1 /* $OpenBSD: rijndael.c,v 1.2 2000/10/15 14:14:01 markus Exp $ */
3 /* This is an independent implementation of the encryption algorithm: */
5 /* RIJNDAEL by Joan Daemen and Vincent Rijmen */
7 /* which is a candidate algorithm in the Advanced Encryption Standard */
8 /* programme of the US National Institute of Standards and Technology. */
10 /* Copyright in this implementation is held by Dr B R Gladman but I */
11 /* hereby give permission for its free direct or derivative use subject */
12 /* to acknowledgment of its origin and compliance with any conditions */
13 /* that the originators of the algorithm place on its exploitation. */
15 /* Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999 */
17 /* Timing data for Rijndael (rijndael.c)
19 Algorithm: rijndael (rijndael.c)
22 Key Setup: 305/1389 cycles (encrypt/decrypt)
23 Encrypt: 374 cycles = 68.4 mbits/sec
24 Decrypt: 352 cycles = 72.7 mbits/sec
25 Mean: 363 cycles = 70.5 mbits/sec
28 Key Setup: 277/1595 cycles (encrypt/decrypt)
29 Encrypt: 439 cycles = 58.3 mbits/sec
30 Decrypt: 425 cycles = 60.2 mbits/sec
31 Mean: 432 cycles = 59.3 mbits/sec
34 Key Setup: 374/1960 cycles (encrypt/decrypt)
35 Encrypt: 502 cycles = 51.0 mbits/sec
36 Decrypt: 498 cycles = 51.4 mbits/sec
37 Mean: 500 cycles = 51.2 mbits/sec
44 void gen_tabs __P((void));
46 /* 3. Basic macros for speeding up generic operations */
48 /* Circular rotate of 32 bit values */
50 #define rotr(x,n) (((x) >> ((int)(n))) | ((x) << (32 - (int)(n))))
51 #define rotl(x,n) (((x) << ((int)(n))) | ((x) >> (32 - (int)(n))))
53 /* Invert byte order in a 32 bit variable */
55 #define bswap(x) (rotl(x, 8) & 0x00ff00ff | rotr(x, 8) & 0xff00ff00)
57 /* Extract byte from a 32 bit quantity (little endian notation) */
59 #define byte(x,n) ((u1byte)((x) >> (8 * n)))
61 #if BYTE_ORDER != LITTLE_ENDIAN
65 /* For inverting byte order in input/output 32 bit words if needed */
73 #define io_swap(x) bswap(x)
75 #define io_swap(x) (x)
78 /* For inverting the byte order of input/output blocks if needed */
82 #define get_block(x) \
83 ((u4byte*)(x))[0] = io_swap(in_blk[3]); \
84 ((u4byte*)(x))[1] = io_swap(in_blk[2]); \
85 ((u4byte*)(x))[2] = io_swap(in_blk[1]); \
86 ((u4byte*)(x))[3] = io_swap(in_blk[0])
88 #define put_block(x) \
89 out_blk[3] = io_swap(((u4byte*)(x))[0]); \
90 out_blk[2] = io_swap(((u4byte*)(x))[1]); \
91 out_blk[1] = io_swap(((u4byte*)(x))[2]); \
92 out_blk[0] = io_swap(((u4byte*)(x))[3])
94 #define get_key(x,len) \
95 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
96 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
97 switch((((len) + 63) / 64)) { \
99 ((u4byte*)(x))[0] = io_swap(in_key[3]); \
100 ((u4byte*)(x))[1] = io_swap(in_key[2]); \
101 ((u4byte*)(x))[2] = io_swap(in_key[1]); \
102 ((u4byte*)(x))[3] = io_swap(in_key[0]); \
105 ((u4byte*)(x))[0] = io_swap(in_key[5]); \
106 ((u4byte*)(x))[1] = io_swap(in_key[4]); \
107 ((u4byte*)(x))[2] = io_swap(in_key[3]); \
108 ((u4byte*)(x))[3] = io_swap(in_key[2]); \
109 ((u4byte*)(x))[4] = io_swap(in_key[1]); \
110 ((u4byte*)(x))[5] = io_swap(in_key[0]); \
