aria.c
Go to the documentation of this file.
1 /**
2  * @file aria.c
3  * @brief ARIA encryption algorithm
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneCrypto Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @section Description
26  *
27  * ARIA is a 128-bit block cipher with 128-, 192-, and 256-bit keys. The
28  * algorithm consists of a key scheduling part and data randomizing part.
29  * Refer to RFC 5794 for more details
30  *
31  * @author Oryx Embedded SARL (www.oryx-embedded.com)
32  * @version 1.9.0
33  **/
34 
35 //Switch to the appropriate trace level
36 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
37 
38 //Dependencies
39 #include "core/crypto.h"
40 #include "cipher/aria.h"
41 #include "debug.h"
42 
43 //Check crypto library configuration
44 #if (ARIA_SUPPORT == ENABLED)
45 
46 //Move operation
47 #define MOV128(b, a) \
48 { \
49  (b)[0] = (a)[0]; \
50  (b)[1] = (a)[1]; \
51  (b)[2] = (a)[2]; \
52  (b)[3] = (a)[3]; \
53 }
54 
55 //XOR operation
56 #define XOR128(b, a) \
57 { \
58  (b)[0] ^= (a)[0]; \
59  (b)[1] ^= (a)[1]; \
60  (b)[2] ^= (a)[2]; \
61  (b)[3] ^= (a)[3]; \
62 }
63 
64 //Rotate left operation
65 #define ROL128(b, a, n) \
66 { \
67  (b)[0] = ((a)[((n) / 32 + 0) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 1) % 4] >> (32 - ((n) % 32))); \
68  (b)[1] = ((a)[((n) / 32 + 1) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 2) % 4] >> (32 - ((n) % 32))); \
69  (b)[2] = ((a)[((n) / 32 + 2) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 3) % 4] >> (32 - ((n) % 32))); \
70  (b)[3] = ((a)[((n) / 32 + 3) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 0) % 4] >> (32 - ((n) % 32))); \
71 }
72 
73 //Substitution layer SL1
74 #define SL1(b, a) \
75 { \
76  uint8_t *x = (uint8_t *) (a); \
77  uint8_t *y = (uint8_t *) (b); \
78  y[0] = sb1[x[0]]; \
79  y[1] = sb2[x[1]]; \
80  y[2] = sb3[x[2]]; \
81  y[3] = sb4[x[3]]; \
82  y[4] = sb1[x[4]]; \
83  y[5] = sb2[x[5]]; \
84  y[6] = sb3[x[6]]; \
85  y[7] = sb4[x[7]]; \
86  y[8] = sb1[x[8]]; \
87  y[9] = sb2[x[9]]; \
88  y[10] = sb3[x[10]]; \
89  y[11] = sb4[x[11]]; \
90  y[12] = sb1[x[12]]; \
91  y[13] = sb2[x[13]]; \
92  y[14] = sb3[x[14]]; \
93  y[15] = sb4[x[15]]; \
94 }
95 
96 //Substitution layer SL2
97 #define SL2(b, a) \
98 { \
99  uint8_t *x = (uint8_t *) (a); \
100  uint8_t *y = (uint8_t *) (b); \
101  y[0] = sb3[x[0]]; \
102  y[1] = sb4[x[1]]; \
103  y[2] = sb1[x[2]]; \
104  y[3] = sb2[x[3]]; \
105  y[4] = sb3[x[4]]; \
106  y[5] = sb4[x[5]]; \
107  y[6] = sb1[x[6]]; \
108  y[7] = sb2[x[7]]; \
109  y[8] = sb3[x[8]]; \
110  y[9] = sb4[x[9]]; \
111  y[10] = sb1[x[10]]; \
112  y[11] = sb2[x[11]]; \
113  y[12] = sb3[x[12]]; \
114  y[13] = sb4[x[13]]; \
115  y[14] = sb1[x[14]]; \
116  y[15] = sb2[x[15]]; \
117 }
118 
119 //Diffusion layer
120 #define A(b, a) \
121 { \
122  uint8_t *x = (uint8_t *) (a); \
123  uint8_t *y = (uint8_t *) (b); \
124  y[0] = x[3] ^ x[4] ^ x[6] ^ x[8] ^ x[9] ^ x[13] ^ x[14]; \
125  y[1] = x[2] ^ x[5] ^ x[7] ^ x[8] ^ x[9] ^ x[12] ^ x[15]; \
126  y[2] = x[1] ^ x[4] ^ x[6] ^ x[10] ^ x[11] ^ x[12] ^ x[15]; \
127  y[3] = x[0] ^ x[5] ^ x[7] ^ x[10] ^ x[11] ^ x[13] ^ x[14]; \
128  y[4] = x[0] ^ x[2] ^ x[5] ^ x[8] ^ x[11] ^ x[14] ^ x[15]; \
129  y[5] = x[1] ^ x[3] ^ x[4] ^ x[9] ^ x[10] ^ x[14] ^ x[15]; \
130  y[6] = x[0] ^ x[2] ^ x[7] ^ x[9] ^ x[10] ^ x[12] ^ x[13]; \
131  y[7] = x[1] ^ x[3] ^ x[6] ^ x[8] ^ x[11] ^ x[12] ^ x[13]; \
132  y[8] = x[0] ^ x[1] ^ x[4] ^ x[7] ^ x[10] ^ x[13] ^ x[15]; \
133  y[9] = x[0] ^ x[1] ^ x[5] ^ x[6] ^ x[11] ^ x[12] ^ x[14]; \
134  y[10] = x[2] ^ x[3] ^ x[5] ^ x[6] ^ x[8] ^ x[13] ^ x[15]; \
