doc/twofish_8c_source.html

/**

 * @file twofish.c

 * @brief Twofish encryption algorithm

 *

 * @section License

 *

 * SPDX-License-Identifier: GPL-2.0-or-later

 *

 * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.

 *

 * This file is part of CycloneCRYPTO Open.

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2

 * of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

 *

 * @author Oryx Embedded SARL (www.oryx-embedded.com)

 * @version 2.4.4

 **/


//Switch to the appropriate trace level

#define TRACE_LEVEL CRYPTO_TRACE_LEVEL


//Dependencies

#include "core/crypto.h"

#include "cipher/twofish.h"


//Check crypto library configuration

#if (TWOFISH_SUPPORT == ENABLED)


//MDS matrix

static const uint8_t mds[4][4] =

{

   {0x01, 0xEF, 0x5B, 0x5B},

   {0x5B, 0xEF, 0xEF, 0x01},

   {0xEF, 0x5B, 0x01, 0xEF},

   {0xEF, 0x01, 0xEF, 0x5B}

};


//RS matrix

static const uint8_t rs[4][8] =

{

   {0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E},

   {0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5},

   {0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19},

   {0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03}

};


//Permutation table q0

static const uint8_t q0[256] =

{

   0xA9, 0x67, 0xB3, 0xE8, 0x04, 0xFD, 0xA3, 0x76, 0x9A, 0x92, 0x80, 0x78, 0xE4, 0xDD, 0xD1, 0x38,

   0x0D, 0xC6, 0x35, 0x98, 0x18, 0xF7, 0xEC, 0x6C, 0x43, 0x75, 0x37, 0x26, 0xFA, 0x13, 0x94, 0x48,

   0xF2, 0xD0, 0x8B, 0x30, 0x84, 0x54, 0xDF, 0x23, 0x19, 0x5B, 0x3D, 0x59, 0xF3, 0xAE, 0xA2, 0x82,

   0x63, 0x01, 0x83, 0x2E, 0xD9, 0x51, 0x9B, 0x7C, 0xA6, 0xEB, 0xA5, 0xBE, 0x16, 0x0C, 0xE3, 0x61,

   0xC0, 0x8C, 0x3A, 0xF5, 0x73, 0x2C, 0x25, 0x0B, 0xBB, 0x4E, 0x89, 0x6B, 0x53, 0x6A, 0xB4, 0xF1,

   0xE1, 0xE6, 0xBD, 0x45, 0xE2, 0xF4, 0xB6, 0x66, 0xCC, 0x95, 0x03, 0x56, 0xD4, 0x1C, 0x1E, 0xD7,

   0xFB, 0xC3, 0x8E, 0xB5, 0xE9, 0xCF, 0xBF, 0xBA, 0xEA, 0x77, 0x39, 0xAF, 0x33, 0xC9, 0x62, 0x71,

   0x81, 0x79, 0x09, 0xAD, 0x24, 0xCD, 0xF9, 0xD8, 0xE5, 0xC5, 0xB9, 0x4D, 0x44, 0x08, 0x86, 0xE7,

   0xA1, 0x1D, 0xAA, 0xED, 0x06, 0x70, 0xB2, 0xD2, 0x41, 0x7B, 0xA0, 0x11, 0x31, 0xC2, 0x27, 0x90,

   0x20, 0xF6, 0x60, 0xFF, 0x96, 0x5C, 0xB1, 0xAB, 0x9E, 0x9C, 0x52, 0x1B, 0x5F, 0x93, 0x0A, 0xEF,

   0x91, 0x85, 0x49, 0xEE, 0x2D, 0x4F, 0x8F, 0x3B, 0x47, 0x87, 0x6D, 0x46, 0xD6, 0x3E, 0x69, 0x64,

   0x2A, 0xCE, 0xCB, 0x2F, 0xFC, 0x97, 0x05, 0x7A, 0xAC, 0x7F, 0xD5, 0x1A, 0x4B, 0x0E, 0xA7, 0x5A,

   0x28, 0x14, 0x3F, 0x29, 0x88, 0x3C, 0x4C, 0x02, 0xB8, 0xDA, 0xB0, 0x17, 0x55, 0x1F, 0x8A, 0x7D,

   0x57, 0xC7, 0x8D, 0x74, 0xB7, 0xC4, 0x9F, 0x72, 0x7E, 0x15, 0x22, 0x12, 0x58, 0x07, 0x99, 0x34,