113 ((u4byte*)(x))[0] = io_swap(in_key[7]); \
114 ((u4byte*)(x))[1] = io_swap(in_key[6]); \
115 ((u4byte*)(x))[2] = io_swap(in_key[5]); \
116 ((u4byte*)(x))[3] = io_swap(in_key[4]); \
117 ((u4byte*)(x))[4] = io_swap(in_key[3]); \
118 ((u4byte*)(x))[5] = io_swap(in_key[2]); \
119 ((u4byte*)(x))[6] = io_swap(in_key[1]); \
120 ((u4byte*)(x))[7] = io_swap(in_key[0]); \
125 #define get_block(x) \
126 ((u4byte*)(x))[0] = io_swap(in_blk[0]); \
127 ((u4byte*)(x))[1] = io_swap(in_blk[1]); \
128 ((u4byte*)(x))[2] = io_swap(in_blk[2]); \
129 ((u4byte*)(x))[3] = io_swap(in_blk[3])
131 #define put_block(x) \
132 out_blk[0] = io_swap(((u4byte*)(x))[0]); \
133 out_blk[1] = io_swap(((u4byte*)(x))[1]); \
134 out_blk[2] = io_swap(((u4byte*)(x))[2]); \
135 out_blk[3] = io_swap(((u4byte*)(x))[3])
137 #define get_key(x,len) \
138 ((u4byte*)(x))[4] = ((u4byte*)(x))[5] = \
139 ((u4byte*)(x))[6] = ((u4byte*)(x))[7] = 0; \
140 switch((((len) + 63) / 64)) { \
142 ((u4byte*)(x))[6] = io_swap(in_key[6]); \
143 ((u4byte*)(x))[7] = io_swap(in_key[7]); \
145 ((u4byte*)(x))[4] = io_swap(in_key[4]); \
146 ((u4byte*)(x))[5] = io_swap(in_key[5]); \
148 ((u4byte*)(x))[0] = io_swap(in_key[0]); \
149 ((u4byte*)(x))[1] = io_swap(in_key[1]); \
150 ((u4byte*)(x))[2] = io_swap(in_key[2]); \
151 ((u4byte*)(x))[3] = io_swap(in_key[3]); \
163 u4byte ft_tab[4][256];
164 u4byte it_tab[4][256];
167 u4byte fl_tab[4][256];
168 u4byte il_tab[4][256];
173 #define ff_mult(a,b) (a && b ? pow_tab[(log_tab[a] + log_tab[b]) % 255] : 0)
175 #define f_rn(bo, bi, n, k) \
176 bo[n] = ft_tab[0][byte(bi[n],0)] ^ \
177 ft_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
178 ft_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
179 ft_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
181 #define i_rn(bo, bi, n, k) \
182 bo[n] = it_tab[0][byte(bi[n],0)] ^ \
183 it_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
184 it_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
185 it_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
190 ( fl_tab[0][byte(x, 0)] ^ \
191 fl_tab[1][byte(x, 1)] ^ \
192 fl_tab[2][byte(x, 2)] ^ \
193 fl_tab[3][byte(x, 3)] )
195 #define f_rl(bo, bi, n, k) \
196 bo[n] = fl_tab[0][byte(bi[n],0)] ^ \
197 fl_tab[1][byte(bi[(n + 1) & 3],1)] ^ \
198 fl_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
199 fl_tab[3][byte(bi[(n + 3) & 3],3)] ^ *(k + n)
201 #define i_rl(bo, bi, n, k) \
202 bo[n] = il_tab[0][byte(bi[n],0)] ^ \
203 il_tab[1][byte(bi[(n + 3) & 3],1)] ^ \
204 il_tab[2][byte(bi[(n + 2) & 3],2)] ^ \
205 il_tab[3][byte(bi[(n + 1) & 3],3)] ^ *(k + n)
210 ((u4byte)sbx_tab[byte(x, 0)] << 0) ^ \
211 ((u4byte)sbx_tab[byte(x, 1)] << 8) ^ \
212 ((u4byte)sbx_tab[byte(x, 2)] << 16) ^ \
213 ((u4byte)sbx_tab[byte(x, 3)] << 24)
215 #define f_rl(bo, bi, n, k) \
216 bo[n] = (u4byte)sbx_tab[byte(bi[n],0)] ^ \
217 rotl(((u4byte)sbx_tab[byte(bi[(n + 1) & 3],1)]), 8) ^ \
218 rotl(((u4byte)sbx_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
219 rotl(((u4byte)sbx_tab[byte(bi[(n + 3) & 3],3)]), 24) ^ *(k + n)
221 #define i_rl(bo, bi, n, k) \
222 bo[n] = (u4byte)isb_tab[byte(bi[n],0)] ^ \
