--- /dev/null
+/* serpent_asm.S */
+/*
+ This file is part of the AVR-Crypto-Lib.
+ Copyright (C) 2008 Daniel Otte (daniel.otte@rub.de)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * File: serpent_sboxes.S
+ * Author: Daniel Otte
+ * Date: 2008-08-07
+ * License: GPLv3 or later
+ * Description: Implementation of the serpent sbox function.
+ *
+ */
+
+#include <avr/io.h>
+#include "avr-asm-macros.S"
+
+/*
+static void serpent_lt(uint8_t *b){
+ X0 = rotl32(X0, 13);
+ X2 = rotl32(X2, 3);
+ X1 ^= X0 ^ X2;
+ X3 ^= X2 ^ (X0 << 3);
+ X1 = rotl32(X1, 1);
+ X3 = rotl32(X3, 7);
+ X0 ^= X1 ^ X3;
+ X2 ^= X3 ^ (X1 << 7);
+ X0 = rotl32(X0, 5);
+ X2 = rotr32(X2, 10);
+}
+*/
+
+#if 0
+A0 = 4
+A1 = 5
+A2 = 6
+A3 = 7
+B0 = 8
+B1 = 9
+B2 = 10
+B3 = 11
+C0 = 12
+C1 = 13
+C2 = 14
+C3 = 15
+D0 = 16
+D1 = 17
+D2 = 18
+D3 = 19
+T0 = 20
+T1 = 21
+T2 = 22
+T3 = 23
+
+serpent_lt:
+ push_range 4, 17
+ movw r26, r24
+ ld A2, X+
+ ld A3, X+
+ ld A0, X+
+ ld A1, X+
+ ldi r20, 3
+ mov r0, A0
+1:
+ lsr r0
+ ror A3
+ ror A2
+ ror A1
+ ror A0
+ dec r20
+ brne 1b
+ ld B0, X+
+ ld B1, X+
+ ld B2, X+
+ ld B3, X+
+
+ ld C2, X+
+ ld C3, X+
+ ld C0, X+
+ ld C1, X+
+ ldi r20, 3
+ mov r0, C0
+1:
+ lsr r0
+ ror C3
+ ror C2
+ ror C1
+ ror C0
+ dec r20
+ brne 1b
+
+ ld D0, X+
+ ld D1, X+
+ ld D2, X+
+ ld D3, X+
+ /* X1 ^= X0 ^ X2; */
+ eor B0, A0
+ eor B0, C0
+ eor B1, A1
+ eor B1, C1
+ eor B2, A2
+ eor B2, C2
+ eor B3, A3
+ eor B3, C3
+ /* X3 ^= X2 ^ (X0 << 3); */
+ mov T0, A0
+ mov T1, A1
+ mov T2, A2
+ mov T3, A3
+ ldi r24, 3
+1:
+ lsl T0
+ rol T1
+ rol T2
+ rol T3
+ dec r24
+ brne 1b
+ eor C0, B0
+ eor C0, T0
+ eor C1, B1
+ eor C1, T1
+ eor C2, B2
+ eor C2, T2
+ eor C3, B3
+ eor C3, T3
+ /* X1 = rotl32(X1, 1); */
+ mov r0, B3
+ lsl r0
+ rol B0
+ rol B1
+ rol B2
+ rol B3
+ /* X3 = rotl32(X3, 7); */
+ mov r0, D3
+ mov D3, D2
+ mov D2, D1
+ mov D1, D0
+ mov D0, r0
+ lsr r0
+ ror D3
+ ror D2
+ ror D1
+ ror D0
+ /* X0 ^= X1 ^ X3; */
+ eor A0, B0
+ eor A0, D0
+ eor A1, B1
+ eor A1, D1
+ eor A2, B2
+ eor A2, D2
+ eor A3, B3
+ eor A3, D3
+ /* X2 ^= X3 ^ (X1 << 7); */
+ mov T1, B0
+ mov T2, B1
+ mov T3, B2
+ clr T0
+ mov r0, B3
+ lsr r0
+ ror T2
+ ror T1
+ ror T0
+ eor C0, D0
+ eor C0, T0
+ eor C1, D1
+ eor C1, T1
+ eor C2, D2
+ eor C2, T2
+ eor C3, D3
+ eor C3, T3
+ /* X0 = rotl32(X0, 5); */
+ ldi r24, 5
+ mov r0, A3
+1:
+ lsl r0
+ rol A0
+ rol A1
+ rol A2
+ rol A3
+ dec r24
+ brne 1b
+ /* X2 = rotr32(X2, 10); */
+ mov r0, C0
+ mov C0, C1
+ mov C1, C2
+ mov C2, C3
+ mov C3, r0
+ ldi r24, 2
+1:
+ lsr r0
+ ror C2
+ ror C1
+ ror C0
+ ror C3
+ dec r24
+ brne 1b
+
+ clr r31
+ ldi r30, D3+1
+ ldi r24, 16
+1:
+ ld r0, -Z
+ st -X, r0
