aria.c
Go to the documentation of this file.
1 /**
2  * @file aria.c
3  * @brief ARIA encryption algorithm
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCrypto Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * ARIA is a 128-bit block cipher with 128-, 192-, and 256-bit keys. The
30  * algorithm consists of a key scheduling part and data randomizing part.
31  * Refer to RFC 5794 for more details
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 1.9.6
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
39 
40 //Dependencies
41 #include "core/crypto.h"
42 #include "cipher/aria.h"
43 #include "debug.h"
44 
45 //Check crypto library configuration
46 #if (ARIA_SUPPORT == ENABLED)
47 
48 //Move operation
49 #define MOV128(b, a) \
50 { \
51  (b)[0] = (a)[0]; \
52  (b)[1] = (a)[1]; \
53  (b)[2] = (a)[2]; \
54  (b)[3] = (a)[3]; \
55 }
56 
57 //XOR operation
58 #define XOR128(b, a) \
59 { \
60  (b)[0] ^= (a)[0]; \
61  (b)[1] ^= (a)[1]; \
62  (b)[2] ^= (a)[2]; \
63  (b)[3] ^= (a)[3]; \
64 }
65 
66 //Rotate left operation
67 #define ROL128(b, a, n) \
68 { \
69  (b)[0] = ((a)[((n) / 32 + 0) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 1) % 4] >> (32 - ((n) % 32))); \
70  (b)[1] = ((a)[((n) / 32 + 1) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 2) % 4] >> (32 - ((n) % 32))); \
71  (b)[2] = ((a)[((n) / 32 + 2) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 3) % 4] >> (32 - ((n) % 32))); \
72  (b)[3] = ((a)[((n) / 32 + 3) % 4] << ((n) % 32)) | ((a)[((n) / 32 + 0) % 4] >> (32 - ((n) % 32))); \
73 }
74 
75 //Substitution layer SL1
76 #define SL1(b, a) \
77 { \
78  uint8_t *x = (uint8_t *) (a); \
79  uint8_t *y = (uint8_t *) (b); \
80  y[0] = sb1[x[0]]; \
81  y[1] = sb2[x[1]]; \
82  y[2] = sb3[x[2]]; \
83  y[3] = sb4[x[3]]; \
84  y[4] = sb1[x[4]]; \
85  y[5] = sb2[x[5]]; \
86  y[6] = sb3[x[6]]; \
87  y[7] = sb4[x[7]]; \
88  y[8] = sb1[x[8]]; \
89  y[9] = sb2[x[9]]; \
90  y[10] = sb3[x[10]]; \
91  y[11] = sb4[x[11]]; \
92  y[12] = sb1[x[12]]; \
93  y[13] = sb2[x[13]]; \
94  y[14] = sb3[x[14]]; \
95  y[15] = sb4[x[15]]; \
96 }
97 
98 //Substitution layer SL2
99 #define SL2(b, a) \
100 { \
101  uint8_t *x = (uint8_t *) (a); \
102  uint8_t *y = (uint8_t *) (b); \
103  y[0] = sb3[x[0]]; \
104  y[1] = sb4[x[1]]; \
105  y[2] = sb1[x[2]]; \
106  y[3] = sb2[x[3]]; \
107  y[4] = sb3[x[4]]; \
108  y[5] = sb4[x[5]]; \
109  y[6] = sb1[x[6]]; \
110  y[7] = sb2[x[7]]; \
111  y[8] = sb3[x[8]]; \
112  y[9] = sb4[x[9]]; \
113  y[10] = sb1[x[10]]; \
114  y[11] = sb2[x[11]]; \
115  y[12] = sb3[x[12]]; \
116  y[13] = sb4[x[13]]; \
117  y[14] = sb1[x[14]]; \
118  y[15] = sb2[x[15]]; \
119 }
120 
121 //Diffusion layer
122 #define A(b, a) \
123 { \
124  uint8_t *x = (uint8_t *) (a); \
125  uint8_t *y = (uint8_t *) (b); \
126  y[0] = x[3] ^ x[4] ^ x[6] ^ x[8] ^ x[9] ^ x[13] ^ x[14]; \
127  y[1] = x[2] ^ x[5] ^ x[7] ^ x[8] ^ x[9] ^ x[12] ^ x[15]; \
128  y[2] = x[1] ^ x[4] ^ x[6] ^ x[10] ^ x[11] ^ x[12] ^ x[15]; \
129  y[3] = x[0] ^ x[5] ^ x[7] ^ x[10] ^ x[11] ^ x[13] ^ x[14]; \
130  y[4] = x[0] ^ x[2] ^ x[5] ^ x[8] ^ x[11] ^ x[14] ^ x[15]; \
131  y[5] = x[1] ^ x[3] ^ x[4] ^ x[9] ^ x[10] ^ x[14] ^ x[15]; \
132  y[6] = x[0] ^ x[2] ^ x[7] ^ x[9] ^ x[10] ^ x[12] ^ x[13]; \
133  y[7] = x[1] ^ x[3] ^ x[6] ^ x[8] ^ x[11] ^ x[12] ^ x[13]; \
134  y[8] = x[0] ^ x[1] ^ x[4] ^ x[7] ^ x[10] ^ x[13] ^ x[15]; \
135  y[9] = x[0] ^ x[1] ^ x[5] ^ x[6] ^ x[11] ^ x[12] ^ x[14]; \
136  y[10] = x[2] ^ x[3] ^ x[5] ^ x[6] ^ x[8] ^ x[13] ^ x[15]; \
137  y[11] = x[2] ^ x[3] ^ x[4] ^ x[7] ^ x[9] ^ x[12] ^ x[14]; \
138  y[12] = x[1] ^ x[2] ^ x[6] ^ x[7] ^ x[9] ^ x[11] ^ x[12]; \
139  y[13] = x[0] ^ x[3] ^ x[6] ^ x[7] ^ x[8] ^ x[10] ^ x[13]; \
140  y[14] = x[0] ^ x[3] ^ x[4] ^ x[5] ^ x[9] ^ x[11] ^ x[14]; \
141  y[15] = x[1] ^ x[2] ^ x[4] ^ x[5] ^ x[8] ^ x[10] ^ x[15]; \
142 }
143 
144 //S-box 1
145 static const uint8_t sb1[256] =
146 {
147  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
148  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
149  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
150  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
151  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
152  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
153  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
154  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
155  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
156  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
157  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
158  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
159  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
160  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
161  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
162  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
163 };
164 
165 //S-box 2
166 static const uint8_t sb2[256] =
167 {
168  0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46, 0x3C, 0x4D, 0x8B, 0xD1,
169  0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B, 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1,
170  0x1D, 0x06, 0x41, 0x6B, 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
171  0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA, 0x0F, 0xEE, 0x10, 0xEB,
172  0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91, 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD,
173  0x08, 0x7A, 0x88, 0x38, 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
174  0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74, 0x32, 0xCA, 0xE9, 0xB1,
175  0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26, 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40,
176  0xEC, 0x20, 0x8C, 0xBD, 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
177  0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E, 0xE8, 0x25, 0x92, 0xE5,
178  0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A, 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43,
179  0xA7, 0xE1, 0xD0, 0xF5, 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
180  0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24, 0x16, 0x82, 0x5F, 0xDA,
181  0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F, 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C,
182  0x90, 0x0B, 0x5B, 0x33, 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
183  0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A, 0xAF, 0xBA, 0xB5, 0x81
184 };
185 
186 //S-box 3
187 static const uint8_t sb3[256] =
188 {
189  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
190  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
191  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
192  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
193  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
194  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
195  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
196  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
197  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
198  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
199  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
200  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
201  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
202  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
203  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
204  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
205 };
206 
207 //S-box 4
208 static const uint8_t sb4[256] =
209 {
210  0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1, 0x72, 0x09, 0x62, 0x3C,
211  0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3, 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D,
212  0x81, 0x65, 0xF5, 0x89, 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
