4 + mov B4, r0 + + mov r0, B1 + mov B1, B5 + mov B5, r0 + + mov r0, B2 + mov B2, B6 + mov B6, r0 + + mov r0, B3 + mov B3, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 5 6 7 0 1 2 3 4 +;.global byte_rotr_5 +byte_rotr_5: /* 10 words */ + mov r0, B0 + mov B0, B5 + mov B5, B2 + mov B2, B7 + mov B7, B4 + mov B4, B1 + mov B1, B6 + mov B6, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 6 7 0 1 2 3 4 5 +;.global byte_rotr_6 +byte_rotr_6: /* 11 words */ + mov r0, B0 + mov B0, B6 + mov B6, B4 + mov B4, B2 + mov B2, r0 + + mov r0, B1 + mov B1, B7 + mov B7, B5 + mov B5, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 7 0 1 2 3 4 5 6 +;.global byte_rotr_7 +byte_rotr_7: /* 10 words */ + mov r0, B7 + mov B7, B6 + mov B6, B5 + mov B5, B4 + mov B4, B3 + mov B3, B2 + mov B2, B1 + mov B1, B0 + mov B0, r0 + rjmp post_byterot + +;.global bit_rotl +bit_rotl: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B7 + rol r0 + rol B0 + rol B1 + rol B2 + rol B3 + rol B4 + rol B5 + rol B6 + rol B7 + dec vROT + rjmp bit_rotl + +;.global bit_rotr +bit_rotr: + tst vROT + brne 1f + rjmp post_bitrot +1: mov r0, B0 + ror r0 + ror B7 + ror B6 + ror B5 + ror B4 + ror B3 + ror B2 + ror B1 + ror B0 + dec vROT + rjmp bit_rotr + + + + + + + + + + + + + + + diff --git a/skein/threefish_mix_4c.S b/skein/threefish_mix_4c.S new file mode 100644 index 0000000..063232e --- /dev/null +++ b/skein/threefish_mix_4c.S @@ -0,0 +1,328 @@ +/* threefish_mix.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/* +#define B0 (((uint64_t*)data)[0]) +#define B1 (((uint64_t*)data)[1]) +static +void mix(void* data, uint8_t rot){ + uint64_t x; + x = B1; + B0 += x; + B1 = ((x<>(64-rot))) ^ B0; +} +*/ +A0 = 10 +A1 = 11 +A2 = 12 +A3 = 13 +A4 = 14 +A5 = 15 +A6 = 16 +A7 = 17 + +B0 = 18 +B1 = 19 +B2 = 20 +B3 = 21 +B4 = 22 +B5 = 23 +B6 = 24 +B7 = 25 +vROT = 27 +/* + * param data: r24:r25 + * param rot: r22 + */ + +.global threefish_mix +threefish_mix: + push r28 + push r29 + push_range 10, 17 + movw r28, r24 + mov vROT,r22 + ldd A0, Y+ 0 + ldd A1, Y+ 1 + ldd A2, Y+ 2 + ldd A3, Y+ 3 + ldd A4, Y+ 4 + ldd A5, Y+ 5 + ldd A6, Y+ 6 + ldd A7, Y+ 7 + ldd B0, Y+ 8 + ldd B1, Y+ 9 + ldd B2, Y+10 + ldd B3, Y+11 + ldd B4, Y+12 + ldd B5, Y+13 + ldd B6, Y+14 + ldd B7, Y+15 + add A0, B0 + adc A1, B1 + adc A2, B2 + adc A3, B3 + adc A4, B4 + adc A5, B5 + adc A6, B6 + adc A7, B7 + + mov r26, vROT + adiw r26, 3 + lsr r26 + lsr r26 + lsr r26 +; andi r26, 0x07 + ldi r30, pm_lo8(byte_rot_jmptable) + ldi r31, pm_hi8(byte_rot_jmptable) + add r30, r26 + adc r31, r1 + ijmp +post_byterot: + ldi r30, lo8(bit_rot_lut) + ldi r31, hi8(bit_rot_lut) + andi vROT, 0x07 + add r30, vROT + adc r31, r1 + lpm r27, Z + bst r27, 7 + andi r27, 0x07 + brts 1f + rjmp bit_rotl +1: rjmp bit_rotr +post_bitrot: + eor B0, A0 + eor B1, A1 + eor B2, A2 + eor B3, A3 + eor B4, A4 + eor B5, A5 + eor B6, A6 + eor B7, A7 + + std Y+ 0, A0 + std Y+ 1, A1 + std Y+ 2, A2 + std Y+ 3, A3 + std Y+ 4, A4 + std Y+ 5, A5 + std Y+ 6, A6 + std Y+ 7, A7 + std Y+ 8, B0 + std Y+ 9, B1 + std Y+10, B2 + std Y+11, B3 + std Y+12, B4 + std Y+13, B5 + std Y+14, B6 + std Y+15, B7 +exit: + pop_range 10, 17 + pop r29 + pop r28 + ret + +bit_rot_lut: + .byte 0x00 + .byte 0x01 + .byte 0x02 + .byte 0x03 + .byte 0x04 + .byte 0x83 + .byte 0x82 + .byte 0x81 + +byte_rot_jmptable: + rjmp post_byterot;ret; rjmp byte_rotr_0 + rjmp byte_rotr_7 + rjmp byte_rotr_6 + rjmp byte_rotr_5 + rjmp byte_rotr_4 + rjmp byte_rotr_3 + rjmp byte_rotr_2 + rjmp byte_rotr_1 + rjmp post_byterot;ret; rjmp byte_rotr_0 + +; 0 1 2 3 4 5 6 7 +; 1 2 3 4 5 6 7 0 + +byte_rotr_1: /* 10 words */ + mov r0, B0 + mov B0, B1 + mov B1, B2 + mov B2, B3 + mov B3, B4 + mov B4, B5 + mov B5, B6 + mov B6, B7 + mov B7, r0 +byte_rotr_0: + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 2 3 4 5 6 7 0 1 + +byte_rotr_2: /* 11 words */ + mov r0, B0 + mov B0, B2 + mov B2, B4 + mov B4, B6 + mov B6, r0 + mov r0, B1 + mov B1, B3 + mov B3, B5 + mov B5, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 3 4 5 6 7 0 1 2 + +byte_rotr_3: /* 10 words */ + mov r0, B0 + mov B0, B3 + mov B3, B6 + mov B6, B1 + mov B1, B4 + mov B4, B7 + mov B7, B2 + mov B2, B5 + mov B5, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 4 5 6 7 0 1 2 3 +byte_rotr_4: /* 13 words */ + mov r0, B0 + mov B0, B4 + mov B4, r0 + + mov r0, B1 + mov B1, B5 + mov B5, r0 + + mov r0, B2 + mov B2, B6 + mov B6, r0 + + mov r0, B3 + mov B3, B7 + mov B7, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 5 6 7 0 1 2 3 4 +byte_rotr_5: /* 10 words */ + mov r0, B0 + mov B0, B5 + mov B5, B2 + mov B2, B7 + mov B7, B4 + mov B4, B1 + mov B1, B6 + mov B6, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 6 7 0 1 2 3 4 5 +byte_rotr_6: /* 11 words */ + mov r0, B0 + mov B0, B6 + mov B6, B4 + mov B4, B2 + mov B2, r0 + + mov r0, B1 + mov B1, B7 + mov B7, B5 + mov B5, B3 + mov B3, r0 + rjmp post_byterot + +; 0 1 2 3 4 5 6 7 +; 7 0 1 2 3 4 5 6 +byte_rotr_7: /* 10 words */ + mov r0, B7 + mov B7, B6 + mov B6, B5 + mov B5, B4 + mov B4, B3 + mov B3, B2 + mov B2, B1 + mov B1, B0 + mov B0, r0 + rjmp post_byterot + +bit_rotl: + tst r27 + brne 1f + rjmp post_bitrot +1: mov r0, B7 + rol r0 + rol B0 + rol B1 + rol B2 + rol B3 + rol B4 + rol B5 + rol B6 + rol B7 + dec r27 + rjmp bit_rotl + +bit_rotr: + tst r27 + brne 1f + rjmp post_bitrot +1: mov r0, B0 + ror r0 + ror B7 + ror B6 + ror B5 + ror B4 + ror B3 + ror B2 + ror B1 + ror B0 + dec r27 + rjmp bit_rotr + + + + + + + + + + + + + + + diff --git a/skein/threefish_mix_c.c b/skein/threefish_mix_c.c new file mode 100644 index 0000000..2031bc8 --- /dev/null +++ b/skein/threefish_mix_c.c @@ -0,0 +1,38 @@ +/* threefish_mix_c.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + * + * + * + */ + +#include + +#define X0 (((uint64_t*)data)[0]) +#define X1 (((uint64_t*)data)[1]) +void threefish_mix(void* data, uint8_t rot){ + uint64_t x; + x = X1; + X0 += x; + X1 = ((x<>(64-rot))) ^ X0; +} diff --git a/skein/ubi.h b/skein/ubi.h new file mode 100644 index 0000000..1471881 --- /dev/null +++ b/skein/ubi.h @@ -0,0 +1,93 @@ +/* ubi.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#ifndef UBI_H_ +#define UBI_H_ + +#include + +#define UBI_TYPE_KEY 0 +#define UBI_TYPE_CFG 4 +#define UBI_TYPE_PRS 8 +#define UBI_TYPE_PK 12 +#define UBI_TYPE_KDF 16 +#define UBI_TYPE_NON 20 +#define UBI_TYPE_MSG 48 +#define UBI_TYPE_OUT 63 + +#define UBI256_BLOCKSIZE 256 +#define UBI256_BLOCKSIZE_B ((UBI256_BLOCKSIZE+7)/8) + +#define UBI512_BLOCKSIZE 512 +#define UBI512_BLOCKSIZE_B ((UBI512_BLOCKSIZE+7)/8) + +#define UBI1024_BLOCKSIZE 1024 +#define UBI1024_BLOCKSIZE_B ((UBI1024_BLOCKSIZE+7)/8) + + +typedef struct{ + uint8_t tweak[16]; + uint8_t g[32]; +}ubi256_ctx_t; + +typedef struct{ + uint8_t tweak[16]; + uint8_t g[64]; +}ubi512_ctx_t; + +typedef struct{ + uint8_t tweak[16]; + uint8_t g[128]; +}ubi1024_ctx_t; + +void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type); +void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block); +void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b); +void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx); + +void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type); +void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block); +void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b); +void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx); + +void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type); +void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block); +void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b); +void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx); + +typedef struct{ + char schema[4]; + uint16_t version; + uint16_t reserved1; + uint64_t out_length; + uint8_t tree_leaf_size; + uint8_t tree_fan_out; + uint8_t tree_max_height; + uint8_t reserved2[13]; +}skein_config_t; + + +#endif /* UBI_H_ */ diff --git a/skein/ubi1024.c b/skein/ubi1024.c new file mode 100644 index 0000000..ae17cb3 --- /dev/null +++ b/skein/ubi1024.c @@ -0,0 +1,76 @@ +/* ubi1024.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "threefish.h" +#include "memxor.h" +#include "ubi.h" + +void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, UBI1024_BLOCKSIZE_B); +} + +void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block){ + threefish1024_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI1024_BLOCKSIZE_B; + threefish1024_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI1024_BLOCKSIZE_B); + threefish1024_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI1024_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} + + +void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish1024_ctx_t tfctx; + while(length_b>UBI1024_BLOCKSIZE){ + ubi1024_nextBlock(ctx, block); + block = (uint8_t*)block + UBI1024_BLOCKSIZE_B; + length_b -= UBI1024_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07) + ctx->tweak[14] |= 0x80; + threefish1024_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI1024_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07) + ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); + threefish1024_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } +} + +void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI1024_BLOCKSIZE_B); +} + diff --git a/skein/ubi1024_asm.S b/skein/ubi1024_asm.S new file mode 100644 index 0000000..28b6451 --- /dev/null +++ b/skein/ubi1024_asm.S @@ -0,0 +1,328 @@ +/* ubi1024_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, UBI1024_BLOCKSIZE_B); +} +*/ +/* + * param ctx: r24:r25 + * param g: r22:r23 + * param type: r20 + */ +.global ubi1024_init +ubi1024_init: + movw r26, r24 + ldi r21, 15 +1: st X+, r1 + dec r21 + brne 1b + ori r20, 0x40 + st X+, r20 + ldi r21, 128 + movw r30, r22 +2: ld r20, Z+ + st X+, r20 + dec r21 + brne 2b + ret + +/******************************************************************************/ +/* +void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI1024_BLOCKSIZE_B); +} +*/ +/* + * param dest: r24:r24 + * param ctx: r22:r23 + */ +.global ubi1024_ctx2hash +ubi1024_ctx2hash: + movw r26, r24 + movw r30, r22 + adiw r30, 16 + ldi r22, 128 +1: ld r23, Z+ + st X+, r23 + dec r22 + brne 1b + ret + +/******************************************************************************/ +/* +void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block){ + threefish1024_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI1024_BLOCKSIZE_B; + threefish1024_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI1024_BLOCKSIZE_B); + threefish1024_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI1024_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + */ +CTX0 = 2 +CTX1 = 3 +BLOCK0 = 4 +BLOCK1 = 5 +TFCTX0 = 6 +TFCTX1 = 7 +.global ubi1024_nextBlock +ubi1024_nextBlock: + stack_alloc_large 20*8 + push_range 2, 7 + adiw r30, 1 /* Z points to tfctx */ + movw TFCTX0, r30 + movw CTX0, r24 + movw BLOCK0, r22 + movw r26, r24 +/* add BLOCKSIZE_B (128) to tweak */ + ldi r25, 128 + ld r24, X + add r24, r25 + st X+, r24 + ldi r25, 11 +1: ld r24, X + adc r24, r1 + st X+, r24 + dec r25 + brne 1b +/* call threefish1024_init */ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points to ctx->g */ + movw r20, TFCTX0 + rcall threefish1024_init + /* copy block to ctx->g */ + movw r26, CTX0 + movw r30, BLOCK0 + ldi r25, 128 +1: ld r24, Z+ + st X+, r24 + dec r25 + brne 1b +/* call threefish1024_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish1024_enc +/* xor block into ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + ldi r25, 128 +1: ld r24, X+ + ld r23, Z + eor r23, r24 + st Z+, r23 + dec r25 + brne 1b +/* clear 'first' bit in tweak */ + sbiw r30, 1+2 + sbiw r30, 63 + sbiw r30, 63 + ld r24, Z + andi r24, ~0x40 + st Z, r24 +exit: + pop_range 2, 7 + stack_free_large2 20*8 + ret + +/******************************************************************************/ +/* +void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish1024_ctx_t tfctx; + while(length_b>UBI1024_BLOCKSIZE){ + ubi1024_nextBlock(ctx, block); + block = (uint8_t*)block + UBI1024_BLOCKSIZE_B; + length_b -= UBI1024_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07) + ctx->tweak[14] |= 0x80; + threefish1024_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI1024_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07) + ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); + threefish1024_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + * param ength_b: r20:r21 + */ +MASK_B = 8 +LEN_B = 9 +TFCTX0 = 10 +TFCTX1 = 11 +CTX0 = 12 +CTX1 = 13 +BLOCK0 = 14 +BLOCK1 = 15 +LENGTH0 = 16 +LENGTH1 = 17 +.global ubi1024_lastBlock +ubi1024_lastBlock: +/* run nextBlock for preceding blocks*/ + push_range 8, 17 + movw CTX0, r24 + movw BLOCK0, r22 + movw LENGTH0, r20 +1: cpi LENGTH1, 5 + brlo 2f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi1024_nextBlock + ldi r25, 128 + add BLOCK0, r25 + adc BLOCK1, r1 + subi LENGTH1, 4 + rjmp 1b +2: cpi LENGTH1, 4 + brlo 3f + tst LENGTH0 + breq 3f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi1024_nextBlock + ldi r25, 128 + add BLOCK0, r25 + adc BLOCK1, r1 + subi LENGTH1, 4 +3: /* now the real fun */ + stack_alloc_large 20*8 + adiw r30, 1 + movw TFCTX0, r30 + /* calculate LEN_B */ + movw r24, LENGTH0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r25 + ror r24 + lsr r25 + ror r24 + mov LEN_B, r24 + /* add length to tweak */ + movw r30, CTX0 + ld r24, Z + add r24, LEN_B + st Z+, r24 + ldi r25, 11 +1: ld r24, Z + adc r24, r1 + st Z+, r24 + dec r25 + brne 1b + /* set 'final' bit*/ + movw r30, CTX0 + ldd r24, Z+15 + ori r24, 0x80 + std Z+15, r24 + /* store in MASK_B if we do bit processing and set 'BitPad' bit*/ + clr MASK_B + mov r24, LENGTH0 + andi r24, 0x07 + tst r24 + breq 4f + ldd r25, Z+14 + ori r25, 0x80 + std Z+14, r25 + ldi r25, 0x80 + mov MASK_B, r25 +1: lsr MASK_B + dec r24 + brne 1b +4: /* call threefish1024_init*/ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points at ctx->g */ + movw r20, TFCTX0 + rcall threefish1024_init + /* copy block to ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + mov r24, LEN_B + ldi r25, 128 + sub r25, LEN_B + tst r24 +1: breq 2f + ld r22, X+ + st Z+, r22 + dec r24 + rjmp 1b +2: tst MASK_B + breq 29f + or r22, MASK_B + st -Z, r22 + adiw r30, 1 +29: tst r25 +3: breq 4f + st Z+, r1 + dec r25 + rjmp 3b +4: /* call threefish1024_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish1024_enc + /* xor block into ctx->g */ + movw r30, CTX0 + movw r26, BLOCK0 + tst LEN_B +5: breq 6f + ld r22, X+ + ld r23, Z + eor r23, r22 + st Z+, r23 + dec LEN_B + rjmp 5b +6: tst MASK_B + breq 7f + eor r23, MASK_B + st -Z, r23 + +7: stack_free_large2 20*8 + pop_range 8, 17 + ret + + diff --git a/skein/ubi256.c b/skein/ubi256.c new file mode 100644 index 0000000..09eb1e9 --- /dev/null +++ b/skein/ubi256.c @@ -0,0 +1,80 @@ +/* ubi256.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "threefish.h" +#include "memxor.h" +#include "ubi.h" + +void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, 32); +} + +void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block){ + threefish256_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI256_BLOCKSIZE_B; + threefish256_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI256_BLOCKSIZE_B); + threefish256_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI256_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} + + +void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish256_ctx_t tfctx; + while(length_b>UBI256_BLOCKSIZE){ + ubi256_nextBlock(ctx, block); + block = (uint8_t*)block + UBI256_BLOCKSIZE_B; + length_b -= UBI256_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07){ + ctx->tweak[14] |= 0x80; + } + threefish256_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI256_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] |= 0x80>>(length_b&7); + ctx->g[((length_b+7)/8)-1] &= ~((0x80>>(length_b&7))-1); + } + threefish256_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } + +} + +void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI256_BLOCKSIZE_B); +} + diff --git a/skein/ubi256_asm.S b/skein/ubi256_asm.S new file mode 100644 index 0000000..e5e6f9c --- /dev/null +++ b/skein/ubi256_asm.S @@ -0,0 +1,327 @@ +/* ubi256_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-16 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, 32); +} +*/ +/* + * param ctx: r24:r25 + * param g: r22:r23 + * param type: r20 + */ +.global ubi256_init +ubi256_init: + movw r26, r24 + ldi r21, 15 +1: st X+, r1 + dec r21 + brne 1b + ori r20, 0x40 + st X+, r20 + ldi r21, 32 + movw r30, r22 +2: ld r20, Z+ + st X+, r20 + dec r21 + brne 2b + ret + +/******************************************************************************/ +/* +void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI256_BLOCKSIZE_B); +} +*/ +/* + * param dest: r24:r24 + * param ctx: r22:r23 + */ +.global ubi256_ctx2hash +ubi256_ctx2hash: + movw r26, r24 + movw r30, r22 + adiw r30, 16 + ldi r22, 32 +1: ld r23, Z+ + st X+, r23 + dec r22 + brne 1b + ret + +/******************************************************************************/ +/* +void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block){ + threefish256_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI256_BLOCKSIZE_B; + threefish256_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI256_BLOCKSIZE_B); + threefish256_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI256_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + */ +CTX0 = 2 +CTX1 = 3 +BLOCK0 = 4 +BLOCK1 = 5 +TFCTX0 = 6 +TFCTX1 = 7 +.global ubi256_nextBlock +ubi256_nextBlock: + stack_alloc_large 64 + push_range 2, 7 + adiw r30, 1 /* Z points to tfctx */ + movw TFCTX0, r30 + movw CTX0, r24 + movw BLOCK0, r22 + movw r26, r24 +/* add BLOCKSIZE_B (32) to tweak */ + ldi r25, 32 + ld r24, X + add r24, r25 + st X+, r24 + ldi r25, 11 +1: ld r24, X + adc r24, r1 + st X+, r24 + dec r25 + brne 1b +/* call threefish256_init */ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points to ctx->g */ + movw r20, TFCTX0 + rcall threefish256_init + /* copy block to ctx->g */ + movw r26, CTX0 + movw r30, BLOCK0 + ldi r25, 32 +1: ld r24, Z+ + st X+, r24 + dec r25 + brne 1b +/* call threefish256_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish256_enc +/* xor block into ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + ldi r25, 32 +1: ld r24, X+ + ld r23, Z + eor r23, r24 + st Z+, r23 + dec r25 + brne 1b +/* clear 'first' bit in tweak */ + sbiw r30, 33 + ld r24, Z + andi r24, ~0x40 + st Z, r24 +exit: + pop_range 2, 7 + stack_free_large 64 + ret + +/******************************************************************************/ +/* +void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish256_ctx_t tfctx; + while(length_b>UBI256_BLOCKSIZE){ + ubi256_nextBlock(ctx, block); + block = (uint8_t*)block + UBI256_BLOCKSIZE_B; + length_b -= UBI256_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07){ + ctx->tweak[14] |= 0x80; + } + threefish256_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI256_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] |= 0x80>>(length_b&7); + ctx->g[((length_b+7)/8)-1] &= ~((0x80>>(length_b&7))-1); + } + threefish256_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + * param ength_b: r20:r21 + */ +MASK_B = 8 +LEN_B = 9 +TFCTX0 = 10 +TFCTX1 = 11 +CTX0 = 12 +CTX1 = 13 +BLOCK0 = 14 +BLOCK1 = 15 +LENGTH0 = 16 +LENGTH1 = 17 +.global ubi256_lastBlock +ubi256_lastBlock: +/* run nextBlock for preceding blocks*/ + push_range 8, 17 + movw CTX0, r24 + movw BLOCK0, r22 + movw LENGTH0, r20 +1: cpi LENGTH1, 2 + brlo 2f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi256_nextBlock + ldi r25, 32 + add BLOCK0, r25 + adc BLOCK1, r1 + dec LENGTH1 + rjmp 1b +2: tst LENGTH1 + breq 3f + tst LENGTH0 + breq 3f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi256_nextBlock + ldi r25, 32 + add BLOCK0, r25 + adc BLOCK1, r1 + dec LENGTH1 +3: /* now the real fun */ + stack_alloc_large 64 + adiw r30, 1 + movw TFCTX0, r30 + /* calculate LEN_B */ + movw r24, LENGTH0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r24 + lsr r24 + mov LEN_B, r24 + /* add length to tweak */ + movw r30, CTX0 + ld r24, Z + add r24, LEN_B + st Z+, r24 + ldi r25, 11 +1: ld r24, Z + adc r24, r1 + st Z+, r24 + dec r25 + brne 1b + /* set 'final' bit*/ + movw r30, CTX0 + ldd r24, Z+15 + ori r24, 0x80 + std Z+15, r24 + /* store in T if we do bit processing and set 'BitPad' bit*/ + clr MASK_B + mov r24, LENGTH0 + andi r24, 0x07 + tst r24 + breq 4f + ldd r25, Z+14 + ori r25, 0x80 + std Z+14, r25 + ldi r25, 0x80 + mov MASK_B, r25 +1: lsr MASK_B + dec r24 + brne 1b +4: /* call threefish256_init*/ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points at ctx->g */ + movw r20, TFCTX0 + rcall threefish256_init + /* copy block to ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + mov r24, LEN_B + ldi r25, 32 + sub r25, LEN_B + tst r24 +1: breq 2f + ld r22, X+ + st Z+, r22 + dec r24 + rjmp 1b +2: tst MASK_B + breq 29f + or r22, MASK_B + st -Z, r22 + adiw r30, 1 +29: tst r25 +3: breq 4f + st Z+, r1 + dec r25 + rjmp 3b +4: /* call threefish256_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish256_enc + /* xor block into ctx->g */ + movw r30, CTX0 + movw r26, BLOCK0 + tst LEN_B +5: breq 6f + ld r22, X+ + ld r23, Z + eor r23, r22 + st Z+, r23 + dec LEN_B + rjmp 5b +6: tst MASK_B + breq 7f + eor r23, MASK_B + st -Z, r23 + +7: stack_free_large 64 + pop_range 8, 17 + ret + + diff --git a/skein/ubi512.c b/skein/ubi512.c new file mode 100644 index 0000000..d6bab2d --- /dev/null +++ b/skein/ubi512.c @@ -0,0 +1,76 @@ +/* ubi512.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-12 + * \license GPLv3 or later + * + */ + +#include +#include +#include "threefish.h" +#include "memxor.h" +#include "ubi.h" + +void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, UBI512_BLOCKSIZE_B); +} + +void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block){ + threefish512_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI512_BLOCKSIZE_B; + threefish512_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI512_BLOCKSIZE_B); + threefish512_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI512_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} + + +void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish512_ctx_t tfctx; + while(length_b>UBI512_BLOCKSIZE){ + ubi512_nextBlock(ctx, block); + block = (uint8_t*)block + UBI512_BLOCKSIZE_B; + length_b -= UBI512_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07) + ctx->tweak[14] |= 0x80; + threefish512_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI512_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07) + ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); + threefish512_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } +} + +void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI512_BLOCKSIZE_B); +} + diff --git a/skein/ubi512_asm.S b/skein/ubi512_asm.S new file mode 100644 index 0000000..6a17c48 --- /dev/null +++ b/skein/ubi512_asm.S @@ -0,0 +1,326 @@ +/* ubi512_asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2009-03-25 + * \license GPLv3 or later + */ + +#include "avr-asm-macros.S" + +/******************************************************************************/ +/* +void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type){ + memset(ctx->tweak, 0, 15); + ctx->tweak[15] = 0x40+type; + memcpy(ctx->g, g, UBI512_BLOCKSIZE_B); +} +*/ +/* + * param ctx: r24:r25 + * param g: r22:r23 + * param type: r20 + */ +.global ubi512_init +ubi512_init: + movw r26, r24 + ldi r21, 15 +1: st X+, r1 + dec r21 + brne 1b + ori r20, 0x40 + st X+, r20 + ldi r21, 64 + movw r30, r22 +2: ld r20, Z+ + st X+, r20 + dec r21 + brne 2b + ret + +/******************************************************************************/ +/* +void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx){ + memcpy(dest, ctx->g, UBI512_BLOCKSIZE_B); +} +*/ +/* + * param dest: r24:r24 + * param ctx: r22:r23 + */ +.global ubi512_ctx2hash +ubi512_ctx2hash: + movw r26, r24 + movw r30, r22 + adiw r30, 16 + ldi r22, 64 +1: ld r23, Z+ + st X+, r23 + dec r22 + brne 1b + ret + +/******************************************************************************/ +/* +void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block){ + threefish512_ctx_t tfctx; + ((uint64_t*)(ctx->tweak))[0] += UBI512_BLOCKSIZE_B; + threefish512_init(ctx->g, ctx->tweak, &tfctx); + memcpy(ctx->g, block, UBI512_BLOCKSIZE_B); + threefish512_enc(ctx->g, &tfctx); + memxor(ctx->g, block, UBI512_BLOCKSIZE_B); + ctx->tweak[15] &= (uint8_t)~0x40; +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + */ +CTX0 = 2 +CTX1 = 3 +BLOCK0 = 4 +BLOCK1 = 5 +TFCTX0 = 6 +TFCTX1 = 7 +.global ubi512_nextBlock +ubi512_nextBlock: + stack_alloc_large 12*8 + push_range 2, 7 + adiw r30, 1 /* Z points to tfctx */ + movw TFCTX0, r30 + movw CTX0, r24 + movw BLOCK0, r22 + movw r26, r24 +/* add BLOCKSIZE_B (64) to tweak */ + ldi r25, 64 + ld r24, X + add r24, r25 + st X+, r24 + ldi r25, 11 +1: ld r24, X + adc r24, r1 + st X+, r24 + dec r25 + brne 1b +/* call threefish512_init */ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points to ctx->g */ + movw r20, TFCTX0 + rcall threefish512_init + /* copy block to ctx->g */ + movw r26, CTX0 + movw r30, BLOCK0 + ldi r25, 64 +1: ld r24, Z+ + st X+, r24 + dec r25 + brne 1b +/* call threefish512_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish512_enc +/* xor block into ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + ldi r25, 64 +1: ld r24, X+ + ld r23, Z + eor r23, r24 + st Z+, r23 + dec r25 + brne 1b +/* clear 'first' bit in tweak */ + sbiw r30, 33 + sbiw r30, 32 + ld r24, Z + andi r24, ~0x40 + st Z, r24 +exit: + pop_range 2, 7 + stack_free_large 12*8 + ret + +/******************************************************************************/ +/* +void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b){ + threefish512_ctx_t tfctx; + while(length_b>UBI512_BLOCKSIZE){ + ubi512_nextBlock(ctx, block); + block = (uint8_t*)block + UBI512_BLOCKSIZE_B; + length_b -= UBI512_BLOCKSIZE; + } + ctx->tweak[15] |= 0x80; + ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; + if(length_b & 0x07) + ctx->tweak[14] |= 0x80; + threefish512_init(ctx->g, ctx->tweak, &tfctx); + memset(ctx->g, 0, UBI512_BLOCKSIZE_B); + memcpy(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07) + ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); + threefish512_enc(ctx->g, &tfctx); + memxor(ctx->g, block, (length_b+7)/8); + if(length_b & 0x07){ + ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); + } +} +*/ +/* + * param ctx: r24:r25 + * param block: r22:r23 + * param ength_b: r20:r21 + */ +MASK_B = 8 +LEN_B = 9 +TFCTX0 = 10 +TFCTX1 = 11 +CTX0 = 12 +CTX1 = 13 +BLOCK0 = 14 +BLOCK1 = 15 +LENGTH0 = 16 +LENGTH1 = 17 +.global ubi512_lastBlock +ubi512_lastBlock: +/* run nextBlock for preceding blocks*/ + push_range 8, 17 + movw CTX0, r24 + movw BLOCK0, r22 + movw LENGTH0, r20 +1: cpi LENGTH1, 3 + brlo 2f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi512_nextBlock + ldi r25, 64 + add BLOCK0, r25 + adc BLOCK1, r1 + subi LENGTH1, 2 + rjmp 1b +2: cpi LENGTH1, 2 + brlo 3f + tst LENGTH0 + breq 3f + movw r24, CTX0 + movw r22, BLOCK0 + rcall ubi512_nextBlock + ldi r25, 64 + add BLOCK0, r25 + adc BLOCK1, r1 + subi LENGTH1, 2 +3: /* now the real fun */ + stack_alloc_large 8*12 + adiw r30, 1 + movw TFCTX0, r30 + /* calculate LEN_B */ + movw r24, LENGTH0 + adiw r24, 7 + lsr r25 + ror r24 + lsr r25 + ror r24 + lsr r24 + mov LEN_B, r24 + /* add length to tweak */ + movw r30, CTX0 + ld r24, Z + add r24, LEN_B + st Z+, r24 + ldi r25, 11 +1: ld r24, Z + adc r24, r1 + st Z+, r24 + dec r25 + brne 1b + /* set 'final' bit*/ + movw r30, CTX0 + ldd r24, Z+15 + ori r24, 0x80 + std Z+15, r24 + /* store in MASk_B if we do bit processing and set 'BitPad' bit*/ + clr MASK_B + mov r24, LENGTH0 + andi r24, 0x07 + tst r24 + breq 4f + ldd r25, Z+14 + ori r25, 0x80 + std Z+14, r25 + ldi r25, 0x80 + mov MASK_B, r25 +1: lsr MASK_B + dec r24 + brne 1b +4: /* call threefish512_init*/ + movw r24, CTX0 + adiw r24, 16 + movw r22, CTX0 + movw CTX0, r24 /* CTX points at ctx->g */ + movw r20, TFCTX0 + rcall threefish512_init + /* copy block to ctx->g */ + movw r26, BLOCK0 + movw r30, CTX0 + mov r24, LEN_B + ldi r25, 64 + sub r25, LEN_B + tst r24 +1: breq 2f + ld r22, X+ + st Z+, r22 + dec r24 + rjmp 1b +2: tst MASK_B + breq 29f + or r22, MASK_B + st -Z, r22 + adiw r30, 1 +29: tst r25 +3: breq 4f + st Z+, r1 + dec r25 + rjmp 3b +4: /* call threefish512_enc */ + movw r24, CTX0 + movw r22, TFCTX0 + rcall threefish512_enc + /* xor block into ctx->g */ + movw r30, CTX0 + movw r26, BLOCK0 + tst LEN_B +5: breq 6f + ld r22, X+ + ld r23, Z + eor r23, r22 + st Z+, r23 + dec LEN_B + rjmp 5b +6: tst MASK_B + breq 7f + eor r23, MASK_B + st -Z, r23 + +7: stack_free_large 8*12 + pop_range 8, 17 + ret + + diff --git a/skein1024.c b/skein1024.c deleted file mode 100644 index ac3162e..0000000 --- a/skein1024.c +++ /dev/null @@ -1,93 +0,0 @@ -/* skein1024.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "ubi.h" -#include "skein.h" - - -void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI1024_BLOCKSIZE_B]; - memset(null, 0, UBI1024_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi1024_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi1024_lastBlock(&(ctx->ubictx), &conf, 256); - ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} - -void skein1024_nextBlock(skein1024_ctx_t* ctx, const void* block){ - ubi1024_nextBlock(&(ctx->ubictx), block); -} - -void skein1024_lastBlock(skein1024_ctx_t* ctx, const void* block, uint16_t length_b){ - ubi1024_lastBlock(&(ctx->ubictx), block, length_b); -} - -void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx){ - ubi1024_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI1024_BLOCKSIZE_B]; - ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi1024_ctx_t)); - ubi1024_lastBlock(&uctx, &counter, 64); - ubi1024_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI1024_BLOCKSIZE){ - memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI1024_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI1024_BLOCKSIZE_B; - outsize_b -= UBI1024_BLOCKSIZE; - counter++; - } - } -} - -void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ - skein1024_ctx_t ctx; - skein1024_init(&ctx, outlength_b); - while(length_b>SKEIN1024_BLOCKSIZE){ - skein1024_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN1024_BLOCKSIZE_B; - length_b -= SKEIN1024_BLOCKSIZE; - } - skein1024_lastBlock(&ctx, msg, length_b); - skein1024_ctx2hash(dest, &ctx); -} diff --git a/skein1024_asm.S b/skein1024_asm.S deleted file mode 100644 index 8983f6a..0000000 --- a/skein1024_asm.S +++ /dev/null @@ -1,358 +0,0 @@ -/* skein1024_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-25 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void skein1024_init(skein1024_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI1024_BLOCKSIZE_B]; - memset(null, 0, UBI1024_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi1024_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi1024_lastBlock(&(ctx->ubictx), &conf, 256); - ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} -*/ -/* - * param ctx: r24:r25 - * param outsize_b: r22:r23 - */ -UBICTX0 = 2 -UBICTX1 = 3 -CONF0 = 4 -CONF1 = 5 -.global skein1024_init -skein1024_init: - push_range 2, 5 - stack_alloc_large 32+128-22 ; |<- 22 ->| - adiw r30, 1 ; | CONF (32) | - movw CONF0, r30 ; | null (128) | - movw r26, r24 - st X+, r22 - st X+, r23 - movw UBICTX0, r26 - ldi r24, 'S' - st Z+, r24 - ldi r24, 'H' - st Z+, r24 - ldi r24, 'A' - st Z+, r24 - ldi r24, '3' - st Z+, r24 - ldi r24, 1 - st Z+, r24 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r22 - st Z+, r23 - ldi 24, 128 -1: st Z+, r1 - dec r24 - brne 1b - /* call ubi1024_init*/ - subi r30, lo8(128) - sbci r31, hi8(128) - movw r24, UBICTX0 - movw r22, r30 - ldi r20, 4 - rcall ubi1024_init - /* call ubi1024_lastBlock*/ - movw r24, UBICTX0 - movw r22, CONF0 - ldi r21, 1 - clr r20 - rcall ubi1024_lastBlock - /* call ubi1024_init*/ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 48 - rcall ubi1024_init - stack_free_large2 32+128-22 - pop_range 2, 5 - ret - -/******************************************************************************/ -.global skein1024_nextBlock -skein1024_nextBlock: - adiw r24, 2 - rjmp ubi1024_nextBlock - -/******************************************************************************/ -.global skein1024_lastBlock -skein1024_lastBlock: - adiw r24, 2 - rjmp ubi1024_lastBlock - -/******************************************************************************/ -/* -void skein1024_ctx2hash(void* dest, skein1024_ctx_t* ctx){ - ubi1024_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI1024_BLOCKSIZE_B]; - ubi1024_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi1024_ctx_t)); - ubi1024_lastBlock(&uctx, &counter, 64); - ubi1024_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI1024_BLOCKSIZE){ - memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI1024_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI1024_BLOCKSIZE_B; - outsize_b -= UBI1024_BLOCKSIZE; - counter++; - } - } -} -*/ -/* - * param dest: r24:r25 - * param ctx: r22:r23 - */ - OUTSIZE_B0 = 16 - OUTSIZE_B1 = 17 - UCTX0 = 14 - UCTX1 = 15 - UBICTX0 = 12 - UBICTX1 = 13 - DEST0 = 10 - DEST1 = 11 -.global skein1024_ctx2hash -skein1024_ctx2hash: - push_range 10, 17 - /* 144 || 8 || 128 */ - stack_alloc_large 144+8+128 /* uctx || counter || outbuffer */ - movw DEST0, r24 - adiw r30, 1 - movw UCTX0, r30 - ldi r16, 144 - add r30, r16 - adc r31, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - movw r26, 22 - ld OUTSIZE_B0, X+ - ld OUTSIZE_B1, X+ - movw UBICTX0, r26 - /* call ubi1024_init */ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 63 - rcall ubi1024_init - - /* main loop */ - /* copy ubictx in uctx*/ -1: movw r30, UCTX0 - movw r26, UBICTX0 - ldi r24, 144 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* call ubi1024_lastBlock */ - movw r24, UCTX0 - adiw r24, 63 - adiw r24, 63 - adiw r24, 18 - movw r22, r24 - movw r24, UCTX0 - clr r21 - ldi r20, 64 - rcall ubi1024_lastBlock - /* copy uctx->g to outbuffer */ - movw r26, UCTX0 - adiw r26, 16 - movw r30, UCTX0 - adiw r30, 63 - adiw r30, 63 - adiw r30, 18+8 - ldi r24, 128 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* compare outsize_b with 1024*/ - cpi OUTSIZE_B1, 5 - brge 5f - cpi OUTSIZE_B1, 4 - brlo 3f - tst OUTSIZE_B0 - breq 3f -5: /* copy outbuffer to dest */ - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 63 - adiw r26, 63 - adiw r26, 18+8 - ldi r24, 128 -6: ld r25, X+ - st Z+, r25 - dec r24 - brne 6b - /* store new dest */ - movw DEST0, r30 - /* adjust counter and outsize_b*/ - subi OUTSIZE_B1, 2 - movw r30, UCTX0 - adiw r30, 63 - adiw r30, 63 - adiw r30, 18 - ldi r24, 1 - ld r25, Z - add r25, r24 - st Z+, r25 - ldi r24, 7 -6: ld r25, Z - adc r25, r1 - st Z+, r25 - dec r24 - brne 6b - rjmp 1b -3: /* last iteraton */ - movw r24, OUTSIZE_B0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r25 - ror r24 - lsr r25 - ror r24 - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 63 - adiw r26, 63 - adiw r26, 18+8 - tst r24 - breq 8f -7: ld r25, X+ - st Z+, r25 - dec r24 - brne 7b -8: - stack_free_large3 144+8+128 - pop_range 10, 17 - ret - -/******************************************************************************/ -/* -void skein1024(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ - skein1024_ctx_t ctx; - skein1024_init(&ctx, outlength_b); - while(length_b>SKEIN1024_BLOCKSIZE){ - skein1024_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN1024_BLOCKSIZE_B; - length_b -= SKEIN1024_BLOCKSIZE; - } - skein1024_lastBlock(&ctx, msg, length_b); - skein1024_ctx2hash(dest, &ctx); -} -*/ -/* - * param dest: r24:r25 - * param outlength_b: r22:r23 - * param msg: r20:r21 - * param length_b: r16:r19 - */ -LENGTH_B0 = 2 -LENGTH_B1 = 3 -LENGTH_B2 = 4 -LENGTH_B3 = 5 -DEST0 = 6 -DEST1 = 7 -MSG0 = 8 -MSG1 = 9 -CTX0 = 10 -CTX1 = 11 -.global skein1024 -skein1024: - push_range 2, 11 - stack_alloc_large 146 - adiw r30, 1 - movw CTX0, r30 - movw DEST0, r24 - movw MSG0, r20 - movw LENGTH_B0, r16 - movw LENGTH_B2, r18 - /* call skein1024_init */ - movw r24, r30 - rcall skein1024_init -1: tst LENGTH_B2 - brne 4f - tst LENGTH_B3 - brne 4f - /* call skein1024_lastBlock */ - movw r24, CTX0 - movw r22, MSG0 - movw r20, LENGTH_B0 - rcall skein1024_lastBlock - /* call skein1024_ctx2hash */ - movw r24, DEST0 - movw r22, CTX0 - rcall skein1024_ctx2hash - /* return */ - stack_free_large2 146 - pop_range 2, 11 - ret - -4: /* process preceeding blocks */ - movw r24, CTX0 - movw r22, MSG0 - rcall skein1024_nextBlock - ldi r24, 128 - add MSG0, r24 - adc MSG0, r1 - mov r24, LENGTH_B1 - mov r25, LENGTH_B2 - sbiw r24, 4 - sbc LENGTH_B3, r1 - mov LENGTH_B1, r24 - mov LENGTH_B2, r25 - rjmp 1b - diff --git a/skein256.c b/skein256.c deleted file mode 100644 index dfe6ef3..0000000 --- a/skein256.c +++ /dev/null @@ -1,94 +0,0 @@ -/* skein256.