135  y[11] = x[2] ^ x[3] ^ x[4] ^ x[7] ^ x[9] ^ x[12] ^ x[14]; \
136  y[12] = x[1] ^ x[2] ^ x[6] ^ x[7] ^ x[9] ^ x[11] ^ x[12]; \
137  y[13] = x[0] ^ x[3] ^ x[6] ^ x[7] ^ x[8] ^ x[10] ^ x[13]; \
138  y[14] = x[0] ^ x[3] ^ x[4] ^ x[5] ^ x[9] ^ x[11] ^ x[14]; \
139  y[15] = x[1] ^ x[2] ^ x[4] ^ x[5] ^ x[8] ^ x[10] ^ x[15]; \
140 }
141 
142 //S-box 1
143 static const uint8_t sb1[256] =
144 {
145  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
146  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
147  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
148  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
149  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
150  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
151  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
152  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
153  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
154  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
155  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
156  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
157  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
158  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
159  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
160  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
161 };
162 
163 //S-box 2
164 static const uint8_t sb2[256] =
165 {
166  0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1,
167  0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1,
168  0x1D, 0x06, 0x41, 0x6B, 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
169  0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB,
170  0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD,
171  0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
172  0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA, 0xE9, 0xB1,
173  0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40,
174  0xEC, 0x20, 0x8C, 0xBD, 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
175  0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5,
176  0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43,
177  0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
178  0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA,
179  0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C,
180  0x90, 0x0B, 0x5B, 0x33, 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
181  0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF, 0xBA, 0xB5, 0x81
182 };
183 
184 //S-box 3
185 static const uint8_t sb3[256] =
186 {
187  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
188  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
189  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
190  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
191  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
192  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
193  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
194  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
195  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
196  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
197  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
198  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
199  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
200  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
201  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
202  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
203 };
204 
205 //S-box 4
206 static const uint8_t sb4[256] =
207 {
208  0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C,