   0x6E, 0x50, 0xDE, 0x68, 0x65, 0xBC, 0xDB, 0xF8, 0xC8, 0xA8, 0x2B, 0x40, 0xDC, 0xFE, 0x32, 0xA4,

   0xCA, 0x10, 0x21, 0xF0, 0xD3, 0x5D, 0x0F, 0x00, 0x6F, 0x9D, 0x36, 0x42, 0x4A, 0x5E, 0xC1, 0xE0

};


//Permutation table q1

static const uint8_t q1[256] =

{

   0x75, 0xF3, 0xC6, 0xF4, 0xDB, 0x7B, 0xFB, 0xC8, 0x4A, 0xD3, 0xE6, 0x6B, 0x45, 0x7D, 0xE8, 0x4B,

   0xD6, 0x32, 0xD8, 0xFD, 0x37, 0x71, 0xF1, 0xE1, 0x30, 0x0F, 0xF8, 0x1B, 0x87, 0xFA, 0x06, 0x3F,

   0x5E, 0xBA, 0xAE, 0x5B, 0x8A, 0x00, 0xBC, 0x9D, 0x6D, 0xC1, 0xB1, 0x0E, 0x80, 0x5D, 0xD2, 0xD5,

   0xA0, 0x84, 0x07, 0x14, 0xB5, 0x90, 0x2C, 0xA3, 0xB2, 0x73, 0x4C, 0x54, 0x92, 0x74, 0x36, 0x51,

   0x38, 0xB0, 0xBD, 0x5A, 0xFC, 0x60, 0x62, 0x96, 0x6C, 0x42, 0xF7, 0x10, 0x7C, 0x28, 0x27, 0x8C,

   0x13, 0x95, 0x9C, 0xC7, 0x24, 0x46, 0x3B, 0x70, 0xCA, 0xE3, 0x85, 0xCB, 0x11, 0xD0, 0x93, 0xB8,

   0xA6, 0x83, 0x20, 0xFF, 0x9F, 0x77, 0xC3, 0xCC, 0x03, 0x6F, 0x08, 0xBF, 0x40, 0xE7, 0x2B, 0xE2,

   0x79, 0x0C, 0xAA, 0x82, 0x41, 0x3A, 0xEA, 0xB9, 0xE4, 0x9A, 0xA4, 0x97, 0x7E, 0xDA, 0x7A, 0x17,

   0x66, 0x94, 0xA1, 0x1D, 0x3D, 0xF0, 0xDE, 0xB3, 0x0B, 0x72, 0xA7, 0x1C, 0xEF, 0xD1, 0x53, 0x3E,

   0x8F, 0x33, 0x26, 0x5F, 0xEC, 0x76, 0x2A, 0x49, 0x81, 0x88, 0xEE, 0x21, 0xC4, 0x1A, 0xEB, 0xD9,

   0xC5, 0x39, 0x99, 0xCD, 0xAD, 0x31, 0x8B, 0x01, 0x18, 0x23, 0xDD, 0x1F, 0x4E, 0x2D, 0xF9, 0x48,

   0x4F, 0xF2, 0x65, 0x8E, 0x78, 0x5C, 0x58, 0x19, 0x8D, 0xE5, 0x98, 0x57, 0x67, 0x7F, 0x05, 0x64,

   0xAF, 0x63, 0xB6, 0xFE, 0xF5, 0xB7, 0x3C, 0xA5, 0xCE, 0xE9, 0x68, 0x44, 0xE0, 0x4D, 0x43, 0x69,

   0x29, 0x2E, 0xAC, 0x15, 0x59, 0xA8, 0x0A, 0x9E, 0x6E, 0x47, 0xDF, 0x34, 0x35, 0x6A, 0xCF, 0xDC,

   0x22, 0xC9, 0xC0, 0x9B, 0x89, 0xD4, 0xED, 0xAB, 0x12, 0xA2, 0x0D, 0x52, 0xBB, 0x02, 0x2F, 0xA9,

   0xD7, 0x61, 0x1E, 0xB4, 0x50, 0x04, 0xF6, 0xC2, 0x16, 0x25, 0x86, 0x56, 0x55, 0x09, 0xBE, 0x91

};


