3 * $Id: twofish.c,v 1.2 2000/06/22 18:58:00 mdw Exp $
5 * Implementation of the Twofish cipher
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
33 * Revision 1.2 2000/06/22 18:58:00 mdw
34 * Twofish can handle keys with any byte-aligned size.
36 * Revision 1.1 2000/06/17 12:10:17 mdw
41 /*----- Header files ------------------------------------------------------*/
45 #include <mLib/bits.h>
50 #include "twofish-tab.h"
53 /*----- Global variables --------------------------------------------------*/
55 const octet twofish_keysz[] = { KSZ_RANGE, TWOFISH_KEYSZ, 0, 32, 1 };
57 /*----- Important tables --------------------------------------------------*/
59 static const octet q0[256] = TWOFISH_Q0, q1[256] = TWOFISH_Q1;
60 static const uint32 qmds[4][256] = TWOFISH_QMDS;
61 static const octet rslog[] = TWOFISH_RSLOG, rsexp[] = TWOFISH_RSEXP;
62 static const octet rs[32] = TWOFISH_RS;
64 /*----- Key initialization ------------------------------------------------*/
68 * Arguments: @uint32 x@ = input to the function
69 * @const uint32 *l@ = key values to mix in
70 * @unsigned k@ = number of key values there are
72 * Returns: The output of the function @h@.
74 * Use: Implements the Twofish function @h@.
77 static uint32 h(uint32 x, const uint32 *l, unsigned k)
79 /* --- Apply a series of @q@ tables to an integer --- */
81 # define Q(x, qa, qb, qc, qd) \
82 ((qa[((x) >> 0) & 0xff] << 0) | \
83 (qb[((x) >> 8) & 0xff] << 8) | \
84 (qc[((x) >> 16) & 0xff] << 16) | \
85 (qd[((x) >> 24) & 0xff] << 24))
87 /* --- Grind through the tables --- */
90 case 4: x = Q(x, q1, q0, q0, q1) ^ l[3];
91 case 3: x = Q(x, q1, q1, q0, q0) ^ l[2];
92 case 2: x = Q(x, q0, q1, q0, q1) ^ l[1];
93 x = Q(x, q0, q0, q1, q1) ^ l[0];
99 /* --- Apply the MDS matrix --- */
101 return (qmds[0][U8(x >> 0)] ^ qmds[1][U8(x >> 8)] ^
102 qmds[2][U8(x >> 16)] ^ qmds[3][U8(x >> 24)]);
105 /* --- @twofish_init@ --- *
107 * Arguments: @twofish_ctx *k@ = pointer to key block to fill in
108 * @const void *buf@ = pointer to buffer of key material
109 * @size_t sz@ = size of key material
113 * Use: Initializes a Twofish key buffer. Twofish accepts key sizes
114 * of up to 256 bits (32 bytes).
117 void twofish_init(twofish_ctx *k, const void *buf, size_t sz)
121 uint32 mo[KMAX], me[KMAX];
124 /* --- Expand the key into the three word arrays --- */
132 /* --- Sort out the key size --- */
134 KSZ_ASSERT(twofish, sz);
142 assert(((void)"This can't happen (bad key size in twofish_init)", 0));
144 /* --- Extend the key if necessary --- */
150 memset(b + sz, 0, ssz - sz);
154 /* --- Finally get the word count --- */
158 /* --- Extract words from the key --- *
160 * The @s@ table, constructed using the Reed-Solomon matrix, is cut into
161 * sequences of bytes, since this is actually more useful for computing
166 for (i = 0; i < sz; i++) {
171 /* --- Extract the easy subkeys --- */
174 mo[i] = LOAD32_L(q + 4);
176 /* --- Now do the Reed-Solomon thing --- */
178 for (j = 0; j < 4; j++) {
183 for (k = 0; k < 8; k++) {
185 a ^= rsexp[rslog[*qq] + *r];
190 s[j][sz - 1 - i] = ss[j] = a;
195 /* --- Clear away the temporary buffer --- */
201 /* --- Construct the expanded key --- */
204 uint32 p = 0x01010101;
208 for (i = 0; i < 40; i += 2) {
211 b = h(ip + p, mo, sz);
215 k->k[i + 1] = ROL32(b, 9);
220 /* --- Construct the S-box tables --- */
224 static const octet *q[4][KMAX + 1] = {
225 { q1, q0, q0, q1, q1 },
226 { q0, q0, q1, q1, q0 },
227 { q1, q1, q0, q0, q0 },
228 { q0, q1, q1, q0, q1 }
231 for (i = 0; i < 4; i++) {
235 for (j = 0; j < 256; j++) {