209  0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D,
210  0x81, 0x65, 0xF5, 0x89, 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
211  0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED,
212  0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B,
213  0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
214  0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF, 0xCA, 0xD9,
215  0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41,
216  0xDA, 0xFF, 0xCD, 0x55, 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
217  0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7,
218  0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC,
219  0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
220  0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45,
221  0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D,
222  0xF2, 0xB1, 0x00, 0x94, 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
223  0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60
224 };
225 
226 //Key scheduling constants
227 static const uint32_t c[12] =
228 {
229  BETOH32(0x517CC1B7), BETOH32(0x27220A94), BETOH32(0xFE13ABE8), BETOH32(0xFA9A6EE0),
230  BETOH32(0x6DB14ACC), BETOH32(0x9E21C820), BETOH32(0xFF28B1D5), BETOH32(0xEF5DE2B0),
231  BETOH32(0xDB92371D), BETOH32(0x2126E970), BETOH32(0x03249775), BETOH32(0x04E8C90E)
232 };
233 
234 //Common interface for encryption algorithms
236 {
237  "ARIA",
238  sizeof(AriaContext),
242  NULL,
243  NULL,
246 };
247 
248 
249 /**
250  * @brief Odd round function
251  * @param[in,out] d 128-bit string
252  * @param[in] rk 128-bit string
253  **/
254 
255 static void OF(uint32_t *d, const uint32_t *rk)
256 {
257  uint32_t t[4];
258 
259  //XOR D with RK
260  XOR128(d, rk);
261  //Substitution layer SL1
262  SL1(t, d);
263  //Diffusion layer
264  A(d, t);
265 }
266 
267 
268 /**
269  * @brief Even round function
270  * @param[in,out] d 128-bit string
271  * @param[in] rk 128-bit string
272  **/
273 
274 static void EF(uint32_t *d, const uint32_t *rk)
275 {
276  uint32_t t[4];
277 
278  //XOR D with RK
279  XOR128(d, rk);
280  //Substitution layer SL2
281  SL2(t, d);
282  //Diffusion layer
283  A(d, t);
284 }
285 
286 
287 /**
288  * @brief Initialize a ARIA context using the supplied key
289  * @param[in] context Pointer to the ARIA context to initialize
290  * @param[in] key Pointer to the key
291  * @param[in] keyLen Length of the key
292  * @return Error code
293  **/
294 
295 error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
296 {
297  uint_t i;
298  uint32_t *ek;
299  uint32_t *dk;
300  const uint32_t *ck1;
301  const uint32_t *ck2;
302  const uint32_t *ck3;
303  uint32_t w[16];
304 
305  //128-bit master key?
306  if(keyLen == 16)
307  {
308  //Select the relevant constants
309  ck1 = c + 0;
310  ck2 = c + 4;
311  ck3 = c + 8;
312  //The number of rounds depends on the size of the master key
313  context->nr = 12;
314  }
315  //192-bit master key?
316  else if(keyLen == 24)
317  {
318  //Select the relevant constants
319  ck1 = c + 4;
320  ck2 = c + 8;
321  ck3 = c + 0;
322  //The number of rounds depends on the size of the master key
323  context->nr = 14;
324  }
325  //256-bit master key?
326  else if(keyLen == 32)
327  {
328  //Select the relevant constants
329  ck1 = c + 8;
330  ck2 = c + 0;
331  ck3 = c + 4;
332  //The number of rounds depends on the size of the master key
333  context->nr = 16;
334  }
335  else
336  {
337  //Report an error
339  }
340 
341  //Compute 128-bit values KL and KR
342  cryptoMemset(w, 0, sizeof(w));
343  cryptoMemcpy(w, key, keyLen);
344 
345  //Save KR...