//Common interface for encryption algorithms

const CipherAlgo twofishCipherAlgo =

{

   "Twofish",

   sizeof(TwofishContext),

   CIPHER_ALGO_TYPE_BLOCK,

   TWOFISH_BLOCK_SIZE,

   (CipherAlgoInit) twofishInit,

   NULL,

   NULL,

   (CipherAlgoEncryptBlock) twofishEncryptBlock,

   (CipherAlgoDecryptBlock) twofishDecryptBlock,

   (CipherAlgoDeinit) twofishDeinit

};


/**

 * @brief Multiplication in GF(2^8)

 * @param[in] a First operand

 * @param[in] b Second operand

 * @param[in] p Primitive polynomial of degree 8 over GF(2)

 * @return Resulting value

 **/


static uint32_t GF_MUL(uint8_t a, uint8_t b, uint8_t p)

{

   uint_t i;

   uint8_t r;


   //Initialize result

   r = 0;


   //The operand is processed bit by bit

   for(i = 0; i < 8; i++)

   {

      //Check the value of the current bit

      if((b & 0x01) != 0)

      {

         //An addition in GF(2^8) is identical to a bitwise XOR operation

         r ^= a;

      }


      //The multiplication of a polynomial by x in GF(2^8) corresponds

      //to a shift of indices

      if((a & 0x80) != 0)

      {

         a = (a << 1) ^ p;

      }

      else

      {

         a = a << 1;

      }


      //Process next bit

      b = b >> 1;

   }


   //Return the resulting value

   return r;

}


/**

 * @brief Helper subroutine for implementing function h

 * @param[in] x Input value X

 * @param[in] l List L of 32-bit words of length k

 * @param[in] k Length of the list L

 * @param[in] i Index in range 0 to 3

 * @return Output value Z

 **/


static uint32_t H_SUB(uint8_t x, const uint32_t *l, uint_t k, uint_t i)

{

   uint32_t z;


   //This stage is optional

   if(k == 4)

   {

      //The byte is passed through a fixed S-box

      x = (i == 1 || i == 2) ? q0[x] : q1[x];

      //Then resulting value is XORed with a byte derived from the list

      x ^= (l[3] >> (8 * i)) & 0xFF;

   }


   //This stage is optional

   if(k >= 3)

   {

      //The byte is passed through a fixed S-box

      x = (i == 2 || i == 3) ? q0[x] : q1[x];

      //Then resulting value is XORed with a byte derived from the list

      x ^= (l[2] >> (8 * i)) & 0xFF;

   }


   //The following 2 stages are always required

   x = (i == 0 || i == 2) ? q0[x] : q1[x];

   x ^= (l[1] >> (8 * i)) & 0xFF;

   x = (i == 0 || i == 1) ? q0[x] : q1[x];

   x ^= (l[0] >> (8 * i)) & 0xFF;


   //Finally, the byte is once again passed through a fixed S-box

   x = (i == 1 || i == 3) ? q0[x] : q1[x];


   //The resulting value is multiplied by the MDS matrix

   z = GF_MUL(mds[0][i], x, 0x69);

   z |= GF_MUL(mds[1][i], x, 0x69) << 8;

   z |= GF_MUL(mds[2][i], x, 0x69) << 16;

   z |= GF_MUL(mds[3][i], x, 0x69) << 24;


   //Return the resulting value

   return z;

}


/**

 * @brief Function h

 * @param[in] x Input value X

 * @param[in] l List L of 32-bit words of length k

 * @param[in] k Length of the list L

 * @return Output value Z

 **/


static uint32_t H(uint8_t x, const uint32_t *l, uint_t k)

{

   uint_t i;

   uint32_t z;


   //Initialize result

   z = 0;


   //Process each byte of the 32-bit word

   for(i = 0; i < 4; i++)

   {

      z ^= H_SUB(x, l, k, i);

   }


   //Return the resulting value

   return z;

}


/**

 * @brief Key expansion

 * @param[in] context Pointer to the Twofish context to initialize

 * @param[in] key Pointer to the key

 * @param[in] keyLen Length of the key

 * @return Error code

 **/


error_t twofishInit(TwofishContext *context, const uint8_t *key, size_t keyLen)

{

   uint_t i;

   uint_t j;

   uint_t k;

   uint_t n;

   uint32_t a;

   uint32_t b;

   uint32_t me[4];

   uint32_t mo[4];

   uint32_t s[4];