213  0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98, 0x0C, 0xF4, 0x9B, 0xED,
214  0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58, 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B,
215  0x8C, 0xC2, 0xE6, 0x5F, 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
216  0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23, 0xDF, 0xEF, 0xCA, 0xD9,
217  0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19, 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41,
218  0xDA, 0xFF, 0xCD, 0x55, 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
219  0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE, 0x29, 0xAE, 0x92, 0xD7,
220  0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0, 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC,
221  0xEB, 0x6F, 0xD5, 0xF6, 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
222  0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13, 0x07, 0x4F, 0x4E, 0x45,
223  0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73, 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D,
224  0xF2, 0xB1, 0x00, 0x94, 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
225  0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33, 0x03, 0xA2, 0xAC, 0x60
226 };
227 
228 //Key scheduling constants
229 static const uint32_t c[12] =
230 {
231  BETOH32(0x517CC1B7), BETOH32(0x27220A94), BETOH32(0xFE13ABE8), BETOH32(0xFA9A6EE0),
232  BETOH32(0x6DB14ACC), BETOH32(0x9E21C820), BETOH32(0xFF28B1D5), BETOH32(0xEF5DE2B0),
233  BETOH32(0xDB92371D), BETOH32(0x2126E970), BETOH32(0x03249775), BETOH32(0x04E8C90E)
234 };
235 
236 //Common interface for encryption algorithms
238 {
239  "ARIA",
240  sizeof(AriaContext),
244  NULL,
245  NULL,
248 };
249 
250 
251 /**
252  * @brief Odd round function
253  * @param[in,out] d 128-bit string
254  * @param[in] rk 128-bit string
255  **/
256 
257 static void OF(uint32_t *d, const uint32_t *rk)
258 {
259  uint32_t t[4];
260 
261  //XOR D with RK
262  XOR128(d, rk);
263  //Substitution layer SL1
264  SL1(t, d);
265  //Diffusion layer
266  A(d, t);
267 }
268 
269 
270 /**
271  * @brief Even round function
272  * @param[in,out] d 128-bit string
273  * @param[in] rk 128-bit string
274  **/
275 
276 static void EF(uint32_t *d, const uint32_t *rk)
277 {
278  uint32_t t[4];
279 
280  //XOR D with RK
281  XOR128(d, rk);
282  //Substitution layer SL2
283  SL2(t, d);
284  //Diffusion layer
285  A(d, t);
286 }
287 
288 
289 /**
290  * @brief Initialize a ARIA context using the supplied key
291  * @param[in] context Pointer to the ARIA context to initialize
292  * @param[in] key Pointer to the key
293  * @param[in] keyLen Length of the key
294  * @return Error code
295  **/
296 
297 error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
298 {
299  uint_t i;
300  uint32_t *ek;
301  uint32_t *dk;
302  const uint32_t *ck1;
303  const uint32_t *ck2;
304  const uint32_t *ck3;
305  uint32_t w[16];
306 
307  //Check parameters
308  if(context == NULL || key == NULL)
310 
311  //Check the length of the master key
312  if(keyLen == 16)
313  {
314  //Select the relevant constants
315  ck1 = c + 0;
316  ck2 = c + 4;
317  ck3 = c + 8;
318  //The number of rounds depends on the size of the master key
319  context->nr = 12;
320  }
321  else if(keyLen == 24)
322  {
323  //Select the relevant constants
324  ck1 = c + 4;
325  ck2 = c + 8;
326  ck3 = c + 0;
327  //The number of rounds depends on the size of the master key
328  context->nr = 14;
329  }
330  else if(keyLen == 32)
331  {
332  //Select the relevant constants
333  ck1 = c + 8;
334  ck2 = c + 0;
335  ck3 = c + 4;
336  //The number of rounds depends on the size of the master key
337  context->nr = 16;
338  }
339  else
340  {
341  //Report an error
343  }
344 
345  //Compute 128-bit values KL and KR
346  cryptoMemset(w, 0, sizeof(w));
347  cryptoMemcpy(w, key, keyLen);
348 
349  //Save KR...