346  MOV128(w + 8, w + 4);
347 
348  //Compute intermediate values W0, W1, W2, and W3
349  MOV128(w + 4, w + 0);
350  OF(w + 4, ck1);
351  XOR128(w + 4, w + 8);
352 
353  MOV128(w + 8, w + 4);
354  EF(w + 8, ck2);
355  XOR128(w + 8, w + 0);
356 
357  MOV128(w + 12, w + 8);
358  OF(w + 12, ck3);
359  XOR128(w + 12, w + 4);
360 
361  //Convert from big-endian byte order to host byte order
362  for(i = 0; i < 16; i++)
363  w[i] = betoh32(w[i]);
364 
365  //Point to the encryption round keys
366  ek = context->ek;
367 
368  //Compute ek1, ..., ek17 as follow
369  ROL128(ek + 0, w + 4, 109);
370  XOR128(ek + 0, w + 0);
371  ROL128(ek + 4, w + 8, 109);
372  XOR128(ek + 4, w + 4);
373  ROL128(ek + 8, w + 12, 109);
374  XOR128(ek + 8, w + 8);
375  ROL128(ek + 12, w + 0, 109);
376  XOR128(ek + 12, w + 12);
377  ROL128(ek + 16, w + 4, 97);
378  XOR128(ek + 16, w + 0);
379  ROL128(ek + 20, w + 8, 97);
380  XOR128(ek + 20, w + 4);
381  ROL128(ek + 24, w + 12, 97);
382  XOR128(ek + 24, w + 8);
383  ROL128(ek + 28, w + 0, 97);
384  XOR128(ek + 28, w + 12);
385  ROL128(ek + 32, w + 4, 61);
386  XOR128(ek + 32, w + 0);
387  ROL128(ek + 36, w + 8, 61);
388  XOR128(ek + 36, w + 4);
389  ROL128(ek + 40, w + 12, 61);
390  XOR128(ek + 40, w + 8);
391  ROL128(ek + 44, w + 0, 61);
392  XOR128(ek + 44, w + 12);
393  ROL128(ek + 48, w + 4, 31);
394  XOR128(ek + 48, w + 0);
395  ROL128(ek + 52, w + 8, 31);
396  XOR128(ek + 52, w + 4);
397  ROL128(ek + 56, w + 12, 31);
398  XOR128(ek + 56, w + 8);
399  ROL128(ek + 60, w + 0, 31);
400  XOR128(ek + 60, w + 12);
401  ROL128(ek + 64, w + 4, 19);
402  XOR128(ek + 64, w + 0);
403 
404  //Convert from host byte order to big-endian byte order
405  for(i = 0; i < 68; i++)
406  ek[i] = htobe32(ek[i]);
407 
408  //Decryption round keys are derived from the encryption round keys
409  dk = context->dk;
410  //Compute dk1
411  MOV128(dk + 0, ek + context->nr * 4);
412 
413  //Compute dk2, ..., dk(n)
414  for(i = 1; i < context->nr; i++)
415  A(dk + i * 4, ek + (context->nr - i) * 4);
416 
417  //Compute dk(n + 1)
418  MOV128(dk + i * 4, ek + 0);
419 
420  //No error to report
421  return NO_ERROR;
422 }
423 
424 
425 /**
426  * @brief Encrypt a 16-byte block using ARIA algorithm
427  * @param[in] context Pointer to the ARIA context
428  * @param[in] input Plaintext block to encrypt
429  * @param[out] output Ciphertext block resulting from encryption
430  **/
431 
432 void ariaEncryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
433 {
434  uint32_t *ek;
435  uint32_t p[4];
436  uint32_t q[4];
437 
438  //Copy the plaintext to the buffer
439  cryptoMemcpy(p, input, ARIA_BLOCK_SIZE);
440 
441  //Point to the encryption round keys
442  ek = context->ek;
443 
444  //Apply 11 rounds
445  OF(p, ek + 0);
446  EF(p, ek + 4);
447  OF(p, ek + 8);
448  EF(p, ek + 12);
449  OF(p, ek + 16);
450  EF(p, ek + 20);
451  OF(p, ek + 24);
452  EF(p, ek + 28);
453  OF(p, ek + 32);
454  EF(p, ek + 36);
455  OF(p, ek + 40);
456 
457  //128-bit master keys require a total of 12 rounds
458  if(context->nr == 12)
459  {
460  XOR128(p, ek + 44);
461  SL2(q, p);
462  XOR128(q, ek + 48);
463  }
464  //192-bit master keys require a total of 14 rounds
465  else if(context->nr == 14)
466  {
467  EF(p, ek + 44);
468  OF(p, ek + 48);
469  XOR128(p, ek + 52);
470  SL2(q, p);
471  XOR128(q, ek + 56);
472  }
473  //256-bit master keys require a total of 16 rounds
474  else
475  {
476  EF(p, ek + 44);
477  OF(p, ek + 48);
478  EF(p, ek + 52);
479  OF(p, ek + 56);
480  XOR128(p, ek + 60);
