3 * $Id: rijndael-mktab.c,v 1.4 2004/04/08 01:36:15 mdw Exp $
5 * Build precomputed tables for the Rijndael block cipher
7 * (c) 2000 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Header files ------------------------------------------------------*/
36 #include <mLib/bits.h>
38 /*----- Magic variables ---------------------------------------------------*/
40 static octet s[256], si[256];
41 static uint32 t[4][256], ti[4][256];
42 static uint32 u[4][256];
45 /*----- Main code ---------------------------------------------------------*/
49 * Arguments: @unsigned x, y@ = polynomials over %$\gf{2^8}$%
50 * @unsigned m@ = modulus
52 * Returns: The product of two polynomials.
54 * Use: Computes a product of polynomials, quite slowly.
57 static unsigned mul(unsigned x, unsigned y, unsigned m)
62 for (i = 0; i < 8; i++) {
78 * This is built from inversion in the multiplicative group of
79 * %$\gf{2^8}[x]/(p(x))$%, where %$p(x) = x^8 + x^4 + x^3 + x + 1$%, followed
80 * by an affine transformation treating inputs as vectors over %$\gf{2}$%.
81 * The result is a horrible function.
83 * The inversion is done slightly sneakily, by building log and antilog
84 * tables. Let %$a$% be an element of the finite field. If the inverse of
85 * %$a$% is %$a^{-1}$%, then %$\log a a^{-1} = 0$%. Hence
86 * %$\log a = -\log a^{-1}$%. This saves fiddling about with Euclidean
92 static void sbox(void)
94 octet log[256], alog[256];
99 /* --- Find a suitable generator, and build log tables --- */
102 for (g = 2; g < 256; g++) {
104 for (i = 0; i < 256; i++) {
107 x = mul(x, g, S_MOD);
108 if (x == 1 && i != 254)
114 fprintf(stderr, "couldn't find generator\n");
118 /* --- Now grind through and do the affine transform --- *
120 * The matrix multiply is an AND and a parity op. The add is an XOR.
123 for (i = 0; i < 256; i++) {
126 unsigned v = i ? alog[255 - log[i]] : 0;
128 assert(i == 0 || mul(i, v, S_MOD) == 1);
131 for (j = 0; j < 8; j++) {
137 x = (x << 1) | (r & 1);
148 * Construct the t tables for doing the round function efficiently.
151 static void tbox(void)
155 for (i = 0; i < 256; i++) {
159 /* --- Build a forwards t-box entry --- */
162 b = a << 1; if (b & 0x100) b ^= S_MOD;
164 w = (c << 0) | (a << 8) | (a << 16) | (b << 24);
166 t[1][i] = ROR32(w, 8);
167 t[2][i] = ROR32(w, 16);
168 t[3][i] = ROR32(w, 24);
170 /* --- Build a backwards t-box entry --- */
172 a = mul(si[i], 0x0e, S_MOD);
173 b = mul(si[i], 0x09, S_MOD);
174 c = mul(si[i], 0x0d, S_MOD);
175 d = mul(si[i], 0x0b, S_MOD);
176 w = (d << 0) | (c << 8) | (b << 16) | (a << 24);
178 ti[1][i] = ROR32(w, 8);
179 ti[2][i] = ROR32(w, 16);
180 ti[3][i] = ROR32(w, 24);
186 * Construct the tables for performing the decryption key schedule.
189 static void ubox(void)
193 for (i = 0; i < 256; i++) {
196 a = mul(i, 0x0e, S_MOD);
197 b = mul(i, 0x09, S_MOD);
198 c = mul(i, 0x0d, S_MOD);
199 d = mul(i, 0x0b, S_MOD);
200 w = (d << 0) | (c << 8) | (b << 16) | (a << 24);
202 u[1][i] = ROR32(w, 8);
203 u[2][i] = ROR32(w, 16);
204 u[3][i] = ROR32(w, 24);
208 /* --- Round constants --- */
210 static void rcon(void)
215 for (i = 0; i < sizeof(rc); i++) {
232 * Rijndael tables [generated]\n\
235 #ifndef CATACOMB_RIJNDAEL_TAB_H\n\
236 #define CATACOMB_RIJNDAEL_TAB_H\n\
239 /* --- Write out the S-box --- */
243 /* --- The byte substitution and its inverse --- */\n\
245 #define RIJNDAEL_S { \\\n\
247 for (i = 0; i < 256; i++) {
248 printf("0x%02x", s[i]);
250 fputs(" \\\n}\n\n", stdout);
252 fputs(", \\\n ", stdout);
258 #define RIJNDAEL_SI { \\\n\
260 for (i = 0; i < 256; i++) {
261 printf("0x%02x", si[i]);
263 fputs(" \\\n}\n\n", stdout);
265 fputs(", \\\n ", stdout);
270 /* --- Write out the big t tables --- */
274 /* --- The big round tables --- */\n\
276 #define RIJNDAEL_T { \\\n\
278 for (j = 0; j < 4; j++) {
279 for (i = 0; i < 256; i++) {
280 printf("0x%08lx", (unsigned long)t[j][i]);
283 fputs(" } \\\n}\n\n", stdout);
288 } else if (i % 4 == 3)
289 fputs(", \\\n ", stdout);
296 #define RIJNDAEL_TI { \\\n\
298 for (j = 0; j < 4; j++) {
299 for (i = 0; i < 256; i++) {
300 printf("0x%08lx", (unsigned long)ti[j][i]);
303 fputs(" } \\\n}\n\n", stdout);
308 } else if (i % 4 == 3)
309 fputs(", \\\n ", stdout);
315 /* --- Write out the big u tables --- */
319 /* --- The decryption key schedule tables --- */\n\
321 #define RIJNDAEL_U { \\\n\
323 for (j = 0; j < 4; j++) {
324 for (i = 0; i < 256; i++) {
325 printf("0x%08lx", (unsigned long)u[j][i]);
328 fputs(" } \\\n}\n\n", stdout);
333 } else if (i % 4 == 3)
334 fputs(", \\\n ", stdout);
340 /* --- Round constants --- */
344 /* --- The round constants --- */\n\
346 #define RIJNDAEL_RCON { \\\n\
348 for (i = 0; i < sizeof(rc); i++) {
349 printf("0x%02x", rc[i]);
350 if (i == sizeof(rc) - 1)
351 fputs(" \\\n}\n\n", stdout);
353 fputs(", \\\n ", stdout);
362 if (fclose(stdout)) {
363 fprintf(stderr, "error writing data\n");
370 /*----- That's all, folks -------------------------------------------------*/