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "ubi.h" -#include "skein.h" - -#include "cli.h" - -void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI256_BLOCKSIZE_B]; - memset(null, 0, UBI256_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi256_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi256_lastBlock(&(ctx->ubictx), &conf, 256); - ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} - -void skein256_nextBlock(skein256_ctx_t* ctx, const void* block){ - ubi256_nextBlock(&(ctx->ubictx), block); -} - -void skein256_lastBlock(skein256_ctx_t* ctx, const void* block, uint16_t length_b){ - ubi256_lastBlock(&(ctx->ubictx), block, length_b); -} - -void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx){ - ubi256_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI256_BLOCKSIZE_B]; - ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi256_ctx_t)); - ubi256_lastBlock(&uctx, &counter, 64); - ubi256_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI256_BLOCKSIZE){ - memcpy(dest, outbuffer, (outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI256_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI256_BLOCKSIZE_B; - outsize_b -= UBI256_BLOCKSIZE; - counter++; - } - } -} - -void skein256(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ - skein256_ctx_t ctx; - skein256_init(&ctx, outlength_b); - while(length_b>SKEIN256_BLOCKSIZE){ - skein256_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN256_BLOCKSIZE_B; - length_b -= SKEIN256_BLOCKSIZE; - } - skein256_lastBlock(&ctx, msg, length_b); - skein256_ctx2hash(dest, &ctx); -} diff --git a/skein256_asm.S b/skein256_asm.S deleted file mode 100644 index 97ef472..0000000 --- a/skein256_asm.S +++ /dev/null @@ -1,343 +0,0 @@ -/* skein256_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void skein256_init(skein256_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI256_BLOCKSIZE_B]; - memset(null, 0, UBI256_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi256_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi256_lastBlock(&(ctx->ubictx), &conf, 256); - ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} -*/ -/* - * param ctx: r24:r25 - * param outsize_b: r22:r23 - */ -UBICTX0 = 2 -UBICTX1 = 3 -CONF0 = 4 -CONF1 = 5 -.global skein256_init -skein256_init: - push_range 2, 5 - stack_alloc 64-22 - adiw r30, 1 - movw CONF0, r30 - movw r26, r24 - st X+, r22 - st X+, r23 - movw UBICTX0, r26 - ldi r24, 'S' - st Z+, r24 - ldi r24, 'H' - st Z+, r24 - ldi r24, 'A' - st Z+, r24 - ldi r24, '3' - st Z+, r24 - ldi r24, 1 - st Z+, r24 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r22 - st Z+, r23 - ldi 24, 22+10 -1: st Z+, r1 - dec r24 - brne 1b - /* call ubi256_init*/ - sbiw r30, 32 - movw r24, UBICTX0 - movw r22, r30 - ldi r20, 4 - rcall ubi256_init - /* call ubi256_lastBlock*/ - movw r24, UBICTX0 - movw r22, CONF0 - ldi r21, 1 - clr r20 - rcall ubi256_lastBlock - /* call ubi256_init*/ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 48 - rcall ubi256_init - stack_free 64-22 - pop_range 2, 5 - ret - -/******************************************************************************/ -.global skein256_nextBlock -skein256_nextBlock: - adiw r24, 2 - rjmp ubi256_nextBlock - -/******************************************************************************/ -.global skein256_lastBlock -skein256_lastBlock: - adiw r24, 2 - rjmp ubi256_lastBlock - -/******************************************************************************/ -/* -void skein256_ctx2hash(void* dest, skein256_ctx_t* ctx){ - ubi256_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI256_BLOCKSIZE_B]; - ubi256_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi256_ctx_t)); - ubi256_lastBlock(&uctx, &counter, 64); - ubi256_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI256_BLOCKSIZE){ - memcpy(dest, outbuffer, (outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI256_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI256_BLOCKSIZE_B; - outsize_b -= UBI256_BLOCKSIZE; - counter++; - } - } -} -*/ -/* - * param dest: r24:r25 - * param ctx: r22:r23 - */ - OUTSIZE_B0 = 16 - OUTSIZE_B1 = 17 - UCTX0 = 14 - UCTX1 = 15 - UBICTX0 = 12 - UBICTX1 = 13 - DEST0 = 10 - DEST1 = 11 -.global skein256_ctx2hash -skein256_ctx2hash: - push_range 10, 17 - /* 48 || 8 || 32 */ - stack_alloc_large 88 /* uctx || counter || outbuffer */ - movw DEST0, r24 - adiw r30, 1 - movw UCTX0, r30 - adiw r30, 48 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - movw r26, 22 - ld OUTSIZE_B0, X+ - ld OUTSIZE_B1, X+ - movw UBICTX0, r26 - /* call ubi256_init */ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 63 - rcall ubi256_init - - /* main loop */ - /* copy ubictx in uctx*/ -1: movw r30, UCTX0 - movw r26, UBICTX0 - ldi r24, 48 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* call ubi256_lastBlock */ - movw r24, UCTX0 - adiw r24, 48 - movw r22, r24 - movw r24, UCTX0 - clr r21 - ldi r20, 64 - rcall ubi256_lastBlock - /* copy uctx->g to outbuffer */ - movw r26, UCTX0 - adiw r26, 16 - movw r30, UCTX0 - adiw r30, 56 - ldi r24, 32 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* compare outsize_b with 256*/ - cpi OUTSIZE_B1, 2 - brge 5f - cpi OUTSIZE_B1, 1 - brlo 3f - tst OUTSIZE_B0 - breq 3f -5: /* copy outbuffer to dest */ - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 56 - ldi r24, 32 -6: ld r25, X+ - st Z+, r25 - dec r24 - brne 6b - /* store new dest */ - movw DEST0, r30 ;XXX r26 - /* adjust counter and outsize_b*/ - dec OUTSIZE_B1 - movw r30, UCTX0 - adiw r30, 48 - ldi r24, 1 - ld r25, Z - add r25, r24 - st Z+, r25 - ldi r24, 7 -6: ld r25, Z - adc r25, r1 - st Z+, r25 - dec r24 - brne 6b - rjmp 1b -3: /* last iteraton */ - movw r24, OUTSIZE_B0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r24 - lsr r24 - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 56 - tst r24 - breq 8f -7: ld r25, X+ - st Z+, r25 - dec r24 - brne 7b -8: - stack_free_large 88 - pop_range 10, 17 - ret - -/******************************************************************************/ -/* -void skein256(void* dest, uint16_t outlength_b, const void* msg, uint32_t length_b){ - skein256_ctx_t ctx; - skein256_init(&ctx, outlength_b); - while(length_b>SKEIN256_BLOCKSIZE){ - skein256_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN256_BLOCKSIZE_B; - length_b -= SKEIN256_BLOCKSIZE; - } - skein256_lastBlock(&ctx, msg, length_b); - skein256_ctx2hash(dest, &ctx); -} -*/ -/* - * param dest: r24:r25 - * param outlength_b: r22:r23 - * param msg: r20:r21 - * param length_b: r16:r19 - */ -LENGTH_B0 = 2 -LENGTH_B1 = 3 -LENGTH_B2 = 4 -LENGTH_B3 = 5 -DEST0 = 6 -DEST1 = 7 -MSG0 = 8 -MSG1 = 9 -CTX0 = 10 -CTX1 = 11 -.global skein256 -skein256: - push_range 2, 11 - stack_alloc 50 - adiw r30, 1 - movw CTX0, r30 - movw DEST0, r24 - movw MSG0, r20 - movw LENGTH_B0, r16 - movw LENGTH_B2, r18 - /* call skein256_init */ - movw r24, r30 - rcall skein256_init -1: tst LENGTH_B2 - brne 4f - tst LENGTH_B3 - brne 4f - /* call skein256_lastBlock */ - movw r24, CTX0 - movw r22, MSG0 - movw r20, LENGTH_B0 - rcall skein256_lastBlock - /* call skein256_ctx2hash */ - movw r24, DEST0 - movw r22, CTX0 - rcall skein256_ctx2hash - /* return */ - stack_free 50 - pop_range 2, 11 - ret - -4: /* process preceeding blocks */ - movw r24, CTX0 - movw r22, MSG0 - rcall skein256_nextBlock - movw r24, MSG0 - adiw r24, 32 - movw MSG0, r24 - mov r24, LENGTH_B1 - mov r25, LENGTH_B2 - sbiw r24, 1 - sbc LENGTH_B3, r1 - mov LENGTH_B1, r24 - mov LENGTH_B2, r25 - rjmp 1b - diff --git a/skein512.c b/skein512.c deleted file mode 100644 index 2558f34..0000000 --- a/skein512.c +++ /dev/null @@ -1,94 +0,0 @@ -/* skein512.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "ubi.h" -#include "skein.h" - - -void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI512_BLOCKSIZE_B]; - memset(null, 0, UBI512_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi512_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi512_lastBlock(&(ctx->ubictx), &conf, 256); - ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} - -void skein512_nextBlock(skein512_ctx_t* ctx, const void* block){ - ubi512_nextBlock(&(ctx->ubictx), block); -} - -void skein512_lastBlock(skein512_ctx_t* ctx, const void* block, uint16_t length_b){ - ubi512_lastBlock(&(ctx->ubictx), block, length_b); -} - -void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx){ - ubi512_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI512_BLOCKSIZE_B]; - ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi512_ctx_t)); - ubi512_lastBlock(&uctx, &counter, 64); - ubi512_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI512_BLOCKSIZE){ - memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI512_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI512_BLOCKSIZE_B; - outsize_b -= UBI512_BLOCKSIZE; - counter++; - } - } -} - -void skein512(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ - skein512_ctx_t ctx; - skein512_init(&ctx, outlength_b); - while(length_b>SKEIN512_BLOCKSIZE){ - skein512_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN512_BLOCKSIZE_B; - length_b -= SKEIN512_BLOCKSIZE; - } - skein512_lastBlock(&ctx, msg, length_b); - skein512_ctx2hash(dest, &ctx); -} - diff --git a/skein512_asm.S b/skein512_asm.S deleted file mode 100644 index 8f6229d..0000000 --- a/skein512_asm.S +++ /dev/null @@ -1,351 +0,0 @@ -/* skein512_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void skein512_init(skein512_ctx_t* ctx, uint16_t outsize_b){ - skein_config_t conf; - uint8_t null[UBI512_BLOCKSIZE_B]; - memset(null, 0, UBI512_BLOCKSIZE_B); - memset(&conf, 0, sizeof(skein_config_t)); - conf.schema[0] = 'S'; - conf.schema[1] = 'H'; - conf.schema[2] = 'A'; - conf.schema[3] = '3'; - conf.version = 1; - conf.out_length = outsize_b; - ctx->outsize_b = outsize_b; - ubi512_init(&(ctx->ubictx), null, UBI_TYPE_CFG); - ubi512_lastBlock(&(ctx->ubictx), &conf, 256); - ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_MSG); -} -*/ -/* - * param ctx: r24:r25 - * param outsize_b: r22:r23 - */ -UBICTX0 = 2 -UBICTX1 = 3 -CONF0 = 4 -CONF1 = 5 -.global skein512_init -skein512_init: - push_range 2, 5 - stack_alloc_large 32+64-22 ; |<- 22 ->| - adiw r30, 1 ; | CONF (32) | - movw CONF0, r30 ; | null (64) | - movw r26, r24 - st X+, r22 - st X+, r23 - movw UBICTX0, r26 - ldi r24, 'S' - st Z+, r24 - ldi r24, 'H' - st Z+, r24 - ldi r24, 'A' - st Z+, r24 - ldi r24, '3' - st Z+, r24 - ldi r24, 1 - st Z+, r24 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r22 - st Z+, r23 - ldi 24, 64 -1: st Z+, r1 - dec r24 - brne 1b - /* call ubi512_init*/ - sbiw r30, 63 - sbiw r30, 1 - movw r24, UBICTX0 - movw r22, r30 - ldi r20, 4 - rcall ubi512_init - /* call ubi512_lastBlock*/ - movw r24, UBICTX0 - movw r22, CONF0 - ldi r21, 1 - clr r20 - rcall ubi512_lastBlock - /* call ubi512_init*/ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 48 - rcall ubi512_init - stack_free_large 32+64-22 - pop_range 2, 5 - ret - -/******************************************************************************/ -.global skein512_nextBlock -skein512_nextBlock: - adiw r24, 2 - rjmp ubi512_nextBlock - -/******************************************************************************/ -.global skein512_lastBlock -skein512_lastBlock: - adiw r24, 2 - rjmp ubi512_lastBlock - -/******************************************************************************/ -/* -void skein512_ctx2hash(void* dest, skein512_ctx_t* ctx){ - ubi512_ctx_t uctx; - uint16_t outsize_b; - - uint64_t counter=0; - uint8_t outbuffer[UBI512_BLOCKSIZE_B]; - ubi512_init(&(ctx->ubictx), ctx->ubictx.g, UBI_TYPE_OUT); - - outsize_b = ctx->outsize_b; - while(1){ - memcpy(&uctx, &(ctx->ubictx), sizeof(ubi512_ctx_t)); - ubi512_lastBlock(&uctx, &counter, 64); - ubi512_ctx2hash(outbuffer, &uctx); - if(outsize_b<=UBI512_BLOCKSIZE){ - memcpy(dest, outbuffer, (ctx->outsize_b+7)/8); - break; - }else{ - memcpy(dest, outbuffer, UBI512_BLOCKSIZE_B); - dest = (uint8_t*)dest + UBI512_BLOCKSIZE_B; - outsize_b -= UBI512_BLOCKSIZE; - counter++; - } - } -} -*/ -/* - * param dest: r24:r25 - * param ctx: r22:r23 - */ - OUTSIZE_B0 = 16 - OUTSIZE_B1 = 17 - UCTX0 = 14 - UCTX1 = 15 - UBICTX0 = 12 - UBICTX1 = 13 - DEST0 = 10 - DEST1 = 11 -.global skein512_ctx2hash -skein512_ctx2hash: - push_range 10, 17 - /* 80 || 8 || 64 */ - stack_alloc_large 80+8+64 /* uctx || counter || outbuffer */ - movw DEST0, r24 - adiw r30, 1 - movw UCTX0, r30 - adiw r30, 63 - adiw r30, 17 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - st Z+, r1 - movw r26, 22 - ld OUTSIZE_B0, X+ - ld OUTSIZE_B1, X+ - movw UBICTX0, r26 - /* call ubi512_init */ - movw r24, UBICTX0 - adiw r24, 16 - movw r22, r24 - movw r24, UBICTX0 - ldi r20, 63 - rcall ubi512_init - - /* main loop */ - /* copy ubictx in uctx*/ -1: movw r30, UCTX0 - movw r26, UBICTX0 - ldi r24, 80 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* call ubi512_lastBlock */ - movw r24, UCTX0 - adiw r24, 63 - adiw r24, 17 - movw r22, r24 - movw r24, UCTX0 - clr r21 - ldi r20, 64 - rcall ubi512_lastBlock - /* copy uctx->g to outbuffer */ - movw r26, UCTX0 - adiw r26, 16 - movw r30, UCTX0 - adiw r30, 63 - adiw r30, 17+8 - ldi r24, 64 -2: ld r25, X+ - st Z+, r25 - dec r24 - brne 2b - /* compare outsize_b with 512*/ - cpi OUTSIZE_B1, 3 - brge 5f - cpi OUTSIZE_B1, 2 - brlo 3f - tst OUTSIZE_B0 - breq 3f -5: /* copy outbuffer to dest */ - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 63 - adiw r26, 17+8 - ldi r24, 64 -6: ld r25, X+ - st Z+, r25 - dec r24 - brne 6b - /* store new dest */ - movw DEST0, r30 - /* adjust counter and outsize_b*/ - subi OUTSIZE_B1, 2 - movw r30, UCTX0 - adiw r30, 63 - adiw r30, 17 - ldi r24, 1 - ld r25, Z - add r25, r24 - st Z+, r25 - ldi r24, 7 -6: ld r25, Z - adc r25, r1 - st Z+, r25 - dec r24 - brne 6b - rjmp 1b -3: /* last iteraton */ - movw r24, OUTSIZE_B0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r25 - ror r24 - lsr r24 - movw r30, DEST0 - movw r26, UCTX0 - adiw r26, 63 - adiw r26, 17+8 - tst r24 - breq 8f -7: ld r25, X+ - st Z+, r25 - dec r24 - brne 7b -8: - stack_free_large2 80+8+64 - pop_range 10, 17 - ret - -/******************************************************************************/ -/* -void skein512(void* dest, uint16_t outlength_b,const void* msg, uint32_t length_b){ - skein512_ctx_t ctx; - skein512_init(&ctx, outlength_b); - while(length_b>SKEIN512_BLOCKSIZE){ - skein512_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + SKEIN512_BLOCKSIZE_B; - length_b -= SKEIN512_BLOCKSIZE; - } - skein512_lastBlock(&ctx, msg, length_b); - skein512_ctx2hash(dest, &ctx); -} -*/ -/* - * param dest: r24:r25 - * param outlength_b: r22:r23 - * param msg: r20:r21 - * param length_b: r16:r19 - */ -LENGTH_B0 = 2 -LENGTH_B1 = 3 -LENGTH_B2 = 4 -LENGTH_B3 = 5 -DEST0 = 6 -DEST1 = 7 -MSG0 = 8 -MSG1 = 9 -CTX0 = 10 -CTX1 = 11 -.global skein512 -skein512: - push_range 2, 11 - stack_alloc_large 82 - adiw r30, 1 - movw CTX0, r30 - movw DEST0, r24 - movw MSG0, r20 - movw LENGTH_B0, r16 - movw LENGTH_B2, r18 - /* call skein512_init */ - movw r24, r30 - rcall skein512_init -1: tst LENGTH_B2 - brne 4f - tst LENGTH_B3 - brne 4f - /* call skein512_lastBlock */ - movw r24, CTX0 - movw r22, MSG0 - movw r20, LENGTH_B0 - rcall skein512_lastBlock - /* call skein512_ctx2hash */ - movw r24, DEST0 - movw r22, CTX0 - rcall skein512_ctx2hash - /* return */ - stack_free_large 82 - pop_range 2, 11 - ret - -4: /* process preceeding blocks */ - movw r24, CTX0 - movw r22, MSG0 - rcall skein512_nextBlock - ldi r24, 64 - add MSG0, r24 - adc MSG0, r1 - mov r24, LENGTH_B1 - mov r25, LENGTH_B2 - sbiw r24, 2 - sbc LENGTH_B3, r1 - mov LENGTH_B1, r24 - mov LENGTH_B2, r25 - rjmp 1b - diff --git a/test_src/config.h b/test_src/config.h index b501bab..5fb1011 100644 --- a/test_src/config.h +++ b/test_src/config.h @@ -37,7 +37,7 @@ #define UART0_DATABITS UART_DATABITS_8 #define UART0_RXBUFFER_SIZE 64 #define UART0_TXBUFFER_SIZE 64 -#define UART0_SWFLOWCTRL 0 +#define UART0_SWFLOWCTRL 1 #define UART0_THRESH_LOW 10 #define UART0_THRESH_HIGH 48 diff --git a/test_src/hexdigit_tab.c b/test_src/hexdigit_tab.c deleted file mode 100644 index 874109c..0000000 --- a/test_src/hexdigit_tab.c +++ /dev/null @@ -1,49 +0,0 @@ -/* hexdigit_tab.c */ -/* - * This file is part of AnonAccess, an access system which can be used - * to open door or doing other things with an anonymity featured - * account managment. - * Copyright (C) 2006, 2007, 2008 Daniel Otte (daniel.otte@rub.de) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - - - -#include -#include "hexdigit_tab.h" - -char hexdigit_tab_P[] PROGMEM = - {'0','1','2','3', - '4','5','6','7', - '8','9','A','B', - 'C','D','E','F'}; - -char hexdigit_tab_uc_P[] PROGMEM = - {'0','1','2','3', - '4','5','6','7', - '8','9','A','B', - 'C','D','E','F'}; - - -char hexdigit_tab_lc_P[] PROGMEM = - {'0','1','2','3', - '4','5','6','7', - '8','9','a','b', - 'c','d','e','f'}; - - - - - diff --git a/test_src/main-aes-test.c b/test_src/main-aes-test.c index 8d2aba6..765411b 100644 --- a/test_src/main-aes-test.c +++ b/test_src/main-aes-test.c @@ -26,14 +26,14 @@ #include "uart_i.h" #include "debug.h" -#include "aes.h" -#include "aes128_enc.h" -#include "aes128_dec.h" -#include "aes192_enc.h" -#include "aes192_dec.h" -#include "aes256_enc.h" -#include "aes256_dec.h" -#include "aes_keyschedule.h" +#include "aes/aes.h" +#include "aes/aes128_enc.h" +#include "aes/aes128_dec.h" +#include "aes/aes192_enc.h" +#include "aes/aes192_dec.h" +#include "aes/aes256_enc.h" +#include "aes/aes256_dec.h" +#include "aes/aes_keyschedule.h" #include "nessie_bc_test.h" #include "cli.h" diff --git a/test_src/main-aes128-test.c b/test_src/main-aes128-test.c index e9b3ce4..98462a1 100644 --- a/test_src/main-aes128-test.c +++ b/test_src/main-aes128-test.c @@ -26,10 +26,10 @@ #include "uart_i.h" #include "debug.h" -#include "aes.h" -#include "aes128_enc.h" -#include "aes128_dec.h" -#include "aes_keyschedule.h" +#include "aes/aes.h" +#include "aes/aes128_enc.h" +#include "aes/aes128_dec.h" +#include "aes/aes_keyschedule.h" #include "nessie_bc_test.h" #include "cli.h" diff --git a/test_src/main-aes192-test.c b/test_src/main-aes192-test.c index 577d057..c37dc7e 100644 --- a/test_src/main-aes192-test.c +++ b/test_src/main-aes192-test.c @@ -26,10 +26,10 @@ #include "uart_i.h" #include "debug.h" -#include "aes.h" -#include "aes192_enc.h" -#include "aes192_dec.h" -#include "aes_keyschedule.h" +#include "aes/aes.h" +#include "aes/aes192_enc.h" +#include "aes/aes192_dec.h" +#include "aes/aes_keyschedule.h" #include "nessie_bc_test.h" #include "cli.h" diff --git a/test_src/main-aes256-test.c b/test_src/main-aes256-test.c index 6b9f0b5..15d7f83 100644 --- a/test_src/main-aes256-test.c +++ b/test_src/main-aes256-test.c @@ -26,10 +26,10 @@ #include "uart_i.h" #include "debug.h" -#include "aes.h" -#include "aes256_enc.h" -#include "aes256_dec.h" -#include "aes_keyschedule.h" +#include "aes/aes.h" +#include "aes/aes256_enc.h" +#include "aes/aes256_dec.h" +#include "aes/aes_keyschedule.h" #include "nessie_bc_test.h" #include "cli.h" diff --git a/threefish.h b/threefish.h deleted file mode 100644 index 3b4cc99..0000000 --- a/threefish.h +++ /dev/null @@ -1,90 +0,0 @@ -/* threefish.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \file threefish.h - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * \brief Implementation of the Threefish block cipher - * \ingroup Threefish - */ - -#ifndef THREEFISH_H_ -#define THREEFISH_H_ - -#include - -#define THREEFISH256_BLOCKSIZE 256 -#define THREEFISH256_BLOCKSIZE_B ((THREEFISH256_BLOCKSIZE+7)/8) -#define THREEFISH512_BLOCKSIZE 512 -#define THREEFISH512_BLOCKSIZE_B ((THREEFISH512_BLOCKSIZE+7)/8) -#define THREEFISH1024_BLOCKSIZE 1024 -#define THREEFISH1024_BLOCKSIZE_B ((THREEFISH1024_BLOCKSIZE+7)/8) - -/** \typedef threefish256_ctx_t - * \brief holds key data for Threefish-256 - * - * A variable of this type may hold the key data for Threefish-256 encryption - * or decryption.. - */ -typedef struct{ - uint64_t k[5]; - uint64_t t[3]; -} threefish256_ctx_t; - -/** \typedef threefish512_ctx_t - * \brief holds key data for Threefish-512 - * - * A variable of this type may hold the key data for Threefish-512 encryption - * or decryption.. - */ -typedef struct{ - uint64_t k[9]; - uint64_t t[3]; -} threefish512_ctx_t; - -/** \typedef threefish1024_ctx_t - * \brief holds key data for Threefish-1024 - * - * A variable of this type may hold the key data for Threefish-1024 encryption - * or decryption.. - */ -typedef struct{ - uint64_t k[17]; - uint64_t t[3]; -} threefish1024_ctx_t; - - -void threefish_mix(void* data, uint8_t rot); -void threefish_invmix(void* data, uint8_t rot); - -void threefish256_init(const void* key, const void* tweak, threefish256_ctx_t* ctx); -void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx); -void threefish1024_init(const void* key, const void* tweak, threefish1024_ctx_t* ctx); - -void threefish256_enc(void* data, const threefish256_ctx_t* ctx); -void threefish512_enc(void* data, const threefish512_ctx_t* ctx); -void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx); - -void threefish256_dec(void* data, const threefish256_ctx_t* ctx); -void threefish512_dec(void* data, const threefish512_ctx_t* ctx); -void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx); - -#endif /* THREEFISH_H_ */ diff --git a/threefish1024_dec.c b/threefish1024_dec.c deleted file mode 100644 index edb46d4..0000000 --- a/threefish1024_dec.c +++ /dev/null @@ -1,96 +0,0 @@ -/* threefish1024_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - -#define X(a) (((uint64_t*)data)[(a)]) - -static -void permute_inv16(void* data){ - uint64_t t; - t = X(15); - X(15) = X(7); - X(7) = X(9); - X(9) = X(1); - X(1) = t; - t = X(11); - X(11) = X(5); - X(5) = X(13); - X(13) = X(3); - X(3) = t; - t = X(4); - X(4) = X(6); - X(6) = t; - t = X(14); - X(14) = X(12); - X(12) = X(10); - X(10) = X(8); - X(8) = t; -} - -static -void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<13; ++i){ - X(i) -= ctx->k[(s+i)%17]; - } - X(13) -= ctx->k[(s+13)%17] + ctx->t[s%3]; - X(14) -= ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; - X(15) -= ctx->k[(s+15)%17] + s; -} - -void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx){ - uint8_t i=0,s=20; - uint8_t r0[8] = {47, 58, 17, 28, 34, 33, 25, 55}; - uint8_t r1[8] = {49, 7, 6, 7, 43, 8, 25, 43}; - uint8_t r2[8] = {27, 32, 18, 47, 25, 18, 46, 37}; - uint8_t r3[8] = {58, 45, 25, 48, 60, 57, 13, 40}; - uint8_t r4[8] = {37, 19, 43, 51, 44, 21, 14, 16}; - uint8_t r5[8] = {48, 18, 42, 9, 9, 12, 13, 22}; - uint8_t r6[8] = {53, 2, 40, 35, 59, 32, 52, 38}; - uint8_t r7[8] = {56, 56, 15, 41, 34, 54, 57, 12}; - do{ - if(i%4==0){ - add_key_16(data, ctx, s); - --s; - } - permute_inv16(data); - threefish_invmix((uint8_t*)data + 0, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - threefish_invmix((uint8_t*)data + 32, r2[i%8]); - threefish_invmix((uint8_t*)data + 48, r3[i%8]); - threefish_invmix((uint8_t*)data + 64, r4[i%8]); - threefish_invmix((uint8_t*)data + 80, r5[i%8]); - threefish_invmix((uint8_t*)data + 96, r6[i%8]); - threefish_invmix((uint8_t*)data +112, r7[i%8]); - ++i; - }while(i!=80); - add_key_16(data, ctx, s); -} diff --git a/threefish1024_dec_asm.S b/threefish1024_dec_asm.S deleted file mode 100644 index 5743829..0000000 --- a/threefish1024_dec_asm.S +++ /dev/null @@ -1,474 +0,0 @@ -/* threefish1024_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-24 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void permute_inv16(void* data){ - uint64_t t; - t = X(15); - X(15) = X(7); - X(7) = X(9); - X(9) = X(1); - X(1) = t; - t = X(11); - X(11) = X(5); - X(5) = X(13); - X(13) = X(3); - X(3) = t; - t = X(4); - X(4) = X(6); - X(6) = t; - t = X(14); - X(14) = X(12); - X(12) = X(10); - X(10) = X(8); - X(8) = t; -} -void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<13; ++i){ - X(i) -= ctx->k[(s+i)%17]; - } - X(13) -= ctx->k[(s+13)%17] + ctx->t[s%3]; - X(14) -= ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; - X(15) -= ctx->k[(s+15)%17] + s; -} -void threefish1024_dec(void* data, const threefish1024_ctx_t* ctx){ - uint8_t i=0,s=20; - uint8_t r0[8] = {0x69, 0x72, 0x21, 0x34, 0x42, 0x41, 0x31, 0x79}; - uint8_t r1[8] = {0x61, 0x19, 0x1a, 0x19, 0x53, 0x10, 0x31, 0x53}; - uint8_t r2[8] = {0x33, 0x40, 0x22, 0x69, 0x31, 0x22, 0x6a, 0x5b}; - uint8_t r3[8] = {0x72, 0x6b, 0x31, 0x60, 0x74, 0x71, 0x2b, 0x50}; - uint8_t r4[8] = {0x5b, 0x23, 0x53, 0x63, 0x54, 0x3b, 0x2a, 0x20}; - uint8_t r5[8] = {0x60, 0x22, 0x52, 0x11, 0x11, 0x14, 0x2b, 0x3a}; - uint8_t r6[8] = {0x7b, 0x02, 0x50, 0x43, 0x73, 0x40, 0x64, 0x5a}; - uint8_t r7[8] = {0x70, 0x70, 0x29, 0x51, 0x42, 0x7a, 0x71, 0x14}; - - do{ - if(i%4==0){ - add_key_16(data, ctx, s); - --s; - } - permute_inv16(data); - threefish_invmix((uint8_t*)data + 0, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - threefish_invmix((uint8_t*)data + 32, r2[i%8]); - threefish_invmix((uint8_t*)data + 48, r3[i%8]); - threefish_invmix((uint8_t*)data + 64, r4[i%8]); - threefish_invmix((uint8_t*)data + 80, r5[i%8]); - threefish_invmix((uint8_t*)data + 96, r6[i%8]); - threefish_invmix((uint8_t*)data +112, r7[i%8]); - ++i; - }while(i!=80); - add_key_16(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -IDX4 = 12 -IDX5 = 13 -IDX6 = 14 -IDX7 = 15 - -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish1024_dec -threefish1024_dec: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - ldi r26, 20 - mov S, r26 -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish1024_slut17) - ldi r31, hi8(threefish1024_slut17) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall sub_z_from_x8 - /* second half */ - ldi r30, lo8(threefish1024_slut17) - ldi r31, hi8(threefish1024_slut17) - add r30, S - adc r31, r1 - adiw r30, 8 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall sub_z_from_x8 - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish1024_slut3) - ldi r31, hi8(threefish1024_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 7*8 /* make Z pointing to (extended tweak) */ - adiw r30, 7*8 - adiw r30, 3*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - ld r0, X - sub r0, S - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - tst S - brne 3f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -3: - dec S -4: - /* now the permutation */ - movw r26, DATA0 /* X1 <-> X15 */ - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8+4 - adiw r30, 7*8+4 - rcall xchg_zx8 - movw r26, DATA0 /* X15 <-> X7 */ - adiw r26, 7*8+4 - adiw r26, 7*8+4 - movw r30, DATA0 - adiw r30, 7*8 - rcall xchg_zx8 - movw r26, DATA0 /* X9 <-> X7 */ - adiw r26, 7*8 - adiw r26, 2*8 - movw r30, DATA0 - adiw r30, 7*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X3 <-> X11 */ - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 4*8 - rcall xchg_zx8 - movw r26, DATA0 /* X11 <-> X5 */ - adiw r26, 7*8 - adiw r26, 4*8 - movw r30, DATA0 - adiw r30, 5*8 - rcall xchg_zx8 - movw r26, DATA0 /* X13 <-> X5 */ - adiw r26, 7*8 - adiw r26, 6*8 - movw r30, DATA0 - adiw r30, 5*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X8 <-> X14 */ - adiw r26, 7*8 - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 7*8 - rcall xchg_zx8 - movw r26, DATA0 /* X14 <-> X12 */ - adiw r26, 7*8 - adiw r26, 7*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 5*8 - rcall xchg_zx8 - movw r26, DATA0 /* X10 <-> X12 */ - adiw r26, 7*8 - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 5*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X4 <-> X6 */ - adiw r26, 4*8 - movw r30, DATA0 - adiw r30, 6*8 - rcall xchg_zx8 - - /* call mix */ - ldi r30, lo8(threefish1024_rc0) - ldi r31, hi8(threefish1024_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - adiw r30, 8 - lpm IDX1, Z - adiw r30, 8 - lpm IDX2, Z - adiw r30, 8 - lpm IDX3, Z - adiw r30, 8 - lpm IDX4, Z - adiw r30, 8 - lpm IDX5, Z - adiw r30, 8 - lpm IDX6, Z - push IDX6 - push IDX5 - push IDX4 - push IDX3 - push IDX2 - - movw r24, DATA0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 32 - mov r22, IDX1 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 48 - pop r22 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 1 - pop r22 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 17 - pop r22 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 33 - pop r22 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 49 - pop r22 - call threefish_invmix_asm /* no rcall? */ - inc I -9: - rjmp 1b - -threefish1024_slut17: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 - .byte 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70, 0x78 - .byte 0x80, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 - .byte 0x38, 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70 - .byte 0x78, 0x80, 0x00, 0x08, 0x10 -threefish1024_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10 - .byte 0x00 - -threefish1024_rc0: .byte 0x69, 0x72, 0x21, 0x34, 0x42, 0x41, 0x31, 0x79 -threefish1024_rc1: .byte 0x61, 0x19, 0x1a, 0x19, 0x53, 0x10, 0x31, 0x53 -threefish1024_rc2: .byte 0x33, 0x40, 0x22, 0x69, 0x31, 0x22, 0x6a, 0x5b -threefish1024_rc3: .byte 0x72, 0x6b, 0x31, 0x60, 0x74, 0x71, 0x2b, 0x50 -threefish1024_rc4: .byte 0x5b, 0x23, 0x53, 0x63, 0x54, 0x3b, 0x2a, 0x20 -threefish1024_rc5: .byte 0x60, 0x22, 0x52, 0x11, 0x11, 0x14, 0x2b, 0x3a -threefish1024_rc6: .byte 0x7b, 0x02, 0x50, 0x43, 0x73, 0x40, 0x64, 0x5a -threefish1024_rc7: .byte 0x70, 0x70, 0x29, 0x51, 0x42, 0x7a, 0x71, 0x14 - -sub_z_from_x8: - ld r0, Z+ - ld r1, X - sub r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - clr r1 - ret - -T0 = IDX0 -T1 = 0 -CNT = 24 -xchg_zx8: - ldi CNT, 8 -1: ld T0, X - ld T1, Z - st X+, T1 - st Z+, T0 - dec CNT - brne 1b - ret - - - diff --git a/threefish1024_enc.c b/threefish1024_enc.c deleted file mode 100644 index 41a3590..0000000 --- a/threefish1024_enc.c +++ /dev/null @@ -1,117 +0,0 @@ -/* threefish1024_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - -#define X(a) (((uint64_t*)data)[(a)]) - -static -void permute_16(void* data){ - uint64_t t; - t = X(1); - X(1) = X(9); - X(9) = X(7); - X(7) = X(15); - X(15) = t; - t = X(3); - X(3) = X(13); - X(13) = X(5); - X(5) = X(11); - X(11) = t; - t = X(4); - X(4) = X(6); - X(6) = t; - t = X(8); - X(8) = X(10); - X(10) = X(12); - X(12) = X(14); - X(14) = t; -} - -#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -void threefish1024_init(const void* key, const void* tweak, threefish1024_ctx_t* ctx){ - memcpy(ctx->k, key, 16*8); - if(tweak){ - memcpy(ctx->t, tweak, 2*8); - ctx->t[2] = T(0) ^ T(1); - }else{ - memset(ctx, 0, 3*8); - } - uint8_t i; - ctx->k[16] = THREEFISH_KEY_CONST; - for(i=0; i<16; ++i){ - ctx->k[16] ^= K(i); - } -} - -static -void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<13; ++i){ - X(i) += ctx->k[(s+i)%17]; - } - X(13) += ctx->k[(s+13)%17] + ctx->t[s%3]; - X(14) += ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; - X(15) += ctx->k[(s+15)%17] + s; -} - -void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = {55, 25, 33, 34, 28, 17, 58, 47}; - uint8_t r1[8] = {43, 25, 8, 43, 7, 6, 7, 49}; - uint8_t r2[8] = {37, 46, 18, 25, 47, 18, 32, 27}; - uint8_t r3[8] = {40, 13, 57, 60, 48, 25, 45, 58}; - uint8_t r4[8] = {16, 14, 21, 44, 51, 43, 19, 37}; - uint8_t r5[8] = {22, 13, 12, 9, 9, 42, 18, 48}; - uint8_t r6[8] = {38, 52, 32, 59, 35, 40, 2, 53}; - uint8_t r7[8] = {12, 57, 54, 34, 41, 15, 56, 56}; - - do{ - if(i%4==0){ - add_key_16(data, ctx, s); - ++s; - } - threefish_mix((uint8_t*)data + 0, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - threefish_mix((uint8_t*)data + 32, r2[i%8]); - threefish_mix((uint8_t*)data + 48, r3[i%8]); - threefish_mix((uint8_t*)data + 64, r4[i%8]); - threefish_mix((uint8_t*)data + 80, r5[i%8]); - threefish_mix((uint8_t*)data + 96, r6[i%8]); - threefish_mix((uint8_t*)data +112, r7[i%8]); - permute_16(data); - ++i; - }while(i!