+ dec r24
+ brne 1b
+
+ pop_range 4, 17
+ ret
+#endif
+
+T0 = 22
+T1 = 23
+T2 = 24
+T3 = 25
+TT = 21
+/* rotate the data word (4 byte) pointed to by X by r20 bits to the right */
+memrotr32:
+ ld T0, X+
+ ld T1, X+
+ ld T2, X+
+ ld T3, X+
+ mov TT, T0
+1:
+ lsr TT
+ ror T3
+ ror T2
+ ror T1
+ ror T0
+ dec r20
+ brne 1b
+ st -X, T3
+ st -X, T2
+ st -X, T1
+ st -X, T0
+ ret
+
+/* rotate the data word (4 byte) pointed to by X by r20 bits to the left */
+memrotl32:
+ ld T0, X+
+ ld T1, X+
+ ld T2, X+
+ ld T3, X+
+ mov TT, T3
+1:
+ lsl TT
+ rol T0
+ rol T1
+ rol T2
+ rol T3
+ dec r20
+ brne 1b
+ st -X, T3
+ st -X, T2
+ st -X, T1
+ st -X, T0
+ ret
+
+/* xor the dataword (4 byte) pointed by Z into X */
+memeor32:
+ ldi T2, 4
+1:
+ ld T0, X
+ ld T1, Z+
+ eor T0, T1
+ st X+, T0
+ dec T2
+ brne 1b
+ ret
+
+serpent_lt:
+ /* X0 := X0 <<< 13 */
+ movw r26, r24
+ ldi r20, 7
+ rcall memrotl32
+ ldi r20, 6
+ rcall memrotl32
+ /* X2 := X2 <<< 3 */
+ adiw r26, 8
+ ldi r20, 3
+ rcall memrotl32
+ /* X1 ^= X2 */
+ movw r30, r26
+ sbiw r26, 4
+ rcall memeor32
+ /* X1 ^= X0 */
+ sbiw r26, 4
+ sbiw r30, 12
+ rcall memeor32
+ /* X3 ^= X2 */
+ movw r30, r26
+ adiw r26, 4
+ rcall memeor32
+ /* T := X0 */
+ sbiw r26, 16
+ ld r18, X+
+ ld r19, X+
+ ld r20, X+
+ ld r21, X+
+ /* T := T<<3 */
+ ldi r22, 3
+1:
+ lsl r18
+ rol r19
+ rol r20
+ rol r21
+ dec r22
+ brne 1b
+ clr r31
+ /* X3 ^= T */
+ adiw r26, 8
+ ldi r30, 18
+ rcall memeor32
+ /* X1 := X1<<<1 */
+ sbiw r26, 12
+ ldi r20, 1
+ rcall memrotl32
+ /* X3 := X3<<<7 */
+ adiw r26, 8
+ ldi r20, 7
+ rcall memrotl32
+ /* X0 ^= X3 */
+ movw r30, r26
+ sbiw r26, 12
+ rcall memeor32
+ /* X0 ^= X1 */
+ movw r30, r26
+ sbiw r26, 4
+ rcall memeor32
+ /* X2 ^= X3 */
+ adiw r26, 4
+ adiw r30, 4
+ rcall memeor32
+ /* T := X1<<<8 */
+ sbiw r26, 8
+ ld r19, X+
+ ld r20, X+
+ ld r21, X+
+ ld r18, X+
+ /* T := T>>>1; T&=0xfffffff8 */
+ lsr r18
+ ror r21
+ ror r20
+ ror r19
+ clr r18
+ ror r18
+ clr r31
+ ldi r30, 18
+ /* X2 ^= T */
+ rcall memeor32
+ /* X0 := X0 <<< 5 */
+ sbiw r26, 12
+ ldi r20, 5
+ rcall memrotl32
+ /* X3 := X3 >>> 10 */
+ adiw r26, 8
+ ldi r20, 7
+ rcall memrotr32
+ ldi r20, 3
+ rcall memrotr32
+ ret
+
+serpent_inv_lt:
+ /* X0 := X0 >>> 5 */
+ movw r26, r24
+ ldi r20, 5
+ rcall memrotr32
+ /* X2 := X2 <<< 10 */
+ adiw r26, 8
+ ldi r20, 7
+ rcall memrotl32
+ ldi r20, 3
+ rcall memrotl32
+ /* X2 ^= X3 */
+ movw r30, r26
+ adiw r30, 4
+ rcall memeor32
+ sbiw r26, 4
+ sbiw r30, 12
+ /* T := X1<<7 */
+ ld r19, Z+
+ ld r20, Z+
+ ld r21, Z+
+ ld r18, Z+
+ lsr r18
+ ror r21
+ ror r20
+ ror r19
+ clr r18
+ ror r18
+ clr r31
+ /* X2 ^= T */
+ ldi r30, 18
+ rcall memeor32
