1 /* mqq160-sign_P-asm.S */
3 This file is part of the AVR-Crypto-Lib.
4 Copyright (C) 2010 Daniel Otte (daniel.otte@rub.de)
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * \file mqq160-sign_P-asm.S
21 * \email daniel.otte@rub.de
24 * \license GPLv3 or later
28 #include "avr-asm-macros.S"
31 static void mqq_inv_affine_transformation(uint8_t* input_bytes, uint8_t* result, const mqq160_sign_key_t* key){
// Reference C for the assembly routine of the same name further down in this
// file.  Applies the inverse affine transformation (SInv) to the 160-bit input
// and writes 20 bytes to result.  Parts of the body are not in this excerpt.
32 /* The matrix SInv is given as two permutations of 160 elements. */
// The two permutation tables (rp1, rp5) are read from program memory with
// pgm_read_byte below; where r1_ptr/r5_ptr are initialised from the key is not
// shown here (the assembly version loads both pointers from the key struct).
33 uint8_t j, byteindex, bitindex, bitindex_d, byteindex_d, rp1, rp5;
34 uint8_t *r1_ptr, *r5_ptr;
37 /* Initialize H1 and H2 = 0 */
// result doubles as H2 (it is accumulated into by the RP5 branch below);
// h1 is a local scratch buffer, presumably 20 bytes like result -- its
// declaration is not in this excerpt.
39 memset(result, 0, 20);
42 Fill H1 with the bits of InputBytes according to the RP1 permutation
43 and fill H2 with the bits of InputBytes according to the RP5 permutation
// Per permutation entry: the low 3 bits select the bit inside a source byte
// (bitindex); the source byte index and the destination position
// (byteindex_d/bitindex_d) are computed on lines not shown here.
51 rp1 = pgm_read_byte(r1_ptr++);
52 rp5 = pgm_read_byte(r5_ptr++);
54 bitindex = 0x80 >> (rp1&0x07);
// NOTE(review): the test below branches on an input bit whose position is
// chosen by the key's permutation table, i.e. key-dependent control flow.
// Whether this is an exploitable timing channel depends on the threat model
// and on how the assembly version realises the test (not visible here) --
// confirm before relying on it for a secret-key operation.
55 if (input_bytes[byteindex] & bitindex){
56 h1[byteindex_d] ^= bitindex_d;
60 bitindex = 0x80 >> (rp5&0x07);
// Same pattern for the second permutation, accumulating into result (H2).
61 if (input_bytes[byteindex] & bitindex){
62 result[byteindex_d] ^= bitindex_d;
// Mixing step: every result byte is XORed with h1[j] and three further h1
// bytes selected through mod20_table (program memory).  The loop header for j
// is not in this excerpt.
72 result[j] ^= h1[j] ^ h1[pgm_read_byte(j+mod20_table)]
73 ^ h1[pgm_read_byte(8+j+mod20_table)]
74 ^ h1[pgm_read_byte(12+j+mod20_table)];
118 param input_bytes: r24:r25
119 param result: r22:r23
122 ;.global mqq_inv_affine_transformation
; Not exported (the .global above is commented out): the routine is reachable
; only from within this file, via the rcall sites in the sign routine below.
123 mqq_inv_affine_transformation:
; Register plan, from the comments on the following lines: Z first addresses
; the stack scratch h1 and later the rp1 table; Y addresses the key struct;
; X addresses h1 and later result.  h1 is scratch derived from the input and
; the key-dependent permutation; whether it is wiped before the stack frame
; is released is not visible in this excerpt -- confirm.
128 adiw r30, 1 /* Z points to stack space for h1 */
129 movw r28, r20 /* Y points to the key struct in RAM */
131 movw r26, r30 /* X points to h1[0] */
; Key struct layout implied by the two ldd instructions: pointer to rp1 at
; offset 6, pointer to rp5 at offset 8.  The tables themselves are read from
; program memory in the reference C (pgm_read_byte).
132 ldd xrp5_0, Y+8 /* load pointer rp5 to xrp5 */
135 ldd r30, Y+6 /* load pointer to rp1 in Z */
158 movw r26, xres_0 /* X points to result */
181 ; --- now we mix result with h1
182 sbiw r26, 20 /* adjusting X to point at result[0] */
; affine_mix_lut presumably takes the role of mod20_table in the reference C;
; its encoding differs from plain indices (see the .byte rows below) -- the
; loop that consumes it is not in this excerpt.
184 ldi r30, lo8(affine_mix_lut)
185 ldi r31, hi8(affine_mix_lut)
; Tail of the affine_mix_lut data; its label and earlier rows are not shown.
222 .byte 0x84, 0x85, 0x86, 0x87
223 .byte 0xC0, 0xC1, 0xC2, 0xC3
224 .byte 0x40, 0x41, 0x42, 0x43
225 .byte 0x44, 0x45, 0x46, 0x47
226 .byte 0x80, 0x81, 0x82, 0x83
228 /******************************************************************************/
245 ; stack_alloc 25, r26, r27
246 ; adiw r26, 1 /* X points to e[0] */
; The two lines above are disabled: the 25-byte frame holding e[0..8] and
; a[0..7] is set up by the caller.  This routine's label and entry code are
; not in this excerpt.
257 sbiw r26, 9 /* adjust X to point at e[0] */
260 ld r30, Y+ /* Z points to a[0] in progmem */
302 ;------ all inputs are consumed, X points at e[0]
303 ;------ So we finished with obtaining e0 .. e7 and e8
310 We can look at the bits of e0 .. e7 as the columns of a matrix. We want to define 8 variables that hold the rows
311 of that matrix. The variables need to be 16-bit because we put the bits of e0 .. e7 into the upper 8 bits,
312 and the bits of the result will be the least significant bits of a[0] ... a[7].
314 adiw r28, 9 /* Y points at a[0] */
; What follows appears to be an in-place elimination over the 8 rows a[0..7]:
; an upper-triangular pass with row exchanges (label 75), then clearing of the
; entries above the diagonal.  The row operations themselves are not shown.
334 ;------- First we apply upper triangular transformation
335 sbiw r28, 16 /* Y points at a[0] */
336 movw r30, r28 /* Z points at a[0] */
351 movw r28, r30 /* Y points at a[row] */
; NOTE(review): the exchange below is taken only when T is set, so control
; flow depends on the row contents.  Whether those contents are secret-
; dependent cannot be determined from this excerpt -- confirm.
359 /* Y points at a[row] */
360 /* if T is set we have to permute [Y] and [Z] */
370 75: /* permutation done */
396 ;------ Then we eliminate 1s above the main diagonal
425 ;------ The result is in the Least Significant Bits of a[0] ... a[7]
426 /* Z should point at a[0] */
442 /******************************************************************************/
465 stack_alloc 20, r26, r27 /* r1[20] + key */
466 adiw r26, 1 /* X points to stack memory */
; r1[] is a 20-byte stack buffer that receives bytes of the inverse-affine
; output (r1[0]=dest[0] below), i.e. an intermediate of the signature
; computation.  No wiping of this frame is visible in this excerpt; confirm
; that key-derived intermediates are cleared before the frame is released.
470 /* call to mqq_inv_affine_transformation(hash, dest, &key); */
474 rcall mqq_inv_affine_transformation
476 /* r1[0]=((uint8_t*)dest)[0]; */
; Second frame of 25 bytes: presumably the e[0..8]/a[0..7] scratch consumed by
; the solve routine above (its disabled "stack_alloc 25" matches this size).
486 stack_alloc 25, r28, r29
534 rcall mqq_inv_affine_transformation