350  MOV128(w + 8, w + 4);
351 
352  //Compute intermediate values W0, W1, W2, and W3
353  MOV128(w + 4, w + 0);
354  OF(w + 4, ck1);
355  XOR128(w + 4, w + 8);
356 
357  MOV128(w + 8, w + 4);
358  EF(w + 8, ck2);
359  XOR128(w + 8, w + 0);
360 
361  MOV128(w + 12, w + 8);
362  OF(w + 12, ck3);
363  XOR128(w + 12, w + 4);
364 
365  //Convert from big-endian byte order to host byte order
366  for(i = 0; i < 16; i++)
367  {
368  w[i] = betoh32(w[i]);
369  }
370 
371  //Point to the encryption round keys
372  ek = context->ek;
373 
374  //Compute ek1, ..., ek17 as follow
375  ROL128(ek + 0, w + 4, 109);
376  XOR128(ek + 0, w + 0);
377  ROL128(ek + 4, w + 8, 109);
378  XOR128(ek + 4, w + 4);
379  ROL128(ek + 8, w + 12, 109);
380  XOR128(ek + 8, w + 8);
381  ROL128(ek + 12, w + 0, 109);
382  XOR128(ek + 12, w + 12);
383  ROL128(ek + 16, w + 4, 97);
384  XOR128(ek + 16, w + 0);
385  ROL128(ek + 20, w + 8, 97);
386  XOR128(ek + 20, w + 4);
387  ROL128(ek + 24, w + 12, 97);
388  XOR128(ek + 24, w + 8);
389  ROL128(ek + 28, w + 0, 97);
390  XOR128(ek + 28, w + 12);
391  ROL128(ek + 32, w + 4, 61);
392  XOR128(ek + 32, w + 0);
393  ROL128(ek + 36, w + 8, 61);
394  XOR128(ek + 36, w + 4);
395  ROL128(ek + 40, w + 12, 61);
396  XOR128(ek + 40, w + 8);
397  ROL128(ek + 44, w + 0, 61);
398  XOR128(ek + 44, w + 12);
399  ROL128(ek + 48, w + 4, 31);
400  XOR128(ek + 48, w + 0);
401  ROL128(ek + 52, w + 8, 31);
402  XOR128(ek + 52, w + 4);
403  ROL128(ek + 56, w + 12, 31);
404  XOR128(ek + 56, w + 8);
405  ROL128(ek + 60, w + 0, 31);
406  XOR128(ek + 60, w + 12);
407  ROL128(ek + 64, w + 4, 19);
408  XOR128(ek + 64, w + 0);
409 
410  //Convert from host byte order to big-endian byte order
411  for(i = 0; i < 68; i++)
412  {
413  ek[i] = htobe32(ek[i]);
414  }
415 
416  //Decryption round keys are derived from the encryption round keys
417  dk = context->dk;
418  //Compute dk1
419  MOV128(dk + 0, ek + context->nr * 4);
420 
421  //Compute dk2, ..., dk(n)
422  for(i = 1; i < context->nr; i++)
423  {
424  A(dk + i * 4, ek + (context->nr - i) * 4);
425  }
426 
427  //Compute dk(n + 1)
428  MOV128(dk + i * 4, ek + 0);
429 
430  //No error to report
431  return NO_ERROR;
432 }
433 
434 
435 /**
436  * @brief Encrypt a 16-byte block using ARIA algorithm
437  * @param[in] context Pointer to the ARIA context
438  * @param[in] input Plaintext block to encrypt
439  * @param[out] output Ciphertext block resulting from encryption
440  **/
441 
442 void ariaEncryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
443 {
444  uint32_t *ek;
445  uint32_t p[4];
446  uint32_t q[4];
447 
448  //Copy the plaintext to the buffer
449  cryptoMemcpy(p, input, ARIA_BLOCK_SIZE);
450 
451  //Point to the encryption round keys
452  ek = context->ek;
453 
454  //Apply 11 rounds
455  OF(p, ek + 0);
456  EF(p, ek + 4);
457  OF(p, ek + 8);
458  EF(p, ek + 12);
459  OF(p, ek + 16);
460  EF(p, ek + 20);
461  OF(p, ek + 24);
462  EF(p, ek + 28);
463  OF(p, ek + 32);
464  EF(p, ek + 36);
465  OF(p, ek + 40);
466 
467  //128-bit master keys require a total of 12 rounds
468  if(context->nr == 12)
469  {
470  XOR128(p, ek + 44);
471  SL2(q, p);
472  XOR128(q, ek + 48);
473  }
474  //192-bit master keys require a total of 14 rounds
475  else if(context->nr == 14)
476  {
477  EF(p, ek + 44);
478  OF(p, ek + 48);
479  XOR128(p, ek + 52);
480  SL2(q, p);
481  XOR128(q, ek + 56);
482  }
483  //256-bit master keys require a total of 16 rounds
484  else
485  {
486  EF(p, ek + 44);
487  OF(p, ek + 48);
488  EF(p, ek + 52);
489  OF(p, ek + 56);
490  XOR128(p, ek + 60);
491  SL2(q, p);
492  XOR128(q, ek + 64);
493  }
494 
495  //Copy the resulting ciphertext from the buffer