+ /* X0 ^= X1 */
+ sbiw r26, 12
+ movw r30, r26
+ adiw r30, 4
+ rcall memeor32
+ /* X0 ^= X3 */
+ sbiw r26, 4
+ adiw r30, 4
+ rcall memeor32
+ /* X1 := X1>>>1 */
+ ldi r20, 1
+ rcall memrotr32
+ /* X3 := X3>>>7 */
+ adiw r26, 8
+ ldi r20, 7
+ rcall memrotr32
+ /* X3 ^= X2 */
+ sbiw r30, 8
+ rcall memeor32
+ sbiw r26, 4
+ /* T:= X0<<3 */
+ sbiw r30, 12
+ ld r18, Z+
+ ld r19, Z+
+ ld r20, Z+
+ ld r21, Z+
+ ldi r24, 3
+1:
+ lsl r18
+ rol r19
+ rol r20
+ rol r21
+ dec r24
+ brne 1b
+ /* X3 ^= T */
+ clr r31
+ ldi r30, 18
+ rcall memeor32
+ /* X1 ^= X0 */
+ sbiw r26, 12
+ movw r30, r26
+ sbiw r30, 4
+ rcall memeor32
+ /* X1 ^= X2 */
+ movw r26, r30
+ adiw r30, 4
+ rcall memeor32
+ /* X2 := X2 >>> 3 */
+ ldi r20, 3
+ rcall memrotr32
+ /* X0 := X0 >>> 13 */
+ sbiw r26, 8
+ ldi r20, 7
+ rcall memrotr32
+ ldi r20, 6
+ rcall memrotr32
+ ret
+
+/*
+#define GOLDEN_RATIO 0x9e3779b9l
+
+static uint32_t serpent_gen_w(uint32_t * b, uint8_t i){
+ uint32_t ret;
+ ret = b[0] ^ b[3] ^ b[5] ^ b[7] ^ GOLDEN_RATIO ^ (uint32_t)i;
+ ret = rotl32(ret, 11);
+ return ret;
+}
+*/
+/*
+ * param b is passed in r24:r25
+ * param i is passed in r22
+ * return value is returned in r22.r23.r24.r25
+ */
+ /* trashes:
+ * r20-r25, r30-r31
+ */
+serpent_gen_w:
+ movw r30, r24
+ /* ^i^b[0]*/
+ ld r21, Z+
+ eor r22, r21
+ ld r23, Z+
+ ld r24, Z+
+ ld r25, Z+
+ /* ^b[3]^b[5]^[b7] */
+ adiw r30, 4
+ ldi r20, 3
+1:
+ adiw r30, 4
+ ld r21, Z+
+ eor r22, r21
+ ld r21, Z+
+ eor r23, r21
+ ld r21, Z+
+ eor r24, r21
+ ld r21, Z+
+ eor r25, r21
+ dec r20
+ brne 1b
+ /* ^0x9e3779b9l */
+ ldi r21, 0xb9
+ eor r22, r21
+ ldi r21, 0x79
+ eor r23, r21
+ ldi r21, 0x37
+ eor r24, r21
+ ldi r21, 0x9e
+ eor r25, r21
+ /* <<<11 */
+ mov r21, r25
+ mov r25, r24
+ mov r24, r23
+ mov r23, r22
+ mov r22, r21
+ mov r21, r25
+ ldi r20, 3
+1:
+ lsl r21
+ rol r22
+ rol r23
+ rol r24
+ rol r25
+ dec r20
+ brne 1b
+ ret
+
+/*
+ * void serpent_init(const void* key, uint16_t keysize_b, serpent_ctx_t* ctx)
+ */
+/*
+ * param key is passed in r24:r25
+ * param keysize is passed in r22:r23
+ * param ctx is passed in r20:r21
+ */
+.global serpent_init
+serpent_init:
+ stack_alloc 32
+ adiw r30, 1
+ push_ r30, r31
+ movw r26, r22
+ adiw r26, 7
+ tst r27
+ breq 1f
+ ldi r26, 32
+ rjmp 2f
+1:
+ lsr r26
+ lsr r26
+ lsr r26
+2:
+ mov r22, r26
+ bst r22, 5 /* store in T if we have to do the "append 1 thing"*/
+ ldi r27, 32
+3: /* set buffer to zero */
+ st Z+, r1
+ dec r27
+ brne 3b
+
+ movw r26, r24 /* X points to the key */
+ sbiw r30, 32
+ tst r22
+ breq 5f /* if keylength_b==0 */
+4: /* copy keybytes to buffer */
+ ld r19, X+
+ st Z+, r19
+ dec r22
+ brne 4b