=80); - add_key_16(data, ctx, s); -} diff --git a/threefish1024_enc_asm.S b/threefish1024_enc_asm.S deleted file mode 100644 index 38bf04c..0000000 --- a/threefish1024_enc_asm.S +++ /dev/null @@ -1,617 +0,0 @@ -/* threefish1024_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-24 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -A0 = 14 -A1 = 15 -A2 = 16 -A3 = 17 -A4 = 18 -A5 = 19 -A6 = 20 -A7 = 21 -/* -#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) -void threefish1024_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ - memcpy(ctx->k, key, 16*8); - memcpy(ctx->t, tweak, 2*8); - uint8_t i; - ctx->k[16] = THREEFISH_KEY_CONST; - for(i=0; i<8; ++i){ - ctx->k[16] ^= K(i); - } - ctx->t[2] = T(0) ^ T(1); -} -*/ -/* - * param key: r24:r25 - * param tweak: r22:r23 - * param ctx: r20:r21 - */ -.global threefish1024_init -threefish1024_init: - push_range 14, 17 - movw r30, r20 - movw r26, r24 - ldi r24, 16 - ldi A7, 0x55 - mov A6, A7 - movw A4, A6 - movw A2, A6 - movw A0, A6 -1: - ld r0, X+ - st Z+, r0 - eor A0, r0 - ld r0, X+ - st Z+, r0 - eor A1, r0 - ld r0, X+ - st Z+, r0 - eor A2, r0 - ld r0, X+ - st Z+, r0 - eor A3, r0 - ld r0, X+ - st Z+, r0 - eor A4, r0 - ld r0, X+ - st Z+, r0 - eor A5, r0 - ld r0, X+ - st Z+, r0 - eor A6, r0 - ld r0, X+ - st Z+, r0 - eor A7, r0 - dec r24 - brne 1b - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - /* now the tweak */ - movw r26, r22 - tst r27 - brne 3f - tst r26 - brne 3f - ldi r26, 3*8 -1: - st Z+, r1 - dec r26 - brne 1b - rjmp 9f -3: - ld A0, X+ - ld A1, X+ - ld A2, X+ - ld A3, X+ - ld A4, X+ - ld A5, X+ - ld A6, X+ - ld A7, X+ - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - ld r0, X+ - eor A0, r0 - st Z+, r0 - ld r0, X+ - eor A1, r0 - st Z+, r0 - ld r0, X+ - eor A2, r0 - st Z+, r0 - ld r0, X+ - eor A3, r0 - st Z+, r0 - ld r0, X+ - eor A4, r0 - st Z+, r0 - ld r0, X+ - eor A5, r0 - st Z+, r0 - ld r0, X+ - eor A6, r0 - st Z+, r0 - ld r0, X+ - eor A7, r0 - st Z+, r0 - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 -9: - pop_range 14, 17 - ret - -/******************************************************************************/ -/* -#define X(a) (((uint64_t*)data)[(a)]) -void permute_16(void* data){ - uint64_t t; - t = X(1); - X(1) = X(9); - X(9) = X(7); - X(7) = X(15); - X(15) = t; - t = X(3); - X(3) = X(13); - X(13) = X(5); - X(5) = X(11); - X(11) = t; - t = X(4); - X(4) = X(6); - X(6) = t; - t = X(8); - X(8) = X(10); - X(10) = X(12); - X(12) = X(14); - X(14) = t; -} -void add_key_16(void* data, const threefish1024_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<13; ++i){ - X(i) += ctx->k[(s+i)%17]; - } - X(13) += ctx->k[(s+13)%17] + ctx->t[s%3]; - X(14) += ctx->k[(s+14)%17] + ctx->t[(s+1)%3]; - X(15) += ctx->k[(s+15)%17] + s; -} -void threefish1024_enc(void* data, const threefish1024_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = {55, 25, 33, 34, 28, 17, 58, 47}; - uint8_t r1[8] = {43, 25, 8, 43, 7, 6, 7, 49}; - uint8_t r2[8] = {37, 46, 18, 25, 47, 18, 32, 27}; - uint8_t r3[8] = {40, 13, 57, 60, 48, 25, 45, 58}; - uint8_t r4[8] = {16, 14, 21, 44, 51, 43, 19, 37}; - uint8_t r5[8] = {22, 13, 12, 9, 9, 42, 18, 48}; - uint8_t r6[8] = {38, 52, 32, 59, 35, 40, 2, 53}; - uint8_t r7[8] = {12, 57, 54, 34, 41, 15, 56, 56}; - do{ - if(i%4==0){ - add_key_16(data, ctx, s); - ++s; - } - threefish_mix((uint8_t*)data + 0, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - threefish_mix((uint8_t*)data + 32, r2[i%8]); - threefish_mix((uint8_t*)data + 48, r3[i%8]); - threefish_mix((uint8_t*)data + 64, r4[i%8]); - threefish_mix((uint8_t*)data + 80, r5[i%8]); - threefish_mix((uint8_t*)data + 96, r6[i%8]); - threefish_mix((uint8_t*)data +112, r7[i%8]); - permute_16(data); - ++i; - }while(i!=80); - add_key_16(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -IDX4 = 12 -IDX5 = 13 -IDX6 = 14 -IDX7 = 15 - -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish1024_enc -threefish1024_enc: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - clr S -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish1024_slut17) - ldi r31, hi8(threefish1024_slut17) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall add_z_to_x8 - /* second half */ - ldi r30, lo8(threefish1024_slut17) - ldi r31, hi8(threefish1024_slut17) - add r30, S - adc r31, r1 - adiw r30, 8 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall add_z_to_x8 - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish1024_slut3) - ldi r31, hi8(threefish1024_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 7*8 /* make Z pointing to (extended tweak) */ - adiw r30, 7*8 - adiw r30, 3*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - ld r0, X - add r0, S - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - inc S - mov r26, S - cpi r26, 21 - brmi 4f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -4: - /* call mix */ - ldi r30, lo8(threefish1024_rc0) - ldi r31, hi8(threefish1024_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - adiw r30, 8 - lpm IDX1, Z - adiw r30, 8 - lpm IDX2, Z - adiw r30, 8 - lpm IDX3, Z - adiw r30, 8 - lpm IDX4, Z - adiw r30, 8 - lpm IDX5, Z - adiw r30, 8 - lpm IDX6, Z - push IDX6 - push IDX5 - push IDX4 - push IDX3 - push IDX2 - - movw r24, DATA0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 32 - mov r22, IDX1 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 48 - pop r22 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 1 - pop r22 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 17 - pop r22 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 33 - pop r22 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 63 - adiw r24, 49 - pop r22 - call threefish_mix_asm /* no rcall? */ - /* now the permutation */ - movw r26, DATA0 /* X1 <-> X15 */ - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8+4 - adiw r30, 7*8+4 - rcall xchg_zx8 - movw r26, DATA0 /* X1 <-> X9 */ - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 2*8 - rcall xchg_zx8 - movw r26, DATA0 /* X9 <-> X7 */ - adiw r26, 7*8 - adiw r26, 2*8 - movw r30, DATA0 - adiw r30, 7*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X3 <-> X11 */ - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 4*8 - rcall xchg_zx8 - movw r26, DATA0 /* X3 <-> X13 */ - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 6*8 - rcall xchg_zx8 - movw r26, DATA0 /* X13 <-> X5 */ - adiw r26, 7*8 - adiw r26, 6*8 - movw r30, DATA0 - adiw r30, 5*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X8 <-> X14 */ - adiw r26, 7*8 - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 7*8 - rcall xchg_zx8 - movw r26, DATA0 /* X8 <-> X10 */ - adiw r26, 7*8 - adiw r26, 1*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 3*8 - rcall xchg_zx8 - movw r26, DATA0 /* X10 <-> X12 */ - adiw r26, 7*8 - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - adiw r30, 5*8 - rcall xchg_zx8 - /* --- */ - movw r26, DATA0 /* X4 <-> X6 */ - adiw r26, 4*8 - movw r30, DATA0 - adiw r30, 6*8 - rcall xchg_zx8 - - inc I -; mov r26, I -; cpi r26, 5 -; brne 9f -; rjmp exit -9: - rjmp 1b - -threefish1024_slut17: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 - .byte 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70, 0x78 - .byte 0x80, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 - .byte 0x38, 0x40, 0x48, 0x50, 0x58, 0x60, 0x68, 0x70 - .byte 0x78, 0x80, 0x00, 0x08, 0x10 -threefish1024_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10 - .byte 0x00 -threefish1024_rc0: .byte 0x79, 0x31, 0x41, 0x42, 0x34, 0x21, 0x72, 0x69 -threefish1024_rc1: .byte 0x53, 0x31, 0x10, 0x53, 0x19, 0x1a, 0x19, 0x61 -threefish1024_rc2: .byte 0x5b, 0x6a, 0x22, 0x31, 0x69, 0x22, 0x40, 0x33 -threefish1024_rc3: .byte 0x50, 0x2b, 0x71, 0x74, 0x60, 0x31, 0x6b, 0x72 -threefish1024_rc4: .byte 0x20, 0x2a, 0x3b, 0x54, 0x63, 0x53, 0x23, 0x5b -threefish1024_rc5: .byte 0x3a, 0x2b, 0x14, 0x11, 0x11, 0x52, 0x22, 0x60 -threefish1024_rc6: .byte 0x5a, 0x64, 0x40, 0x73, 0x43, 0x50, 0x02, 0x7b -threefish1024_rc7: .byte 0x14, 0x71, 0x7a, 0x42, 0x51, 0x29, 0x70, 0x70 - -add_z_to_x8: - ld r0, Z+ - ld r1, X - add r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - clr r1 - ret - -T0 = IDX0 -T1 = 0 -CNT = 24 -xchg_zx8: - ldi CNT, 8 -1: ld T0, X - ld T1, Z - st X+, T1 - st Z+, T0 - dec CNT - brne 1b - ret - - - diff --git a/threefish256_dec.c b/threefish256_dec.c deleted file mode 100644 index d23eb93..0000000 --- a/threefish256_dec.c +++ /dev/null @@ -1,69 +0,0 @@ -/* threefish256_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - -#define X(a) (((uint64_t*)data)[(a)]) -static -void permute_4(void* data){ - uint64_t t; - t = X(1); - X(1) = X(3); - X(3) = t; -} - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -static -void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ - X(0) -= ctx->k[(s+0)%5]; - X(1) -= ctx->k[(s+1)%5] + ctx->t[s%3]; - X(2) -= ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; - X(3) -= ctx->k[(s+3)%5] + s; -} - -void threefish256_dec(void* data, const threefish256_ctx_t* ctx){ - uint8_t i=0,s=18; - uint8_t r0[8] = {59, 11, 53, 26, 58, 13, 36, 5}; - uint8_t r1[8] = {50, 42, 35, 20, 44, 46, 28, 56}; - do{ - if(i%4==0){ - add_key_4(data, ctx, s); - --s; - } - permute_4(data); - threefish_invmix(data, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - ++i; - }while(i!=72); - add_key_4(data, ctx, s); -} - diff --git a/threefish256_dec_asm.S b/threefish256_dec_asm.S deleted file mode 100644 index d2316c6..0000000 --- a/threefish256_dec_asm.S +++ /dev/null @@ -1,279 +0,0 @@ -/* threefish256_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void permute_4(void* data){ - uint64_t t; - t = X(1); - X(1) = X(3); - X(3) = t; -} -void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ - X(0) -= ctx->k[(s+0)%5]; - X(1) -= ctx->k[(s+1)%5] + ctx->t[s%3]; - X(2) -= ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; - X(3) -= ctx->k[(s+3)%5] + s; -} -void threefish256_dec(void* data, const threefish256_ctx_t* ctx){ - uint8_t i=0,s=18; - uint8_t r0[8] = {0x73, 0x13, 0x7b, 0x32, 0x72, 0x2b, 0x44, 0x1b}; - uint8_t r1[8] = {0x62, 0x52, 0x43, 0x24, 0x54, 0x6a, 0x34, 0x70}; - do{ - if(i%4==0){ - add_key_4(data, ctx, s); - --s; - } - permute_4(data); - threefish_invmix(data, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - ++i; - }while(i!=72); - add_key_4(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish256_dec -threefish256_dec: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - ldi r26, 18 - mov S, r26 -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish256_slut5) - ldi r31, hi8(threefish256_slut5) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall sub_z_from_x8 - - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish256_slut3) - ldi r31, hi8(threefish256_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 5*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - ld r0, X - sub r0, S - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - tst S - brne 3f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -3: - dec S -4: - /* now the permutation */ - movw r26, DATA0 - adiw r26, 8 - movw r30, r26 - adiw r30, 16 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - /* call mix */ - ldi r30, lo8(threefish256_rc0) - ldi r31, hi8(threefish256_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - movw r24, DATA0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_invmix_asm /* no rcall? */ - inc I - rjmp 1b - -threefish256_slut5: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 - .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 - .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 -threefish256_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - -threefish256_rc0: .byte 0x73, 0x13, 0x7b, 0x32, 0x72, 0x2b, 0x44, 0x1b -threefish256_rc1: .byte 0x62, 0x52, 0x43, 0x24, 0x54, 0x6a, 0x34, 0x70 - -sub_z_from_x8: - ld r0, Z+ - ld r1, X - sub r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - clr r1 - ret - - - - - - - - - - diff --git a/threefish256_enc.c b/threefish256_enc.c deleted file mode 100644 index 8bfbf9d..0000000 --- a/threefish256_enc.c +++ /dev/null @@ -1,86 +0,0 @@ -/* threefish256_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - -#define X(a) (((uint64_t*)data)[(a)]) -static -void permute_4(void* data){ - uint64_t t; - t = X(1); - X(1) = X(3); - X(3) = t; -} - -#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -void threefish256_init(const void* key, const void* tweak, threefish256_ctx_t* ctx){ - memcpy(ctx->k, key, 4*8); - if(tweak){ - memcpy(ctx->t, tweak, 2*8); - ctx->t[2] = T(0) ^ T(1); - }else{ - memset(ctx->t, 0, 3*8); - } - uint8_t i; - ctx->k[4] = THREEFISH_KEY_CONST; - for(i=0; i<4; ++i){ - ctx->k[4] ^= K(i); - } -} - -static -void add_key_4(void* data, const threefish256_ctx_t* ctx, uint8_t s){ - X(0) += ctx->k[(s+0)%5]; - X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; - X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; - X(3) += ctx->k[(s+3)%5] + s; -} - -void threefish256_enc(void* data, const threefish256_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; - uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; - do{ - if(i%4==0){ - add_key_4(data, ctx, s); - ++s; - } - threefish_mix(data, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - permute_4(data); - ++i; - }while(i!=72); - add_key_4(data, ctx, s); -} - diff --git a/threefish256_enc_asm.S b/threefish256_enc_asm.S deleted file mode 100644 index f18e7f4..0000000 --- a/threefish256_enc_asm.S +++ /dev/null @@ -1,423 +0,0 @@ -/* threefish256_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -A0 = 14 -A1 = 15 -A2 = 16 -A3 = 17 -A4 = 18 -A5 = 19 -A6 = 20 -A7 = 21 -/* -#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -void threefish256_init(void* key, void* tweak, threefish256_ctx_t* ctx){ - memcpy(ctx->k, key, 4*8); - memcpy(ctx->t, tweak, 2*8); - uint8_t i; - ctx->k[4] = THREEFISH_KEY_CONST; - for(i=0; i<4; ++i){ - ctx->k[4] ^= K(i); - } - ctx->t[2] = T(0) ^ T(1); -} -*/ -/* - * param key: r24:r25 - * param tweak: r22:r23 - * param ctx: r20:r21 - */ -.global threefish256_init -threefish256_init: - push_range 14, 17 - movw r30, r20 - movw r26, r24 - ldi r24, 4 - ldi A7, 0x55 - mov A6, A7 - movw A4, A6 - movw A2, A6 - movw A0, A6 -1: - ld r0, X+ - st Z+, r0 - eor A0, r0 - ld r0, X+ - st Z+, r0 - eor A1, r0 - ld r0, X+ - st Z+, r0 - eor A2, r0 - ld r0, X+ - st Z+, r0 - eor A3, r0 - ld r0, X+ - st Z+, r0 - eor A4, r0 - ld r0, X+ - st Z+, r0 - eor A5, r0 - ld r0, X+ - st Z+, r0 - eor A6, r0 - ld r0, X+ - st Z+, r0 - eor A7, r0 - dec r24 - brne 1b - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - /* now the tweak */ - tst r23 - brne 3f - tst r22 - brne 3f - ldi r26, 3*8 -2: - st Z+, r1 - dec r26 - brne 2b - rjmp 9f -3: - movw r26, r22 - ld A0, X+ - ld A1, X+ - ld A2, X+ - ld A3, X+ - ld A4, X+ - ld A5, X+ - ld A6, X+ - ld A7, X+ - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - ld r0, X+ - eor A0, r0 - st Z+, r0 - ld r0, X+ - eor A1, r0 - st Z+, r0 - ld r0, X+ - eor A2, r0 - st Z+, r0 - ld r0, X+ - eor A3, r0 - st Z+, r0 - ld r0, X+ - eor A4, r0 - st Z+, r0 - ld r0, X+ - eor A5, r0 - st Z+, r0 - ld r0, X+ - eor A6, r0 - st Z+, r0 - ld r0, X+ - eor A7, r0 - st Z+, r0 - - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 -9: - pop_range 14, 17 - ret - -/******************************************************************************/ -/* -#define X(a) (((uint64_t*)data)[(a)]) -void permute_4(void* data){ - uint64_t t; - t = X(1); - X(1) = X(3); - X(3) = t; -} -void add_key_4(void* data, threefish256_ctx_t* ctx, uint8_t s){ /* s: 0..19 * / - X(0) += ctx->k[(s+0)%5]; - X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; - X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; - X(3) += ctx->k[(s+3)%5] + s; -} -void threefish256_enc(void* data, threefish256_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; - uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; - do{ - if(i%4==0){ - add_key_4(data, ctx, s); - ++s; - } - threefish_mix(data, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - permute_4(data); - ++i; - }while(i!=72); - add_key_4(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish256_enc -threefish256_enc: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - clr S -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish256_slut5) - ldi r31, hi8(threefish256_slut5) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall add_z_to_x8 - - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish256_slut3) - ldi r31, hi8(threefish256_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 5*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - ld r0, X - add r0, S - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - inc S - mov r26, S - cpi r26, 19 - brmi 4f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -4: - /* call mix */ - ldi r30, lo8(threefish256_rc0) - ldi r31, hi8(threefish256_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - movw r24, DATA0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_mix_asm /* no rcall? */ - /* now the permutation */ - movw r26, DATA0 - adiw r26, 8 - movw r30, r26 - adiw r30, 16 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - inc I - rjmp 1b - -threefish256_slut5: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 - .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 - .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 -threefish256_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 -;threefish256_rc0: .byte 5, 36, 13, 58, 26, 53, 11, 59 -;threefish256_rc1: .byte 56, 28, 46, 44, 20, 35, 42, 50 -threefish256_rc0: .byte 0x1b, 0x44, 0x2b, 0x72, 0x32, 0x7b, 0x13, 0x73 -threefish256_rc1: .byte 0x70, 0x34, 0x6a, 0x54, 0x24, 0x43, 0x52, 0x62 - -add_z_to_x8: - ld r0, Z+ - ld r1, X - add r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - clr r1 - ret - - - - - - - - - - diff --git a/threefish256_enc_small.S b/threefish256_enc_small.S deleted file mode 100644 index da08359..0000000 --- a/threefish256_enc_small.S +++ /dev/null @@ -1,362 +0,0 @@ -/* threefish_mix.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -A0 = 14 -A1 = 15 -A2 = 16 -A3 = 17 -A4 = 18 -A5 = 19 -A6 = 20 -A7 = 21 -/* -#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -void threefish256_init(void* key, void* tweak, threefish256_ctx_t* ctx){ - memcpy(ctx->k, key, 4*8); - memcpy(ctx->t, tweak, 2*8); - uint8_t i; - ctx->k[4] = THREEFISH_KEY_CONST; - for(i=0; i<4; ++i){ - ctx->k[4] ^= K(i); - } - ctx->t[2] = T(0) ^ T(1); -} -*/ -/* - * param key: r24:r25 - * param tweak: r22:r23 - * param ctx: r20:r21 - */ -.global threefish256_init -threefish256_init: - push_range 14, 17 - movw r30, r20 - movw r26, r24 - ldi r24, 4 - ldi A7, 0x55 - mov A6, A7 - movw A4, A6 - movw A2, A6 - movw A0, A6 -1: - ld r0, X+ - st Z+, r0 - eor A0, r0 - ld r0, X+ - st Z+, r0 - eor A1, r0 - ld r0, X+ - st Z+, r0 - eor A2, r0 - ld r0, X+ - st Z+, r0 - eor A3, r0 - ld r0, X+ - st Z+, r0 - eor A4, r0 - ld r0, X+ - st Z+, r0 - eor A5, r0 - ld r0, X+ - st Z+, r0 - eor A6, r0 - ld r0, X+ - st Z+, r0 - eor A7, r0 - dec r24 - brne 1b - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - /* now the tweak */ - movw r26, r22 - tst r27 - brne 3f - tst r26 - brne 3f - ldi r26, 3*8 -1: - st Z+, r1 - dec r26 - brne 1b - rjmp 9f -3: - ld A0, X+ - ld A1, X+ - ld A2, X+ - ld A3, X+ - ld A4, X+ - ld A5, X+ - ld A6, X+ - ld A7, X+ - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - ld r0, X+ - eor A0, r0 - st Z+, r0 - ld r0, X+ - eor A1, r0 - st Z+, r0 - ld r0, X+ - eor A2, r0 - st Z+, r0 - ld r0, X+ - eor A3, r0 - st Z+, r0 - ld r0, X+ - eor A4, r0 - st Z+, r0 - ld r0, X+ - eor A5, r0 - st Z+, r0 - ld r0, X+ - eor A6, r0 - st Z+, r0 - ld r0, X+ - eor A7, r0 - st Z+, r0 - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 -9: - pop_range 14, 17 - ret - -/******************************************************************************/ -/* -#define X(a) (((uint64_t*)data)[(a)]) -void permute_4(void* data){ - uint64_t t; - t = X(1); - X(1) = X(3); - X(3) = t; -} -void add_key_4(void* data, threefish256_ctx_t* ctx, uint8_t s){ /* s: 0..19 * / - X(0) += ctx->k[(s+0)%5]; - X(1) += ctx->k[(s+1)%5] + ctx->t[s%3]; - X(2) += ctx->k[(s+2)%5] + ctx->t[(s+1)%3]; - X(3) += ctx->k[(s+3)%5] + s; -} -void threefish256_enc(void* data, threefish256_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = { 5, 36, 13, 58, 26, 53, 11, 59}; - uint8_t r1[8] = {56, 28, 46, 44, 20, 35, 42, 50}; - do{ - if(i%4==0){ - add_key_4(data, ctx, s); - ++s; - } - threefish_mix(data, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - permute_4(data); - ++i; - }while(i!=72); - add_key_4(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish256_enc -threefish256_enc: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - clr S -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish256_slut5) - ldi r31, hi8(threefish256_slut5) - mov r26, S - add r30, r26 - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall add_z_to_x8 - - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish256_slut3) - ldi r31, hi8(threefish256_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 5*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - ld r0, X - add r0, S - st X+, r0 - ldi r16, 7 -3: - ld r0, X - adc r0, r1 - st X+, r0 - dec r16 - brne 3b - inc S - mov r26, S - cpi r26, 19 - brmi 4f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -4: - /* call mix */ - ldi r30, lo8(threefish256_rc0) - ldi r31, hi8(threefish256_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - movw r24, DATA0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_mix_asm /* no rcall? */ - /* now the permutation */ - movw r26, DATA0 - adiw r26, 8 - movw r30, r26 - adiw r30, 16 - ldi r16, 8 -3: ld IDX0, X - ld IDX1, Z - st X+, IDX1 - st Z+, IDX0 - dec r16 - brne 3b - inc I - rjmp 1b - -threefish256_slut5: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 - .byte 0x18, 0x20, 0x00, 0x08, 0x10, 0x18, 0x20, 0x00 - .byte 0x08, 0x10, 0x18, 0x20, 0x00, 0x08, 0x10 -threefish256_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 -threefish256_rc0: .byte 0x1b, 0x44, 0x2b, 0x72, 0x32, 0x7b, 0x13, 0x73 -threefish256_rc1: .byte 0x70, 0x34, 0x6a, 0x54, 0x24, 0x43, 0x52, 0x62 - -add_z_to_x8: - ld r0, Z+ - ld r1, X - add r1, r0 - st X+, r1 - ldi r16, 7 -1: - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - dec r16 - brne 1b - clr r1 - ret - - - - - - - - - - diff --git a/threefish512_dec.c b/threefish512_dec.c deleted file mode 100644 index c535d33..0000000 --- a/threefish512_dec.c +++ /dev/null @@ -1,81 +0,0 @@ -/* threefish512_dec.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-22 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - - -#define X(a) (((uint64_t*)data)[(a)]) - - -static -void permute_inv8(void* data){ - uint64_t t; - t = X(6); - X(6) = X(4); - X(4) = X(2); - X(2) = X(0); - X(0) = t; - t = X(7); - X(7) = X(3); - X(3) = t; -} - -static -void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<5; ++i){ - X(i) -= ctx->k[(s+i)%9]; - } - X(5) -= ctx->k[(s+5)%9] + ctx->t[s%3]; - X(6) -= ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; - X(7) -= ctx->k[(s+7)%9] + s; -} - -void threefish512_dec(void* data, const threefish512_ctx_t* ctx){ - uint8_t i=0,s=18; - uint8_t r0[8] = {33, 29, 39, 33, 26, 34, 48, 38}; - uint8_t r1[8] = {51, 26, 27, 49, 12, 14, 20, 30}; - uint8_t r2[8] = {39, 11, 41, 8, 58, 15, 43, 50}; - uint8_t r3[8] = {35, 9, 14, 42, 7, 27, 31, 53}; - do{ - if(i%4==0){ - add_key_8(data, ctx, s); - --s; - } - permute_inv8(data); - threefish_invmix((uint8_t*)data + 0, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - threefish_invmix((uint8_t*)data + 32, r2[i%8]); - threefish_invmix((uint8_t*)data + 48, r3[i%8]); - ++i; - }while(i!=72); - add_key_8(data, ctx, s); -} - diff --git a/threefish512_dec_asm.S b/threefish512_dec_asm.S deleted file mode 100644 index 5ac9c0d..0000000 --- a/threefish512_dec_asm.S +++ /dev/null @@ -1,330 +0,0 @@ -/* threefish512_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-24 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -#define X(a) (((uint64_t*)data)[(a)]) - - -static -void permute_inv8(void* data){ - uint64_t t; - t = X(6); - X(6) = X(4); - X(4) = X(2); - X(2) = X(0); - X(0) = t; - t = X(7); - X(7) = X(3); - X(3) = t; -} - -static -void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<5; ++i){ - X(i) -= ctx->k[(s+i)%9]; - } - X(5) -= ctx->k[(s+5)%9] + ctx->t[s%3]; - X(6) -= ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; - X(7) -= ctx->k[(s+7)%9] + s; -} - -void threefish512_dec(void* data, const threefish512_ctx_t* ctx){ - uint8_t i=0,s=18; - uint8_t r0[8] = {0x41, 0x4b, 0x59, 0x41, 0x32, 0x42, 0x60, 0x5a}; - uint8_t r1[8] = {0x63, 0x32, 0x33, 0x61, 0x14, 0x2a, 0x24, 0x4a}; - uint8_t r2[8] = {0x59, 0x13, 0x51, 0x10, 0x72, 0x29, 0x53, 0x62}; - uint8_t r3[8] = {0x43, 0x11, 0x2a, 0x52, 0x19, 0x33, 0x49, 0x7b}; - do{ - if(i%4==0){ - add_key_8(data, ctx, s); - --s; - } - permute_inv8(data); - threefish_invmix((uint8_t*)data + 0, r0[i%8]); - threefish_invmix((uint8_t*)data + 16, r1[i%8]); - threefish_invmix((uint8_t*)data + 32, r2[i%8]); - threefish_invmix((uint8_t*)data + 48, r3[i%8]); - ++i; - }while(i!=72); - add_key_8(data, ctx, s); -} -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -IDX4 = 12 -IDX5 = 13 -IDX6 = 14 -IDX7 = 15 -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish512_dec -threefish512_dec: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - ldi r26, 18 - mov S, r26 -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish512_slut9) - ldi r31, hi8(threefish512_slut9) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall sub_z_from_x8 - - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish512_slut3) - ldi r31, hi8(threefish512_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 7*8 /* make Z pointing to (extended tweak) */ - adiw r30, 2*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall sub_z_from_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall sub_z_from_x8 - ld r0, X - sub r0, S - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - tst S - brne 3f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -3: - dec S -4: - /* now the permutation */ - movw r26, DATA0 - movw r30, DATA0 - adiw r30, 6*8 - rcall xchg_zx8 - movw r26, DATA0 - adiw r26, 6*8 - movw r30, DATA0 - adiw r30, 4*8 - rcall xchg_zx8 - movw r26, DATA0 - adiw r26, 2*8 - movw r30, DATA0 - adiw r30, 4*8 - rcall xchg_zx8 - movw r26, DATA0 - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - rcall xchg_zx8 - /* call mix */ - ldi r30, lo8(threefish512_rc0) - ldi r31, hi8(threefish512_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - adiw r30, 8 - lpm IDX1, Z - push IDX1 - adiw r30, 8 - lpm IDX1, Z - - movw r24, DATA0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 32 - pop r22 - ;mov r22, IDX0 - call threefish_invmix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 48 - mov r22, IDX1 - call threefish_invmix_asm /* no rcall? */ - inc I - rjmp 1b - -threefish512_slut9: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 - .byte 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 - .byte 0x38, 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28 - .byte 0x30, 0x38, 0x40 -threefish512_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - -threefish512_rc0: .byte 0x41, 0x4b, 0x59, 0x41, 0x32, 0x42, 0x60, 0x5a -threefish512_rc1: .byte 0x63, 0x32, 0x33, 0x61, 0x14, 0x2a, 0x24, 0x4a -threefish512_rc2: .byte 0x59, 0x13, 0x51, 0x10, 0x72, 0x29, 0x53, 0x62 -threefish512_rc3: .byte 0x43, 0x11, 0x2a, 0x52, 0x19, 0x33, 0x49, 0x7b - -sub_z_from_x8: - ld r0, Z+ - ld r1, X - sub r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - sbc r1, r0 - st X+, r1 - clr r1 - ret - -T0 = IDX0 -T1 = 0 -CNT = 24 -xchg_zx8: - ldi CNT, 8 -1: ld T0, X - ld T1, Z - st X+, T1 - st Z+, T0 - dec CNT - brne 1b - ret - - - diff --git a/threefish512_enc.c b/threefish512_enc.c deleted file mode 100644 index 620276f..0000000 --- a/threefish512_enc.c +++ /dev/null @@ -1,115 +0,0 @@ -/* threefish512_enc.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - * - * - */ - -#include -#include -#include "threefish.h" - - -#define X(a) (((uint64_t*)data)[(a)]) - - -static -void permute_8(void* data){ - uint64_t t; - t = X(0); - X(0) = X(2); - X(2) = X(4); - X(4) = X(6); - X(6) = t; - t = X(3); - X(3) = X(7); - X(7) = t; -} -/* -static -void permute_inv8(void* data){ - uint64_t t; - t = X(6); - X(6) = X(4); - X(4) = X(2); - X(2) = X(0); - X(0) = t; - t = X(7); - X(7) = X(3); - X(3) = t; -} -*/ - -#define THREEFISH_KEY_CONST 0x5555555555555555LL /* 2**64/3 */ - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) - -void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ - memcpy(ctx->k, key, 8*8); - if(tweak){ - memcpy(ctx->t, tweak, 2*8); - ctx->t[2] = T(0) ^ T(1); - }else{ - memset(ctx->t, 0, 3*8); - } - uint8_t i; - ctx->k[8] = THREEFISH_KEY_CONST; - for(i=0; i<8; ++i){ - ctx->k[8] ^= K(i); - } -} - -static -void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<5; ++i){ - X(i) += ctx->k[(s+i)%9]; - } - X(5) += ctx->k[(s+5)%9] + ctx->t[s%3]; - X(6) += ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; - X(7) += ctx->k[(s+7)%9] + s; -} - -void threefish512_enc(void* data, const threefish512_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = {38, 48, 34, 26, 33, 39, 29, 33}; - uint8_t r1[8] = {30, 20, 14, 12, 49, 27, 26, 51}; - uint8_t r2[8] = {50, 43, 15, 58, 8, 41, 11, 39}; - uint8_t r3[8] = {53, 31, 27, 7, 42, 14, 9, 35}; - do{ - if(i%4==0){ - add_key_8(data, ctx, s); - ++s; - } - threefish_mix((uint8_t*)data + 0, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - threefish_mix((uint8_t*)data + 32, r2[i%8]); - threefish_mix((uint8_t*)data + 48, r3[i%8]); - permute_8(data); - ++i; - }while(i!=72); - add_key_8(data, ctx, s); -} - diff --git a/threefish512_enc_asm.S b/threefish512_enc_asm.S deleted file mode 100644 index cc2967f..0000000 --- a/threefish512_enc_asm.S +++ /dev/null @@ -1,464 +0,0 @@ -/* threefish512_enc_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-24 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -A0 = 14 -A1 = 15 -A2 = 16 -A3 = 17 -A4 = 18 -A5 = 19 -A6 = 20 -A7 = 21 -/* -#define THREEFISH_KEY_CONST 0x5555.5555.5555.5555.LL / * 2**64/3 * / - -#define K(s) (((uint64_t*)key)[(s)]) -#define T(s) (((uint64_t*)tweak)[(s)]) -void threefish512_init(const void* key, const void* tweak, threefish512_ctx_t* ctx){ - memcpy(ctx->k, key, 8*8); - memcpy(ctx->t, tweak, 2*8); - uint8_t i; - ctx->k[8] = THREEFISH_KEY_CONST; - for(i=0; i<8; ++i){ - ctx->k[8] ^= K(i); - } - ctx->t[2] = T(0) ^ T(1); -} -*/ -/* - * param key: r24:r25 - * param tweak: r22:r23 - * param ctx: r20:r21 - */ -.global threefish512_init -threefish512_init: - push_range 14, 17 - movw r30, r20 - movw r26, r24 - ldi r24, 8 - ldi A7, 0x55 - mov A6, A7 - movw A4, A6 - movw A2, A6 - movw A0, A6 -1: - ld r0, X+ - st Z+, r0 - eor A0, r0 - ld r0, X+ - st Z+, r0 - eor A1, r0 - ld r0, X+ - st Z+, r0 - eor A2, r0 - ld r0, X+ - st Z+, r0 - eor A3, r0 - ld r0, X+ - st Z+, r0 - eor A4, r0 - ld r0, X+ - st Z+, r0 - eor A5, r0 - ld r0, X+ - st Z+, r0 - eor A6, r0 - ld r0, X+ - st Z+, r0 - eor A7, r0 - dec r24 - brne 1b - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - /* now the tweak */ - movw r26, r22 - tst r27 - brne 3f - tst r26 - brne 3f - ldi r26, 3*8 -1: - st Z+, r1 - dec r26 - brne 1b - rjmp 9f -3: - ld A0, X+ - ld A1, X+ - ld A2, X+ - ld A3, X+ - ld A4, X+ - ld A5, X+ - ld A6, X+ - ld A7, X+ - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 - ld r0, X+ - eor A0, r0 - st Z+, r0 - ld r0, X+ - eor A1, r0 - st Z+, r0 - ld r0, X+ - eor A2, r0 - st Z+, r0 - ld r0, X+ - eor A3, r0 - st Z+, r0 - ld r0, X+ - eor A4, r0 - st Z+, r0 - ld r0, X+ - eor A5, r0 - st Z+, r0 - ld r0, X+ - eor A6, r0 - st Z+, r0 - ld r0, X+ - eor A7, r0 - st Z+, r0 - st Z+, A0 - st Z+, A1 - st Z+, A2 - st Z+, A3 - st Z+, A4 - st Z+, A5 - st Z+, A6 - st Z+, A7 -9: - pop_range 14, 17 - ret - -/******************************************************************************/ -/* -#define X(a) (((uint64_t*)data)[(a)]) -void permute_8(void* data){ - uint64_t t; - t = X(0); - X(0) = X(2); - X(2) = X(4); - X(4) = X(6); - X(6) = t; - t = X(3); - X(3) = X(7); - X(7) = t; -} -void add_key_8(void* data, const threefish512_ctx_t* ctx, uint8_t s){ - uint8_t i; - for(i=0; i<5; ++i){ - X(i) += ctx->k[(s+i)%9]; - } - X(5) += ctx->k[(s+5)%9] + ctx->t[s%3]; - X(6) += ctx->k[(s+6)%9] + ctx->t[(s+1)%3]; - X(7) += ctx->k[(s+7)%9] + s; -} -void threefish512_enc(void* data, const threefish512_ctx_t* ctx){ - uint8_t i=0,s=0; - uint8_t r0[8] = {38, 48, 34, 26, 33, 39, 29, 33}; - uint8_t r1[8] = {30, 20, 14, 12, 49, 27, 26, 51}; - uint8_t r2[8] = {50, 43, 15, 58, 8, 41, 11, 39}; - uint8_t r3[8] = {53, 31, 27, 7, 42, 14, 9, 35}; - do{ - if(i%4==0){ - add_key_8(data, ctx, s); - ++s; - } - threefish_mix((uint8_t*)data + 0, r0[i%8]); - threefish_mix((uint8_t*)data + 16, r1[i%8]); - threefish_mix((uint8_t*)data + 32, r2[i%8]); - threefish_mix((uint8_t*)data + 48, r3[i%8]); - permute_8(data); - ++i; - }while(i!=72); - add_key_8(data, ctx, s); -} - -*/ -I = 2 -S = 3 -DATA0 = 4 -DATA1 = 5 -CTX0 = 6 -CTX1 = 7 -IDX0 = 8 -IDX1 = 9 -IDX2 = 10 -IDX3 = 11 -IDX4 = 12 -IDX5 = 13 -IDX6 = 14 -IDX7 = 15 -/* - * param data: r24:r25 - * param ctx: r22:r23 - */ -.global threefish512_enc -threefish512_enc: - push r28 - push r29 - push_range 2, 17 - movw DATA0, r24 - movw CTX0, r22 - clr I - clr S -1: - mov r30, I - andi r30, 0x03 - breq 2f - rjmp 4f -2: - ldi r30, lo8(threefish512_slut9) - ldi r31, hi8(threefish512_slut9) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z+ - lpm IDX2, Z+ - lpm IDX3, Z+ - lpm IDX4, Z+ - lpm IDX5, Z+ - lpm IDX6, Z+ - lpm IDX7, Z - movw r30, CTX0 - movw r26, DATA0 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX2 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX3 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX4 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX5 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX6 - adc r31, r1 - rcall add_z_to_x8 - movw r30, CTX0 - add r30, IDX7 - adc r31, r1 - rcall add_z_to_x8 - - /* now the remaining key */ - sbiw r26, 3*8 - ldi r30, lo8(threefish512_slut3) - ldi r31, hi8(threefish512_slut3) - add r30, S - adc r31, r1 - lpm IDX0, Z+ - lpm IDX1, Z - movw r30, CTX0 - adiw r30, 7*8 /* make Z pointing to (extended tweak) */ - adiw r30, 2*8 - movw IDX2, r30 - add r30, IDX0 - adc r31, r1 - rcall add_z_to_x8 - movw r30, IDX2 - add r30, IDX1 - adc r31, r1 - rcall add_z_to_x8 - ld r0, X - add r0, S - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - inc S - mov r26, S - cpi r26, 19 - brmi 4f -exit: - pop_range 2, 17 - pop r29 - pop r28 - ret -4: - /* call mix */ - ldi r30, lo8(threefish512_rc0) - ldi r31, hi8(threefish512_rc0) - mov r26, I - andi r26, 0x07 - add r30, r26 - adc r31, r1 - lpm r22, Z - adiw r30, 8 - lpm IDX0, Z - adiw r30, 8 - lpm IDX1, Z - push IDX1 - adiw r30, 8 - lpm IDX1, Z - - movw r24, DATA0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 16 - mov r22, IDX0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 32 - pop r22 - ;mov r22, IDX0 - call threefish_mix_asm /* no rcall? */ - movw r24, DATA0 - adiw r24, 48 - mov r22, IDX1 - call threefish_mix_asm /* no rcall? */ - /* now the permutation */ - movw r26, DATA0 - movw r30, DATA0 - adiw r30, 6*8 - rcall xchg_zx8 - movw r26, DATA0 - movw r30, DATA0 - adiw r30, 2*8 - rcall xchg_zx8 - movw r26, DATA0 - adiw r26, 2*8 - movw r30, DATA0 - adiw r30, 4*8 - rcall xchg_zx8 - movw r26, DATA0 - adiw r26, 3*8 - movw r30, DATA0 - adiw r30, 7*8 - rcall xchg_zx8 - inc I - rjmp 1b - -threefish512_slut9: - .byte 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30, 0x38 - .byte 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28, 0x30 - .byte 0x38, 0x40, 0x00, 0x08, 0x10, 0x18, 0x20, 0x28 - .byte 0x30, 0x38, 0x40 -threefish512_slut3: - .byte 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - .byte 0x10, 0x00, 0x08, 0x10, 0x00, 0x08, 0x10, 0x00 - .byte 0x08, 0x10, 0x00, 0x08, 0x10, 0x00, 0x08 - -threefish512_rc0: .byte 0x5a, 0x60, 0x42, 0x32, 0x41, 0x59, 0x4b, 0x41 -threefish512_rc1: .byte 0x4a, 0x24, 0x2a, 0x14, 0x61, 0x33, 0x32, 0x63 -threefish512_rc2: .byte 0x62, 0x53, 0x29, 0x72, 0x10, 0x51, 0x13, 0x59 -threefish512_rc3: .byte 0x7b, 0x49, 0x33, 0x19, 0x52, 0x2a, 0x11, 0x43 - -add_z_to_x8: - ld r0, Z+ - ld r1, X - add r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - ld r0, Z+ - ld r1, X - adc r1, r0 - st X+, r1 - clr r1 - ret - -T0 = IDX0 -T1 = 0 -CNT = 24 -xchg_zx8: - ldi CNT, 8 -1: ld T0, X - ld T1, Z - st X+, T1 - st Z+, T0 - dec CNT - brne 1b - ret - - - diff --git a/threefish_invmix.S b/threefish_invmix.S deleted file mode 100644 index 1e55cf2..0000000 --- a/threefish_invmix.S +++ /dev/null @@ -1,299 +0,0 @@ -/* threefish_invmix.