   //Check parameters

   if(context == NULL || key == NULL)

      return ERROR_INVALID_PARAMETER;


   //Check the length of the key

   if(keyLen != 16 && keyLen != 24 && keyLen != 32)

      return ERROR_INVALID_KEY_LENGTH;


   //Let k = N / 64 where N is the length of the key, in bits

   k = keyLen / 8;


   //The bytes are first converted into 2*k words of 32 bits each and then

   //into two word vectors Me and Mo of length k

   for(i = 0; i < k; i++)

   {

      me[i] = LOAD32LE(key + 8 * i);

      mo[i] = LOAD32LE(key + 8 * i + 4);

   }


   //A third word vector S of length k is derived from the key

   for(i = 0; i < k; i++)

   {

      //Note that S lists the words in reverse order

      s[k - i - 1] = 0;


      //Each result of 4 bytes is interpreted as a 32-bit word

      for(j = 0; j < 4; j++)

      {

         //Take the key bytes in groups of 8, interpreting them as a vector

         //over GF(2^8), and multiplying them by the RS matrix

         for(a = 0, n = 0; n < 8; n++)

         {

            a ^= GF_MUL(rs[j][n], key[8 * i + n], 0x4D);

         }


         //Update current word

         s[k - i - 1] |= a << (8 * j);

      }

   }


   //Generate the key-dependent S-boxes

   for(i = 0; i < 256; i++)

   {

      context->s1[i] = H_SUB(i, s, k, 0);

      context->s2[i] = H_SUB(i, s, k, 1);

      context->s3[i] = H_SUB(i, s, k, 2);

      context->s4[i] = H_SUB(i, s, k, 3);

   }


   //Generate the expanded key words K

   for(i = 0; i < 20; i++)

   {

      //The words of the expanded key are defined using the h function

      a = H(2 * i, me, k);

      b = H(2 * i + 1, mo, k);

      b = ROL32(b, 8);

      a += b;

      context->k[2 * i] = a;

      a += b;

      context->k[2 * i + 1] = ROL32(a, 9);

   }


   //No error to report

   return NO_ERROR;

}


/**

 * @brief Encrypt a 16-byte block using Twofish algorithm

 * @param[in] context Pointer to the Twofish context

 * @param[in] input Plaintext block to encrypt

 * @param[out] output Ciphertext block resulting from encryption

 **/


void twofishEncryptBlock(TwofishContext *context, const uint8_t *input,

   uint8_t *output)

{

   uint_t i;

   uint32_t r0;

   uint32_t r1;

   uint32_t r2;

   uint32_t r3;

   uint32_t t0;

   uint32_t t1;


   //The 16 bytes of plaintext are split into 4 words

   r0 = LOAD32LE(input + 0);

   r1 = LOAD32LE(input + 4);

   r2 = LOAD32LE(input + 8);

   r3 = LOAD32LE(input + 12);


   //In the input whitening step, the data words are XORed with 4 words of

   //the expanded key

   r0 ^= context->k[0];

   r1 ^= context->k[1];

   r2 ^= context->k[2];

   r3 ^= context->k[3];


   //16 rounds of computation are needed

   for(i = 0; i < 32; i += 4)

   {

      //Apply odd round function

      t0 = context->s1[r0 & 0xFF];

      t0 ^= context->s2[(r0 >> 8) & 0xFF];

      t0 ^= context->s3[(r0 >> 16) & 0xFF];

      t0 ^= context->s4[(r0 >> 24) & 0xFF];


      t1 = context->s2[r1 & 0xFF];

      t1 ^= context->s3[(r1 >> 8) & 0xFF];

      t1 ^= context->s4[(r1 >> 16) & 0xFF];

      t1 ^= context->s1[(r1 >> 24) & 0xFF];


      r2 ^= t0 + t1 + context->k[8 + i];

      r2 = ROR32(r2, 1);

      r3 = ROL32(r3, 1);

      r3 ^= (t0 + t1 + t1 + context->k[9 + i]);