481  SL2(q, p);
482  XOR128(q, ek + 64);
483  }
484 
485  //Copy the resulting ciphertext from the buffer
486  cryptoMemcpy(output, q, ARIA_BLOCK_SIZE);
487 }
488 
489 
490 /**
491  * @brief Decrypt a 16-byte block using ARIA algorithm
492  * @param[in] context Pointer to the ARIA context
493  * @param[in] input Ciphertext block to decrypt
494  * @param[out] output Plaintext block resulting from decryption
495  **/
496 
497 void ariaDecryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
498 {
499  uint32_t *dk;
500  uint32_t p[4];
501  uint32_t q[4];
502 
503  //Copy the ciphertext to the buffer
504  cryptoMemcpy(p, input, ARIA_BLOCK_SIZE);
505 
506  //Point to the decryption round keys
507  dk = context->dk;
508 
509  //Apply 11 rounds
510  OF(p, dk + 0);
511  EF(p, dk + 4);
512  OF(p, dk + 8);
513  EF(p, dk + 12);
514  OF(p, dk + 16);
515  EF(p, dk + 20);
516  OF(p, dk + 24);
517  EF(p, dk + 28);
518  OF(p, dk + 32);
519  EF(p, dk + 36);
520  OF(p, dk + 40);
521 
522  //128-bit master keys require a total of 12 rounds
523  if(context->nr == 12)
524  {
525  XOR128(p, dk + 44);
526  SL2(q, p);
527  XOR128(q, dk + 48);
528  }
529  //192-bit master keys require a total of 14 rounds
530  else if(context->nr == 14)
531  {
532  EF(p, dk + 44);
533  OF(p, dk + 48);
534  XOR128(p, dk + 52);
535  SL2(q, p);
536  XOR128(q, dk + 56);
537  }
538  //256-bit master keys require a total of 16 rounds
539  else
540  {
541  EF(p, dk + 44);
542  OF(p, dk + 48);
543  EF(p, dk + 52);
544  OF(p, dk + 56);
545  XOR128(p, dk + 60);
546  SL2(q, p);
547  XOR128(q, dk + 64);
548  }
549 
550  //The resulting value is the plaintext
551  cryptoMemcpy(output, q, ARIA_BLOCK_SIZE);
552 }
553 
554 #endif
error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
Initialize a ARIA context using the supplied key.
Definition: aria.c:295
uint8_t c
Definition: ndp.h:510
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:590
Debugging facilities.
uint8_t p
Definition: ndp.h:295
void(* CipherAlgoDecryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:1030
#define htobe32(value)
Definition: cpu_endian.h:420
General definitions for cryptographic algorithms.
void ariaEncryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Encrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:432
Common interface for encryption algorithms.
Definition: crypto.h:1073
#define MOV128(b, a)
Definition: aria.c:47
ARIA algorithm context.
Definition: aria.h:50
#define A(b, a)
Definition: aria.c:120
#define XOR128(b, a)
Definition: aria.c:56
#define ROL128(b, a, n)
Definition: aria.c:65
#define SL2(b, a)
Definition: aria.c:97
#define betoh32(value)
Definition: cpu_endian.h:428
uint16_t w[3]
Definition: ethernet.h:154
error_t(* CipherAlgoInit)(void *context, const uint8_t *key, size_t keyLen)
Definition: crypto.h:1026
#define BETOH32(value)
Definition: cpu_endian.h:425
#define ARIA_BLOCK_SIZE
Definition: aria.h:36
void ariaDecryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Decrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:497
#define SL1(b, a)
Definition: aria.c:74
ARIA encryption algorithm.
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
unsigned int uint_t
Definition: compiler_port.h:43
void(* CipherAlgoEncryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:1029
uint32_t dk[68]
Definition: aria.h:55
const CipherAlgo ariaCipherAlgo
Definition: aria.c:235
uint_t nr
Definition: aria.h:52
#define cryptoMemset(p, value, length)
Definition: crypto.h:584
uint32_t ek[68]
Definition: aria.h:54