238 /* --- Push the byte through the q tables --- */
241 case 4: x = q[i][4][x] ^ s[i][3];
242 case 3: x = q[i][3][x] ^ s[i][2];
243 case 2: x = q[i][2][x] ^ s[i][1];
244 x = q[i][1][x] ^ s[i][0];
248 /* --- Write it in the key schedule --- */
250 k->g[i][j] = qmds[i][x];
255 /* --- Clear everything away --- */
262 /*----- Main encryption ---------------------------------------------------*/
264 /* --- Feistel function --- */
266 #define GG(k, t0, t1, x, y, kk) do { \
267 t0 = (k->g[0][U8(x >> 0)] ^ \
268 k->g[1][U8(x >> 8)] ^ \
269 k->g[2][U8(x >> 16)] ^ \
270 k->g[3][U8(x >> 24)]); \
271 t1 = (k->g[1][U8(y >> 0)] ^ \
272 k->g[2][U8(y >> 8)] ^ \
273 k->g[3][U8(y >> 16)] ^ \
274 k->g[0][U8(y >> 24)]); \
281 /* --- Round operations --- */
283 #define EROUND(k, w, x, y, z, kk) do { \
285 GG(k, _t0, _t1, w, x, kk); \
287 y ^= _t0; y = ROR32(y, 1); \
288 z = ROL32(z, 1); z ^= _t1; \
291 #define DROUND(k, w, x, y, z, kk) do { \
294 GG(k, _t0, _t1, w, x, kk); \
295 y = ROL32(y, 1); y ^= _t0; \
296 z ^= _t1; z = ROR32(z, 1); \
299 /* --- Complete encryption functions --- */
301 #define EBLK(k, a, b, c, d, w, x, y, z) do { \
302 const uint32 *_kk = k->k + 8; \
303 uint32 _a = a, _b = b, _c = c, _d = d; \
304 _a ^= k->k[0]; _b ^= k->k[1]; _c ^= k->k[2]; _d ^= k->k[3]; \
305 EROUND(k, _a, _b, _c, _d, _kk); \
306 EROUND(k, _c, _d, _a, _b, _kk); \
307 EROUND(k, _a, _b, _c, _d, _kk); \
308 EROUND(k, _c, _d, _a, _b, _kk); \
309 EROUND(k, _a, _b, _c, _d, _kk); \
310 EROUND(k, _c, _d, _a, _b, _kk); \
311 EROUND(k, _a, _b, _c, _d, _kk); \
312 EROUND(k, _c, _d, _a, _b, _kk); \
313 EROUND(k, _a, _b, _c, _d, _kk); \
314 EROUND(k, _c, _d, _a, _b, _kk); \
315 EROUND(k, _a, _b, _c, _d, _kk); \
316 EROUND(k, _c, _d, _a, _b, _kk); \
317 EROUND(k, _a, _b, _c, _d, _kk); \
318 EROUND(k, _c, _d, _a, _b, _kk); \
319 EROUND(k, _a, _b, _c, _d, _kk); \
320 EROUND(k, _c, _d, _a, _b, _kk); \
321 _c ^= k->k[4]; _d ^= k->k[5]; _a ^= k->k[6]; _b ^= k->k[7]; \
322 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
325 #define DBLK(k, a, b, c, d, w, x, y, z) do { \
326 const uint32 *_kk = k->k + 40; \
327 uint32 _a = a, _b = b, _c = c, _d = d; \
328 _a ^= k->k[4]; _b ^= k->k[5]; _c ^= k->k[6]; _d ^= k->k[7]; \
329 DROUND(k, _a, _b, _c, _d, _kk); \
330 DROUND(k, _c, _d, _a, _b, _kk); \
331 DROUND(k, _a, _b, _c, _d, _kk); \
332 DROUND(k, _c, _d, _a, _b, _kk); \
333 DROUND(k, _a, _b, _c, _d, _kk); \
334 DROUND(k, _c, _d, _a, _b, _kk); \
335 DROUND(k, _a, _b, _c, _d, _kk); \
336 DROUND(k, _c, _d, _a, _b, _kk); \
337 DROUND(k, _a, _b, _c, _d, _kk); \
338 DROUND(k, _c, _d, _a, _b, _kk); \
339 DROUND(k, _a, _b, _c, _d, _kk); \
340 DROUND(k, _c, _d, _a, _b, _kk); \
341 DROUND(k, _a, _b, _c, _d, _kk); \
342 DROUND(k, _c, _d, _a, _b, _kk); \
343 DROUND(k, _a, _b, _c, _d, _kk); \
344 DROUND(k, _c, _d, _a, _b, _kk); \
345 _c ^= k->k[0]; _d ^= k->k[1]; _a ^= k->k[2]; _b ^= k->k[3]; \
346 w = U32(_c); x = U32(_d); y = U32(_a); z = U32(_b); \
349 /* --- @twofish_eblk@, @twofish_dblk@ --- *
351 * Arguments: @const twofish_ctx *k@ = pointer to key block
352 * @const uint32 s[4]@ = pointer to source block
353 * @uint32 d[4]@ = pointer to destination block
357 * Use: Low-level block encryption and decryption.
360 void twofish_eblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
362 EBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
365 void twofish_dblk(const twofish_ctx *k, const uint32 *s, uint32 *d)
367 DBLK(k, s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
370 BLKC_TEST(TWOFISH, twofish)
372 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob