3 * $Id: square-mktab.c,v 1.1 2000/07/27 18:10:27 mdw Exp $
5 * Build precomputed tables for the Square block cipher
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
32 * $Log: square-mktab.c,v $
33 * Revision 1.1 2000/07/27 18:10:27 mdw
34 * Build precomputed tables for Square.
38 /*----- Header files ------------------------------------------------------*/
44 #include <mLib/bits.h>
46 /*----- Magic variables ---------------------------------------------------*/
48 static octet s[256], si[256];
49 static uint32 t[4][256], ti[4][256];
50 static uint32 u[4][256];
53 /*----- Main code ---------------------------------------------------------*/
57 * Arguments: @unsigned x, y@ = polynomials over %$\gf{2^8}$%
58 * @unsigned m@ = modulus
60 * Returns: The product of two polynomials.
62 * Use: Computes a product of polynomials, quite slowly.
65 static unsigned mul(unsigned x, unsigned y, unsigned m)
70 for (i = 0; i < 8; i++) {
86 * This is built from inversion in the multiplicative group of
87 * %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8 + x^4 + x^3 + x + 1$%, followed
88 * by an affine transformation treating inputs as vectors over %$\gf{2}$%.
89 * The result is a horrible function.
91 * The inversion is done slightly sneakily, by building log and antilog
92 * tables. Let %$a$% be an element of the finite field. If the inverse of
93 * %$a$% is %$a^{-1}$%, then %$\log (a a^{-1}) = \log a + \log a^{-1} = 0$%. Hence
94 * %$\log a = -\log a^{-1}$%, with logs taken modulo 255. This saves fiddling about with Euclidean
100 static void sbox(void)
102 octet log[256], alog[256];
107 /* --- Find a suitable generator, and build log tables --- */
110 for (g = 2; g < 256; g++) {
112 for (i = 0; i < 256; i++) {
115 x = mul(x, g, S_MOD);
116 if (x == 1 && i != 254)
122 fprintf(stderr, "couldn't find generator\n");
126 /* --- Now grind through and do the affine transform --- *
128 * The matrix multiply is an AND and a parity op. The add is an XOR.
131 for (i = 0; i < 256; i++) {
133 octet m[] = { 0xd6, 0x7b, 0x3d, 0x1f, 0x0f, 0x05, 0x03, 0x01 };
134 unsigned v = i ? alog[255 - log[i]] : 0;
136 assert(i == 0 || mul(i, v, S_MOD) == 1);
139 for (j = 0; j < 8; j++) {
145 x = (x << 1) | (r & 1);
155 * Construct the t tables for doing the round function efficiently.
158 static void tbox(void)
162 for (i = 0; i < 256; i++) {
166 /* --- Build a forwards t-box entry --- */
169 b = a << 1; if (b & 0x100) b ^= S_MOD;
171 w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
173 t[1][i] = ROL32(w, 8);
174 t[2][i] = ROL32(w, 16);
175 t[3][i] = ROL32(w, 24);
177 /* --- Build a backwards t-box entry --- */
179 a = mul(si[i], 0x0e, S_MOD);
180 b = mul(si[i], 0x09, S_MOD);
181 c = mul(si[i], 0x0d, S_MOD);
182 d = mul(si[i], 0x0b, S_MOD);
183 w = (a << 0) | (b << 8) | (c << 16) | (d << 24);
185 ti[1][i] = ROL32(w, 8);
186 ti[2][i] = ROL32(w, 16);
187 ti[3][i] = ROL32(w, 24);
193 * Construct the tables for performing the key schedule.
196 static void ubox(void)
200 for (i = 0; i < 256; i++) {
204 b = a << 1; if (b & 0x100) b ^= S_MOD;
206 w = (b << 0) | (a << 8) | (a << 16) | (c << 24);
208 u[1][i] = ROL32(w, 8);
209 u[2][i] = ROL32(w, 16);
210 u[3][i] = ROL32(w, 24);
214 /* --- Round constants --- */
221 for (i = 0; i < sizeof(rc); i++) {
238 * Square tables [generated]\n\
241 #ifndef CATACOMB_SQUARE_TAB_H\n\
242 #define CATACOMB_SQUARE_TAB_H\n\
245 /* --- Write out the S-box --- */
249 /* --- The byte substitution and its inverse --- */\n\
251 #define SQUARE_S { \\\n\
253 for (i = 0; i < 256; i++) {
254 printf("0x%02x", s[i]);
256 fputs(" \\\n}\n\n", stdout);
258 fputs(", \\\n ", stdout);
264 #define SQUARE_SI { \\\n\
266 for (i = 0; i < 256; i++) {
267 printf("0x%02x", si[i]);
269 fputs(" \\\n}\n\n", stdout);
271 fputs(", \\\n ", stdout);
276 /* --- Write out the big t tables --- */
280 /* --- The big round tables --- */\n\
282 #define SQUARE_T { \\\n\
284 for (j = 0; j < 4; j++) {
285 for (i = 0; i < 256; i++) {
286 printf("0x%08x", t[j][i]);
289 fputs(" } \\\n}\n\n", stdout);
294 } else if (i % 4 == 3)
295 fputs(", \\\n ", stdout);
302 #define SQUARE_TI { \\\n\
304 for (j = 0; j < 4; j++) {
305 for (i = 0; i < 256; i++) {
306 printf("0x%08x", ti[j][i]);
309 fputs(" } \\\n}\n\n", stdout);
314 } else if (i % 4 == 3)
315 fputs(", \\\n ", stdout);
321 /* --- Write out the big u tables --- */
325 /* --- The key schedule tables --- */\n\
327 #define SQUARE_U { \\\n\
329 for (j = 0; j < 4; j++) {
330 for (i = 0; i < 256; i++) {
331 printf("0x%08x", u[j][i]);
334 fputs(" } \\\n}\n\n", stdout);
339 } else if (i % 4 == 3)
340 fputs(", \\\n ", stdout);
346 /* --- Round constants --- */
350 /* --- The round constants --- */\n\
352 #define SQUARE_RCON { \\\n\
354 for (i = 0; i < sizeof(rc); i++) {
355 printf("0x%02x", rc[i]);
356 if (i == sizeof(rc) - 1)
357 fputs(" \\\n}\n\n", stdout);
359 fputs(", \\\n ", stdout);
368 if (fclose(stdout)) {
369 fprintf(stderr, "error writing data\n");
376 /*----- That's all, folks -------------------------------------------------*/