223 rotl(((u4byte)isb_tab[byte(bi[(n + 3) & 3],1)]), 8) ^ \
224 rotl(((u4byte)isb_tab[byte(bi[(n + 2) & 3],2)]), 16) ^ \
225 rotl(((u4byte)isb_tab[byte(bi[(n + 1) & 3],3)]), 24) ^ *(k + n)
235 /* log and power tables for GF(2**8) finite field with */
236 /* 0x11b as modular polynomial - the simplest prmitive */
237 /* root is 0x11, used here to generate the tables */
239 for(i = 0,p = 1; i < 256; ++i) {
240 pow_tab[i] = (u1byte)p; log_tab[p] = (u1byte)i;
242 p = p ^ (p << 1) ^ (p & 0x80 ? 0x01b : 0);
245 log_tab[1] = 0; p = 1;
247 for(i = 0; i < 10; ++i) {
250 p = (p << 1) ^ (p & 0x80 ? 0x1b : 0);
253 /* note that the affine byte transformation matrix in */
254 /* rijndael specification is in big endian format with */
255 /* bit 0 as the most significant bit. In the remainder */
256 /* of the specification the bits are numbered from the */
257 /* least significant end of a byte. */
259 for(i = 0; i < 256; ++i) {
260 p = (i ? pow_tab[255 - log_tab[i]] : 0); q = p;
261 q = (q >> 7) | (q << 1); p ^= q;
262 q = (q >> 7) | (q << 1); p ^= q;
263 q = (q >> 7) | (q << 1); p ^= q;
264 q = (q >> 7) | (q << 1); p ^= q ^ 0x63;
265 sbx_tab[i] = (u1byte)p; isb_tab[p] = (u1byte)i;
268 for(i = 0; i < 256; ++i) {
273 t = p; fl_tab[0][i] = t;
274 fl_tab[1][i] = rotl(t, 8);
275 fl_tab[2][i] = rotl(t, 16);
276 fl_tab[3][i] = rotl(t, 24);
278 t = ((u4byte)ff_mult(2, p)) |
281 ((u4byte)ff_mult(3, p) << 24);
284 ft_tab[1][i] = rotl(t, 8);
285 ft_tab[2][i] = rotl(t, 16);
286 ft_tab[3][i] = rotl(t, 24);
292 t = p; il_tab[0][i] = t;
293 il_tab[1][i] = rotl(t, 8);
294 il_tab[2][i] = rotl(t, 16);
295 il_tab[3][i] = rotl(t, 24);
297 t = ((u4byte)ff_mult(14, p)) |
298 ((u4byte)ff_mult( 9, p) << 8) |
299 ((u4byte)ff_mult(13, p) << 16) |
300 ((u4byte)ff_mult(11, p) << 24);
303 it_tab[1][i] = rotl(t, 8);
304 it_tab[2][i] = rotl(t, 16);
305 it_tab[3][i] = rotl(t, 24);
311 #define star_x(x) (((x) & 0x7f7f7f7f) << 1) ^ ((((x) & 0x80808080) >> 7) * 0x1b)
313 #define imix_col(y,x) \
319 (y) ^= rotr(u ^ t, 8) ^ \
323 /* initialise the key schedule from the user supplied key */
326 { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
327 t ^= e_key[4 * i]; e_key[4 * i + 4] = t; \
328 t ^= e_key[4 * i + 1]; e_key[4 * i + 5] = t; \
329 t ^= e_key[4 * i + 2]; e_key[4 * i + 6] = t; \
330 t ^= e_key[4 * i + 3]; e_key[4 * i + 7] = t; \
334 { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
335 t ^= e_key[6 * i]; e_key[6 * i + 6] = t; \
336 t ^= e_key[6 * i + 1]; e_key[6 * i + 7] = t; \
337 t ^= e_key[6 * i + 2]; e_key[6 * i + 8] = t; \
338 t ^= e_key[6 * i + 3]; e_key[6 * i + 9] = t; \
339 t ^= e_key[6 * i + 4]; e_key[6 * i + 10] = t; \
340 t ^= e_key[6 * i + 5]; e_key[6 * i + 11] = t; \
344 { t = ls_box(rotr(t, 8)) ^ rco_tab[i]; \
345 t ^= e_key[8 * i]; e_key[8 * i + 8] = t; \
346 t ^= e_key[8 * i + 1]; e_key[8 * i + 9] = t; \
347 t ^= e_key[8 * i + 2]; e_key[8 * i + 10] = t; \
348 t ^= e_key[8 * i + 3]; e_key[8 * i + 11] = t; \
349 t = e_key[8 * i + 4] ^ ls_box(t); \
350 e_key[8 * i + 12] = t; \
351 t ^= e_key[8 * i + 5]; e_key[8 * i + 13] = t; \