+5:
+ brts 7f /* if keylength_b == 256 */
+ ldi r18, 0x01
+ andi r22, 0x07
+ brne 6f
+ st Z, r18
+ rjmp 7f
+6: /* shift the one to the right position */
+ lsl r18
+ dec r22
+ brne 6b
+ or r18, r19
+ st -Z, r18
+7: /* post "appending 1 thing" buffer is ready for subkey generation */
+ movw r26, r20 /* X points to the context */
+
+ pop_ r19, r18 /* r18:r19 points to the buffer */
+ push r16
+ clr r16
+8:
+ movw r24, r18
+ mov r22, r16
+ rcall serpent_gen_w
+ movw r30, r18
+ ldi r20, 7*4
+1: /* the memmove */
+ ldd r0, Z+4
+ st Z+, r0
+ dec r20
+ brne 1b
+ /* store new word in buffer and context */
+ st Z+, r22
+ st Z+, r23
+ st Z+, r24
+ st Z+, r25
+ st X+, r22
+ st X+, r23
+ st X+, r24
+ st X+, r25
+
+ inc r16
+ cpi r16, 132
+ brne 8b
+
+ push_ r28, r29
+ movw r28, r26
+ subi r28, lo8(132*4)
+ sbci r29, hi8(132*4)
+ ldi r16, 33
+2:
+ movw r24, r28
+ adiw r28, 16
+ ldi r22, 2
+ add r22, r16
+ rcall sbox128
+ dec r16
+ brne 2b
+ pop_ r29, r28, r16
+ stack_free 32
+ ret
+
+/*
+ * void serpent_enc(void* buffer, const serpent_ctx_t* ctx){
+ */
+/*
+ * param buffer is passed in r24:r25
+ * param ctx is passed in r22:r23
+ */
+.global serpent_enc
+serpent_enc:
+
+ push_ r12, r13, r14, r15, r16
+ clr r16
+ movw r14, r24
+ movw r12, r22
+1:
+ movw r24, r14
+ movw r22, r12
+ ldi r20, 16
+ add r12, r20
+ adc r13, r1
+ clr r21
+ rcall memxor
+ movw r24, r14
+ mov r22, r16
+ rcall sbox128
+ movw r24, r14
+ rcall serpent_lt
+
+ inc r16
+ cpi r16, 31
+ brne 1b
+
+ movw r24, r14
+ movw r22, r12
+ ldi r20, 16
+ add r12, r20
+ adc r13, r1
+ clr r21
+ rcall memxor
+ movw r24, r14
+ mov r22, r16
+ rcall sbox128
+
+ inc r16
+ movw r24, r14
+ movw r22, r12
+ ldi r20, 16
+ clr r21
+ pop_ r16, r15, r14, r13, r12
+ rjmp memxor
+
+/*
+ * void serpent_dec(void* buffer, const serpent_ctx_t* ctx){
+ */
+/*
+ * param buffer is passed in r24:r25
+ * param ctx is passed in r22:r23
+ */
+.global serpent_dec
+serpent_dec:
+ push_ r12, r13, r14, r15, r16
+ movw r14, r24
+// ldi r16, lo8(32*16)
+// add r22, r16
+ ldi r16, hi8(32*16)
+ add r23, r16
+ movw r12, r22
+ ldi r20, 16
+ clr r21
+ rcall memxor
+
+ movw r24, r14
+ ldi r22, 31
+ call inv_sbox128
+
+ movw r24, r14
+ ldi r20, 16
+ sub r12, r20
+ sbc r13, r1
+ movw r22, r12
+ clr r21
+ rcall memxor
+ ldi r16, 31
+1:
+ dec r16
+ movw r24, r14
+ rcall serpent_inv_lt
+ movw r24, r14
+ mov r22, r16
+ rcall inv_sbox128
+ movw r24, r14
+ ldi r20, 16
+ sub r12, r20
+ sbc r13, r1
+ movw r22, r12
+ clr r21
+ rcall memxor
+
+ tst r16
+ brne 1b
+ pop_ r16, r15, r14, r13, r12
+ ret
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
projects / avr-crypto-lib.git / blobdiff