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-21 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/* -#define X0 (((uint64_t*)data)[0]) -#define X1 (((uint64_t*)data)[1]) -void threefish_invmix(void* data, uint8_t rot){ - uint64_t x; - x = X1; - x ^= X0; - X1 = ((x>>rot)|(x<<(64-rot))); - X0 -= X1; -} -*/ -A0 = 10 -A1 = 11 -A2 = 12 -A3 = 13 -A4 = 14 -A5 = 15 -A6 = 16 -A7 = 17 - -B0 = 18 -B1 = 19 -B2 = 20 -B3 = 21 -B4 = 22 -B5 = 23 -B6 = 24 -B7 = 25 -vROT = 27 -/* - * param data: r24:r25 - * param rot: r22 - */ - -.global threefish_invmix_asm -threefish_invmix_asm: - movw r28, r24 - mov vROT,r22 - ldd A0, Y+ 0 - ldd A1, Y+ 1 - ldd A2, Y+ 2 - ldd A3, Y+ 3 - ldd A4, Y+ 4 - ldd A5, Y+ 5 - ldd A6, Y+ 6 - ldd A7, Y+ 7 - ldd B0, Y+ 8 - ldd B1, Y+ 9 - ldd B2, Y+10 - ldd B3, Y+11 - ldd B4, Y+12 - ldd B5, Y+13 - ldd B6, Y+14 - ldd B7, Y+15 - eor B0, A0 - eor B1, A1 - eor B2, A2 - eor B3, A3 - eor B4, A4 - eor B5, A5 - eor B6, A6 - eor B7, A7 - - mov r26, vROT - swap r26 - andi r26, 0x07 - ldi r30, pm_lo8(byte_rot_jmptable) - ldi r31, pm_hi8(byte_rot_jmptable) - add r30, r26 - adc r31, r1 - ijmp -post_byterot: - bst vROT, 3 - andi vROT, 0x07 - brts 1f - rjmp bit_rotr -1: rjmp bit_rotl -post_bitrot: - sub A0, B0 - sbc A1, B1 - sbc A2, B2 - sbc A3, B3 - sbc A4, B4 - sbc A5, B5 - sbc A6, B6 - sbc A7, B7 - - std Y+ 0, A0 - std Y+ 1, A1 - std Y+ 2, A2 - std Y+ 3, A3 - std Y+ 4, A4 - std Y+ 5, A5 - std Y+ 6, A6 - std Y+ 7, A7 - std Y+ 8, B0 - std Y+ 9, B1 - std Y+10, B2 - std Y+11, B3 - std Y+12, B4 - std Y+13, B5 - std Y+14, B6 - std Y+15, B7 -exit: - ret - -byte_rot_jmptable: - rjmp post_byterot;ret; rjmp byte_rotr_0 - rjmp byte_rotr_1 - rjmp byte_rotr_2 - rjmp byte_rotr_3 - rjmp byte_rotr_4 - rjmp byte_rotr_5 - rjmp byte_rotr_6 - rjmp byte_rotr_7 - rjmp post_byterot;ret; rjmp byte_rotr_0 - - - -; 0 1 2 3 4 5 6 7 -; 1 2 3 4 5 6 7 0 -;.global byte_rotr_1 -;.global byte_rotr_0 -byte_rotr_1: /* 10 words */ - mov r0, B0 - mov B0, B1 - mov B1, B2 - mov B2, B3 - mov B3, B4 - mov B4, B5 - mov B5, B6 - mov B6, B7 - mov B7, r0 -byte_rotr_0: - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 2 3 4 5 6 7 0 1 -;.global byte_rotr_2 -byte_rotr_2: /* 11 words */ - mov r0, B0 - mov B0, B2 - mov B2, B4 - mov B4, B6 - mov B6, r0 - mov r0, B1 - mov B1, B3 - mov B3, B5 - mov B5, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 3 4 5 6 7 0 1 2 -;.global byte_rotr_3 -byte_rotr_3: /* 10 words */ - mov r0, B0 - mov B0, B3 - mov B3, B6 - mov B6, B1 - mov B1, B4 - mov B4, B7 - mov B7, B2 - mov B2, B5 - mov B5, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 4 5 6 7 0 1 2 3 -;.global byte_rotr_4 -byte_rotr_4: /* 13 words */ - mov r0, B0 - mov B0, B4 - mov B4, r0 - - mov r0, B1 - mov B1, B5 - mov B5, r0 - - mov r0, B2 - mov B2, B6 - mov B6, r0 - - mov r0, B3 - mov B3, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 5 6 7 0 1 2 3 4 -;.global byte_rotr_5 -byte_rotr_5: /* 10 words */ - mov r0, B0 - mov B0, B5 - mov B5, B2 - mov B2, B7 - mov B7, B4 - mov B4, B1 - mov B1, B6 - mov B6, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 6 7 0 1 2 3 4 5 -;.global byte_rotr_6 -byte_rotr_6: /* 11 words */ - mov r0, B0 - mov B0, B6 - mov B6, B4 - mov B4, B2 - mov B2, r0 - - mov r0, B1 - mov B1, B7 - mov B7, B5 - mov B5, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 7 0 1 2 3 4 5 6 -;.global byte_rotr_7 -byte_rotr_7: /* 10 words */ - mov r0, B7 - mov B7, B6 - mov B6, B5 - mov B5, B4 - mov B4, B3 - mov B3, B2 - mov B2, B1 - mov B1, B0 - mov B0, r0 - rjmp post_byterot - -;.global bit_rotl -bit_rotl: - tst vROT - brne 1f - rjmp post_bitrot -1: mov r0, B7 - rol r0 - rol B0 - rol B1 - rol B2 - rol B3 - rol B4 - rol B5 - rol B6 - rol B7 - dec vROT - rjmp bit_rotl - -;.global bit_rotr -bit_rotr: - tst vROT - brne 1f - rjmp post_bitrot -1: mov r0, B0 - ror r0 - ror B7 - ror B6 - ror B5 - ror B4 - ror B3 - ror B2 - ror B1 - ror B0 - dec vROT - rjmp bit_rotr - - diff --git a/threefish_invmix_c.c b/threefish_invmix_c.c deleted file mode 100644 index f664888..0000000 --- a/threefish_invmix_c.c +++ /dev/null @@ -1,39 +0,0 @@ -/* threefish_invmix_c.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-21 - * \license GPLv3 or later - * - * - * - */ - -#include - -#define X0 (((uint64_t*)data)[0]) -#define X1 (((uint64_t*)data)[1]) -void threefish_invmix(void* data, uint8_t rot){ - uint64_t x; - x = X1; - x ^= X0; - X1 = ((x>>rot)|(x<<(64-rot))); - X0 -= X1; -} diff --git a/threefish_mix.S b/threefish_mix.S deleted file mode 100644 index 07d076f..0000000 --- a/threefish_mix.S +++ /dev/null @@ -1,311 +0,0 @@ -/* threefish_mix.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/* -#define B0 (((uint64_t*)data)[0]) -#define B1 (((uint64_t*)data)[1]) -static -void mix(void* data, uint8_t rot){ - uint64_t x; - x = B1; - B0 += x; - B1 = ((x<>(64-rot))) ^ B0; -} -*/ -A0 = 10 -A1 = 11 -A2 = 12 -A3 = 13 -A4 = 14 -A5 = 15 -A6 = 16 -A7 = 17 - -B0 = 18 -B1 = 19 -B2 = 20 -B3 = 21 -B4 = 22 -B5 = 23 -B6 = 24 -B7 = 25 -vROT = 27 -/* - * param data: r24:r25 - * param rot: r22 - */ - -.global threefish_mix_asm -threefish_mix_asm: - movw r28, r24 - mov vROT,r22 - ldd A0, Y+ 0 - ldd A1, Y+ 1 - ldd A2, Y+ 2 - ldd A3, Y+ 3 - ldd A4, Y+ 4 - ldd A5, Y+ 5 - ldd A6, Y+ 6 - ldd A7, Y+ 7 - ldd B0, Y+ 8 - ldd B1, Y+ 9 - ldd B2, Y+10 - ldd B3, Y+11 - ldd B4, Y+12 - ldd B5, Y+13 - ldd B6, Y+14 - ldd B7, Y+15 - add A0, B0 - adc A1, B1 - adc A2, B2 - adc A3, B3 - adc A4, B4 - adc A5, B5 - adc A6, B6 - adc A7, B7 - - mov r26, vROT - swap r26 - andi r26, 0x07 - ldi r30, pm_lo8(byte_rot_jmptable) - ldi r31, pm_hi8(byte_rot_jmptable) - add r30, r26 - adc r31, r1 - ijmp -post_byterot: - bst vROT, 3 - andi vROT, 0x07 - brts 1f - rjmp bit_rotl -1: rjmp bit_rotr -post_bitrot: - eor B0, A0 - eor B1, A1 - eor B2, A2 - eor B3, A3 - eor B4, A4 - eor B5, A5 - eor B6, A6 - eor B7, A7 - - std Y+ 0, A0 - std Y+ 1, A1 - std Y+ 2, A2 - std Y+ 3, A3 - std Y+ 4, A4 - std Y+ 5, A5 - std Y+ 6, A6 - std Y+ 7, A7 - std Y+ 8, B0 - std Y+ 9, B1 - std Y+10, B2 - std Y+11, B3 - std Y+12, B4 - std Y+13, B5 - std Y+14, B6 - std Y+15, B7 -exit: - ret - - -byte_rot_jmptable: - rjmp post_byterot;ret; rjmp byte_rotr_0 - rjmp byte_rotr_7 - rjmp byte_rotr_6 - rjmp byte_rotr_5 - rjmp byte_rotr_4 - rjmp byte_rotr_3 - rjmp byte_rotr_2 - rjmp byte_rotr_1 - rjmp post_byterot;ret; rjmp byte_rotr_0 - -; 0 1 2 3 4 5 6 7 -; 1 2 3 4 5 6 7 0 -;.global byte_rotr_1 -;.global byte_rotr_0 -byte_rotr_1: /* 10 words */ - mov r0, B0 - mov B0, B1 - mov B1, B2 - mov B2, B3 - mov B3, B4 - mov B4, B5 - mov B5, B6 - mov B6, B7 - mov B7, r0 -byte_rotr_0: - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 2 3 4 5 6 7 0 1 -;.global byte_rotr_2 -byte_rotr_2: /* 11 words */ - mov r0, B0 - mov B0, B2 - mov B2, B4 - mov B4, B6 - mov B6, r0 - mov r0, B1 - mov B1, B3 - mov B3, B5 - mov B5, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 3 4 5 6 7 0 1 2 -;.global byte_rotr_3 -byte_rotr_3: /* 10 words */ - mov r0, B0 - mov B0, B3 - mov B3, B6 - mov B6, B1 - mov B1, B4 - mov B4, B7 - mov B7, B2 - mov B2, B5 - mov B5, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 4 5 6 7 0 1 2 3 -;.global byte_rotr_4 -byte_rotr_4: /* 13 words */ - mov r0, B0 - mov B0, B4 - mov B4, r0 - - mov r0, B1 - mov B1, B5 - mov B5, r0 - - mov r0, B2 - mov B2, B6 - mov B6, r0 - - mov r0, B3 - mov B3, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 5 6 7 0 1 2 3 4 -;.global byte_rotr_5 -byte_rotr_5: /* 10 words */ - mov r0, B0 - mov B0, B5 - mov B5, B2 - mov B2, B7 - mov B7, B4 - mov B4, B1 - mov B1, B6 - mov B6, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 6 7 0 1 2 3 4 5 -;.global byte_rotr_6 -byte_rotr_6: /* 11 words */ - mov r0, B0 - mov B0, B6 - mov B6, B4 - mov B4, B2 - mov B2, r0 - - mov r0, B1 - mov B1, B7 - mov B7, B5 - mov B5, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 7 0 1 2 3 4 5 6 -;.global byte_rotr_7 -byte_rotr_7: /* 10 words */ - mov r0, B7 - mov B7, B6 - mov B6, B5 - mov B5, B4 - mov B4, B3 - mov B3, B2 - mov B2, B1 - mov B1, B0 - mov B0, r0 - rjmp post_byterot - -;.global bit_rotl -bit_rotl: - tst vROT - brne 1f - rjmp post_bitrot -1: mov r0, B7 - rol r0 - rol B0 - rol B1 - rol B2 - rol B3 - rol B4 - rol B5 - rol B6 - rol B7 - dec vROT - rjmp bit_rotl - -;.global bit_rotr -bit_rotr: - tst vROT - brne 1f - rjmp post_bitrot -1: mov r0, B0 - ror r0 - ror B7 - ror B6 - ror B5 - ror B4 - ror B3 - ror B2 - ror B1 - ror B0 - dec vROT - rjmp bit_rotr - - - - - - - - - - - - - - - diff --git a/threefish_mix_4c.S b/threefish_mix_4c.S deleted file mode 100644 index 063232e..0000000 --- a/threefish_mix_4c.S +++ /dev/null @@ -1,328 +0,0 @@ -/* threefish_mix.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/* -#define B0 (((uint64_t*)data)[0]) -#define B1 (((uint64_t*)data)[1]) -static -void mix(void* data, uint8_t rot){ - uint64_t x; - x = B1; - B0 += x; - B1 = ((x<>(64-rot))) ^ B0; -} -*/ -A0 = 10 -A1 = 11 -A2 = 12 -A3 = 13 -A4 = 14 -A5 = 15 -A6 = 16 -A7 = 17 - -B0 = 18 -B1 = 19 -B2 = 20 -B3 = 21 -B4 = 22 -B5 = 23 -B6 = 24 -B7 = 25 -vROT = 27 -/* - * param data: r24:r25 - * param rot: r22 - */ - -.global threefish_mix -threefish_mix: - push r28 - push r29 - push_range 10, 17 - movw r28, r24 - mov vROT,r22 - ldd A0, Y+ 0 - ldd A1, Y+ 1 - ldd A2, Y+ 2 - ldd A3, Y+ 3 - ldd A4, Y+ 4 - ldd A5, Y+ 5 - ldd A6, Y+ 6 - ldd A7, Y+ 7 - ldd B0, Y+ 8 - ldd B1, Y+ 9 - ldd B2, Y+10 - ldd B3, Y+11 - ldd B4, Y+12 - ldd B5, Y+13 - ldd B6, Y+14 - ldd B7, Y+15 - add A0, B0 - adc A1, B1 - adc A2, B2 - adc A3, B3 - adc A4, B4 - adc A5, B5 - adc A6, B6 - adc A7, B7 - - mov r26, vROT - adiw r26, 3 - lsr r26 - lsr r26 - lsr r26 -; andi r26, 0x07 - ldi r30, pm_lo8(byte_rot_jmptable) - ldi r31, pm_hi8(byte_rot_jmptable) - add r30, r26 - adc r31, r1 - ijmp -post_byterot: - ldi r30, lo8(bit_rot_lut) - ldi r31, hi8(bit_rot_lut) - andi vROT, 0x07 - add r30, vROT - adc r31, r1 - lpm r27, Z - bst r27, 7 - andi r27, 0x07 - brts 1f - rjmp bit_rotl -1: rjmp bit_rotr -post_bitrot: - eor B0, A0 - eor B1, A1 - eor B2, A2 - eor B3, A3 - eor B4, A4 - eor B5, A5 - eor B6, A6 - eor B7, A7 - - std Y+ 0, A0 - std Y+ 1, A1 - std Y+ 2, A2 - std Y+ 3, A3 - std Y+ 4, A4 - std Y+ 5, A5 - std Y+ 6, A6 - std Y+ 7, A7 - std Y+ 8, B0 - std Y+ 9, B1 - std Y+10, B2 - std Y+11, B3 - std Y+12, B4 - std Y+13, B5 - std Y+14, B6 - std Y+15, B7 -exit: - pop_range 10, 17 - pop r29 - pop r28 - ret - -bit_rot_lut: - .byte 0x00 - .byte 0x01 - .byte 0x02 - .byte 0x03 - .byte 0x04 - .byte 0x83 - .byte 0x82 - .byte 0x81 - -byte_rot_jmptable: - rjmp post_byterot;ret; rjmp byte_rotr_0 - rjmp byte_rotr_7 - rjmp byte_rotr_6 - rjmp byte_rotr_5 - rjmp byte_rotr_4 - rjmp byte_rotr_3 - rjmp byte_rotr_2 - rjmp byte_rotr_1 - rjmp post_byterot;ret; rjmp byte_rotr_0 - -; 0 1 2 3 4 5 6 7 -; 1 2 3 4 5 6 7 0 - -byte_rotr_1: /* 10 words */ - mov r0, B0 - mov B0, B1 - mov B1, B2 - mov B2, B3 - mov B3, B4 - mov B4, B5 - mov B5, B6 - mov B6, B7 - mov B7, r0 -byte_rotr_0: - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 2 3 4 5 6 7 0 1 - -byte_rotr_2: /* 11 words */ - mov r0, B0 - mov B0, B2 - mov B2, B4 - mov B4, B6 - mov B6, r0 - mov r0, B1 - mov B1, B3 - mov B3, B5 - mov B5, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 3 4 5 6 7 0 1 2 - -byte_rotr_3: /* 10 words */ - mov r0, B0 - mov B0, B3 - mov B3, B6 - mov B6, B1 - mov B1, B4 - mov B4, B7 - mov B7, B2 - mov B2, B5 - mov B5, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 4 5 6 7 0 1 2 3 -byte_rotr_4: /* 13 words */ - mov r0, B0 - mov B0, B4 - mov B4, r0 - - mov r0, B1 - mov B1, B5 - mov B5, r0 - - mov r0, B2 - mov B2, B6 - mov B6, r0 - - mov r0, B3 - mov B3, B7 - mov B7, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 5 6 7 0 1 2 3 4 -byte_rotr_5: /* 10 words */ - mov r0, B0 - mov B0, B5 - mov B5, B2 - mov B2, B7 - mov B7, B4 - mov B4, B1 - mov B1, B6 - mov B6, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 6 7 0 1 2 3 4 5 -byte_rotr_6: /* 11 words */ - mov r0, B0 - mov B0, B6 - mov B6, B4 - mov B4, B2 - mov B2, r0 - - mov r0, B1 - mov B1, B7 - mov B7, B5 - mov B5, B3 - mov B3, r0 - rjmp post_byterot - -; 0 1 2 3 4 5 6 7 -; 7 0 1 2 3 4 5 6 -byte_rotr_7: /* 10 words */ - mov r0, B7 - mov B7, B6 - mov B6, B5 - mov B5, B4 - mov B4, B3 - mov B3, B2 - mov B2, B1 - mov B1, B0 - mov B0, r0 - rjmp post_byterot - -bit_rotl: - tst r27 - brne 1f - rjmp post_bitrot -1: mov r0, B7 - rol r0 - rol B0 - rol B1 - rol B2 - rol B3 - rol B4 - rol B5 - rol B6 - rol B7 - dec r27 - rjmp bit_rotl - -bit_rotr: - tst r27 - brne 1f - rjmp post_bitrot -1: mov r0, B0 - ror r0 - ror B7 - ror B6 - ror B5 - ror B4 - ror B3 - ror B2 - ror B1 - ror B0 - dec r27 - rjmp bit_rotr - - - - - - - - - - - - - - - diff --git a/threefish_mix_c.c b/threefish_mix_c.c deleted file mode 100644 index 2031bc8..0000000 --- a/threefish_mix_c.c +++ /dev/null @@ -1,38 +0,0 @@ -/* threefish_mix_c.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - * - * - * - */ - -#include - -#define X0 (((uint64_t*)data)[0]) -#define X1 (((uint64_t*)data)[1]) -void threefish_mix(void* data, uint8_t rot){ - uint64_t x; - x = X1; - X0 += x; - X1 = ((x<>(64-rot))) ^ X0; -} diff --git a/twister-asm.S b/twister-asm.S deleted file mode 100644 index 746ea09..0000000 --- a/twister-asm.S +++ /dev/null @@ -1,604 +0,0 @@ -/* twister-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-22 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" - -twister_sbox: -.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 -.byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 -.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 -.byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 -.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc -.byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 -.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a -.byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 -.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 -.byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 -.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b -.byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf -.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 -.byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 -.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 -.byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 -.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 -.byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 -.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 -.byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb -.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c -.byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 -.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 -.byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 -.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 -.byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a -.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e -.byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e -.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 -.byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf -.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 -.byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 - -/* - * param ctx: r24:r25 - * param msg: r22:r23 - */ -.global twister_mini_round -twister_mini_round: - movw r26, r24 - movw r30, r22 - adiw r26, 8*7 - adiw r30, 8 - ldi r21, 8 -1: - ld r22, X - ld r23, -Z - eor r22, r23 - st X+, r22 - dec r21 - brne 1b - -/* - * param ctx: r24:r25 - * - */ -X_SAVE0 = 4 -X_SAVE1 = 5 -Y_SAVE0 = 6 -Y_SAVE1 = 7 -MDS0 = 8 -MDS1 = 9 -MDS2 = 10 -MDS3 = 11 -MDS4 = 12 -MDS5 = 13 -MDS6 = 14 -MDS7 = 15 - - -.global twister_blank_round -twister_blank_round: - push_range 4, 17 - push r28 - push r29 - stack_alloc_large 64, r28, r29 - - movw X_SAVE0, r24 - movw r30, r24 - adiw r30, 63 - adiw r30, 1+8 /* Z points behind counter */ - movw r26, r24 - adiw r26, 1 - ldi r22, 8 -1: /* "add" counter */ - ld r16, -Z - ld r21, X - eor r21, r16 - st X, r21 - adiw r26, 8 - dec r22 - brne 1b - - /* decrement counter */ - subi r16, 1 - st Z+, r16 - ldi r17, 7 -1: - ld r16, Z - sbci r16, 0 - st Z+, r16 - dec r17 - brne 1b - - movw r26, r24 - adiw r28, 1 /* Y points to stack memory */ - movw Y_SAVE0, r28 - movw r24, r28 - ldi r20, lo8(twister_sbox) - ldi r21, hi8(twister_sbox) - ldi r18, 8 -1: - ldi r19, 0 - -2: /* sbox substitution */ - ld r0, X+ - movw r30, r20 - add r30, r0 - adc r31, r1 - lpm r0, Z - movw r28, r24 - mov r16, r18 - add r16, r19 - andi r16, 0x07 - add r28, r16 - adc r29, r1 - st Y, r0 - inc r19 - cpi r19, 8 - brne 2b - adiw r24, 8 - dec r18 - brne 1b - - /* load MDS-Table to MDS0:MDS7 */ - ldi r18, 1 - mov MDS1, r18 - mov MDS2, r18 - mov MDS7, r18 - ldi r18, 2 - mov MDS0, r18 - ldi r18, 5 - mov MDS3, r18 - ldi r18, 6 - mov MDS6, r18 - ldi r18, 7 - mov MDS4, r18 - ldi r18, 8 - mov MDS5, r18 - - ldi r20, 0x4D /* reducer for gf256mul*/ - ldi r16, 0 - -1: - movw r26, X_SAVE0 - add r26, r16 - adc r27, r1 - ldi r17, 8 -2: - mov r24, MDS0 - movw r28, Y_SAVE0 - add r28, r16 - adc r29, r1 - ld r22, Y - rcall gf256mul - mov r0, r24 - - mov r24, MDS1 - ldd r22, Y+8 - rcall gf256mul - eor r0, r24 - - mov r24, MDS2 - ldd r22, Y+8*2 - rcall gf256mul - eor r0, r24 - - mov r24, MDS3 - ldd r22, Y+8*3 - rcall gf256mul - eor r0, r24 - - mov r24, MDS4 - ldd r22, Y+8*4 - rcall gf256mul - eor r0, r24 - - mov r24, MDS5 - ldd r22, Y+8*5 - rcall gf256mul - eor r0, r24 - - mov r24, MDS6 - ldd r22, Y+8*6 - rcall gf256mul - eor r0, r24 - - mov r24, MDS7 - ldd r22, Y+8*7 - rcall gf256mul - eor r0, r24 - - st X, r0 - adiw r26, 8 - - mov r0, MDS7 - mov MDS7, MDS6 - mov MDS6, MDS5 - mov MDS5, MDS4 - mov MDS4, MDS3 - mov MDS3, MDS2 - mov MDS2, MDS1 - mov MDS1, MDS0 - mov MDS0, r0 - - dec r17 - brne 2b -8: - inc r16 - cpi r16, 8 - brne 1b - -9: - stack_free_large 64 - pop r29 - pop r28 - pop_range 4, 17 - ret - -/*********************************************************************/ -A = 23 -B = 22 -P = 24 - -gf256mul: - mov A, r24 - clr P -1: - lsr A - breq 4f - brcc 2f - eor P, B -2: - lsl B - brcc 3f - eor B, r20 -3: - rjmp 1b -4: - brcc 2f - eor P, B -2: - ret - -/*********************************************************************/ -/* twister_ctx2hash */ -/* - * param dest: r24:r25 - * param ctx: r22:r23 - * param hashsize_b: r20:r21 - */ -DEST_SAVE0 = 10 -DEST_SAVE1 = 11 -CTX_SAVE0 = 12 -CTX_SAVE1 = 13 -LEN_SAVE = 14 -LEN32_SAVE = 15 -TMP_SAVE0 = 16 -TMP_SAVE1 = 17 - - -.global twister_ctx2hash -.global twister_small_ctx2hash -.global twister_large_ctx2hash -.global twister224_ctx2hash -.global twister256_ctx2hash -.global twister384_ctx2hash -.global twister512_ctx2hash - -twister224_ctx2hash: - ldi r20, lo8(224) - ldi r21, hi8(224) - rjmp twister_ctx2hash - -twister256_ctx2hash: - ldi r20, lo8(256) - ldi r21, hi8(256) - rjmp twister_ctx2hash - -twister384_ctx2hash: - ldi r20, lo8(384) - ldi r21, hi8(384) - rjmp twister_ctx2hash - -twister512_ctx2hash: - ldi r20, lo8(512) - ldi r21, hi8(512) -; rjmp twister_ctx2hash - -twister_large_ctx2hash: -twister_small_ctx2hash: -twister_ctx2hash: - push_range 10, 17 - push r28 - push r29 - stack_alloc_large 64 - movw DEST_SAVE0, r24 - movw CTX_SAVE0, r22 - clr LEN32_SAVE - sbrc r20, 5 - inc LEN32_SAVE - lsr r21 - ror r20 - lsr r21 - ror r20 /* length is max 512 so we now only have to shift r20 */ - swap r20 /* this is faster than 4 shifts */ - andi r20, 0x0f - add r20, LEN32_SAVE - mov LEN_SAVE, r20 - - adiw r30, 1 - movw TMP_SAVE0, r30 -1: - dec LEN_SAVE - brmi 9f - /* tmp <- ctx-s */ - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r20, 64/4 -3: - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - dec r20 - brne 3b - - movw r24, CTX_SAVE0 - rcall twister_blank_round - /* ctx-s ^= tmp */ - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r20, 64 -3: - ld r0, X - ld r21, Z+ - eor r0, r21 - st X+, r0 - dec r20 - brne 3b - - movw r24, CTX_SAVE0 - rcall twister_blank_round - - - movw r26, CTX_SAVE0 - - tst LEN_SAVE - brne 2f - tst LEN32_SAVE - brne 5f -2: - adiw r26, 8*7 - movw r30, TMP_SAVE0 - adiw r30, 8*7 - movw r28, DEST_SAVE0 - ldi r20, 8 -3: - ld r0, Z - ld r21, X - eor r0, r21 - st Y+, r0 - sbiw r26, 8 - sbiw r30, 8 - dec r20 - brne 3b - movw DEST_SAVE0, r28 -7: - rjmp 1b - -5: - adiw r26, 8*3 - movw r30, TMP_SAVE0 - adiw r30, 8*3 - movw r28, DEST_SAVE0 - ldi r20, 4 -3: - ld r0, Z - ld r21, X - eor r0, r21 - st Y+, r0 - sbiw r26, 8 - sbiw r30, 8 - dec r20 - brne 3b - -9: - stack_free_large 64 - pop r29 - pop r28 - pop_range 10, 17 - ret - - - -/*********************************************************************/ -/* void twister_small_nextBlock(twister_state_t* ctx, void* msg) */ -/* - * param ctx: r24:r25 - * param msg: r22:r23 - */ -CTX_SAVE0 = 14 -CTX_SAVE1 = 15 -TMP_SAVE0 = 12 -TMP_SAVE1 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 -.global twister_small_nextBlock -.global twister224_nextBlock -.global twister256_nextBlock - -twister224_nextBlock: -twister256_nextBlock: -twister_small_nextBlock: - push_range 12, 15 - push r28 - push r29 - stack_alloc_large 64 - adiw r30, 1 - movw TMP_SAVE0, r30 - movw CTX_SAVE0, r24 - movw MSG_SAVE0, r22 - movw r26, CTX_SAVE0 - ldi r18, 64/8 -1: - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - dec r18 - brne 1b - - rcall twister_mini_round - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z - eor r0, r23 - st X+, r0 - st Z+, r0 - dec r18 - brne 1b - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z - eor r0, r23 - st X+, r0 - st Z+, r0 - dec r18 - brne 1b - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - rcall twister_blank_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z+ - eor r0, r23 - st X+, r0 - dec r18 - brne 1b - - adiw r26, 9 - ldi r19, 2 - ld r0, X - add r0, r19 - st X+, r0 - - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - - stack_free_large 64 - pop r29 - pop r28 - pop_range 12, 15 - ret - - - - - - - - diff --git a/twister-large-asm.S b/twister-large-asm.S deleted file mode 100644 index be10546..0000000 --- a/twister-large-asm.S +++ /dev/null @@ -1,516 +0,0 @@ -/* twister-large-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister-large-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-27 - * \license GPLv3 or later - * - */ - - #include "avr-asm-macros.S" - -/* void checksum_update(twister_large_ctx_t* ctx, uint8_t col) */ -/* - * param ctx: r24:r25 - * param col: r22 - */ -checksum_update: - push r16 - push r28 - push r29 - lsl r22 - lsl r22 - lsl r22 - mov r16, r22 - movw r30, r24 /* X points to ctx->state.s */ - - ldd r18, Z+7*8 - ldd r19, Z+6*8 - ldd r20, Z+5*8 - ldd r21, Z+4*8 - ldd r22, Z+3*8 - ldd r23, Z+2*8 - ldd r24, Z+1*8 - ldd r25, Z+0*8 - - adiw r30, 63 - adiw r30, 1+3*8 /* Z points at ctx->checksum[0][8] */ - movw r28, r30 /* Y points at ctx->checksum[0][8] */ - andi r16, 63 - add r30, r16 /* Z points at ctx->checksum[col][8]*/ - adc r31, r1 - ldi r26, 8 - add r16, r26 - andi r16, 63 - add r28, r16 - adc r29, r1 /* Y points at ctx->checksum[(col+1)%8][8]*/ - - ld r0, -Y - add r18, r0 - ld r0, -Z - eor r0, r18 - st Z, r0 - - ld r0, -Y - adc r19, r0 - ld r0, -Z - eor r0, r19 - st Z, r0 - - ld r0, -Y - adc r20, r0 - ld r0, -Z - eor r0, r20 - st Z, r0 - - ld r0, -Y - adc r21, r0 - ld r0, -Z - eor r0, r21 - st Z, r0 - - ld r0, -Y - adc r22, r0 - ld r0, -Z - eor r0, r22 - st Z, r0 - - ld r0, -Y - adc r23, r0 - ld r0, -Z - eor r0, r23 - st Z, r0 - - ld r0, -Y - adc r24, r0 - ld r0, -Z - eor r0, r24 - st Z, r0 - - ld r0, -Y - adc r25, r0 - ld r0, -Z - eor r0, r25 - st Z, r0 - - pop r29 - pop r28 - pop r16 - ret - -/*********************************************************************/ -/* void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b)*/ -/* - * param ctx: r24:r25 - * param hashsize_b: r22:r23 - */ -.global twister384_init -twister384_init: - ldi r22, lo8(384) - ldi r23, hi8(384) - rjmp twister_large_init - -.global twister512_init -twister512_init: - ldi r22, lo8(512) - ldi r23, hi8(512) - -.global twister_large_init -twister_large_init: - movw r30, r24 - ldi r24, 64 -1: - st Z+, r1 - dec r24 - brne 1b - - dec r1 - ldi r24, 8 -1: - st Z+, r1 - dec r24 - brne 1b - - inc r1 - ldi r24, 8+64 -1: - st Z+, r1 - dec r24 - brne 1b - - subi r30, lo8(1+8+8+8*7+64) - sbci r31, hi8(1+8+8+8*7+64) - st Z, r23 - std Z+8, r22 - ret - -/*********************************************************************/ -/* void twister_large_nextBlock(twister_state_t* ctx, void* msg) */ -/* - * param ctx: r24:r25 - * param msg: r22:r23 - */ -CTX_SAVE0 = 14 -CTX_SAVE1 = 15 -TMP_SAVE0 = 12 -TMP_SAVE1 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 -.global twister_large_nextBlock -.global twister384_nextBlock -.global twister512_nextBlock - -twister384_nextBlock: -twister512_nextBlock: -twister_large_nextBlock: - push_range 12, 15 - push r28 - push r29 - stack_alloc_large 64 - adiw r30, 1 - movw TMP_SAVE0, r30 - movw CTX_SAVE0, r24 - movw MSG_SAVE0, r22 - movw r26, CTX_SAVE0 - ldi r18, 64/8 -1: - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - ld r0, X+ - st Z+, r0 - dec r18 - brne 1b - /* maxi round 1 */ - movw r24, CTX_SAVE0 - ldi r22, 0 - rcall checksum_update - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - ldi r22, 1 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - ldi r22, 2 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z - eor r0, r23 - st X+, r0 - st Z+, r0 - dec r18 - brne 1b - /* maxi round 2 */ - movw r24, CTX_SAVE0 - ldi r22, 3 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - rcall twister_blank_round - - movw r24, CTX_SAVE0 - ldi r22, 4 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z - eor r0, r23 - st X+, r0 - st Z+, r0 - dec r18 - brne 1b - /* maxi round 3 */ - movw r24, CTX_SAVE0 - ldi r22, 5 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - ldi r22, 6 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - ldi r22, 7 - rcall checksum_update - adiw MSG_SAVE0, 8 - movw r22, MSG_SAVE0 - movw r24, CTX_SAVE0 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - rcall twister_blank_round - - movw r30, TMP_SAVE0 - movw r26, CTX_SAVE0 - ldi r18, 64 -1: - ld r0, X - ld r23, Z+ - eor r0, r23 - st X+, r0 - dec r18 - brne 1b - - adiw r26, 9 - ldi r19, 2 - ld r0, X - add r0, r19 - st X+, r0 - - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - ld r0, X - adc r0, r1 - st X+, r0 - - stack_free_large 64 - pop r29 - pop r28 - pop_range 12, 15 - ret - -/*********************************************************************/ -/* void twister_large_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b) */ -/* - * param ctx: r24:r25 - * param msg: r22:r23 - * param length_b: r20:r21 - */ -TMP_SAVE0 = 12 -TMP_SAVE1 = 13 -CTX_SAVE0 = 14 -CTX_SAVE1 = 15 -LEN_SAVE0 = 16 -LEN_SAVE1 = 17 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 -.global twister_large_lastBlock -.global twister384_lastBlock -.global twister512_lastBlock - -twister384_lastBlock: -twister512_lastBlock: -twister_large_lastBlock: - push_range 12, 17 - push r28 - push r29 - stack_alloc_large 64 - adiw r30, 1 - movw TMP_SAVE0, r30 - movw CTX_SAVE0, r24 - movw MSG_SAVE0, r22 - movw LEN_SAVE0, r20 -1: - cpi LEN_SAVE1, 2 - brmi 2f - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_large_nextBlock - adiw MSG_SAVE0, 8 - subi LEN_SAVE1, 2 - rjmp 1b -2: - movw r18, LEN_SAVE0 - lsr r19 - ror r18 - lsr r18 - lsr r18 - ldi r19, 63 - movw r26, MSG_SAVE0 - movw r30, TMP_SAVE0 - ldi r20, 0x80 - sub r19, r18 /* r18: bytes to copy, r19: bytes to clear */ - - ld r0, X+ -3: - tst r18 - breq 4f -31: - st Z+, r0 - ld r0, X+ - dec r18 - brne 31b -4: - mov r18, LEN_SAVE0 - andi r18, 0x07 - ldi r20, 0x80 - breq 5f -4: - lsr r20 - dec r18 - brne 4b - or r20, r0 - rjmp 5f - -5: - st Z+, r20 - tst r19 - breq 7f -6: - st Z+, r1 - dec r19 - brne 6b -7: - movw r24, CTX_SAVE0 - movw r22, TMP_SAVE0 - rcall twister_large_nextBlock - - ldi r19, 2 - clr r18 - - sub r18, LEN_SAVE0 - sbc r19, LEN_SAVE1 - movw r26, CTX_SAVE0 - adiw r26, 63 - adiw r26, 1+8 - - ld r0, X - sub r0, r18 - st X+, r0 - ld r0, X - sbc r0, r19 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - - sbiw r26, 8 - movw r24, CTX_SAVE0 - movw r22, r26 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - movw r22, CTX_SAVE0 - ldi r16, 64+8+8 - add r22, r16 - adc r23, r1 - movw r30, r22 - ldi r26, 8 -1: - ld r12, Z+ - ld r13, Z+ - ld r16, Z+ - ld r17, Z+ - ld r18, Z+ - ld r19, Z+ - ld r20, Z+ - ld r21, Z+ - st -Z, r12 - st -Z, r13 - st -Z, r16 - st -Z, r17 - st -Z, r18 - st -Z, r19 - st -Z, r20 - st -Z, r21 - adiw r30, 8 - dec r26 - brne 1b - - movw r24, CTX_SAVE0 - movw r22, CTX_SAVE0 - ldi r26, 64+2*8 - add r22, r26 - adc r23, r1 - rcall twister_small_nextBlock - - stack_free_large 64 - pop r29 - pop r28 - pop_range 12, 17 - ret diff --git a/twister-large.c b/twister-large.c deleted file mode 100644 index 1775488..0000000 --- a/twister-large.c +++ /dev/null @@ -1,238 +0,0 @@ -/* twister-large.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include -#include -#include "memxor.h" -#include "twister.h" -#include "twister-large.h" - -/*********************************************************************/ - -static -void checksum_update(twister_large_ctx_t* ctx, uint8_t col){ - uint8_t i, col2; - uint8_t carry = 0; - int sum = 0; - - col2 = (col+1)%8; - - for( i=0; i<8; i++ ) - { - sum = (int) ctx->checksum[col2][7-i] - + (int) ctx->state.s[7-i][0] /* col or 0 ???*/ - + carry; - ctx->checksum[col][7-i] ^= (uint8_t)sum; - carry = sum>>8; - - } -} - -/*********************************************************************/ - -void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b){ - memset(ctx->state.s, 0, 64); - memset(ctx->checksum, 0, 64); - ctx->state.counter=0xffffffffffffffffLL; - ctx->state.s[0][7] = hashsize_b>>8; - ctx->state.s[1][7] = hashsize_b&0xff; - ctx->state.length_counter_b = 0; -} - -/*********************************************************************/ - -void twister_large_nextBlock(twister_large_ctx_t* ctx, const void* msg){ - uint8_t tmp[8][8]; - - /* 1st maxi round */ - memcpy(tmp, ctx->state.s, 64); - checksum_update(ctx, 0); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - - checksum_update(ctx, 1); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - - checksum_update(ctx, 2); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - memxor(ctx->state.s, tmp, 64); - - /* 2nd maxi round */ - memcpy(tmp, ctx->state.s, 64); - checksum_update(ctx, 3); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - - twister_blank_round(&(ctx->state)); - - checksum_update(ctx, 4); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - memxor(ctx->state.s, tmp, 64); - - /* 3rd maxi round */ - memcpy(tmp, ctx->state.s, 64); - checksum_update(ctx, 5); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - - checksum_update(ctx, 6); - twister_mini_round(&(ctx->state), msg); - msg = (uint8_t*)msg + 8; - - checksum_update(ctx, 7); - twister_mini_round(&(ctx->state), msg); - - twister_blank_round(&(ctx->state)); - memxor(ctx->state.s, tmp, 64); - ctx->state.length_counter_b += 512; -} - -/*********************************************************************/ - -void twister_inject_chksum(twister_large_ctx_t* ctx, uint8_t col){ - *((uint64_t*)(&ctx->state.s[7][0])) ^= *((uint64_t*)(&ctx->checksum[col][0])); - twister_blank_round(&ctx->state); -} - -/*********************************************************************/ - -void twister_large_lastBlock(twister_large_ctx_t* ctx, const void* msg, uint16_t length_b){ - uint8_t tmp[64]; - while(length_b>=512){ - twister_large_nextBlock(ctx, msg); - msg = ((uint8_t*)msg)+64; - length_b -= 512; - } - memset(tmp, 0, 64); - memcpy(tmp, msg, (length_b+7)/8); - tmp[length_b/8] |= 0x80 >> (length_b&0x07); - twister_large_nextBlock(ctx, tmp); - ctx->state.length_counter_b -= 512 - length_b; - twister_mini_round(&(ctx->state), &(ctx->state.length_counter_b)); - - memcpy(tmp, ctx->state.s, 64); - twister_inject_chksum(ctx, 0); - twister_inject_chksum(ctx, 1); - twister_inject_chksum(ctx, 2); - memxor(ctx->state.s, tmp, 64); - - memcpy(tmp, ctx->state.s, 64); - twister_inject_chksum(ctx, 3); - twister_inject_chksum(ctx, 4); - twister_inject_chksum(ctx, 5); - memxor(ctx->state.s, tmp, 64); - - memcpy(tmp, ctx->state.s, 64); - twister_inject_chksum(ctx, 6); - twister_inject_chksum(ctx, 7); - twister_blank_round(&(ctx->state)); - memxor(ctx->state.s, tmp, 64); - -} - -/*********************************************************************/ - -void twister_large_ctx2hash(void* dest, twister_large_ctx_t* ctx, uint16_t hashsize_b){ - twister_ctx2hash(dest, &(ctx->state), hashsize_b); -} - -/*********************************************************************/ -/*********************************************************************/ - -void twister384_init(twister384_ctx_t* ctx){ - twister_large_init(ctx, 384); -} - -/*********************************************************************/ - -void twister384_nextBlock(twister384_ctx_t* ctx, const void* msg){ - twister_large_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -void twister384_lastBlock(twister384_ctx_t* ctx, const void* msg, uint16_t length_b){ - twister_large_lastBlock(ctx, msg, length_b); -} - -/*********************************************************************/ - -void twister384_ctx2hash(void* dest, twister384_ctx_t* ctx){ - twister_large_ctx2hash(dest, ctx, 384); -} - -/*********************************************************************/ - -void twister384(void* dest, const void* msg, uint32_t msg_length_b){ - twister_large_ctx_t ctx; - twister_large_init(&ctx, 384); - while(msg_length_b >=512){ - twister_large_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_large_lastBlock(&ctx, msg, msg_length_b); - twister_large_ctx2hash(dest, &ctx, 384); -} - -/*********************************************************************/ -/*********************************************************************/ - - -void twister512_init(twister512_ctx_t* ctx){ - twister_large_init(ctx, 512); -} - -/*********************************************************************/ - -void twister512_nextBlock(twister512_ctx_t* ctx, const void* msg){ - twister_large_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -void twister512_lastBlock(twister512_ctx_t* ctx, const void* msg, uint16_t length_b){ - twister_large_lastBlock(ctx, msg, length_b); -} - -/*********************************************************************/ - -void twister512_ctx2hash(void* dest, twister512_ctx_t* ctx){ - twister_large_ctx2hash(dest, ctx, 512); -} - -/*********************************************************************/ - -void twister512(void* dest, const void* msg, uint32_t msg_length_b){ - twister_large_ctx_t ctx; - twister_large_init(&ctx, 512); - while(msg_length_b >=512){ - twister_large_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_large_lastBlock(&ctx, msg, msg_length_b); - twister_large_ctx2hash(dest, &ctx, 512); -} - - - diff --git a/twister-large.h b/twister-large.h deleted file mode 100644 index 45de18b..0000000 --- a/twister-large.h +++ /dev/null @@ -1,45 +0,0 @@ -/* twister-large.h */ - -#ifndef TWISTER_large_H_ -#define TWISTER_large_H_ - -#include -#include "twister.h" - -typedef uint8_t twister384_hash_t[384/8]; -typedef uint8_t twister512_hash_t[512/8]; - -typedef struct { - twister_state_t state; - twister_checksum_t checksum; -} twister_large_ctx_t; - -typedef twister_large_ctx_t twister384_ctx_t; -typedef twister_large_ctx_t twister512_ctx_t; - -/*********************************************************************/ - -void twister_large_nextBlock(twister_large_ctx_t* ctx, const void* msg); -void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b); -void twister_large_lastBlock(twister_large_ctx_t* ctx, const void* msg, uint16_t length_b); -void twister_large_ctx2hash(void* dest, twister_large_ctx_t* ctx, uint16_t hashsize_b); - -/*********************************************************************/ - -void twister384_init(twister384_ctx_t* ctx); -void twister384_nextBlock(twister384_ctx_t* ctx, const void* msg); -void twister384_lastBlock(twister384_ctx_t* ctx, const void* msg, uint16_t length_b); -void twister384_ctx2hash(void* dest, twister384_ctx_t* ctx); -void twister384(void* dest, const void* msg, uint32_t msg_length_b); - -/*********************************************************************/ - -void twister512_init(twister512_ctx_t* ctx); -void twister512_nextBlock(twister512_ctx_t* ctx, const void* msg); -void twister512_lastBlock(twister512_ctx_t* ctx, const void* msg, uint16_t length_b); -void twister512_ctx2hash(void* dest, twister512_ctx_t* ctx); -void twister512(void* dest, const void* msg, uint32_t msg_length_b); - - -#endif /* TWISTER_large_H_ */ - diff --git a/twister-sha3api.c b/twister-sha3api.c deleted file mode 100644 index 4ad0233..0000000 --- a/twister-sha3api.c +++ /dev/null @@ -1,113 +0,0 @@ -/* twister-sha3api.c */ - -#include "sha3-api.h" -#include "twister-sha3api.h" -#include "twister.h" -#include "twister-small.h" -#include "twister-big.h" -#include -#include - -#define BLOCKSIZE 512 - -HashReturn Init(hashState *state, int hashbitlen){ - if(!state) - return FAIL; - if(hashbitlen<32 || hashbitlen>512 || hashbitlen%32) - return BAD_HASHBITLEN; - - if (hashbitlen>=32 && hashbitlen<=256){ - state->hashbitlen = hashbitlen; - state->big = 0; - state->ctx = malloc(sizeof(twister_state_t)); - twister_small_init(state->ctx, hashbitlen); - state->buffer_fill_state=0; - memset(state->buffer, 0, 64); - return SUCCESS; - } - if (hashbitlen>256 && hashbitlen<=512){ - state->hashbitlen = hashbitlen; - state->big = 1; - state->ctx = malloc(sizeof(twister_big_ctx_t)); - twister_big_init(state->ctx, hashbitlen); - state->buffer_fill_state=0; - memset(state->buffer, 0, 64); - return SUCCESS; - } - return BAD_HASHBITLEN; -} - -void insertBitToBuffer(hashState *state, uint8_t bit){ - state->buffer[state->buffer_fill_state/8] |= - bit<<(7-(state->buffer_fill_state%8)); - state->buffer_fill_state++; -} - - -HashReturn Update(hashState *state, const BitSequence *data, - DataLength databitlen){ - if(state->buffer_fill_state+databitlen>(7-i%8))); - } - return SUCCESS; - } - if(state->buffer_fill_state==0){ - while(databitlen>=512){ - if(state->big){ - twister_big_nextBlock(state->ctx, data); - }else{ - twister_small_nextBlock(state->ctx, data); - } - data += 64; - databitlen -= 512; - } - if(databitlen!