352 t ^= e_key[8 * i + 6]; e_key[8 * i + 14] = t; \
353 t ^= e_key[8 * i + 7]; e_key[8 * i + 15] = t; \
357 rijndael_set_key(rijndael_ctx *ctx, const u4byte *in_key, const u4byte key_len,
360 u4byte i, t, u, v, w;
361 u4byte *e_key = ctx->e_key;
362 u4byte *d_key = ctx->d_key;
364 ctx->decrypt = !encrypt;
369 ctx->k_len = (key_len + 31) / 32;
371 e_key[0] = in_key[0]; e_key[1] = in_key[1];
372 e_key[2] = in_key[2]; e_key[3] = in_key[3];
375 case 4: t = e_key[3];
376 for(i = 0; i < 10; ++i)
380 case 6: e_key[4] = in_key[4]; t = e_key[5] = in_key[5];
381 for(i = 0; i < 8; ++i)
385 case 8: e_key[4] = in_key[4]; e_key[5] = in_key[5];
386 e_key[6] = in_key[6]; t = e_key[7] = in_key[7];
387 for(i = 0; i < 7; ++i)
393 d_key[0] = e_key[0]; d_key[1] = e_key[1];
394 d_key[2] = e_key[2]; d_key[3] = e_key[3];
396 for(i = 4; i < 4 * ctx->k_len + 24; ++i) {
397 imix_col(d_key[i], e_key[i]);
404 /* encrypt a block of text */
406 #define f_nround(bo, bi, k) \
407 f_rn(bo, bi, 0, k); \
408 f_rn(bo, bi, 1, k); \
409 f_rn(bo, bi, 2, k); \
410 f_rn(bo, bi, 3, k); \
413 #define f_lround(bo, bi, k) \
414 f_rl(bo, bi, 0, k); \
415 f_rl(bo, bi, 1, k); \
416 f_rl(bo, bi, 2, k); \
420 rijndael_encrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
422 u4byte k_len = ctx->k_len;
423 u4byte *e_key = ctx->e_key;
424 u4byte b0[4], b1[4], *kp;
426 b0[0] = in_blk[0] ^ e_key[0]; b0[1] = in_blk[1] ^ e_key[1];
427 b0[2] = in_blk[2] ^ e_key[2]; b0[3] = in_blk[3] ^ e_key[3];
432 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
436 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
439 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
440 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
441 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
442 f_nround(b1, b0, kp); f_nround(b0, b1, kp);
443 f_nround(b1, b0, kp); f_lround(b0, b1, kp);
445 out_blk[0] = b0[0]; out_blk[1] = b0[1];
446 out_blk[2] = b0[2]; out_blk[3] = b0[3];
449 /* decrypt a block of text */
451 #define i_nround(bo, bi, k) \
452 i_rn(bo, bi, 0, k); \
453 i_rn(bo, bi, 1, k); \
454 i_rn(bo, bi, 2, k); \
455 i_rn(bo, bi, 3, k); \
458 #define i_lround(bo, bi, k) \
459 i_rl(bo, bi, 0, k); \
460 i_rl(bo, bi, 1, k); \
461 i_rl(bo, bi, 2, k); \
465 rijndael_decrypt(rijndael_ctx *ctx, const u4byte *in_blk, u4byte *out_blk)
467 u4byte b0[4], b1[4], *kp;
468 u4byte k_len = ctx->k_len;
469 u4byte *e_key = ctx->e_key;
470 u4byte *d_key = ctx->d_key;
472 b0[0] = in_blk[0] ^ e_key[4 * k_len + 24]; b0[1] = in_blk[1] ^ e_key[4 * k_len + 25];
473 b0[2] = in_blk[2] ^ e_key[4 * k_len + 26]; b0[3] = in_blk[3] ^ e_key[4 * k_len + 27];
475 kp = d_key + 4 * (k_len + 5);
478 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
482 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
485 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
486 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
487 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
488 i_nround(b1, b0, kp); i_nround(b0, b1, kp);
489 i_nround(b1, b0, kp); i_lround(b0, b1, kp);
491 out_blk[0] = b0[0]; out_blk[1] = b0[1];
492 out_blk[2] = b0[2]; out_blk[3] = b0[3];