Skip to content

lwc / candidates

Go to a project
Switch branch/tag
Find file
Normal viewHistoryPermalink
decrypt.c 2.43 KB
Newer Older
Round 1 Candidates
06f56ee8
 
lwc-tester committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 
#include "api.h"
#include "endian.h"
#include "permutations.h"

#define RATE (128 / 8)
#define PA_ROUNDS 12
#define PB_ROUNDS 8
#define IV                                                        \
  ((u64)(8 * (CRYPTO_KEYBYTES)) << 56 | (u64)(8 * (RATE)) << 48 | \
   (u64)(PA_ROUNDS) << 40 | (u64)(PB_ROUNDS) << 32)

int crypto_aead_decrypt(unsigned char* m, unsigned long long* mlen,
                        unsigned char* nsec, const unsigned char* c,
                        unsigned long long clen, const unsigned char* ad,
                        unsigned long long adlen, const unsigned char* npub,
                        const unsigned char* k) {
  if (clen < CRYPTO_ABYTES) {
    *mlen = 0;
    return -1;
  }

  const u64 K0 = U64BIG(*(u64*)k);
  const u64 K1 = U64BIG(*(u64*)(k + 8));
  const u64 N0 = U64BIG(*(u64*)npub);
  const u64 N1 = U64BIG(*(u64*)(npub + 8));
  state s;
  u64 i;
  (void)nsec;

  // set plaintext size
  *mlen = clen - CRYPTO_ABYTES;

  // initialization
  s.x0 = IV;
  s.x1 = K0;
  s.x2 = K1;
  s.x3 = N0;
  s.x4 = N1;
  P12();
  s.x3 ^= K0;
  s.x4 ^= K1;

  // process associated data
  if (adlen) {
    while (adlen >= RATE) {
      s.x0 ^= U64BIG(*(u64*)ad);
      s.x1 ^= U64BIG(*(u64*)(ad + 8));
      P8();
      adlen -= RATE;
      ad += RATE;
    }
    for (i = 0; i < adlen; ++i, ++ad)
      if (i < 8)
        s.x0 ^= INS_BYTE64(*ad, i);
      else
        s.x1 ^= INS_BYTE64(*ad, i % 8);
    if (adlen < 8)
      s.x0 ^= INS_BYTE64(0x80, adlen);
    else
      s.x1 ^= INS_BYTE64(0x80, adlen % 8);
    P8();
  }
  s.x4 ^= 1;

  // process plaintext
  clen -= CRYPTO_ABYTES;
  while (clen >= RATE) {
    *(u64*)m = U64BIG(s.x0) ^ *(u64*)c;
    *(u64*)(m + 8) = U64BIG(s.x1) ^ *(u64*)(c + 8);
    s.x0 = U64BIG(*((u64*)c));
    s.x1 = U64BIG(*((u64*)(c + 8)));
    P8();
    clen -= RATE;
    m += RATE;
    c += RATE;
  }
  for (i = 0; i < clen; ++i, ++m, ++c) {
    if (i < 8) {
      *m = EXT_BYTE64(s.x0, i) ^ *c;
      s.x0 &= ~INS_BYTE64(0xff, i);
      s.x0 |= INS_BYTE64(*c, i);
    } else {
      *m = EXT_BYTE64(s.x1, i % 8) ^ *c;
      s.x1 &= ~INS_BYTE64(0xff, i % 8);
      s.x1 |= INS_BYTE64(*c, i % 8);
    }
  }
  if (clen < 8)
    s.x0 ^= INS_BYTE64(0x80, clen);
  else
    s.x1 ^= INS_BYTE64(0x80, clen % 8);

  // finalization
  s.x2 ^= K0;
  s.x3 ^= K1;
  P12();
  s.x3 ^= K0;
  s.x4 ^= K1;

  // verify tag
  if (*(u64*)c != U64BIG(s.x3) || *(u64*)(c + 8) != U64BIG(s.x4)) {
    *mlen = 0;
    return -1;
  }

  return 0;
}