=0) - Update(state, data, databitlen); - return SUCCESS; - }else{ - DataLength i; - for(i=0; ibuffer_fill_state==512){ - if(state->big){ - twister_big_nextBlock(state->ctx, state->buffer); - }else{ - twister_small_nextBlock(state->ctx, state->buffer); - } - memset(state->buffer, 0, 64); - state->buffer_fill_state = 0; - } - insertBitToBuffer(state, 1&(data[i/8]>>(7-i%8))); - } - return SUCCESS; - } - return FAIL; -} - -HashReturn Final(hashState *state, BitSequence *hashval){ - if(state->big){ - twister_big_lastBlock(state->ctx, state->buffer, state->buffer_fill_state); - twister_big_ctx2hash(hashval, state->ctx, state->hashbitlen); - return SUCCESS; - }else{ - twister_small_lastBlock(state->ctx, state->buffer, state->buffer_fill_state); - twister_small_ctx2hash(hashval, state->ctx, state->hashbitlen); - return SUCCESS; - } -} - -HashReturn Hash(int hashbitlen, const BitSequence *data, - DataLength databitlen, BitSequence *hashval){ - HashReturn ret; - hashState state; - ret = Init(&state, hashbitlen); - if(ret!=SUCCESS) - return ret; - ret = Update(&state, data, databitlen); - if(ret!=SUCCESS) - return ret; - return Final(&state, hashval); -} - diff --git a/twister-sha3api.h b/twister-sha3api.h deleted file mode 100644 index 173dd52..0000000 --- a/twister-sha3api.h +++ /dev/null @@ -1,20 +0,0 @@ -/* twister-sha3api.h */ - -#include "sha3-api.h" -#include - -typedef struct{ - uint16_t hashbitlen; - uint8_t big; - void* ctx; /* points either to twister_state_t or twister_big_ctx_t */ - uint8_t buffer[64]; - uint16_t buffer_fill_state; -}hashState; - -HashReturn Init(hashState *state, int hashbitlen); -HashReturn Update(hashState *state, const BitSequence *data, - DataLength databitlen); -HashReturn Final(hashState *state, BitSequence *hashval); -HashReturn Hash(int hashbitlen, const BitSequence *data, - DataLength databitlen, BitSequence *hashval); - diff --git a/twister-small-asm.S b/twister-small-asm.S deleted file mode 100644 index 6cfda29..0000000 --- a/twister-small-asm.S +++ /dev/null @@ -1,209 +0,0 @@ -/* twister-small-asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister-small-asm.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-26 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" - -/* void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b)*/ -/* - * param ctx: r24:r25 - * param hashsize_b: r22:r23 - */ -.global twister224_init -twister224_init: - ldi r22, lo8(224) - ldi r23, hi8(224) - rjmp 1f - -.global twister256_init -twister256_init: - ldi r22, lo8(256) - ldi r23, hi8(256) - -.global twister_small_init -twister_small_init: - movw r30, r24 - ldi r24, 64 -1: - st Z+, r1 - dec r24 - brne 1b - - dec r1 - ldi r24, 8 -1: - st Z+, r1 - dec r24 - brne 1b - - inc r1 - ldi r24, 8 -1: - st Z+, r1 - dec r24 - brne 1b - - sbiw r30, 1+8+8 - sbiw r30, 8*7 - st Z, r23 - std Z+8, r22 - ret -#if 1 -/*********************************************************************/ -/* void twister_small_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b) */ -/* - * param ctx: r24:r25 - * param msg: r22:r23 - * param length_b: r20:r21 - */ -TMP_SAVE0 = 12 -TMP_SAVE1 = 13 -CTX_SAVE0 = 14 -CTX_SAVE1 = 15 -LEN_SAVE0 = 16 -LEN_SAVE1 = 17 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 -.global twister_small_lastBlock -.global twister224_lastBlock -.global twister256_lastBlock - -twister224_lastBlock: -twister256_lastBlock: -twister_small_lastBlock: - push_range 12, 17 - push r28 - push r29 - stack_alloc_large 64 - adiw r30, 1 - movw TMP_SAVE0, r30 - movw CTX_SAVE0, r24 - movw MSG_SAVE0, r22 - movw LEN_SAVE0, r20 -1: - cpi LEN_SAVE1, 2 - brmi 2f - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_small_nextBlock - adiw MSG_SAVE0, 8 - subi LEN_SAVE1, 2 - rjmp 1b -2: - movw r18, LEN_SAVE0 - lsr r19 - ror r18 - lsr r18 - lsr r18 - ldi r19, 63 - movw r26, MSG_SAVE0 - movw r30, TMP_SAVE0 - ldi r20, 0x80 - sub r19, r18 /* r18: bytes to copy, r19: bytes to clear */ - - ld r0, X+ -3: tst r18 - breq 4f -31: - st Z+, r0 - ld r0, X+ - dec r18 - brne 31b -4: - mov r18, LEN_SAVE0 - andi r18, 0x07 - ldi r20, 0x80 - breq 5f -4: - lsr r20 - dec r18 - brne 4b - or r20, r0 - rjmp 5f - -5: - st Z+, r20 - - tst r19 - breq 7f -6: - st Z+, r1 - dec r19 - brne 6b -7: - movw r24, CTX_SAVE0 - movw r22, TMP_SAVE0 - rcall twister_small_nextBlock - - ldi r19, 2 - clr r18 - - sub r18, LEN_SAVE0 - sbc r19, LEN_SAVE1 - movw r26, CTX_SAVE0 - adiw r26, 63 - adiw r26, 1+8 - - ld r0, X - sub r0, r18 - st X+, r0 - ld r0, X - sbc r0, r19 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - ld r0, X - sbc r0, r1 - st X+, r0 - - sbiw r26, 8 - movw r24, CTX_SAVE0 - movw r22, r26 - rcall twister_mini_round - - movw r24, CTX_SAVE0 - rcall twister_blank_round - - stack_free_large 64 - pop r29 - pop r28 - pop_range 12, 17 - ret - -#endif diff --git a/twister-small-stub.c b/twister-small-stub.c deleted file mode 100644 index 9eb4112..0000000 --- a/twister-small-stub.c +++ /dev/null @@ -1,167 +0,0 @@ -/* twister-small.c */ - -#include -#include -#include "memxor.h" -#include "twister-small.h" - -/*********************************************************************/ -#if 0 -void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b){ - memset(ctx->s, 0, 64); - ctx->counter=0xffffffffffffffffLL; - ctx->s[0][7] = hashsize_b>>8; - ctx->s[1][7] = hashsize_b&0xff; - ctx->length_counter_b = 0; -} - -/*********************************************************************/ - -void twister_small_nextBlock(twister_state_t* ctx, void* msg){ - uint8_t tmp[8][8]; - /* round 1 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - memxor(ctx->s, tmp, 64); - - /* round 2 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - memxor(ctx->s, tmp, 64); - - /* round 3 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - twister_blank_round(ctx); - memxor(ctx->s, tmp, 64); - ctx->length_counter_b += 512; -} -#endif -/*********************************************************************/ -#if 0 -void twister_small_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b){ - uint8_t tmp[64]; - while(length_b>512){ - twister_small_nextBlock(ctx, msg); - msg = ((uint8_t*)msg)+64; - length_b -= 512; - } - memset(tmp, 0, 64); - memcpy(tmp, msg, (length_b+7)/8); - tmp[length_b/8] |= 0x80 >> (length_b&0x07); - twister_small_nextBlock(ctx, tmp); - ctx->length_counter_b -= 512 - length_b; - twister_mini_round(ctx, &(ctx->length_counter_b)); - twister_blank_round(ctx); -} - - -void twister256_lastBlock(twister256_ctx_t* ctx, void* msg, uint16_t length_b){ - twister_small_lastBlock(ctx, msg, length_b); -} - - -void twister224_lastBlock(twister224_ctx_t* ctx, void* msg, uint16_t length_b){ - twister_small_lastBlock(ctx, msg, length_b); -} - -#endif -#if 0 -/*********************************************************************/ - -void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ - twister_ctx2hash(dest, ctx, hashsize_b); -} - -/*********************************************************************/ -/*********************************************************************/ - -#ifndef NO_TWISTER_256 - -void twister256_init(twister256_ctx_t* ctx){ - twister_small_init(ctx, 256); -} - -/*********************************************************************/ - -void twister256_nextBlock(twister256_ctx_t* ctx, void* msg){ - twister_small_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -/*********************************************************************/ - -void twister256_ctx2hash(void* dest, twister256_ctx_t* ctx){ - twister_ctx2hash(dest, ctx, 256); -} - -/*********************************************************************/ - -void twister256(void* dest, void* msg, uint32_t msg_length_b){ - twister_state_t ctx; - twister_small_init(&ctx, 256); - while(msg_length_b >=512){ - twister_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_small_lastBlock(&ctx, msg, msg_length_b); - twister_ctx2hash(dest, &ctx, 256); -} - -/*********************************************************************/ - -#endif - -/*********************************************************************/ -/*********************************************************************/ - -#ifndef NO_TWISTER_224 - -void twister224_init(twister224_ctx_t* ctx){ - twister_small_init(ctx, 224); -} - -/*********************************************************************/ - -void twister224_nextBlock(twister224_ctx_t* ctx, void* msg){ - twister_small_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -/*********************************************************************/ - -void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx){ - twister_ctx2hash(dest, ctx, 224); -} - -/*********************************************************************/ - -void twister224(void* dest, void* msg, uint32_t msg_length_b){ - twister_state_t ctx; - twister_small_init(&ctx, 224); - while(msg_length_b >=512){ - twister_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_small_lastBlock(&ctx, msg, msg_length_b); - twister_ctx2hash(dest, &ctx, 224); -} - -#endif -#endif diff --git a/twister-small.c b/twister-small.c deleted file mode 100644 index 5fb0536..0000000 --- a/twister-small.c +++ /dev/null @@ -1,164 +0,0 @@ -/* twister-small.c */ - -#include -#include -#include "memxor.h" -#include "twister-small.h" - -/*********************************************************************/ - -void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b){ - memset(ctx->s, 0, 64); - ctx->counter=0xffffffffffffffffLL; - ctx->s[0][7] = hashsize_b>>8; - ctx->s[1][7] = hashsize_b&0xff; - ctx->length_counter_b = 0; -} - -/*********************************************************************/ - -void twister_small_nextBlock(twister_state_t* ctx, const void* msg){ - uint8_t tmp[8][8]; - /* round 1 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - memxor(ctx->s, tmp, 64); - - /* round 2 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - memxor(ctx->s, tmp, 64); - - /* round 3 */ - memcpy(tmp, ctx->s, 64); - twister_mini_round(ctx, msg); - msg = ((uint8_t*)msg) + 8; - twister_mini_round(ctx, msg); - twister_blank_round(ctx); - memxor(ctx->s, tmp, 64); - ctx->length_counter_b += 512; -} - -/*********************************************************************/ - -void twister_small_lastBlock(twister_state_t* ctx, const void* msg, uint16_t length_b){ - uint8_t tmp[64]; - while(length_b>=512){ - twister_small_nextBlock(ctx, msg); - msg = ((uint8_t*)msg)+64; - length_b -= 512; - } - memset(tmp, 0, 64); - memcpy(tmp, msg, (length_b+7)/8); - tmp[length_b/8] |= 0x80 >> (length_b&0x07); - twister_small_nextBlock(ctx, tmp); - ctx->length_counter_b -= 512 - length_b; - - twister_mini_round(ctx, &(ctx->length_counter_b)); - twister_blank_round(ctx); -} - -/*********************************************************************/ - -void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ - twister_ctx2hash(dest, ctx, hashsize_b); -} - -/*********************************************************************/ -/*********************************************************************/ - -#ifndef NO_TWISTER_256 - -void twister256_init(twister256_ctx_t* ctx){ - twister_small_init(ctx, 256); -} - -/*********************************************************************/ - -void twister256_nextBlock(twister256_ctx_t* ctx, const void* msg){ - twister_small_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -void twister256_lastBlock(twister256_ctx_t* ctx, const void* msg, uint16_t length_b){ - twister_small_lastBlock(ctx, msg, length_b); -} - -/*********************************************************************/ - -void twister256_ctx2hash(void* dest, twister256_ctx_t* ctx){ - twister_ctx2hash(dest, ctx, 256); -} - -/*********************************************************************/ - -void twister256(void* dest, const void* msg, uint32_t msg_length_b){ - twister_state_t ctx; - twister_small_init(&ctx, 256); - while(msg_length_b >=512){ - twister_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_small_lastBlock(&ctx, msg, msg_length_b); - twister_ctx2hash(dest, &ctx, 256); -} - -/*********************************************************************/ - -#endif - -/*********************************************************************/ -/*********************************************************************/ - -#ifndef NO_TWISTER_224 - -void twister224_init(twister224_ctx_t* ctx){ - twister_small_init(ctx, 224); -} - -/*********************************************************************/ - -void twister224_nextBlock(twister224_ctx_t* ctx, const void* msg){ - twister_small_nextBlock(ctx, msg); -} - -/*********************************************************************/ - -void twister224_lastBlock(twister224_ctx_t* ctx, const void* msg, uint16_t length_b){ - twister_small_lastBlock(ctx, msg, length_b); -} - -/*********************************************************************/ - -void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx){ - twister_ctx2hash(dest, ctx, 224); -} - -/*********************************************************************/ - -void twister224(void* dest, const void* msg, uint32_t msg_length_b){ - twister_state_t ctx; - twister_small_init(&ctx, 224); - while(msg_length_b >=512){ - twister_small_nextBlock(&ctx, msg); - msg = (uint8_t*)msg + 512/8; - msg_length_b -= 512; - } - twister_small_lastBlock(&ctx, msg, msg_length_b); - twister_ctx2hash(dest, &ctx, 224); -} - -#endif - diff --git a/twister-small.h b/twister-small.h deleted file mode 100644 index ca55119..0000000 --- a/twister-small.h +++ /dev/null @@ -1,33 +0,0 @@ -/* twister-small.h */ - -#ifndef TWISTER_SMALL_H_ -#define TWISTER_SMALL_H_ - -#include -#include "twister.h" - -typedef uint8_t twister256_hash_t[256/8]; -typedef uint8_t twister224_hash_t[224/8]; - -typedef twister_state_t twister256_ctx_t; -typedef twister_state_t twister224_ctx_t; - -void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b); -void twister_small_lastBlock(twister_state_t* ctx, const void* msg, uint16_t length_b); -void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b); -void twister_small_nextBlock(twister_state_t* ctx, const void* msg); - - -void twister256_init(twister256_ctx_t* ctx); -void twister256_nextBlock(twister256_ctx_t* ctx, const void* msg); -void twister256_lastBlock(twister256_ctx_t* ctx, const void* msg, uint16_t length_b); -void twister256_ctx2hash(void* dest, twister_state_t* ctx); -void twister256(void* dest, const void* msg, uint32_t msg_length_b); - -void twister224_init(twister224_ctx_t* ctx); -void twister224_nextBlock(twister224_ctx_t* ctx, const void* msg); -void twister224_lastBlock(twister224_ctx_t* ctx, const void* msg, uint16_t length_b); -void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx); -void twister224(void* dest, const void* msg, uint32_t msg_length_b); - -#endif /* TWISTER_SMALL_H_ */ diff --git a/twister.c b/twister.c deleted file mode 100644 index c82e22e..0000000 --- a/twister.c +++ /dev/null @@ -1,116 +0,0 @@ -/* twister.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include "config.h" -#include -#include -#include -#include "twister.h" -#include "twister_tables.h" -#include "memxor.h" - -//#ifndef TWISTER_MUL_TABLE -# include "gf256mul.h" -//#endif - -#define MDS(a,b) pgm_read_byte(&(twister_mds[(a)][(b)])) - -//#ifdef TWISTER_MUL_TABLE -//# define MULT(a,b) pgm_read_byte(&(twister_multab[(a)][(b)])) -//#else -# define MULT(a,b) gf256mul((a),(b), 0x4D) -//#endif - -void twister_blank_round(twister_state_t* ctx){ - uint8_t i,j,k; - uint8_t tmp[8][8]; - /* add twist counter */ - for(i=0; i<8; ++i){ - ctx->s[i][1] ^= ((uint8_t*)&(ctx->counter))[7-i]; - } - ctx->counter--; - /* sub bytes */ - for(i=0; i<8; ++i){ - for(j=0;j<8;++j){ - tmp[i][j] = pgm_read_byte(twister_sbox+ctx->s[i][j]); - } - } - /* mix columns with integrates shift rows */ - for( i=0; i<8; i++ ){ - // multiply with mds matrix - for( j=0; j<8; j++ ){ - k=(i+1)&7; - ctx->s[j][i] = - MULT( MDS(j,0), (tmp[0][i]) ); - ctx->s[j][i] ^= - MULT( MDS(j,1), (tmp[1][k]) ); - ctx->s[j][i] ^= - MULT( MDS(j,2), (tmp[2][((++k)&7)]) ); - ctx->s[j][i] ^= - MULT( MDS(j,3), (tmp[3][((++k)&7)]) ); - ctx->s[j][i] ^= - MULT( MDS(j,4), (tmp[4][((++k)&7)]) ); - ctx->s[j][i] ^= - MULT( MDS(j,5), (tmp[5][((++k)&7)]) ); - ctx->s[j][i] ^= - MULT( MDS(j,6), (tmp[6][((++k)&7)]) ); - ctx->s[j][i] ^= - MULT( MDS(j,7), (tmp[7][((++k)&7)]) ); - - } - } -} -void twister_mini_round(twister_state_t* ctx, const void* msg){ - /* inject message */ - uint8_t i; - for(i=0; i<8; ++i){ - ctx->s[7][7-i] ^= *((uint8_t*)msg); - msg = (uint8_t*)msg +1; - } - twister_blank_round(ctx); -} - -void twister_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ - uint8_t tmp[8][8]; - uint8_t j; - uint16_t i=hashsize_b; - while(i>=64){ - i-=64; - memcpy(tmp,ctx->s, 64); - twister_blank_round(ctx); - memxor(ctx->s, tmp, 64); - twister_blank_round(ctx); - for(j=0; j<8; ++j){ - *((uint8_t*)dest) = ctx->s[7-j][0] ^ tmp[7-j][0]; - dest = (uint8_t*)dest + 1; - } - } - if(i>=32){ - memcpy(tmp,ctx->s, 64); - twister_blank_round(ctx); - memxor(ctx->s, tmp, 64); - twister_blank_round(ctx); - for(j=0; j<4; ++j){ - *((uint8_t*)dest) = ctx->s[3-j][0] ^ tmp[3-j][0]; - dest = (uint8_t*)dest + 1; - } - } -} - - diff --git a/twister.h b/twister.h deleted file mode 100644 index ec6b219..0000000 --- a/twister.h +++ /dev/null @@ -1,44 +0,0 @@ -/* twister.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister.h - * \author Daniel Otte - * \date 2008-12-20 - * \license GPLv3 or later - * - */ - -#ifndef TWISTER_H_ -#define TWISTER_H_ - -#include - -typedef struct { - uint8_t s[8][8]; - uint64_t counter; - uint64_t length_counter_b; -} twister_state_t; - -typedef uint8_t twister_checksum_t[8][8]; - -void twister_blank_round(twister_state_t* ctx); -void twister_mini_round(twister_state_t* ctx, const void* msg); -void twister_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b); - -#endif /* TWISTER_H_ */ diff --git a/twister/gf256mul.S b/twister/gf256mul.S new file mode 100644 index 0000000..b269d3a --- /dev/null +++ b/twister/gf256mul.S @@ -0,0 +1,82 @@ +/* gf256mul.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: gf256mul.S + * Author: Daniel Otte + * Date: 2008-12-19 + * License: GPLv3 or later + * Description: peasant's algorithm for multiplication in GF(2^8) + * + */ + +#include +#define OPTIMIZE_SMALL_A + +/* + * param a: r24 + * param b: r22 + * param reducer: r20 + */ +A = 23 +B = 22 +P = 24 +.global gf256mul + +#ifdef OPTIMIZE_SMALL_A +gf256mul: + mov A, r24 + clr r24 +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +#else + +gf256mul: + mov r21, r24 + clr r24 + ldi r25, 8 +1: + lsr A + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + dec r25 + brne 1b + ret + +#endif diff --git a/twister/gf256mul.h b/twister/gf256mul.h new file mode 100644 index 0000000..87f1cb3 --- /dev/null +++ b/twister/gf256mul.h @@ -0,0 +1,37 @@ +/* gf256mul.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef GF256MUL_H_ +#define GF256MUL_H_ + +/** + * \author Daniel Otte + * \email daniel.otte@rub.de + * \date 2008-12-19 + * \license GPLv3 + * \brief + * + * + */ + +#include + +uint8_t gf256mul(uint8_t a, uint8_t b, uint8_t reducer); + +#endif /* GF256MUL_H_ */ + diff --git a/twister/memxor.S b/twister/memxor.S new file mode 100644 index 0000000..a32058b --- /dev/null +++ b/twister/memxor.S @@ -0,0 +1,66 @@ +/* memxor.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * File: memxor.S + * Author: Daniel Otte + * Date: 2008-08-07 + * License: GPLv3 or later + * Description: memxor, XORing one block into another + * + */ + +/* + * void memxor(void* dest, const void* src, uint16_t n); + */ + /* + * param dest is passed in r24:r25 + * param src is passed in r22:r23 + * param n is passed in r20:r21 + */ +.global memxor +memxor: + movw r30, r24 + movw r26, r22 + movw r24, r20 + adiw r24, 0 + breq 2f +1: + ld r20, X+ + ld r21, Z + eor r20, r21 + st Z+, r20 + sbiw r24, 1 + brne 1b +2: + ret + + + + + + + + + + + + + + diff --git a/twister/memxor.h b/twister/memxor.h new file mode 100644 index 0000000..a62a616 --- /dev/null +++ b/twister/memxor.h @@ -0,0 +1,7 @@ +#ifndef MEMXOR_H_ +#define MEMXOR_H_ +#include + +void memxor(void* dest, const void* src, uint16_t n); + +#endif diff --git a/twister/twister-asm.S b/twister/twister-asm.S new file mode 100644 index 0000000..746ea09 --- /dev/null +++ b/twister/twister-asm.S @@ -0,0 +1,604 @@ +/* twister-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-22 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" + +twister_sbox: +.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 +.byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 +.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 +.byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 +.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc +.byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 +.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a +.byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 +.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 +.byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 +.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b +.byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf +.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 +.byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 +.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 +.byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 +.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 +.byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 +.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 +.byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb +.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c +.byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 +.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 +.byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 +.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 +.byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a +.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e +.byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e +.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 +.byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf +.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 +.byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 + +/* + * param ctx: r24:r25 + * param msg: r22:r23 + */ +.global twister_mini_round +twister_mini_round: + movw r26, r24 + movw r30, r22 + adiw r26, 8*7 + adiw r30, 8 + ldi r21, 8 +1: + ld r22, X + ld r23, -Z + eor r22, r23 + st X+, r22 + dec r21 + brne 1b + +/* + * param ctx: r24:r25 + * + */ +X_SAVE0 = 4 +X_SAVE1 = 5 +Y_SAVE0 = 6 +Y_SAVE1 = 7 +MDS0 = 8 +MDS1 = 9 +MDS2 = 10 +MDS3 = 11 +MDS4 = 12 +MDS5 = 13 +MDS6 = 14 +MDS7 = 15 + + +.global twister_blank_round +twister_blank_round: + push_range 4, 17 + push r28 + push r29 + stack_alloc_large 64, r28, r29 + + movw X_SAVE0, r24 + movw r30, r24 + adiw r30, 63 + adiw r30, 1+8 /* Z points behind counter */ + movw r26, r24 + adiw r26, 1 + ldi r22, 8 +1: /* "add" counter */ + ld r16, -Z + ld r21, X + eor r21, r16 + st X, r21 + adiw r26, 8 + dec r22 + brne 1b + + /* decrement counter */ + subi r16, 1 + st Z+, r16 + ldi r17, 7 +1: + ld r16, Z + sbci r16, 0 + st Z+, r16 + dec r17 + brne 1b + + movw r26, r24 + adiw r28, 1 /* Y points to stack memory */ + movw Y_SAVE0, r28 + movw r24, r28 + ldi r20, lo8(twister_sbox) + ldi r21, hi8(twister_sbox) + ldi r18, 8 +1: + ldi r19, 0 + +2: /* sbox substitution */ + ld r0, X+ + movw r30, r20 + add r30, r0 + adc r31, r1 + lpm r0, Z + movw r28, r24 + mov r16, r18 + add r16, r19 + andi r16, 0x07 + add r28, r16 + adc r29, r1 + st Y, r0 + inc r19 + cpi r19, 8 + brne 2b + adiw r24, 8 + dec r18 + brne 1b + + /* load MDS-Table to MDS0:MDS7 */ + ldi r18, 1 + mov MDS1, r18 + mov MDS2, r18 + mov MDS7, r18 + ldi r18, 2 + mov MDS0, r18 + ldi r18, 5 + mov MDS3, r18 + ldi r18, 6 + mov MDS6, r18 + ldi r18, 7 + mov MDS4, r18 + ldi r18, 8 + mov MDS5, r18 + + ldi r20, 0x4D /* reducer for gf256mul*/ + ldi r16, 0 + +1: + movw r26, X_SAVE0 + add r26, r16 + adc r27, r1 + ldi r17, 8 +2: + mov r24, MDS0 + movw r28, Y_SAVE0 + add r28, r16 + adc r29, r1 + ld r22, Y + rcall gf256mul + mov r0, r24 + + mov r24, MDS1 + ldd r22, Y+8 + rcall gf256mul + eor r0, r24 + + mov r24, MDS2 + ldd r22, Y+8*2 + rcall gf256mul + eor r0, r24 + + mov r24, MDS3 + ldd r22, Y+8*3 + rcall gf256mul + eor r0, r24 + + mov r24, MDS4 + ldd r22, Y+8*4 + rcall gf256mul + eor r0, r24 + + mov r24, MDS5 + ldd r22, Y+8*5 + rcall gf256mul + eor r0, r24 + + mov r24, MDS6 + ldd r22, Y+8*6 + rcall gf256mul + eor r0, r24 + + mov r24, MDS7 + ldd r22, Y+8*7 + rcall gf256mul + eor r0, r24 + + st X, r0 + adiw r26, 8 + + mov r0, MDS7 + mov MDS7, MDS6 + mov MDS6, MDS5 + mov MDS5, MDS4 + mov MDS4, MDS3 + mov MDS3, MDS2 + mov MDS2, MDS1 + mov MDS1, MDS0 + mov MDS0, r0 + + dec r17 + brne 2b +8: + inc r16 + cpi r16, 8 + brne 1b + +9: + stack_free_large 64 + pop r29 + pop r28 + pop_range 4, 17 + ret + +/*********************************************************************/ +A = 23 +B = 22 +P = 24 + +gf256mul: + mov A, r24 + clr P +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + +/*********************************************************************/ +/* twister_ctx2hash */ +/* + * param dest: r24:r25 + * param ctx: r22:r23 + * param hashsize_b: r20:r21 + */ +DEST_SAVE0 = 10 +DEST_SAVE1 = 11 +CTX_SAVE0 = 12 +CTX_SAVE1 = 13 +LEN_SAVE = 14 +LEN32_SAVE = 15 +TMP_SAVE0 = 16 +TMP_SAVE1 = 17 + + +.global twister_ctx2hash +.global twister_small_ctx2hash +.global twister_large_ctx2hash +.global twister224_ctx2hash +.global twister256_ctx2hash +.global twister384_ctx2hash +.global twister512_ctx2hash + +twister224_ctx2hash: + ldi r20, lo8(224) + ldi r21, hi8(224) + rjmp twister_ctx2hash + +twister256_ctx2hash: + ldi r20, lo8(256) + ldi r21, hi8(256) + rjmp twister_ctx2hash + +twister384_ctx2hash: + ldi r20, lo8(384) + ldi r21, hi8(384) + rjmp twister_ctx2hash + +twister512_ctx2hash: + ldi r20, lo8(512) + ldi r21, hi8(512) +; rjmp twister_ctx2hash + +twister_large_ctx2hash: +twister_small_ctx2hash: +twister_ctx2hash: + push_range 10, 17 + push r28 + push r29 + stack_alloc_large 64 + movw DEST_SAVE0, r24 + movw CTX_SAVE0, r22 + clr LEN32_SAVE + sbrc r20, 5 + inc LEN32_SAVE + lsr r21 + ror r20 + lsr r21 + ror r20 /* length is max 512 so we now only have to shift r20 */ + swap r20 /* this is faster than 4 shifts */ + andi r20, 0x0f + add r20, LEN32_SAVE + mov LEN_SAVE, r20 + + adiw r30, 1 + movw TMP_SAVE0, r30 +1: + dec LEN_SAVE + brmi 9f + /* tmp <- ctx-s */ + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r20, 64/4 +3: + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + dec r20 + brne 3b + + movw r24, CTX_SAVE0 + rcall twister_blank_round + /* ctx-s ^= tmp */ + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r20, 64 +3: + ld r0, X + ld r21, Z+ + eor r0, r21 + st X+, r0 + dec r20 + brne 3b + + movw r24, CTX_SAVE0 + rcall twister_blank_round + + + movw r26, CTX_SAVE0 + + tst LEN_SAVE + brne 2f + tst LEN32_SAVE + brne 5f +2: + adiw r26, 8*7 + movw r30, TMP_SAVE0 + adiw r30, 8*7 + movw r28, DEST_SAVE0 + ldi r20, 8 +3: + ld r0, Z + ld r21, X + eor r0, r21 + st Y+, r0 + sbiw r26, 8 + sbiw r30, 8 + dec r20 + brne 3b + movw DEST_SAVE0, r28 +7: + rjmp 1b + +5: + adiw r26, 8*3 + movw r30, TMP_SAVE0 + adiw r30, 8*3 + movw r28, DEST_SAVE0 + ldi r20, 4 +3: + ld r0, Z + ld r21, X + eor r0, r21 + st Y+, r0 + sbiw r26, 8 + sbiw r30, 8 + dec r20 + brne 3b + +9: + stack_free_large 64 + pop r29 + pop r28 + pop_range 10, 17 + ret + + + +/*********************************************************************/ +/* void twister_small_nextBlock(twister_state_t* ctx, void* msg) */ +/* + * param ctx: r24:r25 + * param msg: r22:r23 + */ +CTX_SAVE0 = 14 +CTX_SAVE1 = 15 +TMP_SAVE0 = 12 +TMP_SAVE1 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 +.global twister_small_nextBlock +.global twister224_nextBlock +.global twister256_nextBlock + +twister224_nextBlock: +twister256_nextBlock: +twister_small_nextBlock: + push_range 12, 15 + push r28 + push r29 + stack_alloc_large 64 + adiw r30, 1 + movw TMP_SAVE0, r30 + movw CTX_SAVE0, r24 + movw MSG_SAVE0, r22 + movw r26, CTX_SAVE0 + ldi r18, 64/8 +1: + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + dec r18 + brne 1b + + rcall twister_mini_round + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z + eor r0, r23 + st X+, r0 + st Z+, r0 + dec r18 + brne 1b + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z + eor r0, r23 + st X+, r0 + st Z+, r0 + dec r18 + brne 1b + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + rcall twister_blank_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z+ + eor r0, r23 + st X+, r0 + dec r18 + brne 1b + + adiw r26, 9 + ldi r19, 2 + ld r0, X + add r0, r19 + st X+, r0 + + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + + stack_free_large 64 + pop r29 + pop r28 + pop_range 12, 15 + ret + + + + + + + + diff --git a/twister/twister-asm.S_shiftmul b/twister/twister-asm.S_shiftmul new file mode 100644 index 0000000..3857e19 --- /dev/null +++ b/twister/twister-asm.S_shiftmul @@ -0,0 +1,351 @@ +/* twister-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-22 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" + +twister_sbox: +.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 +.byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 +.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 +.byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 +.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc +.byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 +.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a +.byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 +.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 +.byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 +.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b +.byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf +.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 +.byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 +.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 +.byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 +.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 +.byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 +.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 +.byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb +.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c +.byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 +.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 +.byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 +.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 +.byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a +.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e +.byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e +.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 +.byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf +.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 +.byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 + + +/* + * param ctx: r24:r25 + * + */ +X_SAVE0 = 4 +X_SAVE1 = 5 +Y_SAVE0 = 6 +Y_SAVE1 = 7 +MDS0 = 8 +MDS1 = 9 +MDS2 = 10 +MDS3 = 11 +MDS4 = 12 +MDS5 = 13 +MDS6 = 14 +MDS7 = 15 +IDX1 = 18 +IDX2 = 19 +TMP = 21 +.global twister_blank_round +twister_blank_round: + push_range 4, 17 + push r28 + push r29 + stack_alloc_large 64, r28, r29 + + movw r30, r24 + adiw r30, 63 + adiw r30, 1+8 /* Z points behind counter */ + movw r26, r24 + adiw r26, 1 + ldi r22, 8 +1: /* "add" counter */ + ld r16, -Z + ld r21, X + eor r21, r16 + st X, r21 + adiw r26, 8 + dec r22 + brne 1b + + /* decrement counter */ + subi r16, 1 + st Z+, r16 + ldi r17, 7 +1: + ld r16, Z + sbci r16, 0 + st Z+, r16 + dec r17 + brne 1b + + movw r26, r24 + adiw r28, 1 /* Y points to stack memory */ + movw Y_SAVE0, r28 + ldi r20, lo8(twister_sbox) + ldi r21, hi8(twister_sbox) + ldi r19, 64 + +1: /* sbox substitution */ + ld r0, X+ + movw r30, r20 + add r30, r0 + adc r31, r1 + lpm r0, Z + st Y+, r0 + dec r19 + brne 1b + + /* load MDS-Table to MDS0:MDS7 */ +/* + ldi r18, 1 + mov MDS1, r18 + mov MDS6, r18 + mov MDS7, r18 + ldi r18, 2 + mov MDS0, r18 + ldi r18, 5 + mov MDS5, r18 + ldi r18, 6 + mov MDS2, r18 + ldi r18, 7 + mov MDS4, r18 + ldi r18, 8 + mov MDS3, r18 +*/ + ldi r18, 1 + mov MDS1, r18 + mov MDS2, r18 + mov MDS7, r18 + ldi r18, 2 + mov MDS0, r18 + ldi r18, 5 + mov MDS3, r18 + ldi r18, 6 + mov MDS6, r18 + ldi r18, 7 + mov MDS4, r18 + ldi r18, 8 + mov MDS5, r18 +; sbiw r28, 63 +; sbiw r28, 1 /* Y points again at tmp buffer */ +; movw Y_SAVE0, r28 +; sbiw r26, 63 +; sbiw r26, 1 /* X points again at state buffer */ + movw X_SAVE0, r24 + + ldi r20, 0x4D /* reducer for gf256mul*/ + ldi r16, 0 + +; rjmp 9f +1: + mov IDX1, r16 + movw r26, X_SAVE0 + add r26, r16 + adc r27, r1 + ldi r17, 0 +2: + mov IDX2, r17 + + mov r24, MDS0 + movw r28, Y_SAVE0 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + mov r0, r24 + + mov r24, MDS1 + movw r28, Y_SAVE0 + adiw r28, 8 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS2 + movw r28, Y_SAVE0 + adiw r28, 8*2 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS3 + movw r28, Y_SAVE0 + adiw r28, 8*3 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS4 + movw r28, Y_SAVE0 + adiw r28, 8*4 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS5 + movw r28, Y_SAVE0 + adiw r28, 8*5 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS6 + movw r28, Y_SAVE0 + adiw r28, 8*6 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + mov r24, MDS7 + movw r28, Y_SAVE0 + adiw r28, 8*7 + inc IDX1 + andi IDX1, 0x07 + add r28, IDX1 + adc r29, r1 + ld r22, Y + rcall gf256mul + eor r0, r24 + + st X, r0 + adiw r26, 8 +/* + mov r0, MDS0 + mov MDS0, MDS1 + mov MDS1, MDS2 + mov MDS2, MDS3 + mov MDS3, MDS4 + mov MDS4, MDS5 + mov MDS5, MDS6 + mov MDS6, MDS7 + mov MDS7, r0 +*/ + mov r0, MDS7 + mov MDS7, MDS6 + mov MDS6, MDS5 + mov MDS5, MDS4 + mov MDS4, MDS3 + mov MDS3, MDS2 + mov MDS2, MDS1 + mov MDS1, MDS0 + mov MDS0, r0 + + cpi r17, 7 + breq 8f + inc r17 + rjmp 2b +8: + + mov r0, MDS7 + mov MDS7, MDS6 + mov MDS6, MDS5 + mov MDS5, MDS4 + mov MDS4, MDS3 + mov MDS3, MDS2 + mov MDS2, MDS1 + mov MDS1, MDS0 + mov MDS0, r0 + + cpi r16, 7 + breq 9f + inc r16 + rjmp 1b +9: + stack_free_large 64 + pop r29 + pop r28 + pop_range 4, 17 + ret + + +A = 23 +B = 22 +P = 24 + +gf256mul: + mov A, r24 + clr P +1: + lsr A + breq 4f + brcc 2f + eor P, B +2: + lsl B + brcc 3f + eor B, r20 +3: + rjmp 1b +4: + brcc 2f + eor P, B +2: + ret + + + + + + + + diff --git a/twister/twister-large-asm.S b/twister/twister-large-asm.S new file mode 100644 index 0000000..be10546 --- /dev/null +++ b/twister/twister-large-asm.S @@ -0,0 +1,516 @@ +/* twister-large-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister-large-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-27 + * \license GPLv3 or later + * + */ + + #include "avr-asm-macros.S" + +/* void checksum_update(twister_large_ctx_t* ctx, uint8_t col) */ +/* + * param ctx: r24:r25 + * param col: r22 + */ +checksum_update: + push r16 + push r28 + push r29 + lsl r22 + lsl r22 + lsl r22 + mov r16, r22 + movw r30, r24 /* X points to ctx->state.s */ + + ldd r18, Z+7*8 + ldd r19, Z+6*8 + ldd r20, Z+5*8 + ldd r21, Z+4*8 + ldd r22, Z+3*8 + ldd r23, Z+2*8 + ldd r24, Z+1*8 + ldd r25, Z+0*8 + + adiw r30, 63 + adiw r30, 1+3*8 /* Z points at ctx->checksum[0][8] */ + movw r28, r30 /* Y points at ctx->checksum[0][8] */ + andi r16, 63 + add r30, r16 /* Z points at ctx->checksum[col][8]*/ + adc r31, r1 + ldi r26, 8 + add r16, r26 + andi r16, 63 + add r28, r16 + adc r29, r1 /* Y points at ctx->checksum[(col+1)%8][8]*/ + + ld r0, -Y + add r18, r0 + ld r0, -Z + eor r0, r18 + st Z, r0 + + ld r0, -Y + adc r19, r0 + ld r0, -Z + eor r0, r19 + st Z, r0 + + ld r0, -Y + adc r20, r0 + ld r0, -Z + eor r0, r20 + st Z, r0 + + ld r0, -Y + adc r21, r0 + ld r0, -Z + eor r0, r21 + st Z, r0 + + ld r0, -Y + adc r22, r0 + ld r0, -Z + eor r0, r22 + st Z, r0 + + ld r0, -Y + adc r23, r0 + ld r0, -Z + eor r0, r23 + st Z, r0 + + ld r0, -Y + adc r24, r0 + ld r0, -Z + eor r0, r24 + st Z, r0 + + ld r0, -Y + adc r25, r0 + ld r0, -Z + eor r0, r25 + st Z, r0 + + pop r29 + pop r28 + pop r16 + ret + +/*********************************************************************/ +/* void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b)*/ +/* + * param ctx: r24:r25 + * param hashsize_b: r22:r23 + */ +.global twister384_init +twister384_init: + ldi r22, lo8(384) + ldi r23, hi8(384) + rjmp twister_large_init + +.global twister512_init +twister512_init: + ldi r22, lo8(512) + ldi r23, hi8(512) + +.global twister_large_init +twister_large_init: + movw r30, r24 + ldi r24, 64 +1: + st Z+, r1 + dec r24 + brne 1b + + dec r1 + ldi r24, 8 +1: + st Z+, r1 + dec r24 + brne 1b + + inc r1 + ldi r24, 8+64 +1: + st Z+, r1 + dec r24 + brne 1b + + subi r30, lo8(1+8+8+8*7+64) + sbci r31, hi8(1+8+8+8*7+64) + st Z, r23 + std Z+8, r22 + ret + +/*********************************************************************/ +/* void twister_large_nextBlock(twister_state_t* ctx, void* msg) */ +/* + * param ctx: r24:r25 + * param msg: r22:r23 + */ +CTX_SAVE0 = 14 +CTX_SAVE1 = 15 +TMP_SAVE0 = 12 +TMP_SAVE1 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 +.global twister_large_nextBlock +.global twister384_nextBlock +.global twister512_nextBlock + +twister384_nextBlock: +twister512_nextBlock: +twister_large_nextBlock: + push_range 12, 15 + push r28 + push r29 + stack_alloc_large 64 + adiw r30, 1 + movw TMP_SAVE0, r30 + movw CTX_SAVE0, r24 + movw MSG_SAVE0, r22 + movw r26, CTX_SAVE0 + ldi r18, 64/8 +1: + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + ld r0, X+ + st Z+, r0 + dec r18 + brne 1b + /* maxi round 1 */ + movw r24, CTX_SAVE0 + ldi r22, 0 + rcall checksum_update + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + ldi r22, 1 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + ldi r22, 2 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z + eor r0, r23 + st X+, r0 + st Z+, r0 + dec r18 + brne 1b + /* maxi round 2 */ + movw r24, CTX_SAVE0 + ldi r22, 3 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + rcall twister_blank_round + + movw r24, CTX_SAVE0 + ldi r22, 4 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z + eor r0, r23 + st X+, r0 + st Z+, r0 + dec r18 + brne 1b + /* maxi round 3 */ + movw r24, CTX_SAVE0 + ldi r22, 5 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + ldi r22, 6 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + ldi r22, 7 + rcall checksum_update + adiw MSG_SAVE0, 8 + movw r22, MSG_SAVE0 + movw r24, CTX_SAVE0 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + rcall twister_blank_round + + movw r30, TMP_SAVE0 + movw r26, CTX_SAVE0 + ldi r18, 64 +1: + ld r0, X + ld r23, Z+ + eor r0, r23 + st X+, r0 + dec r18 + brne 1b + + adiw r26, 9 + ldi r19, 2 + ld r0, X + add r0, r19 + st X+, r0 + + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + ld r0, X + adc r0, r1 + st X+, r0 + + stack_free_large 64 + pop r29 + pop r28 + pop_range 12, 15 + ret + +/*********************************************************************/ +/* void twister_large_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b) */ +/* + * param ctx: r24:r25 + * param msg: r22:r23 + * param length_b: r20:r21 + */ +TMP_SAVE0 = 12 +TMP_SAVE1 = 13 +CTX_SAVE0 = 14 +CTX_SAVE1 = 15 +LEN_SAVE0 = 16 +LEN_SAVE1 = 17 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 +.global twister_large_lastBlock +.global twister384_lastBlock +.global twister512_lastBlock + +twister384_lastBlock: +twister512_lastBlock: +twister_large_lastBlock: + push_range 12, 17 + push r28 + push r29 + stack_alloc_large 64 + adiw r30, 1 + movw TMP_SAVE0, r30 + movw CTX_SAVE0, r24 + movw MSG_SAVE0, r22 + movw LEN_SAVE0, r20 +1: + cpi LEN_SAVE1, 2 + brmi 2f + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_large_nextBlock + adiw MSG_SAVE0, 8 + subi LEN_SAVE1, 2 + rjmp 1b +2: + movw r18, LEN_SAVE0 + lsr r19 + ror r18 + lsr r18 + lsr r18 + ldi r19, 63 + movw r26, MSG_SAVE0 + movw r30, TMP_SAVE0 + ldi r20, 0x80 + sub r19, r18 /* r18: bytes to copy, r19: bytes to clear */ + + ld r0, X+ +3: + tst r18 + breq 4f +31: + st Z+, r0 + ld r0, X+ + dec r18 + brne 31b +4: + mov r18, LEN_SAVE0 + andi r18, 0x07 + ldi r20, 0x80 + breq 5f +4: + lsr r20 + dec r18 + brne 4b + or r20, r0 + rjmp 5f + +5: + st Z+, r20 + tst r19 + breq 7f +6: + st Z+, r1 + dec r19 + brne 6b +7: + movw r24, CTX_SAVE0 + movw r22, TMP_SAVE0 + rcall twister_large_nextBlock + + ldi r19, 2 + clr r18 + + sub r18, LEN_SAVE0 + sbc r19, LEN_SAVE1 + movw r26, CTX_SAVE0 + adiw r26, 63 + adiw r26, 1+8 + + ld r0, X + sub r0, r18 + st X+, r0 + ld r0, X + sbc r0, r19 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + + sbiw r26, 8 + movw r24, CTX_SAVE0 + movw r22, r26 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + movw r22, CTX_SAVE0 + ldi r16, 64+8+8 + add r22, r16 + adc r23, r1 + movw r30, r22 + ldi r26, 8 +1: + ld r12, Z+ + ld r13, Z+ + ld r16, Z+ + ld r17, Z+ + ld r18, Z+ + ld r19, Z+ + ld r20, Z+ + ld r21, Z+ + st -Z, r12 + st -Z, r13 + st -Z, r16 + st -Z, r17 + st -Z, r18 + st -Z, r19 + st -Z, r20 + st -Z, r21 + adiw r30, 8 + dec r26 + brne 1b + + movw r24, CTX_SAVE0 + movw r22, CTX_SAVE0 + ldi r26, 64+2*8 + add r22, r26 + adc r23, r1 + rcall twister_small_nextBlock + + stack_free_large 64 + pop r29 + pop r28 + pop_range 12, 17 + ret diff --git a/twister/twister-large.c b/twister/twister-large.c new file mode 100644 index 0000000..1775488 --- /dev/null +++ b/twister/twister-large.c @@ -0,0 +1,238 @@ +/* twister-large.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include "memxor.h" +#include "twister.h" +#include "twister-large.h" + +/*********************************************************************/ + +static +void checksum_update(twister_large_ctx_t* ctx, uint8_t col){ + uint8_t i, col2; + uint8_t carry = 0; + int sum = 0; + + col2 = (col+1)%8; + + for( i=0; i<8; i++ ) + { + sum = (int) ctx->checksum[col2][7-i] + + (int) ctx->state.s[7-i][0] /* col or 0 ???*/ + + carry; + ctx->checksum[col][7-i] ^= (uint8_t)sum; + carry = sum>>8; + + } +} + +/*********************************************************************/ + +void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b){ + memset(ctx->state.s, 0, 64); + memset(ctx->checksum, 0, 64); + ctx->state.counter=0xffffffffffffffffLL; + ctx->state.s[0][7] = hashsize_b>>8; + ctx->state.s[1][7] = hashsize_b&0xff; + ctx->state.length_counter_b = 0; +} + +/*********************************************************************/ + +void twister_large_nextBlock(twister_large_ctx_t* ctx, const void* msg){ + uint8_t tmp[8][8]; + + /* 1st maxi round */ + memcpy(tmp, ctx->state.s, 64); + checksum_update(ctx, 0); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + + checksum_update(ctx, 1); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + + checksum_update(ctx, 2); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + memxor(ctx->state.s, tmp, 64); + + /* 2nd maxi round */ + memcpy(tmp, ctx->state.s, 64); + checksum_update(ctx, 3); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + + twister_blank_round(&(ctx->state)); + + checksum_update(ctx, 4); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + memxor(ctx->state.s, tmp, 64); + + /* 3rd maxi round */ + memcpy(tmp, ctx->state.s, 64); + checksum_update(ctx, 5); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + + checksum_update(ctx, 6); + twister_mini_round(&(ctx->state), msg); + msg = (uint8_t*)msg + 8; + + checksum_update(ctx, 7); + twister_mini_round(&(ctx->state), msg); + + twister_blank_round(&(ctx->state)); + memxor(ctx->state.s, tmp, 64); + ctx->state.length_counter_b += 512; +} + +/*********************************************************************/ + +void twister_inject_chksum(twister_large_ctx_t* ctx, uint8_t col){ + *((uint64_t*)(&ctx->state.s[7][0])) ^= *((uint64_t*)(&ctx->checksum[col][0])); + twister_blank_round(&ctx->state); +} + +/*********************************************************************/ + +void twister_large_lastBlock(twister_large_ctx_t* ctx, const void* msg, uint16_t length_b){ + uint8_t tmp[64]; + while(length_b>=512){ + twister_large_nextBlock(ctx, msg); + msg = ((uint8_t*)msg)+64; + length_b -= 512; + } + memset(tmp, 0, 64); + memcpy(tmp, msg, (length_b+7)/8); + tmp[length_b/8] |= 0x80 >> (length_b&0x07); + twister_large_nextBlock(ctx, tmp); + ctx->state.length_counter_b -= 512 - length_b; + twister_mini_round(&(ctx->state), &(ctx->state.length_counter_b)); + + memcpy(tmp, ctx->state.s, 64); + twister_inject_chksum(ctx, 0); + twister_inject_chksum(ctx, 1); + twister_inject_chksum(ctx, 2); + memxor(ctx->state.s, tmp, 64); + + memcpy(tmp, ctx->state.s, 64); + twister_inject_chksum(ctx, 3); + twister_inject_chksum(ctx, 4); + twister_inject_chksum(ctx, 5); + memxor(ctx->state.s, tmp, 64); + + memcpy(tmp, ctx->state.s, 64); + twister_inject_chksum(ctx, 6); + twister_inject_chksum(ctx, 7); + twister_blank_round(&(ctx->state)); + memxor(ctx->state.s, tmp, 64); + +} + +/*********************************************************************/ + +void twister_large_ctx2hash(void* dest, twister_large_ctx_t* ctx, uint16_t hashsize_b){ + twister_ctx2hash(dest, &(ctx->state), hashsize_b); +} + +/*********************************************************************/ +/*********************************************************************/ + +void twister384_init(twister384_ctx_t* ctx){ + twister_large_init(ctx, 384); +} + +/*********************************************************************/ + +void twister384_nextBlock(twister384_ctx_t* ctx, const void* msg){ + twister_large_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +void twister384_lastBlock(twister384_ctx_t* ctx, const void* msg, uint16_t length_b){ + twister_large_lastBlock(ctx, msg, length_b); +} + +/*********************************************************************/ + +void twister384_ctx2hash(void* dest, twister384_ctx_t* ctx){ + twister_large_ctx2hash(dest, ctx, 384); +} + +/*********************************************************************/ + +void twister384(void* dest, const void* msg, uint32_t msg_length_b){ + twister_large_ctx_t ctx; + twister_large_init(&ctx, 384); + while(msg_length_b >=512){ + twister_large_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_large_lastBlock(&ctx, msg, msg_length_b); + twister_large_ctx2hash(dest, &ctx, 384); +} + +/*********************************************************************/ +/*********************************************************************/ + + +void twister512_init(twister512_ctx_t* ctx){ + twister_large_init(ctx, 512); +} + +/*********************************************************************/ + +void twister512_nextBlock(twister512_ctx_t* ctx, const void* msg){ + twister_large_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +void twister512_lastBlock(twister512_ctx_t* ctx, const void* msg, uint16_t length_b){ + twister_large_lastBlock(ctx, msg, length_b); +} + +/*********************************************************************/ + +void twister512_ctx2hash(void* dest, twister512_ctx_t* ctx){ + twister_large_ctx2hash(dest, ctx, 512); +} + +/*********************************************************************/ + +void twister512(void* dest, const void* msg, uint32_t msg_length_b){ + twister_large_ctx_t ctx; + twister_large_init(&ctx, 512); + while(msg_length_b >=512){ + twister_large_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_large_lastBlock(&ctx, msg, msg_length_b); + twister_large_ctx2hash(dest, &ctx, 512); +} + + + diff --git a/twister/twister-large.h b/twister/twister-large.h new file mode 100644 index 0000000..45de18b --- /dev/null +++ b/twister/twister-large.h @@ -0,0 +1,45 @@ +/* twister-large.h */ + +#ifndef TWISTER_large_H_ +#define TWISTER_large_H_ + +#include +#include "twister.h" + +typedef uint8_t twister384_hash_t[384/8]; +typedef uint8_t twister512_hash_t[512/8]; + +typedef struct { + twister_state_t state; + twister_checksum_t checksum; +} twister_large_ctx_t; + +typedef twister_large_ctx_t twister384_ctx_t; +typedef twister_large_ctx_t twister512_ctx_t; + +/*********************************************************************/ + +void twister_large_nextBlock(twister_large_ctx_t* ctx, const void* msg); +void twister_large_init(twister_large_ctx_t* ctx, uint16_t hashsize_b); +void twister_large_lastBlock(twister_large_ctx_t* ctx, const void* msg, uint16_t length_b); +void twister_large_ctx2hash(void* dest, twister_large_ctx_t* ctx, uint16_t hashsize_b); + +/*********************************************************************/ + +void twister384_init(twister384_ctx_t* ctx); +void twister384_nextBlock(twister384_ctx_t* ctx, const void* msg); +void twister384_lastBlock(twister384_ctx_t* ctx, const void* msg, uint16_t length_b); +void twister384_ctx2hash(void* dest, twister384_ctx_t* ctx); +void twister384(void* dest, const void* msg, uint32_t msg_length_b); + +/*********************************************************************/ + +void twister512_init(twister512_ctx_t* ctx); +void twister512_nextBlock(twister512_ctx_t* ctx, const void* msg); +void twister512_lastBlock(twister512_ctx_t* ctx, const void* msg, uint16_t length_b); +void twister512_ctx2hash(void* dest, twister512_ctx_t* ctx); +void twister512(void* dest, const void* msg, uint32_t msg_length_b); + + +#endif /* TWISTER_large_H_ */ + diff --git a/twister/twister-sha3api.c b/twister/twister-sha3api.c new file mode 100644 index 0000000..4ad0233 --- /dev/null +++ b/twister/twister-sha3api.c @@ -0,0 +1,113 @@ +/* twister-sha3api.c */ + +#include "sha3-api.h" +#include "twister-sha3api.h" +#include "twister.h" +#include "twister-small.h" +#include "twister-big.h" +#include +#include + +#define BLOCKSIZE 512 + +HashReturn Init(hashState *state, int hashbitlen){ + if(!state) + return FAIL; + if(hashbitlen<32 || hashbitlen>512 || hashbitlen%32) + return BAD_HASHBITLEN; + + if (hashbitlen>=32 && hashbitlen<=256){ + state->hashbitlen = hashbitlen; + state->big = 0; + state->ctx = malloc(sizeof(twister_state_t)); + twister_small_init(state->ctx, hashbitlen); + state->buffer_fill_state=0; + memset(state->buffer, 0, 64); + return SUCCESS; + } + if (hashbitlen>256 && hashbitlen<=512){ + state->hashbitlen = hashbitlen; + state->big = 1; + state->ctx = malloc(sizeof(twister_big_ctx_t)); + twister_big_init(state->ctx, hashbitlen); + state->buffer_fill_state=0; + memset(state->buffer, 0, 64); + return SUCCESS; + } + return BAD_HASHBITLEN; +} + +void insertBitToBuffer(hashState *state, uint8_t bit){ + state->buffer[state->buffer_fill_state/8] |= + bit<<(7-(state->buffer_fill_state%8)); + state->buffer_fill_state++; +} + + +HashReturn Update(hashState *state, const BitSequence *data, + DataLength databitlen){ + if(state->buffer_fill_state+databitlen>(7-i%8))); + } + return SUCCESS; + } + if(state->buffer_fill_state==0){ + while(databitlen>=512){ + if(state->big){ + twister_big_nextBlock(state->ctx, data); + }else{ + twister_small_nextBlock(state->ctx, data); + } + data += 64; + databitlen -= 512; + } + if(databitlen!=0) + Update(state, data, databitlen); + return SUCCESS; + }else{ + DataLength i; + for(i=0; ibuffer_fill_state==512){ + if(state->big){ + twister_big_nextBlock(state->ctx, state->buffer); + }else{ + twister_small_nextBlock(state->ctx, state->buffer); + } + memset(state->buffer, 0, 64); + state->buffer_fill_state = 0; + } + insertBitToBuffer(state, 1&(data[i/8]>>(7-i%8))); + } + return SUCCESS; + } + return FAIL; +} + +HashReturn Final(hashState *state, BitSequence *hashval){ + if(state->big){ + twister_big_lastBlock(state->ctx, state->buffer, state->buffer_fill_state); + twister_big_ctx2hash(hashval, state->ctx, state->hashbitlen); + return SUCCESS; + }else{ + twister_small_lastBlock(state->ctx, state->buffer, state->buffer_fill_state); + twister_small_ctx2hash(hashval, state->ctx, state->hashbitlen); + return SUCCESS; + } +} + +HashReturn Hash(int hashbitlen, const BitSequence *data, + DataLength databitlen, BitSequence *hashval){ + HashReturn ret; + hashState state; + ret = Init(&state, hashbitlen); + if(ret!=SUCCESS) + return ret; + ret = Update(&state, data, databitlen); + if(ret!=SUCCESS) + return ret; + return Final(&state, hashval); +} + diff --git a/twister/twister-sha3api.h b/twister/twister-sha3api.h new file mode 100644 index 0000000..173dd52 --- /dev/null +++ b/twister/twister-sha3api.h @@ -0,0 +1,20 @@ +/* twister-sha3api.h */ + +#include "sha3-api.h" +#include + +typedef struct{ + uint16_t hashbitlen; + uint8_t big; + void* ctx; /* points either to twister_state_t or twister_big_ctx_t */ + uint8_t buffer[64]; + uint16_t buffer_fill_state; +}hashState; + +HashReturn Init(hashState *state, int hashbitlen); +HashReturn Update(hashState *state, const BitSequence *data, + DataLength databitlen); +HashReturn Final(hashState *state, BitSequence *hashval); +HashReturn Hash(int hashbitlen, const BitSequence *data, + DataLength databitlen, BitSequence *hashval); + diff --git a/twister/twister-small-asm.S b/twister/twister-small-asm.S new file mode 100644 index 0000000..6cfda29 --- /dev/null +++ b/twister/twister-small-asm.S @@ -0,0 +1,209 @@ +/* twister-small-asm.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister-small-asm.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-26 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" + +/* void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b)*/ +/* + * param ctx: r24:r25 + * param hashsize_b: r22:r23 + */ +.global twister224_init +twister224_init: + ldi r22, lo8(224) + ldi r23, hi8(224) + rjmp 1f + +.global twister256_init +twister256_init: + ldi r22, lo8(256) + ldi r23, hi8(256) + +.global twister_small_init +twister_small_init: + movw r30, r24 + ldi r24, 64 +1: + st Z+, r1 + dec r24 + brne 1b + + dec r1 + ldi r24, 8 +1: + st Z+, r1 + dec r24 + brne 1b + + inc r1 + ldi r24, 8 +1: + st Z+, r1 + dec r24 + brne 1b + + sbiw r30, 1+8+8 + sbiw r30, 8*7 + st Z, r23 + std Z+8, r22 + ret +#if 1 +/*********************************************************************/ +/* void twister_small_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b) */ +/* + * param ctx: r24:r25 + * param msg: r22:r23 + * param length_b: r20:r21 + */ +TMP_SAVE0 = 12 +TMP_SAVE1 = 13 +CTX_SAVE0 = 14 +CTX_SAVE1 = 15 +LEN_SAVE0 = 16 +LEN_SAVE1 = 17 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 +.global twister_small_lastBlock +.global twister224_lastBlock +.global twister256_lastBlock + +twister224_lastBlock: +twister256_lastBlock: +twister_small_lastBlock: + push_range 12, 17 + push r28 + push r29 + stack_alloc_large 64 + adiw r30, 1 + movw TMP_SAVE0, r30 + movw CTX_SAVE0, r24 + movw MSG_SAVE0, r22 + movw LEN_SAVE0, r20 +1: + cpi LEN_SAVE1, 2 + brmi 2f + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_small_nextBlock + adiw MSG_SAVE0, 8 + subi LEN_SAVE1, 2 + rjmp 1b +2: + movw r18, LEN_SAVE0 + lsr r19 + ror r18 + lsr r18 + lsr r18 + ldi r19, 63 + movw r26, MSG_SAVE0 + movw r30, TMP_SAVE0 + ldi r20, 0x80 + sub r19, r18 /* r18: bytes to copy, r19: bytes to clear */ + + ld r0, X+ +3: tst r18 + breq 4f +31: + st Z+, r0 + ld r0, X+ + dec r18 + brne 31b +4: + mov r18, LEN_SAVE0 + andi r18, 0x07 + ldi r20, 0x80 + breq 5f +4: + lsr r20 + dec r18 + brne 4b + or r20, r0 + rjmp 5f + +5: + st Z+, r20 + + tst r19 + breq 7f +6: + st Z+, r1 + dec r19 + brne 6b +7: + movw r24, CTX_SAVE0 + movw r22, TMP_SAVE0 + rcall twister_small_nextBlock + + ldi r19, 2 + clr r18 + + sub r18, LEN_SAVE0 + sbc r19, LEN_SAVE1 + movw r26, CTX_SAVE0 + adiw r26, 63 + adiw r26, 1+8 + + ld r0, X + sub r0, r18 + st X+, r0 + ld r0, X + sbc r0, r19 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + ld r0, X + sbc r0, r1 + st X+, r0 + + sbiw r26, 8 + movw r24, CTX_SAVE0 + movw r22, r26 + rcall twister_mini_round + + movw r24, CTX_SAVE0 + rcall twister_blank_round + + stack_free_large 64 + pop r29 + pop r28 + pop_range 12, 17 + ret + +#endif diff --git a/twister/twister-small-stub.c b/twister/twister-small-stub.c new file mode 100644 index 0000000..9eb4112 --- /dev/null +++ b/twister/twister-small-stub.c @@ -0,0 +1,167 @@ +/* twister-small.c */ + +#include +#include +#include "memxor.h" +#include "twister-small.h" + +/*********************************************************************/ +#if 0 +void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b){ + memset(ctx->s, 0, 64); + ctx->counter=0xffffffffffffffffLL; + ctx->s[0][7] = hashsize_b>>8; + ctx->s[1][7] = hashsize_b&0xff; + ctx->length_counter_b = 0; +} + +/*********************************************************************/ + +void twister_small_nextBlock(twister_state_t* ctx, void* msg){ + uint8_t tmp[8][8]; + /* round 1 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + memxor(ctx->s, tmp, 64); + + /* round 2 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + memxor(ctx->s, tmp, 64); + + /* round 3 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + twister_blank_round(ctx); + memxor(ctx->s, tmp, 64); + ctx->length_counter_b += 512; +} +#endif +/*********************************************************************/ +#if 0 +void twister_small_lastBlock(twister_state_t* ctx, void* msg, uint16_t length_b){ + uint8_t tmp[64]; + while(length_b>512){ + twister_small_nextBlock(ctx, msg); + msg = ((uint8_t*)msg)+64; + length_b -= 512; + } + memset(tmp, 0, 64); + memcpy(tmp, msg, (length_b+7)/8); + tmp[length_b/8] |= 0x80 >> (length_b&0x07); + twister_small_nextBlock(ctx, tmp); + ctx->length_counter_b -= 512 - length_b; + twister_mini_round(ctx, &(ctx->length_counter_b)); + twister_blank_round(ctx); +} + + +void twister256_lastBlock(twister256_ctx_t* ctx, void* msg, uint16_t length_b){ + twister_small_lastBlock(ctx, msg, length_b); +} + + +void twister224_lastBlock(twister224_ctx_t* ctx, void* msg, uint16_t length_b){ + twister_small_lastBlock(ctx, msg, length_b); +} + +#endif +#if 0 +/*********************************************************************/ + +void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ + twister_ctx2hash(dest, ctx, hashsize_b); +} + +/*********************************************************************/ +/*********************************************************************/ + +#ifndef NO_TWISTER_256 + +void twister256_init(twister256_ctx_t* ctx){ + twister_small_init(ctx, 256); +} + +/*********************************************************************/ + +void twister256_nextBlock(twister256_ctx_t* ctx, void* msg){ + twister_small_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +/*********************************************************************/ + +void twister256_ctx2hash(void* dest, twister256_ctx_t* ctx){ + twister_ctx2hash(dest, ctx, 256); +} + +/*********************************************************************/ + +void twister256(void* dest, void* msg, uint32_t msg_length_b){ + twister_state_t ctx; + twister_small_init(&ctx, 256); + while(msg_length_b >=512){ + twister_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_small_lastBlock(&ctx, msg, msg_length_b); + twister_ctx2hash(dest, &ctx, 256); +} + +/*********************************************************************/ + +#endif + +/*********************************************************************/ +/*********************************************************************/ + +#ifndef NO_TWISTER_224 + +void twister224_init(twister224_ctx_t* ctx){ + twister_small_init(ctx, 224); +} + +/*********************************************************************/ + +void twister224_nextBlock(twister224_ctx_t* ctx, void* msg){ + twister_small_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +/*********************************************************************/ + +void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx){ + twister_ctx2hash(dest, ctx, 224); +} + +/*********************************************************************/ + +void twister224(void* dest, void* msg, uint32_t msg_length_b){ + twister_state_t ctx; + twister_small_init(&ctx, 224); + while(msg_length_b >=512){ + twister_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_small_lastBlock(&ctx, msg, msg_length_b); + twister_ctx2hash(dest, &ctx, 224); +} + +#endif +#endif diff --git a/twister/twister-small.c b/twister/twister-small.c new file mode 100644 index 0000000..5fb0536 --- /dev/null +++ b/twister/twister-small.c @@ -0,0 +1,164 @@ +/* twister-small.c */ + +#include +#include +#include "memxor.h" +#include "twister-small.h" + +/*********************************************************************/ + +void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b){ + memset(ctx->s, 0, 64); + ctx->counter=0xffffffffffffffffLL; + ctx->s[0][7] = hashsize_b>>8; + ctx->s[1][7] = hashsize_b&0xff; + ctx->length_counter_b = 0; +} + +/*********************************************************************/ + +void twister_small_nextBlock(twister_state_t* ctx, const void* msg){ + uint8_t tmp[8][8]; + /* round 1 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + memxor(ctx->s, tmp, 64); + + /* round 2 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + memxor(ctx->s, tmp, 64); + + /* round 3 */ + memcpy(tmp, ctx->s, 64); + twister_mini_round(ctx, msg); + msg = ((uint8_t*)msg) + 8; + twister_mini_round(ctx, msg); + twister_blank_round(ctx); + memxor(ctx->s, tmp, 64); + ctx->length_counter_b += 512; +} + +/*********************************************************************/ + +void twister_small_lastBlock(twister_state_t* ctx, const void* msg, uint16_t length_b){ + uint8_t tmp[64]; + while(length_b>=512){ + twister_small_nextBlock(ctx, msg); + msg = ((uint8_t*)msg)+64; + length_b -= 512; + } + memset(tmp, 0, 64); + memcpy(tmp, msg, (length_b+7)/8); + tmp[length_b/8] |= 0x80 >> (length_b&0x07); + twister_small_nextBlock(ctx, tmp); + ctx->length_counter_b -= 512 - length_b; + + twister_mini_round(ctx, &(ctx->length_counter_b)); + twister_blank_round(ctx); +} + +/*********************************************************************/ + +void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ + twister_ctx2hash(dest, ctx, hashsize_b); +} + +/*********************************************************************/ +/*********************************************************************/ + +#ifndef NO_TWISTER_256 + +void twister256_init(twister256_ctx_t* ctx){ + twister_small_init(ctx, 256); +} + +/*********************************************************************/ + +void twister256_nextBlock(twister256_ctx_t* ctx, const void* msg){ + twister_small_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +void twister256_lastBlock(twister256_ctx_t* ctx, const void* msg, uint16_t length_b){ + twister_small_lastBlock(ctx, msg, length_b); +} + +/*********************************************************************/ + +void twister256_ctx2hash(void* dest, twister256_ctx_t* ctx){ + twister_ctx2hash(dest, ctx, 256); +} + +/*********************************************************************/ + +void twister256(void* dest, const void* msg, uint32_t msg_length_b){ + twister_state_t ctx; + twister_small_init(&ctx, 256); + while(msg_length_b >=512){ + twister_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_small_lastBlock(&ctx, msg, msg_length_b); + twister_ctx2hash(dest, &ctx, 256); +} + +/*********************************************************************/ + +#endif + +/*********************************************************************/ +/*********************************************************************/ + +#ifndef NO_TWISTER_224 + +void twister224_init(twister224_ctx_t* ctx){ + twister_small_init(ctx, 224); +} + +/*********************************************************************/ + +void twister224_nextBlock(twister224_ctx_t* ctx, const void* msg){ + twister_small_nextBlock(ctx, msg); +} + +/*********************************************************************/ + +void twister224_lastBlock(twister224_ctx_t* ctx, const void* msg, uint16_t length_b){ + twister_small_lastBlock(ctx, msg, length_b); +} + +/*********************************************************************/ + +void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx){ + twister_ctx2hash(dest, ctx, 224); +} + +/*********************************************************************/ + +void twister224(void* dest, const void* msg, uint32_t msg_length_b){ + twister_state_t ctx; + twister_small_init(&ctx, 224); + while(msg_length_b >=512){ + twister_small_nextBlock(&ctx, msg); + msg = (uint8_t*)msg + 512/8; + msg_length_b -= 512; + } + twister_small_lastBlock(&ctx, msg, msg_length_b); + twister_ctx2hash(dest, &ctx, 224); +} + +#endif + diff --git a/twister/twister-small.h b/twister/twister-small.h new file mode 100644 index 0000000..ca55119 --- /dev/null +++ b/twister/twister-small.h @@ -0,0 +1,33 @@ +/* twister-small.h */ + +#ifndef TWISTER_SMALL_H_ +#define TWISTER_SMALL_H_ + +#include +#include "twister.h" + +typedef uint8_t twister256_hash_t[256/8]; +typedef uint8_t twister224_hash_t[224/8]; + +typedef twister_state_t twister256_ctx_t; +typedef twister_state_t twister224_ctx_t; + +void twister_small_init(twister_state_t* ctx, uint16_t hashsize_b); +void twister_small_lastBlock(twister_state_t* ctx, const void* msg, uint16_t length_b); +void twister_small_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b); +void twister_small_nextBlock(twister_state_t* ctx, const void* msg); + + +void twister256_init(twister256_ctx_t* ctx); +void twister256_nextBlock(twister256_ctx_t* ctx, const void* msg); +void twister256_lastBlock(twister256_ctx_t* ctx, const void* msg, uint16_t length_b); +void twister256_ctx2hash(void* dest, twister_state_t* ctx); +void twister256(void* dest, const void* msg, uint32_t msg_length_b); + +void twister224_init(twister224_ctx_t* ctx); +void twister224_nextBlock(twister224_ctx_t* ctx, const void* msg); +void twister224_lastBlock(twister224_ctx_t* ctx, const void* msg, uint16_t length_b); +void twister224_ctx2hash(void* dest, twister224_ctx_t* ctx); +void twister224(void* dest, const void* msg, uint32_t msg_length_b); + +#endif /* TWISTER_SMALL_H_ */ diff --git a/twister/twister-speed.log b/twister/twister-speed.log new file mode 100644 index 0000000..e5377dc --- /dev/null +++ b/twister/twister-speed.log @@ -0,0 +1,40 @@ + === Twister-224 performance === + type: hashfunction + hashsize (bits): 224 + ctxsize (bytes): 80 + blocksize (bits): 512 + init (cycles): 480 + nextBlock (cycles): 36528 + lastBlock (cycles): 8071 + ctx2hash (cycles): 19377 + + === Twister-256 performance === + type: hashfunction + hashsize (bits): 256 + ctxsize (bytes): 80 + blocksize (bits): 512 + init (cycles): 425 + nextBlock (cycles): 36535 + lastBlock (cycles): 8064 + ctx2hash (cycles): 19438 + + === Twister-384 performance === + type: hashfunction + hashsize (bits): 384 + ctxsize (bytes): 144 + blocksize (bits): 512 + init (cycles): 745 + nextBlock (cycles): 55707 + lastBlock (cycles): 42573 + ctx2hash (cycles): 27212 + + === Twister-512 performance === + type: hashfunction + hashsize (bits): 512 + ctxsize (bytes): 144 + blocksize (bits): 512 + init (cycles): 743 + nextBlock (cycles): 55707 + lastBlock (cycles): 42573 + ctx2hash (cycles): 35203 + diff --git a/twister/twister.c b/twister/twister.c new file mode 100644 index 0000000..c82e22e --- /dev/null +++ b/twister/twister.c @@ -0,0 +1,116 @@ +/* twister.c */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include +#include +#include "twister.h" +#include "twister_tables.h" +#include "memxor.h" + +//#ifndef TWISTER_MUL_TABLE +# include "gf256mul.h" +//#endif + +#define MDS(a,b) pgm_read_byte(&(twister_mds[(a)][(b)])) + +//#ifdef TWISTER_MUL_TABLE +//# define MULT(a,b) pgm_read_byte(&(twister_multab[(a)][(b)])) +//#else +# define MULT(a,b) gf256mul((a),(b), 0x4D) +//#endif + +void twister_blank_round(twister_state_t* ctx){ + uint8_t i,j,k; + uint8_t tmp[8][8]; + /* add twist counter */ + for(i=0; i<8; ++i){ + ctx->s[i][1] ^= ((uint8_t*)&(ctx->counter))[7-i]; + } + ctx->counter--; + /* sub bytes */ + for(i=0; i<8; ++i){ + for(j=0;j<8;++j){ + tmp[i][j] = pgm_read_byte(twister_sbox+ctx->s[i][j]); + } + } + /* mix columns with integrates shift rows */ + for( i=0; i<8; i++ ){ + // multiply with mds matrix + for( j=0; j<8; j++ ){ + k=(i+1)&7; + ctx->s[j][i] = + MULT( MDS(j,0), (tmp[0][i]) ); + ctx->s[j][i] ^= + MULT( MDS(j,1), (tmp[1][k]) ); + ctx->s[j][i] ^= + MULT( MDS(j,2), (tmp[2][((++k)&7)]) ); + ctx->s[j][i] ^= + MULT( MDS(j,3), (tmp[3][((++k)&7)]) ); + ctx->s[j][i] ^= + MULT( MDS(j,4), (tmp[4][((++k)&7)]) ); + ctx->s[j][i] ^= + MULT( MDS(j,5), (tmp[5][((++k)&7)]) ); + ctx->s[j][i] ^= + MULT( MDS(j,6), (tmp[6][((++k)&7)]) ); + ctx->s[j][i] ^= + MULT( MDS(j,7), (tmp[7][((++k)&7)]) ); + + } + } +} +void twister_mini_round(twister_state_t* ctx, const void* msg){ + /* inject message */ + uint8_t i; + for(i=0; i<8; ++i){ + ctx->s[7][7-i] ^= *((uint8_t*)msg); + msg = (uint8_t*)msg +1; + } + twister_blank_round(ctx); +} + +void twister_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b){ + uint8_t tmp[8][8]; + uint8_t j; + uint16_t i=hashsize_b; + while(i>=64){ + i-=64; + memcpy(tmp,ctx->s, 64); + twister_blank_round(ctx); + memxor(ctx->s, tmp, 64); + twister_blank_round(ctx); + for(j=0; j<8; ++j){ + *((uint8_t*)dest) = ctx->s[7-j][0] ^ tmp[7-j][0]; + dest = (uint8_t*)dest + 1; + } + } + if(i>=32){ + memcpy(tmp,ctx->s, 64); + twister_blank_round(ctx); + memxor(ctx->s, tmp, 64); + twister_blank_round(ctx); + for(j=0; j<4; ++j){ + *((uint8_t*)dest) = ctx->s[3-j][0] ^ tmp[3-j][0]; + dest = (uint8_t*)dest + 1; + } + } +} + + diff --git a/twister/twister.h b/twister/twister.h new file mode 100644 index 0000000..ec6b219 --- /dev/null +++ b/twister/twister.h @@ -0,0 +1,44 @@ +/* twister.h */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister.h + * \author Daniel Otte + * \date 2008-12-20 + * \license GPLv3 or later + * + */ + +#ifndef TWISTER_H_ +#define TWISTER_H_ + +#include + +typedef struct { + uint8_t s[8][8]; + uint64_t counter; + uint64_t length_counter_b; +} twister_state_t; + +typedef uint8_t twister_checksum_t[8][8]; + +void twister_blank_round(twister_state_t* ctx); +void twister_mini_round(twister_state_t* ctx, const void* msg); +void twister_ctx2hash(void* dest, twister_state_t* ctx, uint16_t hashsize_b); + +#endif /* TWISTER_H_ */ diff --git a/twister/twister224.S b/twister/twister224.S new file mode 100644 index 0000000..e97ed55 --- /dev/null +++ b/twister/twister224.S @@ -0,0 +1,98 @@ +/* twister224.