496  cryptoMemcpy(output, q, ARIA_BLOCK_SIZE);
497 }
498 
499 
500 /**
501  * @brief Decrypt a 16-byte block using ARIA algorithm
502  * @param[in] context Pointer to the ARIA context
503  * @param[in] input Ciphertext block to decrypt
504  * @param[out] output Plaintext block resulting from decryption
505  **/
506 
507 void ariaDecryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
508 {
509  uint32_t *dk;
510  uint32_t p[4];
511  uint32_t q[4];
512 
513  //Copy the ciphertext to the buffer
514  cryptoMemcpy(p, input, ARIA_BLOCK_SIZE);
515 
516  //Point to the decryption round keys
517  dk = context->dk;
518 
519  //Apply 11 rounds
520  OF(p, dk + 0);
521  EF(p, dk + 4);
522  OF(p, dk + 8);
523  EF(p, dk + 12);
524  OF(p, dk + 16);
525  EF(p, dk + 20);
526  OF(p, dk + 24);
527  EF(p, dk + 28);
528  OF(p, dk + 32);
529  EF(p, dk + 36);
530  OF(p, dk + 40);
531 
532  //128-bit master keys require a total of 12 rounds
533  if(context->nr == 12)
534  {
535  XOR128(p, dk + 44);
536  SL2(q, p);
537  XOR128(q, dk + 48);
538  }
539  //192-bit master keys require a total of 14 rounds
540  else if(context->nr == 14)
541  {
542  EF(p, dk + 44);
543  OF(p, dk + 48);
544  XOR128(p, dk + 52);
545  SL2(q, p);
546  XOR128(q, dk + 56);
547  }
548  //256-bit master keys require a total of 16 rounds
549  else
550  {
551  EF(p, dk + 44);
552  OF(p, dk + 48);
553  EF(p, dk + 52);
554  OF(p, dk + 56);
555  XOR128(p, dk + 60);
556  SL2(q, p);
557  XOR128(q, dk + 64);
558  }
559 
560  //The resulting value is the plaintext
561  cryptoMemcpy(output, q, ARIA_BLOCK_SIZE);
562 }
563 
564 #endif
#define betoh32(value)
Definition: cpu_endian.h:430
void(* CipherAlgoEncryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:1103
#define ARIA_BLOCK_SIZE
Definition: aria.h:38
uint8_t p
Definition: ndp.h:298
@ CIPHER_ALGO_TYPE_BLOCK
Definition: crypto.h:1069
ARIA encryption algorithm.
#define SL1(b, a)
Definition: aria.c:76
#define ROL128(b, a, n)
Definition: aria.c:67
uint32_t ek[68]
Definition: aria.h:56
#define BETOH32(value)
Definition: cpu_endian.h:427
uint16_t w[3]
Definition: ethernet.h:166
#define XOR128(b, a)
Definition: aria.c:58
uint8_t t
Definition: llmnr_common.h:81
error_t ariaInit(AriaContext *context, const uint8_t *key, size_t keyLen)
Initialize a ARIA context using the supplied key.
Definition: aria.c:297
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
error_t
Error codes.
Definition: error.h:42
#define MOV128(b, a)
Definition: aria.c:49
void(* CipherAlgoDecryptBlock)(void *context, const uint8_t *input, uint8_t *output)
Definition: crypto.h:1104
@ ERROR_INVALID_KEY_LENGTH
Definition: error.h:105
General definitions for cryptographic algorithms.
uint_t nr
Definition: aria.h:54
uint32_t dk[68]
Definition: aria.h:57
error_t(* CipherAlgoInit)(void *context, const uint8_t *key, size_t keyLen)
Definition: crypto.h:1100
#define htobe32(value)
Definition: cpu_endian.h:422
#define cryptoMemset(p, value, length)
Definition: crypto.h:636
#define cryptoMemcpy(dest, src, length)
Definition: crypto.h:642
Common interface for encryption algorithms.
Definition: crypto.h:1150
ARIA algorithm context.
Definition: aria.h:52
unsigned int uint_t
Definition: compiler_port.h:45
void ariaEncryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Encrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:442
void ariaDecryptBlock(AriaContext *context, const uint8_t *input, uint8_t *output)
Decrypt a 16-byte block using ARIA algorithm.
Definition: aria.c:507
const CipherAlgo ariaCipherAlgo
Definition: aria.c:237
@ NO_ERROR
Success.
Definition: error.h:44
Debugging facilities.
#define SL2(b, a)
Definition: aria.c:99
#define A(b, a)
Definition: aria.c:122