1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3 #include "tomcrypt_private.h"
4
5 /**
6 @file sober128_stream.c
7 Implementation of SOBER-128 by Tom St Denis.
8 Based on s128fast.c reference code supplied by Greg Rose of QUALCOMM.
9 */
10
11 #ifdef LTC_SOBER128
12
13 #define LTC_SOBER128TAB_C
14 #include "sober128tab.c"
15
16 /* don't change these... */
17 #define N 17
18 #define INITKONST 0x6996c53a /* value of KONST to use during key loading */
19 #define KEYP 15 /* where to insert key words */
20 #define FOLDP 4 /* where to insert non-linear feedback */
21
BYTE2WORD(const unsigned char * b)22 static ulong32 BYTE2WORD(const unsigned char *b)
23 {
24 ulong32 t;
25 LOAD32L(t, b);
26 return t;
27 }
28
XORWORD(ulong32 w,const unsigned char * in,unsigned char * out)29 static void XORWORD(ulong32 w, const unsigned char *in, unsigned char *out)
30 {
31 ulong32 t;
32 LOAD32L(t, in);
33 t ^= w;
34 STORE32L(t, out);
35 }
36
37 /* give correct offset for the current position of the register,
38 * where logically R[0] is at position "zero".
39 */
40 #define OFF(zero, i) (((zero)+(i)) % N)
41
42 /* step the LFSR */
43 /* After stepping, "zero" moves right one place */
44 #define STEP(R,z) \
45 R[OFF(z,0)] = R[OFF(z,15)] ^ R[OFF(z,4)] ^ (R[OFF(z,0)] << 8) ^ Multab[(R[OFF(z,0)] >> 24) & 0xFF];
46
cycle(ulong32 * R)47 static void cycle(ulong32 *R)
48 {
49 ulong32 t;
50 int i;
51
52 STEP(R,0);
53 t = R[0];
54 for (i = 1; i < N; ++i) {
55 R[i-1] = R[i];
56 }
57 R[N-1] = t;
58 }
59
60 /* Return a non-linear function of some parts of the register.
61 */
62 #define NLFUNC(st,z) \
63 { \
64 t = st->R[OFF(z,0)] + st->R[OFF(z,16)]; \
65 t ^= Sbox[(t >> 24) & 0xFF]; \
66 t = RORc(t, 8); \
67 t = ((t + st->R[OFF(z,1)]) ^ st->konst) + st->R[OFF(z,6)]; \
68 t ^= Sbox[(t >> 24) & 0xFF]; \
69 t = t + st->R[OFF(z,13)]; \
70 }
71
nltap(const sober128_state * st)72 static ulong32 nltap(const sober128_state *st)
73 {
74 ulong32 t;
75 NLFUNC(st, 0);
76 return t;
77 }
78
79 /* Save the current register state
80 */
s128_savestate(sober128_state * st)81 static void s128_savestate(sober128_state *st)
82 {
83 int i;
84 for (i = 0; i < N; ++i) {
85 st->initR[i] = st->R[i];
86 }
87 }
88
89 /* initialise to previously saved register state
90 */
s128_reloadstate(sober128_state * st)91 static void s128_reloadstate(sober128_state *st)
92 {
93 int i;
94
95 for (i = 0; i < N; ++i) {
96 st->R[i] = st->initR[i];
97 }
98 }
99
100 /* Initialise "konst"
101 */
s128_genkonst(sober128_state * st)102 static void s128_genkonst(sober128_state *st)
103 {
104 ulong32 newkonst;
105
106 do {
107 cycle(st->R);
108 newkonst = nltap(st);
109 } while ((newkonst & 0xFF000000) == 0);
110 st->konst = newkonst;
111 }
112
113 /* Load key material into the register
114 */
115 #define ADDKEY(k) \
116 st->R[KEYP] += (k);
117
118 #define XORNL(nl) \
119 st->R[FOLDP] ^= (nl);
120
121 /* nonlinear diffusion of register for key */
122 #define DROUND(z) STEP(st->R,z); NLFUNC(st,(z+1)); st->R[OFF((z+1),FOLDP)] ^= t;
s128_diffuse(sober128_state * st)123 static void s128_diffuse(sober128_state *st)
124 {
125 ulong32 t;
126 /* relies on FOLD == N == 17! */
127 DROUND(0);
128 DROUND(1);
129 DROUND(2);
130 DROUND(3);
131 DROUND(4);
132 DROUND(5);
133 DROUND(6);
134 DROUND(7);
135 DROUND(8);
136 DROUND(9);
137 DROUND(10);
138 DROUND(11);
139 DROUND(12);
140 DROUND(13);
141 DROUND(14);
142 DROUND(15);
143 DROUND(16);
144 }
145
146 /**
147 Initialize an Sober128 context (only the key)
148 @param st [out] The destination of the Sober128 state
149 @param key The secret key
150 @param keylen The length of the secret key (octets)
151 @return CRYPT_OK if successful
152 */
sober128_stream_setup(sober128_state * st,const unsigned char * key,unsigned long keylen)153 int sober128_stream_setup(sober128_state *st, const unsigned char *key, unsigned long keylen)
154 {
155 ulong32 i, k;
156
157 LTC_ARGCHK(st != NULL);
158 LTC_ARGCHK(key != NULL);
159 LTC_ARGCHK(keylen > 0);
160
161 /* keylen must be multiple of 4 bytes */
162 if ((keylen & 3) != 0) {
163 return CRYPT_INVALID_KEYSIZE;
164 }
165
166 /* Register initialised to Fibonacci numbers */
167 st->R[0] = 1;