      //Apply even round function

      t0 = context->s1[r2 & 0xFF];

      t0 ^= context->s2[(r2 >> 8) & 0xFF];

      t0 ^= context->s3[(r2 >> 16) & 0xFF];

      t0 ^= context->s4[(r2 >> 24) & 0xFF];


      t1 = context->s2[r3 & 0xFF];

      t1 ^= context->s3[(r3 >> 8) & 0xFF];

      t1 ^= context->s4[(r3 >> 16) & 0xFF];

      t1 ^= context->s1[(r3 >> 24) & 0xFF];


      r0 ^= t0 + t1 + context->k[10 + i];

      r0 = ROR32(r0, 1);

      r1 = ROL32(r1, 1);

      r1 ^= (t0 + t1 + t1 + context->k[11 + i]);

   }


   //The output whitening step undoes the swap of the last round, and XORs

   //the data words with 4 words of the expanded key

   r2 ^= context->k[4];

   r3 ^= context->k[5];

   r0 ^= context->k[6];

   r1 ^= context->k[7];


   //The 4 words of ciphertext are then written as 16 bytes

   STORE32LE(r2, output + 0);

   STORE32LE(r3, output + 4);

   STORE32LE(r0, output + 8);

   STORE32LE(r1, output + 12);

}


/**

 * @brief Decrypt a 16-byte block using Twofish algorithm

 * @param[in] context Pointer to the Twofish context

 * @param[in] input Ciphertext block to decrypt

 * @param[out] output Plaintext block resulting from decryption

 **/


void twofishDecryptBlock(TwofishContext *context, const uint8_t *input,

   uint8_t *output)

{

   uint_t i;

   uint32_t r0;

   uint32_t r1;

   uint32_t r2;

   uint32_t r3;

   uint32_t t0;

   uint32_t t1;


   //The 16 bytes of ciphertext are split into 4 words

   r2 = LOAD32LE(input + 0);

   r3 = LOAD32LE(input + 4);

   r0 = LOAD32LE(input + 8);

   r1 = LOAD32LE(input + 12);


   //The input whitening step undoes the swap of the last round, and XORs

   //the data words with 4 words of the expanded key

   r2 ^= context->k[4];

   r3 ^= context->k[5];

   r0 ^= context->k[6];

   r1 ^= context->k[7];


   //16 rounds of computation are needed

   for(i = 0; i < 32; i += 4)

   {

      //Apply even round function

      t0 = context->s1[r2 & 0xFF];

      t0 ^= context->s2[(r2 >> 8) & 0xFF];

      t0 ^= context->s3[(r2 >> 16) & 0xFF];

      t0 ^= context->s4[(r2 >> 24) & 0xFF];


      t1 = context->s2[r3 & 0xFF];

      t1 ^= context->s3[(r3 >> 8) & 0xFF];

      t1 ^= context->s4[(r3 >> 16) & 0xFF];

      t1 ^= context->s1[(r3 >> 24) & 0xFF];


      r0 = ROL32(r0, 1);

      r0 ^= t0 + t1 + context->k[38 - i];

      r1 ^= (t0 + t1 + t1 + context->k[39 - i]);

      r1 = ROR32(r1, 1);


      //Apply odd round function

      t0 = context->s1[r0 & 0xFF];

      t0 ^= context->s2[(r0 >> 8) & 0xFF];

      t0 ^= context->s3[(r0 >> 16) & 0xFF];

      t0 ^= context->s4[(r0 >> 24) & 0xFF];


      t1 = context->s2[r1 & 0xFF];

      t1 ^= context->s3[(r1 >> 8) & 0xFF];

      t1 ^= context->s4[(r1 >> 16) & 0xFF];

      t1 ^= context->s1[(r1 >> 24) & 0xFF];


      r2 = ROL32(r2, 1);

      r2 ^= t0 + t1 + context->k[36 - i];

      r3 ^= (t0 + t1 + t1 + context->k[37 - i]);

      r3 = ROR32(r3, 1);

   }


   //In the output whitening step, the data words are XORed with 4 words of

   //the expanded key

   r0 ^= context->k[0];

   r1 ^= context->k[1];

   r2 ^= context->k[2];

   r3 ^= context->k[3];


   //The 4 words of plaintext are then written as 16 bytes

   STORE32LE(r0, output + 0);

   STORE32LE(r1, output + 4);

   STORE32LE(r2, output + 8);

   STORE32LE(r3, output + 12);

}


/**

 * @brief Release Twofish context

 * @param[in] context Pointer to the Twofish context

 **/


void twofishDeinit(TwofishContext *context)

{

   //Clear Twofish context

   osMemset(context, 0, sizeof(TwofishContext));

}


#endif