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister224.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-28 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +/*********************************************************************/ +/* void twister224(void* dest, void* msg, uint32_t msg_length_b) */ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param msg_length_b: r18:r21 + */ + +CTX_SAVE0 = 10 +CTX_SAVE1 = 11 +DST_SAVE0 = 14 +DST_SAVE1 = 15 +MSG_LEN0 = 16 +MSG_LEN1 = 17 +MSG_LEN2 = 12 +MSG_LEN3 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 + +.global twister224 +twister224: + push_range 10, 17 + push r28 + push r29 + stack_alloc_large 64+2*8 + adiw r30, 1 + movw CTX_SAVE0, r30 + movw DST_SAVE0, r24 + movw MSG_SAVE0, r22 + movw MSG_LEN0, r18 + movw MSG_LEN2, r20 + movw r24, CTX_SAVE0 + ldi r22, lo8(224) + ldi r23, hi8(224) + rcall twister_small_init +1: + tst MSG_LEN3 + brne 2f + tst MSG_LEN2 + brne 2f + cpi MSG_LEN1, 2 + brmi 3f +2: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_small_nextBlock + adiw MSG_SAVE0, 63 + adiw MSG_SAVE0, 1 + subi MSG_LEN1, 2 + sbc MSG_LEN2, r1 + sbc MSG_LEN3, r1 + rjmp 1b +3: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + movw r20, MSG_LEN0 + rcall twister_small_lastBlock + + movw r24, DST_SAVE0 + movw r22, CTX_SAVE0 + ldi r20, lo8(224) + ldi r21, hi8(224) + rcall twister_small_ctx2hash + + stack_free_large 64+2*8 + pop r29 + pop r28 + pop_range 10, 17 + ret + diff --git a/twister/twister256.S b/twister/twister256.S new file mode 100644 index 0000000..ce1dc11 --- /dev/null +++ b/twister/twister256.S @@ -0,0 +1,99 @@ +/* twister256.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister256.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-28 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +/*********************************************************************/ +/* void twister256(void* dest, void* msg, uint32_t msg_length_b) */ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param msg_length_b: r18:r21 + */ + +CTX_SAVE0 = 10 +CTX_SAVE1 = 11 +DST_SAVE0 = 14 +DST_SAVE1 = 15 +MSG_LEN0 = 16 +MSG_LEN1 = 17 +MSG_LEN2 = 12 +MSG_LEN3 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 + +.global twister256 +twister256: + push_range 10, 17 + push r28 + push r29 + stack_alloc_large 64+2*8 + adiw r30, 1 + movw CTX_SAVE0, r30 + movw DST_SAVE0, r24 + movw MSG_SAVE0, r22 + movw MSG_LEN0, r18 + movw MSG_LEN2, r20 + movw r24, CTX_SAVE0 + ldi r22, lo8(256) + ldi r23, hi8(256) + rcall twister_small_init +1: + tst MSG_LEN3 + brne 2f + tst MSG_LEN2 + brne 2f + cpi MSG_LEN1, 2 + brmi 3f +2: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_small_nextBlock + adiw MSG_SAVE0, 63 + adiw MSG_SAVE0, 1 + subi MSG_LEN1, 2 + sbc MSG_LEN2, r1 + sbc MSG_LEN3, r1 + rjmp 1b +3: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + movw r20, MSG_LEN0 + rcall twister_small_lastBlock + + movw r24, DST_SAVE0 + movw r22, CTX_SAVE0 + ldi r20, lo8(256) + ldi r21, hi8(256) + rcall twister_small_ctx2hash + + stack_free_large 64+2*8 + pop r29 + pop r28 + pop_range 10, 17 + ret + + diff --git a/twister/twister384.S b/twister/twister384.S new file mode 100644 index 0000000..6a15fc5 --- /dev/null +++ b/twister/twister384.S @@ -0,0 +1,97 @@ +/* twister384.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister384.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-28 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +/*********************************************************************/ +/* void twister384(void* dest, void* msg, uint32_t msg_length_b) */ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param msg_length_b: r18:r21 + */ + +CTX_SAVE0 = 10 +CTX_SAVE1 = 11 +DST_SAVE0 = 14 +DST_SAVE1 = 15 +MSG_LEN0 = 16 +MSG_LEN1 = 17 +MSG_LEN2 = 12 +MSG_LEN3 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 + +.global twister384 +twister384: + push_range 10, 17 + push r28 + push r29 + stack_alloc_large 64+2*8+64 + adiw r30, 1 + movw CTX_SAVE0, r30 + movw DST_SAVE0, r24 + movw MSG_SAVE0, r22 + movw MSG_LEN0, r18 + movw MSG_LEN2, r20 + movw r24, CTX_SAVE0 + ldi r22, lo8(384) + ldi r23, hi8(384) + rcall twister_large_init +1: + tst MSG_LEN3 + brne 2f + tst MSG_LEN2 + brne 2f + cpi MSG_LEN1, 2 + brmi 3f +2: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_large_nextBlock + adiw MSG_SAVE0, 63 + adiw MSG_SAVE0, 1 + subi MSG_LEN1, 2 + sbc MSG_LEN2, r1 + sbc MSG_LEN3, r1 + rjmp 1b +3: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + movw r20, MSG_LEN0 + rcall twister_large_lastBlock + + movw r24, DST_SAVE0 + movw r22, CTX_SAVE0 + ldi r20, lo8(384) + ldi r21, hi8(384) + rcall twister_large_ctx2hash + + stack_free_large2 64+2*8+64 + pop r29 + pop r28 + pop_range 10, 17 + ret diff --git a/twister/twister512.S b/twister/twister512.S new file mode 100644 index 0000000..0aece4d --- /dev/null +++ b/twister/twister512.S @@ -0,0 +1,97 @@ +/* twister512.S */ +/* + This file is part of the AVR-Crypto-Lib. + Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/** + * \file twister512.S + * \email daniel.otte@rub.de + * \author Daniel Otte + * \date 2008-12-28 + * \license GPLv3 or later + * + */ + +#include "avr-asm-macros.S" +/*********************************************************************/ +/* void twister384(void* dest, void* msg, uint32_t msg_length_b) */ +/* + * param dest: r24:r25 + * param msg: r22:r23 + * param msg_length_b: r18:r21 + */ + +CTX_SAVE0 = 10 +CTX_SAVE1 = 11 +DST_SAVE0 = 14 +DST_SAVE1 = 15 +MSG_LEN0 = 16 +MSG_LEN1 = 17 +MSG_LEN2 = 12 +MSG_LEN3 = 13 +MSG_SAVE0 = 28 +MSG_SAVE1 = 29 + +.global twister512 +twister512: + push_range 10, 17 + push r28 + push r29 + stack_alloc_large 64+2*8+64 + adiw r30, 1 + movw CTX_SAVE0, r30 + movw DST_SAVE0, r24 + movw MSG_SAVE0, r22 + movw MSG_LEN0, r18 + movw MSG_LEN2, r20 + movw r24, CTX_SAVE0 + ldi r22, lo8(512) + ldi r23, hi8(512) + rcall twister_large_init +1: + tst MSG_LEN3 + brne 2f + tst MSG_LEN2 + brne 2f + cpi MSG_LEN1, 2 + brmi 3f +2: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + rcall twister_large_nextBlock + adiw MSG_SAVE0, 63 + adiw MSG_SAVE0, 1 + subi MSG_LEN1, 2 + sbc MSG_LEN2, r1 + sbc MSG_LEN3, r1 + rjmp 1b +3: + movw r24, CTX_SAVE0 + movw r22, MSG_SAVE0 + movw r20, MSG_LEN0 + rcall twister_large_lastBlock + + movw r24, DST_SAVE0 + movw r22, CTX_SAVE0 + ldi r20, lo8(512) + ldi r21, hi8(512) + rcall twister_large_ctx2hash + + stack_free_large2 64+2*8+64 + pop r29 + pop r28 + pop_range 10, 17 + ret diff --git a/twister/twister_ref.h b/twister/twister_ref.h new file mode 100644 index 0000000..1a5e05a --- /dev/null +++ b/twister/twister_ref.h @@ -0,0 +1,90 @@ +/****************************************************************** + ** Header File for the Reference Implementation of Twister + ** + ** Author: Ewan Fleischmann 2008 + ** + ** This algorithm and source code is released into the public domain. + ** + *******************************************************************/ + +#ifndef TWISTER_REF_H_ +#define TWISTER_REF_H_ + +#define DEBUG + +#define MIN(a,b) ((a)>(b)?(b):(a)) +/* state matrix has size of 8x8 BYTES i.e. 8 rows and 8 columns*/ +#define NUMROWSCOLUMNS 8 +#define STATESIZE NUMROWSCOLUMNS * NUMROWSCOLUMNS + +/* blocksize in BITS, i.e. size of an input message block for a compression function call*/ +#define BLOCKSIZE 512 + +/* unit64 def for ANSIC/GNUC <-> MSVC */ +#ifdef __GNUC__ +#include +#else +typedef unsigned __int64 uint64_t; +#endif + +/* multiplication in F_256 */ +#define MULT(a,b) (multab[a-1][b]) + +/* NIST requirements definitions */ +typedef unsigned char BitSequence; +typedef uint64_t DataLength; +typedef enum {SUCCESS=0, FAIL=1, BAD_HASHBITLEN=2 } HashReturn; +typedef enum {FULL = 0, NOT_FULL = 1 } INTERMEDIATE_RESULT; + +typedef struct { + /* statematrix[Y][X] */ + unsigned char hs_State[NUMROWSCOLUMNS][NUMROWSCOLUMNS]; + + /* matrix for checksum */ + unsigned char hs_Checksum[NUMROWSCOLUMNS][NUMROWSCOLUMNS]; + + /* Processed message bits */ + DataLength hs_ProcessedMsgLen; + + /* Unprocessed message block */ + BitSequence hs_Data[STATESIZE]; + + /* size of data hs_Data, in bits*/ + uint64_t hs_DataBitLen; + + /* Twist counter, prevents slide attacks, counts the number of twist operations */ + uint64_t hs_Counter; + + /* output hash bit length, in bits */ + uint64_t hs_HashBitLen; + +} hashState; + + +/******************************************************************/ +/************************* N I S T A P I ***********************/ +/******************************************************************/ + +/* Initiate Twister */ +HashReturn Init(hashState *state, int hashbitlen); + +/* Process the supplied data */ +HashReturn Update(hashState *state, const BitSequence *data, + DataLength databitlen); + +/* Perform any post processing and output filtering */ +HashReturn Final(hashState *state, BitSequence *hashval); + +/* Hash the supplied data and provie the resulting hash value */ +HashReturn Hash(int hashbitlen, const BitSequence *data, + DataLength databitlen, BitSequence *hashval); + + +/* only for testing */ +INTERMEDIATE_RESULT fill_intermediate_state( hashState *state, const BitSequence *data, DataLength *databitlen, DataLength *processed ); +void twist( hashState *state, uint64_t *data ); +void twist_mini_round( hashState *state ); +void checksum( hashState *state, int col ); + + +#endif /* TWISTER_REF_H_ */ diff --git a/twister/twister_tables.h b/twister/twister_tables.h new file mode 100644 index 0000000..b0f145c --- /dev/null +++ b/twister/twister_tables.h @@ -0,0 +1,232 @@ +/****************************************************************** + * S-BOX for Twister + * + * + *******************************************************************/ + +#include "config.h" +#include +#include + +static const uint8_t twister_sbox[256] PROGMEM = { + 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, + 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, + 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, + 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, + 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, + 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, + 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, + 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, + 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, + 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, + 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, + 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, + 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, + 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, + 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, + 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, + 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, + 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, + 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, + 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, + 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, + 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, + 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, + 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, + 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, + 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, + 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, + 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, + 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, + 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, + 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, + 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +}; + +#ifndef TWISTER_MUL_TABLE + + +/* Twister MDS matrix */ +static const uint8_t twister_mds[8][8] PROGMEM = { + {2, 1, 1, 5, 7, 8, 6, 1}, + {1, 2, 1, 1, 5, 7, 8, 6}, + {6, 1, 2, 1, 1, 5, 7, 8}, + {8, 6, 1, 2, 1, 1, 5, 7}, + {7, 8, 6, 1, 2, 1, 1, 5}, + {5, 7, 8, 6, 1, 2, 1, 1}, + {1, 5, 7, 8, 6, 1, 2, 1}, + {1, 1, 5, 7, 8, 6, 1, 2} +}; + +#else + +#define S1 0 +#define S2 1 +#define S3 X +#define S4 X +#define S5 2 +#define S6 3 +#define S7 4 +#define S8 5 + +static const uint8_t twister_mds[8][8] PROGMEM = { + {S2, S1, S1, S5, S7, S8, S6, S1}, + {S1, S2, S1, S1, S5, S7, S8, S6}, + {S6, S1, S2, S1, S1, S5, S7, S8}, + {S8, S6, S1, S2, S1, S1, S5, S7}, + {S7, S8, S6, S1, S2, S1, S1, S5}, + {S5, S7, S8, S6, S1, S2, S1, S1}, + {S1, S5, S7, S8, S6, S1, S2, S1}, + {S1, S1, S5, S7, S8, S6, S1, S2} +}; + +static const uint8_t twister_multab[8][256] PROGMEM = { + { /* 1 */ + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, + 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, + 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, + 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, + 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, + 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, + 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, + 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, + 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, + 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, + 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, + 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, + 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, + 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, + 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, + 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255 + }, + { /* 2 */ + 0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, + 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, + 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, + 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, + 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, + 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 180, 182, 184, 186, 188, 190, + 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, + 224, 226, 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, 248, 250, 252, 254, + 77, 79, 73, 75, 69, 71, 65, 67, 93, 95, 89, 91, 85, 87, 81, 83, + 109, 111, 105, 107, 101, 103, 97, 99, 125, 127, 121, 123, 117, 119, 113, 115, + 13, 15, 9, 11, 5, 7, 1, 3, 29, 31, 25, 27, 21, 23, 17, 19, + 45, 47, 41, 43, 37, 39, 33, 35, 61, 63, 57, 59, 53, 55, 49, 51, + 205, 207, 201, 203, 197, 199, 193, 195, 221, 223, 217, 219, 213, 215, 209, 211, + 237, 239, 233, 235, 229, 231, 225, 227, 253, 255, 249, 251, 245, 247, 241, 243, + 141, 143, 137, 139, 133, 135, 129, 131, 157, 159, 153, 155, 149, 151, 145, 147, + 173, 175, 169, 171, 165, 167, 161, 163, 189, 191, 185, 187, 181, 183, 177, 179 + }, +/* { / * 3 * / + 0, 3, 6, 5, 12, 15, 10, 9, 24, 27, 30, 29, 20, 23, 18, 17, + 48, 51, 54, 53, 60, 63, 58, 57, 40, 43, 46, 45, 36, 39, 34, 33, + 96, 99, 102, 101, 108, 111, 106, 105, 120, 123, 126, 125, 116, 119, 114, 113, + 80, 83, 86, 85, 92, 95, 90, 89, 72, 75, 78, 77, 68, 71, 66, 65, + 192, 195, 198, 197, 204, 207, 202, 201, 216, 219, 222, 221, 212, 215, 210, 209, + 240, 243, 246, 245, 252, 255, 250, 249, 232, 235, 238, 237, 228, 231, 226, 225, + 160, 163, 166, 165, 172, 175, 170, 169, 184, 187, 190, 189, 180, 183, 178, 177, + 144, 147, 150, 149, 156, 159, 154, 153, 136, 139, 142, 141, 132, 135, 130, 129, + 205, 206, 203, 200, 193, 194, 199, 196, 213, 214, 211, 208, 217, 218, 223, 220, + 253, 254, 251, 248, 241, 242, 247, 244, 229, 230, 227, 224, 233, 234, 239, 236, + 173, 174, 171, 168, 161, 162, 167, 164, 181, 182, 179, 176, 185, 186, 191, 188, + 157, 158, 155, 152, 145, 146, 151, 148, 133, 134, 131, 128, 137, 138, 143, 140, + 13, 14, 11, 8, 1, 2, 7, 4, 21, 22, 19, 16, 25, 26, 31, 28, + 61, 62, 59, 56, 49, 50, 55, 52, 37, 38, 35, 32, 41, 42, 47, 44, + 109, 110, 107, 104, 97, 98, 103, 100, 117, 118, 115, 112, 121, 122, 127, 124, + 93, 94, 91, 88, 81, 82, 87, 84, 69, 70, 67, 64, 73, 74, 79, 76 + }, + { / * 4 * / + 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, + 64, 68, 72, 76, 80, 84, 88, 92, 96, 100, 104, 108, 112, 116, 120, 124, + 128, 132, 136, 140, 144, 148, 152, 156, 160, 164, 168, 172, 176, 180, 184, 188, + 192, 196, 200, 204, 208, 212, 216, 220, 224, 228, 232, 236, 240, 244, 248, 252, + 77, 73, 69, 65, 93, 89, 85, 81, 109, 105, 101, 97, 125, 121, 117, 113, + 13, 9, 5, 1, 29, 25, 21, 17, 45, 41, 37, 33, 61, 57, 53, 49, + 205, 201, 197, 193, 221, 217, 213, 209, 237, 233, 229, 225, 253, 249, 245, 241, + 141, 137, 133, 129, 157, 153, 149, 145, 173, 169, 165, 161, 189, 185, 181, 177, + 154, 158, 146, 150, 138, 142, 130, 134, 186, 190, 178, 182, 170, 174, 162, 166, + 218, 222, 210, 214, 202, 206, 194, 198, 250, 254, 242, 246, 234, 238, 226, 230, + 26, 30, 18, 22, 10, 14, 2, 6, 58, 62, 50, 54, 42, 46, 34, 38, + 90, 94, 82, 86, 74, 78, 66, 70, 122, 126, 114, 118, 106, 110, 98, 102, + 215, 211, 223, 219, 199, 195, 207, 203, 247, 243, 255, 251, 231, 227, 239, 235, + 151, 147, 159, 155, 135, 131, 143, 139, 183, 179, 191, 187, 167, 163, 175, 171, + 87, 83, 95, 91, 71, 67, 79, 75, 119, 115, 127, 123, 103, 99, 111, 107, + 23, 19, 31, 27, 7, 3, 15, 11, 55, 51, 63, 59, 39, 35, 47, 43 + }, +*/ { /* 5 */ + 0, 5, 10, 15, 20, 17, 30, 27, 40, 45, 34, 39, 60, 57, 54, 51, + 80, 85, 90, 95, 68, 65, 78, 75, 120, 125, 114, 119, 108, 105, 102, 99, + 160, 165, 170, 175, 180, 177, 190, 187, 136, 141, 130, 135, 156, 153, 150, 147, + 240, 245, 250, 255, 228, 225, 238, 235, 216, 221, 210, 215, 204, 201, 198, 195, + 13, 8, 7, 2, 25, 28, 19, 22, 37, 32, 47, 42, 49, 52, 59, 62, + 93, 88, 87, 82, 73, 76, 67, 70, 117, 112, 127, 122, 97, 100, 107, 110, + 173, 168, 167, 162, 185, 188, 179, 182, 133, 128, 143, 138, 145, 148, 155, 158, + 253, 248, 247, 242, 233, 236, 227, 230, 213, 208, 223, 218, 193, 196, 203, 206, + 26, 31, 16, 21, 14, 11, 4, 1, 50, 55, 56, 61, 38, 35, 44, 41, + 74, 79, 64, 69, 94, 91, 84, 81, 98, 103, 104, 109, 118, 115, 124, 121, + 186, 191, 176, 181, 174, 171, 164, 161, 146, 151, 152, 157, 134, 131, 140, 137, + 234, 239, 224, 229, 254, 251, 244, 241, 194, 199, 200, 205, 214, 211, 220, 217, + 23, 18, 29, 24, 3, 6, 9, 12, 63, 58, 53, 48, 43, 46, 33, 36, + 71, 66, 77, 72, 83, 86, 89, 92, 111, 106, 101, 96, 123, 126, 113, 116, + 183, 178, 189, 184, 163, 166, 169, 172, 159, 154, 149, 144, 139, 142, 129, 132, + 231, 226, 237, 232, 243, 246, 249, 252, 207, 202, 197, 192, 219, 222, 209, 212 + }, + { /* 6 */ + 0, 6, 12, 10, 24, 30, 20, 18, 48, 54, 60, 58, 40, 46, 36, 34, + 96, 102, 108, 106, 120, 126, 116, 114, 80, 86, 92, 90, 72, 78, 68, 66, + 192, 198, 204, 202, 216, 222, 212, 210, 240, 246, 252, 250, 232, 238, 228, 226, + 160, 166, 172, 170, 184, 190, 180, 178, 144, 150, 156, 154, 136, 142, 132, 130, + 205, 203, 193, 199, 213, 211, 217, 223, 253, 251, 241, 247, 229, 227, 233, 239, + 173, 171, 161, 167, 181, 179, 185, 191, 157, 155, 145, 151, 133, 131, 137, 143, + 13, 11, 1, 7, 21, 19, 25, 31, 61, 59, 49, 55, 37, 35, 41, 47, + 109, 107, 97, 103, 117, 115, 121, 127, 93, 91, 81, 87, 69, 67, 73, 79, + 215, 209, 219, 221, 207, 201, 195, 197, 231, 225, 235, 237, 255, 249, 243, 245, + 183, 177, 187, 189, 175, 169, 163, 165, 135, 129, 139, 141, 159, 153, 147, 149, + 23, 17, 27, 29, 15, 9, 3, 5, 39, 33, 43, 45, 63, 57, 51, 53, + 119, 113, 123, 125, 111, 105, 99, 101, 71, 65, 75, 77, 95, 89, 83, 85, + 26, 28, 22, 16, 2, 4, 14, 8, 42, 44, 38, 32, 50, 52, 62, 56, + 122, 124, 118, 112, 98, 100, 110, 104, 74, 76, 70, 64, 82, 84, 94, 88, + 218, 220, 214, 208, 194, 196, 206, 200, 234, 236, 230, 224, 242, 244, 254, 248, + 186, 188, 182, 176, 162, 164, 174, 168, 138, 140, 134, 128, 146, 148, 158, 152 + }, + { /* 7 */ + 0, 7, 14, 9, 28, 27, 18, 21, 56, 63, 54, 49, 36, 35, 42, 45, + 112, 119, 126, 121, 108, 107, 98, 101, 72, 79, 70, 65, 84, 83, 90, 93, + 224, 231, 238, 233, 252, 251, 242, 245, 216, 223, 214, 209, 196, 195, 202, 205, + 144, 151, 158, 153, 140, 139, 130, 133, 168, 175, 166, 161, 180, 179, 186, 189, + 141, 138, 131, 132, 145, 150, 159, 152, 181, 178, 187, 188, 169, 174, 167, 160, + 253, 250, 243, 244, 225, 230, 239, 232, 197, 194, 203, 204, 217, 222, 215, 208, + 109, 106, 99, 100, 113, 118, 127, 120, 85, 82, 91, 92, 73, 78, 71, 64, + 29, 26, 19, 20, 1, 6, 15, 8, 37, 34, 43, 44, 57, 62, 55, 48, + 87, 80, 89, 94, 75, 76, 69, 66, 111, 104, 97, 102, 115, 116, 125, 122, + 39, 32, 41, 46, 59, 60, 53, 50, 31, 24, 17, 22, 3, 4, 13, 10, + 183, 176, 185, 190, 171, 172, 165, 162, 143, 136, 129, 134, 147, 148, 157, 154, + 199, 192, 201, 206, 219, 220, 213, 210, 255, 248, 241, 246, 227, 228, 237, 234, + 218, 221, 212, 211, 198, 193, 200, 207, 226, 229, 236, 235, 254, 249, 240, 247, + 170, 173, 164, 163, 182, 177, 184, 191, 146, 149, 156, 155, 142, 137, 128, 135, + 58, 61, 52, 51, 38, 33, 40, 47, 2, 5, 12, 11, 30, 25, 16, 23, + 74, 77, 68, 67, 86, 81, 88, 95, 114, 117, 124, 123, 110, 105, 96, 103 + }, + { /* 8 */ + 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, + 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248, + 77, 69, 93, 85, 109, 101, 125, 117, 13, 5, 29, 21, 45, 37, 61, 53, + 205, 197, 221, 213, 237, 229, 253, 245, 141, 133, 157, 149, 173, 165, 189, 181, + 154, 146, 138, 130, 186, 178, 170, 162, 218, 210, 202, 194, 250, 242, 234, 226, + 26, 18, 10, 2, 58, 50, 42, 34, 90, 82, 74, 66, 122, 114, 106, 98, + 215, 223, 199, 207, 247, 255, 231, 239, 151, 159, 135, 143, 183, 191, 167, 175, + 87, 95, 71, 79, 119, 127, 103, 111, 23, 31, 7, 15, 55, 63, 39, 47, + 121, 113, 105, 97, 89, 81, 73, 65, 57, 49, 41, 33, 25, 17, 9, 1, + 249, 241, 233, 225, 217, 209, 201, 193, 185, 177, 169, 161, 153, 145, 137, 129, + 52, 60, 36, 44, 20, 28, 4, 12, 116, 124, 100, 108, 84, 92, 68, 76, + 180, 188, 164, 172, 148, 156, 132, 140, 244, 252, 228, 236, 212, 220, 196, 204, + 227, 235, 243, 251, 195, 203, 211, 219, 163, 171, 179, 187, 131, 139, 147, 155, + 99, 107, 115, 123, 67, 75, 83, 91, 35, 43, 51, 59, 3, 11, 19, 27, + 174, 166, 190, 182, 142, 134, 158, 150, 238, 230, 254, 246, 206, 198, 222, 214, + 46, 38, 62, 54, 14, 6, 30, 22, 110, 102, 126, 118, 78, 70, 94, 86 + } +}; + +#endif + + diff --git a/twister224.S b/twister224.S deleted file mode 100644 index e97ed55..0000000 --- a/twister224.S +++ /dev/null @@ -1,98 +0,0 @@ -/* twister224.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister224.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-28 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -/*********************************************************************/ -/* void twister224(void* dest, void* msg, uint32_t msg_length_b) */ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param msg_length_b: r18:r21 - */ - -CTX_SAVE0 = 10 -CTX_SAVE1 = 11 -DST_SAVE0 = 14 -DST_SAVE1 = 15 -MSG_LEN0 = 16 -MSG_LEN1 = 17 -MSG_LEN2 = 12 -MSG_LEN3 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 - -.global twister224 -twister224: - push_range 10, 17 - push r28 - push r29 - stack_alloc_large 64+2*8 - adiw r30, 1 - movw CTX_SAVE0, r30 - movw DST_SAVE0, r24 - movw MSG_SAVE0, r22 - movw MSG_LEN0, r18 - movw MSG_LEN2, r20 - movw r24, CTX_SAVE0 - ldi r22, lo8(224) - ldi r23, hi8(224) - rcall twister_small_init -1: - tst MSG_LEN3 - brne 2f - tst MSG_LEN2 - brne 2f - cpi MSG_LEN1, 2 - brmi 3f -2: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_small_nextBlock - adiw MSG_SAVE0, 63 - adiw MSG_SAVE0, 1 - subi MSG_LEN1, 2 - sbc MSG_LEN2, r1 - sbc MSG_LEN3, r1 - rjmp 1b -3: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - movw r20, MSG_LEN0 - rcall twister_small_lastBlock - - movw r24, DST_SAVE0 - movw r22, CTX_SAVE0 - ldi r20, lo8(224) - ldi r21, hi8(224) - rcall twister_small_ctx2hash - - stack_free_large 64+2*8 - pop r29 - pop r28 - pop_range 10, 17 - ret - diff --git a/twister256.S b/twister256.S deleted file mode 100644 index ce1dc11..0000000 --- a/twister256.S +++ /dev/null @@ -1,99 +0,0 @@ -/* twister256.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister256.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-28 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -/*********************************************************************/ -/* void twister256(void* dest, void* msg, uint32_t msg_length_b) */ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param msg_length_b: r18:r21 - */ - -CTX_SAVE0 = 10 -CTX_SAVE1 = 11 -DST_SAVE0 = 14 -DST_SAVE1 = 15 -MSG_LEN0 = 16 -MSG_LEN1 = 17 -MSG_LEN2 = 12 -MSG_LEN3 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 - -.global twister256 -twister256: - push_range 10, 17 - push r28 - push r29 - stack_alloc_large 64+2*8 - adiw r30, 1 - movw CTX_SAVE0, r30 - movw DST_SAVE0, r24 - movw MSG_SAVE0, r22 - movw MSG_LEN0, r18 - movw MSG_LEN2, r20 - movw r24, CTX_SAVE0 - ldi r22, lo8(256) - ldi r23, hi8(256) - rcall twister_small_init -1: - tst MSG_LEN3 - brne 2f - tst MSG_LEN2 - brne 2f - cpi MSG_LEN1, 2 - brmi 3f -2: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_small_nextBlock - adiw MSG_SAVE0, 63 - adiw MSG_SAVE0, 1 - subi MSG_LEN1, 2 - sbc MSG_LEN2, r1 - sbc MSG_LEN3, r1 - rjmp 1b -3: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - movw r20, MSG_LEN0 - rcall twister_small_lastBlock - - movw r24, DST_SAVE0 - movw r22, CTX_SAVE0 - ldi r20, lo8(256) - ldi r21, hi8(256) - rcall twister_small_ctx2hash - - stack_free_large 64+2*8 - pop r29 - pop r28 - pop_range 10, 17 - ret - - diff --git a/twister384.S b/twister384.S deleted file mode 100644 index 6a15fc5..0000000 --- a/twister384.S +++ /dev/null @@ -1,97 +0,0 @@ -/* twister384.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister384.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-28 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -/*********************************************************************/ -/* void twister384(void* dest, void* msg, uint32_t msg_length_b) */ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param msg_length_b: r18:r21 - */ - -CTX_SAVE0 = 10 -CTX_SAVE1 = 11 -DST_SAVE0 = 14 -DST_SAVE1 = 15 -MSG_LEN0 = 16 -MSG_LEN1 = 17 -MSG_LEN2 = 12 -MSG_LEN3 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 - -.global twister384 -twister384: - push_range 10, 17 - push r28 - push r29 - stack_alloc_large 64+2*8+64 - adiw r30, 1 - movw CTX_SAVE0, r30 - movw DST_SAVE0, r24 - movw MSG_SAVE0, r22 - movw MSG_LEN0, r18 - movw MSG_LEN2, r20 - movw r24, CTX_SAVE0 - ldi r22, lo8(384) - ldi r23, hi8(384) - rcall twister_large_init -1: - tst MSG_LEN3 - brne 2f - tst MSG_LEN2 - brne 2f - cpi MSG_LEN1, 2 - brmi 3f -2: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_large_nextBlock - adiw MSG_SAVE0, 63 - adiw MSG_SAVE0, 1 - subi MSG_LEN1, 2 - sbc MSG_LEN2, r1 - sbc MSG_LEN3, r1 - rjmp 1b -3: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - movw r20, MSG_LEN0 - rcall twister_large_lastBlock - - movw r24, DST_SAVE0 - movw r22, CTX_SAVE0 - ldi r20, lo8(384) - ldi r21, hi8(384) - rcall twister_large_ctx2hash - - stack_free_large2 64+2*8+64 - pop r29 - pop r28 - pop_range 10, 17 - ret diff --git a/twister512.S b/twister512.S deleted file mode 100644 index 0aece4d..0000000 --- a/twister512.S +++ /dev/null @@ -1,97 +0,0 @@ -/* twister512.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/** - * \file twister512.S - * \email daniel.otte@rub.de - * \author Daniel Otte - * \date 2008-12-28 - * \license GPLv3 or later - * - */ - -#include "avr-asm-macros.S" -/*********************************************************************/ -/* void twister384(void* dest, void* msg, uint32_t msg_length_b) */ -/* - * param dest: r24:r25 - * param msg: r22:r23 - * param msg_length_b: r18:r21 - */ - -CTX_SAVE0 = 10 -CTX_SAVE1 = 11 -DST_SAVE0 = 14 -DST_SAVE1 = 15 -MSG_LEN0 = 16 -MSG_LEN1 = 17 -MSG_LEN2 = 12 -MSG_LEN3 = 13 -MSG_SAVE0 = 28 -MSG_SAVE1 = 29 - -.global twister512 -twister512: - push_range 10, 17 - push r28 - push r29 - stack_alloc_large 64+2*8+64 - adiw r30, 1 - movw CTX_SAVE0, r30 - movw DST_SAVE0, r24 - movw MSG_SAVE0, r22 - movw MSG_LEN0, r18 - movw MSG_LEN2, r20 - movw r24, CTX_SAVE0 - ldi r22, lo8(512) - ldi r23, hi8(512) - rcall twister_large_init -1: - tst MSG_LEN3 - brne 2f - tst MSG_LEN2 - brne 2f - cpi MSG_LEN1, 2 - brmi 3f -2: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - rcall twister_large_nextBlock - adiw MSG_SAVE0, 63 - adiw MSG_SAVE0, 1 - subi MSG_LEN1, 2 - sbc MSG_LEN2, r1 - sbc MSG_LEN3, r1 - rjmp 1b -3: - movw r24, CTX_SAVE0 - movw r22, MSG_SAVE0 - movw r20, MSG_LEN0 - rcall twister_large_lastBlock - - movw r24, DST_SAVE0 - movw r22, CTX_SAVE0 - ldi r20, lo8(512) - ldi r21, hi8(512) - rcall twister_large_ctx2hash - - stack_free_large2 64+2*8+64 - pop r29 - pop r28 - pop_range 10, 17 - ret diff --git a/twister_ref.h b/twister_ref.h deleted file mode 100644 index 1a5e05a..0000000 --- a/twister_ref.h +++ /dev/null @@ -1,90 +0,0 @@ -/****************************************************************** - ** Header File for the Reference Implementation of Twister - ** - ** Author: Ewan Fleischmann 2008 - ** - ** This algorithm and source code is released into the public domain. - ** - *******************************************************************/ - -#ifndef TWISTER_REF_H_ -#define TWISTER_REF_H_ - -#define DEBUG - -#define MIN(a,b) ((a)>(b)?(b):(a)) -/* state matrix has size of 8x8 BYTES i.e. 8 rows and 8 columns*/ -#define NUMROWSCOLUMNS 8 -#define STATESIZE NUMROWSCOLUMNS * NUMROWSCOLUMNS - -/* blocksize in BITS, i.e. size of an input message block for a compression function call*/ -#define BLOCKSIZE 512 - -/* unit64 def for ANSIC/GNUC <-> MSVC */ -#ifdef __GNUC__ -#include -#else -typedef unsigned __int64 uint64_t; -#endif - -/* multiplication in F_256 */ -#define MULT(a,b) (multab[a-1][b]) - -/* NIST requirements definitions */ -typedef unsigned char BitSequence; -typedef uint64_t DataLength; -typedef enum {SUCCESS=0, FAIL=1, BAD_HASHBITLEN=2 } HashReturn; -typedef enum {FULL = 0, NOT_FULL = 1 } INTERMEDIATE_RESULT; - -typedef struct { - /* statematrix[Y][X] */ - unsigned char hs_State[NUMROWSCOLUMNS][NUMROWSCOLUMNS]; - - /* matrix for checksum */ - unsigned char hs_Checksum[NUMROWSCOLUMNS][NUMROWSCOLUMNS]; - - /* Processed message bits */ - DataLength hs_ProcessedMsgLen; - - /* Unprocessed message block */ - BitSequence hs_Data[STATESIZE]; - - /* size of data hs_Data, in bits*/ - uint64_t hs_DataBitLen; - - /* Twist counter, prevents slide attacks, counts the number of twist operations */ - uint64_t hs_Counter; - - /* output hash bit length, in bits */ - uint64_t hs_HashBitLen; - -} hashState; - - -/******************************************************************/ -/************************* N I S T A P I ***********************/ -/******************************************************************/ - -/* Initiate Twister */ -HashReturn Init(hashState *state, int hashbitlen); - -/* Process the supplied data */ -HashReturn Update(hashState *state, const BitSequence *data, - DataLength databitlen); - -/* Perform any post processing and output filtering */ -HashReturn Final(hashState *state, BitSequence *hashval); - -/* Hash the supplied data and provie the resulting hash value */ -HashReturn Hash(int hashbitlen, const BitSequence *data, - DataLength databitlen, BitSequence *hashval); - - -/* only for testing */ -INTERMEDIATE_RESULT fill_intermediate_state( hashState *state, const BitSequence *data, DataLength *databitlen, DataLength *processed ); -void twist( hashState *state, uint64_t *data ); -void twist_mini_round( hashState *state ); -void checksum( hashState *state, int col ); - - -#endif /* TWISTER_REF_H_ */ diff --git a/twister_tables.h b/twister_tables.h deleted file mode 100644 index b0f145c..0000000 --- a/twister_tables.h +++ /dev/null @@ -1,232 +0,0 @@ -/****************************************************************** - * S-BOX for Twister - * - * - *******************************************************************/ - -#include "config.h" -#include -#include - -static const uint8_t twister_sbox[256] PROGMEM = { - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, - 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, - 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, - 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, - 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, - 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, - 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, - 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, - 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, - 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, - 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, - 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, - 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, - 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, - 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, - 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, - 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, - 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, - 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, - 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, - 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, - 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, - 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, - 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, - 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, - 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, - 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 -}; - -#ifndef TWISTER_MUL_TABLE - - -/* Twister MDS matrix */ -static const uint8_t twister_mds[8][8] PROGMEM = { - {2, 1, 1, 5, 7, 8, 6, 1}, - {1, 2, 1, 1, 5, 7, 8, 6}, - {6, 1, 2, 1, 1, 5, 7, 8}, - {8, 6, 1, 2, 1, 1, 5, 7}, - {7, 8, 6, 1, 2, 1, 1, 5}, - {5, 7, 8, 6, 1, 2, 1, 1}, - {1, 5, 7, 8, 6, 1, 2, 1}, - {1, 1, 5, 7, 8, 6, 1, 2} -}; - -#else - -#define S1 0 -#define S2 1 -#define S3 X -#define S4 X -#define S5 2 -#define S6 3 -#define S7 4 -#define S8 5 - -static const uint8_t twister_mds[8][8] PROGMEM = { - {S2, S1, S1, S5, S7, S8, S6, S1}, - {S1, S2, S1, S1, S5, S7, S8, S6}, - {S6, S1, S2, S1, S1, S5, S7, S8}, - {S8, S6, S1, S2, S1, S1, S5, S7}, - {S7, S8, S6, S1, S2, S1, S1, S5}, - {S5, S7, S8, S6, S1, S2, S1, S1}, - {S1, S5, S7, S8, S6, S1, S2, S1}, - {S1, S1, S5, S7, S8, S6, S1, S2} -}; - -static const uint8_t twister_multab[8][256] PROGMEM = { - { /* 1 */ - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, - 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, - 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, - 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, - 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, - 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, - 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, - 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, - 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, - 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, - 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, - 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, - 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, - 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, - 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, - 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255 - }, - { /* 2 */ - 0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, - 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, - 64, 66, 68, 70, 72, 74, 76, 78, 80, 82, 84, 86, 88, 90, 92, 94, - 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, - 128, 130, 132, 134, 136, 138, 140, 142, 144, 146, 148, 150, 152, 154, 156, 158, - 160, 162, 164, 166, 168, 170, 172, 174, 176, 178, 180, 182, 184, 186, 188, 190, - 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, - 224, 226, 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, 248, 250, 252, 254, - 77, 79, 73, 75, 69, 71, 65, 67, 93, 95, 89, 91, 85, 87, 81, 83, - 109, 111, 105, 107, 101, 103, 97, 99, 125, 127, 121, 123, 117, 119, 113, 115, - 13, 15, 9, 11, 5, 7, 1, 3, 29, 31, 25, 27, 21, 23, 17, 19, - 45, 47, 41, 43, 37, 39, 33, 35, 61, 63, 57, 59, 53, 55, 49, 51, - 205, 207, 201, 203, 197, 199, 193, 195, 221, 223, 217, 219, 213, 215, 209, 211, - 237, 239, 233, 235, 229, 231, 225, 227, 253, 255, 249, 251, 245, 247, 241, 243, - 141, 143, 137, 139, 133, 135, 129, 131, 157, 159, 153, 155, 149, 151, 145, 147, - 173, 175, 169, 171, 165, 167, 161, 163, 189, 191, 185, 187, 181, 183, 177, 179 - }, -/* { / * 3 * / - 0, 3, 6, 5, 12, 15, 10, 9, 24, 27, 30, 29, 20, 23, 18, 17, - 48, 51, 54, 53, 60, 63, 58, 57, 40, 43, 46, 45, 36, 39, 34, 33, - 96, 99, 102, 101, 108, 111, 106, 105, 120, 123, 126, 125, 116, 119, 114, 113, - 80, 83, 86, 85, 92, 95, 90, 89, 72, 75, 78, 77, 68, 71, 66, 65, - 192, 195, 198, 197, 204, 207, 202, 201, 216, 219, 222, 221, 212, 215, 210, 209, - 240, 243, 246, 245, 252, 255, 250, 249, 232, 235, 238, 237, 228, 231, 226, 225, - 160, 163, 166, 165, 172, 175, 170, 169, 184, 187, 190, 189, 180, 183, 178, 177, - 144, 147, 150, 149, 156, 159, 154, 153, 136, 139, 142, 141, 132, 135, 130, 129, - 205, 206, 203, 200, 193, 194, 199, 196, 213, 214, 211, 208, 217, 218, 223, 220, - 253, 254, 251, 248, 241, 242, 247, 244, 229, 230, 227, 224, 233, 234, 239, 236, - 173, 174, 171, 168, 161, 162, 167, 164, 181, 182, 179, 176, 185, 186, 191, 188, - 157, 158, 155, 152, 145, 146, 151, 148, 133, 134, 131, 128, 137, 138, 143, 140, - 13, 14, 11, 8, 1, 2, 7, 4, 21, 22, 19, 16, 25, 26, 31, 28, - 61, 62, 59, 56, 49, 50, 55, 52, 37, 38, 35, 32, 41, 42, 47, 44, - 109, 110, 107, 104, 97, 98, 103, 100, 117, 118, 115, 112, 121, 122, 127, 124, - 93, 94, 91, 88, 81, 82, 87, 84, 69, 70, 67, 64, 73, 74, 79, 76 - }, - { / * 4 * / - 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, - 64, 68, 72, 76, 80, 84, 88, 92, 96, 100, 104, 108, 112, 116, 120, 124, - 128, 132, 136, 140, 144, 148, 152, 156, 160, 164, 168, 172, 176, 180, 184, 188, - 192, 196, 200, 204, 208, 212, 216, 220, 224, 228, 232, 236, 240, 244, 248, 252, - 77, 73, 69, 65, 93, 89, 85, 81, 109, 105, 101, 97, 125, 121, 117, 113, - 13, 9, 5, 1, 29, 25, 21, 17, 45, 41, 37, 33, 61, 57, 53, 49, - 205, 201, 197, 193, 221, 217, 213, 209, 237, 233, 229, 225, 253, 249, 245, 241, - 141, 137, 133, 129, 157, 153, 149, 145, 173, 169, 165, 161, 189, 185, 181, 177, - 154, 158, 146, 150, 138, 142, 130, 134, 186, 190, 178, 182, 170, 174, 162, 166, - 218, 222, 210, 214, 202, 206, 194, 198, 250, 254, 242, 246, 234, 238, 226, 230, - 26, 30, 18, 22, 10, 14, 2, 6, 58, 62, 50, 54, 42, 46, 34, 38, - 90, 94, 82, 86, 74, 78, 66, 70, 122, 126, 114, 118, 106, 110, 98, 102, - 215, 211, 223, 219, 199, 195, 207, 203, 247, 243, 255, 251, 231, 227, 239, 235, - 151, 147, 159, 155, 135, 131, 143, 139, 183, 179, 191, 187, 167, 163, 175, 171, - 87, 83, 95, 91, 71, 67, 79, 75, 119, 115, 127, 123, 103, 99, 111, 107, - 23, 19, 31, 27, 7, 3, 15, 11, 55, 51, 63, 59, 39, 35, 47, 43 - }, -*/ { /* 5 */ - 0, 5, 10, 15, 20, 17, 30, 27, 40, 45, 34, 39, 60, 57, 54, 51, - 80, 85, 90, 95, 68, 65, 78, 75, 120, 125, 114, 119, 108, 105, 102, 99, - 160, 165, 170, 175, 180, 177, 190, 187, 136, 141, 130, 135, 156, 153, 150, 147, - 240, 245, 250, 255, 228, 225, 238, 235, 216, 221, 210, 215, 204, 201, 198, 195, - 13, 8, 7, 2, 25, 28, 19, 22, 37, 32, 47, 42, 49, 52, 59, 62, - 93, 88, 87, 82, 73, 76, 67, 70, 117, 112, 127, 122, 97, 100, 107, 110, - 173, 168, 167, 162, 185, 188, 179, 182, 133, 128, 143, 138, 145, 148, 155, 158, - 253, 248, 247, 242, 233, 236, 227, 230, 213, 208, 223, 218, 193, 196, 203, 206, - 26, 31, 16, 21, 14, 11, 4, 1, 50, 55, 56, 61, 38, 35, 44, 41, - 74, 79, 64, 69, 94, 91, 84, 81, 98, 103, 104, 109, 118, 115, 124, 121, - 186, 191, 176, 181, 174, 171, 164, 161, 146, 151, 152, 157, 134, 131, 140, 137, - 234, 239, 224, 229, 254, 251, 244, 241, 194, 199, 200, 205, 214, 211, 220, 217, - 23, 18, 29, 24, 3, 6, 9, 12, 63, 58, 53, 48, 43, 46, 33, 36, - 71, 66, 77, 72, 83, 86, 89, 92, 111, 106, 101, 96, 123, 126, 113, 116, - 183, 178, 189, 184, 163, 166, 169, 172, 159, 154, 149, 144, 139, 142, 129, 132, - 231, 226, 237, 232, 243, 246, 249, 252, 207, 202, 197, 192, 219, 222, 209, 212 - }, - { /* 6 */ - 0, 6, 12, 10, 24, 30, 20, 18, 48, 54, 60, 58, 40, 46, 36, 34, - 96, 102, 108, 106, 120, 126, 116, 114, 80, 86, 92, 90, 72, 78, 68, 66, - 192, 198, 204, 202, 216, 222, 212, 210, 240, 246, 252, 250, 232, 238, 228, 226, - 160, 166, 172, 170, 184, 190, 180, 178, 144, 150, 156, 154, 136, 142, 132, 130, - 205, 203, 193, 199, 213, 211, 217, 223, 253, 251, 241, 247, 229, 227, 233, 239, - 173, 171, 161, 167, 181, 179, 185, 191, 157, 155, 145, 151, 133, 131, 137, 143, - 13, 11, 1, 7, 21, 19, 25, 31, 61, 59, 49, 55, 37, 35, 41, 47, - 109, 107, 97, 103, 117, 115, 121, 127, 93, 91, 81, 87, 69, 67, 73, 79, - 215, 209, 219, 221, 207, 201, 195, 197, 231, 225, 235, 237, 255, 249, 243, 245, - 183, 177, 187, 189, 175, 169, 163, 165, 135, 129, 139, 141, 159, 153, 147, 149, - 23, 17, 27, 29, 15, 9, 3, 5, 39, 33, 43, 45, 63, 57, 51, 53, - 119, 113, 123, 125, 111, 105, 99, 101, 71, 65, 75, 77, 95, 89, 83, 85, - 26, 28, 22, 16, 2, 4, 14, 8, 42, 44, 38, 32, 50, 52, 62, 56, - 122, 124, 118, 112, 98, 100, 110, 104, 74, 76, 70, 64, 82, 84, 94, 88, - 218, 220, 214, 208, 194, 196, 206, 200, 234, 236, 230, 224, 242, 244, 254, 248, - 186, 188, 182, 176, 162, 164, 174, 168, 138, 140, 134, 128, 146, 148, 158, 152 - }, - { /* 7 */ - 0, 7, 14, 9, 28, 27, 18, 21, 56, 63, 54, 49, 36, 35, 42, 45, - 112, 119, 126, 121, 108, 107, 98, 101, 72, 79, 70, 65, 84, 83, 90, 93, - 224, 231, 238, 233, 252, 251, 242, 245, 216, 223, 214, 209, 196, 195, 202, 205, - 144, 151, 158, 153, 140, 139, 130, 133, 168, 175, 166, 161, 180, 179, 186, 189, - 141, 138, 131, 132, 145, 150, 159, 152, 181, 178, 187, 188, 169, 174, 167, 160, - 253, 250, 243, 244, 225, 230, 239, 232, 197, 194, 203, 204, 217, 222, 215, 208, - 109, 106, 99, 100, 113, 118, 127, 120, 85, 82, 91, 92, 73, 78, 71, 64, - 29, 26, 19, 20, 1, 6, 15, 8, 37, 34, 43, 44, 57, 62, 55, 48, - 87, 80, 89, 94, 75, 76, 69, 66, 111, 104, 97, 102, 115, 116, 125, 122, - 39, 32, 41, 46, 59, 60, 53, 50, 31, 24, 17, 22, 3, 4, 13, 10, - 183, 176, 185, 190, 171, 172, 165, 162, 143, 136, 129, 134, 147, 148, 157, 154, - 199, 192, 201, 206, 219, 220, 213, 210, 255, 248, 241, 246, 227, 228, 237, 234, - 218, 221, 212, 211, 198, 193, 200, 207, 226, 229, 236, 235, 254, 249, 240, 247, - 170, 173, 164, 163, 182, 177, 184, 191, 146, 149, 156, 155, 142, 137, 128, 135, - 58, 61, 52, 51, 38, 33, 40, 47, 2, 5, 12, 11, 30, 25, 16, 23, - 74, 77, 68, 67, 86, 81, 88, 95, 114, 117, 124, 123, 110, 105, 96, 103 - }, - { /* 8 */ - 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, - 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248, - 77, 69, 93, 85, 109, 101, 125, 117, 13, 5, 29, 21, 45, 37, 61, 53, - 205, 197, 221, 213, 237, 229, 253, 245, 141, 133, 157, 149, 173, 165, 189, 181, - 154, 146, 138, 130, 186, 178, 170, 162, 218, 210, 202, 194, 250, 242, 234, 226, - 26, 18, 10, 2, 58, 50, 42, 34, 90, 82, 74, 66, 122, 114, 106, 98, - 215, 223, 199, 207, 247, 255, 231, 239, 151, 159, 135, 143, 183, 191, 167, 175, - 87, 95, 71, 79, 119, 127, 103, 111, 23, 31, 7, 15, 55, 63, 39, 47, - 121, 113, 105, 97, 89, 81, 73, 65, 57, 49, 41, 33, 25, 17, 9, 1, - 249, 241, 233, 225, 217, 209, 201, 193, 185, 177, 169, 161, 153, 145, 137, 129, - 52, 60, 36, 44, 20, 28, 4, 12, 116, 124, 100, 108, 84, 92, 68, 76, - 180, 188, 164, 172, 148, 156, 132, 140, 244, 252, 228, 236, 212, 220, 196, 204, - 227, 235, 243, 251, 195, 203, 211, 219, 163, 171, 179, 187, 131, 139, 147, 155, - 99, 107, 115, 123, 67, 75, 83, 91, 35, 43, 51, 59, 3, 11, 19, 27, - 174, 166, 190, 182, 142, 134, 158, 150, 238, 230, 254, 246, 206, 198, 222, 214, - 46, 38, 62, 54, 14, 6, 30, 22, 110, 102, 126, 118, 78, 70, 94, 86 - } -}; - -#endif - - diff --git a/ubi.h b/ubi.h deleted file mode 100644 index 1471881..0000000 --- a/ubi.h +++ /dev/null @@ -1,93 +0,0 @@ -/* ubi.h */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#ifndef UBI_H_ -#define UBI_H_ - -#include - -#define UBI_TYPE_KEY 0 -#define UBI_TYPE_CFG 4 -#define UBI_TYPE_PRS 8 -#define UBI_TYPE_PK 12 -#define UBI_TYPE_KDF 16 -#define UBI_TYPE_NON 20 -#define UBI_TYPE_MSG 48 -#define UBI_TYPE_OUT 63 - -#define UBI256_BLOCKSIZE 256 -#define UBI256_BLOCKSIZE_B ((UBI256_BLOCKSIZE+7)/8) - -#define UBI512_BLOCKSIZE 512 -#define UBI512_BLOCKSIZE_B ((UBI512_BLOCKSIZE+7)/8) - -#define UBI1024_BLOCKSIZE 1024 -#define UBI1024_BLOCKSIZE_B ((UBI1024_BLOCKSIZE+7)/8) - - -typedef struct{ - uint8_t tweak[16]; - uint8_t g[32]; -}ubi256_ctx_t; - -typedef struct{ - uint8_t tweak[16]; - uint8_t g[64]; -}ubi512_ctx_t; - -typedef struct{ - uint8_t tweak[16]; - uint8_t g[128]; -}ubi1024_ctx_t; - -void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type); -void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block); -void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b); -void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx); - -void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type); -void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block); -void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b); -void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx); - -void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type); -void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block); -void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b); -void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx); - -typedef struct{ - char schema[4]; - uint16_t version; - uint16_t reserved1; - uint64_t out_length; - uint8_t tree_leaf_size; - uint8_t tree_fan_out; - uint8_t tree_max_height; - uint8_t reserved2[13]; -}skein_config_t; - - -#endif /* UBI_H_ */ diff --git a/ubi1024.c b/ubi1024.c deleted file mode 100644 index ae17cb3..0000000 --- a/ubi1024.c +++ /dev/null @@ -1,76 +0,0 @@ -/* ubi1024.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "threefish.h" -#include "memxor.h" -#include "ubi.h" - -void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, UBI1024_BLOCKSIZE_B); -} - -void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block){ - threefish1024_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI1024_BLOCKSIZE_B; - threefish1024_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI1024_BLOCKSIZE_B); - threefish1024_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI1024_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} - - -void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish1024_ctx_t tfctx; - while(length_b>UBI1024_BLOCKSIZE){ - ubi1024_nextBlock(ctx, block); - block = (uint8_t*)block + UBI1024_BLOCKSIZE_B; - length_b -= UBI1024_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07) - ctx->tweak[14] |= 0x80; - threefish1024_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI1024_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07) - ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); - threefish1024_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } -} - -void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI1024_BLOCKSIZE_B); -} - diff --git a/ubi1024_asm.S b/ubi1024_asm.S deleted file mode 100644 index 28b6451..0000000 --- a/ubi1024_asm.S +++ /dev/null @@ -1,328 +0,0 @@ -/* ubi1024_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void ubi1024_init(ubi1024_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, UBI1024_BLOCKSIZE_B); -} -*/ -/* - * param ctx: r24:r25 - * param g: r22:r23 - * param type: r20 - */ -.global ubi1024_init -ubi1024_init: - movw r26, r24 - ldi r21, 15 -1: st X+, r1 - dec r21 - brne 1b - ori r20, 0x40 - st X+, r20 - ldi r21, 128 - movw r30, r22 -2: ld r20, Z+ - st X+, r20 - dec r21 - brne 2b - ret - -/******************************************************************************/ -/* -void ubi1024_ctx2hash(void* dest, const ubi1024_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI1024_BLOCKSIZE_B); -} -*/ -/* - * param dest: r24:r24 - * param ctx: r22:r23 - */ -.global ubi1024_ctx2hash -ubi1024_ctx2hash: - movw r26, r24 - movw r30, r22 - adiw r30, 16 - ldi r22, 128 -1: ld r23, Z+ - st X+, r23 - dec r22 - brne 1b - ret - -/******************************************************************************/ -/* -void ubi1024_nextBlock(ubi1024_ctx_t* ctx, const void* block){ - threefish1024_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI1024_BLOCKSIZE_B; - threefish1024_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI1024_BLOCKSIZE_B); - threefish1024_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI1024_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - */ -CTX0 = 2 -CTX1 = 3 -BLOCK0 = 4 -BLOCK1 = 5 -TFCTX0 = 6 -TFCTX1 = 7 -.global ubi1024_nextBlock -ubi1024_nextBlock: - stack_alloc_large 20*8 - push_range 2, 7 - adiw r30, 1 /* Z points to tfctx */ - movw TFCTX0, r30 - movw CTX0, r24 - movw BLOCK0, r22 - movw r26, r24 -/* add BLOCKSIZE_B (128) to tweak */ - ldi r25, 128 - ld r24, X - add r24, r25 - st X+, r24 - ldi r25, 11 -1: ld r24, X - adc r24, r1 - st X+, r24 - dec r25 - brne 1b -/* call threefish1024_init */ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points to ctx->g */ - movw r20, TFCTX0 - rcall threefish1024_init - /* copy block to ctx->g */ - movw r26, CTX0 - movw r30, BLOCK0 - ldi r25, 128 -1: ld r24, Z+ - st X+, r24 - dec r25 - brne 1b -/* call threefish1024_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish1024_enc -/* xor block into ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - ldi r25, 128 -1: ld r24, X+ - ld r23, Z - eor r23, r24 - st Z+, r23 - dec r25 - brne 1b -/* clear 'first' bit in tweak */ - sbiw r30, 1+2 - sbiw r30, 63 - sbiw r30, 63 - ld r24, Z - andi r24, ~0x40 - st Z, r24 -exit: - pop_range 2, 7 - stack_free_large2 20*8 - ret - -/******************************************************************************/ -/* -void ubi1024_lastBlock(ubi1024_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish1024_ctx_t tfctx; - while(length_b>UBI1024_BLOCKSIZE){ - ubi1024_nextBlock(ctx, block); - block = (uint8_t*)block + UBI1024_BLOCKSIZE_B; - length_b -= UBI1024_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07) - ctx->tweak[14] |= 0x80; - threefish1024_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI1024_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07) - ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); - threefish1024_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - * param ength_b: r20:r21 - */ -MASK_B = 8 -LEN_B = 9 -TFCTX0 = 10 -TFCTX1 = 11 -CTX0 = 12 -CTX1 = 13 -BLOCK0 = 14 -BLOCK1 = 15 -LENGTH0 = 16 -LENGTH1 = 17 -.global ubi1024_lastBlock -ubi1024_lastBlock: -/* run nextBlock for preceding blocks*/ - push_range 8, 17 - movw CTX0, r24 - movw BLOCK0, r22 - movw LENGTH0, r20 -1: cpi LENGTH1, 5 - brlo 2f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi1024_nextBlock - ldi r25, 128 - add BLOCK0, r25 - adc BLOCK1, r1 - subi LENGTH1, 4 - rjmp 1b -2: cpi LENGTH1, 4 - brlo 3f - tst LENGTH0 - breq 3f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi1024_nextBlock - ldi r25, 128 - add BLOCK0, r25 - adc BLOCK1, r1 - subi LENGTH1, 4 -3: /* now the real fun */ - stack_alloc_large 20*8 - adiw r30, 1 - movw TFCTX0, r30 - /* calculate LEN_B */ - movw r24, LENGTH0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r25 - ror r24 - lsr r25 - ror r24 - mov LEN_B, r24 - /* add length to tweak */ - movw r30, CTX0 - ld r24, Z - add r24, LEN_B - st Z+, r24 - ldi r25, 11 -1: ld r24, Z - adc r24, r1 - st Z+, r24 - dec r25 - brne 1b - /* set 'final' bit*/ - movw r30, CTX0 - ldd r24, Z+15 - ori r24, 0x80 - std Z+15, r24 - /* store in MASK_B if we do bit processing and set 'BitPad' bit*/ - clr MASK_B - mov r24, LENGTH0 - andi r24, 0x07 - tst r24 - breq 4f - ldd r25, Z+14 - ori r25, 0x80 - std Z+14, r25 - ldi r25, 0x80 - mov MASK_B, r25 -1: lsr MASK_B - dec r24 - brne 1b -4: /* call threefish1024_init*/ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points at ctx->g */ - movw r20, TFCTX0 - rcall threefish1024_init - /* copy block to ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - mov r24, LEN_B - ldi r25, 128 - sub r25, LEN_B - tst r24 -1: breq 2f - ld r22, X+ - st Z+, r22 - dec r24 - rjmp 1b -2: tst MASK_B - breq 29f - or r22, MASK_B - st -Z, r22 - adiw r30, 1 -29: tst r25 -3: breq 4f - st Z+, r1 - dec r25 - rjmp 3b -4: /* call threefish1024_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish1024_enc - /* xor block into ctx->g */ - movw r30, CTX0 - movw r26, BLOCK0 - tst LEN_B -5: breq 6f - ld r22, X+ - ld r23, Z - eor r23, r22 - st Z+, r23 - dec LEN_B - rjmp 5b -6: tst MASK_B - breq 7f - eor r23, MASK_B - st -Z, r23 - -7: stack_free_large2 20*8 - pop_range 8, 17 - ret - - diff --git a/ubi256.c b/ubi256.c deleted file mode 100644 index 09eb1e9..0000000 --- a/ubi256.c +++ /dev/null @@ -1,80 +0,0 @@ -/* ubi256.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "threefish.h" -#include "memxor.h" -#include "ubi.h" - -void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, 32); -} - -void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block){ - threefish256_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI256_BLOCKSIZE_B; - threefish256_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI256_BLOCKSIZE_B); - threefish256_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI256_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} - - -void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish256_ctx_t tfctx; - while(length_b>UBI256_BLOCKSIZE){ - ubi256_nextBlock(ctx, block); - block = (uint8_t*)block + UBI256_BLOCKSIZE_B; - length_b -= UBI256_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07){ - ctx->tweak[14] |= 0x80; - } - threefish256_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI256_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] |= 0x80>>(length_b&7); - ctx->g[((length_b+7)/8)-1] &= ~((0x80>>(length_b&7))-1); - } - threefish256_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } - -} - -void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI256_BLOCKSIZE_B); -} - diff --git a/ubi256_asm.S b/ubi256_asm.S deleted file mode 100644 index e5e6f9c..0000000 --- a/ubi256_asm.S +++ /dev/null @@ -1,327 +0,0 @@ -/* ubi256_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-16 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void ubi256_init(ubi256_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, 32); -} -*/ -/* - * param ctx: r24:r25 - * param g: r22:r23 - * param type: r20 - */ -.global ubi256_init -ubi256_init: - movw r26, r24 - ldi r21, 15 -1: st X+, r1 - dec r21 - brne 1b - ori r20, 0x40 - st X+, r20 - ldi r21, 32 - movw r30, r22 -2: ld r20, Z+ - st X+, r20 - dec r21 - brne 2b - ret - -/******************************************************************************/ -/* -void ubi256_ctx2hash(void* dest, const ubi256_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI256_BLOCKSIZE_B); -} -*/ -/* - * param dest: r24:r24 - * param ctx: r22:r23 - */ -.global ubi256_ctx2hash -ubi256_ctx2hash: - movw r26, r24 - movw r30, r22 - adiw r30, 16 - ldi r22, 32 -1: ld r23, Z+ - st X+, r23 - dec r22 - brne 1b - ret - -/******************************************************************************/ -/* -void ubi256_nextBlock(ubi256_ctx_t* ctx, const void* block){ - threefish256_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI256_BLOCKSIZE_B; - threefish256_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI256_BLOCKSIZE_B); - threefish256_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI256_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - */ -CTX0 = 2 -CTX1 = 3 -BLOCK0 = 4 -BLOCK1 = 5 -TFCTX0 = 6 -TFCTX1 = 7 -.global ubi256_nextBlock -ubi256_nextBlock: - stack_alloc_large 64 - push_range 2, 7 - adiw r30, 1 /* Z points to tfctx */ - movw TFCTX0, r30 - movw CTX0, r24 - movw BLOCK0, r22 - movw r26, r24 -/* add BLOCKSIZE_B (32) to tweak */ - ldi r25, 32 - ld r24, X - add r24, r25 - st X+, r24 - ldi r25, 11 -1: ld r24, X - adc r24, r1 - st X+, r24 - dec r25 - brne 1b -/* call threefish256_init */ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points to ctx->g */ - movw r20, TFCTX0 - rcall threefish256_init - /* copy block to ctx->g */ - movw r26, CTX0 - movw r30, BLOCK0 - ldi r25, 32 -1: ld r24, Z+ - st X+, r24 - dec r25 - brne 1b -/* call threefish256_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish256_enc -/* xor block into ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - ldi r25, 32 -1: ld r24, X+ - ld r23, Z - eor r23, r24 - st Z+, r23 - dec r25 - brne 1b -/* clear 'first' bit in tweak */ - sbiw r30, 33 - ld r24, Z - andi r24, ~0x40 - st Z, r24 -exit: - pop_range 2, 7 - stack_free_large 64 - ret - -/******************************************************************************/ -/* -void ubi256_lastBlock(ubi256_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish256_ctx_t tfctx; - while(length_b>UBI256_BLOCKSIZE){ - ubi256_nextBlock(ctx, block); - block = (uint8_t*)block + UBI256_BLOCKSIZE_B; - length_b -= UBI256_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07){ - ctx->tweak[14] |= 0x80; - } - threefish256_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI256_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] |= 0x80>>(length_b&7); - ctx->g[((length_b+7)/8)-1] &= ~((0x80>>(length_b&7))-1); - } - threefish256_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - * param ength_b: r20:r21 - */ -MASK_B = 8 -LEN_B = 9 -TFCTX0 = 10 -TFCTX1 = 11 -CTX0 = 12 -CTX1 = 13 -BLOCK0 = 14 -BLOCK1 = 15 -LENGTH0 = 16 -LENGTH1 = 17 -.global ubi256_lastBlock -ubi256_lastBlock: -/* run nextBlock for preceding blocks*/ - push_range 8, 17 - movw CTX0, r24 - movw BLOCK0, r22 - movw LENGTH0, r20 -1: cpi LENGTH1, 2 - brlo 2f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi256_nextBlock - ldi r25, 32 - add BLOCK0, r25 - adc BLOCK1, r1 - dec LENGTH1 - rjmp 1b -2: tst LENGTH1 - breq 3f - tst LENGTH0 - breq 3f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi256_nextBlock - ldi r25, 32 - add BLOCK0, r25 - adc BLOCK1, r1 - dec LENGTH1 -3: /* now the real fun */ - stack_alloc_large 64 - adiw r30, 1 - movw TFCTX0, r30 - /* calculate LEN_B */ - movw r24, LENGTH0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r24 - lsr r24 - mov LEN_B, r24 - /* add length to tweak */ - movw r30, CTX0 - ld r24, Z - add r24, LEN_B - st Z+, r24 - ldi r25, 11 -1: ld r24, Z - adc r24, r1 - st Z+, r24 - dec r25 - brne 1b - /* set 'final' bit*/ - movw r30, CTX0 - ldd r24, Z+15 - ori r24, 0x80 - std Z+15, r24 - /* store in T if we do bit processing and set 'BitPad' bit*/ - clr MASK_B - mov r24, LENGTH0 - andi r24, 0x07 - tst r24 - breq 4f - ldd r25, Z+14 - ori r25, 0x80 - std Z+14, r25 - ldi r25, 0x80 - mov MASK_B, r25 -1: lsr MASK_B - dec r24 - brne 1b -4: /* call threefish256_init*/ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points at ctx->g */ - movw r20, TFCTX0 - rcall threefish256_init - /* copy block to ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - mov r24, LEN_B - ldi r25, 32 - sub r25, LEN_B - tst r24 -1: breq 2f - ld r22, X+ - st Z+, r22 - dec r24 - rjmp 1b -2: tst MASK_B - breq 29f - or r22, MASK_B - st -Z, r22 - adiw r30, 1 -29: tst r25 -3: breq 4f - st Z+, r1 - dec r25 - rjmp 3b -4: /* call threefish256_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish256_enc - /* xor block into ctx->g */ - movw r30, CTX0 - movw r26, BLOCK0 - tst LEN_B -5: breq 6f - ld r22, X+ - ld r23, Z - eor r23, r22 - st Z+, r23 - dec LEN_B - rjmp 5b -6: tst MASK_B - breq 7f - eor r23, MASK_B - st -Z, r23 - -7: stack_free_large 64 - pop_range 8, 17 - ret - - diff --git a/ubi512.c b/ubi512.c deleted file mode 100644 index d6bab2d..0000000 --- a/ubi512.c +++ /dev/null @@ -1,76 +0,0 @@ -/* ubi512.c */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-12 - * \license GPLv3 or later - * - */ - -#include -#include -#include "threefish.h" -#include "memxor.h" -#include "ubi.h" - -void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, UBI512_BLOCKSIZE_B); -} - -void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block){ - threefish512_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI512_BLOCKSIZE_B; - threefish512_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI512_BLOCKSIZE_B); - threefish512_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI512_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} - - -void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish512_ctx_t tfctx; - while(length_b>UBI512_BLOCKSIZE){ - ubi512_nextBlock(ctx, block); - block = (uint8_t*)block + UBI512_BLOCKSIZE_B; - length_b -= UBI512_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07) - ctx->tweak[14] |= 0x80; - threefish512_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI512_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07) - ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); - threefish512_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } -} - -void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI512_BLOCKSIZE_B); -} - diff --git a/ubi512_asm.S b/ubi512_asm.S deleted file mode 100644 index 6a17c48..0000000 --- a/ubi512_asm.S +++ /dev/null @@ -1,326 +0,0 @@ -/* ubi512_asm.S */ -/* - This file is part of the AVR-Crypto-Lib. - Copyright (C) 2009 Daniel Otte (daniel.otte@rub.de) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ -/* - * \author Daniel Otte - * \email daniel.otte@rub.de - * \date 2009-03-25 - * \license GPLv3 or later - */ - -#include "avr-asm-macros.S" - -/******************************************************************************/ -/* -void ubi512_init(ubi512_ctx_t* ctx, const void* g, uint8_t type){ - memset(ctx->tweak, 0, 15); - ctx->tweak[15] = 0x40+type; - memcpy(ctx->g, g, UBI512_BLOCKSIZE_B); -} -*/ -/* - * param ctx: r24:r25 - * param g: r22:r23 - * param type: r20 - */ -.global ubi512_init -ubi512_init: - movw r26, r24 - ldi r21, 15 -1: st X+, r1 - dec r21 - brne 1b - ori r20, 0x40 - st X+, r20 - ldi r21, 64 - movw r30, r22 -2: ld r20, Z+ - st X+, r20 - dec r21 - brne 2b - ret - -/******************************************************************************/ -/* -void ubi512_ctx2hash(void* dest, const ubi512_ctx_t* ctx){ - memcpy(dest, ctx->g, UBI512_BLOCKSIZE_B); -} -*/ -/* - * param dest: r24:r24 - * param ctx: r22:r23 - */ -.global ubi512_ctx2hash -ubi512_ctx2hash: - movw r26, r24 - movw r30, r22 - adiw r30, 16 - ldi r22, 64 -1: ld r23, Z+ - st X+, r23 - dec r22 - brne 1b - ret - -/******************************************************************************/ -/* -void ubi512_nextBlock(ubi512_ctx_t* ctx, const void* block){ - threefish512_ctx_t tfctx; - ((uint64_t*)(ctx->tweak))[0] += UBI512_BLOCKSIZE_B; - threefish512_init(ctx->g, ctx->tweak, &tfctx); - memcpy(ctx->g, block, UBI512_BLOCKSIZE_B); - threefish512_enc(ctx->g, &tfctx); - memxor(ctx->g, block, UBI512_BLOCKSIZE_B); - ctx->tweak[15] &= (uint8_t)~0x40; -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - */ -CTX0 = 2 -CTX1 = 3 -BLOCK0 = 4 -BLOCK1 = 5 -TFCTX0 = 6 -TFCTX1 = 7 -.global ubi512_nextBlock -ubi512_nextBlock: - stack_alloc_large 12*8 - push_range 2, 7 - adiw r30, 1 /* Z points to tfctx */ - movw TFCTX0, r30 - movw CTX0, r24 - movw BLOCK0, r22 - movw r26, r24 -/* add BLOCKSIZE_B (64) to tweak */ - ldi r25, 64 - ld r24, X - add r24, r25 - st X+, r24 - ldi r25, 11 -1: ld r24, X - adc r24, r1 - st X+, r24 - dec r25 - brne 1b -/* call threefish512_init */ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points to ctx->g */ - movw r20, TFCTX0 - rcall threefish512_init - /* copy block to ctx->g */ - movw r26, CTX0 - movw r30, BLOCK0 - ldi r25, 64 -1: ld r24, Z+ - st X+, r24 - dec r25 - brne 1b -/* call threefish512_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish512_enc -/* xor block into ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - ldi r25, 64 -1: ld r24, X+ - ld r23, Z - eor r23, r24 - st Z+, r23 - dec r25 - brne 1b -/* clear 'first' bit in tweak */ - sbiw r30, 33 - sbiw r30, 32 - ld r24, Z - andi r24, ~0x40 - st Z, r24 -exit: - pop_range 2, 7 - stack_free_large 12*8 - ret - -/******************************************************************************/ -/* -void ubi512_lastBlock(ubi512_ctx_t* ctx, const void* block, uint16_t length_b){ - threefish512_ctx_t tfctx; - while(length_b>UBI512_BLOCKSIZE){ - ubi512_nextBlock(ctx, block); - block = (uint8_t*)block + UBI512_BLOCKSIZE_B; - length_b -= UBI512_BLOCKSIZE; - } - ctx->tweak[15] |= 0x80; - ((uint64_t*)(ctx->tweak))[0] += (length_b+7)/8; - if(length_b & 0x07) - ctx->tweak[14] |= 0x80; - threefish512_init(ctx->g, ctx->tweak, &tfctx); - memset(ctx->g, 0, UBI512_BLOCKSIZE_B); - memcpy(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07) - ctx->g[(length_b+7)/8-1] |= 0x80>>(length_b&7); - threefish512_enc(ctx->g, &tfctx); - memxor(ctx->g, block, (length_b+7)/8); - if(length_b & 0x07){ - ctx->g[((length_b+7)/8)-1] ^= 0x80>>(length_b&7); - } -} -*/ -/* - * param ctx: r24:r25 - * param block: r22:r23 - * param ength_b: r20:r21 - */ -MASK_B = 8 -LEN_B = 9 -TFCTX0 = 10 -TFCTX1 = 11 -CTX0 = 12 -CTX1 = 13 -BLOCK0 = 14 -BLOCK1 = 15 -LENGTH0 = 16 -LENGTH1 = 17 -.global ubi512_lastBlock -ubi512_lastBlock: -/* run nextBlock for preceding blocks*/ - push_range 8, 17 - movw CTX0, r24 - movw BLOCK0, r22 - movw LENGTH0, r20 -1: cpi LENGTH1, 3 - brlo 2f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi512_nextBlock - ldi r25, 64 - add BLOCK0, r25 - adc BLOCK1, r1 - subi LENGTH1, 2 - rjmp 1b -2: cpi LENGTH1, 2 - brlo 3f - tst LENGTH0 - breq 3f - movw r24, CTX0 - movw r22, BLOCK0 - rcall ubi512_nextBlock - ldi r25, 64 - add BLOCK0, r25 - adc BLOCK1, r1 - subi LENGTH1, 2 -3: /* now the real fun */ - stack_alloc_large 8*12 - adiw r30, 1 - movw TFCTX0, r30 - /* calculate LEN_B */ - movw r24, LENGTH0 - adiw r24, 7 - lsr r25 - ror r24 - lsr r25 - ror r24 - lsr r24 - mov LEN_B, r24 - /* add length to tweak */ - movw r30, CTX0 - ld r24, Z - add r24, LEN_B - st Z+, r24 - ldi r25, 11 -1: ld r24, Z - adc r24, r1 - st Z+, r24 - dec r25 - brne 1b - /* set 'final' bit*/ - movw r30, CTX0 - ldd r24, Z+15 - ori r24, 0x80 - std Z+15, r24 - /* store in MASk_B if we do bit processing and set 'BitPad' bit*/ - clr MASK_B - mov r24, LENGTH0 - andi r24, 0x07 - tst r24 - breq 4f - ldd r25, Z+14 - ori r25, 0x80 - std Z+14, r25 - ldi r25, 0x80 - mov MASK_B, r25 -1: lsr MASK_B - dec r24 - brne 1b -4: /* call threefish512_init*/ - movw r24, CTX0 - adiw r24, 16 - movw r22, CTX0 - movw CTX0, r24 /* CTX points at ctx->g */ - movw r20, TFCTX0 - rcall threefish512_init - /* copy block to ctx->g */ - movw r26, BLOCK0 - movw r30, CTX0 - mov r24, LEN_B - ldi r25, 64 - sub r25, LEN_B - tst r24 -1: breq 2f - ld r22, X+ - st Z+, r22 - dec r24 - rjmp 1b -2: tst MASK_B - breq 29f - or r22, MASK_B - st -Z, r22 - adiw r30, 1 -29: tst r25 -3: breq 4f - st Z+, r1 - dec r25 - rjmp 3b -4: /* call threefish512_enc */ - movw r24, CTX0 - movw r22, TFCTX0 - rcall threefish512_enc - /* xor block into ctx->g */ - movw r30, CTX0 - movw r26, BLOCK0 - tst LEN_B -5: breq 6f - ld r22, X+ - ld r23, Z - eor r23, r22 - st Z+, r23 - dec LEN_B - rjmp 5b -6: tst MASK_B - breq 7f - eor r23, MASK_B - st -Z, r23 - -7: stack_free_large 8*12 - pop_range 8, 17 - ret - -