168 st->R[1] = 1;
169 for (i = 2; i < N; ++i) {
170 st->R[i] = st->R[i-1] + st->R[i-2];
171 }
172 st->konst = INITKONST;
173
174 for (i = 0; i < keylen; i += 4) {
175 k = BYTE2WORD((unsigned char *)&key[i]);
176 ADDKEY(k);
177 cycle(st->R);
178 XORNL(nltap(st));
179 }
180
181 /* also fold in the length of the key */
182 ADDKEY(keylen);
183
184 /* now diffuse */
185 s128_diffuse(st);
186 s128_genkonst(st);
187 s128_savestate(st);
188 st->nbuf = 0;
189
190 return CRYPT_OK;
191 }
192
193 /**
194 Set IV to the Sober128 state
195 @param st The Sober12820 state
196 @param iv The IV data to add
197 @param ivlen The length of the IV (must be 12)
198 @return CRYPT_OK on success
199 */
sober128_stream_setiv(sober128_state * st,const unsigned char * iv,unsigned long ivlen)200 int sober128_stream_setiv(sober128_state *st, const unsigned char *iv, unsigned long ivlen)
201 {
202 ulong32 i, k;
203
204 LTC_ARGCHK(st != NULL);
205 LTC_ARGCHK(iv != NULL);
206 LTC_ARGCHK(ivlen > 0);
207
208 /* ok we are adding an IV then... */
209 s128_reloadstate(st);
210
211 /* ivlen must be multiple of 4 bytes */
212 if ((ivlen & 3) != 0) {
213 return CRYPT_INVALID_KEYSIZE;
214 }
215
216 for (i = 0; i < ivlen; i += 4) {
217 k = BYTE2WORD((unsigned char *)&iv[i]);
218 ADDKEY(k);
219 cycle(st->R);
220 XORNL(nltap(st));
221 }
222
223 /* also fold in the length of the key */
224 ADDKEY(ivlen);
225
226 /* now diffuse */
227 s128_diffuse(st);
228 st->nbuf = 0;
229
230 return CRYPT_OK;
231 }
232
233 /* XOR pseudo-random bytes into buffer
234 */
235 #define SROUND(z) STEP(st->R,z); NLFUNC(st,(z+1)); XORWORD(t, in+(z*4), out+(z*4));
236
237 /**
238 Encrypt (or decrypt) bytes of ciphertext (or plaintext) with Sober128
239 @param st The Sober128 state
240 @param in The plaintext (or ciphertext)
241 @param inlen The length of the input (octets)
242 @param out [out] The ciphertext (or plaintext), length inlen
243 @return CRYPT_OK if successful
244 */
sober128_stream_crypt(sober128_state * st,const unsigned char * in,unsigned long inlen,unsigned char * out)245 int sober128_stream_crypt(sober128_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
246 {
247 ulong32 t;
248
249 if (inlen == 0) return CRYPT_OK; /* nothing to do */
250 LTC_ARGCHK(out != NULL);
251 LTC_ARGCHK(st != NULL);
252
253 /* handle any previously buffered bytes */
254 while (st->nbuf != 0 && inlen != 0) {
255 *out++ = *in++ ^ (unsigned char)(st->sbuf & 0xFF);
256 st->sbuf >>= 8;
257 st->nbuf -= 8;
258 --inlen;
259 }
260
261 #ifndef LTC_SMALL_CODE
262 /* do lots at a time, if there's enough to do */
263 while (inlen >= N*4) {
264 SROUND(0);
265 SROUND(1);
266 SROUND(2);
267 SROUND(3);
268 SROUND(4);
269 SROUND(5);
270 SROUND(6);
271 SROUND(7);
272 SROUND(8);
273 SROUND(9);
274 SROUND(10);
275 SROUND(11);
276 SROUND(12);
277 SROUND(13);
278 SROUND(14);
279 SROUND(15);
280 SROUND(16);
281 out += 4*N;
282 in += 4*N;
283 inlen -= 4*N;
284 }
285 #endif
286
287 /* do small or odd size buffers the slow way */
288 while (4 <= inlen) {
289 cycle(st->R);
290 t = nltap(st);
291 XORWORD(t, in, out);
292 out += 4;
293 in += 4;
294 inlen -= 4;
295 }
296
297 /* handle any trailing bytes */
298 if (inlen != 0) {
299 cycle(st->R);
300 st->sbuf = nltap(st);
301 st->nbuf = 32;
302 while (st->nbuf != 0 && inlen != 0) {
303 *out++ = *in++ ^ (unsigned char)(st->sbuf & 0xFF);
304 st->sbuf >>= 8;
305 st->nbuf -= 8;
306 --inlen;
307 }
308 }
309
310 return CRYPT_OK;
311 }
312
sober128_stream_keystream(sober128_state * st,unsigned char * out,unsigned long outlen)313 int sober128_stream_keystream(sober128_state *st, unsigned char *out, unsigned long outlen)
314 {
315 if (outlen == 0) return CRYPT_OK; /* nothing to do */
316 LTC_ARGCHK(out != NULL);
317 XMEMSET(out, 0, outlen);
318 return sober128_stream_crypt(st, out, outlen, out);
319 }
320
321 /**
322 Terminate and clear Sober128 state
323 @param st The Sober128 state
324 @return CRYPT_OK on success
325 */
sober128_stream_done(sober128_state * st)326 int sober128_stream_done(sober128_state *st)
327 {
328 LTC_ARGCHK(st != NULL);
329 zeromem(st, sizeof(sober128_state));
330 return CRYPT_OK;
331 }
332
333 #endif
334