3 * $Id: idea.c,v 1.3 2000/07/02 18:24:39 mdw Exp $
5 * Implementation of the IDEA cipher
7 * (c) 1999 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.3 2000/07/02 18:24:39 mdw
34 * Use a new multiplication function from an Ascom white paper to resist
37 * Revision 1.2 2000/06/17 11:24:08 mdw
38 * New key size interface.
40 * Revision 1.1 1999/09/03 08:41:12 mdw
45 /*----- Header files ------------------------------------------------------*/
52 #include <mLib/bits.h>
58 /*----- Global variables --------------------------------------------------*/
60 const octet idea_keysz[] = { KSZ_SET, IDEA_KEYSZ };
62 /*----- Main code ---------------------------------------------------------*/
66 * Arguments: @uint16 n@ = number to invert
68 * Returns: Multiplicative inverse of @n@ %$\pmod{2^{16} + 1}$%.
70 * Use: Computes multiplicative inverses. This is handy for the
71 * decryption key scheduling.
74 static uint16 inv(uint16 n)
85 t = a; a = b - q * a; b = t;
94 * Arguments @x@ and @y@ are two 32-bit values to multiply. On exit, @x@ is
95 * the product of the two arguments. The result is not normalized back to 16
96 * bits; the arguments are not expected to be normalized.
98 * This code is from `Side Channel Attack Hardening of the IDEA Cipher',
99 * published by Ascom Tech.
102 #define MUL(x, y) do { \
108 _tt = (uint32)x * (uint32)_t + (uint32)x + (uint32)_t + 1; \
110 _t = U16(_tt >> 16); \
111 x = x - _t + (x <= _t); \
114 /* --- @idea_init@ --- *
116 * Arguments: @idea_ctx *k@ = pointer to key block
117 * @const void *buf@ = pointer to key buffer
118 * @size_t sz@ = size of key material
122 * Use: Initializes an IDEA key buffer. The buffer must be exactly
123 * 16 bytes in size, because IDEA is only defined with a key
127 void idea_init(idea_ctx *k, const void *buf, size_t sz)
129 KSZ_ASSERT(idea, sz);
131 /* --- Unpack the encryption key --- */
134 const octet *p = buf;
136 uint32 a = LOAD32(p + 0);
137 uint32 b = LOAD32(p + 4);
138 uint32 c = LOAD32(p + 8);
139 uint32 d = LOAD32(p + 12);
142 /* --- Main unpacking loop --- */
144 for (i = 0; i < 6; i++) {
146 /* --- Spit out the next 8 subkeys --- */
158 /* --- Rotate and permute the subkeys --- */
162 a = U32((a << 25) | (b >> 7));
163 b = U32((b << 25) | (c >> 7));
164 c = U32((c << 25) | (d >> 7));
165 d = U32((d << 25) | (t >> 7));
169 /* --- Write out the tail-enders --- */
177 /* --- Convert this into the decryption key --- */
180 uint16 *p = k->e + 52;
184 /* --- Translate the main round keys --- */
186 for (i = 0; i < 8; i++) {
193 q[1] = 0x10000 - p[4];
194 q[2] = 0x10000 - p[3];
196 q[1] = 0x10000 - p[3];
197 q[2] = 0x10000 - p[4];
202 /* --- Translate the tail-enders --- */
206 q[1] = 0x10000 - p[1];
207 q[2] = 0x10000 - p[2];
212 /* --- @ROUND@ --- */
214 #define MIX(k, a, b, c, d) do { \
221 #define MA(k, a, b, c, d) do { \
222 unsigned _u = a ^ c; \
223 unsigned _v = b ^ d; \
234 #define ROUND(k, a, b, c, d) do { \
235 MIX(k, a, b, c, d); \
240 /* --- Encryption --- */
242 #define EBLK(k, a, b, c, d) do { \
243 unsigned _a = U16(a >> 16); \
244 unsigned _b = U16(a >> 0); \
245 unsigned _c = U16(b >> 16); \
246 unsigned _d = U16(b >> 0); \
247 const uint16 *_k = (k); \
249 ROUND(_k, _a, _b, _c, _d); \
250 ROUND(_k, _a, _c, _b, _d); \
251 ROUND(_k, _a, _b, _c, _d); \
252 ROUND(_k, _a, _c, _b, _d); \
253 ROUND(_k, _a, _b, _c, _d); \
254 ROUND(_k, _a, _c, _b, _d); \
255 ROUND(_k, _a, _b, _c, _d); \
256 ROUND(_k, _a, _c, _b, _d); \
257 MIX (_k, _a, _c, _b, _d); \
258 c = (U16(_a) << 16) | U16(_c); \
259 d = (U16(_b) << 16) | U16(_d); \
262 #define DBLK(k, a, b) EBLK((k), (a), (b))
264 /* --- @idea_eblk@, @idea_dblk@ --- *
266 * Arguments: @const idea_ctx *k@ = pointer to a key block
267 * @const uint32 s[2]@ = pointer to source block
268 * @uint32 d[2]@ = pointer to destination block
272 * Use: Low-level block encryption and decryption.
275 void idea_eblk(const idea_ctx *k, const uint32 *s, uint32 *d)
277 EBLK(k->e, s[0], s[1], d[0], d[1]);
280 void idea_dblk(const idea_ctx *k, const uint32 *s, uint32 *d)
282 EBLK(k->d, s[0], s[1], d[0], d[1]);
285 BLKC_TEST(IDEA, idea)
287 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob