aria.c
Go to the documentation of this file.
1 /**
2  * @file aria.c
3  * @brief ARIA encryption algorithm
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * ARIA is a 128-bit block cipher with 128-, 192-, and 256-bit keys. The
30  * algorithm consists of a key scheduling part and data randomizing part.
31  * Refer to RFC 5794 for more details
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 2.4.0
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
39 
40 //Dependencies
41 #include "core/crypto.h"
42 #include "cipher/aria.h"
43 #include "debug.h"
44 
45 //Check crypto library configuration
46 #if (ARIA_SUPPORT == ENABLED)
47 
48 //Move operation
49 #define MOV128(b, a) \
50 { \
51  (b)[0] = (a)[0]; \
52  (b)[1] = (a)[1]; \
53  (b)[2] = (a)[2]; \
54  (b)[3] = (a)[3]; \
55 }
56 
57 //XOR operation
58 #define XOR128(b, a) \
59 { \
60  (b)[0] ^= (a)[0]; \
61  (b)[1] ^= (a)[1]; \
62  (b)[2] ^= (a)[2]; \
63  (b)[3] ^= (a)[3]; \
64 }
65 
66 //Rotate left operation
67 #define ROL128(b, a, n) \
68 { \
69  (b)[0] = ((a)[((n) / 32 + 0) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 1) % 4] >> (32 - ((n) % 32))); \
70  (b)[1] = ((a)[((n) / 32 + 1) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 2) % 4] >> (32 - ((n) % 32))); \
71  (b)[2] = ((a)[((n) / 32 + 2) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 3) % 4] >> (32 - ((n) % 32))); \
72  (b)[3] = ((a)[((n) / 32 + 3) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 0) % 4] >> (32 - ((n) % 32))); \
73 }
74 
75 //Substitution layer SL1
76 #define SL1(b, a) \
77 { \
78  uint8_t *x = (uint8_t *) (a); \
79  uint8_t *y = (uint8_t *) (b); \
80  y[0] = sb1[x[0]]; \
81  y[1] = sb2[x[1]]; \
82  y[2] = sb3[x[2]]; \
83  y[3] = sb4[x[3]]; \
84  y[4] = sb1[x[4]]; \
85  y[5] = sb2[x[5]]; \
86  y[6] = sb3[x[6]]; \
87  y[7] = sb4[x[7]]; \
88  y[8] = sb1[x[8]]; \
89  y[9] = sb2[x[9]]; \
90  y[10] = sb3[x[10]]; \
91  y[11] = sb4[x[11]]; \
92  y[12] = sb1[x[12]]; \
93  y[13] = sb2[x[13]]; \
94  y[14] = sb3[x[14]]; \
95  y[15] = sb4[x[15]]; \
96 }
97 
98 //Substitution layer SL2
99 #define SL2(b, a) \
100 { \
101  uint8_t *x = (uint8_t *) (a); \
102  uint8_t *y = (uint8_t *) (b); \
103  y[0] = sb3[x[0]]; \
104  y[1] = sb4[x[1]]; \
105  y[2] = sb1[x[2]]; \
106  y[3] = sb2[x[3]]; \
107  y[4] = sb3[x[4]]; \
108  y[5] = sb4[x[5]]; \
109  y[6] = sb1[x[6]]; \
110  y[7] = sb2[x[7]]; \
111  y[8] = sb3[x[8]]; \
112  y[9] = sb4[x[9]]; \
113  y[10] = sb1[x[10]]; \
114  y[11] = sb2[x[11]]; \
115  y[12] = sb3[x[12]]; \
116  y[13] = sb4[x[13]]; \
117  y[14] = sb1[x[14]]; \
118  y[15] = sb2[x[15]]; \
119 }
120 
121 //Diffusion layer
122 #define A(b, a) \
123 { \
124  uint8_t *x = (uint8_t *) (a); \
125  uint8_t *y = (uint8_t *) (b); \
126  y[0] = x[3] ^ x[4] ^ x[6] ^ x[8] ^ x[9] ^ x[13] ^ x[14]; \
127  y[1] = x[2] ^ x[5] ^ x[7] ^ x[8] ^ x[9] ^ x[12] ^ x[15]; \
128  y[2] = x[1] ^ x[4] ^ x[6] ^ x[10] ^ x[11] ^ x[12] ^ x[15]; \
129  y[3] = x[0] ^ x[5] ^ x[7] ^ x[10] ^ x[11] ^ x[13] ^ x[14]; \
130  y[4] = x[0] ^ x[2] ^ x[5] ^ x[8] ^ x[11] ^ x[14] ^ x[15]; \
131  y[5] = x[1] ^ x[3] ^ x[4] ^ x[9] ^ x[10] ^ x[14] ^ x[15]; \
132  y[6] = x[0] ^ x[2] ^ x[7] ^ x[9] ^ x[10] ^ x[12] ^ x[13]; \
133  y[7] = x[1] ^ x[3] ^ x[6] ^ x[8] ^ x[11] ^ x[12] ^ x[13]; \
134  y[8] = x[0] ^ x[1] ^ x[4] ^ x[7] ^ x[10] ^ x[13] ^ x[15]; \
135  y[9] = x[0] ^ x[1] ^ x[5] ^ x[6] ^ x[11] ^ x[12] ^ x[14]; \
136  y[10] = x[2] ^ x[3] ^ x[5] ^ x[6] ^ x[8] ^ x[13] ^ x[15]; \
137  y[11] = x[2] ^ x[3] ^ x[4] ^ x[7] ^ x[9] ^ x[12] ^ x[14]; \
138  y[12] = x[1] ^ x[2] ^ x[6] ^ x[7] ^ x[9] ^ x[11] ^ x[12]; \
139  y[13] = x[0] ^ x[3] ^ x[6] ^ x[7] ^ x[8] ^ x[10] ^ x[13]; \
140  y[14] = x[0] ^ x[3] ^ x[4] ^ x[5] ^ x[9] ^ x[11] ^ x[14]; \
141  y[15] = x[1] ^ x[2] ^ x[4] ^ x[5] ^ x[8] ^ x[10] ^ x[15]; \
142 }
143 
144 //S-box 1
145 static const uint8_t sb1[256] =
146 {
147  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
148  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
149  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
150  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
151  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
152  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
153  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
154  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
155  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
156  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
157  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
158  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
159  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
160  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
161  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
162  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
163 };
164 
165 //S-box 2
166 static const uint8_t sb2[256] =
167 {
168  0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1,
169  0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1,
170  0x1D, 0x06, 0x41, 0x6B, 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
171  0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB,
172  0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD,
173  0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
174  0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA, 0xE9, 0xB1,
175  0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40,
176  0xEC, 0x20, 0x8C, 0xBD, 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
177  0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5,
178  0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43,
179  0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
180  0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA,
181  0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C,
182  0x90, 0x0B, 0x5B, 0x33, 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
183  0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF, 0xBA, 0xB5, 0x81
184 };
185 
186 //S-box 3
187 static const uint8_t sb3[256] =
188 {
189  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
190  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
191  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
192  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
193  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
194  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
195  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
196  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
197  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
198  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
199  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
200  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
201  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
202  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
203  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
204  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
205 };
206 
207 //S-box 4
208 static const uint8_t sb4[256] =
209 {
210  0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C,
211  0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D,
212  0x81, 0x65, 0xF5, 0x89, 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
213  0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED,
214  0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B,
215  0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
216  0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF, 0xCA, 0xD9,
217  0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41,
218  0xDA, 0xFF, 0xCD, 0x55, 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
219  0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7,
220  0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC,
221  0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
222  0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45,
223  0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D,
224  0xF2, 0xB1, 0x00, 0x94, 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
225  0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60
226 };
227 
228 //Key scheduling constants
229 static const uint32_t c[12] =
230 {
231  BETOH32(0x517CC1B7), BETOH32(0x27220A94), BETOH32(0xFE13ABE8), BETOH32(0xFA9A6EE0),
232  BETOH32(0x6DB14ACC), BETOH32(0x9E21C820), BETOH32(0xFF28B1D5), BETOH32(0xEF5DE2B0),
233  BETOH32(0xDB92371D), BETOH32(0x2126E970), BETOH32(0x03249775), BETOH32(0x04E8C90E)
234 };
235 
236 //ARIA128-ECB OID (1.2.410.200046.1.1.1)
237 const uint8_t ARIA128_ECB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x01};
238 //ARIA128-CBC OID (1.2.410.200046.1.1.2)
239 const uint8_t ARIA128_CBC_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x02};
240 //ARIA128-CFB OID (1.2.410.200046.1.1.3)
241 const uint8_t ARIA128_CFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x03};
242 //ARIA128-OFB OID (1.2.410.200046.1.1.4)
243 const uint8_t ARIA128_OFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x04};
244 //ARIA128-CTR OID (1.2.410.200046.1.1.5)
245 const uint8_t ARIA128_CTR_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x05};
246 
247 //ARIA192-ECB OID (1.2.410.200046.1.1.6)
248 const uint8_t ARIA192_ECB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x06};
249 //ARIA192-CBC OID (1.2.410.200046.1.1.7)
250 const uint8_t ARIA192_CBC_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x07};
251 //ARIA192-CFB OID (1.2.410.200046.1.1.8)
252 const uint8_t ARIA192_CFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x08};
253 //ARIA192-OFB OID (1.2.410.200046.1.1.9)
254 const uint8_t ARIA192_OFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x09};
255 //ARIA192-CTR OID (1.2.410.200046.1.1.10)
256 const uint8_t ARIA192_CTR_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0A};
257 
258 //ARIA256-ECB OID (1.2.410.200046.1.1.11)
259 const uint8_t ARIA256_ECB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0B};
260 //ARIA256-CBC OID (1.2.410.200046.1.1.12)
261 const uint8_t ARIA256_CBC_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0C};
262 //ARIA256-CFB OID (1.2.410.200046.1.1.13)
263 const uint8_t ARIA256_CFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0D};
264 //ARIA256-OFB OID (1.2.410.200046.1.1.14)
265 const uint8_t ARIA256_OFB_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0E};
266 //ARIA256-CTR OID (1.2.410.200046.1.1.15)
267 const uint8_t ARIA256_CTR_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x0F};
268 
269 //ARIA128-GCM OID (1.2.410.200046.1.1.34)
270 const uint8_t ARIA128_GCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x22};
271 //ARIA192-GCM OID (1.2.410.200046.1.1.35)
272 const uint8_t ARIA192_GCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x23};
273 //ARIA256-GCM OID (1.2.410.200046.1.1.36)
274 const uint8_t ARIA256_GCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x24};
275 
276 //ARIA128-CCM OID (1.2.410.200046.1.1.37)
277 const uint8_t ARIA128_CCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x25};
278 //ARIA192-CCM OID (1.2.410.200046.1.1.38)
279 const uint8_t ARIA192_CCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x26};
280 //ARIA256-CCM OID (1.2.410.200046.1.1.39)
281 const uint8_t ARIA256_CCM_OID[9] = {0x2A, 0x83, 0x1A, 0x8C, 0x9A, 0x6E, 0x01, 0x01, 0x27};
282 
283 //Common interface for encryption algorithms
284 const CipherAlgo ariaCipherAlgo =
285 {
286  "ARIA",
287  sizeof(AriaContext),
288  CIPHER_ALGO_TYPE_BLOCK,
289  ARIA_BLOCK_SIZE,
290  (CipherAlgoInit) ariaInit,
291  NULL,
292  NULL,
293  (CipherAlgoEncryptBlock) ariaEncryptBlock,
294  (CipherAlgoDecryptBlock) ariaDecryptBlock,
295  (CipherAlgoDeinit) ariaDeinit
296 };
297 
298 
299 /**
300  * @brief Odd round function
301  * @param[in,out] d 128-bit string
302  * @param[in] rk 128-bit string
303  **/
304 
305 static void OF(uint32_t *d, const uint32_t *rk)
306 {
307  uint32_t t[4];
308 
309  //XOR D with RK
310  XOR128(d, rk);
311  //Substitution layer SL1
312  SL1(t, d);
313  //Diffusion layer
314  A(d, t);
315 }
316 
317 
318 /**
319  * @brief Even round function
320  * @param[in,out] d 128-bit string
321  * @param[in] rk 128-bit string
322  **/
323 
324 static void EF(uint32_t *d, const uint32_t *rk)
325 {
326  uint32_t t[4];
327 
328  //XOR D with RK
329  XOR128(d, rk);
330  //Substitution layer SL2
331  SL2(t, d);
332  //Diffusion layer
333  A(d, t);
334 }
335 
336 
337 /**
338  * @brief Initialize a ARIA context using the supplied key
339  * @param[in] context Pointer to the ARIA context to initialize
340  * @param[in] key Pointer to the key
341  * @param[in] keyLen Length of the key
342  * @return Error code
343  **/
344 
345 error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
346 {
347  uint_t i;
348  uint32_t *ek;
349  uint32_t *dk;
350  const uint32_t *ck1;
351  const uint32_t *ck2;
352  const uint32_t *ck3;
353  uint32_t w[16];
354 
355  //Check parameters
356  if(context == NULL || key == NULL)
357  return ERROR_INVALID_PARAMETER;
358 
359  //Check the length of the master key
360  if(keyLen == 16)
361  {
362  //128-bit master keys require a total of 12 rounds
363  context->nr = 12;
364 
365  //Select the relevant constants
366  ck1 = c + 0;
367  ck2 = c + 4;
368  ck3 = c + 8;
369  }
370  else if(keyLen == 24)
371  {
372  //192-bit master keys require a total of 14 rounds
373  context->nr = 14;
374 
375  //Select the relevant constants
376  ck1 = c + 4;
377  ck2 = c + 8;
378  ck3 = c + 0;
379  }
380  else if(keyLen == 32)
381  {
382  //256-bit master keys require a total of 16 rounds
383  context->nr = 16;
384 
385  //Select the relevant constants
386  ck1 = c + 8;
387  ck2 = c + 0;
388  ck3 = c + 4;
389  }
390  else
391  {
392  //Report an error
393  return ERROR_INVALID_KEY_LENGTH;
394  }
395 
396  //Compute 128-bit values KL and KR
397  osMemset(w, 0, sizeof(w));
398  osMemcpy(w, key, keyLen);
399 
400  //Save KR...
401  MOV128(w + 8, w + 4);
402 
403  //Compute intermediate values W0, W1, W2, and W3
404  MOV128(w + 4, w + 0);
405  OF(w + 4, ck1);
406  XOR128(w + 4, w + 8);
407 
408  MOV128(w + 8, w + 4);
409  EF(w + 8, ck2);
410  XOR128(w + 8, w + 0);
411 
412  MOV128(w + 12, w + 8);
413  OF(w + 12, ck3);
414  XOR128(w + 12, w + 4);
415 
416  //Convert from big-endian byte order to host byte order
417  for(i = 0; i < 16; i++)
418  {
419  w[i] = betoh32(w[i]);
420  }
421 
422  //Point to the encryption round keys
423  ek = context->ek;
424 
425  //Compute ek1, ..., ek17 as follow
426  ROL128(ek + 0, w + 4, 109);
427  XOR128(ek + 0, w + 0);
428  ROL128(ek + 4, w + 8, 109);
429  XOR128(ek + 4, w + 4);
430  ROL128(ek + 8, w + 12, 109);
431  XOR128(ek + 8, w + 8);
432  ROL128(ek + 12, w + 0, 109);
433  XOR128(ek + 12, w + 12);
434  ROL128(ek + 16, w + 4, 97);
435  XOR128(ek + 16, w + 0);
436  ROL128(ek + 20, w + 8, 97);
437  XOR128(ek + 20, w + 4);
438  ROL128(ek + 24, w + 12, 97);
439  XOR128(ek + 24, w + 8);
440  ROL128(ek + 28, w + 0, 97);
441  XOR128(ek + 28, w + 12);
442  ROL128(ek + 32, w + 4, 61);
443  XOR128(ek + 32, w + 0);
444  ROL128(ek + 36, w + 8, 61);
445  XOR128(ek + 36, w + 4);
446  ROL128(ek + 40, w + 12, 61);
447  XOR128(ek + 40, w + 8);
448  ROL128(ek + 44, w + 0, 61);
449  XOR128(ek + 44, w + 12);
450  ROL128(ek + 48, w + 4, 31);
451  XOR128(ek + 48, w + 0);
452  ROL128(ek + 52, w + 8, 31);
453  XOR128(ek + 52, w + 4);
454  ROL128(ek + 56, w + 12, 31);
455  XOR128(ek + 56, w + 8);
456  ROL128(ek + 60, w + 0, 31);
457  XOR128(ek + 60, w + 12);
458  ROL128(ek + 64, w + 4, 19);
459  XOR128(ek + 64, w + 0);
460 
461  //Convert from host byte order to big-endian byte order
462  for(i = 0; i < 68; i++)
463  {
464  ek[i] = htobe32(ek[i]);
465  }
466 
467  //Decryption round keys are derived from the encryption round keys
468  dk = context->dk;
469  //Compute dk1
470  MOV128(dk + 0, ek + context->nr * 4);
471 
472  //Compute dk2, ..., dk(n)
473  for(i = 1; i < context->nr; i++)
474  {
475  A(dk + i * 4, ek + (context->nr - i) * 4);
476  }
477 
478  //Compute dk(n + 1)
479  MOV128(dk + i * 4, ek + 0);
480 
481  //No error to report
482  return NO_ERROR;
483 }
484 
485 
486 /**
487  * @brief Encrypt a 16-byte block using ARIA algorithm
488  * @param[in] context Pointer to the ARIA context
489  * @param[in] input Plaintext block to encrypt
490  * @param[out] output Ciphertext block resulting from encryption
491  **/
492 
493 void ariaEncryptBlock(AriaContext *context, const uint8_t *input,
494  uint8_t *output)
495 {
496  uint32_t *ek;
497  uint32_t p[4];
498  uint32_t q[4];
499 
500  //Copy the plaintext to the buffer
501  osMemcpy(p, input, ARIA_BLOCK_SIZE);
502 
503  //Point to the encryption round keys
504  ek = context->ek;
505 
506  //Apply 11 rounds
507  OF(p, ek + 0);
508  EF(p, ek + 4);
509  OF(p, ek + 8);
510  EF(p, ek + 12);
511  OF(p, ek + 16);
512  EF(p, ek + 20);
513  OF(p, ek + 24);
514  EF(p, ek + 28);
515  OF(p, ek + 32);
516  EF(p, ek + 36);
517  OF(p, ek + 40);
518 
519  //The number of rounds depends on the length of the master key
520  if(context->nr == 12)
521  {
522  //128-bit master keys require a total of 12 rounds
523  XOR128(p, ek + 44);
524  SL2(q, p);
525  XOR128(q, ek + 48);
526  }
527  else if(context->nr == 14)
528  {
529  //192-bit master keys require a total of 14 rounds
530  EF(p, ek + 44);
531  OF(p, ek + 48);
532  XOR128(p, ek + 52);
533  SL2(q, p);
534  XOR128(q, ek + 56);
535  }
536  else
537  {
538  //256-bit master keys require a total of 16 rounds
539  EF(p, ek + 44);
540  OF(p, ek + 48);
541  EF(p, ek + 52);
542  OF(p, ek + 56);
543  XOR128(p, ek + 60);
544  SL2(q, p);
545  XOR128(q, ek + 64);
546  }
547 
548  //Copy the resulting ciphertext from the buffer
549  osMemcpy(output, q, ARIA_BLOCK_SIZE);
550 }
551 
552 
553 /**
554  * @brief Decrypt a 16-byte block using ARIA algorithm
555  * @param[in] context Pointer to the ARIA context
556  * @param[in] input Ciphertext block to decrypt
557  * @param[out] output Plaintext block resulting from decryption
558  **/
559 
560 void ariaDecryptBlock(AriaContext *context, const uint8_t *input,
561  uint8_t *output)
562 {
563  uint32_t *dk;
564  uint32_t p[4];
565  uint32_t q[4];
566 
567  //Copy the ciphertext to the buffer
568  osMemcpy(p, input, ARIA_BLOCK_SIZE);
569 
570  //Point to the decryption round keys
571  dk = context->dk;
572 
573  //Apply 11 rounds
574  OF(p, dk + 0);
575  EF(p, dk + 4);
576  OF(p, dk + 8);
577  EF(p, dk + 12);
578  OF(p, dk + 16);
579  EF(p, dk + 20);
580  OF(p, dk + 24);
581  EF(p, dk + 28);
582  OF(p, dk + 32);
583  EF(p, dk + 36);
584  OF(p, dk + 40);
585 
586  //The number of rounds depends on the length of the master key
587  if(context->nr == 12)
588  {
589  //128-bit master keys require a total of 12 rounds
590  XOR128(p, dk + 44);
591  SL2(q, p);
592  XOR128(q, dk + 48);
593  }
594  else if(context->nr == 14)
595  {
596  //192-bit master keys require a total of 14 rounds
597  EF(p, dk + 44);
598  OF(p, dk + 48);
599  XOR128(p, dk + 52);
600  SL2(q, p);
601  XOR128(q, dk + 56);
602  }
603  else
604  {
605  //256-bit master keys require a total of 16 rounds
606  EF(p, dk + 44);
607  OF(p, dk + 48);
608  EF(p, dk + 52);
609  OF(p, dk + 56);
610  XOR128(p, dk + 60);
611  SL2(q, p);
612  XOR128(q, dk + 64);
613  }
614 
615  //The resulting value is the plaintext
616  osMemcpy(output, q, ARIA_BLOCK_SIZE);
617 }
618 
619 
620 /**
621  * @brief Release ARIA context
622  * @param[in] context Pointer to the ARIA context
623  **/
624 
625 void ariaDeinit(AriaContext *context)
626 {
627  //Clear ARIA context
628  osMemset(context, 0, sizeof(AriaContext));
629 }
630 
631 #endif
ARIA128_CFB_OID
const uint8_t ARIA128_CFB_OID[9]
Definition: aria.c:241
ARIA128_ECB_OID
const uint8_t ARIA128_ECB_OID[9]
Definition: aria.c:237
ARIA256_OFB_OID
const uint8_t ARIA256_OFB_OID[9]
Definition: aria.c:265
ARIA256_GCM_OID
const uint8_t ARIA256_GCM_OID[9]
Definition: aria.c:274
ARIA256_CCM_OID
const uint8_t ARIA256_CCM_OID[9]
Definition: aria.c:281
ARIA128_CCM_OID
const uint8_t ARIA128_CCM_OID[9]
Definition: aria.c:277
A
#define A(b, a)
Definition: aria.c:122
ariaDeinit
void ariaDeinit(AriaContext *context)
Release ARIA context.
Definition: aria.c:625
ARIA192_CTR_OID
const uint8_t ARIA192_CTR_OID[9]
Definition: aria.c:256
ARIA256_CTR_OID
const uint8_t ARIA256_CTR_OID[9]
Definition: aria.c:267
ARIA192_CFB_OID
const uint8_t ARIA192_CFB_OID[9]
Definition: aria.c:252
ROL128
#define ROL128(b, a, n)
Definition: aria.c:67
SL1
#define SL1(b, a)
Definition: aria.c:76
ARIA256_ECB_OID
const uint8_t ARIA256_ECB_OID[9]
Definition: aria.c:259
SL2
#define SL2(b, a)
Definition: aria.c:99
ARIA128_CTR_OID
const uint8_t ARIA128_CTR_OID[9]
Definition: aria.c:245
ARIA128_CBC_OID
const uint8_t ARIA128_CBC_OID[9]
Definition: aria.c:239
ARIA256_CBC_OID
const uint8_t ARIA256_CBC_OID[9]
Definition: aria.c:261
ARIA128_GCM_OID
const uint8_t ARIA128_GCM_OID[9]
Definition: aria.c:270
ariaDecryptBlock
void ariaDecryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Decrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:560
ARIA192_GCM_OID
const uint8_t ARIA192_GCM_OID[9]
Definition: aria.c:272
ARIA192_ECB_OID
const uint8_t ARIA192_ECB_OID[9]
Definition: aria.c:248
ariaEncryptBlock
void ariaEncryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Encrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:493
ariaCipherAlgo
const CipherAlgo ariaCipherAlgo
Definition: aria.c:284
ARIA128_OFB_OID
const uint8_t ARIA128_OFB_OID[9]
Definition: aria.c:243
ARIA192_CBC_OID
const uint8_t ARIA192_CBC_OID[9]
Definition: aria.c:250
XOR128
#define XOR128(b, a)
Definition: aria.c:58
ARIA256_CFB_OID
const uint8_t ARIA256_CFB_OID[9]
Definition: aria.c:263
ariaInit
error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
Initialize a ARIA context using the supplied key.
Definition: aria.c:345
ARIA192_OFB_OID
const uint8_t ARIA192_OFB_OID[9]
Definition: aria.c:254
MOV128
#define MOV128(b, a)
Definition: aria.c:49
ARIA192_CCM_OID
const uint8_t ARIA192_CCM_OID[9]
Definition: aria.c:279
aria.h
ARIA encryption algorithm.
ARIA_BLOCK_SIZE
#define ARIA_BLOCK_SIZE
Definition: aria.h:38
uint_t
unsigned int uint_t
Definition: compiler_port.h:50
BETOH32
#define BETOH32(value)
Definition: cpu_endian.h:451
betoh32
#define betoh32(value)
Definition: cpu_endian.h:454
htobe32
#define htobe32(value)
Definition: cpu_endian.h:446
crypto.h
General definitions for cryptographic algorithms.
CipherAlgoDeinit
void(* CipherAlgoDeinit)(void *context)
Definition: crypto.h:983
CipherAlgoDecryptBlock
void(* CipherAlgoDecryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:980
CipherAlgoInit
error_t(* CipherAlgoInit)(void *context, const uint8_t *key, size_t keyLen)
Definition: crypto.h:968
CipherAlgoEncryptBlock
void(* CipherAlgoEncryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:977
CIPHER_ALGO_TYPE_BLOCK
@ CIPHER_ALGO_TYPE_BLOCK
Definition: crypto.h:932
debug.h
Debugging facilities.
error_t
error_t
Error codes.
Definition: error.h:43
ERROR_INVALID_KEY_LENGTH
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:107
NO_ERROR
@ NO_ERROR
Success.
Definition: error.h:44
ERROR_INVALID_PARAMETER
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
t
uint8_t t
Definition: lldp_ext_med.h:212
c
uint8_t c
Definition: ndp.h:514
p
uint8_t p
Definition: ndp.h:300
osMemset
#define osMemset(p, value, length)
Definition: os_port.h:135
osMemcpy
#define osMemcpy(dest, src, length)
Definition: os_port.h:141
AriaContext
ARIA algorithm context.
Definition: aria.h:53
AriaContext::ek
uint32_t ek[68]
Definition: aria.h:56
AriaContext::dk
uint32_t dk[68]
Definition: aria.h:57
AriaContext::nr
uint_t nr
Definition: aria.h:54
CipherAlgo
Common interface for encryption algorithms.
Definition: crypto.h:1036